ML17233A166

Comment (11) on Jerud Hanson on Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems
ML17233A166
Person / Time
Site: Nuclear Energy Institute
Issue date: 08/16/2017
From: Hanson J
Nuclear Energy Institute
To: Cindy Bladey
Rules, Announcements, and Directives Branch
References
82FR30913 00011, NRC-2017-0154, RIS-02-022


Text

Page 1 of 1 As of: 8/17/17 9:11 AM

PUBLIC SUBMISSION

Received: August 16, 2017
Status: Pending_Post
Tracking No. lkl-8y4k-kpk7
Comments Due: August 16, 2017
Submission Type: Web

Docket: NRC-2017-0154
Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems

Comment On: NRC-2017-0154-0003
Clarification of Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems; Extension of Comment Period on Draft Regulatory Issue Summary

Document: NRC-2017-0154-DRAFT-0011
Comment on FR Doc# 2017-16153

Submitter Information
Name: Jerud Hanson
Submitter's Representative: Anya Barry
Organization: Nuclear Energy Institute

General Comment
See attached file(s)

Attachments
08-16-17_NRC_NEI 17-XX-Industry-Comments-NEI-Cover Letter
08-16-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-General Comments_Attachment1
08-16-17_NRC_NEI_17-xx-Consolidated Industry Comment-8-16-17-Editorial Comments_Attachment2
08-17-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-Clarification Comments_Attachment3

SUNSI Review Complete

Template = ADM-013
E-RIDS = ADM-03

JERUD E. HANSON
Senior Project Manager, Life Extension & New Technology
1201 F Street, NW, Suite 1100
Washington, DC 20004
NUCLEAR ENERGY INSTITUTE
P: 202.739.8053
jeh@nei.org
nei.org

August 16, 2017

Ms. Cindy Bladey
Mail Stop: TWFN-8 D36M
Office of Administration
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject: NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)

Project Number: 689

Dear Ms. Bladey:

The Nuclear Energy Institute (NEI)[1] and the industry appreciate the opportunity to provide integrated industry comments on the Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22. The purpose of this RIS is to clarify the NRC's endorsement of NEI 01-01 by providing additional guidance for preparing and documenting the "qualitative assessment" used to provide reasonable assurance that a digital modification will exhibit a low likelihood of failure, which is a key element in 10 CFR 50.59, "Changes, tests and experiments," evaluations of whether the change requires prior NRC approval. This RIS supports our mutual interest in more efficient and effective licensing of digital upgrades across the operating fleet and we look forward to issuance in the third quarter of 2017. Our principal comments are included below and more detailed comments are presented in the attachments for consideration by the NRC staff.

We appreciated the opportunity to participate in a public meeting to conduct a tabletop exercise utilizing the draft RIS 2002-22 Supplement for Digital I&C upgrades at nuclear power reactor facilities under 10 CFR 50.59 on August 2, 2017. The draft RIS provided an effective framework for conducting digital upgrades within the scenarios that were demonstrated.

[1] The Nuclear Energy Institute (NEI) is the organization responsible for establishing unified industry policy on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations and entities involved in the nuclear energy industry.


Application to safety-related systems

The scope of the RIS and attachment should be clearly stated as intended to be used for safety-related systems only. It should be clear that the RIS could, or might be used as guidance for non-safety related upgrades only if desired by licensees. Therefore, industry requests that the RIS should provide sufficient clarity to avoid an interpretation that it is viewed as "mandatory" for non-safety related systems. Comment #1 within attachment #1, provides suggestions to address this point.

Impact on digital system common cause failure

The draft RIS is characterized as a means to allow for low risk (non-protection systems) changes to safety systems to go forward under 50.59, but there is no discussion of risk considerations. Instead, it includes a recommended level of rigor for the engineering evaluations needed to support the 50.59 process without providing any assurance that these will be accepted for "low risk" systems. These "low risk" systems have been incorrectly included in the current NRC staff position on common cause failure (CCF) policy, due to changes over time to Branch Technical Position (BTP) 7-19. It should be clearly stated how the RIS impacts the current NRC policy/position that addresses digital system CCF. Comment #2 within attachment #1, provides suggestions to address this point.

Application to non-power reactors

This RIS should be applicable to include non-power reactors (NPRs). Relevant guidance contained within NEI 96-07 and RG 1.187 is applicable to NPRs, and digital upgrades at NPRs should be addressed within this RIS. Comment #3 within attachment #1, provides suggestions to address this point.

We appreciate the opportunity to comment on the Draft RIS. If you have any questions or require additional information, please contact me.

Sincerely,

Jerud E. Hanson

Attachments

c: John W. Lubinski, NRR, DE
c: Jason Drake, NRR, DE

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22
Attachment 1 - General Comments

Comment No. | Section/Page # | Industry Comment | Recommended Change

1. Section/Page #: General
Industry Comment: The scope of the RIS and attachment needs to be limited to safety-related systems only. It should be very clear that the RIS could, or might be used as guidance for non-safety related upgrades if desired. The RIS should provide sufficient clarity to avoid an interpretation that it is to be viewed as "mandatory" for non-safety related systems.
Recommended Change: Clearly state the applicability of the RIS and attachment is intended to be used for safety related systems only.

2. Section/Page #: General
Industry Comment: The Draft RIS was characterized as a means to allow for low risk (non-protection systems) changes to safety systems to go forward in 50.59, but there is no mention of any sort of risk considerations in the Draft RIS. Instead it mainly provides a recommended level of rigor for the engineering evaluations needed to support the 50.59 without providing any assurance that these will be accepted for "low risk" systems that have been incorrectly pulled into the CCF policy due to changes to BTP 7-19. Nowhere in this RIS is a statement on scope of the policy on CCF, in fact it seems to reinforce the current content of BTP 7-19 into not only safety related components but non safety components that are in the licensee design basis.
Recommended Change: Describe how the RIS impacts the current NRC policy/position documents that address digital system CCF, such that end users of the RIS are clear how, or if, other NRC CCF policy/position documents apply to the activities within the scope of the RIS.


3. Section/Page #: General
Industry Comment: The non-power reactor community was not included in consideration of this RIS. At the May 25, 2017 public meeting on this proposed RIS there was discussion of the importance of including non-power reactor licensees within this proposed RIS. The general consensus was that non-power reactors should be included within its scope. It appears that the exclusion of non-power reactors from RIS 2002-22 was likely an oversight. EPRI TR-102348 and Generic Letter 95-02 are referenced in NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, for use by the non-power NRC staff and licensees in licensing DI&C upgrades. Though they followed after the issuance of NUREG-1537, the revision to EPRI TR-102348 (NEI 01-01) and related RIS 2002-22 are also used by the non-power NRC staff and licensees in licensing DI&C upgrades. NEI 96-07 and associated RG 1.187 are also applicable to non-power reactor licensees.
Recommended Change: Please include non-power reactors within the scope of the RIS.

