ML19297D108

Proposed Recommendation for ACRS Review of NuScale Power, LLC, Design Certification Application - Safety Evaluation with No Open Items for Chapter 7, Instrumentation and Controls
Person / Time
Issue date: 11/26/2019
From: Charles Brown
Advisory Committee on Reactor Safeguards
To: Riccardella P
Advisory Committee on Reactor Safeguards
Snodderly, M, ACRS

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, DC 20555 - 0001

November 26, 2019

MEMORANDUM TO: Peter Riccardella, Chairman
Advisory Committee on Reactor Safeguards

FROM: Charles Brown, Member /RA/
NuScale Subcommittee
Advisory Committee on Reactor Safeguards

SUBJECT: PROPOSED RECOMMENDATION FOR ACRS REVIEW OF NUSCALE POWER, LLC, DESIGN CERTIFICATION APPLICATION - SAFETY EVALUATION WITH NO OPEN ITEMS FOR CHAPTER 7, INSTRUMENTATION AND CONTROLS

In response to the Committee's request, I have reviewed the NRC staff's safety evaluation with no open items for Chapter 7, Instrumentation and Controls, dated September 27, 2019 (ML19270F278). The following is my recommended course of action concerning further review of this chapter of the design certification application and the staff's associated safety evaluation.

SER Phase 4 Summary

NuScale submitted a request for NRC review of its Highly Integrated Protection System (HIPS) Topical Report (TR) 1015-18653 in December 2015. The NRC evaluated the TR using acceptance criteria specified in the NuScale Design-Specific Review Standard (DSRS) Chapter 7. In accordance with Commission Paper SECY-11-0024, the NuScale Safety Evaluation used a risk-informed approach (considering both the safety classification and risk-significance of each system, structure, or component) to determine the appropriate level of review. The staff used IEEE Std. 603-1991 and the DSRS Chapter 7, Instrumentation and Controls, in reviewing instrumentation and control (I&C) systems that are not safety-related but are risk significant.

NuScale submitted an updated HIPS revision in November 2016. The NRC released the Safety Evaluation Report (SER) on the HIPS TR in January 2017. The scope of the SER is limited to the HIPS platform, which consists of various discrete components and modules (SER, p. 4). It does not include the cabinet and peripheral devices, such as sensors, external redundant power supplies, breakers, and terminal boards. The NRC staff found that the TR 1015-18653, Design of the Highly Integrated Protection System Platform, Revision 2, is acceptable for referencing in licensing applications for the NuScale small modular reactor design to the extent specified and under the conditions and limitations delineated in the SER.

The SER defines the basis for acceptance of the TR.

ACRS subcommittee review of the HIPS SER occurred in February 2017. During the 642nd ACRS Full Committee meeting on April 6-7, 2017, the Committee reviewed the HIPS Platform TR and agreed that the HIPS platform is acceptable for use in plant safety-related I&C provided its implementation satisfies the staff application specific action items (ASAIs). Our ACRS letter dated April 24, 2017, documented our conclusion.

On August 23, 2018, our ACRS subcommittee reviewed the SER for the NuScale Design Certification Application (DCA) Chapter 7, Instrumentation and Controls, Revision 1, which describes the design of I&C systems using the HIPS Platform architecture, including classification, functional requirements, and architecture, and demonstrates the systems' capability to perform required safety and nonsafety-related functions. The HIPS was reviewed in its application as a Module Protection System (MPS) for a NuScale Standard Plant design consisting of 12 modules.

During the 656th meeting of the ACRS, September 6-7, 2018, we met with representatives of NuScale and the NRC staff to review Chapter 7, Instrumentation and Controls of the staff SER with open items associated with the NuScale DCA. Our ACRS letter dated September 26, 2018, documented our conclusions and recommendations.

Applicable Concerns from ACRS Phase 3 Letter Report relative to Chapter 7

In our September 26, 2018, letter, the Committee noted under Conclusion and Recommendations:

1. We have identified no major issues at this time. However, there are items, such as those noted below, that need to be resolved because they may alter this conclusion.
2. The staff should ensure that the unidirectional communication interfaces labeled on Figure 7.0-1 in Chapter 7 of NuScale's design certification application as "PCS Unidirectional Data Diode" and "MCS Unidirectional Data Diode" are one-way, hardware-based devices that neither use nor are configured by software to demonstrate complete isolation from external communications.

At the time of our 656th ACRS meeting, NuScale submitted on September 4, 2018, DCA Chapter 7, Revision 2, where they revised the DCA Chapter 7 description of unidirectional communication interfaces labeled on Figure 7.0-1 in Chapter 7 of NuScale's DCA as "PCS Unidirectional Data Diode" and "MCS Unidirectional Data Diode" to "one-way deterministic isolation device" between the connection from the MCS and PCS to the plant network.

