ML18054A045
| ML18054A045 | |
| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 08/16/2017 |
| From: | Fregonese V Nuclear Energy Institute |
| To: | Wendell Morton Division of Engineering |
| Shared Package | |
| ML18039A804 | List:
|
| References | |
| Download: ML18054A045 (37) | |
Text
1 NRR-DMPSPEm Resource From:
FREGONESE, Victor <vxf@nei.org>
Sent:
Wednesday, August 16, 2017 4:05 PM To:
Morton, Wendell; Rahn, David
Subject:
[External_Sender] FW: NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)
Attachments:
08-16-17_NRC_NEI 17-XX-Industry-Comments-NEI-Cover Letter.pdf; 08-16-17
_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-General Comments_Attachment1.pdf; 08-16-17_NRC_NEI_17-xx-Consolidated Industry Comment-8-16-17-Editorial Comments_Attachment2.pdf; 08-17-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-Clarification Comments_Attachment3.pdf Vic Fregonese Senior Project Manager Nuclear Generation Division Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004 www.nei.org M: 704-953-4544 E: vxf@nei.org From: HANSON, Jerud Sent: Wednesday, August 16, 2017 4:04 PM To: cindy.bladey@nrc.gov Cc: Jason.Drake@nrc.gov; john.lubinski@nrc.gov
Subject:
NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)
THE ATTACHMENT CONTAINS THE COMPLETE CONTENTS OF THE LETTER August 16, 2017 Ms. Cindy Bladey Mail Stop: TWFN-8 D 36M Office of Administration U.S. Nuclear Regulatory Commission Washington, DC 20555-0001
Subject:
NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)
Project Number: 689
Dear Ms. Bladey:
2 The Nuclear Energy Institute (NEI)[1] and the industry appreciate the opportunity to provide integrated industry comments on the Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22. The purpose of this RIS is to clarify the NRCs endorsement of NEI 01-01 by providing additional guidance for preparing and documenting the qualitative assessment used to provide reasonable assurance that a digital modification will exhibit a low likelihood of failure, which is a key element in 10 CFR 50.59, Changes, tests and experiments, evaluations of whether the change requires prior NRC approval. This RIS supports our mutual interest in more efficient and effective licensing of digital upgrades across the operating fleet and we look forward to issuance in the third quarter of 2017. Our principal comments are included below and more detailed comments are presented in the attachments for consideration by the NRC staff.
We appreciated the opportunity to participate in a public meeting to conduct a tabletop exercise utilizing the draft RIS 2002-22 Supplement for Digital I&C upgrades at nuclear power reactor facilities under 10 CFR 50.59 on August 2, 2017. The draft RIS provided an effective framework for conducting digital upgrades within the scenarios that were demonstrated.
We appreciate the opportunity to comment on the Draft RIS. If you have any questions or require additional information, please contact me.
Sincerely, Jerud Hanson Senior Project Manager, Life Extension & New Technology Nuclear Energy Institute 1201 F Street N.W., Suite 1100 Washington, DC 20004 www.nei.org P: 202.739.8053 M: 202.497.2051 E: jeh@nei.org This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.
The linked image cannot be displayed. The file may have been moved, renamed, or deleted. Verify that the link points to the correct file and location.
3 Sent through www.intermedia.com
[1] The Nuclear Energy Institute (NEI) is the organization responsible for establishing unified industry policy on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations and entities involved in the nuclear energy industry.
Hearing Identifier:
NRR_DMPS Email Number:
185 Mail Envelope Properties (41207040FCA6A84984074E806C73D73EE20B13)
Subject:
[External_Sender] FW: NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)
Sent Date:
8/16/2017 4:05:06 PM Received Date:
8/16/2017 4:05:32 PM From:
FREGONESE, Victor Created By:
vxf@nei.org Recipients:
"Morton, Wendell" <Wendell.Morton@nrc.gov>
Tracking Status: None "Rahn, David" <David.Rahn@nrc.gov>
Tracking Status: None Post Office:
mbx023-e1-nj-2.exch023.domain.local Files Size Date & Time MESSAGE 4366 8/16/2017 4:05:32 PM 08-16-17_NRC_NEI 17-XX-Industry-Comments-NEI-Cover Letter.pdf 54333 08-16-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-General Comments_Attachment1.pdf 74548 08-16-17_NRC_NEI_17-xx-Consolidated Industry Comment-8-16-17-Editorial Comments_Attachment2.pdf 105134 08-17-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-Clarification Comments_Attachment3.pdf 206858 Options Priority:
Standard Return Notification:
No Reply Requested:
No Sensitivity:
Normal Expiration Date:
Recipients Received:
JERUD E. HANSON Senior Project Manager, Life Extension & New Technology 1201 F Street, NW, Suite 1100 Washington, DC 20004 P: 202.739.8053 jeh@nei.org nei.org August 16, 2017 Ms. Cindy Bladey Mail Stop: TWFN-8 D 36M Office of Administration U.S. Nuclear Regulatory Commission Washington, DC 20555-0001
Subject:
NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)
Project Number: 689
Dear Ms. Bladey:
The Nuclear Energy Institute (NEI)1 and the industry appreciate the opportunity to provide integrated industry comments on the Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22. The purpose of this RIS is to clarify the NRCs endorsement of NEI 01-01 by providing additional guidance for preparing and documenting the qualitative assessment used to provide reasonable assurance that a digital modification will exhibit a low likelihood of failure, which is a key element in 10 CFR 50.59, Changes, tests and experiments, evaluations of whether the change requires prior NRC approval. This RIS supports our mutual interest in more efficient and effective licensing of digital upgrades across the operating fleet and we look forward to issuance in the third quarter of 2017. Our principal comments are included below and more detailed comments are presented in the attachments for consideration by the NRC staff.
We appreciated the opportunity to participate in a public meeting to conduct a tabletop exercise utilizing the draft RIS 2002-22 Supplement for Digital I&C upgrades at nuclear power reactor facilities under 10 CFR 50.59 on August 2, 2017. The draft RIS provided an effective framework for conducting digital upgrades within the scenarios that were demonstrated.
1 The Nuclear Energy Institute (NEI) is the organization responsible for establishing unified industry policy on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations and entities involved in the nuclear energy industry.
