US NRC Standard Review Plan PDF

Summary

This document is a standard review plan for evaluating the defense in depth and diversity of digital instrumentation and control systems (DI&C) in nuclear power plants. It provides guidance for evaluating the effects of common-cause failures (CCFs).

Full Transcript

NUREG-0800 U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN BRANCH TECHNICAL POSITION 7-19 GUIDANCE FOR EVALUATI...

NUREG-0800 U.S. NUCLEAR REGULATORY COMMISSION STANDARD REVIEW PLAN BRANCH TECHNICAL POSITION 7-19 GUIDANCE FOR EVALUATION OF DEFENSE IN DEPTH AND DIVERSITY TO ADDRESS COMMON-CAUSE FAILURE DUE TO LATENT DESIGN DEFECTS IN DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS REVIEW RESPONSIBILITIES Primary – Organization responsible for the review of instrumentation and controls (I&C) to ensure the I&C equipment performs the functions credited in the safety analysis Secondary – Organizations responsible for (1) the review of reactor and containment systems, (2) the review of human factors engineering (HFE), and (3) the review of risk assessments Revision 9 — May 2024 USNRC STANDARD REVIEW PLAN This Standard Review Plan (SRP), NUREG-0800, has been prepared to establish criteria that the U.S. Nuclear Regulatory Commission (NRC) staff responsible for the review of applications to construct and operate nuclear power plants intends to use in evaluating whether an applicant/licensee meets the NRC's regulations. The SRP is not a substitute for the NRC’s regulations, and compliance with it is not required. However, an applicant is required to identify differences between the design features, analytical techniques, and procedural measures proposed for its facility and the SRP acceptance criteria, and to evaluate how the proposed alternatives to the SRP acceptance criteria provide an acceptable method of complying with the NRC’s regulations. The SRP sections are numbered in accordance with corresponding sections in Regulatory Guide (RG) 1.70, “Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition).” Not all sections of RG 1.70 have a corresponding review plan section. The SRP sections applicable to a combined license application for a new light-water reactor are based on RG 1.206, “Combined License Applications for Nuclear Power Plants (LWR Edition).” These documents are made available to the public as part of the NRC's policy to inform the nuclear industry and the general public of regulatory procedures and policies. Individual sections of NUREG-0800 will be revised periodically, as appropriate, to accommodate comments and to reflect new information and experience. Comments may be submitted by email to [email protected]. Requests for single copies of SRP sections (which may be reproduced) should be made to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Reproduction and Distribution Services Section; by fax to (301) 415-2289; or by email to [email protected]. Electronic copies of this section are available through the NRC's public website at http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0800, or in the NRC's Agencywide Documents Access and Management System, at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML24005A077. The overall objective of this branch technical position (BTP) is to provide criteria for the NRC staff’s evaluation of the acceptability of the applicant’s assessment of the effects of digital I&C (DI&C) system common-cause failures (CCFs). The acceptance criteria provided in this BTP are not limited to performance characteristics of I&C systems but instead address plant performance in response to CCFs of DI&C systems. Therefore, the evaluation activities described in this BTP are not intended to be assigned exclusively to I&C technical review staff. For any given project, the activities should be coordinated and distributed among the various technical review disciplines so that the correct area of review and level of expertise are applied to the evaluation effort. For example, a reactor safety system engineer should perform the evaluation of a best-estimate analysis for each postulated accident (PA) or other event, while the I&C technical reviewer would be responsible for the determination of adequate independence in the design of a proposed diverse actuation system. A. BACKGROUND CCF has been a concern of the U.S. Nuclear Regulatory Commission (NRC) and has been addressed as part of the licensing process throughout its history (in part by defense in depth and diversity). For example, as noted in General Electric Topical Report NEDO-10189, “An Analysis of Functional Common-Mode Failure in General Electric Boiling Water Reactor Protection and Control Instrumentation,” in early 1969, concern for possible effects of common- mode-type failures on plant operation—particularly in regard to nuclear safety functions—led the Atomic Energy Commission (AEC) to request the various reactor manufacturers to systematically examine their plant designs in that respect. Furthermore, in 1971 (36 FR 3255), the AEC promulgated the final version of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, “Domestic Licensing of Production and Utilization Facilities,” Appendix A, “General Design Criteria for Nuclear Power Plants,” which now states the following: The development of these General Design Criteria is not yet complete. For example, some of the definitions need further amplification. Also, some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include:...(4) Consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of the protection systems and reactivity control systems [emphasis added]. All licensed facilities are considered to have sufficient design features to address CCFs associated with their specific designs and equipment. The use of different designs, equipment, or technology may result in the need for additional design features to address the specific vulnerabilities of the different designs, equipment, or technology. DI&C systems offer significant operational and maintenance benefits for nuclear power plants. DI&C systems consist of both hardware components and logic elements (e.g., software). Hardware components in DI&C systems are susceptible to failures similar to those considered for analog systems. In this guidance, the term “software” refers to software, firmware, and logic developed from software-based development systems (e.g., devices programmed with hardware description languages). BTP 7-19-2 Revision 9 — May 2024 DI&C systems may be vulnerable to CCFs due to latent design defects in active hardware components, software, or software-based logic.1 A CCF occurs when multiple (usually identical) systems fail due to a shared cause.2 Latent design defects in the design of a DI&C system can remain undetected despite traditional design-basis development, verification, validation, and testing processes. Certain events, unexpected external stresses, or plant conditions can trigger latent design defects within redundant portions of a system designed to perform safety functions and thus lead to a systematic failure of the redundant portions. CCFs can have two distinct effects: (1) they can cause a loss of the capability to perform a safety function or can initiate a plant transient, or (2) they can initiate the operation of a function without a valid demand or can cause an erroneous (i.e., spurious) system action. The latter is typically referred to as “spurious operation” or “spurious actuation.” CCFs with a loss of safety function are postulated concurrent with an anticipated operational occurrence (AOO), a PA, or normal operations, while spurious operations are postulated as an initiating event. In accordance with Commission direction in the staff requirements memorandum (SRM), dated July 21, 1993, on SECY-93-087, “Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs,” dated April 2, 1993, the NRC staff considers CCFs in DI&C systems to be beyond design-basis events.3 The likelihood of occurrence of these failures cannot be predicted through traditional design analysis methods, but their effects and consequences can be addressed through other methods, such as best-estimate methods. DI&C system modifications can interconnect design functions that were previously located in separate or dedicated equipment. These modifications could therefore introduce new failure mechanisms. Also, DI&C systems can share resources, such as communications, networks, controllers, power supplies, or multifunction display and control stations. The potential for 1 In this BTP, the term “CCF” always refers to CCF due to a latent design defect in active hardware components, software, or software-based logic. 2 CCFs due to latent design defects in DI&C structures, systems, and components (SSCs) are similar to but distinguishable from cascading failures due to single random failures. Single failures must be addressed by meeting the principal design criteria of the facility or the criteria described in 10 CFR 50.55a(h) (i.e., the safety design criteria in Institute of Electrical and Electronics Engineers (IEEE) Std 279-1971, “Criteria for Protection Systems for Nuclear Power Generating Stations,” or IEEE Std 603-1991, “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations”). Because such failures are likely to occur during the life of the plant, the plant’s design basis needs to include analysis of the possible effects (consequences) of such failures. 3 SRM-SECY-93-087 states, “The staff's position has been modified in essentially two respects: First, inasmuch as common mode failures are beyond design-basis events, the analysis of such events should be on a best-estimate basis…” [emphasis added]. The NRC Glossary defines “beyond design-basis accidents” as follows: This term is used as a technical way to discuss accident sequences that are possible but were not fully considered in the design process because they were judged to be too unlikely. (In that sense, they are considered beyond the scope of design-basis accidents that a nuclear facility must be designed and built to withstand.) As the regulatory process strives to be as thorough as possible, “beyond design-basis” accident sequences are analyzed to fully understand the capability of a design. The design basis of a facility generally addresses certain beyond design-basis events. For example, 10 CFR 50.34, “Contents of applications; technical information,” includes “(i) Mitigation of beyond-design-basis events….” BTP 7-19-3 Revision 9 — May 2024 interdependencies among DI&C systems make it more challenging to identify and evaluate potential consequences of a postulated CCF. Generally, except in a few structures, systems, and components (SSCs) with relatively simple designs, DI&C systems cannot be fully tested, nor can their failure mechanisms be completely known, because their complexity leads to too many potential failure mechanisms. Therefore, DI&C systems may be vulnerable to a CCF if any of the following are present in redundant divisions of the systems: (1) identical system requirements or designs, (2) identical copies of software or software-based logic, or (3) unidentified dependencies, unintended