ML092580016

Resolution of Public Comments Received on Draft Regulatory Guide DG-1190, Manual Initiation of Protective Actions.
Person / Time
Issue date: 06/17/2010
From: Office of Nuclear Regulatory Research
To: O'Donnell, Edward, RES/DE/RGB 251-7455
Shared Package: ML092530554
References: DG-1190, RG-1.62
Download: ML092580016 (44)


Text

Resolution of Public Comments Received on Draft Regulatory Guide DG-1190, Manual Initiation of Protective Actions

During the public comment period for Draft Regulatory Guide DG-1190, which ended on February 20, 2009, the NRC received comments from AREVA NP, Inc., General Electric-Hitachi (GEH), Nuclear Energy Institute (NEI), Data Systems and Solutions (DSS), South Texas Project (STP), Hurst Technologies, and Westinghouse. The NRC staff has carefully reviewed the draft and addressed the comments as appropriate. The following table summarizes the comments and the staff's response to them.

AREVA NP, Inc. Comments (ML0901401201)

Section of DG-1190 | Comment | Resolution

Section of DG-1190: Section B, 1st paragraph, page 3

Comment 1:

This paragraph portrays digital instrumentation and control (I&C) systems in a negative way only. For balance, the positive capabilities of digital I&C should be included. The following modifications are suggested:

Existing instrumentation and control (I&C) equipment in nuclear power plants is currently being replaced with computer-based digital I&C systems or advanced analog systems to increase reliability and plant safety. However, if designed or operated improperly, these technologies may pose new vulnerabilities for the nuclear power plant in a number of aspects compared to existing I&C systems.

Resolution:

The staff partially agrees. The affected paragraph will be revised to clarify the digital I&C failure vulnerabilities. However, it is not the NRC's role to promote a technology that is still evolving and facing challenges. The wording in this paragraph will be revised to read:

Existing instrumentation and control (I&C) equipment in nuclear power plants is being replaced with computer-based digital I&C systems or advanced analog systems. However, if designed, installed, operated, or maintained improperly, these technologies may pose new vulnerabilities for the nuclear power plant compared to existing I&C systems.

Section of DG-1190: Section B, 3rd paragraph, page 3

Comment 2:

This paragraph is confusing and does not provide any useful guidance. It is suggested that this entire paragraph be removed from the Draft Regulatory Guide (RG) for the following reasons:

  • The need for manual component-level control cannot be stated in a blanket manner. Instead, this need is dictated by the functional requirements and operating procedures for each plant design on a component-by-component basis.
  • This guidance expands manual control requirements in an unbounded manner. Is component-level control only suggested for those components that take part in a protective action, or does this suggestion extend beyond that? The language "each appropriate plant system component" is ambiguous.
  • It is not clear whether the staff expects these manual component-level controls to be part of the safety system. It is not clear if there is overlap between these component-level manual controls and those specified by item (3) in the previous paragraph.
  • It is not accurate to state that component-level controls are required to achieve completion of the safety function. For example, many components of the auxiliary supporting systems (e.g., heating, ventilation and air conditioning, diesel generators, and component cooling water) would not require manipulation, following actuation at the system level, to complete the safety function.
  • It is not clear how "high functional reliability of the protective system" constitutes a basis for requiring extensive manual component-level controls.

Resolution:

The staff partially agrees. Although some language in the draft Regulatory Guide (RG) may have caused confusion, there is no blanket or unbounded statement in the draft. The scope of the draft is confined within protective systems. The purpose of revising the RG is to update the reference to the most recent IEEE standard endorsed by NRC and to interpret existing regulations and guidance with respect to the use of manual initiation of protective actions in digital systems to reduce the licensing uncertainties in the light of aging analog I&C systems being replaced by digital systems. However, to eliminate confusion the staff agrees to delete the affected paragraph.

This response also applies to comments 4 and 8.

Section of DG-1190: Section B, 4th paragraph, page 3

Comment 3:

The provision of manual, system level control of protective actions is required by IEEE Std 603-1991 Clause 6.2. Clause 6.2 does not provide any requirements that manual controls be provided to cope with failures of the automatic protective actions. Therefore, the use of the term "backup" in describing the manual controls is not consistent with Clause 6.2.

The use of the term "backup" is more appropriate in describing the diverse I&C provided specifically to cope with postulated software common cause failure (CCF) of the automatic protective actions.

Diverse I&C is not the subject of IEEE Std 603-1991 Clause 6.2, and should not be the subject of RG 1.62.

The following modification is suggested:

"The protective actions can involve automatic controls with backup manual controls be initiated automatically, or, in certain cases, can be accomplished solely by manual controls. Protective actions selected to be controlled initiated solely by manually controls are subject to consideration of..."

Resolution:

The staff agrees. The affected paragraph will be revised as proposed.

Section of DG-1190: Section B, 6th paragraph, page 4

Comment 4:

This paragraph is confusing and does not provide any useful guidance. It is suggested that this entire paragraph be removed from the Draft RG for the following reasons:

  • The reference to IEEE Std 603-1991 Clause 5.6.3.1 seems inappropriate. When would system-level manual initiation of protective actions be used as a non-safety function?
  • It is not clear if the safety related classification is intended to apply to the system level manual functions, or the component level manual functions, or both.
  • This paragraph specifies that the manual controls and indications must contain safety related software (i.e., they are part of a digital safety system). However, Regulatory Position 4 states: "In the case of automated digital protection systems, the point at which the manual controls are connected to safety equipment should be downstream of the plant's digital I&C safety system outputs." How can the manual controls only be connected to safety equipment downstream of the digital I&C safety system outputs if the manual controls themselves are part of digital I&C safety systems?

A better discussion is proposed as follows:

IEEE Std 603-1991, Section 5.6.3.1, specifies that equipment "... that is used for both safety and nonsafety functions shall be classified as part of the safety systems..." Therefore equipment that is not classified as part of a safety system must not be credited for performing safety functions, if it is the only equipment that supports those safety functions. Nevertheless, non-safety multidivisional control and display stations may be used to perform functions needed to support plant safety, if there is also safety-related equipment available to perform the same plant safety function. The control and monitoring of functions credited with the protection of the plant in the plant safety analyses must be capable of being performed utilizing only safety-related resources. Non-safety multidivisional control and display stations may supplement the safety related control and display equipment that is credited in the plant safety analyses.

When using non-safety multidivisional control and display stations to perform safety-related actions, plant operators are expected to confirm that appropriate responses have been achieved for the actions taken.

If the operator observes or suspects that the non safety multidivisional control and display station is not responding as expected, or that the nonsafety indications may be inaccurate, or that the plant is not responding as expected, then the operator must utilize the safety-related controls and indications to perform the necessary actions and to assess plant conditions and responses.

Resolution:

The staff partially agrees. While some language in the draft may have caused confusion, the reference to Section 5.6.3.1 of IEEE Std 603-1991 is a necessary discussion. However, to eliminate the confusion the affected paragraph will be revised to read:

Section 5.6.3.1 of IEEE Std 603-1991 specifies that interconnected equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Therefore, equipment that is not classified as part of a safety system must not be credited for performing safety functions. Nevertheless, non-safety multidivisional control and display stations may be used to perform functions that support plant safety. The control and monitoring of functions credited with the protection of the plant in the plant safety analyses must be capable of being performed using only safety-related resources. Non-safety multidivisional control and display stations may supplement the safety-related control and display equipment that is credited in the plant safety analyses.

Also see response for comment 2 with regard to component-level manual control and response for comment 10 with regard to Position 4.

Section of DG-1190: Section B, 8th paragraph, page 4

Comment 5:

This paragraph states: "Credible common-mode failures should be compensated either by diversity or defense in depth." The use of the word "or" is incorrect. Diversity can not be separated from defense in depth in the context of coping with software CCF. Instead, diversity must be incorporated into the lines of defense.

The following modification is suggested:

"Credible common-mode failures should be compensated either by diversity and or defense in depth."

Resolution:

The staff agrees. The statement will be revised as proposed. However, in an effort to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions, the discussion on common-mode failures and diversity will be removed from the affected paragraph and will be included in the paragraph that addresses Point 4 of BTP 7-19.

Section of DG-1190: Section B, 11th paragraph, page 5

Comment 6:

This paragraph makes reference to NRC's Branch Technical Position (BTP) 7-19: "Guidance provided to NRC staff in BTP 7-19 asserts that manual controls for safety equipment should be connected downstream of the plant's digital I&C safety system outputs." This paragraph incorrectly interprets the guidance in BTP 7-19 to apply to all manual controls for safety equipment; it should be removed from this RG.

In many I&C designs, the manual controls used to address BTP 7-19 Point 4 are not the same as those used to address IEEE Std 603-1991 Clause 6.2 (i.e., diverse controls). Combining the two issues in this guidance is confusing and not useful. The purpose of RG 1.62 is to provide guidance on compliance with IEEE Std 603-1991 Clause 6.2, not BTP 7-19 Point 4.

Comment 11 also applies to this paragraph.

Resolution:

The staff partially agrees. Although some language in the draft RG may have caused confusion, combining manual controls used to address BTP 7-19 Point 4 and those used to address IEEE Std 603-1991 is not the intent of the draft.

The purpose of RG 1.62 is to provide guidance/acceptable methods for use in complying with the NRC regulations with respect to the means for manual initiation of protective actions. BTP 7-19 provides guidance for evaluating an applicant/licensee's diversity and defense-in-depth (D3) assessment and the design of manual controls and displays to ensure conformance with the NRC positions on D3 for I&C systems incorporating digital computer-based reactor trip systems (RTS) or engineered safety features actuation systems (ESFAS).

Both IEEE Std 603-1991 and BTP 7-19 address manual control for protective systems. Thus, (1) there is no conflict between the two, and (2) with more and more nuclear power plants participating in digitalization of I&C systems and with the potential for common-cause failure becoming important as the complexity of digital and advanced analog protection systems has increased, addressing BTP 7-19 with respect to diverse manual control for computer-based protective systems is appropriate and necessary. However, to eliminate the confusion, the draft will be revised to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions. The Discussion section will include the following:

This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. To meet these objectives, (1) manual initiation of protective actions provided by otherwise automatically initiated safety systems must meet requirements in IEEE Std 603-1991 in regard to manual initiation, as incorporated in 10CFR50.55a(h) and (2) manual initiation of protective actions provided as a diverse method for automatic initiation should meet guidance specified in Point 4 of BTP 7-19.