Ms. Bladey August 16, 2017 Page 2 Application to safety-related systems The scope of the RIS and attachment should be clearly stated as intended to be used for safety-related systems only. It should be clear that the RIS could, or might be used as guidance for non-safety related upgrades only if desired by licensees. Therefore, industry requests that the RIS should provide sufficient clarity to avoid an interpretation that it is viewed as mandatory for non-safety related systems. Comment
- 1 within attachment #1, provides suggestions to address this point.
Impact on digital system common cause failure The draft RIS is characterized as a means to allow for low risk (non-protection systems) changes to safety systems to go forward under 50.59, but there is no discussion of risk considerations. Instead, it includes a recommended level of rigor for the engineering evaluations needed to support the 50.59 process without providing any assurance that these will be accepted for low risk systems. These low risk systems have been incorrectly included in the current NRC staff position on common cause failure (CCF) policy, due to changes over time to Branch Technical Position (BTP) 7-19. It should be clearly stated how the RIS impacts the current NRC policy/position that addresses digital system CCF. Comment #2 within attachment #1, provides suggestions to address this point.
Application to non-power reactors This RIS should be applicable to include non-power reactors (NPRs). Relevant guidance contained within NEI 96-07 and RG 1.187 is applicable to NPRs, and digital upgrades at NPRs should be addressed within this RIS. Comment #3 within attachment #1, provides suggestions to address this point.
We appreciate the opportunity to comment on the Draft RIS. If you have any questions or require additional information, please contact me.
Sincerely, Jerud E. Hanson Attachments c:
Jason Drake, NRR, DE
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - General Comments Comment No.
Section/Page #
Industry Comment Recommended Change 1
1.
General The scope of the RIS and attachment needs to be limited to safety-related systems only.
It should be very clear that the RIS could, or might be used as guidance for non-safety related upgrades if desired. The RIS should provide sufficient clarity to avoid an interpretation that it is to be viewed as mandatory for non-safety related systems.
Clearly state the applicability of the RIS and attachment is intended to be used for safety related systems only.
2.
General The Draft RIS was characterized as a means to allow for low risk (non protection systems) changes to safety systems to go forward in 50.59, but there is no mention of any sort of risk considerations in the Draft RIS.
Instead it mainly provides a recommended level of rigor for the engineering evaluations needed to support the 50.59 without providing any assurance that these will be accepted for low risk systems that have been incorrectly pulled into the CCF policy due to changes to BTP 7-19. Nowhere in this RIS is a statement on scope of the policy on CCF, in fact it seems to reinforce the current content of BTP 7-19 into not only safety related components but non safety components that are in the licensee design basis.
Describe how the RIS impacts the current NRC policy/position documents that address digital system CCF, such that end users of the RIS are clear how, or if, other NRC CCF policy/position documents apply to the activities within the scope of the RIS.
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - General Comments Comment No.
Section/Page #
Industry Comment Recommended Change 2
3.
General The non-power reactor community was not included in consideration of this RIS.
At the May 25, 2017 public meeting on this proposed RIS there was discussion of the importance of including non-power reactor licensees within this proposed RIS. The general consensus was that non-power reactors should be included within its scope. It appears that the exclusion of non-power reactors from RIS 2002-22 was likely an oversight. EPRI TR-102348 and Generic Letter 95-02 are referenced in NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, for use by the non-power NRC staff and licensees in licensing DI&C upgrades. Though they followed after the issuance of NUREG-1537, the revision to EPRI TR-102348 (NEI 01-01) and related RIS 2002-22 are also used by the non-power NRC staff and licensees in licensing DI&C upgrades. NEI 96-07 and associated RG 1.187 are also applicable to non-power reactor licensees.
Please include non-power reactors within the scope of the RIS.
4.
General The RIS does not specify whether the NRC expectation is that the Qualitative Assessment guidance is to be used for 50.59 screening.
Add a statement that the RIS is intended to be used for 50.59 evaluations, but may be consulted during the 50.59 screening process.
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 1
1.
Draft RIS Page 1 Intent Paragraph In the ninth line of this paragraph, please augment the implicit statement of applicability to ensure that the reader recognizes that RIS 2002-22 is being supplemented rather than supplanted. The text does not make this extremely clear and unambiguous.
Replace this RIS is to clarify the NRCs endorsement of NEI 01-01 with this supplemental RIS clarifies still-active RIS 2002-22 that endorsed NEI 01-01 2.
Draft RIS Page 2 Section titled
Background
Information Background Information section, first full paragraph, Correct the title of NEI 96-07, Evaluations should be Implementation.
Correct text as noted.
3.
Draft RIS Page 3 Section titled Summary of Issue Section At the end of the last sentence in the paragraph starting Specifically, this RIS add words that clarify that the problem is in software.
Revise from methods to demonstrate the likelihood of failure To
.methods to demonstrate the likelihood of failure from software design errors 4.
Draft RIS Page 4 Section titled Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 For readability, please consider bolding these italicized section headers to make them stand out in the rest of the text.
Use bold text for section headers.
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 2
5.
Draft RIS Page 4 Section titled Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 In the second full paragraph, second line, the word appropriate is ambiguous.
The last sentence in this paragraph is very long.
Replace appropriate with something more like applicable Split the last sentence into applied to the proposed design. Using such standards 6.
Draft RIS Page 4 Section titled Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 In the paragraph starting To assist licensees, the second line, the sentence should be simplified.
Replace the NRC staff has clarified within the attachment to this RIS its position with the attachment to this RIS clarifies the NRC staff position In the last sentence of this paragraph, delete clarification within the as the attachment describes is sufficient.
7.
Draft RIS Page 4 Section titled Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 In the next to last line of the first paragraph, it is not clear what alter the conclusions of means to a licensee.
Replace alter the conclusions of by the safety analysis with alter the conclusions of or not be bounded by the safety analysis in the UFSAR
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 3
8.
Draft RIS Page 4 Section titled Backfitting and Issue Finality Discussion In the first paragraph, please reiterate that this RIS supplements, but does not supersede, RIS 2002-22.
In the second paragraph, the first sentence does not define on whom the guidance might be imposed.
Replace supplements RIS 2002-22 with supplements but does not supersede RIS 2022-22 Rework the first sentence in the second paragraph.
9.
RIS Attachment, page 1, Purpose The first paragraph, first sentence is excessively long, with the result of being difficult to read and understand.
