Text

PUBLIC SUBMISSION As of: 7/17/19 4:16 PM Received: July 15, 2019 Status: Pending_Post Tracking No. 1k3-9b1u-seo6 Comments Due: July 15, 2019 Submission Type: Web Docket: NRC-2019-0086 Draft Regulatory Guide, DG-1356, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments Comment On: NRC-2019-0086-0001 Guidance for Changes, Tests, and Experiments Document: NRC-2019-0086-DRAFT-0004 Comment on FR Doc # 2019-11246 Submitter Information Name: Stephen Geier General Comment See attached file(s).

Attachments 07-15-19_NRC_NEI Comments on DG-1356 Page 1 of 1 07/17/2019 https://www.fdms.gov/fdms/getcontent?objectId=0900006483d91e77&format=xml&showorig=false SUNSI Review Complete Template = ADM-013 E-RIDS=ADM-03 ADD: Tom Boyce (RES), Philip McKenna, Stephen Burton COMMENT (3)

PUBLICATION DATE:

5/30/2019 CITATION 84 FR 25077

STEPHEN E. GEIER Sr. Director, Engineering and Risk 1201 F Street, NW, Suite 1100 Washington, DC 20004 P: 202.739.8111 seg@nei.org nei.org July 15, 2019 Mr. Philip McKenna Division of Inspection and Regional Support Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

NEI Comments on draft regulatory guide (DG), DG-1356, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments, 84 Fed. Reg. 25077; Docket ID NRC-2019-0086 Project Number: 689

Dear Mr. McKenna:

The Nuclear Energy Institute (NEI)1, on behalf of its members, submits the following comments on DG-1356, proposed revision 2 of Regulatory Guide (RG) 1.187, Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments as requested in the subject Federal Register Notice. With significant exceptions and clarifications, DG-1356 endorses NEI 96-07, Appendix D, Revision 0, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18338A389). NEI submitted Revision 0 of NEI 96-07, Appendix D to the Nuclear Regulatory Commission (NRC) on November 30, 2018, following a series of public meetings and correspondence to address unique challenges pertaining to the application of the Title 10 of the Code of Federal Regulations (10 CFR) 50.59 regulatory change process to digital technology implementation. NRCs December 20, 2018 letter (ADAMS Accession No. ML18340A124) to NEI summarizes these extensive interactions.

When NEI submitted Appendix D and NRC entered the Regulatory Guide endorsement process, the only areas of dispute involved 10 CFR 50.59(c)(2)(vi) or criterion 6. Criterion 6 requires a license amendment for any proposed change that would Create a possibility for a malfunction of an SSC [system, structure and component] important to safety with a different result than any previously evaluated in the final safety 1 The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEIs members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

Mr. Philip McKenna July 15, 2019 Page 2 analysis report (as updated). Supplemental guidance on this criterion is contained in Section 4.3.6 of NEI 96-07, Appendix D. In terms of page length, Section 4.3.6 represents more than one-third of the guidance provided in NEI 96-07, Appendix D. In substance, Section 4.3.6 represents far more as criterion 6 is one of the most challenging areas for licensees applying 10 CFR 50.59 to digital modifications. DG-1356, Section C.2.e addresses NRC staff exceptions to portions of Section 4.3.6 of NEI 96-07, Appendix D. We believe these overly broad exceptions to Section 4.3.6 are unnecessary, confusing, and contrary to the NRCs Reliability principle of good regulation. We appreciated the opportunity to gain clarity on the exceptions in the June 25, 2019 public meeting on NEI 96-07, Appendix D, as Endorsed by Draft Regulatory Guide 1.187, Revision 2. Based on the outcome of that public meeting, it was apparent that the NRC and NEI approaches often come to the same conclusion (although the rationale for NRCs approach is not clearly set forth in DG-1356).

Our comments on DG-1356, Section C.2.e, below, are provided to demonstrate that the NRC staffs proposed exceptions will create confusion for the use of NEI 96-07, Appendix D. Included in our comments are additional examples that we propose to add to NEI 96-07, Appendix D to provide the clarity sought by the staff and that should enable the removal of the exceptions.

Comments on Section C.2.e In DG-1356, Section C.2.e, The NRC staff takes exception to the application of the term safety analysis to the criterion in section 10 CFR 50.59(c)(2)(vi) in lieu of the term FSAR (as updated) throughout NEI 96-07, Appendix D, Section 4.3.6. Section C.2.e further states, The NRC staffs position is that where the criteria in 10 CFR 50.59 uses the term previously evaluated in the final safety analysis report, it means the whole FSAR (as updated). Therefore, when applying the guidance in Appendix D, licenses should not limit their examination of the FSAR (as updated) to particular sections.