And the affected paragraph will be revised to read:

2. Meeting BTP 7-19 guidance:

The potential for common-cause failure has become increasingly important as the complexity of digital and advanced analog protection systems has increased. Credible common-cause failures should be addressed for D3 in the system design. Approaches to address D3 considerations for automatically initiated protective actions may include the use of diverse non-safety manual controls. IEEE Std 7-4.3.2-2003 provides guidance on using diversity to address common-cause failures in computer-based safety systems. In addition, NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, issued December 1994 (Ref. 19), describes a method for analyzing computer-based nuclear reactor protection systems to identify design vulnerabilities to common-cause failure. The fourth point of the Commission's diversity position listed in BTP 7-19 states in part, that independent and diverse displays and manual controls should be available in the main control room so that operators can initiate a system-level actuation of critical safety functions. These displays and controls may be safety or non-safety. Guidance provided to NRC staff in BTP 7-19 asserts that manual controls provided for compliance with Point 4 of NRC position on D3 should be connected downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment. The manual controls may be connected either to discrete hardwired components or to simple, dedicated, and diverse, software-based digital equipment that performs the coordinated actuation logic.

3. Meeting both IEEE Std 603-1991 requirements and BTP 7-19 guidance:

As an alternative to two different manual controls discussed above, applicants or licensees may also propose, as an optional acceptable method, a single safety-related means of manual initiation of protective actions that satisfies criteria of both IEEE Std 603-1991 and Point 4 of NRC position on D3.

This response also applies to comment 11.

Section of DG-1190: Section C, Regulatory Position 1, page 5

Comment 7:

Section C, Regulatory Position 1, page 5 - The phrase, "on a system-level basis for each division" is very confusing. IEEE Std 279-1971 uses "system-level" and IEEE Std 603-1991 uses "division level" and certainly the difference in terminology should be addressed. However, simply combining the two provides no clarity on what is meant by either concept.

The Discussion section of this Draft RG should define "system-level" and "division level" specifically in terms that relate directly to manual initiation of protective functions.

Resolution:

The staff agrees. The phrase "on a system-level basis for each division" will be revised to read: "on a division-level basis" to be consistent with IEEE Std 603-1991.

This response also applies to comment 8.

Section of DG-1190: Section C, Regulatory Position 1, page 5

Comment 8:

It is suggested that the following statement be removed, as it cannot be meaningfully applied:

"Individual means should also be provided for manual initiation of each plant system component required for... providing functional reliability for protective systems as set forth in GDC 13 and GDC 21."

The wording is ambiguous and no applicant will be able to provide a meaningful list of "components required for providing functional reliability for protective systems" short of all components.

This requirement is a significant expansion of the requirement in the existing RG 1.62. The unbounded scope of additional controls required in the main control room has significant negative aspects associated with the added system design and human factors complexity. These negative effects are not justified, since the added complexity has no clear and defined safety benefit.

The requirement should be modified to focus on safety-related component-level controls for required manual actions to provide safety functions for accident and transient mitigation and to achieve safe-shutdown (in accordance with BTP 5-4).

Comment 2 also applies to this Regulatory Position.

Resolution:

The staff agrees. Regulatory Position 1 will be revised to read:

Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a division-level basis, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

Also see response for comments 2 and 7.

Section of DG-1190: Section C, Regulatory Position 2, page 6

Comment 9:

The Regulatory Position contains the following statement: "Multiple initiations of safety systems (autosequencing) by distinct manual control manipulations are not precluded." It is not clear what type of functionality is being discussed in this sentence. The use of the term "autosequencing" is confusing. Is it different than "action-sequencing" as used in the previous sentence? The use of "multiple initiations" combined with "distinct manual control manipulations" is ambiguous.

The intent to allow a series of non-complex component-level actions in lieu of providing certain system-level manual controls should be clearly stated.

Resolution:

The staff agrees. The affected statement will be deleted as proposed.

This response also applies to comment 10.

Section of DG-1190: Section C, Regulatory Position 4, page 6

Comment 10:

The following statement from RG 1.62 was deleted from between the first two sentences on Regulatory Position 4:

"However, action-sequencing functions and interlocks (of position 2) associated with the final actuation devices and actuated equipment may be common if individual manual initiation at the component or channel level is provided in the control room."

This statement should be reinstated.

It should be noted that Regulatory Position 2 recognizes the existence (and need) for this additional control logic between the actuation system and the actuated devices.

"The Manual initiation of a protective action on a system-level basis for each division should perform all actions performed by automatic initiation such as starting auxiliary or supporting systems, sending signals to appropriate valve-actuating mechanisms to ensure correct valve position, and providing the required action-sequencing functions and interlocks."

In modern plants, this logic layer will be provided using software on safety function digital I&C processors. The net effect of the deletion of the noted sentence would be to preclude design using software logic for this functionality. Instead, new plant designs would be required to use conventional hardware equipment (e.g., relays and current-carrying wires) between the digital safety system and the final actuation device, with all related negative safety and reliability issues associated with this dated technology. This approach directly contradicts the "minimum of equipment" statement in Regulatory Position 4, unreasonably increases maintenance burden, decreases reliability of the protection functions, and therefore reduces plant safety.

Resolution:

The staff partially agrees. The original Regulatory Position 4 (Revision 0 of RG 1.62) included the following guidance for manual initiation of protective actions: "The amount of equipment common to both manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated equipment." This guidance provided a measure of diversity between the automatic and manual initiation in analog based systems. The affected statement excluded action-sequencing functions and interlocks from this guidance so that manual initiation would not be unnecessarily burdened with sequencing or interlock functions.

Since (1) IEEE Std 603-1991 does not require that equipment common to both manual and automatic initiation be minimized and (2) with diversity guidance for digital computer-based I&C systems (BTP 7-19) being addressed under new Position 7, Position 4 (subject to IEEE Std 603-1991 requirements) will be revised to delete "The amount of equipment common to both manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated equipment." Therefore, the affected statement (which served as an exception for the above statement) is no longer needed.

This response also applies to comments 9 and 11.

Section of DG-1190: Section C, Regulatory Position 4, page 6

Comment 11:

The following statement is a new requirement added to the Draft RG:

"In the case of automated digital protection systems, the point at which the manual controls are connected to safety equipment should be downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment."

This passage incorrectly extends guidance in BTP 7-19 to cover all manual controls for safety equipment and should be removed from this RG.

BTP 7-19 suggests that: "displays and manual controls provided for compliance with Point 4 of the NRC position on diversity and defense in depth (D3)..." should be connected downstream of the plant's digital I&C safety system outputs. BTP 7-19 is silent on manual controls that are not credited for compliance with Point 4.

Manual controls that exist to cope with software CCF of a digital safety system (those discussed in BTP 7-19) must be independent of the digital safety system, and therefore connected downstream of the digital safety system outputs. There is no requirement for manual controls (component-level or system-level) of safety equipment to be independent of the digital safety system if they are not credited to cope with failure of the digital safety system.

In many I&C designs, the manual controls used to address BTP 7-19 Point 4 are not the same as those used to address IEEE 603 Clause 6.2. Combining the two issues in this guidance is confusing and not useful. The purpose of RG 1.62 is to provide guidance on compliance with IEEE Std 603-1991 Clause 6.2, not BTP 7-19 Point 4. Therefore, it is suggested that this paragraph and the entire discussion section on D3 be removed from this RG.

This passage also invokes the "downstream of digital system" requirement on individual component controls as well as the system level controls. Implementing this guidance for all component level controls of safety equipment would result in extensive addition of hardware between the digital safety system and the final actuation device, which unreasonably increases maintenance burden, decreases reliability of the I&C systems and therefore reduces plant safety.

Resolution:

The staff partially agrees. The draft RG may have caused confusion by not distinguishing between guidance for manual controls that are subject to IEEE Std 603-1991 and diverse manual controls that are subject to BTP 7-19. However, as more and more nuclear power plants participate in digitalization of I&C systems and the complexity of digital and advanced analog protection systems has increased, the potential for software common-cause failure (CCF) has become increasingly important and needs to be addressed.

In an effort to eliminate the confusion, the draft will be revised to distinguish between IEEE Std 603-1991 requirements and the guidance of BTP 7-19 with respect to manual initiation of protective actions. The diversity guidance subject to BTP 7-19 will be removed from Position 4 and will be addressed under a new regulatory position (Position 7). Also, new Position 8 will provide applicant/licensees an optional method for a safety-related diverse manual control that meets both IEEE Std 603-1991 requirements and the guidance of BTP 7-19.

The opening statement of Section C will be revised to read:

Regulatory Positions 1, 2, 3, 4, 5, and 6 below provide an acceptable method for complying with IEEE Std 603-1991 in regard to manual initiation of protective actions. Position 7 is an acceptable method for diverse manual initiations of protective actions that satisfies Point 4 of BTP 7-19. Position 8 is an optional acceptable method for satisfying both IEEE Std 603-1991 requirements and Point 4 of BTP 7-19 guidance.

The new Position 7 will read:

In providing diverse manual initiation of protective actions, a set of independent and diverse displays and manual controls should be provided in main control room. These displays and controls may be safety or non-safety. The point at which the manual controls are connected to safety equipment should be downstream of the digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

The new Position 8 will read:

An optional acceptable method that satisfies both requirements of IEEE Std 603-1991 and guidance on Point 4 of NRC position on D3, a single safety-related manual initiation of protective actions that satisfies Positions 1, 2, 3, 4, 5, 6, and 7 above can be provided.

See response for comments 2 and 8 with regard to component-level manual control concern. Also see response for comments 6 and 10.

Section of DG-1190: Regulatory Analysis Section 3.2, page 8; Regulatory Analysis Section 4, page 8; Section D, page 6

Comment 12:

Regulatory Analysis Section 3.2, page 8 - The following statement is made about the cost impact of the changes proposed in the Draft RG:

Applicants would incur little or no cost and may, in fact, achieve cost savings.

Regulatory Analysis Section 4, page 8 - The following statement is made about the cost impact of the changes proposed in the Draft RG:

It could also lead to cost savings for the industry, especially with regard to applications for standard plant design certifications and combined licenses.