4. Section/Page #: General
Industry Comment: The RIS does not specify whether the NRC expectation is that the Qualitative Assessment guidance is to be used for 50.59 screening.
Recommended Change: Add a statement that the RIS is intended to be used for 50.59 evaluations, but may be consulted during the 50.59 screening process.


INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22
Attachment 1 - Editorial Comments

Comment No. | Section/Page # | Industry Comment | Recommended Change

1. Section/Page #: Draft RIS Page 1, "Intent" Paragraph
Industry Comment: In the ninth line of this paragraph, please augment the implicit statement of applicability to ensure that the reader recognizes that RIS 2002-22 is being supplemented rather than supplanted. The text does not make this extremely clear and unambiguous.
Recommended Change: Replace "... this RIS is to clarify the NRC's endorsement of NEI 01-01 ..." with "... this supplemental RIS clarifies still-active RIS 2002-22 that endorsed NEI 01-01 ..."

2. Section/Page #: Draft RIS Page 2, Section titled "Background Information"
Industry Comment: Background Information section, first full paragraph, Correct the title of NEI 96-07, Evaluations should be Implementation.
Recommended Change: Correct text as noted.

3. Section/Page #: Draft RIS Page 3, Section titled "Summary of Issue" Section
Industry Comment: At the end of the last sentence in the paragraph starting "Specifically, this RIS ..." add words that clarify that the problem is in software.
Recommended Change: Revise from "... methods to demonstrate the likelihood of failure" to "... methods to demonstrate the likelihood of failure from software design errors"

4. Section/Page #: Draft RIS Page 4, Section titled "Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59"
Industry Comment: For readability, please consider bolding these italicized section headers to make them stand out in the rest of the text.
Recommended Change: Use bold text for section headers.


5. Section/Page #: Draft RIS Page 4, Section titled "Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59"
Industry Comment: In the second full paragraph, second line, the word "appropriate" is ambiguous. The last sentence in this paragraph is very long.
Recommended Change: Replace "appropriate" with something more like "applicable". Split the last sentence into "... applied to the proposed design. Using such standards ..."

6. Section/Page #: Draft RIS Page 4, Section titled "Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59"
Industry Comment: In the paragraph starting "To assist licensees", the second line, the sentence should be simplified.
Recommended Change: Replace "... the NRC staff has clarified within the attachment to this RIS its position ..." with "... the attachment to this RIS clarifies the NRC staff position ..." In the last sentence of this paragraph, delete "clarification within the" as "... the attachment describes ..." is sufficient.

7. Section/Page #: Draft RIS Page 4, Section titled "Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59"
Industry Comment: In the next to last line of the first paragraph, it is not clear what "alter the conclusions of" means to a licensee.
Recommended Change: Replace "alter the conclusions of by the safety analysis" with "alter the conclusions of or not be bounded by the safety analysis in the UFSAR"


8. Section/Page #: Draft RIS Page 4, Section titled "Backfitting and Issue Finality Discussion"
Industry Comment: In the first paragraph, please reiterate that this RIS supplements, but does not supersede, RIS 2002-22. In the second paragraph, the first sentence does not define on whom the guidance might be imposed.
Recommended Change: Replace "... supplements RIS 2002-22 ..." with "... supplements but does not supersede RIS 2022-22 ..." Rework the first sentence in the second paragraph.

9. Section/Page #: RIS Attachment, page 1, "Purpose"
Industry Comment: The first paragraph, first sentence is excessively long, with the result of being difficult to read and understand.
Recommended Change: Replace "... 10 CFR 50.59 Rule," for use as guidance for implementing ..." with "... 10 CFR 50.59 Rule." This RIS provides guidance for implementing ..."

10. Section/Page #: RIS Attachment, page 1, "Purpose"
Industry Comment: In the second paragraph, reinforce that this is a supplemental RIS.
Recommended Change: Change "... to provide clarifying guidance ..." with "... to provide supplemental clarifying guidance ..." Change "Following this guidance will help ..." with "Following the guidance in the RIS 2022-22 and NEI 01-01, as augmented by the guidance in this RIS ..."

11. Section/Page #: RIS Attachment, page 1, "Likelihood Justifications"
Industry Comment: This section would be easier to find if it were set in bold type.
Recommended Change: Change the format to bold on all section headers throughout the attachment, including those that are underlined.

12. Section/Page #: RIS Attachment Page 2, "Regulatory Clarification ..."
Industry Comment: In the first paragraph, last sentence, there are extra words, and a missing reference to where the characteristics that should be evaluated are defined.
Recommended Change: Delete both "that" in the sentence, and replace "there are some important" with "several important". Provide some reference, even within the RIS, to the "important characteristics" that we should evaluate.


13. Section/Page #: RIS Attachment Page 3
Industry Comment: In the paragraph starting "10 CFR 50.59 (c)(2)(vi)" in the fourth line, "that" is missing.
Recommended Change: Replace "... reasonable assurance the likelihood ..." with "... reasonable assurance that the likelihood ..."

14. Section/Page #: RIS Attachment Page 4, Section 2.2, Step 1
Industry Comment: Bullets contain quoted guidance from NEI 01-01 and NEI 96-07, Rev 1; however, in a couple cases, the quoted information is not correct.
Recommended Change: Revise bullets 1 and 3 to ensure the quoted text is accurate and traceable to the source document.

15. Section/Page #: RIS Attachment Page 7, last paragraph
Industry Comment: Delete the entire paragraph beginning with: "Documentation is needed ....."
Recommended Change: Replace with the following: "Documentation is needed to demonstrate the proposed design will not create malfunctions with different results or initiate a different type of accident not previously analyzed in the UFSAR. Within the concept of layers of defense, acceptable justification for concluding an accident of a different type will not be initiated to include the postulated new accident is only possible after a sequence of multiple unlikely independent failures. This type of justification should also be documented as part of the qualitative assessment."

16. Section/Page #: RIS Attachment Page 8
Industry Comment: In the last line, a reference to the major section we are in is not helpful.
Recommended Change: Either revise "Section 4.2" to be more useful, or remove the reference to a general section in the RIS Attachment.

17. Section/Page #: RIS Attachment Page 8, "Operating Experience"
Industry Comment: In the second paragraph, the subject (software and hardware) is plural. In the last sentence, the phrase "along with consideration of the supplier of such equipment" should be set off in leading and trailing commas.
Recommended Change: Replace "... modification has ..." with "... modification have ..." Add commas before and after the phrase.


