ML22077A415

| Field | Value |
|---|---|
| Issue date | 03/23/2022 |
| From | Division of Operating Reactor Licensing |
| Contact | Jain B, NRR/DORL/LPL4, 301-415-6303 |
| Shared Package | ML22077A409 |
| Download | ML22077A415 (36) |
Licensing and Inspection Lessons Learned from Recent DI&C Modernization
NRC Workshop on Digital Instrumentation and Controls (DI&C)
March 23, 2022
RECENT DIGITAL I&C LICENSING LESSONS LEARNED
o Intent of the Alternate Review Process
o Deviations from the ISG-06 Guidance
o Licensing and System Development Schedules Overlap
o Information Submittals and Licensing Audits
o Vendor Oversight Plan and Summary
o Integrated Licensing Reviews
o Licensing Success Path
Current DI&C Licensing Activities
o Waterford 3 Core Protection Calculator System
  - LAR submitted in July 2020
  - LA issued in August 2021
  - FAT & SAT inspections completed
o Turkey Point Units 3 & 4 Reactor Protection System, Engineered Safety Feature Actuation System, Nuclear Instrumentation System
  - Multiple pre-submittal meetings since 2020
  - LAR submittal expected in 2nd Quarter of 2022
o Limerick Reactor Protection System, Nuclear Steam Supply Shutoff System, Emergency Core Cooling System
  - Multiple pre-submittal meetings since 2020
  - LAR submittal expected in 3rd Quarter 2022
  - D3 LAR submitted in February 2022
Intent of the Alternate Review Process
Digital Instrumentation and Controls, DI&C-ISG-06, Licensing Process, Revision 2 (ADAMS Accession No. ML18269A259)
o To allow for issuance of a license amendment (LA) prior to completion of the system Implementation and Test life cycle phases.
o Focus is on:
  - the system design (to demonstrate it meets regulatory requirements),
  - the development process (to demonstrate it is of sufficiently high quality),
  - a summary of the licensee's vendor oversight plan (VOP),
  - and additional commitments to perform vendor oversight and implement the remaining development phases under the licensee's quality assurance program after the LA is issued.
o Final system implementation and testing (e.g., FAT) is subject to verification through NRC inspection processes, in addition to the site inspections.
Intent of the Alternate Review Process
[Figure: ISG-06 DI&C Licensing Highway. Labels in the figure: LICENSE AMENDMENT, INSPECTIONS, SUPPLEMENTAL INFORMATION, LA. The four review paths shown:]
  - Tier 3: LAR does not reference a previously approved TR
  - Tier 2: LAR references a previously approved TR with deviations
  - Tier 1: LAR references a previously approved TR
  - ARP: LAR references a previously approved TR
o The ARP was developed to address an industry need to expedite the DI&C licensing review process.
Intent of the Alternate Review Process
o To quickly support upcoming DI&C modifications
  - All information provided in a single high-quality submittal (i.e., no RAIs or supplemental information)
o Vision of first applications would be for DI&C upgrades similar to past modifications:
  - One-for-one digital replacements of safety systems (e.g., Oconee, Diablo Canyon, Hope Creek)
  - Major changes to the control room with significant HFE needs were not identified
  - Crediting self-diagnostics to eliminate SRs was not considered
o Use of the ARP for more complex modifications would be considered after gathering lessons learned
Deviations from the ISG-06 Guidance
o Experience has shown that actual applications tend to deviate from the ISG-06 guidance (e.g., LAR contents, supplemental information, licensing and life cycle development timelines).
o Minor or modest deviations are not necessarily impediments to the review, if addressed early in pre-application meetings.
o A key challenge is attempting to apply a specific ISG-06 process when the scope of the amendment and the timing of design information no longer align with that process.
Deviations from the ISG-06 Guidance
o Licensing review scope/schedule, and staff and licensee expectations, need to adjust in order to address these deviations:
  - Potential for additional information to be audited or docketed
  - Changes to licensing review and LA issuance schedules
  - Changes to licensing audit and inspection scopes and schedules
o Staff and licensees need to be flexible to allow for consideration of other characteristics or aspects of the application, such as:
  - the level of detail in the VOP
  - the use of regulatory commitments
  - the safety significance of the modification
Licensing and System Development Schedules Overlap
Deviations from ISG-06
o The Tier 1 Review Process licensing review schedule overlaps with the system design, implementation and testing life cycle phases.
o The ARP compressed the licensing review schedule to overlap with the system design and early implementation life cycle phases.
o The actual system development schedule appears to have also been compressed.