interactions, or emergent behavior, especially when the DI&C systems are interconnected or use shared resources. Traditionally, CCF vulnerabilities of DI&C systems have been addressed using the principles of defense in depth and diversity (D3). Under these principles, the operation of facility systems is modeled as a series of successive layers of defense (called “echelons of defense”), all of which would need to be defeated for a CCF to result in unacceptable harm to public health and safety. A CCF could affect multiple echelons of defense and redundant divisions, depending upon, for example, the system architecture, the extent of interconnections, and the types and use of shared resources. Generally, the design technique of independence (e.g., communication independence) is used to ensure that multiple echelons will not fail concurrently. An overall DI&C system architecture that maintains the integrity of multiple layers of defense is key to ensuring a system’s ability to limit, mitigate, withstand, or cope with the effects of a CCF. Traditional design techniques such as redundancy, independence (e.g., communication independence), and diversity provide the basic framework and structure for maintaining defense in depth. Other design features (or design techniques) can also contribute to overall defense in depth. Such features (or design techniques) include segmentation; predictable real-time (deterministic) processing; automated self-test provisions; and measures to control access to physical, electronic, and software-based elements that, if tampered with or corrupted, could cause adverse plant consequences. Over the years, the NRC staff has approved applications that use various design features to address CCF vulnerabilities in DI&C systems. Some of these use multiple design solutions within different parts of a single DI&C system. In reviewing these applications, the NRC staff has evaluated several solutions that successfully address CCF vulnerabilities. Consequently, the NRC staff recognizes that there may be no single solution that applies to all DI&C systems. 1. Regulatory Basis The regulations and standards listed below may not apply to all applicants. Their applicability depends on the plant-specific licensing basis and any proposed changes to the licensing basis associated with the DI&C system under evaluation. The Institute of Electrical and Electronics Engineers (IEEE) standards and design criteria listed are examples of plant-specific licensing-basis items.  IEEE Std 279-1968, “Proposed IEEE Criteria for Nuclear Power Plant Protection Systems;” IEEE Std 279-1971, “Criteria for Protection Systems for Nuclear Power Generating Stations;” and IEEE Std 603-1991, “IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations,” together with the correction sheet dated January 30, 1995, provide criteria applicable to protection and safety systems. BTP 7-19-4 Revision 9 — May 2024  General Design Criterion (GDC) 22, “Protection system independence,” of Appendix A to 10 CFR Part 50 states the following: The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.  GDC 24, “Separation of protection and control systems,” of Appendix A to 10 CFR Part 50 states in part that “interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.”  GDC 25, “Protection system requirements for reactivity control malfunctions,” of Appendix A to 10 CFR Part 50 states, “The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods.”  GDC 26, “Reactivity control system redundancy and capability,” of Appendix A to 10 CFR Part 50 states the following: Two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions. 2. Relevant Guidance The following documents provide useful guidance in the evaluation of possible CCFs affecting DI&C systems:  SECY-93-087, item II.Q, as clarified by SRM-SECY-93-087, item 18, describes the NRC position on defense against potential common-mode failures in DI&C systems.  SECY-18-0090, “Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Controls,” dated September 12, 2018, describes the NRC staff’s plan to clarify the guidance for evaluating and addressing potential CCFs of DI&C systems. BTP 7-19-5 Revision 9 — May 2024  SECY-22-0076, “Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems,” dated August 10, 2022, describes the NRC staff’s proposal to clarify, further risk-inform, and expand the NRC’s policy for evaluating and addressing potential CCFs of DI&C systems. Specifically, the staff requested that the Commission expand the current policy to allow the use of risk-informed approaches to demonstrate the appropriate level of defense in depth, including the option of not providing diverse automatic actuation of safety functions. The staff also requested that this expanded policy apply to all types of nuclear power plants.  The supplement to SECY-22-0076, dated January 23, 2023, clarifies the NRC staff’s proposal in SECY-22-0076.  In SRM-SECY-22-0076, dated May 25, 2023, the Commission approved the staff’s recommendation in SECY-22-0076, with edits, and provided directions to the staff. Specifically, the Commission directed that the proposed revision to the CCF policy (as amended by the SRM) be applied independent of the licensing pathway.  In SRM-SECY-10-0121, dated March 2, 2011, the Commission disapproved the staff’s recommendation to modify risk guidance for new reactors described in SECY-10-0121, “Modifying the Risk-Informed Regulatory Guidance for New Reactors,” dated September 14, 2010. The SRM reaffirmed that the existing safety goals, safety performance expectations, subsidiary risk goals and associated risk guidance (such as the Commission’s Policy Statement on the Regulation of Advanced Reactors (73 FR 60612; October 14, 2008) and Regulatory Guide (RG) 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis”), key principles, and quantitative metrics for implementing risk-informed decision-making are sufficient for new plants.  RG 1.62, “Manual Initiation of Protective Actions,” describes a method that the NRC staff considers acceptable for use in complying with the NRC’s regulations on the means for manual initiation of protective actions provided (1) by otherwise automatically initiated safety systems or (2) as a method diverse from automatic initiation.  Regulatory Issue Summary (RIS) 2002-22, Supplement 1, “Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems,” dated May 31, 2018, clarifies guidance for preparing and documenting qualitative assessments that can be used to evaluate the likelihood of failure of a proposed DI&C system or component modification.  RG 1.152, “Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants,” provides guidance on measures to ensure communication independence and control of access. For an application that describes cybersecurity design features intended to address cybersecurity vulnerabilities, the NRC staff’s review of these features is limited to ensuring that they do not adversely affect or degrade the safety-related system’s reliability or its capability to perform its safety functions. If licensees or applicants consider cybersecurity design features, they should include measures to ensure that safety-related I&C systems do not present an electronic path that could enable unauthorized access to the plant’s safety-related systems. (For BTP 7-19-6 Revision 9 — May 2024  example, the use of a hardware-based unidirectional device is one approach the NRC staff would consider acceptable for implementing such measures.)  RG 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,” describes an approach that is acceptable to the NRC staff for developing risk-informed applications for licensing-basis changes that consider engineering issues and apply risk insights.  RG 1.200, “Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities,” describes one approach acceptable to the NRC staff for determining whether a base probabilistic risk assessment (PRA), in total or in the portions that are used to support an application, is sufficient to provide confidence in the results, such that the PRA can be used in regulatory decision-making for light-water reactors.  NUREG/CR-6303, “Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems,” issued December 1994, summarizes several D3 analyses performed after 1990. It presents a method for analyzing proposed DI&C systems to identify vulnerabilities to common-mode failures and to confirm that the design incorporates adequate D3 strategies to address them. This analysis method postulates common-mode failures that could occur within digital reactor protection systems and determines what portions of a design need additional D3 measures to address such failures. This type of analysis is referred to as a D3 assessment in this document.  NUREG/CR-7007, “Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems,” issued February 2010, provides diversity strategies to mitigate CCF vulnerabilities in a safety-related system for which a D3 assessment has shown a need for greater diversity. NUREG/CR-7007 identifies and develops a baseline set of diversity criteria that may be appropriate for addressing potential vulnerabilities to CCFs. While this NUREG describes a method for quantitatively assessing the amount of diversity in a system, this method has not been benchmarked and should not be used as the sole basis for justifying adequate diversity.  NUREG-2122, “Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking,” issued November 2013, defines terms used in risk-informed activities related to commercial nuclear power plants. 3. Scope The guidance in this BTP is intended for the NRC staff review of D3 assessments to address CCF in DI&C systems.4 This BTP provides review guidance to the I&C technical review staff for evaluating whether an applicant’s proposed DI&C design complies with the functional goals established by (1) the applicable safety analysis, (2) principles of risk-informed decision-making, as applicable, (3) specific regulations, and (4) Commission policy. This BTP is intended to provide review guidance to the NRC staff for ensuring that an application meets the policy and applicable regulations—it is not intended as guidance to applicants for developing a D3 assessment. This BTP does not cover review criteria for single random failures and cascading failures from 4 SRM-SECY-22-0076 uses the term “digital I&C system.” BTP 7-19-7 Revision 9 — May 2024 single random failures in shared resources. The reviewer can find guidance for addressing single failures in systems credited to perform safety functions in RG 1.53, “Application of the Single-Failure Criterion to Safety Systems.” 