18. Section/Page #: RIS Attachment Page 9, 4.2.1
Industry Comment: 2nd paragraph.
Recommended Change: Revise the following from:
"... do not result in a potential ..."
To:
"... do not result in more than minimal ..."

19. Section/Page #: RIS Attachment Page 9, 4.2.1
Industry Comment: In the first paragraph, last sentence, it might be clearer if the three steps in the justification were numbered (e.g., "1) a thorough description of the ..., 2) the design attributes ..., and 3) a clear description ..."). Further, it is not clear how extensive "thorough" is expected to be.
Recommended Change: Please consider clarification of this paragraph. Delete "thorough."

20. Section/Page #: RIS Attachment Page 10, 4.2.1.2
Industry Comment: Sentence beginning with "If the qualitative assessment ..."
Recommended Change: Revise the following from:
... a new type of accident, a malfunction with a new result, or an unbounded malfunction or accident now exists due to the combing of functions creating new malfunctions, or new inter-system interactions, etc, then ...
To:
... a new type of accident or, a malfunction with a different result now exists due to the combination of functions, then ...

21. Section/Page #: RIS Attachment Page 10
Industry Comment: First paragraph.
Recommended Change: Revise the following from:
... the potential for new malfunctions or accidents should be evaluated ...
To:
... the potential for malfunctions with a different result or accidents of a different type should be evaluated ...


22. Section/Page #: RIS Attachment Page 11, 1st paragraph
Industry Comment: The first sentence is too long.
Recommended Change: Replace "... development organization that provides for common and repeated use, rules ..." with "... development organization. These quality standards provide rules ..." and move "for common and repeated use" to the end of the sentence, replacing "context" with "context, for common and repeated use."

23. Section/Page #: RIS Attachment Page 11, 4.2.3
Industry Comment: In the last sentence of the first paragraph, there are extraneous words and an imprecise set of references.
Recommended Change: In the last sentence of the first paragraph, delete "other avenues for performing the change, i.e.," and list all avenues.

24. Section/Page #: RIS Attachment Page 11, 4.2.3
Industry Comment: In the first sentence of the last paragraph, there are extraneous words.
Recommended Change: Replace "... guidance provides the kind of process that should be engaged when using this guidance" with "... guidance illustrates the process to use this guidance."

25. Section/Page #: RIS Attachment Figure 1
Industry Comment: The diamond near the top of the page states "Does the proposed change have the characteristics described in the attachment to the RIS?". It is suggested that the "characteristics" being reference be pointed out specifically in the RIS attachment.
Recommended Change: Change the phrase to state "Does the proposed change have the characteristics described in RIS attachment section 3?"

26. Section/Page #: RIS Attachment Figure 1
Industry Comment: The second decision block language is not consistent with the verbiage used in 10 CFR 50.59.
Recommended Change: Revised the second decision block question verbiage to align with 10 CFR 50.59.


27. Section/Page #: RIS Attachment Table 2
Industry Comment: Step 1.
Recommended Change: Revise wording from:
"What are all of the UFSAR design functions ..."
To:
"What are all of the UFSAR described design functions"
Alternatively, "What are all of the design functions described in the UFSAR"

28. Section/Page #: RIS Attachment Table 2
Industry Comment: Step 4, 2nd bullet.
Recommended Change: Revise wording from:
"The digital components' likelihood of postulated CCF likelihood"
To:
"The digital components' postulated CCF likelihood"

29. Section/Page #: RIS Attachment Table 2
Industry Comment: Step 3.
Recommended Change: Revise wording from:
"Could those potential impacts already be bounded by the results of the design basis analyses, or would the analyses need to be revised to address it?"
To:
"Are potential impacts already bounded by results previously evaluated in the UFSAR or would the safety analyses need to be revised to address potential impacts?"


INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22
Attachment 2 - Clarifications

Comment No. | Section/Page # | Industry Comment | Recommended Change

1. Section/Page #: ALL
Industry Comment: The DRAFT RIS uses the term, "qualitative assessment" more than 15 times throughout the RIS. In the context where it is used, in most cases, either an implicit or explicit definition is stated. This is confusing. Also, in a few random cases "effective qualitative assessment" is used. This DRAFT RIS does not define the differences between the two. Overall, "effective qualitative assessment" seems out of place because either the conclusions of a qualitative assessment support the outcomes when used in a 10 CFR 50.59 Review or they do not.
Recommended Change: Define the term "qualitative assessment" once, then only use the term in the balance of the text. Suggest using a definition that states that the purpose of the qualitative assessment is to demonstrate reasonable assurance of adequate quality and low likelihood of failure through a review of the system design process and design features. This would be consistent with the NEI 01-01 discussion of dependability (page 5-14). For clarity and to avoid confusion, remove the word "effective" from "effective qualitative assessment" throughout the text.


2. Section/Page #: ALL
Industry Comment: The terms 'safety significance' and 'safety significant' are used throughout this section without formal definitions. It is noted that use of these terms is limited to defining the level of regulatory documentation that is worthwhile and is not used as input to answering the 50.59 questions. The scope of the draft RIS is such that the definition of 'safety significant' is not consistent with its use in other regulatory applications. The term 'safety significant' as used in regulatory applications today generally has a definition that is much broader than just the licensing basis for the plant and often includes risk-insights (e.g., see the definition of safety significant in 10CFR50.69). Throughout the Qualitative Assessment Framework, review of the modification under 50.59 is restricted to the plant design basis as documented in the UFSAR. As the Qualitative Assessment Framework clearly is limited to the licensing basis for the plant and is neither risk-informed nor considers risk insights, the term 'safety significant' should be avoided and replaced with a regulatory term having a formal definition applicable to the scope of this guidance, 'important to safety' (as defined in the UFSAR).
Recommended Change: Suggest using 'important to safety as defined in the UFSAR' as it has a formal definition associated with the design basis.

3. Section/Page #: Draft RIS Page 1, "Intent" Paragraph
Industry Comment: The term "reasonable assurance" is used here and in footnote 1. No basis is provided for use of a different standard as used in the RIS, versus the broader regulatory standard. What is the source for the footnote? Having different definitions of this term will cause confusion. As an example, the RIS uses the term "reasonable assurance" nearly 20 times throughout the document in various contexts. In many cases, the RIS includes quotes from NEI 01-01 with this term included.
Recommended Change: Remove the footnote, or, further define the term "adequate degree of certainty." Identify the Regulatory sources of the footnote that clearly defines the difference between "adequate degree of certainty" and "broader NRC regulatory standard".


