ML24066A051
| Person / Time | |
|---|---|
| Issue date: | 02/22/2024 |
| From: | Advisory Committee on Reactor Safeguards |
| References: | NRC-2736 |
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION
Title: Advisory Committee on Reactor Safeguards Digital I&C Subcommittee
Docket Number: (n/a)
Location: teleconference
Date: Thursday, February 22, 2024
Work Order No.: NRC-2736
Pages 1-134
NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1716 14th Street, N.W.
Washington, D.C. 20009
(202) 234-4433
DISCLAIMER
UNITED STATES NUCLEAR REGULATORY COMMISSION'S
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.
This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)
+ + + + +
DIGITAL I&C SUBCOMMITTEE
+ + + + +
THURSDAY
FEBRUARY 22, 2024
+ + + + +
The Subcommittee met via Videoconference, at 1:00 p.m. EST, Charles H. Brown, Jr., Chair, presiding.
COMMITTEE MEMBERS:
CHARLES H. BROWN, JR., Chair
RONALD G. BALLINGER, Member
VICKI M. BIER, Member
VESNA B. DIMITRIJEVIC, Member
GREGORY H. HALNON, Member
JOSE A. MARCH-LEUBA, Member
ROBERT P. MARTIN, Member
DAVID A. PETTI, Member
WALTER L. KIRCHNER, Member
THOMAS E. ROBERTS, Member
MATTHEW W. SUNSERI, Member
ACRS CONSULTANTS:
DENNIS BLEY
MYRON HECHT
DESIGNATED FEDERAL OFFICIAL:
CHRISTINA ANTONESCU
C-O-N-T-E-N-T-S
Opening Remarks by Chairman
Introductory Remarks
Draft Final BTP 7-19, Rev. 9, Guidance for Evaluation of Defense in Depth and Diversity to Address CCF Due to Latent Design Defects in DI&C Systems
Members Deliberations
Public Comments
Closing Remarks by Chairman
P-R-O-C-E-E-D-I-N-G-S
1:10 p.m.
CHAIR BROWN: Well, good afternoon, everyone. This is a meeting of the Digital I&C Subcommittee. We will now come to order.
I'm Charles Brown, Chairman of this subcommittee meeting. ACRS members in attendance are Tom Roberts, Greg Halnon, Matt Sunseri, Jose March-Leuba, Vesna Dimitrijevic, Ron Ballinger, Dave Petti, Walt Kirchner, Vicki Bier, and Robert Martin. Myron Hecht and Stephen Schultz, consultants, are also online. Oh, is Dennis here? Thank you, Dennis. Say hello, Dennis.
DR. BLEY: Hello, Dennis.
CHAIR BROWN: Okay. Thank you. Christina Antonescu of the ACRS staff is the Designated Federal Official for this meeting. The recorder is on, Christina? Okay, thank you. The purpose of this meeting is for the staff to provide a briefing on the draft final revision, Branch Technical Position 7-19, Guidance for Evaluation of Defense in Depth and Diversity to Address Common Cause Failures Due to Latent Design Defects in Digital I&C Systems.
Specifically, the staff will discuss clarifications made throughout the BTP to address discussions in our previous meeting in September of last year, public comments that have been received over the last five or six months, and comments from members in the previous meeting. The ACRS -- a lot of these comments, this is also derived from the new SECY 22-0076 for which the Commission has provided the staff requirements memorandum to the staff on the subject of that SECY. The ACRS was established by statute and is governed by the Federal Advisory Committee Act, FACA.
That means that the committee can only speak through its published letter reports. We hold meetings to gather information to support our deliberations. Interested parties who wish to provide comments can contact our office requesting time.
That said, we have set aside 15 minutes for comments from members of the public or listening to our meeting subsequent to our conclusion of the brief and discussions. Written comments are also welcome. Just a little reminder on this relative to, we speak through our letters.
There are plenty of comments by members, both here in the room as well as online. Personal comments, they do not reflect an overall advisory committee agreement with nor disagreement with that would only be resolved through our formal letter following a full committee meeting. Written comments are also welcome.
The meeting agenda for today's meeting was published on the NRC's public meeting notice website as well as the ACRS meeting website. On the agenda for this meeting and on the ACRS meeting website are instructions as to how the public may participate. No request for making statements of the subcommittee has been received for the public.
We are conducted today as a hybrid meeting. A transcript of the meeting is being kept and will be made available on our website. Therefore, we request that participants in this meeting should first identify themselves and speak with sufficient clarity and volume so that they can be readily heard.
All present presenters please pause from time to time to allow members to ask questions. Please indicate the slide number you are on when moving to the next slide. I presume you will probably not have any problem with the members interrupting you and knowing when they want to ask a question.
So if you miss something, just raise your hand. We have the MST phone line audio only established to the public to listen to the meeting. I'd like to remind the public that they are to listen during this part of the meeting and comments should be reserved for the public comment session at the end of the meeting.
Based on our experience from previous virtual and hybrid meetings, I would like to remind the speakers and presenters to speak slowly. We will take a short break after each presentation to allow time for screen sharing as well as the chairman's discretion during longer presentations. Lastly, please do not use any virtual meeting feature to conduct sidebar technical discussions.
Rather, contact the DFO if you have any technical questions so we can bring those to the floor. We will now proceed with the meeting, and I will -- I guess, first of all, I'm going to ask Mr. Jason Paige, the branch chief for the Long Term Operations and Modernization Branch, Division of Engineering and External Hazards, in the Office of Nuclear Reactor Regulation for any opening comments from the staff. Jason, I'll give it to you first.
MR. PAIGE: All right. Thank you. So as Member Brown said --
CHAIR BROWN: Get very close to the mic. They have a very short range.
MR. PAIGE: Can you hear me?
CHAIR BROWN: Now that's better, yeah.
MR. PAIGE: Okay.
CHAIR BROWN: Just don't eat the mic. That's all.
MR. PAIGE: I'll try not to. My name is Jason Paige. I'm the branch chief of the Long Term Operations and Modernization Branch. And my branch is responsible for implementing the Commission direction in SRM SECY 22-0076 when expanding the use of risk informed approaches in addressing visual I&C, common cause failures, or CCF.
First, just want to thank you for this opportunity to present to you the staff's implementing guidance which is being incorporated in branch technical position or BTP 7-19. This has been a collaborative effort led by our I&C and risk staff in NRR with support from the I&C staff and research. As an update from our last briefing to the ACRS on this topic back in September 2023, the staff incorporated in the draft BTP some of the feedback held during that briefing as well as some of the comments provided in an attachment to the briefing transcript.
In addition, we issued the draft BTP 7-19 Revision 9 for public comment in October 2023. And the comment period closed in November 2023. During today's briefing, the staff will summarize the changes to the BTP to address the public comments in the committee member discussions and feedback.
In preparation for today's meeting, the staff provided the committee with a markup of the BTP, the responses to public comments, and the responses to the members' comments provided in an attachment to the transcript. As a note, the BTP and public comment response table are still under internal review and changes may be made. We will inform the committee of any major changes prior to issuance of the final document.
The Commission direction gave the staff one year to develop and complete the implementing guidance. And we appreciate the committee's flexibility on this issue. A full committee briefing is currently scheduled for March 6, and we very much appreciate getting the committee's letter feedback as soon as possible to incorporate into the BTP to meet our one-year deadline.
Before I turn the presentation over to the staff, I would like to clarify a discussion that we had during the September 2023 ACRS briefing regarding the staff's approach for implementing the expanded CCF policy. On November 1st, 2023, the staff provided the Commission an annual update on activities to modernize the agency's instrumentation and controls regulatory infrastructure which included the staff's approach for addressing the Commission's direction of developing guidance that is technology inclusive and applies to all reactor types. In summary for light water reactors, the staff is updated BTP 7-19 which is an appendix to NUREG-0800 or the standard review plan or SRP.
As indicated in NUREG-0800, the scope of the SRP guidance applies to light water reactors. For Digital I&C reviews for advanced non-light water reactors, the staff relies on the licensing modernization project which is endorsed by Reg Guide 1.233 and the desire review guide or DRG. While the language used in the DRG does not clearly connect to the revisions of the four points in the SRM, the language does not preclude the reviewers from considering alternative approaches which we believe meets the intent of the Commission direction --
(Simultaneous speaking.)
CHAIR BROWN: Could you repeat that last part on the DRG?
MR. PAIGE: Regarding the language?
CHAIR BROWN: You started to talk about the DRG.
MR. PAIGE: Yeah, so --
CHAIR BROWN: My brain was still on the 1.233.
MR. PAIGE: Okay, yes. The language in the DRG, the DRG hasn't been updated since the Commission provided the direction to the staff. So there isn't any specific tie to the four points that are in the draft BTP. But we think that the language does not preclude the reviewers from considering alternative approaches which we believe meets the intent of the Commission direction or policy.
However, the staff will use pre-application engagements to discuss the expanded policy with non-light water reactor applicants to address any questions or concerns. In addition, the staff will continue to communicate the Commission's expanded CCF policy to stakeholders during ongoing advanced reactor I&C public workshops. The next workshop is scheduled on March 14, 2024.
From our engagements and any lessons learned identified, the staff will ensure that future revisions of Reg Guide 1.233 in the DRG reflect any additional clarifications for implementing the SRM and any further improvements that are determined to be appropriate based on feedback from our stakeholders. The staff believes that this approach is necessary to understand what guidance on these matters would be used to non-light water reactor applicants. And if there's any questions that you have regarding our approach, we do have staff of the DRG and the LMP that are participating virtually. So that concludes my opening remarks. I'll turn it back over to you, Member Brown.
DR. BLEY: Charlie, can I sneak in a question? This is Dennis Bley.
CHAIR BROWN: Fire away. I'll go after you.
DR. BLEY: Well, it's probably the same thing. In your responses to comments, you had responses to comments by Charlie and Tom Roberts. Let me ask about including RG 1.233 as a reference here.
And the staff responded that this only applies to light water reactors (audio interference). The discussion now was pretty interesting. But it would seem at least reasonable to put some note in here about what non-LWR people ought to do and what Reg Guide 1.233 (audio interference).
MR. PAIGE: So I'm going to assume that's a question for me. So --
CHAIR BROWN: Yes. Hold on just a minute.
MR. PAIGE: Okay.
CHAIR BROWN: Tom would like to make a --
MEMBER ROBERTS: I think probably consistent with what Dennis was saying. Hey, two questions that I thought we're probably were just teeing up now and then either answering during the presentation or at the end regarding what you just talked about. The first one, is there anything from the public feedback or from the ACRS feedback that made you think about how that applied to the DRG or how that applied to your ongoing discussions with various applicants for how to apply some of the principles that are in the DRG or in the BTP?
Again, probably best to answer that during the presentation when the staff talks about the various comments and what they do in the BTP. And the second question is understanding your longer term vision, presumably you don't want to always have a DRG and a BTP because you got basically the same I&C system is being developed by applicants and being reviewed by the same cadre of folks here. And so I was thinking you want to have some more signaling off of the guidance. I was wondering what your near and long-term vision was to get there. Again, both of those are probably better discussed after we do the presentation and get a better sense of what's in the BTP.
MR. PAIGE: So in terms of the approach, I'll just provide an initial response. And like you said, I'm sure we'll get into more details during the staff's presentation. But in terms of having two separate documents, as you're aware, the SRM, we had one year to complete the implementing guidance.
So we thought this was the best approach to develop guidance that's applicable to the different stakeholders, external stakeholders. So we thought it was useful to update the BTP to provide that avenue for light water reactors. And then for the DRG because that guidance is available for non-light water reactors. And we also believe that DRG is already risk informed technology inclusive. So we thought it was best for us to get additional feedback from those external stakeholders so that we can better understand their needs and then proceed with updating the DRG based off of those lessons learned.
CHAIR BROWN: Can I comment? From what I understand and correct me if I'm incorrect, but the BTP is fundamentally a review document for the staff whereas the DRG is what I call a general compendium that consolidates all of the design concept type stuff that should be considered during a -- for a licensee to deal with as opposed -- well, not as opposed to. But make sure it's clear relative to architectures and how it's configured and communications, et cetera, et cetera.
So I'm not quite sure I agree that it's okay to delete the branch technical position because we're not after reading it again for about the seventh time in 16 years. It is pretty much general and not explicitly. But it gives ideas to the licensees that, hey, this is what the staff is going to be expecting.
And when first got here 16 years ago, the first meeting I sat in on, on a -- I think it was ESBWR or something like that. The presentation and the staff response, while it was presented to us at a subcommittee meeting was I don't want to use the word unsatisfactory but not very illuminating because it was just not an understanding at all from the licensee knowing what the staff really was looking for when they came in for their application. So I don't want to lose that connection.
With that thought in mind, there's also an ISG-6 which is a beginning licensing process review for the licensees. And so from the design side, you want to make sure they're addressing the design concepts that you expect to see, whether they're different than what you have in the reg guides or not. But you still want them to know what you're expecting.
And the branch technical position on defense in depth will always be relevant regardless how safe you think a non-light water reactor is that we won't have that discussion today. But it provides acceptance criteria for the various areas that the defense in depth is expecting to be addressed. And that's not in the design review guide.
In trying to pump all that information, staff review stuff into the design review guide is -- personal opinion again, this is me, is not really the best approach. You need some separation so that the vendors -- the licensees have some idea of how they should proceed in the beginning. So I'm just saying that now because two months, I won't be a member.
I can say that now with some confidence, and it's based on experience. The ISG-6 did not exist when I first got here. And it was developed to try to eliminate in the presentation because the designers did not know what the staff wanted and what depth we wanted to see stuff -- staff and the committee.
So I'd like to just make that observation as a secondary observation on what you guys do. Hopefully Member Roberts will keep you guys in tow. Go ahead.
MEMBER ROBERTS: Yeah, I think waiting until the end is probably the best approach. But just to give you some sense of what I'm thinking, you've got common cause failure guidance in IEEE standards. You've got common cause failure guidance in a BTP.
You've got common cause failure guidance in this DRG. To some degree in Reg Guides but not particularly in an integrated way. So you look at all that and you say, well, where do I go?
If you're an applicant, if you're staff, if you're an ACRS member, where do you go for the principles and what the overall criteria are? I think that's probably worth some thought in terms of you've got a DRG coming out one way, a BTP coming out of a similar but slightly different way, and your Reg Guides. Where is the integration of all of it?
That's kind of where I'm heading. If you've got a similar thought process in terms of when you go after you've gone through this incredibly short time period. I recognize your constraints if I do something in a year given you credited the DRG. You've got all this stuff coming on advanced reactors.
I understand why you don't want to go today. It makes sense to me. Do that iteration with a couple of suppliers. You go figure out what it is you really want to do.
But then when you get through all that, it seems like a good time to step back and say, we need something different than any of these products. Or is the BTP 7-19 the right construct to try to become the sealant -- the fact that you ask -- now that I'm thinking on it, maybe in the end, we've gone through some more details, we can go through if there's any more thoughts on that.
CHAIR BROWN: Thank you. Go ahead. I was going to amplify his comments.
MR. PAIGE: I was just going to say okay. That sounds reasonable.
CHAIR BROWN: Just another observation. Once, we, the committee identified -- the committee can't do the review that the staff does. There's just no way. We got a day or two, three days at the most to look at any new thing that's coming down the path.
We're not just paid. We're not here to check your work. We're here to do an independent look at what's being proposed and does that meet the eyeball test relative to its safety posture.
And the change from May 2008 till now where I think there's been four, five changes that we've reviewed, four new projects. And I think Diablo Canyon was another one that we looked at. But the idea in the I&C world of developing that architecture that meets the fundamental principles which are elucidated in at least IEEE Standard 603-1991, I believe, although we didn't have electronic communications in the days when that was written to the state we had today.
So electronic communications as opposed from control of access type issues was not the same. And the first two design reviews after that first one went increasingly better. AP1000 was better but still missed a bunch of stuff that we had to argue about and finally get done. But the last two or three, we did between the staff and us.
They were done in less than a year because just starting with an architecture and focusing on a safety architecture kind of defines the general ballpark in which you're operating. And as opposed to trying to look at each position and in every Reg Guide and every position and every IEEE standard and seeing if I evaluate the brake pad right or the gas line to the distributed or to the carburetor or how many electronic things do with timing. And if you look at all that, you can figure out whether it's really a car or not.
