Text

STRATEGIC MODERNIZATION OF REGULATORY FRAMEWORK FOR INSTRUMENTATION AND CONTROLS SYSTEMS IN NEW AND ADVANCED REACTORS Luis Betancourt and Dinesh Taneja 1 United States Nuclear Regulatory Commission Washington, D.C. 20555 luis.betancourt@nrc.gov; dinesh.taneja@nrc.gov ABSTRACT The U.S. Nuclear Regulatory Commissions (NRC) instrumentation and controls (I&C) regulatory infrastructure, established and supplemented over the decades, has addressed many safety concerns and issues as they arise, using the best information and techniques available at the time. As a result, the licensing process for new highly integrated I&C systems and digital upgrades of existing I&C systems has become prescriptive, cumbersome, and thereby resource/time-intensive.

In creating a more efficient licensing process for small modular reactors (SMRs), the NRC staff implemented an enhanced safety-focused review approach for the NuScale Power LLC, (NuScale) SMR design. This approach has been successful in the efficient and effective review of the NuScale SMR I&C design. The restructured, safety-focused approach in Chapter 7 of the Design-Specific Review Standard (DSRS) for the NuScale SMR design is a significant step forward for licensing of any future new and advanced reactor applications. Yet, the staff has learned additional insights and lessons that are important to be captured and addressed in order for the agency to be ready for future new light water or advanced non-light water reactor licensing applications. As such, the NRC staff has embarked upon a new initiative to create a performance-based/risk-informed and technology-neutral guidance for future new and advanced reactor design reviews. This paper presents the NRC staffs initiative to modernize the NRCs I&C regulatory infrastructure for the efficient and effective licensing of future I&C designs that account for lessons learned and ever changing I&C technologies.

Key Words: design review guidance, design specific review standard, instrumentation and controls, non-light water reactor, small modular reactor, modernization.

1 BACKGROUND The NRC has developed its I&C regulatory infrastructure over the past 40 years in an evolutionary path. The early U.S. nuclear power plants were licensed using the General Design Criteria or similar plant specific versions of them. Since that time the NRC has developed a set of regulations, policies, staff guidance, and uses industry consensus standards as one way to help regulate I&C systems. As I&C systems evolved and new issues encountered, so too have the NRC regulations and guidance been revised to adapt to these issues. Since the use of digital 1

Although this paper reports on efforts by staff of the NRC, the information and views expressed in the paper are those of the authors and are not necessarily those of the NRC. Neither the U.S. Government nor any agency thereof, nor any of their employees, make any warranty, expressed or implied, or assumes any legal liability or responsibility for any third partys use.

systems for I&C safety and non-safety applications in commercial nuclear power has expanded, the NRC has primarily relied on industry consensus standards to keep the regulatory structure up to date.

Lessons learned from regulatory reviews suggest that the revisions to existing NRC guidance cannot keep up to address the evolving nature of digital systems. Instead, updates to guidance follows in reaction to various new regulatory challenges. In addition, past experience in seeking to reform the NRCs regulatory framework in this area has not kept pace with demand or international deployment, despite broad agreement on the potential overall safety benefits. As a result the existing regulatory framework has limited the NRC staffs capability to adapt to external factors, and create unnecessarily complex and untimely decision-making. For these reasons it has caused stakeholders to view the NRC regulatory approach as unreliable, inefficient, and unclear, contrary to the NRC principles of good regulation 2.

2 SAFETY FOCUSED REVIEW FOR SMALL MODULAR REACTORS 2.1 Design Specific Review Standard for NuScale Chapter 7, Instrumentation and Controls The NRC staff embarked on enhancing the efficiency and effectiveness of new reactor I&C licensing reviews and made a significant progress over the last ten years. The NRC staffs development of digital I&C interim staff guidance along with NUREG-0800 Standard Review Plan (SRP) at the onset of nuclear renaissance served their purposes reasonably well for the new reactor licensing application reviews. During the reviews of the large light-water reactors (LWRs) such as design certification applications (DCAs) for the Advanced Passive 1000 (AP1000) Pressurized Water Reactor, U.S. Economic Simplified Boiling-Water Reactor (US-ESBWR), U.S. Evolutionary Pressurized Water Reactor (US-EPR), U.S. Advanced Pressurized-Water Reactor (US-APWR), and the combined license application for the South Texas Project, Units 3 and 4, the staff has progressively gained significant lessons learned.