Replace 10 CFR 50.59 Rule, for use as guidance for implementing with 10 CFR 50.59 Rule. This RIS provides guidance for implementing 10.
RIS Attachment, page 1, Purpose In the second paragraph, reinforce that this is a supplemental RIS.
Change to provide clarifying guidance with to provide supplemental clarifying guidance Change Following this guidance will help with Following the guidance in the RIS 2022-22 and NEI 01-01, as augmented by the guidance in this RIS 11.
RIS Attachment, page 1, Likelihood Justifications This second would be easier to find if it were set in bold type.
Change the format to bold on all section headers throughout the attachment, including those that are underlined.
12.
RIS Attachment Page 2, Regulatory Clarification In the first paragraph, last sentence, there are extra words, and a missing reference to where the characteristics that should be evaluated are defined.
Delete both that in the sentence, and replace there are some important with several important.
Provide some reference, even within the RIS, to the important characteristics that we should evaluate.
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 4
13.
RIS Attachment Page 3 In the paragraph starting 10 CFR 50.59 (c)(2)(vi) in the fourth line, that is missing.
Replace reasonable assurance the likelihood with reasonable assurance that the likelihood 14.
RIS Attachment Page 4, Section 2.2, Step 1 Bullets contain quoted guidance from NEI 01-01 and NEI 96-07, Rev 1; however, in a couple cases, the quoted information is not correct.
Revise bullets 1 and 3 to ensure the quoted text is accurate and traceable to the source document.
15.
RIS Attachment Page 7, last paragraph Delete the entire paragraph beginning with: Documentation is needed..
Replace with the following:
Documentation is needed to demonstrate the proposed design will not create malfunctions with different results or initiate a different type of accident not previously analyzed in the UFSAR. Within the concept of layers of defense, acceptable justification for concluding an accident of a different type will not be initiated to include the postulated new accident is only possible after a sequence of multiple unlikely independent failures. This type of justification should also be documented as part of the qualitative assessment.
16.
RIS Attachment Page 8 In the last line, a reference to the major section we are in is not helpful.
Either revise Section 4.2 to be more useful, or remove the reference to a general section in the RIS Attachment.
17.
RIS Attachment Page 8,Operating Experience In the second paragraph, the subject (software and hardware) is plural.
In the last sentence, the phrase along with consideration of the supplier of such equipment should be set off in leading and trailing commas.
Replace modification has with modification have Add commas before and after the phrase.
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 5
18.
RIS Attachment Page 9, 4.2.1 2nd paragraph.
Revise the following from:
.do not result in a potential.
To:
do not result in more than minimal 19.
RIS Attachment Page 9, 4.2.1 In the first paragraph, last sentence, it might be clearer if the three steps in the justification were numbered (e.g., 1) a thorough description of the,
- 2) the design attributes..., and 3) a clear description Further, it is not clear how extensive thorough is expected to be.
Please consider clarification of this paragraph. Delete thorough.
20.
RIS Attachment Page 10, 4.2.1.2 Sentence beginning with If the qualitative assessment..
Revise the following from:
..a new type of accident, a malfunction with a new result, or an unbounded malfunction or accident now exists due to the combing of functions creating new malfunctions, or new inter-system interactions, etc, then..
To:
a new type of accident or, a malfunction with a different result now exists due to the combination of functions, then.
21.
RIS Attachment Page 10 First paragraph.
Revise the following from:
.the potential for new malfunctions or accidents should be evaluated.
To:
the potential for malfunctions with a different result or accidents of a different type should be evaluated
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 6
22.
RIS Attachment Page 11, 1st paragraph The first sentence is too long.
Replace development organization that provides for common and repeated use, rules with development organization.
These quality standards provide rules and move for common and repeated use to the end of the sentence, replacing context with context, for common and repeated use.
23.
RIS Attachment Page 11, 4.2.3 In the last sentence of the first paragraph, there are extraneous words and an imprecise set of references.
In the last sentence of the first paragraph, delete other avenues for performing the change, i.e., and list all avenues.
24.
RIS Attachment Page 11, 4.2.3 In the first sentence of the last paragraph, there are extraneous words.
Replace guidance provides the kind of process that should be engaged when using this guidance with.. guidance illustrates the process to use this guidance.
25.
RIS Attachment Figure 1 The diamond near the top of the page states Does the proposed change have the characteristics described in the attachment to the RIS?. It is suggested that the characteristics being reference be pointed out specifically in the RIS attachment.
Change the phrase to state Does the proposed change have the characteristics described in RIS attachment section 3?
26.
RIS Attachment Figure 1 The second decision block language is not consistent with the verbiage used in 10 CFR 50.59.
Revised the second decision block question verbiage to align with 10 CFR 50.59.
INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 - Editorial Comments Comment No.
Section/Page #
Industry Comment Recommended Change 7
27.
RIS Attachment Table 2 Step 1.
Revise wording from:
What are all of the UFSAR design functions..
To:
What are all of the UFSAR described design functions Alternatively, What are all of the design functions described in the UFSAR 28.
RIS Attachment Table 2 Step 4, 2nd bullet.
Revise wording from:
The digital components likelihood of postulated CCF likelihood To:
The digital components postulated CCF likelihood 29.
RIS Attachment Table 2 Step 3.
Revise wording from:
Could those potential impacts already be bounded by the results of the design basis analyses, or would the analyses need to be revised to address it?
To:
Are potential impacts already bounded by results previously evaluated in the UFSAR or would the safety analyses need to be revised to address potential impacts?
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 1
1.
ALL The DRAFT RIS uses the term, qualitative assessment more than 15 times throughout the RIS. In the context where it is used, in most case, either an implicit or explicit definition is stated. This is confusing.
Also, in a few random cases effective qualitative assessment is used. This DRAFT RIS does not define the differences between the two. Overall, effective qualitative assessment seems out of place because either the conclusions of a qualitative assessment support the outcomes when used in a 10 CFR 50.59 Review or they do not Define the term qualitative assessment once, then only use the term in the balance of the text.
Suggest using a definition that states that the purpose of the qualitative assessment is to demonstrate reasonable assurance of adequate quality and low likelihood of failure through a review of the system design process and design features. This would be consistent the with NEI 01-01 discussion of dependability (page 5-14).