4. Section/Page #: Draft RIS Page 2, Section titled "Background Information"
Industry Comment: In the third full paragraph, fifth line, reinforce the idea that this supplement is to be used with RIS 2002-22.
Recommended Change: Replace "This RIS supplements the NRC Staff's previous endorsement of the NEI 01-01 guidance ..." with "This RIS supplements the still-active RIS 2002-22 endorsement of NEI 01-01 guidance ..." At the end of the paragraph, explain that this RIS is expected to provide the additional detail necessary to ensure resolution of the issues that have occurred when applying RIS 2002-22 and NEI 01-01.

5. Section/Page #: Draft RIS Page 2, Section titled "Background Information"
Industry Comment: In the last full paragraph on this page, IAP MP #1 is mentioned in the context of 50.59.
Recommended Change: Explain how the CCF portion of the modernization plan interacts with the 50.59 evaluation in the RIS discussion.

6. Section/Page #: Draft RIS Page 3, "Summary of Issue" Section
Industry Comment: With respect to the text including the statement: "there may be a potential for a marginal increase in the likelihood of malfunctions" Although this statement paraphrases NEI 01-01, Section 4.3.2, it seems to imply that digital upgrades will always result in a marginal increase in malfunction likelihood. In practice, industry has observed the opposite - that digital upgrades tend to decrease malfunction likelihood as most digital upgrades eliminate single points of vulnerability, provide for signal validation, afford internal diagnostics and alarming capabilities - to name just a few characteristics that go beyond the capabilities of their analog counterparts. This sentence may cause confusion within industry and with regional inspectors if it is interpreted to mean that digital upgrades are expected to increase malfunction likelihood.
Recommended Change: Clarify this statement to be clear that digital upgrades are not always expected to increase malfunction likelihood. Rephrase to use the "no more than minimal increase" text from 50.59.


7. Section/Page #: Draft RIS Page 3, Section titled "Summary of Issue" Section
Industry Comment: The sentence leading into the last paragraph on the page: The RIS pulls out a statement from RIS 2002-22 and states that the Draft RIS does not change NRC staff position, which apparently is that NEI 01-01 provides an acceptable means. This seems to be at odds with the statements in the final two paragraphs of this section that the appendix will provide content, rationale and evaluating factors to be addressed, along with a short list of design attributes primarily drawn from the existing BTP 7-14.
Recommended Change: Please clarify whether there is a change in NRC staff position from what was previously endorsed in NEI 01-01.

8. Section/Page #: Draft RIS Page 4, Section titled "Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59"
Industry Comment: With respect to the text including the statement: "ensuring that the uncertainty of qualitative assessments is sufficiently low" What is meant by this statement? Generally speaking, the qualitative assessment is used to draw the conclusion that the digital change has a low likelihood of failure.
Recommended Change: Suggest deleting this portion of the sentence as it may cause confusion.

9. Section/Page #: RIS Attachment, Pages 1-17
Industry Comment: The attachment seems to explicitly specify a quality process, structure and format for the qualitative assessment that if left without clarification, could result in a significant impact on the industry in the areas of procedures, qualification, and training, if the interpretation is that the qualitative assessment attributes are viewed as mandatory.
Recommended Change: In the "Purpose" section of the Attachment, it should be made clear that the format, content, and structure of the Attachment is an example of what an acceptable Qualitative Assessment could contain, and that the implementation details are up to the licensee.


10. Section/Page #: RIS Attachment, Pages 1-17
Industry Comment: Outcomes from a qualitative assessment that would in turn be used as engineering/technical information in a 10 CFR 50.59 review are specified as "finds", "final determination", "resulting", etc. This inconsistent verbiage is confusing. Examples of this are:
Section 2.1, last paragraph
Page 2 of 17, 3rd paragraph
Section 3, 1st paragraph
Recommended Change: Recommend that the outcome of a qualitative assessment be described as "conclusions" because conclusions are the translation of the results. Therefore, the conclusions of an assessment are the engineering/technical information that is important to the 10 CFR 50.59 review.

11. Section/Page #: RIS Attachment Page 2, 1st Paragraph
Industry Comment: In section 2.1 (likelihood justifications) the attachment discusses the link between dependability and likelihood of failures, but in the next to the last paragraph, there seems to be an interchangeable use of reliability and dependability, recommend sticking to dependability. Furthermore, the inclusion of "reliability" in the next to the last paragraph in this section is a misrepresentation of NEI 01-01 which makes this point that for some high risk systems, there may be a need to provide additional assurance of adequate defense in depth and diversity. Since there is no mention of this, in the section, it can only be implied that all changes, without regard to risk will require a demonstration of defense in depth, but some systems do not require defense in depth because there is no requirement to do D3, but this could be construed to put that requirement onto the licensee.
Recommended Change: Recommend reconciling the use of "reliability" versus "dependability" in the documents.

12. Section/Page #: RIS Attachment Page 2, 3rd Paragraph
Industry Comment: This section discusses a reasonable assurance standard for evaluating low likelihood of failure. It's important to note that the new digital equipment must only be as reliable/dependable as the equipment it is replacing. The likelihood of failure is relative to the equipment being replaced.
Recommended Change: Revise section to include a statement that captures the following concept: The new digital equipment is not held to a higher standard than the analog (or even digital) equipment it is replacing.


13. RIS Attachment With respect to the text including the statement: Remove this statement from the paragraph, Page 2, 7th "(whether or not classified as safety-related in accordance with 10 CFR Part and if still necessary, place it elsewhere in Paragraph 50, Appendix B)" the text, in a context that is not tied to 50.59.
14. RIS Attachment Section 2 of this document is titled regulatory clarification, but later in 2.2 it Delete or include in Section 4.

Page 3, Section seems to provide a framework for evaluating malfunctions of a different 2.2 result, I think this is better handled in Appendix D or is sufficiently covered in 96-07, since there is really no new guidance here, any attempt to provide it (which it seems you didn't in step #3), then I recommend this part be deleted. If the framework is deemed important include it in section 4.

15. RIS Attachment With respect to the text including the statement: Recommend one term be defined and used Page 3, 2nd " .... the likelihood of common-cause failure (CCF) is much lower than ... " consistently throughout the document.

Paragraph The term "much lower" is used several places in the document, as well as the term "significantly lower".

16. RIS Attachment With respect to the text including the statement: This limitation also should be reflected the Page 3, 2nd " .. ..reasonable assurance the likelihood of common-cause failure (CCF) .. " RIS.

