ML18254A028

NEI Member Feedback Spreadsheet - DIC-ISG-06 R2 Public Mtg Material
Issue date: 09/11/2018
From: Joe Golla
NRC/NRR/DLP/PLPB
To:
Golla J, NRR/DLP, 415-1002


Text

NEI MEMBER COMMENTS TO DI&C-ISG-06 Revision 2 (ML18123A118)

Several comments recommend consolidating specific information that applies to both the Tiered Process and the AR process in sections The sections about the Tiered Process (C.1 and C.3.2.1) should only contain information that apply to both processes. about the Tiered Process. The sections about AR (C.2 and C.3.2.2) should only contain information about the AR process. Information that is common should be in C or C.3.2.

Various Various There are some paragraphs that repeat the same information in two places.

If the ISG draws a distinction between "compliance" and "conformance," please explain the distinction. In the second to last sentence of B.1.2, the word that is now compliance used to be conformance in an earlier version (4/12/2018, ML18101A514). In some other sections (e.g., D.2.5.2), compliance was changed to conformance, or (e.g., D.6) the term that was Various Various missing was added. Defining the distinction in the ISG will avoid confusion on the use of the two terms possibly resulting in the reader wondering what the difference is.

"Throughout this ISG, the criteria of Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 603-1991, IEEE Standard The way the sentence is structured could imply that IEEE Std 603-1991 is endorsed by RG Criteria for Safety Systems for Nuclear Power Generating Stations, and Regulatory Guide (RG) 1.152 Criteria for Use of Computers in 1.152.

Safety Systems of Nuclear Power Plants, that endorses IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Programmable 1 A Digital Devices in Safety Systems of Nuclear Power Generating Stations, as endorsed by Regulatory Guide (RG) 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, ....

Fourth paragraph, after bullets, insert with reasonable assurance after conclude in the second (last sentence) of the paragraph. Editorial.

1 A In the 5th paragraph, suggest: A review is not being performed throughout the ISG.

1 A Throughout this ISG, criteria are used to perform are invoked for performing the review Change "When a license amendment is submitted, under 10 CFR 50.90 licensees must fully describe the changes desired." to "When a In the first paragraph, the comma after "submitted" should be moved to be after "50.90" 2 B.1 license amendment is submitted under 10 CFR 50.90, licensees must fully describe the changes desired." for clarity. We believe the submission is under 50.90.

Replace "The design information submitted to the NRC for review should have passed the licensees design verification process prior to It is not clear what is expected for the last sentence in the first paragraph if the topical its submission." with "If the information submitted to the NRC for review is being provided by a licensee, the licensee should have report (which is still supported in this ISG) is not being submitted by a licensee.

passed the licensees design control process prior to submission."

3 B.1.2 Suggest using "design control", not "design verification". "Verifying the adequacy of design" is described under Criterion III, Design Control.

This statement needs clarification: Whereas it is understood that technical content of documents will be unique for each Actual document submittals are expected to be unique for each DI&C project. DI&C project (RPS vs. Turbine Controls vs. Core Temperature Monitoring, etc.), from NRC regulatory oversight perspective the expectation should be set for the minimally 3 B.1.2 acceptable documentation/information regardless of application. The difference is level of rigor of the review based on previous staff decisions and familiarity of the technology and application being reviewed/assessed.

Either delete or rewrite the last paragraph in Section B.1.3. The paragraph is misleading in that the NRC staff reviewing the design for conformance with industry standards (as endorsed by NRC guidance, including changes and exceptions) 4 B.1.3 does not necessarily determine if the plant proposed licensing basis criteria are met.

4 B.1.4 Suggest reversing the order of the two paragraphs. The general statement should appear first, followed by a particular example.

In the last sentence of the 1st paragraph, suggest: The revision is believed to capture the intent more clearly.

4 B.2 This revision also introduces an Alternate Review Process that can lead to an earlier safety determination (i.e., before ).

Change "design, implementation, or testing" to "design, implementation, and testing" In the last sentence of the paragraph, the desire is to have a decision prior to design, 4 B.2 implementation, AND testing is completed, rather than just one or two of the items in the list.

In the 6th paragraph, there is an extra space between "when" and "the." Grammar.

