ML092330085

Resolution of Public Comments Received on DG-1205 (RG 1.47, Rev. 1)

Issue date: 08/21/2009
From: NRC/RES/DE/RGDB
To: O'Donnell, Edward, RES/RGB
Shared Package: ML092330060
References: DG-1205, RG-1.047, Rev 1

Resolution of Public Comments Received on Draft of Regulatory Guide DG-1205, Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems

During the public comment period for Draft Regulatory Guide DG-1205, which ended on December 22, 2008, the NRC received comments from the Nuclear Energy Institute (NEI) and General Electric-Hitachi (GEH). The NRC staff has carefully reviewed the draft and addressed the comments as appropriate. The following is a summary of the comments and the staff's responses.

Nuclear Energy Institute (NEI) Comments (ML0900801031)

Comment 1 (Section B of DG-1205, Pages 4 and 5)

Comment:

This draft Regulatory Guide DG-1205 creates confusion in the safety classification of the Bypassed and Inoperable Status Indication (BISI) system. Page 4 of the guide states: "Clause 5.8.3.1 of IEEE Std. 603-1991 states that this display instrumentation need not be part of the safety systems. The indication system should be designed and installed in a manner that precludes the possibility of adverse effects on plant safety systems." However, the guide follows on page 5 with an extensive discussion on conformance with criteria established for safety systems such as single failure, independence, and qualification would apply: "Therefore, if the bypassed and inoperable status indication is used for both safety and non-safety functions, then the indication system will require classification as part of safety systems."

IEEE Standard 603-1991 is a general standard for safety systems. IEEE Standard 603-1991, Clause 5.6.3.1(1), states that equipment that is used for both safety and non-safety functions be classified as part of the safety systems. IEEE Standard 603-1991 defines a safety function as follows:

"Safety function. One of the processes or conditions (for example, emergency negative reactivity insertion, post-accident heat removal, emergency core cooling, post accident radioactivity removal, and containment isolation) essential to maintain plant parameters within acceptable limits established for a design basis event.

NOTE: A safety function is achieved by the completion of all required protective actions by the reactor trip system or the engineered safety features concurrent with the completion of all required protective actions by the auxiliary supporting features, or both. (See Appendix A for an illustrative example.)"

A typical bypass or inoperable indication would not meet this definition of a safety function. Thus, it is considered that Clause 5.6.3.1(1) of IEEE Standard 603-1991 is not necessarily intended to apply to a bypass or inoperable indication since such indications do not perform a safety function, and that such indications would normally not be considered part of the safety system with associated single failure requirements.

This interpretation is further supported on page 4 of the draft Regulatory Guide by referencing IEEE 603-1991, Clause 5.8.3.1, which specifically takes exception to the safety system bypass indication being classified as part of the safety system by stating: "This display instrumentation need not be part of the safety systems."

An additional concern for applying single failure criteria to bypass and inoperable status indication is highlighted when considering redundancy of safety system divisions. Safety systems address single failure criteria by the use of redundant divisions, any one of which can fail and not prevent the safety system from performing its safety function. Each division by itself cannot meet the single failure criteria.

The application of single failure criteria to the status indication of a single division appears to be inconsistent with the fact that the monitored division cannot meet the single failure criteria.

The bypassed and inoperable status indication is not required to perform any safety related functions; however, additional consideration for classification of the indication as part of the safety system could be necessary if an automatic action or immediate operator action were necessitated based solely on activation or deactivation of the bypass indication.

Recommendation:

Recommend revision of the first paragraph on page 5 of draft Regulatory Guide DG-1205 to read:

"However, Clause 5.6.3.1(1) of IEEE Standard 603-1991 specifies that equipment that is used for both safety and nonsafety functions shall be classified as part of the safety systems. Although a status indication by definition would not be used to perform safety functions (as defined by IEEE Standard 603-1991) and it generally need not be classified as part of the safety systems, activation or deactivation of such an indication could be used as an alert to the operator of the need to perform immediate actions related to the safety system per administrative procedures. If operator action is based solely on the bypass indication, and this action is required to maintain the integrity of the safety systems, then the indication should be classified as part of the safety system and the following paragraphs addressing single failure, independence, and qualification would apply."

NRC Staff Resolution:

The staff partially agrees. To eliminate the confusion the draft Regulatory Guide may have caused, paragraph 5 will be revised to read:

Paragraph 5: "Section 5.6.3.1(1) of IEEE Standard 603-1991 specifies, in part, that interconnected equipment that is used for both safety and nonsafety functions shall be classified as part of the safety systems. Equipment that is not classified as part of safety systems must not be credited for performing safety functions. Unless the indication system is designed in conformance with criteria established for safety systems, it should not be used to perform functions that are essential to safety, and administrative procedures should not require immediate operator action based solely on bypass indications. If an operator action is based solely on the bypass indications, and this action is required to maintain the integrity of the safety systems, then the status indication should be classified as part of the safety systems and the following paragraphs addressing single failure, independence, and qualification would apply."

August 21, 2009, Page 1 of 5

Comment 2 (Section B of DG-1205, Page 5)

Comment:

This draft Regulatory Guide DG-1205 endorses the IEEE Standard 603-1991 in place of IEEE Standard 279-1971. The IEEE Standard 603-1991 provides less specific information regarding the bypass and inoperable status indication than IEEE Standard 279-1971; thus, this draft Regulatory Guide DG-1205 leaves plants committed to IEEE Standard 279-1971 in their licensing basis without proper guidance on future digital upgrades of the bypass and inoperable status indication design. Significant differences exist between these two IEEE Standards in terminology and design criteria:

  • Clause 4.13 of IEEE Standard 279-1971 requires in part that, if the protective action of some part of the protection system has been bypassed or deliberately rendered inoperable for any purpose, this fact shall be continuously indicated in the control room.

