Comment (1) of Jerud E. Hanson on Behalf of Nuclear Energy Institute on Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems

ML18088A158
Person / Time
Site:	Nuclear Energy Institute
Issue date:	03/27/2018
From:	Hanson J Nuclear Energy Institute
To:	Borges J Rules, Announcements, and Directives Branch
References
83FR11154 00001, NRC-2018-0044
Download: ML18088A158 (22)
v • d • e

Text

I

/

,/ Page 1 of 1 \,

' As of: 3/28/18 7:11 AM Received: March 27, 2018 Status: Pending_Post PUBLIC SUBMISSION Tracking No. lk2-9299-aq2m Comments Due: March 29, 2018 Submission Type: Web Docket: NRC-2018-0044 Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems Comment On: NRC-2018-0044-0001.

Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems Document: NRC-2018-0044-DRAFT-OOO 1 Comment on FR Doc# 2018-04958 Submitter Information Name: Jerud Hanson Submitter's Representative: Anya Barry Organization: Nuclear Energy Institute r

General Comment See attached file(s)

Attachments 03-27-18 NRC NEI Cover Letter for Member Comments on March 2018 RIS 03-27-18 NRC_NEI Member Feedback Spreadsheet - March 2018 RIS_Attachment 1 03-27-18 NRC_NEI March 2018 RIS with NEI Member Comments Incorporated_Attachment 2 1'3 ~ /ll5t/ ,

{j) 3 //r'/:?P/g-'

SUNSI Review Complete Template= ADM -013 E-RIDS= ADM-03 Add= 1~,t.iq (1.tJtJcut tr)( b lJ https://www.fdms.gov/fdms/getcontent?objectld=0900006483057bb8&format=xml&showorig=false 03/28/2018

JERUD E, HANSON Senior Project Manager, Life Extension & New Technology 1201 F Street, NW, Suite 1100 Washington, DC 20004

~I NUCLEAR ENERGY INSTITUTE P: 202.739.8053 .

• "jeh@nei.org nei.org March 27, 2018 Ms. Jennifer Borges Mail Stop: OWFN-14 A44 U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 Submitted via Regulations.gov

Subject:

NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2018-0044)

Project Number: 689

Dear Ms. Borges:

The Nuclear Energy Institute (NEI) 1 and our members appreciate the opportunity to provide comments on the Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22. The purpose of this RIS is to clarify the NRC's endorsement of NEI 01-01. The RIS provides additional guidance for preparing and documenting the "qualitative assessment" used to provide reasonable assurance that a digital modification . .

will exhibit a low likelihood of failure. This is a key element in 10 CFR 50.59 reviews used to determine if a change requires prior NRC approval. This RIS supports our mutual interest in effective and predictable licensing of digital upgrades.

On August 16, 2017, NEI submitted comments on the draft RIS. On January 26, 2018, we participated in a public meeting to review a revised draft of the RIS that the NRC staff had prepared for final issuance following the public comment period. NEI informed the NRC staff during this. meeting that the revised draft RIS did not adequately address stakeholder feedback and did not provide the regulatory clarity and predictability needed to enable licensing of digital upgrades. We appreciate the NRC staff conducting two additional public meetings (March 6 and March 14) in response to the stakeholder feedback provided at the end of January.

1 lhe Nudear Energy Institute (NEI) is the organization responsible for establishing unified industr/ policy on matters affecting its members, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, suppliers and nuclear materials licensees, nuclear medicine and radiopharmaceutical companies, companies using nuclear technologies in the agricultural, food, and industrial sectors, universities and research laboratories, law firms, labor unions, and international electric utilities.

NUCLEAR. CLEAN AIR ENERGY

Ms. Borges March 27, 2018 Page 2 Detailed comments on the March 2018 version of the draft RIS are provided in the attachments for consideration by the NRC staff. Included in the attachments is a consolidated list of comments of NEI members, as well as a marked up version of the draft RIS with NEI member feedback incorporated into the document using track changes. This has been provided in order to help facilitate a more effective review.

If you have any questions or require additional information, please contact me.

Sincerely,

£1?-.__---

Jerud E. Hanson Attachments c: Eric J. Benner, NRR, DE

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with the comment spreadsheet.

PAGE NO. RECOMMENDED CHANGE JUSTIFICATION Suggest revising the Intent Section, third paragraph as proposed in Stating that Dl&C upgrades associated with the RPS/ESFAS are out-of-revised RIS included with comment spreadsheet: scope for the RIS Supplement has the potential to communicate that SSCs supporting or actuated by the RPS/ESFAS logic would also be off the table. This change clarifies the scope.

Additionally, this paragraph states, in part, "This RIS does not provide ... guidance for addressing common cause failure ... Additional guidance for addressing potential common cause failure of digital l&C equipment is contained in other NRC guidance documents and NRC-2 of 5 endorsed industry guidance documents." Page 1 of 17 (second to last paragraph) of the RIS attachment states "Thus, the 'qualitative assessment' provides a means of addressing software CCF." The statement provided in the Intent.Section would seem to contradict the statement made on page 1 of 17 of the RIS attachment.

I Summary of Issue Section: Suggest deleting the first two sentences of the The first paragraph sends an unbalanced message to the public and other first paragraph of this section as proposed in revised RIS included with stakeholders, implying that digital modifications are adverse to safety.

comment spreadsheet.

3 of 5 Additionally, it would be appropriate to switch the order of the first two paragraphs of this section to provide a better flow of information.

I L. ~-----

Page 1 of9

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with th e commen t sorea d shee. t J

PAGE NO. RECOMMENDED CHANGE JUSTIFICATION Very last statement in the RIS front matter: Suggested rewording as The RIS Supplement should only provide guidance on development of a 5 of 5 proposed in revised RIS included with comment spreadsheet for Qualitative Assessment framework.

"Qualitative Assessment and Engineering Evaluation Framework."

RIS Supplement

Attachment:

Suggested wording proposed in revised RIS Comment 20 (page 10 of 17) recommends deletion of Section 4:

included with comment spreadsheet for changing the title of the Engineering Evaluation" in its entirety.

1 of 17 attachment from "Qualitative Assessment and Engineering Evaluation Framework" to "Qualitative Assessment Framework."

RIS Supplement Attachment, Section 1, Purpose (third paragraph) - Introduction of the term "Dependability Evaluation" is not beneficial and Suggest deleting this paragraph and removing "Dependability Evaluation" could cause confusion.

as proposed in revised RIS included with comment spreadsheet.

1 of 17 The RIS should only provide guidance on development of a qualitative assessment. With the addition of dependability assessments, a licensee will assume that two new documents will need to be produced.

RIS Supplement Attachment, Section 1, Purpose, fourth paragraph: Last sentence of the fourth paragraph seems out of place with the Suggest deleting this sentence as proposed in revised RIS included wi.th paragraph discussion.

1 of 17 comment spreadsheet.

RIS Supplement Attachment, Section 2 (second paragraph): Replace "Adverse" has a distinct meaning in the 50.59 screening process. The use "adverse" with "negative' in the document as proposed in revised RIS of adverse in the RIS does not line up with the meaning of adverse in 2 of 17 included with comment spreadsheet. 50.59 and is not necessary here.

Page 2 of9

- - - - _J

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with the comment spreadsheet.

PAGE NO. RECOMMENDED CHANGE JUSTIFICATION RIS Supplement Attachment, Section 2.1, regarding the statement "This The threshold for determining whether an event is credible or not is

'sufficiently low' threshold is not interchangeable with that for whether it is 'as likely as' (i.e., not 'much lower than') malfunctions distinguishing between events that are 'credible' or 'not credible'. already assumed in the UFSAR." This statement is irrelevant to the 2 of 17 Suggest deleting this statement as proposed in revised RIS included with discussion and may cause confusion. In addition, the terms "credible" and comment spreadsheet. "not credible" are not used anywhere else in the document.

RIS Supplement Attachment, Section 2.1: "For digital modifications, There is no basis for declaring that the potential for single CCF is directly particularly those that introduce software, there may be the potential proportional to the potential increase in likelihood of failure, as not all increase in likelihood of failure, including a single failure. For redundant failures are common cause and the statement is unnecessary.

SSCs, this potential increase in the likelihood of failure creates a similar increase in the likelihood of a common cause failure." Suggest deleting In practice, the introduction of digital equipment has proven to decrease 3 of 17 this statement as proposed in revised RIS included with comment the likelihood of failure due to such things as elimination of single points spreadsheet. of vulnerability and self diagnostics.

RIS Supplement Attachment, Section 2.1: Suggest rewording as proposed Criteria, conflicts with language in 96-07, Appendix D.

in revised RIS included with comment spreadsheet. Note that the proposed Criteria wording consolidates the wording provided on Lines 369 through 442. Therefore, it is also suggested that Lines 369 through 3 of 17 442 be deleted.

Page 3 of9

• NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with the comment spreadsheet.

