ML21291A024

Ground Rules for Regulatory Feasibility of Remote Operations of Nuclear Power Plants
Person / Time
Issue date: 11/09/2021
From: Shilp Vasavada
Office of Nuclear Reactor Regulation
To:
Vasavada S


Text

This report has been prepared and is being released to support ongoing public discussions. This report has not been subject to NRC management and legal reviews and approvals, and its contents are subject to change and should not be interpreted as official agency positions.

Ground Rules for Regulatory Feasibility of Remote Operations of Nuclear Power Plants

U.S. Nuclear Regulatory Commission

Contents

Executive Summary
Key Findings
1. Background
2. Origin and Objectives of the Project
3. Approach to Achieve Project Objectives
4. Key Findings
5. References

Executive Summary

Due to operational and business reasons (e.g., ability to operate multiple sites from one location, operation of plants sited in challenging locations), remote operations can be the desired operational configuration sought by vendors of advanced reactors, non-light water reactors, microreactors, etc. In this context, remote operation involves primary command and control of a nuclear power plant from a location outside the nuclear reactor site boundary.

Currently, NRC's regulations, from minimum staffing to operator licensing, are focused on the command and control being in the nuclear reactor site boundary (i.e., a main control room and a large contingent of trained operators at the site). Therefore, if presented to the NRC for review, a remote operation concept will represent a paradigm shift.

Therefore, the NRC staff explored the remote operations paradigm to identify what are termed ground rules for such operations. These ground rules identify items and considerations that will likely be crucial to feasible remote operations from both a developmental and decision-making perspective. The NRC staff also identified key attributes that support the achievement of each ground rule. Based on available information, this document reflects the first systematic foray by the NRC into the remote operations concept. Therefore, the NRC staff adopted a high-level perspective. This document lays the groundwork to address the future regulatory needs of developing and establishing a regulatory position on remote operation of nuclear power plants.

Additional granularity and technical details for each ground rule and its associated key attributes can be the subject of future work on remote operations. This document reflects consideration of a project conducted under the Future Focused Research Initiative that was funded by the NRC's Office of Nuclear Regulatory Research (RES).

The NRC staff identified focus areas that are expected to be the most impacted by the remote operations paradigm. These focus areas represent broad categories and are not indicative of the relative importance of other, unidentified, areas. These focus areas were considered in the identification of ground rules and key attributes, as illustrated in Figure ES-1.

The NRC staff's efforts were also informed by knowledge transfer discussions with subject matter experts (SMEs) from two different federal agencies to understand infrastructure and operational requirements, best practices, and lessons learned from industries that currently use remote operations.

Figure ES-1 Relationship Between Focus Areas, Ground Rules, and Key Attributes

Key Findings

Based on internal deliberation and knowledge transfer interviews with SMEs from other federal agencies, the NRC staff determined the following ground rules, which constitute the main recommendations for further consideration of remote operation:

1. Remote operations and the criteria that need to be achieved to demonstrate effective remote operations (see subsequent Ground Rule #4) should be part of the design and development from the beginning. Remote operations do not appear to lend themselves to an add on or retrofit approach.
2. Societal impacts and the public's risk perceptions will likely be an important consideration for the NRC staff and reactor vendors in evaluating remote operations. Therefore, the NRC staff expects to specifically engage with the public on remote operations if the industry demonstrates interest in remote operations or if an application relying on remote operation is received for NRC review.

3. Whether changes to regulations are necessary for remote operations should be determined based on (1) how well existing regulations accommodate the remote operations paradigm, and (2) whether existing regulations adequately address the safety and security issues associated with remote operation.
4. Guidance on acceptable approaches to meet regulations under a remote operations paradigm is unavoidable. Such guidance, and any additional regulation, should provide technology-neutral and performance-based acceptance criteria that achieve the fundamental outcomes of reactor safety (i.e., safety objectives) for all credible initiating events and resulting scenarios. Demonstrated achievement of such criteria is expected to be more effective in assuring safety than prescriptive guidance or regulations.


