ML22349A648

Revision as of 09:47, 30 December 2022 by StriderTol (talk | contribs) (StriderTol Bot insert)
PWROG Risk Management Committee Meeting Dec 2022
ML22349A648
Person / Time
Issue date: 12/14/2022
From: Mike Franovich
Office of Nuclear Reactor Regulation
To:


Text

Risk Management Committee Meeting

PWROG Meeting: December 14, 2022

Mike Franovich, Director, Division of Risk Assessment, Office of Nuclear Reactor Regulation

AGENDA

  • FRIAS Afterthoughts and Path Forward/Ideas
  • PRA Configuration Control Tabletops: Perspectives Thus Far - The Good & The Opportunities & The Inspection Ideas
  • SPAR: KM/KT
  • Digital I&C Initiative Status

FRIAS Afterthoughts and Path Forward/Ideas

Mike Franovich, Division Director, DRA

Risk-Informing Aging Management

  • The staff's audit of industry's proposed risk-informed Selective Leaching Aging Management Program (AMP) is complete, and the audit report is in preparation (to be issued in December or January)
  • The audit was valuable in establishing a better understanding of the technical bases of the proposal, and the staff appreciates industry's support of the audit discussions and information requests
  • The audit revealed several areas of common understanding, or areas with promising paths to resolution; however, some issues remain to be resolved prior to incorporating the AMP (or some version of it) into staff guidance
  • The staff looks forward to additional engagement with the industry to successfully incorporate risk insights in the Selective Leaching AMP

PRA Configuration Control Table-Top: Perspectives Thus Far - The Good, The Opportunities, and The Inspection Ideas

Antonios Zoulis, PRA Oversight Branch, DRA

Key Messages

  • The existing oversight process is adequate to ensure implementation of programs informed by PRA models.
  • However, we believe that there is a current gap in the oversight of PRA Configuration Control programs.
  • A balanced approach of focused inspections/safety enhancements within the existing ROP baseline inspection program of PRA changes and upgrades is being proposed to monitor appropriate implementation of configuration control programs for licensee PRA models that support risk-informed decision-making.

Key Messages (Cont'd)

  • PRA Configuration Control framework will be informed and developed by the NRC working group recommendations, based on the information gathering and guidance development efforts, as well as with industry and the public through multiple public meetings.
  • All eight tabletops have been completed:

- Based on the reviews conducted to date, NRC staff have confirmed licensees are meeting the consensus standard but identified several observations on how licensees are implementing their programs

- Based on the team's findings and observations of all eight tabletops, the team will propose recommendations to enhance oversight activities for management approval

- The approach we are taking in addressing this initiative demonstrates our commitment to our principles of good regulation of openness.


High-Level Plan

[Flow diagram; box labels recovered from the extracted text:]

  • Information Gathering Needs
  • Conduct Tabletops
  • Refine guidance
  • Finalize and share PRA Configuration Control Framework recommendations for feedback
  • ROP Change Control Process

Overall Plan

  • February & April 2022: Conducted 2 public meetings
  • May 2022: Identify and select eight facilities for table-tops/site visits
  • July 2022: Begin table-tops/site visits at facilities
  • December 2022: Complete assessment of information gathered via site visits and guidance development effort
  • March 2023: Brief NRR management on final recommendations of effort
  • May 2023: Discuss findings at ROP monthly public meeting
  • June 2023: Discuss any feedback at ROP Monthly public meeting
  • July 2023: Enter ROP change control process
  • December 2023: Revise Tier 2 inspection guidance

The Good

  • Understanding of Licensees' PRA Configuration Control Programs

- Monitoring of Engineering Changes

  • Exercise potential inspection guidance with licensees' PRA staff
  • Representative picture of PRA Configuration Control program implementation
  • Licensees' support, responsiveness, and feedback

The Opportunities

  • PRA Configuration Control (PCC) vs. Peer Review Process:

- PCC inspection will have an element of technical adequacy as part of effort per ASME standard

- Through the course of a change review of PCC implementation, plant representation will remain a priority

- PCC Upgrades, if selected, will be based on F&O reviews

The Opportunities, Cont'd

Implementation of PCC Under Existing Regulatory Framework (Not Appendix B)