PAGE NQ. RECOMMENDED CHANGE JUSTIFICATION RIS Supplement Attachment, Section 3 for Qualitative Assessments: Item (1) will be interpreted by licensees such that a non-safety related Suggest rewording as proposed in revised RIS included with comment digital control system would require a LAR to implement and would also spreadsheet. prevent a licensee from a simple one-for-one replacement of analog/pneumatic sequencer timing relays with modern timing relays containing an embedded digital device.

Item (2) addresses a reduction in redundancy, diversity, separation or independence. If these attributes are design features rather than design or regulatory requirements, it may not be necessary to maintain that level of UFSAR described redundancy, diversity, separation, or 4 of 17 independence. In other words, if these are not "credited" then maintaining those design features may not be required. This ls particularly true for non-safety related systems, where these attributes are not typically required.

Item (3) reintroduces 100% testing which is not achieved with software and then introduces an input/output state analysis. Licensees will assume this requirement applies to non-safety related equipment as well as safety related equipment.

RIS Supplement Attachme;nt, Section 3.1.1: Consider striking "need to" in Current wording would indicate a directive rather than an optional the following statement: "!However, design features external to the consideration.

proposed modification (e.g., mechanical stops on valves) may also need 6 of 17 to be considered." Suggested wording as proposed in revised RIS included with comment spreadsheet.

Page 4 of 9

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with the comment soreadsheet.

PAGE NO.

• RECOMMENDED CHANGE JUSTIFICATION RIS Supplement Attachment, Section 3.1.1 Suggest deleting last sentence Sentence is unnecessary as commentary and could potentially be in 3.1.1 as proposed in revised RIS included with comment spreadsheet. confusing.

6 of 17 RIS Supplement Attachment, Section 3.1.2 - Quality of the Design Process Licensees will interpret the guidance provided in this section in a way

- Suggest rewording as proposed in revised RIS included with comment that concludes non-safety related e~uipment must now comply with 7 of 17 spreadsheet for Section 3.1.2. Quality of the Design Process. industry standards.

RIS Supplement Attachment, Section 3.1.3, Operating Experience - See The language in this section is focused on applicability with specific sited the proposed revised RIS included with the comment spreadsheet for references or evidence. At the site inspection level, this type of language suggested changes to Section 3.1.3, Operating Experience. would appear to focus on traceability of documented evidence rather .

than evaluating and using operating history to inform the design. Vendors will not usually provide names of customers associated with a given problem report. Thus, traceability or specific references to environmental 7 of 17 conditions and other design attributes are not generally possible to obtain. Also, the guidance does not provide a clear expectation of what the use of operating experience is to accomplish.

RIS Supplement Attachment, Table 1 - See the proposed revised RIS In the first category, some of the guidance is not acheivable. The second included with the comment spreadsheet for suggested changes to Table category does not distinguish between safety and non-safety 9 of 17

1. requirements. In the third category, OE was revised to align with the revised section of OE.

Page 5 of9

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with the comment SDreadsheet.

PAGE NO. RECOMMENDED CHANGE JUSTIFICATION RIS Supplement Attachment, Section 4, Engineering Evaluations - Suggest Licensees already have very detailed and proceduralized digital design deletion of Section 4 in its entirety as proposed in revised RIS included guidance along with a quality assurance program. There is also an effort with comment spreadsheet. underway to standardize on an industry digital l&C design process.

NRC and licensees have not been fully aligned on adequate documentation of the design considerations employed in a proposed 10 of 17 digital activity. The new RIS should provide licensees with acceptable methods for developing qualitative assessments in a way that an inspector can understand pertinent design considerations. Therefore, the new RIS should focus only on development and documentation of qualitative assessments and should not provide digital l&C design guidance.

RIS Supplement Attachment, Figure 1 - Suggest deletion of Figure 1 as The process outlined in Figure 1 blurs the line between a dependability proposed in revised RIS included with comment spreadsheet. evaluation and a qualitative assessment. Figure 1 suggests only a dependability evaluation is needed. Figure 1 does not mention qualitative assessment, although the supporting information listed in Figure 1 is the supporting information that makes up a qualitative assessment. In short, 14 of 17 Figure 1 adds confusion to the process.

The RIS should only provide guidance on development of a qualitative assessment for evaluating equ.ipment/SSC reliability and CCF susceptibility.

Page 6 of9

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with th ecommen t sorea dshee. t PAGE NO. RECOMMENDED CHANGE JUSTIFICATION RIS Supplement Attachment, Table 2 - Suggest deleting Table 2 in its Table 2 contains approximately 22 questions. NEI 01-01 Appendix A entirety as proposed in revised RIS included with comment spreadsheet contains an additional 42 questions that licensees already address when*

since most of these questions are covered in NEI 01-01. developing a 50.59 Evaluation for digital plant changes. The majority of Table 2 are already covered by the questions in NEI 01-01 Appendix A.

15 of 17 However, licensees will feel obligated to address each Table 2 question individually in addition to the 42 NEI 01-01 Appendix A questions.

The proposed revised RIS included with the comment spreadsheet The draft RIS Supplement addresses digital hardware and software.

contains various editorial changes to specify that hardware within the Industry is concerned that new digital hardware requirements may be scope of the RIS is limited to.hardware on which software resides or implied by the RIS. Digital hardware should not be treated differently hardware which has been programmed using software (i.e., hardware than analog hardware. Analog hardware is not subject to an analysis of that contains a programmable logic device). CCF and likewise digital hardware should not be subject to an analysis of NA CCF. The draft RIS may lead some to believe that a CCF analysis of digital hardware is a requirement.

Page 7 of9

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with t he comment screa dsheet.

PAGE NO. RECOMMENDED CHANGE JUSTIFICATION Page 8 of9

NEI MEMBER COMMENTS TO MARCH 2018 DRAFT RIS 17-XX SUPPLEMENT-1 TO RIS 2002-22 C

NOTE: All recommended changes provided below have been incorporated into the proposed revised RIS provided with t he comment sorea dsheet.

PAGE NO. RECOMMENDED CHANGE JUSTIFICATION Page 9 of9

UNITED STATES NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION OFFICE OF NEW REACTORS WASHINGTON, D.C. 20555-0001 Month XX, 2018 DRAFT NRC REGULATORY ISSUE

SUMMARY

2002-22, SUPPLEMENT 1 CLARIFICATION ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN DESIGNING DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS ADDRESSEES All holders and applicants for power reactor operating licenses or construction permits under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities."

All holders of and applicants for a combined license, standard design approval, or manufacturing license under 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants." All applicants for a standard design certification, including such applicants after initial issuance of a design certification rule.

All holders of, and applicants for, a construction permit or an operating license for non-power production *or utilization facilities under 10 CFR Part 50, including all existing non-power reactors and proposed facilities for the production of medical radioisotopes, such as molybdenum-99, except those that have permanently ceased operations and have returned all of their fuel to the U.S. Department of Energy.

INTENT The U.S. Nuclear Regulatory Commission (NRC) is issuing a supplement to Regulatory Issue Summary (RIS) 2002-22, dated November 25, 2002 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML023160044). In RIS 2002-22, the NRC staff endorsed "Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01:

A Revision of EPRI TR-102348 to Reflect Changes to the 10 CFR 50.59 Rule," (Nuclear Energy Institute (NEI) hereinafter "NEI 01-01") (ADAMS Accession No. ML020860169). NEI 01-01 provides guidance for designing, licensing, and implementing digital upgrades and replacements to instrumentation and control (l&C) systems (hereinafter "digital l&C") in a consistent and comprehensive manner.

The purpose of this RIS Supplement is to clarify RIS 2002-22, which remains in effect. The NRC continues to endorse NEI 01-01 as stated in RIS 2002-22, as clarified by this RIS Supplement. Specifically, the guidance in this RIS Supplement clarifies the NRC staff's endorsement of the guidance pertaining to Sections 4, 5, and Appendices A and B of NEI 01-

01. This RIS Supplement clarifies the guidance for preparing and documenting "qualitative assessments," that can be used to evaluate the likelihood of failure of a proposed digital modification, including the likelihood of failure due to a common cause, i.e., common cause failure (CCF). Licensees can use these qualitative assessments to support a conclusion that a ML 18051AOS4

Draft RIS 2002-22 Supplement 1 Page 2 of 5 l

proposed digital l&C modification has a sufficiently low 1 likelihood of failure. This conclusion, and the reasons for itreaching that conclusion, should be documented as required by-.---j3ef 10 CFR 50.59(d)(1), as part of the evaluations of proposed digital l&C modifications against some of the criteria in 10 CFR 50.59, "Changes, tests and experiments."

This RIS Supplement is not directed toward digital l&G upgFades and replaeements large-scale analog-to-digital upgrades of the reactor protection system {RPS) systems and or engineered safety features actuation system {ESFAS}s, since application of the guidance in this RIS Supplement to such changes would likely involve additional considerations. This RIS Supplement does not provide new design proGess guidance, however, this RIS Supplement does highlight vulnerabilities that could be introduced by a digital modification. for addressing Gommon Gause failure of tho reaGtor proteGtion systems and engineered safety features aGtuation systems. Additional guidanGe for addressing potential Gommon Gause failure of digital l&G equipment is Gontainod in other NRG guidanGo doGuments and fl.JRG endorsed industry guidanGe doGuments.