5. The concept of minimal risk conditions is essential to identify safe plant configurations for any credible initiating event and resulting scenarios in the remote operations paradigm, including loss of key data and voice communication. This concept identifies the reactor operational configurations, including modes of operation, that achieve an outcome of minimal risk. It is expected that for certain cases, the final minimal risk condition will be safe and stable shutdown, as defined in the design's Technical Specifications, following a reactor trip.
6. Data and voice communication infrastructure and security, including cybersecurity, are crucial in the remote operations paradigm. These elements need considerable attention beginning from the conceptualization phase of remote operations.
7. The responsibilities of the remote operator(s) (i.e., the operators in the remote control room (CR)) should be based on the level of automation, the reliance on human actions in meeting both the acceptance criteria for remote operation and the technology's minimal risk conditions, and the time in which such human actions need to be completed. The identified responsibilities should support decisions on the number of operators per facility, the number of facilities per remote control room, control room human factors, operator training and licensing, and access control.
8. Licensing and training of operators in the remote CR will be necessary, with flexibility in the licensing and training regimen depending on the technology, the level of automation, and the responsibilities of the operators in the remote CR.
9. A crew that is based on-site or in the vicinity of the site is unavoidable with the remote operations paradigm. Such a crew would be responsible for planned and emergent operational issues, troubleshooting, and emergency response. Although certain regulators allow remote operations without an onsite crew, the NRC staff considers nuclear power reactors to be more complicated technology with different public risk perceptions compared to other technologies or industries. Further, the NRC staff believes that there is currently insufficient data to support the complete elimination of a crew that is based on-site or in the vicinity of the site.
10. Inspections, including physical and cyber security inspections, of the site and remote CR are necessary, although the inspection regime and protocol is expected to change compared to the status quo.
11. Physical security of both the site and the remote CR is necessary.

The NRC staff recognizes that each ground rule crosses multiple, if not all, focus areas and therefore is not assigned to a particular focus area. Each of the above ground rules, along with the corresponding key attributes, is discussed in Section Error! Reference source not found. of this report. The NRC staff believes that these ground rules provide the foundation for further work, including guidance development or any necessary rulemaking, to support safe remote operations of nuclear power plants.


1. Background

Due to operational and business reasons, remote operations can be the operational configuration desired by vendors for advanced reactors, non-light water reactors, micro reactors, etc. Remote operation, in contrast with the current operational paradigm for nuclear power plants, would involve primary command and control of the plant from a location outside the nuclear reactor site boundary. The business case for remote operations includes the ability to operate multiple sites from one location and operation of plants sited in challenging locations.

It is important to draw a distinction between remote operations and autonomous operations. NUREG-0700, "Human-System Interface Design Review Guidelines," contains the following discussion of automation in Chapter 9, "Automation System":

Automation is a device or system that accomplishes (partially or fully) a function or task Historically, the concept of automation was associated with control tasks. However, in modern plants, the role of automation extends to other applications as well, such as supporting operator decision making and managing the [human-system interface] HSI. In addition to its broad application, automation is more interactive. That is, while in the past, tasks were performed either by personnel or automation, today's automation can be designed to work with personnel, each agent having defined roles and responsibilities.

As discussed in Section Error! Reference source not found. of this report, it may be possible, but difficult, to achieve effective remote operation without a certain level of autonomous operation.

The concept of remote operations, wherein the command and control location is far removed from the feature that is controlled, is not novel and such operations are currently used by multiple industries. Examples include:

  • Remote operation of oil and gas pipelines (regulated by the Department of Transportation)
  • Remote operation of the International Space Station and unmanned rovers on different planets (managed by the National Aeronautics and Space Administration)
  • Remote operation of unmanned aerial vehicles, also known as drones (civilian use regulated by the Federal Aviation Administration and military use controlled by the Department of Defense)

To the best of the NRC staff's awareness, remote operation of nuclear power plants has not been explored previously from a practical implementation perspective. The feasibility of developing a design for a pressurized water reactor (PWR) that would allow unattended operation was explored in the early 1960s (Reference 1). The study determined that the feasibility of an unattended reactor was dependent on whether systems necessary for safe operation of the reactor can be developed to high reliability such that these systems did not require regular maintenance. The study conceptualized a simplified PWR design with minimum parts to achieve the objective. To the best of the NRC staff's awareness, the conceptualized design did not become a reality. Examples of remote operations of nuclear power reactor facilities are currently unavailable for comparison purposes. Canada's SLOWPOKE-2 reactor is licensed for unattended operation in automatic mode and is the closest available comparison to unattended, if not remote, operations. SLOWPOKE-2's reactor core, which produces a nominal power level of 20 kW, is contained within a beryllium neutron reflector, thus allowing for a relatively small critical mass to be used in its design. Therefore, scalability of unattended operations and extension of unattended operations to remote operations is not straightforward.