But you still don't know what the framework of the car is. You don't know how many doors there are. You don't know what its weight is. You don't know what the engine horsepower is, et cetera, et cetera.
You've got to look at these systems from the top down. And the top down approach which is now summarized in the DRG is -- and I think it initially started with a -- what was it, ESBWR. It was M-something. Don't you guys remember that?
PARTICIPANT: Mpower.
CHAIR BROWN: Mpower. That's right. It was Mpower thing. Was that General Dynamic? No, BMW. I'm sorry, BMW, right. The empire is where we first got them, then it's been improved, expanded.
And that really has set the stage. So the DRG in that particular viewpoint is the lynchpin for making sure staff gets the relevant information and doesn't spin their wheels on trying to examine how many legs are on an ant and see if it's really an ant and not a caterpillar. So these are my parting shots.
I won't get an opportunity except at the full committee meeting. I'll probably take this transcript and repeat it just for spectators. But I think there's been a considerable advance over the last 16 years and the ability of the staff to address these things using that architecture approach.
So much simpler because a lot of the other stuff falls into place once you do that. Do you really care how many chips are on a microprocessor? You really don't. You don't really care how many memory units are in an FPGA. You really don't.
As long as they can get data in and out, that's all you care about. So anyway, all right. I think I'm done. Tom, anything else? Greg, any other opening remarks?
Are there any members opening remarks, Dennis or Steve or Jose? Anybody? Okay. If I don't hear anything else, we're going to proceed. Samir, your turn.
MR. DARBALI: Thank you and good afternoon. My name is Samir Darbali. We are on slide 3. So first, we will provide some background information by going over a timeline of recent activities related to the development of Revision 9 of BTP 7-19, the Commission direction for the SRM, and the status of proposed response.
We will then provide a summary of the changes from Revision 8 to Revision 9. And we'll go over the changes made to the BTP is the last we provided the committee back in September. And we'll finish with some key messages and next steps for revising BTP. Next slide.
So here on slide 4 is a timeline of the main activities related to the development of Revision 9 of BTP 7-19. We start with Revision 8 which was issued in January of 2021. Later that year, the staff began to process and develop a SECY to recommend the mission expand the Digital I&C CCF policy to allow the use of risk informed approaches to demonstrate the appropriate level of defense in depth for high safety significant systems.
And in August of 2022, SECY 22-0076 was issued. The staff provided a supplement to the SECY in January 2023 to clarify the importance of 0.4 of the policy. In May of 2023, the Commission approved the staff's recommendation with some edits and provided direction to the staff to develop implementing guidance within one year.
Staff began drafting Revision 9 of BTP 7-19 in the summer of 2023 and briefed the committee in September of last year. A public comment period started in October and closed in November. And since then, the staff has been addressing the public comments and going through concurrence reviews.
That leads us to today's briefing. And we have the full committee scheduled for March 6th. And finally, we are expecting to issue the final BTP in May of this year. Next slide. So here in slide 5 and 6, it's going to be --
CHAIR BROWN: You're going to force me to have a letter ready in March, right?
MR. DARBALI: Probably, yes.
CHAIR BROWN: If we have comments, are you going to be able to commit to resolving them? Because if we do ask, we may ask for a response to the letter depending on the nature of the comments. So if you want to issue it in May, we would have to see something that allows us to say okay so we don't have to have another meeting in April.
MEMBER HALNON: Okay. Why don't we address that if we have comments. So then we can --
CHAIR BROWN: I won't have a comment. So I'll write the letter. I'm just saying we've got to keep that in mind.
MR. DARBALI: Yeah, that's something we can discuss to ensure that.
CHAIR BROWN: Okay.
MR. DARBALI: And we appreciate the feedback. So here on slide 5 and also on slide 6, basically a repetition of what I just said on that timeline diagram. We received approval or the Commission approved the SECY with some edits and directed staff to clarify in the implemented guidance that the new policy is independent of the licensing pathway and also directed the staff to final implement the credits for the year. Next slide, please.
And the staff's proposed response, we're here to discuss is the light water reactors. We are revising the guidance in BTP 7-19 for the review of risk informed approaches which may result in the use of design techniques other than diversity. Because of the one-year metric, we should implement guidance.
The staff has spoken, the edit is mostly to incorporate the standard policy and providing some clarification. We have also made changes to address feedback we received during the full committee -- sorry, during the September subcommittee briefing and also in response to all the comments.
CHAIR BROWN: Before you go on, I've seen the -- I didn't ask this question previously. But you've had the words design techniques other than diversity. Do you have any idea of what you mean by that? I try to think of design techniques other than the one we rely on to try to get a feel for it and could not figure out.
MR. DARBALI: So as you'll probably see in one of the follow-up slides.
CHAIR BROWN: You could go back to vacuum tubes.
MR. DARBALI: So for example, segmentation could be a technique that could be used to eliminate the potential for a common cause failure. There may be some -- we call them design techniques for the development or some changes in the architecture in implementation. But we would be reviewing those as they come in, in the application.
DR. BLEY: Charlie, it's Dennis. I'm trying to help out the staff here a little bit. In your section, B-313, they get a little smarter. Then it's talking about design options. They talk about technical approaches including design techniques where you just talk about prevention measures and radiation measures. So that seems to be what their thought is.
CHAIR BROWN: Now the difficulty with segmentation is it's not really well defined. And when I see stuff like that where we don't have at least boundary conditions or something with which applicants can deal with, I don't like to see surprises coming in and then having a long time delay trying to get something done because there's so many new design techniques they'd like to try that you now have to go through a stork dance to try to say it's okay. So instead of a year to complete the review, you're into a three-year cycle as you ask 500 RAIs of the answers you want which is actually what we saw in the first couple of design requests when I first got here 16 years ago or at least the second one had a ton of them.
I mean, it was a lot. We could barely keep up with the revisions they incorporated RAIs. So there's a -- that's a thorny path to go down. So anyway, all right, I'll stop.
MR. DARBALI: Understood. Thank you. All right. So we are on slide 7. And here are the substantive changes made from Revision 8 through Revision 9. And we've explained these back in September.
So Section B.1.1 was revised to update the language of the four points in the policy. Section B.1.2 was revised to clarify the term, critical safety function. Section B.3.1.3 which Member Bley just mentioned was revised for the evaluation of alternative approaches.
Section B.3.4 was added for the evaluation of risk informed assessments. Section B.4 was revised to include guidance for the evaluation of different approaches for meeting point 4. We added five flow charts to facilitate the use of the BTP. And we also added language from Reg Guide 1152 regarding communication independence and control of access.
Next slide. Thank you. Here on slide --
MEMBER ROBERTS: Just a quick question. I'm a little surprised you didn't include the background information that you added in Section A or 8.1, whatever that was at the very beginning. I thought it was really good in terms of getting more background going back to the '60s of what drove this whole issue of concern about common cause failures and defense in depth.
And what caught my eye is there was a reference to the front matter of Appendix A or 10 CFR 50 where you talked about there is a -- I'm going to call it a hidden requirement. It's kind of subtly buried in the front matter of Appendix A or 10 CFR 50 to go assess common cause failures for basically any design. And I was wondering if that was the intent was to highlight that, that wasn't necessarily widely understood. And then also there's a comment, a quasi-editorial comment. I was wondering why that didn't get in the list of regulatory basis documents that was in the next section.
MR. DARBALI: I see Norbert wants to chime in. So we --
(Simultaneous speaking.)
CHAIR BROWN: -- talk about the expanded background from Rev. 9. Yeah, I noticed. I just liked it. That was a good idea.
MR. DARBALI: So what we're highlighting in this slide and the next probably five, six slides is basically what we presented back in September. In the markup that you have, that shows the changes from the September version. And that includes all the additional background and historical information. So later on --
CHAIR BROWN: I got that.
MR. DARBALI: Okay. So later on, we'll be covering that number.
MR. CARTE: All right. So in part, that -- sorry, Norbert Carte, I&C technical reviewer. So in part, that was expanded because in the discussions, industry has made assertions in public meetings that this is a new criteria or a new issue. And in order to put an end to those assertions, we've inserted that material.
And there are other places you could look to see the history of common cause failures. So common cause failure has been a concern as well in the '50s with the research and test reactors. There's a NUREG/CR-566 that talks about it. It was written in 1979.
So there are a number of NUREG/CRs that have talked about common cause failure. The only thing that's new and different is that we're talking about a different technology and a different maybe system architect for I&C systems. So the question is, what do you need to do differently for the different technology or methodologies or system design?
It's not that we're inventing a new criteria of common cause failure because that's always been there. It's just that what you build -- if you build a stone bridge and then it falls down and you build a wooden one and a regulator asks you, well, what about termites? You said, well, I never had to consider termites when I built the stone bridge. What are you asking about termites now for?
You're backfitting a requirement. When we talk about it, it seems silly. But that's what's happening with Digital I&C. You're saying, we did this for analog systems, and so those should be the only requirements regardless of the technology of the system design we give you.
No, not really. You need to consider the hazards introduced by the technology. And so this is sort of emphasizing that. And I think that was added to Appendix A in 1979.
MEMBER ROBERTS: Yeah, so the second paragraph of the introduction. So it's there. It just seemed to me like a regulatory requirement the way it's quoted from Appendix A. And you didn't include it in the regulatory basis section there. So I was trying to understand why.
MR. CARTE: Right. So regulatory requirements are an interesting term. So you never write a violation against Appendix A. What the regulatory requirement is that you include principal design criteria in your FSAR and that your application is in conformance with your FSAR.
So you get an Appendix B violation, a quality control violation for not meeting your design. So in a sense, Appendix A isn't really a regulatory requirement. It only becomes a requirement or an obligation when you put it in your FSAR and you say that's what you're going to do.
And so Appendix A, it's a minimum for light water reactors. But also notes it may not be complete. You may need to add other things, and maybe you should design criteria for digital system. But that's a different discussion.
MEMBER ROBERTS: Okay. I understand. From a staff review perspective, having it in the front matter is probably enough. But the way it's written, it seems like if the applicant hasn't addressed common cause failure at that general level, then they would be -- it certainly would be questioned about whether or not the meaning and intent of Appendix A. I suspect that's why you put it there, so I think you've answered my question. Thank you.
MR. DARBALI: Thank you. So on slide 8, we have -- it's an overview of Provision 9 of the BTP. This figure shows how the BTP sections are organized to implement the policy. And that's SECY 22-0076.
You can see for each point in the policy the applicable section of the BTP. And this is a figure we added to the end of the BTP after the September briefing. So in the next few slides, we'll go over the substantive changes again from Revision 8 to Revision 9. Next slide.
So on Section B.1.1, we updated the language to reflect the points in FSAR and SECY 22-00076 as well as the explanation of the four points. We also added some language to help identify the applicable BTP sections when performing a safety evaluation. On Section B.1.2, we clarified that critical safety functions are those most important safety functions to be accomplished or maintained or prevent any immediate threat to the health and safety of the public.
We also clarified that the critical safety functions within the SECY are examples represented of operating light water reactors. And that other types of reactors may have different critical safety functions based on the reactor design safety analysis. And the identification of such functions may be risk informed.
MEMBER HALNON: Samir, this is Greg Halnon. I need to go back and look and I should've. The term critical safety function, is that aligned across the definitions that we have for critical safety functions in addition to what we were talking about in Part 53? Is it relatively aligned? I'll give you an out there.
MR. DARBALI: So right, we added a footnote to clarify where the term came from. And it goes back to an ANSI/ANS standard.
MEMBER HALNON: So it is based somewhere that we can pin that off of for other things.
MR. DARBALI: So historically, it's been used for light water reactors. It came after KMI event. But it's applicants or licensees can define their critical safety function based on their particular safety analysis and planned design.
So we have a list of critical safety functions. But again, that applies to light water reactor designs. Not only light water reactors or other types of reactor designs can identify their role in particular critical safety functions.
MEMBER HALNON: Okay. That's fine. I just want to make sure that we weren't going off on very specific -- it was going to cost me confusion in the future. But I'll say it's relatively aligned with what we've been using all along. It's nothing new.
MR. DARBALI: Correct, correct. It's not -- we're not introducing it in here. Thank you.
CHAIR BROWN: Excuse me. You really didn't eliminate anything. You used to have it in a little table. And all you do is put them in a line in parenthesis --
MR. DARBALI: Correct.
CHAIR BROWN: -- which seemed kind of unusual. The other thing I noticed in the critical safety functions, you deleted references to SECY 93-087. And for the life of me, does that mean it doesn't exist anymore?
MR. DARBALI: So that's part of a broader comment. And we'll address that later. But one of the comments --
CHAIR BROWN: Let me tell you. Remember we wrote a letter on a SECY.
MR. DARBALI: Right.
CHAIR BROWN: And we noted in that letter your revised 0.4 had three or four paragraphs. You all only pulled paragraph 1 out and put it in 0076 which eliminated the items. So our point was is that still valid, that SECY? The answer came back yes. And then I read this and started seeing references to 087 deleted which sounded like you were eviscerating 0087. So disregarding it or it was no longer in the process of being applied.
MR. DARBALI: We followed the same, I guess, logic that you were using that if we referenced 22-0076, we are therefore referencing 93-087 or those parts.
CHAIR BROWN: Is that still in place?
MR. DARBALI: Yes.
CHAIR BROWN: Okay.
MR. DARBALI: So when we mentioned 22-0076, that includes 22-0076 and whatever 22-0076 did not change from 93-087.
CHAIR BROWN: Now the exception to that is paragraph 4 stated that for manual controls, you can have either hardwired or a diverse system or a diverse approach technique. I've forgotten what the exact words are. But yet when you go to 0076, you all now have cranked in to the text of BTP these words about don't bother with hardware wired controls. You don't need to do that.
But diverse systems, and I'm going to talk about this later. I'm just kind of giving you a heads up. There's going to be some excoriating comments.
MR. DARBALI: Okay. So --
CHAIR BROWN: One comment, one comment.
MR. DARBALI: But the driver who eliminate -- mentions SRM SECY 93-087 was because we received a public comment that said we would talk about a point -- we said.3 of the policy. And the comment was, well, it's not clear. Are you talking about 22-0076
CHAIR BROWN: I got that.
MR. DARBALI: -- 93-087? So we figured, well, if we're mentioning 22-0076, we're also covering those parts of the 93-087 that were not changed. So let's just point to 22-0076 so it'd be less than (audio interference).
CHAIR BROWN: How does the point get made in this that 087 still applies but with where it has been changed or modified by 0076. That's what then is relevant for that part?
MR. DARBALI: So I --
CHAIR BROWN: And you all didn't -- so there's no explanation of the rest of 087 that wasn't changed is okay?
MR. DARBALI: Right. You would have to go from the BTP 22-0076 which would make --
(Simultaneous speaking.)
CHAIR BROWN: That's a long chain to try to figure out what's going on.
MR. DARBALI: Right.
CHAIR BROWN: And the applicant shouldn't have to do that. They should be using this document, not the -- I didn't have any problem with all the other incorporation of the points. It was just the absence of information.
I understand why you want to do it because which one are they going to follow. So you tell them what parts are still valid and which parts aren't. And you didn't do that.
MR. DARBALI: Okay, understood.
CHAIR BROWN: That may be a comment.
MR. DARBALI: And you can go to the next slide, slide 10. Okay. And --
CHAIR BROWN: So the other point I would make is the Commission also did not say anything at all about the other three paragraphs. They only address the one you provided in your SECY --
(Simultaneous speaking.)
MR. DARBALI: Correct, yes.
CHAIR BROWN: -- which you didn't aggregate anything in 087. It's kind of an amplification of diversity.
MR. DARBALI: So here on slide 10, we have the alternatives to diversity. And again, it goes back to the section Member Bley mentioned. The Section B.3.1.3 is for alternative approaches other than diversity and testing to eliminate potential or common cause failure from further consideration.
Provision 8 of the BTP provide a review guidance for an application that uses an NRC approved method or approach but did not provide for their review and application that uses a new approach. So we revised this section in Revision 9 to remove detail acceptance criteria for methods or approaches previously approved or endorsed because the means of endorsement or approval already capture the application's specific review activities. So the staff only has to ensure that the approach is acceptable and is being followed and if there's any deviations that are justified. In Revision 9, we added acceptance criteria for the use of new approaches not previously endorsed and approved, mainly that the application --
CHAIR BROWN: Can you back up a minute?