This RIS Supplement requires no action or written response on the part of an addressee.

BACKGROUND INFORMATION By letter dated March 15, 2002, NEI submitted EPRI TR-102348, Revision 1 (NEI 01-01)for NRC staff review. NEI 01-01 replaced the original version of EPRI TR-102348, dated December 1993, which the NRC endorsed in Generic Letter 1995-02, "Use of NUMARC/EPRI Report TR-102348, 'Guideline on Licensing Digital Upgrades,' in Determining the Acceptability of Performing Analog-to-Digital Replacements Under 10 CFR 50.59, dated April 26, 1995 (ADAMS Accession No. ML031070081). In 2002, the NRC staff issued RIS-2002-22 to notify addressees that the NRC staff had reviewed NEI 01-01 and was endorsing the report for use as guidance in designing and implementing digital upgrades to nuclear power plant instrumentation and control systems.

Following the NRC staff's 2002 endorsement of NEI 01-01, holders of construction permits and operating licenses have used that guidance in support of digital design modifications in conjunction with Regulatory Guide 1.187, "Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, dated November 2000 (ADAMS Accession No. ML003759710), which endorsed NEI 96-07, "Guidelines for 10 CFR 50.59 Implementation,

Revision 1, dated November 2000 (ADAMS Accession No. ML003771157).

NRC inspections of documentation for digital l&C plant modifications prepared by some licensees using the guidance in NEI 01-01 identified inconsistencies in the performance and documentation of licensee engineering evaluations. NRC inspections also identified documentation issues with the written evaluations of the 10 CFR 50.59(c)(2) criteria. The term "engineering evaluation" refers to evaluations performed in designing digital l&G modifieations ofl:ior than the 10 GFR 50.59 evaluation, for example, evaluations performed under the liGensee's NRG approvod quality assuranGe program. This RIS Supplement clarifies the guidance for licensees performing and documenting engineering evaluations and the development of qualitative assessments.

In response to staff requirements memorandum (SRM)-SECY-16-0070 "Integrated Strategy to Modernize the Nuclear Regulatory Commission's Digital Instrumentation and Control Regulatory_

Infrastructure" (ADAMS Accession No. ML16299A157), NRC staff has engaged the public, including NEI and industry representatives, to improve the guidance for applying 10 CFR 50.59 to digital l&C-related design modifications as part of a broader effort to modernize l&C regulatory infrastructure.

1 NEI 01-01, Page 4-20, defines "sufficienUy low" to mean much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors).

Draft RIS 2002-22 Supplement 1 Page 3 of 5 Making available the guidance in this RIS Supplement is described as a near-term action in the integrated action plan to provide specific guidance for documenting qualitative assessments concluding that a proposed digital l&C modification will exhibit a sufficiently low likelihood of failure.

Applicability to Non-Power Reactor Licensees The examples and specific discussion in this RIS Supplement and other guidance referenced by this RIS Supplement (i.e., NEI 01-01 and original RIS 2002-22) primarily focus on power reactors. Nonetheless, licensees of non-power production or utilization facilities (NPUFs) may also use the guidance in RIS 2002-22 and apply the guidance in this RIS Supplement to develop written evaluations addressing the criteria in 10 CFR 50.59(c)(2). In particular, NPUF licensees may use the guidance to prepare qualitative assessments that consider design attributes, quality measures, and applicable operating experience to evaluate proposed digital l&C changes to their facilities as described in Sections 4, 5, and Appendix A of NEI 01-01.

However, certain aspects of the guidance that discuss the relationship of other regulatory requirements to 10 CFR 50.59 may not be fully applicable to NPUFs (e.g., 10 CFR Part 50, Appendix A and Bare not applicable to NPUFs).

SUMMARY

OF ISSUE In general, digital l&C modifications may include a potential f.or an increase in tho likelihood of equipment failures occurring within modified SSCs, including common cause failures. In particular, digital l&C modifications that introduce or modify identical software within independent trains, divisions, or channels within a system, and those that introduce nmv shared resources, hardware, or software among multiple control functions, may include such a potential. /\ qualitative assessment can be used to support a conclusion that there is not more than a minimal increase in the frequency of occurrence of accidents or in the likelihood of occurrence of malfunctions (10 CfR 50.59(c)(2)(i) and (ii)). A qualitative assessment can also be used to support a conclusion that the proposed modification does not create the possibility of an accident of a different type or malfunction with a different result than previously evaluated in the UfS/1.R (10 CfR 50.59(c)(2)(v) and (vi)).

For digital l&C modifications, an adequate basis for a determination that a change involves a sufficiently low likelihood of failure may be derived from a qualitative assessment of factors involving system design features, the quality of the design processes employed, and an evaluation of relevant operating experience of the software integrated software and hardware used and hardware t!Sed--(i.e., product maturity and in-service experience). A licensee may use a qualitative assessment to document the factors and rationale for concluding that there is an adequate basis for determining that a digital l&C modification will exhibit a sufficiently low likelihood of failure. In doing so, a licensee may consider the aggregate of these factors. The attachment to this RIS Supplement provides a framework for preparing and documenting qualitative assessments and engineering evaluations.

A qualitative assessment can be used to support a conclusion that there is not more than a minimal increase in the frequency of occurrence of accidents or in the likelihood of occurrence of malfunctions (10 CFR 50.59(c)(2)(i) and (ii)). A qualitative assessment can also be used to support a conclusion that the proposed modification does not create the possibility of an accident of a different type or malfunction with a different result than previously evaluated in the UFSAR (10 CFR 50.59(c)(2)(v) and (vi)).

In addition, this RIS Supplement clarifies the applicability of some aspects of the NRC policy described in Item 11.Q of SRM/SECY 93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light Water Reactor (ALWR) Designs," (ADAMS No. ML003708056), in regard to the application of 10 CFR 50.59(c)(2) criteria for digital l&C modifications.

Draft RIS 2002-22 Supplement 1 Page 4 of 5 BACKFITTING AND ISSUE FINALITY DISCUSSION This RIS Supplement clarifies but does not supersede RIS 2002-22, and includes additional guidance regarding how to perform and document qualitative assessments for digital l&C changes under 10 CFR 50.59.

The 'NRC does not intend or approve any imposition of the guidance in this RIS Supplement, and this RIS Supplement does not contain new or changed requirements or staff positions that constitute either backfitting under the definition of backfittirig in 10 CFR 50.109(a)(1) or a violation of issue finality under any of the issue finality provisions in 10 CFR Part 52. Therefore, this RIS Supplement does not represent bqckfitting as defined in 10 CFR 50.109(a)(1 ), nor is it otherwise inconsistent with any issue finality provision in 10 CFR Part 52. Consequently, the NRC staff did not perform a backfit analysis for this RIS Supplement or further address the issue finality criteria in 10 CFR Part 52.

FEDERAL REGISTER NOTIFICATION The NRC will publish a notice of opportunity for public comment on this draft RIS in the Federal Register.

CONGRESSIONAL REVIEW ACT This RIS Supplement is a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-I 808). However, the Office of Management and Budget has not found it-this RIS Supplement to be a major rule as defined in the Congressional Review Act.

PAPERWORK REDUCTION ACT STATEMENT This RIS provides guidance for implementing mandatory information collections covered by 10 CFR Part 50 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et.

seq.). This information collection was approved by the Office of Management and Budget (0MB) under control number 3150-0011. Send comments regarding this information collection to the Information Services Branch, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to lnfocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0011) Office of Management and Budget, Washington, DC 20503.

Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid 0MB control number.

Draft RIS 2002-22 Supplement 1 Page 5 of 5 CONTACT Please direct any questions about this matter to th_e technical contact(s) or the Lead Project Manager listed below.

Timothy J. McGinty, Director Christopher G. Miller, Director Division of Construction Inspection Division of Inspection and Regional Support and Operation Programs Office of Nuclear Reactor'Regulation Office of New Reactors Technical Contacts: David Rahn, NRR Wendell Morton, NRR 301-415-1315 301-415-1658 e-mail: David.Rahn@nrc.gov e-mail: Wendell.Morton@nrc.gov Norbert Carte, NRR David Beaulieu, NRR 301-415-5890 . 301-415-3243 e-mail: Norbert.Carte@nrc.gov e-mail: David.Beaulieu@nrc.gov Duane Hardesty, NRR 301-415-3724 email: Duane.Hardesty@nrc.gov (Specifically for non-power reactors)

Project Manager

Contact:

Tekia Govan, NRR 301-415-6197 e-mail: Tekia.Govan@nrc.gov Note: NRC generic communications may be found on the NRC public Web site, http://www.nrc.gov, under NRC Library/Document Collections.

