ML22278A024
| ML22278A024 | |
| Person / Time | |
|---|---|
| Issue date: | 09/23/2022 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| Antonescu, C., ACRS | |
| References | |
| NRC-2108 | |
Text
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION

Title: Digital I&C Subcommittee
Docket Number: N/A
Location: Video Teleconference
Date: Friday, September 23, 2022
Work Order No.: NRC-2108
Pages 1-124

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1323 Rhode Island Avenue, N.W.
Washington, D.C. 20005
(202) 234-4433
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com

DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION'S
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.

UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)
+ + + + +
DIGITAL I&C SUBCOMMITTEE
+ + + + +
FRIDAY
SEPTEMBER 23, 2022
+ + + + +
The Subcommittee met via Video Teleconference, at 9:30 a.m. EDT, Charles Brown, Jr., Chairman, presiding.

COMMITTEE MEMBERS:
CHARLES H. BROWN, JR., Chair
VICKI BIER, Member
VESNA DIMITRIJEVIC, Member
GREGORY HALNON, Member
WALTER KIRCHNER, Member
JOSE MARCH-LEUBA
DAVID PETTI, Member
JOY L. REMPE, Member

ACRS CONSULTANT:
DENNIS BLEY
MYRON HECHT

DESIGNATED FEDERAL OFFICIAL:

ALSO PRESENT:
STEVEN ALFERINK, NRR
HAN BAO, Public Participant
ERIC BENNER, DEX
ALAN CAMPBELL, NEI
NORBERT CARTE, NRR
CLAYTON CROUCH, Public Participant
MATT GIBSON, EPRI
SAMIR DARBALI, NRR
CARL ELKS, Public Participant
BHAGWAT JAIN, NRR
WARREN ODESS-GILLETT, NEI

TABLE OF CONTENTS
Opening Remarks by Chairman
Introductory Remarks
Background and Status of Final SECY Paper
Discussion of Final SECY Paper on CCF

P-R-O-C-E-E-D-I-N-G-S
9:31 a.m.
CHAIR BROWN: Well, good morning, everyone. It's 9:30, plus change. This is Charles Brown. This is the Digital I&C Committee on the proposed SECY, not proposed now, excuse me, SECY 0076, an Expansion of the Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems.
The meeting will now come to order. I'm Charles Brown, Chairman of this subcommittee meeting. Members in attendance are Jose March-Leuba, Vesna Dimitrijevic, Joy Rempe, Dave Petti, Vicki Bier, Greg Halnon, Walt Kirchner, and consultant Dennis Bley. If I've missed someone, please let me know. And I see that the court reporter is here, so, with that in mind, I'll continue.
Christina Antonescu of the ACRS staff is the Designated Federal Official for this meeting. The purpose of this meeting is for the staff to brief the subcommittee on the final SECY paper to allow for consideration of risk-informed alternatives for addressing digital I&C common cause failures.
The Advisory Committee was established by statute and is governed by the Federal Advisory Committee Act (FACA). That means the Committee can only speak through its published letter reports.
We hold meetings to gather information to support our deliberations. Interested parties who wish to provide comments can contact our office requesting time. That said, we set aside 15 minutes for comments from members of the public or listening in to our meetings. Written comments are also welcome.
The meeting agenda for today's meeting was published on the NRC's public meeting notice website, as well as the ACRS meeting website. On the agenda for this meeting and on the ACRS meeting website are instructions as to how the public may participate. No request for making a statement to the Committee has been received from the public.
Due to COVID-19, we are conducting today as a virtual meeting. A transcript of the meeting is being kept and will be made available on our website. Therefore, we request that participants in this meeting should first identify themselves and speak with sufficient clarity and volume so that they can be readily heard.
All presenters please pause from time to time to allow members to ask questions. Please also indicate the slide number you are on when moving to the next slide.
We have the MS Teams phone line, audio-only, established for the public to listen to the meeting. Based on our experience from previous virtual and hybrid meetings, I'd like to remind the speakers and presenters to speak slowly. We will take a short break after each presentation to allow for screen sharing, as well as at the Chairman's discretion during the longer presentations.
Lastly, please do not use any virtual meeting feature to conduct sidebar technical discussion. Rather, contact the DFO if you have any technical questions so we can bring those to the floor.
We will now proceed with the meeting, and I'll ask, well, I will not ask him yet, I guess, Mr. Samir Darbali, the Electronics Engineer of the Long-Term Operations and Modernization Branch, Division of Engineering and External Hazards in the Office of Nuclear Regulatory Regulation, to share a screen with us. Mr. Eric Benner, the Director of the Division of Engineering and External Hazards in the same office, will make some introductory remarks before we begin today's presentations.
Also, Mr. Bhagwat Jain, Senior Project Manager, Plant Licensing Branch, Division of Operating Reactor Licensing in the Office of NRR, will provide some background and status of the final SECY paper.
Eric, I think that concludes. The court reporter, I see you're still on; we haven't lost him. Somebody came on in the middle of this. I didn't know whether that was trying to get my attention or not.
MS. ANTONESCU: That's all right, Member Brown. We are okay now.
CHAIR BROWN: Okay. I just wanted to make sure. Thank you.
Eric, I think we're ready to go. If you're ready, we are.
MR. BENNER: We're ready, sir. So thank you, Member Brown, for the introduction. You clearly have characterized the reason we're here today as in alignment with why we believe we're here today. We did brief the subcommittee prior to issuing this Commission paper, and we believe that the Commission paper aligns with everything we briefed you on in the subcommittee meeting. But now the members have had the chance to look at the actual paper, so we will, pretty expeditiously, go through the overview of the paper.
We will talk a little bit in more detail about what is referred to as point four in the paper because there has been some additional dialogue with stakeholders on that. I believe NEI's presentation is going to focus on that point four. So we'll have some additional detail to present on that matter, and you'll hear from the industry also, and we look forward to the deliberation on it.
So with that, I'm just going to turn it over to BP.
CHAIR BROWN: Okay. Before you do that, with the additional comments or the additional observations, I saw the briefing that they are providing also, did not see any updated slides, as if you all were going to do anything. I take it this is going to be a discussion of whatever their points were when we get to that point in the meeting.
MR. BENNER: Well, our slides have a little more detail on point four.
CHAIR BROWN: Did we get those?
MR. BENNER: Yes, these slides, these slides. So the sequence of events, NEI had provided a letter, and their slides comport with that letter. So we had seen that letter before, so we had already -- we didn't update our slides. These slides, the slide package you received already reflected some additional discussion in that area because we had seen NEI's letter previously.
CHAIR BROWN: Okay, all right. That's good. I just wanted to make sure --
MR. BENNER: Yes, you have the latest and greatest here.
CHAIR BROWN: All right. Thank you very much, Eric.
MR. BENNER: Okay.
CHAIR BROWN: Let's see. Did you introduce --
MR. BENNER: BP Jain.
CHAIR BROWN: BP, yes, BP.
MR. BENNER: He goes by BP.
CHAIR BROWN: All right. Take it away, BP.
MR. JAIN: Good morning, everyone. And thank you, Chairman Brown. My name is BP Jain, and I'm a Senior Project Manager in NRR's Division of Operating Reactor Licensing. And along with Michael Marshall, we perform the project management of all things digital in NRR.
As Eric mentioned, on May 20th, you know, we had briefed the subcommittee on the outline of draft SECY paper on CCF for Committee's feedback, and the Committee's feedback was positive. Since then, we have had further interaction with external stakeholders and held a public meeting on June 8th. So we have informed the SECY, the current SECY, with the stakeholder's feedback and, in August, we provided SECY to the Commission.
Now, currently, the SECY is with the Commission for the wording. If the Commission approves the expanded policy, the staff will update the implementation guidance for draft CCF policies.
CHAIR BROWN: Can I --
MR. JAIN: Yes, yes, Chairman.
CHAIR BROWN: One question, maybe you or Eric, one of the two. The Commission does have the paper, the SECY. And I presume they will vote on what we saw for review; is that correct?
MR. JAIN: That is correct.
CHAIR BROWN: Okay. That's all I needed to know. Thank you.
MR. JAIN: All right. So if the Commission approves the expanded policy, the staff will update the implementation guidance. And we'll continue to engage the stakeholders and the public to see their comments on the staff's implementation of the expanded policy.
So as Eric mentioned in today's meeting, the NRR staff will brief the subcommittee on the final SECY paper regarding potential expansion of the current policy on potential common cause failures in digital I&C systems. And we will also discuss new points one through four in the proposed policy.
Next slide, please. Okay. So today's presentation will be led by Samir Darbali of the Division of Engineering and External Hazards, the DEX, and will be supported by Norbert Carte, also from the DEX, and Steve Alferink from Division of Risk Assessment.
Next slide. So as you can see, the SECY paper is a collaborative effort of several NRR divisions, the Office of Research and Office of General Counsel. And in addition to that, we had input from several internal stakeholders.
So with that, I will ask Samir, who is our lead presenter, to make the presentation. Samir.
MR. DARBALI: Thank you, BP. And good morning, everyone. Here is the outline for our presentation today. BP already covered the introductions, and we'll revisit the background and the key messages from our effort to expand the digital I&C CCF policy. We'll cover the purpose of the proposed expansion --
MR. CARTE: Whoever just joined by phone, please mute your phone. That's what's resulting in the echo.
MR. DARBALI: Thank you, Norbert. As I was saying, we'll cover the purpose of the proposed expanded policy as described in SECY-22-0076. We'll go over the new points in SECY-22-0076 and the changes from the points in SRM-SECY-9387, and we'll finish by discussing the next steps.
Here is some background information, some of which we already presented in the May meeting. Nuclear power plants continue to install digital I&C technology. This results in increased reliability and safety benefits. However, these can also introduce digital common cause failures. SRM-SECY-9387 requires a diverse means if a postulated CCF could disable a safety function. This diverse means may be automatic or include manual actions.
The staff has been expanding the use of risk-informed approaches as much as it is allowed by this SRM. However, the current policy does not allow for the use of risk-informed approaches to determine when a diverse means would not be required. Because of this, the staff developed SECY-22-0076 to allow for greater use of risk-informed approaches to address digital I&C CCFs for high safety-significant systems.
I am now on slide six, discussing the purpose of the SECY, which is to request the Commission expand the current policy to allow the use of risk-informed approaches to determine the appropriate level of defense-in-depth, including not providing any diverse automatic actuation of safety functions. This expanded policy would be applicable to new or amended licenses and design approvals for all nuclear power plant types under Part 50 and 52.
As BP said, we sent the SECY to the Commission in August of this year, and we are currently waiting for direction from the Commission on how to move forward. Today, you're going to be hearing about the language and the purpose and intent of what the SECY says, but a lot of the implementing guidance, especially on the details of using risk-informed approaches, will be developed once we receive direction from the Commission.
CHAIR BROWN: BP, before you go on, on that first bullet, for those who -- I'm going to focus on the words including not providing any diverse automatic actuation of safety functions. I'm not disagreeing with your words. I'm just trying to put a calibration on what that means as an example. And correct me if I'm incorrect.
If you look at, say, a reactor protection system that we've looked at in the past, we have seen in most circumstances or for the software-based systems possibly two different platforms for two of the, one pair of channels and a different platform for another. That's a diverse means. It could be different software in each of those, as well. Those would be, in my mind, you would now allow, based on the evaluations, you could possibly have only one platform and one set of software based on this review and whatever the risk-informed analysis provided.
MR. DARBALI: That's correct.
CHAIR BROWN: Okay. That's just a calibration for those who are not steeped in the August verbiage of this area. Go ahead, BP.
MEMBER KIRCHNER: Charlie, this is Walt. Sorry for the interruption. Are the slides updating? I'm just seeing slide two right now.
CHAIR BROWN: The slides are updating so
MEMBER KIRCHNER: Oh, it must be my Teams connection then. Thank you.
CHAIR BROWN: Okay. Go ahead, BP.
MR. JAIN: It's Samir who is making the presentation, Mr. Brown.
CHAIR BROWN: Oh, I'm sorry.
MR. DARBALI: No worries. I'm going now to slide seven to discuss the key messages from our presentation. So the proposed expanded policy in SECY-22-0076 encompasses the current points of SRM-SECY-93-087 and expands the use of risk-informed approaches in points two and three. When taken together, the four points provide criteria for the assessment of diversity and defense-in-depth against CCFs.
Use of risk-informed approaches will be consistent with the safety goal policy statement, the PRA policy statement, and SRM-SECY-98-144. The current policy will continue to remain a valid option, and point four regarding diverse manual controls on displays already incorporates an implicit element of risk informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
I am now on slide eight. So here's what we presented during the main meeting that shows a single expanded policy that encompasses the current position in SRM-SECY-9387 and provides for risk-informed approaches in points two and three to address utilizing CCFs. The current path the left green allows, on the left in green allows for the use of best estimate analysis and diverse means to address a potential CCF while the risk-informed path on the right allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential CCF.
In the next slides, we'll show each of the four points in SECY-22-0076. Any questions before I move forward?
MEMBER PETTI: Yes, this is Dave. Just a clarification. It's probably fair to say that the green path, the current path, is a more deterministic approach to addressing digital I&C, as opposed to the orange path which is risk informed. But there just seems to be, particularly in this area of all the areas in nuclear safety, a concern about does the risk-informed path provide adequate assurance of safety, given uncertainties associated with both the hardware and the software of digital I&C. Can you comment a little bit on that?
MR. DARBALI: Sure. And we'll get into details when we go into points two and three.
MEMBER PETTI: Oh, okay. No, that's fine. I can wait. That's good.
MR. DARBALI: Yes. But the idea is to be consistent with how we treat risk informing in other topics or technical disciplines. We understand the uniqueness of digital I&C, and so we are cognizant of maintaining the safety of the facility.
And I see, Norbert, you have your hand up.
MR. CARTE: Right. Norbert Carte, I&C. So the term risk informed might be a little bit inappropriate in some ways. So we think of terms in binary senses risk informed or not risk informed. But in reality, the deterministic path has its own way of risk informing things. Engineers focus on what they think is important. We treat safety systems different than non-safety systems. Some parts of the regulation say commiserate with safety significance. Other parts say to the degree practical.
So the regulatory requirements and the practice for deterministic regulation is, in a manner, risk informed. It's just in a different manner than is referred to by a term risk informed. And if you were to oversimplify it, one way of risk informing is using PRA to inform your decisions. And in essence, that's what's hard to do in a deterministic path, and that's what we need a risk-informed path to do to allow us to use PRA in the assessment of the risk. So that's kind of a commentary about risk informed.
MEMBER MARCH-LEUBA: Hey, this is Jose March-Leuba. While we have you interrupted, with the understanding that I'm setting you up for a future question, is this expanded policy applicable only to large existing water reactors, light water reactors, or advanced reactors of different designs?
MR. DARBALI: And so as we said, the policy is applicable to reactors licensed under Part 50 and 52. Regarding applicability to, let's say, Part 53, which is not complete or issued, the SECY does not explicitly include or exclude those reactors. Those would be treated on a case-by-case basis.
MEMBER MARCH-LEUBA: But this policy would apply to a molten salt reactor?
MR. DARBALI: That's something that we are still considering. Again, if it's licensed under Part 50 or 52, we would be looking at, during development of implementing guidance, we would be looking at --
MEMBER MARCH-LEUBA: You're saying as long as it's licensed under Part 50 or 52 this policy would apply?
MR. DARBALI: Correct.
MEMBER MARCH-LEUBA: Okay. Yes, I told you I'm setting you up for a future question.
MR. DARBALI: Okay. I appreciate it. Thank you.
CHAIR BROWN: Dave, did you get an answer?
MEMBER PETTI: Yes, that's fine.