The guidance proposed in NEI 96-07, Appendix D, Section 4.3.6, specifically the six step process for cases in which the qualitative assessment outcome is a failure likelihood of not sufficiently low, begins with identification of all functions that are directly or indirectly related to the proposed activity. Further, the guidance reiterates the expectation from NEI 96-07, Rev. 1 that all functions involved with the proposed activity are initially considered in the scope of review regardless of the level of direct description in the FSAR (as updated) or UFSAR. This is consistent with the NRC staff position that one must examine the whole FSAR (as updated).

However, because 10 CFR 50.59(c)(2)(vi) states, Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the final safety analysis report (as updated), each of the involved functions must then be examined to determine which are design functions. That is, malfunction of an SSC important to safety has been defined in Definition 3.9 of NEI 96-07, Rev.1 as the failure of SSCs to perform their intended design functions described

Mr. Philip McKenna July 15, 2019 Page 3 in the UFSAR (whether or not classified as safety-related in accordance with 10 CFR 50, Appendix B). From the discussion in NEI 96-07, Rev. 1, Definition 3.3, Design functions are UFSAR-described design bases functions and other SSC functions described in the UFSAR that support or impact design bases functions. This discussion continues, providing the definition of design bases function from Appendix B to NEI 97-04 as endorsed by Regulatory Guide 1.186. The NRC has previously endorsed all these definitions and related discussions of design functions and design basis functions in NEI 96-07, Rev. 1 and NEI 97-04, Appendix B.

The definition of malfunction of an SSC important to safety and the focus on design functions are a direct reflection of the 1999 rulemaking on 10 CFR 50.59, which was promulgated to address the uneven application of the rule to licensees with UFSARs of varying level of detail. The associated design functions are described in licensees UFSARs, and both NEI 96-07, Rev. 1 and Appendix D provide guidance to ensure that these design functions are properly treated. DG-1356 is silent on the regulatory foundation for malfunction of an SSC important to safety as there is no mention of NEI 96-07, Rev. 1 Sections 3.9 and 3.3, or RG 1.186.

With a malfunction of an SSC important to safety being the failure of SSCs to perform their intended design functions described in the UFSAR, it is clear that the result of the failure to perform a design function is the focus. Returning to the discussion in NEI 96-07, Rev. 1, Definition 3.3, the connection between design functions and design bases functions is described. NEI 96-07, Appendix D, Section 4.3.6, provides guidance on taking each design function through a process to determine the result of a failure to perform that design function.

NEI 96-07, Appendix D, Section 4.3.6 reasonably interprets the term different result in criterion 6 to mean different safety analysis result. While DG-1356 takes exception to this position, it points to no agency guidance offering a contrary interpretation, nor does it demonstrate that NEIs position is unreasonable or would result in any safety issues. On the other hand, NEIs proposal has the advantage of allowing licensees to use the endorsed definition in NEI 96-07, Rev. 1, Section 3.12 to identify safety analyses (and thus safety analysis results). Furthermore, if the term different result were not limited to an examination of the results in the safety analyses, it is unclear which other results licensees would need to examine to satisfy criterion 6. With the exception as stated in DG-1356, Section C.2.e, and without reasonable limits on which different results licensees should focus on, the NRC staff would be inviting the return of the uneven application of 10 CFR 50.59 that the 1999 amendment was intended to cure.

To the extent that DG-1356, Section C.2.e argues that NEI 96-07, Appendix D, Section 4.3.6 reads the phrase FSAR (as updated) out of criterion 6 and, instead, replaces that phrase with safety analysis, NEI disagrees. As previously explained, the focus on safety analysis within Section 4.3.6 is not based on the phrase FSAR (as updated), but rather is based on the phrase different result.

The question thus is where in the FSAR (as updated) are the results that were previously

Mr. Philip McKenna July 15, 2019 Page 4 evaluated? Again, NEI submits that is reasonable to interpret results as safety analysis results.

In accordance with Definition 3.12, Safety analyses are required to be presented in the UFSAR, and in alignment with the portion of 10 CFR 50.59(c)(2)(vi) that states, any previously evaluated in the final safety analysis report (as updated), NEI agrees that licensees must take a broad look at the UFSAR to identify any safety analyses that meet Definition 3.12. This examination is expressly not limited to specific sections of the UFSAR, instead licensees must take a wide view to determine which analyses or evaluations demonstrate that acceptance criteria for the facilitys capability to withstand or respond to postulated events are met. Accordingly, safety analyses meeting Definition 3.12 may be found in any section of the UFSAR.