For clarity and to avoid confusion, remove the word effective from effective qualitative assessment throughout the text.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 2
2.
ALL The terms safety significance and safety significant are used throughout this section without formal definitions.
It is noted that use of these terms is limited to defining the level of documentation that is worthwhile and is not used as input to answering the 50.59 questions.
The scope of the draft RIS is such that the definition of safety significant is not consistent with its use in other regulatory applications The term safety significant as used in regulatory applications today generally has a definition that is much broader than just the licensing basis for the plant and often includes risk-insights (e.g., see the definition of safety significant in 10CFR50.69). Throughout the Qualitative Assessment Framework, review of the modification under 50.59 is restricted to the plant design basis as documented in the UFSAR. As the Qualitative Assessment Framework clearly is limited to the licensing basis for the plant and is neither risk-informed nor considers risk insights, the term safety significant should be avoided and replaced with a regulatory term having a formal definition applicable to the scope of this guidance, important to safety (as defined in the UFSAR).
Suggest using important to safety as defined in the UFSAR as it has a formal regulatory definition associated with the design basis.
3.
Draft RIS Page 1 Intent Paragraph The term reasonable assurance is used here and in footnote 1. No basis is provided for use of a different standard as used in the RIS, versus the broader regulatory standard. What is the source for the footnote?
Having different definitions of this term will cause confusion. As an example, the RIS uses the term reasonable assurance nearly 20 times throughout the document in various contexts. In many cases, the RIS includes quotes from NEI 01-01 with this term included.
Remove the footnote, or, further define the term adequate degree of certainty.
Identify the Regulatory sources of the footnote that clearly defines the difference between adequate degree of certainty and broader NRC regulatory standard.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 3
4.
Draft RIS Page 2 Section titled
Background
Information In the third full paragraph, fifth line, reinforce the idea that this supplement is to be used with RIS 2002-22.
Replace This RIS supplements the NRC Staffs previous endorsement of the NEI 01-01 guidance with This RIS supplements the still-active RIS 2002-22 endorsement of NEI 01-01 guidance At the end of the paragraph, explain that this RIS is expected to provide the additional detail necessary to ensure resolution of the issues that have occurred when applying RIS 2002-22 and NEI 01-01.
5.
Draft RIS Page 2 Section titled
Background
Information In the last full paragraph on this page, IAP MP #1 is mentioned in the context of 50.59.
Explain how the CCF portion of the modernization plan interacts with the 50.59 evaluation in the RIS discussion.
6.
Draft RIS Page 3 Summary of Issue Section With respect to the text including the statement: there may be a potential for a marginal increase in the likelihood of malfunctions Although this statement paraphrases NEI 01-01, Section 4.3.2, it seems to imply that digital upgrades will always result in a marginal increase in malfunction likelihood. In practice, industry has observed the opposite - that digital upgrades tend to decrease malfunction likelihood as most digital upgrades eliminate single points of vulnerability, provide for signal validation, afford internal diagnostics and alarming capabilities - to name just a few characteristics that go beyond the capabilities of their analog counterparts.
This sentence may cause confusion within industry and with regional inspectors if it is interpreted to mean that digital upgrades are expected to increase malfunction likelihood.
Clarify this statement to be clear that digital upgrades are not always expected to increase malfunction likelihood.
Rephrase to use the no more than minimal increase text from 50.59.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 4
7.
Draft RIS Page 3 Section titled Summary of Issue Section The sentence leading into the last paragraph on the page:
The RIS pulls out a statement from RIS 2002-22 and states that the Draft RIS does not change NRC staff position, which apparently is that NEI 01-01 provides an acceptable means. This seems to be at odds with the statements in the final two paragraphs of this section that the appendix will provide content, rationale and evaluating factors to be addressed, along with a short list of design attributes primarily drawn from the existing BTP 7-14.
Please clarify whether there is a change in NRC staff position from what was previously endorsed in NEI 01-01.
8.
Draft RIS Page 4, Section titled Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 With respect to the text including the statement: ensuring that the uncertainty of qualitative assessments is sufficiently low What is meant by this statement? Generally speaking, the qualitative assessment is used to draw the conclusion that the digital change has a low likelihood of failure.
Suggest deleting this portion of the sentence as it may cause confusion.
9.
RIS Attachment /
Pages 1-17 The attachment seems to explicitly specify a quality process, structure and format for the qualitative assessment that if left without clarification, could result in a significant impact on the industry in the areas of procedures, qualification, and training, if the interpretation is that the qualitative assessment attributes are viewed as mandatory.
In the Purpose section of the Attachment, It should be made clear that the format, content, and structure of the Attachment is an example of what an acceptable Qualitative Assessment could contain, and that the implementation details are up to the licensee.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 5
10.
RIS Attachment /
Pages 1-17 Outcomes from a qualitative assessment that would in turn be used as engineering/technical information in a 10 CFR 50.59 review are specified as finds, final determination, resulting, etc. This inconsistent verbiage is confusing.
Examples of this are:
Section 2.1, last paragraph Page 2 of 17, 3rd paragraph Section 3, 1st paragraph Recommend that the outcome of a qualitative assessment be described as conclusions because conclusions are the translation of the results. Therefore, the conclusions of an assessment are the engineering/technical information that is important to the 10 CFR 50.59 review.
11.
RIS Attachment Page 2, 1st Paragraph In section 2.1 (likelihood justifications) the attachment discusses the link between dependability and likelihood of failures, but in the next to the last paragraph, there seems to be an interchangeable use of reliability and dependability, recommend sticking to dependability. Furthermore, the inclusion of reliability in the next to the last paragraph in this section is a miss-representation of NEI 01-01 which makes this point that for some high risk systems, there may be a need to provide additional assurance of adequate defense in depth and diversity. Since there is no mention of this, in the section, it can only be implied that all changes, without regard to risk will require a demonstration of defense in depth, but some systems do not require defense in depth because there is no requirement to do D3, but this could be construed to put that requirement onto the licensee.
Recommend reconciling the use of reliability versus dependability in the documents.
12.
RIS Attachment Page 2, 3rd Paragraph This section discusses a reasonable assurance standard for evaluating low likelihood of failure.
Its important to note that the new digital equipment must only be as reliable/dependable as the equipment it is replacing. The likelihood of failure is relative to the equipment being replaced.