CHAIR BROWN: Okay. I just would amplify that a little bit. If you go back and look at the BTP 7-19 and the ISG-06 and some of the other reg guides we've looked at, we would have termed this engineering judgment in terms of, I phrase it a little bit different than Norbert does. We make judgments about whether we need this or don't need this, but there's no an explicit, but it's made on a judgment basis based on the knowledge of the equipment and reflects knowledge of hardware and/or software. So it's a little bit different in each case.
I think Norbert phrased it right. There is some element of judgment in risk informing, although it's done from a different thought process.
MEMBER PETTI: Okay. So in essence, in these point one, two, and three, we're trying to expand the space, if you will, and the flexibility in design.
CHAIR BROWN: That's the way I viewed it, and that's consistent with what I understood it to be. And that seems to be, after reading the entire package and comparing it to the old one line by line, that seems to be the case.
MEMBER PETTI: Yes, that was my sense. Okay. Thanks. That helps.
MS. ANTONESCU: Member Brown, Eric Benner also raised his hand.
CHAIR BROWN: Okay. Eric, go ahead.
MR. BENNER: Yes, just an additional clarification. So I think everyone has characterized it right. I will say, in the old policy, there was a hard deterministic stop. Like Norbert said, we've tried to use risk information where we can, but there was explicit expectations on the staff that, if a CCF could disable a safety function, that there shall be a diverse means to accomplish that safety function. So we have no latitude there, so we've done everything we could around that expectation of the staff and kind of felt like we got as far as we could and now felt like, if we were going to do any additional leveraging of risk information, we had to take on that expectation. So that was sort of the driver for this paper.
CHAIR BROWN: Eric, that's really amplified in my mind in point four, if I'm not mistaken. That's where one of the hard stops kind of was in terms of --
MR. BENNER: Well, we'll get into the point -- I'll just leave it --
CHAIR BROWN: I'm just saying that's an area where there was a hard stop in terms of manual controls and the nature of the manual controls.
All right. Samir, you want to go on?
MR. DARBALI: Sure. Thank you. Going to slide nine. So this slide shows point one of SECY 0076, which calls for defense-in-depth and diversity assessment of the facility incorporating the proposed digital I&C system. This assessment is to demonstrate vulnerabilities to digital I&C CCFs have been adequately identified and addressed. The assessment is also to be commensurate with the risk significance of the digital system.
On the next slide, we'll show what changed from 93-087 to SECY-22-0076.
So now on slide ten. Here, the text that is in the black font is the language that remains from SRM-SECY-93-087 and is unchanged. The text that is in blue underlined is the new language for SECY-22-0076, and the red striped-out text reflects the language of 93-087 that was deleted.
So for point one, the wording changes were made to more clearly reflect the current practices. And these language changes do not change the intent of the original point. A new paragraph or that last sentence was added to explain that the D3 assessment is to be commensurate with the risk significance of the proposed digital I&C system.
MR. BLEY: This is Dennis Bley. I've been trying to think of how to phrase this comment or question. I don't have a problem with the logic of the risk-informed approach you're proposing. On a practical basis, one point and one kind of question, on a practical basis, if a system that's designated safety system proves to not have risk significance, which is an area we get confused in sometimes, then, on a practical basis, this seems reasonable.
If that system has risk significance and the PRA shows that you don't need a diverse method, on a practical basis, this is where I have trouble right now because, for digital I&C systems, the likelihood of common mode failures is pretty fuzzy and quite uncertain, I think, and to practically be able to claim the analysis has covered the case seems difficult and problematic.
So that's not quite a question, but the question is how do you decide that the uncertainty has been treated well enough? I don't know if you've gotten to that point yet.
MR. DARBALI: Understood. So just a quick overview of the points. So point one refers to performing the D3 assessment. Point two explains the way that that assessment can be performed. Current method is using best estimate methods. We now have an alternative for point two that that's risk informed. And then point three is where the current policy calls for you shall have a diverse means if a CCF can disable a safety function. So point three really, in the risk-informed path, is the one that's going to provide the criteria for determining or addressing your concern. So we'll get to that when we discuss point three.
MR. BLEY: Okay. I look forward to that.
MEMBER MARCH-LEUBA: Yes, this is Jose. On that same -- I always have problems with this component for systems that the designers saw were a safety, they needed to be safety grade. But then the others did the magic and say, well, you were wrong, they're not risk significant. I have a serious problem with that because the designers are saying, gee, they're low numbers, but it sure looks like safety grade to me. They're able to run some numbers which the risk analysis is always, by nature, incomplete and make mistakes. And overruling the engineering judgment of the guys that know how the system works -- I know that's not in your SECY. This is just a comment to put on the record. If the designers felt it was safety grade, they have a reason for it. And you might have run all your PRA, all your numbers, and then say, well, maybe they were wrong. I don't know. As of today, I'm glad that we have a diverse back-up system because my internet went down in our home and using the diverse back-up system via phone. Your analysis might have shown that we didn't need to have a phone line, but I'm glad we have it and we have this diverse communication system.
So I just wanted to put it on the record. You don't need to answer, but there is serious logical concerns with that approach.
Keep going.
MR. DARBALI: Okay. Thank you. And we understand your concerns, and we share them, as well. Okay.
So to finish on point one, so point one does allow the D3 assessment to be commensurate with the risk significance of the proposed digital I&C system, and so it does not preclude the use of risk-informed approaches for this D3 assessment. When we use the term commensurate, we mean the level of rigor of the assessment. And the current guidance in BTP 7-19 Revision 8 does support a graded approach in applying that level of rigor for the assessment, and we'll continue to refine this guidance in the BTP as we move forward with implementing guidance for the policy.
11 CHAIR BROWN: Will you have to modify Rev 12 8? One of my questions that came up, there's a couple 13 of places you talk about that, and you say it's 14 already implemented. Why does it have to be revised 15 at all if it's already implemented?
16 MR. DARBALI: Maybe the word revised is 17 not the best word. Maybe it's more polished or more 18 applicable to the expanded policy. But we believe 19 that, for this point one, the current guidance is 20 adequate for allowing those risk-informed approaches, 21 but we always, when an update is made, we always 22 consider what improvements can be made.
CHAIR BROWN: But that means you add some more word salad to what's there now. It just fuzzes things up. I remember when we included that we had discussions on that at that time.
And the other question -- I'll leave that one alone for right now, but I'm just concerned. I went through this and I didn't see any need to revise 7-19 at all, okay, from Rev 8 based on your all's comments and based on the actions we took when we approved Rev 8, but that's another issue that can be debated later.
When discussing the risk significance of a proposed I&C system, did anybody lay out any examples in existing plants where, as what does that mean? Are there any there right now where we would consider the risk significance low enough that we wouldn't do what we've got there right now at all, or is this just all hypothetical right now?
MR. DARBALI: In some cases, it was hard to come up with some examples, so we did try to go back to what we've approved in the past. But a lot of it really will be determining the implementing guidance. And, again, the current policy doesn't really allow us to consider those approaches, and so our hands have been tied under the current policy.
What the expanded policy would allow us to do is be able to consider them. It doesn't mean that --
CHAIR BROWN: Samir, Samir, I'm sorry to interrupt, but that's not the point of the question.
The point is we have the terminology here that we're going to allow it, and were there any things in our existing systems, even take, for example, the last three application, design applications, as well as one of the backfit applications, were there any systems in there that we would have said, yes, we really didn't need to do that, as opposed to the extra thing that we've done before; and, therefore, this would have allowed us to simplify the system?
One of my other concerns when you talk about, and I'll springboard off of Jose's comment a little bit, I'm going to use a very simplified issue or point. In a reactor protection system, we've got four channels. It measures stuff, votes two out of four, trips the plant if there's a problem. There's also a manual backup switch in the main control room that bypasses all the software, okay, that can trip the system. Does this get to the point where you think you're in such good shape that you don't need a manual backup that bypasses all the software or hardware, hard-wired as a matter of fact, which is a point we'll discuss later in point four.
MR. DARBALI: Right. No. On point four, for the diverse manual controls and displays. Those would not be affected by the risk-informed decisions made in points two and three. So point four, and Norbert will cover this in more detail, but point four, we believe it already captures a level of risk informing because it's focused solely on those critical safety functions performed by the system, not all safety functions performed by the system. And so we have maintained that aspect of the current point where you still need to provide those controls for critical safety functions.
So, hopefully, that clarifies that.
Whatever diverse means or decision on the need of a diverse means that is taken on point three, if it's a critical safety function, point four will still require that.
CHAIR BROWN: That's what I understood, and I'll amplify my comment when we get there. Go ahead. Thank you.
MEMBER MARCH-LEUBA: Don't go ahead. This is Jose again. While we have you off your slides, we can have some discussions here.
Related to the comment I made before about advanced new reactors, it's not the question I had; I still have that one waiting for you, so you'll still get those. But it has to do with risk significance.
These new advanced reactors are super safe. I love them. I mean, they're so safe. But if you're doing your safety analysis, you can't see all the way to the various isotopes to go to the public. Right. So they're really good. They have a 10 to the minus 8, 9, 10, 20, you know.
Now, when you now define risk significance for digital I&C CCF, are you going to take the old light water reactor 10 to the minus 4, or are you going to take a significant increase in the number you calculated for your reactor? And let me tell you why.
Because this super safe reactor, take advantage of the safety, for example, to define the emergency planning zones to be 20 feet. I mean, to be inside the fence of the reactor so they don't have to have an EPZ.
So the rules that used to apply to large light water reactors where you have an EPZ that goes to 20 miles, and now you have taken advantage of the fact that your reactor is super safe, does risk significance go along with the risk of your reactor, is calibrated to the risk of your reactor because you took advantage of it for other safety measures that are not there anymore because your reactor is super safe.
And you don't need to answer this. I just want to put it on the record, but it's something to think about because there are unintended consequences to being too good.
Just keep going.
MR. DARBALI: Yes, I appreciate it. And as I understand it, if the improvements in safety in the reactor design allow you to, as you say, take advantage on one aspect, you can't just keep taking advantage on that because, at some point, you might make the design less safe. So I appreciate that point.
So on that, I believe we can move forward to point two, and I'll turn it over to Steven Alferink.
MR. ALFERINK: Thank you, sir. This is Steven Alferink. We're now on slide 12, and I will address points two and three of the proposed policy.
Point two contains the requirements for evaluating postulated digital I&C CCFs. The proposed point two consists of three paragraphs. The first paragraph specifies that applicants shall analyze each postulated CCF, and it allows applicants to use either best estimate methods or risk-informed approaches.
The second paragraph describes the evaluation when using best estimate methods. This paragraph meets the intent of the current point two with some minor wording changes. It also specifies that applicants must consider each event evaluated in the accident analysis section of the safety analysis report.
Next slide. Slide 13 contains the third paragraph, and the third paragraph of point two describes the evaluation when using a risk-informed approach. This is a new paragraph for point two. The first sentence provides high-level requirements to keep the policy as flexible as possible. The second sentence specifies that the staff will review applications for consistency with established policy and guidance.
In contrast to the evaluation using best estimate methods, the staff expects that applicants using a risk-informed approach will consider a broad spectrum of initiating events not limited to only those evaluated in the accident analysis section of the safety analysis report.
Next slide. So the next two slides show the changes for --
CHAIR BROWN: Steven, can you hold on for a second and back up a slide. Back up a slide. The best estimate. That's not new. That was part of the SRM from 1993, so that's not new. It's only the addition of the risk-informed approach; isn't that correct?
MR. ALFERINK: That's correct.
CHAIR BROWN: And the second paragraph relative to when using best estimate, that's the new paragraph --
(Simultaneous speaking.)
MR. ALFERINK: No, the --
CHAIR BROWN: -- just the one paragraph, right? If I remember -- I'm looking at the SRM from 1993.
MR. ALFERINK: The '93 SRM has point two in one paragraph. The current second paragraph still contains the intent of the previous point two.
CHAIR BROWN: Yes, I understand. It just further defines it is all I'm saying.
MR. ALFERINK: Yes.
CHAIR BROWN: Okay. All right. So that's the new what do we mean by best estimate relative to defense-in-depth and diversity.
MR. ALFERINK: That second paragraph that you see on slide 12, there's really not much of a change from the previous point two to the current point two.
CHAIR BROWN: I agree, based on the Commission's words from 1993. I guess that was the point I was trying to get at. There's not much change there.
MR. ALFERINK: That's correct.
MR. BENNER: Yes, Dr. Brown, you're absolutely right. The next slide is going to get to the risk-informed approach for point two. As we tried to merge these two, we wanted to, you know, it used to be one paragraph. We wanted to make a preamble that covered it all, and then the two paragraphs talk about the two paths.
And just from my simplistic mind, I felt that, you know, the best estimate path that existed allowed us to address, you know, the potential consequences part. I mean, our typical safety analyses use these conservative methodologies to estimate consequences. And we already got some relief there, but we didn't have any relief on the likelihood component of things happening. And to me, that's the major change of this policy is there was acknowledgment that, hey, this stuff is safety related, it has to meet certain requirements, and then we've layered on top of that a beyond design basis situation of a common cause failure. And from a consequence standpoint, we have some latitude for how to address that. But from a frequency or likelihood standpoint, we did not. And now we believe that, you know, with the advent of more sophisticated risk informing, the time is right for us to be able to look at the likelihood argument for different sequences to help determine the significance of the, you know, of needing a diverse actuation system to address those sequences.
CHAIR BROWN: I'm going to spring back to Dennis and Jose's comment a little bit, and I don't want to go back any slides. When we talk about risk analysis and the use of PRA and coming up with numbers for this or that, if I'm a designer and I've been asked by the licensee to design this plant, and I've got a software-based system that's considered safety critical, and I can bypass the entire system with one switch for $5.95, a 20-foot cable that goes right to a contact that starts something or I can spend a couple hundred thousand dollars doing a PRA and deciding I don't need the switch, as a designer or somebody who has built many, many systems, which I do have experience with, that decision gets to be real easy. I'd put in the switch.
For a comfort zone, it might be comfort, but it also eliminates cost. I mean, doing a PRA and coming after all the numbers is not a cheap, easy, or quick design, a way to design a system. So that's just a thought process that I have. It doesn't mean we don't do this. It just --
MR. BENNER: We agree. And this is where we talk a little bit about the point four aspect. The code, the applicable codes and standards, basically, do require that, if you have a required automatic protective function, you should also have a manual capability. The staff's implementation of that, even before digital, has been, like you noted, that that manual capability shouldn't be subject to the same failure mechanism as the automatic capability. We are not addressing that here.
There may be a case where an applicant can make -- just let me tell the story for a second here.
The applicant may be able to make that case. We believe they'd need a code, an alternative to the code, or an exemption to do that. Those processes exist. We'd look at it in that forum.
This is really focused on, in these systems, if we have had a safety function that could be disabled by a CCF, we also needed a clear diverse means --
CHAIR BROWN: I pulled something off. I'm sorry about that, Eric.
MR. BENNER: No, no, no problem at all.
What we've called a DAS, a whole other system to automatically perform that safety function, that's what we're mainly focused on and that's where, particularly if you say, you know what, the failure of that system, because other things need to fail and there's likelihoods of those other things of failing, there very well may be different layers. For a super top tier system, the reactor trip system, you know, we would have to look at what's there.
Now, I would say, for those systems, if you maintain, if you don't request an alternative and have the manual capability and it's clear that you can perform that in a time frame that supports the safety analysis, that likely is going to be your evaluation in the D3 and whatever risk informing you want to do.
And this is where we understand we maybe have not been clear enough here, and that's why, I think, we're going to have more discussion on point four. But the things you're talking about, the manual, you know, scram buttons, we've had that for analog systems.
We've had that since the dawn of time. That's really been driven by the code requirements to have what I would call functional manual controls for those things you have automatic protective functions for.