Currently, NRC's regulations, from minimum staffing to operator licensing, are focused on the command and control being in the nuclear reactor site boundary (i.e., a main control room and a large contingent of trained operators at the site). Therefore, the remote operations concept represents a paradigm shift in NRC's regulatory framework.

2. Objectives of this Document

To support the development of a foundation for future NRC decision-making on remote operation, the NRC staff explored the remote operations paradigm to identify those items and considerations that will likely be crucial for feasible remote operations from both a developmental and decision-making perspective. These items and considerations are termed ground rules. In addition, the NRC staff identified key attributes that support the achievement of each ground rule.

The NRC staff adopted a high-level perspective because, based on available information, this is the first systematic foray by the NRC into a remote operations of nuclear power plants (RONPP) paradigm. This document lays the groundwork for addressing future regulatory needs on RONPP and therefore, technical details and granularity are not included within its scope.

Additional granularity for each ground rule and its associated key attributes can be developed as part of future work on RONPP.


3. Approach to Achieve the NRC Staff's Objectives

The NRC staff identified focus areas that are expected to be the most impacted by the remote operations paradigm. The focus areas are broad categories that are not indicative of their relative importance compared to unidentified areas. The following focus areas were identified:
  • Operations
  • Inspections
  • Information Exchange and Cybersecurity
  • Physical Security
  • Human Factors
  • Risk
  • Legal

The NRC used these focus areas to identify ground rules for remote operations and key attributes for achieving these ground rules, as illustrated in Figure 1.

Figure 1 Relationship Between Focus Areas, Ground Rules, and Key Attributes

The NRC staff reviewed relevant literature and maintained awareness of activities which could relate to remote operations. Several literature sources, which are listed in the References section of this report, were considered from a high-level perspective for insights. The NRC staff remained cognizant of the development of Part 53 to Title 10 of the Code of Federal Regulations (10 CFR Part 53), which will include risk-informed and performance-based regulations for advanced reactors. The staff's key findings in this document benefited from progress and stakeholder feedback on Part 53 activities.


The NRC staff also conducted knowledge transfer discussions with subject matter experts (SMEs) from two different federal agencies that actively practice remote operations. Knowledge transfer discussions were held with an SME from the Pipeline and Hazardous Materials Safety Administration (PhMSA) of the Department of Transportation (DoT), which regulates the remote operations of oil and gas pipelines and has regulations for such operations codified since 2011, and with an SME from the National Aeronautics and Space Administration (NASA), on the operation of the International Space Station from the control room in Houston, Texas. The purpose of the discussions was to understand infrastructure and operational best practices and lessons learned from remote operations in non-nuclear areas. The information shared by the SMEs in the knowledge transfer discussions was not considered as official positions by their respective agencies. The insights from these discussions were valuable to the NRC staff in developing the key findings described in this document.

The NRC staff's key findings are provided in the next section of this report.

4. Key Findings

This section provides the key findings of the NRC staff. The findings are provided in the form of ground rules and, in certain cases, corresponding key attributes. The ground rules and key attributes provide the foundation, direction, and scope for developing additional granularity regarding the regulatory framework for addressing the remote operations paradigm.

Ground Rule #1: Remote operations and the criteria that need to be achieved to demonstrate effective remote operations (see subsequent Ground Rule #4) should be part of the design and development from the beginning. Remote operations do not appear to lend themselves to an add on or retrofit approach.

Ground Rule #2: Societal impacts and the public's risk perceptions will likely be an important consideration for the NRC staff and reactor vendors in evaluating remote operations. Therefore, the NRC staff expects to specifically engage with the public on remote operations if the industry demonstrates interest in remote operations or an application relying on remote operation is received for NRC review. NRC's Enterprise Risk Management guidance (contained in Management Directive 4.4) supports these expectations.

