ML20344A399
| Person / Time | |
|---|---|
| Issue date: | 11/04/2020 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | Burkhart, L, ACRS |
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION
Title: Advisory Committee on Reactor Safeguards
Docket Number: (n/a)
Location: teleconference
Date: Wednesday, November 4, 2020
Work Order No.: NRC-1204
Pages 1-57
NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005
(202) 234-4433
DISCLAIMER
UNITED STATES NUCLEAR REGULATORY COMMISSION'S
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.
This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
680TH MEETING
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)
+ + + + +
WEDNESDAY
NOVEMBER 4, 2020
+ + + + +
The Advisory Committee met via Teleconference, at 2:00 p.m. EST, Matthew W. Sunseri, Chairman, presiding.
COMMITTEE MEMBERS:
MATTHEW W. SUNSERI, Chairman
JOY L. REMPE, Vice Chairman
WALTER L. KIRCHNER, Member-at-Large
RONALD G. BALLINGER, Member
DENNIS BLEY, Member
CHARLES H. BROWN, JR., Member
VESNA B. DIMITRIJEVIC, Member
JOSE MARCH-LEUBA, Member
DAVID PETTI, Member
PETER RICCARDELLA, Member
ACRS CONSULTANT:
MICHAEL L. CORRADINI
DESIGNATED FEDERAL OFFICIAL:
A G E N D A
- 1. Opening Remarks
1.1. Opening Statement
1.2. Items of Current Interest
- 2. Review of Latest Update of Branch Technical Position 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based I&C Systems"
2.1. Remarks from the Subcommittee Chairman
2.2. Presentation and Discussion with Representatives from the NRC Staff and NEI
2.3. Public Comment
P R O C E E D I N G S
2:00 p.m.
CHAIRMAN SUNSERI: Good day to everyone signed in. The meeting will now come to order. This is the first day of the 680th Meeting of the Advisory Committee on Reactor Safeguards.
I'm Matthew Sunseri, the Chair of the ACRS. I will now call the roll to verify quorum and to also verify that members are able to participate.
Ron Ballinger?
MEMBER BALLINGER: Here.
CHAIRMAN SUNSERI: Dennis Bley? Dennis Bley? Charles Brown?
MEMBER BROWN: I'm here.
CHAIRMAN SUNSERI: Vesna Dimitrijevic?
MEMBER DIMITRIJEVIC: Here.
CHAIRMAN SUNSERI: Walt Kirchner? Walt?
MEMBER KIRCHNER: I'm here.
CHAIRMAN SUNSERI: Okay, good.
MEMBER KIRCHNER: Thanks.
CHAIRMAN SUNSERI: Great, all right, good. Jose March-Leuba?
MEMBER MARCH-LEUBA: I'm here.
CHAIRMAN SUNSERI: Dave Petti?
MEMBER PETTI: Here.
CHAIRMAN SUNSERI: Joy Rempe?
VICE CHAIRMAN REMPE: Here.
CHAIRMAN SUNSERI: Pete Riccardella?
MEMBER RICCARDELLA: Here.
CHAIRMAN SUNSERI: And myself, okay. Dennis Bley?
CHAIRMAN BLEY: Here.
CHAIRMAN SUNSERI: All right, great. Good. I note we have a quorum. The ACRS was established by the Atomic Energy Act and is governed by the Federal Advisory Committee Act.
The ACRS section of the U.S. NRC public website provides information about the history of the ACRS and provides documents such as our charter, bylaws, Federal Register Notices for meetings, letter reports, and transcripts of all full and subcommittee meetings, including all slides presented at the meetings.
The committee provides its advice on safety matters to the Commission through its publicly available letter reports.
The Federal Register Notice announcing this meeting was published on October 23, 2020 and provides an agenda and instructions for interested parties to provide documents or request opportunities to address the committee.
The Designated Federal Officer for this meeting is Ms. Christina Antonescu.
During this meeting over the coming days, the committee will consider the following. We will conduct reviews and prepare reports on two technical topics, the first being the latest update of the Branch Technical Position 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based I&C Systems. And the second is a Regulatory Guide 1.200 Revision on Review and Approval of New Methods for Light-Water Reactors.
We will also begin preparations for a Commission meeting that is scheduled for December 4. On Friday morning, we will have a planning and procedures session.
Those that read the agenda prior to today, you will note that there was an information briefing scheduled for OKLO's combined license application. However, that item is being rescheduled at the request of the applicant and we will use part of that time for report preparation.
A phone bridge line has been opened to allow members of the public to listen in on the presentations and committee discussions. We have received no written comments or requests to make oral statements from members of the public regarding today's session.
There will be an opportunity for public comment and we have set aside time in the agenda for comments from members of the public if any are listening to our meeting.
Written comments may be forwarded to Ms. Christina Antonescu, the Designated Federal Officer.
A transcript of the open portions of the meeting, with the exceptions of our report preparations and planning and procedure session is being kept and it is requested that speakers identify themselves and speak with sufficient clarity and volume so that they may be readily heard. Additionally, participants should mute themselves when not speaking.
And I will ask the members, do you have any questions about the agenda or where we're going this week? Or if any member has anything they want to say? Okay.
Before we start today's agenda, I have two announcements to make. It is with overwhelming sadness that I inform you that our colleague and friend Paula Dorm passed away last Thursday.
As a pillar of the NRC, Ms. Dorm's career extended beyond 35-plus years. Most recently, she was a management analyst in PMDA, here with the ACRS, where she supported the committee in operational activities such as information technology and, earlier, with conference room management.
Before joining the ACRS, Ms. Dorm worked as a management analyst in the offices of Nuclear Material Safety and Safeguards, Chief Information Officer, and Research. Her work was invaluable to the committee and created the needed infrastructure for the committee to meet and conduct our business.
Paula will be missed immensely. Please keep her family and those close to her in your thoughts.
I also acknowledge that the ACRS was saddened to learn that Dr. B. John Garrick, former chairman of the U.S. Nuclear Regulatory Commission's Advisory Committee on Nuclear Waste, passed away this past Sunday.
Dr. Garrick was a recognized international authority on the application of risk sciences to complex technological systems in the nuclear space, defense, chemical, marine, and transportation fields.
He served for ten years, four of which as chairman, on the ACNW. In 2004, Dr. Garrick was appointed by President George W. Bush to the U.S. Nuclear Waste Technical Review Board as chairman and served two terms, ending in 2012.
At UCLA's School of Engineering, he is the founder of the B. John Garrick Institute for Risk Sciences.
NRC and its advisory committees are indebted to Dr. Garrick's leadership and technical guidance and we honor his memory and decades of work in nuclear risk analysis as we meet today.
Please check your NRC daily updates for more information as it becomes available on the loss of these two colleagues.
We will now turn to our agenda. And I will introduce Member Charles Brown for leading us on the review of the latest update of the Branch Technical Position 7-19. Charlie? You with us, Charlie? Christina?
MEMBER BROWN: I got it. I didn't turn my mic on, sorry about that, Matt.
