SECY-22-0076, NRC Presentation 10-20-2022 CCF Public Meeting with Backup Slides

{{Adams
| number = ML22297A213
| issue date = 10/24/2022
| title = NRC Presentation 10-20-2022 CCF Public Meeting with Backup Slides
| author name = Jain B
| author affiliation = NRC/NRR/DORL/LPL4
| addressee name =
| addressee affiliation =
| docket =
| license number =
| contact person =
| case reference number = SECY-22-0076
| document type = Meeting Briefing Package/Handouts, Slides and Viewgraphs
| page count = 1
}}
 
=Text=
{{#Wiki_filter:SECY-22-0076, Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems
Public Meeting, October 20, 2022
 
Presentation Outline
* Recent Activities and Current Status
* Purpose of Today's Meeting
* Staff Key Messages
* Summary of Proposed Expanded Policy
* Staff Position on ACRS Questions
* Point 4 Applicability and Clarifications
* Open Dialogue with Stakeholders
 
Recent Activities and Current Status
* The staff issued SECY-22-0076 on August 10, 2022, proposing an expansion to the digital instrumentation and control (DI&C) common cause failure (CCF) policy contained in the Staff Requirements Memorandum (SRM) to SECY-93-087
* The Nuclear Energy Institute (NEI) provided a letter to the NRC on August 26, 2022, providing comments on the staff's position contained in the SECY on diverse and independent main control room displays and manual controls
* The staff and NEI briefed the Advisory Committee on Reactor Safeguards (ACRS) DI&C Subcommittee on September 23, 2022, and the staff is scheduled to brief the full ACRS on November 1, 2022
* The SECY is currently under Commission review and the Commission will provide its direction to the staff through a Staff Requirements Memorandum
 
Purpose of Today's Meeting
The staff will use today's meeting to:
: 1) Summarize the expanded policy contained in SECY-22-0076
: 2) Share the staff's position on questions received from the ACRS
: 3) Share the staff's position on diverse and independent main control room displays and manual controls, i.e., Point 4
: 4) Conduct an open dialogue with stakeholders to hear their perspectives
 
Staff Key Messages
* The proposed expanded policy in SECY-22-0076 encompasses the current four points of SRM-SECY-93-087 (with clarifications) and expands the use of risk-informed approaches in points 2 and 3.
* Points 1-3 and Point 4 of the policy address two facets needed to ensure safe operation of the plant:
    - Points 1-3 ensure DI&C systems are sufficiently robust to adequately cope with CCF
    - Point 4 ensures operators can manually control critical safety functions even in the event of a DI&C CCF
* Point 4 incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
* The expanded policy is intended to be technology neutral and applies to any reactors (including non-light-water reactors) licensed under 10 CFR Parts 50 and 52.
* The staff acknowledges that the critical safety functions listed in SRM-SECY-93-087, SECY-22-0076 and Branch Technical Position (BTP) 7-19 (i.e., reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) may not be the appropriate set for all reactor designs
* The SECY provides for existing regulatory tools (exemptions and alternatives), if necessary, to accommodate for reactor designs with different critical safety functions
* If the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
 
Summary of Proposed Expanded Policy
Proposed Expanded Policy to Address Digital I&C CCFs
* Point 1: SRM-SECY-93-087, Point 1 (Clarified); applies to both the Current Path and the Risk-Informed Path
* Point 2:
** Current Path: SRM-SECY-93-087, Point 2 (Clarified)
** Risk-Informed Path: Point 2 Risk-Informed Approach
* Point 3:
** Current Path: SRM-SECY-93-087, Point 3 (Clarified)
** Risk-Informed Path: Point 3 Risk-Informed Approach
* Point 4: SRM-SECY-93-087, Point 4 (Clarified); applies to both the Current Path and the Risk-Informed Path
The Current Path allows for the use of best estimate analysis and diverse means to address a potential DI&C CCF. The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential DI&C CCF.
 
Staff Positions on ACRS Questions
ACRS Question 1: Would the revised policy be applicable to advanced reactors?
Answer: The proposed expanded policy would apply to requests for all nuclear power plant types licensed under 10 CFR Part 50 and 10 CFR Part 52, including advanced reactors.
ACRS Question 2: Do aspects of the policy for which the staff did not request a change carry forward unaltered?
Answer: Yes.
ACRS Question 3: Might different reactor types warrant consideration of different critical safety functions?
Answer: While the expansion of the policy is intended to be technology neutral, it relies on the staff's licensing experience to date and assumptions about the design of the facility, such as the presence of a main control room. The staff acknowledges that the critical safety functions listed in the SECY and BTP 7-19 (reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) may not be the appropriate set for all reactor designs. The staff has existing regulatory tools (exemptions and alternatives), if necessary, to accommodate designs with different critical safety functions and, if the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
 
Applicability of Point 4
Point 4 only applies to:
* The critical safety functions performed by the digital I&C system.
Point 4 does not apply to:
* All safety functions performed by the digital I&C system.
* Critical safety functions not performed by the digital I&C system.
[Figure: nested sets. "Plant Safety Functions" contains "Plant Critical Safety Functions" (reactivity control, core heat removal, reactor coolant inventory, containment isolation, containment integrity); "Functions Performed by the Digital I&C System" overlaps both; the "Scope of Point 4" is the overlap of the critical safety functions with the functions performed by the digital I&C system. Caption: The diverse manual controls and displays for critical safety functions ensure the safety of the facility.]
 