These statements are only true if the new requirements proposed in the Draft RG are not applied to the existing fleet or any certified design or any design currently submitted for design certification.

Section D of the Draft RG supports this perspective in the following statement:

The NRC does not intend or approve any imposition or backfit in connection with its issuance.

However, the third request for additional information issued against ANP-10281P, U.S. EPR Digital Protection System Topical Report, indicates that NRC is already applying these new requirements to design certification applications even though the guidance post-dates the guidance applicable for the U.S. EPR based on 10 CFR 52.47(a)(9). Significant design modifications would be required to bring these designs into alignment with this guidance. Significant cost would be incurred, both in the design and licensing areas. This new guidance would certainly not result in cost savings for AREVA NP.

Resolution:

The staff partially agrees. As stated in Section D of the draft RG the NRC does not intend or approve any imposition or backfit in connection with its issuance. Therefore, there is no cost impact for existing NPPs that do not involve digital upgrades. One of the benefits of revising the RG is that the new revision may result in cost saving for most (not all) applicants/licensees due to the reduction of licensing uncertainty with regard to digital upgrades.

Although some language in the draft may have caused confusion with regard to component-level manual control and diversity guidance (BTP 7-19), adding new requirements is not the intent of the draft. The draft will be revised to remove guidance associated with component-level manual controls and to distinguish the existing requirements of IEEE 603-1991 and the guidance of BTP 7-19 (see above responses). There is no significant cost incurred as the result of the revision of the RG since no new regulatory requirement/guidance is introduced in the revision.

The NRC, of course, has not issued a license for any plant based on the USEPR design, nor is the design currently certified. Therefore neither the backfit protection of the 10CFR52.63 apply to the USEPR. The staff might consider acknowledging that it could cost AREVA to conform to this revised RG.

General Electric-Hitachi (GEH) Comments (ML090650474)

Section of DG-1190: Section C, Regulatory Positions 4 & 5

Comment:

In general, GEH found the document to establish acceptable and useful guidance regarding certain aspects of control systems. However, there are certain areas where GEH suggests changes to the wording in order that the guidance does not preclude a vendor from designing a digital control system that minimizes the potential for some of the failure modes of concern. Specifically, GEH disagrees with the regulatory positions presented in paragraphs C.4 and C.5 of DG-1190, which conflate the requirements for manually initiated protective actions with those for diverse initiation of protective actions. Specifically, paragraph C.4 should be limited to the following requirement: "No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means." Paragraph C.5 should also be deleted as it places constraints on the design of the manual initiation systems and may have a negative impact on plant safety. The suggested wording and the basis for GEH's comments are provided below.

Recommended Modifications to Paragraphs C.4 and C.5

4. The amount of equipment common to manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated. No single failure within manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means. In case of automated digital protection systems, the point at which the manual controls are connected to safety equipment should be downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

5. Manual initiation of protective actions should depend on the operation of a minimum of equipment, consistent with Positions 1, 2, 3, and 4 above.

Basis for Comments

In order to conform with the guidance in paragraph C.2 of DG-1190, the position presented in paragraph C.4 would imply complete, parallel hardwiring from the Main Control Room to the safety equipment, bypassing the Digital I&C System (DCIS). This imposes an additional level of diversity beyond that required by regulation or previous regulatory guidance. In addition and importantly, such a design requirement could significantly increase costs without enhancing reactor safety, as well as introducing additional risk, as discussed further below.

Imposing limits on the degree of common equipment between automated and manual functions is not appropriate because the primary function of manual controls for protective actions is not to mitigate the effects of a failure in the automated controls; rather, manual controls provide additional capabilities to plant operators. The first sentence of paragraph C.4 may represent a design solution specific to one vendor, but it does not provide flexibility to those vendors using other DCIS concepts. That is, a DCIS with a design approach inconsistent with the regulatory position proposed in paragraph C.4 could provide equivalent protection. For example, a design that has a diversity of platforms to address the protective actions can provide a high degree of safety. The guidance should not be so specific as to preclude other design solutions that may use a different approach.

More specifically, the second sentence of paragraph C.4 would preclude the use of standard DCIS designs since it would recommend wiring around DCIS. The direct connection of some plant components to manual controls in the Main Control Room, bypassing the DCIS logic and interlocks, would not - in all cases - enhance plant safety because such a design may increase the probability of inadvertent actuation of components. In fact, such a design also may increase the potential for component damage by operating components without proper process interlocks. For example, manual controls that bypass the DCIS could allow the plant operator to manually start a pump with the pump's suction valve closed.

The last two sentences of C.4 should be deleted since they repeat and expand on the material in the second sentence for the reasons described above.

Finally, item C.5 should be deleted since the minimization of the equipment does not necessarily result in improved safety for the same reasons specified above. Alternately, if the intent of this paragraph is to address manual protective actions implemented specifically to address potential common mode failure of the primary controls for automated and manual protective actions, the paragraph could be modified to limit the scope of the position to a diverse manual approach (although GEH recommends deletion of regulatory position C.5).

In considering risk perspectives, probabilistic risk assessment (PRA) insights also support the conclusion that, without the above-suggested modifications, the proposed guidance in paragraphs C.4 and C.5 could result in designing a plant that is actually less safe. When the pros and cons of this design configuration are combined, the net effect could be a significant reduction in safety. For one plant design, the resulting increased probability of fire-induced shorting alone could significantly increase the Fire PRA core damage frequency, making it the dominant contributor to risk. Moreover, the risk of bypassing the logic and protection interlocks by improper operation of manual controls could result in an increased core damage frequency in all risk models (e.g., internal, fire, flood). These risk insights support the above-suggested changes to the proposed guidance in DG-1190.

Resolution:

The staff partially agrees. Although some language in the draft RG may have caused confusion, conflating the requirements for manual initiation of protective actions with those for diverse initiation of protective action is not the intent of the draft. However, with more and more nuclear power plants participating in digitalization of I&C systems and the potential for common-cause failure becoming increasingly important as the complexity of digital and advanced analog protection systems has increased, addressing diverse manual control for computer-based protective systems is appropriate and necessary. In an effort to eliminate the confusion, the draft will be revised to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions. The Discussion section will include the following:

This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. To meet these objectives, (1) manual initiation of protective actions provided by otherwise automatically initiated safety systems must meet requirements in IEEE Std 603-1991 in regard to manual initiation, as incorporated in 10 CFR 50.55a(h), and (2) manual initiation of protective actions provided as a diverse method for automatic initiation should meet guidance specified in Point 4 of BTP 7-19.

Guidance subject to diversity will be removed from Position 4 and will be addressed under new Position 7 as an effort to distinguish the difference between guidance for manual controls that are subject to IEEE Std 603-1991 and diverse manual controls that are subject to BTP 7-19.

Position 4 will be revised to read:

No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means.

The new Position 7 will read:

In providing diverse manual initiation of protective actions, a set of independent and diverse displays and manual controls should be provided in the main control room. These displays and controls may be safety or non-safety. The point at which the manual controls are connected to safety equipment should be downstream of the digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

The staff disagrees with the proposed deletion of Position 5. Section 6.2.1 of IEEE Std 603-1991 requires, in part, that the means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment. Position 5 neither imposes the limitation of the amount of equipment nor addresses common cause failure as the concern. Position 5 is consistent with IEEE Std 603-1991 and not a new regulatory position, and therefore will be retained.

Page 14 of 44

Nuclear Energy Institute (NEI) Comments (ML090650470)

Section of DG-1190: Section B, 3rd paragraph, page 3

Current text: "individual means should also be provided to implement manual initiation at the plant component level since manual initiation for each appropriate plant system component (e.g., start pump, open or close valve) is subsequently required to provide (1) the completion of the safety function and (2) high functional reliability for the protective system as set forth in GDC 13 and GDC 21 of Appendix A to 10 CFR Part 50."

Comment 1:

Component level manual control is a new requirement that goes beyond IEEE-279/603 and beyond the scope of this Regulatory Guide.

IEEE-279/603 requires only system level controls, not component level controls. It is for the initiation of each protective action, not for completion of the protective action. The title and scope of this Regulatory Guide also pertain only to manual initiation of the protective action, not completion of the protective action.

High functional reliability, as set forth in GDC 13 and 21, is achieved through safety functions that comply with the requirements of IEEE-279/603, including compliance to quality, qualification and single failure criteria. Manual controls are not required to achieve high reliability for safety functions.

Recommendation:

The requirement for component level manual control should be eliminated or revised. This paragraph should be replaced with the requirements found in Section 6.2 of IEEE Std 603.

Resolution: The staff agrees to remove the third paragraph of Section B from the draft.

Section of DG-1190: Section B, 4th paragraph, page 3

Current text: "Protective actions selected to be controlled manually are subject to consideration of (1) the time available to the operator to analyze and manually respond to an adverse condition, normally 30 minutes unless specifically justified"

Comment 2:

A 30 minute prerequisite for manual control is a new requirement that goes beyond IEEE-279/603. The determination of whether a protective action should be controlled manually or automatically is the result of the human factors engineering process. The function allocation process considers numerous factors including time available based on the safety analysis and time required based on numerous HFE factors such as available indications and alarms, task complexity, task frequency, other concurrent tasks and control room staffing.

Recommendation:

The 30 minute reference should be eliminated.

Resolution: The staff agrees to remove the 30-minute reference from the draft.

Section of DG-1190: Section B, 6th paragraph, page 4

Current text: "these manual controls and indications must consist of safety-related devices dedicated to specific safety divisions."

Comment 3:

Manual controls dedicated to a specific safety division is a new requirement that goes beyond IEEE-279/603. There is considerable industry precedence for system level manual initiation pushbuttons that actuate reactor trip and ESF functions for all divisions concurrently; these exist at both CE and Westinghouse plants. In addition, ISG-04 (Digital I&C Interim Staff Guidance on communications) allows multi-division safety related workstations. As long as the manual controls meet the single failure criteria (i.e., no single failure shall prevent credited manual control of the safety function), there is no reason to restrict controls to a single division. Compliance to the single failure criteria can be assured with redundant multi-division safety related pushbuttons or redundant multi-division safety related workstations, where each redundant device is independently powered, physically separated and electrically isolated from the other.

Recommendation:

Rewrite the text to comply with existing guidance.