Attachment:

Qualitative Assessment ans Engineering Evaluation Framework

.i

\

'i I

__ _ _ J

Qualitative Assessment and Engineering E'.'aluation Framework

1. Purpose Regulatory Issue Summary (RIS) 2002-22 provided the U.S. Nuclear Regulatory Commission (NRC) staff's endorsement of Nuclear Energy Institute (NEI} Guidance document NEI 01-01, "Guideline on Licensing Digital Upgrades: EPRI TR-102348, Revision 1, NEI 01-01: A Revision of EPRI TR-102348 To Reflect Changes to the 10 CFR 50.59 Rule." NEI 01-01 provides guidance for implementing and licensing digital upgrades, in a consistent, comprehensive, and predictable manner, as well as guidance in performing qualitative assessments of the dependability of digital instrumentation and control (l&C) systems.

The purpose of this attachment is to provide supplemental clarifying guidance to licensees to ensure that, if qualitative assessments are used, they are described and documented consistently, through an evaluation of applicable qualitative evidence. Following the guidance in RIS 2002-22 and NEI 01-01, as clarified by the guidance in this RIS Supplement, will help licensees document engineering judgements used in qualitative assessments are of "m--

sufficient detail ... that an independent third party can verify the judgements," as stated in NEI 01-01. While this qualitative assessment is used to support the Title 10 of the Code of Federal Regulations (10 CFR) 50.59, "Changes tests and experiments," evaluation, it-this RIS Supplement does not provide guidance for screening and it does not presume that all digital modifications "screen in."

Nel 01 01 uses the terms "qualitative assessment" and "dependability evaluations" interchangeably. Within this document only the terms "qualitath1 assessment" and "sufficiently

~ " are used in conjunotion with performance of 10 CFR aO.aQ evaluations. The term "dependability evaluation" is used in the context of engineering evaluations, which are not performed or documented as part of a 10 CFR a0.a9 evaluation, but engineering evaluations are performed in accordance with the licensee's ~IRC quality assurance program in developing digital l&C modification.

If a qualitative assessment determines that a potential failure (e.g., software common cause 2

failure (CCF)} has a sufficiently low likelihood, then the effects of the failure do not need to be considered in the 10 CFR 50.59 reviewevaluation. Thus, the "qualitative assessment" provides a means of addressing software CCF. In some cases, the effects of a software CCF may not create a different result than any previously evaluated in the updated final safety analysis report (UFSAR).

Sections 2 and 3 of this attachment provide acceptable approaches for describing the scope, form, and content of the type of a qualitative assessment described above. Section 4 of this attachment provides acceptable approaches for engineering evaluations that may be used in performing and documenting a qualitati>~e assessment.

2. Regulatory Clarification-Application of Qualitative Assessments to Title 10 of the Code of Federal Regulations, Section 50.59 When a licensee decides to undertake an activity that changes their facility as described in the updated final safety evaluation report, the licensee first performs the engineering and technical evaluations in accordance with plant procedures. If the licensee determines that an activity is acceptable through appropriate engineering and technical evaluations, the licensee enters the 2

NEI 01°01, Page 4-20, defines "sufficiently low to mean much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design fiaws, maintenance errors, calibration errors).

10 CFR 50.59 process. The regulations in 10 CFR 50.59 provide a threshold for regulatory review, not a determination of safety, for the proposed activities. In addition, 10 CFR 50.59 establishes the conditions under which licensees may make changes to the facility or procedures and conduct tests or experiments without prior NRC approval.

Evaluations 10 CFR 50.59 reviews must address all elements of proposed changes. Some elements of a change may have positive effects on SSC failure likelihood while other elements of a change may have adverse negative effects. As derived from the guidance in NEI 96-07, positive and negative elements can be considered together if they are interdependent. +Ais-means thatConversely, if elements are not interdependent, they must be evaluated separately.

2.1 Likelihood Properly documented qQualitative assessments may be used to support a conclusion that a proposed digital l&C modification has a sufficiently low likelihood of failure, consistent with the UFSAR analysis assumptions. This conclusion is used in the 10 CFR 50.59 WFittefl-..

evaluationreview to determine whether prior NRC approval is required.

Qualitative Assessment The determination that a digital l&C modification will exhibit a sufficiently low likelihood of failure can be derived from a qualitative assessment of factors involving system design attributes, the quality of the design processes employed, and the operating experience with the integrated software and hardware used---t!SeG-_(i.e., product maturity and in-service experience). Documenting the qualitative assessment includes describing the factors, rationale, and reasoning (including engineering judgement) for determining that the digital l&C modification exhibits a sufficiently low likelihood of failure.

The determination of likelihood of failure may consider the aggregate of all the factors described above. Some of these factors may compensate for weaknesses in other areas. For example, for a digital device that is simple and highly testable, thorough testing may provide additional assurance of a sufficiently low likelihood of failure that helps compensate for a lack of operating experience.

Qualitative Assessment Outcome There are two possible outcomes of the qualitative assessment: (1) failure likelihood is "sufficiently low," and (2) failure likelihood is not "sufficiently low." Guidance in NEI 01-01, Section 4.3.6, states, "sufficiently low" means much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other common cause failures that are not considered in the UFSAR (e.g., design flaws, maintenance error§, calibration errors).This "sufficiently low" threshold is not interchangeable with that for distinguishing between events that are "credible" or "not credible."

The threshold for determining whether an event is

credible or not is whether it is "as likely as" (i.e., not "much lower than") malfunctions already assumed in the UFS.A.R LjkeHhood Thresholds for 10 CfB 5Q,59tc)(2)0). W), ty), and tyj)

A key element of 10 CFR 50.59 evaluations reviews is demonstrating whether the modification considered will exhibit a sufficiently low likelihood of failure.For digital modifications, particularly those that introduce software, there may be a potential increase in likelihood of failure. For redundant SSCs, this potential increase in the likelihood of failure creates a similar increase in the likelihood of a common cause failure.

The "sufficiently low" threshold discussions have been developed using criteria from NEI 96-07, Revision 1, and NEI 01-01. They are intended to clarify the existing 10 CFR 50.59 guidance and should not be interpreted as a new or modified NRC position.

• Accident frequency and malfunction likelihood are directly related to the likelihood of failure of equipment that can initiate the accident or malfunction. If the outcome of the qualitative assessment of a proposed change concludes the likelihood of failure is sufficiently low, then there will be no more than a minimal increase in the frequency of occurrence of an accident or likelihood of a malfunction previously evaluated in the UFSAR by implementation of the proposed activity.

Similarly, accidents of a different type and malfunctions with a different result are limited to those that are as likely to happen as those previously evaluated in the UFSAR. If the outcome of the qualitative assessment of a proposed change concludes the likelihood of failure is sufficiently low, then there will be no failures introduced by the activity that are as likely to happen as those in the UFSAR that can initiate an accident of a different type or malfunction with a different result.

Therefore. A.§.lthough it-prior NRC approval may be required by other criteria, prior NRC approval willis not be required by 10 CFR 50.59(c)(2)(i), (ii), (v), and (vi) if-the outcome of the qualitative assessment concludes the likelihood of failure is sufficiently low.there is a qualitative

• assessment outcome of sufficiently low, as described below:

10 CFR 50.59(c)(2)(i)

Does the activity result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFS.A.R?

"Sufficiently low" threshold The frequency of occurrence of an accident is directly related to the likelihood of failure of equipment that initiates the accident (e.g., an increase in the likelihood of a steam generator tube failure has a corresponding increase in tho frequency of a steam generator tube rupture accident). Thus, an increase in likelihood of failure of the modified equipment results in an increase in the frequency of the accident. Therefore, if the qualitati1,1e assessment outcome is "sufficiently low," then there is a no more than a minimal increase in the frequency of occurrence of an accident*

-***--. i

_: .  : *i*

...

Draft RIS 2002-22 Supplement 1, Attachment Page 2 of 15 likelihood of failure of an auxiliary feedwater (Af:JJI/) pump has a corresponding increase in the lil<elihood of occurrence of a malfunction of SSCs the A'F'N pump and AFW system).

Thus, the lil<elihood of failure of modified equipment that causes the failure of SSCs to perform their intended design funotions is directly related to the likelihood of occurrence of a malfunction of an SSC important to safety. Therefore, if the qualitative assessment outcome is "sufficiently low," then the astivity does not result in more than a minimal insrease in the lil<elihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR.

10 crn aO.a9{c){2){vl Does the astivity sreate a possibility for an accident of a different type than any previously evaluated in the UFSAR?

"Sufficiently 10111' threshold ~IEI 9e 07, Revision 1, Seotion 4.3.6, states, "Acsidents of a different type are limited to those that are as lil~ely to happen as those previously e11aluated in the UFSAR." Acsidents of a different type are saused by failures of equipment that initiate an ascident of a different type. If the outcome of the qualitative assessment of the proposed change is that the likelihood of failure assosiated with the proposed astivity is "suffisiently low," then there are no failures introduced by the aotivity that are as lilrnly to happen as those in the UFS/\R that can initiate an accident of a different type. Therefore, tho astivity does not create a possibility for an accident of a different type than any previously evaluated in the UFS/\R. If the qualitative assessment determines that a potential failure (e.g., software CCF) does not have a suffioiently low lil<elihood, then the effeots of this failure need to be oonsidered in the 10 CFR §0.§9 evaluation.

