Text

Draft Regulatory Guide DG-1141, Setpoints for Safety-Relataed Instrumentation
	ML14149A361
Person / Time
Issue date:	06/30/2014
From:	Paul Rebstock; NRC/RES/DE/MEEB
To:	;
	Orr M
Shared Package
ML081630149	List: ML081630179; ML101820157; ML14149A361;
References
	DG-1141 RG-1.105, Rev 4
	Download: ML14149A361 (33)
	v • d • e

U.S. NUCLEAR REGULATORY COMMISSION June 2014 OFFICE OF NUCLEAR REGULATORY RESEARCH Division 1 DRAFT REGULATORY GUIDE Technical Lead Paul Rebstock 301-251-7488 DRAFT REGULATORY GUIDE DG-1141 (Proposed Revision 4 of Regulatory Guide 1.105, dated December 1999)

SETPOINTS FOR SAFETYRELATED INSTRUMENTATION A. INTRODUCTION Purpose This regulatory guide (RG) describes practices and criteria that the staff of the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for compliance with NRC requirements for ensuring that setpoints for safety related instruments are initially within, and should remain within, technical specification limits. It also presents practices and criteria for establishing those technical specification limits and ensuring that those limits will adequately support the proper operation of the associated systems - that is, that establishing and maintaining setpoints in accordance with those limits will provide adequate assurance that a plant will operate as described in the plant safety analyses. To meet these objectives, this RG addresses the selection and application of instrument setpoints and of limits useful in the assessment of channel operability. This includes the establishment of setpoint related limits to be included in plant technical specifications. This RG addresses setpoints from the perspective of sensed parameters and final actuations. Calibration practices and settings associated with individual devices contributing to the final actuation are not addressed here, and should be established by the licensee in such a manner as to support the actuation related objectives presented herein.

Applicable Regulations This guide is applicable to nuclear power plants licensed under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities, (Ref. 1) and also to nuclear power plants licensed under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants (Ref. 2)

Regulations in 10 CFR 50.36, Technical Specifications, require, in part, that technical specifications include limiting safety system settings for nuclear reactors. These settings apply to instruments that monitor nuclear power variables and initiate protective actions - such as reactor trips or the actuation of mitigating safety systems - when monitored variables exceed specified This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received final staff review or approval and does not represent an official NRC final staff position.

Public comments are being solicited on this draft guide and its associated regulatory analysis. Comments should be accompanied by appropriate supporting data. Comments may be submitted through the Federal rulemaking Web site, http://www.regulations.gov, by searching for Docket ID <INSERT: NRC-2014-XXXX>. Alternatively, comments may be submitted to the Rules, Announcements, and Directives Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Comments must be submitted by the date indicated in the Federal Register notice.

Electronic copies of this draft regulatory guide, previous versions of this guide, and other recently issued guides are available through the NRCs public Web site under the Regulatory Guides document collection of the NRC Library at http://www.nrc.gov/reading-rm/doc-collections/reg-guides/. The draft regulatory guide is also available through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML14149A361. The regulatory analysis may be found in ADAMS under Accession No. ML101820157.

limits. These protective actions help to ensure that the nuclear reactor operates within the design parameters and that specified safety limits are not exceeded.

In 10 CFR 50.36(c)(1)(ii)(A), the NRC requires, in part, that Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. The selection of limiting settings is addressed in Section C.8 and in the corresponding discussion in Section B of this RG. In 10 CFR 50.36(c)(1)(ii)(A) the NRC also requires that If, during operation, it is determined that the automatic safety system does not function as required, the licensee shall take appropriate action, which may include shutting down the reactor. One element of a determination that an instrument channel is functioning as required is assessment of a measured setpoint. This is addressed in Section C.7 and in the corresponding discussion in Section B of this RG. Key terms used in these CFR provisions are defined within the CFR:

o Safety Limit (SL) is defined in 10 CFR 50.36(c)(1)(i)(A): Safety limits for nuclear reactors are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity.

o Limiting Safety System Setting (LSSS) is defined in 10 CFR 50.36(c)(1)(ii)(A):

Limiting safety system settings for nuclear reactors are settings for automatic protective devices related to those variables having significant safety functions.

- See the discussion of As-Found Tolerance(AFT) and Limiting Setpoint (LSP) later in this RG for additional guidance.

o Settings is not defined in the regulations. The particular type of setting addressed in this RG is an instrument setpoint, generally recognized as the particular value of a measured or computed variable at which the specified action is expected to be initiated under test or calibration conditions.

In 10 CFR 50.36(c)(2)(i), the NRC defines and establishes requirements relating to Limiting Conditions for Operation: Limiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met. Plant technical specifications typically include limits associated with certain instrument setpoints. This RG addresses the means by which such limits should be established.

In 10 CFR 50.36(c)(2)(ii)(C), the NRC specifies that a limiting condition for operation of a nuclear reactor must be established for each structure, system, or component that is part of the primary success path and which functions or actuates to mitigate a design basis accident or transient that either assumes the failure of or presents a challenge to the integrity of a fission product barrier. This requirement applies to instrumentation for monitoring nuclear power plant variables that initiate reactor trips or actuate systems to mitigate accidents, transients, or anticipated operational occurrences if those variables exceed certain limits.

In 10 CFR 50.36(c)(3), the NRC defines and establishes requirements relating to surveillance requirements: Surveillance requirements are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that DG-1141, Page 2

facility operation will be within safety limits, and that the limiting conditions for operation will be met. This RG includes assessment of an as-found setpoint as one element of confirmation that an instrument channel is functioning as expected.

Other elements of the CFR applicable to the selection and application of setpoint related criteria include:

In 10 CFR 50a(h) the NRC incorporates by reference Institute of Electrical and Electronics Engineers (IEEE) standard (Std.) 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations (Ref. 3), and IEEE standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (including the correction sheet dated January 30, 1995) (Ref. 4), and applies one or the other to nuclear power plants on the basis of the plant licensing date or other criteria. Clauses 3(6) and 4.1 of IEEE 2791971 require the determination and documentation of setpoints for protective actions. Clause 6.8 of IEEE 603-1991 requires that the allowance for uncertainties associated with a setpoint be established in accordance with a documented methodology. This RG presents criteria and considerations that the NRC staff finds acceptable for use as the basis of a methodology for the determination of setpoints in accordance with the provisions of both standards.

In Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50, the following general design criteria (GDC) are of particular interest:

o GDC 13, Instrumentation and Control, requires, in part, that the instrumentation be provided to monitor certain variables and systems and that controls be provided to keep these variables and systems within prescribed operating ranges.

o GDC 20, Protection System Functions, requires, in part, that the protection system be designed to initiate operation of appropriate systems to ensure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational events or as needed in response to accident conditions.

Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50: This appendix requires, in part, that licensees have programs and administrative controls in place that are intended to ensure that safety related structures, systems, and components perform as designed. In particular, this indicates that settings for automatic actions should be developed in such a manner as to provide adequate assurance that those actions are initiated at values of plant parameters that are consistent with applicable design bases and analyses.

10 CFR 52.47, Contents of Applications; Technical Information: In this section, the NRC invokes the above requirements for reactors licensed under 10 CFR Part 52. In particular, 10 CFR 52.47(a)(11) invokes 10 CFR 50.36, Technical Specifications, and 10 CFR 52.47(a)(3)(i) invokes the General Design Criteria (Appendix A to 10 CFR 50).

Related Guidance

RG 1.30, Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment endorses, with modifications, the use of IEEE Std. 336, IEEE Standard Installation, Inspection, and Testing Requirements for Power, Instrumentation, and Control Equipment at Nuclear Facilities as a method for complying with the applicable requirements of Appendix B to 10 CFR Part 50 (Ref. 5).

DG-1141, Page 3

NUREG-1430, Standard Technical Specifications - Babcock and Wilcox Plants is a set of operating conditions and limitations intended to be used as a guide in developing plant specific sets of technical specifications for license applications for the standard Babcox & Wilcox nuclear power plant (Ref. 6).

NUREG-1431, Standard Technical Specifications - Westinghouse Plants is a set of operating conditions and limitations intended to be used as a guide in developing plant specific sets of technical specifications for license applications for the standard Westinghouse nuclear power plant (Ref. 7).

NUREG-1432, Standard Technical Specifications - Combustion Engineering Plants is a set of operating conditions and limitations intended to be used as a guide in developing plant specific sets of technical specifications for license applications for the standard Combustion Engineering nuclear power plant (Ref. 8).

NUREG-1433, Standard Technical Specifications - General Electric Plants (BWR/4) is a set of operating conditions and limitations intended to be used as a guide in developing plant specific sets of technical specifications for license applications for the standard General Electric (BWR/4) nuclear power plant (Ref. 9).

NUREG-1434, Standard Technical Specifications - General Electric Plants (BWR/6) is a set of operating conditions and limitations intended to be used as a guide in developing plant specific sets of technical specifications for license applications for the standard General Electric (BWR/6) nuclear power plant (Ref. 10).

Scope This RG applies to all instrument setpoints that are included in plant technical specifications in accordance with the requirements of 10 CFR 50.36, whether the requirements concerning those setpoints are presented directly in the technical specifications or are incorporated by reference.

