Text

NRC Risk Forum Public Meeting Presentation Slides
	ML23254A388
Person / Time
Issue date:	09/11/2023
From:	Shilp Vasavada; NRC/NRR/DRA
To:	;
References
	Download: ML23254A388 (1)
	v • d • e

Successful Applications of Risk-Informed Decision-Making for Operating and New Reactors Shilp Vasavada Chief, PRA Licensing Branch C Division of Risk Assessment, Office of Nuclear Reactor Regulation Shilp.Vasavada@nrc.gov 1

Approval of NuScales Risk-Informed EPZ Sizing Methodology

Achieved a globally impactful and seminal risk-informed regulatory decision

Demonstrated the value of risk-informed decision-making in balancing safety and flexibility

Demonstrated the value of an integrated multi-disciplinary team spanning three Offices

Expanded the applicability of risk-informed decision-making

Solved significant technical issues while maintaining fidelity with EPZ fundamentals

Present day risk assessment and dose consequence tools applied to EPZ sizing fundamentals (NUREG-0396) using the principles of risk-informed decision-making

Licensing and design EPZ spectrum of accidents

Developed technology-inclusive and reproducible approaches

Event screening, including seismic events, for EPZ sizing 2

Dose-distance acceptance criteria

Use of Risk Insights to Support the NuScale SDAA Review

Collected design-specific risk information and insights during pre-application engagement

Shared insights with reviewers and senior management

Discussions and decisions on challenge areas for acceptance review started with relevant risk insights

Level of effort for different FSAR chapters graded (H, M, L) with support from risk insights

Continued use and communication of risk insights for challenging technical issues

Integrated teams spanning multiple technical disciplines 3

Risk-Informed Process for Evaluations (RIPE)

RIPE is a streamlined NRC-review process for addressing low safety significance license amendment and exemption requests

Focus resources and attention on safety significant issues

Rooted in principles of risk-informed decision-making

Leverages existing regulations and risk-informed initiatives

Application

Applied to a first-of-a-kind exemption request

Process exercised for efficient review and approval (approximately 100 staff review hours)

Feedback from staff resulted in enhanced guidance 4

Open Phase Condition (OPC) Resolution

Open Phase Isolation System (OPIS) installed by several licensees as part of industry initiative on OPC

Spurious actuations were observed during the monitoring phase of OPIS implementation resulting in need to identify and evaluate options

Resolved spurious actuations issue at approximately 65% of plants using a risk-informed approach by implementing manual OPC isolation

Comparison of risk from OPIS and the manual OPC isolation determined to be small

Risk-informed approach balanced safety and operational flexibility 5

Key Takeaways NRC staff continues to apply the principles of risk-informed decision-making across business lines Tangible successes demonstrate progress and provide opportunities to further expand applications 6

Palo Verde RIPE Exemption Success Removal of the Diverse Auxiliary Feedwater Actuation System Matthew Cox Department Leader, Nuclear Regulatory Affairs September 12, 2023

RIPE Exemption Application

10 CFR 50.12 partial exemption from 10 CFR 50.62(c)(1) must have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS

Removed the Diverse Auxiliary Feedwater Actuation System (DAFAS) from the PVNGS licensing basis

Addressed equipment obsolescence 2

Journey Identification of low-risk application for the new RIPE process CDF LERF Increase in risk between Baseline & DAFAS 3.2x10-9 5.9x10-11 Sensitivity NEI 21-01 RIPE Acceptance Guidelines < 1.0x10-7 < 1.0x10-8 Resources associated with maintaining or replacing DAFAS was not commensurate to its safety significance, which represented an undue hardship 3

Journey

Reviewed NRC and NEI guidance for RIPE exemptions

Challenge board with industry including NEI

Initial NRC pre-submittal meeting

Integrated Decision-making Panel (IDP) observed by NRC

Second NRC pre-submittal meeting

Submitted January 2022 and approved March 2022 4

Challenges

Interpreting the new process

Ensuring adequate technical detail and addressing defense-in-depth

Developing RIPE-IDP procedure, training, and qualification

Managing increased observations

Importance of a high quality submittal

Request for additional information (RAI) exits RIPE and enters the traditional exemption process 5

Success

Timely NRC approval within the 13 week guidelines

DAFAS removed from the licensing basis, bypassed by operations, and plant modification in progress to physically remove the system

Open communication from a seek to understand perspective

ADAMS References

Submittal dated 1/14/2022 - ML22014A415

Acceptance review dated 1/31/2022 - ML22032A031

Response to RCI dated 2/22/2022 - ML22053A212

Approved exemption dated 3/23/2022 - ML22054A005 6

Aircraft Radio Altimeters and 5G C-Band Deployment in the United States Presented by:

Chris Hope, Deputy Director (A), Office of Safety Standards, FAA Flight Standards Service NRCs 2023 Risk Forum September 12, 2023Rockville, MD

FCC R&O and the RTCA Report

The FCC Report and Order dated February 28, 2020, established a new and unknown operating environment for aircraft operating in areas where 5G (3.7-3.98 GHz C-Band) emissions will be present

- Under the FCC rules, the wireless C-Band deployment was to start on December 5, 2021 in the lower 100 MHz (3700-3800 MHz) in only 46 markets

- Phase 2 of the deployment included 19 additional license holders and would allow deployment in CONUS (ex: HI and AK) in the full band (3.7-3.98 GHz)

Results from RTCA testing published in October 2020 indicated a major risk that 5G C-Band telecommunications system will cause harmful interference to RADALT of all types of civil aircraft

The RTCA report, public comments to the RTCA report, and analyses from radio altimeter manufacturers and aircraft manufacturers were used in support of the safety risk determination and development if the AD published in Dec 2021 NRCs 2023 Risk Forum 2 September 12, 2023 l Rockville, MD

Radio Altimeter Airworthiness Directives FAA issued two ADs in December 2021 prohibiting certain operations in the presence of 5G (3.7-3.98 GHz C-Band) emissions

- One AD addresses transport category airplanes and the other helicopters

- The Unsafe condition is defined as unreliable radio altimeters in the presence of 5G C-Band

- Notices to Air Missions* (NOTAM) have been issued to limit the impact of the AD to areas and airports where 5G C-Band will be deployed

- These ADs are interim actions. As FAA obtains additional data, we may issue additional ADs to address aircraft specific hazards or choose to revise these ADs

- FAA regulations and advisory guidance allows anyone to propose to the FAA an alternative method of compliance (AMOC) or a change in the compliance time, if the proposal provides an acceptable level of safety

- An AMOC provides an acceptable level of safety for a different way, other than the one specified in the AD, to address the unsafe condition

- 12 additional aircraft specific ADs published NRCs 2023 Risk Forum 3 September 12, 2023 l Rockville, MD

Timeline of 5G Deployment in the U.S.

2022 2015 2019-20

Verizon and AT&T Begin

Mobile C-Band Allocations

Testing by Aviation Deploying 5G C-Band are Proposed at World Demonstrates Potential Services in the U.S.

Radio Communications Interference 2021

FAA brokers Cross-Conference

RTCA Report Industry Information

FCC

ICAO Job Cards Created Published in 10/2020 Sharing to Manage Auctions Operational Impacts 5G C-Band Spectrum 2017 2020 2021 2022

U.S. Initiates Procedures to

U.S. Completes

U.S. Government

FAA Issues Additional Allocate C-Band for 5G Allocation of C-Band Interagency Discussions Airworthiness Directives

Aviation Submits Spectrum for 5G

FAA Issues Safety Mitigating Airplane-Comments Expressing Mitigation Actions Specific Safety Risks Concerns including Airworthiness Directives Restricting Low Visibility Landings NRCs 2023 Risk Forum 4 September 12, 2023 l Rockville, MD

Runway Safety Zone (v1.0) with Performance Buffer NRCs 2023 Risk Forum 5 September 12, 2023 l Rockville, MD

Runway Safety Zone (v2.0) with Performance Buffer Performance Buffer (PB)

FAA AMOCs are issued based on the performance capabilities of the Radio Altimeter.

Runway Safety Zone (RSZ)

The Radio Altimeter must function accurately and reliably in 100% of the RSZ.

Not to scale.

FAAs method for performing this evaluation has evolved several times since January 2022 6 NRCs 2023 Risk Forum 6 September 12, 2023 l Rockville, MD

5G C-Band Real World Measurement Understanding 5G Signal Levels in an airspace

We now know the RA Failure modes and levels of signal that cause it

We needed to know the actual signal levels in real world environment

Historical approach to FAA modeling of RF propagation uses the maximum regulatory limits of a system as operating assumptions:

- For 5G C-Band - that modeling showed no path to safe coexistence (see R&O)

- New method needed to have confidence in the level of signal on the aircraft:

1. Model the Radio Frequency (RF) predicted environment

- FAA worked with wireless to understand their in-house RF modeling tools predicting 5G signal propagation using as-built characteristics

- With those wireless models - they showed that the signal levels were high enough to cause impacts to altimeters

2. Measure the actual RF environment

- Need to empirically assess realistic encounterable 5G signal levels in the airspace

- FAA coordinated a series of flight measurements in partnership with AT&T and Verizon to measurement ambient 5G signal levels NRCs 2023 Risk Forum 7 September 12, 2023 l Rockville, MD

5G C-Band Real World Measurement Signal-in-Space Basics

Runway Safety Zone: Area around an airport that represents a 3D volume of space where normal operation of a radar altimeter is critical to aviation safety

Power Thresholds: The maximum amount of fundamental and spurious 5G signal levels that radar altimeters can experience before producing erroneous results

Predictive Model: The mathematical formulas that convert 5G base station locations into 5G SIS power level predictions throughout the Runway Safety Zone (discussed on previous slides)

FAA assesses the compatibility of the base stations against the applicable Power Thresholds inside the Runway Safety Zone using the Predictive Model to predict the signal levels NRCs 2023 Risk Forum 8 September 12, 2023 l Rockville, MD

Key Safety Systems Affected by RadAlt

Terrain Awareness and Warning System (TAWS)

- Alerts and prevents controlled flight into terrain (CFIT)

- Looks ahead and downward

- Introduced 1998--mandatory since 2002

Traffic Collision Avoidance System (TCAS)

- Alerts the presence of nearby traffic and cooperates among airplanes

- Introduced 1988--mandatory from 2003

Windshear (Reactive) Warning and Guidance

- Alerts aircrew to windshear

- Measures ground clearance during escape maneuver (Inhibited above 2500 feet)

- Mandatory since 1991 NRCs 2023 Risk Forum 9 September 12, 2023 l Rockville, MD

Key Safety Systems, historical examples Precipitants TCAS of TAWS

Alaska 1866, Juneau, 9/4/71. *PSA 182, San 111 fatal Diego, 9/25/78.