In preparation for licensing reviews for SMR applications, the Commission directed the staff, via the Staff Requirements Memorandum (SRM) to SECY-11-0024, Use of Risk Insights to Enhance the Safety Focus of Small Modular Reactor Reviews, to enhance the effectiveness and efficiency of the SMR application reviews through a design-specific, risk-informed and safety-focused approach. For the SMR I&C design reviews, the NRC staff took this opportunity to develop the DSRS Chapter 7, Instrumentation and Controls, initially for the BWX Technologies, Inc., mPowerTM SMR design and subsequently the NuScale SMR design. In addition to complying with the Commission directions, development of the DSRS Chapter 7 took into consideration all of the lessons learned during licensing reviews of new large LWR I&C designs.

The DSRS Chapter 7 emphasizes the focus of review on the fundamental I&C design principles of independence, redundancy, predictability and repeatability, and diversity and 2

In 1991, the Commission established NRCs Principles of Good Regulation to focus the agency on ensuring safety and security while appropriately balancing the interests of NRCs stakeholders, including the public and licensees.

These principles include: Independence, Openness, Efficiency, Clarity, and Reliability.

2

defense-in-depth. Independence ensures that failures are not propagated across independent domains. Redundancy helps ensure that a single failure will not cause the loss of a safety systems ability to perform safety functions. Predictability and repeatability behavior ensures performance of safety functions on-demand and avoidance of spurious actuations. Defense-in-depth and diversity are methods that can be used to protect against potential common cause failures. A simplistic design that highlights the fundamental I&C design principles has shown to be the surest and most efficient way to demonstrate compliance to NRC regulations.

The fundamental I&C design principles apply regardless of the technology (i.e., analog or digital). These principles work hand-in-hand to ensure that safety functions will be accomplished when needed, i.e., that a design should demonstrate adherence to all of the principles and not one versus another.

The DSRS Chapter 7 also incorporates important lessons the NRC staff learned when using the SRP Chapter 7 to review new large LWR designs. For example, while the current SRP serves the NRC staff well in conducting new reactor reviews, it is organized based on I&C for individual plant systems. This led to many regulatory requirements and their supporting guidance being repeated in multiple subsections. In new and advanced reactors reviews, I&C designs are highly integrated, which result in multiple I&C systems serving various plant systems. In addition, because new and advanced reactors have greater reliance on passive designs, their I&C systems may not have the same importance as those in active reactor designs. As such, the NRC staff found that it was more efficient to organize the review according to design principles rather than the system-focused approach of the SRP. The approach of DSRS Chapter 7 minimizes the repetitions of regulatory requirements and their supporting guidance being repeated in multiple subsections.

2.2 Enhanced Safety-Focused Review Approach The NRC staff created NUREG-0800, Introduction, Part 2, specifically for regulatory reviews of SMR designs. It describes early engagement with applicants, DSRS framework, and using risk information to help determine review scope and depth. Consistent with NUREG-0800 Introduction - Part 2, the NRC staff used a graded review approach for the NuScale Final Safety Analysis Report (FSAR) review, where the review focus and resources are aligned with risk-significant structures, systems, and components (SSCs) and other aspects of the design that contribute most to safety to enhance the efficiency of the review process. The graded approach applies the appropriate level of review for an SSC by considering both the safety classification and the risk significance to categorize SSCs as follows:

3

A1 B1 safety- non-safety-related and related and risk- risk-significant significant A2 B2 safety- non-safety-related and related and not risk- not risk-significant significant Figure 1: Safety classification and the risk significance to categorize SSCs The applicant classified SSCs as either safety-related or non-safety-related using the criteria in 10 CFR 50.2 and documented the results in FSAR Section 3.2 Classification of Structures, Systems, and Components. The applicant classified SSCs as either risk-significant or not risk-significant using the process developed for the reliability assurance program (RAP) and documented the results in FSAR Section 17.4 Reliability Assurance Program. The applicant identified SSCs within the scope of the RAP using a combination of probabilistic, deterministic, and other methods of analysis to identify and quantify risk, including probabilistic risk assessment (PRA), severe accident evaluation, assessment of industry operating experience, and expert panel deliberation. The NRC staff reviewed the process used to categorize SSCs in accordance with SRP Section 3.2.2 System Quality Group Classification and SRP Section 17.4.

The final SSC categorization incorporates any design changes resulting from staff review of the FSAR and PRA.

Through this process, the NRC staff identified the appropriate scope and depth of the review based on the safety-significance categorization of the SSC in conjunction with other review considerations. The NuScale DCA proposed a number of new and unique licensing approaches which affected the review. The NRC staff considered these and other factors such as availability of defense-in-depth and safety margins, and operational program requirements in aligning the review focus with the risk-significant SSCs that contribute the most to safety to enhance the effectiveness and efficiency of the review process. In all cases, the NRC staff conducted its review to ensure that the applicants submittal complied with NRC regulations and to ensure that any requests for exemption from regulations contain adequate bases and justification in accordance with the Commissions regulations in 10 CFR 50.12 and 10 CFR 52.7.