4. Purpose This BTP provides the NRC staff with guidance for evaluating an applicant’s assessment of the adequacy of D3 for a proposed DI&C system. The applicant performs this D3 assessment to identify and address potential CCFs in a proposed DI&C system and to evaluate the effects of any unprevented CCFs on plant safety. This BTP also provides guidance for review of the following:  the appropriateness of an applicant’s chosen methods for performing a D3 assessment, including any categorization of proposed DI&C systems based on the safety significance of the functions they perform  proposed design attributes—such as the use of diverse equipment, testing, or alternative approaches in the design of a DI&C system—that may eliminate a potential CCF from further consideration5  an applicant’s use of diverse equipment (external to the DI&C system), including manual controls and displays, to mitigate a potential CCF, as well as other measures to ensure conformance with the NRC’s position on addressing CCFs in DI&C systems as specified in SRM-SECY-22-0076 This BTP also addresses review of the applicant’s assessment of vulnerabilities to a CCF that can cause a spurious operation. It provides the NRC staff with guidance for evaluating applicant analyses of a DI&C system’s ability to withstand or cope with CCFs resulting in spurious operations. B. BRANCH TECHNICAL POSITION 1. Introduction The overall objective of this BTP is to provide criteria for the NRC staff’s evaluation of the acceptability of the applicant’s D3 assessment of the effects of CCFs in DI&C systems. For this evaluation, the reviewer should confirm that the application includes the following:  a description of the overall defense-in-depth posture to protect the plant from the effects of CCFs if they were to occur  identification and documentation of vulnerabilities to CCF  a documented basis for any safety-significance determinations used in the application  a failure analysis for any SSCs excluded from a D3 assessment 5 Section B.3.1 of this BTP describes how a potential CCF can be eliminated from further consideration. BTP 7-19-8 Revision 9 — May 2024  a description of any D3 assessment, including the following: – an evaluation of vulnerabilities to a CCF, and any means (e.g., design features or design techniques) used to eliminate the potential CCF from further consideration – identification and evaluation for effectiveness of any design features, design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment – identification and evaluation for effectiveness of diverse measures credited by the applicant to mitigate potential consequences from CCF vulnerabilities – an assessment of the effects associated with residual CCF vulnerabilities that have not been either eliminated from further consideration or mitigated in some manner, and whether the assessment demonstrates that (1) the consequences of the residual CCF remain acceptable or (2) the residual CCF is not risk significant The reviewer should consider whether the applicant’s assessment has properly identified and addressed CCFs and whether the applicant has incorporated appropriate means to limit, mitigate, or withstand or cope with (i.e., accept the consequences of) possible CCFs and sources of CCF vulnerability that can result in spurious operations. Alternatively, if the application includes a risk-informed approach, the reviewer should consider whether the assessment demonstrates that the residual CCF is not risk significant. 1.1 Common-Cause Failure Position and Discussion The foundation of BTP 7-19 is the NRC position on D3 from SRM-SECY-22-0076, which is centered on the four points below: 1. The applicant must assess the defense in depth and diversity of the facility incorporating the proposed digital I&C system to demonstrate that vulnerabilities to digital CCFs have been adequately identified and addressed. The defense-in-depth and diversity assessment must be commensurate with the risk significance of the proposed digital I&C system. 2. In performing the defense-in-depth and diversity assessment, the applicant must analyze each postulated CCF using either best-estimate methods or a risk-informed approach or both. When using best-estimate methods, the applicant must demonstrate adequate defense in depth and diversity within the facility’s design for each event evaluated in the accident analysis section of the safety analysis report. When using a risk-informed approach, the applicant must include an evaluation of the approach against the Commission’s policy and BTP 7-19-9 Revision 9 — May 2024 guidance, including any applicable regulations, for risk-informed decision-making. The NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making (e.g., RG 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,” RG 1.233, “Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light-Water Reactors”). 3. The defense-in-depth and diversity assessment must demonstrate that a postulated CCF can be reasonably prevented or mitigated or is not risk significant. The applicant must demonstrate the adequacy of any design techniques, prevention measures, or mitigation measures, other than diversity, that are credited in the assessment. The level of technical justification demonstrating the adequacy of these techniques or measures, other than diversity, to address potential CCFs must be commensurate with the risk significance of each postulated CCF. A diverse means that performs either the same function or a different function is acceptable to address a postulated CCF, provided that the assessment includes a documented basis showing that the diverse means is unlikely to be subject to the same CCF. The diverse means may be performed by a system that is not safety-related if the system is of sufficient quality to reliably perform the necessary function under the associated event conditions. Either automatic or manual actuation within an acceptable timeframe is an acceptable means of diverse actuation. If a postulated CCF is risk significant and the assessment does not demonstrate the adequacy of other design techniques, prevention measures, or mitigation measures, then a diverse means must be provided. 4. Main control room displays and controls that are independent and diverse from the proposed digital I&C system (i.e., unlikely to be subject to the same CCF) must be provided for manual, system-level actuation of risk-informed critical safety functions and monitoring of parameters that support the safety functions. These main control room displays and controls may be used to address point 3, above. The applicant may alternatively propose a different approach to this point in the policy if the plant design has a commensurate level of safety. The logical structure of this BTP addresses the four points in SRM-SECY-22-0076, as shown in Figure 7-19-1. The following BTP sections apply to the evaluation of an application against the four points of SRM-SECY-22-0076:  Point 1—determining the need for a detailed D3 assessment: – section B.2.1 for making a safety-significance determination BTP 7-19-10 Revision 9 — May 2024 – section B.2.2 for using the safety significance to determine whether a detailed D3 assessment is necessary – section B.3.1 for determining whether a CCF can be eliminated from further consideration  section B.3.1.1 for the use of diversity within the DI&C system  section B.3.1.2 for the use of testing  section B.3.1.3 for the use of methods other than diversity and testing  section B.3.1.4 for the use of a qualitative assessment and failure analysis  Point 2—performing a detailed D3 assessment to address each CCF: – section B.3.2 for the use of best-estimate methods – section B.3.4 for the use of risk-informed approaches  section B.3.4.1 for determining consistency with NRC policy and guidance on risk-informed decision-making  section B.3.4.2 for modeling a CCF  Point 3—addressing, mitigating, or accepting the consequences of a CCF: – section B.3.2 for crediting diverse means to mitigate the impact of a CCF  section B.3.2.1 for crediting existing systems  section B.3.2.2 for crediting manual operator action  section B.3.2.3 for crediting a new diverse system – section B.3.3 for determining whether the consequences of a CCF may be acceptable – section B.3.4 for design techniques or mitigating measures other than diversity  section B.3.4.3 for determining the risk significance of the CCF  section B.3.4.4 for determining the appropriate means to address the CCF  Point 4—providing independent and diverse displays and manual controls: – section B.4 for manual system-level actuation and indication of critical safety functions to address Point 4 Figures 7-19-2, 7-19-3, 7-19-4, and 7-19-5 at the end of this document provide a visual aid to reviewers for reviewing an application against the four points. The guiding principles in SECY-18-0090 clarify that the D3 assessment described in Point 1 BTP 7-19-11 Revision 9 — May 2024 should be commensurate with the safety significance of the proposed DI&C system. As described in SRM-SECY-22-0076, Point 1 allows for consideration of the risk significance of the DI&C system and the CCF. Specifically, Point 1 calls for the D3 assessment to be commensurate with the risk significance of the proposed DI&C system. Point 2 uses the term best-estimate methods, which is generally understood to refer to methods that use realistic assumptions, that is, the initial plant conditions corresponding to the onset of the event being analyzed. Point 2 also includes acceptance criteria for best-estimate methods that are less conservative than the acceptance criteria defined in the updated final safety analysis report (FSAR) for the applicable limiting events within the design basis. Initial plant event conditions include, but are not limited to, the following:  power levels  temperatures  pressures  flows  alignment of equipment  availability of plant equipment not affected by the postulated CCF SECY-18-0090 clarifies that, in addition to the best-estimate methods using realistic assumptions identified in Point 2, the best-estimate D3 assessment can be performed using a design-basis analysis. The key distinction is that a design-basis analysis uses conservative assumptions. Reviewers should consider whether each event analyzed in the accident analysis is evaluated in the best-estimate D3 assessment independently. For example, if the initiating event is a loss of offsite power, the assessment does not need to assume another concurrent design-basis event (DBE). Point 3 refers to the risk significance of CCFs, whereas Point 1 refers to the risk significance of the proposed DI&C system. Section B.3.4 discusses these concepts. Point 3 calls for an applicant to demonstrate that a postulated CCF will be reasonably prevented or mitigated or that the CCF is not risk significant. An applicant can do this by demonstrating the adequacy of the design techniques and prevention and mitigation measures credited in the D3 assessment. If the D3 assessment demonstrates that a CCF can be reasonably prevented or mitigated by other means (e.g., using other installed systems) or that the CCF is not risk significant, then a diverse means of performing the same or a different function may not be needed. When a diverse means is provided, Point 3 allows for the diverse means to be comprised of safety-related equipment or equipment that is not safety related, together with a documented basis that this equipment is of sufficient quality and is unlikely to be subject to the same CCF. The diverse means may already exist in the facility or may be installed in connection with the DI&C modification. For example, an anticipated transient without scram (ATWS) system may be credited as a diverse means of tripping the reactor, provided it is not vulnerable to the same CCF that could disable the safety function. The displays and controls credited for Point 4 provide for effective manual control of critical safety functions. The same assessment performed to address the first three points may identify whether the main control room (MCR) displays and controls for manual actuation of critical safety functions are independent and diverse from the proposed DI&C system. If so, these displays and controls may be used to credit manual operator actions in Point 3 (see BTP 7-19-12 Revision 9 — May 2024 section B.3.2.2). These independent and diverse displays and manual controls do not have to be safety grade or hardwired. Alternatively, the applicant may propose a different approach to Point 4 of SRM-SECY-22-0076 if the plant design provides a commensurate level of safety (see section B.4). 