Text

SRM-SECY-22 -0076 Implementation:

Branch Technical Position 7-19, Draft Revision 9

Advisory Committee on Reactor Safeguards Digital Instrumentation & Controls Briefing September 7, 2023 Openi ng Remarks Presentation Outl ine

• Background

• SRM-SEC Y 087 and SRM-SEC Y 0076 Points

• SRM-SEC Y 0076 Direction and Staff Proposed Response

• Substantive Changes to BTP 7-19

• Next Steps

• Closing Remarks

3 SRM-S EC Y-93-087 Poi nt 1

The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.

4 SRM-S EC Y-93-087 Poi nt 2

In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best-estimate methods. The vendor or applicant shall demonstrate adequate diversity within the design for each of these events.

5 SRM-S EC Y-93-087 Poi nt 3

If a postulated common - mode failure could disable a safety function, then a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions.

6 SRM-S EC Y-93-087 Poi nt 4

A set of safety grade displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions.

The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.

7 SRM-S EC Y-22-0076 Po i nt 1

The applicant shall must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed.

The defense-in-depth and diversity assessment shall must be commensurate with the risk significance of the proposed digital I&C system.

8 SRM-S EC Y-22-0076 Po i nt 2

In performing the defense-in-depth and diversity assessment, the applicant shall must analyze each postulated CCF. This assessment may use using either best-estimate methods or a risk-informed approach or both.

When using best-estimate methods, the applicant shall must demonstrate adequate defense in depth and diversity within the facility s design for each event evaluated in the accident analysis section of the safety analysis report.

9 SRM-S EC Y-22-0076 Po i nt 2 ( Conti nued)

When using a risk-informed approach, the applicant shall must include an evaluation of the approach against the Commissions policy and guidance, including any applicable regulations, for risk-informed decision-making.

The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e. g., Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, RG 1.233, Guidance for a Technology-inclusive, Risk-informed, and Performance-based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-L i g ht-Wate r Re a c to rs).

10 SRM-S EC Y-22-0076 Po i nt 3

The defense-in-depth and diversity assessment m ay must demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall must demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall must be commensurate with the risk significance of each postulated CCF.

11 SRM-S EC Y-22-0076 Po i nt 3 ( Conti nued)

A diverse means that performs either the same function or a different function is acceptable to address a postulated CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation.

12 SRM-S EC Y-22-0076 Po i nt 3 ( Conti nued)

If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall must be provided.

13 SRM-S EC Y-22-0076 Po i nt 4

Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall must be provided for manual, system-level actuation of risk-informed critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above. The applicant may alternatively propose a different approach to this point in the policy if the plant design has a commensurate level of safety.

14 SRM-S EC Y-22-0076

• The Commission approved the staff s recommendation to expand the existing policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth, subject to the edits provided

• The staff should clarify in the implementing guidance that the new policy is independent of the licensing pathway selected by reactor licensees and applicants

• The staff should complete the final implementing guidance within a year from the date of the SRM

15 Staff Proposed Response to Meet the SRM

Drafted Rev. 9 to SRP BTP 7 -19

• Allows the staff to review risk-informed applications

• May result in use of design techniques other than diversity

• Focused the edits on the expanded policy

16 Substantive Changes to BTP 7-19

• Revised Section B.1.1 to reflect the updated four points in SRM -SECY-22- 0076

• Revised Section B.1.2 for clarification of critical safety functions

• Added Section B.3.4 for evaluation of risk-informed D3 assessment

• Revised Section B.3.1.3 to support Section B.3.4 for evaluation of alternative approaches

• Revised Section B.4 for evaluation of different approaches for meeting Point 4

• Added four flowcharts to facilitate the review

• Added language from RG 1.152 to address a prior commitment to ACRS regarding communication independence and control of access

17 Updated Four Poi nts of the Pol icy ( Section B. 1. 1)

• Replaced the four SRM -SECY-93- 087 points with the SRM -SECY-22- 0076 points

• Updated the explanation of the four points to reflect the language in the SRM-SECY-22- 0076 points

• Identified the applicable BTP sections for the evaluation of an application against these four points

18 Cri tical Safety Functions ( Section B. 1. 2)

• Clarified that critical safety functions are those most important safety functions to be accomplished or maintained to prevent a direct and immediate threat to the health and safety of the public

• Clarified that the critical safety functions identified in SECY-93-087 are examples representative of operating light water reactors

• Clarified that other types of reactors may have different critical safety functions based on the reactor design safety analysis

• the identification of such functions may be risk-informed

19 Risk-Informed D3 Assessment Process

Address the CCF Address the CCF using a deterministically risk-informed approach

Determine consistency with NRC policy and guidance on RIDM (Section B.3.4.1)

Model the CCF in the PRA Identify each (Section B.3.4.2) postulated CCF Determine the risk significance of the CCF

(Section B.3.4.3)

Determine appropriate means to address the CCF (Section B.3.4.4)

Justify alternative approaches

20 Risk-Informed D3 Assessment ( Section B. 3. 4. 1)

Determine Consistency with NRC Policy and Guidance on RIDM

• Review applications that use risk-informed approaches for consistency with established NRC policy and guidance on RIDM

