ML22349A648: Difference between revisions

(StriderTol Bot change)


=Text=
{{#Wiki_filter:Risk Management Committee Meeting PWROG Meeting: December 14, 2022
{{#Wiki_filter:Risk Management Committee Meeting PWROG Meeting: December 14, 2022 Mike Franovich, Director Division of Risk Assessment Office of Nuclear Reactor Regulation 1


2 AGENDA
* FRIAS Afterthoughts and Path Forward/Ideas
* PRA Configuration Control Tabletops: Perspectives Thus Far - The Good & The Opportunities & The Inspection Ideas
* SPAR: KM/KT
* Digital I&C Initiative Status


3 FRIAS Afterthoughts and Path Forward/Ideas Mike Franovich, Division Director, DRA


4


5 Risk-Informing Aging Management
* The staff's audit of industry's proposed risk-informed Selective Leaching Aging Management Program (AMP) is complete, and the audit report is in preparation (to be issued in December or January)
* The audit was valuable in establishing a better understanding of the technical bases of the proposal, and the staff appreciates industry's support of the audit discussions and information requests
* The audit revealed several areas of common understanding, or areas with promising paths to resolution; however, some issues remain to be resolved prior to incorporating the AMP (or some version of it) into staff guidance
* The staff looks forward to additional engagement with the industry to successfully incorporate risk insights in the Selective Leaching AMP


6 PRA Configuration Control Table-Top:
Perspectives Thus Far - The Good, The Opportunities, and The Inspection Ideas Antonios Zoulis, PRA Oversight Branch, DRA


7 Key Messages
* The existing oversight process is adequate to ensure implementation of programs informed by PRA models.
* However, we believe that there is a current gap in the oversight of PRA Configuration Control programs.
* A balanced approach of focused inspections/safety enhancements within the existing ROP baseline inspection program of PRA changes and upgrades are being proposed to monitor appropriate implementation of configuration control programs for licensee PRA models that support risk-informed decision-making.


8 Key Messages (Cont'd)
* PRA Configuration Control framework will be informed and developed by the NRC working group recommendations, based on the information gathering and guidance development efforts, as well as with industry and the public through multiple public meetings.
* All eight tabletops have been completed:
- Based on the reviews conducted to date, NRC staff have confirmed licensees are meeting the consensus standard but identified several observations on how licensees are implementing their programs
- Based on the team's findings and observations of all eight tabletops, the team will propose recommendations to enhance oversight activities for management approval
- The approach we are taking in addressing this initiative demonstrates our commitment to our principles of good regulation of openness.


9 High-Level Plan ROP Change Control Process Conduct Tabletops Finalize Information Gathering Needs Refine guidance and share PRA Configuration Control Framework recommendations for feedback


10 Overall Plan
* Conducted 2 public meetings (February & April 2022)
* Identify and select eight facilities for table-tops/site visits (May 2022)
* Begin table-tops/site visits at facilities (July 2022)
* Complete assessment of information gathered via site visits and guidance development effort (December 2022)
* Brief NRR management on final recommendations of effort (March 2023)
* Discuss findings at ROP monthly public meeting (May 2023)
* Discuss any feedback at ROP Monthly public meeting (June 2023)
* Enter ROP change control process (July 2023)
* Revise Tier 2 inspection guidance (December 2023)


11 The Good
* Understanding of Licensees PRA Configuration Control Programs
- Monitoring of Engineering Changes
* Exercise potential inspection guidance with licensees PRA staff
* Representative picture of PRA Configuration Control program implementation
* Licensees support, responsiveness, and feedback


12 The Opportunities
* PRA Configuration Control (PCC) vs. Peer Review Process:
- PCC inspection will have an element of technical adequacy as part of effort per ASME standard
- Through the course of a change review of PCC implementation, plant representation will remain a priority
- PCC Upgrades, if selected, will be based on F&O reviews


