ML24103A153


NEI Supplemental Information on NRC Comments of NEI 20-07 Rev E (Non-Proprietary) - Slides
Accession number: ML24103A153
Site: Nuclear Energy Institute
Issue date: 04/12/2024
From: Nuclear Energy Institute
To: Office of Nuclear Reactor Regulation

©2024 Nuclear Energy Institute NEI 20-07 Rev. E Comments - Non-Proprietary March 28, 2024

Non-Proprietary Topics:
- EPRI Product Usage
- Advanced Reactor Considerations
- Credible and likely sources of CCF
- Control Method Scoring
- DEG, HAZCADS, and DRAM
- Other Comments

EPRI Product Usage (Non-Proprietary)

EPRI Product Usage
(Columns: Comment #; Excerpt or Section Number from NEI 20-07; Question or Feedback)

Comment 36.

Refer to EPRI DRAM for details regarding the CME scoring methodology.

Does NEI intend for the NRC staff to review and endorse the DRAM process?

Does NEI intend to provide this document on the docket?

Comment 62.

NEI 20-07 lists the following EPRI reports as available evidence: EPRI 3002004995, EPRI 3002004997, and EPRI 3002000509.

Does NEI intend to provide these reports on the docket?

NEI is not planning to docket EPRI products, nor request direct endorsement of those products.

NEI 17-06, Guidance on Using IEC 61508 SIL Certification to Support the Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Related Applications, used a similar approach.

NEI did not docket IEC 61508, ISO 17065, or the underlying EPRI research documents.
NEI did not request endorsement of documents other than NEI 17-06.
Regulatory Guide 1.250 endorses the use of IEC 61508 and ISO 17065 as described in NEI 17-06 (i.e., to the extent they are used in NEI 17-06).

EPRI Product Usage

EPRI products are agnostic to the regulatory environment in which they are used.
NEI 20-07 Section 4.2 provides criteria intended to adapt EPRI HAZCADS and DRAM to address SRM-SECY-22-0076.

Considerations needed to demonstrate compliance with the US regulatory environment will be addressed within NEI 20-07, not EPRI HAZCADS and DRAM, as needed.

EPRI Product Usage

Does NEI intend for the NRC staff to review and endorse the DRAM process?

Does NEI intend to provide this document on the docket?

NEI does not plan to docket EPRI products.

NEI is seeking endorsement of NEI 20-07.

If the NRC needs to review/endorse EPRI products, then NEI recommends it be done like NEI 17-06.

NEI is open to expanding the summaries of the EPRI products being used if that would preclude the need to review/endorse HAZCADS/DRAM.

Question 36

Does NEI intend to provide these reports [EPRI 3002004995, EPRI 3002004997, and EPRI 3002000509] on the docket?

No, these documents are available through EPRI's website.

NEI is open to including summaries of the EPRI research products being used if that would preclude the need to review/endorse NEI 20-07.

Question 62

Advanced Reactor Considerations (Non-Proprietary)

Advanced Reactor Considerations
(Columns: Comment #; Excerpt or Section Number from NEI 20-07; Question or Feedback)

Comment 4.

Excerpt: Various sections regarding guidance on non-light-water reactors (non-LWRs) and new LWRs.

NEI 20-07, applicable to both operating and new LWRs and non-LWRs, is written with more details or focus on operating LWRs. Additional enhancements or clarifications regarding guidance for non-LWRs are needed as discussed in comments below.

Examples include the use of risk metrics, acceptability of the probabilistic risk assessment used, and other guidance on non-LWRs under the licensing modernization project (LMP). The NRC staff suggests a comprehensive evaluation of NEI 20-07 on this topic.

Most new LWRs have successfully employed the deterministic best-estimate coping analysis to address CCF concerns in accordance with the Commission Policy in SRM-SECY-93-087 and may choose to follow the same deterministic approach for future LWR designs. NEI 20-07 should also address use of a deterministic approach for addressing the digital I&C CCF concerns.

Comment 5.

Excerpt: Applicability of NEI 20-07, Rev E to advanced reactors including microreactors.

The NRC staff notes that some of the advanced reactors may not be vulnerable to potential DI&C CCFs of concern. For example, the inherent safety and/or passive features may demonstrate that the designs are safe for the CCF scenarios using the LMP process in RG 1.233. Another example may be that there may not be any HSSSR DI&C systems in some of these designs. The NRC staff suggests that NEI 20-07 consider this feedback and include any additional clarifications as necessary regarding the use of its guidance for this area.

Comment 15.

This process may be applied to operating reactor licensees or new plant applicants.

Applicants using this guidance for new plant applications using Regulatory Guide 1.233 can use this guidance to develop a D3 assessment to demonstrate the adequacy of special treatments applied to address CCF.

The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.

There is a need to define the scope of NEI 20-07.

Comment 18.

Excerpt: HSSSR SSC definition.

For non-LWRs, the LMP in RG 1.233 classifies SSCs as safety-related, safety-related with special treatment, and non-safety-related with no special treatment based on a systematic risk-informed and performance-based approach. NEI 20-07's definition of HSSSR SSCs should include information on what SSCs are considered HSSSR under the LMP.

Comment 24.

Excerpt: 3.1.2 SRM-SECY-22-0076 Point 4. For applicants using Regulatory Guide 1.233, special treatment considerations and human factors engineering processes should indicate required monitoring parameters that support safety functions.

Consider adding additional guidance for non-LWR applicants on addressing Point 4 of the SRM.

It is not clear how guidance in NEI 20-07 is applied to non-LWR applicants, because a lot of the guidance appears to be LWR-specific.

The NRC staff agrees with the statement but provides the following additional information. For non-LWRs, under the LMP in RG 1.233, safety functions are defined and discussed mainly in terms of Required Safety Functions (RSFs) and Probabilistic Risk Assessment Safety Functions (PSFs). The NRC staff relies on RG 1.233 and the Design Review Guide (DRG), Instrumentation and Controls for Non-LWRs Reviews (ML21011A140) for non-LWR I&C reviews. The NRC staff will use pre-application engagement to discuss use of the expanded policy, including critical safety functions in Point 4 for non-LWRs, with interested applicants to address any questions or concerns.

A relevant discussion is in SECY-23-0092.

Comment 33.

The result may be a change in core damage frequency (CDF) and large early release frequency (LERF). Some reactor technologies may use different risk metrics specific to the reactor design. For those reactor technologies, the RRT thresholds should align with industry accepted guidance.

For advanced light-water and non-light-water reactors, what industry accepted guidance would be used to determine the risk reduction target?

For advanced light-water and non-light-water reactors, what risk metrics and associated criteria would be used to determine the risk reduction target?

The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.

There is a need to define the scope of NEI 20-07.

Comment 50.

Excerpt: 5.3.1 EPRI HAZCADS and DRAM Efficacy. The graded approach is consistent with the acceptance guidelines for changes to Core Damage Frequency and Large Early Release Frequency described in RG 1.174 Section 2.4. Aspects of the proposed modification that result in changes to CDF or LERF that map to Region 1 in RG 1.174 Figures 4 and 5 apply the most rigorous approach; whereas those that map to Region 3 apply the least rigor while maintaining the design basis commitments and consistency with the facility's defense-in-depth philosophy and safety margins.

This is another example where the description is more applicable to LWRs regarding the use of Core Damage and Large Early Release.

Additional clarification should be made on guidance for non-LWRs.

Comment 66.

UCAs that are present in multiple redundancies of a DI&C system and impact core damage or large early releases are considered CCF.

This description is more applicable to LWRs regarding the use of core damage and large early release. It should be revised to be technology-agnostic or additional clarification should be made on guidance for non-LWRs.

Comments 4, 5, 15, 18, 24, 33, 50, and 66 describe insufficient or incompatible sections of NEI 20-07 Rev. E for application to Advanced Reactor technology. In general, NEI agrees with the comments and will reword each accordingly.

Advanced Reactor Considerations

NEI 20-07, applicable to both operating and new LWRs and non-LWRs, is written with more details or focus on operating LWRs. Additional enhancements or clarifications regarding guidance for non-LWRs are needed as discussed in comments below.

Examples include the use of risk metrics, acceptability of the probabilistic risk assessment used, and other guidance on non-LWRs under the licensing modernization project (LMP). The NRC staff suggests a comprehensive evaluation of NEI 20-07 on this topic.

NEI agrees that NEI 20-07 should include direction for Advanced Reactors risk metrics, PRA, and other guidance.

Most new LWRs have successfully employed the deterministic best-estimate coping analysis to address CCF concerns in accordance with the Commission Policy in SRM-SECY-93-087 and may choose to follow the same deterministic approach for future LWR designs. NEI 20-07 should also address use of a deterministic approach for addressing the digital I&C CCF concerns.

NEI 20-07 is not intended to include information regarding the deterministic approach.

Comment 4

The NRC staff notes that some of the advanced reactors may not be vulnerable to potential DI&C CCFs of concern. For example, the inherent safety and/or passive features may demonstrate that the designs are safe for the CCF scenarios using the LMP process in RG 1.233. Another example may be that there may not be any HSSSR DI&C systems in some of these designs. The NRC staff suggests that NEI 20-07 consider this feedback and include any additional clarifications as necessary regarding the use of its guidance for this area.

Agreed. NEI will include information related to this.

In addition to the LMP process, HAZCADS may be used to demonstrate when other safety features are sufficient to provide plant defense-in-depth.

Comment 5

The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.

There is a need to define the scope of NEI 20-07.

The scope is intended to address both operating LWRs and Advanced Reactors. NEI will provide additional information to support the use by Advanced Reactors.

Comment 15

For non-LWRs, the LMP in RG 1.233 classifies SSCs as safety-related, safety-related with special treatment, and non-safety-related with no special treatment based on a systematic risk-informed and performance-based approach. NEI 20-07's definition of HSSSR SSCs should include information on what SSCs are considered HSSSR under the LMP.

NEI will provide information on RG 1.233 safety classification for clarity.

NEI expects HSSSR to encompass the RG 1.233 safety-related classification.

Comment 18

Consider adding additional guidance for non-LWR applicants on addressing Point 4 of the SRM.

It is not clear how guidance in NEI 20-07 is applied to non-LWR applicants, because a lot of the guidance appears to be LWR-specific.

The NRC staff agrees with the statement but provides the following additional information. For non-LWRs, under the LMP in RG 1.233, safety functions are defined and discussed mainly in terms of Required Safety Functions (RSFs) and Probabilistic Risk Assessment Safety Functions (PSFs). The NRC staff relies on RG 1.233 and the Design Review Guide (DRG), Instrumentation and Controls for Non-LWRs Reviews (ML21011A140) for non-LWR I&C reviews. The NRC staff will use pre-application engagement to discuss use of the expanded policy, including critical safety functions in Point 4 for non-LWRs, with interested applicants to address any questions or concerns.

A relevant discussion is in SECY-23-0092.

The scope is intended to address both operating LWRs and Advanced Reactors.

NEI will provide additional information to support the use by Advanced Reactors.

Comment 24

For advanced light-water and non-light-water reactors, what industry accepted guidance would be used to determine the risk reduction target?

For advanced light-water and non-light-water reactors, what risk metrics and associated criteria would be used to determine the risk reduction target?

The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.

There is a need to define the scope of NEI 20-07.

NEI will address this with the Advanced Reactor community to determine any commonalities for risk metrics.

In lieu of prescribing risk metrics for Advanced Reactors, this may need to be discussed and agreed upon in pre-application meetings.

Comment 33

This is another example where the description is more applicable to LWRs regarding the use of Core Damage and Large Early Release.

Additional clarification should be made on guidance for non-LWRs.

Agreed. NEI will incorporate.

Comment 50

This description is more applicable to LWRs regarding the use of core damage and large early release. It should be revised to be technology-agnostic or additional clarification should be made on guidance for non-LWRs.

Agreed. NEI will incorporate.

Comment 66

Credible and likely sources of CCF (Non-Proprietary)

Credible and likely sources of CCF
(Columns: Comment #; Excerpt or Section Number from NEI 20-07; Question or Feedback)

Comment 7.

To prove that vulnerabilities to CCF have been adequately addressed, the D3 analysis must be able to demonstrate that:

1. Credible and likely sources of potential CCF have been identified and analyzed.
2. Each source of potential CCF has been reasonably prevented, mitigated, or adequately dispositioned.

The concept of vulnerability to CCF in SRM-SECY-22-0076 was understood to mean a situation where a CCF would produce unacceptable results. This quotation, and others in this document, change the focus to sources of CCF, but this document does not describe or define what sorts of things sources of CCF are (e.g., people, equipment, procedures).

There is an implication that not all sources of CCF can be identified, which is created by this document only addressing credible and likely sources of CCF.

Is it analogous to the distinction between failure mode (e.g., potential CCF) and failure mechanism (e.g., source of potential CCF)?

Does each potential CCF have many sources?

Comment 8.

Credible and likely sources of potential CCF have been identified and analyzed.

The enclosure to SRM-SECY-22-0076 states: In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both.

How does addressing the credible and likely sources meet this aspect of the policy?

Comment 67.

This process is effective at identifying the most likely and credible CCFs at a nuclear power plant.

The NRC is also concerned about CCFs that are unlikely.

This conclusion should probably be a bit more precise in terms of Modes, causes, mechanisms, or sources of CCF.

Postulated CCFs / Potential Sources

Postulated CCFs: What makes a Control Action unsafe?
- Not provided when needed
- Provided when not needed
- Provided too early, too late, or in the wrong order
- Stopped too soon or provided too long

Postulated CCFs:
- This provides a bounded set of postulated CCFs
- Includes diagnosis of system interactions and requirements
- Identifies system misbehaviors even if no actual failure occurs
- Includes consideration of spurious actuation

Potential Sources: Loss Scenarios - causal factors that can lead to UCAs
- Inadequate controller behavior
- Inadequate feedback and information
- Control pathways
- Inadequate controlled process behaviors

The concept of vulnerability to CCF in SRM-SECY-22-0076 was understood to mean a situation where a CCF would produce unacceptable results. This quotation, and others in this document, change the focus to sources of CCF, but this document does not describe or define what sorts of things sources of CCF are (e.g., people, equipment, procedures).

There is an implication that not all sources of CCF can be identified, which is created by this document only addressing credible and likely sources of CCF.

Is it analogous to the distinction between failure mode (e.g., potential CCF) and failure mechanism (e.g., source of potential CCF)?

Does each potential CCF have many sources?

Comment 7

Does each potential CCF have many sources?

NEI generally agrees with the comment. The intent is that the UCAs identified represent CCF. To improve the reliability of the controller impacted by the postulated CCF (either operator, equipment, or other) the potential loss scenarios (i.e., failure mechanisms) are identified and addressed.

This also informs design decisions throughout an iterative design process.

NEI will revise the document to reinforce the focus on the UCAs representative of potential vulnerabilities to CCF.

Comment 7

The enclosure to SRM-SECY-22-0076 states: In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both.

How does addressing the credible and likely sources meet this aspect of the policy?

The applicant is analyzing the postulated CCF using hazards analysis techniques and fault tree analysis to identify and address those postulated CCFs commensurate with their risk.

NEI is considering changing credible and likely sources of CCF to bounded set of postulated CCFs.

Comment 8

The NRC is also concerned about CCFs that are unlikely. This conclusion should probably be a bit more precise in terms of Modes, causes, mechanisms, or sources of CCF.

NEI generally agrees with the comment. NEI will reword the statement in the conclusion.

The process assumes the CCF occurs regardless of likelihood to determine the risk significance, inform design decisions, and apply control methods.

Comment 67

Control Method Scoring (Non-Proprietary)

Control Method Scoring
(Columns: Comment #; Excerpt or Section Number from NEI 20-07; Question or Feedback)

Comment 3.

Scoring of systematic control methods.

Section 4.1.2 states: Once a set of systematic Control Methods has been identified for a given Loss Scenario, each Control Method is individually scored to provide an objective comparison of the relative effectiveness of the Control Methods. A scoring method is used as a tool to perform a qualitative assessment of the Control Method effectiveness. A scoring method removes potential bias in the qualitative assessment. Each Control Method is evaluated separately for its Control Method effectiveness and in combination when more than one Control Method is applied to an I&C element or relationship set of I&C elements.

What is the technical basis for the validity of the scoring method?

Provide an example that illustrates the scoring method.

Generally, each different control method is good for addressing some specific source(s) of concern, but not others. The selection of control methods should, when taken together, broadly address all the sources of concerns. Please explain how this concept is addressed by the process in NEI 20-07 Rev. E.

Comment 35.

A set of pre-scored systematic control methods are established to mitigate the loss scenarios of an inadequate control algorithm.

What process is used to provide scores to the control methods?

Additional details and justification of the scoring process are necessary, including examples demonstrating how the scoring process is performed. The justification needs to explain how the scoring process is objective, structured, and consensus-based.

Comment 63.

A combined control method effectiveness score provides a geometrically weighted value.

Is the phrase geometrically weighted value intended to represent a weighted geometric mean or a different mathematical value?

Additional details and justification of the geometrically weighted combined control method effectiveness score calculation are necessary, including examples demonstrating how the combined control method effectiveness score is calculated.

The justification needs to explain how the calculation is objective, structured, and consensus based.

What is the EPRI DRAM Control Method Scoring?

- An indicator of the relative effectiveness of a control method (or combined control methods)
- Qualitative and based upon subject matter expert input
- Supports engineering justification that the systematic Loss Scenario is sufficiently addressed

How do Control Methods get applied?

Control Methods are allocated to Loss Scenarios based upon risk significance as indicated by the Risk Reduction Threshold (RRT).

When multiple Control Methods are applied, the effectiveness of each subsequent Control Method is diminished.

This is to avoid stacking low-effectiveness Control Methods to artificially raise the Combined Control Method Effectiveness qualitative score.

Control Method Scoring

Postulated CCFs: Many-to-One Relationship

The Control Method Effectiveness (CME) qualitative scoring technique was developed by Sandia National Laboratory for initial use in the EPRI Technical Assessment Methodology (TAM).

- Vogtle 3 and 4 use the EPRI TAM for CDA assessments.
- Vogtle 3 completed the Cyber Security inspection with no findings associated with implementation of EPRI TAM.
- EPRI developed the DRAM Control Method Effectiveness qualitative scoring using the same approach.

Control Method Scoring

$CME = \log_2(CMT \cdot CMS \cdot Constant)$

CME = Control Method Effectiveness
CMT = Control Method Type
CMS = Control Method Strength
Constant = scaling factor that provides consistent boundaries and forces a lower CME limit of 0.10 in order to avoid a zero-information-entropy situation

Control Method Scoring

$CCME = \sum_{i=1}^{n} CME_i \left(\frac{2}{3}\right)^{i-1}$

CCME = Combined Control Method Effectiveness
CMEi = the ith CME score, sorted highest to lowest
n = number of Control Methods

Control Method Scoring

Example 1
CME1 = 2.03 (Technical, Limited)
CME2 = 1.44 (Plant Procedure, Limited)

$CCME = CME_1 + CME_2 \left(\frac{2}{3}\right)^{2-1} = 2.03 + 1.44 \cdot \frac{2}{3} = 2.03 + 0.96 = 2.99$

Example 2
CME1 = 0.87 (Plant Procedure, Low)
CME2 = 0.67 (Ad Hoc, Limited)
CME3 = 0.1 (Ad Hoc, Low)

$CCME = CME_1 + CME_2 \left(\frac{2}{3}\right)^{2-1} + CME_3 \left(\frac{2}{3}\right)^{3-1} = 0.87 + 0.67 \cdot \frac{2}{3} + 0.1 \cdot \left(\frac{2}{3}\right)^{2} = 0.87 + 0.45 + 0.04 = 1.36$

Control Method Scoring
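The CCME stacking rule above is easy to mis-apply if the scores are not sorted or if an analyst expects many weak controls to add up to a strong one. The following Python is an added illustration, not NEI's or EPRI's code: it implements the CCME sum from the slides exactly as written, reproduces both worked examples, and shows the geometric ceiling that stops low-effectiveness controls from being stacked to inflate the score. The only formula assumed is the one on the slides; the CMT/CMS category values and the scaling Constant used to produce CME scores are defined in EPRI DRAM and are not on this page, so the `cme` helper takes them as caller-supplied inputs.

```python
"""Combined Control Method Effectiveness (CCME) stacking from the
NEI 20-07 / EPRI DRAM slides.  Added illustration, not NEI's or EPRI's code."""
import math

# Depreciation ratio applied to each subsequent Control Method (from the slides).
STACK_RATIO = 2.0 / 3.0


def cme(cmt: float, cms: float, constant: float) -> float:
    """CME = log2(CMT * CMS * Constant), transcribed from the slides.

    The CMT/CMS category values and the scaling Constant come from EPRI DRAM
    and are not on the page, so the caller must supply them (assumption)."""
    return math.log2(cmt * cms * constant)


def ccme(scores, ratio: float = STACK_RATIO) -> float:
    """CCME = sum over i of CME_i * ratio**(i-1), i = 1..n.

    The CME scores must be sorted highest to lowest before weighting; that
    ordering is part of the method, so it is enforced here rather than trusted."""
    ordered = sorted(scores, reverse=True)
    return sum(s * ratio ** i for i, s in enumerate(ordered))  # enumerate is 0-based


def ccme_breakdown(scores, ratio: float = STACK_RATIO):
    """(raw CME, depreciated contribution) per method, for a reviewer to inspect."""
    ordered = sorted(scores, reverse=True)
    return [(s, round(s * ratio ** i, 2)) for i, s in enumerate(ordered)]


def stacking_ceiling(single_score: float, ratio: float = STACK_RATIO) -> float:
    """Upper bound on CCME when an unlimited number of methods that each score
    single_score are stacked: the geometric series sums to score / (1 - ratio).

    With ratio 2/3 the bound is 3x a single score, which is why stacking
    low-effectiveness methods cannot artificially raise the CCME."""
    return single_score / (1.0 - ratio)


if __name__ == "__main__":
    # Example 1 and Example 2 from the slides (constructed inputs taken from them).
    print(round(ccme([2.03, 1.44]), 2))
    print(round(ccme([0.87, 0.67, 0.1]), 2))
    # Unsorted input is sorted before weighting, so the result is unchanged.
    print(ccme_breakdown([0.1, 0.67, 0.87]))
    # Twenty "Ad Hoc, Low" methods never reach the 0.3 ceiling.
    print(round(ccme([0.1] * 20), 4), stacking_ceiling(0.1))
```

`ccme_breakdown` is the view a reviewer wants when checking a licensee's table: it exposes how much each stacked method actually contributes after depreciation, which is the question behind NRC Comment 63.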

What is the technical basis for the validity of the scoring method?

Developed by Sandia National Laboratory using information entropy concepts.

Information entropy quantifies the amount of information in a given message. In this application, the concept quantifies the relative effectiveness of control methods compared to other control methods.

Provide an example that illustrates the scoring method.

See previous slides.

Generally, each different control method is good for addressing some specific source(s) of concern, but not others. The selection of control methods should, when taken together, broadly address all the sources of concerns. Please explain how this concept is addressed by the process in NEI 20-07 Rev. E.

Generally, agree. See previous slides.

This is explained in EPRI DRAM.

Comment 3

What process is used to provide scores to the control methods?

EPRI DRAM. See previous slides.

Additional details and justification of the scoring process are necessary, including examples demonstrating how the scoring process is performed.

See previous slides. Potential for public meeting with EPRI involvement, if needed.

The justification needs to explain how the scoring process is objective, structured, and consensus-based.

The scoring process is structured and provides objective criteria for CMT/CMS categorization; however, the plant-specific results are based upon SME input (with the exception of pre-scored Control Methods provided in DRAM).

Comment 35

Is the phrase geometrically weighted value intended to represent a weighted geometric mean or a different mathematical value?

EPRI DRAM uses this term to describe how individual CME scores depreciate when they are stacked to determine the CCME.

$CCME = \sum_{i=1}^{n} CME_i \left(\frac{2}{3}\right)^{i-1}$

Additional details and justification of the geometrically weighted combined control method effectiveness score calculation are necessary, including examples demonstrating how the combined control method effectiveness score is calculated.

See previous slides with examples.

The justification needs to explain how the calculation is objective, structured, and consensus based.

See Comment 35 response.

Comment 63

DEG, HAZCADS and DRAM (Non-Proprietary)

DEG, HAZCADS and DRAM Comments
(Columns: Comment #; Excerpt or Section Number from NEI 20-07; Question or Feedback)

Comment 21.

Excerpt: Section 4.1 discusses controller beliefs and process model beliefs.

Please define what a controller belief and a process model belief are.

Comment 29.

As the system design matures in detail, new hazards may be uncovered and the list of hazardous system states can be revisited and revised, as needed.

What process is used to determine if the list of hazardous system states needs to be revisited and revised?

How often is this process performed?

Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.

Comment 30.

NEI 20-07 states, A control structure model does not typically capture purely physical relationships like physical proximity between components or fire propagation.

Draft BTP 7-19, Revision 9, states, the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards.

How does the NEI 20-07 process address these spatial concerns?

Comment 32.

The RRT can be developed from one of five different pathways based upon the scope of the system under analysis, the stage of the design process, and whether the system(s) is modeled in the PRA.

It would be beneficial to include additional information on the five different pathways to develop the risk reduction targets.

HAZCADS and DRAM are both integrated into the EPRI Digital Engineering Guide (DEG), which provides a systems engineering approach to digital I&C.

EPRI DEG provides direction for a phased approach as follows:
- Initial Scoping Phase
- Conceptual/Common Design Phase
- Detailed Design Phase
- Installation Planning Phase
- Installation and Test Phase
- Closeout Phase
- Operations and Maintenance Phase

DEG, HAZCADS and DRAM

Per EPRI DEG, these phases are the main sequence process that implements the Systems Engineering process via iterative activities in each phase of the engineering process.

HAZCADS and DRAM are performed during each iteration within the Conceptual/Common Design Phase and Detailed Design Phase.

DEG, HAZCADS and DRAM

Relationship Sets are used to express associations between system elements.

5 types of Relationship Sets:
- Programmatic
- Functional
- Acquisition
- Connectivity
- Spatial

For example, all equipment mounted within the same cabinet may be placed in a Relationship Set.

DEG, HAZCADS and DRAM

Please define what a controller belief and a process model belief are.

Per EPRI DRAM:

A process model represents the internal beliefs of a controller.

In an automated controller, the process model is the data used by the control algorithm to make decisions (in a human, the process model is the set of beliefs used to make decisions in accordance with learned procedures). The process model includes beliefs about the controlled process, and it may include beliefs about the plant or the environment.

Comment 21

What process is used to determine if the list of hazardous system states needs to be revisited and revised?

EPRI Digital Engineering Guide and EPRI HAZCADS.

How often is this process performed?

No prescriptive limits. The process is iterated until a final design is reached.

Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.

Hazards are evaluated for completeness each time EPRI HAZCADS is performed within the iterative process.

It is unlikely that new hazards of regulatory concern are identified.

System hazards are identified at a high level of abstraction.

Comment 29

How does the NEI 20-07 process address these spatial concerns?

EPRI DEG provides processes to account for all design requirements.

EPRI DEG also provides guidance on developing Relationship Sets that will account for connectivity and spatial concerns.

Comment 30

It would be beneficial to include additional information on the five different pathways to develop the risk reduction targets.

Agreed. This will be discussed in more detail in the Proprietary comments.

NEI will add information in Section 4 related to the RRT pathways.

Comment 32

Other Comments (Non-Proprietary)

Other Comments

Comment #  Excerpt or Section Number from NEI 20-07  Question or Feedback

1.

The enclosure to SRM-SECY-22-0076 states: The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.

NEI 20-07 Rev. E states: This document provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis. This document establishes a safety case using claims, arguments, and evidence to demonstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claims and arguments described in this document.

Defense in depth has always been part of NPP facilities. The assessment of the facility's defense in depth is not clear from the content of NEI 20-07 Rev. E. Therefore, NEI 20-07 Rev. E does not address the entire SRM.

19.

NEI 20-07 defines a risk reduction target as the risk reduction to be achieved by the [] safety-related systems and/or other risk reduction measures in order to ensure that the tolerable risk is not exceeded.

Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target?

How do the safety-related systems and/or other risk reduction measures ensure that the tolerable risk is not exceeded? [emphasis added]

34.

For the purposes of this document, only loss scenarios associated with regulatory safety factors (e.g., core damage or radiological release) should be considered.

Are loss scenarios that do not result in core damage or radiological release but affect other regulatory programs such as MSPI and the maintenance rule considered?

Other Comments

Comment #  Excerpt or Section Number from NEI 20-07  Question or Feedback

53.

((EPRI HAZCADS and DRAM have been proven effective in identifying and addressing hazards and sources of failure in DI&C systems. NRC has conducted its own research on the efficacy of hazards analysis and STPA. TLR-RES/DE-2022-006, Hazard Analysis: An Outline of Technical Bases for the Evaluation of Criteria, Methodology, and Results, documents an evaluation of the need to develop criteria for technical bases supporting the evaluation of the criteria and methodology for, and of the results from, [] hazards analysis.))

The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a complement to existing regulatory activities.

However, it is not clear whether these processes alone, without the complementary regulatory activities, are effective at identifying and eliminating all sources of CCF, which is the purpose of this document.

69.

Appendix A This Appendix describes the relationship between the process described in this document and the NRC regulatory framework.

Note that the regulations listed below may not necessarily apply to all applicants and licensees. The applicability of the regulatory requirements is determined by the plant-specific licensing basis and any proposed changes to the licensing basis associated with the proposed DI&C system under evaluation.

Conceptually, NEI 20-07 is proposed to be used as an alternative way to meet the Commission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory framework applicable to the Commission policy on CCF. It appears that this appendix is incomplete in that respect. For example, it does not include the SRM.

The NRC regulatory framework includes more than just regulatory requirements.

72.

Appendix A, Section A.2.1 Pre-scored Systematic Control Methods are techniques and measures that may, synthesized from the industry standard IEC 61508 Part 3, normative Annex A which is a recognized safety standard in the petrochemical industry.

Doing a part of a standard is not the same as following the standard. The use of these methods in this document differs from how they are used in the standard.

Defense in depth has always been part of NPP facilities. The assessment of the facility's defense in depth is not clear from the content of NEI 20-07 Rev. E. Therefore, NEI 20-07 Rev. E does not address the entire SRM.

This document provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis for the facility. This document establishes a safety case using claims, arguments, and evidence to demonstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claims and arguments described in this document.

Comment 1

Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target?

Yes. The Control Method process does not consider the safety classification if additional SSCs are required.

This is consistent with SRM-SECY-22-0076.

How do the safety-related systems and/or other risk reduction measures ensure that the tolerable risk is not exceeded? [emphasis added]

EPRI HAZCADS Risk Reduction Target pathways establish the graded approach based upon risk. If the RRT exceeds approved thresholds (e.g., Reg. Guide 1.174 for operating LWRs), then the design is changed.

EPRI DRAM provides a structured, objective process for providing engineering justification for the methods used to improve the system reliability.

Control methods are not individually modeled in PRA to determine risk impact.

Comment 19

Are loss scenarios that do not result in core damage or radiological release but affect other regulatory programs such as MSPI and the maintenance rule considered?

No. This process is focused on hazards that impact the approved risk metrics for a given design.

The subject sentence will be edited to direct the user to focus on hazards, not loss scenarios.

Comment 34

The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a complement to existing regulatory activities.

However, it is not clear whether these processes alone, without the complementary regulatory activities, are effective at identifying and eliminating all sources of CCF, which is the purpose of this document.

This NEI 20-07 section is intended to demonstrate the efficacy of STPA as a hazards analysis tool and as a contributing factor to the NEI 20-07 approach.

STPA is not the only technique relied upon to demonstrate that vulnerabilities to CCF have been addressed. HAZCADS and DRAM combine this with Fault Tree Analysis and the Control Method allocation/scoring developed by Sandia National Labs.

The purpose of this document is not to identify and eliminate all sources of CCF as stated in the comment.

Comment 53

Conceptually, NEI 20-07 is proposed to be used as an alternative way to meet the Commission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory framework applicable to the Commission policy on CCF. It appears that this appendix is incomplete in that respect. For example, it does not include the SRM.

The NRC regulatory framework includes more than just regulatory requirements.

NEI 20-07 Section 3.1 explicitly addresses SRM-SECY-22-0076.

NEI 20-07 Section 3.2 references Appendix A for additional regulatory requirements to be considered.

Appendix A provides further detail on relevant regulatory requirements that are considered in the development of this process OR are required to be considered by the applicant using this methodology.

NEI would like to better understand how NEI 20-07 is considered an alternative way to meet the Commission policy.

NEI would like to better understand what else is considered other than just regulatory requirements. NUREGs, Regulatory Guides, etc.?

Comment 69

Doing a part of a standard [IEC 61508 Part 3] is not the same as following the standard. The use of these methods in this document differs from how they are used in the standard.

NEI 20-07 is not claiming to follow IEC 61508 Part 3.

EPRI DRAM uses pre-scored systematic control methods based upon IEC 61508 Part 3 Annex A.

The intent of the statement is to provide a basis for their inclusion not to imply compliance with the standard.

Comment 72

Meeting to discuss remaining comments

EPRI involvement?

Incorporate comments and review with NRC staff

Goal is to demonstrate how comments are addressed for alignment prior to Rev. 0 submittal

Prepare NEI 20-07 Rev. 0 and submit to staff

Timing based upon decision to use EPRI products released later in 2024

Next Steps