ML092330085

Resolution of Public Comments Received on DG-1205 (RG 1.47, Rev. 1)

Issue date: 08/21/2009
From: NRC/RES/DE/RGDB
To: O'Donnell, Edward, RES/RGB
Shared package: ML092330060
References: DG-1205, RG-1.047, Rev 1

August 21, 2009

Resolution of Public Comments Received on Draft of Regulatory Guide DG-1205, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems

During the public comment period for Draft Regulatory Guide DG-1205, which ended on December 22, 2008, the NRC received comments from the Nuclear Energy Institute (NEI) and General Electric-Hitachi (GEH). The NRC staff has carefully reviewed the draft and addressed the comments as appropriate. The following is a summary of the comments and the staff's responses.

Nuclear Energy Institute (NEI) Comments (ML0900801031)

Comment 1 (Section B, Pages 4 and 5)

NEI comment:

This draft Regulatory Guide DG-1205 creates confusion in the safety classification of the Bypassed and Inoperable Status Indication (BISI) system. Page 4 of the guide states: "Clause 5.8.3.1 of IEEE Std. 603-1991 states that this display instrumentation need not be part of the safety systems. The indication system should be designed and installed in a manner that precludes the possibility of adverse effects on plant safety systems." However, the guide follows on page 5 with an extensive discussion on how conformance with criteria established for safety systems, such as single failure, independence, and qualification, would apply: "Therefore, if the bypassed and inoperable status indication is used for both safety and non-safety functions, then the indication system will require classification as part of safety systems."

IEEE Standard 603-1991 is a general standard for safety systems.

IEEE Standard 603-1991, Clause 5.6.3.1(1), states that equipment that is used for both safety and non-safety functions be classified as part of the safety systems. IEEE Standard 603-1991 defines a safety function as follows:

"Safety function. One of the processes or conditions (for example, emergency negative reactivity insertion, post-accident heat removal, emergency core cooling, post-accident radioactivity removal, and containment isolation) essential to maintain plant parameters within acceptable limits established for a design basis event.

NOTE: A safety function is achieved by the completion of all required protective actions by the reactor trip system or the engineered safety features concurrent with the completion of all required protective actions by the auxiliary supporting features, or both. (See Appendix A for an illustrative example.)"

A typical bypass or inoperable indication would not meet this definition of a safety function. Thus, it is considered that Clause 5.6.3.1(1) of IEEE Standard 603-1991 is not necessarily intended to apply to a bypass or inoperable indication, since such indications do not perform a safety function, and that such indications would normally not be considered part of the safety system with associated single failure requirements.

This interpretation is further supported on page 4 of the draft Regulatory Guide by referencing IEEE 603-1991, Clause 5.8.3.1, which specifically takes exception to the safety system bypass indication being classified as part of the safety system by stating: "This display instrumentation need not be part of the safety systems."

An additional concern for applying single failure criteria to bypass and inoperable status indication is highlighted when considering redundancy of safety system divisions. Safety systems address single failure criteria by the use of redundant divisions, any one of which can fail and not prevent the safety system from performing its safety function. Each division by itself cannot meet the single failure criteria.

The application of single failure criteria to the status indication of a single division appears to be inconsistent with the fact that the monitored division cannot meet the single failure criteria.

The bypassed and inoperable status indication is not required to perform any safety-related functions; however, additional consideration for classification of the indication as part of the safety system could be necessary if an automatic action or immediate operator action were necessitated based solely on activation or deactivation of the bypass indication.

Recommendation:

Recommend revision of the first paragraph on page 5 of draft Regulatory Guide DG-1205 to read:

"However, Clause 5.6.3.1(1) of IEEE Standard 603-1991 specifies that equipment that is used for both safety and nonsafety functions shall be classified as part of the safety systems. Although a status indication by definition would not be used to perform safety functions (as defined by IEEE Standard 603-1991) and it generally need not be classified as part of the safety systems, activation or deactivation of such an indication could be used as an alert to the operator of the need to perform immediate actions related to the safety system per administrative procedures. If operator action is based solely on the bypass indication, and this action is required to maintain the integrity of the safety systems, then the indication should be classified as part of the safety system and the following paragraphs addressing single failure, independence, and qualification would apply."

NRC staff resolution:

The staff partially agrees. To eliminate the confusion the draft Regulatory Guide may have caused, paragraph 5 will be revised to read:

Paragraph 5:

"Section 5.6.3.1(1) of IEEE Standard 603-1991 specifies, in part, that interconnected equipment that is used for both safety and nonsafety functions shall be classified as part of the safety systems. Equipment that is not classified as part of safety systems must not be credited for performing safety functions. Unless the indication system is designed in conformance with criteria established for safety systems, it should not be used to perform functions that are essential to safety, and administrative procedures should not require immediate operator action based solely on bypass indications. If an operator action is based solely on the bypass indications, and this action is required to maintain the integrity of the safety systems, then the status indication should be classified as part of the safety systems and the following paragraphs addressing single failure, independence, and qualification would apply."

Comment 2 (Section B, Page 5)

NEI comment:

This draft Regulatory Guide DG-1205 endorses IEEE Standard 603-1991 in place of IEEE Standard 279-1971. IEEE Standard 603-1991 provides less specific information regarding the bypass and inoperable status indication than IEEE Standard 279-1971; thus, this draft Regulatory Guide DG-1205 leaves plants committed to IEEE Standard 279-1971 in their licensing basis without proper guidance on future digital upgrades of the bypass and inoperable status indication design. Significant differences exist between these two IEEE Standards in terminology and design criteria:

Clause 4.13 of IEEE Standard 279-1971 requires in part that, if the protective action of some part of the protection system has been bypassed or deliberately rendered inoperable for any purpose, this fact shall be continuously indicated in the control room.