Appendix B to 10 CFR Part 50 requires that programs and administrative controls be in place to provide adequate assurance that systems associated with significant safety functions be designed to perform satisfactorily in service. Therefore setpoints not directly related to safety limits but still associated with significant safety functions must ensure that automatic protective actions are initiated in accordance with the design bases. Such setpoints are therefore within the scope of this RG.

This RG is not intended to address the scope or content of technical specifications. It does, however, address concepts and practices that should be considered in the development of setpoint related technical specification requirements.

Purpose of Regulatory Guides The NRC issues RGs to describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agencys regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to applicants. RGs are not substitutes for regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the NRC.

DG-1141, Page 4

Paperwork Reduction Act This RG contains information collection requirements covered by 10 CFR Part 50 and 10 CFR Part 52 that the Office of Management and Budget (OMB) approved under OMB control numbers 3150-0011 and 3150-0151, respectively. The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.

DG-1141, Page 5

TABLE OF CONTENTS A. INTRODUCTION ............................................................................................................................. 1 Purpose ....................................................................................................................................... 1 Applicable Regulations ............................................................................................................... 1 Scope .......................................................................................................................................... 4 Purpose of Regulatory Guides ..................................................................................................... 4 Paperwork Reduction Act ........................................................................................................... 5 B. DISCUSSION.................................................................................................................................... 7

1. Reason for Revision ............................................................................................................... 7

2. Background and Overview ..................................................................................................... 7

3. Industry Standards.................................................................................................................. 9

4. Establishing Setpoint Limits ................................................................................................. 10 4.1 Setpoint Related Limits and Parameters ....................................................................... 10 4.2 Digital Technology ...................................................................................................... 13 4.3 Uncertainty Analyses: Establishing Margins and Limits .............................................. 13 4.4 Uncertainty Data and the 95/95 Criterion ..................................................................... 14

5. Assessing and Maintaining Setpoints .................................................................................... 14 5.1 Setpoint Deviation: Evaluating the As-Found Setpoint (AFT, AV) .............................. 14 5.2 Constraining the AsLeft Setpoint (LSP, NSP, ST) ....................................................... 16

6. Harmonization with International Standards ......................................................................... 19

7. Documents Discussed in Staff Regulatory Guidance............................................................. 19 C. STAFF REGULATORY GUIDANCE ............................................................................................. 20

1. Safety Limits and Analytical Limits ..................................................................................... 20

2. Setpoint Criteria for Technical Specifications ....................................................................... 20

3. The Applicability of ANSI/ISA 67.04.01-2006 ..................................................................... 20

4. Uncertainty Analyses ........................................................................................................... 21

5. Graded Uncertainty Analyses ............................................................................................... 24

6. Uncertainty Data and the 95/95 Criterion.............................................................................. 24

7. Setpoint Deviation: Evaluating the As-Found Setpoint......................................................... 25

8. Constraining the As-Left Setpoint ........................................................................................ 26 D. IMPLEMENTATION ...................................................................................................................... 28 Use by Applicants and Licensees .............................................................................................. 28 Use by NRC Staff ..................................................................................................................... 28 GLOSSARY ......................................................................................................................................... 30 REFERENCES...................................................................................................................................... 32 DG-1141, Page 6

B. DISCUSSION

1. Reason for Revision The primary objectives of the changes from the previous revision of this RG are to:

Incorporate applicable provisions of Regulatory Issue Summary (RIS) 2006-017, NRC Staff Position on the Requirements of 10 CFR 50.36, Technical Specifications, Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels. (Ref. 11)

Clarify staff expectations concerning the development of limiting values presented in setpoint related technical specifications.

Clarify staff expectations concerning the development of statistical parameters and the use of the 95/95 criterion.

Clarify staff expectations concerning the use of an Allowable Value for a setpoint, in consideration of its removal from the cited industry standard but continued use in some plant technical specifications.

Address the current version of the associated industry standard, American National Standards Institute (ANSI)/International Society of Automation (ISA) 67.04.01-2006, Setpoints for Nuclear Safety Related Instrumentation (R2011) (Ref. 12).

This revision (Revision 4) includes criteria, guidance, and concepts that have not been addressed in previous revisions of this RG. Those matters result, in part, from the NRC staff concerns and extensive discussions with various stakeholders during the timeframe extending roughly from 2004 through 2006.

Those concerns and associated correspondence are described in RIS 2006-017.

This revision continues to address concerns expressed in the previous revision of this regulatory guide. The previous revision addressed problems with setpoint uncertainty allowances and setpoint discrepancies, which had led to a number of operational problems. It also addressed significant variability that had been observed in licensees surveillance interval evaluations with regard to drift, setpoint methodology, and completeness. It enumerated a number of specific concerns in this area, observing that the listed concerns had been resolved during the development of the 1994 version of ANSI/ISA-S67.04, Part 1-1994, Setpoints for Nuclear Safety-Related Instrumentation (Ref. 13).

2. Background and Overview Safety analyses and design bases for systems and components used in a nuclear power plant demonstrate, or provide assurance that, safety limits will be adequately protected under normal and anticipated conditions. Safety analyses and design bases include, in part, assumptions that certain actions will be initiated when certain parameters exceed certain specified limits. It is important that those analyses and design bases adequately bound both actual plant conditions and actual equipment operation; otherwise, the conclusions of the safety analyses might not be valid, or the protection intended by the design bases might not be attained.

The ability of plant safety systems to achieve their required functional performance depends, in part, on proper selection of instrument setpoints. Therefore, assumptions concerning instrument setpoints DG-1141, Page 7

and other aspects of instrument operation should bound the actual operation of the instruments. The instrument setpoints and operation should be consistent with those assumptions.

It is important to recognize the difference between an instrument channel setpoint and the associated trippoint.

Definitions:

Setpoint: the value of the process variable at which a channel is observed to trip 1 under test or calibration conditions, or is intended to trip under operating or design basis conditions.

Trippoint: the value of the process variable at which a channel actually does trip under operating conditions (including design basis conditions).

Because measurement error is unavoidable, variable, and stochastic, the actual trippoint of an instrument channel cannot be known with certainty. Measurement of the setpoint will always involve some unknowable amount of error:

{trippoint} = {measured setpoint} + {unknown error}

Thus setpoint is a fixed value, and trippoint is a random variable bearing some statistical relationship to that fixed value.

Measurement error can be characterized statistically, and it is possible to establish and apply setpoints based on that statistical characterization in such a manner as to provide reasonable assurance that functions associated with those setpoints will be initiated as required and in accordance with the applicable safety analyses and design bases despite the presence of anticipated error in the actual trippoint.

Acceptance criteria for setpoints should be selected so as to provide adequate assurance that the corresponding trippoints will be consistent with the safety analyses or other design bases as applicable.

This RG presents mathematical and statistical considerations that the staff believes to be important to the development of appropriate setpoint related limits and allowances. It also describes criteria and objectives that the NRC staff believes to be applicable to the uncertainty analyses used to determine suitable setpoint related limits and allowances.

Plant technical specifications 2 are designed to prevent plant safety limits from being exceeded.

Plant safety analyses 3 show that safety limits will not be exceeded if certain actions are initiated before 1 As used in this regulatory guide, the term trip, as in the phrase channel trip and related usage, refers to the transition of the channel or device output from the state that does not call for protective action (the normal state) to the state that does call for protective action (the tripped state). The protective action may be initiation of some automatic action, termination of some action, trip of the reactor, or another action. In this context the normal state refers to the plant normal and is not to be confused with the de energized state (also known as the shelf state) of a component, which is sometimes referred to by means of the same term.

2 Information concerning the form and content of technical specifications is presented for illustrative purposes only.

Refer to 10 CFR 50.36 and to the standard technical specifications for associated requirements and guidance. Also consult the technical specifications applicable to each individual nuclear power plant.

DG-1141, Page 8

certain other limits are exceeded. Those other limits are called analytical limits. Because protection of analytical limit is used to ensure protection of safety limits, the NRC staff considers analytical limits to be surrogate safety limits and therefore to be subject to the same requirements and guidance as safety limits (Section C.1 of this RG). Setpoint related technical specification limits are therefore selected so as to provide adequate protection of analytical limits.

To ensure protection of analytical limit, setpoint related technical specifications typically invoke a limiting setpoint and an As-Found tolerance for each setpoint. Many technical specifications invoke an allowable value in place of, or in addition to, a limiting setpoint and an as-found tolerance. Documents associated with particular plants may employ terminology different from what is presented here. These limits and their significance to plant safety are addressed later in this RG.

In 2006 the NRC staff issued RIS 2006-017. The RIS summarizes the regulatory requirements concerning setpoint related technical specifications, cites the guidance provided in Revision 3 of this RG, and provides additional guidance concerning instrument setpoints associated with technical specifications.

Portions of the information in RIS 2006-017 have been incorporated into this RG.

