ML20238B942

Appendix E, Analysis of Public Comments on DRG

Issue date: 10/08/2020
From: Jordan Hoellman, NRC/NRR/DANU/UARP
To: Hoellman J
Shared Package: ML20238B943
Download: ML20238B942 (37)

Text

APPENDIX E Analysis of Public Comments on Design Review Guide (DRG): Instrumentation and Controls for Non-Light-Water Reactor (Non-LWR) Reviews

Comments on the subject draft Design Review Guide (DRG) are available electronically at the U.S. Nuclear Regulatory Commission's (NRC's) electronic Reading Room at http://www.nrc.gov/reading-rm/adams.html. From this page, the public can access the Agencywide Documents Access and Management System (ADAMS), which provides text and image files of the NRC's public documents. The following table lists the comments the NRC received on the draft DRG.

Letter Number   ADAMS Accession No.   Commenter Affiliation            Commenter Name
1               ML20107H199           SunPort                          Mark Burzynski
2               ML20106F196           Public                           Delores Hellens
3               ML20106F191           Public                           Maria Hernandez
4               ML20227A021           Nuclear Energy Institute (NEI)   Marcus Nichol

The original comment as written by the commenter in its letter above is listed first, followed by the NRC staff's response. The Enclosure (ADAMS Accession No. ML20280A509) provides a red-line strikeout version of the DRG and identifies the revisions made in response to the comments.

Letter 1 - SunPort

Comment No. 1-1 Section X.0.1.2, Objectives of Review, identifies two tasks not shown in Figure X-1: (1) the I&C system design includes the functions necessary to assure adequate safety during operation of a nuclear power plant under normal operation, transient, and accident conditions and (2) the instrumentation and control (I&C) system safety-related functions, systems, and equipment have been properly classified, and appropriate performance as well as special treatment measures have been established. It would be helpful to show them in the figure to clarify whether they are within the scope of the I&C review or a prerequisite for the I&C review.

NRC Response The NRC staff agrees with this comment. The NRC staff will add the following clarification at the beginning of Section X.0.1.2. The framework depicted in Figure X-1 above supports achieving the objectives of I&C system reviews, which are to confirm that:

Comment No. 1-2 Section X.1.1, Systematic Assessment Review Criteria, specifies that credible hazards and failure modes of the design be identified and controlled. In practice, credible hazards and failure modes can be grouped in four categories that are treated in different ways.

Page 2 of 37

a. Abnormal Operating Occurrences and Postulated Accidents - These hazards are typically defined by deterministic means to provide safety margins for various categories of events. These events are analyzed by conservative methods (e.g., bounding parameters) with conservative assumptions (e.g., assumed single failures and no beneficial credit for non-safety related control system actions). The protective schemes developed from the formal safety analysis of these events form the basis for the safety-related functions implemented in I&C systems.
b. External and Internal Plant Hazards - These hazards (e.g., seismic, flood, fire, etc.) are specified at the plant level and defined by deterministic or probabilistic means. These hazards form the basis for qualification, physical separation, and isolation requirements for the safety-related I&C systems.
c. Beyond Design Basis Events - These hazards can be specified at the plant or system level by deterministic or probabilistic means. These hazards typically form the basis for alternate mitigation capabilities that are often implemented in a graded approach (i.e., less stringent design requirements than safety-related systems).
d. Internal I&C System Hazards - These hazards have not been consistently defined and assessed. The methods for assessing hazards from assumed single failures in safety-related systems are well understood. The methods for assessing hazards from non-safety related system interfaces and associated circuits are also understood. Use of digital I&C equipment results in additional qualification requirements (i.e., electromagnetic compatibility).

Consideration of digital common cause failures (CCFs) in safety-related systems that result in a loss of safety-related functions is generally understood and has created a new set of beyond design basis events to be considered. However, the criteria for use of diversity and defensive design measures to address the hazards are not well defined. A direct consequence of this weakness is that late regulatory rejection of these design features can lead to rework of plant and system level requirements.

The treatment of spurious operation of digital I&C systems is not well defined or universally understood. The spurious operation hazards can result in additional Abnormal Operating Occurrences that must be evaluated by formal safety analyses due to postulated failures in shared digital I&C resources or the assessment of additional Beyond Design Basis Events due to postulated software CCFs in I&C systems. Late identification of the spurious operation hazards to be considered can lead to rework of key inputs to the I&C system design.

Figure X-1 does not show how the assessment of the four hazard categories is integrated into the I&C system review framework and how the treatment of the Internal I&C System Hazards can affect the other three categories of hazards.

NRC Response The NRC staff disagrees with this comment. The suggested inclusion of the four hazard categories information is judged beyond the scope of the DRG as the listed categories are not specific to the I&C design and would be broadly applicable to other technical disciplines.

Therefore, such information would be better suited for a higher-level document. RG 1.233, which endorses NEI 18-04, Revision 1, with clarifications, discusses the systematic assessment of potential event sequences and can thus be used as guidance. Furthermore, RIL-1101, which is referenced in Section X.1.1 of the DRG, includes information pertaining to categories of hazard origination. Nonetheless, the NRC staff is currently evaluating options for providing guidance to licensees and the NRC staff on hazard analysis, which could serve as a venue for incorporating the hazard categories information per the comment. In a separate effort, the NRC staff is looking into making updates to the I&C-related Regulatory Guides that will be addressing these hazards. The NRC staff made no changes to the DRG based on this comment.

Comment No. 1-3 Section X.2.2.1, Defense-in-Depth Measures, specifies that the degree of defense-in-depth and qualification measures should be justified as being adequate to achieve the necessary robustness and reliability of the safety functions to be performed by the I&C systems. World Nuclear Association Report No. 2018/003, Defense-in-Depth and Diversity: Challenges Related to I&C Architecture, outlines significant challenges in design, licensing and cost of nuclear power plants caused by inconsistent treatment of defense-in-depth. The regulatory reviews of defense-in-depth can be made more effective by having a defined framework for lines of defense. As an example, [International Atomic Energy Agency] IAEA Safety Standards Series No. SSR-2/1, Revision 1, Safety of Nuclear Power Plants: Design, outlines five levels of defense:

a. prevent deviations from normal operation and the failure of items important to safety (control system),
b. detect and control deviations from normal operational states in order to prevent anticipated operational occurrences from escalating to accident conditions (reactor trip),
c. prevent damage to the reactor core or radioactive releases requiring off-site protective actions from postulated accidents (engineered safeguards actuation),
d. mitigate the consequences of accidents that result from failure of the third level (severe accident mitigation), and
e. mitigate the radiological consequences of radioactive releases that could potentially result from accidents (emergency response).

World Nuclear Association Report No. 2020/001, Safety Classification for I&C Systems in Nuclear Power Plants - Current Status and Difficulties, outlines difficulties that have been encountered when developing and applying safety classification for I&C systems in nuclear power plants. Clear and consistent classification and design criteria should be defined for each level of defense.

NRC Response The NRC staff disagrees with this comment. The proposed inclusion of a defined framework for lines of defense is beyond the scope of the DRG as the information from the IAEA document referenced by the comment would be applicable to other technical disciplines. Furthermore, NUREG/CR-6303, Section 2.2, already establishes a framework of levels (echelons) of defense that could be used for digital I&C systems similar to the framework described in the IAEA document referenced by the comment. While the framework in NUREG/CR-6303 could be re-assessed or revised in light of documents such as those from IAEA, such an effort would be beyond the scope of DRG development efforts. Regarding the comment that [c]lear and consistent classification and design criteria should be defined for each level of defense, both RG 1.233 and NEI 18-04 aim to address this issue for advanced reactors for all technical disciplines, not just I&C. NEI 18-04 specifically discusses the levels of defense related to defense-in-depth measures in IAEA Safety Report Series No. 46, Assessment of Defense in Depth for Nuclear Power Plants. The NRC staff made no changes to the DRG based on this comment.

