
Nuclear Regulatory Commission Review Plan

ResoluteBay

Questions and Answers

What does CDF stand for in the context of nuclear facility risk calculation?

Core Damage Frequency

Which document describes an approach acceptable to the NRC staff for developing risk-informed applications for a licensing-basis change?

RG 1.174

Safety significance is evaluated in a Probabilistic Risk Assessment (PRA).

False

RG 1.174 provides guidance on ensuring that designs possess sufficient ________.

safety margins

What are the three levels at which the overall risk of a nuclear facility can be calculated?

Core damage frequency (CDF) (Level 1 PRA), releases (Level 2 PRA), health effects (Level 3 PRA)

What is used to determine the risk significance of a CCF?

CDF

Section C.2.1.2 of RG 1.174 provides guidance on ensuring that designs possess sufficient ________.

safety margins

Study Notes

U.S. Nuclear Regulatory Commission Standard Review Plan

  • The Standard Review Plan (SRP) establishes criteria for evaluating applications to construct and operate nuclear power plants.
  • The SRP is not a substitute for NRC regulations, and compliance with it is not required.

Branch Technical Position 7-19

  • Provides criteria for evaluating the acceptability of applicant assessments of digital instrumentation and control (DI&C) system common-cause failures (CCFs) due to latent design defects.
  • The acceptance criteria address plant performance in response to CCFs of DI&C systems.
  • Evaluation activities involve various technical review disciplines, including instrumentation and controls, reactor safety systems, and risk assessments.

Background

  • The U.S. Nuclear Regulatory Commission (NRC) has addressed common-cause failures (CCFs) as part of the licensing process throughout its history.
  • In 1969, the Atomic Energy Commission (AEC) requested reactor manufacturers to examine their plant designs to address possible effects of common-mode-type failures on nuclear safety functions.
  • The NRC's General Design Criteria (GDC) require consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in protection systems and reactivity control systems.

DI&C Systems and Common-Cause Failures

  • DI&C systems consist of hardware components and logic elements (e.g., software).
  • DI&C systems are susceptible to CCFs due to latent design defects in active hardware components, software, or software-based logic.
  • CCFs can cause a loss of safety function or initiate a plant transient, or they can initiate spurious system actions.
  • The NRC considers CCFs in DI&C systems to be beyond design-basis events.

Defense in Depth and Diversity

  • The principles of defense in depth and diversity (D3) are used to address CCF vulnerabilities of DI&C systems.
  • Defense in depth involves multiple layers of defense to prevent unacceptable harm to public health and safety.
  • D3 relies on independence (e.g., communication independence between echelons) so that the layers cannot fail concurrently, and on diversity (different technology, design, or function) so that a latent defect shared by identical channels cannot defeat every layer. Redundancy alone does not protect against CCF, because identical redundant channels share the same latent defects.

Regulatory Basis

  • The NRC staff evaluates applications using various design features to address CCF vulnerabilities in DI&C systems.
  • Regulations and standards, such as IEEE standards and design criteria, provide criteria applicable to protection and safety systems.

Relevant Guidance

  • Documents providing guidance on evaluating CCFs in DI&C systems include SECY-93-087, SECY-18-0090, SECY-22-0076, and SRM-SECY-22-0076.

Overview of Branch Technical Position (BTP) 7-19

  • BTP 7-19 provides guidance to the NRC staff for reviewing safety assessments of digital instrumentation and control (DI&C) systems
  • The guidance is focused on the evaluation of defense-in-depth (D3) assessments to address common-cause failures (CCFs) in DI&C systems

Scope of BTP 7-19

  • Intended for the NRC staff review of D3 assessments to address CCFs in DI&C systems
  • Provides review guidance for evaluating whether an applicant's proposed DI&C design complies with functional goals, principles of risk-informed decision-making, and regulations
  • Does not cover review criteria for single random failures and cascading failures from single random failures in shared resources

Purpose of BTP 7-19

  • Provides guidance for evaluating an applicant's assessment of the adequacy of D3 for a proposed DI&C system
  • Evaluates the appropriateness of the applicant's chosen methods for performing a D3 assessment
  • Reviews the applicant's assessment of vulnerabilities to CCFs and their effects on plant safety

Key Points of BTP 7-19

  • The applicant must assess the defense-in-depth and diversity of the facility incorporating the proposed DI&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed
  • The defense-in-depth and diversity assessment must be commensurate with the risk significance of the proposed DI&C system
  • The applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach, or both
  • The defense-in-depth and diversity assessment must demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant
  • Main control room displays and controls that are independent and diverse from the proposed DI&C system must be provided for manual, system-level actuation of critical safety functions and for monitoring of the parameters that support those functions

Common-Cause Failure Position and Discussion

  • The applicant must demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed
  • The applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach, or both
  • The defense-in-depth and diversity assessment must demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant
  • The applicant must provide a documented basis for any safety-significance determinations used in the application
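The risk-informed branch of the position above (analyze each postulated CCF and show it is not risk significant) is easiest to see as a small calculation. The following is an added example, not text or code from BTP 7-19, RG 1.174 or the NRC: it sums the CDF and LERF contribution of a postulated digital CCF over a couple of constructed accident sequences, once with and once without credit for diverse displays and controls, and places the result in the RG 1.174 acceptance regions. The sequences, frequencies and the per-demand CCF probability are constructed; the Region boundaries are those of RG 1.174 (Figures 4 and 5); treating a Region III result on both metrics as "not risk significant" is this example's own assumption.

```python
"""Added example (not from BTP 7-19, RG 1.174 or the NRC): a risk-informed
screen of a postulated digital CCF. Every sequence and probability below is
constructed for illustration. The acceptance guidelines are the RG 1.174 ones
(per reactor-year). Treating "Region III on both CDF and LERF" as not risk
significant is an assumption of this example, not a statement of the BTP.
"""
from dataclasses import dataclass

# RG 1.174 acceptance guidelines: change thresholds and total-risk caps (per reactor-year)
CDF_VERY_SMALL, CDF_SMALL, CDF_TOTAL_CAP = 1e-6, 1e-5, 1e-4
LERF_VERY_SMALL, LERF_SMALL, LERF_TOTAL_CAP = 1e-7, 1e-6, 1e-5


@dataclass(frozen=True)
class Sequence:
    """One accident sequence in which the postulated CCF matters (constructed)."""
    name: str
    ie_freq: float          # initiating event frequency (/yr)
    p_ccf: float            # P(postulated CCF disables the DI&C safety function on demand) - constructed
    p_backup_fails: float   # P(diverse/manual means also fails); 1.0 = nothing credited
    ccdp: float             # conditional core damage probability given the function is lost
    clerf: float            # conditional large early release fraction given core damage

    def delta_cdf(self) -> float:
        return self.ie_freq * self.p_ccf * self.p_backup_fails * self.ccdp

    def delta_lerf(self) -> float:
        return self.delta_cdf() * self.clerf


def rg1174_region(delta: float, base: float, very_small: float, small: float, cap: float) -> str:
    """Map a risk increase onto RG 1.174 Regions I/II/III.

    Region II additionally requires the total (baseline + change) to stay under the cap."""
    if delta < very_small:
        return "III"
    if delta < small and base + delta < cap:
        return "II"
    return "I"


def screen(seqs, base_cdf: float, base_lerf: float) -> dict:
    """Sum the CCF contribution over all sequences and classify it."""
    d_cdf = sum(s.delta_cdf() for s in seqs)
    d_lerf = sum(s.delta_lerf() for s in seqs)
    cdf_region = rg1174_region(d_cdf, base_cdf, CDF_VERY_SMALL, CDF_SMALL, CDF_TOTAL_CAP)
    lerf_region = rg1174_region(d_lerf, base_lerf, LERF_VERY_SMALL, LERF_SMALL, LERF_TOTAL_CAP)
    return {
        "delta_cdf": d_cdf,
        "delta_lerf": d_lerf,
        "cdf_region": cdf_region,
        "lerf_region": lerf_region,
        # assumption of this example: only Region III on both metrics screens out
        "not_risk_significant": cdf_region == "III" and lerf_region == "III",
    }


def constructed_sequences(credit_diverse_means: bool):
    """Two constructed sequences; the only difference between the two cases is
    whether independent, diverse displays and controls are credited."""
    pb_trip = 0.01 if credit_diverse_means else 1.0
    pb_fw = 0.02 if credit_diverse_means else 1.0
    return [
        Sequence("reactor trip demand, RTS CCF", 1.0, 1e-4, pb_trip, 0.1, 0.05),
        Sequence("loss of feedwater, ESFAS CCF", 0.1, 1e-4, pb_fw, 0.5, 0.1),
    ]


if __name__ == "__main__":
    base_cdf, base_lerf = 3e-5, 3e-6      # constructed baseline plant risk
    for credit in (True, False):
        r = screen(constructed_sequences(credit), base_cdf, base_lerf)
        print(f"diverse means credited={credit}: dCDF={r['delta_cdf']:.2e} ({r['cdf_region']}), "
              f"dLERF={r['delta_lerf']:.2e} ({r['lerf_region']}), "
              f"not risk significant={r['not_risk_significant']}")
```

Run as a script, the same postulated CCF lands in Region III when the diverse displays and controls are credited and in Region I when nothing diverse backs up the DI&C system, which is the reviewer's reason to ask for a documented basis behind each credited backup and each safety-significance determination rather than accepting the headline number.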

Review of D3 Assessment

  • The reviewer should consider whether the applicant's assessment has properly identified and addressed CCFs and whether the applicant has incorporated appropriate means to limit, mitigate, or withstand or cope with possible CCFs and sources of CCF vulnerability that can result in spurious operations
  • Alternatively, if the application includes a risk-informed approach, the reviewer should consider whether the assessment demonstrates that the residual CCF is not risk significant

Critical Safety Functions

  • Critical safety functions are the most important safety functions to prevent a direct and immediate threat to public health and safety.
  • Examples of critical safety functions include reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity.
  • Identification of critical safety functions is plant-specific and based on the reactor design safety analysis.

Safety Significance and Effects of Failure

  • A safety-significant function is one whose degradation or loss could have a significant adverse effect on defense in depth, safety margin, or risk.
  • Examples of safety-significant systems include reactor trip systems and engineered safety features actuation systems.
  • The safety significance of a system is determined by its potential effects on plant safety.

System Interconnectivity

  • System interconnectivity can introduce additional dependencies and CCF vulnerabilities.
  • Interconnectivity should be assessed using methods appropriate for the SSC of most safety significance.
  • The reviewer should consider whether the application includes a clear description of the proposed DI&C system, including shared resources, interconnection with other systems, and modifications that could reduce independence, separation, diversity, or redundancy.

Acceptance Criteria for Safety-Significance Determinations

  • The three safety-significance determination categories are:
    • High safety significance: safety-related SSCs that perform safety-significant functions.
    • Lower safety significance: safety-related SSCs that do not perform safety-significant functions, and SSCs that are not safety related but perform safety-significant functions.
    • Lowest safety significance: SSCs that are not safety related and do not perform safety-significant functions.
  • The acceptance criteria for each category are outlined in the text.

Detailed Defense-in-Depth and Diversity Assessment

  • A D3 assessment is a systematic analysis of a proposed DI&C system for CCFs that can occur concurrently within a redundant design.
  • The assessment should consider the entire plant performance characteristics in response to CCF.
  • The reviewer should evaluate whether the D3 assessment addresses CCF vulnerabilities, including those that could result in spurious operations.

Spurious Operation as a Result of Common-Cause Failure

  • Spurious operations can occur due to CCFs and can have unacceptable consequences.
  • The evaluation of potential spurious operations is an important part of the overall D3 assessment.
  • Sources of spurious operations include latent design defects and CCFs due to shared resources or interconnection with other systems.

Interconnected Systems

  • Interconnected systems can reduce a plant's overall defense in depth.
  • The reviewer should focus on SSCs that are not safety related and interconnected with safety-related SSCs.
  • The level of interconnection between a safety system and other systems should be considered as a potential vulnerability to be addressed in the application.

Branch Technical Position 7-19

  • Guidance for evaluation of defense in depth and diversity to address common-cause failure due to latent design defects in digital instrumentation and control systems.

Review Responsibilities

  • Primary: Organization responsible for reviewing I&C equipment performance
  • Secondary: Organizations responsible for reviewing reactor and containment systems, human factors engineering, and risk assessments

Background

  • Common-cause failure (CCF) has been a concern of the U.S. Nuclear Regulatory Commission (NRC) and has been addressed as part of the licensing process throughout its history.
  • CCFs can occur due to latent design defects in active hardware components, software, or software-based logic.
  • DI&C systems may be vulnerable to CCFs due to latent design defects.

DI&C Systems

  • Offer significant operational and maintenance benefits for nuclear power plants
  • Consist of both hardware components and logic elements (e.g., software)
  • Hardware components in DI&C systems are susceptible to failures similar to those considered for analog systems
  • Software refers to software, firmware, and logic developed from software-based development systems

Common-Cause Failure (CCF)

  • Occurs when multiple (usually identical) systems fail due to a shared cause
  • Can have two distinct effects:
    • Loss of safety function or initiation of plant transient
    • Spurious operation or spurious actuation

Defense in Depth and Diversity (D3)

  • Traditionally, CCF vulnerabilities of DI&C systems have been addressed using the principles of D3
  • Operation of facility systems is modeled as a series of successive layers of defense
  • Design technique of independence is used to ensure that multiple echelons will not fail concurrently
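The two sections above (what a CCF is, and why D3 answers it with independence and diversity rather than more copies of the same channel) can be made concrete with the beta-factor CCF model that PRAs commonly apply to identical redundant channels. The following is an added example, not code or text from BTP 7-19 or the NRC; the unavailability q, the beta fraction and the diverse-layer unavailability are constructed numbers, and the assumption that the diverse echelon shares no common cause with the primary system is stated in the code.

```python
"""Added example (not from BTP 7-19 or the NRC): why redundancy alone does not
protect against a common-cause failure (CCF), and what independence plus
diversity buy. Model and numbers are constructed.

Beta-factor CCF model for identical redundant channels:
  - each channel has a total unavailability q on demand;
  - a fraction beta of q is a shared cause (e.g., one latent software defect
    loaded into every channel) that fails all channels together;
  - the rest, (1 - beta) * q, is an independent, random failure per channel.
"""
from math import comb


def independent_k_of_n_failure(q_ind: float, n: int, k: int) -> float:
    """Probability that a k-out-of-n voting arrangement fails when channels
    fail independently with probability q_ind each.

    The function is lost when n-k+1 or more channels fail (binomial tail)."""
    return sum(comb(n, j) * q_ind ** j * (1.0 - q_ind) ** (n - j)
               for j in range(n - k + 1, n + 1))


def identical_redundant_failure(q: float, beta: float, n: int, k: int) -> float:
    """Failure probability of k-out-of-n identical channels under the beta-factor
    model: the shared cause fails everything at once; otherwise the independent
    part must defeat the voting logic on its own."""
    q_ccf = beta * q
    q_ind = (1.0 - beta) * q
    return q_ccf + (1.0 - q_ccf) * independent_k_of_n_failure(q_ind, n, k)


def ccf_floor(q: float, beta: float) -> float:
    """No amount of identical redundancy gets below this: the shared cause does
    not care how many copies of the same channel exist."""
    return beta * q


def with_diverse_echelon(p_primary: float, q_diverse: float) -> float:
    """Add an independent, diverse layer (different technology or design, no
    shared latent defect, no shared resources).

    Assumption of this example: no common cause between the two layers, so
    their failure probabilities multiply instead of being floored by beta*q."""
    return p_primary * q_diverse


def compare(q: float = 1e-3, beta: float = 0.1, q_diverse: float = 1e-2) -> dict:
    """Constructed comparison of three ways of trying to reduce CCF risk."""
    two_of_four = identical_redundant_failure(q, beta, 4, 2)
    two_of_eight = identical_redundant_failure(q, beta, 8, 2)   # more identical copies
    diverse = with_diverse_echelon(two_of_four, q_diverse)      # one diverse, independent layer
    return {
        "2oo4 identical": two_of_four,
        "2oo8 identical": two_of_eight,
        "ccf floor (beta*q)": ccf_floor(q, beta),
        "2oo4 + diverse echelon": diverse,
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:24s} {value:.3e}")
```

With the constructed inputs, doubling the number of identical channels leaves the system failure probability pinned at beta*q (about 1e-4), while a diverse echelon that is only 1e-2 reliable on its own brings the combination down by two orders of magnitude. That is the whole argument for independence and diversity over redundancy when the failure of interest is a shared latent defect.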

Regulatory Basis

  • Regulations and standards may not apply to all applicants, depending on the plant-specific licensing basis and any proposed changes to the licensing basis associated with the DI&C system under evaluation.

Nuclear Regulatory Commission Guidance

  • The NRC reaffirmed that existing safety goals, performance expectations, and risk guidance are sufficient for new plants.

Regulatory Guides

  • RG 1.62: describes a method for manual initiation of protective actions
  • RG 1.152: provides guidance on measures to ensure communication independence and control of access for programmable digital devices
  • RG 1.174: describes an approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis
  • RG 1.200: describes one approach for determining whether a base probabilistic risk assessment is sufficient to provide confidence in the results

NUREG Reports

  • NUREG/CR-6303: summarizes several diversity and defense-in-depth (D3) analyses performed after 1990
  • NUREG/CR-7007: provides diversity strategies to mitigate common-cause failure vulnerabilities in a safety-related system
  • NUREG-2122: defines terms used in risk-informed activities related to commercial nuclear power plants

Branch Technical Position (BTP) 7-19

  • Provides guidance for the NRC staff review of D3 assessments to address common-cause failures in digital instrumentation and control systems
  • Intended for NRC staff review of applications, not for applicant guidance
  • Covers review of:
    • Appropriateness of applicant's chosen methods for performing a D3 assessment
    • Proposed design attributes to eliminate or mitigate common-cause failures
    • Applicant's use of diverse equipment to mitigate common-cause failures
    • Assessment of vulnerabilities to common-cause failures that can cause spurious operations

SRM-SECY-22-0076 Position

  • The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system
  • The applicant must analyze each postulated common-cause failure using either best-estimate methods or a risk-informed approach or both
  • The defense-in-depth and diversity assessment must demonstrate that a postulated common-cause failure can be reasonably prevented or mitigated or is not risk significant

Critical Safety Functions

  • Critical safety functions are the most important safety functions required to prevent a direct and immediate threat to public health and safety.
  • Examples of critical safety functions include reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity.

Displays and Controls for Critical Safety Functions

  • Displays and controls for manual actuation of critical safety functions should be independent and diverse from the proposed DI&C system.
  • These displays and controls do not need to be safety-grade or hardwired.

Safety Significance Determination

  • A safety-significant function is one whose degradation or loss could have a significant adverse effect on defense in depth, safety margin, or risk.
  • Examples of safety-significant functions include reactor trip and engineered safety features actuation.
  • The safety significance of a function should be determined based on its potential effects on plant safety.

Acceptance Criteria for Safety-Significance Determinations

  • High safety significance: SSCs that perform safety-significant functions, such as credited in the FSAR to perform design functions that contribute significantly to plant safety.
  • Lower safety significance: SSCs that do not perform safety-significant functions, but are safety-related; or SSCs that are not safety-related but perform safety-significant functions.
  • Lowest safety significance: SSCs that are not safety-related and do not perform safety-significant functions.

Defense-in-Depth and Diversity Assessment

  • A D3 assessment is necessary for all systems determined to be of high safety significance.
  • The assessment should evaluate the potential consequences of CCF vulnerabilities and demonstrate that failures cannot result in a failure to perform safety functions or adverse plant conditions that cannot be reasonably mitigated.

Common-Cause Failure

  • A common-cause failure (CCF) is a failure that affects multiple systems or components due to a shared fault or deficiency.
  • CCFs can occur concurrently within a redundant design, leading to the failure of multiple systems or components.
  • The reviewer should evaluate whether the D3 assessment considers the entire plant performance characteristics in response to CCF.

Spurious Operation

  • A spurious operation is an unintended actuation or operation of a system or component, which can lead to unacceptable consequences.
  • Spurious operations can result from CCFs or latent design defects.
  • The reviewer should evaluate the potential consequences of spurious operations and determine whether they are within the limiting plant design-basis consequences.