Revise section to include a statement that captures the following concept:
The new digital equipment is not held to a higher standard than the analog (or even digital) equipment it is replacing.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 6
13.
RIS Attachment Page 2, 7th Paragraph With respect to the text including the statement:
(whether or not classified as safety-related in accordance with 10 CFR Part 50, Appendix B)
Remove this statement from the paragraph, and if still necessary, place it elsewhere in the text, in a context that is not tied to 50.59.
14.
RIS Attachment Page 3, Section 2.2 Section 2 of this document is titled regulatory clarification, but later in 2.2 it seems to provide a framework for evaluating malfunctions of a different result, I think this is better handled in Appendix D or is sufficiently covered in 96-07, since there is really no new guidance here, any attempt to provide it (which it seems you didnt in step #3), then I recommend this part be deleted. If the framework is deemed important include it in section 4.
Delete or include in Section 4.
15.
RIS Attachment Page 3, 2nd Paragraph With respect to the text including the statement:
.the likelihood of common-cause failure (CCF) is much lower than The term much lower is used several places in the document, as well as the term significantly lower.
Recommend one term be defined and used consistently throughout the document.
16.
RIS Attachment Page 3, 2nd Paragraph With respect to the text including the statement:
.reasonable assurance the likelihood of common-cause failure (CCF)..
NEI 01-01 uses terminology similar to this and, by inference, is endorsed by RIS 2002-22. However, the applicability of the NEI guidance is limited to software failures (including common cause failures) and does not include other sources of CCF (such as hardware failures).
This limitation also should be reflected the RIS.
17.
RIS Attachment Page 3, 3rd Paragraph With respect to the text including the statement:
The above likelihood thresholds This conclusion in this section is acceptable, provided the applicability of the CCF statement of the 10CFR50.59(c)(2)(vi) threshold is limited to software failures. Otherwise the statement expands the scope of consideration CCF under 50.59 to well beyond the original RIS, NEI 96-07, the SRP, RG 1.70 and ANS/ANSI 51.1 & 52.1.
Clarify this section.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 7
18.
RIS Attachment Page 3, 5th Paragraph With respect to the text including the statement:
For activities that introduce a potential failure mode (e.g., CCF) that does not meet the above thresholds This section would be acceptable, assuming meeting the above thresholds means the likelihood of common-cause failure (CCF) is much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other CCF that are not considered in the UFSAR. If not clarified, this statement expands the scope of consideration CCF under 50.59 to well beyond the original RIS, NEI 96-07, the SRP, RG 1.70 and ANS/ANSI 51.1 & 52.1.
Where CCF has been included in the licensing basis of the plants in the past, it has required a regulatory analysis and gone through rulemaking (e.g, ATWS and SBO). Such a regulatory analysis has not been performed for digital CCF.
The statement also is inconsistent with the SRM to SECY 93-087 and BTP-19 which state that CCF is beyond the design basis.
Please clarify meeting the above thresholds 19.
RIS Attachment /
Page 3, Section 2.1 The following NOTE is stated, [Note: This likelihood threshold is not interchangeable with that for credible/not credible, which has a threshold of as likely as (i.e., not much lower than) malfunctions already assumed in the UFSAR.]
However, no basis for the note could be found in NEI 01-01 or NEI 96-07, Rev 1, or regulatory framework.
Identify the Regulatory source of the Note or revise the Note to add sufficient clarity (preferably with examples) to ensure it is not mistranslated by the industry.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 8
20.
RIS Attachment Page 4,Step 1 Section With respect to the text including the statement:
for the purpose of the 10 CFR 50.59 evaluation, credible malfunctions..
It is not clear that a credible malfunction considered in the technical evaluation is the same as a credible malfunction considered in the 50.59 process.
Add the following clarification/definition:
For the purposes of the technical evaluation, a CCF can be considered credible only if the likelihood of a CCF caused by an I&C failure source is greater than the likelihood of a CCF caused by other failure sources that are not considered in a deterministic safety analysis described in the UFSAR.
21.
RIS Attachment Page 4, Section 2.2, Step 1 Bullet nine - with respect to the text including the statement:
malfunctions previously thought to be incredible.
Step 1 in this process is to develop a list of possible malfunctions. Listing malfunctions that are previously thought to be incredible is not verifiable criteria and opens up the evaluation to any possible combination of failures (i.e., unrelated multiple failures).
This need to be reworded to something that is bounding within the plant design basis.
22.
RIS Attachment Page 4,Step 2 Section 2nd bullet, with respect to the text including the statement:
, there may be the potential marginal increase in likelihood of failure, including a single failure..
The statement identified in the bulleted item appears to be from NEI 01-01 Section 4.3.2. Where does the including a single failure wording come from?
Remove the statement including a single failure
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 9
23.
RIS Attachment Page 4, Section 2.2, Step 2 2nd bullet, with respect to the text including the statement:
For digital modifications, particularly those that introduce software What is this intended to mean?
Consider how digital modifications that do not involve software should be defined, as most digital equipment has software/firmware.
Examples are discrete logic chips and FPGAs.
Introduce software phrase could be taken that this only applies to analog to digital mods. It should also address digital to digital mods The use of redundant should also have independence stated. Please change to redundant and independent. This is a generic comment wherever redundancy is used. Independence is the key word.
Redundancy can be added in non-safety systems for reliability purposes only.
Please clarify the intent of the use of the term software in this section based on the comment.
Please consider the use of the term redundant and independent versus just the use of redundant.
24.
RIS Attachment Page 4,Step 2 Section This statement, although out of NEI 01-01, would seem to imply that digital upgrades will always increase the likelihood of failure, which has not been observed in actual practice where, in most cases, digital upgrades have been shown to decrease failure likelihood.
Also, in 50.59 it is common practice to consider the balancing of positive effects of installing the digital equipment (e.g., elimination of SPVs, signal validation, etc.) with the potential negative effects (e.g., SCCF, etc.) when arriving at the final conclusion of not more than a minimal increase in malfunction likelihood or accident frequency. The RIS does not appear to discuss using the balancing effects of the positives and negatives of digital upgrades.
Add supporting statement(s) that include acknowledgement of positive, not just negative, impacts of installing digital equipment.
Further, rephrase the statements that imply that digital systems will always increase the likelihood of failure to include the idea of no more than a minimal increase text from 50.59.