13 The Opportunities, Cont'd Implementation of PCC Under Existing Regulatory Framework (Not Appendix B)
Potential Program Vulnerabilities:
* (One) Knowledge based program w/ inconsistent implementation
* (General) Operations, Maintenance and Industry-Wide Operational History monitoring, less formal than Engineering Changes
Observations:
* (General) RG 1.200 Rev 3, Upgrade definition not incorporated
* (One) Generic data update not completed since 2010, last data update 2016. Approved: SFCP, RICT, 50.69
* (One) Industry Wide Operating Experience (i.e., OPC) impact on Initiating Events Technical Element not evaluated
* Implementation: HRA pre - post initiators, data analysis, system analysis, initiating events


14 Inspection Enhancement - Initial Thoughts
Three possible ideas (So-Far):
- Comprehensive Engineering Team Inspection (CETI)
(Internal Events, Internal Flooding & Other Approved Hazards)
* Focused Engineering Inspection (FEI) Internal Fire
- Resident Inspector Baseline Procedures. All hazards.
- Standalone IMC 2515 Appendix C, Infrequent Inspection.
All hazards.


15 SPAR - KM/KT Antonios Zoulis, DRA


16 Updating & Benchmarking SPAR Models
Benchmarking against the licensees models allows the SPAR models to reflect the as-built, as-operated plants
Increased use of risk insights highlights the need to maintain the plant-specific PRA tools to support licensing and inspection activities
Differences due to outdated models could lead to additional time/resource needed during oversight or licensing
Voluntarily provide PRA information to support INL and NRC updating of the SPAR models
Contact Selim Sancaktar (Selim.Sancaktar@nrc.gov) or Ching Ng (Ching.Ng@nrc.gov)


17 SPAR Models Update
FY2021
* Model update completed for Brunswick 1, Brunswick 2, Riverbend, Grand Gulf, Davis-Besse, Beaver Valley 1, Beaver Valley 2.
* Added Fire & Internal Flooding Hazards: Brunswick 1
* Added Internal Flooding Hazard: Brunswick 2, Riverbend
* Completed Vogtle 1&2
FY2022
* Model update completed for Diablo Canyon, Comanche Peak, South Texas Project, Harris, Monticello.
* Added Internal Flooding Hazard: Davis-Besse
* Incorporated 2020 INL Industry Average Parameters Estimates into all SPAR Models


18 SPAR-DASH
Make risk information accessible to all NRC staff
Gather key risk results in an easy-to-use interactive dashboard
Remove barriers and support communication of risk insights
Support Be RiskSMART and our path to becoming a modern, risk-informed regulator


19 Assess events & hazards
Plant-to-plant comparison
Ranking risk importance
Off-normal conditions
Periodic update


20 Status of Digital I&C Initiative: Regulatory and Technical Challenges in Risk-Informing Sunil Weerakkody, Senior Level Advisor NRR/DRA


21 OUTLINE
Changing the Policy and Regulatory Framework
Modeling Computer-Based Systems/Digital I&C Systems in PRA Models
Modeling Software Failures within the Computer-Based/Digital I&C Systems


22 SRM-SECY-93-087 - Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor Designs
1.I.E Fire Protection
2.I.F Intersystem LOC
6.I.J Containment Performance
17 II.N. Site-Specific PRA and Analysis of External Events
: 18. Q. Defense Against Common-Mode Failures in Digital I&CS


23 SRM-SECY-93-087 - II. Q
Point 1: assess the defense-in-depth and diversity of the proposed I&C system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.
Point 2: analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best estimate methods
Point 3: If a postulated common-mode failure could disable a safety function, then a diverse means with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function
Point 4: A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.