CHAIRMAN SUNSERI: No, no, that's okay. We've had -- there's been a number of weather-related influences over the last couple of days and so, it's understandable. Go ahead, you have the floor, Charlie.
MEMBER BROWN: Okay, thank you very much. Eric, Wendell, you all both are there? I see you're signed in, can you hear?
MR. BENNER: Yes, we can.
MR. MORTON: Yes, we can.
MEMBER BROWN: Okey doke. Eric, would you like to have any opening remarks before we commence?
MR. BENNER: I would.
MEMBER BROWN: Okay. Proceed.
MR. BENNER: First, I share your sadness in the loss of our colleagues Ms. Dorm and Dr. Garrick. So, on that, definitely is something to be mindful of as we conduct all of our activities.
I want to say that, regarding this document, I very much appreciate all the feedback that the subcommittee has provided us. The members of the staff who have been working on this document all genuinely believe it is a much better product because of the interactions we've had with the subcommittee, as well as the stakeholder feedback we've received on the document.
As we hope for expanded safe use of digital technologies in the nuclear industry, it is instrumental that we have clear guidance for how the staff would review any modifications that need a license amendment for an operating reactor or, obviously, how we would do the initial review of a system for a new reactor.
The staff has taken great pains to try to construct this guidance in a manner that, if followed by the staff, it will have -- demonstrate a clear basis for how the regulations, applicable regulations have been met in this area, at the same time making it clear the flexibilities and different pathways that licensees and applicants have to address the technical issue of common-cause failure in a digital I&C system.
So with all that, the document, the guidance document before is not perfect, it never will be perfect, but I think -- Member Brown did point out at the subcommittee meeting that part of this is just to use it, right?
That we can evolve and learn as we use any guidance document and as long as we have the right safety and regulatory perspective, we will make good, sound regulatory decisions and can take the lessons learned from those regulatory decisions to further refine the document.
To that last point, we have embedded in our presentation today how we have incorporated lessons learned from those reviews that we consider most successful in the past to help shape how the staff would look at future applications.
So that's the end of my opening remarks and not knowing how you want to proceed, Member Brown, certainly, Wendell Morton will be the lead presenter for the presentation today, but he has a team of folks on standby to address any questions that the committee may have.
MEMBER BROWN: Okay. Thank you very much, Eric. I would like to make one observation relative to your introductory comments, which I think is appropriate. We had three subcommittee meetings on this document, if I'm not mistaken. I went back and looked and counted up.
You may remember, Eric and Wendell, the first one, there was suggestions or observations from a couple of the members, I know Dennis and myself, that the document kind of wandered around a little bit.
And you all, I think, took that to heart, did some very significant reorganization, so that it has become, whether we agree with each and every little point and everything, the flow of the document makes sense. And the ease of use, in my mind, is significantly above that of Rev 7, which I did line-by-line and paragraph-by-paragraph comparisons with two years ago, or a year and a half ago.
So I did want to give credit to the staff for listening to both the committee, as well as the public and the industry, in putting together their revisions. So we'll start that off on a positive note. And, Wendell, if you would like to start off, have at it.
MR. MORTON: Yes, sir. Thank you, Member Brown. Once again, good afternoon, ACRS members, members of the public, NRC staff. This is Wendell Morton, I'm the team lead for the BTP 7-19 Revision 8 project.
And I want to thank my fellow team members, starting off with Rossnyev Alvarado, David Rahn, (telephonic interference) and of course, our illustrious PM Tekia Govan, who will be driving for me this afternoon, thank you, Tekia, appreciate it.
We're going to go over some of the changes we've made to the BTP up to this point, that includes the previous three ACRS meetings we've had, and thank you, Member Brown, for keeping that in mind, because we have been talking to the subcommittee a number of different times and there's been a lot of different feedback provided by ACRS and we appreciate the positivity we've got so far.
We did take a lot of the feedback we received from ACRS to heart, very much so. And one of the main goals of the BTP was to make sure that the document itself was usable. Before you even get into the technical content, is it actually usable in terms of can a person pick it up and read it and understand exactly where you're going in the document to find useful information? And that was definitely one of the goals that we had.
As part of this process, we also had a lot of feedback from our stakeholders, both internally with the staff and also with the industry at large, which we've had a number of different public meetings.
And we solicited specific feedback and specific concerns that licensees and applicants have had in trying to utilize the previous rev of the document, to incorporate those lessons learned from previous licensing activities and some of those previous challenges that folks may have had, including things the staff identified as areas for improvement. And you will see these things incorporated into this version of the document.
Like I said, we are going to talk about many of the things we've had, at least post those previous ACRS meetings. And I do want to note, just for the record, the document is still technically in concurrence. So I just want to make that -- keep that in (telephonic interference) for the ACRS members. So, Tekia, please go to slide two.
So today, in terms of the agenda, similar to the previous meeting, we're going to talk about some of the objectives that I just kind of covered in some more detail. The various topics and concepts that are covered within the BTP 7-19 Revision 8.
We'll talk about some of the key changes we made in the document, for your consumption. Some of those changes included the scope of the draft of BTP 7-19. I'll also discuss in more detail the refinements we made based upon all the great ACRS feedback we've received.
Another topic, we'll talk about is the safety significance determination, which we previously understand used to be referred to as the graded approach. We made further refinements on that particular topic, as well as the overall D3 assessment itself, and some additional items we'll talk about. And then, we'll talk about the status and next steps. Tekia, please go to slide number two.
And of course, like I said earlier, our objective generally is to present those changes that we've made, updates and refinements we've made to the document to receive further feedback from ACRS. Sorry for the typo we have inside there, it says subcommittee, it should say full committee at this point, I apologize for that.
And of course, we're looking for obtaining the ACRS recommendation letter for the project. Tekia, could you go to slide number four?
So some of the specific topics, sort of like we just kind of discussed, you see a number of important items we've changed, and many of these aspects have been updated or refined based upon the public comments we received, based upon internal feedback we had with our own staff discussions and licensing activities, and based upon our interactions with the public and industry through the numerous public meetings we've had in the last year and a half or so, and also, just looking at the document, taking a clean reading and seeing where could we make improvements in some of these of these topics.
So each one of these received some level of refinement or improvement based upon the various interactions that we've had with the public, with ACRS, and with our own internal discussions on some of them.
And like Eric referred to earlier, there are a number of lessons learned that we've had in our successful licensing reviews that have been incorporated into this version of the BTP, to streamline the process and make it more clear and to firm up the regulatory basis and of the technical aspects of the document as well. Tekia, please go to slide number five, please?
So the summary of key changes. One of the major changes we've had, and we kind of discussed this in some detail at the subcommittee meeting, was that the document really is staff guidance, it's not necessarily intended to be treated as a reg guide per se, although we understand that people use it as such.
But the guidance really is clarified to be directed towards staff reviewers, that's one of the key changes we made. That's why the tone and tenor of the document changed since previous revs that focused on what we have seen, some of the changes were directed towards that end.
