ML19196A292

NEI Comments on Draft Regulatory Guide (DG), DG-1356, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, 84 Fed. Reg. 25077; Docket ID NRC-2019-0086
ML19196A292
Person / Time
Site: Nuclear Energy Institute, 99902028
Issue date: 07/15/2019
From: Geier S
Nuclear Energy Institute
To: Philip McKenna
Document Control Desk, Office of Nuclear Reactor Regulation
References
NRC-2019-0086


Text

STEPHEN E. GEIER
Sr. Director, Engineering and Risk
1201 F Street, NW, Suite 1100
Washington, DC 20004
P: 202.739.8111
seg@nei.org
nei.org

July 15, 2019

Mr. Philip McKenna
Division of Inspection and Regional Support
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject: NEI Comments on draft regulatory guide (DG), DG-1356, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, 84 Fed. Reg. 25077; Docket ID NRC-2019-0086

Project Number: 689

Dear Mr. McKenna:

The Nuclear Energy Institute (NEI)[1], on behalf of its members, submits the following comments on DG-1356, proposed revision 2 of Regulatory Guide (RG) 1.187, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments as requested in the subject Federal Register Notice. With significant exceptions and clarifications, DG-1356 endorses NEI 96-07, Appendix D, Revision 0, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18338A389). NEI submitted Revision 0 of NEI 96-07, Appendix D to the Nuclear Regulatory Commission (NRC) on November 30, 2018, following a series of public meetings and correspondence to address unique challenges pertaining to the application of the Title 10 of the Code of Federal Regulations (10 CFR) 50.59 regulatory change process to digital technology implementation. NRC's December 20, 2018 letter (ADAMS Accession No. ML18340A124) to NEI summarizes these extensive interactions.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

When NEI submitted Appendix D and NRC entered the Regulatory Guide endorsement process, the only areas of dispute involved 10 CFR 50.59(c)(2)(vi) or criterion 6. Criterion 6 requires a license amendment for any proposed change that would "Create a possibility for a malfunction of an SSC [system, structure and component] important to safety with a different result than any previously evaluated in the final safety analysis report (as updated)." Supplemental guidance on this criterion is contained in Section 4.3.6 of NEI 96-07, Appendix D. In terms of page length, Section 4.3.6 represents more than one-third of the guidance provided in NEI 96-07, Appendix D. In substance, Section 4.3.6 represents far more as criterion 6 is one of the most challenging areas for licensees applying 10 CFR 50.59 to digital modifications. DG-1356, Section C.2.e addresses NRC staff exceptions to portions of Section 4.3.6 of NEI 96-07, Appendix D. We believe these overly broad exceptions to Section 4.3.6 are unnecessary, confusing, and contrary to the NRC's Reliability principle of good regulation. We appreciated the opportunity to gain clarity on the exceptions in the June 25, 2019 public meeting on NEI 96-07, Appendix D, as Endorsed by Draft Regulatory Guide 1.187, Revision 2. Based on the outcome of that public meeting, it was apparent that the NRC and NEI approaches often come to the same conclusion (although the rationale for NRC's approach is not clearly set forth in DG-1356).

Our comments on DG-1356, Section C.2.e, below, are provided to demonstrate that the NRC staff's proposed exceptions will create confusion for the use of NEI 96-07, Appendix D. Included in our comments are additional examples that we propose to add to NEI 96-07, Appendix D to provide the clarity sought by the staff and that should enable the removal of the exceptions.

Comments on Section C.2.e

In DG-1356, Section C.2.e, The NRC staff takes exception to the application of the term safety analysis to the criterion in section 10 CFR 50.59(c)(2)(vi) in lieu of the term FSAR (as updated) throughout NEI 96-07, Appendix D, Section 4.3.6. Section C.2.e further states, The NRC staff's position is that where the criteria in 10 CFR 50.59 uses the term previously evaluated in the final safety analysis report, it means the whole FSAR (as updated). Therefore, when applying the guidance in Appendix D, licenses should not limit their examination of the FSAR (as updated) to particular sections.

The guidance proposed in NEI 96-07, Appendix D, Section 4.3.6, specifically the six step process for cases in which the qualitative assessment outcome is a failure likelihood of not sufficiently low, begins with identification of all functions that are directly or indirectly related to the proposed activity. Further, the guidance reiterates the expectation from NEI 96-07, Rev. 1 that all functions involved with the proposed activity are initially considered in the scope of review regardless of the level of direct description in the FSAR (as updated) or UFSAR. This is consistent with the NRC staff position that one must examine the whole FSAR (as updated).