3. Industry Standards The Instrument Society of America 4 (ISA) established Subcommittee SP67.4 in 1975, to review the question of setpoint drift. That subcommittee produced ISA Standard 67.4. ISA has revised and reissued that standard several times since its original publication, with slight variations in the numbering of the standard and with publication of related documents bearing numbers similar to 67.4. The NRC endorsed the 1994 version of the standard (with clarifications and limitations) in Revision 3 of this RG, issued in December of 1999. The NRC did not endorse the 2000 version of this standard.

The NRC staff does not, and has not previously, endorsed the ISAs 67.04 series documents other than ANSI/ISA 67.04.01-2006 and earlier versions of that standard. Those documents concern:

the calculation methodologies described in ANSI/ISA RP67.04.02-2010, Methodologies for the Determination of Setpoints for Nuclear Safety Related Instrumentation (Ref. 14);

setpoint sequencing described in ANSI/ISA TR67.04.08-1996, Setpoints for Sequenced Actions (Ref. 15); and

criteria for the grading of setpoint related analytical detail on the basis of setpoint importance as described in ISA TR67.04.09-2005, Graded Approaches to Setpoint Determination, (Ref. 16).

Reference to those documents is not sufficient for establishing the acceptability of any licensing provision or request.

3 Protection of the SL is usually demonstrated in the plant safety analyses, but there may be instances in which other documents or criteria provide this demonstration. For the sake of simplicity, this regulatory guide will generally refer to the plant safety analyses, with the understanding that the intent is to address whatever provisions provide the requisite demonstration or assurance.

4 The Instrument Society of America (ISA) of Research Triangle Park, NC, changed its name to ISA - The Instrumentation, Systems, and Automation Society, and later to the International Society of Automation. The designation ISA has remained constant. The numbering scheme used for ISA standards has also changed in various editions of various standards. The society names and standard numbers presented in this regulatory guide are as indicated in the cited edition of each individual cited document.

DG-1141, Page 9

ANSI/ISA 67.04.01-2006 presents criteria for computing the uncertainty associated with an instrument setpoint. Various staff regulatory guidance positions in Section C of this RG address the suitability of this standard for use in developing limits for setpoints that fall within the scope of this RG.

4. Establishing Setpoint Limits 4.1 Setpoint Related Limits and Parameters There is no universally accepted terminology for setpoint related limits and parameters. The NRC staff has observed that the terminology used in various plant related documents differs from plant to plant and does not necessarily match the terminology used in the ISA standard or in the NRC Standard Technical Specifications. Therefore, this RG explicitly defines the terminology that it uses. Figure 1 (below) is a qualitative graphical depiction of the relationships among the principal setpoint related limits and parameters. This figure is intended to present more detail than, and to be used in lieu of, the similar figure in Section 4 of ANSI/ISA 67.04.01-2006.

AL Excessive Deviation (see note 4)

TLU due to violation of AV Potentially (see note 3) Excessive Deviation (see note 3)

AV Direction of Increasing Nonconservatism LSP see note 1 optional margin

+AFT As-Left Band

+ST NSP As-Found Reference (pAsL or NSP - see note 2)

-ST

-AFT Potentially Excessive Deviation anticipated excursions (see note 3) normal operating band Figure 1: Setpoint Parameters of Regulatory Interest (This figure supersedes the figure in Section 4 of ISA 67.04.01.)

See Glossary for definitions of setpoint related limits and parameters.

DG-1141, Page 10

Figure 1 Notes:

1. Section C.8 of this RG addresses the relationship among limiting setpoint (LSP), total loop uncertainty (TLU), and setting tolerance (ST). The As-Left setpoint should be no less conservative than limiting setpoint (LSP).

2. Section C.7b. of this RG addresses the acceptability of the evaluation of setpoint deviation relative to the nominal setpoint (NSP). If the indicated conditions are not met, setpoint deviation should be evaluated relative to the previous as-left setpoint (pAsL).

3. Section C.7c of this RG addresses the acceptability of occasional deviation in excess of the as-found tolerance (+/-AFT), provided that the deviations are neither too large nor too frequent. Section C.7e(3) of this RG recommends that the deviation should be deemed excessive if the as-found value (AsF) of the setpoint is less conservative than the allowable value (AV) regardless of whether or not the As-Found tolerance is exceeded and whether or not the occurrence of this condition is chronic.

4. The relationship of allowable value to analytical limit, limiting setpoint, and the as-found tolerance limit is methodology dependent. The allowable value might be more or less conservative than the as-found tolerance limit. See allowable value definition and discussion and Section C.7e later in this RG.

Although licensees and applicants are free to use whatever terminology they wish, a clear and direct mapping of that terminology into the terminology used in this RG could greatly simplify staff reviews and discussions.

The importance of safety limits and the significance of analytical limit in protecting them have already been discussed in this RG, under Background and Overview. That discussion also identifies certain limits typically included in technical specifications to provide protection of the analytical limit.

Those limits are described more fully here.

The overall objectives in the selection of setpoint related limits are to provide adequate assurance that safety limits will not be exceeded, to provide adequate assurance that the criteria and data on which those limits have been based are consistent with the observed operation of the equipment associated with each setpoint, and to support an assessment as to whether the equipment associated with a setpoint has been functioning as expected and required.

This RG addresses two primary considerations regarding acceptability limits on measured values for instrument setpoints:

1. Limits on the acceptable measured value of a setpoint:

Limiting Setpoint (LSP): a limit on the value to which a setpoint may be adjusted (see definition and discussion later in the RG)

Allowable Value (AV): a limit on the value at which a setpoint may be found (see definition and discussion later in this RG) and DG-1141, Page 11

2. Limits on the acceptable change in the measured value of a setpoint during the interval between scheduled measurements:

As-Found Tolerance (AFT): a limit on the amount by which a measured setpoint may differ from the previous setting, in either the positive or the negative direction (see definition and discussion later in this RG)

When properly selected, these limits can provide assurance that the instrument channel with which they are associated is capable of initiating the associated safety function in accordance with the safety analysis or applicable design basis:

The limiting setpoint helps to ensure that the point at which a function is initiated will remain acceptable in the future despite some anticipated (and acceptable) amount of change caused by drift, changes in environment, and other factors. See Section C.8 later in this RG.

- If an appropriate limit is not established for a setpoint as measured at the beginning of an operating period, the actual trippoint later in the interval might fail to meet operational requirements.

The allowable value can provide additional assurance that a channel would trip at an appropriate value at the time the setpoint is measured, with additional margin for environmental changes etc.

that might exist at the time the associated safety function is needed. See Section C.7e of this RG.

The as-found tolerance confirms that the measured value at which a function is initiated has indeed changed by no more than the amount anticipated since the last time it was tested.

Deviation 5 in excess of the as-found tolerance could be an indication of equipment malfunction or of problems with the uncertainty analysis used to compute the setpoint related limits. See Section C.7 of this RG.

- If a setpoint changes between tests by more than the amount anticipated, it might no longer be providing adequate protection. In addition, if a setpoint changes by more than the anticipated amount, the equipment might be malfunctioning or the calculations and assumptions by which the anticipated change was determined might not be accurate. It might be necessary to revise the calculations and to adjust the associated limits accordingly.

Nominal setpoint and setting tolerance (NSP, ST) are addressed later in this RG.

In Summary:

Setpoint limits should be based on limiting values used in plant safety analyses. If there is no applicable plant safety analysis for a particular setpoint, the limits should be based on applicable design bases. (See Section C.1 of this RG.)

Selection of limits on the acceptable amount that a measured setpoint might change over the course of a calibration interval should include consideration of the amount by which that setpoint might reasonably be expected to change between calibrations. (See Section C.7 of this RG.)

5 The term Deviation should not be confused with Drift. See the definition in the Glossary. See also Setpoint Deviation: Evaluating the AsFound Setpoint (AFT, AV).

DG-1141, Page 12

Selection of a limit on the acceptable measured value for a setpoint at the time it is calibrated should include consideration of anticipated error in the actual trippoint over the entire period between measurements. (See Section C.8 of this RG.)

The third bullet of Section 4.3 in ANSI/ISA 67.04.01-2006 uses the term actual trip setpoint and indicates that this setpoint is known only at the time of measurement. This term has no equivalent in this RG. In this RG, the term actual trippoint (as opposed to actual trip setpoint) is used to describe the actual process value at which actuation occurs. The presence of unavoidable measurement error makes it impossible to know the exact value of the actual trippoint at the time of measurement or at any other time. In addition, environmental and other conditions at the time a safety function is needed might differ from those at the time of measurement. The actual trippoint at the time of demand might therefore further differ from the measured setpoint.

4.2 Digital Technology The use of digital technology affects but does not fundamentally alter the relationship between the loop and its component devices. The number of devices may be reduced to just two (the sensor and the digital signal converter). The trip function is implemented through software or firmware, and typically introduces no additional uncertainty to the loop. The setpoint becomes a recorded digital value not subject to drift or to any uncertainty other than the granularity of the digital number system - which is usually much finer than the signal digitization granularity and is usually negligible.