Key Attributes for Ground Rule #2:

  • Increased public educational outreach, potentially with support from the Office of Public Affairs, should be pursued due to the magnitude of conceptual and perception change from remote operations.
  • NRC-initiated public meeting(s) can be effective in ensuring public engagement after receipt of a remote operations application.
  • Industry engagement via the Regulatory Information Conference (RIC) or similar venues as well as multiple pre-application meetings can support improved understanding of the industry's interest and activities on remote operations.


Ground Rule #3: Whether changes to regulations are necessary for remote operations should be determined based on (1) how well existing regulations accommodate the remote operations paradigm and (2) whether existing regulations adequately address the safety and security issues associated with remote operation.

Key Attributes for Ground Rule #3:

  • Most regulations that include discussion of control rooms (CRs) are performance-based and independent of the location of the CR. Therefore, these regulations would be applicable to remote CRs.
  • Some regulations apply to CRs without directly mentioning them (e.g., protection from natural hazards). Further deliberation, including an understanding of how the regulations are met in practice, is necessary to determine how such regulations would apply to a remote CR paradigm and whether any regulatory changes are necessary to accommodate this paradigm.

    o An example of an important nuance is the meaning of the term "on-site" in various regulations. If the remote CR is required for safety of the facility, then it becomes part of the facility. In such a case, the NRC must determine whether protection from natural hazards or emergency planning applies only to the reactor site or also to the remote CR site (e.g., protection from natural phenomena and human-related hazards for two different locations).

  • The specific reactor technology, the level of automation used, how the applicant proposes to meet the acceptance criteria for remote operations (see Ground Rule #4), and specific operational details may justify exemptions to applicable regulations.

Ground Rule #4: Guidance on acceptable approaches to meet regulations under a remote operations paradigm is unavoidable. Such guidance and any additional regulation (see Ground Rule #3) should provide technology-neutral and performance-based acceptance criteria that achieve the fundamental outcomes of reactor safety (i.e., safety objectives) under all credible initiating events and resulting scenarios. Demonstrated achievement of such criteria is expected to be more effective in assuring safety than prescriptive guidance or regulations.

Key Attributes for Ground Rule #4:

  • The acceptance criteria should focus on achieving the fundamental outcomes of reactor safety (i.e., safety objectives) under all credible initiating events and resulting scenarios. Examples of such criteria include:
    o No human intervention for a minimum duration where the duration can be based on available information (such as severe accident guidance, SAFER centers' response time, or design characteristics).
    o Ability to achieve safe and stable shutdown and/or minimal risk conditions (see Ground Rule #5) for all credible initiating events and resulting scenarios, including loss of all communications and loss of all automation.
    o Ability to do key surveillances and maintenance online.

  • The concept of safety-significant SSCs and safety-significant data points provides an effective means to identify key systems, structures, and components (SSCs) (including sensors) that are necessary for safe operation and shutdown of a reactor technology.
    o Applicant identifies the SSCs and data points that are needed to demonstrate the achievement of the acceptance criteria for any credible initiating event and resulting scenario (see Ground Rule #4).
    o These SSCs (including sensors) would need to be redundant and diverse, would need to mitigate common-cause failures (e.g., via independence), and be designed to facilitate end-to-end checks from the plant site to the remote CR.
    o Reliability targets can be used for SSCs, including sensors, that are not identified as safety-significant SSCs or safety-significant data points.

  • Due to this ground rule and its key attributes, case-by-case determinations against regulations, guidance, and high-level standards are anticipated during reviews of remote operation applications. This expectation should be factored into resource and schedule estimates.

Ground Rule #5: The concept of minimal risk conditions is essential to identify safe plant configurations for any credible initiating event and resulting scenarios in the remote operations paradigm, including loss of key data and voice communication. This concept identifies the reactor operational configurations, including modes of operation, that achieve an outcome of minimal risk. It is expected that for certain cases, the final minimal risk condition will be safe and stable shutdown, as defined in the design's Technical Specifications, following a reactor trip.

