ML24114A114

From kanterella
Revision as of 10:53, 29 August 2024 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

NEI Supplemental Information on NRC Comments on NEI 20-07, Draft Revision E - April 18 Meeting (Non-Proprietary)
ML24114A114
Person / Time
Site: Nuclear Energy Institute
Issue date: 04/18/2024
From:
Nuclear Energy Institute
To:
Division of Operating Reactor Licensing
References
EPID L-2023-NFN-0012
Download: ML24114A114 (1)


Text

NEI 20-07 Rev. E Comments - Non-Proprietary

April 18, 2024

©2024 Nuclear Energy Institute Non- Proprietary Topics

DEG, HAZCADS, and DRAM Safety Case Other Com m ents

©2024 N uc lear E ner g y I ns t it ut e 2 DEG, HAZCADS and DRAM (Non-Proprietary)

DEG, HAZCADS and DRAM Comments

Comment # Excerpt or Section Num ber from NEI 20-07 Question or Feedback

21. Section 4.1 discusses controller beliefs and process m odel Please define what is a controller belief and what is a process m odel belief?

bel i ef s

29. As the system design m atures in detail, new hazards m ay W hat process is used to determ ine if the list of hazardous system states needs to be be uncovered and the list of hazardous system states can be revisited and revised?

revisited and revised, as needed. How often is this process perform ed?

Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.

30. NEI 20-07 states, A control structure m odel does not How does the NEI 20-07 process address these spatial concerns?

typically capture purely physical relationships like physical proxim ity between com ponents or fire propagation.

Draft BTP 7-19, Revision 9, states, the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards.

32. The RRT can be developed from one of five different It would be beneficial to include additional information on the five different pathways to pathways based upon the scope of the system under develop the risk reduction targets.

analysis, the stage of the design process, and whether the system (s) is m odeled in the PRA.

©2024 N uc lear E ner g y I ns t it ut e 4 DEG, HAZCADS and DRAM

HAZCADS and DRAM are both integrated into the EPRI Digital Engineering Guide which provides a system s engineering approach to digital I&C EPRI DEG provides direction for a phased approach as follows:

  • Initial Scoping Phase
  • Conceptual/Common Design Phase
  • Detailed Design Phase
  • Installation Planning Phase
  • Installation and Test Phase
  • Closeout Phase
  • Operations and Maintenance Phase

©2024 N uc lear E ner g y I ns t it ut e 5 DEG, HAZCADS and DRAM

Per EPRI DEG, these phases are the m ain sequence process that im plem ents the System s Engineering process via iterative activities in each phase of the engineering process.

HAZCADS and DRAM are perform ed during each iteration within the Conceptual/Com m on Design Phase and Detailed Design Phase.

©2024 N uc lear E ner g y I ns t it ut e 6 DEG, HAZCADS and DRAM

Relationship Sets are used to express associations between system elem ents.

5 types of Relationship Sets:

  • Program m atic
  • Functional
  • Acquisition
  • Connectivity
  • Spatial For exam ple, all equipm ent m ounted within the sam e cabinet m ay be placed in a Relationship Set.

©2024 N uc lear E ner g y I ns t it ut e 7 Comment 21

Please define what is a controller belief and what is a process m odel belief?

A process model represents the internal beliefs of a controller.

In an automated controller, the process model is the data used by the control algorithm to make decisions (in a human, the process model is the set of beliefs used to make decisions in accordance with learned procedures). The process model includes beliefs about the controlled process, and it may include beliefs about the plant or the environment.

©2024 N uc lear E ner g y I ns t it ut e 8 Comment 29

W hat process is used to determine if the list of hazardous system states needs to be revisited and revised?

  • EPRI Digital Engineering Guide and EPRI HAZCADS How often is this process performed?
  • No prescriptive limits. The process is iterated until a final design is reached.

Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.

  • Hazards are evaluated for completeness each time EPRI HAZCADS is performed within the iterative process.
  • It is unlikely that new hazards of regulatory concern are identified.

System hazards are identified at a high level of abstraction.

©2024 N uc lear E ner g y I ns t it ut e 9 Comment 30

How does the NEI 20- 07 process address these spatial concerns?

  • EPRI DEG provides processes to account for all design requirem ents.
  • EPRI DEG also provides guidance on developing Relationship Sets that will account for connectivity and spatial concerns.

©2024 N uc lear E ner g y I ns t it ut e 10 Comment 32

It would be beneficial to include additional inform ation on the five different pathways to develop the risk reduction targets.

  • Agreed. T his will be discussed in m ore detail in the Proprietary com m ents.
  • NEI will add inform ation in Section 4 related to the RRT pathways.