25.
RIS Attachment /
Page 4, Section 2.2, Step 2 Bullets contain quoted guidance from NEI 01-01 and NEI 96-07, Rev 1; however, the quoted text from the last three bullets could not be traced back to either source.
Revise the last three bullets to ensure quoted information is accurate and traceable to the source document.
Provide a reference to the source.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 10 26.
RIS Attachment Page 5, Section 3 The title of this section is Draft Characteristics of Proposed Modifications that Produce Effective Qualitative Assessments. The first paragraph of this section states:
The NRC staff finds that proposed digital I&C upgrades and modifications having all the characteristics listed below are more suitable to and effective for qualitative assessments and thus more likely to meet the 10 CFR 50.59 evaluation criteria.
The title and wording in this section imply that the Qualitative Assessment Framework is permitted only for digital modifications having all the characteristics in this section.
It is assumed that the term effective actually means produces positive results. The section reads more clearly without the word effective.
Clarify the applicability of the characteristics in this section to digital modifications.
Consider changing Do not to:
Do not create an adverse condition due to Remove that Produce Effective Qualitative Assessments from the title and delete more suitable to and effective for qualitative assessments and thus from the last sentence of the first paragraph to avoid misinterpretation of this section.
27.
RIS Attachment Page 5, Section 3 (1)
This sub-section states Digital I&C design function-for-design function replacements and upgrades to systems and components that: Is the qualifier design function-for-design function both meaningful and necessary?
Unless the phrase design function-for-design function provides additional criteria or meaning, it is suggested that it be removed.
If the term provides specific meaning, please provide the criteria for determining the function for function alignment.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 11 28.
RIS Attachment Page 5, Section 3 This section seems to constrain the digital modification to a very limited scope, which does not appear to meet the intent. For instance, it is not clear whether all of the attributes, or some of the constraints need to be met.
Applying these in a strict way would eliminate most digital changes being contemplated, or currently being done. For example:
- a. 1a)-b) These conditions appear to only allow designs that dont combine functions that were previously separate (this eliminates DCSs from being considered per this criteria, even if you use segmentation on separate controllers because they communicate via shared network, which is not acceptable).
- b. 2 could be construed to eliminate all safety systems that have two channels (chillers) from consideration since they will be digital and identical and this will screen them out before we even get a chance to demonstrate low likelihood of CCF.
- c. 3 is just a regurgitation of BTP 7-19 criteria, but the prelude to the section says that all criteria must be met, which is pretty much impossible for embedded devices.
Clarify the applicability and limitations of these constraints to address potential issues with items noted, such as:
DCS Upgrades Safety Chillers Embedded Devices 29.
RIS Attachment Page 5, Section 3 1(a) & 1(b)
The exclusion of systems using common HMI eliminates all non-safety related DCS upgrades from this RIS scope.
The type of systems that use shared resources should be in scope of this RIS which should describe that the licensee addresses combination of functions and spurious operation in the qualitative assessment.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 12 30.
RIS Attachment Page 5, 1st paragraph With respect to the text including the statement:
the qualitative assessment results alone are sufficient that software CCF does not need to be assumed The use of software CCF appears to limit the use of qualitative methods to demonstrate that CCF does not have to be assumed for other types of potential common cause failures.
The RIS should clearly define the scope of CCFs (software, etc.) being considered.
31.
RIS Attachment Page 5, Step 3 With respect to the text including the statement:
Only for possible malfunctions that do not have a sufficiently low likelihood based on the qualitative assessment in Step 2, determine whether the malfunction has a different result.
Clarify whether the different result is at the SSC level or plant level. The industry position is that the results are evaluated at the plant level, as discussed in the recent RIS public meeting.
32.
RIS Attachment Page 5, 1(b)
With respect to the text including the statement:
Do not incorporate new shared resources..... implicitly assumed Implicit assumptions are impossible to verify. Should provide clarification on whether system function equals design function and if so, use design function.
Remove implicitly assumed.
33.
RIS Attachment Page 6, Section 3 (2)
With respect to the text including the statement:
.that do not result in reduction of any aspects of independence This goes beyond reasonable assurance. Adding any software could and does result in a small quantitatively reduction.
Please reword with reasonable assurance language instead of using do not.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 13 34.
RIS Attachment Page 6, item (3)
With respect to the text including the statement:
as demonstrated through 100% testing There is a lack of clarity with industry (and perhaps regional inspectors) over what constitutes 100% testing, and this simplicity concept. Technical individuals working on the NEI/Industry DI&C teams have come to understand that any device containing software is not considered to be 100% testable, and we must assume a CCF.
If this is the case, then this RIS will only work for a very limited number of digital changes.
The 100% testing approach does not meet the qualitative intent of the RIS, and the reasonable assurance standard.
Eliminate the 100% testing criteria as the only test for simplicity.
35.
RIS Attachment Page 6, item (3)
With respect to the text including the statement:
bounded by previous FSAR analysis..
Address the use of the term bounding with respect to plant level in this section, and further define FSAR analysis as safety analyses 36.
RIS Attachment Page 6, 4th paragraph With respect to the text including the statement:
demonstration that the resulting replacement or upgrade design can tolerate the postulated triggering of that defect This statement would seem to indicate that we must assume a design defect and then assume the design defect is triggered. If this is the intent, the RIS will likely not work for most safety related SSCs (including the safety related chiller mod). If this is not the intent, should clarify the statement.
Add a discussion and clarify methods for demonstrating what would be an acceptable way of tolerating the triggering of a defect.
Clarify the statement to indicate whether a design defect must be assumed or not.
Define the basis for the design defect likelihood needing to be significantly lower.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 14 37.
RIS Attachment Page 6 last paragraph Page 7, first paragraph With respect to the text including the statement:
Alternatively, electrical independence can be demonstrated qualitatively The real purpose of this RIS is software and SCCF with respect to independence.
Using electrical independence may not be the best example for this RIS.
Add a clear language in this paragraph that states, software also can be addressed in a qualitative manner and consider using a digital example.
38.
RIS Attachment /
Page 7, Section 4.2 A new term, layers of defense is used and is not defined. If this is intended to refer to defense in depth, then defense in depth should be stated.
Either define the term layers of defense or use the term defense in depth.
Alternatively, provide a reference to the USNRC or industry document being used to define layers of defense.
