Text

UNITED STATES NUCLEAR REGULATORY COMMISSION ADVISORY COMMITTEE ON REACTOR SAFEGUARDS WASHINGTON, DC 20555 - 0001 April 14, 2021 The Honorable Christopher T. Hanson, Chairman U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001

SUBJECT:

SUMMARY

REPORT - 683rd MEETING OF THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS, MARCH 3-5, 2021

Dear Chairman Hanson:

During its 683rd meeting, March 3-5, 2021, which was conducted virtually due to the COVID-19 pandemic, the Advisory Committee on Reactor Safeguards (ACRS) discussed several matters. The ACRS completed the following correspondence:

LETTER REPORTS Letter Report to Christopher T. Hanson, Chairman, U.S. Nuclear Regulatory Commission (NRC), from Matthew W. Sunseri, Chairman, ACRS:

Uni-directional Communications (Not Implemented in Software) from High Safety to Lower Safety Systems and Internal Plant to External Systems Connected to the Internet, dated March 31, 2021, Agency-wide Documents Access and Management System (ADAMS)

Accession No. ML21085A014 NRC Human Reliability Methods, dated March 30, 2021, ADAMS Accession No. ML21076A421 MEMORANDA Memoranda to Margaret M. Doane, Executive Director for Operations (EDO), NRC, from Scott W. Moore, Executive Director, ACRS:

Documentation of Receipt of Applicable Official NRC Notices to the Advisory Committee on Reactor Safeguards for March 2021, dated March 25, 2021, ADAMS Accession No. ML21067A654 Regulatory Guide, dated March 25, 2021, ADAMS Accession No. ML21067A662

C. Hanson HIGHLIGHTS OF KEY ISSUES

1. Uni-directional Communications (Not Implemented in Software) from High Safety to Lower Safety Systems and Internal Plant to External Systems Connected to the Internet In the Committees recent letter report of November 23, 2020, describing the review of branch technical position (BTP) 7-19, Revision 8, Guidance for Evaluation of Defense-in-Depth and Diversity to Address Common Cause Failure Due to Latent Defects in Digital Safety Systems, the Committee noted that the earlier November 2019 version of the draft BTP, Section B.2.2, emphasized that interconnections between High Safety Significance systems and those of Lower Safety-Significance should be accomplished through the use of one-way digital communication devices rather than bi-directional communication devices that reduce independence and defense-in-depth. This requirement would have ensured that external plant access and compromised software in Lower Safety Significance systems and in-plant networks do not compromise High Safety-Significance systems. This language was deleted in all later versions of the draft BTP.

As a result, the Committee recommended that Section B.2.1 be revised to ensure that interconnections between High Safety-Significance systems and those of Lower Safety-Significance are one-way, uni-directional (not implemented in software) digital communication devices. Based on the Committees recent reviews of NuScale and APR-1400, both applicants adopted this approach in the design of their digital instrumentation and control (DI&C) systems.

The staffs response to the Committees letter disagreed stating that BTP 7-19, Revision 8, is guidance for staff reviewers and cannot prescribe or impose specific design requirements such as those described in our recommendation. The Committee strongly disagrees that its recommendation imposes a specific component design.

Allowing the use of computer-based DI&C architectures and networks configured for bidirectional data communication using software, threatens control of access and compromises independence and defense-in-depth. It compromises plant safety by leaving High Safety Significance systems open to the kinds of attacks that have seriously impacted other industries and government agencies.

Committee Action The Committee issued a letter on March 31, 2021, with the following conclusion and recommendation:

Commission direction is needed for the staff to assure, during design reviews, that only unidirectional hardware-based data communications mechanisms (not implemented in software) are used when there are communications between High Safety-Significance systems and those of Lower Safety-Significance. Consistent with the Be riskSMART initiative, guidance to the staff in this area would help the staff avoid a case where regulations provide flexibility, but overly rigid interpretation can be detrimental. In other words, this would ensure, at the design review stage, there is not a backdoor or software deficiencies within in-plant networks and systems that can be exploited by internet connected sources resulting in access to in-plant systems and networks. This ensures that independence, redundancy, and defense-in-depth are not compromised.

