ML21029A328

| Person / Time | |
|---|---|
| Issue date: | 01/25/2021 |
| From: | Christina Antonescu, Advisory Committee on Reactor Safeguards |
| To: | Charles Brown, Advisory Committee on Reactor Safeguards |
| Author: | Antonescu C |
UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, DC 20555-0001

January 25, 2021

MEMORANDUM TO: Charles H. Brown, Chair, Digital I&C Systems Subcommittee

FROM: Christina E. Antonescu, Senior Staff Engineer /RA/, Reactor Safety Branch, Advisory Committee on Reactor Safeguards

SUBJECT: ANALYSIS OF NRR RESPONSE TO ACRS LETTER ON NUREG-0800, BRANCH TECHNICAL POSITION 7-19, "GUIDANCE FOR EVALUATION OF DIVERSITY AND DEFENSE-IN-DEPTH IN DIGITAL COMPUTER-BASED INSTRUMENTATION AND CONTROL SYSTEMS," REVISION 8

Attached is a copy of the December 18, 2020, Office of Nuclear Reactor Regulation (NRR) response to the November 23, 2020, Advisory Committee on Reactor Safeguards (ACRS) letter on the Final Draft Revision 8 of Standard Review Plan (NUREG-0800), Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems." A copy of the Committee's letter is also attached.
Committee Letter

In its November 23, 2020, letter, the Committee provided the following recommendations:

1. BTP 7-19, Revision 8 should be issued subsequent to incorporation of Recommendations 2 and 3.

2. Sections A and B.2.1 discuss the combining or integrating of the Reactor Trip System (RTS) and Engineered Safety Features Actuation System (ESFAS) and associated communications architectures into a single protection system. This approach challenges two critical defense-in-depth and diversity (D3) elements, redundancy and independence. The BTP should ensure that reviewers verify these fundamental architecture principles are maintained.

3. Section B.2.1 should ensure that interconnections between High Safety-Significance systems and those of Lower Safety-Significance are one-way, uni-directional digital communication devices rather than bi-directional communication devices (which reduce independence and defense-in-depth) to preclude compromise of High Safety-Significance Systems.
CONTACT: Christina Antonescu, ACRS 301-415-6792
NRR Response

The NRR response stated that the staff agrees overall with the Committee's recommendations.

In addition, the U.S. Nuclear Regulatory Commission (NRC) staff discussed some specific issues on final draft BTP 7-19 Rev. 6 that were of particular interest to the ACRS:
On ACRS Recommendation 2, the staff incorporated the ACRS recommendation in Section B.2.1 of BTP 7-19, Revision 8, to emphasize to the staff reviewer that reductions in design elements such as independence and redundancy can adversely affect the defense-in-depth of a plant. The staff also revised the Background section of BTP 7-19, Revision 8, to highlight other design elements (and associated NRC guidance) that can contribute to defense-in-depth, such as predictable, real-time (deterministic) processing and automated self-testing features. However, design elements such as redundancy and independence are addressed by requirements and guidance documents that are primarily outside the scope of BTP 7-19.
Regarding ACRS Recommendation 3, BTP 7-19, Revision 8, is guidance for staff reviewers and cannot prescribe or impose specific design requirements such as those described in this recommendation, which concerns potential interconnections between systems of higher and lower safety significance that pose potential hazards to the systems of high safety significance. Requirements and guidance that govern the design of interconnections between systems (e.g., to ensure uni-directional communication) are addressed outside of BTP 7-19, such as in Regulatory Guide (RG) 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," and RG 5.71, "Cyber Security Programs for Nuclear Facilities."
Analysis

I believe the NRR letter did not respond to all the specific recommendations in the ACRS letter of November 23, 2020, concerning final draft BTP 7-19 Rev. 8.
In particular, Recommendation 2: The integration of the two major safety systems, RTS and ESFAS, challenges redundancy and independence, two of the main elements of defense-in-depth, and potentially degrades reliability and fail-safe operation. In addition, integrating communications significantly compromises independence and the assurance that critical data are not placed in a priority chain, thus compromising transmission to critical safety features. NUREG/CR-6303, "Method for Performing Diversity and Defense in Depth Analyses of Reactor Protection Systems," issued December 1994, describes defense-in-depth for nuclear power plants and identifies the normal reactor control systems, the RTS, the ESFAS, and the reactor monitoring and indication systems as individual echelons of defense. The BTP sections discussing the combining or integrating of the RTS and ESFAS and associated communications architectures into a single protection system should ensure that reviewers verify their redundant and independent architectures are maintained.
Recommendation 3: In the November 2019 version of the draft BTP, Section B.2.2 emphasized that interconnections between High Safety-Significance systems and those of Lower Safety-Significance should be accomplished through the use of one-way digital communication devices rather than bi-directional communication devices (which reduce independence and defense-in-depth), to ensure that failures in lower-significance systems do not compromise High Safety-Significance systems. This emphasis has been deleted in all later versions of the draft BTP. Instead, the BTP states that, per SECY-18-0090, "Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Controls," a D3 assessment is used to demonstrate that failures due to software, or failures propagated through connectivity, cannot result in a failure to perform safety functions or in adverse plant conditions that cannot be reasonably mitigated. The SECY makes no mention of communication other than the single vague word "connectivity." The October 2020 version of the draft BTP, Section B.2.1, "System Integration and Interconnectivity," should ensure that interconnections between High Safety-Significance systems and those of Lower Safety-Significance are one-way, uni-directional digital communication devices rather than bi-directional communication devices.
One-way digital communications between High Safety-Significance systems and Lower Safety-Significance systems are key to maintaining redundancy and independence, and are a critical defense-in-depth attribute and defensive measure for mitigating common cause failures (CCFs).
These two areas of concern, and the associated recommendations, were noted in the ACRS letter of November 23, 2020; the staff did not incorporate them, which was intended to ensure that the critical defense-in-depth measures of redundancy and independence, used to eliminate and mitigate CCFs, are not compromised.
Also, the NRC does not really cover Control of Access and uni-directional/digital communication outside BTP 7-19 in RG 1.152 (design review), but rather in RG 5.71, where cybersecurity is considered as a programmatic review under Title 10 of the Code of Federal Regulations (10 CFR) 73.54. However, cybersecurity and other security controls, which are applied to the later phases of the lifecycle that occur at a licensee's site (i.e., site installation, operation, maintenance, and retirement), are not part of the 10 CFR 50 licensing process (design review) and fall under the purview of other licensee programs under 10 CFR 73.54.
For example:

Rev. 3 of RG 1.152, Page 8, states: "Other NRC staff positions and guidance govern uni-directional and bi-directional data communications between safety and non-safety digital systems."

Rev. 3 of RG 1.152, Page 9, refers to RG 5.71, noting that it describes an acceptable defensive architecture to comply with 10 CFR 73.54: "The architecture described in the guidance would have licensees place all digital safety systems in the highest level of their defensive architecture and only permit one-way communication (if any communication is desired) from the digital safety system to other systems in lower levels of the defensive architecture. Licensees should be aware that Section B.1.4 of Appendix B to RG 5.71 notes that one-way communications should be enforced using hardware mechanisms."

RG 5.71 also states: "Only one-way data flow is allowed from Level 4 to Level 3 and from Level 3 to Level 2," and "Initiation of communications from digital assets at lower security levels to digital assets at higher security levels is prohibited."
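The quoted RG 1.152 and RG 5.71 positions amount to a small set of checkable rules over a defensive architecture: safety systems sit at the highest level, data crosses levels only one way (from higher to lower), lower-level assets never initiate toward higher-level assets, and one-way paths are enforced in hardware. The following is an added example, not code from the memo, from NRR, or from any NRC guidance, that encodes those four rules as a design-review checker and runs it over a constructed interconnection list. The level numbering (Level 4 as the highest), the asset names, and the links are assumptions made up for the example; it also generalizes the quoted "Level 4 to Level 3 and Level 3 to Level 2" wording to "any higher level to any lower level."

```python
"""Defensive-architecture checker for the one-way communication rules quoted in the memo.

Constructed example. Rules encoded (as paraphrased from the quoted RG 1.152 / RG 5.71 text):
  1. Digital safety systems must be placed at the highest defensive level.
  2. Data crossing levels may only flow one way, from a higher level to a lower level.
  3. Assets at a lower level must not initiate communication toward a higher level.
  4. One-way cross-level communication should be enforced by a hardware mechanism.
HIGHEST_LEVEL, the asset names and the sample links are assumptions for this example.
"""
from dataclasses import dataclass

HIGHEST_LEVEL = 4  # assumption: Level 4 is the highest level of the defensive architecture


@dataclass(frozen=True)
class Asset:
    name: str
    level: int            # defensive level; higher number = more protected
    safety_system: bool   # True for a digital safety system (RTS/ESFAS-class)


@dataclass(frozen=True)
class Link:
    src: str                 # asset that sends data
    dst: str                 # asset that receives data
    bidirectional: bool      # True if data can flow both ways over this path
    initiated_by: str        # asset that opens the connection
    hardware_enforced: bool  # one-way direction enforced by hardware (e.g., a data diode)


@dataclass(frozen=True)
class Finding:
    code: str     # short rule identifier, stable for tooling
    subject: str  # asset or link the finding applies to
    detail: str   # human-readable explanation


def check_architecture(assets, links):
    """Return a list of Findings; an empty list means the design satisfies all four rules."""
    by_name = {a.name: a for a in assets}
    findings = []

    # Rule 1: safety systems at the highest level.
    for a in assets:
        if a.safety_system and a.level != HIGHEST_LEVEL:
            findings.append(Finding("SAFETY_NOT_HIGHEST", a.name,
                                    f"digital safety system at Level {a.level}, expected Level {HIGHEST_LEVEL}"))

    for link in links:
        src, dst, initiator = by_name[link.src], by_name[link.dst], by_name[link.initiated_by]
        if src.level == dst.level:
            continue  # links within one level are outside the quoted rules
        high_level = max(src.level, dst.level)
        subject = f"{link.src}->{link.dst}"

        if link.bidirectional:
            # Rule 2: no bi-directional path across levels at all.
            findings.append(Finding("BIDIRECTIONAL", subject,
                                    f"bi-directional path between Level {src.level} and Level {dst.level}"))
        else:
            # Rule 2: the single direction must point downward.
            if src.level < dst.level:
                findings.append(Finding("UPWARD_FLOW", subject,
                                        f"data flows from Level {src.level} up to Level {dst.level}"))
            # Rule 4: one-way paths need a hardware mechanism, not just configuration.
            if not link.hardware_enforced:
                findings.append(Finding("NO_HW_ENFORCEMENT", subject,
                                        "one-way direction not enforced by a hardware mechanism"))

        # Rule 3: the initiator must be the higher-level side.
        if initiator.level < high_level:
            findings.append(Finding("LOWER_INITIATES", subject,
                                    f"{initiator.name} (Level {initiator.level}) initiates toward Level {high_level}"))
    return findings


# Constructed sample design: two safety systems, a plant computer, a historian, and one
# safety controller deliberately misplaced at Level 3 to exercise Rule 1.
SAMPLE_ASSETS = [
    Asset("RTS", 4, True),
    Asset("ESFAS", 4, True),
    Asset("plant-computer", 3, False),
    Asset("historian", 2, False),
    Asset("misplaced-safety-ctrl", 3, True),
]
SAMPLE_LINKS = [
    Link("RTS", "plant-computer", bidirectional=False, initiated_by="RTS", hardware_enforced=True),          # compliant
    Link("plant-computer", "historian", bidirectional=False, initiated_by="plant-computer",
         hardware_enforced=False),                                                                          # software-only one-way
    Link("historian", "ESFAS", bidirectional=False, initiated_by="historian", hardware_enforced=True),       # upward, lower initiates
    Link("plant-computer", "RTS", bidirectional=True, initiated_by="plant-computer", hardware_enforced=False),  # bi-directional into safety
]

if __name__ == "__main__":
    for f in check_architecture(SAMPLE_ASSETS, SAMPLE_LINKS):
        print(f"{f.code:20} {f.subject:32} {f.detail}")
```

Each finding maps to one quoted position, so a reviewer can cite the governing guidance per item; the compliant RTS-to-plant-computer link produces nothing, while the software-only one-way link is flagged even though its direction is correct, which is the distinction Section B.1.4 of Appendix B to RG 5.71 draws.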
The Committee should talk further and determine if they want additional actions on these two issues.
Enclosure: As stated

cc (via e-mail): ACRS Members, S. Moore, L. Burkhart

OFFICE: ACRS/TSB*  NAME: CAntonescu  DATE: 01/29/21