1.2 Critical Safety Functions Critical safety functions are those most important safety functions to be accomplished or maintained to prevent a direct and immediate threat to public health and safety.6 The critical safety functions listed in SECY-22-0076 (i.e., reactivity control, core heat removal, reactor coolant inventory, containment isolation, and containment integrity) are examples representative of operating light-water reactors. Other types of reactors may have different critical safety functions. The identification of these critical safety functions is a plant-specific activity performed by applicants that is based on the reactor design safety analysis and may be risk-informed. Risk-informed approaches may be used to identify the most important safety functions to be accomplished or maintained to prevent a direct and immediate threat to public health and safety. Section 4 of this BTP provides acceptance criteria for the implementation of diverse and independent displays and manual controls for actuation of critical safety functions. 2. Safety Significance and Effects of Failure Principle 3 of SECY-18-0090 explains that the D3 assessment “may not be necessary for some low-safety-significance l&C systems whose failure would not adversely affect a safety function or place a plant in a condition that cannot be reasonably mitigated.” Point 1 of SRM-SECY-22-0076 states that the D3 assessment must be commensurate with the risk significance of the DI&C system, as described further below. Furthermore, Point 3 of SRM-SECY-22-0076 states that the level of technical justification demonstrating the adequacy of design techniques, prevention measures, or mitigation measures, other than diversity, credited in the assessment to address potential CCFs must be commensurate with the risk significance of each postulated CCF. This section provides guidance for reviewing (1) the relative safety significance of the functions performed by an SSC and (2) an application that does not include a detailed D3 assessment for an SSC of lowest safety significance based on the potential effects of the SSC’s failure. 2.1 Safety-Significance Determination For the purposes of this BTP, a safety-significant function is one whose degradation or loss could have a significant adverse effect on defense in depth, safety margin, or risk. For example, because immediate responses are needed for certain adverse reactor conditions, the reactor trip system (RTS) and engineered safety features actuation system are generally deemed more critical than those systems that perform auxiliary safety functions not directly credited in the accident analysis. Consequently, a CCF assessment for an RTS should generally be more 6 The use of the term “critical safety functions” goes back to American National Standards Institute/American Nuclear Society-4.5-1980, “Criteria for Accident Monitoring Functions in Light-Water-Cooled Reactors,” and IEEE Std 497-1981, “IEEE Standard Criteria for Accident Monitoring Instrumentation for Nuclear Power Generating Stations.” The most important safety functions may not always be called “critical safety functions.” BTP 7-19-13 Revision 9 — May 2024 rigorous than, for example, a CCF assessment for a safety-related MCR heating, ventilation, and air conditioning (HVAC) chiller. While the HVAC chiller is a safety-related system, maintaining a certain temperature and humidity in the MCR to allow equipment and personnel to operate properly, a failure of this system is not as significant as an RTS failure, because personnel have operating procedures or diverse means to control MCR temperature and humidity and can shut down the plant for this purpose if necessary. Therefore, the reviewer should evaluate the applicant’s safety-significance determination for the SSC subject to the D3 assessment. The reviewer should consider whether the applicant used risk insights from site-specific PRAs, if available, to support its determination. The reviewer should confirm that the application documents the basis for the safety-significance determination, including any use of risk insights. The reviewer should also determine whether the use of risk insights is reasonable. System Interconnectivity System interconnectivity has the potential to introduce additional dependencies and CCF vulnerabilities. If there is interconnectivity, the system should be assessed using the methods appropriate for the SSC of most safety significance that is interconnected. The reviewer should consider whether the application includes a clear description of the proposed DI&C system that identifies (1) shared resources, (2) interconnection with other systems, and (3) whether a modification could reduce the redundancy, diversity, separation, or independence of systems described in the facility’s FSAR. Reductions in independence, separation, diversity, or redundancy can adversely affect a plant’s defense in depth. For data communication interconnectivity, the reviewer should verify that such interconnectivity does not adversely affect or degrade the safety-related system’s reliability or its capability to perform its safety functions. RG 1.152 provides, in part, guidance for data communication independence, control of access, and prioritization of control and protection systems sharing components. The reviewer should also determine whether the assessment of the most safety-significant SSCs considers the vulnerability to CCF resulting from system interconnectivity and the consequences of a CCF that could affect the proper operation of the interconnected systems. If the reactor trip or engineered safety feature initiation signal in such a system reaches the final actuation device only through the equipment that performs control functions, then the reviewer should determine whether all the SSCs in that pathway have been assigned to the SSC category of most safety significance. Acceptance Criteria for Safety-Significance Determinations The three safety-significance determination categories7 below should reasonably conform to the criteria below. If the applicant uses risk insights (e.g., from a site-specific PRA) to demonstrate that an SSC is less safety significant than these criteria would indicate, the NRC staff should review these on a case-by-case basis. The following acceptance criteria apply: a. High safety significance: safety-related SSCs that perform safety-significant functions SSCs in this category have one or more of the following characteristics:  They are credited in the FSAR to perform design functions that contribute 7 The safety-significance determination categories used in this BTP are consistent with SECY-18-0090. BTP 7-19-14 Revision 9 — May 2024 significantly to plant safety.  They are relied upon to initiate and complete control actions essential to maintaining plant parameters within acceptable limits established for a DBE or to maintaining the plant in a safe state after it has reached safe shutdown.  Their failure could directly lead to accident conditions that may have unacceptable consequences (e.g., exceeding dose guidelines) if no other automatic systems are available to provide the safety function or no preplanned manual operator actions have been validated to provide the safety function. b. Lower safety significance: safety-related SSCs that do not perform safety-significant functions, and SSCs that are not safety related that do perform safety-significant functions SSCs in this category have one or more of the following characteristics:  They provide an auxiliary or indirect function in the achievement or maintenance of a safety-related function.  They perform a design function that is not safety related but that contributes significantly to plant safety.  They are capable of directly changing the reactivity or power level of the reactor, and their failure could initiate an accident sequence or could adversely affect the integrity of a safety barrier (i.e., fuel cladding, reactor vessel, or containment).  They are credited in the FSAR for meeting diversity requirements. c. Lowest safety significance: SSCs that are not safety related that do not perform safety-significant functions SSCs in this category have one or more of the following characteristics:  They perform functions that are not considered significant contributors to plant safety.  They have no direct effect on the reactivity or power level of the reactor and do not affect the integrity of a safety barrier (i.e., fuel cladding, reactor vessel, or containment). 2.2 Using Safety Significance to Determine When a Detailed Defense-in-Depth and Diversity Assessment Is Necessary A detailed D3 assessment is necessary for all systems determined to be of high safety significance. As stated in SECY-18-0090, a D3 assessment demonstrates “that failures due to software or failures propagated through connectivity cannot result in a failure to perform safety functions or adverse plant conditions that cannot be reasonably mitigated.” Therefore, in accordance with Principle 3 in SECY-18-0090, a D3 assessment “may not be necessary for some low-safety-significance l&C systems” if the application demonstrates that the failure of the BTP 7-19-15 Revision 9 — May 2024 SSC “would not adversely affect a safety function or place a plant in a condition that cannot be reasonably mitigated.” Acceptance Criteria for Elimination of Further Consideration of Defense in Depth and Diversity If an SSC meets the following acceptance criteria, the reviewer should conclude that a detailed D3 assessment is not necessary because a failure analysis demonstrates that failure of the specified SSC cannot adversely affect a safety function or place the plant in a condition that cannot reasonably be mitigated: a. The SSC has the characteristics listed in item (c) of section B.2.1 above, or documented risk insights demonstrate that its level of safety significance is similar to that of SSCs with those characteristics. b. The SSC is not interconnected with a more safety-significant SSC. c. The application includes an analysis of a postulated failure of the SSC to perform its design functions and evaluates the effects of that failure, including potential spurious operations. d. The failure does not adversely affect a safety function or place the plant in a condition that cannot reasonably be mitigated. 