Clause 5.8.3 of IEEE Standard 603-1991 requires that, if the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

This proposed loss of guidance could be maintained by preserving guidance on the bypass and inoperable status indication for IEEE Standard 279-1971 based plants.

Recommendation:

Recommend additional revisions to page 5 of draft Regulatory Guide DG-1205 as follows:

First sentence of second paragraph on Page 5 - revise as shown:

"If bypass and inoperable status indication is used for a safety function, then the single-failure criterion of IEEE Standard 603-1991, Clause 5.1, would apply to the indication system."

First sentence of third paragraph on Page 5 - revise as shown:

"In addition to meeting the single-failure criterion, if bypass and inoperable status indication is used for a safety function, then maintaining independence between redundant portions of the safety system is essential to the effective utilization of the single-failure criterion."

First sentence of fourth paragraph on Page 5 - revise as shown:

"If bypass and inoperable status indication is used for a safety function, the equipment qualification criterion of IEEE Standard 603-1991, Clause 5.4, would apply to the indication system."

It is recommended that the draft Regulatory Guide preserve the existing guidance on the bypass and inoperable status indication and include a discussion of its regulatory position with regard to partial digital upgrade for IEEE Standard 279-1971 based plants.

NRC staff resolution:

The staff partially agrees with the comment. IEEE Std 603-1991 is more specific than IEEE Standard 279-1971. However, the staff will revise the recommended sentences as follows:

1st sentence of 2nd paragraph of page 5: "If bypass and inoperable status indication is part of the safety systems, then the single-failure criterion of IEEE Standard 603-1991, Section 5.1, would apply to the indication system."

1st sentence of 3rd paragraph of page 5: "In addition to meeting the single-failure criterion, if bypass and inoperable status indication is part of the safety systems, then maintaining independence between redundant portions of the safety system is essential to the effective utilization of the single-failure criterion."

1st sentence of 4th paragraph of page 5: "If bypass and inoperable status indication is part of the safety systems, the equipment qualification criterion of IEEE Standard 603-1991, Section 5.4, would apply to the indication system."

With regard to the comment on preserving the existing guidance from IEEE Std 279-1971, there is no regulatory position lost. The draft uses "safety system" in place of "protection system" for consistency with IEEE Std 603-1991. Existing Positions 3 and 4 were removed as they are now explicitly presented in IEEE 603-1991.

With regard to a discussion of partial digital upgrade for IEEE Standard 279-1971 based plants, the Discussion section of the draft includes the reference to IEEE Std 7-4.3.2-2003 as an acceptable method for addressing high functional reliability and design requirements for computers used in safety systems of nuclear power plants, including safety-related digital communications, independence, and integrity.

Comment 3 (Section C, Regulatory Position 6, Page 6)

NEI comment:

The draft Regulatory Guide DG-1205 Regulatory Position item 6 on page 6 states that "Bypass and inoperable status indicators should be designed and installed in a manner that precludes the possibility of adverse effects on plant safety systems. The indicator system should not be used to perform functions that are essential to safety, unless it is designed in conformance with criteria established for safety systems." Typically, the bypass and inoperable status indication system of the automatically actuated components is part of an integrated plant computer system. This computer system does not perform any functions that are essential to safety. It is an aid to the operator in the determination of the bypassed or inoperable status of protective systems. Operator actions are not expected based solely on the abnormal status indication.

NRC staff resolution:

The staff partially agrees. Bypass and inoperable status indicators should not be used to perform functions that are essential to safety unless they are designed in conformance with criteria established for safety systems, and Regulatory Position 6 emphasizes this provision.

General Electric-Hitachi (GEH) Comments (ML091100406)

Comment 1

GEH comment:

The draft guide states:

"Clause 5.8.3.3 of IEEE Std 603-1991 requires that, for indication of bypasses, 'the capability shall exist in the control room to manually activate this display indication.'"

GEH would like to clarify the intent of this requirement. GEH believes the intent is to provide for manual bypass of a system and the display of the bypass condition. It would be undesirable for the display to indicate a bypass condition if the bypass condition were not present in the system logic.

NRC staff resolution:

The staff disagrees. The intent of Section 5.8.3.3 of IEEE Std 603-1991 is to provide a capability in the control room to manually activate the bypassed indication, which is otherwise automatically actuated if the protective actions of some part of a safety system have been bypassed or rendered inoperative for any purpose other than operating bypass. This section does not include requirements for operation of bypass.

Comment 2

GEH comment:

The draft guide also states:

"Clause 5.16 of IEEE Std 338-1987 states that 'indication should be provided in the control room if a portion of the safety system is inoperable or bypassed.'"

GEH would like to clarify that the intent of this paragraph is to provide indication that the system is in an off-normal condition (either inoperable or bypassed), and that the continuously available indication does not need to differentiate between inoperable and bypassed.

Since the equipment will generally be in the normal condition, a requirement to display the inop and bypassed conditions separately provides an additional constraint on the HFE design process and may result in a less desirable configuration.

NRC staff resolution:

The staff disagrees. Clause 5.16 of IEEE Std 338-1987 is consistent with Clause 5.8.3 of IEEE Std 603-1991, which states that "If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room."

This is not a new requirement to meet IEEE Std 603-1991.