The NEI 96-07, Appendix D, Section 4.3.6 focus on the safety analyses meeting Definition 3.12, wherever they may be found in the UFSAR, is consistent with other 10 CFR 50.59 evaluation criteria and the guidance in NEI 96-07, Rev. 1. For example, 10 CFR 50.59(c)(2)(iii) considers accident consequences previously evaluated in the final safety analysis report (as updated).

Notwithstanding an identical reference to the FSAR (as updated), it is well understood that this criterion is focused on safety analyses. Several 10 CFR 50.59 evaluation criteria utilize this logic with Definition 3.12 safety analyses as the focus and have done so since the 1999 rulemaking on 10 CFR 50.59. If the NRC staff proceeds with the exception as stated in DG-1356, Section C.2.e, it will reinstate the focus on the UFSAR wording rather than the various design functions and introduce inconsistent application among the 10 CFR 50.59 evaluation criteria.

Based on the NRC public meeting held on June 25, 2019, we agree that there are additional examples that could be included in NEI 96-07, Appendix D, Section 4.3.6 to illustrate cases that create a possibility for a malfunction of an SSC important to safety with a different result. provides proposed examples 4-23 and 4-24 based on the NRCs public meeting presentation examples of an emergency diesel generator voltage regulator control system and pressurizer power operated relief valves to control reactor coolant system pressure during low temperature operations. Incorporation of these examples in NEI 96-07, Appendix D, Section 4.3.6 as part of NRCs resolution of public comments should reassure NRC staff and licensees that the intent of the guidance appropriately captures the intent of 10 CFR 50.59(c)(2)(vi) consistent with NEI 96-07, Rev. 1.

Comments on other portions of DG-1356 Additional comments on areas other than Section C.2.e are included in Attachment 2.

We believe that incorporation of the comments provided above and in the attachments to this letter will improve the DG and will effectively achieve the NRCs objective to provide additional guidance on digital instrumentation and control modifications. If NRC agrees that the incorporation of the proposed examples in

Mr. Philip McKenna July 15, 2019 Page 5 would provide clarity needed to appropriately address the exception in C.2.e, NEI will submit an update to NEI 96-07, Appendix D which includes these examples.

We appreciate the NRC staffs consideration of these comments. If you have any questions concerning this letter or the attachments, please contact me (seg@nei.org; 202-739-8111) or Kati Austgen (kra@nei.org; 202-739-8068).

Sincerely, Stephen E. Geier Attachments c:

Mr. Chris Miller, NRR/DIRS, NRC Mr. Eric Benner, NRR/DE, NRC Mr. Gregory Bowman, NRR/DIRS, NRC Ms. Tekia Govan, NRR/DIRS/IRGB, NRC NRC Document Control Desk

NEI Attachment 1 1

Example 4-23 and 4-24 are proposed for addition to NEI 96-07, Appendix D Section 4.3.6 following Example 4-22 to illustrate cases in which there is the CREATION of a malfunction with a different result.

Example 4-23. CREATION of a Malfunction with a Different Result Proposed Activity The analog voltage regulators on both trains of Emergency Diesel Generators (EDGs) are being replaced with digital voltage regulators.

Safety Analysis Result Impact Consideration Step 1:

The voltage regulator is required to function properly to support EDG operation. Failure of the voltage regulator will result in failure of the associated EDG.

Step 2:

The function of the voltage regulator is classified as a design function because it supports or impacts a design bases function specified in GDC 17. Therefore, the voltage regulators function is a design function credited in the safety analysis.

From GDC 17:

Criterion 17 -- Electric power systems. An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. [emphasis added]

Step 3:

The effect on the voltage regulator, and the EDGs operation, is clear and understood, having a direct impact on the accident analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the design basis function is readily apparent (i.e., clear and understood).

Step 4:

If a software CCF occurs, the voltage regulators control function, which supports or impacts the GDC 17 design bases function, will not be performed.

Step 5:

Numerous safety analyses directly credit functions that are assumed to remain powered by a single EDG, which is commonly assumed to be the limiting single failure.

Step 6:

In this instance, the basic assumption of single failure is no longer valid. Thus, if the safety analyses in question were rerun, the associated acceptance criteria would likely not be met with

NEI Attachment 1 2

such a basic assumption not being maintained.

Conclusion With the software CCF likelihood determined to be not sufficiently low, the assumptions regarding satisfaction of single failure criteria are invalidated and the results are no longer bounded. Therefore, the proposed activity CREATES the possibility for a malfunction of an SSC important to safety with a different result.

Example 4-24. CREATION of a Malfunction with a Different Result Proposed Activity The analog pressurizer pressure transmitters and associated circuitry used to control the Low Temperature Overpressure Protection opening signal for the pressurizer Power Operated Relief Valve (PORV) are being replaced with digital equipment.