  - Implementation is occurring in parallel with the latter half of the requested licensing review.
o Supplemental information submittals (e.g., EQ, SR eliminations) may impact the review schedule:
  - EQ testing is often deferred to later stages of the project, and EQSRs are provided as late supplements to the LAR.
o This has resulted in licensee development and NRC review schedules that are effectively neither the ARP nor the Tier 1 Review Process as envisioned in ISG-06.
Licensing and System Development Schedules Overlap - Model Case
[Figure: timeline of licensee and vendor activities set against NRC licensing and inspection activities.]
  - Licensee & Vendor Activities: Modification Concept & Pre-Application Meetings; High Level System Design & Planning; System & HW/SW Requirements; Detailed HW/SW Design; Implementation; Test (including FAT); Post-FAT Licensee Activities & SAT; Installation & Startup
  - NRC Licensing & Inspection Activities: ARP LAR Submitted; LAR Review and Regulatory Audit(s); Draft SE Complete; LA Issued; VOP & Vendor Inspections of Implementation & Test Activities; Regional Inspections of Site Activities
Licensing and System Development Schedules Overlap - Actual
[Figure: the same timeline as the model case, as actually experienced.]
  - Licensee & Vendor Activities: Modification Concept & Pre-Application Meetings; High Level System Design & Planning; System & HW/SW Requirements; Detailed HW/SW Design; Implementation; Test (including FAT); Post-FAT Licensee Activities & SAT; Installation & Startup
  - NRC Licensing & Inspection Activities: LAR Submitted; LAR Review and Regulatory Audit(s); Supplemental Information Submittals; Draft SE Complete; LA Issued; VOP & Vendor Inspections of Test Activities; Regional Inspections of Site Activities
Licensing and System Development Schedules Overlap - Factors
o When can the LA be issued?
o What are the post-draft SE activities?
o When can the NRC staff complete the draft SE?
o What is the time needed to perform the licensing review?
o When is the LAR going to be submitted?
o When will all the information be submitted?
o When are the development life cycle phases started and completed?
o When is the license amendment (LA) needed?
o When is the modification going to be installed?
Information Submittals - ISG-06 Enclosure B
Plant-Specific Information Submitted with License Amendment Request (Phase 1 for Tier 1, Tier 2, and Tier 3)

| Item | Information | ARP | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|---|---|
| 1.1 | (Summary of) Application Software Planning and Processes (see D.4) | X | | | |
| 1.2 | (Summary of) Vendor Oversight Plan (see C.2.2) | X | | | |
| 1.3 | Approved Topical Report Safety Evaluation (see D.5) | X | X | X | |
| 1.4 | System Description (see D.1) | X | X | X | X |
| 1.5 | System Architecture (see D.2) | X | X | X | X |
| 1.6 | (Summary of) Hardware Equipment Qualification (see D.3) | X | X | X | X |
| 1.7 | (Unified Compliance/Conformance Matrix for) IEEE Stds 603-1991 and 7-4.3.2-2003 (see D.6) | X | X | X | X |
| 1.8 | (Changes to) Technical Specifications (see D.7) | X | X | X | X |
| 1.9 | Setpoint Methodology and Calculations (see D.7) | X | X | X | X |
| 1.10 | Secure Development and Operational Environment (see D.8) | X | X | X | X |
| 1.11 | Software Requirements Specification (see D.9.1) | | X | X | X |
| 1.12 | Software Design Specification (see D.9.2) | | X | X | X |
| 1.13 | Design Analysis Reports for Platform Changes (see D.9.3) | | X | X | X |
| 1.14 | System Response Time Analysis Report (see D.9.7) | | X | X | X |
| 1.15 | Design Report on Computer Integrity, Test and Calibration, and Fault Detection (see D.9.7) | | | X | X |
| 1.16 | Commercial-Grade Dedication Plan (see D.9.9) | | | | X |
| 1.17 | Quality Assurance Plan for Hardware (see D.9.10) | | | | X |
| 1.18 | (Summary of) Hardware Development Process (see D.9.10) | | | | X |
Information Submittals - ISG-06 Enclosure B
o The ISG-06 Enclosure B tables identify the typical information to be submitted depending on the applicable review process.
  - This information is based on the life cycle information and outputs subject to staff review or audit, as well as on any application-specific aspects of the LAR.
  - Note that the tables assume a model case application and do not account for deviations from the ISG-06 guidance.
o Different information from that identified in Enclosure B may need to be provided, depending on the scope and complexity of the system modification and other associated requests.
o The information submitted for an actual application, and the timing of submittal, may resemble something in between the ARP and Tier 1 columns.