We also added and made technical requirements to the failure types considered within the BTP 7-19. For example, we tried to clarify that with regard to some topics, like spurious operation, there are some types of failures that are within design basis to cover and there's those types of failures that are beyond-design-basis events.
So we clarified that discussion based upon feedback we've heard from industry and public comments, where there may have been confusion about what specific types of failures are under the scope of the BTP.
We also clarified the term latent design defect and we recognized we were previously using the term latent defect, but that's one of the things that based upon interaction with industry and public comments, as well as some internal discussions, and especially with some interaction we had with ACRS, we decided to refine the term to better align it, the actual name of the term to better align with the definition that we have inside here.
And also the safety significance determination scheme, the quality of assessments, spurious operation guide, all received some level of refinements and improvements based on our interactions with ACRS, as well as public comment and feedback we've gotten from industry and the public. Tekia, please go to slide number six.
So in terms of the basic scope of the document, we covered in the subcommittee meeting that we refined the document to clarify what specifically is expected to be covered with the Branch Technical Position 7-19, to ensure that the scope of the document, the types of failures, software, hardware, et cetera, that is expected to be addressed by the staff who are utilizing the BTP itself, to make sure it fully aligns with the Commission direction in SRM to SECY-93-087.
And as Eric said, we recognize that there are areas for improvement and we're always trying to make sure we were refining this so it was clear and understandable what the scope of the draft document is about. In Revision 8, we made a concerted effort to make sure that this is very clear and present for the folks who picked it up and read it. Slide number seven, thank you.
And now, we're going to get to some of the more detailed discussion, in terms of the requirements we made based on ACRS feedback.
The first bullet you see there, something that we got into a lot of discussion about in the last subcommittee meeting, which talked about within the background section maybe having some more information about how your basic architectural design for your I&C system is in and of itself a barrier against digital common-cause failure, if you do the right things in terms of the design of the architecture itself, before you get into any other types of aspects that you get into the BTP about.
And that was on the recommendations clarified from ACRS, we agree wholeheartedly with that, and we did add some additional details about that aspect into the BTP in the background discussion.
And Member Brown sort of referred to, a number of the other bullets talk about how we tried to revise the document to be more clear and concise and so that there is not information hanging over here or hanging over there, it does not have an ambling discussion, that there is clear and specific connectivity between each topic inside there and that there's clear transitions from one topic to the next topic, so that it's understandable that you go from background to safety significance determination, to the D3 assessment itself and all the things that encompasses that, and all the other supporting aspects.
So we made a concerted effort to make sure that the connectivity was there, so it was clear and concise what we're trying to talk about here.
And, obviously, there were other topics, those were some of the bigger ones that I wanted to kind of express to the full committee that there were a number of excellent comments made towards that end.
And for example, Member Brown referred to us the November 11, 2011 letter with regard to spurious operations and making sure that we were still taking into account that feedback and that we did incorporate that feedback to the extent practicable as well.
So we wanted to make sure we were consistent with ACRS's previous feedback as well, but more recent feedback as well. So if there's no questions on this slide, we'll go to slide number eight. Thank you, Tekia.
So the safety significance determination. So one of the things that we also refined based upon ACRS feedback, as well as some additional feedback we received from industry, is that there may be a little bit of redundancy and some non-clarity within the original categorization that we had.
If you recall from the previous version, we did have four categories. We thought that, based on some feedback we heard from industry and then from the previous subcommittee meeting and ACRS, we thought it may be better to consolidate some of the categories for simplicity's sake, so that it's a little more clear about what the expectations are when you're making your significance determination.
This is how we're doing the quote/unquote graded approach. So rather than focusing on that particular aspect, we're focusing more on the characteristics of the system.
So, as you see, the first bullet is for high significance systems.
The second bullet you have here is the consolidation in two previous categories, where we covered non-safety-related systems that perform a safety significant function and those safety-related systems that don't perform necessarily a safety significant function.
Rather than having them be two separate categories, we decided to consolidate them for simplicity's sake and for the fact that it didn't really make sense necessarily to have four categories, when it's simpler to have three.
And this better conforms with the guidance within the D3 assessment, because we didn't necessarily need to have all of the extra category in order to provide an adequate D3 assessment. So the consolidation as part of the feedback we heard from the ACRS and the general public made a lot of sense. That's why you'll see a little bit of the different configuration to this section than the previous section.
And I do want to make it clear that for non-safety-related SSCs that perform safety significant functions, they are still in fact less safety significant than safety-related functions that perform safety significant functions. So I wanted to make that clear, that we're not trying to jump the queue in terms of importance here.
So if there's no other questions on this slide --
MEMBER DIMITRIJEVIC: Well, I have a question of these things, exactly what you just said.
MR. MORTON: Yes?
MEMBER DIMITRIJEVIC: What do you mean if -- why would they have a low safety significance event that performs safety significant function? How did you conclude that?
MR. MORTON: Sorry, can you repeat your question?
MEMBER DIMITRIJEVIC: Okay. You just said that SSCs which are non-safety-related but perform safety significant functions, they will have lower safety significance. That's what you just said, right? That they just in category of low safety significance, right?
MR. MORTON: Right. So what I was saying
MEMBER DIMITRIJEVIC: So my question is, how did you conclude that non-safety-related SSCs which perform safety significant function will have lower safety significance?
MR. MORTON: Right. So, fundamentally, what that statement was getting to was that the top category bullet that you see there, that particular bullet refers to those safety-related SSCs that perform safety significant functions. Their functionality is more critical than a non-safety-related system, even if it performs a safety-related function.
For example, those would be those types of systems that would be within your protection system, your HPSI, LPSI, RPSI, reactor trip functions are more safety critical than a non-supported (phonetic) function, even if it performs a safety significant function. So we say that just to make it clear that we --
MEMBER DIMITRIJEVIC: Maybe this is something particular for the I&C, but that's absolutely not true for SSCs in the general. So if it perform safety significant function, then it's safety significant. Doesn't matter what is categorization when it comes to the safety or not safety-related.
So grouping those two in the low safety significant, I mean, I find that very strange, but it could be really particular to I&C, definitely not applicable to any other SSCs.
MEMBER BROWN: Can I make an observation?
MEMBER DIMITRIJEVIC: Yes.
MEMBER BROWN: And if I get this wrong, Wendell, tell me. There are -- when you go through 7-19, when you're evaluating CCS or other things that could compromise systems, you're allowed to take credit for non-safety systems that interact or can perform safety significant functions.
And that's the way I looked at that last line, after the and. So we do allow non-safety-related systems to be backups and --
MR. MORTON: That's correct.
MEMBER BROWN: -- that's part of the SRM --
MR. MORTON: That's correct.
MEMBER BROWN: -- from the Commission --
MR. MORTON: That's correct.
MEMBER BROWN: -- to perform safety significant functions. So that's why grouping, in my opinion, okay, only, I liked this restructuring of these, because they don't make them seem insignificant. They are kind of in that in-between set of categories. So I mean --
MR. MORTON: That's correct.
MEMBER BROWN: -- that's my understanding of the non-safety-related SSCs that do perform safety significance, they're not primary, but there are systems that are non-safety-related that do perform safety significant functions. Your rod control system
MR. MORTON: That's correct.