39.
RIS Attachment Page 8, Quality Design Process With respect to the paragraph beginning with:
For digital equipment incorporating software..
These attributes may not be available or well documented for non-safety related equipment that contains software. NEI 01-01 was primarily written to evaluate changes to safety related SSCs. Quoting this paragraph within the RIS may lead some (including regional inspectors) to believe that all these attributes must be accounted for when implementing a non-safety related digital upgrade with software involved.
Clarify this section to acknowledge a different standard applies for non-safety related upgrades.
40.
RIS Attachment Page 8, Last paragraph With respect to the text including the statement:
.thoroughly documented within the licensees quality assurance (QA) program..
What is specifically meant by... documented within the licensees QA program? Does this mean a formal qualitative assessment document must be developed and placed within the engineering change package for future retrieval?
Please clarify the intent of this statement.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 15 41.
RIS Attachment Page 8, Last paragraph In section 4.2 the last paragraph on page 8 says All of these categories should be addressed and thoroughly addressed in the licensees quality assurance program, in consideration of the safety significance of SSCs described below in Section 4.2 (See table 1) There may be confusion about what this means.to be described in the QA program.
Please clarify intent of QA program reference.
Clarify QA program applicability is not based on safety significance of SSCs, but on the licensees Quality Assurance Program.
42.
RIS Attachment Page 8 Page 9, Table 1 Please add endorsed EPRI TR-106439 as an acceptable example for digital commercial grade dedication mods.
Please add the reference as noted.
43.
RIS Attachment Table 1 For Table 1, the list of acceptable examples, is this list intended to be addressed by each evaluation, or is this just a suggested list? For the design attributes, what is the expectation on behalf of the NRC that there be all items, or some items? Is the determination of adequacy up to the licensee or will this list constitute the basis for a Mods or 50.59 inspection?
Please clarify the applicability of the examples cited in Table 1, and their intended use.
44.
RIS Attachment /
Page 9, Table 1 Environmental Qualification implies a Regulatory programmatic requirement; however, based on the subsequent examples, (e.g., EMI/RFI, Seismic), this does not appear to be the context.
Revise environmental qualification to demonstrated tolerance (e.g., through qualification testing) to withstand environmental conditions within which the SSC is required to perform its design function (e.g., EMI/RFI, Seismic).
45.
RIS Attachment Table 1 Design Attributes Watchdog Timers - The RIS should not limit credit for external watchdog timers only. There are designs that have internal watchdog timers that operate independent of the software and are considered just a reliable as external watchdog timers (the digital reference adjuster used on the EDG voltage regulator project is an example of an independent internal watchdog timer).
Suggest changing to Watchdog timers that operate independent of software or something to that effect.
An acceptable alternative might be Watchdog timers that time out in hardware..
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 16 46.
RIS Attachment Table 1 Design Attributes Sufficiently simple and 100% testing are used here.
See previous comments on this subject.
Suggest acknowledging other types of testing to demonstrate the design is sufficiently simple, such as comprehensive, or exhaustive testing, versus just 100%
testing.
47.
RIS Attachment Table 1 Design Attributes Failure state always know to be Safe - An acceptable failure state could also simply be equivalent to the failure state of the device being replaced, not necessarily to the safe state.
Revise to describe that the failure state of the new digital equipment can be the same as the failure state of the existing equipment (whether or not the failure state is considered safe).
48.
RIS Attachment Table 1 Operating Experience The last bullet indicates that high volume commercial products are less likely to have deficiencies.
Augment the discussion to suggest that High volume, high quality commercial products with applicable operating history used in other applications have the potential to not include as many design errors.
49.
RIS Attachment Page 10, 4.2.1.1 This paragraph does not clearly distinguish between safety related and non-safety related SSCs. Digital communications (ISG-04) is a concern primarily with Safety Systems and is not applicable to non-safety systems. Though there is very good guidance in ISG-04, this section seems to make it required to be addressed for all classes of systems that might be evaluated by this process. Would digital communication between non-safety SSCs considered out-of-scope of this RIS? For example, a plant may have two (redundant) feedwater pumps - not for plant safety but for operational convenience. Would digital communication between the two feedwater pump controllers be out-of-scope for this RIS?
Please clarify applicable scope for digital communications criteria, to clearly specify that ISG-04 is applicable to only safety related modifications.
Please clarify to address how this might be applied to non-safety related examples.
Also, while ISG-04 is good guidance, and has been in place for more than a decade, it would be preferable to refer to more durable guidance.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 17 50.
RIS Attachment Page 10, 4.2.1.2 For section 4.2.1.2 the gist of this section is that combination is bad in all cases, however, there are cases where combination of previously separate components results in a more dependable system due to the tightly coupled nature and a reduction in complexity. A good example is the combination of Main Feed regulating valves with Feed bypass valves into one controller, this has allowed the industry to use one controller to control steam generator level through all power levels, where previously there was a manual cross over at a low power that often resulted in spurious level changes and plant trips due to loss of level control, those types of plant upsets are much less frequent with a combined system where both valves are controlled by one controller. A plant transient from both a bypass and MFRV may not be evaluated in the License but if the overall result from combining the two is a marked increase in dependability, in the aggregate.
Revise to acknowledge cases where combination of functions may result in a more reliable and safer system.
51.
RIS Attachment Page 10, 4.2.1.2, 3rd sentence With respect to the discussion on combination of functions:
This section should acknowledge that combination of functions is allowable where it does not create an adverse condition; the 3rd sentence does not accurately reflect verbiage consistent with 10 CFR 50.59.
Please add language that allows combination of functions where it does not create an adverse condition.
52.
RIS Attachment /
Page 10, 4.2.1.2, last sentence The phrase the other NRC-approved processes does not provide guidance.
If the other NRC-approved processes is intended to be license amendment request, so state. Else, define all the other processes that could be followed.
53.
RIS Attachment Page 10, 4.2.2 This section should include reference of EPRI TR-106439 as an acceptable example for digital commercial grade dedication mods.
Add the noted reference.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 18 54.
RIS Attachment Page 11 There is no expanded discussion on the Operating Experience topic.
Sections 4.2.1 and 4.2.2 expand on the other bullet points noted on Page 7 and Page 8 of the attachment (Design Attributes and Quality Design Process).