- Potential Program Vulnerabilities:

  • (One) Knowledge based program w/ inconsistent implementation
  • (General) Operations, Maintenance and Industry-Wide Operational History monitoring, less formal than Engineering Changes

- Observations:

  • (General) RG 1.200 Rev 3, Upgrade definition not incorporated
  • (One) Generic data update not completed since 2010, last data update 2016. Approved: SFCP, RICT, 50.69
  • (One) Industry Wide Operating Experience (i.e., OPC) impact on Initiating Events Technical Element not evaluated

Inspection Enhancement - Initial Thoughts

Three possible ideas (So-Far):

- Comprehensive Engineering Team Inspection (CETI) (Internal Events, Internal Flooding & Other Approved Hazards)

  • Focused Engineering Inspection (FEI) Internal Fire

- Resident Inspector Baseline Procedures. All hazards.

- Standalone IMC 2515 Appendix C, Infrequent Inspection. All hazards.

SPAR - KM/KT

Antonios Zoulis, DRA

Updating & Benchmarking SPAR Models

  • Benchmarking against the licensees' models allows the SPAR models to reflect the as-built, as-operated plants
  • Increased use of risk insights highlights the need to maintain the plant-specific PRA tools to support licensing and inspection activities
  • Differences due to outdated models could lead to additional time/resource needed during oversight or licensing
  • Voluntarily provide PRA information to support INL and NRC updating of the SPAR models
  • Contact Selim Sancaktar (Selim.Sancaktar@nrc.gov) or Ching Ng (Ching.Ng@nrc.gov)

SPAR Models Update

FY2021

  • Model update completed for Brunswick 1, Brunswick 2, Riverbend, Grand Gulf, Davis-Besse, Beaver Valley 1, Beaver Valley 2.
  • Completed Vogtle 1&2

FY2022

  • Model update completed for Diablo Canyon, Comanche Peak, South Texas Project, Harris, Monticello.
  • Incorporated 2020 INL Industry Average Parameters Estimates into all SPAR Models

SPAR-DASH

  • Make risk information accessible to all NRC staff
  • Gather key risk results in an easy-to-use interactive dashboard
  • Remove barriers and support communication of risk insights
  • Support Be RiskSMART and our path to becoming a modern, risk-informed regulator

[Diagram labels:]

  • Assess events & hazards
  • Plant-to-plant comparison
  • Ranking risk importance
  • Off-normal conditions
  • Periodic update

Status of Digital I&C Initiative: Regulatory and Technical Challenges in Risk-Informing

Sunil Weerakkody, Senior Level Advisor, NRR/DRA

OUTLINE

  • Modeling Software Failures within the Computer-Based/Digital I&C Systems
  • Modeling Computer-Based Systems/Digital I&C Systems in PRA Models
  • Changing the Policy and Regulatory Framework

SRM-SECY-93-087 - Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor Designs

1. I.E Fire Protection
2. I.F Intersystem LOC
6. I.J Containment Performance
17. II.N. Site-Specific PRA and Analysis of External Events
18. Q. Defense Against Common-Mode Failures in Digital I&CS

SRM-SECY-93-087 - II. Q

Point 1: assess the defense-in-depth and diversity of the proposed I&C system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.

Point 2: analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best estimate methods

Point 3: If a postulated common-mode failure could disable a safety function, then a diverse means with a documented basis that the diverse means is unlikely to be subject to the same common-mode failure, shall be required to perform either the same function or a different function

Point 4: A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.

Summary of Proposed Expanded Policy

Proposed Expanded Policy to Address Digital I&C CCFs

The Current Path allows for the use of best estimate analysis and diverse means to address a potential DI&C CCF.

The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential DI&C CCF.