Paragraph NEI 01-01 uses terminology similar to this and, by inference, is endorsed by RIS 2002-22. However, the applicability of the NEI guidance is limited to software failures (including common cause failures) and does not include other sources of CCF (such as hardware failures).

17. Section/Page #: RIS Attachment, Page 3, 3rd Paragraph
Industry Comment: With respect to the text including the statement: "The above likelihood thresholds ..." This conclusion in this section is acceptable, provided the applicability of the CCF statement of the 10 CFR 50.59(c)(2)(vi) threshold is limited to software failures. Otherwise the statement expands the scope of consideration CCF under 50.59 to well beyond the original RIS, NEI 96-07, the SRP, RG 1.70 and ANS/ANSI 51.1 & 52.1.
Recommended Change: Clarify this section.


18. Section/Page #: RIS Attachment, Page 3, 5th Paragraph
Industry Comment: With respect to the text including the statement: "For activities that introduce a potential failure mode (e.g., CCF) that does not meet the above thresholds ..."
This section would be acceptable, assuming 'meeting the above thresholds' means the likelihood of common-cause failure (CCF) is much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other CCF that are not considered in the UFSAR. If not clarified, this statement expands the scope of consideration CCF under 50.59 to well beyond the original RIS, NEI 96-07, the SRP, RG 1.70 and ANS/ANSI 51.1 & 52.1.
Where CCF has been included in the licensing basis of the plants in the past, it has required a regulatory analysis and gone through rulemaking (e.g., ATWS and SBO). Such a regulatory analysis has not been performed for digital CCF.
The statement also is inconsistent with the SRM to SECY 93-087 and BTP-19 which state that CCF is beyond the design basis.
Recommended Change: Please clarify ... "meeting the above thresholds"

19. Section/Page #: RIS Attachment, Page 3, Section 2.1
Industry Comment: The following NOTE is stated, "[Note: This likelihood threshold is not interchangeable with that for "credible"/"not credible," which has a threshold of "as likely as" (i.e., not "much lower than") malfunctions already assumed in the UFSAR.]" However, no basis for the note could be found in NEI 01-01 or NEI 96-07, Rev 1, or regulatory framework.
Recommended Change: Identify the Regulatory source of the Note or revise the Note to add sufficient clarity (preferably with examples) to ensure it is not mistranslated by the industry.


20. Section/Page #: RIS Attachment, Page 4, "Step 1" Section
Industry Comment: With respect to the text including the statement: "... for the purpose of the 10 CFR 50.59 evaluation, "credible" malfunctions ..." It is not clear that a credible malfunction considered in the technical evaluation is the same as a credible malfunction considered in the 50.59 process.
Recommended Change: Add the following clarification/definition: For the purposes of the technical evaluation, a CCF can be considered credible only if the likelihood of a CCF caused by an I&C failure source is greater than the likelihood of a CCF caused by other failure sources that are not considered in a deterministic safety analysis described in the UFSAR.

21. Section/Page #: RIS Attachment, Page 4, Section 2.2, Step 1
Industry Comment: Bullet nine - with respect to the text including the statement: "malfunctions previously thought to be incredible." Step 1 in this process is to develop a list of "possible" malfunctions. Listing malfunctions that are previously thought to be "incredible" is not verifiable criteria and opens up the evaluation to any possible combination of failures (i.e., unrelated multiple failures).
Recommended Change: This needs to be reworded to something that is bounding within the plant design basis.

22. Section/Page #: RIS Attachment, Page 4, "Step 2" Section
Industry Comment: 2nd bullet, with respect to the text including the statement: "there may be the potential marginal increase in likelihood of failure, including a single failure ..." The statement identified in the bulleted item appears to be from NEI 01-01 Section 4.3.2. Where does the "including a single failure" wording come from?
Recommended Change: Remove the statement "including a single failure"


23. Section/Page #: RIS Attachment, Page 4, Section 2.2, Step 2
Industry Comment: 2nd bullet, with respect to the text including the statement: "For digital modifications, particularly those that introduce software" What is this intended to mean?
- Consider how digital modifications that do not involve software should be defined, as most digital equipment has software/firmware. Examples are discrete logic chips and FPGAs.
- "Introduce software" phrase could be taken that this only applies to analog to digital mods. It should also address digital to digital mods.
- The use of "redundant" should also have independence stated. Please change to redundant and independent. This is a generic comment wherever redundancy is used. Independence is the key word. Redundancy can be added in non-safety systems for reliability purposes only.
Recommended Change: Please clarify the intent of the use of the term "software" in this section based on the comment. Please consider the use of the term "redundant and independent" versus just the use of "redundant."

24. Section/Page #: RIS Attachment, Page 4, "Step 2" Section
Industry Comment: This statement, although out of NEI 01-01, would seem to imply that digital upgrades will always increase the likelihood of failure, which has not been observed in actual practice where, in most cases, digital upgrades have been shown to decrease failure likelihood.
Also, in 50.59 it is common practice to consider the balancing of positive effects of installing the digital equipment (e.g., elimination of SPVs, signal validation, etc.) with the potential negative effects (e.g., SCCF, etc.) when arriving at the final conclusion of not more than a minimal increase in malfunction likelihood or accident frequency. The RIS does not appear to discuss using the balancing effects of the positives and negatives of digital upgrades.
Recommended Change: Add supporting statement(s) that include acknowledgement of positive, not just negative, impacts of installing digital equipment. Further, rephrase the statements that imply that digital systems will always increase the likelihood of failure to include the idea of "no more than a minimal increase" text from 50.59.

25. Section/Page #: RIS Attachment, Page 4, Section 2.2, Step 2
Industry Comment: Bullets contain quoted guidance from NEI 01-01 and NEI 96-07, Rev 1; however, the quoted text from the last three bullets could not be traced back to either source.
Recommended Change: Revise the last three bullets to ensure quoted information is accurate and traceable to the source document. Provide a reference to the source.


26. Section/Page #: RIS Attachment, Page 5, Section 3
Industry Comment: The title of this section is 'Draft Characteristics of Proposed Modifications that Produce Effective Qualitative Assessments'. The first paragraph of this section states: "The NRC staff finds that proposed digital I&C upgrades and modifications having all the characteristics listed below are more suitable to and effective for qualitative assessments and thus more likely to meet the 10 CFR 50.59 evaluation criteria." The title and wording in this section imply that the Qualitative Assessment Framework is permitted only for digital modifications having all the characteristics in this section.
It is assumed that the term 'effective' actually means 'produces positive results'. The section reads more clearly without the word 'effective.'
Recommended Change: Clarify the applicability of the characteristics in this section to digital modifications. Consider changing "Do not" to: "Do not create an adverse condition due to ..." Remove 'that Produce Effective Qualitative Assessments' from the title and delete 'more suitable to and effective for qualitative assessments and thus' from the last sentence of the first paragraph to avoid misinterpretation of this section.

