ML21291A024
ML21291A024 | |
---|---|
Issue date: | 11/09/2021 |
From: | Shilp Vasavada, Office of Nuclear Reactor Regulation |
This report has been prepared and is being released to support ongoing public discussions. This report has not been subject to NRC management and legal reviews and approvals, and its contents are subject to change and should not be interpreted as official agency positions.
Ground Rules for Regulatory Feasibility of Remote Operations of Nuclear Power Plants
U.S. Nuclear Regulatory Commission
Contents
- Executive Summary
- Key Findings
- 1. Background
- 2. Origin and Objectives of the Project
- 3. Approach to Achieve Project Objectives
- 4. Key Findings
- 5. References
Executive Summary
Due to operational and business reasons (e.g., ability to operate multiple sites from one location, operation of plants sited in challenging locations), remote operations can be the desired operational configuration sought by vendors of advanced reactors, non-light water reactors, microreactors, etc. In this context, remote operation involves primary command and control of a nuclear power plant from a location outside the nuclear reactor site boundary.
Currently, NRC's regulations, from minimum staffing to operator licensing, are focused on the command and control being in the nuclear reactor site boundary (i.e., a main control room and a large contingent of trained operators at the site). Therefore, if presented to the NRC for review, a remote operation concept will represent a paradigm shift.
Therefore, the NRC staff explored the remote operations paradigm to identify what are termed "ground rules" for such operations. These ground rules identify items and considerations that will likely be crucial to feasible remote operations from both a developmental and decision-making perspective. The NRC staff also identified key attributes that support the achievement of each ground rule. Based on available information, this document reflects the first systematic foray by the NRC into the remote operations concept. Therefore, the NRC staff adopted a high-level perspective. This document lays the groundwork to address the future regulatory needs of developing and establishing a regulatory position on remote operation of nuclear power plants.
Additional granularity and technical details for each ground rule and its associated key attributes can be the subject of future work on remote operations. This document reflects consideration of a project conducted under the Future Focused Research Initiative that was funded by the NRC's Office of Nuclear Regulatory Research (RES).
The NRC staff identified focus areas that are expected to be the most impacted by the remote operations paradigm. These focus areas represent broad categories and are not indicative of the relative importance of other, unidentified, areas. These focus areas were considered in the identification of ground rules and key attributes, as illustrated in Figure ES-1.
The NRC staff's efforts were also informed by knowledge transfer discussions with subject matter experts (SMEs) from two different federal agencies to understand infrastructure and operational requirements, best practices, and lessons learned from industries that currently use remote operations.
Figure ES-1 Relationship Between Focus Areas, Ground Rules, and Key Attributes
Key Findings
Based on internal deliberation and knowledge transfer interviews with SMEs from other federal agencies, the NRC staff determined the following ground rules, which constitute the main recommendations for further consideration of remote operation:
- 1. Remote operations and the criteria that need to be achieved to demonstrate effective remote operations (see subsequent Ground Rule #4) should be part of the design and development from the beginning. Remote operations do not appear to lend themselves to an "add on" or retrofit approach.
- 2. Societal impacts and the public's risk perceptions will likely be an important consideration for the NRC staff and reactor vendors in evaluating remote operations. Therefore, the NRC staff expects to specifically engage with the public on remote operations if the industry demonstrates interest in remote operations or if an application relying on remote operation is received for NRC review.
- 3. Whether changes to regulations are necessary for remote operations should be determined based on (1) how well existing regulations accommodate the remote operations paradigm, and (2) whether existing regulations adequately address the safety and security issues associated with remote operation.
- 4. Guidance on acceptable approaches to meet regulations under a remote operations paradigm is unavoidable. Such guidance, and any additional regulation, should provide technology-neutral and performance-based acceptance criteria that achieve the fundamental outcomes of reactor safety (i.e., safety objectives) for all credible initiating events and resulting scenarios. Demonstrated achievement of such criteria is expected to be more effective in assuring safety than prescriptive guidance or regulations.
- 5. The concept of "minimal risk conditions" is essential to identify safe plant configurations for any credible initiating event and resulting scenarios in the remote operations paradigm, including loss of key data and voice communication. This concept identifies the reactor operational configurations, including modes of operation, that achieve an outcome of minimal risk. It is expected that for certain cases, the final minimal risk condition will be safe and stable shutdown, as defined in the design's Technical Specifications, following a reactor trip.