Revise document to use Section 4.2.3 as an expanded discussion on Operating Experience. Move current Section 4.2.3 content to another section of the document.
55.
RIS Attachment Page 11, 1st paragraph Quality Standards - please clarify the use of the term quality standards in the RIS. If the intent is to define a high quality design process, then the licensee Appendix B program should govern the activities as applicable.
It should be noted that there is no requirement for mandatory use of any other type of quality standard for non-safety related applications.
Clarify the use of the term quality standards.
56.
RIS Attachment Figure 1 It appears that the YES/NO labels should be reversed on the diamond near the top of the page which states Does the proposed change have the characteristics described in the attachment to the RIS?
Also, the first box appears to be selecting criteria. That is, if the characteristics dont match (e.g. no combinations, no communications, etc.)
they you cant use this process. If you exit the RIS 2017-xx process, then are on your own to use NEI 01-01 as originally endorsed in RIS 2002-22?
Flip the YES / NO labels.
Suggest being more specific by adding a specific section number of the RIS that details the characteristics. (RIS Section 3?)
Consider an exit to this process that shows the previous RIS/NEI 01-01 process.
57.
RIS Attachment Figure 1 The flowchart only addresses 50.59 Evaluations Questions 2 and 6.
Questions 1 and 5 do not appear to be addressed in the flowchart.
Suggest addressing Questions 1 and 5.
58.
RIS Attachment Figure 1 Conduct the Technical Analysis and Assess Vulnerabilities is split into two boxes, but in reality the vulnerabilities will be assessed in the design change (in the box that feed into the Conduct Technical Analysis). Is this split into two boxes because the RIS expect two distinct documents? Or do both of the boxes constitute the single Qualitative assessment as outlined in Table 2. The assumption is that it is broken out based on some thought model held by the staff, but in actuality this is all done under the design change process and is only documented in the 50.59 as a high level summary with sufficient detail to assist the approver of the 50.59 (and to support the NRC review under Mods inspections).
Provide explanation as to why this process is split into 2 boxes, and/or update Figure 1.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 19 59.
RIS Attachment Page 13, Section 5.1 This section appears to be written for safety-related software. In most cases, the evidence required in Section 5.1 would be difficult to compile for non-safety software containing COTS devices.
Update this section to reflect the level of documentation that might be typically seen for non-safety related upgrades.
Augment the software safety analysis to software safety analysis (as applicable) to capture the non-safety related equipment.
60.
RIS Attachment Page 13, Section 5.1 In Section 5.1 there is a statement that says that the Qualitative Assessment should provide evidence that a well-defined process for - and it continues on with a statement of components from BTP 7-14, which again is only applicable to safety-related software and would also be germane (but not required) for non-safety related software. What if any concessions are allowed for those non-safety and even those components that are Commercially dedicated where we will often credit extensive operating history and testing along with largely equivalent software processes, where portions of the software lifecycle are less relevant and not needed to make the Qualitative Assessment for less risk significant system that screen into 50.59 evaluation? See comment below on section 5.2 Revise document to address the software process typically seen for non-safety related and commercially dedicated equipment.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 20 61.
RIS Attachment Page 13, Section 5.2 In Section 5.2 there appears to be a hint of grading by safety significance, which is in keeping with the original NEI 01-01, but the two lists are not well defined, are you saying that the items on the list constitute a risk significant system? Are they in any order of risk significance, or are they all considered equally risk significant? With the contrary being deemed less risk significant and therefore less documentation required and the second list seems to have a function based criteria. Same question as above, (all risk significant; any sort of hierarchy implied?). Will this grading be up to the utility? Or will this RIS address which would be acceptable?
Please clarify basis and applicability of these grading criteria.
62.
RIS Attachment Page 13, Section 5.2 2nd bullet - With respect to the term accident mitigation system Is this statement referring to accident mitigation systems that are credited in the safety (or accident) analysis? There are some non-safety systems that can be used for accident mitigation but are not credited in the safety (accident) analysis (e.g., off-site power is the preferred source of power for mitigating accidents but is not generally credited as an accident mitigator in the safety (accident) analysis). There is some confusion in the industry when it comes to defining a SSCs that are considered accident mitigators.
Suggest clarifying by stating... accident mitigation system credited in the safety analysis.
63.
RIS Attachment Page 14, last paragraph With respect to the following statement:
It is the responsibility of the licensees 10 CFR 50.59 evaluator to demonstrate that the documentation of the design basis Request this section be clarified to differentiate between where design basis information is documented (for instance, the plant modification process), versus where licensing basis information is documented (for instance in the 50.59 evaluation).
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 21 64.
RIS Attachment Table 2 Step 1, last bullet:
Please add clarification that the evaluation should consider both active and inactive states.
Add clarification as described in comment.
65.
RIS Attachment Table 2 Step 1, 3rd bullet - Safety and power generation functions.
Please clarify what this statement is asking for, it is not entirely clear.
66.
RIS Attachment Table 2 Step 3 - Enhanced Safety Analysis.
Please define or clarify what enhanced is referring to.
67.
RIS Attachment Table 2 Step 3 - Failure Modes.
Please add a note stating that the failure mechanisms can change. Please add a note allowing us to eliminate failure modes of the original equipment in the replacement equipment.
68.
RIS Attachment Table 2 Step 4 - last paragraph, beginning with All assertions This statement implies that the licensee must assume a CCF.
If this is the case, please explain. If this is not the case, please reword or provide clarification.
69.
RIS Attachment Table 2 In Table 2: Steps 4 and 6 seem to be repeats, you make the assertions and provide the evidence, then repeat the assertions.
If not repeats, but rather two steps in a process, where identification is done in one step, and verification of resolution is provided in a separate process, then suggest clarification.
Leave one or the other out, the evidence needs to support the assertions either way.
Clarify why the two steps are provided.
70.
RIS Attachment Table 2 Step 5, 2nd paragraph, vectors to malfunctions.
If definition exists, please provide it; otherwise recommend deletion.
INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 - Clarifications Comment No.
Section/Page #
Industry Comment Recommended Change 22 71.
RIS Attachment Table 2 Step 5, first paragraph, evidence of the three qualitative assessment justifications.
Please provide a reference to an earlier section in the RIS or RIS Attachment where the three qualitative assessment justifications are provided for completeness.