27. Section/Page #: RIS Attachment, Page 5, Section 3 (1)
Industry Comment: This sub-section states "Digital I&C design function-for-design function replacements and upgrades to systems and components that:" Is the qualifier "design function-for-design function" both meaningful and necessary?
Recommended Change: Unless the phrase "design function-for-design function" provides additional criteria or meaning, it is suggested that it be removed. If the term provides specific meaning, please provide the criteria for determining the function for function alignment.


28. Section/Page #: RIS Attachment, Page 5, Section 3
Industry Comment: This section seems to constrain the digital modification to a very limited scope, which does not appear to meet the intent. For instance, it is not clear whether all of the attributes, or some of the constraints need to be met. Applying these in a strict way would eliminate most digital changes being contemplated, or currently being done. For example:
a. "1a)-b)" These conditions appear to only allow designs that don't combine functions that were previously separate (this eliminates DCSs from being considered per this criteria, even if you use segmentation on separate controllers because they communicate via shared network, which is not acceptable).
b. "2" could be construed to eliminate all safety systems that have two channels (chillers) from consideration since they will be digital and identical and this will screen them out before we even get a chance to demonstrate low likelihood of CCF.
c. "3" is just a regurgitation of BTP 7-19 criteria, but the prelude to the section says that all criteria must be met, which is pretty much impossible for embedded devices.
Recommended Change: Clarify the applicability and limitations of these constraints to address potential issues with items noted, such as:
- DCS Upgrades
- Safety Chillers
- Embedded Devices

29. Section/Page #: RIS Attachment, Page 5, Section 3 1(a)&1(b)
Industry Comment: The exclusion of systems using common HMI eliminates all non-safety related DCS upgrades from this RIS scope.
Recommended Change: The type of systems that use shared resources should be in scope of this RIS which should describe that the licensee addresses combination of functions and spurious operation in the qualitative assessment.


30. Section/Page #: RIS Attachment, Page 5, 1st paragraph
Industry Comment: With respect to the text including the statement: "... the qualitative assessment results alone are sufficient that software CCF does not need to be assumed ..." The use of "software CCF" appears to limit the use of qualitative methods to demonstrate that CCF does not have to be assumed for other types of potential common cause failures.
Recommended Change: The RIS should clearly define the scope of CCFs (software, etc.) being considered,

31. Section/Page #: RIS Attachment, Page 5, Step 3
Industry Comment: With respect to the text including the statement: "Only for possible malfunctions that do not have a sufficiently low likelihood based on the qualitative assessment in Step 2, determine whether the malfunction has a different result."
Recommended Change: Clarify whether the different result is at the SSC level or plant level. The industry position is that the results are evaluated at the plant level, as discussed in the recent RIS public meeting.

32. Section/Page #: RIS Attachment, Page 5, 1(b)
Industry Comment: With respect to the text including the statement: "Do not incorporate new shared resources ... implicitly assumed" Implicit assumptions are impossible to verify. Should provide clarification on whether "system function" equals "design function" and if so, use "design function."
Recommended Change: Remove "implicitly assumed."

33. Section/Page #: RIS Attachment, Page 6, Section 3 (2)
Industry Comment: With respect to the text including the statement: "... that do not result in reduction of any aspects of independence" This goes beyond reasonable assurance. Adding any software could and does result in a small quantitatively reduction.
Recommended Change: Please reword with reasonable assurance language instead of using "do not."


34. Section/Page #: RIS Attachment, Page 6, item (3)
Industry Comment: With respect to the text including the statement: "... as demonstrated through 100% testing ..."
There is a lack of clarity with industry (and perhaps regional inspectors) over what constitutes 100% testing, and this "simplicity" concept. Technical individuals working on the NEI/Industry DI&C teams have come to understand that any device containing software is not considered to be 100% testable, and we must assume a CCF.
If this is the case, then this RIS will only work for a very limited number of digital changes.
The 100% testing approach does not meet the "qualitative" intent of the RIS, and the reasonable assurance standard.
Recommended Change: Eliminate the 100% testing criteria as the only test for "simplicity."

35. Section/Page #: RIS Attachment, Page 6, item (3)
Industry Comment: With respect to the text including the statement: "... bounded by previous FSAR analysis ..."
Recommended Change: Address the use of the term "bounding" with respect to "plant level" in this section, and further define FSAR analysis as "safety analyses ..."

36. Section/Page #: RIS Attachment, Page 6, 4th paragraph
Industry Comment: With respect to the text including the statement: "demonstration that the resulting replacement or upgrade design can tolerate the postulated triggering of that defect" This statement would seem to indicate that we must assume a design defect and then assume the design defect is triggered. If this is the intent, the RIS will likely not work for most safety related SSCs (including the safety related chiller mod). If this is not the intent, should clarify the statement.
Recommended Change: Add a discussion and clarify methods for demonstrating what would be an acceptable way of "tolerating" the triggering of a defect. Clarify the statement to indicate whether a design defect must be assumed or not. Define the basis for the design defect likelihood needing to be "significantly lower."


37. Section/Page #: RIS Attachment, Page 6 last paragraph, Page 7, first paragraph
Industry Comment: With respect to the text including the statement: "Alternatively, electrical independence can be demonstrated qualitatively ..." The real purpose of this RIS is software and SCCF with respect to independence. Using electrical independence may not be the best example for this RIS.
Recommended Change: Add a clear language in this paragraph that states, "software also can be addressed in a qualitative manner" and consider using a digital example.

38. Section/Page #: RIS Attachment, Page 7, Section 4.2
Industry Comment: A new term, "layers of defense" is used and is not defined. If this is intended to refer to "defense in depth", then "defense in depth" should be stated.
Recommended Change: Either define the term "layers of defense" or use the term "defense in depth". Alternatively, provide a reference to the USNRC or industry document being used to define "layers of defense."

39. Section/Page #: RIS Attachment, Page 8, Quality Design Process
Industry Comment: With respect to the paragraph beginning with: "For digital equipment incorporating software ..." These attributes may not be available or well documented for non-safety related equipment that contains software. NEI 01-01 was primarily written to evaluate changes to safety related SSCs. Quoting this paragraph within the RIS may lead some (including regional inspectors) to believe that all these attributes must be accounted for when implementing a non-safety related digital upgrade with software involved.
Recommended Change: Clarify this section to acknowledge a different standard applies for non-safety related upgrades.