- 6. Data and voice communication infrastructure and security, including cybersecurity, are crucial in the remote operations paradigm. These elements need considerable attention beginning from the conceptualization phase of remote operations.
- 7. The responsibilities of the remote operator(s) (i.e., the operators in the remote control room (CR)) should be based on the level of automation, the reliance on human actions in meeting both the acceptance criteria for remote operation and the technology's minimal risk conditions, and the time in which such human actions need to be completed. The identified responsibilities should support decisions on the number of operators per facility, the number of facilities per remote control room, control room human factors, operator training and licensing, and access control.
- 8. Licensing and training of operators in the remote CR will be necessary, with flexibility in the licensing and training regimen depending on the technology, the level of automation, and the responsibilities of the operators in the remote CR.
- 9. A crew that is based on-site or in the vicinity of the site is unavoidable with the remote operations paradigm. Such a crew would be responsible for planned and emergent operational issues, troubleshooting, and emergency response. Although certain regulators allow remote operations without an onsite crew, the NRC staff considers nuclear power reactors to be more complicated technology with different public risk perceptions compared to other technologies or industries. Further, the NRC staff believes that there is currently insufficient data to support the complete elimination of a crew that is based on-site or in the vicinity of the site.
- 10. Inspections, including physical and cyber security inspections, of the site and remote CR are necessary, although the inspection regime and protocol are expected to change compared to the status quo.
- 11. Physical security of both the site and the remote CR is necessary.
The NRC staff recognizes that each ground rule crosses multiple, if not all, focus areas and therefore, is not assigned to a particular focus area. Each of the above ground rules, along with the corresponding key attributes, is discussed in Section Error! Reference source not found. of this report. The NRC staff believes that these ground rules provide the foundation for further work, including guidance development or any necessary rulemaking, to support safe remote operations of nuclear power plants.
- 1. Background
Due to operational and business reasons, remote operations can be the operational configuration desired by vendors for advanced reactors, non-light water reactors, microreactors, etc. Remote operation, in contrast with the current operational paradigm for nuclear power plants, would involve primary command and control of the plant from a location outside the nuclear reactor site boundary. The business case for remote operations includes the ability to operate multiple sites from one location and operation of plants sited in challenging locations.
It is important to draw a distinction between remote operations and autonomous operations.
NUREG-0700, Human-System Interface Design Review Guidelines, contains the following discussion of automation in Chapter 9, Automation System:
Automation is a device or system that accomplishes (partially or fully) a function or task
Historically, the concept of automation was associated with control tasks.
However, in modern plants, the role of automation extends to other applications as well, such as supporting operator decision making and managing the [human-system interface] HSI. In addition to its broad application, automation is more interactive. That is, while in the past, tasks were performed either by personnel or automation, today's automation can be designed to work with personnel, each agent having defined roles and responsibilities.
As discussed in Section Error! Reference source not found. of this report, it may be possible, but difficult, to achieve effective remote operation without a certain level of autonomous operation.
The concept of remote operations, wherein the command and control location is far removed from the feature that is controlled, is not novel and such operations are currently used by multiple industries. Examples include:
- Remote operation of oil and gas pipelines (regulated by the Department of Transportation)
- Remote operation of the International Space Station and unmanned rovers on different planets (managed by the National Aeronautics and Space Administration)
- Remote operation of electricity flow in various regional electric grids (regulated by the Federal Energy Regulatory Commission)
- Remote operation of unmanned aerial vehicles, also known as drones (civilian use regulated by the Federal Aviation Administration and military use controlled by the Department of Defense)
To the best of the NRC staff's awareness, remote operation of nuclear power plants has not been explored previously from a practical implementation perspective. The feasibility of developing a design for a pressurized water reactor (PWR) that would allow unattended operation was explored in the early 1960s (Reference 1). The study determined that the feasibility of an unattended reactor was dependent on whether systems necessary for safe operation of the reactor can be developed to high reliability such that these systems did not require regular maintenance. The study conceptualized a simplified PWR design with minimum parts to achieve the objective. To the best of the NRC staff's awareness, the conceptualized design did not become a reality. Examples of remote operations of nuclear power reactor facilities are currently unavailable for comparison purposes. Canada's SLOWPOKE-2 reactor is licensed for unattended operation in automatic mode and is the closest available comparison to unattended, if not remote, operations. SLOWPOKE-2's reactor core, which produces a nominal power level of 20 kW, is contained within a beryllium neutron reflector, thus allowing for a relatively small critical mass to be used in its design. Therefore, scalability of unattended operations and extension of unattended operations to remote operations is not straightforward.