24 Summary of Proposed Expanded Policy
Proposed Expanded Policy to Address Digital I&C CCFs
Current Path: The Current Path allows for the use of best estimate analysis and diverse means to address a potential DI&C CCF
Risk-Informed Path: The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential DI&C CCF
Point 1 SRM-SECY-93-087, Point 1 (Clarified)
Point 2 SRM-SECY-93-087, Point 2 (Clarified)
Point 2 Risk-Informed Approach
Point 3 SRM-SECY-93-087, Point 3 (Clarified)
Point 3 Risk-Informed Approach
Point 4 SRM-SECY-93-087, Point 4 (Clarified)


25 SECY-22-0076 (Under Commission Review) 1)
The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed. The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
2)
In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk-informed approach. When using best-estimate methods, the applicant shall demonstrate adequate defense in analysis section of the safety analysis report. When using a risk-informed approach, the applicant shall include an evaluation of the approach against policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174 An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis).


26 SECY-22-0076 (Under Commission Review)(Cont'd.)
3)
The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF. A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation. If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.
4)
Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e.,
unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above. The recommended expanded policy for digital I&C CCFs would apply to requests for new or amended licenses and design approvals, for all nuclear power plant types, under 10 CFR Part 50 and 10 CFR Part 52. The expansion of the policy is intended to be technology neutral but relies on assumptions about the design of the facility, such as the presence of a main control room. Therefore, if the staff encounters a design where the policy would not be applicable, the staff will engage the Commission as appropriate.


27 Recent Activities and Current Status
August 10, 2022: The staff issued SECY-22-0076
September 23, 2022: The staff and NEI briefed ACRS subcommittee
November 1, 2022: The staff briefed the full ACRS on November 1, 2022
The SECY is currently under Commission review.


28 Modeling Computer-Based/Digital I&C Systems
What needs to be done to appropriately model the systems?
How do you model at a sufficient level of detail in the PRA model?
What are the challenges that the PRA community may encounter in modeling Computer-Based/Digital I&C systems, and how could they be effectively addressed to meet short-term needs? Longer-term needs?


29 What Needs to be Modeled?
ASME/ANS RA-Sa-2009, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications. (Endorsed via RG 1.200)?
ASME/ANS RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants. (Endorsed via RG 1.247)?
NRC Standard Review Plan Section 19.0 PRA and Severe Accident Evaluation for New Reactors. (ADAMS Accession No. ML15089A068)?
DI&C/COL-ISG-003, Review of Digital I&C PRA Interim Guidance, (ADAMS Accession No. ML080570048)?


30 References Relating to Modeling Computer-Based/Digital I&C Systems
IAEA Draft Safety Guide DS 523, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants (Draft in Preparation):
- Consider risk significance to decide the required level of modeling details.
- Include dependencies (e.g., hardware, operator interfaces, spatial)
- Consider hardware and software
- Have an acceptable method/goal to model software CCF
- and more
OECD/NEA, Failure Modes Taxonomy for Reliability Assessment of Digital Instrumentation and Control Systems for Probabilistic Risk Analysis, NEA/CSNI/R(2014)16, Paris (2015).
IAEA Nuclear Energy Series, No. NP-T-3.27, Dependability Assessment of Software for Safety Instrumentation and Control Systems at Nuclear Power Plants, IAEA, Vienna (2018).
IAEA, Design of Instrumentation and Control Systems for Nuclear Power Plants, IAEA Specific Safety Guide SSG-39, IAEA, Vienna (2016)


31 What challenges would you encounter and how would you effectively address them?
Software failure probabilities
Software CCF probabilities
Set realistic goals
Develop a conservative upper bound sufficient to use risk-informed approaches in design reviews (assuming Commission approves proposed policy change)?
Develop an upper bound sufficient to support PRA configuration control?
Estimate a realistic failure probabilities to support other risk-informed initiatives?
Workshop on Philosophical Basis for Incorporating Software Failures in Probabilistic Risk Assessment (ADAMS No. ML092780607) https://www.nrc.gov/about-nrc/regulatory/research/digital.html#2