Safety Analysis Result Impact Consideration Step 1:

The PORVs are required to open to prevent an overpressurization of the Reactor Coolant System (RCS) when the RCS is being operated in a water-solid condition. The pressure sensing circuitry is essential to that function.

Step 2:

The function of the PORV is classified as a design function due to performing a function that supports or impacts a design bases function specified in GDC 14. Further, the generation of an appropriate opening signal upon a high pressure condition also supports that function. Therefore, both the PORV and the pressure sensing circuitry perform design functions credited in the safety analysis.

From GDC 14:

Criterion 14 -- Reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture. [emphasis added]

Specifically, the design bases function identified in GDC 14 above applies during cold, water-solid conditions. This protection is commonly referred to as Low Temperature Overpressure Protection, or LTOP. Therefore, both the PORV and the pressure sensing circuitry perform design functions credited in the safety analysis.

Step 3:

The effect on the pressure sensing circuitry, and the PORVs operation, is clear and understood, having a direct impact on the safety analysis assumptions and modeling. There is no reason to generate a new FMEA since the impact of the software CCF on the safety analysis is readily apparent (i.e., clear and understood).

Step 4:

NEI Attachment 1 3

If a software CCF occurs, the pressure sensing circuitry, and the PORVs operation, which both support or impact the GDC 14 design bases function, will not be performed.

Step 5:

The pertinent safety analysis is typically part of the Pressure Temperature Limits Report (PTLR). That report is controlled by a Technical Specification in section 5.6. The PTLR itself is either summarized as part of the UFSAR or is incorporated by reference.

Contained within the PTLR is a description of an analysis that demonstrates the selected Low Temperature PORV Setpoint will ensure RCS pressure does not exceed the limits specified in 10 CFR 50, Appendix G during a cold water-solid pressure excursion. This excursion is typically the result of an uncontrolled injection of water into the RCS via a high pressure Emergency Core Cooling System (ECCS pump).

The analysis contained within the PTLR is a safety analysis because it demonstrates that the limits contained within 10 CFR 50, Appendix G (the acceptance criteria) for the facilitys capability to withstand or respond to the LTOP excursion (postulated event(s)) are met.

Step 6:

In this instance, the basic assumption of PORV operation is no longer valid. Thus, if the safety analyses in question were rerun, the associated acceptance criteria would likely not be met with no pressure relief capability available to mitigate the cold, overpressure transient.

Conclusion With the software CCF likelihood determined to be not sufficiently low, the assumptions regarding PORV operation are invalidated and the results are no longer bounded. Therefore, the proposed activity CREATES the possibility for a malfunction of an SSC important to safety with a different result.

NEI Comments on DG-1356 1

Affected Section Comment/Basis Recommendation

1. B. Discussion, Background, Page 5, Paragraph 5 The draft guidance states, NEI 96-07, Appendix D, does not replace or supersede NEI 01-01 either in whole or in part.

Licensees have the option to use the 10 CFR 50.59 guidance in total in either NEI 01-01 or in NEI 96-07, Appendix D.

This is confusing because NEI stated its intent that, The guidance in this appendix supersedes the 10 CFR 50.59-related guidance contained in NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades, and incorporates the 10 CFR 50.59-related guidance contained in Regulatory Issue Summary (RIS) 2002-22, Supplement 1, Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems.

Clarify that NEI 96-07, Appendix D supersedes the 10 CFR 50.59-related guidance contained in NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades. NEI will not be making further changes to update or maintain NEI 01-01.

If NRC wishes to retain for licensees the option to use NEI 01-01, that can still be specified.

2. Section C.2.a, NEI 96-07, Appendix D Use The draft guidance in C.2.a. is confusing and unnecessary.

Section C.2.a. could be eliminated by revising the Section 2 introductory statement to something along the lines of:

The NRC staff evaluated NEI 96-07, Appendix D, as applied to digital modifications only. The NRC staff concludes that Appendix D provides an acceptable approach for the application of 10 CFR 50.59 guidance when conducting digital instrumentation and control modifications, subject to the following exceptions and additions:

3. Section C.2.b, Human-System Interface The draft guidance states (in part), "However, including Human-System Interface (HSI) changes in the screening process is a change from the guidance contained in NEI 96-07, Revision 1, Section 4.2.1.2."

This statement is incorrect.

NEI 96-07, Rev. 1, Section 4.2.1.2 contains the following guidance:

Delete the subject sentence.