So that's where we need to be clear that, if you really want to go that far, if you want, if an applicant wants to say I have whatever it is, an analog or a digital reactor protection system, and it's okay that my manual scram buttons can be taken out by the same failure mechanism, our position is you need a code alternative, an alternative to the code or an exemption to do that. It's not point four that is mandating that. Point four, right, just clarifies that; but the code itself talks about those controls and those displays being in the control room for those safety functions that are required.
So I just want to keep reiterating that point because I think that's what's caused a lot of the challenges we're having on the discussion of point four. And those code requirements, you're going to hear from industry, were not put in place to address CCF. We agree, but they were put in place to address not having a single failure that could take out both your automatic protective function and your manual controls of those safety functions. And like I said, that is how we have implemented those requirements all along, and we still believe that that application of those standards is appropriate from a safety perspective.
CHAIR BROWN: I don't disagree. I mean, that's kind of a double negative saying I agree with you. I do remember a plant that we looked at, jeez, it must have been 10 or 12 years ago, virtually duplicated the trip system with a diverse actuation system. It was all analog, and it was so cumbersome.
It seemed to be overkill. There was a better way to do that, and they didn't do --
MR. BENNER: Right. And we agree there's a complexity that implementing or having the policy as it was, you know, we believe the implementation has maybe resulted, likely resulted in some unnecessary complexity that, if you really did step back and look at from a safety basis, that probably was not the best thing to do.
CHAIR BROWN: Yes, okay. Yes, I got that, and I do agree from the standpoint it can be overdone.
If you look at the recent stuff that we've looked at, there seemed to have been a compromise relative to this complete analog backup which was not in place.
You know, there were other ways to do what we've been talking about.
All right. Thank you very much, Eric.
Samir. Oh, no, it's not Samir. Steven. I'm sorry, Steven.
MR. ALFERINK: Thank you. So, Samir, if you can go to slide 14. So slide 14 shows the changes from the 93-087 SRM to the current SECY. And you'll see for paragraphs one and two there's relatively minor changes. Paragraph two, specifically, is just rewording a little bit.
And if you go to slide 15, you'll see that paragraph three is now a completely new paragraph.
Next slide. The staff's goal is that the acceptance criteria for risk-informed approaches for digital I&C CCFs will be consistent with the NRC's broader practices and guidance for risk-informed decision-making and not specific to digital I&C. As an example, for operating reactors, the staff intends to review license amendment requests that use risk-informed approaches for conformance to the guidance in Reg Guide 1.174. The staff does not envision approaches that are radical departures from existing practices.
Next slide. So now we're on slide 17, which will start point three. Point three contains the requirements for measures to address digital I&C CCFs. It is important to remember that the current policy states that, if a postulated CCF could disable a safety function, then the diverse means shall be required to perform either the same function or a different function. So the current approach only provides one way of addressing undesirable outcomes, and that is through the use of diverse means.
The proposed entry consists of three paragraphs. The first paragraph that you see on this slide contains a lot of information. The first sentence specifies that a D3 assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant.
The second sentence allows applicants to demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures other than diversity.
The third sentence allows the level of justification for demonstrating the adequacy of these measures or techniques other than diversity to be commensurate with the risk significance of each postulated CCF.
Next slide. The second paragraph meets the intent of the current point three and specifies that automatic or manual actuation within an acceptable time frame is an acceptable means of diverse actuation. BTP 7-19 Revision 8 provides the staff guidance for determining if automatic and manual actuations can be performed within an acceptable time frame.
The third paragraph that specifies, if a postulated CCF is risk significant and measures other than diversity are not demonstrated to be adequate, then diverse means must be used. This is essentially a fallback position. Point three allows options other than diversity to be used with appropriate justification. If justification cannot be provided, then diverse means must be used.
Next slide. Yes --
CHAIR BROWN: Don't go yet. In the 93-087 version, the part that was not modified by the Commission, there was a sentence talked about the types of diversity where it stated either diverse digital or non-digital systems are considered acceptable means. In other words, you could have had a different diverse system or you could have a non-digital system. That's not explicitly stated anymore.
I mean, it's kind of implied, but it's not explicitly stated, unless I'm not reading the second paragraph correctly. Is there a reason you left that out?
MR. ALFERINK: Are you referring to the point three from --
CHAIR BROWN: Yes.
MR. ALFERINK: -- 93-087?
CHAIR BROWN: That just says either automatic or manual within is an acceptable means, but it does not say that a digital system that's diverse from what you've got would also be acceptable.
MR. ALFERINK: If we go to the next couple of slides, we can look at the changes and we'll see specifically where we modified it from 93-087. And you'll see that specific sentence that you're referring to at the end, that was actually added in the SECY.
CHAIR BROWN: No, I'm talking about what was there before in the original 93-087. Why don't I see it in this?
MR. ALFERINK: It's not in the SRM-SECY-93-087.
CHAIR BROWN: No, it's in the original 98-087.
MR. ALFERINK: The SECY that was sent to the Commission. Understood. We were comparing ours to the SRM version.
CHAIR BROWN: Okay. So is a diverse digital system acceptable based on the words you've got here?
MR. CARTE: Norbert Carte. I'd like to interject. So somewhere we have words that you have to have a documented diverse, a demonstration that the diverse means is not subject to the same CCF. So we are open to considering a diverse digital, yes.
CHAIR BROWN: So it's implied but not explicitly stated the way it was in the original SECY?
MR. CARTE: Correct.
CHAIR BROWN: Okay.
MR. CARTE: But it's the job of the applicant to demonstrate why it would not be subject to the same CCF.
CHAIR BROWN: Okay. So a documented basis showing that the diverse means is unlikely to be subject to the same CCF is what I would call the substitute for that sentence.
MR. CARTE: Correct.
CHAIR BROWN: Okay, all right. I got it.
Okay. Thank you very much, Norbert. Go ahead, Steven.
MR. ALFERINK: Samir, if you can go back one slide, I think we're on slide 19, which, once again, just shows that this paragraph in point three is new in SECY-22-0076.
And if you can go back to slide 20, please. And now we'll see the changes that were made to the last two paragraphs of the proposed point three, and, as you can see, there are considerable changes to these two paragraphs, including the last one, which is our fallback.
Next slide. So now I'm on slide 21. Now, as an example, for a license amendment request, the staff expects that the risk significance of digital I&C CCFs will be determined by any increase in risk to the facility using the traditional measures of increase in core damage frequency or large early-release frequency, and this increase in risk would be determined using a quantitative bounding assessment.
Current experience --
MEMBER MARCH-LEUBA: This is Jose. I don't understand the language here. Are you saying that if my CCF produces any risk increase whatsoever, say 10 to the minus 45, then it's risk significant and you must have a backup, a diverse backup? Is there a cutoff on -- because any failure increases the risk.
If an operator in the control room chips a nail and they start looking at this and not paying attention, that is an event that increases the risk of operability. So the way you have it written, it seems that anything that is negative would be risk significant. What do you mean?
MR. ALFERINK: I think that just means that the significance of the digital I&C CCF will be evaluated. You're correct. Any additional failure mode will increase the risk. We need to develop implementing guidance to determine what those thresholds are.
MEMBER MARCH-LEUBA: Yes. And going back to my previous comment on the super safe new advanced reactors, the criteria of 10 to the minus 4 that we typically use for large light water reactors may not apply because those super safe advanced reactors are taking advantage of their super safety to eliminate other systems, like the EPZ, Emergency Planning Zone.
I just wanted to put that on the record. I mean, this is something that has to be considered by staff. So don't just, because normally 10 to the minus 4 is considered a cutoff number, it may not apply to these other reactors that have taken advantage of the fact that they are 10 to the minus 10 domain.
MR. CARTE: Norbert Carte. Question.
Would this first bullet be clearer if the word any in the second line was replaced by the, will be determined by the increase to the facility from a postulated I&C CCF?
MEMBER MARCH-LEUBA: Yes. Any increase to me says anything that is not negative. The increase would be more clearer. Make it clear on the basis or on the discussion so that it is, I mean, that the language doesn't become limiting and we all know, you, the staff, know, the applicants know what you mean.
And it has to be calibrated or normalized to what is the safety of my facility and what grade I have taken by eliminating other pre-fail systems.
MR. CARTE: Understood. I think we can make sure we implement that in the implementing guidance.
MEMBER DIMITRIJEVIC: Hi, this is Vesna Dimitrijevic. You know, there is well-known important measures for risk increase, and then there is what's considered significant risk increase. And don't depend on that, these small numbers with Jose's bringing. For example, this factor which measures risk increase, consider significant risk increases is double your present risk or for the single failure.
I think it's the higher factor for common cause failure, but it is well known importance measure which qualify as risk significant certain risk increases.
You know, like in the 50 or 69 CFR or something.
MR. CARTE: Yes, I think we understand.
Well, sorry, Steve, for -- our intent is to implement this consistent with the way risk-informed regulation is implemented. So we don't want to deviate from policy and practices. So to the degree that things are done one way for everything else, we intend to do it that way for digital I&C systems, as well. I mean, we don't want to go off and do something different or separate. We want to be consistent with practices and policy.
MR. ALFERINK: And I was just going to add that we understand your point and we will keep it in mind.
So I'll continue. So current experience is insufficient to establish confidence and in quantifying the probability of occurrence of digital I&C CCFs. However, there may be sufficient data to establish bounding values that can be used in the bounding assessment. The staff has confidence that the bounding assessment can account for the uncertainties in quantifying the probability of occurrence of digital I&C CCFs.
Because of the lack of confidence in quantifying the probability of occurrence of digital I&C CCFs, the staff will not be able to approve risk-informed quantitative approaches based solely on reducing the probability of occurrence of digital I&C CCFs through design techniques for high safety significance --
MR. BLEY: Samir, it's Dennis Bley. These two bullets get to the point I asked about earlier.
I'd like to know why the NRC staff has confidence in a bounding approach that's perhaps undefined right now that will cover the uncertainties in these issues, or is that something you'll have to decide when you get an application?
MR. ALFERINK: I think we'll have to look at it on a case-by-case basis. Doing some preliminary work, we're looking at values potentially other than 1.0 for the failure, but that may still be suitably large to show that the risk significance is acceptable.
MR. BLEY: Is that going to show up in guidance at any point in time --
MR. ALFERINK: Yes, yes, that would have to be included in the implementing guidance.
MR. BLEY: I think that's crucial. I agree with these two bullets that we can't do it well enough right now, and these kind of say the change doesn't mean much until we can do a better job.
MR. ALFERINK: Understood. We still think we can bound it.
CHAIR BROWN: Where would this implementing guidance be? BTP 7-19 or in some other document?
MR. ALFERINK: It's still to be determined.
CHAIR BROWN: But we're working on that.
MR. ALFERINK: We will upon approval of the SRM. I'm sorry, on approval of the SECY.
MR. BLEY: So Charlie?
CHAIR BROWN: Yes.
MR. BLEY: This is probably a key point if you're writing a letter. I'll just leave it at that.
CHAIR BROWN: Yes, we'll have to discuss that later. But the point being is that the bullet two and three, implementing guidance, it's not really clear yet; is that a correct statement?
MR. ALFERINK: That is a correct statement.
MEMBER MARCH-LEUBA: Hey, this is Jose.
I think, I'm sorry, Dennis, I think you just volunteered to providing a paragraph to Charlie for this letter.
MR. BLEY: I cannot do that as a consultant, but I wanted to point out it's an important point.
MEMBER MARCH-LEUBA: No, no, hold on. As a consultant, you can provide input to the committee, and we decide whether we accept it or not. It would be nice if you provide the language that we can use in our letter.
MR. BLEY: Go ahead --
CHAIR BROWN: Based on my non-PRA background and the risk-informed verbiage, that would be useful if we decide to write a letter, Dennis. Any of your thoughts along that line.
MR. BLEY: Okay. As long as you ask for it, I'm happy to provide it, Charlie.
CHAIR BROWN: That would be much appreciated. We'll have to decide whether we're going to write a letter or not because there's some other questions that come up later. I have at least one other question on point four later.
MEMBER HALNON: Hey, Charlie, this is Greg. I've got a question on that third bullet. The staff is kind of drawing a red line on not being able to approve something. Can you guys give us an example on either side of that red line for me to help me understand? I mean, I thought the risk was largely dependent on probability of occurrence, and now you're saying that the probability of occurrence, even though you can decrease it, that would decrease the overall risk, that's not an acceptable way to do it.
Could you give me an example on either side of that red line that you've drawn?
MR. ALFERINK: I see Norbert has his hand up, so I was going to give him a chance to answer that question first.
MR. CARTE: So one of the things that's a little bit more difficult to do -- Norbert Carte, I&C -- is, if you look at IEEE 1012 or IEC 880, they have different SIL levels -- not 880, sorry, 61508 or 61513. They have different SIL levels. So to quantify the likelihood of a CCF based on a SIL level is sort of is sort of, there's a lot of uncertainty with that. And so that sort of thing is more difficult to do, and that's one example of what we want to avoid is looking at individual techniques at reducing, at the amount it would reduce the likelihood of CCF. Since you can't estimate the likelihood, you can't really quantify the reduction. You can bound the reduction, but you can't quantify it. And so that's why we're interested in bounding approaches, not quantifying approaches.
CHAIR BROWN: Then why are we doing it on a risk-informed basis if you can't --
MR. CARTE: Well, you can use a bounding number in your risk analysis. It's just that your --
CHAIR BROWN: But the bounding numbers, it's just engineering judgment comes down to.
MR. CARTE: Right. But it's sufficiently conservative to address any uncertainty.
CHAIR BROWN: What you're also telling me is that a third-party certified programmable logic controller device that's used for each channel of a protection system, you cannot rely on the SIL level to provide the type of quantitative assessment and you'd still need a manual backup.
MR. CARTE: On CCF likelihood.
CHAIR BROWN: Well, those PLCs, we just had those discussion. You know, the idea was to be able to take something that was kind of off the shelf, plug it into some of these safety critical items, and everybody would walk away happy.
MR. CARTE: Okay. Let me let Eric speak.
MR. BENNER: Yes, because I don't want, I know this is an area that would need additional attention. There are benefits, nearer-term benefits even if you assume the CCF for the system is one because, right now, we don't have a mechanism within the current policy to allow us to look at the overall risk, which includes the likelihoods of other things that have to happen in order for the consequences to be bad.
I believe that, in the proposal that NEI has given us, that they assume the CCF occurs.
They're not trying to quantify the likelihood of a CCF, but we want to be able to say, for individual sequences, you look at the overall risk of that sequence even if the CCF occurs, and that allows you to make decisions as to whether a diverse actuation system is required.
So this is, there's a nearer-term benefit we could get from risk informing the policy. What we're talking about now is a potential even greater longer-term benefit as we look deeper into the can you have a number less than one as a probability of a CCF.
MEMBER HALNON: Okay. This is Greg. One of the things I'm being tripped up on, I guess, is to reduce or even eliminate a CCF from even being an issue to talk about, it's in the design of the system, I would assume, or design of the platform. But you've eliminated the use of design here to reduce or eliminate the CCF.
I guess I'm reading it too literally, and there's going to be a lot more clarifying language later on but --
MR. BENNER: But the likelihood. I mean, we have already allowed design approaches, if you can deterministically say, I mean, really say that the CCF, and this is where you get, you know, you can have internal diversity in systems. So the whole point, the idea of quantifying the likelihood of CCF gets talked about, and it's an area we would continue to talk about. But that science needs more work before we would rely on it in a regulatory context.
MEMBER HALNON: Okay. All right. Thank you.
CHAIR BROWN: Greg, let me try to provide a little bit of thought process calibration, okay?
And I like to pick on the protection system or a safeguard system as an example of how you might assess this in terms of is what we've got in the system enough.