However, because 10 CFR 50.59(c)(2)(vi) states, "Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated)," each of the involved functions must then be examined to determine which are design functions. That is, malfunction of an SSC important to safety has been defined in Definition 3.9 of NEI 96-07, Rev. 1 as the failure of SSCs to perform their intended design functions described in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B). From the discussion in NEI 96-07, Rev. 1, Definition 3.3, Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions. This discussion continues, providing the definition of design bases function from Appendix B to NEI 97-04 as endorsed by Regulatory Guide 1.186. The NRC has previously endorsed all these definitions and related discussions of design functions and design basis functions in NEI 96-07, Rev. 1 and NEI 97-04, Appendix B.

The definition of malfunction of an SSC important to safety and the focus on design functions are a direct reflection of the 1999 rulemaking on 10 CFR 50.59, which was promulgated to address the uneven application of the rule to licensees with UFSARs of varying level of detail. The associated design functions are described in licensees' UFSARs, and both NEI 96-07, Rev. 1 and Appendix D provide guidance to ensure that these design functions are properly treated. DG-1356 is silent on the regulatory foundation for malfunction of an SSC important to safety as there is no mention of NEI 96-07, Rev. 1 Sections 3.9 and 3.3, or RG 1.186.

With a malfunction of an SSC important to safety being the failure of SSCs to perform their intended design functions described in the UFSAR, it is clear that the result of the failure to perform a design function is the focus. Returning to the discussion in NEI 96-07, Rev. 1, Definition 3.3, the connection between design functions and design bases functions is described. NEI 96-07, Appendix D, Section 4.3.6, provides guidance on taking each design function through a process to determine the result of a failure to perform that design function.

NEI 96-07, Appendix D, Section 4.3.6 reasonably interprets the term different result in criterion 6 to mean different safety analysis result. While DG-1356 takes exception to this position, it points to no agency guidance offering a contrary interpretation, nor does it demonstrate that NEI's position is unreasonable or would result in any safety issues. On the other hand, NEI's proposal has the advantage of allowing licensees to use the endorsed definition in NEI 96-07, Rev. 1, Section 3.12 to identify safety analyses (and thus safety analysis results). Furthermore, if the term different result were not limited to an examination of the results in the safety analyses, it is unclear which other results licensees would need to examine to satisfy criterion 6. With the exception as stated in DG-1356, Section C.2.e, and without reasonable limits on which different results licensees should focus on, the NRC staff would be inviting the return of the uneven application of 10 CFR 50.59 that the 1999 amendment was intended to cure.

To the extent that DG-1356, Section C.2.e argues that NEI 96-07, Appendix D, Section 4.3.6 reads the phrase FSAR (as updated) out of criterion 6 and, instead, replaces that phrase with safety analysis, NEI disagrees. As previously explained, the focus on safety analysis within Section 4.3.6 is not based on the phrase FSAR (as updated), but rather is based on the phrase different result.

The question thus is where in the FSAR (as updated) are the results that were previously evaluated? Again, NEI submits that it is reasonable to interpret results as safety analysis results.

In accordance with Definition 3.12, Safety analyses are required to be presented in the UFSAR, and in alignment with the portion of 10 CFR 50.59(c)(2)(vi) that states, any previously evaluated in the final safety analysis report (as updated), NEI agrees that licensees must take a broad look at the UFSAR to identify any safety analyses that meet Definition 3.12. This examination is expressly not limited to specific sections of the UFSAR; instead, licensees must take a wide view to determine which analyses or evaluations demonstrate that acceptance criteria for the facility's capability to withstand or respond to postulated events are met. Accordingly, safety analyses meeting Definition 3.12 may be found in any section of the UFSAR.

The NEI 96-07, Appendix D, Section 4.3.6 focus on the safety analyses meeting Definition 3.12, wherever they may be found in the UFSAR, is consistent with other 10 CFR 50.59 evaluation criteria and the guidance in NEI 96-07, Rev. 1. For example, 10 CFR 50.59(c)(2)(iii) considers accident consequences previously evaluated in the final safety analysis report (as updated).