Depending on the details of the system implementation, the digital signal converter might include some amount of uncertainty and susceptibility to influences such as ambient temperature. In addition, digital systems are subject to quantification error, or granularity: the signal can have a value of n or n+1 but nothing in between. Digital processing might introduce additional concerns such as aliasing, time delays, and other effects relating to the representation of a continuous signal as a stream of values that are discrete in magnitude and time. All digital effects should be addressed in the uncertainty analysis.

4.3 Uncertainty Analyses: Establishing Margins and Limits Uncertainty analyses establish limiting settings for setpoints in order to provide adequate assurance that system operation will be in accordance with the plant safety analyses despite uncertainties inherent in the statistical nature of the actual trippoint. In order to accomplish this, it is important that the conditions, maintenance practices and schedules, and other aspects of plant operation and maintenance that might influence the operation or accuracy of plant instrumentation be included in the analyses.

ANSI/ISA 67.04.01-2006 does not provide specific criteria relating to uncertainties associated with measurement and test equipment (M&TE). Criteria XI and XII in Appendix B to 10 CFR Part 50 include quality assurance requirements for testing. RG 1.118, Periodic Testing of Electric Power and Protection Systems (Ref. 17) provides guidance on periodic surveillance testing.

It is usually understood that, in establishing a limiting value for a setpoint, it is better to overestimate uncertainties than to underestimate them. However, when establishing a limiting value for acceptable setpoint deviation, it is better to underestimate uncertainties. The objective of deviation assessment is to confirm that a setpoint has not changed by more than the anticipated amount. Excessive deviation could indicate equipment malfunction or problems with the uncertainty analysis on which the anticipated deviation and other setpoint related limits and parameters have been based. If the magnitude or the anticipated deviation were overestimated, the effectiveness of the assessment would be reduced.

DG-1141, Page 13

Detailed guidance concerning the development of uncertainty analyses and the suitability of the provisions of ANSI/ISA 67.04.01-2006 is provided in the staff regulatory guidance presented in Section C of this RG.

4.4 Uncertainty Data and the 95/95 Criterion Instrument uncertainty calculations are typically based on population statistics, whereas individual elements of uncertainty are typically estimated from finite sets of measured values. A random sample of a population might not be adequately representative of the population as a whole: the mean and standard deviation of a sample are likely to differ from the mean and standard deviation of the population.

The magnitude of the difference depends in part on the size of the sample set - for very large sample sets, this difference might be small enough to be ignored. For smaller sample sets, the population statistical estimates must be more conservative than the observed statistics in order to provide confidence that those estimates do in fact envelop the actual population statistics.

The 95/95 criterion is a criterion for estimating population statistics on the basis of data obtained from a finite sample of the population: The population statistics are estimated so as to ensure a probability of at least 95 percent that at least 95 percent of the members of the population will conform to the estimate.

For a particular element of instrument error, there are an unlimited number of possible instances of that error, so the population is essentially infinite. The 95/95 criterion indicates that the statistics relating to a particular set of known values for that element of error should be adjusted so as to provide a 95 percent probability that 95 percent of all instances of that particular element of error will fall within the adjusted statistics. Many statistics texts include tables of multipliers to be used to convert sample statistics to population estimates for 95/95 and other related criteria.

Vendor data are often presented without reference to whether they meet the 95/95 criterion. Use of such data as if it were 95/95 should be justified. If a vendor is unable to confirm that a particular datum meets the 95/95 criterion, it might be possible for the vendor to provide statistical information concerning the number of items used in the determination of that datum and the manner in which the datum was obtained, to support a statistical analysis to develop an equivalent population value that does meet the 95/95 criterion. See Section C.6c of this RG.

5. Assessing and Maintaining Setpoints 5.1 Setpoint Deviation: Evaluating the As-Found Setpoint (AFT, AV)

The measured value of a setpoint at one point in time might differ slightly from the value measured at another point in time. Such variation might result from random errors in the instrument channel or in the test equipment, from changes in ambient conditions, from drift, or from other causes.

An unexpectedly large deviation 6 could be a symptom of equipment malfunction, or it might indicate that the data or the statistical/mathematical model on which the setpoint limits and parameters were selected might be inaccurate. Excessive deviation might indicate a need for repair or replacement of the associated equipment, or might indicate a need for revision of the associated uncertainty calculations to make them more accurately reflect conditions and equipment performance. Excessive deviation in the conservative direction, while not directly resulting in a challenge to the analytical limit, might nevertheless indicate equipment or analytical problems and therefore might be a matter of concern.

6 Setpoint deviation is the observed change in a setpoint - see the definition in the glossary.

DG-1141, Page 14

As-Found Tolerance (AFT)

Definition:

As-Found Tolerance (+/-AFT): the maximum amount by which the measured setpoint is expected to change over the course of a calibration interval.

Note that the as-found tolerance might be expressed as two separate values (one limit each for positive and negative changes), or, more commonly, as a single number (if the amount of change is the same in both directions).

The as-found tolerance constitutes a limit on the value of the as-found setpoint. Because setpoint deviation in excess of the as-found tolerance could be an indication of incorrect operation, NRC staff considers the as-found tolerance (in combination with the reference value with which it is associated - see below) to constitute a limiting safety system setting as described in 10 CFR 50.36(c)(1)(ii)(A).

Because the probability of deviation in excess of the as-found tolerance cannot reasonably be reduced to zero, occasional instances of this condition are to be expected in a normally functioning instrument channel. Therefore acceptance of a particular instance of deviation in excess of the as-found tolerance requires judgment that this condition is neither acute (the deviation is not so large as to be statistically unlikely) nor chronic (the deviation does not occur more frequently than expected in consideration of its magnitude).

Setpoint deviation is the difference between the value measured at the beginning of a calibration test 7 (the As-Found value, [AsF]) and the measured value at the conclusion of the previous calibration (the previous As-Left setpoint, [pAsL]). However, if certain criteria are met, the as-found value may be assessed against the nominal setpoint rather than against previous as-left value without unacceptable reduction in the effectiveness of the assessment. This is addressed in Section C.7b of this RG.

There is a tradeoff between the effectiveness of detection of malfunction induced deviation and the suppression of false detections. The width of the as-found tolerance interval is key: a narrower interval increases the sensitivity in detection of possible malfunctions, while a wider interval might mask the detection of malfunctions. The interval should be constructed so as to encompass 95 percent of the deviations that are anticipated when there is no malfunction induced deviation. This corresponds to a false detection rate of 5 percent for previous as-left value based evaluations. The NRC staff considers this to be an appropriate balance between detection efficiency and the avoidance of spurious actuations. The use of nominal set point based deviation assessment rather than previous as-left value based assessment can result in a significant increase in the likelihood of spurious actuations.

The AFT-related criteria should be applied to deviations in both directions, nonconservative as well as conservative. Excessive deviation, including excessive deviation in the conservative direction, could indicate the existence of potential problems that require explicit consideration, analysis, and disposition. Excessive deviation in the conservative direction might not indicate that analytical limit is in jeopardy, but it could indicate that the operation of the instrument channel is not as expected and that action is therefore warranted.

7 The second paragraph of Section 6.1 of ANSI/ISA 67.04.01-2006 presents criteria concerning the measurement of asfound value.

DG-1141, Page 15

Allowable Value (AV)

Definition:

allowable value (AV): the least conservative As-Found value for a setpoint, as measured under test conditions, that will provide adequate assurance that the associated actual trippoint will not exceed the analytical limit (or other applicable limiting criterion) under design basis conditions.

If an allowable value is established in accordance with Section C.7e of this RG, the separation between allowable value and the analytical limit or other applicable limit will be sufficient to accommodate uncertainties not in effect at the time allowable value is measured. For example, there will be sufficient margin to accommodate the additional uncertainty that might result from the influence of an earthquake or of extreme environmental conditions. A setpoint found to be less conservative than the allowable value could result in an unacceptably high likelihood that the channel will not initiate needed actions even though the measured variable has exceeded the analytical limit or other established limit.

The allowable value alone cannot provide adequate assessment of setpoint deviation. An allowable value based assessment ignores deviation in the conservative direction, which might indicate instrument or analysis problems. Therefore the use of allowable value does not obviate the need for an as-found tolerance based assessment (see As-Found Tolerance [AFT] above).

The use of an allowable value in technical specifications is optional, because the as-found tolerance based assessment of setpoint deviation provides a similar function. The allowable value need not be computed if it is not used.

5.2 Constraining the AsLeft Setpoint (LSP, NSP, ST)

Limiting Setpoint (LSP)

Definition:

Limiting Setpoint (LSP) 8: the least conservative acceptable value for an asleft setpoint.

The measured value of the setpoint at the conclusion of a surveillance test (the as-left value,

[AsL]) should be limited so as to provide adequate assurance that the actual trippoint will continue to remain conservative relative to the analytical limit until the next surveillance test.

Because a setting less conservative than the limiting setpoint would not provide adequate assurance that the system would operate as required, the NRC staff considers the limiting setpoint to constitute a limiting safety system setting as described in 10 CFR 50.36(c)(1)(ii)(A).