MEMBER BROWN: -- performs, it's a non-safety system, but it performs a safety significant function, it drives the rods in if you want them to.
MR. MORTON: Correct.
20 MEMBER DIMITRIJEVIC: Okay.
21 (Simultaneous speaking.)
MEMBER DIMITRIJEVIC: My point, and I don't want to go into particularity of the I&C structure, if this is -- obviously, this is based on these four categories from 50.69 CFR.
If that thing -- these non-safety systems which perform safety significant functions deserve a special treatment, which is not really, not the same treatment as safety-related systems that do not perform safety significant functions, so the special treatment for those systems which happen to be categorized as non-safety but they perform safety significant function separate from this category.
So I just want to point out, if this is based on the 50.69, 10 CFR 50.69 categorization, then it's not similar and it should not be grouped that way. If you have a separate reason to group it like that, then that should be well defined. That's my point. Because there -- okay. That's the point I want to make, all right?
MR. BENNER: And that's a very good point, because that is some of the discussion we had at the subcommittee, that the way we had structured this before looked too much like 50.69 categorization and that was causing confusion. So we have made this change to partially break away, that it was not intended to be a mirror of 50.69.
That being said, these descriptive terms, we know still offer not as much clarity as we would like, which is why in the BTP proper, under each of these categories, we have examples of what falls into each of these categories.
And I think in looking at those examples, it does become clear that the relative safety significance of, even though we're saying that a non-safety-related system performs a safety significant function, as we alluded to here, yeah, rod control falls into that category, because you would use it to drive rods in, and that's a good thing and very good. That is not as safety significant as having the function of being able to scram to get the rods in.
So it is an imperfect science, I guess I shouldn't even call it a science, but it's trying to recognize that, particularly for, as we do digital I&C systems to do all kinds of different things in the plant, the level of rigor with which we need to assess both the likelihood and the consequences of common-cause failure is partially dependent upon the overall safety significance of the system.
CHAIRMAN BLEY: This is Dennis Bley. And, Eric, not so much to you guys, to Vesna and Charlie, we've had years of bickering with these folks. They used to lay it out just like 50.69, and they had a piece of it that was, to me, very illogical.
They functions that were risk significant, but not safety-related, they treated as a lower level than things that were risk significant and safety-related, which made no sense to me.
They explained the way they grouped them, and that kind of made sense and you didn't have things that really fell in that other category. So this was a way to get out of that logic conundrum they had gotten themselves into. So I think it's pretty reasonable for I&C, given the way they define all of these. That's all I wanted to toss in.
MEMBER DIMITRIJEVIC: Thank you, Dennis. I mean, the thing is, maybe the problem is how they define safety significant function. If the rods drop when you -- driving rod inverses (phonetic) dropping them, it's a different function than that -- maybe they could do -- find a definition of the safety significant function, because as it says here, it doesn't really makes sense, it rings the bell that something is not using risk-informed insights.
CHAIRMAN BLEY: But as Eric said, they do it through their examples, and I think that works. So I think it's --
(Simultaneous speaking.)
MEMBER DIMITRIJEVIC: Okay.
CHAIRMAN BLEY: -- or we'll never get through.
MR. MORTON: Right. We provide examples, or I guess, characteristics, to better refine these terms, in the BTP itself, to address your question, Member.
MEMBER BROWN: Okay. Can we go on now?
MR. MORTON: Yes.
(Simultaneous speaking.)
MR. MORTON: So this slide is just a basic summary of how we define the D3 assessment, so it's really setting the stage for we considered the D3 assessment, making sure we refine it from the previous version of the document.
This information is essentially straight out of the BTP itself, just to kind of give an idea of what the D3 assessment is and how the safety significant determination plays a part in how you analyze a D3 assessment.
With regards to the previous slide, one of the reasons for the grouping, beyond just the characteristics of the individual SSCs is we grouped them to better organize the technical rigor needed for the analysis of the different SSCs.
As we've been talking about, different SSCs have different regulatory requirements on them and, therefore, that sort of directs you to the type of technical rigor necessary to address CCF for those different types of SSCs that may be inside of an application. Please go to slide number ten, Tekia. Thank you.
So the various D3 assessment methods that we have. And part of the effort for this particular revision is to provide a lot of flexibility for both the staff reviewer and an industry person that may be using this document to address CCF in a number of different ways. We didn't want to lock it down into one particular method, we wanted to provide a lot of flexibility to address that.
For example, we have had a number of different license successes through different applicants using these particular methods. For example, the recently certified APR1400 design essentially utilized all these categories to a certain degree. There was a full-blown D3 assessment. There's an automated diverse actuation system. They even did a thermohydraulic analysis for the balance plant-side (phonetic) would have a fully integrated digital system attached to it.
And there's other examples out there of different licensees that used different types and aspects of these methods, that have all varying forms of success that the staff has certified or approved.
And part of the D3 assessment in these various methods has been updated to reflect some of these successes we've had with our different licensing reviews, both in operating plant space and advanced reactor space as well.
One of the things I do want to also kind of reiterate, as far as the entire development process for the D3 assessment is that the staff does not prescribe specific design solutions for addressing CCF.
Our goal is to provide various avenues to do so, either something that's directly written within the BTP or if a licensee or applicant has their own particular unique solution, the staff is open to examining that as well. So we don't prescribe design solution.
There was one that we talked about with industry a while ago, when we started, and engaged them on the BTP and their concerns, there was one concern by industry that the staff was requiring an analog backup to be installed whenever you upgraded your RPS or ESS system for modification.
Definitely not true, the staff did not require a specific design solution, we leave that up to the applicant to determine that and we review it with the BTP.
Just wanted to kind of clarify a couple of those points to kind of highlight a lot of the lessons learned have been put into the D3 assessment to refine and improve it. Tekia, please go to slide number 11.
So the one aspect of those improvements, and this is germane to the previous slide we had about the safety significance determination, is that one such ability provided within this revision is to allow the use of a qualitative assessment to address CCF for those digital I&C systems and lines of lower safety significance.
We think this is a good refinement, because it leverages a technically adequate method to address CCF that's not specific to your RPS or ESS systems, but potentially other systems of lower safety significance.
So we wanted to leverage the technical content that was already on the books for us and is being used by industry right now as a means to address CCF. So that was brought into the mix for this BTP. If there's no questions on that, we'll go to slide 12.
And also for the spurious operation guidance, also something that was talked about in the previous revision, we took that previous information and based upon feedback received from industry and feedback from ACRS, as earlier I mentioned the letter from 2011 from ACRS about this concept, we refined it a little further and clarified not just the regulatory basis for it, but also put a specific focus on it.
Because one of the things we heard from industry as part of public comment and in terms of interaction in public meetings is that there was concern that it would be an unbounded type of evaluation or that you wanted a separate evaluation, when really, the guidance for spurious operation is really saying, hey, spurious operation is a potential outcome of a CCF, and for the staff to be cognizant this is a potentiality of a CCF and to make sure the design takes that into account as well.