Resolution:

The staff partially agrees. The draft RG updates the system level term used in IEEE Std 279-1971 to the division level term used in IEEE Std 603-1991. However, to eliminate the confusion, the 6th paragraph will be revised to read:

Section 5.6.3.1 of IEEE Std 603-1991 specifies that interconnected equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Therefore, equipment that is not classified as part of a safety system must not be credited for performing safety functions. Nevertheless, nonsafety multidivisional control and display stations may be used to perform functions that support plant safety. The control and monitoring of functions credited with the protection of the plant in the plant safety analyses must be capable of being performed using only safety-related resources. Nonsafety multidivisional control and display stations may supplement the safety-related control and display equipment that is credited in the plant's safety analyses.

This response also applies to comment 5.

Section of DG-1190: Section B, 11th paragraph, page 5

Current text: "This Regulatory Guide focuses on criteria for safety-related equipment or systems and does not address diverse manual-initiation equipment that is not classified as part of a safety system."

Comment 4:

It is more appropriate to state that this Regulatory Guide focuses on criteria for compliance with the credited manual control requirements defined in IEEE-279/603, rather than manual controls that are part of the safety system. This is because a supplier/licensee may elect to provide safety related controls for compliance with position 4 of BTP 7-19 or safety related controls for other functions not required by IEEE-279/603. If those controls are not credited for compliance with IEEE-279/603, it would not be appropriate to extend this regulatory guidance to those controls.

Recommendation:

Rewrite the text to appropriately limit the scope.

Resolution:

The staff partially agrees. The purpose of RG 1.62 is to provide guidance/acceptable methods for use in complying with the NRC regulations with respect to the means for manual initiation of protective actions. BTP 7-19 provides guidance for evaluating an applicant/licensee's diversity and defense-in-depth (D3) assessment and the design of manual controls and displays to ensure conformance with the NRC positions on D3 for I&C systems incorporating digital computer-based reactor trip systems (RTS) or engineered safety features actuation systems (ESFAS). Both IEEE Std 603-1991 and BTP 7-19 address manual control for protective systems. Thus, (1) there is no conflict between the two, and (2) with more and more nuclear power plants participating in digitalization of I&C systems and the potential for common-cause failure becoming important as the complexity of digital and advanced analog protection systems has increased, addressing diverse manual control for computer-based protective systems is necessary. However, to eliminate the confusion it may have caused, the draft will be revised to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions. The Discussion section will include the following:

This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. To meet these objectives, (1) manual initiation of protective actions provided by otherwise automatically initiated safety systems must meet requirements in IEEE Std 603-1991 in regard to manual initiation as incorporated in 10 CFR 50.55a(h), and (2) manual initiation of protective actions provided as a diverse method for automatic initiation should meet the guidance specified in Point 4 of BTP 7-19.

And the affected paragraph will be revised to read:

2. Meeting BTP 7-19 guidance:

The potential for common-cause failure has become increasingly important as the complexity of digital and advanced analog protection systems has increased. Credible common-cause failures should be addressed for D3 in the system design. Approaches to address D3 considerations for automatically initiated protective actions may include the use of diverse non-safety manual controls. IEEE Std 7-4.3.2-2003 provides guidance on using diversity to address common-cause failures in computer-based safety systems. In addition, NUREG/CR-6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," issued December 1994 (Ref. 19), describes a method for analyzing computer-based nuclear reactor protection systems to identify design vulnerabilities to common-cause failure. The fourth point of the Commission's diversity position listed in BTP 7-19 states, in part, that independent and diverse displays and manual controls should be available in the main control room so that operators can initiate a system-level actuation of critical safety functions. These displays and controls may be safety or non-safety. Guidance provided to NRC staff in BTP 7-19 asserts that manual controls provided for compliance with Point 4 of the NRC position on D3 should be connected downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment. The manual controls may be connected either to discrete hardwired components or to simple, dedicated, and diverse, software-based digital equipment that performs the coordinated actuation logic.

3. Meeting both IEEE Std 603-1991 requirements and BTP 7-19 guidance:

As an alternative to the two different manual controls discussed above, applicants or licensees may also propose, as an optional acceptable method, a single safety-related means of manual initiation of protective actions that satisfies the criteria of both IEEE Std 603-1991 and Point 4 of the NRC position on D3.

Section of DG-1190: Section B, 6th paragraph, page 4

Comment 5:

The paragraph should be expanded to reflect the context of the referenced section of IEEE Std 603.

Recommendation:

Reword the second sentence adding the following (additions are in italics) - Clause 5.6.3.1 of IEEE Std 603-1991 specifies that interconnected equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems up to isolation devices provided to effect the safety system boundary.

Resolution: See response for comment 3.

Section of DG-1190: Section C, Regulatory Position 1, page 5

Current text: "Individual means should also be provided for manual initiation of each plant system component"

Comment 6:

Component level manual control is a new requirement that goes beyond IEEE-279/603 and beyond the scope of this Regulatory Guide. IEEE-279/603 requires only system level controls, not component level controls. It is for the initiation of each protective action, not for completion of the protective action. The title and scope of this Regulatory Guide also pertain only to manual initiation of the protective action, not completion of the protective action.

Recommendation: This requirement should be deleted.

Resolution:

The staff agrees. The guidance associated with component-level controls will be removed. Position 1 will be revised to read:

Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a division-level basis, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

Section of DG-1190: Section C, Regulatory Position 4, page 6

Current text: "In the case of automated digital protection systems, the point at which the manual controls are connected to safety equipment should be downstream of the plant's digital I&C safety system outputs."

Comment 7:

This requirement is applicable to the diverse automated and manual controls credited for accident mitigation with a concurrent CCF in the digital safety systems, per BTP-19. The manual controls credited for compliance with IEEE-279/603 are not required to be downstream of the plant's digital safety system outputs, as long as a CCF of these manual controls is considered in the BTP-19 analysis. Position 5 is sufficient to ensure manual controls are implemented with sufficient simplicity.

Recommendation:

The last two sentences of Section C, Position 4 should be deleted.

Resolution:

The staff agrees. Position 4 of the draft RG may have caused confusion by not distinguishing between guidance for manual controls that are subject to IEEE Std 603-1991 and diverse manual controls that are subject to BTP 7-19. In an effort to eliminate the confusion, the diversity guidance will be removed from Position 4 and will be addressed in new Position 7. Also, to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19, the opening statement of Section C will be revised to read:

Regulatory Positions 1, 2, 3, 4, 5, and 6 below provide an acceptable method for complying with IEEE Std 603-1991 in regard to manual initiation of protective actions. Position 7 is an acceptable method for diverse manual initiations of protective actions that satisfies Point 4 of BTP 7-19. Position 8 is an optional acceptable method for satisfying both IEEE Std 603-1991 requirements and Point 4 of BTP 7-19 guidance.

Position 4 will be revised to read:

No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means.

The new Position 7 will read:

In providing diverse manual initiation of protective actions, a set of independent and diverse displays and manual controls should be provided in the main control room. These displays and controls may be safety or non-safety. The point at which the manual controls are connected to safety equipment should be downstream of the digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.


Data Systems and Solutions (DSS) Comments (ML090650473)

Section of DG-1190: Section B, 3rd paragraph, page 3

Comment 1:

IEEE 603, clause 6.2.3, states "Means shall be provided to implement manual actions necessary to maintain safe conditions after protective actions are completed as specified in 4.10." IEEE 603 does not require that each Class 1E component have individual component controls in the control room if they are not required to maintain the plant in a safe shutdown condition.

Resolution: The staff agrees. The 3rd paragraph will be removed from the draft RG.

Section of DG-1190: Section B, 2nd paragraph, page 3

Comment 2:

IEEE 603, clause 7.2 states "If manual control of any actuated component in the execute features is provided, the additional design features necessary to accomplish such manual control shall not defeat the requirements of 5.1 and 6.2." It does not state that the manual controls be subject to the single-failure criterion. The wording must be changed, for a Class 1E component is associated with a division or train, and the manual controls associated with that component will only be associated with the respective division or train and will not meet the single-failure criterion.

Resolution:

The staff agrees. The affected sentence will be revised to reflect the content of Section 7.2 of IEEE Std 603-1991. The revised sentence will read:

Section 7.2 requires, in part, that additional design features in the execute features necessary to accomplish manual control of an actuated component shall not defeat the requirements of the single-failure criterion.

Section of DG-1190: Section B, 1st paragraph, page 3

Comment 3:

A definition should be provided for the term "advanced analog systems." What types of platforms are encompassed by this term and what are the new vulnerabilities associated with their use?

Resolution:

The staff partially agrees. The affected statement presents a fact in which existing I&C equipment in NPPs has been replaced by digital or advanced analog equipment. Advanced analog technology is generally known as a wide range of integrated/semiconductor circuits. There is no need to define a well-known technology. However, to address the reason why digital I&C and advanced analog technologies are subject to new vulnerabilities, the affected paragraph will be revised to read:

Existing instrumentation and control (I&C) equipment in nuclear power plants is being replaced with computer-based digital I&C systems or advanced analog systems. However, if designed, installed, operated, or maintained improperly, these technologies may pose new vulnerabilities for the nuclear power plant, compared to existing I&C systems.


Section of DG-1190: Section B, 4th paragraph, page 3

Comment 4:

ANSI/ANS 58.8 has always been used as a guideline for allowable operator action times following an anticipated operational occurrence (AOO) or design basis event (DBE), i.e., 5 to 10 minutes for an AOO and 20 to 30 minutes for a DBE. Is this regulatory guide essentially stating that 30 minutes must be assumed for all operator action times in the future? Why is the standard revising the existing guidance that has been used for many years?

Resolution: The staff agrees to remove the 30-minute reference from the draft.

Section of DG-1190: Section B, 7th paragraph, page 4

Comment 5:

It would be better if the regulatory guide only referred to Regulatory Guide 1.97, and not to a specific revision. There are no operating plants licensed to revision 4, which endorses IEEE 497-2002. Most operating plants are licensed to Regulatory Guide 1.97, revision 3.

Resolution: The staff agrees to remove the specific version and issue date associated with referenced regulatory guides.

Section of DG-1190: Section B, 8th paragraph, page 4

Comment 6:

Why is this regulatory guide even addressing software common cause failure (CCF), since scenarios resulting from an initiating event concurrent with a postulated software CCF are beyond design basis events? The last four sentences of this paragraph should be removed, beginning with "IEEE Std 7-4.3.2-2003".