Section 4.4 of ANSI/ISA 67.04.01-2006 indicates that the limiting setpoint should be separated from the analytical limit by an amount not less than the total loop uncertainty (TLU). It identifies the total loop uncertainty as representing expected performance of the instrumentation. Paragraph 3.17 of ANSI/ISA 67.04.01-2006 defines uncertainty as the amount to which an instrument channels output is in doubt due to possible errors Section 4.5 of Reference 7 of ANSI/ISA 67.04.01-2006 addresses the use of the square root of the sum of the squares (SRSS) as an acceptable method for combining uncertainties to find the total loop uncertainty under certain conditions, and indicates that 8 ANSI/ISA 67.04.01 uses the symbol LTSP to represent the limiting value for the nominal setpoint.

DG-1141, Page 16

arithmetic methods should be used when the square root of the sum of the squares is not applicable. None of these provisions, and no other provision of the standard, allows the total loop uncertainty to be established as less than the sum and SRSS combination, as appropriate, of the individual uncertainty elements, nor does any provision of the standard allow separation of the limiting setpoint from the analytical limit by any amount less than the total loop uncertainty.

The NRC staff agrees that the limiting setpoint should be separated from the analytical limit by an amount not less than the total loop uncertainty, and that it is not appropriate to reduce the total loop uncertainty to any value less than the sum and SRSS combination, as appropriate, of the individual uncertainty elements. See Section C.4c(1) of this RG.

Because the limiting setpoint is intended to be used as a limit on the as-left setting, it is applied after adjustment of the setpoint and thus after the setting tolerance (see below) has been used. Therefore, it is not necessary for the setting tolerance to be included in total loop uncertainty for the purpose of establishing the limiting setpoint. This is contrary to items 4.4a4 and 4.5.4 of ANSI/ISA 67.04.01-2006, and can result in a small difference between the limiting trip setpoint (LTSP) as defined in the standard and limiting setpoint as defined in this RG. However, the strict application of the provisions of items 4.4a4 and 4.5.4 of ANSI/ISA 67.04.01-2006 (that is, the inclusion of setting tolerance in the development of total loop uncertainty and of limiting trip setpoint) would increase the degree of conservatism in the limiting setpoint and would therefore be acceptable.

One consequence of the 95/95 criterion is that there will be a 95 percent probability 9 that the actual trippoint for an instrument loop will differ from the As-Left setting by as much as - but not more than - the total loop uncertainty. Figure 2 illustrates this point for an As-Left setting equal to the limiting setpoint and with bias in the actual trippoint (ATP) distribution. Because the random measurement errors are typically disposed symmetrically about zero, those errors are equally likely to place the actual trippoint at a value that is more conservative than intended as they are to place it at a less conservative value. Therefore only half of the anticipated errors will result in an actual trippoint that is beyond the analytical limit. The 95/95 criterion thus results in a probability of not more than 21/2% that the analytical limit will be exceeded as a result of measurement error. This is independent of the shape of the actual trippoint distribution.

If the total loop uncertainty is large enough that separating the limiting setpoint from the analytical limit by the full magnitude of the total loop uncertainty would result in operational problems or excessive spurious actuations, consideration should be given to the use of alterative instrumentation schemes or equipment, to the use of more accurate test equipment or shorter calibration intervals, and to other remedies. Reduction in the separation between the analytical limit and limiting setpoint to anything less than the full value of total loop uncertainty, however, should be strongly avoided.

Nominal Setpoint and Setting Tolerance (NSP, ST)

Definitions:

Nominal Setpoint (NSP) 10: the target value for an as-left setpoint.

9 Unless otherwise indicated, all probabilities cited in this regulatory guide refer strictly to probabilities that result solely from uncertainties in ATP. Equipment failure and software errors will increase the net probability of failure beyond the numbers presented here.

10 ANSI/ISA 67.04.01 uses the symbol NTSP to represent the nominal setpoint.

DG-1141, Page 17

Setting Tolerance (ST): the amount by which the as-left setting is permitted to differ from the nominal setpoint.

Section 4.5.4 of ANSI/ISA 67.04.01-2006 refers to an As-Left band or tolerance to be included in the total loop uncertainty such that leaving the equipment anywhere in the As-Left band will assure a trip before the AL is reached. This as-left band corresponds to the NSP+/-ST as described above and as shown in Figure 1. In the approach described in this RG, the analytical limit is protected by the limiting setpoint, not by the setting tolerance. This accounts for extra margin that is sometimes provided between the limiting setpoint and the nominal setpoint but that is not accommodated in the approach described in the cited paragraph in the standard.

The nominal setpoint and setting tolerance are not usually of regulatory concern except in the case of assessment of an as-found setpoint against the nominal setpoint rather than against the previous as-left value, as described in Section C.7b of this RG and in the associated discussion in Section B of this RG.

100%

97.5%

95%

95% of random errors within 95/95 limits 50%

2.5% of 2.5% of random errors random errors outside 95/95, outside 95/95, within AL beyond AL LSP AL bias random Total Loop Uncertainty Figure 2: Trippoint Probability Distribution NOTE: Figure 2 is constructed for illustrative purposes, using a simple Gaussian distribution for the actual trippoint. The mean and standard deviation are modeled as fixed Gaussian parameters. In actuality, these values would be computed on the basis of estimated uncertainties which are themselves derived from limited sample sets, as described above. Therefore the actual trippoint distribution will be wider than the idealized Gaussian distribution presented in the figure, and the trip probability curve will be correspondingly lower. The figure presents an ideal case, and shows the importance of separating the limiting setpoint from the analytical limit by an amount not less than the total loop uncertainty.

DG-1141, Page 18

6. Harmonization with International Standards The NRC staff has reviewed guidance available from the international community including the International Atomic Energy Agency (IAEA) and did not identify any standards that provide guidance with additional detail, rigor, or flexibility, in ways consistent with NRC regulations that would be useful to NRC staff, applicants, or licensees.

International Electrotechnical Commission (IEC) Standard 61888, Nuclear power plants -

Instrumentation important to safety - Determination and Maintenance of Trip Setpoints (Ref. 18),

presents guidance similar to that found in an earlier version of ANSI/ISA 67.04.01. IEC 61888 is, in some areas, less rigorous than ANSI/ISA 67.04.01-2006. This RG does not endorse IEC 61888.

7. Documents Discussed in Staff Regulatory Guidance This RG endorses, in part, the use of one or more codes or standards developed by external organizations, and other third party guidance documents. These codes, standards and third party guidance documents may contain references to other codes, standards or third party guidance documents (secondary references). If a secondary reference has itself been incorporated by reference into NRC regulations as a requirement, then licensees and applicants must comply with that standard as set forth in the regulation. If the secondary reference has been endorsed in a RG as an acceptable approach for meeting an NRC requirement, then the standard constitutes a method acceptable to the NRC staff for meeting that regulatory requirement as described in the specific RG. If the secondary reference has neither been incorporated by reference into NRC regulations nor endorsed in a RG, then the secondary reference is neither a legally-binding requirement nor a generic NRC approved acceptable approach for meeting an NRC requirement. However, licensees and applicants may consider and use the information in the secondary reference, if appropriately justified, consistent with current regulatory practice, and consistent with applicable NRC requirements.

DG-1141, Page 19

C. STAFF REGULATORY GUIDANCE Section B, Discussion presents clarifying and background information concerning the following staff regulatory guidance positions. These staff regulatory guidance positions presume adherence to those definitions and practices.

1. Safety Limits and Analytical limits

a. Analytical limits and other limits which prevent safety limits from being exceeded constitute surrogate safety limits.

b. Setpoints that prevent surrogate safety limits from being exceeded are subject to the same limits and criteria as setpoints that protect safety limits directly.

2. Setpoint Criteria for Technical Specifications

a. This RG describes an acceptable method for the development of limits used in setpoint related technical specifications. All setpoint related technical specification limits should be at least as conservative as values derived in accordance with this RG.

b. Failure to meet a setpoint as-found or as-left criterion should be taken as an indication that the instrument channel is not functioning as required, and that appropriate corrective actions should therefore be initiated. Such actions may be established in the plant technical specifications, and may include immediate shutdown of the reactor. In addition, the uncertainty analyses used to establish the criterion should be reevaluated to confirm that the data, assumptions, and methodology are appropriate and that the results conservatively bound the expected operation of the channel.

3. The Applicability of ANSI/ISA 67.04.01-2006

a. Subject to the clarifications, modifications, and additional guidance in this RG, industry standard ANSI/ISA 67.04.01-2006 describes an acceptable approach for computing the total loop uncertainty and the limiting setpoint, for establishing performance test requirements and acceptance criteria, and for documenting setpoint related and uncertainty information. This standard does not address all of the issues addressed in this RG, and therefore conformance to the standard alone might not be sufficient for meeting regulatory requirements.

b. Clarifications of, modifications of, and additions to the provisions of ANSI/ISA 67.04.01-2006 are presented immediately below and also in conjunction with other regulatory provisions as deemed appropriate by NRC staff.

(1) Sections 1 and 2: The purpose and scope of this RG are broader than those of ANSI/ISA 67.04.01-2006.

(2) Section 3: The terminology used in this RG is as described in Setpoint Related Limits and Parameters in Section B and in the Glossary. Although not necessarily in accordance with the terminology used in this RG, the definitions in Section 3 of the industry standard might be useful in interpreting the provisions of the industry standard.