6 C " that may be used when the NRC staff decides "

Recommend revising the statements, However, approval of a digital system or component at one plant does not necessarily serve as Each LAR evaluation report is essentially a regulatory position approved by the the basis for approving the same system or component at another plant. Each LAR is a plant-specific licensing action. with "Each LAR Commission. Even though specific technical bases may be different among 6 C is a plant-specific licensing action that can benefit from experience gained during review of an approved digital system or component Licensees/plants, each LAR is a precedent-setting regulatory decision (or decisions) by the from a prior LAR. staff that each Licensee uses for its own LAR submittals to, for example, gauge level of effort, risk, etc.

For Application of the Alternate Review Process is predicated upon the licensee using a, acceptability of the DI&C platform previously First paragraph is somewhat confusing. If the AR Process is allowable only when a approved is based on the tiered review process (see Section C.1) as documented in the safety evaluation report for the applicable previously approved DI&C platform is used as the basis of the LAR, then recommend 7 C topical report. Acceptability of the LAR-specific system-level application of the DI&C platform is based on the following: revising first paragraph.

Rephrase the sentence to read: "In Enclosure B, Column AR (for Alternate Review Process) may be used if the NRC staff decision on the In the paragraph starting: "In Enclosure B, Column AR (for Alternate Review Process) may LAR is to be completed before detailed design, implementation, and/or testing completes." be used if the NRC staff decision of whether to issue or deny the license amendment is to be completed before detailed design, implementation, and/or testing." After edits, it 7 C almost sounds as if the NRC would expect the licensee to continue "detailed design, implementation, and/or testing" after the LAR is denied.

Replace "application system development" with "development of the system and the application software" in the first sentence. In the paragraph starting: "For both the Tier 1, 2, and 3 Review Process, and the Alternate Replace "application system development processes" with "processes for system and application software development." Review Process, the staff reviews information related to the application system development. For the Alternate Review Process, Section D.4 focuses on the application system development processes, since the NRC staff decides whether to issue or deny the 7 C license amendment before system development is completed..." The phrase "application system development" is unclear. Several suggestions are made to make both uses of this phrase more understandable to the industry.

In the 1st sentence under the heading Tier 2, suggest: It is possible that deviations are not application-specific. For example, it is possible that a "Tier 2 applies to license amendments proposing to reference an NRC-approved topical report (on a DI&C platform or component(s) change is made based on experience and could be included in multiple applications. Or, as 9 C.1 including hardware, software, and developmental tools) with deviations to suit the specific application. the next sentence explains, the deviation may be due to a revised software development process, which is not likely to be application-specific.

In the 1st paragraph, suggest: More clear description.

"Because DI&C modifications represent a significant licensee resource commitment, an In addition to the Tier 1, 2, and 3 Review 9 C.2 Process, an alternate approach is provided. The alternate process can lead to for review and approval at an earlier stage in the overall system life cycle."


The Whereas the Tier 1, 2, and 3 Review Process includes NRC evaluation of software design, implementation, and testing, the Or delete the second sentence entirely, since it does not add to the discussion of the AR 9 C.2 Alternate Review process is a single-step process for licensee use contingent upon satisfying prerequisites. Process.

Delete the parenthetical reference to Section C.2.1. The last sentence in the last paragraph references Section C.2.1, which follows 9 C.2 immediately.

The licensee recognizes that there is a licensee One significant risk to the licensee from using the single-step AR process that should be The last two sentences in the second paragraph, starting with The licensee recognizes, recognized is that the system design submitted and approved by NRC may have implementation challenges that necessitate a may not effectively communicate the point about the risk associated with the AR Process.

modification design change. The modification Depending upon the scope/impact of the design change, it could require NRC review and 10 C.2 approval of a subsequent LAR, or could be completed without NRC approval through the 10 CFR 50.59 process, which is subject to NRC (Note: The last paragraph of Section C.3.3 may be a better place to discuss this issue, since inspection. 10 CFR 50.59 is mentioned at the end of Section C.3.3.)

Consolidate the 2nd and 4th paragraph statements regarding pre-submittal meetings. The 2nd and 4th paragraph makes similar statements:

2nd paragraph: As in the process described in Section C.1 above, the NRC staff encourages the use of public meetings before submittal of the LAR to discuss issues regarding system development.

10 C.2 4th paragraph: The NRC staff encourages the use of pre-application coordination meetings before submittal of the LAR to discuss issues regarding the system development.