  • Clause 5.8.3 of IEEE Standard 603-1991 requires that, if the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

This proposed loss of guidance could be maintained by preserving guidance on the bypass and inoperable status indication for IEEE Standard 279-1971 based plants.

Recommendation:

Recommend additional revisions to page 5 of draft Regulatory Guide DG-1205 as follows:

First sentence of second paragraph on Page 5 - revise as shown: "If bypass and inoperable status indication is used for a safety function, then the single-failure criterion of IEEE Standard 603-1991, Clause 5.1, would apply to the indication system."

First sentence of third paragraph on Page 5 - revise as shown: "In addition to meeting the single-failure criterion, if bypass and inoperable status indication is used for a safety function, then maintaining independence between redundant portions of the safety system is essential to the effective utilization of the single-failure criterion."

First sentence of fourth paragraph on Page 5 - revise as shown: "If bypass and inoperable status indication is used for a safety function, the equipment qualification criterion of IEEE Standard 603-1991, Clause 5.4, would apply to the indication system."

It is recommended that the draft Regulatory Guide preserve the existing guidance on the bypass and inoperable status indication and include a discussion of its regulatory position with regard to partial digital upgrade for IEEE Standard 279-1971 based plants.

NRC Staff Resolution:

The staff partially agrees with the comment. IEEE Std 603-1991 is more specific than IEEE Standard 279-1971. However, the staff will revise the recommended sentences as follows:

1st sentence of 2nd paragraph of page 5: "If bypass and inoperable status indication is part of the safety systems, then the single-failure criterion of IEEE Standard 603-1991, Section 5.1, would apply to the indication system."

1st sentence of 3rd paragraph of page 5: "In addition to meeting the single-failure criterion, if bypass and inoperable status indication is part of the safety systems, then maintaining independence between redundant portions of the safety system is essential to the effective utilization of the single-failure criterion."

1st sentence of 4th paragraph of page 5: "If bypass and inoperable status indication is part of the safety systems, the equipment qualification criterion of IEEE Standard 603-1991, Section 5.4, would apply to the indication system."

With regard to the comment on preserving the existing guidance from IEEE Std 279-1971, there is no regulatory position lost. The draft uses "safety system" in place of "protection system" for consistency with IEEE Std 603-1991. Existing Positions 3 and 4 were removed as they are now explicitly presented in IEEE 603-1991.

With regard to a discussion of partial digital upgrade for IEEE Standard 279-1971 based plants, the Discussion section of the draft includes the reference to IEEE Std 7-4.3.2-2003 as an acceptable method for addressing high functional reliability and design requirements for computers used in safety systems of nuclear power plants, including safety-related digital communications, independence, and integrity.

Comment 3 (Section C of DG-1205, Regulatory Position 6, Page 6)

Comment:

The draft Regulatory Guide DG-1205 Regulatory Position item 6 on page 6 states that "Bypass and inoperable status indicators should be designed and installed in a manner that precludes the possibility of adverse effects on plant safety systems. The indicator system should not be used to perform functions that are essential to safety, unless it is designed in conformance with criteria established for safety systems." Typically, the bypass and inoperable status indication system of the automatically actuated components is part of an integrated plant computer system. This computer system does not perform any functions that are essential to safety. It is an aid to the operator in the determination of the bypassed or inoperable status of protective systems. Operator actions are not expected based solely on the abnormal status indication.

NRC Staff Resolution:

The staff partially agrees. Bypass and inoperable status indicators should not be used to perform functions that are essential to safety unless they are designed in conformance with criteria established for safety systems, and Regulatory Position 6 emphasizes this provision.


General Electric-Hitachi (GEH) Comments (ML091100406)

Comment 1

Comment:

The draft guide states: "Clause 5.8.3.3 of IEEE Std 603-1991 requires that, for indication of bypasses, 'the capability shall exist in the control room to manually activate this display indication.'"

GEH would like to clarify the intent of this requirement. GEH believes the intent is to provide for manual bypass of a system and the display of the bypass condition. It would be undesirable for the display to indicate a bypass condition, if the bypass condition were not present in the system logic.

NRC Staff Resolution:

The staff disagrees. The intent of Section 5.8.3.3 of IEEE Std 603-1991 is to provide a capability in the control room to manually activate the bypassed indication otherwise automatically actuated if the protective actions of some part of a safety system have been bypassed or rendered inoperative for any purpose other than operating bypass. This section does not include requirements for operation of bypass.

Comment 2

Comment:

The draft guide also states: "Clause 5.16 of IEEE Std 338-1987 states that 'indication should be provided in the control room if a portion of the safety system is inoperable or bypassed.'"

GEH would like to clarify that the intent of this paragraph is to provide indication that the system is in an off-normal condition (either inoperable or bypassed), and that the continuously available indication does not need to differentiate between inoperable and bypassed.

Since the equipment will generally be in the normal condition, a requirement to display the inop and bypassed conditions separately provides an additional constraint on the HFE design process and may result in a less desirable configuration.

NRC Staff Resolution:

The staff disagrees. Clause 5.16 of IEEE Std 338-1987 is consistent with Clause 5.8.3 of IEEE Std 603-1991, which states that "If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room." This is not a new requirement to meet IEEE Std 603-1991.