NEI Comments on DG-1356 2

Affected Section Comment/Basis Recommendation "For purposes of 10 CFR 50.59 screening, changes that fundamentally alter (replace) the existing means of performing or controlling design functions should be conservatively treated as adverse and screened in. Such changes include replacement of automatic action by manual action (or vice versa), changes to the man-machine interface, changing a valve from locked closed to administratively closed and similar changes." [emphasis added]

The concept of man-machine interface, now called human-system interface, was previously considered in NEI 96-07, Rev. 1, Section 4.2.1.2.

NEI 01-01, Section 4.3.4 also currently considers the human-system interface.

4. Section C.2.b, Human-System Interface The draft guidance states (in part), "Digital interfaces are fundamentally different from analog interfaces." This statement is contradictory to the 10 CFR 50.59 guidance currently endorsed by the NRC in NEI 01-01.

Originally (i.e., before NEI 01-01), NEI 96-07, Rev. 1, Section 4.2.1.2 contained the following guidance:

"For purposes of 10 CFR 50.59 screening, changes that fundamentally alter (replace) the existing means of performing or controlling design functions should be conservatively treated as adverse and screened in. Such changes include replacement of automatic action by manual action (or vice versa), changes to the man-machine interface, changing a valve from locked closed to administratively closed and similar Consider deleting the sentence entirely or at a minimum modifying the sentence to read: "Digital interfaces are not necessarily fundamentally different from analog interfaces." [emphasis added to highlight the suggested modification]

NEI Comments on DG-1356 3

Affected Section Comment/Basis Recommendation changes." [emphasis added]

This guidance meant that ALL man-machine interfaces (now called human-system interfaces) MUST be considered ADVERSE (i.e.,

"screen in").

Then, NEI 01-01 was endorsed by the NRC and Section 4.3.4 contained the following guidance:

"It is important to note that not all changes to the human-system interface fundamentally alter the means of performing or controlling design functions. Some HSI changes that accompany digital upgrades leave the method of performing functions essentially unchanged.

Technical evaluations should determine whether changes to the HSI create adverse effects on design functions (including adverse effects on the licensing basis and safety analyses)."

This guidance, which is currently endorsed, clearly states that the impact of a change to an HSI (i.e., a Human-System Interface) on a UFSAR-described design function needs to be determined. In other words, an HSI change no longer automatically becomes ADVERSE, or defaults to being ADVERSE.

The sentence proposed by the NRC (identified in the first paragraph above) overturns the guidance in NEI 01-01 and returns the guidance to that given in NEI 96-07. Furthermore, the intent of the guidance in Appendix D is to provide one type of technical evaluation that the 50.59 practitioner may use to determine the impact of an HSI change on a UFSAR-described design function.

If the proposed sentence is maintained as written, then there is no NEI Comments on DG-1356 4

Affected Section Comment/Basis Recommendation need for the guidance contained in Appendix D, Section 4.2.1.2 since ALL changes involving an HSI would need to be considered ADVERSE.

5. Section C.2.c, Examples Illustrate Guidance The draft guidance states (in part), For example, the Note in example 4-19 of NEI 96-07, Appendix D states, The acceptability of these new area radiation monitors will be dictated by their reliability, which is assessed as part of Criterion (ii), not Criterion (vi). The NRC staffs position is that this note is potentially misleading as it could be read to mean that CCF of a proposed digital I&C modification is solely a reliability issue, applicable to Criterion (ii) and not Criterion (vi), when read within the context of the entirety of example 4-19.

This statement is a comment, NOT an exception.

Delete the identified text since it is not an exception in the form of a limit/restriction on the use of the examples (as is done in the first two sentences).

6. Section C.2.d, Software Common Cause Failures This section is confusing. It could be misinterpreted to imply that NRC staff takes exception to all Appendix D language discussing software CCF except for language quoted directly from RIS 2002-02 Supplement 1.

Section C.2.d. should either be deleted -or-it should be revised to contain the specific software CCF related text in Appendix D to which the staff take exception.

7. Section 4 of RG 1.187, Revision 1 Section 4 of RG 1.187 Rev 1 titled Applicability to 10 CFR Part 50 Licensees other than Power Reactors has been deleted from draft of Rev 2 with no apparent explanation. This is confusing and likely to be interpreted as effectively eliminating 10 CFR Part 50 Licensees other than Power Reactors from the scope of this RG.

Some Part 50 Licensees other than Power Reactors need the guidance contained in Appendix D and this RG to fulfill their missions.

The language of Section 4 of RG 1.187 Rev 1 should be re-included in Rev 2.

Alternatively, the staff should state in the revised RG why it was removed and provide an analysis of the impact the change in regulatory guidance would have on affected Part 50 Licensees.