Currently, NRC's regulations, from minimum staffing to operator licensing, are focused on the command and control being in the nuclear reactor site boundary (i.e., a main control room and a large contingent of trained operators at the site). Therefore, the remote operations concept represents a paradigm shift in NRC's regulatory framework.
- 2. Objectives of this Document
To support the development of a foundation for future NRC decision-making on remote operation, the NRC staff explored the remote operations paradigm to identify those items and considerations that will likely be crucial for feasible remote operations from both a developmental and decision-making perspective. These items and considerations are termed "ground rules." In addition, the NRC staff identified key attributes that support the achievement of each ground rule.
The NRC staff adopted a high-level perspective because, based on available information, this is the first systematic foray by the NRC into a remote operations of nuclear power plants (RONPP) paradigm. This document lays the groundwork for addressing future regulatory needs on RONPP and therefore, technical details and granularity are not included within its scope.
Additional granularity for each ground rule and its associated key attributes can be developed as part of future work on RONPP.
- 3. Approach to Achieve the NRC Staff's Objectives
The NRC staff identified focus areas that are expected to be the most impacted by the remote operations paradigm. The focus areas are broad categories that are not indicative of their relative importance compared to unidentified areas. The following focus areas were identified:
- Operations
- Inspections
- Information Exchange and Cybersecurity
- Physical Security
- Human Factors
- Risk
- Legal
The NRC used these focus areas to identify ground rules for remote operations and key attributes for achieving these ground rules, as illustrated in Figure 1.
Figure 1 Relationship Between Focus Areas, Ground Rules, and Key Attributes
The NRC staff reviewed relevant literature and maintained awareness of activities which could relate to remote operations. Several literature sources, which are listed in the References section of this report, were considered from a high-level perspective for insights. The NRC staff remained cognizant of the development of Part 53 to Title 10 of the Code of Federal Regulations (10 CFR Part 53), which will include risk-informed and performance-based regulations for advanced reactors. The staff's key findings in this document benefited from progress and stakeholder feedback on Part 53 activities.
The NRC staff also conducted knowledge transfer discussions with subject matter experts (SMEs) from two different federal agencies that actively practice remote operations. Knowledge transfer discussions were held with an SME from the Pipeline and Hazardous Materials Safety Administration (PhMSA) of the Department of Transportation (DoT), which regulates the remote operations of oil and gas pipelines and has regulations for such operations codified since 2011, and with an SME from the National Aeronautics and Space Administration (NASA), on the operation of the International Space Station from the control room in Houston, Texas. The purpose of the discussions was to understand infrastructure and operational best practices and lessons learned from remote operations in non-nuclear areas. The information shared by the SMEs in the knowledge transfer discussions was not considered as official positions by their respective agencies. The insights from these discussions were valuable to the NRC staff in developing the key findings described in this document.
The NRC staff's key findings are provided in the next section of this report.
- 4. Key Findings
This section provides the key findings of the NRC staff. The findings are provided in the form of ground rules and, in certain cases, corresponding key attributes. The ground rules and key attributes provide the foundation, direction, and scope for developing additional granularity regarding the regulatory framework for addressing the remote operations paradigm.
Ground Rule #1: Remote operations and the criteria that need to be achieved to demonstrate effective remote operations (see subsequent Ground Rule #4) should be part of the design and development from the beginning. Remote operations do not appear to lend themselves to an "add on" or retrofit approach.
Ground Rule #2: Societal impacts and the public's risk perceptions will likely be an important consideration for the NRC staff and reactor vendors in evaluating remote operations. Therefore, the NRC staff expects to specifically engage with the public on remote operations if the industry demonstrates interest in remote operations or an application relying on remote operation is received for NRC review. NRC's Enterprise Risk Management guidance (contained in Management Directive 4.4) supports these expectations.