DG-1141, Page 20

(3) Sections 4.1 and 4.2: These sections describe safety and analytical limit. These terms are also defined in Section 3. The definitions for the purposes of this RG are as presented in this RG.

(4) Section 4.3: The third bullet in this section uses the term actual trip setpoint.

This should not be confused with the term actual trippoint as defined and used in this RG. This point is discussed in more detail under Setpoint Related Limits and Parameters in this RG.

(5) Section 4.3: Figure 1 in this RG should be used in lieu of the figure in the industry standard.

(6) Sections 4.4 and 4.5 are addressed in Sections C.4 and C.8 of this RG.

(7) Sections 4.6 and 6 are addressed in Sections C.4 and C.7 of this RG.

(8) Section 5: The second sentences of items 5a and 5b in ANSI/ISA 67.04.01-2006 should both read The documentation should include, as applicable, rather than may include, as appropriate (emphasis added).

4. Uncertainty Analyses

a. An uncertainty analysis should be prepared and documented for each setpoint to which this RG applies. Each uncertainty analysis should explicitly compute the total loop uncertainty, the limiting setpoint, the as-found tolerance, and other setpoint related limits and parameters as appropriate.

b. The data used in uncertainty analyses should meet the provisions of Section C.6, Uncertainty Data and the 95/95 Criterion of this RG.

c. The provisions of Sections 4.4, 4.5, and 4.6, and of applicable portions of Section 6, of industry standard ANSI/ISA 67.04.01-2006 constitute a reasonable approach to uncertainty analyses, subject to the clarifications, modifications, and additional guidance provided below and in other staff regulatory guidance positions.

(1) Section 4.4: The limiting setpoint should be separated from the analytical limit by no less than the total loop uncertainty, and the total loop uncertainty should be computed as not less than the sum and SRSS combination, as appropriate, of the individual uncertainty elements. For the purpose of establishing the limiting setpoint, the total loop uncertainty does not need to include the setting tolerance.

See Limiting Setpoint (LSP) in this RG.

(2) Sections 4.4c, 4.4d & 4.5.3: Time related uncertainties should be determined by linear extrapolation of the uncertainty specification, not by the SRSS of multiple intervals.

EXAMPLE: 1% per 6 months for 1 year => 1%+1% = 2%,

not SRSS(1%,1%) = = 1.4%

(3) Section 4.4g: Consideration of dynamic effects should include dynamic effects related to the relationship between the parameter of interest and the parameter DG-1141, Page 21

actually sensed by the instrument, as well as consideration of the time required for a demand signal to result in the needed action. Some examples include:

transport delays associated with the sensing line; delays related to the physical process whereby the parameter of interest is realized at the sensing instrument; and time required for actuated equipment (such as a large gate valve) to perform its safety function. Delays already accounted for in the safety analyses should be recognized in the uncertainty analyses, with a brief description of how they have been accounted for.

(4) Section 4.5, paragraph 2: Square Root of the Sum of the Squares (SRSS) is acceptable for combining uncertainties only if the uncertainties are statistically independent and are based on normal probability distributions that provide adequate coverage of the underlying data. Other techniques mentioned in this paragraph are not formally defined and are therefore not endorsed by NRC staff.

Regardless of the method used to combine uncertainties in any particular computation, the suitability of that method for the particular application should be explained and justified.

(5) Section 4.5, paragraph 3: The NRC has not endorsed any edition of ANSI/ISA RP67.04.02. Reference to any edition of ANSI/ISA RP67.04.02 does not constitute sufficient indication of conformance to any regulatory requirement.

See the paragraph titled Documents Discussed in Staff Regulatory Guidance in Section B of this RG.

(6) Section 6.1, paragraph 3: In addition: If observations suggest that assumed distributions or statistical parameters do not accurately represent instrument performance, those distributions and parameters should be corrected as appropriate, the affected uncertainty analyses should be revised on the basis of the corrected information, and the setpoint related limits and technical specifications should be modified accordingly.

(7) Section 6.2: In addition: Changes in test procedures, surveillance intervals, test equipment, or any other item addressed in the uncertainty analyses should be reflected in revised uncertainty analyses and associated changes in the setpoint related limits unless it is shown that the likelihood of an actual trippoint in excess of the analytical limit would not be increased if the limits were to remain unchanged.

(8) Section 6.2: If an instrument channel is modified so as to become more accurate, reduction in the margin between the limiting setpoint and the analytical limit is optional. However, because improved accuracy is likely to reduce the expected deviation, the as-found tolerance should be revised accordingly or the lack of need for adjustment should be justified and documented.

d. Uncertainty analyses should account for all sources of error and uncertainty in the operation of each device, including the effects of digital quantization and digital signal processing, aliasing effects, the effects of electrical noise and other environmental influences, the effects addressed in section 4.4 of ANSI/ISA 67.04.01-2006, and any other effects that might influence the accuracy with which a device performs its safety function.

DG-1141, Page 22

e. Each uncertainty analysis should explicitly identify and justify all details of the analysis, including, as a minimum:

(1) a description of the basis for the selection of the associated analytical limit(s);

(2) the specific modeling and assumptions used in the analysis (including assumed probability distributions and associated parameters, the bases for the selection of the assumed distributions and parameters, and the manner of ensuring that all uncertainty data are consistent with appropriate confidence criteria);

(3) references to each industry, corporate, and site specific standard and procedure used in the analysis; (4) the basis for the treatment of each uncertainty element for each device as bias or random; (5) the sources of all data, including both uncertainty data and the values used for analytical limit; and (6) the basis for the selection of the time periods used to estimate drift or other time related uncertainties for each component - such time periods should include allowances for delays beyond the established normal time periods.

f. The assumptions used in each uncertainty analysis should be consistent with the plant safety analyses and with all applicable surveillance test procedures, test acceptance criteria, test scheduling, test equipment, plant environmental conditions, and other factors involved in the demonstration that safety is adequately protected.

g. Uncertainty analyses should show that elements combined by means of the square root of the sum of the squares are statistically independent, and that they are either normally distributed or bounded by a normal distribution. For uncertainties having a non-normal distribution, the analyses should use the parameters of the enveloping normal distribution rather than those of the enveloped non normal distribution - otherwise, the analysis should include demonstration of the statistical validity of the approach used.

h. The basis for assumed distributions and statistical parameters should be specified and justified. A calibration monitoring program should be implemented to support periodic validation of the assumptions and to reveal cases in which assumptions might have been inaccurate and corrective actions might be needed.

i. Setpoint related limits that are not generally subject to NRC review - such as for setpoints in a setpoint control program under NRC Technical Specifications Task Force Traveler TSTF-493, Clarify Application of Setpoint Methodology for Limiting Safety System Settings, option B, (Ref. 19) controlled under 10 CFR 50.59, Changes, Tests, and Experiments - should be developed in accordance with a methodology that conforms to this or a later version of this RG. Prior NRC reviews not based on this or a later version of this RG might have been application specific, and might not have addressed these provisions adequately to support applications outside the original context.

DG-1141, Page 23

j. Methodologies used in the performance of uncertainty analyses and in the derivation of setpoint related limits and parameters should be sufficiently explicit, quantitative, and unambiguous to ensure that multiple analysts working independently will come to the same conclusions concerning each setpoint related limit or parameter for each instrument loop.

5. Graded Uncertainty Analyses

a. Any setpoint that falls under the defined scope of this RG should be considered to be of the highest grade and therefore should be subject to full analytical rigor.

b. Simplified analyses may be used for setpoints that fall within the scope of this RG if it is demonstrated that the resulting setpoints and related limits will be no less conservative than they would be if he simplifications were not applied, and if suitable justification is provided that the methodology meets the regulatory criteria presented in this RG.

c. Grading should not be applied to setpoints that initiate safety functions.

d. This RG does not endorse the grading criteria presented in the opening paragraphs of section 4 of ANSI/ISA 67.04.01-2006 or in ISA TR67.04.09.

6. Uncertainty Data and the 95/95 Criterion

a. Uncertainty data should be modeled using population statistics based on the 95/95 criterion as described under Uncertainty Data and the 95/95 Criterion in this RG. This applies to the individual uncertainty elements for each device and to all intermediate and final statistical results.

b. It is generally assumed that setpoint errors are distributed normally, or that if they are not distributed normally, that they can be conservatively enveloped by a normal distribution with suitable parameters. It is important that the assumed distribution be wide enough (that is, have a sufficiently large variance) and include appropriate bias to ensure that there is at least a 95 percent probability that the distribution encompasses at least 95 percent of all credible observations. The assumed or enveloping distribution affects the values of the uncertainty parameters and is affected by the amount and quality of the data on which the distribution is based.

c. Use of statistical estimates or parameters that do not meet the 95/95 criterion should be justified, and the resulting setpoint limits should be shown to be consistent with the staffs intent to achieve assurance that analytical limit will be protected. This justification should include the basis for the correction factors used to estimate population statistics from sample observations. The justification should also include demonstration that the negative impact on plant safety is acceptably small.

d. All data used in the uncertainty calculations should be adjusted as appropriate to adequately represent population statistics.

e. For channel performance uncertainty data that are typically not based on a large number of observations, such as device performance data relating to post accident or seismic conditions, the NRC staff expects licensees and applicants to account for such values in DG-1141, Page 24

the form of bounding estimate values, accompanied by supporting analyses that demonstrate the bounding values to be appropriate.

f. For some uncertainties under some conditions, it might be appropriate to assert that the error bias is zero even though the mean of the observed values is not zero. Because the standard deviation is a measure of the deviation from the mean, an assertion of zero mean will affect the standard deviation, generally requiring a larger value than might otherwise be needed. Assertions of zero mean and the associated treatment of standard deviation should be justified.