Comment No. 1-4 Section X.2.2.1.3, Diversity in Support of Defense-in-Depth to Address CCFs, assesses the use of diversity in I&C systems to address CCF vulnerabilities. Timeliness of regulatory reviews has been impacted in other new plant reviews due to the subjective natures of both the definition of the digital CCF vulnerabilities to be solved and the acceptance criteria for diversity strategies.

These factors have also influenced the degree of stability for the regulatory decisions. For example, two popular guidance documents (i.e., NUREG/CR-6303 and the NUREG/CR-7007) focus on addressing a full set of potential diversity attributes with no regard to their relationship or usefulness in mitigating relevant or important digital CCF vulnerabilities. The trend has been towards lengthy and more difficult reviews of the treatment of digital CCF vulnerabilities and I&C system architectures. These reviews have required more specific and detailed information about the digital review systems to support regulatory decisions. The goals of timely reviews and approvals of I&C architectures early in the system development process cannot be realized with the current regulatory framework for treatment of digital CCF. The I&C architecture design and review process would be more predictable and efficient if the guidance focused on important CCF vulnerabilities and used appropriate diversity measures to address those vulnerabilities.

NRC Response The NRC staff disagrees with this comment. The risk-informed and performance-based approach in RG 1.233/NEI 18-04 to be applied in non-LWR designs addresses defense-in-depth adequacy in a holistic manner along with licensing basis events identification and safety classification of structures, systems, and components (SSCs). A systematic evaluation of event sequences including their frequencies and consequences should include potential CCFs and their importance to the plant risk. By iteratively applying risk insights as the reactor design evolves, the designers should be able to optimize their designs while important CCF vulnerabilities are eliminated or appropriate preventive and mitigating measures, such as diversity, are introduced. The DRG builds on this approach by providing NRC staff review guidance on the I&C portion of the design.

Similar concerns as those raised by the comment regarding the need for the guidance to focu[s] on important CCF vulnerabilities and [use] appropriate diversity measures to address those vulnerabilities are being addressed as part of the ongoing revisions to Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems Review Responsibilities. BTPs are part of the standard review plan (SRP), which is for LWRs; however, the NRC staff will continue to follow the BTP 7-19 revision efforts to determine whether any additional revisions to the DRG Section X.2.2.1.3 are needed. The NRC staff made no changes to the DRG based on this comment.

Letter 2 - Public

Comment No. 2-1 Agree

NRC Response The NRC staff made no changes to the DRG based on this comment.

Letter 3 - Public

Comment No. 3-1 This is to interfere in one life. Against the people. And I am the people. Can you get this off.

NRC Response The NRC staff made no changes to the DRG based on this comment.

Letter 4 - NEI

Comment No. 4-1 General The guidance discusses the use of probabilistic and deterministic approaches in the review of the [digital instrumentation and control] DI&C design. In SRM-SECY-19-0036, the Commission stated that "In any licensing review or other regulatory decision, the staff should apply risk-informed principles when strict, prescriptive application of deterministic criteria such as the single failure criterion is unnecessary to provide for reasonable assurance of adequate protection of public health and safety." Further clarity on this statement is found in the Commission voting record. It is unclear how the staff has incorporated the Commission direction in the development of this guidance. For example, if a risk-informed and performance-based approach demonstrates that deterministic criteria (e.g., independence or diversity) are not necessary in order to protect the public health and safety, then those deterministic criteria should not be imposed.

Include a discussion of how the staff addressed the Commission direction from SRM-SECY-19-0036 in the DRG. Where appropriate, discuss how the NRC will evaluate whether the risk-informed aspects of the application make the requested deterministic criteria unnecessary to provide for reasonable assurance of adequate protection of the public health and safety.

NRC Response The NRC staff disagrees with the proposed change. The DRG uses risk-informed and performance-based principles and discusses how it addresses the Commission direction in SRM-SECY-11-0024, Use of Risk Insights to Enhance the Safety Focus of Small Modular Reactor [SMR] Reviews. Further, it is aligned with the risk-informed and performance-based methodology in RG 1.233/NEI 18-04. The DRG effectively addresses the application of risk-informed principles to the review such as those discussed in the Commission direction from SRM-SECY-19-0036. In addition, NRR Office Instruction LIC-206, Integrated Risk-Informed Decision-Making for Licensing Reviews, Revision 1 (ADAMS Accession No. ML19263A645), issued in June 2020, provides guidance on SRM-SECY-19-0036. Although this Office Instruction is for overall license amendment reviews, it states that: "Staff performing licensing and review activities in the new reactor business line are encouraged to apply this guidance to the extent possible and appropriate."

Regarding the comment's suggestion that the DRG should discuss how the NRC staff will evaluate whether the risk-informed aspects of the application make the requested deterministic criteria unnecessary, the DRG already includes such discussion. For example, the DRG states that the "...I&C performance objectives should be achieved through demonstrating that the I&C architecture and systems are sufficiently reliable and robust commensurate with their safety significance." Therefore, the NRC staff would need to assess via the review frameworks depicted in Figures X-1 and X-2 whether an applicant can demonstrate how the I&C performance objectives for a given I&C design are met. For example, an applicant may claim that a given plant design does not need safety-related I&C systems due to the inherent passive features of the reactor design. The NRC staff determines that information in the application, including appropriate risk assessment that complements relevant regulatory analyses (e.g., evaluation against applicable regulations), supports the claim. In this case, the NRC staff should be able to conclude that the I&C systems need not be classified as safety-related systems based on such risk insight. The DRG review framework depicted in the aforementioned figures allows the NRC staff to perform the assessment for such a design approach. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-2 General We commend the NRC on developing technology-inclusive guidance. However, the DRG specifies that it is only applicable to non-LWRs, even though it also states that it is based on the guidance that was used to review applications for LWR SMRs. Artificially limiting the applicability of technology-inclusive guidance is unnecessary and creates regulatory uncertainty for technologies that have been excluded.

Revise the D[R]G to state that it is technology-inclusive and can be used by any new reactor applicant.

NRC Response The NRC staff disagrees with the proposed change. While the NRC staff agrees that the DRG is technology-inclusive and can be used by any new reactor applicant, it was developed to address the immediate needs associated with the non-LWR community consistent with RG 1.233/NEI 18-04. The NRC staff acknowledges that the comment suggests a worthwhile goal, but this would be a long-term effort if the NRC decides to pursue it. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-3 General The DRG is not clear about the types of applications to which this guidance applies. Section X.0.1.1 states that "The I&C portions of applications for nuclear reactor design certifications, combined licenses, standard design approvals, manufacturing licenses, construction permits, or operating licenses should demonstrate how the specified I&C systems support the overall nuclear power plant (NPP) performance objectives for a particular plant design." However, it is unclear if the NRC intends this guidance to apply equally to all of these types of applications. It appears that the expected scope and level of detail for the DI&C design is written to be appropriate for a Part 52 design certification or [combined license] COL application. While this level of detail may also be appropriate for a Part 50 operating license application, it would not be appropriate for a Part 50 construction permit application, which does not require as much information about the design.

The NRC should clarify the types of applications to which the guidance is applicable. The NRC should address the fact that Part 50 construction permit applications would not be expected to include the same scope and level of detail. Since it is likely that some near-term applications will be Part 50 construction permits, it would be helpful to both the applicants and NRC staff to clarify the scope and level of detail that would be appropriate.