American 965, 144 fatal Cali, 12/20/95. *Aeromexico 151 fatal, 4 498, LAX, survived 8/31/86. 82 fatal Windshear

Eastern 66, *Delta 191, JFK, 6/24/75. DFW, 8/2/85.

116 fatal, 11 137 fatal, 26 survived survived NRCs 2023 Risk Forum 10 September 12, 2023 l Rockville, MD

Managing Cumulative Fleet Risk Source: ICAO Safety Management Manual (SMM) (Doc 9859)

Major / Minor Hazardous /

Catastrophic Major / Minor

FAA ADs mitigate risks of hazardous/catastrophic outcomes

Numerous major/minor hazards are not addressed by current ADs

Expanded 5G deployments will increase the rate of major/minor events

Residual risk is accumulating globally; FAA, EASA, TCCA, ANAC are discussing how to harmonize our approach to global risk management NRCs 2023 Risk Forum 11 September 12, 2023 l Rockville, MD

5G / RA Coexistence Timeline January 2023 May 2023 June 2023 July 2023 February 2024

FAA issues Notice of

FAA issues

FAA issues

5G C-band

AD requires all Proposed Rulemaking NPRM ADs Final Rule ADs deploys commercial (NPRM) Airworthiness confirming confirming nationwide in the airplanes to meet Directive (AD) additional NPRM 3.7 to 3.98 GHz retrofit establishing retrofit airplane-specific requirements frequency band at requirements requirements for all restrictions increased power airplanes levels

Retrofits underway

Low visibility landings and airplane-specific restrictions apply nationwide for aircraft that are not retrofit NRCs 2023 Risk Forum 12 September 12, 2023 l Rockville, MD

Operator SMS

Associated Systems

- RA systems such as autoflight, TAWS, TCAS, HUD, FD, Anti-ice, etc

Possible System Hazards

- Erroneous indications/annunciations, inoperable systems, takeoff and landing wind limitation hazards, loss of windshear guidance, etc

Aircraft-Level Hazards (Consequences)

- Accidents

Runway excursion/overrun

Hard landing

Tail strike: fuselage drags on contact with pavement

Loss of control inflight

Midair collision

- Long-term effects

Desensitization to flightcrew alerts from increased nuisances

Controls NRCs 2023 Risk Forum 13 September 12, 2023 l Rockville, MD

Enabling Coexistence Long Term (e.g., beyond July 2023)

Focus will remain on getting remainder of aircraft modified to meet February 2024 requirement

All 21 3.8-3.98 GHz licensees have advised FCC that they voluntarily agree to:

- Delay widespread use of these higher frequencies

- Limit spurious (out of band) emissions

- Implement antenna down tilt nationwide

- Reduce power near airports

Sunset date of these agreements is five years with midterm check in

Buys aviation community time to develop and implement more robust RAs NRCs 2023 Risk Forum 14 September 12, 2023 l Rockville, MD

Lessons Learned Summary

U.S. approach is an example of safe integrationother countries have also had success

New generation of performance standards are needed to ensure future technology evolutions wont disrupt coexistence

Government and industries need to work together

Industry and Safety Management System (SMS)

NRCs 2023 Risk Forum 15 September 12, 2023 l Rockville, MD

Discussion NRCs 2023 Risk Forum September 12, 2023Rockville, MD

Risk-Informed Program Benefits Suzanne Loyd Senior Manager, Constellation Risk Management 12 September 2023

Long Standing Risk-Informed Programs at Constellation Surveillance Frequency MSPI Maintenance Rule Control Program

Used to extend

Measures difference in

Configuration Risk surveillance intervals system unavailability and Management and

Equipment with good test unreliability Maintenance Rule (a)(4) history

High-pressure systems,

Planned and emergent

Multi-disciplined panel RHR, Emergency AC, work used for decision-making Cooling Water

Component risk ranking Benefits: Benefits: Benefits:

Focus on important SSC

Focus on risk significant SSCs

Focus on risk significant SSCs surveillances

Encouraged plant

Balance of plant availability

Divisional outage planning improvements to reduce MSPI and reliability through

Reduced half-trips vulnerability maintenance practices

Reduced labor for testing 1 l Risk-Informed Program Benefits

RICT Program Benefits Avoid emergent shutdowns Plan large design changes & Move routine work from Lower organizational stress

Instant use of approved RICT modifications outage to online *Contingency/What-if RICT procedures/Risk Monitor tool *Eliminate one-time LAR(s) *Work performed during less calculations/preparations instead of seeking NOED/LAR *Transformer work stressful times *Possible relaxation of 24/7

Extend very short AOTs *Avoid complex offsite power *Large power transformers requirements

Inverter replacement re-alignments *Common equipment at *Less urgency for contingency

Extended 2hr AOT *Avoided potential human multi-unit sites vendor support and parts errors *Preclude dual unit shutdown *Friday spin-ups 2 l Risk-Informed Program Benefits

SLC relief valve test/replacement 10CFR50.69 Program Benefits

Extending from 8 to 15 years gives annualized savings of

~$30k/year Projected Savings with Alternative SLC EQ PMs for squib valve and level Treatments at Limerick transmitter

Retiring Replacement PMs gives annualized savings of

~$21k/year

Cost avoidance from PM extensions

- ~ $375k/year Materials and Labor PCIG relief valve test & replacement

IST - Projected savings for descoping RISC-3

Extending from 8 to 15 years gives annualized savings of

~$16k/year components from supplementary position indication Drywell HVAC motor

- ~ $200k(one time procedures savings)

Condition-based monitoring, extending PM (previously EQ) ~

- ~ $15k/year (App J reduction) $260k/year

ISI - Reduction in weld exams and pressure Radiation Monitor recorders testing

- $17k/yr.

50% savings in parts; Lead time changed from 12 weeks to In stock 3 l Risk-Informed Program Benefits

10CFR50.69 Case Study - Limerick RHR Service Water Spray Pond Piping - July 2019 RHR Service Water Successful Prompt resolution Spray network categorized as replacement in piping corrosion RISC-3 using September of a significant the 50.69 2019 material condition program issue

One header of two for *Reduced cost each unit of RHR Service using approved Water unavailable alternative

Entry into Action treatment

Fast lead time and turnaround Statements for both *RICT to perform piping *Manufacturing safety-related piping would have units required to repair required delays due to conversion to manufacture replacement without dual- safety related piping unit shutdown *Would have caused additional delays in other orders, impacting supply chain

Overall savings ~ $1M considering materials, labor, QA/QC, etc.

4 l Risk-Informed Program Benefits

Lessons Learned from 10CFR50.69 Program Implementation Benefits from 50.69 are not just money saved

Quicker turnaround on material procurement

Prompt resolution of material condition problems

Prompt restoration of systems

Focus on safety-related systems Innovative risk-informed applications take time

Experience creates new ideas/innovation

Realizing some early wins builds plant confidence 5 l Risk-Informed Program Benefits

Risk-Informed Initiative Success Stories - Oversight Julio Lara, Director Division of Operating Reactor Safety, Region III

Oversight Regional Offices have responsibility for Reactor Oversight o Increased focus on implementation of risk informed initiatives o Modernizing internal processes to enable staff to better integrate risk insights o Focus on risk-informed decision-making Risk Informed Completion Times o Inspector tabletops as RICT amendment requests approved o SRAs proactively engage inspectors in RICT reviews o Safety and operational flexibilities PRA Configuration Control o Operating experience smart sample that will verify that PRA configuration control programs o Verify that PRA models remain technically adequate, reflecting the as-built, as operated plant to ensure confidence in the use of PRA results Risk Focused Inspections o 10 CFR 50.69 Risk-informed categorization and treatment of components o Maintenance Rule o Outage risk management 2

Managing Uncertainty:

The Role of Safety Margins and Performance Monitoring Sunil Weerakkody Senior Level Advisor, PRA Division of Risk Assessment Office of Nuclear Reactor Regulation US Nuclear Regulatory Commission 2023 NRC Risk Forum 1

KEY QUESTION Is NRC making high-quality risk-informed decisions that ensure adequate protection of public health and safety by appropriately treating uncertainties?

2023 NRC Risk Forum 2

OVERVIEW OF THE PRESENTATION Compare and contrast how the Identify Identify several risk- regulator makes high-quality different types informed processes risk-informed decisions for of used by the each of the processes by, in uncertainties regulator part, relying on safety margins and defense in depth 2023 NRC Risk Forum 3

What is aleatory uncertainty?