Key Attributes for Ground Rule #2:
- Increased public educational outreach, potentially with support from the Office of Public Affairs, should be pursued due to the magnitude of conceptual and perception change from remote operations.
- NRC-initiated public meeting(s) can be effective in ensuring public engagement after receipt of a remote operations application.
- Industry engagement via the Regulatory Information Conference (RIC) or similar venues as well as multiple pre-application meetings can support improved understanding of the industry's interest and activities on remote operations.
Ground Rule #3: Whether changes to regulations are necessary for remote operations should be determined based on (1) how well existing regulations accommodate the remote operations paradigm and (2) whether existing regulations adequately address the safety and security issues associated with remote operation.
Key Attributes for Ground Rule #3:
- Most regulations that include discussion of control rooms (CRs) are performance-based and independent of the location of the CR. Therefore, these regulations would be applicable to remote CRs.
- Some regulations apply to CRs without directly mentioning them (e.g., protection from natural hazards). Further deliberation, including an understanding of how the regulations are met in practice, is necessary to determine how such regulations would apply to a remote CR paradigm and whether any regulatory changes are necessary to accommodate this paradigm.
  - An example of an important nuance is the meaning of the term "on-site" in various regulations. If the remote CR is required for safety of the facility then it becomes part of the facility. In such a case, the NRC must determine whether protection from natural hazards or emergency planning applies only to the reactor site or also to the remote CR site (e.g., protection from natural phenomena and human-related hazards for two different locations).
- The specific reactor technology, the level of automation used, how the applicant proposes to meet the acceptance criteria for remote operations (see Ground Rule #4), and specific operational details may justify exemptions to applicable regulations.
Ground Rule #4: Guidance on acceptable approaches to meet regulations under a remote operations paradigm is unavoidable. Such guidance and any additional regulation (see Ground Rule #3) should provide technology-neutral and performance-based acceptance criteria that achieve the fundamental outcomes of reactor safety (i.e., safety objectives) under all credible initiating events and resulting scenarios. Demonstrated achievement of such criteria is expected to be more effective in assuring safety than prescriptive guidance or regulations.
Key Attributes for Ground Rule #4:
- The acceptance criteria should focus on achieving the fundamental outcomes of reactor safety (i.e., safety objectives) under all credible initiating events and resulting scenarios. Examples of such criteria include:
  - No human intervention for a minimum duration where the duration can be based on available information (such as severe accident guidance, SAFER centers response time, or design characteristics).
  - Ability to achieve safe and stable shutdown and/or minimal risk conditions (see Ground Rule #5) for all credible initiating events and resulting scenarios, including loss of all communications and loss of all automation.
  - Ability to do key surveillances and maintenance online.
- The concept of "safety-significant SSCs" and "safety-significant data points" provides an effective means to identify key systems, structures, and components (SSCs) (including sensors) that are necessary for safe operation and shutdown of a reactor technology.
  - Applicant identifies the SSCs and data points that are needed to demonstrate the achievement of the acceptance criteria for any credible initiating event and resulting scenario (see Ground Rule #4).
  - These SSCs (including sensors) would need to be redundant and diverse, would need to mitigate common-cause failures (e.g., via independence), and be designed to facilitate end-to-end checks from the plant site to the remote CR.
  - Reliability targets can be used for SSCs, including sensors, that are not identified as safety-significant SSCs or safety-significant data points.
- Due to this ground rule and its key attributes, case-by-case determinations against regulations, guidance, and high-level standards are anticipated during reviews of remote operation applications. This expectation should be factored into resource and schedule estimates.
Ground Rule #5: The concept of "minimal risk conditions" is essential to identify safe plant configurations for any credible initiating event and resulting scenarios in the remote operations paradigm, including loss of key data and voice communication. This concept identifies the reactor operational configurations, including modes of operation, that achieve an outcome of minimal risk. It is expected that for certain cases, the final minimal risk condition will be safe and stable shutdown, as defined in the design's Technical Specifications, following a reactor trip.