NRC Response The NRC staff partially agrees with the proposed change. The NRC staff acknowledges that a construction permit application under Part 50 need not describe more than a preliminary I&C design, including, among other things, the Principal Design Criteria for I&C. Accordingly, the scope and level of detail for the DI&C design in a construction permit application may differ from that of applications for operating licenses, design certifications, or combined licenses. The NRC staff replaced the first sentence of the third paragraph under Section X.0.1.1 with the following:

The type of application under review largely determines the review activities to be conducted and impacts the complexity and scope of the review. The scope and the level of detail for the I&C design should be the same for operating licenses, combined licenses, and manufacturing licenses while less detail is an option for design certifications, standard design approvals, or construction permits. The NRC staff should use the DRG and customize its use as needed for reviewing these types of applications. Specifically, the NRC staff review should assess whether the applicant demonstrates how the specified I&C systems support the overall NPP performance objectives for a particular plant design.

Comment No. 4-4 General It is not clear what regulations this review guidance is trying to conform to as there are minimal references throughout this document to regulations. Therefore, in many cases it is not 100% clear which regulation the staff is referring to when providing specific review guidance on a topic. References to regulations are primarily included in Appendix A. Further, Section X.3, Mapping To Regulations And Guidance, states "In addition to reviewing the I&C systems design by following the approach discussed in Sections X.1 and X.2 above, the reviewer should also assess whether the design complies with the applicable regulatory requirements." Assessing whether the design complies with applicable regulatory requirements would appear to be the main point of this entire document, including Sections X.1 and X.2.

Update the review guidance by referencing specific regulations that must be met for the DI&C design, and how the guidance assures compliance with these requirements. The NRC should state in Sections X.1 and X.2 how the guidance ensures compliance with applicable requirements. If the guidance in X.1 and X.2 does not assure compliance with requirements for DI&C (i.e., it is either insufficient or overly burdensome), then it should be revised.

NRC Response The NRC staff disagrees with the proposed change. Following the guidance in Sections X.1 and X.2 should facilitate the NRC staff review process for verifying compliance with applicable requirements in an efficient and effective manner. The guidance contained in these sections reflects a three-tier, safety-focused framework that is risk-informed and performance-based as well as scalable to various reactor designs and chosen licensing approaches. An I&C systems design that incorporates the principles associated with this framework should lead to a safe design, which in return facilitates demonstrating compliance with relevant regulations.

Application of this approach is an evolution from the NuScale Design-Specific Review Standard (DSRS) Chapter 7, which has been used in a very effective and efficient manner. In addition to reviewing the I&C systems design by following the approach discussed in Sections X.1 and X.2, the NRC staff will also assess whether the design complies with the applicable regulatory requirements. Section X.3 provides guidance for assessing the regulatory compliance aspect of the proposed I&C portion of the license application. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-5 General We appreciate the staff effort (as communicated in NRC public meetings) to improve on the evolution from the NUREG-0800 Standard Review Plan for light-water reactors to the Design Specific Review Standards for small modular light-water reactors to a technology-inclusive Design Review Guide; however, the NRC should acknowledge that an applicant could elect not to use this guidance if their approach to I&C dramatically differs from the approach described.

Clarify that an applicant could elect not to use this guidance if their approach to I&C dramatically differs from the approach described.

NRC Response The NRC staff disagrees with the proposed change. The intent of the DRG is to provide guidance to the NRC staff responsible for the review of the I&C portion of license applications, and not to the non-LWR applicants. Therefore, an applicant is free to elect an approach to I&C that is not amenable to the review approach described in the DRG. The NRC staff notes that early pre-application interactions between the applicant and the NRC staff would be very useful in such cases in order for the NRC staff to develop a review approach that is practical for the particular application. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-6 General There is very little reference to existing NRC guidance for reviews, i.e., if this replaces a portion of the Standard Review Plan, there may still be existing Regulatory Guides that are useful to consider. It is therefore unclear how the DRG fits within the broader NRC review plan.

Suggest adding reference to existing NRC guidance to the staff reviews.

NRC Response The NRC staff disagrees with the proposed change. As stated in the NEI comment No. 4-2 resolution above, the DRG is intended to address the immediate need for the non-LWR community by providing the NRC staff with guidance for reviewing the I&C portion of license applications. Other staff guidance documents may be used as appropriate in support of a given non-LWR application review. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-7 General The term fundamental I&C design principles is used throughout the document. It appears that these may be described in Section X.2.2.1. Is this intended as a definition?

Clarify where the definition of fundamental I&C design principles exists and explain the relationship between fundamental I&C design principles and PDCs.

NRC Response The NRC staff disagrees with the proposed change. The term fundamental I&C design principles was first defined and explained in the NuScale DSRS Chapter 7, Section 7.1 (ADAMS Accession No. ML15356A416) and is used in the same manner in the DRG as it is an evolution from the NuScale DSRS. The fundamental I&C design principles could be used as a vehicle for meeting the PDCs but are not equivalent. The NRC staff added the reference to the NuScale DSRS Chapter 7, Section 7.1 to the DRG based on this comment.

Comment No. 4-8 General The layout of the sections with the Review Procedures sub-section heading was not intuitive.

The text in these sections seemed largely similar to text elsewhere. It seemed to make for a lot of redundancy.

Consider removing redundant statements to streamline the document by removing Review Procedures section and simply combining the text with the text outside of this sub-section.

NRC Response The NRC staff disagrees with the proposed change. The apparent redundancy between the introductory portion of each sub-section and the associated Review Procedure is intentional.

Specifically, the introductory portion of each sub-section is intended to explain the basis for the review procedure. A similar approach was followed for the NuScale DSRS Chapter 7. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-9 General There is a brief mention of Cyber in this document. We support consideration of all hazards in the I&C design/review; however, the safety and (cyber) security reviews have different frameworks. See NRC RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, for an example of guidance that accounts for this distinction. The use of the core review team approach should bridge the related information, but this may not be clearly articulated.

Clarify how the distinct regulatory frameworks for cyber and digital I&C are addressed in the core review team approach such that, to the extent that cyber security requirements have been specified for the design of the system, appropriate information is integrated during all phases of I&C including concept and development phase. This will provide a more robust design and will provide regulatory certainty within the bounds of the safety/security regulatory frameworks early on. Adding a reference to RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, may be useful.

NRC Response The NRC staff agrees that the digital I&C and cyber security reviews are performed under different regulatory frameworks, but declines to adopt the comment's suggestion to clarify how they are addressed in the core review team approach. The DRG states that: "This Design Review Guide (DRG) chapter provides guidance for the NRC staff to use in reviewing the I&C portions of applications for advanced non-LWRs within the bounds of existing regulations."

Therefore, applicants/developers would need to follow the existing regulations including the cyber security requirements in 10 CFR 73.54, which discusses the need to develop a Cyber Security Plan for NRC approval. Considering that the cyber security framework remains unchanged for non-LWRs, the following sentence in Section X.0.1.2 was deleted in response to the comment: "The review is coordinated with the staff responsible for cyber security under 10 CFR Part 73 to integrate and optimize the staff's review of all potential hazards including malicious acts."

Comment No. 4-10 General There are various references to simplicity throughout (e.g., page X-4, X-10) this document.

The staff acknowledges that simpler designs are easier and more efficient to review. However, there is no specific guidance for meeting simplicity criterion.


  • Page X-4 of the guide states, To achieve adequate [defense-in-depth] DID, the I&C architecture and systems design should meet the fundamental I&C design principles and simplicity needed to support the assessment of DID adequacy for the overall plant.
  • Page X-10 hints at a definition of simplicity.

This guidance implies that a finding of adequate protection related to defense in depth will be partly based on the simplicity of the I&C design. However, it is unclear against what standard the simplicity of a design will be measured. It is also not clear why one design which may be more complex would not be adequately safe.