©2024 N uc lear E ner g y I ns t it ut e 11 Safety Case (Non- Proprietary)

Safety Case Comments

Comment # Excerpt or Section Num ber from NEI 20-07 Question or Feedback

9. This docum ent provides the safety case which provides the This statem ent is m isleading and should be changed. This docum ent provides a high-details that dem onstrates the output of the EPRI Digital level overarching approach, but it does not provide details.

Engineering Guideline (DEG), Hazards and Consequence Analysis in Digital System s (HAZCADS), and Digital Reliability Analysis Methodology (DRAM) processes (References 13, 14, and 15) provide a D3 analysis addressing the SRM-SECY- 22- 0076 policy.

12. This docum ent provides the safety case which provides the In effect, this docum ent does not provide an evidentiary safety caserather at best, it details that dem onstrate the output of the EPRI Digital attem pts to describe a m ethod one could use to develop a safety case.

Engineering Guideline (DEG), Hazards and Consequence Analysis in Digital System s (HAZCADS), and Digital Reliability Analysis Methodology (DRAM) processes (References 13, 14, and 15) provide a D3 analysis addressing the SRM-SECY- 22- 0076 policy.

13. Tier 2 provides sub-claims and argum ents that dem onstrate It does not appear that such sub-claims and argum ents are conclusive (see NRC staff the efficacy of the EPRI HAZCADS and DRAM processes to com ments on Section 5.3).

identify and establish the criteria for each applicant to dem onstrate they adequately executed these processes.

41. ((5 SAFETY CASE DEVELOPM ENT NEI does not explain what was changed or what was adopted from the identified The safety case structure provided in this section was standards or what was changed; therefore, it is not clear what NEI understands to be a adopted from ISO/IEC/IEEE 15026 -2:2022. )) safety case.
44. ((5.1.1 Safety Case Description This is an unsupported claim. How do we know it is true?

The technical process described in EPRI HAZCADS and DRAM produces a diversity and defense-in-depth analysis that dem onstrates vulnerabilities to digital CCF have been adequately identified and addressed.))

©2024 N uc lear E ner g y I ns t it ut e 13 Safety Case

W hy did NEI choose to use this form at?

  • Performance-based approach
  • Difficult to make a safety determination without replicating analysis
  • Safety case is intended to provide:

Objective(s)

Criteria that, if true, demonstrate that a system achieves a certain objective

Artifacts that establish facts that demonstrate the criteria are met

  • Used in other critical safety industries, as well as non-US nuclear power, as a means of demonstrating safety/assurance

©2024 N uc lear E ner g y I ns t it ut e 14 Safety Case

W hy did NEI choose to use this form at?

  • NEI understands safety determinations for performance-bas ed approaches are different than deterministic approaches
  • The goal of the NEI 20-07 safety case is to establish the objectives and criteria (claims, sub -claims, and arguments) with the NRC that will be satisfied by the applicants arguments and artifacts.
  • The goal of NEI 20-07 is to provide a framework in which:

The underlying technical processes remain technology neutral

Boundaries on the regulatory analysis and review exist

Performance-based reviews can be performed within reasonable time-frames

©2024 N uc lear E ner g y I ns t it ut e 15 Comment 9 and 12

T his statem ent is m isleading and should be changed. T his docum ent provides a high- level overarching approach, but it does not provide details.

In effect, this docum ent does not provide an evidentiar y safety case rather at best, it attem pts to describe a m ethod one could use to develop a safety case.

This document provides the framework for a safety case which provides the details that demonstrates the output of the EPRI Digital Engineering Guideline (DEG), Hazards and Consequence Analysis in Digital Systems (HAZCADS), and Digital Reliability Analysis Methodology (DRAM) processes (References 13, 14, and 15) provide a D3 analysis addressing the SRM-SECY 0076 policy.

©2024 N uc lear E ner g y I ns t it ut e 16 Comment 9 and 12

T his statem ent is m isleading and should be changed. T his docum ent provides a high- level overarching approach, but it does not provide details.

In effect, this docum ent does not provide an evidentiar y safety case rather at best, it attem pts to describe a m ethod one could use to develop a safety case.

  • It is NOT NEIs intent for applicants to reproduce the fram ework with each subm ittal.
  • Further discussion necessary during closed session to dem onstrate intent with NEI 20- 07 Figure 1

©2024 N uc lear E ner g y I ns t it ut e 17 Comment 13

It does not appear that such sub- claim s and argum ents are conclusive (see NRC staff com m ents on Section 5.3).

  • Defer to the proprietary call.