Staff's Position on Diverse and Independent Main Control Room Displays and Manual Controls
* In SECY-93-087, the staff recommended that safety-grade displays and controls located in the main control room and hardwired to the lowest level of the safety computer system architecture, be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions and that the displays and controls should be independent and diverse from the safety computer system identified in Points 1 and 3 of the policy.
* The staff recommended this because such controls and displays provide the plant operators with unambiguous information and control capabilities to enable the operators to expeditiously mitigate the effects of the postulated common-cause software failure of the digital safety I&C system. The control room would be the center of activities to safely cope with the event, which could also involve the initiation and implementation of the plant emergency plan. The design of the plant should not require operators to leave the control room for such an event.
 
Staff's Position on Diverse and Independent Main Control Room Displays and Manual Controls (continued)
* While the Commission's Staff Requirements Memorandum to SECY-93-087 modified the policy to permit non-safety grade displays and controls and more flexible architectural implementation, the Commission supported the staff's recommendation on diverse displays and controls, and the staff continues to believe this position remains appropriate for critical safety functions to provide reasonable assurance of adequate protection.
* Point 4 incorporates an implicit element of risk-informing as it focuses only on those critical safety functions needed to ensure the safety of the facility.
* Requests for exemptions (under 10 CFR 50.12 or 52.7) or alternatives (under 10 CFR 50.55a(z)) provide avenues for applicants to request a deviation from the regulations based on risk information on a case-by-case basis.
* If the staff encounters a reactor design where the policy would not be applicable, the staff will engage the Commission as appropriate.
 
SECY-22-0076: Addressing DI&C CCFs & Ensuring the Ability to Perform Manual Actions
Points 1-3 and Point 4 address two facets needed to ensure the safe operation of the plant.
Protection against DI&C CCFs (Points 1-3):
* Point 1 - Perform a D3 Assessment
* Point 2 - Ways of performing the assessment
* Point 3 - Ways of addressing a postulated DI&C CCF
Allow operators to take manual actions to cope with the loss of a safety function when needed, after a DI&C CCF (Point 4):
* Point 4 - Diverse displays and manual controls for critical safety functions
* If not addressed, a DI&C CCF can affect both the DI&C system and the manual controls and displays
* The four points when taken together provide criteria for the assessment of diversity and defense in depth against CCF, and ensure DI&C CCFs do not:
        - Defeat safety functions (Points 1-3)
        - Impede operators' ability to take manual actions when needed (Point 4)
 
Open Dialogue with Stakeholders

Acronyms
* BTP - Branch Technical Position
* CCF - Common Cause Failure
* D3 - Defense-in-Depth and Diversity
* DI&C - Digital Instrumentation and Control
* ESFAS - Engineered Safety Features Actuation System
* GDC - General Design Criteria
* I&C - Instrumentation and Control
* NEI - Nuclear Energy Institute
* NRC - Nuclear Regulatory Commission
* PRA - Probabilistic Risk Assessment
* RG - Regulatory Guide
* RPS - Reactor Protection System
* SAR - Safety Analysis Report
* SECY - Commission Paper
* SRM - Staff Requirements Memorandum
 
Backup Slides

SECY-22-0076: Point 1
The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.
The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
 
SECY-22-0076: Point 2
In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk-informed approach.
When using best-estimate methods, the applicant shall demonstrate adequate defense in depth and diversity within the facility's design for each event evaluated in the accident analysis section of the safety analysis report.
When using a risk-informed approach, the applicant shall include an evaluation of the approach against the Commissions policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision making (e.g., Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk Informed Decisions on Plant Specific Changes to the Licensing Basis).
 
SECY-22-0076: Point 3
The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF.
A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.
If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.
 
SECY-22-0076: Point 4
Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address Point 3, above.
 
IEEE Std 279
* 4.17 Manual Initiation. The protection system shall include means for manual initiation of each protective action at the system level (for example, reactor trip, containment isolation, safety injection, core spray, etc). No single failure, as defined by the note following Section 4.2, within the manual, automatic, or common portions of the protection system shall prevent initiation of protective action by manual or automatic means. Manual initiation should depend upon the operation of a minimum of equipment. [emphasis added]
* 4.20 Information Read-Out. The protection system shall be designed to provide the operator with accurate, complete, and timely information pertinent to its own status and to generating station safety. The design shall minimize the development of conditions which would cause meters, annunciators, recorders, alarms, etc, to give anomalous indications confusing to the operator.
 
IEEE Std 603-1991
* 6.2 Manual Control
* 6.2.1 Means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1. [emphasis added]
}}

Latest revision as of 02:04, 12 December 2022