Issues related to simplicity have historically arisen in the context of computer operating system software. However, some technologies will not rely on software to meet the fundamental safety functions. The guidance above implies that even those technologies that do not rely on software to meet the fundamental safety functions would still need to address simplicity in the application.

If the intent of the guidance about simplicity is to address complexities introduced by use of systems such as microprocessors and computer operating system software, the guide should clarify that the guidance related to simplicity is specific to systems that use such systems to meet the fundamental safety functions. Other sections of the guide address common cause failure related to software as well as reliability assessments.

Recommend removing language that ties a design goal of simplicity to a finding of adequate protection for defense in depth. Also, recommend that discussion of design goals related to simplicity are put in the context of microprocessor-based systems and computer software.

NRC Response The NRC staff disagrees with the proposed change. Providing specific guidance for meeting the simplicity criterion is beyond the scope of the DRG. Rather, NRC reviewers will apply engineering judgment in determining the simplicity of a design. Instead, documents such as IEEE Std. 7-4.3.2-2016 (IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations) provide such guidance (e.g., Section 5.18 (Simplicity)). The simplicity concept is not limited to microprocessors and computer operating system software as stated by the comment. For example, using other technologies, such as Field Programmable Gate Array (FPGA)-based technology, in support of an I&C design would also be subject to the simplicity concept. Furthermore, the simplicity concept discussion in the DRG is consistent with the level of detail provided in the NuScale DSRS Chapter 7. The DRG does not indicate that a complex design would not be adequately safe; such a design, however, may call for more NRC review resources than a simpler design. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-11 X.0.1.1, Scope of Review, second paragraph, page X-2

This paragraph speaks to the focus of the review using the safety classification of SSCs.

Although the paragraph mentions non-safety significant SSCs, it does not make an explicit statement regarding the extent of review for SSCs in that classification. Specifically, the second sentence of the second paragraph states, "None of the I&C systems that are not safety-related and have no special treatment are classified as safety significant, but requirements¹ may apply to such systems to ensure that failures following a design-basis or licensing basis internal or external event do not adversely impact safety-related I&C systems or I&C systems that are not safety-related but warrant special treatment in their performance of safety-significant functions."

This sentence and the included footnote seem to extend the review criteria well beyond those systems that are safety related (or non-safety related that warrant special treatment). This footnote seems to lump all non-safety I&C systems (specifically those that do not require special treatment) into the review against recommended requirements.

Recommend that the NRC specify that review of non-safety significant SSCs should be limited to the review of circumstances under which those non-safety significant SSCs may affect the ability of a safety significant SSC to meet its fundamental safety function.

Recommend adding the following statement as an alternative second sentence in the paragraph: "Review of non-safety significant SSCs should be limited to the review of failures that would adversely affect the ability of safety significant SSCs in the performance of fundamental safety functions." This would remove the current second sentence and footnote.

NRC Response The NRC staff disagrees with the proposed change. The DRG sentence in question, as well as the preceding sentence, explain the scope of the DRG guidance for assessing the different types of I&C systems within a given non-LWR design (per the categorization scheme defined in NEI 18-04 (Risk-Informed Performance-Based Technology Guidance for Non-Light Water Reactors)). In short, the DRG provides for NRC staff review of all SSCs that are not safety-related if the failure of such an SSC could prevent other SSCs from performing their safety-significant functions or adversely affect DID adequacy. The proposed change would not address or explain why non-safety-related SSCs with no special treatment need to be assessed as part of the NRC staff review. Furthermore, the footnote is intended to explain how the term "requirements" is used in the context of the DRG and is not related to the substance of this comment. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-12 X.0.1.2 Objectives of Review, Page X-5

It would have been expected that the objective of this review would explicitly tie back to confirming certain regulations are met.

Recommend that each objective and each review task be tied back to a regulation.

NRC Response The NRC staff disagrees with the proposed change. See resolution to NEI comment No. 4-4 above. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-13 X.0.1.2 Objectives of Review, Page X-5

The guide states: "The objectives of I&C system reviews are to confirm that: (1) the I&C system design includes the functions necessary to assure adequate safety during operation of a NPP under normal operation, transient, and accident conditions;" The statement refers to "functions" in the context of a finding of adequate safety. The statement is not specific as to the type of functions that are part of an adequate protection finding.

In the NEI 18-04 context, fundamental safety functions are those that are important to a finding of adequate protection. Recommend rewording item (1) as follows:

"(1) the I&C system design addresses the fundamental safety functions as stated in Proposal for a Technology-Neutral Safety Approach for New Reactor Designs, Technical Report IAEA-TECDOC-1570, to assure adequate safety during operation of a NPP under normal operation, transient, and accident conditions;"

NRC Response The NRC staff partially agrees with the comment. Specifically, the NRC staff agrees with adding "fundamental safety" to the identified sentence as proposed by the comment; however, the NRC staff does not agree with adding a reference to the IAEA Technical Report, as NEI 18-04, which is referenced in the DRG, includes and defines the term "fundamental safety functions."

Comment No. 4-14 X.0.1.2 Objectives of Review, Page X-5

The draft guidance states, "The reviewers also evaluate, where appropriate, whether the I&C systems and components are designed in accordance with the relevant domestic and/or international standards and via proven engineering design practices and processes." [emphasis added]

It is not clear what "where appropriate" means. Per [General Design Criterion] GDC 1, this could be appropriate specifically when an applicant chooses to commit to a certain industry standard.

Provide more specificity in the paragraph rather than "where appropriate," as suggested below:

"When an applicant chooses to commit to an industry standard, the reviewers also evaluate, where appropriate, whether the I&C systems and components are designed in accordance with the relevant domestic and/or international standards and via proven engineering design practices and processes."

NRC Response The NRC staff agrees with the proposed change and, in addition, the NRC staff replaced "relevant" with "chosen" in the same sentence.

Comment No. 4-15 X.0.1.2 Objectives of Review, item 1, Page X-5

The draft guide states: "The staff should review and confirm that there is an implemented management system by the applicant for ensuring that all requirements established for the I&C systems are considered and implemented in all phases of the development process and that the completed I&C systems meet these requirements."

The statement includes "review and confirm" in relation to a requirements management system.

It is unclear by this statement if the intent of the guidance is that an NRC reviewer needs to approve of the adequacy of the system itself by which requirements are identified, or to confirm that such a system exists and was implemented. We believe the latter is intended.

If it is the intent of the guide that the reviewer should make a finding about the adequacy of the requirements management system, then the guide should provide a basis by which NRC would make a finding that a management system is adequate.

We believe the intent of the phrase "review and confirm" is that the NRC staff should confirm that a requirements management system exists and was used in the development of the I&C systems. The statement should be edited as follows:

"The staff should review and confirm that there is an implemented management system..."

NRC Response The NRC staff agrees with the proposed change.

Comment No. 4-16 X.0.1.2 Objectives of Review, item 2, Page X-5

The draft guide states: "The staff should review and confirm that the I&C systems and components are designed by the applicant in accordance with the relevant domestic and/or international standards and via engineering design best practices and processes. Furthermore, the I&C systems and components are designed so that they can be manufactured, constructed, assembled, installed, and operated in accordance with established processes that ensure the achievement of the design specifications and the required level of safety."

The statement could be interpreted to mean that the NRC reviewers should review all parts of the I&C systems and components, regardless of their safety significance.

Recommend adding a sentence to indicate that the review should focus on those parts of the I&C system that are significant to safety. Recommend adding after the first sentence:

"In this review, the staff should focus their review on those I&C systems and components that are classified as safety significant."