The NRC staff considered alternate methods to apply the graded review approach to programmatic and other non-safety SSC topics. While risk-significance associated with these non-safety SSC topics is not directly quantified, the NRC staff determined the appropriate method for demonstrating compliance of the regulatory requirements considering the same qualitative factors (e.g., unique design features, new and unique licensing approaches, availability of defense-in-depth and safety margins) used for the SSC review to focus the review effort based on safety-significance. Consideration of defense-in-depth and safety margins is consistent with Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis. The NRC staff used the 4

safety- and risk-significance of the SSCs to inform the review focus areas for the non-safety SSC or programmatic topics where these non-safety SSC or programmatic topics interrelate with an SSC.

To conclude, the overall objective of the graded review approach was to align the review focus on those aspects that contribute the most to safety, thereby improving the effectiveness of the review.

2.3 Lessons Learned from DSRS Chapter 7 of the NuScale Design Certification Review A key lesson learned from the NuScale I&C system DCA review is the importance of conducting pre-application coordination meetings. The pre-application meetings allowed the NRC staff to gain a better understanding of the NuScale design prior to the applicant docketing the DCA. These extensive pre-application interactions resulted in NuScale embracing the concepts of DSRS fundamental I&C design principles in developing the Highly Integrated Protection System (HIPS) platform and the NuScale I&C safety systems. Public meetings held shortly after the DCA was docketed, with the purpose of allowing the applicant to answer the staffs questions on the submitted information, helped minimizing the number of resulting request for additional information in the I&C area. Overall, having both the pre-application and post-docketed DCA meetings allowed the staff to perform an adequate and timely safety review of the FSAR. Chapter 7 This was the first time the NRC staff used the DSRS Chapter 7 to review a DCA. NuScales design approach, consistent with DSRS Chapter 7 resulted in a simple I&C architecture and HIPS platform design based on the fundamental design principles was easily conveyed to and understood by the NRC staff. This approach also resulted in completion of the safety evaluation in an efficient and effective safety-focused manner. Yet, the staff has learned additional insights and lessons that are important to be captured and addressed in order for the agency to prepare for future new and advanced reactor licensing applications.

3 DESIGN REVIEW GUIDANCE FON NEW AND ADVANCED REACTORS The NRC staff is committed to enabling the safe use of new and continuously evolving I&C technology, especially those that can improve the regulatory efficiency and predictability of licensing I&C systems. Consistent with the NRCs principles of good regulation and statutory requirements, the NRC initiated a project to improve the regulatory efficiency and predictability of licensing I&C systems for new and advanced reactors. The new design review guidance (DRG) will leverage the existing DSRS Chapter 7 concepts, which includes a safety-focused approach that is anchored on the fundamental I&C design principles and is supplemented to be performance based, technology neutral, and risk-informed.

3.1 Non-Light Water Reactors Policy Statement The Commission communicated their expectations for advanced reactors in the 2008 NRC Policy Statement on the Regulation of Advanced Reactors the Commission expects that advanced reactors will provide enhanced margins of safety and/or use simplified, inherent, passive, or other innovative means to accomplish their safety and security functions. The advanced non-LWR developers are proposing new and innovative designs which promise to meet these Commission expectations. The NRC intends to achieve its mission through adherence to the principles of good regulation.

5

3.2 Non-Light Water Reactors Modernization Project This effort is consistent with the staffs recommendations documented in SECY-18-0060, Achieving Modern Risk-Informed Regulation, related to several significant and specific revisions to the agencys regulatory framework and approaches to better enable the safe and secure use of new technology in civilian nuclear applications. This effort directly supports the NRCs Vision and Strategy document entitled Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness, and the Non-LWR Vision and Strategy Near-Term Implementation Action Plans. Specifically, this effort supports Implementation Action Plan Strategy 3 which involves developing guidance for flexible regulatory review processes for non-LWRs within the bounds of existing regulations. Strategy 3 also includes efforts to develop a new non-LWR regulatory framework that is risk-informed and performance-based, and that features staffs review efforts commensurate with the demonstrated safety performance of the non-LWR designs being considered. Thus, the DRG is a proactive way to modernize the I&C safety review process in support of advanced reactor licensing applications by making it technology-inclusive, risk-informed, and safety-focused.