'v 10 CFR 50.59{c)(2)(vi)

Doos the activity create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the UFSAR?

"Suffioiently lew" thresheld NEI 9e 07, Seotien 4.3.e, states, " ... malfunotions with a different result are limited te these that are as likely to happen as these in the UFS/\R." /\

malfunotion of an SSC important to safety is an equipment failure that oauses the failure of SSCs to perform their intended design funotions. If the outoome of the qualitative assessment of the proposed ohange is that the likelihood of failure assooiated with the proposed aotivity is "suffioiently low," then there are no failures introduoed by the acti>,ity that are as lil<ely to happen as those in the UFSAR. Therefore, the activity does not oreate a possibility for a malfunotion of an SSC important to safety with a different result than any previously evaluated in the UFSAR. If the qualitative assessment determines that a potential failure (e.g., software CCF) does not have a sufficiently low lilrnlihood, then the effeots of this

Draft RIS 2002-22 Supplement 1, Attachment Page 3 of 15 failure need to be considered in the 10 CFR 50.59 e1Jaluation using methods consistent with the plant's UFSAR

3. Qualitative Assessments The following examples of proposed changes are considered within the scope of this RIS. The list is by no means all-inclusive and is simply provided to illustrate the nature and relative complexity of proposed changes targeted by the RIS:The NRG staff has determined that proposed digital l&C modifications having the characteristics listed below are likely to result in qualitative assessment outcomes that support a sufficiently low likelihood determination: *

• Replacement of analog timing relays with digital timing relays on redundant load sequencer trains

• Replacement of analog voltage regulators and auxiliary support systems with digital equipment on redundant emergency diesel generators

• Replacement of turbine driven auxiliary feedwater system controls with digital controls

• Installation of breakers and relays (including timing relays) containing embedded digital devices on redundant safety related equipment

• Replacement of analog and electromechanical protective relays with digital multifunction relays on redundant safety related busses

• Replacement of analog controls on redundant *safety related chiller (HVAC} systems with digital controls

• Replacement of safety related analog recorders with digital recorders

• Replacement of safety related analog transmitters with digital (smart) transmitters

• Digital upgrades to non-safety related systems are within the scope of this RIS A complete analog-to-digital upgrade of the reactor protection system (RPS) or engineered safety features actuation system (ESFAS) or proposed changes that add new cross-channel communications between redundant safety related trains/equipment. would be considered beyond the scope of this RIS.

1. Digital l&C modifications that:

a) Do not create a CCF vulnerability due to the integration of subsystems or components from different systems that combine design functions that were not previously combined within the same system, subsystem, or component being replaced.

Note: "Integration," as used in this RIS supplement refers to the prooess of combining software oomponents, hardware components, or both into an overall system, or the merger of the design funotion of two or more systems or components into a functioning, unified system or oomponent. Integration also refers to the coupling of design funotions (software/ hardware) via bi direotional digital communioations. Modifioations can result in design funotions of different systems being integrated or oombined either directly in the same digital device or indireotly via shared resouroes, suoh as bi direotional digital oommunioations or networks, common oontrollers, power supplies, or visual display units. Suoh integration could be problematic because the safety analysis may have explioitly or implicitly modeled the equipment performing the design functions that would bo integrated on the basis

Draft RIS 2002-22 Supplement 1, Attachment Page 4 of 15 that it is not subjeot to any potential souroe of oommon cause failure.

b) Do not create a CCF vulnerability duo lo new shared rosouroes (such as pmvor supplies, controllers, and human maohino interfaces) with other design funotions that are (i) oxplioilly or implicitly dosoribod in tho UFSAR as funotioning independently from other plant design funolions, or (ii) modeled in the ourrent design basis lo be funotioning independently from other plant design funotions.

o) Do not affeot reaotor trip or engineered safety feature initiation/oontrol logio or emergenoy power bus load sequenoers.

2. Digital l&C modifioations that maintain the level of diversity, separation, and independence of design funotions desoribed in the UFSAR. A ohange that reduoes redundanoy, diversity, separation or independenoe of USFAR desoribod design funotions is oonsidered a more than minimal inorease in the likelihood of malfunotion.

3. Digital l&C modifioations that are sufficiently simple (as demonstrated through 100 peroent testing or a combination of testing and input/output state analysis); or demonstrate adequate internal diversity.

3.1 Qualitative Assessment Categories Consistent with the guidance provided in NEI 01-01, this attachment specifies three general categories of characteristics: design attributes, quality of the design process, and operating experience. Qualitatively assessing and then documenting these characteristics separately, by category, and in the aggregate provides a common framework that will better enable licensees_to document qualitative assessments "in sufficient detail ... that an independent third party can verify the judgements.:

Table 1 provides acceptable examples of design attributes, quality of the design processes, and documentation of operating experience. This listing is not-neither all inolusiveall-inclusive nor does the qualitative assessment need to address each specific item.

3.1.1 Design attributes

~lEI 01 01 Seolion 5.3.1 states:

To determine whether a digital system is suffioiently dependable, and therefore that the likelihood of failure is sufficiently low, there are some important oharaoteristics that should be evaluated. These oharaoteristies, discussed in more detail in the following seotions inoludo: Hardware and sofli.vare design features that oontribute to high dependability (See Scotian 5.3.4). Suoh [hardware and software design]

features inolude built in fault deteotion and failure management schemes, internal redundanoy and diagnostios, and use of softvvare and hardware arohiteotures designed to minimize failure consequenoes and faoilitate problem diagnosis.

Draft RIS 2002-22 Supplement 1, Attachment Page 5 of 15 Consistent with the above quoted text, d.Qesign attributes of a proposed modification can prevent or limit failures from occurring. A qualitative assessment describes and documents the integrated hardware and software design features that contribute to high dependabilityreliability. Design attributes focus primarily on built-in features such as fault detection and failure management schemes, internal redundancy and diagnostics, and use of integrated software and hardware used in the architectures aoo-to facilitate problem diagnosis. However, design features external to the proposed modification (e.g., mechanical stops on valves) may also fleeEl...te..be considered.

Many system design attributes, procedures, and practices can contribute to significantly reducing the likelihood of failure (e.g., CCF). A licensee can account for this by deterministically assessing the specific vulnerabilities through postulated failure modes (e.g., software CCF) within a proposed modification and applying specific design attributes to address those vulnerabilities (see Table 1).

An adequate qualitative assessment regarding the likelihood of failure of a proposed modification would consist of a description of: (a) the potential failures introduced by the proposed modificat_ion,

{b) the design attributes used to resolve identified potential failures, and (c) how the chosen design attributes and features resolve identified potential failures.

Diversity is one example of a design attribute that can be used to demonstrate an SSC modified Formatted: Indent: Left: 0.35", Right: 0.4",

with digital technology is protected from a loss of design function due to a potential common cause Widow/Orphan control, Keep with next failure. In some cases, a plant's design basis may specify diversity as part of the design. In all other cases, the licensees need not consider the use of diversity_ {e.g., as described in the staff requirements memorandum *on SECY 9a 087) in evaluating a proposed modification._Hmvever, diversity within the proposed designj§_g_, and any affected 88Cs is a powerful means for significantly reducing tho effects occurrence of failures affecting that affect tho accomplishment of design functions.

3.1.2 Quality of the Design Process Section 5.3.3 of r>IEI 01 01 states:

... f=or digital equipment incorporating software, it is well recognized that prerequisites for quality and dependability are experienced software engineering professionals combined with well defined processes for project management, softi.vare design, development, implementation, verification, validation, software safety analysis, change control, and configuration control.

Consistent with tho guidance provided in r>IEI 01 01, "Quality Design Processes" means those processes employed in the development of the proposed modification. Such processes include software development, hardware and software integration processes, hardware design, and validation and testing processes that have been incorporated into the development process. Quality of the design process is a key element in determining the dependability of SSCs affected by proposed modifications. Licensees employing design processes consistent with their NRG-approved quality assurance programs will result in a quality design process.

For safety-related digital equipment composed of hardware and software. this development process would be documented and available for referencing in the qualitative assessment for proposed modifications. However, for commercial-grade-dedicated or non-safety related digital equipment composed of hardware and software. documentation of the development process may not be readily available. In such cases, the qualitative assessment may place greater emphasis on the design attributes included and the extent of successful operating experience for the equipment proposed.

Quality of tho design process is a key element in determining the dependability of proposed

Draft RIS 2002-22 Supplement 1, Attachment Page 6 of 15 modifisations. Lisensees employing design prosesses consistent with their NRG approved quality assurance programs will result in a quality design prosess.The use of applicable industry consensus standards contributes to a quality design process and provides a previously established acceptable approach. In some cases, other nuclear or non-nuclear standards also provide technically justifiable approaches that can be used if confirmed applicable for the specific application.