NRC Response The NRC staff agrees with the substance of the proposed change but has implemented it with different text. In response to the comment, the NRC staff added the following sentence at the end of item 2 in Section X.0.1.2: "The reviewer should consider the safety significance of SSCs in determining the level of detail of the review."

Comment No. 4-17 X.0.1.2 Objectives of Review, item 4, Page X-5

In the following sentence, it is not clear what is meant by confirming that all safety requirements are met "throughout all stages of the systems' lifecycles." Is this referring to lifecycle phases such as conceptual phase, development phase, implementation phase, etc.? For example, how is a safety requirement met while the system is in a conceptual phase?

"As part of the systematic assessment, deterministic analyses and [probabilistic risk assessments] PRAs are performed by the applicant to ensure that all safety requirements for the I&C systems are met throughout all stages of the systems' lifecycles and plant events, including defining appropriate programmatic controls." [emphasis added]

Clarify how a safety requirement is met in each of the stages of the systems' lifecycles.

NRC Response The NRC staff agrees with the proposed change. In response to the comment, the NRC staff deleted the phrase "throughout all stages of the systems' lifecycles and plant events" as it is unnecessary considering that the bottom line associated with the stated objective is that an applicant needs to demonstrate that all safety requirements for the I&C systems are met.

Comment No. 4-18 X.0.1.2, Objectives of Review, items 4, 5, & 6, page X-5

The Objectives of Review has the reviewer assess the acceptability of the systematic assessment methodology used (item 4, 5, and possibly 6) and this is an entire section of review in X.1.1, but the front matter makes no mention of this in the introduction or scope of review sections, and it is not part of the framework, but appears to be a key element.

Recommend that NRC include a discussion of the Systematic Assessment in the first two sections. Especially since this will be used as a criterion for acceptance based on items 4, 5, and possibly 6 in this section.

NRC Response The NRC staff agrees with the proposed change. In response to the comment, the NRC staff revised Section X.0.1.1 to include the following: "The reviewer considers the systematic assessment used in the application to assess the adequacy of the I&C architecture and systems design. The reviewer should consider whether the assessment provides assurance that the I&C design is reliable and robust by demonstrating that: (1) the design criteria and testing and qualification requirements have been met and (2) credible hazards and failure modes of the design are identified and controlled."

Comment No. 4-19 X.0.1.2 Objectives of Review, item 5, Page X-5

The draft guide states: "The staff should review and confirm that a systematic consideration of human factors is performed by the applicant, including the human-machine interface, at an early stage in the I&C design process and continues throughout the entire I&C design process."

The "review and confirm" portion of the statement could be interpreted to mean that the reviewer should review for adequacy the system used to consider human factors from the very beginning of the design process. This is not specific and it is unclear what basis the reviewer would use to make a finding about the adequacy of the system. It is unclear by this statement if the intent of the guidance is that an NRC reviewer needs to approve of the adequacy of the system itself by which human factors are considered, or to confirm that such a system exists and was implemented. We believe the latter is intended.

If it is the intent of the guide that the reviewer should make a finding about the adequacy of the systematic review, then the guide should provide a basis by which NRC would make a finding that a consideration was adequately systematic.

We believe the intent of the phrase "review and confirm" is that the NRC staff should confirm that a systematic process exists and was used in the consideration of human factors. The statement should be edited as follows:

"The staff should review and confirm that a systematic consideration of human factors was performed by the applicant..."

NRC Response The NRC staff agrees with the proposed change.

Comment No. 4-20 X.0.1.2 Objectives of Review, items 5 and 6, Pages X-5 and X-6

Item 5 states, "The staff should review and confirm that a systematic consideration of human factors is performed by the applicant, including the human-machine interface, at an early stage in the I&C design process and continues throughout the entire I&C design process."

Is considering human factors early in the process a regulatory requirement? Or is this simply good engineering practice? It seems like "good engineering" practice language should be kept to a minimum in this document. Focus should be on confirming regulations are met.

Similarly, item 6 states, in part, "It is noted that addressing safety and security early in the design has long been established as a good engineering practice, which would also enhance the staff's efficient review of the application." Again, is this a regulatory requirement or merely good engineering practice that helps the staff perform a more efficient review?

Tie review objectives back to the corresponding regulations. Limit review guidance to confirming those things that are required to meet a regulation only. Do not include review guidance for things that are simply good engineering practice.

NRC Response The NRC staff partially agrees with the proposed change. Item 5 as written is tied to a regulation. Specifically, IEEE Std 603-1991, which is referenced in 10 CFR 50.55a(h)(3), includes Clause 5.14, "Human Factors Considerations." Section 5.14 requires, in part, that human factors be considered throughout the design process. Item 5 as written paraphrases this requirement. In regard to item 6, the NRC staff agrees that the identified statement seems more appropriate for applicant guidance than staff guidance; thus, it is beyond the scope of the DRG.

Accordingly, the staff deleted the statement: "It is noted that addressing safety and security early in the design has long been established as a good engineering practice, which would also enhance the staff's efficient review of the application."

Comment No. 4-21 X.0.1.2 Objectives of Review, item 6, Page X-6

The draft guide states: "The staff should review and confirm that digital I&C communication systems and networks are assessed by the applicant regarding hazards associated with communication paths that could affect the reliability and robustness of the system. The review is coordinated with the staff responsible for cyber security under 10 CFR Part 73 to integrate and optimize the staff's review of all potential hazards including malicious acts. It is noted that addressing safety and security early in the design has long been established as a good engineering practice, which would also enhance the staff's efficient review of the application."

This statement is not technology neutral because it implies that safety significant hazards to communication paths exist for all technologies. The statement does not account for passive features and inherent safety features which preclude a credible hazard from compromising the reliability and robustness of the I&C system. It also does not account for the distinct safety and (cyber) security review frameworks. See NRC RG 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," for an example of guidance that accounts for this distinction.

Recommend removing the implication that all technologies will have safety significant hazards associated with communication paths. Suggested edit as follows:

"The staff should review and confirm that digital I&C communication systems and networks are assessed by the applicant regarding hazards associated with communication paths that could affect the reliability and robustness of the system. Some technologies may have no such hazards due to inherent or passive safety design features. The review should focus on I&C systems and components classified as safety significant. To the extent that cyber security requirements have been specified for the design of the system, if communication path hazards are identified, the review is coordinated ..."

NRC Response The NRC staff agrees with the comment to the extent it proposes to add the sentence that reads: "Some technologies may have no such hazards due to inherent or passive safety design features." However, the staff has revised the sentence to state: "Some technologies may not be subject to such hazards due to inherent or passive safety design features." However, the NRC staff does not agree with the remaining additions proposed by the comment based on the following: (1) The proposed change would inadequately represent the scope of the NRC staff review as it does not address the need to assess SSCs that are not safety-related and are not subject to special treatment, for example; and (2) The proposed change is unnecessary as the applicants would need to follow the 10 CFR 73.54 requirements, which include providing for NRC approval a Cyber Security Plan (See resolution to NEI comment No. 9 above).

Comment No. 4-22 X.0.2 OVERALL REVIEW APPROACH, Figure X-2, Page X-7

Within the "Functions Not Safety/Risk Significant" section of Figure X-2 it says, "The staff review focuses on ensuring that safety/risk-significant functions will not be impaired by such SSCs."

The phrase "will not be impaired" is too vague. More precise terminology is needed than "impaired."

Change the sentence to "The staff review focuses on ensuring that safety/risk-significant functions will not be made inoperable impaired by such SSCs."

NRC Response The NRC staff agrees that the DRG does not define the term "impaired" in this context. The NRC staff, however, does not agree that the sentence identified in the comment should refer to operability, which may only apply to SSCs governed by technical specifications. Rather, the NRC staff has re-written the sentence to state: "The NRC staff review focuses on ensuring that failure or operation of such SSCs will not prevent other SSCs from performing their safety-significant functions or adversely affect DID adequacy."