This is consistent with what we did with Rev 7, we just made it a little more clear, specifically for the staff when you're looking at an individual design for it.
And for example, talking about licensing successes, the NuScale Chapter 7 review, APR1400 certification, both of these designs looked and analyzed, as part of their D3 assessments, spurious operation of both safety and non-safety-related SSCs to ensure that particular consequence was taken into account when postulating the CCF.
So successfully performing this aspect of an evaluation is something that has been done, and those lessons learned have also been incorporated within the BTP as well. If there's no questions on that, we'll go to slide number 13.
And just some additional items in draft Rev 8. We talk about positions for the SMR-SECY 087, we made some additional requirements for that position, also based upon a lot of public feedback and interaction we had, including the public comments.
Justification for not correcting system vulnerabilities, essentially providing alternative method to address CCF if you did not use other portions of the BTP. We made some additional refinements to that section to provide some more flexibility for an applicant to address CCF in a way that may not necessarily be described in the BTP.
So these sections were also updated as part of the BTP to refine it and provide more flexibility for the folks reading it and the folks who will use it. And if there's no question on that, we'll go to the next steps.
In terms of status and next steps, as I said earlier, the document is still under concurrence at this point, technically. The next step is we are looking for the ACRS letter of recommendation, hoping to get that.
And in terms of the next step after that, the OMB review and publication of final BTP Revision, we're predicting January 2020. Excuse me, 2021, excuse me, we're in 2020 now. And if you could go to slide 15?
That concludes my presentation. Does anyone have any questions for the ACRS members?
MEMBER BROWN: Yes, but I'll let other people speak first.
MR. MORTON: Okay.
MEMBER BROWN: Any other members have any comments? Well, I guess not, so I guess I'll have to stick my foot in the water here. The -- let me make sure I get this clear.
After -- I went through your revision and your corrections that you made subsequent to our last meeting, and I guess the one area, not with specifics, but it was a couple of the BTP sections, and I think it was, if I get specific, it's where you talk about combining, I think you lead in with the new systems, with the digital I&C systems, with their flexibility, that your ability to integrate and the interconnectivity can be much different from the analog systems.
And as a result, verifying potential CCFs are more challenging. And that was in background and in Section B.2.1.
MR. MORTON: Yes, that is correct.
MEMBER BROWN: And this is not personal comment, now, that I think they're more than just challenging, okay? Because you've eliminated, by combining them, you've literally eliminated two of the major considerations in defense-in-depth, redundancy and independence.
And you don't mention that, in terms of the overall discussion, that whatever else you do, the final determination should be that the reviewers, after they look at it, should verify that those redundant and independent architectures are maintained. You don't want to lose that defense-in-depth with whatever integration and connectivity that they do.
So the document in those sections doesn't really say anything of that last bit. And my personal opinion is that those couple of sections should, after you go through all the other stuff, to make sure that those particular defense-in-depth characteristics are not lost sight of when combining.
I'm not telling you not to combine, some things can be combined, probably. I say probably because you know what I would do, probably not do that ever. But not to be prescriptive about it, the reviewers, one of their main jobs is to not lose those two major and critical features of defense-in-depth.
So that's the first observation I would make relative to the revised document. And that's on the general combining.
The other part that gets missed in this, and I guess I would try to describe existing plants a little bit, and this is in the interconnections relative to communications. If you look at the last two design certifications we did, which were very -- hold on a minute, I had to cut off somebody, sorry.
MR. MORTON: I hope they don't mind.
MEMBER BROWN: No, I have to keep the phone on because of my wife's circumstances, so I zero everybody out, but I had to at least turn it off.
The outputs of all information out of the RTS and the ESFAS were sent to what I would call the non-safety actuation systems for ESFAS, whether your starting pumps are operating a valve or scramming, or not scramming, but driving the rods somewhere or what have you, and up to networks, were all done with one-way communications. It's a defense-in-depth issue.
And then, when they went into networks, it was one-way into those, and out of the networks, out to the rest of the business world, it was one-way. And that's a difference from today's, if you make those two-ways, that's different from today's plants. I mean, you effectively eliminate any defenses you have if those are bidirectional software-based.
And I don't care what you call them, but today's plants, it's all done through administrative means. Somebody comes into the site, they have to sign in if they're going to go fiddle with the I&C. Once they get in, they got to sign into the plant. Then, they got to go to the main control room. Then, they have to get the keys, et cetera, et cetera. And two people have to go down and fiddle with the stuff.
All that is a defense-in-depth, whether we want to call it something else or not, but it's under administrative control. The problem with the digital microprocessor-based systems is that all this nifty whipping data back and forth eliminates all of that defense-in-depth you have for that type of access.
That emphasis, both in the combining and in your normal, even if you don't combine them, output from the RTS and ESFAS systems up to the main control rooms or out to the rest of the world does not emphasize one-way communication devices -- it's bidirectional. You don't have to say how you do it, just as long as it's not software.
So those are the two weaknesses I see right now, after I went through all your changes. I was pretty pleased with most of the rest, I thought you all did a good job of incorporating various members' comments, not comments, excuse me, observations in previous meetings, but those two still kind of stuck out at the end.
So I plan on having a discussion with the members on that and we'll determine which way we would like to go, in terms of our response back on this particular, to try to clean this last BTP up and get the sucker out. Because like you, I think the important thing now is to get it out, with whatever imperfections it has.
So those are my two observations today. You already had those in form of a comment that I gave you previously.
MR. MORTON: Yes.
MEMBER BROWN: And I noticed that you really didn't do much with those. So that was it. Any other members have any other comments before I go to the phones?
MR. MORTON: Well, Member Brown, can I respond to you --
MEMBER BROWN: Oh, yeah --
MR. MORTON: -- real quick?
MEMBER BROWN: -- absolutely.
MR. MORTON: Okay, cool, before we go to the phones. We actually addressed that, in terms of your second point, in terms of the one-way data communications, we addressed that to a certain degree with a paragraph we added about defense-in-depth in terms of architectural defense-in-depth.
And we did add a few mentions about control of access, in reference to SRP Chapter 13.6.6, in Table 3 and Chart 7, because we recognized -- and I'll just read it, and you can look at page three of the BTP, we actually added a paragraph per some of your previous comments to address that point, that maintaining independence and redundancy, those aren't the only aspects of defense-in-depth.
We also talked about other things that contributed to it, in terms of control of access to physical, electronic, and software-based elements. We provided the reference to the other section of the SRP.
That's not necessarily something we get into as per this particular document, we do have a reference that points the reviewer in that direction, because we do recognize what you just said. That is something to consider when looking at a digital design.
MEMBER BROWN: What page did you -- you said page three?
MR. MORTON: Page three. If you go onto page three of the BTP, it's like the last paragraph, full paragraph.
MEMBER BROWN: Yeah, that's the one outlined in red, where it says, an overall architecture?
MR. MORTON: Yes.
MEMBER BROWN: And the only thing you said, really, was measures to control access to physical, electronic, and software-based elements that if tampered with could have adverse plant consequences.