If you take a reactor protection system, there's four channels. Let me presume that there's four channels. Each channel is totally, completely independent of each of the other channels. They have separate detectors, separate analog-to-digital converters, everything is totally different. They don't even communicate until they get to a voting unit. They run asynchronously. They can run the same software. By asynchronously, that means all the data that's coming in fields or would corrupt data. That's the stuff that corrupts microprocessors. You get a corrupt data field, it can lock everything up. If you've got an interrupt-driven system, you can lock everything up in one channel. But if you're running asynchronously, what are the likelihood in three out of those four channels you're going to get a corrupt data set that's exactly the same and lock up three of the four channels? You can run this argument to that standpoint that they're very independent, and the likelihood, I use that word cautiously, of having those all fail simultaneously due to some corrupt data path is pretty darn small. But how do you calculate that? And that's where the difficulty is.
In the systems I did years ago, we put in a backup anyway. Based on the nature of our plants, it's different than what's done in the commercial world. But we put it in anyway, so it's really very much a judgment. I've been going along with this because I know people want to start thinking a little bit because the complexity of some of the stuff we've looked at seems to be overdone. But they're driven by what the staff is required to look at, and this just provides, to me, some flexibility of us looking at it overall. We might get in more arguments when we get a design application that says, hey, there's new stuff and we don't want to do A, B, and C. Well, we'll have to hash those out in the meetings, but the staff will have the flexibility to say yes or no and we'll have the flexibility to agree or disagree.
MR. BLEY: Charlie, it's Dennis.
CHAIR BROWN: Yes, go ahead.
MR. BLEY: Eric's last point, I think, is an important one, and it's close to what you're saying but not quite the same. You're saying it allows us to use judgment. Well, it also allows the staff to consider if a common cause failure is possible and to consider that, if it's guaranteed to occur, if that's not an important effect on risk, then they can look at alternatives. And I think that's a key piece of information. I'll include something about that if I write that paragraph for you.
CHAIR BROWN: That would be excellent. I totally agree with you. You know, I'm very deterministic, as you're well aware of, okay. But I've also been very flexible since I developed all the nuclear stuff for the naval plants. And, you know, we looked at this in spades and did probably seven different approaches to this diversity issue, but we maintained some diversity regardless of what we concluded.
But your point is valid. I just think, I've been going along with these revisions and including the risk stuff because I think it's an important thing not to discount. I'm not in favor of doing PRAs on this. I already showed you I think there's other ways to get to that point with best estimate, bounding conditions, whatever the right words are. I just think it's important to provide some flexibility for the staff in looking at these systems, so we get these systems incorporated in the plants, which vastly improve their performance. So I'm trying to be flexible.
But that would be, I think you captured Eric's point and you know pretty well how I think. So if we do a letter, your input would be much appreciated on this point.
Any other comments on this point in this discussion?
MEMBER KIRCHNER: Charlie, yes, this is Walt. I have a comment. I think with these last two bullets, at least to me, who is not a practitioner in this particular area, says do not try, it sounds like what the staff is saying, don't come to us with an argument on a probability of occurrence less than one.
Do your risk assessment, look at your system architecture, and look at how robust it is, but quantitative arguments on the probability of occurrence of CCF just aren't, we're not in a position to evaluate those.
So it takes up, to me, it means that you take, you look at your system, whatever system it is, at a higher level. You're not trying at a sub-component level to try and figure out what the probability of occurrence is, test the system out, the architecture, what the probability of one, and see how robust it is and whether it provides enough defense-in-depth or diversity or, in my words, robustness to satisfy the safety function.
CHAIR BROWN: Okay. I got that.
MEMBER KIRCHNER: That was the comment, not a question.
CHAIR BROWN: No, I understand that. I even wrote part of it down, if I can remember where it is. All right.
MS. ANTONESCU: There is another hand that was raised by two people. I think they're members of the public, but I'm not sure.
MR. ELKS: Yes, this is Carl Elks at Virginia Commonwealth University. Can you hear me?
MS. ANTONESCU: We have a designated time for public comments, sir.
CHAIR BROWN: That comes later.
MR. ELKS: Okay. Thank you.
CHAIR BROWN: Okay. It will be at the end of the session here. Thank you.
MR. HECHT: This is Myron. Can I make a comment?
CHAIR BROWN: Yes, you're our consultant.
MR. HECHT: Yes. So I just wanted to make the point that, in your earlier discussion, Charlie, of the probability of lockup or the probability of corrupt data affecting the system, you were basically defining two failure modes that would normally be considered random, in the same way that a, you know, a pipe break or a diesel generator failure might be considered to be random. And in consideration of what's called the common cause failure, we have to distinguish between failure modes that are related to the design or the logic, if you will, and things that are random. And if I agree that there's no way really to quantify that you've eliminated all of your design errors, there is a way of quantifying how you can, the occurrence rate or, if you will, the failure rate of the random or probabilistic type failures. Sometimes, they're called heisenbugs, sometimes another word is used.
But, in any case, that point has been debated and accepted in the computing community for a long time. That's why we have redundant databases, and that's considered good enough for your banking, for example. And so I just wanted to make that point.
CHAIR BROWN: That's one of the reasons, you know, we defaulted, but we had redundant approaches and we knew they were random. We knew they would be random, but we just considered that, if you do enough stuff, you don't necessarily have to do other things, but sometimes you do them anyway.
That's fundamentally what we did.
Vicki.
MR. HECHT: Well, redundancy would work for those kind of random software failures in the same ways it would for random hardware failures.
CHAIR BROWN: Yes. Okay. Vicki, you raised your hand.
MEMBER BIER: Yes. It's exactly on point here. I don't understand the electronics aspects the way you do, Charlie and other people here. But when you talk about things like could, you know, three out of the four trays be disabled by the same kind of contaminated input or whatever, is that a point where we need to worry about cyber attacks, or is that not credible here? I don't really know where the scope is of what we're considering.
CHAIR BROWN: If we maintain the rigor that we have been so far of preventing nothing but your hardware-based - outputs, in other words unidirectional, our stuff is pretty well isolated.
You're still subject to internal threats, you know, the insider threat, but not from external threats, cyber approaches. That's why we keep fighting for that unidirectional hardware-based data going everywhere out of those systems.
All right. Any other --
MEMBER MARCH-LEUBA: Yes. To Vicki's question, if it was a competent cyber attack, all four channels would be disabled. That would disable three out of four. And that's why we don't want to give the bad guys access for channels with the diodes.
CHAIR BROWN: Exactly. Thank you, Jose.
All right.
MS. ANTONESCU: Mr. Brown, Norbert Carte also has his hands up.
CHAIR BROWN: That's no fair, Norbert. Go ahead.
MR. CARTE: Sorry. So I thought I heard someone summarize the staff position a little incorrectly. We will, we are open to considering probably an occurrence less than one as a bounding, but we're not sure what that value should be or how it should be determined, but it would be a relatively large value, but it may be less than one.
So we aren't thinking of making it one, but what Eric was saying is, even at one, you can determine the risk significance of the system because of the alternatives that are represented in the PRA.
And the third bullet on this could be clarified a little bit. It may look overly broad, but we do intend to pursue some of the more wonky approaches that might be proposed. So, for instance, someone might say, well, we're doing Appendix B plus; and, therefore, we can reduce the likelihood of a CCF by a thousand. That sort of argument is very fuzzy, imprecise, uncertain.
CHAIR BROWN: That's unattractive.
(Laughter.)
MR. CARTE: Correct.
MR. BLEY: Well, it still -- this is Dennis. It still lets staff decide that, you know.
I don't know. Maybe in your guidance, you're going to get very specific about this, but one would think at some day in the future we'll be able to do a better job in that kind of analysis and the staff will have to look at what gets submitted to see if it's reasonable.
CHAIR BROWN: Any other comments before we go on to the next slide? Okay. Steven, you still up?
MR. ALFERINK: Thank you. I will actually turn it over to Norbert to discuss point four.
CHAIR BROWN: Okay.
MR. CARTE: Norbert Carte, I&C. So if we look at the words in point four, they won't have, we don't think we've changed anything and we'll see that on the next slide. But there's a couple of points to make as long as we're here. We believe that existing regulatory requirements require that there are manual controls and displays associated with the Chapter 15 events. Particularly 603 and 279 state that if there's an automatic actuation then there must be a manual means at the division or system level to accomplish that actuation. And they also have different phrasings on the displays requirements.
So the requirement for displays and controls has always been there. So point four doesn't create the need for additional displays and controls.
And there's been a lot of talk about point four, but another way to oversimplify this would be, if you want to credit controls and displays for addressing CCF, they must be unlikely the subject of the same CCF.
That would be another way to phrase point four, but we like this phrasing.
Can we go to the next slide?
So if we can see, these words were rearranged a little bit, but there's essentially nothing new here, no change. And as we said before, there's already a degree of engineering judgment involved in assessing the deterministic criteria.
So can we go to the next slides for the discussion points?
So I think industry has expressed some misinterpretations of point four. And as long as we take point four in the context of this SECY, how is point four relevant to addressing digital CCF, we want to ensure that point four ensures that the fundamentals of defense-in-depth, our manual capability to perform functions is there. We believe it's consistent with the existing regulatory requirements. Now, the regulatory requirements don't use the word diverse, but they say with a minimum of equipment. Now, maybe that's a little subjective.
Are you saying at the facility level, so a push button into the reactor trip system is, at the facility level, a minimum of equipment or, by itself, a minimum of equipment is just a push button, a wire, and a relay. That would be the minimum of equipment in isolation.
So there is some subjectivity in the phrase minimum of equipment, but remember that on existing analog systems they are independent and not subject to the same CCF, and why would you want to do it differently for digital systems.
So there's already the engineering judgment element of risk informing. There's also the phrasing about safety functions. That further allows you to risk inform because not all functions are going to be performed by the protection system are critical functions. And the way you get there is, basically, if you credit a function, an automatic function, it must be safety related. However, you could implement functions in safety-related systems that you don't credit in your accident analysis. So there are more functions, there can be more functions than you need to support your accident analysis.
But even those functions -- well, if there's an automatic protective action, there needs to be a manual way to do that regardless of whether it's credited or not. And that's in 279 and 603.
So when we're addressing CCF, point four is only applicable to critical safety functions.
Next slide, please. And I think what this slide is sort of trying to point out that point four is not applicable to all safety functions. It's applicable to a subset of the safety functions. And we use sort of an engineering judgment to raise critical safety functions, so there is some room for subjectivity at an engineering sense there.
If you go to the red on the left-hand side, we're clearly saying it does not necessarily apply to all safety functions. And this is for digital CCF, so, if the critical function is not performed in the digital system, point four kind of doesn't apply because that's not a digital CCF.
Next slide, please.
MEMBER MARCH-LEUBA: No, no, wait. Are you on slide 25 now?
MR. CARTE: Sorry. Yes, we're on slide 25.
MEMBER MARCH-LEUBA: Yes. So this is where I warned you I was going to make a comment. I like to use an analogy to a Star Trek movie. This slide, to me, is exhibiting two-dimensional thinking, and I'm going back to the issue or large light water reactors where all of these critical safety functions have been developed and demonstrated and proven over the last 50, 60, 80 years. And now you have new advanced reactors which have different critical safety functions. For example, we are, today, we are reviewing a reactor whose limiting design basis event is a tritium release. Are you telling me that, in that reactor, keeping the tritium inside a facility is not a critical safety function?
So because they were the critical safety functions on a large light water reactor is two-dimensional thinking. Critical safety functions have to be evaluated properly, and staff will understand this because it was on a comment I made a couple of weeks ago on cybersecurity. Defining the critical assets, you need to define it according to the application that you are using.
So going back, I mean, maintaining the tritium inside a facility is a critical safety function, and I don't see it listed in here. So --
MR. CARTE: Right. We didn't change the words from the original SECY, but there is, from the tech reviewer staff side, there is engineering judgment involved in what is a critical safety function. And we wouldn't specifically exclude something because it's not on this list. In addition, it could be on this list, but it might not be critical for a particular facility. But that all has to be demonstrated, but this is sort of a way to allow for engineering judgment for the safety significance, but on an engineering basis rather than on a PRA basis.
MEMBER MARCH-LEUBA: Yes. I just wasn't seeing the language comes out like that. Again, I'm going back to what I said a couple of hours ago. The people that were designing the plant designed a number of functions that they felt were safety significant because they looked at this and said, jeez, this is important to the safety of my reactor. Then you perform some PRA analysis and decided they were not risk significant. I don't know. If the guy that was designing the reactor thought it was safety significant, I think getting it out of the list is not a good idea. Same here with the -- there are safety functions high significance and then there are safety functions that are low significance.
That's my comment, and you don't need to answer because you don't have an answer. But let me put on the record that when you start defining, quote, unquote, critical, you better do it right.
MR. BLEY: Norbert, this is Dennis Bley.
I agree with Jose on his basic comment here on this slide. I don't remember. Is this spelled out in the same level of detail in the paper or not? Is it more general there?
CHAIR BROWN: Hold it, hold it, hold it.
If you go back to 93-087, the words safety functions reactivity control, they're identical, so there's no change in what they're alluding to between point four and 83-087 and the new one. They duplicated them.
MR. BLEY: Thanks, Charlie. Yes, I guess that's fine. I did want to comment, since Jose has brought it up a couple of times, it's a place I don't think I quite agree with him. In my experience, designers don't sit around and think real hard about and apply their judgment to decide if something is safety significant or not. Mostly, they rely on rules and precedent. I'd agree with Jose more if I had seen evidence of that. In a lot of cases, they don't even think things ought to be safety significant, but, by the rules, they think they have to call them that. So I don't think that case is as strong as stated earlier.
MEMBER HALNON: This is Greg. I got one other question for Norbert. Today's technology, it's kind of confusing when we talk about manual controls and displays because it seems to me with the touchscreens that we're having the future and, you know, some of the digital systems that controls and displays are one in the same in some respects. Can you help me with the man-machine interface from a control perspective, manual controls versus displays and how that differs from the actual control system?
MR. CARTE: Right. So this is where you have to get into two different ways of thinking. So the traditional control rooms have a certain philosophy, separation of protection and control, safety, non-safety, and then your ideas for the new control room which are essentially all glass control rooms.
So considering a situation in isolation, like whether something can be done with a physical button versus a soft control on a display, it might be inappropriate to look at that in isolation as a question. But as Charlie mentioned earlier, if you look at the safety functions of a protection system, like reactor trip, that's one button for reactor trip.
Containment isolation, that's one button. So you've got a dozen or so buttons, basically, in order to implement a lot of the protective actions. So we're not talking about a lot of equipment.
There may be some room to implement some of those functions with soft controls, depending on their safety significance. But, again, you really have to argue why it's minimal equipment for that case.
CHAIR BROWN: Anybody that uses a touchscreen and self controls for controlling a pump or anything else ought to be fired. Touchscreens are very unreliable.
MEMBER HALNON: We're talking about diverse means and stuff and --
CHAIR BROWN: Yes, I understand that but
MEMBER HALNON: -- and we've all had our iPads lock up to where you can't hit any buttons. I mean, is that a common cause failure we have to account for?
CHAIR BROWN: It's not only just that, it's how the screen is designed, the sensitivity, what's the pressure that needs to be applied. I was actually riding with my son, my son-in-law, and he picked me up and he's got the latest and greatest whatever, it's a BMW of some kind in the last year, and he waved his hand to grab something and all of a sudden his whole display and speedometer section all disappeared and the radio choices came up. So that was just waving his hand across the front.
So it all depends. They don't do that here, but the touchscreens or motion-activated screens are all very sensitive. We haven't faced that. All the critical functions that we've had to deal with in the designs we've faced so far, backups have been hard-wired switches. They haven't been part of the touchscreen operation, and they've been in the main control room.
But you're right. It's an issue that has to be dealt with as people, as Norbert says, want to go to these all-glass controls rooms where there's nothing but screens. You ought to have backup meters for certain parameters just so you know what the plant conditions are if the screens all go blank.
