ML23130A004

| Field | Value |
|---|---|
| Issue date | 05/11/2023 |
| From | Sushil Birla, NRC/RES/DE |
| Contact | Sushil Birla, 301-415-2311 |

Text
Challenges in assuring safety of nuclear reactor protection systems: one perspective

Sushil Birla, Senior Technical Advisor, U.S. Nuclear Regulatory Commission
21st Software Certification Consortium Meeting, May 11-12, 2023, Annapolis

The views expressed herein are those of the author and do not represent an official position of the U.S. NRC.

Reactor protection concept [figure; source: IAEA NP-T-1.5]
The industry is not homogeneous [figure: regulated operators (licensees), technical service providers and vendors, with different drivers and knowledge levels; regulators in the UK, Canada, USA, France, Finland, Ukraine, Japan and China]

Vocabulary around CCF:

- Hardware failure is random; software failure is systemic.
- Defense in depth and diversity are intended to protect against unknown unknowns: unintended behavior caused by unknown dependencies.
- Common cause failure (CCF) and common mode failure (CMF) are the terms used in the PRA NUREGs, in review guidance, and in SRM/SECY-93-087 and SECY-91-292.
Current State & Trends [figure]

- Trends: interconnections, complexity, feedback paths, side effects, hidden dependencies, unwanted interactions.
- Properties affected: comprehensibility, verifiability, analyzability, deterministic behavior, redundancy, independence, diversity, common cause, defense in depth, safety margins.
- Consequence: traditional HA techniques (FTA; DFMEA) ineffective.

[RIL-1001; RIL-1002; NUREG/IA-0254; EPRI]

NRC's technical basis eroded
Contributory Hazard Scenario (1/2): S - NS Interconnections [figure: safety systems SS1..SSn connected to non-safety systems N-SS1..N-SSn, plant data networks PDN1..PDNn, a business data system, a service unit and the Internet; legend: safety system, non-safety system, plant data system, business data system, Internet; hidden interdependency highlighted]
Contributory Hazard Scenario (2/2): Cross-Divisional Interconnections [figure: divisions A, B, C and D of neutron detectors (Nd) feeding voting logic for the NPP unit core and actuators]
Dependency Example: System Architecture Dimension [figure: Element_i depends on Element_ij for a supporting function (internal dependency); if the supporting function is not provided or is provided too late, the system safety function degrades. An external system can also interfere with Element_i (external dependency).]

Factors Affecting Quality of HA [figure: quality of HA depends on competence, quality of technique and quality of input]
Challenges in the current paradigm [figure]

- Axes: quality (fault prevention) versus diversity in design (fault tolerance); other axis labels read, as far as legible, uncertainty, review effort and competence.
- Regions: assurance with high flexibility (performance-based, outcome-oriented; industry push, e.g., NEI 20-07) versus assurance with low flexibility (prescriptive, e.g., diversity in design; current regulatory review approach).
- "Where we are now" versus "Where we would be without diversity in design".
- In the current process: more left to judgment.
- Changes needed to prevent CCF: objective evaluation criteria; a paradigm with state of practice, competence and culture.
Technical challenges - recap

Performance-based assurance of a system:
- Identifying what can go wrong
- The specific causes
- Formulating commensurate requirements
- Validation
- Verification
- Ability to evaluate the effect of gaps on the system function