Resolution:

The staff partially agrees. As more and more nuclear power plants participate in digitalization of I&C systems and the complexity of digital and advanced analog protection systems has increased, the potential for software common-cause failure (CCF) has become increasingly important and needs to be addressed. However, to distinguish the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions, the discussion on CCF and diversity will be moved to the end of the Discussion section, where it addresses the need of Diversity and Defense-in-Depth (D3) for manual initiation of protective actions that is subject to BTP 7-19.

This response also applies to comment 7.

Section of DG-1190: Section B, 11th paragraph, page 5

Comment 7:

Again, this paragraph is discussing requirements following an initiating event concurrent with a postulated software CCF, which is beyond a design basis event. IEEE 603 is only applicable to AOOs and DBEs. This paragraph should be removed and addressed in a D3 document, e.g., DI&C-ISG-02.

Resolution:

The staff disagrees. As stated in the response for comment 6 above, it is important and necessary to address the need of D3 for manual initiation of protective actions that are not subject to IEEE Std 603-1991 requirements. The affected paragraph will be revised to address this need and also to clarify the scope of the draft, which covers IEEE Std 603-1991 requirements separately from the guidance of BTP 7-19 in regard to manual initiation of protective actions. The opening statement of the Discussion section includes the following:

This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. To meet these objectives, (1) manual initiation of protective actions provided by otherwise automatically initiated safety systems must meet requirements in IEEE Std 603-1991 in regard to manual initiation, as incorporated in 10 CFR 50.55a(h), and (2) manual initiation of protective actions provided as a diverse method for automatic initiation should meet the guidance specified in Point 4 of BTP 7-19.

And the affected paragraph will be revised to read:

2. Meeting BTP 7-19 guidance:

The potential for common-cause failure has become increasingly important as the complexity of digital and advanced analog protection systems has increased. Credible common-cause failures should be addressed for D3 in the system design. Approaches to address D3 considerations for automatically initiated protective actions may include the use of diverse non-safety manual controls. IEEE Std 7-4.3.2-2003 provides guidance on using diversity to address common-cause failures in computer-based safety systems. In addition, NUREG/CR-6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," issued December 1994 (Ref. 19), describes a method for analyzing computer-based nuclear reactor protection systems to identify design vulnerabilities to common-cause failure. The fourth point of the Commission's diversity position listed in BTP 7-19 states, in part, that independent and diverse displays and manual controls should be available in the main control room so that operators can initiate a system-level actuation of critical safety functions. These displays and controls may be safety or non-safety. Guidance provided to NRC staff in BTP 7-19 asserts that manual controls provided for compliance with Point 4 of the NRC position on D3 should be connected downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment. The manual controls may be connected either to discrete hardwired components or to simple, dedicated, and diverse, software-based digital equipment that performs the coordinated actuation logic.

3. Meeting both IEEE Std 603-1991 requirements and BTP 7-19 guidance:

As an alternative to the two different manual controls discussed above, applicants or licensees may also propose, as an optional acceptable method, a single safety-related means of manual initiation of protective actions that satisfies the criteria of both IEEE Std 603-1991 and Point 4 of the NRC position on D3.

Also see response for comment 6.

Section of DG-1190: Section C, Regulatory Position 1, page 5

Comment 8:

Refer to comment 2 above.

Resolution:

The staff agrees to remove the guidance associated with component level manual control. Regulatory Position 1 will be revised to read:

Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a division-level basis, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

Also see response for comment 1.

Section of DG-1190: Section C, Regulatory Position 3, page 6

Comment 9:

The first sentence should be modified to state the following: "The control interfaces for manual initiation of protective actions on a plant system component basis (required to maintain safe plant conditions) and on a system-level basis for each division should be located in the control room."

Resolution:

The staff agrees to remove guidance associated with the component level. Position 3 will be revised to read:

The control interfaces for manual initiation of protective actions on a division-level basis should be located in the control room. They should be easily accessible to the operator so that action can be taken in an expeditious manner at the point in time or under the plant conditions for which the protective actions of the safety system shall be initiated, as required in Section 4.10.1 of IEEE Std 603-1991. Information displays associated with manual controls should (i) be readily present during the time that manual actuation is necessary, (ii) be visible from the location of the manual controls, and (iii) provide unambiguous indications that will not confuse the operator.

Section of DG-1190: Section C, Regulatory Position 4, page 6
Comment 10: This paragraph essentially requires that the component manual controls not be implemented through a software path for a digital protection system implementation. In other words, the signal prioritization between automatic and manual command signals from the protection system must be performed in the priority module (as is implemented in the relay logic of most operating plants). This requirement increases the complexity of the priority module, which makes it more difficult to use FPGAs upon which to implement the logic (100% testability). I recommend that additional discussion be added to this paragraph discussing the conflicting requirements if the manual component controls are excluded from the protection system software and the increased complexity in the protection system priority logic.
Resolution: The staff partially agrees. Although Position 4 of the draft may have caused confusion by not distinguishing between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 with respect to manual initiation of protective actions, this position does not imply the stated concern. However, as an effort to eliminate the confusion, the diversity guidance will be removed from Position 4 and will be addressed in new Position 7. Also, to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19, the opening statement of Section C will be revised to read:

Regulatory Positions 1, 2, 3, 4, 5, and 6 below provide an acceptable method for complying with IEEE Std 603-1991 in regard to manual initiation of protective actions. Position 7 is an acceptable method for diverse manual initiations of protective actions that satisfies Point 4 of BTP 7-19. Position 8 is an optional acceptable method for satisfying both IEEE Std 603-1991 requirements and Point 4 of BTP 7-19 guidance.

Position 4 will be revised to read:

No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means.

The new Position 7 will read:

In providing diverse manual initiation of protective actions, a set of independent and diverse displays and manual controls should be provided in the main control room. These displays and controls may be safety or non-safety. The point at which the manual controls are connected to safety equipment should be downstream of the digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

Section of DG-1190: Section A, 4th paragraph, page 2
Comment 11: The author should note that IEEE 603 is written for Design Basis Events and not Beyond Design Basis Events, which later in this draft guide becomes a dominant issue (SWCMFs).
Resolution: See response for comments 6 and 7.

Section of DG-1190: Section A, 6th paragraph, page 2
Comment 12: In this area, IEEE 603 is referring to divisional level manual switches and not component level switches. Component control is only discussed if necessary for safe shutdown.
Resolution: See response for comment 1 with regard to component-level manual control.

Section of DG-1190: Section B, 10th paragraph, pages 4 & 5
Comment 13: Why is the draft RG referencing a computer-based Equipment Qualification RG? Most of this paragraph deals with computer-based qualification such as IEEE 7-4.3.2 and RG 1.209. These areas should be removed from the draft RG.
Resolution: The staff disagrees. Section 5.4 of IEEE 603-1991 requires that safety system equipment be environmentally qualified. Reference to regulatory guides and IEEE standards in regard to environmental qualification for Class 1E equipment is appropriate.

Section of DG-1190: Regulatory Analysis, Sections 1 & 2, pages 6 & 7
Comment 14: This draft RG has included more than the referencing of IEEE 603 and digital capabilities. It has included Beyond Design Basis Event guidance for manual initiation, actual guidance for allowed times (30 minutes), computer qualification criteria, and increased guidance for component controls.
Resolution: See response for comments 1, 4, 6, 7, 8, 10, and 13.

Section of DG-1190: Regulatory Analysis, Section 4, page 8
Comment 15: The NRC should identify where the cost savings will be for a plant to implement this draft RG.
Resolution: The staff partially agrees. As stated in Section D of the draft RG, the NRC does not intend or approve any imposition or backfit in connection with its issuance. Therefore, there is no cost impact for existing NPPs that do not involve digital upgrades. One of the benefits of revising the RG is that the new revision may result in cost saving for most (not all) applicants/licensees due to reduction of licensing uncertainty with regard to digital upgrades.

Although some language in the draft may have caused confusion with regard to component-level manual control and diversity guidance (BTP 7-19), adding new requirements is not the intent of the draft. The draft will be revised to remove guidance associated with component-level manual controls and to distinguish the existing requirements of IEEE 603-1991 and the guidance of BTP 7-19 (see above responses). There is no significant cost incurred as the result of the revision of the RG since no new regulatory requirement/guidance is introduced in the revision.


South Texas Project (STP) Comments (ML090650472)

Section of DG-1190: Section A, 6th paragraph, page 2
Comment 1: Clause 6.2 (.3) of IEEE 603 requires (in part) that means be provided to implement manual actions necessary to maintain safe conditions; these controls shall be located in areas that are accessible. It does not state specifically in the control room.
Resolution: The staff agrees. The affected sentence will be revised to read:

Section 6.2 of IEEE Std 603-1991 requires, in part, that means be provided in the control room to implement the manual actions necessary to maintain safe controls after the protective actions are completed.

Section of DG-1190: Section B, 1st paragraph, page 3
Comment 2: A definition should be provided for advanced analog controls and why they are subject to new vulnerabilities.
Resolution: The staff partially agrees. The affected statement presents a fact in which existing I&C equipment in NPPs has been replaced by digital or advanced analog equipment. Advanced analog technology is generally known as a wide range of integrated/semiconductor circuits. There is no need to define a well-known technology. However, to address the reason why digital I&C and advanced analog technologies are subject to new vulnerabilities, the affected paragraph will be revised to read:

Existing instrumentation and control (I&C) equipment in nuclear power plants is being replaced with computer-based digital I&C systems or advanced analog systems. However, if designed, installed, operated, or maintained improperly, these technologies may pose new vulnerabilities for the nuclear power plant compared to existing I&C systems.

Section of DG-1190: Section B, 2nd paragraph, page 3
Comment 3: Clause 7.2 actually states in part that manual control should not defeat the single failure criterion. Component controls are part of a division/train and as such are not required to separately or individually meet the SF criterion.
Resolution: The staff agrees. The affected sentence will be revised to reflect the content of IEEE Std 603-1991, Section 7.2. The revised sentence will read:

Section 7.2 requires, in part, that additional design features in the execute features necessary to accomplish manual control of the actuated component shall not defeat the requirements of the single-failure criterion.