Comment No. 4-23 X.1.1, SYSTEMATIC ASSESSMENT REVIEW CRITERIA, Review Procedures, last paragraph, Page X-9

The last paragraph in this section includes a typo: "The staff should verify that the information presented on the I&C system and is consistent with the information on systems interfacing with the I&C system as shown in the cross-discipline interface review box in Figure X-1." [emphasis added]

Delete "and."

NRC Response The NRC staff agrees with the proposed change.

Comment No. 4-24 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, second full paragraph, Page X-10

The paragraph on keeping the system simple does not add value. This idea is subjective and it's not clear it is linked to any regulatory requirement. As the paragraph states, it is difficult to define and control simplicity and complexity. The first property listed is "(1) the I&C system architecture design is as simple as practical," which implies good engineering practice, not a requirement.

Tie review criteria back to the corresponding regulations. Remove review guidance not tied to regulatory requirements.

NRC Response The NRC staff disagrees with the proposed change. The paragraph in question discusses facts associated with simplicity and complexity. Although no specific regulations explicitly address the concept of simplicity for digital I&C systems, recent experience in reviews of LWR applications has shown that complex I&C systems can challenge the demonstration of conformance with safety system design criteria such as independence. Therefore, the purpose of this paragraph is to alert the NRC staff to this fact. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-25 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, Review Procedures, Pages X-10 through X-12

Items 1 and 2 which detail what the staff should review seem to be duplicative, as do items 3 and 4.

Recommend that the redundant parts of 2 be removed and the remaining be sub-text under item 1. Similarly, combine 3 and 4 to remove redundant listing of information (3 states what needs to be in a diagram and 4 is asking for information on DID which is included in 3 on the diagrams).

NRC Response The NRC staff disagrees with the proposed change. While information in Items 1 and 2, as well as Items 3 and 4, may seem redundant, the review procedures in Section X.1.2 are intended to implement the three-tier approach depicted in Figure X-2. Specifically, there is an intentional overlap within the review procedures documented in this section to ensure that the NRC staff can identify whether there are any design gaps in the overall I&C architecture. Additionally, the review procedures in Section X.1.2 align with the NuScale DSRS Chapter 7. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-26 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, item 1.B.a., Page X-11

The text states "B. The architecture description of each individual I&C system should: a. Include all the I&C functions allocated to the system that support implementation of the overall I&C architecture design;" Why all I&C functions? Non-safety functions that are appropriately isolated/separated from safety functions / risk-significant functions should not require description. Item 2 also refers to "all I&C functions."

Replace "all I&C functions" with more specific guidance, e.g., safety functions, acknowledging that description/review of non-safety significant functions should be limited to the circumstances under which those non-safety significant functions may affect the fulfillment of a safety/risk-significant function.

NRC Response The NRC staff agrees with the proposed change to the extent the word "all" is unnecessary in the text quoted in the comment. The purpose of this item is for the staff reviewer to understand the entire I&C architecture. As part of understanding the I&C architecture, the NRC staff will need to understand all the I&C functions. Subsequently, the NRC staff can focus on those functions that are safety-significant as depicted in the review framework shown in Figure X-2 of the DRG. In response to the comment, the NRC staff deleted "all" from item 1.B.a and item 2.

(Note: Per NEI 18-04, safety-significant functions include those classified as risk-significant or credited for DID).

Comment No. 4-27 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, item 3.A.d., Page X-11

Does "data barrier" mean "isolation device?" Isolation device is a more acceptable industry term (see IEEE 384).

Revise to be consistent with generally accepted terminology, such as "isolation device."

NRC Response The NRC staff agrees with the proposed change.

Comment No. 4-28 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, item 4.H., Page X-12

It is not clear how this item is related to defense in depth.

Delete item 4.H or clarify how this item is related to DID.

NRC Response The NRC staff agrees with the proposed change. In response to the comment, the NRC staff changed item 4.H to be a new item 5 in Section X.1.2 and renumbered the remaining items accordingly.

Comment No. 4-29 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, item 5, Page X-12

Item 5 states, "Indications and operator controls that are needed for normal operation, transient, and accident conditions."

This should be explicitly limited to indications and operator controls required for safety-related or risk-significant functions.

Revise to state, "Indications and operator controls that are needed for safety-related or risk-significant functions during normal operation, transient, and accident conditions."

NRC Response The NRC staff agrees with the proposed change, except that the staff would substitute "safety-significant" for "safety-related or risk-significant." In response, this item (now item 6, per the response to NEI comment 4-28) in Section X.1.2 of the DRG was revised as follows:

"Indications and operator controls that are needed for safety-significant functions during normal operation, transient, and accident conditions."

Comment No. 4-30 X.1.2 ARCHITECTURE ASSESSMENT REVIEW CRITERIA, item 6, Page X-12

Item 6 states, "The rationale, justification, or reasoning behind architecture choices, including potential consequences of such choices to address the concept of simplicity."

See comments No. 6 and 20 regarding simplicity. Why is it required to justify anything beyond showing that the chosen design meets regulatory requirements? Justifying or giving a rationale why a certain design choice was made over another choice seems unwarranted. Earlier statements in the draft guide, and our comments above, illustrate the challenge to prove the design is simple enough.

Tie review criteria back to the corresponding regulations. Remove review guidance not tied to regulatory requirements.

NRC Response The NRC staff disagrees with the proposed change. See resolution to NEI comment No. 4-4 above. Consistent with Appendix B of the NuScale DSRS Chapter 7, the NRC staff deleted the following phrase from this item (now item 7, per the response to NEI comment 4-28): "to address the concept of simplicity."

Comment No. 4-31 X.2.1 RELIABILITY, Page X-12

The Review Criteria section on Reliability states, "should be designed for a reliability level that is commensurate with the safety significance" A reference is provided for the SSC function classification process for non-LWRs; is there guidance for acceptable reliability goals? What are the requirements the reviewer is using? Are there minimums?

Recommend that NRC work with stakeholders to provide guidance on acceptable reliability goals. This should include guidance on who determines reliability goals and on what basis.

NRC Response The NRC staff disagrees with the proposed change. The proposed change is beyond the scope of the DRG. Specifically, the methodology for defining the reliability necessary for the overall I&C system, as well as for other plant systems, should be defined as part of the NEI 18-04 framework and RG 1.233 (Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors). Therefore, NEI 18-04 and RG 1.233 should provide the necessary guidance in this area. Furthermore, Section 5.15 of IEEE 603-1991 includes information regarding reliability and includes references to other IEEE standards that provide guidance for reliability analysis. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-32 X.2.1 RELIABILITY, Page X-12

The Review Criteria section on Reliability states, "Examples of design attributes for achieving a given level of functional reliability include those related to periodic testing (including the use of self-diagnostic features and surveillance tests),"

Consider not grouping self-diagnostic features in with periodic tests since they are probably better described as continuous tests. Also, the term periodic tests is often associated with Tech Spec surveillances, though self-diagnostics are not part of the Tech Specs.

Revise to list self-diagnostic features separate from periodic tests.

NRC Response The NRC staff agrees with the proposed change. The NRC staff revised the sentence to state, "Examples of design attributes for achieving a given level of functional reliability include those related to periodic testing, use of self-diagnostic features, surveillance tests,"

Comment No. 4-33 X.2.1.1 Qualitative Performance Measures/Criteria, first paragraph of the section, Page X-13

The text says, "I&C systems should be designed to be inherently safe to the extent practical, or to fail in a safe manner, and potential failure modes should be identified using a formal analysis."

GDC 23 says, "The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis" What regulation requires having a system that is inherently safe?