Key Attributes for Ground Rule #5:

  • A systematic risk-informed approach, which evaluates the remote CR operations both separately and as integrated with reactor risk, is necessary to identify dominant risk contributors and minimal risk conditions for all credible initiating events and resulting scenarios. Although uncertainties and unavailability of data are expected, the NRC staff determined that insights from systematic risk-informed approaches can still support decisions if defensible estimates and sensitivities are used.
  • The minimal risk conditions for scenarios resulting from loss of key data and voice communication initiators should be included as part of a design's Technical Specifications (i.e., limiting conditions of operations and completion times for these scenarios) and, as applicable, in the design of the reactor protection system. The concept of "as last commanded" can support operations during the completion time window.
  • The NRC staff determined that several topics important for a risk assessment of the remote operations paradigm would need fresh perspective and technical advances or alignment. Examples of such topics include:
    o Cyber and physical security threats: Reliance on integrated decision-making is the optimal path for assessment of risk from such events. Integrated decision-making includes consideration of defense-in-depth, safety margins, and performance monitoring in conjunction with risk.
    o Communication failures: It is important to evaluate the risk from scenarios arising from this initiator because of the critical role of communication (data and voice) for remote operations. Such scenarios should include communication failure to or from multiple sites if controlled from a single remote CR. Consideration of such scenarios is supported by the language in General Design Criterion (GDC) 5. An assessment of the risk from scenarios arising from loss of communication (data and voice) initiators would need technical advances compared to the state of the art.
    o Safe and stable end state: It is expected that the determination of the safe and stable end state following an initiating event, which also translates into the mission time for probabilistic risk assessments, would have to be revisited for consistency with the criteria to be demonstrated for the remote operations paradigm (see Ground Rule #4).

Ground Rule #6: Data and voice communication infrastructure as well as security, including cybersecurity, are crucial in the remote operations paradigm. Their importance is significantly escalated compared to the current paradigm and therefore, considerable attention is necessary from the conceptualization phase of remote operations.

Key Attributes for Ground Rule #6:

  • Dedicated communication channels for voice and data transfer are considered necessary. Reliance on such transfer over the internet is not expected to provide the necessary level of security and reliability.
  • Adding malfunction of key data and voice signals to the Technical Specifications (TS), with limiting conditions of operation, can support the demonstration of the achievement of acceptance criteria for remote operations (see Ground Rule #4) for such initiators.
    o Associated surveillance requirements will address the need to regularly check the reliability of the key data and voice signals.
    o Completion times (i.e., time to address malfunctions without shutting down the reactor) for such TS are expected to be based on factors including minimal risk conditions, data from non-nuclear facilities on time required to troubleshoot and remedy such malfunctions, and the specific reactor technology.

  • A remotely operating plant is expected to need a dedicated data center with knowledgeable staff to: (1) monitor data and voice communication signals; (2) identify communication failures and provide notification, if not already available, to operators in the remote CR; and (3) check the reliability and fidelity of signals.
    o Consideration should be given to use of existing guidance for data collection, management, and security, including cybersecurity (e.g., guidelines from the National Institute of Standards and Technology [NIST]).
    o Redundancy in the communications infrastructure is considered necessary with the ability to detect communication failure during both normal and abnormal operations (including malicious actions) and to switch, either manually or automatically, to the redundant infrastructure.
    o A configuration control protocol is necessary to keep the communication and cybersecurity protocols dynamic and updated to counter emergent threats.
    o It is considered to be a viable option for reactor technology vendors proposing remote operations to work with established third-party vendors for ensuring, among other things, that communication and cybersecurity guidance is followed, reliability targets are achieved, and communication is monitored.
    o Vendor inspection framework can be adapted to inspect and/or audit third-party vendors providing data collection, management, or cybersecurity services to the reactor technology vendors.

Ground Rule #7: The responsibilities of the remote operator(s) (i.e., the operators in the remote control room (CR)) should be based on the level of automation, the reliance on human actions in meeting both the acceptance criteria for remote operation (see Ground Rule #4) and the technology's minimal risk conditions (see Ground Rule #5), and the time in which such human actions need to be completed. The identified responsibilities should support decisions on the number of operators per facility, the number of facilities per remote control room, control room human factors, operator training and licensing, and access control.