3. Detailed Defense-in-Depth and Diversity Assessment A D3 assessment is a systematic analysis of a proposed DI&C system for CCFs that can occur concurrently within a redundant design, for example, within two or more independent divisions. These CCFs could cause the DI&C system to fail to perform its intended safety function or could lead to spurious operations. The reviewer should evaluate whether the D3 assessment considers the entire plant performance characteristics in response to CCF. CCFs for DI&C systems of both high and lower safety significance, and SSCs of lowest safety significance that need a detailed D3 assessment, should be evaluated and addressed by considering, as a minimum, the functional partitioning within the DI&C architecture, and whether the CCF could originate in shared resources or could adversely affect any interconnected portions of the DI&C system. Reviewers should determine whether the applicant’s D3 assessment is adequate to protect against CCFs that are either (1) identified through design analysis or (2) postulated as design defects that are not identifiable through design analysis. The reviewer should also consider whether the D3 assessment includes an analysis of the effects of CCFs to verify that these effects are bounded by the acceptance criteria defined in the FSAR or in the license amendment request (LAR) for the limiting events applicable to the proposed DI&C system. A D3 assessment should include the information necessary for the NRC staff to perform its review. When evaluating a D3 assessment, the reviewer should do the following:  Confirm that a D3 assessment was performed for the proposed system to determine whether CCF vulnerabilities have been adequately addressed.  Evaluate whether the D3 assessment indicates that CCF vulnerabilities have been BTP 7-19-16 Revision 9 — May 2024 adequately addressed.  Evaluate whether the D3 assessment indicates that CCF vulnerabilities that might result in spurious operations have been adequately addressed.  Confirm that the potential consequences of any residual CCF vulnerabilities not previously addressed have been evaluated and fall within the limiting plant design-basis consequences. General Approach The reviewer should consider whether the D3 assessment is adequate to identify and defend against CCF vulnerabilities. Acceptable methods for an applicant to use to address or defend against vulnerabilities include, but are not limited to, the following:  The applicant eliminated CCF vulnerabilities from further consideration through any of the methods below, either alone or in combination: – using diversity within the DI&C system (section B.3.1.1) – using testing (section B.3.1.2) – using alternative approaches (section B.3.1.3) – for SSCs of lower or lowest safety significance, using a qualitative assessment and failure analysis (section B.3.1.4)  The applicant mitigated consequences of CCF vulnerabilities using one or more of the measures in section B.3.2.  The applicant analyzed consequences of CCF vulnerabilities and found them to remain within the acceptance criteria defined in the FSAR or the LAR for the limiting events applicable to the proposed DI&C system (section B.3.3).  The applicant assessed the risk of CCF vulnerabilities using a risk-informed approach and applied design techniques, prevention measures, or mitigation measures commensurate with the risk significance of the postulated CCF (section B.3.4). If the applicant used multiple strategies to address CCF vulnerabilities in different portions of a system, then the reviewer should evaluate the applicant’s analysis of the CCF vulnerabilities in each portion and identify how each method was applied. For example, in one portion of the system, the applicant might eliminate a CCF from further consideration, while in another portion, the applicant might mitigate the CCF vulnerability using diverse I&C systems. Spurious Operation as a Result of Common-Cause Failure The evaluation of potential spurious operations is an important part of the overall D3 assessment for a proposed DI&C system, to ensure that spurious operations do not lead to events with unacceptable consequences. BTP 7-19-17 Revision 9 — May 2024 Although a spurious operation is not always anticipated, it can be detected, because this type of failure is normally self-announcing through instrumentation on the actuated system. However, in some circumstances, a spurious operation may not occur until a particular signal or set of signals is present. In these cases, rather than occurring immediately upon system startup, the spurious operation would occur only under certain plant conditions. Such a spurious operation is still self-announcing (by the actuated system), even if failure did not occur on initial test or startup. Because of the potential consequences of a spurious operation, a system’s failure to actuate might not be the most limiting failure. This is especially true in view of the time needed to identify and respond to conditions resulting from spurious operation in DI&C systems. In some cases, a failure to trip might be less limiting than a partial actuation. For example, a partial actuation of an emergency core cooling system (i.e., spurious operation of a single division), together with a false indication of a successful actuation, may take an operator longer to evaluate and correct than a total failure to send any actuation signal would. Therefore, the reviewer should consider the possibilities of both partial actuation and total failure to actuate, together with false indications, stemming from a CCF. Sources of Spurious Operation Spurious operations originating from CCFs due to latent design defects are considered beyond design-basis events and are within the scope of this BTP.8 As stated in the background section of this BTP, CCFs should be evaluated in a manner consistent with SRM-SECY-22-0076. Therefore, the reviewer may apply the methodologies described in this BTP when evaluating spurious operations resulting from CCFs. Spurious Operation and Interconnected Systems As stated in the background section of this BTP, the interconnection of design functions in a DI&C system makes it challenging to identify CCF vulnerabilities and evaluate their potential consequences. System interconnectivities, including shared resources, could reduce a plant’s overall defense in depth (e.g., by reducing independence). When evaluating interconnected systems, the reviewer should focus primarily on SSCs that are not safety related and that are interconnected with safety-related SSCs. This is because safety-related SSCs have particular regulatory requirements (e.g., for independence and quality) that separately address CCF vulnerabilities in interconnected systems. A secondary focus should be on interconnection of SSCs that can directly or indirectly affect reactivity. In some cases, a system may be susceptible to failures not analyzed in the design bases. The reviewer should consider whether a CCF of an interconnected DI&C system or platform (e.g., a single platform controlling multiple system functions) could result in a spurious operation that would have unacceptable consequences. The reviewer should also consider the level of interconnection between a safety system and other systems as a potential vulnerability to be addressed in the application.9 8 Spurious operations addressed “within the design basis” include spurious operations resulting from single failures (including cascading effects) or single malfunctions. Consistent with regulatory requirements such as those of GDC 25 or those incorporated by reference in 10 CFR 50.55a(h) (namely, IEEE Std 279-1971 or IEEE Std 603-1991), spurious operations resulting from single failures and single malfunctions are expected during the lifetime of the plant and are addressed as part of the design basis. 9 See IEEE Std 603-1991. BTP 7-19-18 Revision 9 — May 2024 The NRC Staff’s Evaluation of Spurious Operation The reviewer should consider whether the D3 assessment addresses spurious operation resulting from CCF along with loss of function resulting from CCF. One important distinction between these two events is that, unlike loss of function, spurious operation is considered an initiating event only, that is, without a concurrent DBE for the purposes of this assessment. 3.1 Means to Eliminate the Potential for Common-Cause Failures from Further Consideration In a D3 assessment, the following methods can be used to eliminate a potential CCF from further consideration: (1) demonstration of adequate diversity within the DI&C system, (2) testing, and (3) alternative approaches within the application. In addition, for SSCs with lower or lowest safety significance, a qualitative assessment and failure analysis showing that the likelihood of failure is sufficiently low can be used to eliminate a CCF from further consideration. The reviewer should determine whether the application demonstrates that the use of these methods, alone or in any combination, meets the criteria in this BTP to eliminate the potential CCF from further consideration. Even if the applicant does not eliminate all CCF vulnerabilities from further consideration using these methods, the reviewer should consider whether there is any portion of the SSC for which the applicant has sufficiently reduced the likelihood of a CCF so that further evaluation is unnecessary for that portion of the SSC. The following sections discuss each of the acceptable methods for eliminating the potential for CCFs from further consideration. 3.1.1 Use of Diversity within the Digital Instrumentation and Control System to Eliminate the Potential for Common-Cause Failures from Further Consideration Diversity within a DI&C system constitutes the use of different techniques, schemes, features, or additions to eliminate a CCF from further consideration. If diversity is used, then each portion of the system will have different potential latent design defects, so that a failure in one portion will not result in a failure in other portions. Diversity can be implemented in various ways, such as through the use of different technologies, algorithms, or logic; sensing devices; or actuation devices. However, diversity needs to be paired with independence from equipment performing the same function within the DI&C system; otherwise, the diverse means could be susceptible to the same CCF. The reviewer should determine whether the proposed system contains sufficient diversity to perform the safety function, including diversity within each safety division or among redundant safety divisions of a system. If so, then the potential CCF can be eliminated from further consideration. Acceptance Criteria for Use of Diversity within the Digital Instrumentation and Control System If the following acceptance criteria are met, the reviewer should conclude that the application provides adequate information on the use of diversity within the DI&C system to eliminate the potential CCF from further consideration: BTP 7-19-19 Revision 9 — May 2024 a. Each safety function to be achieved by the proposed design is shown to be independently achievable by each diverse portion in the DI&C system. Diversity between the different portions of the DI&C system is sufficient to account for potential spurious operation. b. The different portions of the DI&C system are sufficiently diverse to perform the safety function without relying on the performance of common components, and the SSCs and software of the different portions are not vulnerable to the same CCFs. c. The diverse portions of the DI&C system do not have common or shared resources, such as power supplies, memory, bus, or communications modules, whose failure could result in a failure to perform safety functions or in adverse plant conditions that cannot be reasonably mitigated. Also, the diverse portions of the DI&C system do not share engineering or maintenance tools whose failure could affect both or all portions. d. Each diverse portion used to perform the credited safety functions is shown to be reliable and available in the plant conditions during which the associated event needs to be prevented or mitigated. e. Periodic surveillance criteria are used to verify the continuing functionality of each diverse portion. 