In the last paragraph, suggest consolidating the two lists, both of which are numbered (1) through (3) and describe license conditions 1. It is confusing to have two lists that seem to have the same purpose. This will cause (see previous comments on license conditions). Also, the paragraph is ambiguous. Please re-write to reflect intended meaning. ambiguity if some report refers to Item (1), (2), or (3) in ISG-6 Section C.2. As written, the criteria are not clear.

2. How does "such" specifically narrow the set of conditions? Is it all of the potential conditions that meet the first list of 3 conditions?

10 C.2 Also, the "or" after condition #2 (in the second list) means that license conditions should satisfy any one of the three conditions, but it does not seem possible this is intended. It would mean, for example, an acceptable license condition is open ended as long as it does not address voluntary requests. It seems like "not" should appear at the beginning of condition (3)?

Suggest referring to the NRC regulatory guide (1.28) and let the latest version of NQA-1 be applicable (remove the reference to the Avoids having to update a document when a revision changes.

11 C.2.1 2015 NQA 1 edition) 12 C.2.1 First sentence at top of page, change Sections to Section. Editorial.

3b. The LAR should include appropriate regulatory commitments to complete life cycle activities under the licensees QA program (see Clarify that regulatory commitments to complete life cycle activities is applicable to the AR Section C.2.2 Licensee Prerequisites for the Alternate Review Process). Note that these activities would be included in a Tier 1, 2, and 3 process.

13 C.2.2 licensing review, but are not covered in the Alternate Review Process because they would take place after the NRC staff decides whether to issue or deny the license amendment.

Ensure that mention of "Phase 0" points to the Pre-Application Coordination Meeting, and then remove "Phase 0" from the document. Industry interpretation is that Enclosure B is just a suggested list.

13 C.3.1 Else, ensure that it is clear that the Pre-Application Coordination Meetings apply to the AR process (which never mentions Phase 0) as well as the Tier 1/2/3 process.


Replace the entire sentence with "the appropriate review process is selected: Tier 1, Tier 2, Tier 3, or Alternate Review Process. (See The sentence does not provide clarity, especially in the doubled selection of the tier 13 C.3.1.a Sections C.1 and C.2) process. Clarity should be enhanced.

13 C.3.1 In item (f), suggest "definition of" instead of "defining." Maintain parallelism with the rest of the list.

Please add the missing comma after "Implementation" and before "and testing activities" In the paragraph starting "These discussions should also address the level of licensee 14 C.3.1 involvement" there is inconsistent use of the so-called Oxford comma.

14 C.3.1 Last paragraph on page - end of third sentence - delete "is applicable" for the proposed modification grammatical error - appears to be holdover from previous revision In the 2nd sentence of the 3rd paragraph, suggest "enables" instead of "ensures." Holding a discussion does not ensure the licensee will do something in particular.

14 C.3.1 "Having this discussion before a LAR is prepared ensures enables that the licensee takes into account "

Suggest moving the 2nd paragraph (about making documents available) and the 6th paragraph (about communication) to Section C.3.2. The content of these paragraphs seem applicable to both Tiered approach and the AR, so 15 C.3.2.1.1 it should be moved to a section that discusses both.

Suggest deleting the 5th paragraph (about sequence of submittals). The paragraph is superfluous because the next paragraph is about maintaining close communication, including communication about due dates and schedule. The topic of 15 C.3.2.1.1 sequence will be addressed when "the NRC and the licensee communicate closely."

All information information required to support the completion of the required audits, RAI responses, and Safety Evaluation must be submitted Using "All" with the context of what is necessary makes a more precise statement.

16 C.3.2.1.2 before the safety evaluation can be completed Suggest deleting the last paragraph (about audits). The subject is already covered in C.3.2 (2nd paragraph). If additional detail from C.3.2.1.1 is deemed important, it can be moved to C.3.2. Only what is unique to Tiered Process 16 C.3.2.1.1 should be retained in C.3.2.1.1. Also, note that the same text appears in C.3.2.2 (about AR). It should only appear once.

In the 1st paragraph, suggest: As the sentence was originally worded, it meant the NRC responds to RAI's and then "After The licensee should submit the supplement after responding to the Phase 1 RAIs, and with sufficient lead time to support the verifies the licensee submits a supplement.

16 C.3.2.1.2 requested approval date. , the staff should verify that the licensee has submitted a supplement containing The supplement should contain sufficient information to address aspects of the review areas not submitted in the initial LAR or subsequent responses to RAIs (see Enclosure B for information to be submitted before the requested approval date).