©2024 N uc lear E ner g y I ns t it ut e 18 Comment 41

NEI does not explain what was changed or what was adopted from the identified standards or what was changed; therefore, it is not clear what NEI understands to be a safety case.

  • ISO/IEC/IEEE 15026 -2:2022 specifies structure term inology of assurance cases.

In fact, there is only one true requirem ent (shall statem ent) in the standard.

  • ISO/IEC/IEEE 15026 -2:2022, Annex C, Table C.1 provides a com parison between com m only used assurance case m ethodologies and ISO/IEC/IEEE 15026- 2:2022 term inology.
  • NEI utilizes the Claim s, Argum ents, and Evidence (CAE) fram ework within NEI 20- 07 Rev. E.
  • NEI will provide this detail in NEI 20- 07 to define the safety case.

©2024 N uc lear E ner g y I ns t it ut e 19 Comment 44

T his is an unsupported claim . How do we k now it is true?

  • Defer to the proprietary call.

©2024 N uc lear E ner g y I ns t it ut e 20 Other Comments (Non- Proprietary)

©2024 N uc lear E ner g y I ns t it ut e 21 Other Comments

Comment # Excerpt or Section Num ber from NEI 20-07 Question or Feedback

1. The enclosure to SRM-SECY- 22-0076 states: The applicant Defense in depth has always been part of NPP facilities. The assessm ent of the facilities m ust assess the defense in depth and diversity of the facility defense in depth is not clear from the content of NEI 20- 07 Rev. E. Therefore, NEI 20-07 incorporating the proposed digital I&C system to Rev. E does not address the entire SRM.

dem onstrate that vulnerabilities to digital CCFs have been adequately identified and addressed NEI 20-07 Rev. E states: This docum ent provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis. This docum ent establishes a safety case using claim s, argum ents, and evidence to dem onstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claim s and argum ents described in this docum ent.

19. NEI 20-07 defines a risk reduction target as the risk Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction to be achieved by the [] safety-related system s reduction target?

and/or other risk reduction m easures in order to ensure that How do the safety-related system s and/or other risk reduction m easures ensure that the the tolerable risk is not exceeded. tolerable risk is not exceeded? [em phasis added]

23. 3.1.2 SRM-SECY- 22- 0076 Point 4Since NEI 20-07 was written in July 2023; it does not accurately reflect what is in the BTP 7-19 new version of BTP 7- 19. Therefore, such wording m ust be checked after the final version 9 of BTP 7- 19 is issued. See Section B.1.2 for critical safety function.
34. For the purposes of this docum ent, only loss scenarios Are loss scenarios that do not result in core dam age or radiological release but affect associated with regulatory safety factors (e.g., core dam age other regulatory program s such as MSPI and the m aintenance rule considered?

or radiological release) should be considered.

©2024 N uc lear E ner g y I ns t it ut e 22 Other Comments

Comment # Excerpt or Section Num ber from NEI 20-07 Question or Feedback

53. EPRI HAZCADS and DRAM have been proven effective in The staff can recognize how the processes described can provide insights toward identifying and addressing hazards and sources of failure in attaining a degree of reliability of operations as a com plement to existing regulatory DI&C system s NRC has conducted its own research on the activities.

efficacy of hazards analysis and STPA. TLR-RES/DE-2022- However, it is not clear whether these processes alone, without the com plementary 006, Hazard Analysis: An Outline of Technical Bases for the regulatory activities are effective at identifying and elim inating all sources of CCF, which Evaluation of Criteria, Methodology, and Results, is the purpose of this docum ent.

docum ents an evaluation of the need to develop criteria for technical bases supporting the evaluation of the criteria and m ethodology for, and of the results from , [] hazards analysis.

69. Appendix A Conceptually, NEI 20-07 is proposed to be used as an alternative way to m eet the This Appendix describes the relationship between the Com mission policy on CCF; therefore, this appendix should explicitly include the NRC process described in this docum ent and the NRC regulatory regulatory fram ework applicable to the Com mission policy on CCF. It appears that this fram ework. appendix is incom plete in that respect. For exam ple, it does not include the SRM.

Note that the regulations listed below m ay not necessarily The NRC regulatory fram ework includes m ore than just regulatory requirem ents.

apply to all applicants and licensees. The applicability of the regulatory requirem ents is determ ined by the plant- specific licensing basis and any proposed changes to the licensing basis associated with the proposed DI&C system under evaluation.

72. Appendix A, Section A.2.1 Doing a part of a standard is not the sam e as following the standard. These use of these Pre-scored System atic Control Methods are techniques and m ethods in this docum ent differs from how they are used in the standard.

m easures that m ay, synthesized from the industry standard IEC 61508 Part 3, norm ative Annex A which is a recognized safety standard in the petrochem ical industry.

