ML23193A379

Expansion of Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems
Issue date: 07/24/2023
From: Andrea Veil, Licensing Processes Branch
To: Office of Nuclear Reactor Regulation

July 24, 2023

MEMORANDUM TO: Office of Nuclear Reactor Regulation Staff and Management

FROM: Andrea D. Veil, Director, Office of Nuclear Reactor Regulation (signed by Andrea Kock on behalf of Andrea Veil on 07/24/23)

SUBJECT: REVISION OF POLICY ON POTENTIAL COMMON-CAUSE FAILURES IN DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS

In SECY-22-0076, "Expansion of Current Policy on Potential Common-Cause Failures (CCFs) in Digital Instrumentation and Control (I&C) Systems" (Agencywide Documents Access and Management System (ADAMS) Accession No. ML22193A290), the U.S. Nuclear Regulatory Commission (NRC) staff recommended changes to the Commission's existing policy on CCFs for digital I&C systems (contained in Staff Requirements Memorandum (SRM)-SECY-93-087) to expand the acceptable use of risk information. Specifically, the NRC staff requested that the policy be expanded to allow the use of risk-informed approaches as a means to justify an appropriate level of defense-in-depth and diversity for submitted digital I&C systems or approaches.

On May 25, 2023, the Commission approved the NRC staff's recommendation with edits as contained in SRM-SECY-22-0076 (ML23145A176). Any sections of SRM-SECY-93-087 not changed by SRM-SECY-22-0076 are still in effect (e.g., the Commission's direction in SRM-SECY-93-087 that diverse displays and manual controls do not have to be hardwired). The enclosure to this memorandum is a copy of the revised policy.

This memo serves as issuance of the revised policy to impacted NRC staff. Additionally, the staff will be issuing final implementing guidance for the revised policy, which will be independent of the licensing pathway selected by reactor licensees and applicants, by May 24, 2024, as directed by the SRM.

Enclosure: As stated

CONTACT: Samir Darbali, NRR/DEX, 301-415-1360

DATE: JULY 24, 2023

DISTRIBUTION: SRM-S22-0076-1, PUBLIC, RidsNrrDrma Resource, RidsNrrDorl Resource, RidsNrrVpo Resource, RidsNrrDex Resource, RidsResDe Resource, RidsNrrDanu Resource, RES_DRA, RidsNrrDnrl Resource, RidsRgn1MailCenter Resource, RidsNrrDra Resource, RidsRgn2MailCenter Resource, RidsNrrDss Resource, RidsRgn3MailCenter Resource, RidsNrrDro Resource, RidsRgn4MailCenter Resource

ADAMS Accession Number: ML23193A379    NRR-106

Concurrence:

OFFICE   DORL/LLPB/PM   DEX/ELTB     DORL/LLPB/LA
NAME     NSmith         SDarbali     DHarrison
DATE     07/12/2023     07/12/2023   07/12/2023

OFFICE   DEX/ELTB/BC    DEX/D        NRR/D
NAME     JPaige         EBenner      AVeil (AKock for)
DATE     07/12/2023     07/13/2023   07/24/2023

OFFICIAL RECORD COPY

Revised Sections of Policy on Defense Against CCF in Digital I&C systems

1. The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.

The defense-in-depth and diversity assessment must be commensurate with the risk significance of the proposed digital I&C system.

2. In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both.

When using best-estimate methods, the applicant must demonstrate adequate defense in depth and diversity within the facility's design for each event evaluated in the accident analysis section of the safety analysis report.

When using a risk-informed approach, the applicant must include an evaluation of the approach against the Commission's policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and RG 1.233, "Guidance for a Technology-inclusive, Risk-informed, and Performance-based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors").

3. The defense-in-depth and diversity assessment must demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant must demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs must be commensurate with the risk significance of each postulated CCF.

A diverse means that performs either the same function or a different function is acceptable to address a postulated CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.

If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means must be provided.

4. Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) must be provided for manual, system-level actuation of risk-informed critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above. The applicant may alternatively propose a different approach to this point in the policy if the plant design has a commensurate level of safety.