Section of DG-1190: Section B, 3rd paragraph, page 3
Comment 4: Not all component controls are required for completion of the safety function, and the claim of increased reliability is questionable. IEEE 603 does not require this, nor did the previous RG 1.62.
Resolution: The staff agrees to remove the guidance associated with component-level manual control. As a result, the affected paragraph will be deleted.

This response also applies to comment 12.



Section of DG-1190: Section B, 4th paragraph, page 3
Comment 5: What is the reason for requiring a specific manual action time of 30 minutes? It is recognized that this is used for the D3 ISG and the reasoning was the unknowns associated with a SWCMF. The ANS standard is written differently, with two distinct times for AOOs and DBAs.
Resolution: The staff agrees to remove the 30-minute reference from the draft.

Section of DG-1190: Section B, 6th paragraph, page 4
Comment 6: The statement is made that manual controls and indications consist of safety-related devices with safety-related software. Why is the NRC requiring this (software) for manual controls and indications?
Resolution: The staff agrees. Also, to incorporate other public comments, the paragraph will be revised to read:

Section 5.6.3.1 of IEEE Std 603-1991 specifies that equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Therefore, equipment that is not classified as part of a safety system must not be credited for performing safety functions. Nevertheless, non-safety multidivisional control and display stations may be used to perform functions that support plant safety. The control and monitoring of functions credited with the protection of the plant in the plant safety analyses must be capable of being performed using only safety-related resources. Non-safety multidivisional control and display stations may supplement the safety-related control and display equipment that is credited in the plant safety analyses.

Section of DG-1190: Section B, 7th paragraph, page 4
Comment 7: The RG should not reference an RG with a particular revision. Most operating plants use Revision 3 of RG 1.97. IEEE 603 references an earlier version of IEEE 497. Operating plants are not licensed to the 2002 version.
Resolution: The staff agrees to remove the specific version or issue date associated with referenced regulatory guides.

Section of DG-1190: Section B, 8th paragraph, page 4
Comment 8: Why is this RG discussing beyond design basis events since IEEE 603 does not (1st comment)? The last four sentences of this paragraph should be removed.
Resolution: The staff partially agrees. Although the affected paragraph may have caused confusion by not distinguishing between requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions, addressing diversity (BTP 7-19) with respect to manual control for computer-based protective systems to reduce licensing uncertainties is appropriate and necessary.

The purpose of RG 1.62 is to provide guidance/acceptable methods for use in complying with the NRC regulations with respect to the means for manual initiation of protective actions.

BTP 7-19 provides guidance for evaluating an applicant/licensees diversity and defense-in-depth (D3) assessment and the design of manual controls and displays to ensure conformance with the NRC positions on D3 for I&C systems incorporating digital computer-based reactor trip systems (RTS) or engineered safety features actuation systems (ESFAS).

Both IEEE Std 603-1991 and BTP 7-19 address manual control for protective systems. Thus, (1) there is no conflict between the two and (2) as more nuclear power plants participate in digitalization of I&C systems and the potential for common-cause failure has become increasingly important as the complexity of digital and advanced analog protection systems has increased, addressing diversity for manual control is appropriate and necessary.

However, to eliminate the confusion it may have caused, the draft will be revised to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions. The diversity guidance will be removed from the affected paragraph and will be addressed at the end of the Discussion section.

This response also applies to comment 11.

Section of DG-1190: Section B, 9th paragraph, page 4
Comment 9: This comment is the same as above. The remainder of the paragraph starting with Regulatory Guide 1.152 should be deleted.
Resolution: The staff disagrees. Maintaining independence between redundant portions of the safety system is essential to the effective use of the single-failure criterion. Reference to the regulatory guide and IEEE standard with regard to independence guidance for safety-related equipment is appropriate.

Section of DG-1190: Section B, 10th paragraph, pages 4 & 5
Comment 10: Discussing computer qualification and harsh environment is questionable for this RG. The qualification effort should be restricted unless the manual components are part of a computer-based system, which is usually not the case for simplicity and automatic failure reasons.
Resolution: The staff disagrees. Section 5.4 of IEEE 603-1991 requires that safety system equipment be environmentally qualified. Reference to regulatory guides and IEEE standards in regard to environmental qualification for Class 1E equipment is appropriate.

Section of DG-1190: Section B, 11th paragraph, page 5
Comment 11: Same as comment 10. This entire paragraph should be deleted. It is already covered in BTP 7-19 and the ISG.
Resolution: The staff disagrees. As stated in the response for comment 8 above, addressing diversity (BTP 7-19) with respect to manual control for computer-based protective systems to reduce licensing uncertainties is appropriate and necessary. However, to eliminate the confusion it may have caused, the draft RG will be revised to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 with regard to manual initiation of protective actions. The opening statement of the Discussion section includes the following:

This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. To meet these objectives, (1) manual initiation of protective actions provided by otherwise automatically initiated safety systems must meet requirements in IEEE Std 603-1991 in regard to manual initiation and (2) manual initiation of protective actions provided as a diverse method for automatic initiation should meet the guidance specified in Point 4 of BTP 7-19.

And the affected paragraph will be revised to read:

2. Meeting BTP 7-19 guidance:

The potential for common-cause failure has become increasingly important as the complexity of digital and advanced analog protection systems has increased. Credible common-cause failures should be addressed for D3 in the system design. Approaches to address D3 considerations for automatically initiated protective actions may include the use of diverse non-safety manual controls. IEEE Std 7-4.3.2-2003 provides guidance on using diversity to address common-cause failures in computer-based safety systems. In addition, NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, issued December 1994 (Ref. 19), describes a method for analyzing computer-based nuclear reactor protection systems to identify design vulnerabilities to common-cause failure. The fourth point of the Commission's diversity position, listed in BTP 7-19, states, in part, that independent and diverse displays and manual controls should be available in the main control room so that operators can initiate a system-level actuation of critical safety functions. These displays and controls may be safety or non-safety. Guidance provided to NRC staff in BTP 7-19 asserts that manual controls provided for compliance with Point 4 of the NRC position on D3 should be connected downstream of the plant's digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment. The manual controls may be connected either to discrete hardwired components or to simple, dedicated, and diverse, software-based digital equipment that performs the coordinated actuation logic.

3. Meeting both IEEE Std 603-1991 requirements and BTP 7-19 guidance:

As an alternative to two different manual controls discussed above, applicants or licensees may also propose, as an optional acceptable method, a single safety-related means of manual initiation of protective actions that satisfies criteria of both IEEE Std 603-1991 and Point 4 of NRC position on D3.

Section of DG-1190: Section C, Regulatory Position 1, page 5
Comment 12: The requirement for manual component controls needs to be rewritten. It seems that NRC is requiring plant system component level controls for the completion of all safety functions and to increase reliability. This is beyond IEEE 603.
Resolution: The staff agrees to remove the guidance associated with component-level manual control. Regulatory Position 1 will be revised to read:

Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a division-level basis, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

This response also applies to comments 3, 4, 13, 15, 16, and 17.

Section of DG-1190: Section C, Regulatory Position 3, page 6
Comment 13: The requirement for all component controls being in the control room is new and needs to be justified. IEEE 603 only requires those component controls necessary for safe shutdown action to be in the control room.
Resolution: The staff agrees to remove the guidance associated with component-level manual control from Regulatory Position 3. The revised Regulatory Position 3 will read:

The control interfaces for manual initiation of protective actions on a division-level basis should be located in the control room. They should be easily accessible to the operator so that action can be taken in an expeditious manner at the point in time or under the plant conditions for which the protective actions of the safety system shall be initiated as required in Section 4.10.1 of IEEE Std 603-1991. Information displays associated with manual controls should (i) be readily present during the time that manual actuation is necessary, (ii) be visible from the location of the manual controls, and (iii) provide unambiguous indications that will not confuse the operator.

This response also applies to comments 15, 16, and 17.

Section of DG-1190: Section C, Regulatory Position 4, page 6
Comment 14: Item 4 seems to require a priority logic module such as an FPGA. This needs to be justified and explained. How is the manual actuation to be kept simple?
Resolution: The staff partially agrees. Although Position 4 of the draft may have caused confusion by not distinguishing between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 with respect to manual initiation of protective actions, this position does not imply the stated concern. However, as an effort to eliminate the confusion, the diversity guidance will be removed from Position 4 and will be addressed in new Position 7. Also, to make the distinction between requirements of IEEE Std 603-1991 and the guidance of BTP 7-19, the opening statement of Section C will be revised to read:

Regulatory Positions 1, 2, 3, 4, 5, and 6 below provide an acceptable method for complying with IEEE Std 603-1991 in regard to manual initiation of protective actions. Position 7 is an acceptable method for diverse manual initiations of protective actions that satisfies Point 4 of BTP 7-19. Position 8 is an optional acceptable method for satisfying regulatory requirements for both IEEE Std 603-1991 requirements and Point 4 of BTP 7-19 guidance.

Position 4 will be revised to read:

No single failure within the manual, automatic, or common portions of the protection system should prevent initiation of a protective action by manual or automatic means.

The new Position 7 will read:

In providing diverse manual initiation of protective actions, a set of independent and diverse displays and manual controls should be provided in the main control room. These displays and controls may be safety or non-safety. The point at which the manual controls are connected to safety equipment should be downstream of the digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

Section of DG-1190: Regulatory Analysis, Sections 1 & 2, pages 6 & 7
Comment 15: The draft RG content goes beyond the purpose stated and formulates new positions not based on IEEE 603.
Resolution: See response for comments 12 and 13.

Section of DG-1190: Regulatory Analysis, Section 3.2, 2nd paragraph, page 8
Comment 16: The draft RG cites the benefit of enhancing reactor safety by endorsing the most current IEEE on safety systems endorsed by the NRC. The Draft RG goes beyond this endorsement.
Resolution: See response for comments 12 and 13.

Section of DG-1190: Regulatory Analysis, 2nd paragraph of Section 3.2 (page 7) & Section 4, page 8
Comment 17: Does the NRC have actual numbers for the cost savings, and where does the draft RG actually achieve this? Based on the high cost of any safety-related system/equipment, the impact of this RG will be extremely high and not cost effective.
Resolution: The staff partially agrees. As stated in Section D of the draft RG, the NRC does not intend or approve any imposition or backfit in connection with its issuance. Therefore, there is no cost impact for existing NPPs that do not involve digital upgrades. One of the benefits of revising the RG is that the new revision may result in cost saving for most (not all) applicants/licensees due to reduction of licensing uncertainty with regard to digital upgrades.