Tie review criteria back to the corresponding regulations. Remove review guidance not tied to regulatory requirements.

NRC Response The NRC staff partially agrees with the proposed change. Consistent with the terminology used in the NuScale DSRS Chapter 7, the NRC staff revised the sentence in question to read as follows [additions underlined]: "The reviewer should confirm that the I&C systems are designed to be inherently safe to the extent practical, or to fail in a safe state, or into a state that has been demonstrated to be acceptable on some other defined basis manner, and potential failure modes should be are identified using a formal analysis."

Regarding the use of inherent means, the NRC staff notes that the Commission's advanced reactor policy statement (ADAMS Accession No. ML082750370) states that the Commission "expects that advanced reactors will provide enhanced margins of safety and/or use simplified, inherent, passive, or other innovative means to accomplish their safety and security functions."

While there is no explicit regulation that requires having a system that is inherently safe, the NRC staff reviewer should be prepared to review inherently safe systems should an applicant employ them.

Regarding GDC 23, the NRC staff notes that GDCs establish minimum regulatory requirements for the principal design criteria (PDC) under 10 CFR Part 50 for LWRs similar in design and location to plants for which construction permits have been issued by the Commission, but are guidance for developing PDC for advanced reactors. Other regulations, such as 10 CFR 50.34, 52.47, 52.79, 52.137, and 52.157, require applications to state PDC for new reactors. RG 1.232 has been issued by the NRC staff to provide guidance on developing PDC for advanced reactors.

Comment No. 4-34 X.2.1.1 Qualitative Performance Measures/Criteria, first paragraph of the section, Page X-13

The text says, "Potential failure modes may include single random failures and CCFs. A formal analysis of the identified hazards" As written, this could be construed to mean that CCFs must be considered in the single failure analysis. Consider whether this text needs to be clarified to make it clear that CCFs do not need to be considered in the single failure analysis.

Recommend revising the sentence as follows, "Potential failure modes may include single random failures, and CCFs, etc. A formal analysis Formal analyses of the identified hazards"

NRC Response The NRC staff agrees with the proposed change.

Comment No. 4-35 X.2.1.2 Quantitative Performance Measures/Criteria, first paragraph of the section, Page X-14

The text says, "The application should include an analysis to: (1) determine the effect of overall I&C system failure on the overall plant level performance objectives;" What is an "overall I&C system failure?" Does this mean the entire safety-related I&C system failing? If so, what is the basis for considering this if appropriate redundancy, independence, diversity, etc. is achieved?

Revise terminology or clarify meaning of "overall I&C system failure" in the context of corresponding regulatory requirements.

NRC Response The NRC staff agrees with the proposed change. In response to this comment, the NRC staff revised the sentence in question, along with its two items, to read as follows: "The reviewer should determine whether the analysis in the application demonstrates that the overall I&C system quantitative reliability goals supporting the overall plant level performance objectives are achieved using appropriate methods."

Comment No. 4-36
X.2.1.2 Quantitative Performance Measures/Criteria, first paragraph of the section, Page X-14
The text says, "An example of an appropriate method includes statistical testing, which can be used as an approach for demonstrating numerical reliability of digital systems." There is no NRC regulatory guide endorsing the concept of statistical testing, nor has this example been used in past NRC reviews.

Provide an appropriate example that is in use in the US industry today to justify PRA results.

One such method is a system reliability analysis.

NRC Response
The NRC staff agrees with the proposed change. In response to the comment, the NRC staff deleted the sentence in question as it is not needed in support of the discussion.

Comment No. 4-37
X.2.2.1, Defense-in-Depth Measures, Page X-15
On page X-15 it says, "While this section does not explicitly provide review guidance for simplicity, the reviewer should verify that the applicant has incorporated this concept in the design." Again, what is the basis for this guidance and how can an applicant know if their design is simple enough? Ensuring that the design principles are achieved is already confirmed via other activities. See comments No. 6, 20, and 26, above.

Remove this statement as it does not provide review guidance tied to regulatory requirements.

NRC Response
The NRC staff partially agrees with the proposed change. In response to this comment, the NRC staff replaced the sentence in question and the follow-on sentence with the following sentence: "The reviewer should verify that the design does not include unnecessary functions and interfaces that could challenge conformance to the fundamental I&C design principles."

Comment No. 4-38
X.2.2.1.1 Independence, Review Procedures, first paragraph, Page X-15
In the first paragraph, "(2) the safety-related systems" is not clear. How is this different from "(1) the redundant portions of a safety-related system such as redundant safety divisions"? Is (2) intended to mean more than one, redundant safety-related systems?

Also, following this opening paragraph, 4 items are listed, and none of them seem to refer to 3 cases, only 2 cases - (1) and (3) in this first paragraph.

Delete (2) or clarify the intent, e.g., redundant safety-related systems, and provide connection to the four items subsequently listed.

NRC Response
The NRC staff agrees with the proposed change. Regarding item (2), the sentence in question states: "...demonstrate independence of the I&C systems between...(2) the safety-related systems..." which refers to cases such as RPS and ESFAS, for example, for which the NRC staff review should assess that such systems are independent. For the four items listed following the opening paragraph, the NRC staff revised them to clarify the purpose of the items in the first paragraph of Section X.2.2.1.1, as proposed by the comment.

Comment No. 4-39
X.2.2.1.1 Independence, Review Procedures, item 1, Page X-15
In item 1 the text says, "The reviewer should verify that the design will have sufficient physical separation or barriers between equipment belonging to (1) different safety divisions and (2) safety-related systems and systems that are not safety-related such that the safety functions credited during and following any LBE can be accomplished."

There should be an allowance to do an evaluation if separation is not met and barriers are not possible in order to demonstrate a conclusion that the safety function would still occur. There may be cases where neither adequate separation distances nor barriers are possible (e.g., interdivisional communication cables).

Add a provision to allow an evaluation to be performed if separation is not met and barriers are not possible in order to demonstrate a conclusion that the safety function would still occur.

NRC Response
The NRC staff disagrees with the proposed change. The proposed change is not unique to Section X.2.2.1.1 as it applies to the entire Section X.2. Furthermore, if the application proposes a different method for achieving the overarching purpose of any one of the listed fundamental I&C design principles, then the reviewer should review the technical adequacy of the proposed method on a case-by-case basis. Such an approach is consistent with that used by the NRC staff for other licensing reviews. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-40
X.2.2.1.1 Independence, item 2, Page X-15
In item 2 the text includes, "(2) safety-related systems and systems that are not safety-related, such that an electrical fault originating from one safety division or equipment that is not safety-related cannot propagate to another safety division or safety-related system, respectively. If so, the design ensures that such a fault will not adversely impact a safety function." [emphasis added]

In regards to the emphasized text, no isolation device perfectly isolates a fault. This is acknowledged by the next sentence after the emphasized text, which basically nullifies the emphasized text.

Recommend rewording the emphasized text to "will not degrade the isolated circuit on the other side of the device below acceptable limits" and deleting the next sentence as follows:

(2) safety-related systems and systems that are not safety-related, such that an electrical fault originating from one safety division or equipment that is not safety-related will not degrade the isolated circuit on the other side of the device below acceptable limits cannot propagate to another safety division or safety-related system, respectively. If so, the design ensures that such a fault will not adversely impact a safety function.