Information Submittals - Surveillance Requirements Elimination
The following information needs to be clearly identified in the LAR:
o Self-diagnostics of digital I&C safety-related systems could be credited to either reduce or eliminate I&C surveillance testing.
o Supporting FMEA needs to be provided as part of the technical basis.
o Licensees will need to provide analyses to justify the crediting of self-diagnostics for TS surveillance requirement reduction or elimination.
o Licensees will still need to perform periodic functional tests of the self-diagnostic features to satisfy BTP 7-17 guidance.
o Licensees will need to provide a description of plant administrative controls that will provide assurance (defense-in-depth) that faults are captured and investigated.
  - This may include items such as operator rounds, and system engineer monthly reports that evaluate and document the health, errors, and faults of the safety system.
Licensing Audits
o Virtual audits of undocketed material and living documents (e.g., the VOP) have proven to be very effective.
o Providing questions (e.g., open items) to the licensee in advance of virtual audit calls improved the effective use of the audit time.
o In-person audits of the vendor should be performed during the licensing review to familiarize the technical reviewers and inspectors with the system and interfaces.
o The scope of the information to be audited should include those vendor and licensee documents that are developed during the licensing review in order to support the draft SE.
Integrated Licensing Reviews
o A DI&C modification encompasses various technical review disciplines, including:
  - Instrumentation and Controls
  - Human Factors Engineering
  - Reactor Systems
  - Cyber Security
  - Electrical Engineering
  - Technical Specifications
  - Vendor Inspections
o Depending on the application, the staff responsible for these disciplines may be involved in the licensing review and/or inspections.
o The responsible staff reviews the information necessary to make a safety determination using the review criteria found in the SRP for all relevant review areas.
o The guidance in ISG-06 is primarily focused on the DI&C portion of the review.
Integrated Licensing Reviews - Diversity and Defense-in-Depth Overview
o Depending on the application, I&C, Reactor Systems and HFE staff may be involved in the diversity and defense-in-depth (D3) portion of the review.
o A systematic approach is used to analyze a proposed DI&C system for common cause failures (CCFs) that can occur concurrently within a redundant design.
o Per Branch Technical Position (BTP) 7-19, CCFs can be addressed in the following ways:
  - Eliminate the potential for CCFs from further consideration
  - Use diverse means to mitigate CCFs
  - Show that the consequences of a CCF are acceptable
o Reactor Systems reviews are focused on the reanalysis of the SAR Safety Analysis (Chapter 15) events with assumed CCFs.
Integrated Licensing Reviews - Diversity and Defense-in-Depth
Reactor Systems
For Reactor Systems reviews, the following items, at a minimum, are expected to be included in the D3 Analysis:
o Identification and selection of transients and accidents to be considered in combination with a CCF
  - Addresses all Chapter 15 events, including both anticipated operational occurrences and postulated accidents
  - Other credible events, such as those initiated by spurious actuation, that are not already analyzed in Chapter 15
o Description of what systems are lost due to the CCF (i.e., reactor trip system, engineered safety features actuation system, etc.)
o Identification and description of credited diverse equipment
  - Both existing and new systems, if applicable
  - May be non-safety grade if it is of sufficient quality
o Identification and description of credited operator actions (reviewed by HFE as appropriate)
o Evaluation and/or analysis of each event
Integrated Licensing Reviews - Diversity and Defense-in-Depth
Event Categorization and Analysis
Events may be categorized to determine what level of detail is required to be provided. Example categories include:
o Events where the CCF has no adverse effect
  - The assumed failed system (i.e., reactor trip) is not credited in the analysis
  - Examples: fuel handling accident, single dropped PWR control rod
  - Other than identification, these events require no analysis
o Events terminated by a diverse system
  - The diverse system may include existing systems, manual operator actions, or new diverse systems
  - A description of the event should be provided, including a comparison of diverse system actuation timing versus base times
  - New analysis may need to be performed if:
    - diverse system timing is significantly different from the base time (e.g., the Chapter 15 event had a reactor scram at ~5 seconds while operator action is credited to scram at 10 minutes)
    - there is little to no margin to the acceptance criteria
Integrated Licensing Reviews - Diversity and Defense-in-Depth
Event Categorization and Analysis (continued)
Events may be categorized to determine what level of detail is required to be provided. Example categories include:
o Events bounded by another event
  - Inadvertent SG relief valve opening may be bounded by a steam line break
  - Other than identification, these events require no analysis
o Events for which analysis is required to demonstrate that acceptance criteria are met
  - Events that were not eliminated by the other categories
  - May be analyzed using either best-estimate methods (i.e., using realistic assumptions to analyze the plant's response to DBEs) or conservative methods (i.e., design-basis analysis)
  - Analysis must demonstrate that events meet the acceptance criteria as defined in Section B.3.3 of BTP 7-19
Integrated Licensing Reviews - Diversity and Defense-in-Depth
Reactor Systems Review Findings
o D3 analysis considered all relevant events
o Events were categorized correctly
  - Events where the CCF has no adverse effect
  - Events terminated by a diverse system
  - Events needing to be analyzed
o Verified that the D3 analysis demonstrated that the consequences of the identified CCF remain acceptable
  - Should the CCF occur, the facility will remain within the appropriate acceptance criteria for the limiting events applicable to the proposed DI&C system or component
Integrated Licensing Reviews - Diversity and Defense-in-Depth
Precedents
Integrated Licensing Reviews - Human Factors Engineering
o As discussed in ISG-06, HFE review guidance is not within the scope of ISG-06.
