ML24114A114
| Field | Value |
|---|---|
| Site | Nuclear Energy Institute |
| Issue date | 04/18/2024 |
| From | Nuclear Energy Institute |
| To | Division of Operating Reactor Licensing |
| References | EPID L-2023-NFN-0012 |
| Download | ML24114A114 (1) |
NEI 20-07 Rev. E Comments - Non-Proprietary
April 18, 2024
©2024 Nuclear Energy Institute
Non-Proprietary Topics
- DEG, HAZCADS, and DRAM
- Safety Case
- Other Comments
DEG, HAZCADS and DRAM (Non-Proprietary)
DEG, HAZCADS and DRAM Comments

| Comment # | Excerpt or Section Number from NEI 20-07 | Question or Feedback |
|---|---|---|
| 21 | Section 4.1 discusses controller beliefs and process model beliefs. | Please define what a controller belief and a process model belief are. |
| 29 | "As the system design matures in detail, new hazards may be uncovered and the list of hazardous system states can be revisited and revised, as needed." | What process is used to determine if the list of hazardous system states needs to be revisited and revised? How often is this process performed? Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves. |
| 30 | NEI 20-07 states, "A control structure model does not typically capture purely physical relationships like physical proximity between components or fire propagation." | Draft BTP 7-19, Revision 9, states, "the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards." How does the NEI 20-07 process address these spatial concerns? |
| 32 | "The RRT can be developed from one of five different pathways based upon the scope of the system under analysis, the stage of the design process, and whether the system(s) is modeled in the PRA." | It would be beneficial to include additional information on the five different pathways to develop the risk reduction targets. |
HAZCADS and DRAM are both integrated into the EPRI Digital Engineering Guide, which provides a systems engineering approach to digital I&C. EPRI DEG provides direction for a phased approach as follows:
- Initial Scoping Phase
- Conceptual/Common Design Phase
- Detailed Design Phase
- Installation Planning Phase
- Installation and Test Phase
- Closeout Phase
- Operations and Maintenance Phase
Per EPRI DEG, these phases are the main sequence process that implements the Systems Engineering process via iterative activities in each phase of the engineering process.
HAZCADS and DRAM are performed during each iteration within the Conceptual/Common Design Phase and Detailed Design Phase.
Relationship Sets are used to express associations between system elements.
5 types of Relationship Sets:
- Programmatic
- Functional
- Acquisition
- Connectivity
- Spatial
For example, all equipment mounted within the same cabinet may be placed in a Relationship Set.
Comment 21
NRC staff comment: Please define what a controller belief and a process model belief are.
NEI response: Per EPRI DRAM, a process model represents the internal beliefs of a controller. In an automated controller, the process model is the data used by the control algorithm to make decisions (in a human, the process model is the set of beliefs used to make decisions in accordance with learned procedures). The process model includes beliefs about the controlled process, and it may include beliefs about the plant or the environment.
Comment 29
NRC staff comment: What process is used to determine if the list of hazardous system states needs to be revisited and revised?
NEI response: EPRI Digital Engineering Guide and EPRI HAZCADS.
NRC staff comment: How often is this process performed?
NEI response: No prescriptive limits. The process is iterated until a final design is reached.
NRC staff comment: Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.
NEI response: Hazards are evaluated for completeness each time EPRI HAZCADS is performed within the iterative process. It is unlikely that new hazards of regulatory concern are identified. System hazards are identified at a high level of abstraction.
Comment 30
NRC staff comment: How does the NEI 20-07 process address these spatial concerns?
NEI response: EPRI DEG provides processes to account for all design requirements. EPRI DEG also provides guidance on developing Relationship Sets that will account for connectivity and spatial concerns.
Comment 32
NRC staff comment: It would be beneficial to include additional information on the five different pathways to develop the risk reduction targets.
NEI response: Agreed. This will be discussed in more detail in the Proprietary comments. NEI will add information in Section 4 related to the RRT pathways.
