ML25125A023

US NRC Presentation - May 5 - May 9, 2025 IAEA CCF Workshop (ML25125A023)
Issue date: 05/05/2025
From: Samir Darbali, NRC/NRR/DEX/EICB



U.S. NRC's Approaches for Addressing Common-Cause Failures in Nuclear Power Plant Digital Instrumentation and Controls

IAEA Workshop on Common Cause Failure Solutions for Instrumentation and Control Systems of Nuclear Power Plants, 5 May - 9 May 2025

Samir Darbali, Senior Electronics Engineer, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission. Email: Samir.Darbali@nrc.gov

Introduction

  • The US Nuclear Regulatory Commission (US NRC) approach for addressing systematic common-cause failures (CCFs) in digital instrumentation and control (I&C) systems for nuclear power plants goes back over 30 years.
  • This presentation will cover:
    • Applicable US NRC regulations, policy and guidance for addressing digital I&C CCFs
    • Approved methods for addressing digital I&C CCFs
    • Examples of approved methods

US NRC Regulations on Addressing Systematic CCF

Title 10 of the Code of Federal Regulations (10 CFR) Appendix A, General Design Criteria (GDC):

The development of these General Design Criteria is not yet complete. Also, some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include: consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems and reactivity control systems. (See Criteria 22, 24, 26, and 29.)

GDC 22, Protection system independence:

The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

SECY-93-087 (1993)

SECY-93-087 and SRM-SECY-93-087 identify four points to address CCFs:

1. Perform a defense-in-depth and diversity (D3) assessment.
2. Use best-estimate methods.
3. Diverse means required if a CCF can disable a safety function.
4. Main control room (MCR) independent and diverse displays and manual controls for critical safety functions.

[Roadmap figure: US NRC's Policy to Address Digital I&C CCFs, showing SECY papers, SRMs and staff guidance (LWRs and non-LWRs). Policy prior to 2023 begins with SRM-SECY-93-087 (1993).]

The policy in Staff Requirements Memorandum (SRM)-SECY-93-087 has been effectively used to license digital I&C systems in nuclear power plants. However, this policy requires a diverse means of actuation if a CCF could disable a safety function.

SECY-18-0090

  • Clarifies the application of the Commission's direction in the four points within SRM-SECY-93-087.
  • Recognizes that significant effort has been applied to the development of highly reliable digital I&C systems, but residual faults within digital systems may lead to CCFs.
  • Provides guiding principles for updating the staff's guidance for addressing CCFs.

SECY-18-0090 (2018)


Branch Technical Position 7-19, Rev. 8

  • Provides guidance to the staff for the evaluation of D3 to address digital I&C CCFs in LWR applications.
  • Supports a risk-informed, graded approach based on the safety significance of the digital I&C system.
  • Incorporates lessons learned from previous operating reactor and new reactor reviews.
  • Supports expanded use of defensive measures to address digital I&C CCFs.

BTP 7-19, Revision 8 (2021)


Design Review Guide (DRG)

  • Based on the non-LWR licensing framework in RG 1.233.
  • DRG Section X.2.2.1.3, Diversity in Support of Defense-in-Depth to Address CCFs, provides risk-informed and performance-based guidance for addressing CCFs for non-LWR digital I&C designs.
  • Guidance follows the policy (although it does not directly reference the SRMs).
  • Can also be used for the review of LWR digital I&C applications.

Design Review Guide (2021)

Regulatory Guide (RG) 1.233 includes specific acceptance criteria on risk significance, frequency-consequence targets, and defense-in-depth as part of the systematic risk-informed and performance-based approach.

SECY-22-0076 and SRM-SECY-22-0076

  • Expand the policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth, including not providing any diverse automatic actuation of safety functions.
  • The policy applies independently of the licensing pathway or reactor technology.
  • Allows applicants to propose a different approach to independent and diverse MCR displays and manual controls.

SECY-22-0076 (2022)


SRM-SECY-22-0076 (2023)

The policy prior to 2023 will continue to remain a valid option for licensees and applicants.

The acceptance criteria for risk-informed approaches for digital I&C CCFs will be consistent with established NRC practices and guidance for risk-informed decision-making.

SRM-SECY-22-0076, Point 1

The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.

The defense-in-depth and diversity assessment must be commensurate with the risk significance of the proposed digital I&C system.


SRM-SECY-22-0076, Point 2

In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both.

When using best-estimate methods, the applicant must demonstrate adequate defense in depth and diversity within the facility's design for each event evaluated in the accident analysis section of the safety analysis report.


SRM-SECY-22-0076, Point 2 (continued)

When using a risk-informed approach, the applicant must include an evaluation of the approach against the Commission's policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis; RG 1.233, Guidance for a Technology-inclusive, Risk-informed, and Performance-based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors).


SRM-SECY-22-0076, Point 3

The defense-in-depth and diversity assessment must demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant must demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs must be commensurate with the risk significance of each postulated CCF.


SRM-SECY-22-0076, Point 3 (continued)

A diverse means that performs either the same function or a different function is acceptable to address a postulated CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.

If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means must be provided.


SRM-SECY-22-0076, Point 4

Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) must be provided for manual, system-level actuation of risk-informed critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above. The applicant may alternatively propose a different approach to this point in the policy if the plant design has a commensurate level of safety.


BTP 7-19, Revision 9

  • Provides review guidance for an application that uses a risk-informed D3 assessment.
  • Provides review guidance for design techniques or mitigation measures other than diversity.
  • Provides review guidance for applications that propose a different approach to independent and diverse MCR displays and manual controls.


BTP 7-19, Revision 9 (2024)


Design Review Guide (DRG)

  • Although issued prior to the updated policy, RG 1.233 and the DRG can be used to address potential CCFs in an integrated, risk-informed and performance-based manner that meets the overall intent of SRM-SECY-22-0076.

Design Review Guide (2021)

US NRC's Policy to Address Digital I&C CCFs

The deterministic path requires the use of best-estimate methods for performing the D3 assessment, and the use of diverse means to address a potential digital I&C CCF.

The risk-informed path allows for the use of risk-informed approaches for performing the D3 assessment, and the use of design techniques or mitigation measures other than diversity to address a potential digital I&C CCF.

Updated CCF Policy (flow diagram):

  • Point 1: Perform a D3 assessment.
  • Deterministic path: Point 2, best-estimate methods; Point 3, diverse means.
  • Risk-informed path: Point 2, risk-informed approach; Point 3, design techniques or mitigation measures.
  • Point 4: Independent and diverse displays and manual controls.

Methods for Addressing Digital I&C CCFs

  • Methods for addressing systematic CCFs in digital I&C systems and components typically fall within the following categories:
    • Eliminate the potential for CCF from further consideration
    • Mitigate the consequences of a CCF
    • Use of risk-informed approaches
    • Accept the consequences of a CCF

Methods for Addressing Digital I&C CCFs (category, method name and description)

Category: Eliminate the Potential for CCF

  • Internal Diversity: If sufficient diversity exists within the protection system, then vulnerabilities to CCF can be considered to be appropriately addressed without further action.
  • Thorough Testing (Simple Design): A system is sufficiently simple such that every possible combination of inputs and every possible sequence of device states are tested, and all outputs are verified for every case.
  • Alternative Methods: Design techniques, prevention measures, or mitigation measures other than diversity and testing may be credited if adequately justified.
  • Qualitative Assessment and Failure Analysis: For low safety significance systems or components, a qualitative assessment and failure analysis showing that the likelihood of failure is sufficiently low can be used to eliminate a CCF from further consideration.
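The "thorough testing (simple design)" method only works when the design is small enough to enumerate completely. The following Python is an added illustration, not code from the presentation or from the NRC: it models a constructed 2-out-of-4 coincidence trip with a seal-in latch and manual reset, explores every reachable device state under every input combination, and checks each output against an independently written specification. A deliberately wrong variant (reset overriding a live trip demand) shows the exhaustive check catching a defect. The trip logic, the specification and all names are assumptions made for the example.

```python
"""Exhaustive verification of a deliberately simple trip logic (added example).

The device has one bit of state (the seal-in latch) and five Boolean inputs
(four channel trips plus reset), so 2 states x 32 inputs = 64 cases cover it
completely. Because the device is deterministic, checking every (reachable
state, input) pair also covers every possible sequence of device states.
"""
from collections import deque
from itertools import product

N_CHANNELS = 4
COINCIDENCE = 2  # constructed 2-out-of-4 voting


def trip_logic(latched: bool, channels: tuple, reset: bool) -> tuple:
    """One scan of the device. Returns (new_latched, trip_output).

    Demand = at least COINCIDENCE channels tripped. The trip output seals in
    and is released only by reset when no demand is present.
    """
    demand = sum(channels) >= COINCIDENCE
    trip = demand or (latched and not reset)
    return trip, trip


def trip_logic_reset_override(latched: bool, channels: tuple, reset: bool) -> tuple:
    """Constructed defective variant: reset clears the output even while a
    trip demand is present. Used only to show the check finding a fault."""
    demand = sum(channels) >= COINCIDENCE
    trip = (not reset) and (demand or latched)
    return trip, trip


def spec_trip(latched: bool, channels: tuple, reset: bool) -> bool:
    """Independent (oracle) statement of the required output."""
    demand = sum(channels) >= COINCIDENCE
    if demand:
        return True            # safety: a demand always produces a trip
    if latched and not reset:
        return True            # seal-in: trip is held until reset
    return False


def all_inputs():
    """Every combination of the four channel bits and the reset input."""
    for channels in product((0, 1), repeat=N_CHANNELS):
        for reset in (False, True):
            yield channels, reset


def exhaustive_check(logic=trip_logic) -> dict:
    """Breadth-first exploration of reachable states; every input is applied
    in every reachable state and the output compared with spec_trip."""
    start = False              # latch clear at power-up
    seen = {start}
    queue = deque([start])
    cases = 0
    failures = []
    while queue:
        state = queue.popleft()
        for channels, reset in all_inputs():
            new_state, out = logic(state, channels, reset)
            cases += 1
            if out != spec_trip(state, channels, reset):
                failures.append((state, channels, reset, out))
            if new_state not in seen:
                seen.add(new_state)
                queue.append(new_state)
    return {"states": len(seen), "cases": cases, "failures": failures}


if __name__ == "__main__":
    for name, logic in (("trip_logic", trip_logic),
                        ("trip_logic_reset_override", trip_logic_reset_override)):
        r = exhaustive_check(logic)
        print(f"{name}: {r['states']} reachable states, {r['cases']} cases, "
              f"{len(r['failures'])} spec violations")
```

The point of the oracle is that `spec_trip` is written from the requirement, not copied from the implementation; the exhaustive run then asks whether the two agree in every reachable case. Adding a second bit of state (a second latch, a timer) doubles the case count, which is why the method is credited only for simple designs.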

Methods for Addressing Digital I&C CCFs (continued)

Category: Mitigate the Consequences of a CCF

  • Existing Diverse Equipment: An existing system or equipment is used to perform the diverse or different function to mitigate the loss of the safety function performed by the digital I&C system during a Design Basis Event (DBE).
  • Diverse Manual Operator Action (MOA): Actions that can be reasonably taken by operators to identify CCFs and mitigate consequences within a realistic timeframe during a DBE.
  • Diverse Actuation System (DAS): Independent and diverse system that can activate protection systems if the primary system fails during a DBE. The DAS can be based on a system that is not safety-related, if it is of sufficient quality. The DAS technology used can be analog or digital.

Category: Use of Risk-Informed Approaches

  • Design Techniques, Prevention Measures or Mitigation Measures, other than Diversity: A risk-informed approach that assesses the risk of CCF vulnerabilities and applies design techniques, prevention measures, or mitigation measures commensurate with the risk significance of the postulated CCF.

Category: Accept the Consequences of a CCF

  • Consequence Calculation: Consequence models, using best-estimate methodologies or conservative methods, that demonstrate that the facility will remain within the acceptable criteria for CCFs concurrent with DBEs and anticipated operational occurrences.

Risk-Informing Approaches

Risk-informed approaches are between risk-based and purely deterministic approaches.

A risk-informed approach enhances the deterministic approach by:

  a) allowing explicit consideration of a broader set of potential challenges to safety,
  b) providing a logical means for prioritizing these challenges based on risk significance, operating experience, and/or engineering judgment,
  c) facilitating consideration of a broader set of resources to defend against these challenges,
  d) explicitly identifying and quantifying sources of uncertainty in the analysis, and
  e) leading to better decision-making by providing a means to test the sensitivity of the results to key assumptions.

Source: https://www.nrc.gov/docs/ML0037/ML003753601.pdf

Risk-Informed D3 Assessment Process

  1. Identify each postulated CCF.
  2. Address the CCF using a risk-informed approach:
    • Determine the risk significance of the CCF.
    • Determine appropriate means to address the CCF.
    • Determine consistency with NRC policy and guidance on risk-informed decision-making.
    • Model the CCF in the Probabilistic Risk Assessment (PRA) model.
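The steps "determine the risk significance of the CCF" and "model the CCF in the PRA model" are easiest to see with numbers. The following Python is an added example, not from the presentation or from any NRC document: it applies the beta-factor parametric CCF model (a standard PRA convention in which a fraction beta of each channel's failure probability is treated as common to all channels at once) to a constructed 2-out-of-4 actuation function. It shows why redundant identical channels do little against a systematic CCF, how a diverse means that is not subject to the same CCF changes the result (the documented basis that SRM-SECY-22-0076 point 3 asks for), and how a sequence's contribution to core damage frequency is screened against a threshold. The channel failure probabilities, initiating-event frequency and screening threshold are constructed inputs, not plant data or NRC acceptance criteria; all function and parameter names are assumptions.

```python
"""Beta-factor CCF model for a constructed 2-out-of-4 actuation function (added example).

Per channel failure probability q is split into an independent part (1-beta)*q
and a common-cause part beta*q that fails every channel together. The numbers
in __main__ are constructed illustrations only.
"""
from math import comb


def prob_at_least(n: int, k: int, p: float) -> float:
    """P(at least k of n identical, independent channels fail), each with probability p."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j) for j in range(k, n + 1))


def loss_of_function(q: float, beta: float, n: int = 4, needed: int = 2) -> dict:
    """Probability the actuation function is lost on demand.

    q       total failure probability per channel (per demand)
    beta    fraction of q attributed to a common-cause (systematic) failure
    n       number of redundant channels
    needed  channels that must work for the function to succeed (2-of-4 voting)
    """
    q_ind = (1 - beta) * q
    q_ccf = beta * q
    # Independent failures alone lose the function when fewer than `needed`
    # channels survive, i.e. when at least n - needed + 1 channels fail.
    p_ind = prob_at_least(n, n - needed + 1, q_ind)
    # Either the common-cause event occurs, or it does not and enough
    # independent failures line up.
    total = q_ccf + (1 - q_ccf) * p_ind
    return {"independent": p_ind, "ccf": q_ccf, "total": total}


def with_diverse_means(p_loss: float, p_diverse: float) -> float:
    """Loss of the safety function when a diverse means backs up the digital
    system. Assumes the diverse means is not subject to the same CCF, so the
    two failures are independent; that independence is the documented basis
    the assessment has to provide."""
    return p_loss * p_diverse


def cdf_contribution(initiator_freq: float, p_loss: float) -> float:
    """Core damage frequency contribution of one sequence: initiating-event
    frequency (per year) times the probability the function is lost, taking
    loss of the function as leading to core damage (a conservative simplification)."""
    return initiator_freq * p_loss


def risk_significant(contribution: float, threshold: float) -> bool:
    """Screening decision against a caller-supplied threshold (per year)."""
    return contribution >= threshold


if __name__ == "__main__":
    q, beta = 1e-3, 0.1                    # constructed channel values
    r = loss_of_function(q, beta)
    print(f"independent-only loss of function: {r['independent']:.2e}")
    print(f"common-cause term:                 {r['ccf']:.2e}")
    print(f"total loss on demand:              {r['total']:.2e}")
    freq = 0.1                              # constructed initiator frequency, per year
    base = cdf_contribution(freq, r["total"])
    backed = cdf_contribution(freq, with_diverse_means(r["total"], 1e-2))
    threshold = 1e-6                        # constructed screening value, per year
    print(f"CDF contribution without diverse means: {base:.1e}/yr "
          f"(risk significant: {risk_significant(base, threshold)})")
    print(f"CDF contribution with diverse means:    {backed:.1e}/yr "
          f"(risk significant: {risk_significant(backed, threshold)})")
```

With the constructed values the common-cause term is several orders of magnitude above the independent term, so adding more identical channels would not move the result; only a means outside the common cause does. In a real assessment the CCF parameters come from the plant PRA and operating-experience data, and the screening compares the change in risk with the Commission's risk-informed decision-making guidance rather than a fixed number.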

Examples of Approved Methods (examples, methods credited, summary description)

Oconee (Reactor Protection System & Engineered Safety Features Actuation System)
  • Methods credited: Existing Equipment; Manual Operator Action; Diverse Actuation System; Consequence Calculation
  • Summary: Anticipated Transient Without Scram (ATWS) equipment and MOA credited for most safety functions. Diverse manual controls added to support MOAs. Two automatic DAS added for High Pressure Injection and Low Pressure Injection. Use of analog DAS was a design choice by the licensee.

Diablo Canyon (Reactor Protection System & Engineered Safety Features Actuation System)
  • Methods credited: Internal Diversity; Existing Equipment
  • Summary: The safety system design is composed of two diverse digital platforms, which allowed for crediting internal diversity. Existing diverse systems, including ATWS, were credited.

NuScale (Reactor Protection System & Engineered Safety Features Actuation System)
  • Methods credited: Internal Diversity; Consequence Calculation
  • Summary: Internal diversity was credited, where the Field Programmable Gate Arrays (FPGAs) used for two divisions were diverse from the FPGAs in the other two divisions.

AP1000 & APR1400 (Integrated Control and Protection System)
  • Methods credited: Diverse Actuation System; Manual Operator Action; Consequence Calculation
  • Summary: AP1000 - FPGA-based DAS with hardwired system-level manual controls on a separate panel. The MOA capability within the DAS is credited for a few safety functions such as initiating the automatic depressurization system. APR1400 - FPGA-based Automatic Diverse Protection System that initiates three automatic functions. One manual reactor trip function is also credited. An FPGA-based diverse indication system is included to display plant parameters during a CCF on the safety-related displays.

Waterford (Core Protection Calculator System)
  • Methods credited: Existing Equipment
  • Summary: Existing diverse systems, including ATWS, were credited.

Hope Creek & Browns Ferry (Power Range Neutron Monitoring System)
  • Methods credited: Manual Operator Action
  • Summary: Existing MOAs credited.

Wolf Creek (Main Steam & Feedwater Isolation System)
  • Methods credited: Internal Diversity
  • Summary: Internal diversity among the different channels of the system was credited, where the software algorithms used to program two channels were different from the ones used for the other two channels.

Summary

  • The U.S. NRC policy for addressing systematic CCFs of digital I&C goes back to 1993.
  • The previous policy has been effectively used to license digital I&C systems in nuclear power plants, but it required a diverse means of actuation if a CCF could disable a safety function.
  • In May 2023, the Commission approved the staff's recommendation to expand the policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth for high safety significance systems.
  • Approved methods to address a CCF include elimination, mitigation, risk-informed approaches, and acceptance of the consequences.

Acronyms

  • ATWS: Anticipated Transient Without Scram
  • BTP: Branch Technical Position
  • CCF: Common Cause Failure
  • CFR: Code of Federal Regulations
  • D3: Defense-in-Depth and Diversity
  • DAS: Diverse Actuation System
  • DBE: Design Basis Event
  • DI&C: Digital Instrumentation and Control
  • DRG: Design Review Guide
  • ESFAS: Engineered Safety Features Actuation System
  • FPGA: Field Programmable Gate Array
  • GDC: General Design Criteria
  • IAEA: International Atomic Energy Agency
  • I&C: Instrumentation and Control
  • LWR: Light-Water Reactor
  • MCR: Main Control Room
  • MOA: Manual Operator Action
  • NRC: Nuclear Regulatory Commission
  • PRA: Probabilistic Risk Assessment
  • RG: Regulatory Guide
  • RIDM: Risk-Informed Decision-Making
  • SECY: Commission Paper
  • SRM: Staff Requirements Memorandum

References

  • SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, April 1993 (ML003708056)
  • SRM-SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, July 1993 (ML18145A018)
  • SECY-18-0090, Plan for Addressing Common Cause Failure in Digital Instrumentation and Controls, September 2018 (ML18179A066)
  • BTP 7-19, Revision 8, Review of NUREG-0800, Branch Technical Position 7-19, Guidance for Evaluation of Defense in Depth and Diversity to Address Common Cause Failure Due to Latent Design Defects in Digital Safety Systems, Revision 8, December 2020 (ML20339A647)
  • SECY-22-0076, Expansion of Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems, August 2022 (ML22193A290)
  • Supplement to SECY-22-0076, Expansion of Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems, January 2023 (ML22357A037)
  • SRM-SECY-22-0076, Expansion of Current Policy on Potential Common Cause Failures in Digital Instrumentation and Control Systems, May 2023 (ML23145A181 and ML23145A182)
  • RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors, June 2020 (ML20091L698)
  • Design Review Guide (DRG): Instrumentation And Controls for Non-light-water Reactor (Non-LWR) Reviews, February 2021 (ML21011A140)
  • Summary of Previous D3 Assessments for Digital Systems, April 4, 2019 - Public Meeting on BTP 7-19 Revision (ML19092A403)