MR. DARBALI: Yes.
CHAIR BROWN: The first bullet, previous endorsement or approval.
MR. DARBALI: Right.
CHAIR BROWN: Pathways for evaluation of alternative -- that first bullet says, if something has already been endorsed or approved, it's still endorsed or approved if something else wants to use it?
MR. DARBALI: That would be one path.
CHAIR BROWN: That's okay. So that's the first path?
MR. DARBALI: Yes.
CHAIR BROWN: The second is the stuff spelled out. And then you have the acceptance criteria provided?
MR. DARBALI: Correct.
CHAIR BROWN: Okay. I got it.
MR. DARBALI: So mainly for a new approach that hasn't been previously approved or endorsed, the staff would review that the application contains a description of the new alternative approach, a description of the CCF vulnerability being addressed, and a justification for the use of such approach.
MEMBER HALNON: Samir, I always get a little bit worried about these iterative approaches where I come in with an alternative rock and we don't like that rock. And it's inefficient, at least at the front end. How are you going to capture lessons learned? And I wouldn't say -- endorse is not the right word. But at least have the license of the applicant see what's been accepted from a methodology perspective.
MR. DARBALI: So typically, a new approach would be proposed in the form of a topical report that would allow for generic approval that can be referenced. We've had cases in which a new approach is used.
MEMBER HALNON: As long as it's not proprietary, people will see that.
MR. DARBALI: Correct, right. And topical reports, it could be a redacted version, a public version. If a new approach is using a licensing review and likewise a different applicant can propose to use that as a precedent if they can adequately demonstrate that it applies to their design. There are different ways. I agree and understand that if it's something completely new to the staff and it might be a more arduous process to identify the information that is needed and be able to perform that.
MEMBER HALNON: So more and more, we're seeing especially for the advanced reactors lines on this pre-application engagement. And another way of saying that is regulatory uncertainty. So I hope that there's internal conversations going on in how we can get back to our mission of regulatory certainty in these types of approaches because that's going to cost a lot of money, staff time and applicant time, not necessarily get to where we want to be quickly.
MR. DARBALI: Right. And so ISG-06 for the licensee review of the upgrades, so mostly for operating plans, there's also focus on those pre-application engagement meetings. So we've had those for past reviews and current reviewed where an applicant would propose what their design or features they want to incorporate. So right, it does facilitate some of that reduction or regulatory uncertainty. And of course, right, it's going to be -- for the very first few new innovative designs or techniques or alternatives, it's going to be maybe a bit of an uphill process. But the idea, right, is to capture lessons learned and formalize that.
MEMBER HALNON: Okay. Yeah, I think that's important to quickly get those lessons learned back out so that folks that are trying to contemplate how I'm going to approach this, they would see what's been accepted or at least an approach that might be more certain. Thank you.
CHAIR BROWN: You had to deal with this because you're relative to the plant. I thought ISG-06 was a good idea because people were struggling with how to approach submitting their final LAR licensing amendment request or whatever (audio interference). Do you agree or disagree with that approach?
I thought that eliminated uncertainty when they finally got into it. They knew what to expect -- the staff was going to expect when they submitted their request. And so I don't want to lose ISG-06.
MEMBER HALNON: I'm not suggesting that.
(Simultaneous speaking.)
MEMBER HALNON: I'm not suggesting there's any flaws in that. What I'm saying is that with the continued reliance of if you got a new approach, come on in and talk to us about it.
CHAIR BROWN: Before you --
MEMBER HALNON: The better you can define the acceptance criteria and how you get from A to B will add more certainty. But at the first, relatively uncertain, how are you going to be received?
CHAIR BROWN: That's why we wrote ISG-06. Let's try to define that, what to expect for that. I don't know where that exists in any other area.
MEMBER HALNON: Okay. So in the uncertain approaches, 3.1.3, last statement says, ensuring the adequate justification provided for any deviation from the progressive. Then it says therefore, this BTP does not provide additional guidance in this regard.
CHAIR BROWN: Was that on the first line? Where are you? It's 3.1.3? You print it out differently. Okay.
MEMBER HALNON: So after that without additional guidance, you have to go somewhere else. So now you're --
(Simultaneous speaking.)
CHAIR BROWN: Right, right.
MEMBER HALNON: Again, you start getting in this daisy chain of what's going to be accepted and what's not. And it gets more complicated.
CHAIR BROWN: Thank you.
MR. DARBALI: Thank you. All right. Slide 11, please. So I'll now turn it over to Steven Alferink who will discuss the risk informed D.3 assessment process.
MR. ALFERINK: Thank you, Samir. As Samir said, my name is Steven Alferink and I'll discuss the review guidance for risk informed D.3 assessment, the new Section D.3.4. This slide illustrates how the staff envisions their risk informed approach getting into the overall D.3 assessment process.
The D.3 assessment process starts by defining each postulated CCF. Once the CCF is identified, it can be addressed deterministically or by justifying alternative approaches. These options are shown in the two boxes in the middle.
If a CCF is not addressed using either of these two options, then it can be addressed using a risk informed approach which is shown in the colored box on the right. The review of a risk informed D.3 assessment was broken down with four steps, each of which is covered in corresponding subsections of Section D.3.4. I'll cover each of these steps at a high level in the following slides. Next slide.
So we are now on slide 12. This slide covers the first two steps of the review of a risk informed D.3 assessment. The first step is to determine consistency with NRC policy and guidance on a risk informed decision maker.
In this step, the reviewer will review an application that uses a risk informed approach for consistency with established NRC policy and guidance on risk informed decision making as required by 0.2 of the policy. Light water reactors that will be reviewed using BTP 7-19 established NRC policy and guidance on risk informed decision making includes Reg Guide 1.174 and Reg Guide 1.200. The second step is to review how the CCF is modeled in the PRA.
In this step, the reviewer will first determine if the base PRA meets the PRA acceptability guidance in Reg Guide 1.200 for approval and guidance for new reactors and reflects the plan or design at the time of application. The reviewer will then evaluate how the CCF is modeled in the PRA and the justification that modeling adequately captures the impact of the CCF. In general, a CCF can be modeled in a PRA through detailed modeling of the Digital I&C system or the use of surrogate events. Surrogate events can be existing basic events in the PRA or new basic events added to the PRA that capture the impact of the CCF on the plant.
CHAIR BROWN: Before you shift, Bob, did you have a comment?
MEMBER MARTIN: Yeah, this is Member Martin. I noticed we're kind of reading through this new section. The terminology, risk significance, it's new. Previously, the safety (audio interference).
CHAIR BROWN: Dave, you're breaking up. Excuse me. Bob, you're breaking up.
MEMBER MARTIN: Am I breaking up? Hopefully, this is better.
CHAIR BROWN: You were.
MEMBER MARTIN: My question is the terminology of safety significance and risk significance, is the use of risk significance here strictly in the context of this risk informed D.3 assessments and terminology for safety significance be more applicable for the best estimate approach? Anyway, those terms should very similar. And the potential for confusion, misuse, I think might be there. I want to hear from you guys on how do you view those two terms and how they're applicable and different pathways in the D.3 assessment?
MR. ALFERINK: This is Steven Alferink. So we did include a discussion on the distinction between risk significance and safety significance in the revised BTP. But to answer your question earlier, yes, you would only worry about risk significance if you're -- or if the license or applicant was following risk informed approach.
MEMBER MARTIN: Okay, okay.
CHAIR BROWN: Is there another hand raised? Dennis? Dennis?
DR. BLEY: Yeah, Charlie. I was -- I had already flagged for later a little discussion about this. Let me find my notes because this associated with their slide 22. That's where they get over the Section 3.4.
I was a little unhappy with the introductory material in 3.1.4 where there's strong statements about risk significance and safety significance are very different concepts. They don't have the same meaning. And it's all used to set up the distinction between risk and safety significance is to emphasize you need to consider safety margins.
I would say that any PRA that's done right has to consider the safety margins. The staff in this section refers us to NUREG 2122 which is a glossary. And the glossary makes clear what the glossary is talking about.
And the glossary is talking about the definitional difference where risk significance is looking at the impact on risk and really safety where safety significance is the label we use for safety related things that through other methods primarily, expert judgment in the past set up safety significance that if one goes to the end of that definition, that the staff cites -- they point out -- the NUREG points out that when used to qualify an object such a system structure compound accident sequence. The term identifies the object as having an impact on safety, whether determined through risk analysis or other means which exceeds a pre-determined criterion. For me, that's in other words when risk significance is known, it should be used to identify the safety significant items.
So there seems to be a real emphasis in that section that these things are totally different. But they're only totally different when you're thinking of safety significance as things that have been designated as safety related. I think the document would be better without that discussion. It isn't very clarifying. And in my opinion, it's a little bit wrong. That's all. That's my speech, Charlie.
CHAIR BROWN: Okay. Thank you.
11 MR. ALFERINK: Thank you. Next slide.
12 We're on slide 13 now. The third step is to determine 13 the risk significance of the CCF. The risk 14 significance of a CCF can be obtained by calculating 15 an increase in the risk from the CCF using either a 16 bounding sensitivity analysis that assumes that CCF 17 occurs or a sensitivity analysis that uses the 18 conservative value less than one for the probability 19 of the CCF which we loosely call a conservative 20 sensitivity analysis in this slide.
21 The increase in the risk is calculated 22 using a conservative sensitivity analysis. The 23 reviewer will evaluate a technical basis with a 24 conservative probability of the CCF. The impact of 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
49 this assumption on PRA uncertainty and whether it is 1
considered a key assumption and the impact of this 2
assumption on the key principles of risk informed 3
decision making.
4 The reviewer will determine the risk 5
significance of the CCF by comparing the increase in 6
the risk obtained from the sensitivity analysis 7
thresholds for CDF and LERF. The reviewer will 8
determine that CCF is not risk significant if the 9
increase in CDF is less than one times 10 to the -6 10 per year and the increase in LERF is less than one 11 times 10 to the -7 per year. It is important to note 12 that there's a fundamental difference between the 13 intent of risk evaluations performed or risk informed 14 applications involving BTP 7-19 and those that do not 15 involved BTP 7-19.
16 Evaluations performed for risk informed 17 applications that do not involve BTP 7-19 are intended 18 to calculate the change in risk due to a proposed 19 licensing action and therefore reflect the as-built 20 and as-operated or as to be operated by. As such, 21 proposed licensing actions that result in an increase 22 in risk above 1 times 10 to the -5 per year are 23 normally not considered as discussed in Reg Guide 24 1.174.
MEMBER ROBERTS: Before we leave this slide, can you explain that second sub bullet under the third bullet, demonstrate that all principles of RIDM are addressed why that's a sub bullet. Because it seems like you already said that in the previous slide as one of the entry conditions into doing a risk informed approach to this.
MR. ALFERINK: Our perspective, you're correct. We did discuss the risk informed decision making. We were talking about meeting the overall policy and guidance.
Normally, when you have a sensitive analysis that assumes it occurs, there are a lot of things you don't need to worry about, for example, a certain value probability. We were trying to emphasize here that if you are using that assumption, going to emphasize that you need to consider that and address that. I view it more as a point of emphasis if you're following that direction.
MEMBER ROBERTS: Okay. I guess this needs some run time. I understand from one of the NEI comments that nobody currently plans to assume a conservative, probably less than one. But there may be a future time where that could be done.
Probably that's a good time to revisit this because it just seems to me like it's a duplicative requirement. It may not be clear exactly why you basically restated the same thing under a subheading that you have to have already accomplished just to get this far. Okay, thanks.
MR. ALFERINK: Thank you. Now the evaluations performed for risk informed applications involving BTP 7-19 are only intended to determine the risk significance of the postulated CCF. These evaluations are not intended to calculate the change in the risk due to the introduction of the Digital I&C system nor the baseline risk of the Digital I&C system installed. These evaluations do not reflect the as-built and as-operated or as to be operated. Next slide.
MEMBER ROBERTS: You mentioned this slide helped setup my question. But I was confused by what B.3.4.4. was trying to say. If you start from the SRM, the SRM language says if you're -- basically you're reading it inverted.
If your common cause failure is risk significant, then you need to do something else, basically what it says. You can use diversity or other techniques, whatever those are. But your choices are not to go do more risk analysis the way I read the SRM.
I couldn't get that out of what you wrote at 3.4.4. And it seemed like what 3.4.4 either should say or maybe was intended to say is go back to 3.1 through 3.3 and pick something else with the justification. This justification may be shaded by the risk significance.
Is that what you were intending to say, that you can't do a risk analysis? You get out of it once you've already had risk significance. What you do is something in the designs, something in hardware, something in analysis space, not risk space. Is that right, or did I not understand whether the SRM said or what this paragraph is intending to say?
MR. ALFERINK: I think you had that correctly. You're always welcome or an applicant is always welcome to go back. They like to redesign.
But if you're assuming this step occurs, you have to have a bigger change to your system in order to accommodate that.
MEMBER ROBERTS: All right. So maybe the suggestion is go back and relook at 3.4.4. I think you don't say that in the section. I think that's pretty important to say that once you concluded that your problem -- your -- I'm sorry, your common cause failure is significant, then you have to go do something. And maybe the justification of how much you have to explain why that's good enough would fit into the chart you got up on the wall here that if you were in Region II, you need maybe less justification of why that's okay if you're in Region I.
MR. ALFERINK: So as you see in the graph, if you're in Region III, we would rely on the standard design and verification, validation processes. If you're in Regions I or II, then yes, you need to provide something more than that. In the later review, that would be commensurate with the rest significance of it.
MEMBER ROBERTS: Begin the point if you need to something. If you're in Region III, you can say, my design is good enough because the common cause failure is not risk significant. If you're Region I or II, you can't do that. That option is not there.
You have to do something.
And the something is pretty well defined in 3.1 through 3.3. Lots of options. But I think the point is you need to do one of them and then justify why that's good enough given the risk information is part of the justification. I think it's what you intended. I'd suggest you go back and look at that section to see if you think it actually says that because I couldn't get what he said.
DR. BLEY: This is Dennis too. I agree with Tom on this one. But I would point out if you really got to the point where you could do any viable risk analysis of a software based Digital I&C system, then when you came up with change back in Section 3.1.3, you could certainly update your risk assessment and show that way that it improved the risk.
MEMBER ROBERTS: Yeah, Dennis. I agree with that. Depending on the technology of the risk assessment and why you can model the I&C system, the ideal closed form solution is you go redesign your system, repeat the risk analysis, show that you're no longer in Region I or II and say I've done my risk assessment. I've changed the design based on the risk assessment. And now I've concluded basically the risk assessment. I'm good to go.
(Simultaneous speaking.)
DR. BLEY: I agree with that. But that's not going to happen in our lifetime. So we're --
(Simultaneous speaking.)
MEMBER ROBERTS: And so the language for the SRM as I read it is you basically. You gave it a shot. You did not succeed in getting their risk space. So you go back to deterministic space.
MR. ALFERINK: You need to do something is how characterize it.
MEMBER ROBERTS: Right.
MR. ALFERINK: And that something could be commensurate with the risks and the events of it.
MEMBER ROBERTS: Right.
MR. ALFERINK: So it's not going back -- totally back to the first. You can do something else other than the first.
MEMBER ROBERTS: Right. As already laid out in Section 3.1 through 3.3. There's lots of options, including the premier rock option. You can do it if you come up with a good approach.
DR. BLEY: Dennis again. The paragraph comes pointing to us, the second paragraph in 3.4.4.
If you read that as is, it kind of sounds like you don't need to do anything. You can make a technical justification. But the language there doesn't say what you guys just said. And I think you ought to clean that up.
MR. ALFERINK: We're on slide 14 now. And the fourth step is to determine appropriate means to address the CCF. And this slide illustrates a graded approach for the review based on the risk significance of the CCF.
The risk significance of the CCF is characterized by mapping its increase in the risk for the regions in figures 4 and 5 are in Reg 1.174. This figure illustrates this mapping based on CDF. A similar figure would illustrate this process based on LERF.