32}}
32 Questions?}}

Latest revision as of 11:51, 27 November 2024

PWROG Risk Management Committee Meeting Dec 2022
ML22349A648
Person / Time
Issue date: 12/14/2022
From: Mike Franovich
Office of Nuclear Reactor Regulation
To:
References
Download: ML22349A648 (1)


Text

Risk Management Committee Meeting PWROG Meeting: December 14, 2022 Mike Franovich, Director Division of Risk Assessment Office of Nuclear Reactor Regulation 1

2 AGENDA

  • FRIAS Afterthoughts and Path Forward/Ideas
  • PRA Configuration Control Tabletops: Perspectives Thus Far - The Good & The Opportunities & The Inspection Ideas
  • SPAR: KM/KT
  • Digital I&C Initiative Status

3 FRIAS Afterthoughts and Path Forward/Ideas Mike Franovich, Division Director, DRA

4

5 Risk-Informing Aging Management

  • The staff's audit of industry's proposed risk-informed Selective Leaching Aging Management Program (AMP) is complete, and the audit report is in preparation (to be issued in December or January)
  • The audit was valuable in establishing a better understanding of the technical bases of the proposal, and the staff appreciates industry's support of the audit discussions and information requests
  • The audit revealed several areas of common understanding, or areas with promising paths to resolution; however, some issues remain to be resolved prior to incorporating the AMP (or some version of it) into staff guidance
  • The staff looks forward to additional engagement with the industry to successfully incorporate risk insights in the Selective Leaching AMP

6 PRA Configuration Control Table-Top:

Perspectives Thus Far - The Good, The Opportunities, and The Inspection Ideas Antonios Zoulis, PRA Oversight Branch, DRA

7 Key Messages

  • The existing oversight process is adequate to ensure implementation of programs informed by PRA models.
  • However, we believe that there is a current gap in the oversight of PRA Configuration Control programs.
  • A balanced approach of focused inspections/safety enhancements within the existing ROP baseline inspection program of PRA changes and upgrades is being proposed to monitor appropriate implementation of configuration control programs for licensee PRA models that support risk-informed decision-making.

8 Key Messages (Cont'd)

  • PRA Configuration Control framework will be informed and developed by the NRC working group recommendations, based on the information gathering and guidance development efforts, as well as with industry and the public through multiple public meetings.
  • All eight tabletops have been completed:

- Based on the reviews conducted to date, NRC staff have confirmed licensees are meeting the consensus standard but identified several observations on how licensees are implementing their programs

- Based on the team's findings and observations of all eight tabletops, the team will propose recommendations to enhance oversight activities for management approval

- The approach we are taking in addressing this initiative demonstrates our commitment to our principles of good regulation of openness.

9 High-Level Plan

  • ROP Change Control Process
  • Conduct Tabletops
  • Finalize Information Gathering Needs
  • Refine guidance and share PRA Configuration Control Framework recommendations for feedback

10 Overall Plan

  • February & April 2022: Conducted 2 public meetings
  • May 2022: Identify and select eight facilities for table-tops/site visits
  • July 2022: Begin table-tops/site visits at facilities
  • December 2022: Complete assessment of information gathered via site visits and guidance development effort
  • March 2023: Brief NRR management on final recommendations of effort
  • May 2023: Discuss findings at ROP monthly public meeting
  • June 2023: Discuss any feedback at ROP monthly public meeting
  • July 2023: Enter ROP change control process
  • December 2023: Revise Tier 2 inspection guidance

11 The Good

  • Understanding of Licensees' PRA Configuration Control Programs

- Monitoring of Engineering Changes

  • Exercise potential inspection guidance with licensees' PRA staff
  • Representative picture of PRA Configuration Control program implementation
  • Licensees' support, responsiveness, and feedback

12 The Opportunities

  • PRA Configuration Control (PCC) vs. Peer Review Process:

- PCC inspection will have an element of technical adequacy as part of effort per ASME standard

- Through the course of a change review of PCC implementation, plant representation will remain a priority