(NUREG-1855): Aleatory uncertainty is based on the randomness of the nature of the events or phenomena and cannot be reduced by increasing the analysts knowledge of the systems being modeled. Therefore, it is also known as random uncertainty or stochastic uncertainty.

(Oxford English Dictionary): [Uncertainty] dependent on uncertain contingencies; left to or resulting from a chance process.

(Mariam Webster Dictionary): [Uncertainty] dependent on an uncertain event or contingency as to both profit and loss; Deriving from the Latin noun alea, which refers to a kind of dice game, aleatory was first used in English in the late 17th century to describe things that are dependent on uncertain odds, much like a roll of the dice.

2023 NRC Risk Forum 4

What is epistemic uncertainty?

NUREG-1855: Epistemic uncertainty is the uncertainty related to the lack of knowledge about or confidence in the system or model and is also known as state-of-knowledge uncertainty (Includes Parametric uncertainty, Completeness uncertainty, Model uncertainty)

Oxford English Dictionary: [uncertainty] Of or relating to knowledge, or to its extent, linguistic expression, or degree of validation.

Mariam Webster Dictionary: [uncertainty] of or relating to knowledge or knowing; Wherever it is used, epistemic traces back to the knowledge of the Greeks; It comes from epistm, Greek for "knowledge." That Greek word is from the verb epistanai, meaning "to know or understand," a word formed from the prefix epi- (meaning "upon" or "attached to") and histanai (meaning "to cause to stand")

2023 NRC Risk Forum 5

Are PRA models cause or the solution to uncertainties?

What are the contributors to aleatory uncertainty?

How do the PRA models enable NRC address aleatory uncertainties?

Do the PRA practitioners introduce epistemic uncertainties during the modeling process ?

Does NRC have appropriate processes appropriately consider epistemic uncertainties introduced during the modeling process in risk-informed decisionmaking?

2023 NRC Risk Forum 6

All models are wrong, but some are useful Fortunately to be useful, a model does not have to be perfect.

George E. P. Box

University of Wisconsin

(1919-2013) 7 2023 NRC Risk Forum

Risk-Informed Regulatory Processes Description of the regulatory process Key Characteristics that could influence the rigor required to manage uncertainty.

Improve the design of a nuclear plant using PRA insights Use insights from PRAs to identify and eliminate potential risk outliers and improve the design.

Review acceptability of a permanent change to the licensing basis If approved, change will be permanent.

(e.g., change to design, accident analysis, technical specifications)

Review acceptability of a temporary change (weeks, months) to the If approved, change will be temporary.

licensing basis (e.g., changes to design, accident analysis, technical specifications)

Determine appropriate regulatory actions that must be taken based Regulator chooses prompt or longer-term actions that must be taken to on an emerging issue with limited data which requires timely ensure public health and safety based on the risk significance of the regulatory actions issue.

Determine whether the licensee may operate outside of approved If approved, the licensee will be allowed to operate for a few days or technical specifications for a few hours or days hours while outside of conditions imposed by technical specifications.

Determine the risk significance assigned to a performance The regulatory decision has the potential have a significant impact on deficiency that will be corrected. the follow-up resources required by both the regulator and licensee and affects licensees reputational risk.

Determine the magnitude of inspection resources that must be The regulatory decision has the potential have a significant impact on expended to follow-up an event or a degraded condition at a the follow-up resources required by both the regulator and licensee nuclear plant. and on enterprise risk.

8 2023 NRC Risk Forum

Managing Uncertainty: The Role of Safety Margins and Performance Monitoring Purpose & Relevant Guidance Remarks Improve the design a nuclear plant using PRA These documents provide guidance on how defense-in-depth, safety insights {AEA SSG-3, SRP 19.0 (ML#15089A068), RG margins, and safety analyses must be considered in designing NEI 18-04 (ML#19241A472)\RG 1.233 commercial nuclear plants and discusses, in some situations, how (ML#20091L698)} reliability of non-safety related risk significant systems must be monitored Review acceptability of a permanent change to the Section C.2.5 of RG 1.174 (~4 pages) discusses in detail how licensing basis (e.g., changes to design, procedures, uncertainties must be considered and documented by the licensee to technical specifications) {(RG 1.174 address all three components of epistemic uncertainties and refers to (ML#20164A034), RG 1.77 (ML#17317A256), NUREG-1855 Rev. 1 for additional guidance.

NUREG-1855 (ML#20164A034))}

Review acceptability of a permanent change to the Section C.2.5 of RG 1.174 (~4 pages) discusses in detail how licensing basis (e.g., changes to design, accident uncertainties must be considered and documented by the licensee to analysis, technical specifications) (RG 1.174, address all three components of epistemic uncertainties and refer to NUREG-1855) NUREG-1855 Rev. 1 for additional guidance.

2023 NRC Risk Forum 9

Managing Uncertainty: The Role of Safety Margins and Performance Monitoring Purpose & Relevant Guidance Remarks Determine appropriate regulatory actions that must LIC-504 requires consideration of facility-wide safety margin and be taken based on an emerging issue with limited defense-in-depth. Section 4.1 of LIC 504 provides guidance on treatment data which requires timely regulatory actions (LIC- of uncertainty. Since issues reviewed under LIC-504 are emerging, 504, ML#19253D401). there is usually limited information available to perform risk analysis.

Therefore, normally, there is a relatively high reliance on performance measurement strategies that can be used to re-visit regulatory decisions.

Determine whether the licensing may operate Regional senior reactor analysts and NRR risk analysts in collaborations outside of approved technical specifications for a with NRC subject matter experts consider defense-in-depth and safety few hours or days (Appendix F, Notices of margins and uncertainties during the review process.

Enforcement Discretion, to NRC ML#19193A023)

Determine the magnitude of inspection resources Regional senior reactor analysts and NRR risk analysts in collaborations that must be expended to follow-up an event or a with NRC subject matter experts consider defense-in-depth and safety degraded condition at a nuclear plant (IMC0309, margins and uncertainties during the review process.

ML#111801157)

Determines the risk significance that must be Section 0308-03-07 of IMC 308 discusses how uncertainties must be assigned to a performance deficiency that will be treated. Significant efforts are expended by senior reactor analysts and corrected. (IMC 0308 Attachment 3, ML#21271A120) NRR risk analysts to perform sensitivity analyses and uncertainty analyses if necessary to make informed judgements, and present results NRCs decisionmakers.

10 2023 NRC Risk Forum

Matt Forsbacka Director of Mission Assurance Standards and Capabilities Division Office of Safety and Mission Assurance National Aeronautics and Space Administration 10:40 AM Session Managing Uncertainty: The Role of Safter Margins and Performance Monitoring NRCs 2023 Risk Forum

Managing Uncertainty: The Role of Safety Margins and Performance Monitoring NRCs 2023 Fall Risk Forum Fernando Ferrante Program Manager, Risk & Safety Management EPRI September 12, 2023 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Conservatism, Margins, Uncertainties and other Creatures What do we mean when we say Conservatism?

Margins?

Uncertainty?

Defense-in-Depth?

Realism?

Best Estimate?, Reasonable?, Bias?

More importantly, in what context are we saying it?

What is the level of conservatism in your analysis?

Do we have appropriate/sufficient safety margin?

How were the uncertainties addressed in the model?

Was there an impact to the level of defense-in-depth?

These Words Matter The program was operating too close to too many margins Report on Columbia Shuttle Disaster margins need to be sufficiently large to address high level of uncertainty failure to provide sufficient means of protection at each level of DID site did not know how the accident would progress significant uncertainty Fukushima Daiichi Accident Report by the IAEA It's not just as conservative as would have been the norm in the old Boeing Former Boeing flight-controls engineer 3 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

A word about Safety Margins and Uncertainty (in general)

Need to be careful when mixing deterministic/probabilistic Margin Too often, Uncertainty is viewed as a quantification exercise 4 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Reframing Defense-in-Depth (DID)/Safety Margin (SM)

EPRI 3002020763 Consideration of DID and SM in RIDM: Practical Guidance Solution MUST include BOTH deterministic and probabilistic inputs Suggested approach is to include aspects from DESIGN DID PROGRAMMATIC DID SCENARIO DID Consider SM as DID input Localized SM impacts Globalized DID impacts Integrate risk in DID/SM 5 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Reframing Defense-in-Depth (DID)/Safety Margin (SM)

Redefined framework for DID and SM built upon recent efforts for Advanced Reactor Design Licensing Goal is to bring together DESIGN DID, PROGRAMMATIC DID, SCENARIO DID But also to place SM in a better context with better guidance PRA insights are one input into the overall framework Goal is to provide better understanding, justification 6 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

What is the Role of Risk in terms of DID/SM/Uncertainty?

Several deterministic inputs into DID are inputs for PRA Key scenarios considered for DID in licensing of NPPs are part of PRA Hence, PRA overlaps significantly with DID and SM PRA can explicitly consider what we know and dont know But role of PRA is not to quantify DID Using PRA to quantify DID would be a misuse of PRA But not using PRA insights would also misinform DID 7 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Reframing Fire Uncertainty - EPRI 3002018268 Simply saying there is uncertainty, we need to be conservative is not enough

- Where is the uncertainty coming from?

- How can one better understand it?

- Can something be done about it?

- Where does it matter (or doesnt)?

Guidance is detailed, but basic direction is:

- Use a structured approach Identify, review and screen, characterize, disposition, continue to monitor Relate to margin, DID, within RIDM Dont overfocus on quantification for the sake of adding more complexity 8 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Some additional thoughts, for further discussion/debate Risk assessment (like any other engineering tool) will always have conservatisms and simplifying assumptions - need to move on Best estimate, realism, bias, reasonable, if subjective, not useful Margins, conservatism, uncertainty all speak towards having sufficient confidence in the results, given what we know, regarding a decision:

- Do we understand factors that could change our decision given available information?