For non-safety related SSGs, adherence to generally accepted commercial quality standards is sufficient. The qualitative assessment should list the generally accepted commercial industry standards (e.g., ISO 9001) used in development of the equipment. If NRG-endorsed industry standards were applied during the design and/or manufacturing process for non-safety related equipment, these standards may be documented in the qualitative assessment to provide additional evidence of quality.

Specific NRG-endorsed industry standards may be required for qualification of safety related equipment depending on the licensees Appendix B quality assurance program and specific commitments made within their licensing bases. The qualitative assessment should document the required industry standards used in the design as applicable. Any additional industry standards used may also be documented as this can help support the quality argument.When possible, the use of applicable industry sonsensus standards contributes to a quality design process and provides a previously established acseptable approash (e.g., Institute of Electrical and Electronics Engineers (IEEE) Standard 1074 2006, "IEEE Standard for Developing a Software Project Life Cycle Process," endorsed in Regulatory Guide 1.173, "Developing Software Life Cycle Prosesses for Digital Computer Software Used in Safety Systems of Nuclear Power Plant"). In some cases, other nuslear or non nuclear standards also provide technically justifiable approaches that can be used if sonfirmod applicable for the specifis application.

Quality standards should not be confused with quality assurance programs or procedures. Quality standards are those standards which describe the benchmarks that are specified to be achieved in a design. Quality standards should be documents that are established by consensus and approved by an accredited standards de>Jelopment organization. For example, IEEE publishes consensus based quality standards relevant to digital l&C modifications and is a recognized standards development organization. Quality standards used to ensure the proposed change has been developed using a quality design process do not need to be solely those endorsed by the NRG staff. The qualitative assessment document should demonstrate that the standard being applied is

\<alid for tho circumstances for which it is being used.

Draft RIS 2002-22 Supplement 1, Attachment Page 7 of 15 3.1.3 Operating Experience J

Section 5.3.1 of NEI 01 01 states, "Substantial applicable operating history reduces uncertainty in demonstrating adequate dependability."

Consistent with the above quoted te>G, rBelevant operating experience can be used to help evaluate and demonstrate that software and hardwarethe equipment employed in a proposed modification l=lave-has adequate dopondabilityreliability. The licensee may document information showing that the proposed system or component modification employs equipment with significant operating experience in nuclear power plant applications,_or in non-nuclear applications with comparable performance standards and operating environment. With a large population of in-service components/systems. operating experience provides a large installed test bed with many different environments and applications.

Operating experience can be used -is-in two basic ways: 1) calculation of an actual failure rate numbers or 2) a qualitative method that mines the failure data for both positives and negatives. Failure rate numbers based upon real performance data is the best quality indicator Wand calculated failure rate numbers can provide a comparison to the plant's existing components/systems. /\s for the gQualitative methods ,tRis-involves review of the reported failure descriptions. These reviews can provide supporting evidence and trends of either goodstrengths or sometimes weaknesses in the manufacture's quality processes. such as design control processes and product testing effectiveness.--Btc. The licensee may also consider whether the manufacturer suppliers of such equipment incorporates quality processes such as continual process improvement. incorporation of lessons learned. etc.* and document how that information demonstrates adequate equipment reliability.

Some key areas that may be used in evaluating operating experience include:

• Strength of the manufacturer's problem reporting system;.

• Identification of the manufacturer's threshold for problems reporting and how wl=laHs--

OOAethis with this information is utli2eautilized (i.e .* fu% ishow are-problems are --tl=lefe-trackediREI. are critical problems fixed in a timely manner. is data used for continuous improvement,et&.-)

• Evaluating for repetitive problem or failure trends which could be be possibleindicative of -siaB---Bf:a process weakness that requires further evaluation

• Evaluate different revisions and versions of the integrated equipment (composed of hardware and software) for issues that occur during design or manufacturing changes

• How "no problem found" is addressed and how large this population isThe licensee may also consider whether the suppliers of such equipment incorporate quality processes such as continual process improvement, incorporation of lessons learned, etc., and document how that information demonstrates adequate equipment dependability.

Operating experience relevant to a proposed digital l&C change may be credited as part of an adequate basis for a determination that the proposed change does not result in more than a minimal increase in the frequency of occurrence of initiating events that can lead to accidents or in more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the UFSAR. Differences may exist in the specific digital l&C application between the proposed digital l&C modification and that of the equipment integrated hardware and software whose operating experience is being credited. In all cases, however, tihe architecture of the referenced equipment and software should be substantially similar to that of the system being proposed. Note that an evaluation of multiple versions can provide evidence of stable

Draft RIS 2002-22 Supplement 1, Attachment Page 8 of 15 design and manufacturing processes. Further, the design conditions and modes of operation of the equipment whose operating experience is being referenced also needs to be substantially similar to that being proposed as a digital l&C modification.

For exaR1ple, one needs to understand what operating eonditions (e.g., ambient environR1ent, eontinuous duty, eta.) were experienced by the refereneed design. In addition, ijt is important to recognize that when crediting operating experience froR1 other faeilities, one needs to understand what design features were-are present in the design whose operating experienee is being credited.

Highly-configurable thea--components is R1eansindieates that may require a larger population of in-service data isR1ay be needed to GGVefaddress the potential different applications. Customized or rarely used functions should be avoided in operatingenal experience evaluations. Design features that serve to prevent or limit possible common cause failures in a design refereneed as relevant operating experienee should be noted and considered for inclusion in the proposed design. Doing so W8tlla-will provide additional support for a determination that the dependability reliability of the proposed design will be similar to the referenced application.

Table 1-Qualitative Assessment Category Examples Categories Examples for Each Catego[Y Design

• Defense-in-depth, functional diversity, independence, and redundancy (if Attributes applicable)gesign eriteria giversity (if: ap131ieable), Independence, and Redundaney.

• Inherent design features for integrated software and, hardware or architectural/network- @.&.,_W)!Yatchdog timers that interface with but operate independent of software, isolation devices, segmentation of distributed networks, self-testing, and self-diagnostic features}.

• Basis for identifying that possible postulated triggers are non-concurrent.

_*_Sufficiently s§Jmple ~and highly testableenabling ~ QQ pereent testing orcoR1prehensive testing in eoR1binatien with analysis of likelihood of occurrence of input/output states not tested).

• Unlikely series of events - evaluation of a given digital l&C modification requires postulating multiple independent detected and/or undetected random failures in order to arrive at a state in which a CCF is actually a concern.

• Elimination of single points of vulnerability.

• Assurance that failures in the new equipment either (1) places the affected SSC in a safe state, (2) are equivalent to or bounded by the failure state of the equipment being replaced, or (3) result in a failure state that is irrelevant at the plant level.Failt1re state always l~nown to be safe, er at least the saR1e state as allowed by the previot1sly installed eqt1ipR1ent safety analysis.

Quality of Safety Related Equipment:

the Design Process

• Compliance with industr:y standards as applicable and required by the plant's licensing basis and preferably those consensus standards currently endorsed by the NRC.

• For non-NRC endorsed codes and standards, the licensee should provide a documented explanation for why use of the particular non-endorsed software or system standard is acceptable.

• Use of Annendix 8 vendors or use of the commercial arade dedication

Draft RIS 2002-22 Supplement 1, Attachment Page 9 of 15 Table 1-Qualitative Assessment Category Examples Categories Exam12les for Each Catego!}'.

12rocess based on the guidance 12rovided in EPRI TR-106439.

• Demonstrated gualification testing to withstand environmental conditions within which the SSC is credited to 12erform its design function (e.g.,

tem12erature, humidity, seismic, and EMI/RFI susce12tibility) as well as not creating unacce12table EMI/RFI emissions.

Non-Safety Related Egui12ment:

• Adherence to generally acce12ted commercial guality standards .

-Documentation that egui12ment manufacturer s12ecifications meet or exceed a1212ro12riate critical characteristics (e.g., 012erating environment) to a level egual to, or better than, the egui12ment being re12laced.d1c1stifieatieA ffiF lJS8 ef iASlJStFy G9AS8ASlJS staAElaFEls ffiF eeaes aAEl staAElaFEls Aet eAElersea 13y Hie NRG.

• d1c1stifieatieA feF 1c1se ef etl=leF staAElaFEls .

• Yse ef A1313eAEli* B >;eAElers. If Aet aA A1313eAEli* B veAEleF, tl=le aAalysis eaA state wl=liel=l §SAeFally aeee13tea iAEl1c1stFial ei1c1ality (3F9§Fam was a1313liea.

• Yse ef Gemmernial GFaae QeaieatieA 13Feeesses 13eF §1c1iElaAee ef ePRI +R Hle4d9, AFIAe* g ef leee + 4.d.~, aAEl 8*8FH(31es wilJliA ePRI +R HlndG.

• QemeAstFatea ea13al3ility (e.§., tl=lFelcl§A ei1c1alifleatieA testiA§) te witl=lstaAEl eA>liF9AFH8Atal GeAElitieAS witAiA WAiGA tl=le SSG is GFeElitea te (38FffiFFH its Elesi§A f1c1AGtieA (e.§., eMl,lRi;I, Seismie).