Although some language in the draft may have caused confusion with regard to component-level manual control and diversity guidance (BTP 7-19), adding new guidance is not the intent of the draft. The draft will be revised to remove guidance associated with component-level manual controls and to distinguish the existing requirements of IEEE 603-1991 and the guidance of BTP 7-19 (see above responses). There is no significant cost incurred as the result of the revision of the RG since no new regulatory requirement/guidance is introduced in the revision.


Hurst Technologies Comments (ML090650469)

Section of DG-1190: General
Comment 1: The requirements as stipulated in the draft RG appear to be an attempt to move what is currently a beyond design basis event (software common cause failure; SWCMF) to the level of a DBE and require full implementation of codes and standards previously not required for manual initiation. The issue of SCMF is already addressed in existing regulatory guidance and should not be included in this issue.
Resolution: The staff disagrees. As more and more nuclear power plants participate in digitalization of I&C systems and the complexity of digital and advanced analog protection systems has increased, the potential for software common-cause failure (CCF) has become increasingly important and needs to be addressed. However, to eliminate the confusion, the draft RG will be revised to make the distinction between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 with regard to manual initiation of protective actions.

Section of DG-1190: Section B
Comment 2: Interpretation of IEEE-603 Requirements: In Section B, Discussion, the descriptions of IEEE-603 requirements go beyond the specific requirements of the standard and add additional requirements with no real bases. Example: the requirement that manual control must meet the single failure criterion.
Resolution: The staff disagrees. As stated in the 8th paragraph of Section B: The single-failure criterion of IEEE Std 603-1991, Section 5.1, applies to safety systems whether control is by automatic or manual means. Therefore, addressing the single-failure criterion is not beyond IEEE Std 603-1991 requirements.

Section of DG-1190: Section C, Regulatory Position 1, page 5
Comment 3: This is a significant expansion of the current requirements and designs with no defined benefit or bases. The need is to have manual capability to support safety functions defined, and not just because a piece of equipment is part of a system performing a safety function.
Resolution: The staff agrees to remove the guidance associated with component-level manual control from Regulatory Position 1. The revised Regulatory Position 1 will read:

Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a division-level basis, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

Section of DG-1190: Section C, Regulatory Position 3, page 6
Comment 4: The requirement to have individual manual controls in the main control room far exceeds the safety need. The need for what and where manual controls should be part of the design and safety evaluation as generally defined by IEEE-603.
Resolution: The staff agrees to remove the guidance associated with component-level manual control from Regulatory Position 3. The revised Regulatory Position 3 will read:

The control interfaces for manual initiation of protective actions on a division-level basis should be located in the control room. They should be easily accessible to the operator so that action can be taken in an expeditious manner at the point in time or under the plant conditions for which the protective actions of the safety system shall be initiated as required in Section 4.10.1 of IEEE Std 603-1991. Information displays associated with manual controls should (i) be readily present during the time that manual actuation is necessary, (ii) be visible from the location of the manual controls, and (iii) provide unambiguous indications that will not confuse the operator.

Section of DG-1190: Section C, Regulatory Position 5, page 6
Comment 5: To meet the requirements of system level actuation beyond the digital I&C requires an additional automatic type control system (either conventional or digital); this leads to then having a third level of individual controls and an even more complex design. Once again, the prescriptive requirements should not be added, as IEEE-603 addresses this issue appropriately.
Resolution: The staff disagrees. Position 5 does not imply the stated concern. Section 6.2.1 of IEEE Std 603-1991 requires, in part, that the means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment. Position 5 is consistent with IEEE Std 603-1991 and not a new regulatory position.

Section of DG-1190: Regulatory Analysis, pages 6, 7, & 8
Comment 6: The statement that this RG could lead to cost savings has no bases, and based on our experience it will be a significant cost adder to current and new plants.
Resolution: The staff partially agrees. As stated in Section D of the draft RG, the NRC does not intend or approve any imposition or backfit in connection with its issuance. Therefore, there is no cost impact for existing NPPs that do not involve digital upgrades. One of the benefits of revising the RG is that the new revision may result in cost saving for most (not all) applicants/licensees due to reduction of licensing uncertainty with regard to digital upgrades.

Although some language in the draft may have caused confusion with regard to component-level manual control and diversity guidance (BTP 7-19), adding new guidance is not the intent of the draft. The draft will be revised to remove guidance associated with component-level manual controls and to distinguish the existing requirements of IEEE 603-1991 and the guidance of BTP 7-19 (see above responses). There is no significant cost incurred as the result of the revision of the RG since no new regulatory requirement/guidance is introduced in the revision.


Westinghouse Comments (ML0905404451)

Section of DG-1190: Section B, 3rd paragraph, page 3
Comment 1: There appears to be a significantly expanded expectation for safety-related controls at the component level. The expectation and basis are not clear. For example, the third paragraph in Section B states "..., individual means should also be provided to implement manual initiation at the plant component level..." This appears to be a new Regulatory Position; however, it does not appear in Section C. If this is a new Regulatory Position, Westinghouse believes it is a significant expansion of the existing guidance in Regulatory Guide 1.62, Revision 0, beyond the scope of any requirement in IEEE Std 603. Moreover, it is not clear whether these additional controls are expected to be safety-related. If so, the single failure criteria should be applied at the protective action level (e.g., SI, Containment Spray, etc.), not at the individual component level within each division. If the intent is to add additional controls, added equipment complexity with no clear safety benefit may result.
Resolution: The staff agrees to remove guidance associated with component-level manual controls. As a result, the 3rd paragraph of Section B will be deleted and Regulatory Position 1 (Section C) will be revised to read:

Means should be provided for manual initiation of each protective action (e.g., reactor trip, containment isolation) on a division-level basis, regardless of whether means are also provided to initiate the protective action at the component or channel level (e.g., individual control rod, individual isolation valve).

This response also applies to comments 9 and 10.

Section of DG-1190: Section B, 11th paragraph, page 5
Comment 2: The last sentence of Section B states, "... this regulatory guide focuses on criteria for safety-related equipment of systems and does not address diverse manual-initiation equipment that is not classified as part of a safety system." However, there is a relationship between IEEE Std 603, BTP 7-19, this regulatory guide and the concept of manual initiation of protective actions to cope with software common cause failure. Therefore, it is suggested that the last sentence in Section B be deleted and additional clarification be added.
Resolution: The staff agrees. Also, to eliminate the confusion between IEEE Std 603-1991 requirements and the guidance of BTP 7-19 with respect to manual initiation of protective actions, the opening statement of the Discussion section includes the following:

This regulatory guide provides an acceptable method for establishing the design criteria for existing I&C systems and for establishing the design criteria for digital and advanced analog systems for the manual initiation of protective actions. To meet these objectives, (1) manual initiation of protective actions provided by otherwise automatically initiated safety systems must meet requirements in IEEE Std 603-1991 in regard to manual initiation, as incorporated in 10CFR50.55a(h), and (2) manual initiation of protective actions provided as a diverse method for automatic initiation should meet the guidance specified in Point 4 of BTP 7-19.

And the affected paragraph will be revised to read:

2. Meeting BTP 7-19 guidance:

The potential for common-cause failure has become Page 38 of 44

Westinghouse Comments (ML0905404451)

Section of Comment Resolution DG-1190 increasingly important as the complexity of digital and advanced analog protection systems has increased. Credible common-cause failures should be addressed for D3 in the system design. Approaches to address D3 considerations for automatically initiated protective actions may include the use of diverse non-safety manual controls. IEEE Std 7-4.3.2-2003 provides guidance on using diversity to address common-cause failures in computer-based safety systems. In addition, NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, issued December 1994 (Ref. 19), describes a method for analyzing computer-based nuclear reactor protection systems to identify design vulnerabilities to common-cause failure. The fourth point of the Commissions diversity position, listed in BTP 7-19 states, in part, that independent and diverse displays and manual controls should be available in the main control room so that operators can initiate a system-level actuation of critical safety functions. These displays and controls may be safety or non-safety. Guidance provided to NRC staff in BTP 7-19 asserts that manual controls provided for compliance with Point 4 of NRC position on D3 should be connected downstream of the plants digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plants electromechanical equipment. The manual controls may be connected either to discrete hardwired components or to simple, dedicated, and diverse, software-based digital equipment that performs the coordinated actuation logic.

3. Meeting both IEEE Std 603-1991 requirements and BTP 7-19 guidance :

As an alternative to two different manual controls discussed above, applicants or licensees may also propose, as an optional acceptable method, a single safety-related means of manual initiation of protective actions that satisfies criteria of both IEEE Std 603-1991 and Point 4 of NRC position on D3.

Section of DG-1190: Section C, Regulatory Position 4, page 6

Comment 3: The proposed Regulatory Position C.4 is a misapplication of the principle of diversity as described in Branch Technical Position (BTP) 7-19. The manual controls used to address Point 4 of BTP 7-19 and IEEE Std 603 only confuses the complicated and controversial topic of defense-in-depth and diversity. There is no provision in IEEE Std 603, and its companion standard IEEE Std 7-4.3.2, that precludes the use of digital circuitry in the manual actuation path. Westinghouse believes that the manual system-level actuation path can, and generally should, include digital circuitry. Digital circuitry is more reliable than the alternative discrete analog logic (relays, timers, etc.). Furthermore, Westinghouse believes that requiring the manual and automatic actuation paths to be separate is not the best method to achieve the goal of high reliability.

Section B, eleventh paragraph, states that, "BTP 7-19 asserts that manual controls for safety equipment should be connected downstream of the plant's digital I&C safety system outputs." This paragraph (C.4) incorrectly interprets the guidance in BTP 7-19 to apply to all manual controls for safety equipment. Therefore, the sentence, "In the case of automated digital protection systems, the point at which the manual controls are connected to safety equipment should be downstream of the plant's digital I&C safety system outputs," should be deleted.

Manual controls that exist to cope with software common cause failure (CCF) of a digital safety system (those addressed in BTP 7-19) must not be susceptible to the same CCF as the digital safety system, and therefore are generally connected downstream of the digital safety system outputs. There is no requirement for manual controls of safety equipment to be independent of, or separate from, the digital safety system if they are not credited for coping with a failure of the digital safety system.