o Guidance on NRC Human Factors Engineering (HFE) technical reviews is contained primarily in NUREG-0711, Rev. 3, Human Factors Engineering Program Review Model (ADAMS Accession No. ML12324A013).
o Industry is proposing more significant control room modifications than were considered when ISG-06 was revised to add the ARP.
o NRC staff have identified possible scheduling challenges with regard to the review of integrated system validation (ISV) testing and the development timelines proposed by applicants.
o NRC staff are considering possible alternatives to having completed ISV test results available prior to issuance of a license amendment:
  - Early-stage results from a multi-stage validation (MSV) test program
  - Alternative testbeds for the completion of ISV testing
o This topic will be discussed further later during this workshop.
Integrated Licensing Reviews - SDOE and Cyber Security Considerations
o IEEE Std. 603-1991, Clause 5.9, Control of Access, is the basis for the review of the secure development and operational environment (SDOE).
o Section D.8 of ISG-06 discusses SDOE reviews and refers to the guidance in RG 1.152, Rev. 3.
o ISG-06 provides guidance to the Office of Nuclear Reactor Regulation (NRR) staff to coordinate with the Office of Nuclear Security and Incident Response (NSIR) staff on matters related to cyber security.
o The licensing review of a DI&C modification does not include a cyber security review (compliance with 10 CFR 73.54). However, DI&C modifications are subject to NRC inspections.
o The Regions, with NSIR support, perform cyber security inspections of the DI&C modification.
o NRR, NSIR and Regional staff work together to ensure adequate coverage and understanding of the SDOE and cyber security aspects of the modification:
  - Security requirements for technical security controls to be implemented by the vendor
  - Supply chain requirements of the cyber security plan
  - Security impact analysis of the modification (NEI 08-09 E.10.5, RG 5.71 C.10.5)
Integrated Licensing Reviews - SDOE and Cyber Security Considerations

| | SDOE | Cyber Security |
|---|---|---|
| Focus | Safety: quality and integrity of the safety system (non-malicious act) | Security: prevention of radiological sabotage (malicious act) |
| Regulation | 10 CFR 50, Domestic Licensing of Production and Utilization Facilities | 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks |
| Regulatory Guide (RG) | RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants | RG 5.71, Cyber Security Programs for Nuclear Facilities |

The combination of SDOE and the cyber security programmatic provisions addresses the secure design, development, and operation of digital safety systems.
Vendor Oversight Plan (VOP) and Summary
o The staff recognizes the need for guidance for developing the VOP and VOP Summary.
o The staff plans to develop this guidance after the licensing actions for the Turkey Point and Limerick applications.
o For the Waterford 3 LAR review, the staff evaluated whether the licensee's oversight activities, as described in the VOP Summary, meet the following criteria of Appendix B to 10 CFR Part 50:
  - Criterion III, Design Control
  - Criterion V, Instructions, Procedures, and Drawings
  - Criterion VII, Control of Purchased Material, Equipment, and Services
  - Criterion XVI, Corrective Action
Vendor Oversight Plan (VOP) and Summary
o The VOP framework should supplement the licensee's overall QA program descriptions with specific system, hardware, and software development activities, including a description of the proposed development life cycles, the development documents to be produced, and the management activities that will be implemented in the design and development of digital I&C safety-related systems.
o The VOP and VOP Summary should address how the licensee's oversight activities will verify that the software development processes and the life cycle design outputs meet the software development process descriptions summarized in the LAR or any referenced SPM.