Safety Case (Non-Proprietary)
Safety Case Comments

| Comment # | Excerpt or Section Number from NEI 20-07 | Question or Feedback |
|---|---|---|
| 9 | "This document provides the safety case which provides the details that demonstrates the output of the EPRI Digital Engineering Guideline (DEG), Hazards and Consequence Analysis in Digital Systems (HAZCADS), and Digital Reliability Analysis Methodology (DRAM) processes (References 13, 14, and 15) provide a D3 analysis addressing the SRM-SECY-22-0076 policy." | This statement is misleading and should be changed. This document provides a high-level overarching approach, but it does not provide details. |
| 12 | "This document provides the safety case which provides the details that demonstrate the output of the EPRI Digital Engineering Guideline (DEG), Hazards and Consequence Analysis in Digital Systems (HAZCADS), and Digital Reliability Analysis Methodology (DRAM) processes (References 13, 14, and 15) provide a D3 analysis addressing the SRM-SECY-22-0076 policy." | In effect, this document does not provide an evidentiary safety case; rather, at best, it attempts to describe a method one could use to develop a safety case. |
| 13 | "Tier 2 provides sub-claims and arguments that demonstrate the efficacy of the EPRI HAZCADS and DRAM processes to identify and establish the criteria for each applicant to demonstrate they adequately executed these processes." | It does not appear that such sub-claims and arguments are conclusive (see NRC staff comments on Section 5.3). |
| 41 | 5 SAFETY CASE DEVELOPMENT: "The safety case structure provided in this section was adopted from ISO/IEC/IEEE 15026-2:2022." | NEI does not explain what was changed or what was adopted from the identified standards or what was changed; therefore, it is not clear what NEI understands to be a safety case. |
| 44 | 5.1.1 Safety Case Description: "The technical process described in EPRI HAZCADS and DRAM produces a diversity and defense-in-depth analysis that demonstrates vulnerabilities to digital CCF have been adequately identified and addressed." | This is an unsupported claim. How do we know it is true? |
Why did NEI choose to use this format?
- Performance-based approach
- Difficult to make a safety determination without replicating analysis
- Safety case is intended to provide:
  - Objective(s)
  - Criteria that, if true, demonstrate that a system achieves a certain objective
  - Artifacts that establish facts that demonstrate the criteria are met
- Used in other critical safety industries, as well as non-US nuclear power, as a means of demonstrating safety/assurance
- NEI understands safety determinations for performance-based approaches are different than deterministic approaches
- The goal of the NEI 20-07 safety case is to establish the objectives and criteria (claims, sub-claims, and arguments) with the NRC that will be satisfied by the applicant's arguments and artifacts
- The goal of NEI 20-07 is to provide a framework in which:
  - The underlying technical processes remain technology neutral
  - Boundaries on the regulatory analysis and review exist
  - Performance-based reviews can be performed within reasonable time-frames
Comments 9 and 12
NRC staff comments: This statement is misleading and should be changed. This document provides a high-level overarching approach, but it does not provide details. In effect, this document does not provide an evidentiary safety case; rather, at best, it attempts to describe a method one could use to develop a safety case.
NEI response: Revised wording: "This document provides the framework for a safety case which provides the details that demonstrates the output of the EPRI Digital Engineering Guideline (DEG), Hazards and Consequence Analysis in Digital Systems (HAZCADS), and Digital Reliability Analysis Methodology (DRAM) processes (References 13, 14, and 15) provide a D3 analysis addressing the SRM-SECY-22-0076 policy."
It is NOT NEI's intent for applicants to reproduce the framework with each submittal. Further discussion is necessary during the closed session to demonstrate intent with NEI 20-07 Figure 1.
Comment 13
NRC staff comment: It does not appear that such sub-claims and arguments are conclusive (see NRC staff comments on Section 5.3).