- If so, do we know what needs to be done in order to gain confidence in the decision?

Does design meet DECISION What is the level of safety margins? confidence in risk (i.e., confidence in design)

CONFIDENCE assessment results?

Is defense-in-depth Conservatisms, uncertainty maintained? Is there clear guidance on (etc.), has been addressed (e.g., if failures occur) the level of confidence with confidence needed?

Reframing Defense-in-Depth (DID)/Safety Margin (SM)

EPRI 3002020765 discusses reframed context in multiple areas:

Internal events Dry Cask Storage Internal fire Digital Instrumentation & Control Internal flooding Shutdown Risk Seismic Events Periodic Safety Reviews External Flooding Physical Security Multi-unit accidents Portable Equipment Spent Fuel Pool (SFP) Risk-Informed Applications Note that purpose is not how PRA can be used in all these areas, but how DID/SM can be better understood in RIDM (risk insights are leveraged, along with design/programmatic/scenario information) 13 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Role of Risk Insights in DID/SM for RIDM Purposes Account for DID/SM in different hazards Include consideration of varying DID with scenario-specific inputs into DID/SM Risk results can be used as an insight, along with design and programmatic Intent is NOT to measure DID but to assess effectiveness 15 www.epri.com © 2021 Electric Power Research Institute, Inc. All rights reserved.

Managing Uncertainty: The Role of Safety Margins and Performance Monitoring Jennifer Varnedoe, Lead Engineer Duke Energy

The many flavors of uncertainty PRA standard requires identification and characterization of model uncertainties Parameter Uncertainty State-of-Knowledge Initiating Event frequencies Combining different sources of data (generic experience + plant specific operating events)

Component failure probabilities Human error probabilities Calculated probability distributions for the results of the PRA Modeling Uncertainty Some component failure affects are unknown Identifying and quantifying operator errors is complex Common cause failures Completeness Uncertainty Some phenomena, failure mechanisms or other factors may be omitted due to negligible contribution 2

Defining Key Sources of Uncertainty and Assumptions Early 10 CFR 50.69 applications worked through RAIs to gain understanding of key RG 1.200 Revision 2 NUREG-1855 Rev 1 Related references (EPRI 1016737, 1013491, and 1026511)

Evaluation of generic hazard specific issues from EPRI reports Evaluation of Plant-Specific Assumptions and Uncertainties 3

Compensatory Measures Dispositioning key sources of uncertainties and assumptions for the application Compensatory Measures Application specific sensitivity for each categorization Application specific bounding sensitivity to show no impact to the decision (HSS/LSS) 50.69 sensitivity (e.g. HFEs to 5th and 95th) addresses the issue 50.69 sensitivity for reliability - addresses unknown impact of relaxing special treatments 4

Performance Monitoring 50.69 Periodic Review Validates reliability sensitivity remains appropriate Validates impacts from alternative treatment on reliability are appropriate 805 Performance Monitoring Programmatic - Fire Brigade Response time Equipment - Detection and Suppression System Performance Maintenance Rule Reliability and Unavailability Risk Informed Completion Times (TSTF-5050)

RG 1.177, Revision 1, and RG 1.174, Revision 3, establish the need for an implementation and monitoring program to ensure that extensions to TS CTs do not degrade operational safety over time and that no adverse degradation occurs due to unanticipated degradation or common cause mechanisms Intended to ensure that the impact of the proposed TS change continues to reflect the availability of SSCs impacted by the change Cumulative Risk calculated at least once per cycle (in reality it is calculated in real time as RICTs are used) to ensure change in risk is small 5

Decision-Making Goal of assessing PRA model uncertainty is to establish the level of confidence that can be placed in a decision or conclusion based on a quantitative assessment of risk.

The treatment of uncertainties can many times consist of recognition of the uncertainties and the acknowledgment that the decisions are made based on the realistic, best-estimate values from the probabilistic models coupled with margin designed into the acceptance guidelines and with the defense-in-depth deterministic inputs.

6

Changes to the Plant A wide variety of types of applications introduce a wide variety of uncertainties Timing of actions Differences in empirical vs academic approaches

- How long could it really take to fix a component?

Simulator runs vs procedure reviews; Engineering vs Operations Impacts of changes that are not directly represented in the PRA model 50.69 Opportunities - These do not always increase risk!

- Using different code requirements or materials

- Using different NDE techniques

- Differing maintenance strategies

- Buying industrial components Recall these applications introduce small changes with very small changes in overall plant risk 7

All the other controls The layers of programmatic oversight for component / system performance and changes to the plant are significant Design control (design, fabrication, testing)

Supply Chain control (documentation, receipt, etc.)

10 CFR 50.59 requirements Safety Analysis Testing and Maintenance Tech Spec driven surveillances Preventive Maintenance that prevents Run-to-Failure Code Driven Testing (In-Service Testing, In-Service Inspection)

License Renewal for Aging affects Raw Water Program Buried Pipe Program Flow Accelerated Corrosion And the list goes on and on 8

Conclusion Risk-informed, not risk-based, decision making Small uncertainties in tiny numbers have small impacts on risk margin The decision is integratednot based solely on a number An application may change one part of how we operate the plant, but we must consider all of the other requirements that remain unchanged.

Uncertainties addressed via reasonable compensatory actions and performance monitoring Coupled with a robust problem identification and resolution program Provide a reasonable way to utilize risk-insights to optimize resources.

9

10 Developing and Maintaining Risk-Informed Decision Making as Part of Your Organizational Culture 1:00 PM Session NRCs 2023 Risk Forum

Mirela Gavrilas, NRC Director of the Office of Nuclear Security and Incident Response

Cheryl Gayheart, Director of Risk Informed Engineering

& Safety Analysis at Southern Nuclear

Homayoon Dezfuli, NASA Technical Fellow for System Safety

Mark Steinbicker, Acting Director of the Office of Safety Standards, Flight Standards Service at FAA

NRC Facilitator: Brett Klukan, Regional Council, Region I-Office of the Regional Administrator

ANSI/ANS-30.3-2022, Light Water Reactor Risk-Informed, Performance-Based Design N. Prasad Kadambi (Risk-informed, Performance-based Principles and Policy Committee Chair) and Kent B. Welter (ANS-30.3 Working Group Chair)

NRC Risk Forum - September 12, 2023

Outline What is ANS-30.3?

How does ANS-30.3 address risk-informed decision-making?

How does ANS-30.3 address risk-informing licensing basis events?

What significance does ANS-30.3 have for ANS and other voluntary consensus standards?

What is ANS-30.3?

Establishes a minimum set of requirements for the designer to follow in order to appropriately combine deterministic, probabilistic, and performance-based methods during LWR design development.

A distinction is made between the safety design of a reactor product and the overall set of design activities that necessarily includes economic, environmental, and other considerations.

A further distinction is made between the processes associated with safety design and licensing of the product, but the standard does not cover all the licensing matters that may arise.

What is ANS 30.3? (Continued)

Requirement to establish a formal decision analysis process.

Without a formal RIPB decision analysis process, decisions made over the evolution of a design may become ambiguous, conflicting, or inefficient.

Requirement to employ requirements management for establishing requirements, evaluate options, identify acceptable options, and track integration of requirements into the reactor product.

Describes a decision-making structure within which requirements associated with the processes described meet specified acceptance criteria and thereby achieve the standards outcome objectives in a formal way.

A substantial part of the value of ANS-30.3 as a voluntary consensus standard is on account of this formal decision-making structure.

How does ANS-30.3 address risk-informed decision-making (RIDM)?

Although not explicitly called out in ANS-30.3, it is implicit to the particular topics offered in the standard that a framework exists within which design and licensing can proceed efficiently to accomplish overall objectives for the reactor product.

The framework needs to incorporate the necessary and sufficient needs of the design and licensing aspects for gaining regulatory approval.

The decision-making structures associated with design and licensing necessarily overlap to a considerable extent.

Framework as applied here is taken to mean one or more decision-making structures. A decision-making structure may be considered as a scaffolding that holds together various processes within a logical architecture that expresses relationships and dependencies among the various elements.

The RIDM aspect of ANS-30.3 is embedded and nested within the iterative and recursive processes provided in the standard.

How does ANS-30.3 address RIDM? (Continued)

ANS-30.3 takes its cue from the Nuclear Energy Innovation and Modernization Act (NEIMA) and the defined attributes of a technology-inclusive regulatory framework as evidenced by the following:

Technology-inclusive regulatory frameworkThe term technology-inclusive regulatory framework means a regulatory framework developed using methods of evaluation that are flexible and practicable for application to a variety of reactor technologies, including, where appropriate, the use of risk-informed and performance-based techniques and other tools and methods.

NEIMA focuses on NRC and regulation, but ANS-30.3 focuses on the LWR design process.

How does ANS-30.3 address risk-informing LBEs?

The starting point for the user of ANS-30.3 is expected to be a well-defined set of outcome objectives which necessarily need to be supported by technically defensible LBEs.

These outcome objectives are accomplished by using this standard taking into account the needs of reactor safety and licensing of the reactor.

The outcome objectives, which would be explicitly called out in the framework discussed above, provide the context for specific performance objectives associated with a specific LWR design.

How does ANS-30.3 address risk-informing LBEs? (Contd)

A designer using ANS-30.3 is expected to use accepted engineering practices to specify the limiting conditions associated with scenarios that impose design basis challenges on affected systems.

Such scenarios are generally defined by plant responses to postulated initiating events including coincident equipment failures and malfunctions that could challenge plant safety.