MEMBER HALNON: Right. Well, and that's something we all have to understand, and I understand they'll do it on a case basis in a lot of cases. All right. Thank you.
MR. CARTE: Well, before we jump to Joyce, I see her hand up, I mean, you have to consider the whole system in context. So right now non-safety systems are not single failure proof. They're not required to be single failure proof. Therefore, a single failure could wipe out all of your displays.
Now, if you were to claim that your displays were single failure proof and could demonstrate that, then maybe we could think of something. But you have to put together extra requirements when you -- you have to look at the whole picture in context as part of the problem. But one of the problems with displays right now, non-safety displays, is they're not single failure proof.
Joy, I think you had your hand up for a while.
MEMBER REMPE: Sure. It's just a minor point, but, as was mentioned earlier today, non-LWRs are in the near-term thinking about Parts 50 and 52, and you might think about expanding or giving room for in your discussion about plant critical safety functions that there may be other ones, such as control chemical reactions.
22 CHAIR BROWN: I think they fall into that 23 category, Joy. This --
24 MEMBER REMPE: Well, Part --
25 CHAIR BROWN: They can be applied to the NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 (202) 234-4433
74 1
advanced reactors just fine.
2 MEMBER REMPE: Right. But right now, the 3
way that the SECY reads, it basically says these are 4
the critical safety functions. And the way Part 53 5
has, it emphasizes control radiation release and then 6
underlying other ones, and other ones may include 7
things such as control chemical reactions is what I'm 8
trying to say, Charlie.
9 MR. CARTE: Yes. Well, if you were to 10 entertain that change in the SECY, the SRM might, for 11 instance, insert for example before the --
12 MEMBER REMPE: That's what I'm saying.
13 Such as. Just a minor change. But you might think, 14 I know in the existing framework we've got a 15 smattering of different folks identifying different 16 critical safety functions, and so such as would 17 address that comment very easily. Just a minor point.
CHAIR BROWN: Norbert, I think you're up.
MR. CARTE: Next slide. Okay.
CHAIR BROWN: No, you're not up. What's next after this one? I just lost my -- oh, there's my screen. Go back a slide. Let me just ask you this question just to make sure I know what's going on.
This is a long dissertation and then a question.
In SECY 93-087, after point four in the original 93-087, and as part of the original paragraph one in some points, as well, and I'll describe that, had an extensive discussion of the character of manual displays and controls which, in part, stated that they shall be evaluated, shall be sufficient, and shall be hard-wired, et cetera, for actuation at the lowest level of the safety computer system.
The Commission's response to SECY-087 noted that they accepted what you all had, but then they went on to say the remainder of this discussion is highly prescriptive and that it says shall be evaluated, shall be sufficient, shall be hard-wired, and the Commission approves only that such prescriptiveness be considered as general guidance, the practicality of which should be determined on a case-by-case basis.
So the SECY, plus the SRM, still makes it clear that hard-wired type backups to software type stuff are to be considered on a case basis -- not mandated because they changed it -- where needed for safety critical systems, whatever they are. And that's what we followed in most of our reviews that we've been doing on the systems we've gotten over the last 12 years, at least from the Committee standpoint.
I can't speak for the staff.
The term shall be hard-wired and for actuation at the lowest level in the safety computer system are particularly relevant if this new SECY write-up aggregates or nullifies the 087 discussion and the Commission guidance.
So I guess my question comes down to does the page six discussion in your new SECY statement that the position in point four, item 18, in the SRM is maintained in the recommended expanded policy?
Because it clarifies the lack of independent diverse displays would prevent manual operation in the event of CCFs. Does that mean the 087 point four discussions still apply, as modified by that SRM? In other words, is the emphasis on hard-wired not being mandatory, which it's already in place, but they are to be considered for safety critical systems. Is that Commission direction still in place across the old SRM, or does this new SECY nullify all that?
MR. CARTE: I don't think the SECY nullifies it, and I don't think it's based solely on the SECY itself. So if you go to 279 and 603, the requirement for these manual controls is that they are safety related. I mean, so everything that's required by 279 and 603 must be safety related. Well, 603 has some places where it says may not be part of the safety system, so there are some exceptions in 603, but I don't think that is true for 279.
So, basically, the manual controls must be safety related. So all these glass control rooms that you're looking at use non-safety VDU. So it's hard to satisfy the safety-related display criteria, the safety-related controls criteria using the touchscreens that they want to use. And the touchscreens they want to use, they're basically, because the owners requirements on making software safety related, they can't get the fidelity on those displays in a safety-related system; and, therefore, they have to go to a non-safety system. Besides, it would increase the development cost.
So the glass control room displays are going to be predominantly non-safety and the --
CHAIR BROWN: Hold it. You've missed my point or either that I didn't -- the point is hard-wired switches.
MR. CARTE: Right, right. So --
CHAIR BROWN: Not glass, okay?
MR. CARTE: Right, right, right. So what I'm saying is, in effect, the regulatory requirements, as they're implemented in the technology today, can't allow glass anyway, right. How do you use a non-safety display to implement a safety function?
CHAIR BROWN: Okay. Let me back up. Your lead-in on this, is this an expansion of the direction given in SECY-93-087 and the SRM-93-087?
MR. CARTE: No. What I'm saying is I don't think we needed to repeat that discussion because --
CHAIR BROWN: I got that. But does it still apply? Because it was Commission direction in the 93-087 SECY.
MR. CARTE: Actually, I would need OGC help on that. So I don't know how this works, and I guess it depends a little bit on how the Commission writes their SRM, but, if the Commission -- so I would need -- is there OGC on the line that can help on this? Because I don't, I think that's a matter of how the SRM is written, but I don't know the details of that.
CHAIR BROWN: Okay. 10.4 of SRM-SECY 087, item 18, is maintained in point four, okay, of the recommended expanded policy. Well, that SECY SRM, okay, was written against and addressed paragraphs two, three, and four in the original SECY. So that's the hard spot that I see. That's the only hard spot I came up with this, in all of this. It seems to totally open the door or potentially, although your statement seems to say the SRM and the original 19-083, 087 still apply. You make a direct statement to that in your discussion on page six.
MR. CARTE: Yes.
CHAIR BROWN: Clarifying commentary.
MR. CARTE: Right. To be honest, I don't know the answer to that, and I would need some help.
But I think the staff's -- so let's start with the legal question in terms of whether it applies and how it applies, but I know the staff does favor simple, diverse, independent, hard-wired. Whether in some cases that could be justified away, the staff might be open to it, as long as it doesn't conflict with any regulatory requirements.
CHAIR BROWN: The Commission already said you couldn't be prescriptive. Their words were pretty clear that they approved it only such prescriptiveness be considered as general guidance, the practicality of which should be determined on a case-by-case basis.
I'm not trying to change what the Commission did in 1993, okay. I'm only trying --
MR. CARTE: I think that would be our intent. Our intent would be --
CHAIR BROWN: That's not a matter of intent. It's a matter of is that, based on your words that the position in point four of the SRM stays in point, they address that explicitly in their SRM. You didn't address that again in this SECY, and I'm just trying to make sure that, like I say -- that's the only hard point I came up with or that bothered me.
MR. DARBALI: And that's a good -- this is Samir. And that's a good point, Charlie. Like Norbert said, there isn't anything in the original SRM that, on Point Four, that we disagreed with.
So again, it would be what the Commission tells us in their new SRM. But, we did not have any intention to change what the original policy was on Point Four.
And again, we agree on that, because we understand that we want to maintain the intent. That we don't want to prevent operators from being able to perform those functions.
MR. CARTE: Right. I guess my comment was, that's our intent. But, I would need a lawyer to look at it and say, did the way we wrote it be --
CHAIR BROWN: Oh, that's for the lawyer -- how, how can you -- how can you say that the lawyer has to tell us what's necessary technically?
MR. CARTE: No, no, no.
CHAIR BROWN: I mean, we agree that this is --
(Simultaneous speaking.)
MR. CARTE: That's just not our intent --
CHAIR BROWN: But you make the statement that the position in Point Four of the SRM, which the SRM addresses, hardwired, okay? Is maintained.
So, it -- now you're fuzzing it up, okay?
And that it seems to me you either intended to include everything in the SRM, or you didn't.
And you didn't disavow it.
MR. CARTE: Yes, we intended to include it. But, the fact that we didn't say that might have a legal -- it might -- my caveat is, the fact that we didn't explicitly say that may -- may have a legal interpretation that I'm not sure about.
Our intent was to yes, do that.
CHAIR BROWN: Eric?
MR. BENNER: No, I think -- I think Norbert characterized it. We'll have to take that back. Our intentions are what they are.
But, regarding what it would strictly mean in expectations, I think we do need to talk to OGC.
And if there are some ambiguities as to what the remaining, you know, guidance to the staff would be, we would have to talk internally to, you know, determine what we've got to do.
Do we, you know, do we have to provide a clarification to the SECY? I mean, could this be handled in, you know, the -- by making the Commission aware, could they make sure it's crisp what the expectation is in the SRM?
So, I think what Norbert's saying, and I agree with, is our intentions on one level don't matter. What matters are the words on the paper.
And that's where we would need to consult with OGC to make sure that, you know, whatever words end up on the paper in the guidance to the staff, it's very clear what, you know, the staff is supposed to do.
CHAIR BROWN: Okay. So, there's a bit of a quandary then. I mean, because like you say, the SECY is already with the Commission.
I don't know how you all work that. It's just that to me we've -- if all of a sudden that the emphasis in this manual operation gets compromised, that seems to me to be kind of a hard spot relative to what I would recommend to for the Committee to want to do, relative to agreeing --
MR. BENNER: Yeah.
CHAIR BROWN: And going forward.
MR. BENNER: Well, and again, coming at it simplistically for me, I guess I assumed that you know, we were looking to change and expand some things in the policy.
So, for anything we were silent on, my assumption was, there was no change. We were proposing no change, so there would be no change moving forward.
So, but I think with the way you phrased the question, it's causing me at least to say, oh, in the absence of us being explicit that, you know, other than the changes we're asking for, we're not asking for any other changes.
I just do feel like Norbert that we need to do some internal communications to make sure that really is how this process works.
CHAIR BROWN: Okay. Well, the stuff I hung on was, yes, the SRM only -- there were, in the original SECY 93-087, there were four paragraphs in Point Four.
And the SRM -- the Commission addressed the first paragraph, where it talked about originally said a set of safety grade displays. And they said no, they don't have to be safety grade. You struck that out in the SRM. Okay?
Then they went on to comment, the staff's position has been modified into other aspect -- in two aspects. That was common mode failures are beyond design basis events, which you also did not address, I don't think, in this particular SECY.
I don't remember that. I have to go keyword it again. And --
MR. BENNER: And while we don't, again because we're not asking for a change in that regard.
The Commission has spoken, and we abide by that.
CHAIR BROWN: Yeah. But, the second -- the second item they have on that SRM was the discussion in the third part of its position.
That the diverse means may be performed by non-safety system, et cetera. Therefore, this clarification has been added to the fourth part of the staff's position.
And then they go on to say further, the remainder of the discussion under the fourth part of the staff, is highly prescriptive and detailed, e.g., shall be evaluated sufficiently and it shall be hardwired.
The Commission approves only that such prescriptiveness be considered as a general guidance, the practicality of which should be determined on a case by case basis.
So, they were very specific in addressing that. And that was in paragraph two of the -- of the original SECY.
So, they address paragraph two relative to hardware. So, they addressed it, and you didn't take it out. So, I assumed that it was part of it.
I just want to make sure somebody else doesn't go do the twinkies and get rid of at least, I would have liked it to be prescriptive, but it's not.
And we've lived with that since '93.
And we've made sure we got the case by case consideration. And it has been evalu -- and it has been discussed.
So, to me it was still there. But, I've just brought it up, because it seems to me that there was -- you didn't address that again.
And you considered the other stuff addressed, even though you didn't. But --
MR. BENNER: Yeah. And I -- it's the same for that. I -- my belief system is that if we haven't asked for any sort of change, that all that -- all that is still the body of evidence that the staff uses in doing its reviews.
And if the Commission has provided us direction, and we haven't asked for any sort of change in the direction, I believe that there -- we still abide by that direction.
I would just want to confirm that with OGC before I definitively say that yes, that's the way it is.
CHAIR BROWN: Okay. Just let me finish one thing here. I just finished keywording your document. And there's nothing in there on design basis events.
So, you did not -- you did not, you were silent on that part as well. So, the --
MR. BENNER: Agreed.
CHAIR BROWN: So that the last part of the former, previous SRM seems to me to be open to conjecture right now. Whether it applies.
Did anybody else, Dennis? Jose? Anybody else looking at this disagree with my concern?
MR. BLEY: Charlie, this is Dennis. You know, back to the one you just had the long discussion about. It's really saying, did the staff write the paper such that there's no ambiguity?
And it sounds like that's questionable now. Given that it's already up with the Commission, you know, the Committee could point out that possible problem.
And I don't know from the staff, do you get an interaction with the Commission to clarify things such as that?
MR. DARBALI: The Commission TAs can ask for clarification.
MR. BLEY: I guess where I was, it was sounding like you were agreeing, maybe there is some ambiguity. Can you go to them and say, gee maybe we didn't make this clear enough?
I don't know how that process works. The Commission could come back to you and say clarify.
But, they might not think of it.
CHAIR BROWN: This is pretty nuanced, Dennis. I had to do -- I went through and did this paragraph by paragraph between the two SECYs. And line by line in many cases, sentence by sentence.
MR. BLEY: Yeah. I don't disagree with you. And it sounds like the staff was sort of agreeing with you, but they didn't know quite what to do about it.
It might be something worth, if you do a letter, worth including.
CHAIR BROWN: Okay. And the fact that they referenced the SRM, and only address the SRM, that SRM has those words in it.
So, my conclusion was, it still applies.
But, I did not want to get into a dog fight here later on any specific design approaches.
MR. DARBALI: And Charlie, right, in our language in the SECY, we mention expanding the policy.
We never mentioned replacing the current policy in 93-087.
CHAIR BROWN: Yeah. That's exactly. So, to me it still, it still applies as is. And the only changes you made were where you changed point one, two, or three, explicitly.
And you didn't change any of the guidance.
You did incorporate the one line in the safety grade.
It doesn't -- it's not in there anymore.
And you got the design basis event stuff.
The best estimate, excuse me, best estimate methods.
So, those were incorporated in your rewording of stuff.
MR. DARBALI: Correct.
CHAIR BROWN: But, you didn't --
MR. BLEY: Charlie?
CHAIR BROWN: Yeah, go ahead.
MR. BLEY: It seemed to me that it was obvious that it should apply. But, this discussion makes me uncomfortable. It really does.
MR. BENNER: Thank you, Member Bley.
That's my exact reaction. That's why I just want to talk with our lawyers, because I think we all assumed the same thing that Member Brown thought carried forward.
But, being -- having it being asked in that clear and crystal a manner, I do want us to confirm that that's the case.
CHAIR BROWN: Okay. That one slot --
MR. CARTE: My --
CHAIR BROWN: Go ahead. Who's --
MR. CARTE: Norbert Carte. One other point. So, the other point that gets confused on here, is what does it mean to be beyond design basis?
Or what does beyond design basis mean?
And there is an NRC glossary available on the public website that defines beyond design basis accidents. But, some people think about two types of events.
There's design basis events and everything else. So, it's a binary view of the world. And in reality, it's probably a trinary view of the world.
There are design basis events. And then there are beyond design basis events which are uniquely identified as beyond design basis.
And then the particular criterion to address each of those uniquely identified events is articulated individually as part of the staff.
And there are things that are not considered at all. Like a zombie apocalypse or something like that. Right?
So, there are actually three categories of events. And one example of that would be if you look at the regulations, at 50.34(I), right, it's mitigation of beyond design basis events.
So, the design basis and the licensing basis of many facilities today, include features, functions, to address beyond design basis events.