3.3 Design Review Guidance Chapter 7 The purpose of the DRG Chapter 7 is to make the NRCs I&C regulatory framework simpler, streamlined and agile for future new reactor designs. Using the DRG Chapter 7, the NRC staff expects to conduct a safety-focused review for new and advanced reactors and verify whether the I&C design is reliable and robust commensurate with its safety and/or risk-significance. Figure 2 below depicts the proposed DRG framework for the I&C systems review.

6

Figure 2: Proposed DRG Chapter 7 Framework 7

At a high-level, the overall I&C safety goal is as follows: the I&C design shall be reliable and robust commensurate with its safety and/or risk-significance. The I&C portions of applications for new DCAs and COL applications should demonstrate how the specified I&C safety goal supports the overall plant safety goals for a particular plant design.

Consistent with the aforementioned high-level, overall I&C safety goal, the I&C design shall be such as to ensure that the I&C equipment or components can be qualified, procured, installed, commissioned, operated, and maintained to be capable of withstanding, with sufficient reliability and robustness, all conditions specified in the plant design basis.

Reliability is achieved using quantifiable performance measures or criteria. These measures include but are not limited to surveillance tests, verification and validation, mean time between failures, self-diagnostic features, fail-safe design etc. Robustness is achieved by having various measures of defense-in-depth (DID) which are implemented using fundamental design principles and simplicity. Simplicity of the I&C design allows for easy understanding of how the design conforms to design criteria and does not challenge safety conclusions. The various performance and DID measures are evaluated against NRC regulations, policies, staff guidance, and industry consensus standards.

A systematic assessment of the I&C design is required to validate its robustness and reliability by ensuring that all credible hazards and failure modes of the design are identified and understood. The event sequences considered in such systematic assessment would help determine the level of reliability and robustness required. The overall evaluation is complemented with risk insights using PRA or other risk models.

4 CONCLUSIONS The NRC staff found the DSRS Chapter 7 for NuScale to be an excellent document for reviewing the NuScale design certification. This was the first time the NRC staff used the DSRS Chapter 7 to review a design application. NuScales design approach, which was consistent with DSRS Chapter 7, mainly, a simple and easy to understand I&C architecture focusing on the fundamental design principles resulted in completion of the staffs safety evaluation in an efficient and effective safety-focused manner.

Throughout these efforts, the NRC staff has worked closely with the stakeholders and the public to refine its regulatory guidance by addressing a number of technical issues associated with applications of digital I&C technology. This has resulted in a much more predictable and efficient regulatory review of DCAs. The NRC staff will continue to work collaboratively with the stakeholders and the public to resolve digital technology-related issues affecting operating and new nuclear power plants and will periodically meet with stakeholders and members of the public to ensure effective implementations.

As a part of efforts to continue to improve NRC regulatory guidance, the NRC staff will use the lessons learned from the DSRS to make the DRG Chapter 7 simpler, streamlined and agile for future new and advanced reactor I&C design reviews.

8

5 REFERENCES 1 U.S. Nuclear Regulatory Commission, Design-Specific Review Standard for NuScale Small Modular Reactor Design - Chapter 7: Instrumentation and Controls, August 5, 2016.

(Agencywide Documents Access and Management System (ADAMS) Accession No. ML15355A295).

2 U.S. Nuclear Regulatory Commission, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, 2016. Retrieved from:

http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0800/ch7/.

3 U.S. Nuclear Regulatory Commission, Principles of Good Regulation, 2011. Retrieved from: https://www.nrc.gov/about-nrc/values.html#principles.

4 U.S. Nuclear Regulatory Commission, Regulatory Guide 1.174: An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3, January 2018, (ADAMS Accession No. ML17317A256).

5 U. S. Nuclear Regulatory Commission, Safety Evaluation of the NuScale Power, LLC Topical Report TR-1015-18653-A, Design of the Highly Integrated Protection System Platform, Revision 2, September 13, 2017 (ML17256A892).

6 U. S. Nuclear Regulatory Commission, 2008 NRC Policy Statement on the Regulation of Advanced Reactors, October 14, 2008, (ADAMS Accession No. ML082750370).

7 U. S. Nuclear Regulatory Commission, SECY-18-0060: Achieving Modern Risk-Informed Regulation, June 8, 2018, (ADAMS Accession No. ML18110A186).

8 U. S. Nuclear Regulatory Commission, Safely Achieving Effective and Efficient Non-Light Water Reactor Mission Readiness, December 2016, (ADAMS Accession No. ML16356A670).

9 U. S. Nuclear Regulatory Commission, Non-LWR Vision and Strategy Near-Term Implementation Action Plans, July 2017, (ADAMS Accession No. ML17165A069).

9