  • Point 1 (both paths): SRM-SECY-93-087, Point 1 (Clarified)
  • Point 2, Current Path: SRM-SECY-93-087, Point 2 (Clarified)
  • Point 2, Risk-Informed Path: Risk-Informed Approach
  • Point 3, Current Path: SRM-SECY-93-087, Point 3 (Clarified)
  • Point 3, Risk-Informed Path: Risk-Informed Approach
  • Point 4 (both paths): SRM-SECY-93-087, Point 4 (Clarified)

SECY-22-0076 (Under Commission Review)

1) The applicant shall assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed. The defense-in-depth and diversity assessment shall be commensurate with the risk significance of the proposed digital I&C system.
2) In performing the defense-in-depth and diversity assessment, the applicant shall analyze each postulated CCF. This assessment may use either best-estimate methods or a risk-informed approach. When using best-estimate methods, the applicant shall demonstrate adequate defense in analysis section of the safety analysis report. When using a risk-informed approach, the applicant shall include an evaluation of the approach against policy and guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., Regulatory Guide (RG) 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis").

SECY-22-0076 (Under Commission Review) (Cont'd.)

3) The defense-in-depth and diversity assessment may demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant shall demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs shall be commensurate with the risk significance of each postulated CCF. A diverse means that performs either the same function or a different function is acceptable to address a CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation. If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means shall be provided.
4) Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above.

The recommended expanded policy for digital I&C CCFs would apply to requests for new or amended licenses and design approvals, for all nuclear power plant types, under 10 CFR Part 50 and 10 CFR Part 52. The expansion of the policy is intended to be technology neutral but relies on assumptions about the design of the facility, such as the presence of a main control room. Therefore, if the staff encounters a design where the policy would not be applicable, the staff will engage the Commission as appropriate.

Recent Activities and Current Status

  • August 10, 2022: The staff issued SECY-22-0076
  • September 23, 2022: The staff and NEI briefed ACRS subcommittee
  • November 1, 2022: The staff briefed the full ACRS on November 1, 2022
  • The SECY is currently under Commission review.

Modeling Computer-Based/Digital I&C Systems

  • What needs to be done to appropriately model the systems?
  • How do you model at a sufficient level of detail in the PRA model?
  • What are the challenges that the PRA community may encounter in modeling Computer-Based/Digital I&C systems, and how could they be effectively addressed to meet short-term needs? Longer-term needs?

What Needs to be Modeled?

  • ASME/ANS RA-Sa-2009, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications. (Endorsed via RG 1.200)?
  • ASME/ANS RA-S-1.4-2021, Probabilistic Risk Assessment Standard for Advanced Non-Light Water Reactor Nuclear Power Plants. (Endorsed via RG 1.247)?
  • NRC Standard Review Plan Section 19.0 PRA and Severe Accident Evaluation for New Reactors. (ADAMS Accession No. ML15089A068)?
  • DI&C/COL-ISG-003, Review of Digital I&C PRA Interim Guidance, (ADAMS Accession No. ML080570048)?

References Relating to Modeling Computer-Based/Digital I&C Systems

IAEA Draft Safety Guide DS 523, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants (Draft in Preparation):

- Consider risk significance to decide the required level of modeling details.

- Include dependencies (e.g., hardware, operator interfaces, spatial)

- Consider hardware and software

- Have an acceptable method/goal to model software CCF

- and more

OECD/NEA, Failure Modes Taxonomy for Reliability Assessment of Digital Instrumentation and Control Systems for Probabilistic Risk Analysis, NEA/CSNI/R(2014)16, Paris (2015).

IAEA Nuclear Energy Series, No. NP-T-3.27, Dependability Assessment of Software for Safety Instrumentation and Control Systems at Nuclear Power Plants, IAEA, Vienna (2018).

IAEA, Design of Instrumentation and Control Systems for Nuclear Power Plants, IAEA Specific Safety Guide SSG-39, IAEA, Vienna (2016)

What challenges would you encounter and how would you effectively address them?

  • Software failure probabilities
  • Software CCF probabilities

Set realistic goals

- Develop a conservative upper bound sufficient to use risk-informed approaches in design reviews (assuming Commission approves proposed policy change)?

- Develop an upper bound sufficient to support PRA configuration control?

- Estimate realistic failure probabilities to support other risk-informed initiatives?

Workshop on Philosophical Basis for Incorporating Software Failures in Probabilistic Risk Assessment (ADAMS No. ML092780607) https://www.nrc.gov/about-nrc/regulatory/research/digital.html#2

Questions?