Key Attributes for Ground Rule #5:
- A systematic risk-informed approach, which evaluates the remote CR operations both separately and as integrated with reactor risk, is necessary to identify dominant risk contributors and minimal risk conditions for all credible initiating events and resulting scenarios. Although uncertainties and unavailability of data are expected, the NRC staff determined that insights from systematic risk-informed approaches can still support decisions if defensible estimates and sensitivities are used.
- The "minimal risk conditions" for scenarios resulting from loss of key data and voice communication initiators should be included as part of a design's Technical Specifications (i.e., limiting conditions of operations and completion times for these scenarios) and, as applicable, in the design of the reactor protection system. The concept of "as last commanded" can support operations during the completion time window.
- The NRC staff determined that several topics important for a risk assessment of the remote operations paradigm would need fresh perspective and technical advances or alignment. Examples of such topics include:
  - Cyber and physical security threats: Reliance on integrated decision-making is the optimal path for assessment of risk from such events. Integrated decision-making includes consideration of defense-in-depth, safety margins, and performance monitoring in conjunction with risk.
  - Communication failures: It is important to evaluate the risk from scenarios arising from this initiator because of the critical role of communication (data and voice) for remote operations. Such scenarios should include communication failure to or from multiple sites if controlled from a single remote CR. Consideration of such scenarios is supported by the language in General Design Criterion (GDC) 5. An assessment of the risk from scenarios arising from loss of communication (data and voice) initiators would need technical advances compared to the state of the art.
  - Safe and stable end state: It is expected that the determination of the safe and stable end state following an initiating event, which also translates into the mission time for probabilistic risk assessments, would have to be revisited for consistency with the criteria to be demonstrated for the remote operations paradigm (see Ground Rule #4).
Ground Rule #6: Data and voice communication infrastructure as well as security, including cybersecurity, are crucial in the remote operations paradigm. Their importance is significantly escalated compared to the current paradigm and therefore, considerable attention is necessary from the conceptualization phase of remote operations.
Key Attributes for Ground Rule #6:
- Dedicated communication channels for voice and data transfer are considered necessary. Reliance on such transfer over the internet is not expected to provide the necessary level of security and reliability.
- Adding malfunction of key data and voice signals to the Technical Specifications (TS), with limiting conditions of operation, can support the demonstration of the achievement of acceptance criteria for remote operations (see Ground Rule #4) for such initiators.
  - Associated surveillance requirements will address the need to regularly check the reliability of the key data and voice signals.
  - Completion times (i.e., time to address malfunctions without shutting down the reactor) for such TS are expected to be based on factors including minimal risk conditions, data from non-nuclear facilities on time required to troubleshoot and remedy such malfunctions, and the specific reactor technology.
- A remotely operating plant is expected to need a dedicated data center with knowledgeable staff to: (1) monitor data and voice communication signals; (2) identify communication failures and provide notification, if not already available, to operators in the remote CR; and (3) check the reliability and fidelity of signals.
  - Consideration should be given to use of existing guidance for data collection, management, and security, including cybersecurity (e.g., guidelines from the National Institute of Standards and Technology [NIST]).
  - Redundancy in the communications infrastructure is considered necessary with the ability to detect communication failure during both normal and abnormal operations (including malicious actions) and to switch, either manually or automatically, to the redundant infrastructure.
  - A configuration control protocol is necessary to keep the communication and cybersecurity protocols dynamic and updated to counter emergent threats.
  - It is considered to be a viable option for reactor technology vendors proposing remote operations to work with established third-party vendors for ensuring, among other things, that communication and cybersecurity guidance is followed, reliability targets are achieved, and communication is monitored.
  - Vendor inspection framework can be adapted to inspect and/or audit third-party vendors providing data collection, management, or cybersecurity services to the reactor technology vendors.
Ground Rule #7: The responsibilities of the remote operator(s) (i.e., the operators in the remote control room (CR)) should be based on the level of automation, the reliance on human actions in meeting both the acceptance criteria for remote operation (see Ground Rule #4) and the technology's minimal risk conditions (see Ground Rule #5), and the time in which such human actions need to be completed. The identified responsibilities should support decisions on the number of operators per facility, the number of facilities per remote control room, control room human factors, operator training and licensing, and access control.