Notwithstanding an identical reference to the FSAR (as updated), it is well understood that this criterion is focused on safety analyses. Several 10 CFR 50.59 evaluation criteria utilize this logic with Definition 3.12 safety analyses as the focus and have done so since the 1999 rulemaking on 10 CFR 50.59. If the NRC staff proceeds with the exception as stated in DG-1356, Section C.2.e, it will reinstate the focus on the UFSAR wording rather than the various design functions and introduce inconsistent application among the 10 CFR 50.59 evaluation criteria.

Based on the NRC public meeting held on June 25, 2019, we agree that there are additional examples that could be included in NEI 96-07, Appendix D, Section 4.3.6 to illustrate cases that create a possibility for a malfunction of an SSC important to safety with a different result.

Attachment 1 provides proposed examples 4-23 and 4-24 based on the NRC's public meeting presentation examples of an emergency diesel generator voltage regulator control system and pressurizer power operated relief valves to control reactor coolant system pressure during low temperature operations. Incorporation of these examples in NEI 96-07, Appendix D, Section 4.3.6 as part of NRC's resolution of public comments should reassure NRC staff and licensees that the intent of the guidance appropriately captures the intent of 10 CFR 50.59(c)(2)(vi) consistent with NEI 96-07, Rev. 1.

Comments on other portions of DG-1356

Additional comments on areas other than Section C.2.e are included in Attachment 2.

We believe that incorporation of the comments provided above and in the attachments to this letter will improve the DG and will effectively achieve the NRC's objective to provide additional guidance on digital instrumentation and control modifications. If NRC agrees that the incorporation of the proposed examples in would provide clarity needed to appropriately address the exception in C.2.e, NEI will submit an update to NEI 96-07, Appendix D which includes these examples.

We appreciate the NRC staff's consideration of these comments. If you have any questions concerning this letter or the attachments, please contact me (seg@nei.org; 202-739-8111) or Kati Austgen (kra@nei.org; 202-739-8068).

Sincerely,

Stephen E. Geier

Attachments

c: Mr. Chris Miller, NRR/DIRS, NRC
Mr. Eric Benner, NRR/DE, NRC
Mr. Gregory Bowman, NRR/DIRS, NRC
Ms. Tekia Govan, NRR/DIRS/IRGB, NRC
NRC Document Control Desk

NEI Attachment 1

Examples 4-23 and 4-24 are proposed for addition to NEI 96-07, Appendix D Section 4.3.6 following Example 4-22 to illustrate cases in which there is the CREATION of a malfunction with a different result.

Example 4-23. CREATION of a Malfunction with a Different Result

Proposed Activity

The analog voltage regulators on both trains of Emergency Diesel Generators (EDGs) are being replaced with digital voltage regulators.

Safety Analysis Result Impact Consideration

Step 1:

The voltage regulator is required to function properly to support EDG operation. Failure of the voltage regulator will result in failure of the associated EDG.

Step 2:

The function of the voltage regulator is classified as a design function because it supports or impacts a design bases function specified in GDC 17. Therefore, the voltage regulator's function is a design function credited in the safety analysis.

From GDC 17:

Criterion 17 -- Electric power systems. An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. [emphasis added]

Step 3:

The effect on the voltage regulator, and the EDG's operation, is clear and understood, having a direct impact on the accident analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the design basis function is readily apparent (i.e., clear and understood).

Step 4:

If a software CCF occurs, the voltage regulator's control function, which supports or impacts the GDC 17 design bases function, will not be performed.

Step 5:

Numerous safety analyses directly credit functions that are assumed to remain powered by a single EDG, which is commonly assumed to be the limiting single failure.

Step 6:

In this instance, the basic assumption of single failure is no longer valid. Thus, if the safety analyses in question were rerun, the associated acceptance criteria would likely not be met with such a basic assumption not being maintained.

Conclusion

With the software CCF likelihood determined to be not sufficiently low, the assumptions regarding satisfaction of single failure criteria are invalidated and the results are no longer bounded. Therefore, the proposed activity CREATES the possibility for a malfunction of an SSC important to safety with a different result.

Example 4-24. CREATION of a Malfunction with a Different Result

Proposed Activity

The analog pressurizer pressure transmitters and associated circuitry used to control the Low Temperature Overpressure Protection opening signal for the pressurizer Power Operated Relief Valve (PORV) are being replaced with digital equipment.

Safety Analysis Result Impact Consideration

Step 1:

The PORVs are required to open to prevent an overpressurization of the Reactor Coolant System (RCS) when the RCS is being operated in a water-solid condition. The pressure sensing circuitry is essential to that function.