If the CCF is not risk significant, meaning if the increase in risk follows Region III, a reviewer should include that standard design and verification validation processes are sufficient to address the CCF. If the CCF is risk significant, meaning if the increase in the risk follows in Regions I or II, the reviewer will evaluate the CCF against the acceptance criteria with a level of technical justification you enter with the risks of CCF. I'll now hand the presentation back to Samir.
DR. BLEY: Before you leave that one, can I ask you a question? It's Dennis. What you said all makes sense because it's a change. What isn't quite stated is I guess the change you're looking at is the change between a Digital I&C system that works perfectly and this one that you've either assumed would fail or you assume the common cause would fail it or you assume something kind of short of that. But you are using 1.174 as looking at a change. So it's a change in this system to assume failure with the previous one, right?
MR. ALFERINK: That's what I was trying to clarify in the previous slide. So the intent of this risk evaluation is different than what we would normally look at, Reg 1.174. And here we're looking at what would be the maximum increase if a CCF were to occur if you did evaluating since finishing the analysis.
DR. BLEY: Compared to the same system without the CCF?
MR. ALFERINK: Compared to the baseline.
Now assume the I&C system is not modeled in the PRA.
And as you add it in there and failing it, and that's what you would be comparing.
DR. BLEY: Okay. That's a clarification.
There was something in your response to one of the comments that made it sound like you intended something else. But that makes sense now. Okay.
MR. ALFERINK: Thank you. So here we are on slide 15. Now we'll talk about the changes made to Section B.4 regarding 0.4 of the policy. For the review of an application, that implements independent and diverse main control room displays and controls for manual actuation of critical safety function.
Section B.4 of the BTP provides this acceptance criteria. SRM SECY 22-0076 includes a sentence that allows applicants to propose a different approach if the plan design has commensurate level of safety. We've added review guidance to Section B.4 for the review of applications that propose a different approach that does not meet all the acceptance criteria in B.4. Next slide.
So here on slide 16, we're now looking at the changes to the BTP since the previous ACRS. So basically, we made clarifications throughout the BTP to address some of the discussions held during that September briefing. Comments from Member Brown and Member Roberts that were provided as an attachment to the transcript and public comments.
We received a total of 35 public comments.
And they were all provided by NEI. And we appreciate and value all the comments received. And we believe they helped improve quality and the clarity of the BTP.
We also made some staffing initiated clarifications. And we removed some references that were either unused, unnecessary, or do not provide historical value to the discussions in the BTP. A key point we want to make is that we have not made substantive changes to the analysis, methodologies for the acceptance criteria in the BTP. Now we're going to go over these changes.
Note that we only have slides for the sections that have changes. And initially, the following slides, you will see the change listed. And in parenthesis, you'll see the comment that drove that change.
So we're on slide 17. We have the general changes that apply to the whole BTP. First, we revise the BTP to consistently use the term, Digital I&C system, instead of using the many variations of the term.
This also ensures that we are using language consistent with the language used in the SRM.
Also, whenever we refer to a point in the policy, it wasn't clear which SRM we were referring to. So we revised the BTP to explicitly say that the point being discussed is an SRM SECY 22-0076. And we also revised the BTP to consistently use the term defense in depth and diversity.
MEMBER ROBERTS: To follow up on NEI Comment 24, and this may apply more for the DRG and the new reactors than for BTP 7-19. But the DRG calls it diversity and support of defense in depth which is, I think, a more descriptive term and is more consistent with the NEI comment was trying to get at.
With that point is that diversity is a means of achieving defense in depth.
And what they didn't say in the comment, I guess the question I want to throw out to you is their point is that diversity isn't always necessary to achieve defense in depth. And duals of that might be that diversity isn't always sufficient to achieve defense in depth. I just want to throw that out there.
And the context would be at a new reactor.
And it gets into the term, defense in depth, which is not really clearly defined, I found, in the DRG. It used to be clearly defined in the branch technical position with reference to NUREG/CR-6303. It defines the four echelons of defense for light water reactor which derived pretty well from a more classic defense in depth model of the barriers to radionuclide release.
For an advance reactor now, sometimes the defense in depth story is different. It's often different. And sometimes it's not as clear that the level of defense in depth that you achieve in a light water reactor with those four echelons apply directly.
An example would be an advanced reactor with a functional containment approach where there is more credit taken for the ability of the fuel itself to support the role of both the fuel integrity and containment. And so you have a categorically justified approach that says that the fuel really is that good. So the kind of design basis or licensing basis events that you look at would show that the containment function is adequately met by the fuel system.
But then if you look at the reliance on the reactor trip system, it's now -- it's covering two echelons of defense that used to be covered by two separate functions in the light water reactor space for 6303. And so the question is do you have adequate defense in depth if you only have one barrier that has diversity? So you have diversity.
You've got a system that to the best of your ability to demonstrate is not subject to the common cause failures. But you know there's things you missed. And there's now only one barrier that's really effective now, not the two, the RTS and the ESFAS.
And so kind of a long set up to determining whether diversity is sufficient to support defense in depth, since you rely on defining a defense in depth model similar to 6303. And that's why I didn't really see it in the DRG. Now the DRG I know leverages the licensing modernization process.
It has its own defense in depth evaluations. It doesn't run I&C defense in depth models. Those are plant defense in depth. And what 6303 did was map the I&C architecture to the plant defense in depth. And so you can then go forward and do your assessments on that. So I was wondering if you thought about that in terms of are there cases in probably the advanced reactor world where you would need to have a clear definition of defense in depth to understand if diversity is sufficient to achieve the safety goal you're trying to achieve.
MR. DARBALI: I think question, somebody in the audience for advanced reactors would be better prepared to answer. I'll give it a chance if anybody wants to chime in.
DR. BLEY: This is Dennis Bley. I want to follow up on that and just mention to you. I liked everything Tom said and the references he had. But you do have a NUREG/KM-9 which is a knowledge of a NUREG on a full range of history of defense in depth.
And I think that could help you out here.
MR. JUNG: Hi, this is Ian Jung from the Division of Advanced Reactors. Member Tom Roberts question about advanced reactors, I think I appreciate your comment. For the advances in modernization project, the difference in that adequacy evaluation has a set of criteria at the plant level that's based on IAEA layers of defense. I think we're trying to kind of practice that and learn from (audio interference) and see if that's going to work.
MEMBER ROBERTS: Yeah, thanks. I understand that. And clearly that needs some run time just like the DRG to see about all the different core cases if you can call it that or come out of that.
But I'm thinking more in terms of 603 as a 30-year-old document.
And I noticed in Rev. 9, you took out the specific model. It's in there because it's probably -- at 30 years old, it probably doesn't always work for even some of the light water reactors. So it makes sense to step back and make sure you've got the right model.
I think even for BTP 7-19, there may be some merit to having some sort of either an expectation from the staff or maybe something written down that the applicant or the staff puts together what is the defense in depth model to assess the diversity against. But I don't know that you could radically depart as much as some of the advanced reactors do from that model. And again, one scenario that occurs to me is an uncontrolled reactivity addition.
Some of these reactors have a fair amount of excess reactivity that's in the rods or drums or whatever. If you were to postulate that something happened to the control system, it just drove the rods and drums to the end of their travel, you might get to a temperature that violates all the limits of that fuel system. And so in that case, you're very reliant on the reactor trip system or you're reliant on some other layer of diversity like there's no plausible way to run the rods out without having something else like an analog backup stop it.
So that kind of thought process is really what I'm thinking. And it kind of starts with the IAEA Comment 24 and the diversity supports defense in depth concept. It just seems like having a clear definition what defense in depth model you're using which has diversity.
-- Again, it's something that's worth thinking about. Maybe I'll leave that as a question to think about. We'll consider we want to put something like that in the letter. Thank you.
MR. DARBALI: Thank you.
CHAIR BROWN: I'm going to be the nagging nelly on this one. I've never liked trying to define how many levels of defense in depth you need. You have to look at circumstances as they come up and determine, hey, is this -- is one going to be enough?
And then you -- sometimes you do one type of a risk analysis. The other way, you do an engineering judgment that that's based on experience with those types of systems. Do we conclude that that's okay?
I don't like being too prescriptive on how many layers of something I have. But I can make an argument, whether it's valid or not, that a four channel reactive trip system with the same software in every channel is just fine because how likely is it that when you're running asynchronously that all pieces of information flowing through each of those four channels is going to be exactly at the same place, trigger the exact same lockup, or some other malfunction at the same time and take out more than two channels. I'm not arguing one way or the other that you don't do something.
I'm just saying that trying to say you always have to define or provide some additional -- you make judgments if you go through a design based on the plant, nature of the plant, the nature of the reactivity control systems. There's a lot -- margin has been built into the plant that obviates the need for too much additional stuff. I should argue that divert different software in two as opposed to the other two.
I'm not particularly persuaded that that's all good. When you look at FPGAs, people have proposed four channels with two FPGAs that are volatile and two that are non-volatile. A volatile FPGA dumps all of its memory and has to be reloaded every time when the power comes back.
Well, you set yourself up for some deviations to occur if it doesn't boot up properly again. So why don't you use two non-volatile FPGAs?
I just think you have to look.
I don't like a lot of pre-definition for each and every -- you have to look at the plant, look at the systems required, and then evaluate what levels you're satisfied with what you got. In the old analog world, we made four channels at least that I'm familiar with that were all analog components and were identical, piece part by piece part. And people would opine, well, what if these two things fail?
Maybe it does. But I can say for sure maybe other people have in. In 35 years, I never say -- the closest I ever came was something to do with a mechanical -- a relay that was improperly manufactured in terms of cooling the laminations.
And the oil started squeezing out and made the relays stick and could prolong the withdrawal of rods when you release end hold out switch. So I'm just -- I'm not trying to counter Member Roberts and Dennis. I'm just trying to provide another perspective which should be -- that needs to be, I think, maintained for our evaluation.
I am in favor of doing stuff because I think if you can do it and do it without pillaging the system, then it doesn't cost your system to be four times what it cost otherwise. You probably ought to go ahead and do something because it provides an easy feeling in the stomach. And you want to at least have public perception to be that, hey, that you're looking at stuff. So anyway, that's my soliloquy on that.
Pass that on since I won't be able to do it again.
MEMBER ROBERTS: Yeah, Charlie. I think I agree with you on a couple of things. One is I don't think you'll ever come up with a mathematically deterministic defense in depth model. It's not something that is practical.
There's never true independence when there's a defense in depth. There's always some reliance which is kind of why you have to look at the common cause failures and try to find ways to beat your defense in depth. But the second thing is and probably maybe a restatement of what you said is that if you take a prescription like BTP 7-19 and say, I met all these objectives so I'm diverse enough.
Well, maybe you aren't depending on what the plans context is. And what do you want to call that, the defense in model -- defense in depth model of your plant or the engineering judgment of how this all fits together. It's really the same thing.
It's understanding that this new concept may be that the one wicket between you and really bad day. And how good that wicket is, maybe I'm not satisfied. And that's all process, I think, needs to be in there. That's where, again, I start with NEI Comment 24 because it kind of crystallized in my mind there is a difference between diversity and defense in depth. And this issue may go both ways.
CHAIR BROWN: I will be asking that question later relative to one other circumstance in the -- folks with BTP. Go ahead, Norbert. I'm sorry.
MR. CARTE: A couple comments. So sometimes we have different subcommunities within the NRC. So within the PRA community and you look at 1.174, diversity is listed under defense in depth. So it is independence diversity. Those sorts of things are attributes of defense in depth.
In the I&C community, we've used the term diversity to refer to kind of what we do differently in I&C. And we've ignored the overall facility defense in depth. So part of this comes to the different regulating communities and how they use the terms.
Well, let me jump onto Charlie's point a little bit. So as an engineer, I agree with what you're saying. But as a regulator, I hear this voice in the back of my head that says, bring me a rock, right?
So the applicants want something written that we can argue against. We meet this criteria.
Therefore, we have sufficient defense in depth. The problem is there isn't a good statement like that in our regulatory requirements.
And we've always made sure there was plenty defense in depth, although it's not clear what the regulatory basis for that is. So that's the problem. There is no statement in the regulatory requirements what is adequate defense in depth. And that's why it gets a little confusing.
CHAIR BROWN: I actually agree with you.
We argue about prescription and allowing people to propose different systems, different approaches to do things. Having built and developed and managed the development of probably a couple of different -- a dozen different designs over 35 years, the more prescriptive information you provide to a vendor or a manufacturer for your system, he knows what you're looking for.
You know what the accuracy is, time response to this. You want piece parts to be rated by so much or whatever the metric is. It's easier for them to proceed with their design and get it done.
Or you could just toss -- build this to do this with a blank sheet of paper. And you're constantly throwing rocks back and forth across the fence to see whose rocks are doing what you want to get done. So there's a balance between providing substantive information that the licensees are spinning around in cloud 9.
But that still provides for alternative processes and thoughts and approaches to take and to accomplish your end goals, right? It's a balance.
That's all I used a -- I just phrased it a little bit differently. That's all. Who's next? Anybody else?
MR. DARBALI: So we are on slide 18. So in the background section, we added some historical information to the beginning. Should we discuss that a little bit?
We restored the sentence on latent design defects in the design of the I&C system. We added a footnote to provide clarification to the staff on the Commission direction. We removed sentences regarding NUREG/CR-6303 because they did not add value to the discussion.
We added a segmentation, the list of some technique samples. And we removed references to other guidance documents which are not explicitly used in BTP. Next slide. And on slide 19, we are still in the background section. We removed references to regulations that are not specifically called for in the BTP criteria.
We added a reference to NUREG 2122 in the relevant guidance section. We removed references to SRP chapters or sections that are not used or are already referenced in other parties of the BTP. And we clarified that the BTP is intended to provide review guidance to the staff for ensuring an application meets the policy and applicable regulations. No questions, we can go to slide 20.
MEMBER HALNON: This is Greg. I was just going to mention that last bill in the previous one is a pretty important concept where people want -- they want a document that fills all. We're not in that place, right?
Maybe in three or four decades we might be. But adding additional guidance, additional criteria, whatnot to this, it's already included in all the references. For example, the different layers of defense in depth, it's pretty prescriptive.
You've got control, reactivity, heat removal, and the operator reaction. And then you have -- that's a kind of vertical approach. And you also have the horizontal approach which is design control and making sure you get it.
In this, what's good enough is going to have to be a conversation because it's all new technology. For the large light water reactors, we have a really good feel for what's been. And we've got a lot of operators under us.
So it's going to have to be. And I don't think we can expand this a lot further than where it's at to add more and more and more guidance. So that's why this last statement, it was an approach for the reviewers to evaluate.
It's not necessarily guidance for the applicants. And I think that, like, the set of comments from the industry, the comments here is looking for guidance from the applicant, that's not what this is. So I just wanted to emphasize that last point.
MR. DARBALI: Appreciate it.
CHAIR BROWN: I made that statement when we had the opening statement. And it is for review.
However, if I was a licensee, I would like to know what the staff is going to be reviewing -- looking for.
So I don't know that you were saying, don't have it available to licensees. But I think stuff in the SRP is fundamentally staff review guidance. Did I get that wrong?
MEMBER HALNON: No, I agree with you, Charlie. And we want to be as specific as possible to help the reviewers out as well.
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
74 CHAIR BROWN: Yeah.
MEMBER HALNON: But right now, we have a Wikipedia items criteria, things to look at, knowledge, management, and all this stuff. I don't think we're at the point now for the new reactors that they can get real specific. It totally gets them operation experience so that we know what's good.
Certainly, you can design redundancy over redundancy and certainly never get of a control layer of defense in depth. You never challenge your reactivity control systems. You never have to have an ESFAS system (audio interference) that away.
But it's too expensive. It's too much.
So my point is, is that there's a lot of stuff here.
There's a lot of stuff in the references. I don't think we know all the specifics.
We probably know more and more each year.
But every time we do an application like we did Kairos, SHINE, through conversation with the applicant, we start learning more and more and more about it. And we start talking more and more about the risk numbers and whatnot.
But the classic PRA might not apply in some new technologies. So hence, we're trying to do PRAs for when these other types of reactors, some that don't even have a core like molten salt. But anyway, I'm rambling.
But I just want to emphasize the point that this is going to be an evolutionary thing. Rev. 9 is certainly not going to get into where we see we have to be light on our feet to revise it quickly.