• Qevele13meAt 13meess Fi§eF (aal=lernAeo te §SAernlly aeee13tea eemmernial eF AlclGleaF staAElaFEls.)

• QemeAstratea Ele13eAElal3ility ef e1c1stem seffwaFe eeae feF a1313lieatieA seftwaFe tl=lFelcl§A e*eAsive e11al1c1atieA eF testiA§.

Operating Experience

• Wide range of operating experience in similar applications, operating environments, duty cycles, loading, comparable configurations, etc., to that of the proposed modification.

• History of lessons learned from field experience addressed in the design .

• Relevant operating experience: Architecture of the referenced equipment and software (operating system and application) along with the design conditions and modes of operation of the equipment should be s1c113staAtially similar to tl=lese ef tl=le systeRl 13eiA§ proposed_

egui12ment. as a Eli§ital l&G meaifleatieA. ~i§A vel1c1Rle 13ma1c1etieA 1c1sa§e iA EliffernAt a1313lieatieAs ~Jete tl=lat ffor software, the concern is centered on lower volume, custom, or user-configurable software applications. High volume, high quality commercial products with relevant operating experience 12rovides a greater 01212ortunity for identifying latent1c1sea iA etl=leF a1313lieatieAs !=lave tl=le 13eteAtial te aveia.

design errors that can be corrected by the manufacturer.

• Experience werkiA§ with the software development tools used to create configuration files.

3.2 Qualitative Assessment Documentation The U.S. Nuclear Regulatory Commission endorsed guidance for documenting 10 CFR 50.59

Draft RIS 2002-22 Supplement 1, Attachment Page 10 of 15 evaluations to meet the requirements of 10 CFR 50.59 (d) is provided in both NEI 96-07, Revision 1 in Section 5.0, "Documentation and Reporting" and NEI 01-01, Appendix B. Both of these documents reiterate the principles that documentation should include an" ... explanation providing adequate basis for the conclusion" so that a "knowledgeable reviewer could draw the same conclusion."

Considerations and conclusions reached while performing qualitative assessments supporting the evaluation criteria of 10 CFR 50.59, are subject to the aforementioned principles. In order for a knowledgeable reviewer to draw the same conclusion regarding qualitative assessments, details of the considerations made, and their separate and aggregate effect on any qualitative assessments need to be included or clearly referenced in the 10 CFR 50.59 evaluation review documentation.

References to other documents should include the document name and location of the information within any referenced document.

If qualitative assessment categories are used, each category would be discussed in the documentation including positive and negative aspects considered, consistent with the examples provided in Table 1. In addition, a discussion of the degree to which each of the categories was relied on to reach the qualitative assessment conclusion would be documented.

4. Engineering Evaluations 4.1 Overview This section describes approaches that could be used for conducting and documenting engineering evaluations. completed in accordance with the licensee's ~IRG approved quality assurance program.

The term "engineering evaluation" refers to evaluations performed in designing digital l&G modifications. These evaluations are performed under the licensee's NRG approved quality assurance program. These engineering evaluations may include, but are not limited to discussion of compliance with regulatory requirements and conformity to the UFS/\R, regulatory guidance, and design standards.

In addition, these engineering evaluations may include discussions of: a) the performance of deterministic failure analyses, including analysis of the effects of digital l&G failures at the component level, system level, and plant level; b) the evaluation of defense in depth; and c) the evaluation of the proposed modification f-Or its overall "dependability." The qualitatiiJe assessment framework discussed in the previous sections of this attachment may rely, in part, on the technical bases and conclusions documented within these engineering evaluations.

Thus, improved performance and documentation of engineering evaluations can enable better qualitative assessments.

One result of performing these evaluations is to provide insights as to whether a proposed digital l&G design modification may need to be enhanced with the inclusion of different or additional design attributes. Such different or additional design attributes 1A1ould serve to prevent the occurrenoe of a possible GGF or reduce the potential for a software GGF to cause a loss of design funotion.

These approaches are proi.*ided f-Or oonsideration only. They do not represent NRG requirements and may be used at the discretion of lioensees.

4.2 Selected Design Considerations During the design prooess, it is important to consider both the positive effoots of installing the digital

Draft RIS 2002-22 Supplement 1, Attachment Page 11 of 15 equipment (e.g., elimination of single point vulnerabilities (SPVs), ability to perform signal validation, diagnostis sapabilities) with the potential negative effests (e.g., software CCF).

Digital l&C modifisations can reduce SSC independence. Reduction in independence of design funotions from that desoribed in the USFAR would require prior NRG approval.

4.2.1 Digital Communisations Careful oonsideration of digital oommunioations is needed to preolude adverse effeots on SSC independonoe. Dl&C ISG 04, Revision 1, "Highly Integrated Control Rooms Communioations Issues" (Agenoywide Doouments Assess and Management System Asoession Number ML083310185) provides guidanoo for NRG staff reviewing digital communioations. This ISG desoribes oonsiderations for the design of communications between redundant SSCs, echelons of defense in depth 3-or SSCs with different safety olassifications. The prinoiples of this ISG or other technioally justifiable oonsiderations, may be used to assess non safety related SSCs.

4.2.2 Combining Design Functions Combining design funstions of different safety related or non safety related SSCs in a manner not previously evaluated or described in the UFSAR oould introduse new interdependencies and interactions that make it more diffioult to assount for new potential failure modes. Failure of sombined design funotions that: 1) oan oftest malfunctions of SSCs or aooidents evaluated in the UFSAR; or 2) involve different defense in depth eohelons; are of signifisant oonoern.

Combining previously separate component functions oan result in more dependable system performance due to the tightly soupled nature of the components and a reduotion in somplexity. If a lioensee proposes to combine previously separate design funotions in a safety related andJor non safety related digital l&C modifioation, possible new failures need to be sarefully weighed with respest to the benefits of oombining the previous separately oontrolled funotions. Failure analyses and oontrol system segmentation analyses can help identify potential issues. Segmentation analyses are partioularly helpful for the evaluation of the design of non safety related distributed networks.

4.3 Failure Analyses Failure analysis oan be used to identify possible CCFs in order to assess the need to further modify the design. In some cases, potential failures maybe exsluded from oonsideration if the failure has been determined to be implausible as a result of tasters suoh as design features/attributes, and prooedures. Modifications that employ design attributes and features, such as internal diversity, help to minimize the potential for CCFs. Sources of CCF, oould inolude the introduotion of identioal sofuYare into redundant channels, the use of shared resources; or the use of oommon hardware and software among systems performing different design funotions. Therefore, it is essential that sush souroes of CCF be identified, to the extent practioable, and addressed during the design stage as one aooeptable method to support the teohnioal basis fer tho proposed modifioation.

Digital designs having sources of CCF that sould attest more than one SSC need to be closely reviewed to ensure that an aooident of a different type from those previously evaluated in the UFSAR has not been sreated. This is partisularly the ease when sush oommon sourses of CCF also are subjeot to common triggers. For example, the interface of the modified SSCs with other 0

As states iR ~lei Q1 Q1, SeotioR a.2, "A ftJRElameRtal GORGe13t iR the roQUlatory reE1UiremeRts aREI 8J(i38GlatioRS fer iRstrnmeRtatioR aREI soRtrol systems iR Rusi ear 13ower 13laRts is the use ef four esheloRs of ElefeRse iR Ele13th: 1) CoRtrsl Systems; 2) Reastor Tri13 System (RTS) am:l l'J1tisi13ateEI TraRsieRt without SCRA'.4 (AT'JI/S); 3) leR§iReereEI Safety Features AotualieR System (ES FAS); aREI 4)

MonitoriR§ aREI iRElisalioRs."

Draft RIS 2002-22 Supplement 1, Attachment Page 12 of 15 SSCs using identioal hardware and software, power supplies, human maohine interfaoes, needs to be olosely reviewed to ensure that possible oommon triggers have been addressed.

A software CCF may be assessed using best estimate methods and realistio assumptions.

Unless already inoorporated into the lioensee's UFSAR, "best estimate" methods oannot be used for evaluating different results than those previously evaluated in the UFSAR 4.4 Defense in Depth Analyses

[}.!El 01 01 desoribes the need for defense in depth analysis as liITTited te substantial digital replaoeITTents of reactor proteotion systeffi and ES FAS. A defense in depth analysis for ooITTplex digital Ff\odifioations of systems other than proteotion systeffis may also reveal the iITTpaot of any new potential CCFs due to the introduotion of shared resouroes, ooITTmon hardv,r.are and software, or the oombination of design funotions of systems that were previously oonsidered to be independent of one another. Additionally, defense in depth analysis may reveal direot or indireot impaots on interfaoes with existing plant SSCs. This typo of analysis may show that existing SSCs and/or prooedures oould serve to mitigate effeots of possible CCFs introduoed through the proposed modifioation.