Step 2:

The function of the PORV is classified as a design function due to performing a function that supports or impacts a design bases function specified in GDC 14. Further, the generation of an appropriate opening signal upon a high pressure condition also supports that function. Therefore, both the PORV and the pressure sensing circuitry perform design functions credited in the safety analysis.

From GDC 14:

Criterion 14 -- Reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture. [emphasis added]

Specifically, the design bases function identified in GDC 14 above applies during cold, water-solid conditions. This protection is commonly referred to as Low Temperature Overpressure Protection, or LTOP. Therefore, both the PORV and the pressure sensing circuitry perform design functions credited in the safety analysis.

Step 3:

The effect on the pressure sensing circuitry, and the PORV's operation, is clear and understood, having a direct impact on the safety analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the safety analysis is readily apparent (i.e., clear and understood).

Step 4:

If a software CCF occurs, the pressure sensing circuitry, and the PORV's operation, which both support or impact the GDC 14 design bases function, will not be performed.

Step 5:

The pertinent safety analysis is typically part of the Pressure Temperature Limits Report (PTLR). That report is controlled by a Technical Specification in section 5.6. The PTLR itself is either summarized as part of the UFSAR or is incorporated by reference.

Contained within the PTLR is a description of an analysis that demonstrates the selected Low Temperature PORV Setpoint will ensure RCS pressure does not exceed the limits specified in 10 CFR 50, Appendix G during a cold water-solid pressure excursion. This excursion is typically the result of an uncontrolled injection of water into the RCS via a high pressure Emergency Core Cooling System (ECCS) pump.

The analysis contained within the PTLR is a safety analysis because it demonstrates that the limits contained within 10 CFR 50, Appendix G (the acceptance criteria) for the facility's capability to withstand or respond to the LTOP excursion (postulated event(s)) are met.

Step 6:

In this instance, the basic assumption of PORV operation is no longer valid. Thus, if the safety analyses in question were rerun, the associated acceptance criteria would likely not be met with no pressure relief capability available to mitigate the cold, overpressure transient.

Conclusion

With the software CCF likelihood determined to be not sufficiently low, the assumptions regarding PORV operation are invalidated and the results are no longer bounded. Therefore, the proposed activity CREATES the possibility for a malfunction of an SSC important to safety with a different result.

NEI Comments on DG-1356

1.
Affected Section: B. Discussion, Background, Page 5, Paragraph 5

Comment/Basis: The draft guidance states, NEI 96-07, Appendix D, does not replace or supersede NEI 01-01 either in whole or in part. Licensees have the option to use the 10 CFR 50.59 guidance in total in either NEI 01-01 or in NEI 96-07, Appendix D.

This is confusing because NEI stated its intent that, The guidance in this appendix supersedes the 10 CFR 50.59-related guidance contained in NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades, and incorporates the 10 CFR 50.59-related guidance contained in Regulatory Issue Summary (RIS) 2002-22, Supplement 1, Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems.

Recommendation: Clarify that NEI 96-07, Appendix D supersedes the 10 CFR 50.59-related guidance contained in NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades. NEI will not be making further changes to update or maintain NEI 01-01. If NRC wishes to retain for licensees the option to use NEI 01-01, that can still be specified.

2.
Affected Section: Section C.2.a, NEI 96-07, Appendix D Use

Comment/Basis: The draft guidance in C.2.a. is confusing and unnecessary.

Recommendation: Section C.2.a. could be eliminated by revising the Section 2 introductory statement to something along the lines of:

The NRC staff evaluated NEI 96-07, Appendix D, as applied to digital modifications only. The NRC staff concludes that Appendix D provides an acceptable approach for the application of 10 CFR 50.59 guidance when conducting digital instrumentation and control modifications, subject to the following exceptions and additions:

3.
Affected Section: Section C.2.b, Human-System Interface

Comment/Basis: The draft guidance states (in part), "However, including Human-System Interface (HSI) changes in the screening process is a change from the guidance contained in NEI 96-07, Revision 1, Section 4.2.1.2."

This statement is incorrect.

NEI 96-07, Rev. 1, Section 4.2.1.2 contains the following guidance:

"For purposes of 10 CFR 50.59 screening, changes that fundamentally alter (replace) the existing means of performing or controlling design functions should be conservatively treated as adverse and screened in. Such changes include replacement of automatic action by manual action (or vice versa), changes to the man-machine interface, changing a valve from locked closed to administratively closed and similar changes." [emphasis added]

The concept of man-machine interface, now called human-system interface, was previously considered in NEI 96-07, Rev. 1, Section 4.2.1.2.

