ML24103A153

NEI Supplemental Information on NRC Comments of NEI 20-07 Rev E (Non-Proprietary) - Slides
ML24103A153
Person / Time
Site: Nuclear Energy Institute
Issue date: 04/12/2024
From:
Nuclear Energy Institute
To:
Office of Nuclear Reactor Regulation


Text

NEI 20-07 Rev. E Comments - Non-Proprietary

March 28, 2024

©2024 Nuclear Energy Institute

Non-Proprietary Topics

  • EPRI Product Usage
  • Advanced Reactor Considerations
  • Credible and likely sources of CCF
  • Control Method Scoring
  • DEG, HAZCADS, and DRAM
  • Other Comments

EPRI Product Usage (Non-Proprietary)

EPRI Product Usage

Comment 36
Excerpt or Section Number from NEI 20-07: Refer to EPRI DRAM for details regarding the CME scoring methodology.
Question or Feedback: Does NEI intend for the NRC staff to review and endorse the DRAM process? Does NEI intend to provide this document on the docket?

Comment 62
Excerpt or Section Number from NEI 20-07: NEI 20-07 lists the following EPRI reports as available evidence: EPRI 3002004995, EPRI 3002004997, and EPRI 3002000509.
Question or Feedback: Does NEI intend to provide these reports document on the docket?

EPRI Product Usage

NEI is not planning to docket EPRI products, nor request direct endorsement of those products.

NEI 17-06, Guidance on Using IEC 61508 SIL Certification to Support the Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Related Applications, used a similar approach.

  • NEI did not docket IEC 61508, ISO 17065 or underlying EPRI research documents
  • NEI did not request endorsement of documents other than NEI 17-06

EPRI Product Usage

EPRI products are agnostic to the regulatory environment in which they are used.

NEI 20-07 Section 4.2 provides criteria intended to adapt EPRI HAZCADS and DRAM to address SRM-SECY-22-0076.

Considerations needed to demonstrate compliance with the US regulatory environment will be addressed within NEI 20-07, not EPRI HAZCADS and DRAM, as needed.

Question 36

Does NEI intend for the NRC staff to review and endorse the DRAM process?

Does NEI intend to provide this document on the docket?

  • NEI does not plan to docket EPRI products.
  • NEI is seeking endorsement of NEI 20-07.
  • If the NRC needs to review/endorse EPRI products, then NEI recommends it be done like NEI 17-06.
  • NEI is open to expanding the summaries of the EPRI products being used if that would preclude the need to review/endorse HAZCADS/DRAM.

Question 62

Does NEI intend to provide these reports [EPRI 3002004995, EPRI 3002004997, and EPRI 3002000509] document on the docket?

  • No, these documents are available through EPRI's website.
  • NEI is open to including summaries of the EPRI research products being used if that would preclude the need to review/endorse NEI 20-07.

Advanced Reactor Considerations (Non-Proprietary)

Advanced Reactor Considerations

Comment 4
Excerpt or Section Number from NEI 20-07: Various sections regarding guidance on non-light-water reactors (non-LWRs) and new LWRs
Question or Feedback: NEI 20-07, applicable to both operating and new LWRs and non-LWRs, is written with more details or focus on operating LWRs. Additional enhancements or clarifications regarding guidance for non-LWRs are needed as discussed in comments below.
Examples include the use of risk metrics, acceptability of the probabilistic risk assessment used, and other guidance on non-LWRs under the licensing modernization project (LMP). The NRC staff suggest a comprehensive evaluation of NEI 20-07 on this topic.
Most new LWRs have successfully employed the deterministic best-estimate coping analysis to address CCF concerns in accordance with the Commission Policy in SRM-SECY-93-087 and may choose to follow the same deterministic approach for future LWR designs. NEI 20-07 should also address use of deterministic approach for addressing the digital I&C CCF concerns.

Comment 5
Excerpt or Section Number from NEI 20-07: Applicability of NEI 20-07, Rev E to advanced reactors including microreactors
Question or Feedback: The NRC staff notes that some of the advanced reactors may not be vulnerable to potential DI&C CCFs of concern. For example, the inherent safety and/or passive features may demonstrate that the designs are safe for the CCF scenarios using the LMP process in RG 1.233. Another example may be that there may not be any HSSSR DI&C systems in some of these designs. The NRC staff suggests that NEI 20-07 consider this feedback and include any additional clarifications as necessary regarding the use of its guidance for this area.

Comment 15
Excerpt or Section Number from NEI 20-07: This process may be applied to operating reactor licensees or new plant applicants. Applicants using this guidance for new plant applications using Regulatory Guide 1.233 can use this guidance to develop a D3 assessment to demonstrate the adequacy of special treatments applied to address CCF.
Question or Feedback: The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.
There is a need to define the scope of NEI 20-07.

Advanced Reactor Considerations

Comment 18
Excerpt or Section Number from NEI 20-07: HSSSR SSC definition
Question or Feedback: For non-LWRs, the LMP in RG 1.233 classifies SSCs as safety-related, safety-related with special treatment, and non-safety-related with no special treatment based on a systematic risk-informed and performance-based approach. NEI 20-07's definition of HSSSR SSCs should include information on what SSCs are considered HSSSR under the LMP.

Comment 24
Excerpt or Section Number from NEI 20-07: 3.1.2 SRM-SECY-22-0076 Point 4. For applicants using Regulatory Guide 1.233, special treatment considerations and human factors engineering processes should indicate the required monitoring parameters that support safety functions.
Question or Feedback: Consider adding additional guidance for non LWR applicants on addressing Point 4 of SRM.
Not clear how guidance in NEI 20-07 is applied to non-LWR applicants, because a lot of the guidance appear to be LWR specific.
The NRC staff agrees with the statement but provides the following additional information. For non-LWRs, the LMP in RG 1.233, safety functions are defined and discussed mainly in terms of Required Safety Functions (RSFs) and Probabilistic Risk Assessment Safety Functions (PSFs). The NRC staff relies on RG 1.233 and the Design Review Guide (DRG), Instrumentation and Controls for Non-LWRs Reviews (ML21011A140) for non-LWR I&C reviews. The NRC staff will use pre-application engagement to discuss use of the expanded policy, including critical safety functions in Point 4 for non-LWRs with interested applicants to address any questions or concerns.
A relevant discussion is in SECY-23-0092.

Advanced Reactor Considerations

Comment 33
Excerpt or Section Number from NEI 20-07: The result may be a change in core damage frequency (CDF) and large early release frequency (LERF). Some reactor technologies may use different risk metrics specific to the reactor design. For those reactor technologies, the RRT thresholds should align with industry accepted guidance.
Question or Feedback: For advanced light-water and non-light-water reactors, what industry accepted guidance would be used to determine the risk reduction target?
For advanced light-water and non-light-water reactors, what risk metrics and associated criteria that would be used to determine the risk reduction target?
The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.
There is a need to define the scope of NEI 20-07.

Comment 50
Excerpt or Section Number from NEI 20-07: 5.3.1 EPRI HAZCADS and DRAM Efficacy. The graded approach is consistent with the acceptance guidelines for changes to Core Damage Frequency and Large Early Release Frequency described in RG 1.174 Section 2.4. Aspects of the proposed modification that result in changes to CDF or LERF that map to Region 1 in RG 1.174 Figures 4 and 5 apply the most rigorous approach; whereas those that map to Region 3 apply the least rigor while maintaining the design basis commitments and consistency with the facility's defense-in-depth philosophy and safety margins.
Question or Feedback: This is another example where the description is more applicable to LWRs regarding the use of Core Damage and Large Early Release.
Additional clarification should be made on guidance for non-LWRs.

Comment 66
Excerpt or Section Number from NEI 20-07: UCAs that are present in multiple redundancies of a DI&C system and impact core damage or large early releases are considered CCF.
Question or Feedback: This description is more applicable to LWRs regarding the use of core damage and large early release. It should be revised to be technology-agnostic or additional clarification should be made on guidance for non-LWRs.

Advanced Reactor Considerations

Comments 4, 5, 15, 18, 24, 33, 50, and 66

  • Describe insufficient or incompatible sections of NEI 20-07 Rev. E for application to Advanced Reactor technology

  • In general, NEI agrees with the comments and will reword each accordingly.

Comment 4

NEI 20-07, applicable to both operating and new LWRs and non-LWRs, is written with more details or focus on operating LWRs. Additional enhancements or clarifications regarding guidance for non-LWRs are needed as discussed in comments below.

Examples include the use of risk metrics, acceptability of the probabilistic risk assessment used, and other guidance on non-LWRs under the licensing modernization project (LMP). The NRC staff suggest a comprehensive evaluation of NEI 20-07 on this topic.

  • NEI agrees that NEI 20-07 should include direction for Advanced Reactors risk metrics, PRA, and other guidance.

Most new LWRs have successfully employed the deterministic best-estimate coping analysis to address CCF concerns in accordance with the Commission Policy in SRM-SECY-93-087 and may choose to follow the same deterministic approach for future LWR designs. NEI 20-07 should also address use of deterministic approach for addressing the digital I&C CCF concerns.

  • NEI 20-07 is not intended to include information regarding the deterministic approach.

Comment 5

The NRC staff notes that some of the advanced reactors may not be vulnerable to potential DI&C CCFs of concern. For example, the inherent safety and/or passive features may demonstrate that the designs are safe for the CCF scenarios using the LMP process in RG 1.233. Another example may be that there may not be any HSSSR DI&C systems in some of these designs. The NRC staff suggests that NEI 20-07 consider this feedback and include any additional clarifications as necessary regarding the use of its guidance for this area.

Agreed. NEI will include information related to this.

In addition to the LMP process, HAZCADS may be used to demonstrate when other safety features are sufficient to provide plant defense-in-depth.

Comment 15

The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.

There is a need to define the scope of NEI 20-07.

The scope is intended to address both operating LWRs and Advanced Reactors. NEI will provide additional information to support the use by Advanced Reactors.

Comment 18

For non-LWRs, the LMP in RG 1.233 classifies SSCs as safety-related, safety-related with special treatment, and non-safety-related with no special treatment based on a systematic risk-informed and performance-based approach. NEI 20-07's definition of HSSSR SSCs should include information on what SSCs are considered HSSSR under the LMP.

NEI will provide information on RG 1.233 safety classification for clarity.

NEI expects HSSSR to encompass RG 1.233 safety-related classification.

Comment 24

Consider adding additional guidance for non LWR applicants on addressing Point 4 of SRM.

Not clear how guidance in NEI 20-07 is applied to non-LWR applicants, because a lot of the guidance appear to be LWR specific.

The NRC staff agrees with the statement but provides the following additional information. For non-LWRs, the LMP in RG 1.233, safety functions are defined and discussed mainly in terms of Required Safety Functions (RSFs) and Probabilistic Risk Assessment Safety Functions (PSFs). The NRC staff relies on RG 1.233 and the Design Review Guide (DRG), Instrumentation and Controls for Non-LWRs Reviews (ML21011A140) for non-LWR I&C reviews. The NRC staff will use pre-application engagement to discuss use of the expanded policy, including critical safety functions in Point 4 for non-LWRs with interested applicants to address any questions or concerns.

A relevant discussion is in SECY-23-0092.

The scope is intended to address both operating LWRs and Advanced Reactors.

NEI will provide additional information to support the use by Advanced Reactors.

Comment 33

For advanced light-water and non-light-water reactors, what industry accepted guidance would be used to determine the risk reduction target?

For advanced light-water and non-light-water reactors, what risk metrics and associated criteria that would be used to determine the risk reduction target?

The NEI 20-07 process primarily focuses on risk metrics of CDF and LERF and corresponding thresholds for these risk metrics based on regulatory guidance for operating light-water reactors. Advanced light-water and non-light-water reactors do not use the same risk metrics, so it is not apparent that this process can be applied to all new plant applicants without changes, which will need a detailed review.

There is a need to define the scope of NEI 20-07.

NEI will address this with the Advanced Reactor community to determine any commonalities for risk metrics.

In lieu of prescribing risk metrics for Advanced Reactors, this may need to be discussed and agreed upon in pre-application meetings.

Comment 50

This is another example where the description is more applicable to LWRs regarding the use of Core Damage and Large Early Release.

Additional clarification should be made on guidance for non-LWRs.

Agreed. NEI will incorporate.

Comment 66

This description is more applicable to LWRs regarding the use of core damage and large early release. It should be revised to be technology-agnostic or additional clarification should be made on guidance for non-LWRs.

Agreed. NEI will incorporate.

Credible and likely sources of CCF (Non-Proprietary)

Credible and likely

Comment 7
Excerpt or Section Number from NEI 20-07: To prove that vulnerabilities to CCF have been adequately addressed, the D3 analysis must be able to demonstrate that:
1. Credible and likely sources of potential CCF have been identified and analyzed.
2. Each source of potential CCF has been reasonably prevented, mitigated, or adequately dispositioned.
Question or Feedback: The concept of vulnerability to CCF in SRM-SECY-22-0076 was understood to mean a situation where a CCF would produce unacceptable results. This quotation, and others in this document change the focus to sources of CCF, but this document does not describe or define what sorts of things sources of CCF are (e.g., people, equipment, procedures).
There is an implication that not all sources of CCF can be identified, which is created by this document only addressing credible and likely sources of CCF.
Is it analogous to the distinction between failure mode (e.g., potential CCF) and failure mechanism (e.g., source of potential CCF)?
Does each potential CCF have many sources?

Comment 8
Excerpt or Section Number from NEI 20-07: Credible and likely sources of potential CCF have been identified and analyzed.
Question or Feedback: The enclosure to SRM-SECY-22-0076 states: In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both.
How does addressing the credible and likely sources meet this aspect of the policy?

Comment 67
Excerpt or Section Number from NEI 20-07: This process is effective at identifying the most likely and credible CCFs at a nuclear power plant.
Question or Feedback: The NRC is also concerned about CCFs that are unlikely. This conclusion should probably be a bit more precise in terms of Modes, causes, mechanisms, or sources of CCF.

Postulated CCFs

Potential Sources

Postulated CCFs

What makes a Control Action unsafe?

  • Not provided when needed
  • Provided when not needed
  • Provided too early, too late, or in wrong order
  • Stopped too soon or provided too long

Postulated CCFs

This provides a bounded set of postulated CCFs

  • Includes diagnosis of system interactions and requirements
  • Identifies system misbehaviors even if no actual failure occurs
  • Includes consideration of spurious actuation

Potential Sources

Loss Scenarios - causal factors that can lead to UCAs

  • Inadequate controller behavior
  • Inadequate feedback and information
  • Control pathways
  • Inadequate controlled process behaviors

Comment 7

The concept of vulnerability to CCF in SRM-SECY-22-0076 was understood to mean a situation where a CCF would produce unacceptable results. This quotation, and others in this document change the focus to sources of CCF, but this document does not describe or define what sorts of things sources of CCF are (e.g., people, equipment, procedures).

There is an implication that not all sources of CCF can be identified, which is created by this document only addressing credible and likely sources of CCF.

Is it analogous to the distinction between failure mode (e.g., potential CCF) and failure mechanism (e.g., source of potential CCF)?

Does each potential CCF have many sources?

Comment 7

Does each potential CCF have many sources?

  • NEI generally agrees with the comment. The intent is that the UCAs identified represent CCF. To improve the reliability of the controller impacted by the postulated CCF (either operator, equipment, or other) the potential loss scenarios (i.e., failure mechanisms) are identified and addressed.
  • This also informs design decisions throughout an iterative design process.
  • NEI will revise document to reinforce focus on the UCAs representative of potential vulnerabilities to CCF.

Comment 8

The enclosure to SRM-SECY-22-0076 states: In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both.

How does addressing the credible and likely sources meet this aspect of the policy?

  • The applicant is analyzing the postulated CCF using hazards analysis techniques and fault tree analysis to identify and address those postulated CCFs commensurate with their risk.
  • NEI is considering changing "credible and likely sources of CCF" to "bounded set of postulated CCFs".

Comment 67

The NRC is also concerned about CCFs that are unlikely. This conclusion should probably be a bit more precise in terms of Modes, causes, mechanisms, or sources of CCF.

  • NEI generally agrees with the comment. NEI will reword the statement in the conclusion.
  • The process assumes the CCF occurs regardless of likelihood to determine the risk significance, inform design decisions, and apply control methods.

Control Method Scoring (Non-Proprietary)

Control Method Scoring

Comment 3
Excerpt or Section Number from NEI 20-07: Scoring of systematic control methods. Section 4.1.2 states Once a set of systematic Control Methods has been identified for a given Loss Scenario, each Control Method is individually scored to provide an objective comparison of the relative effectiveness of the Control Methods. A scoring method is used as a tool to perform a qualitative assessment of the Control Method effectiveness. A scoring method removes potential bias in the qualitative assessment. Each Control Method is evaluated separately for its Control Method effectiveness and in combination when more than one Control Method is applied to an I&C element or relationship set of I&C elements.
Question or Feedback: What is the technical basis for the validity of the scoring method?
Provide an example that illustrates the scoring method.
Generally, each different control method is good for addressing some specific source(s) of concern, but not others. The selection of control methods should, when taken together, broadly address all the sources of concerns. Please explain how this concept is addressed by the process in NEI 20-07 Rev. E.

Comment 35
Excerpt or Section Number from NEI 20-07: A set of pre-scored systematic control methods are established to mitigate the loss scenarios of an inadequate control algorithm.
Question or Feedback: What process is used to provide scores to the control methods?
Additional details and justification of the scoring process are necessary, including examples demonstrating how the scoring process is performed. The justification needs to explain how the scoring process is objective, structured, and consensus-based.

Comment 63
Excerpt or Section Number from NEI 20-07: A combined control method effectiveness score provides a geometrically weighted value.
Question or Feedback: Is the phrase geometrically weighted value intended to represent a weighted geometric mean or a different mathematical value?
Additional details and justification of the geometrically weighted combined control method effectiveness score calculation are necessary, including examples demonstrating how the combined control method effectiveness score is calculated.
The justification needs to explain how the calculation is objective, structured, and consensus based.

Control Method Scoring

What is the EPRI DRAM Control Method Scoring?

  • An indicator of the relative effectiveness of a control method (or combined control methods)
  • Qualitative and based upon subject matter expert input
  • Supports engineering justification that the systematic Loss Scenario is sufficiently addressed.

How do Control Methods get applied?

  • Control Methods are allocated to Loss Scenarios based upon risk significance as indicated by the Risk Reduction Threshold (RRT)
  • When multiple Control Methods are applied, the effectiveness of each subsequent Control Method is diminished.

This is to avoid stacking low effectiveness Control Methods to artificially raise the Combined Control Method Effectiveness qualitative score

Postulated CCFs

Many to One Relationship

Control Method Scoring

Control Method Effectiveness (CME) qualitative scoring technique was developed by Sandia National Laboratory for initial use in the EPRI Technical Assessment Methodology (TAM)

  • Vogtle 3 and 4 use the EPRI TAM for CDA assessments
  • Vogtle 3 completed the Cyber Security inspection with no findings associated with implementation of EPRI TAM

EPRI developed the DRAM Control Method Effectiveness qualitative scoring using the same approach

Control Method Scoring

CME = log2(CMT*CMS*Constant)

  • CME = Control Method Effectiveness
  • CMT = Control Method Type
  • CMS = Control Method Strength
  • Constant = scaling factor that provides consistent boundaries and forces a lower CME limit to 0.10 in order to avoid a zero-information entropy situation

©2024 Nuclear Energy Institute 37 Control Method Scoring

CME = log2(CMT*CMS*Constant)

  • CME = Control Method Effectiveness
  • CMT = Control Method Type
  • CMS = Control Method Strength
  • Constant = scaling factor that provides consistent boundaries and forces a lower CME limit to 0.10 in order to avoid a zero-information entropy situation

©2024 Nuclear Energy Institute 38 Control Method Scoring

21

= =1 3

  • CCME = Combined Control Method Effectiveness
  • CMEi = the i th CME score, sorted highest to lowest
  • n = number of Control Methods

©2024 Nuclear Energy Institute 39 Control Method Scoring

Example 1 Example 2

  • CME1 - 2.03 (Technical, Limited)* CME1 - 0.87 (Plant Procedure, Low)
  • CME2 - 1.44 (Plant Procedure,
  • CME2 - 0.67 (Ad Hoc, Limited)

Limited)

  • CME3 - 0.1 (Ad Hoc, Low) 221 221 + 231
  • = 1 + 2 3 * = 1 + 2 3 2 3 3
  • = 2.03 + (1.44 2 22
3) * = 0.87 +0.67 3 +0.1 3
  • = 2.03 + 0.96 = 2.99 ()* = 0.87 + 0.45 + 0.04 = 1.36 ()
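The stacking rule used in the two examples above (scores sorted highest to lowest, each subsequent score multiplied by a further factor of 2/3) is shown here as an added Python example; it is not code from NEI, EPRI or Sandia. The function names, the rejection of scores below the stated 0.10 floor, and the geometric-series ceiling are assumptions and derivations made for this illustration.

```python
"""Combined Control Method Effectiveness (CCME) stacking.

Added illustration of the rule shown on the slides; names are hypothetical.
"""
from typing import Iterable, List, Tuple

DECAY = 2.0 / 3.0   # weight applied once more for each subsequent Control Method
CME_FLOOR = 0.10    # lower CME limit stated on the slides

# (rank, CME score, weight, weighted contribution)
Term = Tuple[int, float, float, float]


def ccme_terms(cme_scores: Iterable[float]) -> List[Term]:
    """Sort scores highest to lowest and weight the i-th one by (2/3)^(i-1)."""
    scores = sorted((float(s) for s in cme_scores), reverse=True)
    if not scores:
        raise ValueError("at least one CME score is required")
    # Assumption for this example: a score under the floor is a data error.
    if scores[-1] < CME_FLOOR:
        raise ValueError(f"CME score {scores[-1]} is below the {CME_FLOOR} floor")
    return [(i + 1, s, DECAY ** i, s * DECAY ** i) for i, s in enumerate(scores)]


def ccme(cme_scores: Iterable[float]) -> float:
    """Combined score: sum of the weighted contributions."""
    return sum(term[3] for term in ccme_terms(cme_scores))


def stacking_ceiling(cme: float) -> float:
    """Limit of CCME when one score is repeated without end.

    Geometric series: cme * (1 + 2/3 + (2/3)^2 + ...) = cme / (1 - 2/3) = 3 * cme.
    Derived from the formula; the slides do not state this bound.
    """
    return cme / (1.0 - DECAY)


def report(label: str, cme_scores: Iterable[float]) -> str:
    """Render the per-method contributions and the combined score as text."""
    terms = ccme_terms(cme_scores)
    lines = [label]
    for rank, score, weight, contribution in terms:
        lines.append(f"  CME{rank} = {score:.2f}  x {weight:.3f}  -> {contribution:.2f}")
    lines.append(f"  CCME = {sum(t[3] for t in terms):.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The two examples from the slide.
    print(report("Example 1", [2.03, 1.44]))
    print(report("Example 2", [0.87, 0.67, 0.1]))
    # Stacking many floor-level methods stays under 3 x 0.10, which is below
    # the 0.87 scored by the single (Plant Procedure, Low) method in Example 2.
    print(report("Ten floor-level methods", [0.1] * 10))
    print(f"Ceiling for a repeated 0.10 score: {stacking_ceiling(0.1):.2f}")
```
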

©2024 Nuclear Energy Institute 40 Comment 3

What is the technical basis for the validity of the scoring method?

  • Developed by Sandia National Laboratory using information entropy concepts.

Information entropy quantifies the amount of information in a given message. In this application, the concept quantifies the relative effectiveness of control methods compared to other control methods.

Provide an example that illustrates the scoring method.

  • See previous slides.

Generally, each different control method is good for addressing some specific source(s) of concern, but not others. The selection of control methods should, when taken together, broadly address all the sources of concerns. Please explain how this concept is addressed by the process in NEI 20-07 Rev. E.

  • Generally, agree. See previous slides.
  • This is explained in EPRI DRAM.

©2024 Nuclear Energy Institute 41 Comment 35

What process is used to provide scores to the control methods?

  • EPRI DRAM. See previous slides.

Additional details and justification of the scoring process are necessary, including examples demonstrating how the scoring process is performed.

  • See previous slides. Potential for public meeting with EPRI involvement, if needed.

The justification needs to explain how the scoring process is objective, structured, and consensus-based.

  • The scoring process is structured and provides objective criteria for CMT/CMS categorization; however, the plant-specific results are based upon SME input (with the exception of pre-scored Control Methods provided in DRAM).

©2024 Nuclear Energy Institute 42 Comment 63

Is the phrase geometrically weighted value intended to represent a weighted geometric mean or a different mathematical value?

  • EPRI DRAM uses this term to describe how individual CME scores depreciate when they are stacked to determine the CCME.

$$CCME = \sum_{i=1}^{n} CME_i \left(\frac{2}{3}\right)^{i-1}$$

Additional details and justification of the geometrically weighted combined control method effectiveness score calculation are necessary, including examples demonstrating how the combined control method effectiveness score is calculated.

  • See previous slides with examples.

The justification needs to explain how the calculation is objective, structured, and consensus based.

  • See Comment 35 response.

©2024 Nuclear Energy Institute 43 DEG, HAZCADS and DRAM (Non-Proprietary)

DEG, HAZCADS and DRAM Comments

Comment 21
Excerpt or Section Number from NEI 20-07: Section 4.1 discusses controller beliefs and process model beliefs
Question or Feedback: Please define what is a controller belief and what is a process model belief?

Comment 29
Excerpt or Section Number from NEI 20-07: As the system design matures in detail, new hazards may be uncovered and the list of hazardous system states can be revisited and revised, as needed.
Question or Feedback: What process is used to determine if the list of hazardous system states needs to be revisited and revised?
How often is this process performed?
Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.

Comment 30
Excerpt or Section Number from NEI 20-07: NEI 20-07 states, A control structure model does not typically capture purely physical relationships like physical proximity between components or fire propagation.
Draft BTP 7-19, Revision 9, states, the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards.
Question or Feedback: How does the NEI 20-07 process address these spatial concerns?

Comment 32
Excerpt or Section Number from NEI 20-07: The RRT can be developed from one of five different pathways based upon the scope of the system under analysis, the stage of the design process, and whether the system(s) is modeled in the PRA.
Question or Feedback: It would be beneficial to include additional information on the five different pathways to develop the risk reduction targets.

DEG, HAZCADS and DRAM

HAZCADS and DRAM are both integrated into the EPRI Digital Engineering Guide, which provides a systems engineering approach to digital I&C.

EPRI DEG provides direction for a phased approach as follows:

  • Initial Scoping Phase
  • Conceptual/Common Design Phase
  • Detailed Design Phase
  • Installation Planning Phase
  • Installation and Test Phase
  • Closeout Phase
  • Operations and Maintenance Phase

DEG, HAZCADS and DRAM

Per EPRI DEG, these phases are the main sequence process that implements the Systems Engineering process via iterative activities in each phase of the engineering process.

HAZCADS and DRAM are performed during each iteration within the Conceptual/Common Design Phase and Detailed Design Phase.

DEG, HAZCADS and DRAM

Relationship Sets are used to express associations between system elements.

5 types of Relationship Sets:

  • Programmatic
  • Functional
  • Acquisition
  • Connectivity
  • Spatial

For example, all equipment mounted within the same cabinet may be placed in a Relationship Set.

Comment 21

Please define what is a controller belief and what is a process model belief?

A process model represents the internal beliefs of a controller.

In an automated controller, the process model is the data used by the control algorithm to make decisions (in a human, the process model is the set of beliefs used to make decisions in accordance with learned procedures). The process model includes beliefs about the controlled process, and it may include beliefs about the plant or the environment.

Comment 29

What process is used to determine if the list of hazardous system states needs to be revisited and revised?

  • EPRI Digital Engineering Guide and EPRI HAZCADS

How often is this process performed?

  • No prescriptive limits. The process is iterated until a final design is reached.

Alternatively, describe how an iterative design process is used which continues to uncover new hazards as the design evolves.

  • Hazards are evaluated for completeness each time EPRI HAZCADS is performed within the iterative process.
  • It is unlikely that new hazards of regulatory concern are identified.

System hazards are identified at a high level of abstraction.

Comment 30

How does the NEI 20-07 process address these spatial concerns?

  • EPRI DEG provides processes to account for all design requirements.
  • EPRI DEG also provides guidance on developing Relationship Sets that will account for connectivity and spatial concerns.

Comment 32

It would be beneficial to include additional information on the five different pathways to develop the risk reduction targets.

  • Agreed. This will be discussed in more detail in the Proprietary comments.
  • NEI will add information in Section 4 related to the RRT pathways.

Other Comments (Non-Proprietary)

Other Comments

1. Excerpt or Section Number from NEI 20-07: The enclosure to SRM-SECY 0076 states: The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed. NEI 20-07 Rev. E states: This document provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis. This document establishes a safety case using claims, arguments, and evidence to demonstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claims and arguments described in this document.

   Question or Feedback: Defense in depth has always been part of NPP facilities. The assessment of the facilities defense in depth is not clear from the content of NEI 20-07 Rev. E. Therefore, NEI 20-07 Rev. E does not address the entire SRM.

19. Excerpt or Section Number from NEI 20-07: NEI 20-07 defines a risk reduction target as the risk reduction to be achieved by the [] safety-related systems and/or other risk reduction measures in order to ensure that the tolerable risk is not exceeded.

   Question or Feedback: Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target? How do the safety-related systems and/or other risk reduction measures ensure that the tolerable risk is not exceeded? [emphasis added]

34. Excerpt or Section Number from NEI 20-07: For the purposes of this document, only loss scenarios associated with regulatory safety factors (e.g., core damage or radiological release) should be considered.

   Question or Feedback: Are loss scenarios that do not result in core damage or radiological release but affect other regulatory programs such as MSPI and the maintenance rule considered?

Other Comments

53. Excerpt or Section Number from NEI 20-07: ((EPRI HAZCADS and DRAM have been proven effective in identifying and addressing hazards and sources of failure in DI&C systems NRC has conducted its own research on the efficacy of hazards analysis and STPA. TLR-RES/DE-2022-006, Hazard Analysis: An Outline of Technical Bases for the Evaluation of Criteria, Methodology, and Results, documents an evaluation of the need to develop criteria for technical bases supporting the evaluation of the criteria and methodology for, and of the results from, [] hazards analysis.))

   Question or Feedback: The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a complement to existing regulatory activities. However, it is not clear whether these processes alone, without the complementary regulatory activities, are effective at identifying and eliminating all sources of CCF, which is the purpose of this document.

69. Excerpt or Section Number from NEI 20-07: Appendix A. This Appendix describes the relationship between the process described in this document and the NRC regulatory framework. Note that the regulations listed below may not necessarily apply to all applicants and licensees. The applicability of the regulatory requirements is determined by the plant-specific licensing basis and any proposed changes to the licensing basis associated with the proposed DI&C system under evaluation.

   Question or Feedback: Conceptually, NEI 20-07 is proposed to be used as an alternative way to meet the Commission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory framework applicable to the Commission policy on CCF. It appears that this appendix is incomplete in that respect. For example, it does not include the SRM. The NRC regulatory framework includes more than just regulatory requirements.

72. Excerpt or Section Number from NEI 20-07: Appendix A, Section A.2.1. Pre-scored Systematic Control Methods are measures that may, synthesized from the industry standard IEC 61508 Part 3, normative Annex A which is a recognized safety standard in the petrochemical industry.

   Question or Feedback: Doing a part of a standard is not the same as following the standard. The use of these techniques and methods in this document differs from how they are used in the standard.

Comment 1

Defense in depth has always been part of NPP facilities. The assessment of the facilities defense in depth is not clear from the content of NEI 20-07 Rev. E. Therefore, NEI 20-07 Rev. E does not address the entire SRM.

  • This document provides a process for developing a new type of Diversity and Defense-in-Depth (D3) analysis for the facility. This document establishes a safety case using claims, arguments, and evidence to demonstrate that vulnerabilities to digital CCF have been adequately addressed. The safety case depends on outputs from EPRI engineering and diagnostic tools to provide evidence that supports claims and arguments described in this document.

Comment 19

Can SSCs that are not safety-related be credited to reduce risk to achieve the risk reduction target?

  • Yes. The Control Method process does not consider the safety classification if additional SSCs are required.
  • This is consistent with SRM-SECY 0076.

How do the safety-related systems and/or other risk reduction measures ensure that the tolerable risk is not exceeded? [emphasis added]

  • EPRI HAZCADS Risk Reduction Target pathways establish the graded approach based upon risk. If the RRT exceeds approved thresholds (e.g., Reg. Guide 1.174 for operating LWRs), then the design is changed.
  • EPRI DRAM provides a structured, objective process for providing engineering justification for the methods used to improve the system reliability.
  • Control methods are not individually modeled in PRA to determine risk impact.

Comment 34

Are loss scenarios that do not result in core damage or radiological release but affect other regulatory programs such as MSPI and the maintenance rule considered?

  • No. This process is focused on hazards that impact the approved risk metrics for a given design.
  • The subject sentence will be edited to direct the user to focus on hazards, not loss scenarios.

Comment 53

The staff can recognize how the processes described can provide insights toward attaining a degree of reliability of operations as a complement to existing regulatory activities.

However, it is not clear whether these processes alone, without the complementary regulatory activities, are effective at identifying and eliminating all sources of CCF, which is the purpose of this document.

  • This NEI 20-07 section is intended to demonstrate the efficacy of STPA as a hazards analysis tool as a contributing factor to the NEI 20-07 approach.
  • STPA is not the only technique relied upon to demonstrate that vulnerabilities to CCF have been addressed. HAZCADS and DRAM combine this with Fault Tree Analysis and the Control Method allocation/scoring developed by Sandia National Labs.
  • The purpose of this document is not to identify and eliminate all sources of CCF as stated in the comment.

Comment 69

Conceptually, NEI 20-07 is proposed to be used as an alternative way to meet the Commission policy on CCF; therefore, this appendix should explicitly include the NRC regulatory framework applicable to the Commission policy on CCF. It appears that this appendix is incomplete in that respect. For example, it does not include the SRM.

The NRC regulatory framework includes more than just regulatory requirements.

  • NEI 20-07 Section 3.1 explicitly addresses SRM-SECY-22-0076.
  • NEI 20-07 Section 3.2 references Appendix A for additional regulatory requirements to be considered.

Appendix A provides further detail on relevant regulatory requirements that are considered in the development of this process OR are required to be considered by the applicant using this methodology.

  • NEI would like to better understand how NEI 20-07 is considered an alternative way to meet the Commission policy.
  • NEI would like to better understand what else is considered other than just regulatory requirements. NUREGs, Regulatory Guides, etc.?

Comment 72

Doing a part of a standard [IEC 61508 Part 3] is not the same as following the standard. The use of these methods in this document differs from how they are used in the standard.

  • NEI 20-07 is not claiming to follow IEC 61508 Part 3.
  • EPRI DRAM uses pre-scored systematic control methods based upon IEC 61508 Part 3 Annex A.
  • The intent of the statement is to provide a basis for their inclusion not to imply compliance with the standard.

Next Steps

Meeting to discuss remaining comments

Incorporate comments and review with NRC staff

  • Goal is to demonstrate how comments are addressed for alignment prior to Rev. 0 submittal

Prepare NEI 20-07 Rev. 0 and submit to staff

  • Timing based upon decision to use EPRI products released later in 2024