3.1.2 Use of Testing to Eliminate the Potential for Common-Cause Failures from Further Consideration CCF vulnerabilities in DI&C systems have two general causes: (1) errors introduced by the system hardware or software design, and (2) errors or defects introduced during the development of the software, hardware, or software-based logic. When designing a DI&C system, the applicant might use a robust (high-quality) development process, in conjunction with thorough system analysis (e.g., failure modes and effects analysis, system-theoretic process analysis), to correct many potential design errors in the requirements or specifications for both analog and digital equipment. Thorough testing can help to identify latent design defects in DI&C systems, provided the design is simple enough to allow such testing. Testing can be used to uncover latent design defects for correction in the design process and to demonstrate that any identified latent design defects have been corrected. The reviewer should determine whether testing of the proposed DI&C system shows that all latent design defects have been identified and corrected, so that the system will function as specified under the AOOs. If so, the CCF can be eliminated from further consideration. The applicant may use various testing methods, which the reviewer should consider on a case-by-case basis. In each case, the reviewer should consider whether the technical basis for these testing methods is acceptable. Acceptance Criteria for Use of Testing If the following acceptance criteria are met, the reviewer should conclude that the application provides sufficient information on the test results and testing methodology for the DI&C system to eliminate the potential CCF from further consideration: BTP 7-19-20 Revision 9 — May 2024 a. Testing covers the expected performance of the proposed DI&C system in each of its functional modes of operation and for all transitions between modes. For this purpose, testing should include the following:  every possible combination of inputs, including every possible sequence of inputs (if the system has unused inputs, and the system can force them to a defined safe state (e.g., during a system failure), then those inputs need not meet this criterion)  for systems with analog inputs, every combination of inputs over the entire operational range of the analog inputs, including defined over-range and under-range conditions  every possible executable logic path (includes nonsequential logic paths)  every functional state transition among all modes of operation  testing results that conform to preestablished test cases to monitor for correctness of all outputs for every case b. Testing for latent design defects was conducted on a DI&C system that accurately represents the system to be installed, guaranteeing that the DI&C system installed will perform the same functions as the system tested. c. Testing results account for potential spurious operations. 3.1.3 Use of Alternative Approaches Other than Diversity and Testing to Eliminate the Potential for Common-Cause Failures from Further Consideration Applicants may propose technical approaches to address CCF that this BTP does not describe (e.g., a watchdog timer not dependent on the DI&C system software that puts the actuators in the safe state may address certain CCF vulnerabilities). These approaches may consist of design techniques, prevention measures, or mitigation measures other than diversity. The reviewer should determine whether an application requesting the use of an approach not described in this BTP includes a sufficient supporting technical basis, conditions of use, and acceptance criteria for its implementation. The NRC staff can approve methods through guidance (e.g., endorsement of a standard) or a safety evaluation (e.g., precedent, topical report). Generally, the review of the implementation of a method previously approved by the NRC consists of (1) ensuring that the method is implemented in a manner consistent with the purpose and conditions of use for which it was approved, and (2) ensuring that adequate justification is provided for any deviations from the approved method. Therefore, this BTP does not provide additional guidance in this regard. If the application credits an approach not previously approved by the NRC, the reviewer should determine the acceptability of the proposed method in accordance with the acceptance criteria described below. Generally, the proposal of an approach other than diversity or testing should consist of (1) a BTP 7-19-21 Revision 9 — May 2024 description of its purpose and conditions of use, (2) a description of the method, (3) criteria for determining that the method will achieve its purpose, and (4) supporting information and reasoning demonstrating that the applicant’s implementation satisfies these criteria with appropriate means to address the CCF. Acceptance Criteria for Use of a Proposed Alternative Approach If an application proposes an alternative approach to eliminate a CCF from further consideration, the reviewer should conclude that the application provides sufficient information on the alternative approach if the application includes the following: a. the identification of the CCF vulnerabilities or causes that the proposed alternative approach addresses (if these CCF vulnerabilities or causes are identified using a hazard analysis technique, then the analysis should be demonstrated to be sufficiently correct and complete) b. a description (including supporting information and reasoning) of how the proposed alternative approach addresses the CCF vulnerabilities or causes and any potential spurious operations, including any conditions or limitations for the alternative approach c. a technical basis explaining how the alternative approach addresses the identified CCF vulnerabilities or causes and prevents or mitigates their effects, including an analysis of how the methods’ effectiveness will be demonstrated 3.1.4 Use of a Qualitative Assessment and Failure Analysis to Eliminate the Potential for Common-Cause Failures from Further Consideration RIS 2002-22, Supplement 1, describes a methodology, called “qualitative assessment,” to assess the likelihood of failure due to CCF in DI&C systems and components. RIS 2002-22, Supplement 1, identifies acceptance criteria to determine whether a DI&C system’s likelihood of failure due to CCF is low enough so that current licensing assumptions will continue to be met, because the likelihood of CCF is much lower than that of other kinds of failures considered in the FSAR. This level of likelihood of CCF is referred to as “sufficiently low,” and its definition compares the likelihood of failure of a proposed DI&C system to that of other failures documented in the FSAR. The qualitative assessment is a less technically rigorous type of D3 assessment, and, as such, is sufficient to eliminate CCF vulnerabilities from further consideration only for systems of lower or lowest safety significance. As described in RIS 2002-22, Supplement 1, the qualitative assessment is a technical basis for demonstrating that a proposed DI&C system will exhibit a low likelihood of failure (i.e., a low likelihood of CCF). The technical basis includes (1) three factors used to demonstrate that the proposed system will exhibit a low likelihood of failure, and (2) failure analyses (e.g., failure modes and effects analyses (FMEA), fault tree analyses (FTA)) to support the qualitative assessment. First, the reviewer should consider the factors used in the qualitative assessment to demonstrate that the DI&C system will exhibit a low likelihood of failure (i.e., a low likelihood of CCF). The reviewer should confirm that the likelihood of failure of the proposed DI&C system remains consistent with the assumptions in the licensing basis. A qualitative assessment should consider the following factors: BTP 7-19-22 Revision 9 — May 2024  the design attributes and features of the DI&C system  the quality of the design process for the DI&C system  any applicable operating experience for the DI&C system Second, the reviewer should consider any failure analyses used in the qualitative assessment, including information from engineering design work, such as FMEA and FTA. The reviewer should consider whether the failure analyses support the factors above and whether they demonstrate, for example, that identified potential CCFs exhibit a low likelihood of occurrence. Acceptance Criteria for Use of Qualitative Assessment If the following acceptance criteria are met, the reviewer should conclude that the application includes a qualitative assessment (consistent with the methodology described in RIS 2002-22, Supplement 1) that demonstrates, for SSCs of low safety significance, that the likelihood of CCF is sufficiently low: a. The proposed DI&C system has design attributes and features that reduce the likelihood of CCFs. b. The quality of the design process for the proposed DI&C system reduces the likelihood of CCFs, including CCFs potentially resulting in spurious operations. c. The applicable operating experience collectively supports the conclusion that the proposed DI&C system will operate with high reliability for the intended application. In some cases, operating experience can compensate for uncertainties in addressing criteria (a) and (b). d. The proposed DI&C system will not cause a failure or spurious operation that could invalidate the plant licensing basis (e.g., the maintenance of diverse systems for reactivity control). e. The application documents the hazard analysis that demonstrates how hazardous effects, including spurious operations, are bounded or taken into account. 