7. Setpoint Deviation: Evaluating the As-Found Setpoint The provisions of Sections 4.6 and 6 of ANSI/ISA 67.04.01-2006 are suitable for the assessment of As-Found setpoints, subject to the clarifications, modifications, and additional guidance provided below and in other staff regulatory guidance positions:

a. The limiting value for acceptable setpoint deviation, the as-found tolerance, should be computed in the setpoint uncertainty analysis.

b. Setpoint deviation is the difference between the as-found value of the setpoint and the previous as-left value. Setpoint deviation may be computed as the difference between the as-found value of the setpoint and the nominal setpoint if all of the following conditions are met: 11 (1) The setting tolerance should be less than the as-found tolerance.

(2) The total loop uncertainty should include the setting tolerance, or the setting tolerance should be included as a bias term in additional margin between the nominal setpoint and limiting setpoint.

(3) The as-found tolerance may include either the setting tolerance or the uncertainties included in the setting tolerance, but should not include both.

c. In addition to the provisions of Section 6.1 of the industry standard: If the magnitude of an observed deviation exceeds the as-found tolerance but this deviation is determined to be neither acute nor chronic and therefore to be acceptable, the basis for that determination should be justified and documented. The justification should address the magnitude of the present deviation and of past deviations, in particular addressing all past deviations in excess of the as-found tolerance. The justification should include consideration of the probability that the deviation of the observed magnitude might occur in a properly functioning channel, given the properties of the associated probability distributions. The justification should also include consideration of any similar events concerning substantially similar plant devices.

d. The as-found tolerance should be established so as to provide a high degree of assurance that malfunction induced deviations will be detected.

11 These conditions differ slightly from those presented in RIS 2006-017.

DG-1141, Page 25

(1) The as-found tolerance should not be overestimated. Unlike setpoint uncertainty, a conservative estimate of the as-found tolerance would be smaller so that excessive deviations would be more likely to be detected.

(2) The as-found tolerance should include only those uncertainty components which are applicable to the as-found value measurement at the time the measurement is taken.

(3) If the assessment of the as-found value is based on the nominal setpoint rather than on the previous as-left value, the staff expects that the licensee will establish suitable practices to ensure that the resulting high incidence of false detections will not compromise the credibility of the assessment or result in spurious actuations to an extent that could have an adverse impact on safety related equipment or could cause other effects detrimental to the overall safety of the plant.

e. The allowable value may be used as an additional basis for assessment of the as-found setpoint, but is not suitable as a substitute for the as-found tolerance based assessment described above. Use of allowable value alone would ignore excessive deviation in the conservative direction, and therefore is not adequate as an indication of proper channel operation.

(1) Allowable values that are used as technical specification limits should be selected in such a manner as to provide adequate assurance that the actual trippoint will be conservative relative to the associated analytical limit (or other applicable criterion) when the measured setpoint is equal to the allowable value and all conditions that might contribute to uncertainty in the actual trippoint are in effect.

(2) The allowable value should be conservative relative to the analytical limit by an amount sufficient to accommodate all uncertainties not present at the time of testing. For example, the separation between the allowable value and the analytical limit should include allowances for seismic effects, for the effects of extreme environments, and for any other conditions that could influence the actual trippoint but that are not present at the time of testing.

(3) The final paragraph of Section 4.6 of ANSI/ISA 67.04.01-2006 states: If an AV is included [in the technical specifications], it should be an upper limit of a performance test acceptance criterion. The NRC staff agrees that the acceptance criteria should be no less conservative than the allowable value if allowable value is included in the technical specifications. Staff also observes that the limits related to setpoint deviation might be more conservative than the allowable value. The more conservative limit should always be used.

8. Constraining the As-Left Setpoint

a. The provisions of Sections 4.4 and 4.5 of ANSI/ISA 67.04.01-2006 are suitable for the selection of limiting setpoints, subject to the clarifications, modifications, and additional guidance in this RG.

b. The limiting setpoint, the limiting value for the as-left setpoint, should be more conservative than the analytical limit by an amount not less than the total loop DG-1141, Page 26

uncertainty. The total loop uncertainty and the limiting setpoint should be explicitly computed in the setpoint uncertainty analysis. If the limiting setpoint is separated from the analytical limit by an amount less than the total loop uncertainty, the licensee should provide justification showing that the resulting increase in the probability of operation beyond the analytical limit will not significantly degrade plant safety.

c. The As-Left setpoint should be no less conservative than the limiting setpoint.

d. As used to determine the limiting setpoint, the total loop uncertainty does not need to include setting tolerance. If the setting tolerance is included in the total loop uncertainty but is not to be included in the determination of the limiting setpoint, then, for the purpose of determining the limiting setpoint, the setting tolerance should be removed from the total loop uncertainty by the same process by which it was included - in particular, if it was included in the total loop uncertainty by means of the square root of the sum of the squares, it should be removed by reversal of the square root of the sum of the squares process rather than by simple subtraction.

DG-1141, Page 27

D. IMPLEMENTATION The purpose of this section is to provide information on how applicants and licensees 12 may use this guide and information regarding the NRCs plans for using this RG. In addition, it describes how the NRC staff complies with 10 CFR 50.109, Backfitting and any applicable finality provisions in 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants.

Use by Applicants and Licensees Applicants and licensees may voluntarily 13 use the guidance in this document to demonstrate compliance with the underlying NRC regulations. Methods or solutions that differ from those described in this RG may be deemed acceptable if they provide sufficient basis and information for the NRC staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations.

Current licensees may continue to use guidance the NRC found acceptable for complying with the identified regulations as long as their current licensing basis remains unchanged.

Licensees may use the information in this RG for actions which do not require NRC review and approval such as changes to a facility design under 10 CFR 50.59, Changes, Tests, and Experiments.

Licensees may use the information in this RG or applicable parts to resolve regulatory or inspection issues.

Use by NRC Staff The NRC staff does not intend or approve any imposition or backfitting of the guidance in this RG. The NRC staff does not expect any existing licensee to use or commit to using the guidance in this RG, unless the licensee makes a change to its licensing basis. The NRC staff does not expect or plan to request licensees to voluntarily adopt this RG to resolve a generic regulatory issue. The NRC staff does not expect or plan to initiate NRC regulatory action which would require the use of this RG. Examples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the RG, requests for information under 10 CFR 50.54(f) as to whether a licensee intends to commit to use of this RG, generic communication, or promulgation of a rule requiring the use of this RG without further backfit consideration.

During regulatory discussions on plant specific operational issues, the staff may discuss with licensees various actions consistent with staff positions in this RG, as one acceptable means of meeting the underlying NRC regulatory requirement. Such discussions would not ordinarily be considered backfitting even if prior versions of this RG are part of the licensing basis of the facility. However, unless this RG is part of the licensing basis for a facility, the staff may not represent to the licensee that the licensees failure to comply with the positions in this RG constitutes a violation.

If an existing licensee voluntarily seeks a license amendment or change and (1) the NRC staffs consideration of the request involves a regulatory issue directly relevant to this new or revised RG and (2) the specific subject matter of this RG is an essential consideration in the staffs determination of the acceptability of the licensees request, then the staff may request that the licensee either follow the 12 In this section, licensees refers to licensees of nuclear power plants under 10 CFR Parts 50 and 52; and the term applicants, refers to applicants for licenses and permits for (or relating to) nuclear power plants under 10 CFR Parts 50 and 52, and applicants for standard design approvals and standard design certifications under 10 CFR Part 52.

13 In this section, voluntary and voluntarily means that the licensee is seeking the action of its own accord, without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action.

DG-1141, Page 28

guidance in this RG or provide an equivalent alternative process that demonstrates compliance with the underlying NRC regulatory requirements. This is not considered backfitting as defined in 10 CFR 50.109(a)(1) or a violation of any of the issue finality provisions in 10 CFR Part 52.

Additionally, an existing applicant may be required to comply with new rules, orders, or guidance if 10 CFR 50.109(a)(3) applies.

If a licensee believes that the NRC is either using this RG or requesting or requiring the licensee to implement the methods or processes in this RG in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfit appeal with the NRC in accordance with the guidance in NUREG-1409, Backfitting Guidelines, (Ref. 20) and the NRC Management Directive 8.4, Management of Facility-Specific Backfitting and Information Collection (Ref. 21).

DG-1141, Page 29

GLOSSARY 95/95 criterion - a criterion for estimating population statistics on the basis of data obtained from a finite sample of the population.