MR. MORTON: Correct.
MEMBER BROWN: I would -- okay, I saw that, it just was not quite as definitive, in terms of -- various people have various -- they think they're so smart when they're doing these communications devices and that whatever they do is never going to be compromised by anybody. So the engineer software guys just love this stuff.
MR. MORTON: Understood, understood.
MEMBER BROWN: And the difference between bidirectional and one-way is pretty clear. And that does -- it's not prescriptive, but it's pretty clear, because there's no need to have somebody come in from anyplace else, electronically, into those two systems, other than going down to the cabinets and changing out a programmable read-only memory or adding new software into it under physical supervision.
There's just no reason. I mean, all communications out of those, even to do triggering of other devices in the plant, doesn't need to be bidirectional, if it's a software-type signal to other software-controlled systems.
MR. MORTON: Right.
MEMBER BROWN: And that was my point relative to, particularly in the way you phrase this, is that when you go from the higher safety significance, whatever the terminology is, now, I liked it, to the lower significant safety systems or lower significance systems, that's pretty clear.
And that took into account my thought processes, but we didn't manage to get the one-way directional stuff in there, just the general thought process.
So I see, I read the red thing and I looked through the preceding paragraph and there weren't many changes there. But we did get at least some of the architectural thought processes in.
MR. MORTON: Yes. And we understand and we are, to a degree, limited in this document, because that's not necessarily a D3 aspect per se. If you look in other documents like ISE-4 and other guidance documents that do a far better job of addressing those points, more than we can do here.
But we did have that reference there. But that was probably going in a direction that's a little beyond what we can do in terms of the BTP itself, because the subject matter is a little bit different. But we did want to make that reference to your point, but that's an important aspect to keep in mind. But we understand.
MEMBER BROWN: Okay. Anybody else have a response? Okay. Is the public line open yet?
MS. ANTONESCU: Thomas --
OPERATOR: Public line is open --
MEMBER BROWN: Thomas, yeah, Thomas --
OPERATOR: -- for comments.
MEMBER BROWN: -- I'm sorry. Is it open, I didn't hear you?
OPERATOR: Yes.
MEMBER BROWN: Okay. Is there anybody on the public line that would like to make a comment?
MR. SCAROLA: Excuse me, this is Ken Scarola. Are you accepting comments from the public?
MEMBER BROWN: Yes. Ken, are you there?
MR. SCAROLA: Hello? Yeah, I'm trying to make a comment, but I don't know if I'm piped in yet.
MEMBER BROWN: Yeah, Ken, we can hear you.
OPERATOR: Yeah, we can hear you, Ken.
MEMBER BROWN: But you hear us?
MS. ANTONESCU: We can hear you.
MEMBER BROWN: Ken?
MR. MOORE: Steve Vaughn, can you hear us?
MEMBER BROWN: Steve, can you hear us?
MR. VAUGHN: Yeah, we can hear you.
MR. MOORE: Okay, because we can hear you talking.
MEMBER BROWN: Okay. Steve, you're on the line, right? Excuse me?
MS. ANTONESCU: Thomas, can you cut off the line, please?
MEMBER BROWN: What happened here? I'm not a computer weenie on this part of it, who's --
MS. ANTONESCU: I think they were using the bridge line, they didn't feel they were on and they were talking among each other.
MEMBER BROWN: Yeah --
MR. MOORE: Right.
MEMBER BROWN: -- I got that. Thomas, is there a way to get the bridge line straightened out?
CHAIRMAN BLEY: Yeah, they could not hear us, apparently.
MEMBER BROWN: Yeah, that's what I got out of that, all of them, nobody could hear us.
MS. ANTONESCU: We still have Steve Vaughn from NEI. Steve, if you can connect on the MS invite that I sent you, maybe that's a better way, since we don't know yet about the bridge line, if we can open it.
MEMBER BROWN: Is Steve still on? Okay, he's not on. So --
MR. SCAROLA: Charlie, this is Ken Scarola, are you taking comments from the public?
MEMBER BROWN: Who's speaking?
MR. MOORE: It's Ken Scarola, I think.
MEMBER BROWN: He can't hear us --
MR. SCAROLA: Hello?
MEMBER BROWN: Ken, can you hear me?
MR. VAUGHN: Hey, real quick, this is Steve Vaughn from NEI. So everyone can hear the discussion, public stakeholder line discussion, they're trying to figure out how to tie us back into the meeting.
OPERATOR: They have to unmute themself with *6.
MR. SCAROLA: Okay.
MR. VAUGHN: So we'll just wait until they tie us back, and then they'll open for public comments.
OPERATOR: With *6.
MS. ANTONESCU: I don't think they can hear us either, I'm going to give Steve Vaughn a call again and let him know. *6, correct?
OPERATOR: That's correct.
MS. ANTONESCU: Okay.
MEMBER BROWN: Who just said that? Is that Thomas?
OPERATOR: That is Thomas.
MEMBER BROWN: Okay, thank you, Thomas.
OPERATOR: Okay.
CHAIRMAN SUNSERI: Thomas, this is Matt. Can we have a staff member just call in on the public line and tell them --
OPERATOR: For the members on the public line, you need to press *6.
CHAIRMAN SUNSERI: So this is Matt. What's going on? What are we doing?
MEMBER BROWN: Yeah, you've got me, Matt, I don't know.
OPERATOR: Matt, this is Thomas, can you hear me?
CHAIRMAN SUNSERI: Yes, I can hear you, Thomas.
MR. SCAROLA: Yes, Ken Scarola is on the public line.
MEMBER BROWN: Can you hear us?
OPERATOR: If you would like to make a comment --
CHAIRMAN SUNSERI: So, Thomas, can we -- I mean, we need somebody from our staff to call in on the public line and talk to those people and tell them we can hear them, but they can't hear us.
MS. ANTONESCU: I've already done that on a separate line, but the *6 isn't working either, they've already tried it.
MEMBER BROWN: Well, but we can hear them, so if you tell them to just go ahead and announce their names and give their comments, we'll hear it.
CHAIRMAN SUNSERI: Yes.
MS. ANTONESCU: But they won't be able to hear you back.
MR. MOORE: For members on the public line, this is Scott Moore, I'm the executive director. The members and the committee can hear you, but you cannot hear them. So if you want to make a statement, announce your name and then, go ahead and make your statement, they can hear you.
MR. VAUGHN: All right. Thank you, Scott. This is Steve Vaughn with the Nuclear Energy Institute. Can you hear me?
MS. ANTONESCU: Yes, we can hear you.
MR. MOORE: Yes, I can, and I'm moderating both lines.
MR. VAUGHN: Okay, thank you. Yes. So for the other public stakeholders that want to make comments, when I'm done, just press *6 and we'll kind of go in order as best we can. But again, thank you, my name is Steven Vaughn with the Nuclear Energy Institute.
And first off, I'd like to just say that I appreciate the opportunity to allow NEI and its members to participate in the three subcommittee meetings on BTP 7-19. It felt like those public discussions were great, we learned a lot. We were able to discuss technical comments and regulatory comments.