In this context, requirements management, as part of a set of systems engineering best-practices, involves identifying and specifying such events with a formality that enables discussions regarding LBEs in relation to regulatory needs.

ANS-30.3 provides for a range of options that a designer may invoke given current U.S. regulatory practices in which combinations occur of conventional, risk-informed, and performance-based requirements.

Specified under the definitions that the Commission provided in SRM-SECY-98-144.

Given that the development of ANS-30.3 was motivated and significantly resourced by the successful deployment of an LWR SMR, the applicability is specifically focused on LWR technology.

A key outcome objective for ANS-30.3 is achievement of a successful design and not just success at licensing.

Significance of ANS-30.3 for ANS and other voluntary consensus standards?

ANS-30.3 is a transitional, voluntary consensus standard that bridges the gap between design practices that have provided the solid basis for demonstrating the viability of LWRs as a well-known technology.

ANS views ANS-30.1*, 30.2, and 30.3 as being a suite of interrelated standards which can help make progress on efforts such as the North American Advanced Reactor Roadmap.

Additionally, ANS sees opportunities for working with ASME on standards such asSection III, Division 5, and Section XI, Division 2.

ANS-30.1 is now being prepared as an ANS guidance standard, not as an ANSI consensus standard.

Enabling the Use of Industrys Licensing Modernization Project (LMP) Methodology Marty Stutzke Senior Technical Advisor for PRA Division of Advanced Reactors and Non-Power Production and Utilization Facilities Office of Nuclear Reactor Regulation NRC Fall Risk Forum September 12, 2023 1

Industrys Licensing Modernization Project (LMP)

The idea: Use the PRA up-front to help define the licensing basis, rather than after-the-fact to confirm the acceptability of a design that has been developed using the traditional, deterministic approach.

Origins

Methodology and Endorsement

Original concepts developed in late 1980s for the

NEI 18-04, Rev. 1, August 2019 (Ref. 4) modular high-temperature gas-cooled reactor

SECY-19-0117, December 2, 2019 (Ref. 5)

(MHTGR) (Ref. 1)

SRM-SECY-19-0117, May 26, 2020 (Ref. 6)

NUREG-1860, December 2007 (Ref. 2)

RG 1.233, June 2020 (Ref. 7)

Next Generation Nuclear Plant (NGNP) Licensing Strategy, 2006-2013 (Ref. 3)

Applicability

Industry initiative (beginning in 2017):

Non-light-water reactors

Lead by Southern Company

Part 50 construction permit (CP) and operating license (OL) applications

Cost-shared with Department of Energy (DOE)

Part 52 standard design certification (DC), standard

Coordinated with Nuclear Energy Institute (NEI) design approval (SDA), manufacturing license (ML),

Scope and combined license (COL) applications

Licensing basis event (LBE) selection

System, structure, and component (SSC) safety classification

Defense-in-depth evaluation 2

LMP Methodology: Licensing Basis Event Selection more risk significant Frequency-Consequence Target (not a regulatory acceptance criterion)

LBEs selected AOO DBAs selected by an Integrated Decision-Making Process according to event Panel (IDPP) considering:

sequence frequency

AOOs with 5th percentile frequency < 1E-2/plant-year DBE

All DBEs (not initiating event frequency)

BDBEs with 95th percentile frequency > 1E-4/plant-year

BDBEs with high consequences (> 25 rem)

BDBE LBEs are identified by plotting PRA results for each event sequence family on this figure:

Frequency

Mean values, and Use of absolute (not relative)

Uncertainty range (5th and risk significance to identify 95th percentiles) risk-significant LBEs less risk significant Consequence 3

LMP Implementation Guidance Industrys Technology-Inclusive Content of Application (TICAP): NEI 21-07, Rev. 1 ARCAP Roadmap: DANU-ISG-001

1. General Plant Information, Site Additional SAR Content Description, and Overview Outside the Scope of TICAP

2. Methodologies and Analyses and Site

2. Site Information: DANU-ISG-002 Information

9. Control of Routine Plant Radioactive Effluents, Plant

3. Licensing Basis Event (LBE) Analysis Contamination, and Solid Waste: DANU-ISG-2022

4. Integrated Evaluations

10. Control of Occupational Doses: DANU-ISG-2022-004

5. Safety Functions, Design Criteria, and SSC

11. Organization and Human-System Considerations: DANU-Clean sheet Safety Classification ISG-2022-005 approach! 6. Safety Related SSC Criteria and

12. Post-construction Inspection, Testing and Analysis Capabilities Programs: DANU-ISG-2022-006

7. Non-safety related with special treatment SSC Criteria and Capabilities

8. Plant Programs Additional ARCAP Guidance

Risk-informed Inservice Inspection and Inservice Testing:

Applies to: DANU-ISG-007

Non-LWRs

Risk-informed Technical Specifications: DANU-ISG-008

Part 50 CP and OL applications

Fire Protection for Operations: DANU-ISG-009

Part 52 DC and COL applications NRCs Advanced Reactor Content of Application (ARCAP) Project NRCs TICAP Endorsement DG-1404, Rev. 1 (proposed new RG 1.253) Additional contents of application may exist only in the SAR, may be in a separate document incorporated into the SAR, or may exist only outside the SAR.

4

Acronyms and Initialisms AOO anticipated operational occurrence ARCAP Advanced Reactor Content of Application BDBE beyond design basis event DBA design basis accident DBE design basis event DOE Department of Energy LBE licensing basis event LMP Licensing Modernization Project MHTGR modular high temperature gas-cooled reactor NEI Nuclear Energy Institute Non-LWR non-light-water reactor PRA probabilistic risk assessment SSC systems, structures, and components TICAP Technology-Inclusive Content of Application 5

References

1. Nuclear Regulatory Commission (NRC), Draft Preapplication Safety Evaluation Report for the Modular High-Temperature Gas-Cooled Reactor, NUREG-1338, March 1989, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML05278049)

2. NRC, NUREG-1860, Feasibility Study for a Risk-Informed and Performance-Based Regulatory Structure for Future Plant Licensing, December 2007.

3. Idaho National Laboratory, INL/EXT-10-19521,Next Generation Nuclear Plant Licensing Basis Event Selection White Paper, September 2010. (ML102630246)

4. Nuclear Energy Institute (NEI), NEI 18-04, Modernization of Technical Requirements for Licensing of Advanced Non-Light Water Reactors Risk-Informed Performance-Based Technology Inclusive Guidance for Non-Light Water Reactor Licensing Basis Development, August 2019.

5. NRC, SECY-19-0117, Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors, December 2, 2019.

6. NRC, SRM-SECY-19-0117, Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors, May 26, 2020.

7. NRC, RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors, June 2020.

6

Risk-Informing Licensing Basis Events for Operating and New Reactors NRC Fall Risk Forum September 12, 2023 Mihaela Biro Division of Risk Assessment Office of Nuclear Reactor Regulation 1

Licensing Basis Events under Parts 50 and 52

Design basis events (§ 50.2 definition of safety-related SSCs; § 50.49 specifies four subcategories):

o Anticipated operational occurrences (AOOs) o Design basis accidents (i.e., postulated accidents) o External events o Natural phenomena

Non-DBA (§ 50.2, definition of safe shutdown, for Station Blackout (SBO) only)

Beyond design basis events (BDBEs)

Anticipated Transients Without Scram (ATWS)

Station Blackout 2 2

Operating Fleet Risk-Informed Journey Meet Maintain current defense Operating Reactor regulations in depth Fleet Benefits from RG Monitor 1.174 Maintain Deterministic safety perform margins Design ance Small risk Supplemented increases with Risk Informed Approaches Voluntary Policy Statements Risk Informed Programs 10 CFR 50 and Risk Studies Regulatory NFPA 805 Risk Informed Note: The proposed Plants designed WASH-1400, 1975 Guides Performance Based Fire revision to 10 CFR 50 and licensed under Protection aligns PRA requirements Safety Goal Policy RG 1.174 Risk-informed 10 CFR 50 are not for 10 CFR 50 with PRA Statement, 1986 Changes Risk Informed Technical requirements for required to PRA Policy Statement, Specifications (TSTF-505 & 425) 10 CFR 52 perform PRAs. RG 1.200 PRA Technical 1985 50.69 Risk-Informed (SECY 22-0052)

Acceptability Categorization and Treatment Inservice Inspection

10 CFR Part 52 Motivation for the Required Use of PRA in Review of Reactor Designs and Licensing

+ WASH-1400, "Reactor Safety Study" (1975)

+ Three Mile Island Accident (1979)

+ Severe Reactor Accidents Regarding Future Designs and Existing Plants (50 FR 32138; August 8, 1985)

+ Safety Goals for the Operation of Nuclear Power Plants (51 FR 28044; August 4, 1986, as corrected and republished at 51 FR 30028; August 21, 1986)

+ Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities (60 FR 42622; August 16, 1995)

+ Regulation of Advanced Nuclear Power Plants (59 FR 35461; July 12, 1994)

+ The Policy Statement on the Regulation of Advanced Reactors (73 FR 60612; October 14, 2008)

Plant designs approved (10 CFR 52.47(a)(27)) and licensed (10 CFR 52.47(a)(46)) under part 52 are required to perform PRAs for all operating modes in areas for which NRC-endorsed consensus standards exist at the time of the application for the construction permit or combined license (10 CFR 50.71(h) references to 10 CFR 52).

During design and certification stages, PRA is used to identify/address potential design features and operational vulnerabilities and to reduce/eliminate the significant risk contributors.