- PCC Upgrades, if selected, will be based on F&O reviews

13 The Opportunities, Cont'd

Implementation of PCC Under Existing Regulatory Framework (Not Appendix B)

Potential Program Vulnerabilities:

  • (One) Knowledge based program w/ inconsistent implementation
  • (General) Operations, Maintenance and Industry-Wide Operational History monitoring, less formal than Engineering Changes

Observations:

  • (General) RG 1.200 Rev 3, Upgrade definition not incorporated
  • (One) Generic data update not completed since 2010, last data update 2016. Approved: SFCP, RICT, 50.69
  • (One) Industry Wide Operating Experience (i.e., OPC) impact on Initiating Events Technical Element not evaluated

14 Inspection Enhancement - Initial Thoughts

Three possible ideas (So-Far):

- Comprehensive Engineering Team Inspection (CETI) (Internal Events, Internal Flooding & Other Approved Hazards)

  • Focused Engineering Inspection (FEI) Internal Fire

- Resident Inspector Baseline Procedures. All hazards.

- Standalone IMC 2515 Appendix C, Infrequent Inspection. All hazards.

15 SPAR - KM/KT Antonios Zoulis, DRA

16 Updating & Benchmarking SPAR Models

  • Benchmarking against the licensees' models allows the SPAR models to reflect the as-built, as-operated plants
  • Increased use of risk insights highlights the need to maintain the plant-specific PRA tools to support licensing and inspection activities
  • Differences due to outdated models could lead to additional time/resource needed during oversight or licensing
  • Voluntarily provide PRA information to support INL and NRC updating of the SPAR models
  • Contact Selim Sancaktar (Selim.Sancaktar@nrc.gov) or Ching Ng (Ching.Ng@nrc.gov)

17 SPAR Models Update

  • FY2021 Model update completed for Brunswick 1, Brunswick 2, Riverbend, Grand Gulf, Davis-Besse, Beaver Valley 1, Beaver Valley 2.
  • Added Fire & Internal Flooding Hazards: Brunswick 1
  • Added Internal Flooding Hazard: Brunswick 2, Riverbend
  • Completed Vogtle 1&2
  • FY2022 Model update completed for Diablo Canyon, Comanche Peak, South Texas Project, Harris, Monticello.
  • Added Internal Flooding Hazard: Davis-Besse
  • Incorporated 2020 INL Industry Average Parameters Estimates into all SPAR Models

18 SPAR-DASH

  • Make risk information accessible to all NRC staff
  • Gather key risk results in an easy-to-use interactive dashboard
  • Remove barriers and support communication of risk insights
  • Support Be RiskSMART and our path to becoming a modern, risk-informed regulator

19

  • Assess events & hazards
  • Plant-to-plant comparison
  • Ranking risk importance
  • Off-normal conditions
  • Periodic update

20 Status of Digital I&C Initiative: Regulatory and Technical Challenges in Risk-Informing

Sunil Weerakkody, Senior Level Advisor NRR/DRA

21 OUTLINE

  • Changing the Policy and Regulatory Framework
  • Modeling Computer-Based Systems/Digital I&C Systems in PRA Models
  • Modeling Software Failures within the Computer-Based/Digital I&C Systems

22 SRM-SECY-93-087 - Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor Designs

1. I.E Fire Protection
2. I.F Intersystem LOC
6. I.J Containment Performance
17. II.N. Site-Specific PRA and Analysis of External Events
18. Q. Defense Against Common-Mode Failures in Digital I&CS

23 SRM-SECY-93-087 - II. Q

Point 1

assess the defense-in-depth and diversity of the proposed I&C system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.

Point 2

analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best estimate methods

Point 3

If a postulated common-mode failure could disable a safety function, then a diverse means with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function

Point 4

A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.