So, saying that it's beyond design basis, is just saying that it's considered in a unique way rather than saying that it meets all the criteria of design basis events analyzed in Chapter 15.
CHAIR BROWN: That's not the point. The point is, the Commission very clearly stated, in as much as common mode failures are beyond design basis events.
They made that specific statement.
They're telling you what it is. So no, a CCF is a beyond design basis event of that, a failure of that, from that. And that analysis should be on a best estimate basis.
So, we've got the best estimate stuff in there relative to doing an analysis for, you know, various events that are in the analysis section.
Okay?
But, it doesn't call out the beyond the -- CCS, or beyond design basis consideration. Based on the Commission direction in 93.
And so there are two loose ends that are now --
MR. CARTE: Right.
CHAIR BROWN: Hanging out there. So, all the other stuff about all these other regulations and documents that nobody will ever find the stuff, this stuff is pretty specific in terms of how we do our reviews.
Because they directly affect the review of everything we're going to be looking at.
MR. CARTE: Yes. So, I agree with Dennis and Eric, that we need to look at that a little bit more carefully.
CHAIR BROWN: Could you all get that? If you all can't get this resolved from that standpoint, and get it clarified, or whatever appropriate words are, this would be something, these two points would be addressed in a letter that we would recommend that they be reemphasized.
Or something like that. I'm not quite sure how. But, I've got the write up. It's just a matter.
So, any other comments? We need to move on, because we've got another presentation from NEI.
You want to go ahead and finish your slides?
MR. CARTE: Right. So, I think we've sort of addressed what's on these last points. We do believe there is some room for engineering judgment.
And we don't think that there's a -- it's useful to PRA inform manual displays and controls, especially the ones that you're trying to credit for CCF. It's hard to do.
So, I think we're done with Point Four.
And then Samir, next slides. And I think you've got the key messages again. These are the same as before.
MR. DARBALI: Yeah. Thank you, Norbert.
So, these are the same key messages, so I won't repeat them for the sake of time.
And our next steps if the Commission approves the recommended expanded policy, will be to update the existing implementation guidance.
And we talked about BTP 7-19 earlier, and continue to engage stakeholders and the public to seek public comments on how we'll implement the policy.
And that concludes our presentation.
CHAIR BROWN: Okay. Any other comments from any of the other Members before we take a quick break?
I think probably everybody would like a quick break, before we go to the NEI presentation. Is that okay?
Okay. Well, hearing no disagreement, NEI, are you there?
MR. CAMPBELL: Good morning. This is Alan Campbell from NEI.
CHAIR BROWN: Okay. I'm going to take a break here for 15 minutes. And then we'll come back and wrap up your presentation.
Is that satisfactory?
MR. CAMPBELL: That sounds great.
CHAIR BROWN: Okay. Let's -- I'm going to pull a fast one. I'm not going to go just to 12:00.
I'm going to take a 15 minute break. Take care of your businesses, and we'll be back here in -- at 11:57. Maybe I'll make it on time.
MEMBER MARCH-LEUBA: Hey Charlie?
CHAIR BROWN: Yeah?
MEMBER MARCH-LEUBA: Charlie, before you go off the record, I have some technical difficulties at home. And I need to drop off this conference call.
CHAIR BROWN: Okay.
MEMBER MARCH-LEUBA: So, I won't be here at the end.
CHAIR BROWN: All right.
MEMBER MARCH-LEUBA: But, if you ask whether we should have a letter or not, my vote is this is an important enough topic that it will be request a letter.
CHAIR BROWN: Okay. Got it.
MEMBER MARCH-LEUBA: So, my vote is to have a letter.
CHAIR BROWN: I'm making a note.
MEMBER MARCH-LEUBA: Thank you.
CHAIR BROWN: Okay. Thank you, Jose.
MEMBER MARCH-LEUBA: You have a good afternoon.
CHAIR BROWN: Yep. Okay. We'll be back at 11:57. All right.
(Whereupon, the above-entitled matter went off the record at 11:42 a.m. and resumed at 11:57 a.m.)
CHAIR BROWN: Okay. It's 11:57. I'm not going to call the roll again. I'm going to assume that people are back.
NEI?
MR. CAMPBELL: I'm here.
CHAIR BROWN: Okay. Who -- is this Alan?
MR. CAMPBELL: Yes, this is Alan Campbell with NEI.
CHAIR BROWN: Okay. All right, are you ready to proceed?
MR. CAMPBELL: Yes, sir.
CHAIR BROWN: Okie doke. Have at it.
MR. CAMPBELL: All right. Well, thank you very much for the time. As just mentioned, my name is Alan Campbell. I'm with NEI and I'm a Technical Advisor in our Engineering and Risk Department. And I lead our work on Digital I&C.
So, to start today, I'd just like to start by thanking the NRC for, the NRC staff for their efforts on the SECY paper.
This -- to my knowledge, this effort kicked off late last year during some discussions regarding NEI 20-07, which we've discussed in previous ACRS Subcommittee meetings, which is our proposed implementation guidance for addressing the common cause failure.
During those discussions and our submittal of Revision Delta, it was identified that the policy would need to be addressed. And I would just like to thank the staff for their efficiency in addressing this, to allow for these potential implementation methods to be applied.
And also for the healthy amounts of dialog, the exchange of technical information through various public stakeholder meetings, as well as some letters that NEI provided to the NRC staff during the development of the SECY.
Regarding SECY 22-0076, Points One through Three, we appreciate the work that's been put in there. And agree with the statements and believe that it maintains the safety of our plants. And addresses the industry needs for a risk-informed alternate approach.
These points are consistent with the dialogs that we've had through the various stakeholder engagements. And again, we believe that it provides the means to allow for something like our NEI 20-07 recommendation to be reviewed by the staff.
This is a significant step forward for our industry. And it highlights the need, or highlights NRC's position as a modern risk-informed regulator.
Moving onto slide three, during one of the stakeholder engagement meetings, there was discussion regarding Point Four, and that's where our slides and my presentation will focus on today. Regarding the way that the industry has interpreted Point Four in the existing policy, and how that should be applied moving forward.
As part of the presentation package, I've provided backup slides that show an example of how Point Four has been interpreted by the industry. This example highlights the fact that the industry has primarily seen Point Four as requiring an additional set of displays and controls in addition to the IEEE required manual dis -- or manual controls and displays.
During our discussion, the NRC staff provided an interpretation that Point Four is intended to be treated within the context of the D3 analysis.
And as one of the recommendations that we provided in that stakeholder meeting, we recommended that a clarification be provided such that we're aligned in the interpretation of this requirement or this policy statement moving forward.
Looking at SECY 22-0076 and understanding the NRC staff's perspective shared with us earlier today, we do not believe that a major philosophical difference exists. We're not looking to change or exempt any IEEE requirements.
We just want clarity in the language.
We're searching for clarity in the language regarding the scope of Point Four, and minimize the potential for misinterpretation in the future.
MR. BLEY: Can I interrupt you? This is Dennis Bley.
MR. CAMPBELL: Yes.
MR. BLEY: From your discussion, it sounds like you feel that in your interactions with the staff, you agree, and you just want clarification to make sure that doesn't get lost or something in the future.
MR. CAMPBELL: We -- so we agree that the IEEE functions -- that we're not looking to change the requirements of the IEEE re -- that are in IEEE 603 or 279.
And I think that's where the staff has primarily expressed a concern and can be seen in some of the language that was included regarding exemptions. We're not looking to exempt from those requirements.
You know, the punch line in our presentation today, is that we believe that the scope of supplemental requirements for manual controls and displays, should be limited to only those that are required by the coping analysis.
So, where we -- the coping analysis states that we need a manual control or operator display, then supplemental requirements should be brought in.
MR. BLEY: Go ahead.
MR. CAMPBELL: Okay. So, this slide here, I'm on slide four now. This slide just highlights the difference in the language from the existing SRM SECY 93-0087 and the new SECY 22-0076.
I won't go over this in detail. Obviously we've spent a lot of time on this already. The language is very similar.
I did highlight the one area where we believe that this clarification was intended to tie this Point Four more directly into the other three points, specifically Point Three here.
However, our interpretation of this clarification is, that it implies Point Four is still a distinct assessment or analysis from the one performed in Points One through Three. And we'll get into that a little bit more in the next slide.
So, now I'm on slide five. The NRC staff did provide clarification in some of the -- or I'm sorry, in the clarifying language portion of SECY 22-0076 that states that the recommended expanded policy clarifies that it's intended to be addressed in the same assessment as the first three points.
But, as we just highlighted, our understanding and interpretation of the language provided, states that the applicant can credit the additional displays and controls in the D3 assessment, but it still requires a separate set of displays and manual controls regardless of whether they're credited in the coping analysis.
Moving on to slide six. So, a couple of key points here that have been made earlier in the NRC staff presentation, but by the staff and by members of the Subcommittee.
We acknowledge that the existing regulation does not address CCF. I believe Mr. Benner highlighted that as well.
That the requirements in 55a(h), the endorsed standards which were for the IEEE 279 and 603, those are intended to address design basis events.
As was discussed, the SRM SECY 93-0087 states that common mode failures are beyond design basis events.
So, a couple of points on this is that first of all, the existing, the IEEE 603 and 279 requirements used redundancy and independence to address random failure.
So, the unique treatment that Mr. Carte provided, or stated as being required for a beyond design basis event, should only be limited to the credited coping mechanisms.
The policy in SECY 22-0076, our interpretation is that it still requires both the IEEE manual controls and the diverse manual controls.
And Points One through Three, we already go through an analysis there to determine one, what is required to cope with CCF. And then what is required to mitigate the CCF as well.
The example that we provided in the back, this came from the US-APWR design certification documents, highlights the fact that the industry has primarily seen, or primarily implemented this as two different sets of controls.
There's a table that I'll just refer to. But, if there's some discussion that we want to get into, we can highlight it later.
On slide 13 that provides a list of the protection system functions, whether they're performed through RPS or SFAS. The manual functions that are required by IEEE, it lists those, how those are implemented.
And then it also provides the diverse, the diverse functions, both automatic and manual. And you can clearly see here that there are two sets of manual functions.
There's approximately 40 manual switches for the SFAS functions, and another 17 that have been applied for the diverse manual functions.
The text on the left, so I've moved over to slide seven now. The text on the left comes from the IAEA report on protecting against common cause failures.
It highlights the importance of addressing complexity in I&C system design. We've also presented on this fact in previous Subcommittee meetings, and I know it's clearly stated as in ISG-06, regarding simplicity as a fundamental of I&C architecture design.
Our goal from the industry perspective, and I believe it's everybody's goal here in the meeting today, is to enhance the safety of our plants. And regarding this specific topic, we're doing so by reducing system complexity.
Again, I'll just restate that our goal here is that only displays and manual controls required to cope with the CCF should be within the scope of the CCF policy. And again, this does support, or is supported by the I&C design fundamental of simplicity.
As we all know, simpler systems are safer systems. And ISG-06 describes some -- in the design fundamentals there, that there needs to be a justifiable benefit obtained from more complex approaches.
So, if manual controls or displays aren't credited, then we don't believe that there's a justifiable benefit to having those, those manual controls and displays.
Here in the example on page, back on slide 13, there are two functions that are --
CHAIR BROWN: Alan, this is Charlie. Can I interrupt you for a second?
MR. CAMPBELL: Absolutely.
CHAIR BROWN: Only those displays that are involved being credited for coping with an event, is that -- that's what you're talking about, right?
MR. CAMPBELL: That's correct.
CHAIR BROWN: But, there are other displays that still provide information relative to the plant condition that aren't necessarily credited.
And if they all disappear, how do you -- that leaves -- that leaves the operators with, you know, a lack of general information of, are there other systems in place or not?
I'm just struggling a little bit with the only applying it to coping. I understand the rule-based aspect of it. But, I look at it more from a practical standpoint.
Just an example, in my Naval nuclear experience, and I can say all this without compromising anything, we moved to displays because they significantly enhanced their performance capability of our plants, and the operator understanding of where they were relative to operating limits and everything.
It was very much an improvement. But, we also provided independent digital displays of every plant parameter that's included, and referenced on those displays, regardless of where they fell in the quote, coping, or coping or the analysis basis.
Because the operators if they failed, they needed to know if they'll be able to fall back to the way it was with the old analog KX241 type meters.
So, I struggle a little bit with this idea that the only displays where you need an independent backup if everything goes blank, it should be only limited to coping. Those displays found necessary for being credit for coping analysis or what have you.
That's just a point. That's all I'm just saying. I've got a little bit of struggle with that. So, I'll let you go on. But, that's just my thought process.
MR. CAMPBELL: Well, just to address that point as well. We, you know, the CCF policy does not preclude you from having to comply with requirements for post-accident monitoring systems and safety parameter display systems as well.
So, you would also have additional information coming in through those means that would provide operators critical attributes for their situational awareness.
CHAIR BROWN: And you think that -- that you're talking about the PAMS systems? Or whatever it's called in various play.
MR. CAMPBELL: PAMS EESP, yes.
CHAIR BROWN: Yeah. They aren't -- but they're looking -- the plant layouts I've seen before, the PAMS stuff was not immediately within the eyesight of the operator. They -- somebody had to go look at it. It was another panel sitting off to the side, which makes it a little bit difficult.
I'm not familiar with whether you've gone through this discussion, whether the PAMS could be a substitute for those indications or not.
But, that would seem to me it would be require a better location relative to the operator to being able to see them as part of their operation once the screens go dark. And they may be shutting stuff down, or what have you.
I understand your point. You can go on.
MR. CAMPBELL: Okay. Thank you.
MR. ODESS-GILLETT: Member Brown -- Member Brown, before you begin. This is Warren Odess-Gillett.
CHAIR BROWN: Yes, sir?
MR. ODESS-GILLETT: From NEI. The other aspect is that you have protection and control.
And so, if your protection system goes down and the displays associated with it, that doesn't imply that the control systems that also have the displays for the plant parameters, are not available.
CHAIR BROWN: If there's other -- if there's a substitute or some other displays that do that, it would seem that's well within the mode of people using that and saying hey, we've complied.
So, it doesn't seem to me that you only have to rely on the coping -- I still don't know why you would only dictate via coping.
That's my only point. You're saying there's other stuff. Well, that stuff, those other indications could be used and -- as the backup displays.
Just I hate seeing stuff only being aimed at coping. That's all. Just -- that's just my opinion. That's not a committee position by any stretch.
MR. CAMPBELL: Okay.
CHAIR BROWN: Well yeah, go on.
MR. CAMPBELL: Okay. And thank you, Charlie, or Member -- sorry, Chairman Brown.
CHAIR BROWN: That's -- any way you want to call me. That's just fine.
MR. CAMPBELL: Okay. Okay, so in the example, it does highlight the fact that there are two protection system functions, emergency core cooling system, and the EFW, emergency feedwater actuation.
These two protection functions have an automatic function from the protection system actuated through the SFAS system. They do have manual SFAS controls.
They have one switch per train. They also have automatic diverse functions performed through the DAS system, diverse automatic -- or actuation system. And then they also have a diverse manual switch.
So, four different actuation signals for these two functions. And we'll just note here that these would be considered critical safety functions.
However, these are not credited in the CCF coping analysis. The -- from our documentation review, the two switches that were added for the diverse manual functions, were added to comply with Point Four. But, are not, again, not credited in the CCF coping analysis.
So, we did issue a letter, we being NEI, issued a letter that provides this same context and commentary regarding Point Four.
In that letter we recommended language that we believe still provides supplemental requirements for displays and controls that are required to cope with a common cause failure.
These, you know, a couple of main points that we'd like to make here is that again, the IEEE 279 and 603 requirements still apply.
Those, that set of manual controls and displays, you know, are still required. We're not asking to be exempted from those.