C. Hanson 2. NRC Human Reliability Methods In a November 8, 2006 Staff Requirements Memorandum (SRM), resulting from the October 20, 2006 meeting with the ACRS, the Commission directed the Committee to "work with the staff and external stakeholders to evaluate the different Human Reliability models in an effort to propose either a single model for the agency to use or guidance on which model(s) should be used in specific circumstances."

Over the years, the Committee held a series of subcommittee meetings on draft and final reports covering the cognitive basis for human reliability analysis (HRA), a method for HRA of nuclear power plants atpower internal events, and early drafts of the Integrated Human Event Analysis System general methodology, IDHEASG.

IDHEAS-G IDHEAS-G presents the overall general framework that has been needed for providing a scientific underpinning to HRA models, a general structure that can be applied to any human activity, and an understanding of how to organize a coherent description and analysis of human actions in complex environments. It fills an important gap in the current state of HRA. It enhances the ability to analyze scenarios from the perspective of the cognitive and collaborative challenges they pose. The staff developed important links to the cognitive and behavioral literature in their Cognitive Basis Document and in IDHEAS-DATA. They received substantial help from a number of reviewers to integrate knowledge of the collaborative performance of teams and probabilistic risk assessment (PRA)-related ideas, such as modeling of available time, modeling dependency between human failure events, and treatment of uncertainty. It appears that the authors addressed most of the concerns raised by reviewers, trial users, and the ACRS. With a few exceptions, the current version of the report is well-structured and organized to force analysts to consider the important issues in human performance.

The discussion of the cognition model in Chapters 2 and 3 is comprehensive and is supported by the Cognitive Basis Document. It is important information to understand, before attempting to use the HRA process of Chapter 4. The HRA process is straightforward, derived from the best of previous methods and includes four stages: scenario analysis, modeling of important human actions, human error probability quantification, and integrative analysis. The text thoroughly explains what is to be done in each stage. The emphasis on various types of context is an expansion and clarification of previous methods. The focus on qualitative analysis with the associated narratives is an improvement directed by the results of the international and U.S.

empirical studies performed to support the SRM-directed objectives. The report contains thirteen appendices that provide useful background information, guidance on selected issues, and illustrative examples. The staff discussed with the Committee three sources of variability in HRA results: uncertainties in the scenario, analysts practices, and HRA methods. IDHEAS-G provides strong guidance to control the last two sources of variability. It also provides an approach to help control variability caused by uncertainties in the scenario, which can have major impact on the analysis. This comes in the way of searching for and identifying deviation scenariosboth changes in the physics assumptions of the PRA that can affect human performance (through a mismatch of procedures and training against the actual scenario) and changes in the progression as a result of particular human actions.

The supplemental report, IDHEAS-DATA, is expected to support many of the assumptions asserted in IDHEAS-G and will provide a source of data and information to assist in the quantification of IDHEAS-G derived models.

C. Hanson REMAINING ISSUES IN THE IDHEAS-G REPORT There is an issue of presentation in Chapter 2, Cognition ModelCognitive Basis Structure, of the report that should be correctedeither by changing the text or by improving the accompanying figures. The Committee prefers the latter. In many places, the text claims that the associated figures show how elements (such as cognitive activities, processors, and cognitive mechanisms) are linked. The figures do not show such links. It appears that someone simplified the figures, but not the language. The Cognitive Basis Document actually does illustrate such linkages.

The report makes two strong assumptions: 1) there are three base PIFs that affect human error probabilities significantly more than other modification performance influencing factors (PIFs), and 2) a linear combination of PIF effects is appropriate for multiple PIFs. The basis for these two assumptions is lacking and must be provided, either in this report or in IDHEAS-DATA.

ISSUES IN THE SUPPORTING AND DERIVATIVE REPORTS The supporting and derivative reports have not yet been subjected to the rigorous peer reviews that were done for IDHEAS-G. Before they are issued as NUREG reports, peer review is essential.

IDHEAS-DATA promises to be an important element supporting IDHEAS--G and the derivative methods. However, it remains in rough condition, is difficult to parse, and does not yet provide the needed justification for the two strong assumptions discussed above. It brings together data developed from an extensive review of the literature and nuclear plant training data from the SACADA program and other sources. The data and report are currently under review by a national laboratory.