Actual trippoint (ATP) - the value of the process variable at which a channel actually does trip under operating conditions (including design basis conditions). Because of the unavoidable presence of measurement uncertainty, ATP is a random, rather than a fixed, value.

(See related discussion under Setpoint Related Limits and Parameters) Sometimes referred to as Trippoint. Compare with setpoint. The actual trippoint should not be confused with the phrase Actual Trip Setpoint that appears in ISA 67.04.01-2006 and refers to a related but not identical concept.

Allowable value (AV) - the least conservative as-found value for a setpoint, as measured under test conditions, that will provide adequate assurance that the associated actual trippoint will not exceed the analytical limit (or other applicable limiting criterion) under design-basis conditions.

Analytical limit (AL) - the value of a measured variable at which a corrective action is assumed to be initiated in a plant safety analysis (see footnote 3).

As-found setpoint (AsF) - the value of a setpoint measured at the beginning of a surveillance test.

As-found tolerance (AFT) - the maximum amount by which the measured setpoint is expected to change over the course of a calibration interval.

As-left setpoint (AsL) - the value of a setpoint measured at the end of a surveillance test.

Deviation - (sometimes referred to as setpoint deviation) - the amount of change in a setpoint during the interval between scheduled setpoint assessments. This is the difference between the as-found value and the previous as-left value.

NOTE - Deviation should not be confused with drift. Drift generally includes only time related change and specifically excludes other influences such as changes in ambient temperature and the influence of measurement and test equipment uncertainty. Drift is generally measurable only under strictly controlled laboratory conditions. Under certain circumstances, the nominal setpoint may be used in lieu of previous as-left value in the determination of setpoint deviation.

Drift - see the related (but not equivalent) term deviation.

Limiting safety system setting (LSSS) - defined in 10 CFR 50.36(c)(1)(ii)(A) - Limiting safety system settings for nuclear reactors are settings for automatic protective devices related to those variables having significant safety functions.

Limiting setpoint (LSP, LTSP) - the least conservative acceptable value for an As-Left setpoint.

Section 3.15 of ANSI/ISA 67.04.01 uses the symbol LTSP to represent a similar value, but LSP as used in this RG applies to the as-left value whereas LTSP as used in the standard applies to the nominal setpoint.

Nominal setpoint (NSP, NTSP) - the target value for an As-Left setpoint. Section 3.16 of ANSI/ISA 67.04.01 uses the symbol NTSP to represent this value.

DG-1141, Page 30

Plant safety analysis - an analysis showing the consequences of an anticipated abnormal event (see footnote 3).

Previous as-left setpoint (pAsL) - the As-Left value of the setpoint at the conclusion of the previous surveillance test.

Safety limit (SL) - defined in 10 CFR 50.36(c)(1)(i)(A) - Safety limits for nuclear reactors are limits upon important process variables that are found to be necessary to reasonably protect the integrity of certain of the physical barriers that guard against the uncontrolled release of radioactivity.

Setpoint - the value of the process variable at which a channel is observed to trip under test or calibration conditions, or is intended to trip under operating or design basis conditions. (as opposed to the value at which the trip actually does occur under operating conditions) (See also the related discussion under Setpoint Related Limits and Parameters. Compare with actual trippoint.)

Setting tolerance (ST) - the amount by which the as-left setting is permitted to differ from the nominal setpoint.

Sometimes referred to as As-Left Tolerance, or ALT. The range of acceptable as-left setpoint values is sometimes referred to as an as-left tolerance band or by similar language.

Such designations generally include both the setting tolerance and the nominal setpoint value to which it applies.

NOTE: The regulatory limit for the as-left value is the limiting setpoint, regardless of the values associated with the as-left tolerance band. See Section C.8 of this RG.

Square Root of the Sum of the Squares (SRSS) - the means by which the standard deviations of random variables are combined to find the standard deviation of the sum of those variables.

If A, B, C, and D are random variables with corresponding standard deviations a, b, c, and d, and if A = B+C+D, then a = SRSS(b,c,d) = .

Total loop uncertainty (TLU) - a measure of the amount by which an actual trippoint at the end of the device service interval may differ from the setpoint measured at the beginning of the service interval, in consideration of all credible influences, drift, environmental variation, seismic influence, etc. TLU is defined in Section 4.4 of ANSI/ISA 67.04.01 2006. As described in the discussion of LSP in this RG, ST may be omitted from TLU as used for determination of LSP.

Trippoint - See Actual Trippoint.

Uncertainty analysis - the analysis of uncertainties relating to a setpoint, by which the limiting setpoint, the as-found tolerance, and other setpoint related limits and parameters are derived.

DG-1141, Page 31

REFERENCES 14

1. Code of Federal Regulations (CFR), Title 10, Energy, Part 50, Domestic Licensing of Production and Utilization Facilities

2. CFR, Title 10, Energy, Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants

3. Institute of Electrical and Electronics Engineers (IEEE) standard (Std.) 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, Piscataway, NJ, 1971. 15

4. IEEE Std. 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (including the correction sheet dated January 30, 1995), Piscataway, NJ, 1995.

5. NRC, RG 1.30, Requirements for the Installation, Inspection, and Testing of Instrumentation and Electric Equipment NRC, Washington, DC.

6. NRC, NUREG-1430, Standard Technical Specifications - Babcock and Wilcox Plants Washington, DC.

7. NRC, NUREG-1431, Standard Technical Specifications - Westinghouse Plants Washington, DC.

8. NRC, NUREG-1432, Standard Technical Specifications - Combustion Engineering Plants Washington, DC.

9. NRC, NUREG-1433, Standard Technical Specifications - General Electric Plants (BWR/4)

Washington, DC.

10. NRC, NUREG-1434, Standard Technical Specifications - General Electric Plants (BWR/6)

Washington, DC.

11. NRC, Regulatory Issue Summary (RIS) 2006-017, NRC Staff Position on the Requirements of 10 CFR 50.36, Technical Specifications, Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels, Washington, DC, 2006. (ADAMS Accession No. ML051810077)

12. American National Standards Institute (ANSI)/International Society of Automation (ISA)

Standard (Std.) 67.04.01-2006 (R2011), Setpoints for Nuclear Safety Related Instrumentation, ISA, Research Triangle Park, NC, 2010. 16 14 Publicly available NRC published documents are available electronically through the NRC Library on the NRCs public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRCs Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html. The documents can also be viewed online or printed for a fee in the NRCs Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

15 Copies of Institute of Electrical and Electronics Engineers (IEEE) documents may be purchased from the Institute of Electrical and Electronics Engineers Service Center, 445 Hoes Lane, PO Box 1331, Piscataway, NJ 08855 or through the IEEEs public Web site at http://www.ieee.org/publications_standards/index.html.

DG-1141, Page 32

13. ANSI/ISA 67.04, Part 1-1994, Setpoints for Nuclear Safety-Related Instrumentation, ISA, Research Triangle Park, NC, 1995.

14. ANSI/ISA, RP67.04.02-2010, Methodologies for the Determination of Setpoints for Nuclear Safety Related Instrumentation, ISA, Research Triangle Park, NC. 2010

15. ANSI/ISA, TR67.04.08-1996, Setpoints for Sequenced Actions, ISA Research Triangle Park, NC, 1996.

16. ISA, TR67.04.09-2005, Graded Approaches to Setpoint Determination, ISA, Research Triangle Park, NC, 2005.

17. NRC, RG 1.118, "Periodic Testing of Electric Power and Protection Systems," NRC, Washington, DC.

18. International Electrotechnical Commission (IEC), Standard (Std.) 61888, "Nuclear power plants-Instrumentation Important to Safety - Determination and Maintenance of Trip Setpoints," Rev. 1, IEC, Geneva, Switzerland, 2002 17

19. NRC, Technical Specifications Task Force Traveler TSTF-493, Clarify Application of Setpoint Methodology for Limiting Safety System Settings, Option B, Washington, DC.

(The NRC Notice of Availability for TSTF 493 Revision 4 was issued on May 11, 2010, in Federal Register Notice 75 FR 26294. It is also available in ADAMS at accession No.

ML093410581)

20. NRC, NUREG-1409, Backfitting Guidelines, Washington, DC. (ADAMS Accession No. ML032230247)

21. NRC, Management Directive 8.4, Management of Facility-Specific Backfitting and Information Collection, NRC, Washington DC.

16 Copies of International Society of Automation (ISA) documents may be obtained through their Web site at www.isa.org or by writing to the International Society of Automation, 67 T.W. Alexander Dr., P.O. Box 12277, Research Triangle Park, NC 27709, by E-Mail at info@isa.org, by phone at (919) 549-8411, or fax at (919) 549-8288 17 Copies of IEC documents may be obtained from the International Electrotechnical Commission, at 3 rue de Varembé, P O Box 131, CH 1211 Geneva 20, Switzerland. The IEC can be contacted by phone at +41 22 919 02 11, by fax at +41 22 919 03 00, by e-mail to inmail@iec.ch , or through their Web site at http://www.iec.ch.

DG-1141, Page 33

ML14149A361

Text

Navigation menu

Search