Resolution: The staff partially agrees. Position 4 of the draft may have caused confusion by not distinguishing between the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 with respect to manual initiation of protective actions. To eliminate the confusion, guidance subject to BTP 7-19 will be removed from Position 4 and will be addressed under a new regulatory position (Position 7).

Also, as an effort to make the distinction between requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 with respect to manual initiation of protective actions, the opening statement of Section C will be revised to read:

Regulatory Positions 1, 2, 3, 4, 5, and 6 below provide an acceptable method for complying with IEEE Std 603-1991 in regard to manual initiation of protective actions. Position 7 is an acceptable method for diverse manual initiations of protective actions that satisfies Point 4 of BTP 7-19. Position 8 is an optional acceptable method for satisfying regulatory requirements for both IEEE Std 603-1991 requirements and Point 4 of BTP 7-19 guidance.

The new Position 7 will read:

In providing diverse manual initiation of protective actions, a set of independent and diverse displays and manual controls should be provided in the main control room. These displays and controls may be safety or non-safety. The point at which the manual controls are connected to safety equipment should be downstream of the digital I&C safety system outputs. These connections should not compromise the integrity of interconnecting cables and interfaces between local electrical or electronic cabinets and the plant's electromechanical equipment.

New Position 8 will provide applicants/licensees an optional guidance for a safety-related diverse manual control that meets the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19. Position 8 will read:

An optional acceptable method that satisfies both requirements of IEEE Std 603-1991 and guidance on Point 4 of the NRC position on D3, a single safety-related manual initiation of protective actions that satisfies Positions 1, 2, 3, 4, 5, 6, and 7 above can be provided.

This response also applies to comments 4, 5 and 7.

Section of DG-1190: Section C, Regulatory Position 4, page 6

Comment 4: The existing guidance in Regulatory Guide 1.62, Revision 0, Regulatory Position 4 allows that "...action-sequencing functions ... may be common if individual manual initiation at the component or channel level is provided in the control room." This provision is removed in DG-1190. The removal of this provision is not justified.

Resolution: The staff partially agrees. The original Regulatory Position 4 (Revision 0 of RG 1.62) included the following guidance for manual initiation of protective actions: "The amount of equipment common to both manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated equipment." This guidance provided a measure of diversity between the automatic and manual initiation in analog-based systems. The affected provision excludes action-sequencing functions and interlocks from this guidance so that manual initiation would not be unnecessarily burdened with sequencing or interlock functions.

Since (1) IEEE Std 603-1991 does not require that equipment common to both manual and automatic initiation be minimized and (2) with diversity guidance for digital computer-based I&C systems (BTP 7-19) being addressed under new Position 7, Position 4 (subject to IEEE Std 603-1991 requirements) will be revised to delete "The amount of equipment common to both manual and automatic initiation should be kept to a minimum. It is preferable to limit such common equipment to the final actuation devices and the actuated equipment." Therefore, the affected provision (which served as an exception to the above statement) is no longer needed.

Section of DG-1190: Section B, 4th paragraph, page 3

Comment 5: Section B, fourth paragraph, indicates that manual actuation is a backup to automatic actuation. IEEE Std 603 does not require the manual controls to cope with a failure of the automatic actuation. They are simply another method to achieve the actuation. The use of the term "backup" is not appropriate. The term "backup" would be appropriate if describing the manual controls addressed in BTP 7-19. As stated in Item 3 above, DG-1190 is confusing the requirements of IEEE Std 603 and the diversity issues of BTP 7-19.

Resolution: The staff agrees. The affected paragraph will be revised to read:

Design analyses determine the appropriate safety functions and corresponding protective actions for each plant design. The protective actions can be initiated automatically, or, in certain cases, can be accomplished solely by manual controls. Protective actions initiated solely by manual controls are subject to consideration of (1) the time for the operator to analyze and manually respond to an adverse plant condition, (2) the time available for actions to be taken to mitigate adverse plant conditions, (3) the plant conditions expected at the time manual controls are credited, (4) the range of conditions over which the manual controls are expected to be in effect, and (5) the display variables necessary to provide for effective manual control.

Also see response for comment 3.

Section of DG-1190: Section B, 6th paragraph, page 4

Comment 6: Section B, sixth paragraph, states that "Safety-related controls and displays should be provided." Although it is true that these controls and displays must be provided, this entire paragraph is confusing, adds no value, and thus should be deleted.

Resolution: The staff partially agrees. While some language in the draft may have caused confusion, the reference to Section 5.6.3.1 of IEEE Std 603-1991 is appropriate and necessary. However, to eliminate the confusion it may have caused, the affected paragraph will be revised to read:

Section 5.6.3.1 of IEEE Std 603-1991 specifies that interconnected equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Therefore, equipment that is not classified as part of a safety system must not be credited for performing safety functions. Nevertheless, non-safety multidivisional control and display stations may be used to perform functions that support plant safety. The control and monitoring of functions credited with the protection of the plant in the plant safety analyses must be capable of being performed using only safety-related resources. Non-safety multidivisional control and display stations may supplement the safety-related control and display equipment that is credited in the plant safety analyses.

Section of DG-1190: Section B, 8th paragraph, page 4

Comment 7: Section B, eighth paragraph, addresses CCF and Regulatory Guide 1.53. It is recommended that this paragraph be replaced with a simple reference to Regulatory Guide 1.53. This entire discussion on how to address single failures and software CCF is not unique to manual actuation.

Resolution: The staff partially agrees. As more and more nuclear power plants participate in digitalization of I&C systems and the complexity of digital and advanced analog protection systems has increased, the potential for software common-cause failure (CCF) has become increasingly important and needs to be addressed. However, the draft RG may have caused confusion by not distinguishing between requirements of IEEE Std 603-1991 and the guidance of BTP 7-19. To eliminate the confusion, the draft RG will be revised to distinguish the requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 in regard to manual initiation of protective actions. The discussion on CCF and diversity will be moved to the end of the Discussion section, where it addresses the need for Diversity and Defense-in-Depth (D3) for manual initiation of protective actions that are not subject to IEEE Std 603-1991 requirements.

Section of DG-1190: Section C, Regulatory Position 1, page 5

Comment 8: The words "for each division" have been added to Regulatory Position C.1 (second line) and C.2 (first line). The intent of this addition is not clear. Westinghouse has traditionally provided actuation switches on the control board for engineered safety feature (ESF) actuations and reactor trip. One switch actuates the function in all divisions, minimizing discrete operator manipulations as required by IEEE Std 603, Clause 6.2.1. It appears that these switches should now be designed such that each switch only communicates with one division, thus requiring an operator manipulation for each division for each function. The intent of this change should be clarified; or, the words "for each division" should be deleted.

Resolution: The staff agrees. The phrase "on a system-level basis for each division" will be replaced with "on a division-level" to be consistent with IEEE Std 603-1991.

Section of DG-1190: Section C, Regulatory Position 1, page 5

Comment 9: Proposed Regulatory Position C.1 includes the words "..., regardless of whether means are also provided to initiate the protective action at the component or channel level..." These words seem to indicate that component-level control is not necessarily required, further confusing the issue raised in Item 1 above.

Resolution: See response for comment 1.

Section of DG-1190: Section B, 3rd paragraph, page 3

Comment 10: Section B, third paragraph, states that "manual initiation for each appropriate plant system component (e.g., start pump, open or close valve) is subsequently required..." It is not clear how "appropriate plant system components" are identified. The AP1000 is a passive plant. ESF actuations are automatic and require no further component-level manipulations. Therefore, Westinghouse would conclude that AP1000 has none of these components. Clarify the criteria for identifying "appropriate plant system components."

Westinghouse agrees that high functional reliability is needed. There are many methods to achieve high reliability. Many of these alternate methods provide higher reliability than simply adding circuitry for manual actuation. Alternative methods to achieve high reliability should be allowed and encouraged.

Resolution: See response for comment 1.

Section of DG-1190: Section C, Regulatory Position 2, pages 5 & 6

Comment 11: Proposed Regulatory Position C.2 has added the sentence "Multiple initiations of safety systems (autosequencing) by distinct manual control manipulations are not precluded." This sentence is confusing. For example, is "autosequencing" the same thing as "action-sequencing" in the previous sentence? If there is intent to soften the requirement that manual initiation perform all actions performed by the automatic means, then this should be clearly explained.

Resolution: The staff agrees. Position 2 will be revised to read:

Manual initiation of a protective action on a division-level basis should perform all actions performed by automatic initiation such as starting auxiliary or supporting systems, sending signals to appropriate valve-actuating mechanisms to ensure correct valve position, and providing the credited action-sequencing functions and interlocks.

Section of DG-1190: Regulatory Analysis, Section 3.2, 3rd paragraph, page 8

Comment 12: Regulatory Analysis Section 3.2 states "Applicants would incur little or no cost and may, in fact, achieve cost savings." Westinghouse does not agree. If the suggestions in this draft regulatory guide were incorporated into the AP1000 design, specifically the added circuitry for separate non-digital circuits for all manual controls, many additional cabinets for the analog circuitry and their associated costs would be required. The AP1000 is a compact plant design. It is not apparent that the currently-designed buildings can hold these additional cabinets. The added circuitry must also be designed, purchased and installed. In addition, periodic surveillance and corrective maintenance on this additional analog circuitry will be a significant recurring operations/maintenance cost.

Resolution: The staff partially agrees. Although some language in the draft may have caused confusion with regard to component-level manual control and diversity guidance (BTP 7-19), adding new requirements that result in high cost to applicants/licensees is not the intent of the draft. The draft will be revised to remove guidance associated with component-level manual controls and to distinguish the existing requirements of IEEE Std 603-1991 and the guidance of BTP 7-19 (see above responses). There is no significant cost incurred as the result of the revision of the RG since no new regulatory requirement is introduced in the revision.

This response also applies to comment 13.

Section of DG-1190: Regulatory Analysis, Section 4, page 8

Comment 13: Section 4, Conclusion, indicates that the primary benefit of the proposed regulatory guide is reference to the modern standards. This proposed revision does much more than update the standards references. There is also a statement that alludes to cost savings. No cost savings have been identified in the draft regulatory guide and Westinghouse can only identify cost increases for these added requirements and added circuitry as indicated above.

Resolution: See response for comment 12.