©2024 N uc lear E ner g y I ns t it ut e 23 Comment 1

Defense in depth has always been part of NPP facilities. T he assessm ent of the facilities defense in depth is not clear from the content of NEI 20- 07 Rev. E. T herefore, NEI 20- 07 Rev. E does not address the entire SRM.

  • T his docum ent provides a process for developing a new type of Diversity and Defense- in-Depth (D3) analysis for the facility. T his docum ent establishes a safety case using claim s, argum ents, and evidence to dem onstrate that vulnerabilities to digital CCF have been adequately addressed. T he safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claim s and argum ents described in this docum ent. ©2024 N uc lear E ner g y I ns t it ut e 24 Comment 19

Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target?

  • Yes. The Control Method process does not consider the safety classification if additional SSCs are required.
  • This is consistent with SRM-SECY 0076.

How do the safety-related system s and/or other risk reduction m easures ensure that the tolerable risk is not exceeded? [em phasis added]

  • EPRI HAZCADS Risk Reduction Target pathways establish the graded approach based upon risk. If the RRT exceeds approved thresholds (e.g., Reg. Guide 1.174 for operating LW Rs), then the design is changed.
  • EPRI DRAM provides a structure, objective process for providing engineering justification for the m ethods used to im prove the system reliability.
  • Control m ethods are not individually m odeled in PRA to determ ine risk im pact.

©2024 N uc lear E ner g y I ns t it ut e 25 Comment 23

Since NEI 20- 07 was written in July 2023; it does not accurately reflect what is in the new version of BT P 7- 19. T heref ore, such wording m ust be check ed after the final version 9 of BT P 7- 19 is issued. See Section B.1.2 for critical safety function.

  • Agreed. NEI 20- 07 Rev. 0 will tak e into consideration BT P-7-19 Rev. 9.

©2024 N uc lear E ner g y I ns t it ut e 26 Comment 34

Are loss scenarios that do not result in core dam age or radiological release but affect other regulatory program s such as MSPI and the m aintenance rule considered?

  • No. T his process is focused on hazards that im pact the approved risk m etrics for a given design.
  • T he subject sentence will be edited to direct the user to focus on hazards, not loss scenarios.

©2024 N uc lear E ner g y I ns t it ut e 27 Comment 53

The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a com plement to existing regulatory activities.

However, it is not clear whether these processes alone, without the com plementary regulatory activities are effective at identifying and elim inating all sources of CCF, which is the purpose of this docum ent.

  • This NEI 20- 07 section is intended to dem onstrate the efficacy of STPA as a hazards analysis tool as a contributing factor to NEI 20- 07 approach.
  • STPA is not the only technique relied upon to dem onstrate that vulnerabilities to CCF have been addressed. HAZCADS and DRAM com bine this with Fault Tree Analysis and the Control Method allocation/scoring developed by Sandia National Labs.
  • The purpose of this docum ent is not to identify and elim inate all sources of CCF as stated in the com m ent.

©2024 N uc lear E ner g y I ns t it ut e 28 Comment 69

Conceptually, NEI 20- 07 is proposed to be used as an alternative way to m eet the Com m ission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory fram ework applicable to the Com m ission policy on CCF. It appears that this appendix is incom plete in that respect. For exam ple, it does not include the SRM.

The NRC regulatory fram ework includes m ore than just regulatory requirem ents.

  • NE I 20-07 Section 3.1 explicitly addresses SRM-SECY 0076.
  • NE I 20-07 Section 3.2 references Appendix A for additional regulatory requirements to be considered.

Appendix A provides further detail on relevant regulatory requirements that are considered in the development of this process OR are required to be considered by the applicant using this methodology.

  • NEI would like to better understand how NEI 20- 07 is considered an alternative way to meet the Commission policy.
  • NEI would like to better understand what else is considered other than just regulatory requirements. NUREGs, Regulatory Guides, etc.?

©2024 N uc lear E ner g y I ns t it ut e 29 Comment 72

Doing a part of a standard [IEC 61508 Part 3] is not the sam e as following the standard. T hese use of these m ethods in this docum ent differs from how they are used in the standard.

  • NEI 20-07 is not claim ing to follow IEC 61508 Part 3.
  • EPRI DRAM uses pre- scored system atic control m ethods based upon IEC 61508 Part 3 Annex A.
  • T he intent of the statem ent is to provide a basis for their inclusion not to im ply com pliance with the standard.

©2024 N uc lear E ner g y I ns t it ut e 30