NEI 01-01, Section 4.3.4 also currently considers the human-system interface.

Recommendation: Delete the subject sentence.

4.
Affected Section: Section C.2.b, Human-System Interface

Comment/Basis: The draft guidance states (in part), "Digital interfaces are fundamentally different from analog interfaces." This statement is contradictory to the 10 CFR 50.59 guidance currently endorsed by the NRC in NEI 01-01.

Originally (i.e., before NEI 01-01), NEI 96-07, Rev. 1, Section 4.2.1.2 contained the following guidance:

"For purposes of 10 CFR 50.59 screening, changes that fundamentally alter (replace) the existing means of performing or controlling design functions should be conservatively treated as adverse and screened in. Such changes include replacement of automatic action by manual action (or vice versa), changes to the man-machine interface, changing a valve from locked closed to administratively closed and similar changes." [emphasis added]

This guidance meant that ALL man-machine interfaces (now called human-system interfaces) MUST be considered ADVERSE (i.e., "screen in").

Then, NEI 01-01 was endorsed by the NRC and Section 4.3.4 contained the following guidance:

"It is important to note that not all changes to the human-system interface fundamentally alter the means of performing or controlling design functions. Some HSI changes that accompany digital upgrades leave the method of performing functions essentially unchanged. Technical evaluations should determine whether changes to the HSI create adverse effects on design functions (including adverse effects on the licensing basis and safety analyses)."

This guidance, which is currently endorsed, clearly states that the impact of a change to an HSI (i.e., a Human-System Interface) on a UFSAR-described design function needs to be determined. In other words, an HSI change no longer automatically becomes ADVERSE, or defaults to being ADVERSE.

The sentence proposed by the NRC (identified in the first paragraph above) overturns the guidance in NEI 01-01 and returns the guidance to that given in NEI 96-07. Furthermore, the intent of the guidance in Appendix D is to provide one type of technical evaluation that the 50.59 practitioner may use to determine the impact of an HSI change on a UFSAR-described design function.

If the proposed sentence is maintained as written, then there is no need for the guidance contained in Appendix D, Section 4.2.1.2 since ALL changes involving an HSI would need to be considered ADVERSE.

Recommendation: Consider deleting the sentence entirely or at a minimum modifying the sentence to read: "Digital interfaces are not necessarily fundamentally different from analog interfaces." [emphasis added to highlight the suggested modification]

5.
Affected Section: Section C.2.c, Examples Illustrate Guidance

Comment/Basis: The draft guidance states (in part), For example, the Note in example 4-19 of NEI 96-07, Appendix D states, The acceptability of these new area radiation monitors will be dictated by their reliability, which is assessed as part of Criterion (ii), not Criterion (vi). The NRC staff's position is that this note is potentially misleading as it could be read to mean that CCF of a proposed digital I&C modification is solely a reliability issue, applicable to Criterion (ii) and not Criterion (vi), when read within the context of the entirety of example 4-19.

This statement is a comment, NOT an exception.

Recommendation: Delete the identified text since it is not an exception in the form of a limit/restriction on the use of the examples (as is done in the first two sentences).

6.
Affected Section: Section C.2.d, Software Common Cause Failures

Comment/Basis: This section is confusing. It could be misinterpreted to imply that NRC staff takes exception to all Appendix D language discussing software CCF except for language quoted directly from RIS 2002-02 Supplement 1.

Recommendation: Section C.2.d. should either be deleted -or- it should be revised to contain the specific software CCF related text in Appendix D to which the staff take exception.

7.
Affected Section: Section 4 of RG 1.187, Revision 1

Comment/Basis: Section 4 of RG 1.187 Rev 1 titled Applicability to 10 CFR Part 50 Licensees other than Power Reactors has been deleted from draft of Rev 2 with no apparent explanation. This is confusing and likely to be interpreted as effectively eliminating 10 CFR Part 50 Licensees other than Power Reactors from the scope of this RG. Some Part 50 Licensees other than Power Reactors need the guidance contained in Appendix D and this RG to fulfill their missions.

Recommendation: The language of Section 4 of RG 1.187 Rev 1 should be re-included in Rev 2. Alternatively, the staff should state in the revised RG why it was removed and provide an analysis of the impact the change in regulatory guidance would have on affected Part 50 Licensees.