We acknowledge and are aligned with the NRC staff in the fact that if we can demonstrate that those controls, as they're implemented to meet the IEEE requirements, display adequate diversity or are not subject to the same CCF that they may be credited in the CCF analysis.
So, we're aligned on that perspective. However, based on how this has been implemented in the industry, what we're seeing is that a completely different set of controls and displays are being provided.
So, because of that, we'd like to clarify that supplemental requirements are only for the credited displays and manual controls. And again, credited in the coping analysis for common cause failure.
Our third point here, we haven't spent a lot of time with, but we do go through some level of discussion in the example, if you've been able to review that, about the location requirements.
In Point Four, both in the SRM SECY 93-0087 and in SECY 22-0076, there's location-based requirements for the main control room.
Back when the 1993 policy was developed, our human factors guidance was fairly limited. I believe at the time NUREG-0737 Supplement One was the primary guidance. We did not yet have Chapter 18 or
And specifically, Chapter 18 Appendix, I believe it's Appendix One, let me check my notes here. Yes, anyway so there's an Appendix that addresses specifically the -- I'm sorry, it's Appendix 18-Alpha.
It specifically addresses credited operator actions. And discusses the need for operator completion time analysis.
So, we believe that within policy, we should be consistent with the guidance that we do have for human factors engineering. And that we're no longer -- we can create the policy based off of the operation completion time analysis, and not specify a location within policy.
Lastly, based upon the fact that we're not, the manual functions, the manual displays and controls that we're discussing, are not necessarily the same controls and displays that are being implemented to make regulatory requirements that are a basis that we can use risk significance as a factor when addressing these.
So, previously I believe, there was a statement that, and this was possibly back in the earlier meeting, that Point Four was not -- it was not appropriate for risk significance to be considered in Point Four, because it was being used to address regulatory requirements.
This is a different set of displays and controls as it's been implemented in the industry today. So, because of that, we do believe that it is an appropriate candidate for risk significance to be considered.
So, we do have the backup slides if there are any questions or comments on those that we can get to. We would also just, I'd like to add, just based off of the last conversation that we had as we were, as the NRC staff was closing their presentation.
Regarding the clarity of Point Four, specifically with regards to the Commission clarifications that were added from SR -- in SRM SECY 93-0087, specifically, the points being made about the non-safety aspects of the manual controls and displays, as well as the specification by the Commission that common cause failure is a beyond design basis event.
We would, I think from the industry perspective, it's always appreciated when complete guidance is provided in a, one document. That way there's a lower likelihood of misinterpretation or missing a pertinent document in the future.
So, I would just like to state that we do appreciate that conversation and would like -- and appreciate consideration to consolidate that into either the SRM or in the SECY, whichever is appropriate.
And that really concludes. I wanted to keep my comments brief today, and to the point on Point Four. So, that concludes our prepared comments.
CHAIR BROWN: When you're talking about the one document, you're talking about that discussion we had towards the end on terms of the subsequent -- what parts of the old SRM still apply or not apply?
MR. CAMPBELL: That's correct.
CHAIR BROWN: So, I mean, it's -- to me it's fairly clear. But, obviously the staff is concerned that there's app -- how you -- on the phraseology, not being expressed.
MR. CAMPBELL: Right.
CHAIR BROWN: We were going -- I think hopefully we will attempt to resolve that here in the near future, based on some additional discussions.
But, that -- that still doesn't -- fundamentally the expansion, the new one, does not throw the baby out with the bath water. The SRM 93-0087, theoretically everything that's in there that's not changed, applies.
That's why I asked the question, just to make sure that it was in a couple of specific areas. Because they did not address, or readdress.
So, I understand your point. But, that's not where we are relative to the expansion. It does not nullify or put out a service, the old SRM and the previous SECY, they are still in play.
So, the ability to consolidate all that into one document, I think that seems to me, that boat has already sailed, or ship has already sailed, or steamed, whatever the appropriate term is.
MR. CAMPBELL: Understood. And I think any level of clarification that we can get documented, you know, I -- the existing policy has served us for close to 30 years now.
And surely somewhere along the way, you know, there's -- the levels of turnover and everything, what we understand today may not be what our successors understand later.
So, the more we have written down, we want to make sure that the clarity is there from the industry perspective, and such that there aren't missing elements of this in our future understanding.
CHAIR BROWN: I agree with you on that point. And I think that came out in our discussion. Eric, are you still there?
MR. BENNER: I am still here. We are going to do internal communications on that. We --
CHAIR BROWN: That's fine. I don't want -- I don't want to go any further. I just want to make sure --
(Simultaneous speaking.)
MR. BENNER: Yeah.
CHAIR BROWN: That that was like --
MR. BENNER: Well, I was -- I was going to say that no matter what comes out of our internal deliberations, we certainly have no objection to the Committee clarifying that that's your belief also.
Right? I mean, we'll -- we would have to decide whether we want to go as far as to, you know, pull back and resubmit the SECY. I don't think we will do that.
I mean, I think we will try to communicate in other ways and do whatever we could to get this clarity. And part of, you know, whatever other ways are available, it could be the Committee clarifying your interpretation and belief too.
So, I mean, certainly the Committee is going to do what it wants to do. But, we have no objection to the -- at all to the Committee also clarifying your interpretations, expectations, beliefs, whatever.
And like I said, we are going to do some internal communications and we'll, you know, we'll feedback whatever we learn.
CHAIR BROWN: Okay. Yeah, we just need to make sure we communicate.
MR. BENNER: Yeah.
CHAIR BROWN: Obviously, I think the Committee --
(Simultaneous speaking.)
MR. BENNER: And, you know, I -- you know, I can't promise, but we certainly, whenever we do implementing guidance, if it doesn't get addressed in some other means, we would carry this interpretation forward and document it in our implementing guidance, so.
CHAIR BROWN: Yeah, I think, obviously I think our letter is going to be addressing this issue
MR. BENNER: Okay.
CHAIR BROWN: In the best manner that we can. And hopefully we cannot get it buried in ifs, ands, buts, or ors.
MR. BENNER: Yeah.
CHAIR BROWN: But, I felt that the discussion we had, I thought it was fairly crisp. It was --
MR. BENNER: Yeah. I don't think it's that very complicated. We're just trying to make sure it's all in lock step in --
CHAIR BROWN: Yeah, sure.
MR. BENNER: And so that like Alan said, so that there is no ambiguity for someone who looks at this ten years from now to know what the Commission's expectations for what the staff are.
CHAIR BROWN: Yep.
MR. BENNER: We want that clarity also.
CHAIR BROWN: Okay. I got that. I will do that as best I can with the help of my colleagues. They've already kind of indicated that that's, you know, we will prepare a letter, I think, on this.
I will ask them if they uniformly agree. Jose has already made that comment. So, are there any other comments or questions from the Committee?
Okay. Hearing none, Christina, how do I go about, it's been a while. I'm going to go out for public comments.
MS. ANTONESCU: Yes. There were two members before that raised their hands. I think one of them left.
But there's still Mr. Bao here. And I think he raised his hand before.
CHAIR BROWN: Okay.
MR. BAO: Yeah, thank you, I'm good.
CHAIR BROWN: Yeah, go ahead.
MR. BAO: I mean, I'm good now. Some of your statements have answered my question. Thank you.
CHAIR BROWN: Oh, okay. All right. If anybody else on the public line that would like to make a comment?
MR. CROUCH: Yeah. This is Clayton Crouch. I'm a Project Manager from Dominion Engineering in Richmond, Virginia.
CHAIR BROWN: Okay.
MR. CROUCH: One of them was sort of administrative. The meeting today, trying to weave through the website.
I was able to get to the ACRS. It had the meeting agenda. But, it didn't have any of the presentations that were associated with it. They were on some of the earlier ones.
Was it just too late to put them on this time? Or, will they be available later?
MS. ANTONESCU: The presentation material is always available with the transcripts that we publish on our website.
MR. CROUCH: Okay. So, they will be available in a month or so. They weren't available.
MS. ANTONESCU: They will be available in a month or so, yes.
MR. CROUCH: Oh, okay. The other thing that I was wondering is, we're in the process of looking at a digital, major digital upgrade at our plants.
We're looking at two utilities, three utilities that have already gone before using the new ISG-06 process. And there's been a D3 analysis, detailed D3 analysis associated with those.
This new SECY, it talks about CCFs. Is it embedded in the D3 analysis that was done? Or is this going to sort of change that whole process if this gets approved?
CHAIR BROWN: Eric?
MEMBER REMPE: Charlie, this is Joy.
CHAIR BROWN: Yeah.
MEMBER REMPE: And we appreciate comments from the public. But, it's not a Q and A session.
CHAIR BROWN: Oh, that's right. That's right. I got it.
MEMBER REMPE: So, we'll have to --
CHAIR BROWN: I got it.
MEMBER REMPE: Thank you.
CHAIR BROWN: I got it. Okay.
MR. CROUCH: Okay. All right. So, my other question --
CHAIR BROWN: Yeah, my calibration there, it's late.
MR. CROUCH: No, that's all right. I understand. I appreciate that.
The other comment that I did have was, I've heard the, you know, kind of comparisons between an iPad and a carved glass top screen. And those are really kind of false equivalencies.
The control rooms are going to have glass panels that are hardwired. There's no internet connection. There's nothing like that.
And there's no proximity, I know some screens will have proximity where if you get your hand near it, it will turn on or turn off. That certainly isn't it.
So, that's kind of false equivalency trying to compare the two. So, I just wanted to make a comment and kind of clear that up.
CHAIR BROWN: Yeah, I don't -- I don't disa -- I agree with you in a way. It was trying to make it just a point where it would be very clear without all the little nuances that there are a bunch of applications.
MR. CROUCH: Um-hum.
CHAIR BROWN: Touch screens have their limitations.
MR. CROUCH: Right.
CHAIR BROWN: Even if they're hardwired and no internet. I'm not, you know -- and no internet
(Simultaneous speaking.)
MEMBER REMPE: Again Charlie, this is not a Q and A session.
CHAIR BROWN: Ah, yeah, yeah, yeah. I got it. Yeah, I got it. But, I've got five minutes. So, you know, it's --
(Simultaneous speaking.)
MR. CROUCH: It's tough for engineers not to answer questions.
CHAIR BROWN: Yeah. It's very, very tough.
MR. CROUCH: Yeah, that's right.
CHAIR BROWN: And I agree with you. I'll tell you what, if you've got any other comments, write them down and send them into the staff.
If, you know, if that's something that you've, you know, the previous question you just asked. Since we're not going to do Q and A here.
MR. CROUCH: Okay.
CHAIR BROWN: You have the opportunity to ask them that question.
MR. CROUCH: Okay. Thank you very much. I appreciate your time.
CHAIR BROWN: All right. That's an answer. Anybody else on the line?
Okay. With that, if there's no other comments from anybody else, I would like to poll the Committee quickly.
My sense is that we need to write a letter on this. Are there any input or comments that the Committee Members would like to make relative to that? Jose already voted.
Okay. My intention is then to go ahead and write a letter. Joy, is that what your expectation was?
MEMBER REMPE: Yes. I think that's fine. I agree that the letter should be written. And it would be nice to know what the staff's planning on doing.
But, I think in my -- we do have until November, --
CHAIR BROWN: Yep.
MEMBER REMPE: As I recall, when this letter is scheduled.
CHAIR BROWN: That's right.
MEMBER REMPE: And so, it sounds like the, from what I heard the staff say, it's best for us to go ahead and document our concerns.
And not worry about what the staff may do with respect to changes on the SECY we were provided. Right?
CHAIR BROWN: I'm not going to wait. I will --
MEMBER REMPE: Yeah.
CHAIR BROWN: I will see. I've only got about a week before I leave, as you're well aware of. And I'm burning up days like crazy recently.
I will attempt to try to -- I'm not guaranteeing this. I will attempt to try to at least put an outline or a strawman letter together with these points.
And send them to the members. If I can get it and make it coherent. Otherwise, I'll have to wait until I get back later in October.
MEMBER REMPE: Well, that's fine. And again, Subcommittee Members can provide input and comments in advance. And hopefully that will help. Because I do believe there's the potential, you may have two letters in November.
CHAIR BROWN: Oh, yeah.
MEMBER REMPE: So, you'll have a very busy time in November.
CHAIR BROWN: Yeah don't -- don't even remind me.
MEMBER REMPE: Okay. But, thanks to the staff, and to NEI for their presentation.
CHAIR BROWN: I'll care of that.
MEMBER REMPE: Okay.
CHAIR BROWN: I'll take care of that. I did want to say thanks to Eric. I thought you guys did a very good job. We had a great discussion.
And NEI, I appreciated you all's input. I think, you know, we're not really all that -- I don't think you guys are really all that far apart.
There's some nuances in there. And you would have liked to have had something a little bit different.
But, if -- I presume you all can have some other interactions relative to implementing things in other places when we come out with -- when they come out with whatever Reg Guides or BTPs they want to operate on.
So, you will get another shot at providing some input. Is that correct, Eric?
MR. BENNER: That is correct.
CHAIR BROWN: Okay. All right. With that in mind, we will adjourn this meeting, as long as nobody else has any objections?
Okay. Meeting is adjourned.
(Whereupon, the above-entitled matter went off the record at 12:37 p.m.)
©2022 Nuclear Energy Institute SECY-22-0076 -
Point 4 Discussion Alan Campbell Technical Advisor
©2022 Nuclear Energy Institute 2 NRC staff response and engagement NEI 20-07 Rev. D provided in September 2021 NRC responded efficiently to address required changes to allow consideration of new methods to address Common Cause Failure (CCF)
SECY-22-0076 Points 1-3 Maintains safety and addresses industry needs for NRC-approved alternate approaches Consistent with public stakeholder engagements Provide the means to allow for risk-informed approaches SECY-22-0076
©2022 Nuclear Energy Institute 3 June 8th Stakeholder Engagement Industry has primarily interpreted Point 4 as a separate analysis resulting in additional displays and manual controls regardless of their impact to coping with CCF, i.e., Points 1-3.
See Back-Up Slides for an example of how Point 4 has been interpreted by industry NRC staff provided an interpretation that Point 4 is intended to be treated within the context of the Diversity and Defense-in-Depth (D3) analysis (Points 1-3).
Industry recommended that a clarification be provided to align with the NRC interpretation.
SECY-22-0076 Point 4 Clarification
SECY-22-0076:
Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above.
SRM-SECY-93-087:
A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.
SECY-22-0076 Point 4 Clarification
SECY-22-0076 further states:
Point 4 of the recommended expanded policy clarifies that it is intended to be addressed in the same assessment as the first three points.
Point 4 states that the applicant may credit the additional displays and controls in the D3 assessment. It still requires displays and manual controls regardless of whether they are credited in coping with a CCF.
SECY-22-0076 Point 4 Discussion
SECY-22-0076 states:
The position in point 4 of SRM-SECY-93-087, Item 18, is maintained in point 4 of the recommended expanded policy because (1) it clarifies the implementation of existing regulatory requirements [] for addressing digital I&C CCFs and (2) the lack of independent and diverse displays and controls in the control room would prevent the manual operation of critical safety functions in the event that a CCF disables the digital I&C system. [emphasis added]
- Existing regulation does not address CCF; rather, the 10 CFR 50.55a(h) endorsed standards address Design Basis Events (DBEs)
- SRM-SECY-93-087 states common mode failures are beyond design-basis events
- This policy requires IEEE manual controls AND diverse manual controls
- Points 1-3 already protect the systems against DI&C CCF
Enhance Safety, Reduce Complexity
Industry Goal: Enhance safety by reducing system complexity.
- Only displays and manual controls required to cope with a CCF should be within scope.