Key Attributes for Ground Rule #7:
- NUREG-0700, Table 9.1, "Levels of Automation for NPP Applications," summarizes various levels of automation ranging from Manual Operations (Level 1) to Fully Autonomous Operation (Level 5) that are expected to be applicable to remote operations.
- While remote operations with no automation or very low automation (i.e., Levels 1 and 2 in NUREG-0700, Table 9.1) can be envisioned, it is expected that such operations may not be feasible when considered holistically with the other ground rules identified herein and/or may not afford any benefit compared to the current paradigm.
- As stated in the Part 53 staffing white paper (draft for discussion; paper does not state staff positions) (Reference 2), fully automated remote operations (i.e., Level 5 in NUREG-0700, Table 9.1) can hypothetically allow for unattended operations. However, unattended remote operations need additional scrutiny. Currently, human decision-making (intervention before execution) is recommended for remote operations, especially for operations such as reactivity changes, due to lack of data and experience for remote operations of nuclear reactors, including increased cybersecurity risks, as well as the need for defense-in-depth (e.g., manual backup to address vulnerabilities to digital I&C common cause failures). Cautions raised in the Part 53 draft staffing white paper for discussion (Reference 2), such as "there are other facets to autonomous operation and, more broadly, automation in general, that need to be considered as well" and "[t]he NRC staff has long recognized that incorporating higher levels of automation into plant designs would create new operational considerations for nuclear power plants," are not only applicable but also exacerbated for a remote operations paradigm.
Ground Rule #8: Licensing and training of operators in the remote CR is necessary, with flexibility in the licensing and training regimen depending on the technology, the level of automation, and the responsibilities of the operators in the remote CR (see Ground Rule #5 and Key Attributes to Ground Rule #5).
Key Attributes for Ground Rule #8:
- Aspects of current requirements for operators (e.g., minimum control room staffing in 10 CFR 50.54(m), operator training in 10 CFR Part 55, fitness-for-duty in 10 CFR Part 26) that could be relaxed in the context of a particular design need to be reviewed on a case-by-case basis through proposed exemptions. The Part 53 draft staffing white paper for discussion (Reference 2) describes a similar approach.
- Operator license(s) should be site-specific (same as the status quo) and not generic to a particular technology. Use of the same reactor technology at various sites would not obviate site-specific concerns and issues, including hazards and emergency planning.
- Fatigue, attention, and human factors considerations should determine if an operator can control multiple sites with the same technology from a remote control room and if so, the limit to how many sites can be controlled by an operator.
- The current approach to validation of operator actions would need to be revisited because the approach for remote operations is expected to be different from the status quo, including coordination between operators in the remote control room and the crew on-site or in the vicinity of the site.
Ground Rule #9: A crew that is based on-site or in the vicinity of the site is unavoidable with the remote operations paradigm. Such a crew would be responsible for planned and emergent operational issues, troubleshooting, and emergency response. Although certain regulators, such as DoT's PhMSA, allow remote operations without an onsite crew, the NRC staff considers nuclear power reactors to be more complicated technology with different public risk perceptions compared to other technologies or industries. Further, the NRC staff believes that the NRC staff and industry do not currently have data to support the complete elimination of a crew that is based on-site or in the vicinity of the site.
Key Attributes for Ground Rule #9:
- Performance-based guidelines, including consideration of predictive maintenance strategies, and emergency preparedness requirements, including changes that may result from ongoing rulemaking, can support determination of the size of the on-site and/or in-the-vicinity crew.
- The NRC should not prescriptively define two items on a generic basis, as follows: (1) the types of actions to be performed by the on-site or in-the-vicinity crew or (2) the crew's authority to independently take certain consequential actions (e.g., limiting authority only to scramming the reactor versus allowing reactivity manipulation functions). Instead, the NRC should allow for technology and business-case-specific variations if justified.
- The NRC staff could not entirely rule out the need for the on-site or in-the-vicinity crew to independently take certain consequential actions because such actions can provide defense-in-depth to address unforeseen contingencies.
- Clear triggers and chain-of-command for any planned or emergent actions by the on-site and/or in-the-vicinity crew need to be established.