3.2 Use of Diverse Means to Mitigate the Impact of a Common-Cause Failure This section addresses applications that credit a diverse means to mitigate the impact of a postulated CCF, either by accomplishing a function that is the same as, or is different from the safety function disabled by the CCF; or by mitigating spurious operations resulting from the CCF. An application that credits any of the diverse means described in sections B.3.2.1–B.3.2.3 of this BTP is considered to have acceptably addressed Point 3 of the NRC position on D3. These diverse means include existing systems, manual operator actions, and new diverse systems. 3.2.1 Crediting Existing Instrumentation and Control Systems An existing reliable I&C system can be used as a diverse means either to accomplish the same or a different function credited in the D3 assessment or to mitigate spurious operations resulting from CCF. The analysis in the LAR of the function performed by this existing I&C system should BTP 7-19-23 Revision 9 — May 2024 show that the consequences of the CCF meet the acceptance criteria defined in the FSAR or the LAR for the limiting events applicable to the proposed DI&C system. If an existing I&C system is credited, then the reviewer should verify that the applicant has performed an analysis demonstrating that the credited system and the proposed DI&C system are not both vulnerable to the same CCF. The reviewer should verify that the applicant has considered how the existing I&C system is credited in the facility’s licensing basis and described in the existing I&C system’s documentation (e.g., the FSAR, detailed design documents). Among other things, the reviewer should consider whether the applicant has appropriately accounted for any unique I&C system design attributes and requirements and for any potential interconnectivities, including resource sharing, with other systems. The reviewer should pay particular attention to whether there may be interconnectivities (including resource sharing) not accounted for in the LAR that could result in the existing I&C system being subject to the same CCF as the proposed DI&C system. The reviewer should verify that the application identifies all the features of the existing I&C system that are relevant to demonstrating diversity. In addition, if crediting an existing I&C system could affect the facility’s existing licensing basis, then the reviewer should verify that the LAR addresses how the existing I&C system functions would be credited and justified in a revised licensing basis. The credited existing I&C system may be a system that is not safety related, as long as it is of sufficient quality and can reliably perform the credited functions under the associated event conditions. If the applicant credits existing I&C systems that are not safety related that are in continuous use (e.g., the normal control systems for the reactor coolant system inventory or the steam generator level), these systems need not meet augmented quality standards. However, if the applicant credits existing I&C systems that are not safety related and that are not in continuous use (i.e., that are normally in standby mode), then the reviewer should verify that the applicant has demonstrated that the system will reliably perform its intended function. For example, the applicant may credit the plant ATWS system as a diverse means of achieving reactor shutdown, provided that the ATWS system is capable of responding to the same analyzed events as the proposed DI&C system. In this case, the reviewer should consider whether the D3 analysis demonstrates that the ATWS system (1) is not vulnerable to the same CCF as the equipment performing the reactor trip function within the proposed DI&C system, (2) is of sufficient quality and is capable of functioning under the event conditions expected, and (3) is responsive to the AOO or PA sequences. If prioritization is used, the reviewer should verify that signals to actuate components coming from the new use of the credited existing I&C system and other systems are adequately prioritized to maintain the overall defense-in-depth strategy and existing licensing basis. The reviewer should also verify that changes to an existing prioritization scheme due to the new use of the credited system are consistent with the existing licensing basis. If there are shared resources (e.g., priority modules), the reviewer should consider whether the credited existing I&C system has priority over the resources (e.g., operational control functions) in regard to its safety and protection functions, so that safety and protection functions are always carried out first. RG 1.152 provides guidance on prioritization of control and protection systems sharing components. (In some cases, certain components may have more than one safe state; the reviewer should consider whether the priority scheme describes all safe states.) BTP 7-19-24 Revision 9 — May 2024 Acceptance Criteria for Crediting Existing I&C Systems If the acceptance criteria below are met, the reviewer should conclude that the application includes a D3 assessment justifying the use of an existing I&C plant system as a diverse means. The existing I&C system may perform the same function as the one disabled by the postulated CCF, or it may perform a different function to compensate for or mitigate the loss of the disabled function. a. If the diverse I&C system uses equipment that is not safety related, the equipment is of sufficient quality to perform the necessary function(s) during the associated event conditions. b. Sufficient diversity exists between the diverse I&C system and the proposed DI&C system so that they are not subject to the same postulated CCF. c. The equipment to be credited has functional capabilities sufficient to maintain the plant within the acceptance criteria defined in the FSAR or the LAR for the limiting events applicable to the proposed DI&C system. d. The LAR maintains the existing I&C system’s licensing basis in view of the new credited use, or the LAR identifies and analyzes those parts of the existing I&C system’s licensing basis that are being updated as a result of the proposed change. e. If prioritization is used, the new use of the credited existing I&C system maintains the existing prioritization scheme. If the new use of the existing I&C system requires changes to the existing prioritization scheme, the changes are consistent with the plant’s licensing basis, and safety and protection functions have the highest priority when resources are shared. The commands to actuate components needed for safety and protection are always performed over other functions. 3.2.2 Crediting Manual Operator Action10 When addressing Point 3 of SRM-SECY-22-0076, the applicant may credit a manual operator action as a diverse means either to accomplish a function that is the same as, or is different from the function credited in the D3 assessment or to mitigate spurious operation. To be creditable, manual operator actions should be performed within a time frame adequate to effectively mitigate the event. In addition, a human factors evaluation process, such as the process outlined in NUREG-0800, “Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition” (SRP), Chapter 18, “Human Factors Engineering,” should show that the proposed manual operator actions are both feasible and reliable. The reviewer may use a risk-informed approach to determine the appropriate level of HFE review needed for proposed changes to existing credited manual actions or for proposed new manual operator actions. The reviewer should consider whether the equipment necessary to perform these actions, including the supporting indications and controls, is diverse from (i.e., unlikely to be subject to 10 IEEE Std 279-1968, IEEE Std 279-1971, and IEEE Std 603-1991 require that certain manual controls or means of manual initiation be of the same quality as the protection or safety systems; SRM-SECY-22-0076 does not eliminate these regulatory requirements. However, other means of manual control or initiation may not need to be of the same quality. BTP 7-19-25 Revision 9 — May 2024 the same CCF as) the equipment performing the same function within the DI&C system. For example, the point at which the credited manual controls are connected should be downstream of the equipment that can be adversely affected by a CCF. If the equipment used to perform the credited manual operator action is not safety related, then the applicant should demonstrate that the equipment is of adequate quality. If the applicant has proposed the use of equipment outside the MCR to perform the credited manual operator action, the reviewer should consider whether this equipment is vulnerable to the same CCF as the DI&C system and whether the applicant has demonstrated that the equipment will be reliable, available, and accessible under the postulated event conditions. The reviewer may use the HFE principles and criteria identified in SRP Chapter 18 to evaluate the applicant’s selection and design of the displays and controls. In addition, the reviewer may use the guidance in NUREG-1764, Revision 1, “Guidance for the Review of Changes to Human Actions,” issued September 2007, to perform a risk-informed evaluation of the application. In most cases, when displays and manual controls are credited as the diverse means for Point 3, they may also be credited for Point 4 for manual actuation of critical safety functions (see sections B.1.2 and B.4). Protective Actions Initiated Solely by Manual Actions For protective actions initiated solely by manual controls, the reviewer should consider appropriate HFE criteria and adequate equipment and controls. RG 1.62 provides guidance for evaluating the adequacy of equipment and controls used to manually initiate protective actions that are otherwise provided by automatically initiated safety systems. SRP Chapter 18 provides guidance for evaluating credited manual actions. Acceptance Criteria for Manual Actions If the following acceptance criteria are met, the reviewer should conclude that the proposed manual operator action is acceptable: a. The proposed manual operator action has been validated as both feasible and reliable, using an HFE process such as that specified in SRP Chapter 18. The application describes human performance requirements and relates them to the plant safety criteria. The application employs recognized human factors standards and design techniques to support the described human performance requirements. b. The SSCs used to support the manual operator action are diverse from (i.e., unlikely to be subject to the same CCF as) the equipment performing the same function within the DI&C system. c. The credited SSC is accessible to the operator during the associated event conditions, is capable of functioning under the expected conditions, and is of adequate quality. d. The indications and controls needed to support the manual operator action have the functional characteristics necessary to maintain the plant within the facility operating limits. BTP 7-19-26 Revision 9 — May 2024 3.2.3 Crediting a New Diverse Instrumentation and Control System The applicant may propose a new diverse system (e.g., a diverse actuation system) as a diverse means either of accomplishing a function that is the same as or is different from the function