4 4

Risk-Informed Licensing for New Nuclear Applications:

NRC Fall Risk Forum September 12th, 2023 Ben Holtzman Director, New Nuclear

Advanced Nuclear Technologies*

Water Cooled Gas Cooled Metal Molten Salt 1000 MWe AP1000 Elysium NuScale (6) Westinghouse BWRX-300 Natrium Thorcon PRISM SMR-160 KP-FHR Small 100 MWe Size (MWe)

Adv. Reactor Modular Xe-100 Concepts Reactor (SMR)

Flibe Energy Oklo Mini 10 MWe Micro Reactor NuScale Micro BWXT BANR Westinghouse eVinci 1 MWe Xe-Mobile Oklo Aurora Advanced (Non-Light Water) Reactors

- partial list of technologies

Triangulating New Nuclear Demand - Grid Only 400 GW SURVEY MODELING Number of 300MWe SMRs 1,200 SMRs Installed New Capacity 336 GW Nominal 300 GW 900 SMRs 219 GW Nominal 200 GW 163 GW Nominal 600 SMRs 133 GW High Cost 100 GW 300 SMRs 92 GW Nominal 60 GW Constrained 57 GW High Cost NEI NEI Survey VCE INL/DOE Member Scaled to Model Model Survey All of U.S. ©2020 Nuclear Energy Institute 3

Risk-Informed Regulatory Efforts Problem: existing regulations and guidance designed for large light water reactors Solution: risk-inform and modernize the regulatory framework such that it can be applied to any technology

Developing adaptations of light water reactor (LWR) based regulations for advanced non-LWRs

Establishing risk-informed performance-based NRC license application content and review criteria guidance

Establishing risk-informed regulatory approaches for key parts of the plant operations phase INL

Questions?

Reactor Accident Analysis Modernization (RAAM)

Christopher Van Wert Senior Technical Advisor for Reactor Fuel, Division of Safety Systems, NRR 0

What is RAAM?

Risk Information RAAM Accident Analysis Operating Experience Working Modernization Group Opportunities Implementation Cost/Benefit 1

RAAM Tasks Development of Recommendations Report to Management Identification of Considerations and Development of Recommendations Identification of Scope and Development of Charter 2

3 NRCs 2023 Fall Risk Forum September 12, 2023 NRCs Approach to Risk-Inform the Policy for Addressing Digital Instrumentation and Controls Common-Cause Failures Samir Darbali Long-Term Operations and Modernization Branch Division of Engineering and External Hazards Office of Nuclear Reactor Regulation

NRCs Approach to Risk-Informing the CCF Policy

Nuclear power plants continue to install digital I&C (DI&C) technology

increased reliability and safety benefits

can introduce new types of potential systematic, nonrandom, concurrent failures of redundant elements (i.e., common-cause failures (CCFs))

NRCs policy for addressing DI&C CCFs goes back 30 years

first established in SRM-SECY-93-087

has been effectively used to license DI&C systems in nuclear power plants

requires a diverse means of actuation if a CCF could disable a safety function

The NRC staff recognized the opportunity to further risk-inform the policy to address DI&C CCFs for high safety significance systems 2

NRCs Approach to Risk-Informing the CCF Policy

In August 2022, the staff issued SECY-22-0076 - Expansion of current policy on potential common-cause failures in digital instrumentation and control systems

requests that the Commission expand the DI&C CCF policy to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth

this may include not providing any diverse automatic actuation of safety functions

The staffs goals:

the current policy will continue to remain a valid option for licensees and applicants

the acceptance criteria for risk-informed approaches for DI&C CCFs will be consistent with established NRC practices and guidance for risk-informed decision-making

provide more flexibility in addressing the DI&C CCF challenge while continuing to ensure safety 3

NRCs Approach to Risk-Informing the CCF Policy Expanded Policy to Address DI&C CCFs Deterministic Path Risk-Informed Path The risk-informed path The deterministic path allows for the use of requires the use of risk-informed Point 1 best-estimate methods Perform a D3 Assessment approaches for for performing the performing the D3 defense-in-depth and assessment, and the Point 2 Point 2 diversity (D3) Best-Estimate Methods Risk-Informed Approach use of design assessment, and the techniques or mitigation use of diverse means Point 3 measures other than Point 3 to address a potential Diverse Means Design Techniques or diversity to address a Mitigation Measures DI&C CCF potential DI&C CCF Point 4 Independent and Diverse Displays and Manual Controls 4

NRCs Approach to Risk-Informing the CCF Policy

In May 2023, the Commission approved in SRM-SECY-22-0076 the staffs recommendation to expand the existing policy

The Commission directed the staff to:

clarify in the implementing guidance that the new policy is independent of the licensing pathway selected by reactor licensees and applicants

complete the final implementing guidance within a year from the date of the SRM

To meet the Commission direction, the staff evaluated what updates were necessary to existing guidance for addressing DI&C CCFs

guidance for operating light-water reactor (LWR) DI&C licensing reviews

guidance for non-LWR DI&C licensing reviews 5

Guidance for LWR Digital I&C Licensing Reviews

The existing guidance is found in Standard Review Plan (SRP) Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-cause Failure Due to Latent Design Defects in Digital Safety Systems, Revision 8

BTP 7-19, Revision 8 explicitly addresses the CCF policy in SRM-SECY-93-087 (i.e., use of only best-estimate methods and requirement of diverse means)

The staff is currently working on a draft Revision 9 to BTP 7-19

allows the staff to review risk-informed applications

may result in use of design techniques or mitigation measures other than diversity

focuses the edits on the expanded policy 6

Risk-Informed D3 Assessment Process Address the CCF using a Address the CCF risk-informed approach (BTP 7-19, Section 3.4) deterministically Determine consistency with NRC policy and guidance on RIDM (Section B.3.4.1)

Model the CCF in the PRA Identify each (Section B.3.4.2) postulated CCF Determine the risk significance of the CCF (Section B.3.4.3)

Determine appropriate means to address the CCF (Section B.3.4.4)

Justify alternative approaches 7

Guidance for non-LWR DI&C Licensing Reviews

RG 1.233 includes specific acceptance criteria on risk significance, frequency-consequence targets, and defense-in-depth as part of the systematic risk-informed and performance-based approach

NRC staff review of DI&C design is performed in a risk-informed and performance-based manner using the Design Review Guide (DRG)

RG 1.233 and the DRG can be used to address potential CCFs in a risk-informed and performance-based manner that meets the overall intent of SRM-SECY-22-0076

The staff will continue to engage the stakeholders through pre-application engagement and ongoing advanced reactor I&C workshops 8

Guidance for non-LWR DI&C Licensing Reviews

The staff will update RG 1.233 and the DRG in the future, as appropriate, to reflect the lessons learned from the staff and industry stakeholders

based on the use of these guidance documents during the initial licensing reviews of the near-term applications

input received from the stakeholders during the ongoing advanced reactor I&C public workshops

These updates to RG 1.233 and the DRG will also reflect SRM-SECY-22-0076 9

Next Steps

The staff is planning to issue draft BTP 7-19, Revision 9 for public comment in October 2023

The public comment period is expected to end in November 2023

The staff is planning to issue the final BTP 7-19, Revision 9 in May 2024 10

THANK YOU!

Acronyms BTP Branch Technical Position LMP Licensing Modernization Project CCF Common Cause Failure LWR Light-Water Reactor CDF Core Damage Frequency NRC Nuclear Regulatory Commission D3 Defense-in-Depth and Diversity PRA Probabilistic Risk Assessment DAS Diverse Actuation System RG Regulatory Guide DI&C Digital Instrumentation and Control RIDM Risk-Informed Decision-Making DRG Design Review Guide RPS Reactor Protection System ESFAS Engineered Safety Features Actuation System SECY Commission Paper I&C Instrumentation and control SRM Staff Requirements Memorandum LERF Large Early Release Frequency SRP Standard Review Plan 12

References

SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, April 1993 (ML003708056)

SRM-SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, July 1993 (ML18145A018)

SECY-18-0090, Plan for Addressing Common Cause Failure in Digital Instrumentation and Controls, September 2018 (ML18179A066)

BTP 7-19, Revision 8, Review of NUREG-0800, Branch Technical Position 7-19, Guidance for Evaluation of Defense in Depth and Diversity to Address Common Cause Failure Due to Latent Design Defects in Digital Safety Systems, Revision 8, December 2020 (ML20339A647)

SECY-22-0076, Expansion of Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems, August 2022 (ML22193A290)

Supplement to SECY-22-0076, Expansion of Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems, January 2023 (ML22357A037)

SRM-SECY-22-0076, Expansion of Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems, May 2023 (ML23145A181 and ML23145A182)

RG 1.200, Revision 3, Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities, December 2020 (ML20238B871)

RG 1.174, Revision 3, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, January 2018 (ML17317A256)

RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors, June 2020 (ML20091L698)

Design Review Guide (DRG): Instrumentation And Controls for Non-light-water Reactor (Non-LWR) Reviews, February 2021 (ML21011A140) 13

EPRI Digital Systems Engineering Framework A Modern Approach Matt Gibson-Technical Executive EPRI NRCs 2023 Risk Forum- Digital CCF Panel NRC Headquarter North Bethesda , Maryland September 12th , 2023 www.epri.com © 2023 Electric Power Research Institute, Inc. All rights reserved.

Looking at the Whole Elephant Systematic Failures Human Interactions Automation Cyber Security Hardware Reliability Functional Reliability How to address design requirements, risks, and hazards from various sources in one integrated process 2 © 2023 Electric Power Research Institute, Inc. All rights reserved.

Framework Highlights Systems Engineering Based- Single Process Addresses all elements of new and modified I&C designs Usable for both new reactor and legacy plant upgrades Risk-Informs: Digital Reliability, Cyber Security, Human Factors Achieves requirement completeness via hazards analysis, iteration and validation. Systems Theoretic Process Analysis ( STPA) is a key tool Fully addresses technical common cause failure (CCF) concerns Provides feedback to the PRA/PSA process to close the loop on risk determinations Developed over 8 ears using blind studies, comparative analysis, usability exercises, and insights from other industries.