NEI response: Defer to the proprietary call.
Comment 41
NRC staff comment: NEI does not explain what was changed or what was adopted from the identified standards or what was changed; therefore, it is not clear what NEI understands to be a safety case.
NEI response: ISO/IEC/IEEE 15026-2:2022 specifies the structure and terminology of assurance cases. In fact, there is only one true requirement (shall statement) in the standard. ISO/IEC/IEEE 15026-2:2022, Annex C, Table C.1 provides a comparison between commonly used assurance case methodologies and ISO/IEC/IEEE 15026-2:2022 terminology. NEI utilizes the Claims, Arguments, and Evidence (CAE) framework within NEI 20-07 Rev. E. NEI will provide this detail in NEI 20-07 to define the safety case.
Comment 44
NRC staff comment: This is an unsupported claim. How do we know it is true?
NEI response: Defer to the proprietary call.
Other Comments (Non-Proprietary)
Other Comments

| Comment # | Excerpt or Section Number from NEI 20-07 | Question or Feedback |
|---|---|---|
| 1 | The enclosure to SRM-SECY-22-0076 states: "The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed." NEI 20-07 Rev. E states: "This document provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis. This document establishes a safety case using claims, arguments, and evidence to demonstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claims and arguments described in this document." | Defense in depth has always been part of NPP facilities. The assessment of the facility's defense in depth is not clear from the content of NEI 20-07 Rev. E. Therefore, NEI 20-07 Rev. E does not address the entire SRM. |
| 19 | NEI 20-07 defines a risk reduction target as "the risk reduction to be achieved by the [...] safety-related systems and/or other risk reduction measures in order to ensure that the tolerable risk is not exceeded." | Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target? How do the safety-related systems and/or other risk reduction measures ensure that the tolerable risk is not exceeded? [emphasis added] |
| 23 | 3.1.2 SRM-SECY-22-0076 Point 4, BTP 7-19 | Since NEI 20-07 was written in July 2023, it does not accurately reflect what is in the new version of BTP 7-19. Therefore, such wording must be checked after the final version 9 of BTP 7-19 is issued. See Section B.1.2 for critical safety function. |
| 34 | "For the purposes of this document, only loss scenarios associated with regulatory safety factors (e.g., core damage or radiological release) should be considered." | Are loss scenarios that do not result in core damage or radiological release but affect other regulatory programs such as MSPI and the maintenance rule considered? |
| 53 | "EPRI HAZCADS and DRAM have been proven effective in identifying and addressing hazards and sources of failure in DI&C systems." | NRC has conducted its own research on the efficacy of hazards analysis and STPA. TLR-RES/DE-2022-006, "Hazard Analysis: An Outline of Technical Bases for the Evaluation of Criteria, Methodology, and Results," documents an evaluation of "the need to develop criteria for technical bases supporting the evaluation of the criteria and methodology for, and of the results from, [...] hazards analysis." The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a complement to existing regulatory activities. However, it is not clear whether these processes alone, without the complementary regulatory activities, are effective at identifying and eliminating all sources of CCF, which is the purpose of this document. |
| 69 | Appendix A: "This Appendix describes the relationship between the process described in this document and the NRC regulatory framework. Note that the regulations listed below may not necessarily apply to all applicants and licensees. The applicability of the regulatory requirements is determined by the plant-specific licensing basis and any proposed changes to the licensing basis associated with the proposed DI&C system under evaluation." | Conceptually, NEI 20-07 is proposed to be used as an alternative way to meet the Commission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory framework applicable to the Commission policy on CCF. It appears that this appendix is incomplete in that respect. For example, it does not include the SRM. The NRC regulatory framework includes more than just regulatory requirements. |
| 72 | Appendix A, Section A.2.1: "Pre-scored Systematic Control Methods are techniques and measures that may, synthesized from the industry standard IEC 61508 Part 3, normative Annex A which is a recognized safety standard in the petrochemical industry." | Doing a part of a standard is not the same as following the standard. The use of these methods in this document differs from how they are used in the standard. |
Comment 1
NRC staff comment: Defense in depth has always been part of NPP facilities. The assessment of the facility's defense in depth is not clear from the content of NEI 20-07 Rev. E. Therefore, NEI 20-07 Rev. E does not address the entire SRM.