Key Attributes for Ground Rule #7:

  • NUREG-0700, Table 9.1, Levels of Automation for NPP Applications, summarizes various levels of automation ranging from Manual Operations (Level 1) to Fully Autonomous Operation (Level 5) that are expected to be applicable to remote operations.
  • While remote operations with no automation or very low automation (i.e., Levels 1 and 2 in NUREG-0700, Table 9.1) can be envisioned, it is expected that such operations may not be feasible when considered holistically with the other ground rules identified herein and/or may not afford any benefit compared to the current paradigm.
  • As stated in the Part 53 staffing white paper (draft for discussion; paper does not state staff positions) (Reference 2), fully automated remote operations (i.e., Level 5 in NUREG-0700, Table 9.1) can hypothetically allow for unattended operations. However, unattended remote operations need additional scrutiny. Currently, human decision-making (intervention before execution) is recommended for remote operations, especially for operations such as reactivity changes, due to lack of data and experience for remote operations of nuclear reactors, including increased cybersecurity risks, as well as the need for defense-in-depth (e.g., manual backup to address vulnerabilities to digital I&C common cause failures). Cautions raised in the Part 53 draft staffing white paper for discussion (Reference 2), such as "there are other facets to autonomous operation and, more broadly, automation in general, that need to be considered as well" and "[t]he NRC staff has long recognized that incorporating higher levels of automation into plant designs would create new operational considerations for nuclear power plants," are not only applicable but also exacerbated for a remote operations paradigm.


Ground Rule #8: Licensing and training of operators in the remote CR is necessary, with flexibility in the licensing and training regimen depending on the technology, the level of automation, and the responsibilities of the operators in the remote CR (see Ground Rule #5 and Key Attributes to Ground Rule #5).

Key Attributes for Ground Rule #8:

  • Aspects of current requirements for operators (e.g., minimum control room staffing in 10 CFR 50.54(m), operator training in 10 CFR Part 55, fitness-for-duty in 10 CFR Part 26) that could be relaxed in the context of a particular design need to be reviewed on a case-by-case basis through proposed exemptions. The Part 53 draft staffing white paper for discussion (Reference 2) describes a similar approach.
  • Operator license(s) should be site-specific (same as the status quo) and not generic to a particular technology. Use of the same reactor technology at various sites would not obviate site-specific concerns and issues, including hazards and emergency planning.
  • Fatigue, attention, and human factors considerations should determine if an operator can control multiple sites with the same technology from a remote control room and if so, the limit to how many sites can be controlled by an operator.
  • The current approach to validation of operator actions would need to be revisited because the approach for remote operations is expected to be different from the status quo, including coordination between operators in the remote control room and the crew on-site or in the vicinity of the site.

Ground Rule #9: A crew that is based on-site or in the vicinity of the site is unavoidable with the remote operations paradigm. Such a crew would be responsible for planned and emergent operational issues, troubleshooting, and emergency response. Although certain regulators, such as DoT's PhMSA, allow remote operations without an onsite crew, the NRC staff considers nuclear power reactors to be more complicated technology with different public risk perceptions compared to other technologies or industries. Further, the NRC staff believes that the NRC staff and industry do not currently have data to support the complete elimination of a crew that is based on-site or in the vicinity of the site.

Key Attributes for Ground Rule #9:

  • Performance-based guidelines, including consideration of predictive maintenance strategies, and emergency preparedness requirements, including changes that may result from ongoing rulemaking, can support determination of the size of the on-site and/or in-the-vicinity crew.
  • The NRC should not prescriptively define two items on a generic basis, as follows: (1) the types of actions to be performed by the on-site or in-the-vicinity crew or (2) the crew's authority to independently take certain consequential actions (e.g., limiting authority only to scramming the reactor versus allowing reactivity manipulation functions). Instead, the NRC should allow for technology and business-case-specific variations if justified.
  • The NRC staff could not entirely rule out the need for the on-site or in-the-vicinity crew to independently take certain consequential actions because such actions can provide defense-in-depth to address unforeseen contingencies.
  • Clear triggers and chain-of-command for any planned or emergent actions by the on-site and/or in-the-vicinity crew need to be established.
  • The type of actions AND the independence in performing those actions should inform the training regimen and the need for any operator licensing for the crew (e.g., if independent reactivity manipulations are part of the actions).
  • Guidelines need to be developed for determining the appropriate response times for actions by the on-site or in-the-vicinity crew.
  • The guidelines should be technology-neutral and performance-based, consider insights from minimal risk conditions (e.g., analysis performed to determine time required to complete an action necessary to achieve a minimal risk condition), emergent or planned configuration (e.g., changes to completion time due to unavailability of mitigating equipment similar to the risk-informed completion time program for operating light-water reactors), and, if applicable, a design's Technical Specifications (TS) completion times.