And I think the staff did incorporate a lot of those and we very much appreciate that. And we think the document has improved over the, let's see, it's been a year, year and a half, has shown lots of improvement. There's still a couple items that we don't agree on completely, and that's okay.
NEI did submit a comment letter in, let's see, mid-September, this month, to support a public meeting on this topic on September 24. So again another opportunity to have the industry and NEI provide their perspectives.
So one thing I would note that was I think a new comment, or new addition to the BTP, was the concept of active hardware components.
So just one thing, I know we're getting towards the end of the line here, where we really need this BTP to hit the streets so people can use it, I understand that is a concern and we're all about getting this document issued as soon as possible, but if there's an opportunity to clarify what is meant by an active hardware component, it could provide a little more clarity to folks who are going to submit license amendment requests to understand what the scope of what they need to do in addressing common-cause failures in I&C systems.
So I just -- one last comment, but again, appreciate the opportunity to participate over the last year and a half. We look forward to seeing the document being issued as soon as possible. Thanks.
MEMBER BROWN: Thank you, Steve, if you can hear me.
MR. SCAROLA: This is, yeah, this is Ken Scarola from Nuclear Automation Engineering. I have three comments, I hope you can --
MR. MOORE: We can hear you, Ken.
MR. SCAROLA: -- have the time for all three of them. Can everybody hear me okay?
MR. MOORE: Yes.
CHAIRMAN SUNSERI: Yes, we can.
MR. SCAROLA: Okay. So my first comment pertains to beyond-design-basis events versus design-basis events.
As stated in the BTP, CCFs due to design defects are beyond-design-basis events and they can be analyzed using best estimate methods. I completely agree with that.
And Section B.1.1 says best estimate methods include acceptance criteria that are less conservative than the acceptance criteria for design-basis events in the Final Safety Analysis Report. I also agree with that.
However, within the BTP, there are no actual acceptance criteria defined for D3 assessments, with the exception of the acceptance criteria for CCFs that are not mitigated. But those acceptance criteria are not less conservative, they are the same conservative, they are equally conservative to those that are in the FSAR and they should not apply to beyond-design-basis events.
Paragraphs B.3.b and B.5.c say the D3 analysis must demonstrate that the effects of unmitigated or unassessed CCFs are bounded by the FSAR criteria. But that should not be the case, because that's the same conservatism, that's not less conservatism, which is stated in Section B.1.1.
So the bottom line is the acceptance criteria for beyond-design-basis events should be less conservative than for design-basis events and the CCFs due to a design defect are beyond-design-basis events.
So right now this BTP is significantly more conservative than its prior versions, which allowed relaxed acceptance criteria for beyond-design-basis events, and the BTP is actually inconsistent within itself. So that's my first comment.
My second comment pertains to malfunctions related to hardware failures. And the guidance references various things, like NUREG-0800 and the single failure criteria to handle these things.
But in highly integrated digital systems, CCFs due to hardware malfunctions are much more likely than CCFs due to design defects. And hardware malfunctions are design-basis events, not beyond-design-basis events.
Therefore, they need to be analyzed very conservatively and they should not be analyzed with relaxed acceptance criteria. And this is because they are much more likely to occur within the lifetime of the plant.
And in highly integrated systems, as Charlie has identified, we tend to connect an awful lot of things together. And a hardware malfunction, a single hardware malfunction, can adversely affect many, many things concurrently if the systems are not properly designed to prevent that.
Therefore, I understand that the intent of this BTP is to focus on design defects, I'm simply pointing out that there is no sufficient guidance today to address CCFs due to hardware malfunctions in highly integrated digital systems. And the staff should be moving ahead with this additional guidance as soon as possible.
My third comment. Section B.1.1 says that LOOP does not need to be considered with other events if LOOP is the initiating event. LOOP, I mean loss of offsite power.
It's equally important that the D3 assessment does not need to consider the case where the initiating event is not loss of offsite power, for example, large break LOCA, but then there is subsequently a loss of offsite power.
This does need to be accounted for within the design-basis events in the FSAR. But it is an untenable beyond-design-basis event condition for a concurrent CCF. We just can't handle it. So it's equally important that the BTP identifies the case where the LOOP occurs first and when the LOOP occurs second, and we cannot handle this concurrent with any other event.
And I can tell you, having been involved with the design analysis for several AWLRs and for operating plants that have digital protection systems, none of these could mitigate a scenario with an accident concurrent with a loss of offsite power. We just can't do it. So I would hope that we can clarify that point.
Those are my three comments. Thank you.
MR. MOORE: Thank you. The committee heard all of those comments. Is there anybody else on the public line that would like to make any comments?
Thank you. That concludes the public comment period.
Thomas, you can close the public line.
CHAIRMAN SUNSERI: Thank you, Scott.
MR. MOORE: Sure.
MEMBER BROWN: Yeah, thank you, Scott, for being the intermediary there. Much appreciated.
Where are we? We finished the public comment, we've gone around the table, or the internet.
I presume we'll get those captured in the transcript, I couldn't write fast enough, and they'll be available for the staff to handle those? Did you all get them, Eric, or will be available to get them?
CHAIRMAN SUNSERI: It will be on the transcript, Charlie.
MEMBER BROWN: Is Eric still there? And/or Wendell?
MR. MORTON: Member Brown, this is Wendell. Yes, we did get them.
MEMBER BROWN: Okay. I couldn't write fast enough. So I'm not sure when we'll have the transcript, but those can be tossed into your hopper for consideration at some point.
MR. MORTON: Okay.
MEMBER BROWN: With that in mind, am I missing something? But it appears that we have completed this subcommittee meeting. And unless there are any other comments, one more shot? Hearing none, we will close the meeting. Matt, I presume we will be heading into the next section. I'll turn it back over to you.
CHAIRMAN SUNSERI: Okay, Charlie, thanks. Do you have a draft report prepared on this?
MEMBER BROWN: Yes, it's in the system, in there. I've got a few, as I go through it, I'll read the whole thing, but based on some of the stuff I was looking at last night and this morning, I will be taking at least one of the recommendations and discussion out, but we can do that easily at line-by-line.
CHAIRMAN SUNSERI: So are you prepared to do a read-in to the record of your letter now, the letter report?
MEMBER BROWN: Absolutely. I've got a hard copy printout of my own.
CHAIRMAN SUNSERI: We'll see if Sandra is on.
MEMBER BROWN: Can we take a five-minute break for some of the old guys?
CHAIRMAN SUNSERI: Yeah, we can do a five-minute break while we transition and get the letter up. But I'd like to read it in before the next session starts.
MEMBER BROWN: That should be easy.
CHAIRMAN SUNSERI: Okay.
MEMBER BROWN: It's only about 250 lines long, it's not hard.
CHAIRMAN SUNSERI: Okay. So we're going to break until 3:15, and we'll resume with the read-in of the draft letter, 3:15. Thank you.
(Whereupon, the above-entitled matter went off the record at 3:11 p.m.)