MEMBER ROBERTS: Greg, the comment I made at the outset was that there's a Reg Guide for diversity, defense in depth, common cause failures, whatever you want to call it. And I'm kind of curious if industry or the applicants have asked for something like that or whether you think they had enough. And I'm trying to get later to a specific question.
But one Reg Guide that does exist is Reg Guide 1.53 which is for single failure criteria. That Reg Guide is 20 years old. It endorses a 20-year-old version of the single failure criterion IEEE standard.
And that IEEE standard says there's a whole bunch of common cause failures you don't have to consider. So I look at that and say, well, a design basis space, that probably makes sense because you got reasons why you have design criteria that addressed those. And beyond design basis space, I'm not sure what it means.
And the BTP Rev. 8 added a requirement to cover hardware common cause failures which was new.
And before Rev. 8, that didn't exist. So I find myself wondering what that even means if I were an applicant.
I don't know quite where to go with that because my guidance says that I don't have to cover these common cause failures. But then Branch Technical Position 7-19 says I do. That's just one example.
So probably -- and there is on the NRC's website, there's one of those Reg Guide assessments that says that's one that you think needs revision.
So I would tend to agree there are more up to date versions of IEEE-379 that are a little clearer. And I'm not quite sure where you stand on that. But it kind of takes in the bigger question that this beyond design basis space, what do you expect?
MR. CARTE: Norbert Carte, different rules. So that question comes up sometimes. So what Reg Guide 1.53 addresses is a single failure criteria.
And under the single failure criteria, you do not consider CCF.
It's not a single failure as defined by the single failure criteria. That doesn't mean it's nowhere addressed anyone in the regulations. There are other regulatory requirements that you have.
And that's part of the introduction of the GDCs. The independence criteria in the GDCs is there to prevent systematic concurrent failures of redundant elements, right? So there are these requirements in there against CCFs, but they're not a single failure criteria.
So what people -- industry often reads that and say we don't have to consider CCF. Well, you don't have to consider CCF as a single failure. You do need to consider it in light of other criteria. So that's the clarification I would offer there.
MEMBER ROBERTS: Right, and where going to find that isn't entirely clear. And looking at just the NRC's website in terms of the reasoning of Reg Guide 1.53, one of the revisions to IEEE-379 references IEEE-352 which has a prescription for how to go assess the common cause failures in hardware.
And it goes on to say, but you don't need to cover those as a single failure analysis.
Okay. I got what you just said. That's a design basis assumption. And so design bases don't include common cause failure and single failure criterion.
But it seems like something in the NRC's guidance would evoke that, yeah, we do expect you to do this assessment that IEEE-352 calls out. And that would presumably be a feed to the BTP 7-19 assessment because that would be the -- basically the give me a rock, a rock that says, we looked at our common cause failures and here's our story. But I couldn't figure that out and look at the vacuum. It's exactly what you expect.
MR. CARTE: Right, I agree. Our regulatory guidance could be improved. So in terms of another comment in terms of design bases, so first of all, the design bases of a facility includes features to address beyond design basis events.
And you'd look at 50.34(i), for instance.
So the design bases are the functions and values in the FSAR. Now sometimes people use the term design bases to refer to what's analyzed in the accident analysis which are different, right?
So a CCF is not postulated in the accident analysis. But there are other requirements that you shouldn't have a CCF. And because you meet those requirements, you don't need to do the analysis of the CCF.
And independence is one of those requirements. The redundant portion should be independent. In other words, they shouldn't fail concurrently. Well, since that's a requirement and you meet that requirement, you don't have to do an analysis where they do fail concurrently. So the design bases includes features to address CCF. It's just that CCF is not analyzed in the accident analysis.
MEMBER ROBERTS: Yeah, I think that makes sense. But how do you get there to what the BTP 7-19 reviewer is looking for when they face the requirement to cover hardware and Digital I&C and CCF. Is it clear to the reviewer that that's the place they're going to look? Or is something more intended?
MR. CARTE: Yeah, it takes a while to train a reviewer.
MEMBER ROBERTS: So maybe the takeaway for that, I'm personally interested in what the current plan is, Reg Guide 1.53 because the item on the website is almost eight years old. And it seemed to be pretty well written in terms of why the Reg Guide should be reviewed for revision. But I guess that it's almost eight years old.
I'm not quite sure where that stands. But it seems like that would be a way to have this discussion is we look at the Reg Guide and whether the later versions of IEEE-379 are consistent with some of the principles you just outlined in terms of the way they refer back to common cause failure analysis.
That'd be probably a good place to try to put this all together. Do you know where that stands?
MR. CARTE: Well, I think organizationally, the responsibility to update the Reg Guide falls within the research. So they periodically evaluate the Reg Guides and determine -- and decide whether they need to be updated or not, although I think we could ask for a Reg Guide to be updated.
That's generally not in the NRR's scope.
MEMBER ROBERTS: I probably don't understand the overall system. The assessment was done in 2016. It says, this needs revision. I'm just kind of curious what that means in terms of --
MEMBER HALNON: That's not long ago in NRC specs.
MEMBER ROBERTS: Well, that could be.
MEMBER HALNON: I'm serious. That's pretty -- you look at some of them are 1989.
MEMBER ROBERTS: So we've got a subcommittee meeting I think at the end of June to go over the overall progress on July. Maybe that's a good topic. I'll refer that to Christina just to go over what the current thought is on that Reg Guide and maybe all the other Reg Guides, 1.53.
There may be -- that's the one I ran into when looking into this branch technical position. It was referenced in the BTP. And I personally agreed with the reason why the Reg Guide should be revised.
Kind of wonder where that stands.
MR. CARTE: Well, so we have targeted research about that. Actually, that's sort of fallen between the cracks right now. But we have said that we wanted them updated.
What we're not sure of is exactly how to update them. We have contemplated rolling the I&C Reg Guides basically into one Reg Guide or not or a smaller number of Reg Guides. We just haven't decided exactly on the path forward on that. There is a desire to update the Reg Guides. Just the exact plan of how to do that has not been decided.
MR. PAIGE: So this is Jason Paige. So we can definitely provide an update during our June 27th ACRS briefing. And we just have to look at the history of that periodic review that you're mentioning and provide a complete story during that briefing. So we'll take that as an action.
MR. MOORE: This is Scott Moore, Executive Director. As NRR noted, the Office of Nuclear Regulatory Research has a responsibility to promulgate the Reg Guides. And it also goes back and looks to see when it needs to be updated.
They do that in conjunction with the program office. And so they don't have to have Digital I&C experts in research on the Reg Guide.
They do. But they don't have to have them there in the Reg Guide group. But they have to coordinate with NRR on. And then they jointly make a decision on how it's going to move forward. So if you want to hear the status in the June meeting, I think it would be appropriate for Christina to get research to come down and talk about it.
MR. CARTE: Thanks, Scott.
CHAIR BROWN: Okay. We are about to start a new section. I was going to suggest that we take a 15-minute break and return. At that point, we will begin Section B. Okay. We're in recess.
(Whereupon, the above-entitled matter went off the record at 2:57 p.m. and resumed at 3:15 p.m.)
CHAIR BROWN: Okay. We're back in service now. In session, excuse me. Get the words right.
MR. DARBALI: So this is Samir Darbali.
We are on slide 20.
CHAIR BROWN: You have to wait till I get to B.1 --
MR. DARBALI: Okay.
CHAIR BROWN: -- in the document.
MR. DARBALI: Okay. Let me know.
CHAIR BROWN: Okay. I'm ready.
MR. DARBALI: Okay. So in Section B.1 which is the introduction to the four points, we added a point curve to that new overview figure we showed earlier which is now at the end of the document and depicts the applicable BTP sections for addressing each of the four points. We further clarified the discussion on points 3 and 4. And we clarified the discussion on critical safety functions. Next slide.
In Section B.3.1. which is the use of diversity within the design to eliminate the potential for common cause failure, we remove the references to NUREG/CR-6303 and NUREG/CR-7007 because they may be seen or interpreted as review guidance which is not the staff's intention. And as we have mentioned earlier or it was mentioned earlier some of these documents are a bit outdated. The exchange was not made a direct response to NEI Comment 30 that you see there. But it was a change made as we were evaluating how to address that particular comment. And we also reworded acceptance Criterion C to use language consistent with SECY 1890.
CHAIR BROWN: Sorry, I lost track of the slides.
MR. DARBALI: Okay.
CHAIR BROWN: They're double sided.
MR. DARBALI: We are now going to slide 21.
CHAIR BROWN: Okay, got it. All right.
I'm back in sync. Thank you.
MR. DARBALI: Okay. We were just on slide 21. We're going to 22. Okay. So for Section 3.1.3 which is the use for alternative approaches other than diversity and testing to eliminate the potential for common cause failure, we removed draft language that had been added on the risk significance of the CCF.
And we also removed a pointer to Section B.3.4 that had been added previously. That clarifies and simplifies the discussion. We added as an example of an alternative approach a well-designed watchdog timer that is not dependent on the platform software and puts the actuators in the safe state. And we clarified acceptance Criterion A for identification of
(Simultaneous speaking.)
CHAIR BROWN: I have a comment.
MR. DARBALI: Yes.
CHAIR BROWN: Or a question.
MR. DARBALI: Yeah.
CHAIR BROWN: On the second bullet, no problem with adding. It was needed after all the designs we've been through. I wouldn't call it an alternative approach. I would call it a mandated requirement that you all are not allowed to do.
But if you're missing it in any designs that come in, if I was a member I would be recommending, not approving the designs. Not dependent on platform software, that's just fine.
Puts it in a safe state, that's just fine. But it doesn't say it should be hardware based. It says it should be not dependent on platform software --
MR. DARBALI: Correct.
CHAIR BROWN: But implies that it could be a software based watchdog timer which is not really a good idea.
MR. DARBALI: So for this particular application, it would be so that you're highly unlike you would have a CCF with that timer and a CCF of the system. But I understand your point. That's too hardware based.
CHAIR BROWN: It's just we've made that point in each and every one of the design approvals that we've made for the last four or five from AP1000 through Diablo Canyon. I think there were four or five design changes.
MR. DARBALI: Right.
CHAIR BROWN: One was a plant and the other one were new designs. And I think we stuck with that each time. Just making that point. I don't know what I'm going to do with that letter-wise, right?
But go ahead.
MEMBER ROBERTS: Yeah, adding to Charlie's point, I would tend to agree that one designed watchdog timer is kind of a necessary element of a digital control system. But I'm not sure that it's sufficient. And putting it in Section B.3.1.3, an example of an alternate approach would imply that you think it is.
And I guess I'm wondering why having a watchdog timer would be a substitute for diversity, for all the other options that are in Section B.3.
And part of my thinking is the addition of digital hardware common cause failures would then require you to ensure the watchdog timer could get around any hardware common cause failure. And I'm not sure how you do that. If you use hardware, you'd postulate a hard lockup of all redundant channels from the common cause failure.
MR. DARBALI: Right. I mean, so we added as an example an applicant can propose it. But they would have to appropriately justify and identify which particular CCF vulnerabilities that watchdog timer is intended to address. So it's an example to kind of inform the reviewer. Applicants can also look at this. But it would be whatever the applicant submits that really has made the criteria in 3.1.
MEMBER ROBERTS: You're thinking it's probable that an applicant could come in and say, I have a watchdog timer, and no other argument for common cause failures and that would be good enough?
MR. DARBALI: No, no.
MEMBER ROBERTS: Okay. Because that's what I read, putting in B.3.1.3 means. They might put it in a different section like maybe 3.2.1 where it talks about what you would need to have diversity as opposed to 3.1.3. This is a substitute for diversity.
I mean, a watchdog timer is sufficient.
That's at least what I read is putting it in 3.1.3.
And again, I think putting it in the baseline position is a good idea. But I'm not sure it belongs here.
CHAIR BROWN: Here's where Tom and I would probably disagree to some extent. I don't consider a watchdog timer a diversity issue. It's a device to protect you against processes in lockup or whatever reason, regardless of all other diversity conclusions.
So you could have all kinds in my opinion.
And you're going to have to deal with him, not me in the future. So we have a small disagreement on the process. To me, it is a design approach to ensuring your process would work properly.
DR. BLEY: Charlie, it's Dennis.
CHAIR BROWN: Yes.
DR. BLEY: To me, it sounds like you're saying the same thing Tom said. I don't see the disagreement.
CHAIR BROWN: He's --
DR. BLEY: He said it's not adequate as a substitute for diversity. I think you're saying the same thing.
CHAIR BROWN: Well, I could argue and I'm not advocating this one way or the other. Like I said in an earlier comment, that you can have four channels with the same software and the watchdog timer is a method of saying, hey, look. If you make some other assumptions, engineering judgments, about asynchronous operation, not data come out of all four of the separate detectors going to them is always ever going to have the same byte configuration or corruption introduced.
And a watchdog timer is a way to ensure that the processor always completes its function. So it's to me without any diversity anyplace else. I'm not advocating that.
I'm just saying to me it's part of the design if you're going to use a software, a microprocessor type approach. But you can argue, do I need it everywhere? Just in the voting units, or should I put it in every one of the processors that is processing data that is then sending data?
I'm leaving it open. I'm just saying there's -- to me, it's a hardware design issue. But we don't have to settle that. I'm not going to argue.
I'm just planting the thought process.
It's not a -- to me, it's not an application of diversity. Is that what you said, yes or no?
MEMBER ROBERTS: No, I think it fits in section that's entitled diversity.
CHAIR BROWN: And I don't agree.
MEMBER ROBERTS: On the other hand, that's what the section is entitled as opposed to -- it gets into why you could credit the one reactor trip system you have that's officially diverse to meet the objectives. And three, that's where this belongs.
But there may be some wiggle room on the word diversity as the title's section.
CHAIR BROWN: I wouldn't worry about it.
As long as it's in the BTP, I don't care.
MEMBER ROBERTS: And again, my problem with putting it here is it implies it's sufficient.
And maybe you would argue that. But I think you'd have to go a lot more originating of why the software isn't susceptible to common cause failure, even if it's asynchronously and whether there's some potential or common cause.
(Simultaneous speaking.)
CHAIR BROWN: -- where we believe in that, right?
MEMBER ROBERTS: It depends on the consequence of failure.
CHAIR BROWN: We ought not discuss that anymore. No, I just wanted to make the point I don't put it into a diversity issue. To me, it's part of the basic reliable hardware design that you would always incorporate where the process would create a problem if it locked up. That's all.
MR. HECHT: This is Myron. Could I access something?
CHAIR BROWN: I didn't hear you. Who's that? Oh, Myron. Go ahead. I'm sorry. Go ahead, Myron.
(Simultaneous speaking.)
MR. HECHT: -- I'm going to try because it's risk quality is not very good. All right. This is the best I can do. I just want to make a comment.
Without a watchdog timer (audio interference) of detection, not really completion of the function. So you would need something warmer than the watchdog timer in order to complete the function. And that might be where the diversity comes in.
CHAIR BROWN: I agree with you. But there's ways that you either generate a trip, that's the thing that occurs, or you fire off an alarm to tell you the processor is locked out. That's another approach.
There are different ways to apply the results. I agree with your comment, by the way, that it is there to provide something and can reset the entire channel, have it reboot. So I think Norbert wants -- is that it, Myron? You have something else?
Or I'm going to let Norbert talk now.
MR. HECHT: No, that's fine. Let's get started for device quality.
CHAIR BROWN: Okay. We'll accept that.
Go ahead, Norbert.
MR. CARTE: Norbert Carte. So looking at the wording in the BTP, I now see the interpretation.
Our understanding of technical approaches weren't necessarily single measures. So the good thing about diversity and testing is they are singular measures that if applied are sufficient.
If you apply other measures, you probably need to apply them in sets because different measures address different sources of CCF. And so in that sense, maybe this example is a little misleading in the sense that we would accept the one measure. You could understand to mean we would accept one particular measure as being equivalent to diversity which are very low safety -- on a low safety significant system might increase it to the point where it's good enough.
But that's going to be a corner case. But in general, we would expect a basket of measures with appropriate justification. And so maybe that example is misleading in that way because I don't think -- the intent was not to say that a watchdog timer is equivalent to diversity. That was not the intent.
CHAIR BROWN: Okay. Go on.