4.li Dependability E'.'aluation Seotion 5.3.1 of NEI 01 01 states that a digital system that is suffioiently dependable will have a likelihood of failure that is suffioiently low. This seotion desoribes oonsiderations that oan be used to .

determine whether a digital system is "suffioiently dependable."

The dependability evaluation relies on some degree of engineering judgment to support a oonolusion that the digital modifioation is oonsidered to be "suffioiently dependable." When performing a dependability evaluation, one aooeptable method is to oonsider: (1) inolusion of any deterministioally applied defensive design features and attributes; (2) oonformanoe with applioable standards regarding quality of the design prooess for software and hardware; and (3) relevant operating experienoo. Although not stated in NEI 01 01, judgments regarding the quality of the design prooess and operating experienoe may supplement, but not replaoe the inolusion of design features and attributes.

For proposed designs that are more oomplex or more risk signifioant, the inolusion of design features and attributes that: serve to prevent CCF, signifioantly reduoe the possible ooourrenoe of software CCF, or signifioantly limit the oonsequenoes of suoh software CCF, should be key oonsiderations for supporting a "sufficiently dependable" determination. Design features maximizing reliable system performanoe, to the extent praotioable, oan also be oritioal in establishing a basis for the dependability of eomplex or risl{ signifioant designs.

Seotion 5.1.3 of NEI 01 01 states that ***Judgments regarding dependability, likelihood of failures, and signifioanoe of identified potential failures should be dooumented .... " Depending on the SSCs being modified and the eomplexity of the proposed modifieation, it may be ehallenging to demonstrate "suffioient dependability" based solely upon the quality of the design prooess and/or

Draft RIS 2002-22 Supplement 1, Attachment Page 13 of 15 operating history. Engineering judgments regarding the quality of the design process and operating experience may supplement, but not replace the inclusion of design features and attributes when considering complex modifications.

Figure 1 of this attachment provides a simplified illustration of the engineering evaluations process described in Section 4 of this attachment.

4.6 Engineering Documentation Documentation for a proposed digital l&C modification is developed and retained in aceordance with the lieensee's design engineering proeedures, and the NRG approved QA program. The doeumentation of an engineering evaluation identifies the possible failures introdueed in the design and the effeets of these failures. It also identifies the design features and/or procedures that doeument resolutions to identified failures, as deseribed in ~IEI 01 01, Seetion 5.1.4. The level of detail used may be commensurate with the safety significanee and eomplexity of the modifieation in aeeordanee with lieensee's proeedures .

. Although not required, lieensees may use Table 2 of this attaehment to document qualitative assessment. Doeumentation should inelude an explan9tion providing adequate bases for eonelusions so that a lmowledgeable reviewer could draw the same eonclusion.

Draft RIS 2002-22 Supplement 1, Attachment Page 14 of 15 Fjgure 1- EXAMPLE.ENGINEERING EVALUATION PROCESS Initial Conditions:

START The licensee is performing a modification to an SSC(s that would incor orate di ital technol Design Change Package.and Supporting Information TECHNICAL DESIGN QUALITY OF DESIGN OPERATING INFORMATION PROCESS EXPERIENCE PERFORM ENGINEERING EVALUATIONS (AS NEEDED)

Failure Analysis / FMEA Defense-in-Depth Other types of analyses Documentation Perform

'Dependability Evaluation YES NO Exit design process_9r

.consider other options Apply to (e.g. License 50.59 !:!*valuation criteria Amendment) as needed Note: This example presumes the proposed modification has D Completed as part or technical design-process

'screened in' for an evaluation under 10 CFR 50.59 D Completed as part or the 50.59 evaluation

Draft RIS 2002-22 Supplement 1, Attachment Page 2 of 4-G§.

Topioal Area Desoription Stej:)4- Desoribe the full extent of the SSCs to be modified ldentifioation boundaries of the design change, interconnections with other SSCs, and potential oommonality to vulnerabilities with existing equipment.

• What are all of the UFSAR dosoribod design functions of tho upgraded/modified components within the context of the plant system, subsystem, etc.?

• \/Vhat design funotion(s) provided by the previously installed equipment are affected and how will those design functions be aooomplished by the modified design? Also dosoribe any now design funotions that were not part of tho original design.

• 'Nhat assumptions and oonditions are expected for each associated design function? For example, the evaluation should consider both active and inactive states, as well as transitions from one mode of operation to another.

Stop 2 Identify Consider the possibility that the proposed modification may have potential failure introduood potential failures.

modes and

• Are there potential failure modes or undesirable behaviors as undesirable behavior a result of tho modification? A lrny consideration is that undesirable behaviors may not necessarily constitute an SSC failure, but a misoperation. (e.g., spurious actuation)

• Are failures including, but not limited to, hardware, software, combining of functions, shared resources, or common hardware/software considered?

• Are there interoonnoctions or intordopendonoies among tho modified SSC and other SSCs?

• Aro there souroes of CCF being introduced that are also subject to common triggering mechanisms with those of other SSCs not being modified?

• Aro potential failure modes introduoed by soft>Nare tools Step 3 Assess the effects of identified faHtlres.

-<--( Formatted: Indent: Left: O" Step 4 Identify V'lhat actions are being taken (or were taken) to address significant appropriate identified failures?

resolutions for oaoh identified failures Aro further aotions warranted?

Draft RIS 2002-22 Supplement 1, Attachment Page 3 of 4-0§.

• - - ... - -r - -"' .., .. *-"'

• ~ -*-*--* .. -AssessmeAt

-** - ,..- *********- ....*- - T~

- n . ***-

+e~isal Area DessFi~tieR Is Fe ElesigR waFFaRteEI te aEIEI aEIElitieRal ElesigR featlJFes eF attFil31cJtes'.?

'Is tl'le essllFFeRse ef failllFe self FevealiRg eF aFe tl'leFe FReaRs te aRRllRSiate tl'le failllF9 eF FRisl3el'lavieF te tl'le epeFateF'.?

Step e DessFil3e tl'le rnsellltieRs iEleRtifleEI iR Step 4 ef tl'lis tal31e tl'lat DesllmentatioR aEIEIFess U,e iEleRtifieEI failllFes.

DeseFil3e tl'le 69RffiFFR8RSe te FeglllateFy F9EjlliFeFReRts, plaRt's blFSAR, FeglllateFy glliElaRse, aREI iRElllStFy 69RSeRSllS staRElaFEIS (e.g., seisFRiS, eM IIRFI, aFRl3ieRt teFRpeFatllFe, l'leat seRtFil3lltieR).

DessFil3e tl'le Ejllality ef tl'le ElesigR pFesesses lJSeEI witi'liR tl'le seftwaFe life sysle ElevelepFReRt (e.g., veFifisatieR aREI valiElatieR prnsess, tmseal3ility FRatFix, Ejllality assllmRse EleslJFReRtatien, llRit test aREI systeFR test Feslllts).

DessFil3e FelevaRt epeFating RiSt9FY (e.g., platfeFFR lJSeEI iR RlJFReFelJS applisatieRs *.veFIElwiEle witl'l FRiRiFRal J:ailllFe l'listeFJ<).

DessFil3e tl'le ElesigR J:eatlJFestattFil3lltes tl'lat sllppeFt tl'le ElepeRElal3ility seRsllclsieR (e.g., iRteFRal ElesigR featllFes witRiR tl'le Eligital l&G aFGl'litestllFes SllSR as self Elia§Restis aREI self testiRg featllFes eF pl'lysisal FestFistieRs exteFRal te tl'le Eligital l&G peFtieRs ef tl'le FReElifieEI SSG), ElefeRse iR Eleptl'l (e.§., iRteFRal EliveFsity, FeElllRElaRsy, segFReRtatieR ef ElistFil3llteEI Retwmks, eF alteFRate FReaRs te asseFRplisl'l tl'le ElesigR flclRstieR).

SllFRFRaFize tl'le FeSlllts ef tl'le eRgiReeFiRg evalllatieR iRslllEliRg tl'le ElepeRElal3ility EleteFFRiRatien.

• - - -- J

Draft RIS 2002-22 Supplement 1, Attachment Page 4 of 4-G§_

DRAFT NRC REGULATORY ISSUE

SUMMARY

2002-22, .SUPPLEMENT 1, CLARIFICATION ON ENDORSEMENT OF NUCLEAR ENERGY INSTITUTE GUIDANCE IN DESIGNING DIGITAL UPGRADES IN INSTRUMENTATION AND CONTROL SYSTEMS DATE: Jl4sm1b xx 2018 OFFICE NRR/DIRS/IRGB/PM NRR/PMDA OE/EB OCIO NAME TGovan LHill JPeralta DCullison DATE 02/16/2018 01/18/2018 01/22/2018 01/17/2018 OFFICE NRR/DE/EICB/BC NRR/DIRS/IRGB/LA NRR/DIRS/IRGB/PM NRR/DIRS/IRGB/BC NAME MWaters ELee TGovan HChemoff DATE 03/01/2018 02/22/2018 03/01/2018 03/01/2018