RRT & UCA DEG -Synthesizes the Systems Engineering framework HAZCADS DRAM from IEC-15288. Includes all relevant Lifecycle topics.

IEC-61511 IEC-61508 Takes strategic input from the Lifecycle guide control methods HAZCADS -Uses STPA/FTA to identify hazards and associated UCA . FTA and Risk Matrices develop a Risk Reduction Target (RRT) which informs the downstream TAM IEC-62443 processes. Implements a PHA/LOPA from IEC-61511.

Strategies Lifecycle DRAM - Identifies Hardware and Software reliability DEG Guide vulnerabilities and develops loss scenarios. Develops and Scores protect, detect , and respond/recover IEC-61511 HFAM control methods using the RRT IEC-15288 Design Elements TAM -Identifies cyber security vulnerability classes.

IEC-15289 Develops Exploit Sequences. Develops and Scores IEC-12207 protect, detect , and respond/ recover control IEC-62443 control methods EMCAM methods using the RRT Design Description HFAM - Develops human actions and interfaces.

Design Elements Identifies and scores Human Reliability using the RRT Requirements EMCAM - Identifies EMC vulnerability classes.

Configuration Network Management Engineering Testing Guide Develops and scores protect, detect , and respond/

Design Guide Guide Guide recover control methods using the RRT RRT= Risk Reduction Target STPA=System Theoretic Process Analysis LOPA= Layers of Protection Analysis UCA= Unsafe Control Action FTA= Fault Tree Analysis EMC= Electromagnetic Compatibility 4 © 2023 Electric Power Research Institute, Inc. All rights reserved.

Digital Reliability Model Reliability Axioms Facility Level Reliability Common Cause Failures must first have a failure or systematic error (including emergent behavior)

System Level Reliability Achieved Systematic and Random Reliability is inversely proportional to the likelihood of a CCF Component Level Reliability Reliability is best achieved via a cost, likelihood, and consequence equilibrium Net Functional Reliability is the prime objective ( at the system/facility level)

Random Systematic Failure Error Focused Models can provide actionable reliability Insights ( FTA, STPA, Relationship Sets)

Use of Models for Engineering within the Framework The Digital Engineering Framework Currently leverages seven distinct focused models:

Model Question to be Answered Systems Engineering What are the key systems elements, the functional allocation of those elements, and what is the reliability of those elements? (DEG)

Fault Trees What are the Risk Sensitivities within a Dependency Scope? (HAZCADS,PRA)

STPA What are the Systematic Hazards and Pathways? (HAZCADS, DRAM, TAM, HFAM,EMCAM)

Relationship sets What are the system element dependencies and degree of independence across multiple relationships? (DEG)

HRA What is the reliability of Human Actions? (HFAM)

Exploit Sequences What are the exploit objectives, pathways to those objectives, and the method of exploit? (TAM)

Reliability Analysis What are the failure frequencies/errors that impact Probability of Failure on Demand-PFD?

(DRAM)

EPRI continues to leverage or develop additional models as the questions become better defined.

Performance based design requires the design questions to be defined and bounded.

Safety Integrity Level (SIL) efficacy for Nuclear Power EPRI research on field failure data from SIL certified logic solvers revealed no platform level Software Common Cause Failures (SCCF) after over 2 billion combined hours of operation for IEC-61508 SIL certified PLCs (3002011817)

Indicates that using existing SIL certifications, at the platform level, has a high efficacy for use as surrogates for some existing design and review processes.

Leveraged for NEI 17-06/RG-1.250 and NEI 20-07 in US Correlates well with EPRI review of global OE (Korea, France, China, etc.) that indicates:

- Safety related software is no more problematic than other CCF contributors when subjected to deliberate safety and reliability design processes. Digital Reliability Layers

Reliability Layers Functional Reliability, which includes software, hardware, and human elements should be segmented by layers:

platform, integration, and application.

Then Considered Separately Less Mature (most uncertainty)

Applications Functional Reliability Baseline Integration Platform More Mature ( least uncertainty)

Relationship Sets Relationship sets are an architecture view and contain all system elements scoped within the new design or design change.

There four of system elements Functional Hardware Software Programmatic Human Spatial Equipment Under Control There are five relationship set types:

Functional Hardware Element Connectivity Software Element Spatial Acquisition Human Element Programmatic Equipment Under Control Acquisition Connectivity Relationship Sets Models the Relationship/Dependencies Between System Elements 9 © 2023 Electric Power Research Institute, Inc. All rights reserved.

HAZCADS Basis: Hazard Analysis via STPA IEC Std. 61508-1 requires a determination of hazards of the Equipment Under Control (EUC) and the EUC control system, and consideration shall be given to the elimination or reduction of the hazards.

System Hazards are Challenges to Critical (Safety) Functions Risk and Reliability analysis extend the STPA Process For the determination of hazards and their causes, HAZCADS and DRAM/TAM/etc. apply the four-part Systems Theoretic Process Analysis (STPA). Insights from this diagnostic process are pipelined back to the DEG for aggregation and requirements updates.

STPA Step One STPA Step Two STPA Step Three STPA Step Four +

Identify Identify Identify Identify Stakeholder Losses System Hazards Unsafe Control Actions Loss Scenarios + Reliability Insights These steps are in HAZCADS DRAM/TAM/HFAM/EMCAM 10 © 2023 Electric Power Research Institute, Inc. All rights reserved.

Systems and STPA Notional 1oo2 RPS Concept STPA Control Structure Indicator A1 Indicator A2 HSI A HS A

Digital System Operator Under Analysis Sensor A1 PLC A Sensor DO DO A2 RPS UPS RTB M/G 1 UV 1 X UPS Manual Automatic 2 UV RTB 2 Trip Trip RCS DSS Power Supply DSS Conditions X

Process X Variables CRDM CRD Breakers DSS Power Reactor Y

Supply Deenergize Y

Deenergize Power UPS RTB RCS 3 UV 3 Control Rod Pressure Single Rod Power Supplies Acronyms UPS RTB M/G RPS - Reactor Protective System 4 UV 4 Y RCS - Reactor Coolant System Sensor Acronyms DSS - Diverse Scram System B1 DSS - Diverse Scram System CRD Motors DO DO RTB - Reactor Trip Breaker M/G - Motor Generator CRD - Control Rod Drive Sensor PLC B HS - Handswitch B2 PLC - Programmable Logic Controller UPS - Uninterruptible Power Supply UV - Undervoltage Trip Indicator B1 Indicator B2 HSI B HS B

Workflow- Conceptual Phase Diagnostic Process to Identify Digital Hazards & Risk Sensitivities and Refine Requirements Models System and Plant level Hazards and Identifies Hardware, Software, and Human Reliability criticality (Risk Sensitivity) Vulnerabilities and Mitigations associated with Hazards HAZCADS DRAM STPA/PRA IEC-61508/61511 List of Hazards and Control Methods and Risk Sensitivity (RRT) Revised Requirements Iterates until requirements are complete Conceptual Design and hazards addressed Interface Analysis TAM/HFAM/

Promotes Reliability Growth and a Function Analysis/Allocation EMCAM Reduction in Uncertainty Relationship Sets (Architecture Model)

Integrating Design Insights into the PRA/LMP/PSA Research in progress

- Collecting/developing examples and use cases to test proposed approach

- Re-look at the data, existing guidance and lessons from HAZCADS

- Ensure consistency with RIDM framework

- Ensure plant reflects as built, as operated, including change management Incorporation of the design into the PRA should

- Be consistent in insights from the design process

- Be consistent with overall PRA modelling approach

Integrating Design Insights into the PRA/LMP/PSA (cont.)

Digital systems should be modeled at a reasonable level of detail adequate to support decision making

- Over decomposition introduces unnecessary modeling complexity

- Modeling level should match boundary conditions of collected data

- Software should not be separated from hardware (all software is implemented through a hardware system) Functional Reliability Fundamental Assumption: Control Methods implemented through the design process reduces the risk to acceptably low levels of risk

- Both for functional reliability and common cause failures

- Qualitative analysis reflects the best state of knowledge (best-estimate); this is key for consistency between design and assessment phases 14 © 2023 Electric Power Research Institute, Inc. All rights reserved.

Capturing Consequence of Digital Failures* in the PRA The cause-effect relationship of OR potential unsafe control actions (UCAs) that survived to final design should be AND retained in the PRA or documentation:

- UCAs with non-unique consequences should be mapped to existing basic events for Element 1 Element 2 CCF of 1&2 documentation

- UCAs with unique consequences can be included explicitly in the model Cause and Effect Relationship Logic reassessed as the PRA evolves to reflect the as-built, as-operated plant

Can be hardware, software or human error; systematic or random.

EPRIs Digital Framework Elements EPRIs high-quality engineering process uses the same modern methods and international standards used in other safety related industries to reduce implementation cost Use the same proven design and supply chain structures that non-Utilize Industry nuclear safety related industries use (IEC-61508/61511/62443).

Standards This leverages the economies-of-scale achieved in other Capable Workforce industries.

Use of a modern, high performance, single engineering process Use of Systems that leverages systems engineering in the transition to team-Engineering based engineering for conception, design, and implementation(IEC-15288,IEC-15289, IEC-12207,STPA).