MR. DARBALI: And on the last bullet, we clarified acceptance Criterion A for identification of CCF vulnerabilities using a hazard analysis technique.
On Section B.3.1.4 which is for the use of a qualitative assessment to eliminate the potential for CCF, we added a footnote to clarify that the SRM SECY 22-0076 did not modify the SECY 18-090 reference to the Risk 2022 Supplement 1. Next slide.
CHAIR BROWN: What's the title of that risk? I've heard it before. Now I've forgotten exactly what the title is.
MR. DARBALI: I'm looking for it.
CHAIR BROWN: That's okay. We don't need to take up time with that. I can clear that out later.
MR. DARBALI: Okay.
CHAIR BROWN: Go ahead.
MR. DARBALI: Next slide, slide 24, changes to Section B.3.2 which is for the use of diverse means to mitigate the impact of a CCF. We clarified the term diverse. We removed references to NUREG/CR-6303 and NUREG/CR-7007 because again they may be interpreted as your new guidance which was not the staff's intention.
MEMBER ROBERTS: Can I offer you an editorial comment on the previous slide? Printout 11, I read that probably five times. I couldn't figure out why you put it in there. That's why I saw the slide.
So reading it again now that I've seen the slide, there's the last line, I think, of the 15-line long footnote is where it says. So you might want to look at clarifying the footnote just to put that up front so it's clear why you say that. I'll just leave that for your consideration. Thanks.
MR. DARBALI: Okay. Appreciate that comment. I'm on the third bullet of slide 24. We removed references to 10 CFR 6069 and generic letter 8506 to avoid potential confusion with different safety significance categorizations.
We added a sentence on manual control connections. We added a clarification that is placed in manual controls, credited as a diverse means for 0.3 and credited for 0.4. And we added a footnote regarding the IEEE-279 and 603 requirements for certain manual control. Next slide. And on slide -- now I'll turn it over to Steve for discussion of Section B.3.4.
MR. ALFERINK: Thank you, Samir. This is Steven Alferink again. And I will discuss the changes to Section B.3.4 in the next two slides. There are a few changes to this section, all of which were made for clarity. The first change clarified the language to address concerns with references to SRP Chapter 19.
We revised Section B.3.4.
CHAIR BROWN: Steve, can I interrupt you for a second --
MR. ALFERINK: Yes.
CHAIR BROWN: -- please? Can we go back to that slide 24? Okay. It's 3.2.2, acceptance criteria for manual operations. This is under the section crediting manual operator action.
We now passed that on the next slide.
That's -- I have to back up. One of your acceptance Criterion B was the following the criteria are met.
We'll conclude that the proposed manual operator action is acceptable.
The SFC is used to support manual operation or diverse from the equipment performing the same function within the Digital I&C system unlikely to be subject to the CCF. What happened to the comment concept of independence? These are manual operations. These are manual controls.
And I don't know how -- I'm not quite sure where this crediting manual operations come in. That implies to me I go to someplace where there's a switch I turn or a button I pushed. That's a manual control.
And is it integrated into the software system? Or is it independent of the software system?
Because otherwise you can't credit the manual control if it's subject to the system.
MR. DARBALI: So above the acceptance criteria, a second paragraph of 3.2.2, second sentence.
CHAIR BROWN: Which page is this in the acceptance criteria?
MR. DARBALI: Before the acceptance criteria. So go to Section 3.2.2, second paragraph.
CHAIR BROWN: Okay.
MR. DARBALI: Second sentence, it says, for example, the point at which the created manual controls are connected should be downstream of the equipment that can be adversely affected by CCF. So I think that addresses the concern that --
CHAIR BROWN: It's independent. I understand. I was not connecting the dots. That's not as clear from looking at B. I understand. It's the general concept if you're going to have a manual -- or be downstream of the software. I guess that's okay.
I had a note here. I like that paragraph.
And then I was taken aback by a sentence. I didn't see that downstream. It seems to me part of the acceptance criteria that any manual control should be downstream. And that should be under the acceptance criteria, not just as a statement in the text.
MR. DARBALI: Understood.
CHAIR BROWN: That's all.
MR. DARBALI: Okay. Thank you. Go back to Steve on slide 25.
MR. ALFERINK: As I mentioned, the first change, clarify the language, address concerns of references, SRP Chapter 19. Specifically, we revised Section B.3.4.1 that summarized the staff review guidance in the different sections of SRP Chapter 19 and DC-0 ISG-28 and clarified that the reviewer should follow applicable staff review guidance. The second change added the discussion of the base PRA.
We've revised Section B.3.4.2 to include a discussion of the base PRA used for the risk informed B.3 assessment and update the acceptance criteria to ensure the application identifies the base PRA used for the risk informed B.3 assessment. In addition, we added a statement that the application may identify an approved risk informed application that was supported by the same base PRA which the reviewer can leverage to aid in the determination of a technical acceptability of the base PRA used to support the risk informed B.3 assessment. A third change clarified the language to address concerns regarding the need to consider inter-system CCFs in Digital I&C systems.
We revised the acceptance criteria in Section B.3.4.2 to remove terminology that is not typically used in PRA and clarify the modeling needs to address the impact of the CCF on plant equipment in multiple systems if the Digital I&C system combines functions. Next slide. So we are on slide 26 now.
The next change clarified the acceptance criterion for risk quantification associated with operator manual action.
We've revised the acceptance criteria in Section B.3.4.3 to clarify the staff's position that all operator actions impacted by the CCF need to be considered. The last change provided acceptance criteria for determining appropriate means to address the CCF. Based on the session during the previous ACRS briefing, we broke the link between Sections B.3.1.3 and B.3.4.4 and placed the acceptance criterion in Section B.3.4.4. And I'll hand the presentation back over to Samir.
MR. DARBALI: Thank you, Steve. You're on slide 27 for Section B.4 for meeting 0.4 of the policy. We made various edits to improve the clarity of the 0.4 decision and ensured consistency with SRM
We removed the reference to Regulatory Guide 1.162 as it is not intended to address 0.4. We removed a paragraph of long-term management of critical safety functions because it did not contain any acceptance criteria. And we replaced the phrase risk informed critical safety functions with critical safety functions which mean have been determined in using risk information.
CHAIR BROWN: Okay.
MR. DARBALI: Okay.
CHAIR BROWN: Trying to get my phraseology right here. Let's get back to the fact that 0.4 was modified by the Commission which was really not an overwhelmingly -- it's a different approach. We made a point in our letter on main control room -- recognize that paragraphs 2, 3, and 4 from SECY 93-087 were not addressed.
Now you told me they are still in place. Our letter had suggested that manual backup means it's critical for safety and should not be dependent on software. Actually, your subsequent supplement commented that the importance of uncompromised reactor operator controls reinforced by events such as Boeing 737 MAX events which I agree with that.
But then when you wind your way through the rest, it's still not as prescriptive. You said you did not use the same prescriptive language that we used in our letter. I didn't think we were overwhelmingly prescriptive.
But then the last paragraph got modified on B.1, the last paragraph. It highlighted -- it's the same. It displays and controls credit for 0.4. It must provide for effective manual control of critical safety functions.
SECY 087 then had words that manual hardware -- manual controls can be hardwired or be diverse. You all then eviscerated that comment, that sentence by saying these independent and diverse displays in controls do not have to be safety related or hardwired. I'm quoting that right out of your text.
And then you can propose alternative approaches. And you went on and talked about downstream as in before, second paragraph. The point I get to at the end of all this, the diverse seemed to be a substitute. Because it's diverse, it's going to be okay.
Reg Guide 162 actually states that diverse manual operations should be provided in the main control rooms. They should be downstream so the downstream is covered. Single failure still applies.
And the problem is the emphasis on diverse essentially says do not -- since we've eviscerated, you don't have to do hardware, hardwired stuff. A licensee could come in and say, okay, I've got a main control panel. This is part of -- it's phrased in your all's text.
It's the Digital I&C system which is ESFAS, all that other kind of fancy normal control. What does diverse mean? It's fine. You can apply it to a four channel system where you have diverse software so you can have other mechanisms or what have you.
But when I take 10 or 12 manual controls from the main control panel that are all being processed via the software in the basic Digital I&C integrated system. Now you're going to provide manual backups. And they can be diverse software also, and that's stated somewhere.
How does that get configured? If I build another panel that's got diverse software and I incorporate 12 manual controls that I have to have for safety or safety-related, they're considered whatever it is, system, ESFAS plus valves, certain pumps, whatever. Now I have a separate software package which is now subject to single failure because it's a single package.
So I can lose all my controls, and there's no backup at all. Effectively, you've introduced a single failure. What have you destroyed? The good thing about hardwired manual controls is they are independent.
Independence is not stressed. It talks about they need to be independent. But yet the extensive use of diverse, another panel which has diverse software.
Now you incorporate all the controls into that. That makes it good. But is it independent because it's now independent from the main control panel? That doesn't fly.
To me, that whole paragraph, I'd have to go pick out the paragraph again where we need to say in my own mind it's hardwired or diverse. Any diverse system must maintain the independence of all the manual controls that were initially that are being reapplied via a different system. I mean, there's other ways you can do it.
You can have a separate I&C system that has four channels where everything votes. If you lose this, you're still going to get something out as long as everything doesn't go. Or you can put a little digital processor for every control switch that's got a manual switch.
And now I'm processing with digital processing all the way down to whatever you're triggering it with before. So now I've got 12 software systems. So I'm substituting software for a 50-dollar switch and 150 dollars' worth of cable. And I've lost all my independence.
I'm struggling with how to address this. I mean, there's enough other words talking about independence. But yet it's difficult to see how that diverse software could be interpreted as being diverse from the main control Digital I&C system. And now I've got my independent system which is another diverse software package.
But all my manual controls are now aggregated in that new control system whereas I've lost a lot of independence. To me, that's a serious degradation of safety. That's a personal opinion, not necessarily the committee opinion.
So I'm figuring out a way to address that. I don't even know if I'll get the committee to agree with me. Some would argue that Reg Guide 1.62 has enough other words and providing diverse manual operation instead of independent and diverse displays in manual controls.
Well, what does that mean? That's still vague because it does not -- it talks about them being independent. But again, since we've got a main control panel. And I just now provided another software highlighted integrated panel for just the manual controls.
So how do you differentiate that other than saying that the functionality failure of any one main control in this integrated, aggregated system cannot impact the other -- any of the other 10 or 11, whatever the number is controls. But that's also a function. It's all basically one software package.
How do you segregate or segment it if you wanted to use that terminology such that one segment of the software can fail but the other one is not going to. But there is still communication from segment to segment. There has to be in general from timing and other data inputs.
I'm struggling what to do with that. And I've never -- diverse has been here for Reg Guide Rev. 10 -- Rev. 2 which was 2010. Or Rev. 1, I think, talked about diverse -- could be diverse also, although there was no definition of what diverse means.
I suspect if I walked into a plant today, I'd see switches and wires going in. There'd be separate rooms. They would not be integrated into a common delivering system.
And we didn't modify O-87, although we told -- one place, they said hardware -- hardwired or diverse. The other place said, you don't need to do hardwired. I didn't like the way you all translated our comments.
MEMBER HALNON: I notice that Dennis Bley's hand is up.
CHAIR BROWN: Yeah, I haven't called on him yet. Dennis?
DR. BLEY: Yeah, I've been trying to follow, Charlie, but it was long and convoluted. And I lost my way.
CHAIR BROWN: Right.
DR. BLEY: I think what you're suggesting is if you offer up -- come up with a manual action to solve one problem. But you have to make sure it doesn't create other problems and degrade the things you've already thought were good. If that's it, I don't see anything in the BTP that says you don't have to meet the existing criteria we can change. So I'm a little confused what you're trying to get him to think about.
CHAIR BROWN: If you had -- figure in your head, say, 10 manual control switches on a panel. Now you're going to use a diverse means from your main control panel, okay, where they're integrated. You could just have one other software developed control panel. And they're all aggregated in that. And my point being is the things we've lost is the independence of the manual controls. That would say
(Simultaneous speaking.)
CHAIR BROWN: That would say you can't do that. To me, that would say you can't do that.
MEMBER HALNON: Independence of the manual action controls.
CHAIR BROWN: Yeah, that you've lost the independence of independent manual because now they're all aggregated in one software based --
(Simultaneous speaking.)
MEMBER HALNON: But that in itself --
CHAIR BROWN: Says you won't pass.
MEMBER HALNON: Well, that in itself has to have no common cause failure aspect as well.
CHAIR BROWN: Oh, some people would argue that now I've got diverse software. And now since it's diverse from my main control panel. But I've aggregated again all my 12 controls into that new thing. And it's now subject to single failure.
MEMBER HALNON: So the crux of the issue is Charlie wants everything hardwired for backup. But I mean, that's clearly probably the best way to go. I think what you guys are doing is allowing some other approach that meets all the criteria of being single failure proof and it's not going to have the same common cause failure.
I'm wondering if -- the common cause failure, we say that's like beyond the design basis. Now two common cause failures, coincident would be well beyond the design basis. So I'm thinking that are we trying to paralyze ourselves by saying the what ifs to the nth degree that it's just going to be impossible to postulate.
Interesting comment because we had one of our meetings we had a whole number of plant people that were here. And we actually were talking about manual controls and one way or another. This was months ago.
And so I was talking with him at one of the breaks. And there were four of them, I believe. All four of them said, nobody in their right mind would ever hardwire manual control switches down to (audio interference). But that's just their thoughts.
MEMBER HALNON: But that makes the most sense. Maybe in some of the new reactors, it won't. But clearly, you can meet the criteria that way. But I'm just not sure that we're in a position of saying, okay, you have cascading common cause failures at the same time that prevents you from implementing a manual operator action. I just think that's maybe unreasonable to --
CHAIR BROWN: Diversity does not mean you can have one additional panel but all of them are aggregated where a single common -- single failure --
MEMBER HALNON: As long as our two panels are diverse.
CHAIR BROWN: But that's still -- if you read Reg Guide 1.6, it says you have to -- any other system has to be single failure. Hardwiring is single failure of one switch can fail if there's 12 other switches for whatever they do. So you can always -- and you have to stay on one failure to do it.
MEMBER HALNON: Well, I take it that you have 12 different functions you had to do. And you're just aggregating all those different functions --
(Simultaneous speaking.)
CHAIR BROWN: You've got a manual scram switch. You've got, for example, Manual SF switch. Then you've got some pumps and valves you've got to operate. So there's a manual. So all 12 of those are separate, separate switch, separate wires going to their functions. The ESFAS and RTS, they bypass all the software. If the other functions have some software in between, they would bypass those.
MEMBER HALNON: Don't we cover that with redundancy and the single third proof at the FSC level or if you have Train A and Train B --
CHAIR BROWN: Don't know. Right now it's clean.
MEMBER HALNON: I think those are the questions that would be asked if you tried something like that.
CHAIR BROWN: I'm going to figure out a way to try to put this into the letter some way and even get committee agreement. If they don't agree with me, that's fine.
MR. DARBALI: So if I may, I think the discussion that is happening is something that is still -- in the scenario that you're envisioning that example, that's something that can happen with Revision 8.
CHAIR BROWN: Oh, yes. I'm not disagreeing. I agree with you.
MR. DARBALI: Right, so just to go back to that hardwired part. So in SRM SECY 93-087, the Commission said the fourth part of the staff position is highly prescriptive and detailed. For example, shall be evaluated, shall be sufficient, shall be hardwired. So the Commission was the one that said the requirement that the staff had provided back in SECY 93-087 for those diverse and independent controls to be hardwired, that's too prescriptive.
CHAIR BROWN: That's right.
MR. DARBALI: And then he also said, it doesn't even have to be safe to relate it. So we've carried that --
CHAIR BROWN: You carried that forward?
MR. DARBALI: Yeah. And so --
CHAIR BROWN: And I don't have a problem with that.
MR. DARBALI: Right. So as far as --
CHAIR BROWN: They changed the shell to --
(Simultaneous speaking.)
CHAIR BROWN: No, they said they should be considered on a case basis.
MR. DARBALI: Right.
CHAIR BROWN: If I remember that correctly.
MR. DARBALI: So what we do with 22-0076, we kept that. The Commission and the SRM added the last part. And applicant can propose an alternate approach. But we haven't gone into that part in this discussion.