16 C.3.2.1.2 Near the end of the 2nd sentence of the 6th paragraph, "requlatory" should be "regulatory." Editorial.

Suggest moving the 2nd paragraph (about making documents available) and the 3rd paragraph (about communication) to Section C.3.2. The content of these paragraphs applies to both Tiered approach and AR, so it should be 17 C.3.2.2 moved to a section that discusses both.

Suggest deleting the 2nd paragraph. Why is it necessary for NRC QA and vendor inspection staff to review the same thing? Also If the paragraph is retained, please clarify what is meant by "its"? inspections and audits are covered elsewhere in the ISG.

Concerning the word "its," it seems the intended antecedent is the equipment or the 18 C.3.3 software, not activities.

Most importantly, this paragraph re-introduces schedule uncertainty that the AR process is intended to remedy.

When multiple lettered lists appear under the same heading, consider reorganizing so only one list appears within a subsection, or This could be confusing and ambiguous. For example, a reference to D.2.3.1 Item a would Various D.2 change the letters to bullets. be ambiguous.

Item c - first line - How the design prevents software failures from affecting the watchdog timer timing and timeout. Should read how It is my understanding and experience that software and independent hardware watchdog the design utilizes watchdog timers to detect and alarm software failures.. timers are intended to detect and alarm software failures or lock-up - the design should 22 D.2.2.1 not prevent watchdog time out in response to a software failure.


Replace the phrase "indication of bypasses" with "bypass indication" (multiple places). Throughout the document, "indication of bypasses" is used as a phrase. It is inconsistent with standards and RG usage. The document should be internally consistent. If standard terminology (bypass indications) is replaced in one spot, the NRC reviewer or industry 23 D.2.2.1 author may ask What is the reason for that change? What am I missing? Is there a difference? If so, what?. It is preferred to keep the industry standard Bypass Indication /

Status Indication terminology of RG 1.47 and IEEE Std. 603.

For clarity, change the sentence to read: "The reviewer should evaluate whether the LAR justifies changes (including modifications, In the paragraph starting: "The reviewer should evaluate whether the LAR justifies additions, and deletions) and demonstrates that the changes do not adversely affect plant safety for each of the following:". changes, including modifications, additions, and deletions, and demonstrates that the 23 D.2.2.2 Alternatively, change the sentence to read: "The reviewer should evaluate whether the LAR justifies changes and demonstrates that the changes do not adversely affect plant safety" it is not clear where the items to be changes do not adversely affect plant safety, where changes modifications, additions, and deletions, for each of the following:" included break and actions to be demonstrated begin.

In 9th paragraph, suggest: The SyRS should state the requirement, not the specific measures.

27 D.2.3.3.1 "The SyRS should specify boundaries and interfaces with other systems, including isolation requirements measures."

Change the item to read: "i. whether the defined use of the hardwired interfaces is consistent with the previous In item: "i. whether the defined use of the hardwired interfaces is consistent with the 32 D.2.5.2 system and with any changes, including the rationale for the changes" previous system and with any changes and the rationale for the changes" there are too many "and" 37 D.2.6.2.5 Correct typo: more heavily on engineering judgment that than the other Grammar.

All but the first and last sentences in the paragraph should be deleted. The paragraph should thus consist of: "The NRC staff should In the paragraph starting "The NRC staff should evaluate the various test plans to ensure evaluate the various test plans to ensure that the plans are rigorous enough to support the conclusion that the environment should not that the plans are rigorous enough to support the conclusion that the environment should have a negative effect on the ability of the system to perform its safety function in the worst case environment in which it needs to not have a negative effect on the ability of the system to perform its safety function in the operate. The NRC staff should evaluate the comparison that shows that the equipment qualification envelopes the worst case plant worst case environment in which it needs to operate.. " the edit re-introduces an issue conditions for each environmental stressor at each plant location where the equipment is proposed to be installed." that did not exist in the ACRS version. The ISG does not need to paraphrase from the RG 40 D.3.2 Position C 1, 2, and 4 (as well as 5 in the harsh environment) and IEEE standard Clauses 6.2.1.1, 6.2.1.2, and 6.3.1 (and subclauses, next paragraph on test planning) here. There was a concerted effort to remove such paraphrased material, which has been restored here.