Ground Rule #10: Inspections of the site and remote control room, including physical and cybersecurity inspections, are necessary, although the inspection regime and protocol are expected to change compared to the status quo.

Key Attributes for Ground Rule #10:

  • Inspections of the remote control room are necessary to obtain information about plant status and emergent issues similar to the current practice of visiting the control room and talking with operators. However, periodic inspections similar to those used for non-power production facilities may be viable for the remote operations paradigm.
  • The number of inspectors assigned to the site and the remote control room, as well as their proximity to these locations and the frequency of inspections, is expected to be case-specific based on several factors, such as the reactor technology, how many sites are controlled from the same remote control room, actions that the on-site and/or in-the-vicinity crew can take, and the response time for incident response.
  • Data and voice communication protocols, with contingencies for loss of communication, are considered important to support transfer of information between inspectors assigned to the site and the remote control room.
  • Increased inspector knowledge and inspection frequency for data and voice communication security, including cybersecurity, are considered necessary to allow independent NRC checks of the licensee's protocols. If the licensee uses third-party vendors for such services, such inspections would fall under the agency's vendor inspection program.

Ground Rule #11: Physical security of both the site and the remote control room is considered necessary. Physical security at the remote control room would counter threats such as sabotage.

Key Attributes for Ground Rule #11:

  • A performance-based concept can support the determination of the size of the security forces at the site and the remote control room. An ongoing rulemaking activity on Alternative Physical Security Requirements for Advanced Reactors (Reference 11) can provide such a framework and should be reviewed for applicability.
  • An approach that uses a tiered access control should be employed. Such an approach would make access controls more stringent based on the ability to manipulate the reactor (either remotely or from on-site).

5. References
1. Rosenthal, M.W., et al., The Feasibility of an Unattended Nuclear Power Plant, Oak Ridge National Laboratory Report, ORNL-2985, August 1960.
2. U.S. Nuclear Regulatory Commission, Risk-Informed and Performance-Based Human-System Considerations, March 2021, ADAMS Accession No. ML21069A003.
3. Department of Transportation, Pipeline Safety: Potential Service Disruptions in Supervisory Control and Data Acquisition Systems, Advisory Bulletin, ADB-03-09, 68 FR 74289.
4. Pipeline and Hazardous Material Safety Administration, Human Factors Analysis of Pipeline Monitoring and Control Operations: Final Technical Report, November 2008.
5. National Highway Transportation Safety Administration, Automated Driving Systems 2.0: A Vision for Safety, September 2017.
6. International Atomic Energy Agency, Non-baseload Operation in Nuclear Power Plants: Load Following and Frequency Control Modes of Flexible Operation, April 2018.
7. U.S. Nuclear Regulatory Commission, Human-Performance Issues Related to the Design and Operation of Small Modular Reactors, NUREG/CR-7126, June 2012, ADAMS Accession No. ML12179A170.
8. U.S. Nuclear Regulatory Commission, Adaptive Automation: Current Status and Challenges, Research Information Letter (RIL) 2020-05, November 2020, ADAMS Accession No. ML20176A199.
9. Fleming, E.S., et al., Human Factors Considerations for Automating Microreactors, Sandia National Laboratory Report, SAND2020-5635, June 2020.
10. National Institute of Standards and Technology, Cybersecurity Framework, accessed online at https://www.nist.gov/cyberframework.
11. U.S. Nuclear Regulatory Commission, Alternative Physical Security Requirements for Advanced Reactors, accessible online at www.regulations.gov using docket ID NRC-2017-0227.