NRC Staff Response to September 26, 2018 ACRS Letter Report

The EDO response letter, dated October 30, 2018, stated that the staff agreed with ACRS Recommendation 2.

In this response, the staff based their evaluation on the proposed markups to DCA Tier 2 Chapter 7 transmitted on September 4, 2018 (ML18247A186) where NuScale revised the term "unidirectional data diode" to "one-way deterministic isolation device" from the MCS and PCS control network to the plant network. The staff found that the design provides sufficient information to demonstrate that the proposed administrative provisions for controlling access to I&C safety systems and equipment are adequate to prevent unauthorized access and modification to the safety I&C systems. The staff's review takes credit for the future combined license (COL) applicant's Cyber Security Program, where a COL applicant is responsible for assuring that these deterministic one-way data communication devices comply with the regulations and are adequately protected from external threats. On this basis, the staff's conclusion is affirmed that the design of I&C systems satisfies the control of access requirements of Section 5.9 of IEEE Std. 603-1991.

Subsequent to their September 4, 2018 letter with Revision 2, NuScale submitted a mark-up of the DCA, Tier 2, Chapter 7 Draft Revision 3 documented in NuScale letter LO-1018-62193, Docket No. 52-048 on October 24, 2018 (ML18298A222) that provided additional explicit clarifications to the following Chapter 7 FSAR Sections to specifically clarify the design of one-way deterministic isolation devices:

Section 7.0.4.5 Module Control System

The one-way deterministic isolation device between the MCS and plant network shown in Figure 7.0-1 transmits network traffic from the MCS to the plant network in one direction only, which is enforced in the hardware design, not software. No software configuration or misconfiguration will cause the boundary device to reverse the direction of data flow.

Section 7.0.4.6 Plant Control System

The one-way deterministic isolation device between the PCS and plant network shown in Figure 7.0-1 transmits network traffic from the PCS to the plant network in one direction only, which is enforced in the hardware design, not software. No software configuration or misconfiguration will cause the boundary device to reverse the direction of data flow.

Section 7.2.13.7 Other Information Systems

There is a unidirectional communication interface between the MCS and PCS networks and the plant network and is shown in Figure 7.0-1. The one-way deterministic isolation devices transmit network traffic from the MCS and PCS to the plant network in one direction only, which is enforced in the hardware design, not software. No software configuration or misconfiguration will cause the boundary device to reverse the direction of data flow.

I reviewed the Draft Revision 3 mark-up DCA changes and I agree that they provide sufficient clarification and resolve our recommendation.

Since the EDO response did not address the Draft Revision 3 mark-up changes of the DCA Chapter 7 in the NuScale letter LO-1018-62193, on October 24, 2018 (ML18298A222), I recommended that the Committee review and issue my draft response letter to the EDO October 30, 2018, response letter.

During the 660th meeting of the ACRS, February 6-8, 2019, we reviewed the NuScale proposed changes to be incorporated in Revision 3 of the DCA Chapter 7. Our letter dated March 7, 2019, stated that we agree that our Recommendation 2 is resolved based on the changes documented in the above NuScale Draft Revision 3 DCA Chapter 7 mark-up, October 24, 2018, docketed letter when they are formally issued as a revision.

NRC Staff Response to our March 7, 2019 ACRS Letter Report dated April 10, 2019

The NRO response letter of April 10, 2019, states that the staff agreed with ACRS Recommendation 2. Also, the staff discussed that the staff's evaluation report with open items will be resolved when NuScale incorporates its proposed changes, submitted via a letter on October 24, 2018, into the DCA. In particular, NuScale will incorporate the proposed changes in Revision 3 of the DCA.

Open Items from Phase 3 Requiring Further ACRS Review

None

Recommendation

The staff has addressed all open items from the Phase 3 review. Staff also addressed our Phase 3 letter report recommendation. There are no unresolved items related to NuScale DCA Chapter 7 and the associated SER. As lead ACRS reviewer for NuScale Chapter 7 DCA, I recommend that we accept responses to our letter reports and no additional Phase 5 review by the Committee is necessary. NuScale DCA Chapter 7 Revision 3 incorporated the changes.

Package No.: ML19297D008
Accession No: ML19297D108
Publicly Available Y Sensitive N
Viewing Rights: NRC Users or ACRS Only or See Restricted distribution *via email

OFFICE | ACRS/TSB | SUNSI Review | ACRS/TSB | ACRS
NAME | MSnodderly | MSnodderly | LBurkhart | CBrown (KHoward for)
DATE | 10/24/2019 | 10/24/2019 | 11/12/2019 | 11/26/2019

OFFICIAL RECORD COPY