- The type of actions AND the independence in performing those actions should inform the training regimen and the need for any operator licensing for the crew (e.g., if independent reactivity manipulations are part of the actions).
- Guidelines need to be developed for determining the appropriate response times for actions by the on-site or in-the-vicinity crew.
- The guidelines should be technology-neutral and performance-based, consider insights from minimal risk conditions (e.g., analysis performed to determine time required to complete an action necessary to achieve a minimal risk condition), emergent or planned configuration (e.g., changes to completion time due to unavailability of mitigating equipment similar to the risk-informed completion time program for operating light-water reactors), and, if applicable, a design's Technical Specifications (TS) completion times.
Ground Rule #10: Inspections of the site and remote control room, including physical and cybersecurity inspections, are necessary although the inspection regime and protocol are expected to change compared to the status quo.
Key Attributes for Ground Rule #10:
- Inspections of the remote control room are necessary to obtain information about plant status and emergent issues similar to the current practice of visiting the control room and talking with operators. However, periodic inspections similar to those used for non-power production facilities may be viable for the remote operations paradigm.
- The number of inspectors assigned to the site and the remote control room, as well as their proximity to these locations and the frequency of inspections, is expected to be case-specific based on several factors, such as the reactor technology, how many sites are controlled from the same remote control room, actions that the on-site and/or in-the-vicinity crew can take, and the response time for incident response.
- Data and voice communication protocols, with contingencies for loss of communication, are considered important to support transfer of information between inspectors assigned to the site and the remote control room.
- Increased inspector knowledge and inspection frequency for data and voice communication security, including cybersecurity, are considered necessary to allow independent NRC checks of the licensee's protocols. If the licensee uses third-party vendors for such services, such inspections would fall under the agency's vendor inspection program.
Ground Rule #11: Physical security of both the site and the remote control room is considered necessary. Physical security at the remote control room would counter threats such as sabotage.
Key Attributes for Ground Rule #11:
- A performance-based concept can support the determination of the size of the security forces at the site and the remote control room. An ongoing rulemaking activity on "Alternative Physical Security Requirements for Advanced Reactors" (Reference 11) can provide such a framework and should be reviewed for applicability.
- An approach that uses a tiered access control should be employed. Such an approach would make access controls more stringent based on the ability to manipulate the reactor (either remotely or from on-site).
- 5. References
- 1. Rosenthal, M.W., et al., "The Feasibility of an Unattended Nuclear Power Plant," Oak Ridge National Laboratory Report, ORNL-2985, August 1960.
- 2. U.S. Nuclear Regulatory Commission, "Risk-Informed and Performance-Based Human-System Considerations," March 2021, ADAMS Accession No. ML21069A003.
- 3. Department of Transportation, "Pipeline Safety: Potential Service Disruptions in Supervisory Control and Data Acquisition Systems," Advisory Bulletin, ADB-03-09, 68 FR 74289.
- 4. Pipeline and Hazardous Material Safety Administration, "Human Factors Analysis of Pipeline Monitoring and Control Operations: Final Technical Report," November 2008.
- 5. National Highway Transportation Safety Administration, "Automated Driving Systems 2.0: A Vision for Safety," September 2017.
- 6. International Atomic Energy Agency, "Non-baseload Operation in Nuclear Power Plants: Load Following and Frequency Control Modes of Flexible Operation," April 2018.
- 7. U.S. Nuclear Regulatory Commission, "Human-Performance Issues Related to the Design and Operation of Small Modular Reactors," NUREG/CR-7126, June 2012, ADAMS Accession No. ML12179A170.
- 8. U.S. Nuclear Regulatory Commission, "Adaptive Automation: Current Status and Challenges," Research Information Letter (RIL) 2020-05, November 2020, ADAMS Accession No. ML20176A199.
- 9. Fleming, E.S., et al., "Human Factors Considerations for Automating Microreactors," Sandia National Laboratory Report, SAND2020-5635, June 2020.
- 10. National Institute of Standards and Technology, "Cybersecurity Framework," accessed online at https://www.nist.gov/cyberframework.
- 11. U.S. Nuclear Regulatory Commission, "Alternative Physical Security Requirements for Advanced Reactors," accessible online at www.regulations.gov using docket ID NRC-2017-0227.