Vendor Oversight Plan (VOP) and Summary
o If the full VOP is not a lengthy document, it may be beneficial for the licensee and the staff if it is submitted with the LAR, instead of the VOP Summary.
o Engineering procedures that are used to implement the VOP should be described, including how they fit into the overall site QA program.
o Critical characteristics that will be verified by VOP activities should reflect the system and architecture design specific to the application reviewed.
o All documents that will be reviewed and approved as engineering design documents should be identified.
o All life cycle activities, including V&V activities, should be identified and described.
o The VOP and VOP Summary should describe the VOP change controls.
Vendor Oversight Plan (VOP) and Summary
o VOP audits during the licensing review serve several purposes:
  - To review the full VOP (in the case when only the VOP Summary was docketed)
  - To verify how the licensee is implementing the VOP
  - To determine if there is reasonable assurance that the licensee will implement the VOP after issuance of the LA
o For Waterford 3, VOP audits were conducted essentially throughout the LAR review timeframe:
  - Focus was on VOP activities described in the VOP Summary plus details of implementation provided in the VOP, to ensure consistency.
  - The pandemic required these activities to be conducted virtually.
o The VOP audit should occur after the vendor audit (or vendor inspection) to be able to focus on specific items that will be audited.
Vendor Oversight Plan (VOP) and Summary
o The licensee's implementation of VOP activities may not occur sequentially in accordance with the development life cycle.
  - For example, oversight activities for the implementation phase may take place after observation of the FAT.
o The licensee's VOP audit reports may lag the actual observed vendor activity by over a month.
  - This creates a challenge for the staff reviewing the licensee's VOP audit reports, as they are seeing issues identified months in the past and may not be aware of their resolution in a timely manner.
o If the licensee's VOP audit report will be issued after the completion of the draft SE, the staff may need to consider whether an NRC audit of the vendor is more practical to support the licensing review.
Licensing Success Path
o If an application follows the Tiered or ARP guidance according to the ISG, this maximizes regulatory certainty and schedule certainty.
o If not, then the staff and the licensee need to consider:
  - the licensing review schedule: what is a reasonable review time (based on the complexity of the modification and information availability), and does the schedule support the installation date?
  - information needs: it could be a mix of ARP and Tier 1 information from Enclosure B (depending on the modification and the review schedule)
  - information availability: what is submitted and when?
o This approach could be more efficient and provide advantages to the licensee in terms of flexibility to address licensing process deviations.
Licensing Success Path
o Staff and licensees need to be flexible to allow for consideration of other characteristics or aspects of the application, such as: the level of detail in the VOP, the use of regulatory commitments, and the safety significance of the modification.
o This may:
  - likely still result in an LA issuance date earlier than that of the Tier 1 process
  - decrease some inspection activities that could be captured instead through traditional licensing audit processes
o If the necessary information can be provided in a timely manner to support the licensing review, and the license amendment is issued in time to support the planned installation date, then that's a
Licensing Success Path
[Figure: word cloud] Leverage; Flexibility; Openness; Realistic Expectations; Accountability; Lessons Learned; Innovative Tools; Licensing Successes; Communication; Adaptability
OPEN DISCUSSION
Acronyms
ADAMS - Agencywide Documents Access and Management System
ARP - Alternate Review Process
BTP - Branch Technical Position
CCF - common cause failure
D3 - Defense-in-Depth and Diversity
DI&C - Digital Instrumentation and Controls
FAT - Factory Acceptance Test
FMEA - Failure Modes and Effects Analysis
GDC - General Design Criteria
HW - Hardware
HFE - Human Factors Engineering
IEEE - Institute of Electrical and Electronics Engineers
I&C - Instrumentation and Controls
IP - Inspection Procedure
ISG - Interim Staff Guidance
ISV - Integrated System Validation
LAR - License Amendment Request
MSV - Multi-Stage Validation
NEI - Nuclear Energy Institute
NQA - Nuclear Quality Assurance
NRC - Nuclear Regulatory Commission
NRR - Office of Nuclear Reactor Regulation
NSIR - Office of Nuclear Security and Incident Response
OpE - operational experience
QA - Quality Assurance
RAI - Request for Additional Information
RG - Regulatory Guide
SAT - Site Acceptance Test
SDOE - Secure Development and Operational Environment
SPM - Software Program Manual
SW - Software
TR - Topical Report
TS - Technical Specifications
VOP - Vendor Oversight Plan
V&V - Verification and Validation