NEI response: Revised wording: "This document provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis for the facility. This document establishes a safety case using claims, arguments, and evidence to demonstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claims and arguments described in this document."
Comment 19
NRC staff comment: Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target?
NEI response: Yes. The Control Method process does not consider the safety classification if additional SSCs are required. This is consistent with SRM-SECY-22-0076.
NRC staff comment: How do the safety-related systems and/or other risk reduction measures ensure that the tolerable risk is not exceeded? [emphasis added]
NEI response: EPRI HAZCADS Risk Reduction Target pathways establish the graded approach based upon risk. If the RRT exceeds approved thresholds (e.g., Reg. Guide 1.174 for operating LWRs), then the design is changed. EPRI DRAM provides a structured, objective process for providing engineering justification for the methods used to improve the system reliability. Control methods are not individually modeled in PRA to determine risk impact.
Comment 23
NRC staff comment: Since NEI 20-07 was written in July 2023, it does not accurately reflect what is in the new version of BTP 7-19. Therefore, such wording must be checked after the final version 9 of BTP 7-19 is issued. See Section B.1.2 for critical safety function.
NEI response: Agreed. NEI 20-07 Rev. 0 will take into consideration BTP 7-19 Rev. 9.
Comment 34
NRC staff comment: Are loss scenarios that do not result in core damage or radiological release but affect other regulatory programs such as MSPI and the maintenance rule considered?
NEI response: No. This process is focused on hazards that impact the approved risk metrics for a given design. The subject sentence will be edited to direct the user to focus on hazards, not loss scenarios.
Comment 53
NRC staff comment: The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a complement to existing regulatory activities. However, it is not clear whether these processes alone, without the complementary regulatory activities, are effective at identifying and eliminating all sources of CCF, which is the purpose of this document.
NEI response: This NEI 20-07 section is intended to demonstrate the efficacy of STPA as a hazards analysis tool as a contributing factor to the NEI 20-07 approach. STPA is not the only technique relied upon to demonstrate that vulnerabilities to CCF have been addressed. HAZCADS and DRAM combine this with Fault Tree Analysis and the Control Method allocation/scoring developed by Sandia National Labs. The purpose of this document is not to identify and eliminate all sources of CCF as stated in the comment.
Comment 69
NRC staff comment: Conceptually, NEI 20-07 is proposed to be used as an alternative way to meet the Commission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory framework applicable to the Commission policy on CCF. It appears that this appendix is incomplete in that respect. For example, it does not include the SRM. The NRC regulatory framework includes more than just regulatory requirements.
NEI response: NEI 20-07 Section 3.1 explicitly addresses SRM-SECY-22-0076. NEI 20-07 Section 3.2 references Appendix A for additional regulatory requirements to be considered. Appendix A provides further detail on relevant regulatory requirements that are considered in the development of this process OR are required to be considered by the applicant using this methodology.
NEI would like to better understand how NEI 20-07 is considered an alternative way to meet the Commission policy. NEI would also like to better understand what else is considered other than just regulatory requirements (NUREGs, Regulatory Guides, etc.?).
Comment 72
NRC staff comment: Doing a part of a standard [IEC 61508 Part 3] is not the same as following the standard. The use of these methods in this document differs from how they are used in the standard.
NEI response: NEI 20-07 is not claiming to follow IEC 61508 Part 3. EPRI DRAM uses pre-scored systematic control methods based upon IEC 61508 Part 3 Annex A. The intent of the statement is to provide a basis for their inclusion, not to imply compliance with the standard.