40. Section/Page #: RIS Attachment, Page 8, Last paragraph
Industry Comment: With respect to the text including the statement: "... thoroughly documented within the licensee's quality assurance (QA) program ..." What is specifically meant by "... documented within the licensee's QA program"? Does this mean a formal qualitative assessment document must be developed and placed within the engineering change package for future retrieval?
Recommended Change: Please clarify the intent of this statement.


41. Section/Page #: RIS Attachment, Page 8, Last paragraph
Industry Comment: In section 4.2 the last paragraph on page 8 says "All of these categories should be addressed and thoroughly addressed in the licensee's quality assurance program, in consideration of the safety significance of SSCs described below in Section 4.2 (See table 1)" There may be confusion about what this means .... to be described in the QA program.
Recommended Change: Please clarify intent of QA program reference. Clarify QA program applicability is not based on safety significance of SSCs, but on the licensees Quality Assurance Program.

42. Section/Page #: RIS Attachment, Page 8; Page 9, Table 1
Industry Comment: Please add endorsed EPRI TR-106439 as an acceptable example for digital commercial grade dedication mods.
Recommended Change: Please add the reference as noted.

43. Section/Page #: RIS Attachment, Table 1
Industry Comment: For Table 1, the list of acceptable examples, is this list intended to be addressed by each evaluation, or is this just a suggested list? For the design attributes, what is the expectation on behalf of the NRC that there be all items, or some items? Is the determination of adequacy up to the licensee or will this list constitute the basis for a Mods or 50.59 inspection?
Recommended Change: Please clarify the applicability of the examples cited in Table 1, and their intended use.

44. Section/Page #: RIS Attachment, Page 9, Table 1
Industry Comment: "Environmental Qualification" implies a Regulatory programmatic requirement; however, based on the subsequent examples, "(e.g., EMI/RFI, Seismic)", this does not appear to be the context.
Recommended Change: Revise "environmental qualification" to "demonstrated tolerance (e.g., through qualification testing) to withstand environmental conditions within which the SSC is required to perform its design function (e.g., EMI/RFI, Seismic)."

45. Section/Page #: RIS Attachment, Table 1, Design Attributes
Industry Comment: Watchdog Timers - The RIS should not limit credit for external watchdog timers only. There are designs that have internal watchdog timers that operate independent of the software and are considered just as reliable as external watchdog timers (the digital reference adjuster used on the EDG voltage regulator project is an example of an independent internal watchdog timer).
Recommended Change: Suggest changing to "Watchdog timers that operate independent of software" or something to that effect. An acceptable alternative might be "Watchdog timers that time out in hardware."


46. Section/Page #: RIS Attachment, Table 1, Design Attributes
Industry Comment: "Sufficiently simple" and 100% testing are used here.
Recommended Change: See previous comments on this subject. Suggest acknowledging other types of testing to demonstrate the design is sufficiently simple, such as comprehensive, or exhaustive testing, versus just 100% testing.

47. Section/Page #: RIS Attachment, Table 1, Design Attributes
Industry Comment: Failure state always known to be Safe - An acceptable failure state could also simply be equivalent to the failure state of the device being replaced, not necessarily to the safe state.
Recommended Change: Revise to describe that the failure state of the new digital equipment can be the same as the failure state of the existing equipment (whether or not the failure state is considered safe).

48. Section/Page #: RIS Attachment, Table 1, Operating Experience
Industry Comment: The last bullet indicates that high volume commercial products are less likely to have deficiencies.
Recommended Change: Augment the discussion to suggest that "High volume, high quality commercial products with applicable operating history used in other applications have the potential to not include as many design errors."

49. Section/Page #: RIS Attachment, Page 10, 4.2.1.1
Industry Comment: This paragraph does not clearly distinguish between safety related and non-safety related SSCs. Digital communications (ISG-04) is a concern primarily with Safety Systems and is not applicable to non-safety systems. Though there is very good guidance in ISG-04, this section seems to make it required to be addressed for all classes of systems that might be evaluated by this process. Would digital communication between non-safety SSCs be considered out-of-scope of this RIS? For example, a plant may have two (redundant) feedwater pumps - not for plant safety but for operational convenience. Would digital communication between the two feedwater pump controllers be out-of-scope for this RIS?
Recommended Change: Please clarify applicable scope for digital communications criteria, to clearly specify that ISG-04 is applicable to only safety related modifications. Please clarify to address how this might be applied to non-safety related examples. Also, while ISG-04 is good guidance, and has been in place for more than a decade, it would be preferable to refer to more durable guidance.


50. Section/Page #: RIS Attachment, Page 10, 4.2.1.2
Industry Comment: For section 4.2.1.2 the gist of this section is that combination is bad in all cases, however, there are cases where combination of previously separate components results in a more dependable system due to the tightly coupled nature and a reduction in complexity. A good example is the combination of Main Feed regulating valves with Feed bypass valves into one controller, this has allowed the industry to use one controller to control steam generator level through all power levels, where previously there was a manual cross over at a low power that often resulted in spurious level changes and plant trips due to loss of level control, those types of plant upsets are much less frequent with a combined system where both valves are controlled by one controller. A plant transient from both a bypass and MFRV may not be evaluated in the License but if the overall result from combining the two is a marked increase in dependability, in the aggregate.
Recommended Change: Revise to acknowledge cases where combination of functions may result in a more reliable and safer system.

51. Section/Page #: RIS Attachment, Page 10, 4.2.1.2, 3rd sentence
Industry Comment: With respect to the discussion on combination of functions: This section should acknowledge that combination of functions is allowable where it does not create an adverse condition; the 3rd sentence does not accurately reflect verbiage consistent with 10 CFR 50.59.
Recommended Change: Please add language that allows combination of functions where it does not create an adverse condition.

52. Section/Page #: RIS Attachment, Page 10, 4.2.1.2, last sentence
Industry Comment: The phrase "the other NRC-approved processes" does not provide guidance.
Recommended Change: If "the other NRC-approved processes" is intended to be license amendment request, so state. Else, define all the other processes that could be followed.

53. Section/Page #: RIS Attachment, Page 10, 4.2.2
Industry Comment: This section should include reference of EPRI TR-106439 as an acceptable example for digital commercial grade dedication mods.
Recommended Change: Add the noted reference.


54. Section/Page #: RIS Attachment, Page 11
Industry Comment: There is no expanded discussion on the Operating Experience topic. Sections 4.2.1 and 4.2.2 expand on the other "bullet" points noted on Page 7 and Page 8 of the attachment (Design Attributes and Quality Design Process).
Recommended Change: Revise document to use Section 4.2.3 as an expanded discussion on Operating Experience. Move current Section 4.2.3 content to another section of the document.