CHAIR BROWN: Well, you also did address that paragraph. One other approach would be a valid date in the BTP where you're talking about all this up in the front piece. I've forgotten where it was.
MR. DARBALI: So --
CHAIR BROWN: With 087, those items not addressed in 087 are still applicable. It's -- diverse has been around for a long, long time. So I'm addressing a problem that nobody -- in my own mind that nobody has taken up before. It was there in 1.62.
And therefore, the same thing could've happened even with 087 and 1.62. I don't know what Rev. 0 said. So I'm just struggling with how do we -- it's time to take a grasp on this and at least come to a conclusion somehow.
MR. DARBALI: I agree with the way Greg characterized it. You can correct me. That for a diverse and independent visual control which has to be quality and reliability are adequate for the function that if we're going to postulate a CCF for that or even a single failure of that diverse control system at the same time as the CCF of your main safety system, that really goes beyond, beyond design basis.
CHAIR BROWN: That's not what 1.62 says. It says your other system -- IEEE applies safety systems, whether control is automatic or manual. That's page 4 and position 4. No single failure was in the manual, automatic or common portions of the protection system should prevent initiation of a protective action by manual or automatic means.
So there's two different areas covered. One is more general. One's a little bit more towards the protection side. The dichotomy is there. Don't know how to deal with it. But I thought I'd bring it up and let people agree or disagree.
To me, I think some more even in this thing where it says the independence of individual hardwired controls should be maintained or something, whatever that means. And if you can do that on software-based systems, have at it. But somehow I've got main panel fails. I got 10 or 12 switches or control pieces that I need to make sure the plant is cooled and shut down.
And they're all totally independent. You don't want to lose that independence regardless of the diverse means you put in place to use all of the, you know, to substitute. So it's that inherent independence that a hardwired approach should not be lost when you use a diverse approach or control system.
MEMBER HALNON: So just a minute. Let's just take it -- let's say it's one pressure injection. You're saying the failure is your bravo train is dead, whatever failed. Now you postulate a common cause failure and control system that would've started A. Not working. Now you're saying that the panel -- clearly if it's hardwired, you're going to get it started. But you're saying that now we have to assume that the backup panel is broken from a common cause failure.
(Simultaneous speaking.)
MEMBER HALNON: It's a separate -- well, you've already taken --
(Simultaneous speaking.)
MEMBER HALNON: You don't take multiple single failures. That's what single means. That is out of bounds. So we've already taken your single failure.
Now you're taking a common cause failure, the normal system that would've started off a pump. And you're saying we can't say -- I don't think that -- this will be an independent system. It's not susceptible to the same common cause.
You shouldn't have to take another single common cause failure and takes out the control that start the pump on the backup panel. That's what I'm saying. I think it's postulating way down into the realm of -- well, legally, it's not even our purview to require that.
Now if the words don't say that in the Reg Guide in BTP, then we need to make sure that it doesn't imply that. But clearly, like I said, hardwired is the best way to go. And that's why the industry folks all say, yeah, we're going to hardwire it.
Because when the operator pushes that button, who knows that's where to start. I think we're just not used to the software running plants yet. I just want to get clear.
That seems to me unreasonable. If the words don't say that correctly, then the words are unreasonable from a designer's perspective. But isn't the independence -- again, it's at the train level and it's at the not susceptible to the same common cause level.
In other words, you can't -- you're independent from the other system because you can't -- you can have the same common cause. Otherwise it wouldn't be (audio interference). And then you have it -- for the safety system, you have an alpha and bravo train or even for reactivity control, you have four channels and diverse ways of tripping rods. So I'm having trouble getting it in my mind. But when you come up with your words, let's talk more about it.
CHAIR BROWN: I figured this was not going to be easy to sell. It's one of the difficulties. This is not the first time. Who is that?
PARTICIPANT: Someone is projecting?
MEMBER HALNON: Did we lose it again?
PARTICIPANT: Who's projecting? Did we lose the feed?
DR. BLEY: No.
MEMBER PETTI: I still see the same slide. Slide 27 is showing.
(Whereupon, the above-entitled matter went off the record at 4:04 p.m. and resumed at 4:05 p.m.)
PARTICIPANT: A minimum of equipment. And that needs to be interpreted a little bit. And the other part is the historical context. So 92-087 was written obviously in '93.
603 was incorporated in '99. So you have a rule that comes after the policy. And the wording in 603, that's referenced in the independence criteria and a minimum of equipment criteria.
And the designs we're talking about, you can even think of a design as being split up into three pieces. Say a bistable piece where you have a sensor and bistable, then you have a voting piece. Those can be on separate boxes. And then once you generate a voted signal like containment isolation, containment spray, safety injection, you have a separate system that implements that.
So at what point does the -- which CCF are you worried about? Are you worried about a CCF in the bistable -- or the sensor and bistable processor in which case your manual input goes into your voter. Or are you worried about a CCF in your digital voter, right?
So if it's a digital voter and it locks up, it doesn't matter. Both the bistables and the manual controls are bad. Well, okay, what if it goes directly to the implementation processor?
Well, if the implementation processor has two channels, one from the automatic system and one from the manual system, what about a CCF in the implementation processor, a diesel sequencer, for instance? You could have the automatic system fail to tell the diesel to start. Or you can have the automatic system work and the manual system work but the diesel has the CCF.
So it's a complicated issue and it will require engineering judgment. And it would be -- I'm not sure that we could come up with criteria in this BTP to cover all design options. And so I think there will be some engineering judgment in the application of the design criteria and other standard incorporated by reference.
I think it's you're either prescriptive and say it's hardwired which the Commission didn't let us do. Or you're flexible and will require engineering judgment. And we're sort of in that latter space.
CHAIR BROWN: One way to look at me how I came to this is that I read the -- multiple times, I've read the 087. And I looked at it and I didn't really overwhelmingly disagree because it just said it should be considered on a case basis based on the design. I could accept those.
Then I got to BTP 7-19 where in mine it says you don't have to do it. Or it says you do not have to use -- you do not have to use hardwired. I could quote the words. I've got them in here somewhere as part of the BTP.
A totally different way of framing it as opposed to you have hardwired or diverse. Determine that based on a case by case basis. And I've been reading that now for 16 years. And now the words change which effectively puts a different color of lipstick on the pig.
MEMBER HALNON: It doesn't preclude hardwiring.
CHAIR BROWN: Yeah, but it kind of says you don't have to do it.
MEMBER HALNON: But if that's the most preferred way, most designers do that.
CHAIR BROWN: There's a lot of things, as has been a reviewer of design.
MEMBER HALNON: Well, I mean, the conversation we had, the bring me a rock issue on uncertainty, that would take that part of the equation out of it. The regulatory process, if you came in and said, well, it's diverse because it's hardwired. So I mean, it's a choice.
CHAIR BROWN: Oh, I agree with that.
MEMBER HALNON: It's a choice. It's a choice.
CHAIR BROWN: It's also cheap.
MEMBER HALNON: Well, I don't know if it's the 150 bucks for cable.
CHAIR BROWN: Oh, it doesn't matter. A lot less than two million, another software design, or the five million or whatever it costs these days.
MEMBER HALNON: Anyway, I mean, it does open up the choice early on, on the designer's perspective. Do I want to go, for lack of a better term, fight this with a regulatory person to convince them it's diverse enough? Or do I just say hardwired and there's no question?
CHAIR BROWN: The other question that comes up is, how often do you exercise the backup manual control panel? Do you do that quarterly, semiannually to make sure all the switches work? Or are you going to do that -- the problem with a diverse system that's all software based, you're not using it all the time. You have no idea what it's doing.
MEMBER HALNON: You can start with the remote shutdown panel system. It's not -- I don't recall the surveillance frequency on them. But they do exercise (audio interference).
CHAIR BROWN: Anyway, I wanted to just voice the concern. As you can see, we have divergent views on how it should be interpreted.
MR. DARBALI: I just wanted to note on the issue of not having the requirement for independence, the six acceptance criteria, acceptance Criterion Item F says --
CHAIR BROWN: Oh, yeah. I agree with that. I don't disagree with Item F. It's still -- but it's --
MR. DARBALI: It requires them to be independent and diverse.
CHAIR BROWN: Yeah. Or independent and diverse from the equipment performing the same function with the proposed DI&C systems which are new terminology. And like I say, diversity has a lot of different flavors. They can be all hardwired. That's diversity.
They can be all aggregated into one new brand new integrated software panel which now carries its own -- in spite of Greg's protest to common mode failures. I do not trust software for basic reactor safety additions in both normal and backup circumstances. All the right words are in there. Bypass software.
But if you create a new software bypass how did you bypass software, downstream of software. New system would not be downstream of software. It'd be creating its own software.
Got to remember that and put it in the letter. I'll have to counter your discussion. Anyways, that's the purpose of these discussions, bring issues up and their thought processes up. There's a hand that's up. Whose hand is up?
MR. DARBALI: I think that's the cursor.
CHAIR BROWN: Oh, is that -- so you're out of control over there, Greg? All right. Go ahead.
22 MEMBER ROBERTS: Just maybe a closing 23 observation. I think the DRG is a lot clearer on 24 this. It's another example of when you get to 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
122 singling up on one guidance document, here's one where 1
maybe the DRG is clearer description of what the 2
overall goals is.
3 CHAIR BROWN: What does it say?
4 MEMBER ROBERTS: It says the reviewer to 5
confirm the manual controls are independent and 6
diverse --
7 CHAIR BROWN: You're going too fast. My 8
brain --
9 MEMBER ROBERTS: The reviewer to confirm 10 11 CHAIR BROWN: What did you say?
12 MEMBER ROBERTS: The reviewer to confirm 13 the manual controls are independent and diverse from 14 the Digital I&C safety systems, parenthesis, e.g.,
15
- simple, dedicated,
- discrete, hardwired logic 16 components, end parenthesis. And then it goes on from 17 there. But by putting an e.g., it clearly expresses 18 as a preference. That's not a requirement which is 19 consistent with what Charlie has been saying about 20 putting the first solution forward first and then 21 allowing the flexibility that the Commission asked for 22 30 years ago.
CHAIR BROWN: I did not like the words, you do not have to. I prefer the words that were similar in the previous -- similar to that. It's just a different flavor enhancer and it carries a certain amount of -- if I was a designer, I would look at that and say, it's going to be easier to get acceptance of this than that. So all right.
MR. DARBALI: Okay. So we are now on Slide 28.
CHAIR BROWN: There are two slides. What did I do with them? Here they are.
MR. DARBALI: So to summarize, the staff provides BTP 7-19 to incorporate SRM SECY 22-0076. We made changes after the September briefing in response to public comments and feedback received from ACRS members. We also made clarifications throughout the BTP. And most importantly, there were no substantive changes made to the analysis of the technology for the acceptance criteria in the BTP. Next slide.
CHAIR BROWN: Go ahead.
MR. DARBALI: Okay. And so our next steps, we are scheduled to brief the full committee on March 6th. And we are still trying to reach for the final BTP in May. And that concludes our presentation.
CHAIR BROWN: You might address this last discussion in your presentation on the full committee. Even though everybody is here, you've had time to think about it. And I think if we're going to have a discussion on it, since all the other members, particularly Dennis and some of the other risk people.
MEMBER HALNON: I've shot all my bullets for you guys. You'll have to put up with --
CHAIR BROWN: Can we get a copy of the transcript pretty quick -- very quickly for them, okay, as well as us. Okay. Thank you. Oh, I guess my suggestion would be to -- of all the discussions, there was one. Did you get your ones on the risk informed or the non-light water?
MEMBER HALNON: Yeah, Tom. You mentioned a couple times when you made some suggestions and some maybe a little bit stronger than suggestions that you might want to summarize those, at least --
CHAIR BROWN: This is the only one I --
(Simultaneous speaking.)
MEMBER ROBERTS: I think if I -- I'll go by my list coming in of four items. I think it's still the same four. The first one is a question I asked at the outset is whether there's anything from public comments or discussions about the -- that would change the DRG or be considered, somebody applicable to advanced reactors that you had and those you considered.
So even if it doesn't change the PRG, it factors back into the review team so they understand what came out of the public comments in this discussion as well as the question of the long-term vision of the DRG and the BTP, what your thoughts are in terms of delivering that into a Reg Guide or a simple guidance. They have a guidance document or something else, whatever your thought is. So that's one area that they could talk about at the committee meeting in two weeks.
Second one was they had on the model defense in depth, again, primarily for advanced reactors and not looking for mathematically self-consistent model that you could put through a calculator. But just the overall guide for what you're judging your diversity against in terms of the defense in -- it's diversity adequate for the defense in depth. It starts with what's defense in depth model and some thoughts, especially with some of the concepts that are quite a bit different from the light water reactor work, what's the foundation for this BTP.
Third one is potentially editorial. But for Steve to take a look at that 3.4.4 section to see if it really says what the intent is. I don't think it does, but take another look and see if there's some clarification required to get it to say what you meant to say.
And the fourth one has to do with maybe independent of the cycle position. But just the overall expect changes for hardware common cause failures and to have that factor into Reg Guide 1.53 and the work there. And my view is two weeks is probably not a reasonable time to come up with a position on that. The meeting they have in June is probably the right time to cover that.
And it's very -- nothing in Rev. 9, I don't think the change is there. That was added in Rev. 8. And so I think that's really an independent discussion, but it's probably worth just making clear what it is. This one thing is an issue that's worth talking about then.
MEMBER HALNON: Good summary. I had a couple housekeeping items. I just wanted to check and make sure that I understood. In the background section, Dennis said that all license facilities are considered to have sufficient design features to address CCFs, especially with the designs. Is that back to what you were talking about, Norbert? Or it's beyond design basis that we're assuming?
MR. CARTE: I guess the concept is the fact that they have a license means we have determined they have adequate defense in depth.
MEMBER HALNON: More adequate protection of safety.
MR. CARTE: Right. So the question is when they make a change to the facility and have a different architecture of their systems or use a different technology. That's part of this discussion. What other things do they need to consider? And they need to consider only defense -- only additional defense in depth to address the new hazards introduced by the new design or the new technology.
MEMBER HALNON: Okay. And if there's some issue with the design, that's going to be handled in the traditional inspection oversight process. They're not making a change. Or during their change you review and you see something, hey, that design of that system doesn't have the appropriate --
MR. CARTE: Well, there's a backfit criteria for that. So if we approved it in --
MEMBER HALNON: That's what I meant.
MR. CARTE: -- we now don't like it.
MEMBER HALNON: Normal oversight, it'd have to be a violation and/or something like that.
MR. CARTE: We would compare it to a backfit criteria to see if it crossed threshold.
MEMBER HALNON: That's where I was going with that. On the next page, it talks about the evolutionary and (audio interference). In accordance with Commission direction and NRC staff SRM of SECY 93-087, it says the NRC typically considers CCF and the I&C systems beyond design basis. And we talked about that earlier. When is it no? It says typically. I mean, that gives me this opening of saying, well, when is it atypical?
MR. CARTE: Right. So the assumption that CCF is beyond design basis makes a -- it's written in a certain context in that you have requirement independent. Redundant portions of a safety system are independent and that you follow a QA program. So you have all these other requirements that you rely on.
And because of all these other requirements, CCF is beyond design basis. So the question then becomes, well, if you were to eliminate or erode those other requirements, you're right. I won't point you across the threshold and should you consider CCF within design basis.
And we haven't figured that out. But there's always that potential. It's not beyond design basis. You can change everything else no matter what you do. CCF is beyond design basis. No, that can't be true.
MEMBER HALNON: So what was the purpose of adding the word typically? Is that just to give you that out just in case?
MR. CARTE: Basically, yes. So what happens is often people look at one statement and take it out of context. And first of all, inasmuch -- the Commission statement was inasmuch as. It didn't just say simply CCF is beyond design basis. So that lifts some room for when is it and when is it not beyond design basis.
MEMBER HALNON: Rather than transliterate it, you translate it into -- okay. That's fine. I wanted to make sure that I understood that it wasn't something else like a design coming through that you say, hey, that common cause failure could be within the design basis. But I understand what you meant. It's almost like a problematic defense in depth of all these things.
MR. CARTE: Right. This statement was made within a context. If you change the context, the statement may no longer be valid.