Draft Branch Technical Position 7-19, Revision 8
Advisory Committee on Reactor Safeguards Full Committee Meeting
NRC Staff Presentation
November 4, 2020
Agenda
- Objectives
- Topics within the draft BTP 7-19
- Summary of key changes
- Scope of the draft BTP 7-19
- Refinements based on ACRS feedback
- Safety significance
- D3 Assessment
- Additional Items in the draft BTP 7-19
- Status and next steps
Objectives
- Present key changes made in the draft BTP 7-19, Rev. 8, in response to comments provided by external stakeholders and the ACRS subcommittee.
- Obtain ACRS recommendation letter.
Topics in BTP 7-19, Revision 8
- Scope of the BTP
- Safety Significance Determination
- Defense-in-Depth and Diversity (D3) Assessment
- Means to Eliminate CCF from Further Consideration
- Diverse Means to Mitigate CCF
- Evaluation of Event Consequences for Coping with CCF
- Qualitative Assessment
- Spurious Operation
- Manual Action Means to Address Position 4 in SRM-SECY-93-087
- Justification for Not Correcting Specific Vulnerabilities
Summary of Key Changes
- Emphasized that guidance is directed to staff reviewers
- Added guidance and technical refinements for:
  - Failure types considered in BTP 7-19
  - Latent design defect
  - Safety significance determination scheme
  - Qualitative assessment guidance
  - Spurious operation guidance
- Consolidated technical guidance and acceptance criteria to perform the D3 Assessment.
- Performed other improvements for readability and organization.
Scope of draft BTP 7-19, Revision 8
Clarified and improved guidance to NRC staff for the evaluation of defense-in-depth and diversity (D3) for proposed digital I&C systems in accordance with the high level principles provided by the Commission in the SRM to SECY 93-087.
Refinements based on ACRS Feedback
- Improved discussion on DI&C architectural considerations while maintaining defense-in-depth.
- Improved lead-in discussions in each section of the BTP.
- Added discussion clarifying echelons of defense and overall defense-in-depth concept.
- Refined the connectivity between major sections to improve logic flow and readability.
Safety Significance Determination
- High Safety Significance: Safety-related SSCs that Perform Safety-Significant Functions.
- Lower Safety Significance: Safety-Related SSCs that Do Not Perform Safety-Significant Functions and Non-safety-related SSCs that Do Perform Safety-Significant Functions.
- Lowest Safety Significance: Non-safety-related SSCs that Do Not Perform Safety-Significant Functions.
D3 Assessment
- A D3 assessment is a systematic approach an applicant uses to analyze the proposed design of a DI&C system for CCFs that can occur concurrently within a redundant design, such as within two or more independent divisions.
- A safety significance determination (i.e. graded) approach could be used to select methods to perform a D3 assessment, including any categorization of proposed DI&C SSCs based on the safety significance of the functions performed by the proposed DI&C SSCs.
D3 Assessment - Methods
- Identified means to eliminate CCF from further consideration using design attributes: diversity, testing, or qualitative assessment; or
- Identified means to prevent or mitigate the effects of CCFs; or
- Identified strategy to cope with CCFs by evaluating if the consequences due to CCF remain within acceptable limits; or
- A combination of the above or a different proposed solution by the licensee/applicant (alternative methods).
D3 Assessment - Qualitative Assessment
- Considered a less technically-rigorous type of a D3 assessment for purpose of this BTP.
- Qualitative assessment can only be used for low safety significance systems
- CCF removed from further consideration if found sufficiently low
- Defined what constitutes a Qualitative Assessment.
- Using factors in the aggregate to demonstrate likelihood of failure (i.e. CCF due to latent defect) remains acceptable
- Supporting failure and consequence analysis (e.g. FMEA, FTAs, etc.)
- Provided staff guidance and acceptance criteria.
D3 Assessment - Spurious Operation
- Provided background information in Section 3 to consider spurious operation while evaluating a D3 assessment.
- Clarified regulatory basis of spurious operation.
- Spurious operations as a result of CCFs originating from latent design defects are within the scope of this BTP
- Focused the staff guidance on integrated systems.
- Integrated acceptance criteria into relevant subsections within the review guidance of the D3 assessment.
Additional Items in Draft Revision 8
- Manual Action Means to Address Position 4 in SRM-SECY-93-087.
- Clarified staff guidance on the use of displays and manual controls to monitor, control and actuate critical safety functions from the main control room
- Justification for Not Correcting Specific Vulnerabilities.
- highlighted the possible use of alternative methods to not address specific CCF vulnerabilities
- Emphasized that justifications would be reviewed on a case-by-case basis only
Status and Next Steps
- ACRS letter of recommendation
Questions
Acronyms
- ACRS: Advisory Committee on Reactor Safeguards
- BTP: Branch Technical Position
- CCF: Common Cause Failure
- D3: Defense-in-Depth and Diversity
- DI&C: Digital Instrumentation and Control
- OMB: Office of Management and Budget
- SECY: NRC Office of the Secretary to the Commission
- SRM: Staff Requirements Memorandum
- SSC: Structures, Systems, and Components
Background Information
SRM to SECY-93-087
1. The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.
2. In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best-estimate methods. The vendor or applicant shall demonstrate adequate diversity within the design for each of these events.
3. If a postulated common-mode failure could disable a safety function, then a diverse means with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a nonsafety system if the system is of sufficient quality to perform the necessary function under the associated event conditions.
4. A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in Items 1 and 3 above.
SECY-18-0090 - Five Guiding Principles
1. Applicants and licensees for Production and Utilization Facilities under 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, or under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, should continue to assess and address CCFs due to software for DI&C systems and components.
2. A defense-in-depth and diversity analysis for reactor trip systems and engineered safety features should continue to be performed to demonstrate that vulnerabilities to a CCF have been identified and adequately addressed. In performing this analysis, the vendor, applicant, or licensee should analyze each postulated CCF for each event evaluated in the accident analysis section of the safety analysis report. This defense-in-depth and diversity analysis can be either a best estimate analysis or a design-basis analysis.
3. This analysis should also be commensurate with the safety significance of the system. An analysis may not be necessary for some low-significance I&C systems whose failure would not adversely affect a safety function or place a plant in a condition that cannot be reasonably mitigated.
Five Guiding Principles continued
4. If a postulated CCF could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same CCF, should perform either the same function or a different function. The diverse or different function may be performed by either a safety or a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions in a reliable manner. Use of either automatic or manual actuation within an acceptable time frame is an acceptable means of diverse actuation. If the defense-in-depth and diversity analysis demonstrates that a CCF, when evaluated in the accident analysis section of the safety analysis report, can be reasonably mitigated through other means (such as with current systems), a diverse means that performs the same or a different function may not be needed.
5. The level of technical justification needed to demonstrate that defensive measures (i.e., prevention and mitigation measures) are adequate to address potential CCFs should be commensurate with the safety significance of the DI&C system. For the systems of higher safety significance, any defensive measures credited need technical justification that demonstrates that an effective alternative to internal diversity and testability has been implemented.