credited in the D3 assessment; or of mitigating spurious operation due to CCF. In this case, the reviewer should determine whether the application demonstrates that (1) the functions performed by this diverse means suffice to maintain plant conditions within specified acceptance criteria for the associated DBE, and (2) sufficient diversity exists between the new system and the proposed DI&C system so that they are not vulnerable to the same postulated CCF. The reviewer should determine whether the diverse means credited and the digital design of the proposed system are vulnerable to the same CCF. The new diverse I&C system may be a system that is not safety related if it is of sufficient quality to perform the necessary functions under the associated event conditions. The reviewer should consider whether the new diverse I&C system can function under the event conditions expected and whether it is of adequate quality. Prioritization If a new diverse I&C system is implemented, the reviewer should verify that the signals to actuate components coming from the different systems are appropriately prioritized to maintain the overall defense-in-depth strategy. If the proposed DI&C system and the new diverse I&C system share resources (e.g., priority modules), the reviewer should consider the priority in the use of shared resources in regard to its safety and protection functions, so that safety and protection functions are always carried out first. RG 1.152 provides guidance on prioritization of control and protection systems sharing components. (In some cases, certain components may have more than one safe state; the reviewer should consider whether the priority scheme describes all safe states.) Acceptance Criteria for Crediting a New Diverse Instrumentation and Control System If the following acceptance criteria are met, the reviewer should conclude that the use of a new diverse I&C system is acceptable: a. If the diverse I&C system uses equipment that is not safety related, the equipment is of sufficient quality to perform the necessary function(s) during the associated event conditions. b. Sufficient diversity exists between the diverse system and the proposed system so that they are not vulnerable to the same postulated CCF. c. The equipment credited has functional capabilities sufficient to maintain the plant within the acceptance criteria defined in the FSAR or the LAR for the limiting events applicable to the proposed DI&C system. d. Resources shared by the proposed DI&C system(s), other systems, and manual operator actions are controlled by prioritization of commands consistent with the guidance in RG 1.152. The basis for the prioritization should be documented. BTP 7-19-27 Revision 9 — May 2024 3.3 Consequences of a Digital Instrumentation and Control System Common-Cause Failure May Be Acceptable This section addresses applications that propose that the consequences of a residual identified CCF remain acceptable. For such applications, the reviewer should consider whether the applicant’s analysis demonstrates that, should the CCF occur, the facility will remain within the acceptance criteria defined in the FSAR or the LAR for the limiting events applicable to the proposed DI&C system. For each event considered in the accident analysis, the applicant may perform the D3 assessment using either best-estimate methods (i.e., using realistic assumptions to analyze the plant’s response to DBEs) or conservative methods (i.e., design-basis analysis). The reviewer should consider whether the D3 assessment shows that the consequences of potential CCFs of the proposed DI&C system are acceptable. Acceptance Criteria for Determination of Acceptable Consequences If the following acceptance criteria are met, the reviewer should conclude that the application shows that the consequences of potential CCFs of the proposed system are acceptable: a. For those postulated spurious operations that have not been fully mitigated or eliminated from further consideration, the consequences of the spurious operation are bounded by the acceptance criteria defined in the FSAR or the LAR. b. For each AOO in the design basis that occurs concurrently with the CCF, the plant response, calculated using realistic or conservative assumptions, does not result either in radiation release exceeding 10 percent of the applicable dose guideline values, or in a loss of integrity of the primary coolant pressure boundary. c. For each PA in the design basis that occurs concurrently with each single postulated CCF, the plant response, calculated using realistic or conservative assumptions, does not result in radiation release exceeding the applicable dose guideline values, in violation of the integrity of the primary coolant pressure boundary, or in violation of the integrity of the containment. 3.4 Risk-Informed Defense-in-Depth and Diversity Assessment A risk-informed approach to address a CCF generally consists of (1) analyzing the functional impact of the CCF, (2) determining the risk significance of the CCF, and (3) determining appropriate means to address the CCF commensurate with its risk significance. The risk significance of a CCF is distinct from the risk significance of the DI&C systems it may affect. Point 1 of SRM-SECY-22-0076 refers to the risk significance of the DI&C system. Under Point 1, the D3 assessment must be commensurate with the risk significance of the DI&C system. It is possible for a system to be risk significant because of the combined effects of system functions, hidden interdependencies, corresponding interactions, and emergent behaviors, even if each system function alone may not be risk significant. Therefore, when there is potential for such behaviors, correspondingly more comprehensive modeling and evaluation of the plant are needed. BTP 7-19-28 Revision 9 — May 2024 Point 3 of SRM-SECY-22-0076, however, refers to the risk significance of a CCF. Under Point 3, one option is for the D3 assessment to demonstrate that a postulated CCF is not risk significant. While the risk significance of a DI&C system is different from the risk significance of a CCF, the same causes may degrade different safety functions, thus increasing the risk significance of a CCF beyond the increase in risk from the loss of a single safety function. Risk significance and safety significance are different concepts. NUREG-2122 states the following: A principal focus of a PRA is to determine the risk significance of the various “features,” i.e., the systems, structures, and components (SSCs), human actions or the accident sequences involving those SSCs, of the facility being analyzed. Usually, an item is considered risk significant when the risk associated with it exceeds a predetermined limit for contributing to the risk associated with the facility. Since the overall risk of a nuclear facility can be calculated in terms of core damage frequency (CDF) (Level 1 PRA), or releases (Level 2 PRA), or health effects (Level 3 PRA), risk significance can also be determined as related to these various risk measures. NUREG-2122 also states that the term “risk significant” does not have the same meaning as the term “safety significant,” and safety significance is not evaluated in a PRA. This distinction between risk significance and safety significance is used, in part, to emphasize the need to consider safety margins when an application uses a risk-informed approach since the application should not overly rely on changes in CDF and large early release frequency (LERF) alone. Section B.3.4.4 describes how the risk significance of a CCF, as opposed to the safety significance of an SSC, is used in part to determine appropriate means to address the CCF. Because a risk-informed approach considers other factors to determine acceptability, the reviewer should verify that an application using a risk-informed approach demonstrates that sufficient safety margins exist so that DI&C and associated D3 systems remain capable of performing their safety functions. Section C.2.1.2 of RG 1.174 provides guidance on ensuring that designs possess sufficient safety margins. With sufficient safety margins, (1) the codes and standards or their alternatives approved for use by the NRC are met, and (2) safety analysis acceptance criteria in the licensing basis (e.g., FSAR, supporting analyses) are met or proposed revisions provide sufficient margin to account for uncertainty in the analysis and data. 3.4.1 Determining Consistency with NRC Policy and Guidance on Risk-Informed Decision-Making Point 2 of SRM-SECY-22-0076 states that applicants using a risk-informed approach must include an evaluation of the approach against the Commission’s policy and guidance, including any applicable regulations, for risk-informed decision-making. Point 2 also states that the NRC staff will review applications that use risk-informed approaches for consistency with established NRC policy and guidance on risk-informed decision-making, and Point 2 provides RG 1.174 as an example. BTP 7-19-29 Revision 9 — May 2024 RG 1.174 describes an approach that is acceptable to the NRC staff for developing risk-informed applications for a licensing-basis change. RG 1.174 references RG 1.200, which provides an approach for determining whether the base PRA (in total or in the portions that are used to support an application) is acceptable for use in regulatory decision-making. If an application uses a risk-informed approach to address a CCF, the reviewer should follow current NRC staff review guidance, as applicable, to confirm that the risk-informed approach is consistent with the Commission’s policy and guidance. The following examples provide NRC staff review guidance for applications that use a risk-informed approach for modeling DI&C systems in PRA models:  SRP Section 19.0, “Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors,” provides review guidance for the design-specific PRA for a design certification and plant-specific PRA for a combined license, respectively. SRP Section 19.0 also provides guidance for reviewing DI&C system risk assessments for new reactors.  SRP Section 19.1, “Determining the Technical Adequacy of Probabilistic Risk Assessment for Risk-Informed License Amendment Requests after Initial Fuel Load,” provides review guidance for assessing the technical adequacy of a baseline PRA used to support license amendments for operating reactors, as well as LARs submitted after initial fuel load for new reactors.  SRP Section 19.2, “Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance,” provides review guidance for PRAs used by licensees or applicants to support licensing applications.  Design Certification / Combined License (DC/COL)-ISG-028, “Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application,” issued November 2016, provides review guidance for assessing the technical adequacy of the PRA needed for either a design certification application under 10 CFR 52.47(a)(27) or a combined license application under 10 CFR 52.79(a)(46). Acceptance Criteria for Determining Consistency with NRC Policy and Guidance on Risk-Informed Decision-Ma

Use Quizgecko on...
Browser
Browser