24 Summary of Proposed Expanded Policy

Proposed Expanded Policy to Address Digital I&C CCFs

  • Point 1: SRM-SECY-93-087, Point 1 (Clarified)
  • Points 2 and 3, Current Path: SRM-SECY-93-087, Point 2 (Clarified) and SRM-SECY-93-087, Point 3 (Clarified)
  • Points 2 and 3, Risk-Informed Path: Point 2 Risk-Informed Approach and Point 3 Risk-Informed Approach
  • Point 4: SRM-SECY-93-087, Point 4 (Clarified)

The Current Path allows for the use of best estimate analysis and diverse means to address a potential DI&C CCF

The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential DI&C CCF

25 SECY-22-0076 (Under Commission Review)

1) The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed. The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.

2) In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk-informed approach. When using best-estimate methods, the applicant shall demonstrate adequate defense in analysis section of the safety analysis report. When using a risk-informed approach, the applicant shall include an evaluation of the approach against policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis").

26 SECY-22-0076 (Under Commission Review) (Cont'd.)

3) The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF. A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation. If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.

4) Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above.

The recommended expanded policy for digital I&C CCFs would apply to requests for new or amended licenses and design approvals, for all nuclear power plant types, under 10 CFR Part 50 and 10 CFR Part 52. The expansion of the policy is intended to be technology neutral but relies on assumptions about the design of the facility, such as the presence of a main control room. Therefore, if the staff encounters a design where the policy would not be applicable, the staff will engage the Commission as appropriate.

27 Recent Activities and Current Status

  • August 10, 2022: The staff issued SECY-22-0076
  • September 23, 2022: The staff and NEI briefed ACRS subcommittee
  • November 1, 2022: The staff briefed the full ACRS on November 1, 2022
  • The SECY is currently under Commission review.

28 Modeling Computer-Based/Digital I&C Systems

What needs to be done to appropriately model the systems?

How do you model at a sufficient level of detail in the PRA model?

What are the challenges that the PRA community may encounter in modeling Computer-Based/Digital I&C systems, and how could they be effectively addressed to meet short-term needs? Longer-term needs?

29 What Needs to be Modeled?

ASME/ANS RA-Sa-2009, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications. (Endorsed via RG 1.200)?

ASME/ANS RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants. (Endorsed via RG 1.247)?

NRC Standard Review Plan Section 19.0 PRA and Severe Accident Evaluation for New Reactors. (ADAMS Accession No. ML15089A068)?

DI&C/COL-ISG-003, Review of Digital I&C PRA Interim Guidance, (ADAMS Accession No. ML080570048)?

30 References Relating to Modeling Computer-Based/Digital I&C Systems

IAEA Draft Safety Guide DS 523, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants (Draft in Preparation):

  • Consider risk significance to decide the required level of modeling details.
  • Include dependencies (e.g., hardware, operator interfaces, spatial)
  • Consider hardware and software
  • Have an acceptable method/goal to model software CCF and more

OECD/NEA, Failure Modes Taxonomy for Reliability Assessment of Digital Instrumentation and Control Systems for Probabilistic Risk Analysis, NEA/CSNI/R(2014)16, Paris (2015).

IAEA Nuclear Energy Series, No. NP-T-3.27, Dependability Assessment of Software for Safety Instrumentation and Control Systems at Nuclear Power Plants, IAEA, Vienna (2018).

IAEA, Design of Instrumentation and Control Systems for Nuclear Power Plants, IAEA Specific Safety Guide SSG-39, IAEA, Vienna (2016)

31 What challenges would you encounter and how would you effectively address them?

  • Software failure probabilities
  • Software CCF probabilities
  • Set realistic goals

- Develop a conservative upper bound sufficient to use risk-informed approaches in design reviews (assuming Commission approves proposed policy change)?

- Develop an upper bound sufficient to support PRA configuration control?

- Estimate realistic failure probabilities to support other risk-informed initiatives?

Workshop on Philosophical Basis for Incorporating Software Failures in Probabilistic Risk Assessment (ADAMS No. ML092780607) https://www.nrc.gov/about-nrc/regulatory/research/digital.html#2

32 Questions?