IDHEAS-ECA and IDHEAS-FLEX were both issued as Research Information Letters (RILs), as the staff explained, to get the methods out to the staff and industry trial users. Neither has been subjected to peer review, but licensee and owners group representatives participated in the FLEX trials. ECA has had favorable reviews by users. While issuing the reports quickly as RILs was a reasonable approach, they will have lasting value only if peer reviewed and revised to be consistent with other reports in the series.

IDHEAS-ECA. The Committee has not performed a review of this report. After it is updated based on comments from trial users, the Committee would like to review it. However, from initial discussions with the staff and demonstrations provided by them, the Committee has some concerns. When an analysis that requires detailed understanding of the scenarios to be analyzed is automated, computer prompts should be provided to ensure the analyst is consciously making informed decisions consistent with the principles of IDHEAS-G. The Committee is not sure how thoroughly such prompts have been implemented. One of the more creative tasks is the search to identify possible deviation scenarios that can change the PRA model and lead to more error-prone situations. This and similar elements of the general methodology may have been short-circuited. Also, it appears that some data are embedded in the code; this needs to be examined to ensure it accounts for scenario-specific aspects of human performance. The data embedded in the computer code need to be justified and may require adjustments, after the data report is revised. Simplifications of the cognition model and new rules to help analysts move quickly need to be justified and reviewed.

C. Hanson IDHEAS-FLEX. There is no direct connection between Volumes 1 and 2 of the FLEX reports.

Rather than a comparison of using expert elicitation (Volume 1) and ECA (Volume 2) to model and quantify FLEX actions, the reports document work performed years apart and do not address the same situations. No direct comparisons are possible. There was an important lesson learned from the analyses. It had been hoped that a limited set of crew failure modes and PIFs would be found for FLEX actions. That was not the case. The PIFs were found to be scenario-specific, rather than FLEX-specific.

The expert elicitation work in Volume 1 has a number of flaws. First, the method used to combine probability distributions is wrong. The report cites a staff White Paper on using expert elicitation. That paper is very good, but its recommendations are ignored. Substantial changes will be required if the report is to be reissued as a NUREG document. The RIL suggests that one either uses data or uses expert judgment. Actually, it is best to use both. First, there is no objectively appropriate data, some tempering with judgment is always needed. Second, if judgment is used in the absence of data, Bayesian updating is appropriate as data accumulate.

Again, we use both judgment and data, rather than either/or. There are methods to ensure that overly restrictive initial probability distributions (priors) are not overriding the accumulating data.

There also seems to be a disconnect between Volume 1 and IDHEAS-G in that the cognition model language of IDHEAS-G (macro-cognitive functions names) is not used. That also could be an issue of timing, but should be updated, if the reports are reissued. Many of the geometric mean calculations in Appendix D are incorrect, but rather than correcting them, the approach for combining distributions should be revised.

Committee Action The Committee issued a letter on March 30, 2021, with the following conclusions and recommendations:

IDHEAS-G meets the primary intent of the 2006 Commission SRM, as a single HRA model for the agency to use.

The derived detailed application methods are expected to meet the intent of the Commission direction in the SRM for guidance on which model(s) should be used in specific circumstances.

IDHEAS-G should be issued after further editing to clarify presentation problems identified in the discussion that follows.

IDHEAS-FLEX Volumes 1 and 2 are not yet ready to be re-issued as a set of NUREG reports.

IDHEAS-DATA will be important to the general model but requires further work and peer review.

IDHEAS-ECA provides a specific derived application. It should be updated periodically to reflect user feedback and to synchronize with model and guidance refinements. Peer review is needed.

C. Hanson 3. INFORMATION BRIEFING ON NEW REGULATORY GUIDE 1.240, FRESH AND SPENT FUEL CRITICALITY ANALYSES The Committee was briefed by the NRC staff on a proposed new regulatory guide on fresh and spent fuel criticality analyses. The Committee decided that no letter would be written on this topic.