55. Section/Page #: RIS Attachment, Page 11, 1st paragraph
Industry Comment: Quality Standards - please clarify the use of the term "quality standards" in the RIS. If the intent is to define a high quality design process, then the licensee Appendix B program should govern the activities as applicable. It should be noted that there is no requirement for mandatory use of any other type of quality standard for non-safety related applications.
Recommended Change: Clarify the use of the term "quality standards."

56. Section/Page #: RIS Attachment, Figure 1
Industry Comment: It appears that the YES/NO labels should be reversed on the diamond near the top of the page which states "Does the proposed change have the characteristics described in the attachment to the RIS?" Also, the first box appears to be selecting criteria. That is, if the characteristics don't match (e.g. no combinations, no communications, etc.) then you can't use this process. If you exit the RIS 2017-xx process, then are on your own to use NEI 01-01 as originally endorsed in RIS 2002-22?
Recommended Change: Flip the YES / NO labels. Suggest being more specific by adding a specific section number of the RIS that details the characteristics. (RIS Section 3?) Consider an exit to this process that shows the previous RIS/NEI 01-01 process.

57. Section/Page #: RIS Attachment, Figure 1
Industry Comment: The flowchart only addresses 50.59 Evaluations Questions 2 and 6. Questions 1 and 5 do not appear to be addressed in the flowchart.
Recommended Change: Suggest addressing Questions 1 and 5.

58. Section/Page #: RIS Attachment, Figure 1
Industry Comment: Conduct the Technical Analysis and Assess Vulnerabilities is split into two boxes, but in reality the vulnerabilities will be assessed in the design change (in the box that feed into the Conduct Technical Analysis). Is this split into two boxes because the RIS expect two distinct documents? Or do both of the boxes constitute the single "Qualitative assessment" as outlined in Table 2. The assumption is that it is broken out based on some thought model held by the staff, but in actuality this is all done under the design change process and is only documented in the 50.59 as a high level summary with sufficient detail to assist the approver of the 50.59 (and to support the NRC review under Mods inspections).
Recommended Change: Provide explanation as to why this process is split into 2 boxes, and/or update Figure 1.


59. Section/Page #: RIS Attachment, Page 13, Section 5.1
Industry Comment: This section appears to be written for safety-related software. In most cases, the evidence required in Section 5.1 would be difficult to compile for non-safety software containing COTS devices.
Recommended Change: Update this section to reflect the level of documentation that might be typically seen for non-safety related upgrades. Augment the "software safety analysis" to "software safety analysis (as applicable)" to capture the non-safety related equipment.

60. Section/Page #: RIS Attachment, Page 13, Section 5.1
Industry Comment: In Section 5.1 there is a statement that says that the Qualitative Assessment should provide evidence that a well-defined process for - and it continues on with a statement of components from BTP 7-14, which again is only applicable to safety-related software and would also be germane (but not required) for non-safety related software. What if any concessions are allowed for those non-safety and even those components that are Commercially dedicated where we will often credit extensive operating history and testing along with "largely equivalent" software processes, where portions of the software lifecycle are less relevant and not needed to make the Qualitative Assessment for less risk significant system that screen into 50.59 evaluation? See comment below on section 5.2.
Recommended Change: Revise document to address the software process typically seen for non-safety related and commercially dedicated equipment.


61. Section/Page #: RIS Attachment, Page 13, Section 5.2
Industry Comment: In Section 5.2 there appears to be a hint of grading by safety significance, which is in keeping with the original NEI 01-01, but the two lists are not well defined, are you saying that the items on the list constitute a risk significant system? Are they in any order of risk significance, or are they all considered equally risk significant? With the contrary being deemed less risk significant and therefore less documentation required and the second list seems to have a function based criteria. Same question as above, (all risk significant; any sort of hierarchy implied?). Will this grading be up to the utility? Or will this RIS address which would be acceptable?
Recommended Change: Please clarify basis and applicability of these grading criteria.

62. Section/Page #: RIS Attachment, Page 13, Section 5.2
Industry Comment: 2nd bullet - With respect to the term "accident mitigation system" Is this statement referring to accident mitigation systems that are credited in the safety (or accident) analysis? There are some non-safety systems that can be used for accident mitigation but are not credited in the safety (accident) analysis (e.g., off-site power is the preferred source of power for mitigating accidents but is not generally credited as an accident mitigator in the safety (accident) analysis). There is some confusion in the industry when it comes to defining a SSCs that are considered accident mitigators.
Recommended Change: Suggest clarifying by stating "... accident mitigation system credited in the safety analysis."

63. Section/Page #: RIS Attachment, Page 14, last paragraph
Industry Comment: With respect to the following statement: "It is the responsibility of the licensee's 10 CFR 50.59 evaluator to demonstrate that the documentation of the design basis ..."
Recommended Change: Request this section be clarified to differentiate between where design basis information is documented (for instance, the plant modification process), versus where licensing basis information is documented (for instance in the 50.59 evaluation).


64. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 1, last bullet: Please add clarification that the evaluation should consider both active and inactive states.
Recommended Change: Add clarification as described in comment.

65. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 1, 3rd bullet - Safety and power generation functions.
Recommended Change: Please clarify what this statement is asking for, it is not entirely clear.

66. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 3 - Enhanced Safety Analysis.
Recommended Change: Please define or clarify what "enhanced" is referring to.

67. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 3 - Failure Modes.
Recommended Change: Please add a note stating that the failure mechanisms can change. Please add a note allowing us to eliminate failure modes of the original equipment in the replacement equipment.

68. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 4 - last paragraph, beginning with ... "All assertions ..." This statement implies that the licensee must assume a CCF.
Recommended Change: If this is the case, please explain. If this is not the case, please reword or provide clarification.

69. Section/Page #: RIS Attachment, Table 2
Industry Comment: In Table 2: Steps 4 and 6 seem to be repeats, you make the assertions and provide the evidence, then repeat the assertions. If not repeats, but rather two steps in a process, where identification is done in one step, and verification of resolution is provided in a separate process, then suggest clarification.
Recommended Change: Leave one or the other out, the evidence needs to support the assertions either way. Clarify why the two steps are provided.

70. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 5, 2nd paragraph, "vectors to malfunctions."
Recommended Change: If definition exists, please provide it; otherwise recommend deletion.


71. Section/Page #: RIS Attachment, Table 2
Industry Comment: Step 5, first paragraph, "evidence of the three qualitative assessment justifications."
Recommended Change: Please provide a reference to an earlier section in the RIS or RIS Attachment where the three qualitative assessment justifications are provided for completeness.