• RG 1.174

• RG 1.200

• Current staff review guidance includes:

• SRP Chapter 19

• DC /COL-ISG-028

• SRP Chapter 19 provides review guidance for addressing the principles of risk-informed decision-making, including defense in depth

21 Risk-Informed D3 Assessment ( Section B. 3. 4. 2)

Model the CCF in the PRA

• Determine if the base PRA meets PRA acceptability guidance

• Evaluate how the CCF is modeled in the PRA and the justification that the modeling adequately captures the impact of the CCF on the plant

• Options for modeling the CCF in the PRA include:

• Detailed modeling of the DI&C system

• Use of surrogate events

22 Risk-Informed D3 Assessment ( Section B. 3. 4. 3)

Determine the Risk Significance of the CCF

• The risk significance of a CCF can be determined using a bounding sensitivity analysis or a conser vative sensitivity analysis

• A bounding sensitivity analysis:

• Assumes the CCF occurs

• Provides a description of the baseline risk

• A conser vative sensitivity analysis:

• Provides a technical basis for a conser vative probability (less than 1) of the CCF demonstrating that defense in depth is addressed

• Addresses the impact of this assumption on PRA uncertainty

23 Risk-Informed D3 Assessment ( Section B. 3. 4. 3)

Determine the Risk Significance of the CCF

• The quantification accounts for any dependencies introduced by the CCF, including the ability for operators to perform manual actions

• A CCF is not risk significant if the following criteria are met for the sensitivity analysis:

• The increase in CDF is less than 1 x 10-6 per year

• The increase in LERF is less than 1 x 10 -7 per year

24 Risk-Informed D3 Assessment ( Section B. 3. 4. 4)

25 Alternatives to Diversity (Section B.3.1.3)

Two Pathways

• Previous endorsement (e. g., RG) or approval (e. g., precedent or Topical Report)

• Ensure it is applicable

• Ensure it is followed

• Justify any deviations

• A new approach proposed as part of an application

• Use the acceptance criteria in BTP 7-19

• Review description of vulnerability being addressed

• Review description of alternative approach and justification (commensurate with the risk significance of the CCF per Section B.3.4.4)

26 Different Approaches for Meeting Point 4

Summary of Acceptance Criteria in Section B.4 Point 4 Different Approach Approach

a. Proposed manual actions credited are both feasible and reliable, as demonstrated through an HFE analysis and assessment process Applies

b. Application identifies the minimum inventory of displays and controls in the MCR that allows the operator to effectively initiate, monitor and control the Applies If justified*

critical safety function parameters

c. Manual operator actions are prescribed by procedures and subject to training Applies

d. Manual controls are at the system or division level and located within the MCR Applies If justified*

e. Quality and reliability of any equipment that is not safety-related is adequate Applies

f. Displays and controls are independent and diverse (not affected by the same postulated CCFs that could disable the corresponding functions within the Applies proposed DI&C systems)

• The application contains appropriate justification based on the commensurate level of safety in the plant design to ensure operators ability to monitor, initiate and control the applicable critical safety function parameters is maintained.

27 Flowcharts to Facilitate the Use of the BTP

• Added four flowcharts at the end of the BTP:

• Figure 7 1. Point 1 - Need for a Detailed D3 Assessment

• Figure 7-19-2. Point 2 - Detailed Assessment

• Figure 7-19-3. Point 3 - Addressing, Mitigating or Accepting the Consequences of Each CCF

• Figure 7-19-4. Point 4 - Independent and Diverse Displays and Manual Controls

• The flowcharts provide a visual aid to the reviewers when reviewing an application against the four points

• identify the conceptual steps for performing the review

• identify the applicable BTP sections

28 Communicat ion I ndependence

Added language from RG 1.152 to address a prior commitment to the ACRS concerning inclusion of communication independence and control of access

• Added a statement that, if licensees and applicants consider the cybersecurity design features, measures should be included to ensure that safety - related I&C systems do not present an electronic path that could enable unauthorized access to the plant s safety -related system

• e. g., the use of a hardware-based unidirectional device is one approach the NRC staff would consider acceptable for implementing such measures

29 N ex t S te ps

• The staff is planning to issue the draft BTP 7-19, Rev. 9 for public comment in October 2023

• The public comment period is expected to end in November 2023

• The staff is planning to issue the final BTP 7-19, Rev. 9 in May 2024

30 Cl osing Remarks A c r o ny m s

ACRS Advisory Committee on Reactor Safeguards LERF Large Early Release Frequency BT P Branch Technical Position LMP Licensing Modernization Project CCF Common Cause Failure LW R Light-Water Reactor CDF Core Damage Frequency NEI Nuclear Energy Institute D3 Defense-in-Depth and Diversity NRC Nuclear Regulatory Commission DA S Diverse Actuation System PRA Probabilistic Risk Assessment DI&C Digital Instrumentation and Control RG Regulatory Guide D RG Design Review Guide RIDM Risk-Informed Decision-Making ESFAS Engineered Safety Features Actuation System RPS Reactor Protection System GDC General Design Criteria S ECY Commission Paper I&C Instrumentation and Control SRM Staff Requirements Memorandum ISG Interim Staff Guidance SRP Standard Review Plan