Member Rempe recused herself from these discussions due to a possible conflict of interest.

4. INFORMATION BRIEFING ON PARTS 50 AND 52 RULEMAKING ACTIVITIES NRC staff members briefed the Committee on the status of Part 50 and Part 52 rulemaking activities.

5. INFORMATION BRIEFING ON THE DEPARTMENT OF ENERGYS GATEWAY FOR ACCELERATION INNOVATION IN NUCLEAR (GAIN) AND ADVANCED REACTOR DEMONSTRATION PROGRAM (ARDP)

Department of Energy representations briefed the Committee on the GAIN and ARDP initiatives. NRC representatives also provided presentations on NRCs role in these activities.

6. INFORMATION BRIEFINGS ON BE RISKSMART AND EMBARK VENTURE STUDIO ACTIVITIES With the goal of keeping abreast of transformation activities being undertaken by the NRC Staff, representatives from the staff provided updates to the Committee on efforts associated with the Be RiskSMART initiative and the efforts associated with the Embark Venture Studio.

7. DISCUSSIONS AT THE PLANNING AND PROCEDURES SESSION The Committee discussed the Full Committee and Subcommittee schedules through July 2021 as well as the planned agenda items for Full Committee meetings.

The ACRS Executive Director also led a discussion of significant notices issued by the Agency since the last Full Committee meeting in February 2021 (this activity is documented in the memorandum dated March 25, 2021).

The Committee discussed recommendations on review of a final regulatory guide as documented in the memorandum dated March 25, 2021.

Chairman Sunseri led a continuation of the discussion of proposed changes to the bylaws. A line by line review of the bylaws was started during the preparation of reports session.

Chairman Sunseri also led a discussion about a proposed final rule to revise Title 10 of the Code of Federal Regulations (10 CFR) Part 26 regarding fitness for duty requirements. The Committee agreed with Chairman Sunseris recommendation that the Committee does not need to be briefed on this issue.

C. Hanson Member Bley led a discussion about a proposed plan for the Committee to provide its official comments on the proposed rulemaking for 10 CFR Part 53 regarding advanced reactor licensing requirements. There are multiple future plant designs subcommittee meetings planned on this subject over the next several months. The Committee agreed with Member Bleys recommendation to provide Committee comments on this issue in an interim letter that would be discussed at the May 2021 Full Committee meeting. It was also agreed that the Committee would provide additional input on this subject in other letters, as warranted and as decided by the Committee.

Chairman Sunseri led a discussion about the addition of Committee Deliberation agenda items to future Full Committee meeting agendas.

During the reconciliation portion of this session, the topic of the staffs response to the Committees letter, dated December 16, 2020, Design Review Guide (DRG): Instrumentation and Controls for Non-Light-Water Reactor (Non-LWR) Reviews. The Committee agreed with Member Browns recommendation that no further Committee action was necessary on this topic.

During the closed session of the planning and procedures session, Member Ballinger led a discussion of the status of the SHINE operating license application review; Chairman Sunseri led discussions about the future activities with Naval Reactors, and recent correspondence from NuScale about lessons learned from design certification reviews.

8. SCHEDULED TOPICS FOR THE 684th ACRS MEETING The following topics are on the agenda for the 683rd ACRS meeting scheduled for April 8-10, 2021:

NuScale Topical Report on control room staffing, Overview of the NRC safety research program, and Regulatory Guide 4.26, Volcanic Hazard Assessments for Nuclear Power Reactor sites.

Sincerely, Signed by Sunseri, Matthew on 04/14/21 Matthew W. Sunseri Chairman

C. Hanson April 14, 2021

SUBJECT:

SUMMARY

REPORT - 683rd MEETINGS OF THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS, MARCH 3-5, 2021 Accession No: ML21091A289 Publicly Available (Y/N): Y Sensitive (Y/N): N If Sensitive, which category?

Viewing Rights: NRC Users or ACRS only or See restricted distribution OFFICE ACRS SUNSI Review ACRS ACRS NAME LBurkhart LBurkhart SMoore (SWM) MSunseri DATE 3/31/21 3/31/21 4/13/21 4/13/21 OFFICIAL RECORD COPY