MEMBER HALNON: Okay. I got it. Thanks. That's all I got.
CHAIR BROWN: And one other one relative to 087. Under your relevant guidance, you do list SECY 93-087. And then you talk about the 22-076. And you talk about the SRMs at 22-0076.
I would just suggest that under the bullet for the 087 that you just note in there that positions not modified by SECY -- or SRM whatever it is until -- I mean, still apply whatever the appropriate words are, just to make it clear that that's still relevant to the overall processes. So there's a lot of stuff in that 2Q -- page 18, Section 2Q, that are applicable, okay, in the last three paragraphs.
(Simultaneous speaking.)
MEMBER ROBERTS: And actually to follow up to Greg's comment on the word typically. So footnote 3 of the document has a sentence that says typically when the NRC uses the term, beyond design basis, it is prior to stipulating particular criteria or a particular situation. It's probably where that sentence came from. It doesn't seem like that's necessarily true.
MR. CARTE: Well, if you look at practices like SBO, so every once in a while, the NRC says, this is beyond design basis and then do X, Y, and Z. So whenever we specifically talk about events that are beyond design basis, we stipulate particular criteria for those events. So the problem is a difference between, say, binary thinking and trinary thinking.
So there's design basis events, beyond design basis events, and then events not considered, right? So there are some beyond design basis events that are considered. And as 50.34(i) says that you have design basis features to address beyond design basis events.
So some beyond design basis events are addressed in the FSAR in the application and some are not. Primary vessel breach is not addressed. So we talk about in a binary sense of design basis, beyond design basis.
And it's really a trinary concept: design basis, beyond design basis, and not considered. And I'm trying to elicit or enlighten in that area. And particularly whenever you see, like, ATWS being discussed, it says beyond design basis and then do these criteria. And so it's how we -- it's a practice we engage in. But I don't know if it's summarized anywhere else.
MEMBER ROBERTS: I was thinking about action mitigation alternatives that are required by the 10 CFR 51. And there's pretty much a general requirement that at some point as part of the EIS the -- you asked me the assessment of the cost benefit of various action management alternatives. And that didn't seem to me to fit this definition.
(Simultaneous speaking.)
MEMBER ROBERTS: That's why this stanza maybe could be deleted. It doesn't seem to add anything either.
MR. CARTE: I'll think about that. But the problem is I'm trying to get people out of this, it's beyond design basis. Therefore, we don't consider it. And --
MEMBER ROBERTS: I agree with that.
MR. CARTE: And maybe that sentence doesn't convey the message properly. But that's what I was trying to do.
CHAIR BROWN: Everybody -- all members that are online, anybody else have any comments or things they'd like to say?
I waited 15 seconds. I hear nothing. Is there anybody on the public lines right now that would like to make a comment relative to this meeting?
MEMBER HALNON: Just if you do have a public comment, just unmute your mic and state your name and affiliation if appropriate and state your comment.
CHAIR BROWN: Hearing none --
MEMBER PETTI: Can we test if there's someone from the public we can hear the public. Can we just get someone from the public to say hello?
CHAIR BROWN: That's a good idea.
MR. BURKHART: Hello. This is Larry Burkhart.
CHAIR BROWN: Good. The line is working. Thank you.
MR. BURKHART: I'm virtual, not public but virtual.
CHAIR BROWN: Okay. Thank you. At least we know it works. With that, any additional?
MEMBER HALNON: No, I want to thank you. You did a great job today, a lot of good information. I look forward to the full committee meeting and then learning more in June as you come back. So I really appreciate the work you put into this. Thanks.
CHAIR BROWN: I've lost my train of thought. Where are we? Do you got anything else? You're done? Yeah, I wanted to go ahead and thank you.
Another enlightening Digital I&C subcommittee meeting with plenty of issues and agreements and disagreements, the back and forth which is always entertaining and fun. And other thing, it's nice to see some young folks starting to come up through the ranks. You're not a young folk. I'm the young folk here.
But it was a good briefing, a good discussion. It was nice that you were able to answer the questions. That's even better. And it just demonstrates the value of our in-person meetings as opposed to -- we could've never I don't think achieve the depth of which we discussed today without having you all show up personally.
So as a subcommittee chairman, I much appreciate your all's personal appearances here today as well as senior staff to maintain continuity and to take care of the slides and stuff. So I think it was very productive, much appreciated. And we will see you on -- well, whatever it is in March, when it's March full committee week. We are recessed. No, we're adjourned.
(Whereupon, the above-entitled matter went off the record at 4:31 p.m.)
Advisory Committee on Reactor Safeguards Digital Instrumentation & Controls Briefing
February 22, 2024
SRM-SECY-22-0076 Implementation: Branch Technical Position 7-19, Revision 9
Opening Remarks
Presentation Outline
- Background
- Timeline
- SRM-SECY-22-0076 Direction and Staff Response
- Changes from Revision 8 to Revision 9
- Changes since the September 7, 2023, ACRS Briefing
- Key Messages and Next Steps
- Closing Remarks
Recent Activities
- 01/25/2021: Revision 8 of BTP 7-19 issued
- 08/10/2022: SECY-22-0076 submitted to Commission
- 01/23/23: Supplement to SECY-22-0076 submitted to Commission
- 05/25/23: SRM-SECY-22-0076 issued
- 09/07/23: ACRS Full Committee briefing
- 10/24/23 - 11/24/23: Public comment period
- 02/22/24: ACRS DI&C Subcommittee briefing
- 03/06/24: ACRS Full Committee briefing
- 05/24/24: Revision 9 of BTP 7-19 issued
SRM-SECY-22-0076
- The Commission approved the staff's recommendation to expand the existing policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth, subject to the edits provided
- The Commission directed the staff to clarify, in the implementing guidance, that the new policy is independent of the licensing pathway selected by the reactor licensees and applicants
- The Commission directed the staff to complete the final implementing guidance within a year from the date of the SRM (May 24, 2024)
Staff Response to Meet the SRM
- Allows the staff to review risk-informed applications
- May result in use of design techniques other than diversity
- Focused the revisions on implementing the expanded policy
- Staff briefed the ACRS Full Committee on September 7, 2023
- Staff received and dispositioned public comments
Substantive Changes to BTP 7-19 (Rev. 8 - Rev. 9)
- Revised Section B.1.1 to reflect the updated four points in SRM-SECY-22-0076
- Revised Section B.1.2 for clarification of critical safety functions
- Revised Section B.3.1.3 for evaluation of alternative approaches
- Added Section B.3.4 for evaluation of risk-informed D3 assessment
- Revised Section B.4 for evaluation of different approaches for meeting Point 4
- Added five flowcharts to facilitate the review
- Added language from RG 1.152 to address a prior commitment to ACRS regarding communication independence and control of access
Overview of BTP 7-19, Revision 9
- Point 1: Need for a Detailed D3 Assessment (Sections B.2, B.3.1)
- Deterministic Path
  - Point 2: Detailed D3 Assessment: Best-Estimate Methods (Section B.3.2)
  - Point 3: Addressing, Mitigating, or Accepting the Consequences of Each CCF Using Diverse Means (Sections B.3.2, B.3.3)
- Risk-Informed Path
  - Point 2: Detailed D3 Assessment: Risk-Informed Approaches (Sections B.3.4.1, B.3.4.2)
  - Point 3: Addressing, Mitigating, or Accepting the Consequences of Each CCF Using Design Techniques or Mitigation Measures Other than Diversity (Sections B.3.4.3, B.3.4.4)
- Point 4: Independent and Diverse Displays and Manual Controls (Section B.4)
Changes to Sections B.1.1 and B.1.2
- Updated Four Points of the Policy (Section B.1.1)
  - Replaced the four SRM-SECY-93-087 points with the SRM-SECY-22-0076 points and updated the explanation of the points
- Critical Safety Functions (Section B.1.2)
  - Clarified the term critical safety functions and that the list of these functions in SECY-22-0076 are examples representative of operating light water reactors
  - Clarified that other types of reactors may have different critical safety functions based on the reactor design safety analysis
  - The identification of such functions may be risk-informed
Alternative Approaches (Section B.3.1.3)
Two pathways for the evaluation of alternative approaches other than diversity and testing to eliminate the potential for CCF from further consideration:
- Previous endorsement or approval
  - Ensure it is applicable
  - Ensure it is followed
  - Justify any deviations
- A new approach proposed as part of an application
  - Use the acceptance criteria in BTP 7-19
  - Review description of vulnerability being addressed
  - Review description of alternative approach and justification
Risk-Informed D3 Assessment Process (Section B.3.4)
Flowchart boxes:
- Identify each postulated CCF
- Address the CCF using a risk-informed approach
  - Determine consistency with NRC policy and guidance on RIDM (Section B.3.4.1)
  - Model the CCF in the PRA (Section B.3.4.2)
  - Determine the risk significance of the CCF (Section B.3.4.3)
  - Determine appropriate means to address the CCF (Section B.3.4.4)
- Address the CCF deterministically
- Justify alternative approaches
Risk-Informed D3 Assessment
Determine Consistency with NRC Policy and Guidance on RIDM
- Review applications that use risk-informed approaches for consistency with established NRC policy and guidance on RIDM
Model the CCF in the PRA
- Evaluate how the CCF is modeled in the PRA and the justification that the modeling adequately captures the impact of the CCF on the plant
Risk-Informed D3 Assessment
Determine the Risk Significance of the CCF
- The risk significance of a CCF can be determined using a bounding sensitivity analysis or a conservative sensitivity analysis
  - A bounding sensitivity analysis assumes the CCF occurs
  - A conservative sensitivity analysis assumes a probability less than 1
    - Provides a technical basis for a conservative probability of the CCF
    - Demonstrates that all principles of RIDM are addressed
    - Addresses the impact of this assumption on PRA uncertainty
- A CCF is not risk significant if the following criteria are met:
  - The increase in CDF is less than 1 x 10^-6 per year
  - The increase in LERF is less than 1 x 10^-7 per year
Risk-Informed D3 Assessment
Approaches for Meeting Point 4 (Section B.4)
- Section B.4 provides six acceptance criteria for independent and diverse main control room displays and controls for manual actuation of critical safety functions
- Applications that propose a different approach (i.e., one that does not meet all the acceptance criteria in B.4) provide appropriate justification
Changes to BTP Since Previous ACRS Briefing
- Clarifications made throughout the BTP to address:
  - Public comments
  - Discussions during the September 7, 2023, ACRS briefing
  - Comments from Member Brown and Member Roberts (attachment to transcript)
- No substantive changes made to analysis methodologies or acceptance criteria
General Changes to the BTP
- Revised the BTP to consistently use the term digital I&C system instead of the multiple variations of the term (e.g., digital safety system, I&C equipment, I&C systems, digital I&C system or component, digital technology, etc.)
- This also ensures the BTP uses language consistent with SRM-SECY-22-0076 (NEI 1)
- Replaced point X of the policy with point X of SRM-SECY-22-0076 to clarify which point is being referred to (NEI 18)
- Revised the BTP to consistently use the term defense in depth and diversity (NEI 24)
Changes to Section A. Background
- Added historical information at the beginning of the section
- Restored the sentence on latent design defects in the design of the DI&C system (ACRS Member Comment 8a)
- Added footnote 3 to provide clarification to the NRC staff on the Commission direction
- Removed the sentences regarding NUREG/CR-6303 because they did not add value to the discussion
- Added segmentation to the list of design technique examples (NEI 26)
- Removed references to other guidance documents which are not explicitly used in the BTP (NEI 1)
Changes to Section A. Background
- Removed references to regulations from the Regulatory Basis section that are not specifically called for in the BTP criteria
- Added a reference to NUREG-2122 in the Relevant Guidance section (ACRS Member Comment 3)
- Removed references to SRP chapters or sections that are not used or are already referenced in specific parts of the BTP
- Clarified that the BTP is intended to provide review guidance to the NRC staff for ensuring an application meets the policy and applicable regulations (i.e., it is not intended as guidance to applicants for developing a D3 assessment) (NEI 2)
Changes to Section B.1
- Added a new figure at the end of the document depicting the applicable BTP sections for addressing each of the four points in SRM-SECY-22-0076 (NEI 2)
- Clarified the discussion on Points 3 and 4 of SRM-SECY-22-0076 (NEI 1, 10, and 11)
- Clarified the discussion on critical safety functions in Section B.1.2 (NEI 12)
Changes to Section B.3.1.1
- Removed references to NUREG/CR-6303 and NUREG/CR-7007 because they may be interpreted as review guidance, which is not the staff's intent (NEI 30)
- Reworded acceptance criterion c. to use language consistent with SECY-18-0090
Changes to Section B.3.1.3
- Removed language that was added on risk-significance of the CCF and the pointer to B.3.4 (discussions during ACRS DI&C SC briefing)
- Provided a well-designed watchdog timer as an example of an alternative approach (NEI 16)
  - Not dependent on the platform software
  - Puts the actuators in a safe (i.e., actuated) state
- Clarified acceptance criterion a. for identification of CCF vulnerabilities using a hazards analysis technique (NEI 3)
Changes to Section B.3.1.4
- Added a footnote to clarify that SRM-SECY-22-0076 did not modify the reference to RIS 2002-22, Supplement 1, in SECY-18-0090
Changes to Section B.3.2
- Clarified the term diverse (NEI 17)
- Removed references to NUREG/CR-6303 and NUREG/CR-7007 because they may be interpreted as review guidance, which is not the staff's intent (NEI 30)
- Removed references to 10 CFR 50.69 and GL 85-06 to avoid potential confusion with different safety significance categorization schemes
- Added a sentence on manual control connections (ACRS Member Comment 5a)
- Added a clarification that displays and manual controls credited as the diverse means for Point 3 may also be credited for Point 4 (NEI 32)
- Added a footnote regarding the IEEE Std 279 and IEEE Std 603 requirements for certain manual controls
Changes to Section B.3.4
- Clarified the language to address concerns associated with references to SRP Chapter 19 (NEI 4, 22)
- Included a discussion of the base PRA model (NEI 6)
- Added reference to previously approved risk-informed applications
- Clarified the language to address concerns regarding the need to consider intersystem CCFs of DI&C
- Removed terminology not typically used in PRA (NEI 19)
- Clarified modeling the impact on multiple systems (NEI 5)
Changes to Section B.3.4
- Clarified acceptance criteria for risk involving operator actions (NEI 8)
- Provided specific acceptance criteria for determining the appropriate means to address the CCF instead of referencing the criteria in Section B.3.1.3 (discussions during ACRS DI&C SC briefing)
Changes to Section B.4
- Various edits made to improve the clarity of the Point 4 discussion and ensure consistency with SRM-SECY-22-0076 (NEI 9, 34, and 35)
- Removed reference to RG 1.62 as it is not intended to address Point 4 (NEI 20)
- Removed paragraph on long-term management of critical safety functions because it did not contain related acceptance criteria (NEI 21)
- Replaced risk-informed critical safety functions with critical safety functions (which may have been determined using risk information) (discussions during ACRS DI&C SC briefing)
Key Messages
- BTP 7-19 revised to incorporate SRM-SECY-22-0076
- Changes made after September 2023 ACRS Full Committee briefing in response to public comments and ACRS member feedback
- Clarifications made throughout the BTP
- No substantive changes made to analysis methodologies or acceptance criteria
Next Steps
- ACRS Full Committee briefing scheduled for March 6, 2024
- The staff is planning to issue the final BTP 7-19, Rev. 9 in May 2024
Closing Remarks
Acronyms
- ACRS: Advisory Committee on Reactor Safeguards
- BTP: Branch Technical Position
- CCF: Common Cause Failure
- D3: Defense-in-Depth and Diversity
- DI&C: Digital Instrumentation and Control
- I&C: Instrumentation and Control
- NEI: Nuclear Energy Institute
- NRC: Nuclear Regulatory Commission
- PRA: Probabilistic Risk Assessment
- RG: Regulatory Guide
- SECY: Commission Paper
- SRM: Staff Requirements Memorandum
- SRP: Standard Review Plan
References
- Transcript of September 7, 2023, ACRS Full Committee briefing and attachment with comments provided by Member Charles Brown and Member Thomas Roberts (ML23264A865)
- NEI Comments on Draft BTP 7-19, Revision 9, dated November 21, 2023 (ML23326A117)