Risk Informed Making effective engineering decisions via hazards and risk analysis to integrate all digital engineering topics into a single Engineering engineering process. (STPA,FTA)

Supplemental Funded:

Digital Systems Engineering User Group - 3002022140 Fall Meeting 2023 A forum for information sharing of digital specific material September 19th & 20th Current Members to Date Operational Experience Common Design Packages Framatome Constellation Energy Lessons Learned Cyber Security Evaluations Dominion Energy South Carolina, Inc.

Dominion Energy, Inc.

Interactive community Member Feedback Duke Energy Corp.

Entergy Services, Inc.

Evergy Services (Wolf Creek)

Current Activities: Callaway (Ameren)

Palo Verde Sargent & Lundy Engineers Harmonization of the DEG,HAZCADS,DRAM,TAM,EMCAM,HFAM, and Digital Lifecycle Southern Company Strategy Guide. Improves coordination between products and updates with current Tennessee Valley Authority (TVA)

Vistra Corp. (Comanche Peak)

OE. Westinghouse Electric Company, LLC Xcel Energy Roll out of the member sharing website. PSEG (Salem/Hope Creek)

South Texas Project (STP)

Nuclear Digital Project Experience Baseline 2022 published. Updated annually, NPPD (Cooper) members of this supplemental can download EPRI Technical Report 3002023748. Enercon Services Curtiss Wright This report provides a baseline of installed digital equipment across members. Bruce Power 18 © 2023 Electric Power Research Institute, Inc. All rights reserved.

US DEG Implementation Procedure IP-ENG-001 (Standard Design Process)- Main IP-ENG-001 Procedure (February Process Phase 2017)

Attachments NISP-EN-04 is the Digital Specific Addendum to the SDP under the same mandatory Detailed Efficiency Bulletin (EB 17-06) Considerations NISP-EN-04 (Spring 2018)

Same process phases as IP-ENG-001, tailored with DEG-specific supplemental information for digital Primary Methods implementations. Including Cyber Security. DEG (Fall 2018)

Provides the user with what to do DEG provides detailed guidance using a modern engineering process with digital design considerations, information item guidance, and division of responsibility methods to improve skill of the craft, Provides the user with How to Do Guidance Digital Training/Tech Transfer completes the framework 19 © 2023 Electric Power Research Institute, Inc. All rights reserved.

Systems Engineering - Discovery, Iterations & Refinements Systems Thinking is the key skill required to use Systems Engineering It is multidisciplinary and requires teamwork Requires ability to see system relationships in a holistic manner Ability to communicate across disciplines Ability to understand complexity 20 © 2023 Electric Power Research Institute, Inc. All rights reserved.

Risk-Informed Forum Alan Campbell, PE September 12, 2023

Common Cause Failure Policy Previous policy requires a Diversity and Defense-in-Depth (D3) analysis:

For each UFSAR Chapter 15 events, postulate a complete failure of RPS/ESFAS systems and analyze coping mechanisms

Any loss of a safety function will require a diverse means of achieving that safety function Impact of new, expanded policy:

Specifies defense-in-depth of the facility, not the proposed system

Software Reliability Limitations Due to challenges modeling Digital I&C software reliability in PRA:

The absolute risk impact of software reliability cannot be quantitatively measured without substantial uncertainties

The effectiveness of applied design techniques cannot be quantitively measured without substantial uncertainties

There are no means of comparing design techniques to using diversity without substantial uncertainties

How Can We Use Risk Insights?

NEI 20-07 utilizes Fault Tree Analysis to assess the risk sensitivity of each loss scenario The result of the sensitivity analysis is mapped to the CDF/LERF regions and used in a graded approach to apply control measures

NEI 20-07, Rev. E Leverages EPRI Digital Engineering Guideline, HAZCADS, and DRAM processes to demonstrate that CCF has been adequately addressed HAZCADS:

Hazards analysis methodology that identifies stakeholder losses, system hazards and unsafe control actions

Provides risk insights based on PRA sensitivity analysis DRAM:

Reliability assessment that identifies loss scenarios and applies control methods

NEI 20-07, Rev. E Why are we using HAZCADS and DRAM?

DEG is adopted into the Standardized Design Process via NISP-EN-04.

Efficacy studies demonstrate that underlying methodologies are compatible (i.e., limit weaknesses)

Technology agnostic

Accounts for the defense-in-depth of the facility

Improves overall reliability of the system by addressing credible and likely sources of systematic failures (including poor requirements, latent design errors, etc.)

2023 NRC Fall Risk Forum Han Bao LWRS Program Research on Risk Idaho National Laboratory Assessment of Safety-related Digital 09/12/2023 I&C Systems

Light Water Reactor Sustainability (LWRS) Program LWRS Goal Enhance the safe, efficient, and economical performance of our nation's nuclear fleet and extend the operating lifetimes of this reliable source of electricity Plant Modernization Enable plant efficiency improvements through a strategy for long-term modernization Flexible Plant Enable diversification and increase revenue of light water reactors by extracting electrical and thermal Operation &

Generation energy to produce non-electrical products Risk Informed Develop risk assessment methods and tools to optimize the System Analysis safety, reliability, and economics of plants Understand and predict long-term behavior of materials in nuclear Materials Research power plants Physical Security Develop technologies and the technical bases to optimize physical security postures 2

Goals of LWRS-RISA Efforts on DI&C Risk Assessment

Offer a capability of design architecture evaluation of various DI&C systems to support system design decisions on diversity and redundancy applications;

Develop approaches to address CCFs and estimate corresponding failure probabilities for DI&C technologies;

Support existing risk-informed DI&C design guides by providing quantitative risk-informed evidence.

3

Value Proposition

The framework is envisioned and developed as an integrated risk-informed tool to support vendors and utilities with optimization of design solutions from economical perspectives GIVEN the constrain of meeting risk-informed safety requirements.

Quantitative Risk Analysis

Software reliability metrics DI&C system reliability Plant safety analysis

Risk-informed Design

Management strategy of CCFs

All elimination vs. selective elimination

Level of redundancy

4 divisions vs. 2 divisions

4 vs. 2 local logic processors per division

Level of diversity

Design: Analog? Digital? A combination of both?

Software: Design requirements, programming language, etc.

Hardware Equipment: Manufacturers, designs, architectures, etc.

A Four-Division Digital Reactor Trip System 4

LWRS-developed DI&C Risk Assessment Framework LWRS-developed Digital I&C Risk Assessment Failure Modes Designs of Digital I&C Framework Systems and Plants Hazard Analysis Reliability Analysis Consequence Analysis System Failure Probabilities RESHA PRA + UQ (Redundancy-Guided Systems-Theoretic (Probabilistic Risk Assessment + Uncertainty Hazard Analysis) Quantification) Probabilistic Estimation of Failure Consequences Multiscale Quantitative Reliability Analysis BAHAMAS (Bayesian and HRA-Aided Method for the Reliability Analysis of Software) Suggestions to optimize designs and ORCAS upgrades by quantitatively reducing (Orthogonal Defect Classification for Assessing Software Reliability) risks and costs CCF Modeling and Estimation What can go wrong? How likely is it? What are the consequences? How to improve the design?

5

Redundancy-guided System-theoretic Hazard Analysis (RESHA)

Hazard analysis in the LWRS-developed framework:

Incorporates the concept of combining FTA and STPA from HAZCADS.

Reframes STPA in a redundancy-guided way to identify various CCFs in highly redundant DI&C systems.

Identifies and traces failures in both the actuation and information feedback pathway of DI&C systems due to unintended latent design or implementation defects or intended cyber attacks.

Workflow of the Redundant-guided System-theoretic Hazard Analysis (RESHA) 6

Multiscale Quantitative Reliability Analysis 7

Major Accomplishments in FY-23 Completed an industry peer review with reviewers from the NRC, GEH, EPRI, and RPI.

Feedbacks are positive pointing that framework addresses industry needs and closes gaps in the current state of practice.

Constructive suggestions are offered for methodology advancement and maturation, and integration with other toolsets (i.e.,

EPRIs framework) to gain the most benefits for the industry.

Delivered a peer review report in March 2023.

Completed the reliability analysis of a safety-related DI&C system in collaboration with PWROG.

Feedback provided by the industrial collaborators for methodology refinement in FY-24.

Delivered a technical report in February 2023.

Improved the current methods for identifying, quantifying, and evaluating potential software CCFs in highly redundant and diverse safety-related DI&C systems in collaboration with university partners.

Will deliver a technical report in September 2023.

8

Publications

Published 6 journal articles, 7 milestone technical reports, 15 conference papers.

9

Research Activities in FY-24

Improve and further develop the current framework and methods for risk assessment of multi-function DI&C systems in collaboration with the industry (e.g., GE Hitachi).

Refine the current methods to (1) keep supporting the need of DI&C reliability analysis from the industry (e.g., PWROG); (2) align better with international standards and existing risk-informed approaches and guides (e.g., EPRI).

Develop capabilities on risk-informed evidence generation and evaluation to support DI&C safety assurance and design optimization with the industry and other research institutions (e.g., Halden and KAERI).

Develop novel approaches to inform risk management and design optimization of advanced (semi-) autonomous DI&C systems designed for existing LWR fleets. (with NCSU and KAERI) 10

Collaborations

Industry:

PWROG: DI&C reliability analysis and CCF evaluation

GE Hitachi: Risk assessment of multi-function DI&C platforms

Halden: DI&C hazard analysis and safety assurance

Universities (for new methodology exploration):

University of Pittsburgh: Modeling and estimation of software CCF in safety-related DI&C systems.

North Carolina State University:

Development of a risk assessment framework for AI-aided control system designs

Software CCF modeling using model-based approaches.

Ohio State University: Software CCF modeling using dynamic methodologies.

11

Sustaining National Nuclear Assets lwrs.inl.gov 12

ML23254A388

Text

Navigation menu

Search