The sentence should be replaced with "The NRC staff should review the licensee's vendor- and system-specific vulnerability assessment The paragraph beginning "The NRC staff should review the vulnerability assessment and verify that the assessment identifies those vulnerabilities that could affect the secure development and reliable and secure description and verify that the licensee has performed a vulnerability assessment operation of the digital safety system." identifying the vulnerabilities that could affect the secure development and reliable and secure operation of the digital safety system." The first part of the sentence requires a 58 D.8.2 vulnerability assessment, the second part of the sentence requires ensuring that a vulnerability assessment was performed, and the third part requires evaluation of the vulnerabilities. This is confusing and needs to be simplified.

Change the sentence to: "Although some CM activities are performed by the vendor(s), ownership of the plant configuration, licensing In the last sentence of the paragraph: "Although some CM activities are performed by the basis, system design, plant modification, and system acceptance rests with the licensee. The licensee is responsible for oversight and vendor(s), ownership of the system design modification and oversight of vendor activities 61 D.9.5.1 acceptance of vendor activities that affects all configuration items." rests with the licensee" Many of the non-software CM responsibilities are not provided here, and the sentence structure is awkward.


Please change the title from "Qualification of Commercial Computers" to "Commercial Grade Dedication of Digital Equipment" which is While the version of IEEE Std. 7-4.3.2 referenced does restrict itself to "commercial what is of interest. Qualification is provided in a separate section (D.3). computers", this ISG has been applied to several systems that do not contain "computers" 63 D.9.9 per se. We have an opportunity to address one point of contention in this document.

C.3.2.1.1 & Can a hearing be required in the AR process? If so, the text from the Tier 1/2/3 process should be copied to the AR process section. There are elements in the added text in C.3.2.1.1 that also have bearing on C.3.2.2, as well 15 & 17 C.3.2.2 as items in C.3.2.2 that should have been covered in C.3.2.1.1.

C.3.2.1.1 & The AR process has the note concerning not copying or printing "share site" documents, which also applies to the Tier 1/2/3 process. There are elements in the added text in C.3.2.1.1 that also have bearing on C.3.2.2, as well 15 & 17 C.3.2.2 Please copy the sentence to the Tier 1/2/3 section. as items in C.3.2.2 that should have been covered in C.3.2.1.1.

Industry assumes the Open Item list text from the AR process should also be added to the Tier 1/2/3 process. Please copy the AR text to There are elements in the added text in C.3.2.1.1 that also have bearing on C.3.2.2, as well C.3.2.1.1 &

15 & 17 the appropriate location in the Tier 1/2/3 process text. In addition, edit and modify the text to ensure that the RAI process for Tier as items in C.3.2.2 that should have been covered in C.3.2.1.1.

C.3.2.2 1/2/3 and for AR are similar.

All but the first sentence in the paragraph should be deleted. The resulting paragraph needs to say no more than: "For digital systems In the paragraph starting "For digital systems located in mild environments, Regulatory located in mild environments, Regulatory Position 1 in RG 1.209 states that the NRC does not consider the age conditioning in IEEE Std Position 1 in RG 1.209 states that the NRC does not consider the age conditioning in IEEE 323, Section 6.2.1.2, to apply. " Std 323, Section 6.2.1.2, to apply because of the absence of significant aging mechanisms.

" the edit re-introduces an issue that did not exist in the ACRS version. The ISG does not 39-40 D.3.2 need to paraphrase from the RG Position C 1, 2, and 4 (as well as 5 in the harsh environment) and IEEE standard Clauses 6.2.1.1, 6.2.1.2, and 6.3.1 (and subclauses, next paragraph on test planning) here. There was a concerted effort to remove such paraphrased material, which has been restored here.

59 D.9.1.1 Add title to RG 1.172 Format should be consistent throughout the document.

Move "Phase 2" in the table on page 2 to the same location as "Phase 1" in the table on page 1, making the title "Submitted before The titles of the tables on pages 1 and 2 should follow similar structure. Phase 1 is 2 Enclosure B Requested Approval (Phase 2 for Tier 1, Tier 2, Tier 3 only)" embedded in the parenthetical expression on page 1. Phase 2 is the opening of the title on page 2.

2 Enclosure B 2.3 "Summary Test Reports (Including Test Results up to and including FAT) To make clear FAT is included for summary reports.