- Supports the I&C design fundamental of simplicity
The interactions of these digital I&C systems are much more complex than the analogue systems that have been deployed previously. This complexity of interaction between subsystems increases the possibility that a latent fault can exist in the system that could be triggered and propagate and thus cause the system to not perform as expected. [emphasis added]
IAEA NP-T-1.5, Protecting against Common Cause Failures in Digital I&C Systems of Nuclear Power Plants
Recommended Point 4
Diverse displays and manual controls, if credited in the defense-in-depth CCF analysis, shall be located such that the action can be accomplished within the time period required. The applicant shall demonstrate the adequacy of the credited diverse displays and manual controls commensurate with the risk significance of the associated postulated CCF.
1. IEEE 279 or IEEE 603 requirements still apply and may be credited IF the applicant demonstrates adequacy.
2. Provides supplemental requirements for credited displays and manual controls.
Recommended Point 4
Diverse displays and manual controls, if credited in the defense-in-depth CCF analysis, shall be located such that the action can be accomplished within the time period required. The applicant shall demonstrate the adequacy of the credited diverse displays and manual controls commensurate with the risk significance of the associated postulated CCF.
3. Location based upon operator completion time analysis.
4. Adequacy based upon risk significance and not an expansion of IEEE 279 or IEEE 603.
Questions?
Back-Up Slides
Gen IV Light Water Reactor Example
US-APWR DCD Chapter 7 and its supporting documents demonstrate the common industry interpretation that results in unnecessary complexity.
The following table provides the DCD Chapter 7 RPS/ESFAS automatic/manual capabilities, diverse automatic/manual capabilities associated with the protection systems, and diverse capabilities required to cope with CCF.
Gen IV Light Water Reactor Example
| Protection System Function | Automatic Function | Manual Function | Diverse Automatic Function | Diverse Manual Function | Manual Action Credited in D3 Analysis? |
|---|---|---|---|---|---|
| Reactor Trip | RPS | 1 switch/train | DAS (Note 3) | 1 switch | Yes (Note 4) |
| Containment Isolation Phase A | ESF | 2 switches | | 1 switch | Yes |
| Containment Isolation Phase B | ESF | Note 1 | | | |
| Containment Purge Isolation | ESF | Note 2 | | | |
| Containment Spray Actuation | ESF | 2 switches/train | | | |
| CVCS Isolation | ESF | 2 switches | | | |
| Emergency Core Cooling System (ECCS) | ESF | 1 switch/train | DAS | 1 switch | |
| Emergency Feedwater (EFW) Actuation | ESF | 1 switch/train | DAS | 1 switch | |
| Emergency Feedwater (EFW) Isolation | ESF | 2 switches/train | | 1 switch/SG | Yes |
| Main Feedwater Isolation | ESF | 2 switches | | | |
| Main Steam Line Isolation | ESF | 2 switches | | 1 switch/SG | Yes |
| MCR Isolation | ESF | 1 switch/train | | | |
| Main Steam Depressurization Valve | | | | 1 switch/SG | Yes |
| Safety Depressurization Valve | | | | 1 switch | Yes |

Note 1: Initiated upon Manual Core Spray actuation
Note 2: Initiated upon Manual Core Spray or Manual Containment Isolation Phase A actuation
Note 3: Also includes Turbine Trip and Main Feedwater Isolation
Note 4: Manual trip required for Steam Generator Tube Rupture. Other scenarios credit DAS automatic signal.
Gen IV Light Water Reactor Example
ECCS and EFW Actuation diverse manual controls are NOT credited in the D3 coping analysis.
- Automatic DAS functions are credited in D3 coping analysis due to time requirements
ECCS and EFW Actuation have four (4) actuation signals (not including local control):
- Automatic ESF
- Manual ESF
- Automatic DAS
- Diverse Manual
SECY-22-0076 (and SRM-SECY-93-087) Point 4 requires these diverse, manual controls despite their impact to coping with CCF resulting in unnecessary complexity.
- Additional priority logic, operator knowledge, maintenance activities, etc.
- Opposes I&C fundamental design principle of Simplicity of Design
Gen IV Light Water Reactor Example
Main Steam Depressurization Valve and Safety Depressurization Valve manual operator actions are NOT part of the RPS/ESFAS functions.
Applicant identified these manual operator actions that support coping with CCF and provided manual controls diverse from the digital protection system.
This is an example of defensive measures that can be implemented using a risk-informed Point 4 policy such as that proposed by NEI.
Gen IV Light Water Reactor Example
| Design Basis Event Requiring Manual Action | Credited Manual Actions |
|---|---|
| Feedwater System Pipe Break Inside and Outside Containment | Emergency Feedwater Isolation |
| Inadvertent Decrease in Boron Concentration in RCS | Local Control |
| CVCS Malfunction that Increases Reactor Coolant Inventory | Local Control |
| Radiological Consequences of the Failure of Small Lines Carrying Primary Coolant Outside Containment | Local Control |
| Radiological Consequences of Steam Generator Tube Failure | Reactor Trip; Main Steam Line Isolation; Main Steam Depressurization Valve; Safety Depressurization Valve |
| LOCA Resulting from Spectrum of Postulated Piping Breaks within the RCS Boundary | Containment Isolation Phase A |

This table shows the DBEs requiring manual actions to cope with CCF and the credited manual action.
Local controls were demonstrated to provide credible manual operator action to cope with CCF.
Gen IV Light Water Reactor Example
Guidance already exists to demonstrate credited manual operator actions can be completed within the required timeframe.
- NUREG-0800 Chapter 18, Appendix 18-A, Crediting Manual Operator Actions in Diversity and Defense-in-Depth Analyses
- NUREG-1764, Guidance for the Review of Changes to Human Actions
SECY-22-0076 should NOT limit the acceptability of credited displays and manual operator actions required to cope with a CCF to the Main Control Room.
- The operator completion time analysis should demonstrate the acceptability of the location chosen from credited displays and manual operator actions.
Gen IV Light Water Reactor Example
Conclusions from the Gen IV Light Water Reactor example:
- SRM-SECY-93-087 Point 4 can lead to displays and manual controls that are NOT required to cope with CCF. SECY-22-0076 Point 4 should be limited to only displays and manual controls credited by the D3 coping analysis.
- Operator completion time analysis should be used to determine the acceptable location of credited displays and manual controls, not prescriptively defined in policy.
- Defensive measures, such as manual operator actions not already required by the protection system requirements, can be effective at coping with CCF.
Gen IV Light Water Reactor Example
References:
- MUAP-DC007, Rev. 4, Design Control Document for the US-APWR, Chapter 7, Instrumentation and Controls, August 2013
- MUAP-07006-NP-A, Rev. 2, Defense-in-Depth and Diversity, June 2008
- MUAP-07014-NP, Rev. 6, Defense-in-Depth and Diversity Coping Analysis, September 2013
Advisory Committee on Reactor Safeguards
Digital Instrumentation & Controls Subcommittee Briefing
September 23, 2022
SECY-22-0076 Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems
Technical Staff Presenters
- Samir Darbali - Electronics Engineer, NRR/DEX
- Steven Alferink - Reliability and Risk Analyst, NRR/DRA
- Norbert Carte - Senior Electronics Engineer, NRR/DEX
Digital I&C Project Managers
- Bhagwat Jain - Senior Project Manager, NRR/DORL
- Michael Marshall - Senior Project Manager, NRR/DORL
Working Group Members
- NRR/DEX
- NRR/DRA
- NRR/DSS
- Charley Peabody
- Ming Li
- Michael Marshall
- NRR/DORL
- RES/DE
- Sergiu Basturescu
Presentation Outline
- Introduction
- Background and Key Messages
- Purpose of SECY-22-0076
- Proposed Expanded Policy
- SECY-22-0076 Points
- Changes from SRM-SECY-93-087
- Next Steps
Background
- Nuclear power plants continue to install digital I&C technology
- SRM-SECY-93-087 directs that, if the D3 assessment shows that a postulated CCF could disable a safety function, then a diverse means be provided to perform that safety function or a different function
- The staff developed SECY-22-0076 which provides recommended language for an expanded policy that allows for greater use of risk-informed approaches to address DI&C CCFs for high safety significance systems
SECY-22-0076 Purpose
- To request that the Commission expand the current policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth, including not providing any diverse automatic actuation of safety functions.
- This expanded policy would apply to requests for new or amended licenses and design approvals, for all nuclear power plant types, under 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, and 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.
Key Messages
- The proposed expanded policy in SECY-22-0076 encompasses the current points of SRM-SECY-93-087 (with clarifications) and expands the use of risk-informed approaches in points 2 and 3.
- The four points when taken together provide criteria for the assessment of diversity and defense in depth against CCF.
- Use of risk-informed approaches will be expected to be consistent with the Safety Goal Policy Statement, PRA Policy Statement, and SRM-SECY-98-0144.
- The current DI&C CCF policy will continue to remain a valid option for licensees and applicants.
- Point 4 (diverse manual controls and displays) already incorporates an implicit element of risk informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
Proposed Expanded Policy to Address DI&C CCFs
[Figure: Proposed Expanded Policy to Address Digital I&C CCFs. Point 1: SRM-SECY-93-087, Point 1 (Clarified). Point 2: SRM-SECY-93-087, Point 2 (Clarified) on the Current Path, or Point 2 Risk-Informed Approach on the Risk-Informed Path. Point 3: SRM-SECY-93-087, Point 3 (Clarified) on the Current Path, or Point 3 Risk-Informed Approach on the Risk-Informed Path. Point 4: SRM-SECY-93-087, Point 4 (Clarified).]
- The Current Path allows for the use of best estimate analysis and diverse means to address a potential DI&C CCF
- The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential DI&C CCF
SECY-22-0076: Point 1
The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.
The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
SECY-22-0076 vs SRM-SECY-93-087: Point 1
The applicant shall assess the defense-in-depth and diversity of the facility incorporating the proposed instrumentation and control digital I&C system to demonstrate that vulnerabilities to common mode failures digital CCFs have been adequately been identified and addressed.
The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
Legend: language from SRM-SECY-93-087 kept in SECY-22-0076; new language added in SECY-22-0076; deleted language from SRM-SECY-93-087
SECY-22-0076: Point 1 Commentary
- Allows the defense-in-depth and diversity assessment to be commensurate with the risk significance of the proposed digital I&C system.
- This clarifying aspect of point 1 would be implemented consistent with the review guidance for graded approaches to digital I&C CCF in BTP 7-19, Revision 8.
SECY-22-0076: Point 2
In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk-informed approach.
When using best-estimate methods, the applicant shall demonstrate adequate defense in depth and diversity within the facility's design for each event evaluated in the accident analysis section of the safety analysis report.
SECY-22-0076: Point 2 (cont'd.)
When using a risk-informed approach, the applicant shall include an evaluation of the approach against the Commission's policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis).
SECY-22-0076 vs SRM-SECY-93-087: Point 2
In performing the defense-in-depth and diversity assessment, the vendor or applicant shall analyze each postulated common-mode failure CCF. This assessment may use either best-estimate methods or a risk-informed approach.
When using best-estimate methods, the applicant shall demonstrate adequate defense in depth and diversity within the facility's design for each event that is evaluated in the accident analysis section of the safety analysis report using best estimate methods. The vendor or applicant shall demonstrate adequate diversity within the design for each of these events.
SECY-22-0076 vs SRM-SECY-93-087: Point 2 (cont'd.)
When using a risk-informed approach, the applicant shall include an evaluation of the approach against the Commission's policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis).
SECY-22-0076: Point 2 Commentary
- Staff's goal is that the acceptance criteria for risk-informed approaches for digital I&C CCFs will be consistent with the NRC's broader (i.e., not specific to digital I&C) practices and guidance for risk-informed decision making.
- For example, the NRC staff will review license amendment requests for conformance to the guidance in RG 1.174 for applications employing risk-informed approaches.
SECY-22-0076: Point 3
The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF.
SECY-22-0076: Point 3 (cont'd.)
A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.
If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.
SECY-22-0076 vs SRM-SECY-93-087: Point 3
The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF.
SECY-22-0076 vs SRM-SECY-93-087: Point 3 (cont'd.)
A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes If a postulated common-mode failure could disable a safety function, then a diverse means, with a documented basis showing that the diverse means is unlikely to be subject to the same CCF common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function means may be performed by a system that is not non-safety system-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.
If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.
SECY-22-0076: Point 3 Commentary
- The staff expects that for a license amendment request, the risk significance of CCFs will be determined by any increase in risk to the facility from a postulated digital I&C CCF and that this risk increase would be determined using a quantitative bounding assessment.
- Current experience is insufficient to establish confidence in quantifying the probability of occurrence of digital I&C CCFs.
- The NRC staff will not be able to approve risk-informed quantitative approaches based on reducing the probability of occurrence of digital I&C CCFs through design techniques for high safety significance SSCs.
SECY-22-0076: Point 4
Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above.
SECY-22-0076 vs SRM-SECY-93-087: Point 4
A set of displays and controls located in the main Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The These main control room displays and controls shall may be independent and diverse from the safety computer system identified in items 1 and used to address point 3, above.
SECY-22-0076: Point 4 Commentary
- Taken within the context of Points 1-3, Point 4:
- ensures fundamental defense-in-depth for manual operator intervention when necessary, and therefore provides for reasonable assurance of adequate safety
- is consistent with the application of existing regulatory requirements for independence that are incorporated into the regulation (10 CFR 50.55a(h) and GDC 22)
- Point 4 already incorporates an implicit element of risk informing (in both SRM-SECY-93-087 and SECY-22-0076).
- Point 4 is only applicable to critical safety functions (defined in SECY-93-087 and SECY-22-0076) and not to all the safety functions performed by the digital I&C system.
SECY-22-0076: Point 4 Commentary (cont'd.)
[Figure: Scope of Point 4, shown against Plant Safety Functions, Plant Critical Safety Functions (reactivity control, core heat removal, reactor coolant inventory, containment isolation, containment integrity) and Functions Performed by the Digital I&C System.]
The diverse manual controls and displays for critical safety functions ensure the safety of the facility.
Point 4 only applies to:
- The critical safety functions performed by the digital I&C system.
Point 4 does not apply to:
- All safety functions performed by the digital I&C system.
- Critical safety functions not performed by the digital I&C system.
SECY-22-0076: Point 4 Commentary (cont'd.)
- Licensees that want to use risk information to reduce the requirements for manual controls can request an exemption or an alternative to 10 CFR 50.55a(h) and the staff would inform the Commission before approving or denying such exemptions and alternatives.
- The staff does not believe that Point 4 can be meaningfully further risk-informed without more engagement with industry on design challenges, and some industry concerns can be addressed in implementing guidance.
Key Messages
- The proposed expanded policy in SECY-22-0076 encompasses the current points of SRM-SECY-93-087 (with clarifications) and expands the use of risk-informed approaches in points 2 and 3.
- The four points when taken together provide criteria for the assessment of diversity and defense in depth against CCF.
- Use of risk-informed approaches will be expected to be consistent with the Safety Goal Policy Statement, PRA Policy Statement, and SRM-SECY-98-0144.
- The current DI&C CCF policy will continue to remain a valid option for licensees and applicants.
- Point 4 (diverse manual controls and displays) already incorporates an implicit element of risk informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
Next Steps
- If the Commission approves the expanded policy, the staff will:
- update the existing implementation guidance to address digital I&C CCFs, and
- continue to engage stakeholders and the public to seek comments on the staff's implementation of the expanded policy.
Questions?
Acronyms
- BTP - Branch Technical Position
- CCF - Common Cause Failure
- D3 - Defense-in-Depth and Diversity
- DI&C - Digital Instrumentation and Control
- ESFAS - Engineered Safety Features Actuation System
- GDC - General Design Criteria
- I&C - Instrumentation and control
- NEI - Nuclear Energy Institute
- NRC - Nuclear Regulatory Commission
- PRA - Probabilistic Risk Assessment
- RG - Regulatory Guide
- RPS - Reactor Protection System
- SAR - Safety Analysis Report
- SECY - Commission Paper
- SRM - Staff Requirements Memorandum