NRC Response
While the NRC staff agrees with the substance of the comment, the NRC staff declined to add the text proposed in the comment. The proposed change would unnecessarily introduce a new, undefined term (i.e., "isolated circuit") and would require defining what constitutes "acceptable limits" for the purpose of the NRC staff review. In addition to the revisions made in response to NEI comment 4-38, the NRC staff revised item 2 to read as follows: "2. The reviewer should evaluate whether there is sufficient electrical isolation between equipment belonging to (1) redundant portions of a safety-related system such as redundant safety divisions; (2) different safety-related systems; and (3) safety-related systems and systems that are not safety-related, such that an electrical fault originating from one safety division or equipment that is not safety-related will not adversely impact a safety function. The reviewer should verify that any electrical isolation devices or measures installed to prevent electrical fault propagation are qualified as part of the safety-related system." The NRC staff deleted the text as proposed by the comment.

Comment No. 4-41
X.2.2.1.1 Independence, item 3, Page X-16
In item 3 the text includes a typo, "(2) the safety-related systems and systems that are not safety-related, such that communications failures originating from outside a safety division cannot not adversely impact the safety function." [emphasis added]

Delete not.

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-42
X.2.2.1.2 Redundancy, Review Procedures, item 2, sub-item (3), Page X-17
In item 2 the text includes, "(3) the design of a safety-related system precludes single failures from resulting in spurious actuations;" There should be an allowance for single failures that cause spurious actuations that actuate the safety function and have no unacceptable safety consequence. This would be consistent with IEEE 379-2014 Section 6.4.2.

Revise to be consistent with IEEE 379-2014 Section 6.4.2, as follows:

"(3) the design of a safety-related system precludes single failures from resulting in spurious actuations, or single failures that cause spurious actuations actuate the safety function and have no unacceptable safety consequence;"

NRC Response
The NRC staff agrees with the proposed change. In response to the comment, the NRC staff added "or in unacceptable safety consequences" at the end of the sentence in question.

Comment No. 4-43
X.2.2.1.3 Diversity in Support of Defense-in-Depth to Address CCFs, Page X-17
At the bottom of page X-17 the text states, "In performing this evaluation, the [final safety analysis report] FSAR should include a diversity in support of DID assessment for each event analyzed in the accident analysis section to determine whether: (1) a potential CCF due to systematic faults in the digital I&C system could disable a safety function;" This should only apply to safety significant safety-related systems consistent with RIS 2002-22 Supplement 1 and draft BTP 7-19 Revision 8.

Revise as follows: "In performing this evaluation for safety significant safety-related systems, the FSAR..."

NRC Response
The NRC staff agrees with the proposed change to the extent that the focus should be on safety-significant functions. The focus of diversity in support of DID assessment should be on the safety-significant functions and not a specific system(s). While the staff did not adopt the text suggested by the comment, the NRC staff changed the sentence in question to read [additions underlined]: "In performing this evaluation for safety-significant functions, the FSAR...", which is consistent with the terminology used in Figure X-2 of the DRG.

Comment No. 4-44
X.2.2.1.3 Diversity in Support of Defense-in-Depth to Address CCFs, Page X-17
This section seems to run counter to the guidance in X.2.2.1.2 Redundancy where it states that the application of a single-failure criterion is not deemed necessary for designs employing the NEI 18-04 methodology and subjected to an evaluation of DID adequacy. For such designs, why would we be worried about CCF since that is in essence a violation of the single failure criteria? Wouldn't it be permissible to allow CCF in those same instances where single failure doesn't apply? Why not mention this as well?

The same guidance for setting aside the single failure criteria could be employed in setting aside the CCF criteria for these cases as the CCF wouldn't be consequential and therefore not safety significant. This seems to be supported in the Review Procedure portion on page X-18.

Consider adding language to section X.2.2.1.3 to allow Diversity based on risk in addition to deterministic analysis.

Consider adding language to Section X.2.2.1.3 to allow Diversity based on risk in addition to deterministic analysis. Recommend that the same guidance for setting aside the single failure criteria be employed in setting aside the CCF criteria for these cases as the CCF wouldn't be consequential and therefore not safety significant.

NRC Response
The NRC staff disagrees with the proposed change. See the NRC staff response to NEI comment No. 4-34 above. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-45
X.2.2.1.3 Diversity in Support of Defense-in-Depth to Address CCFs, Review Procedures, Page X-18
The text states, "The application should contain information sufficient to demonstrate that the diversity in support of DID assessment analyzes each postulated CCF for each event that is evaluated in the accident analysis section of the application, using best-estimate or design basis analysis methods. The application should include the following information:"

This should only apply to safety significant safety-related systems consistent with RIS 2002-22 Supplement 1 and draft BTP 7-19 Revision 8.

Revise as follows: "For safety significant safety-related systems, the application should contain information sufficient..."

NRC Response
The NRC staff disagrees with the proposed change. Consistent with the resolution to NEI comment No. 4-43, the NRC staff revised the sentence in question to read [additions underlined]: "For safety-significant functions, Tthe application should contain information sufficient..."

Comment No. 4-46
X.2.2.1.3 Diversity in Support of Defense-in-Depth to Address CCFs, Review Procedures, item 8, Page X-19
Item 8 refers to a main control room; however, some advanced reactors may not have a traditional control room.

Recommend replacing "located within the main control room" with "accessible to the operators" to be technology-inclusive.

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-47
X.2.2.1.3 Diversity in Support of Defense-in-Depth to Address CCFs, Review Procedures, item 8, Page X-19
Item 8 states, "These displays and controls should be independent and diverse from the digital I&C system identified in Items 5 and 6 above."

Referring to items 5 and 6 makes it unclear what needs to be diverse.

Revise as follows: "These displays and controls should be independent and diverse from the safety significant safety-related digital I&C system under analysis identified in Items 5 and 6 above."

NRC Response
The NRC staff disagrees with the proposed change. As written, the proposed change would unnecessarily narrow the scope of the NRC staff review as it may be possible, depending on the proposed I&C design, that items 5 and 6 may include, for example: (1) not safety-related systems with special treatment; and/or (2) not safety-related systems with no special treatment. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-48
X.2.2.1.3 Diversity in Support of Defense-in-Depth to Address CCFs, Review Procedures, Page X-19
This review guidance should be consistent with draft Revision 8 of BTP 7-19.

Add the following text after Item 8:

If an applicant credits use of design attributes to eliminate CCF hazards from further consideration, the defensive measures being credited, along with a supporting technical basis and acceptance criteria, should be based upon an NRC-approved methodology or otherwise described as part of the application.

NRC Response
While the NRC staff agrees with the substance of the comment, the NRC staff declined to make the proposed change. Consistent with the ongoing BTP 7-19 Rev. 8 development efforts, the NRC staff added the following item 10: "If defensive measures are used to eliminate the CCF from further consideration, the application should include a supporting technical basis and acceptance criteria for the use of the defensive measure."

Comment No. 4-49
X.2.2.1.4 Predictable and Repeatable Behavior, second paragraph, Page X-19
The second paragraph states, "The objective of this review is to: (1) verify that system timing derived from the analysis of transient and accident conditions has been allocated to the I&C system architecture, as appropriate, and has been satisfied in the I&C system design;" "System timing derived from the analysis" could be clarified to indicate whether this system timing is assumed, required, or credited.

Suggest revision to clarify as follows: "The objective of this review is to: (1) verify that the assumed system timing derived from the analysis of transient and accident conditions has been allocated to the I&C system architecture, as appropriate, and has been satisfied in the I&C system design;"

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-50
X.2.2.1.4 Predictable and Repeatable Behavior, Review Procedures, item 6, Page X-20
In item 6 the text includes, "(2) such practices cannot affect any safety-significant functions;" Practices may actually have a positive effect. We understand that the concern would be an adverse effect.

Revise as follows: "(2) such practices cannot adversely affect any safety-significant functions;"

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-51
X.2.2.2.1 Quality, Review Procedures, first paragraph, Page X-21
The following statement appears near the top of page X-21: "The application should describe how these activities will be coordinated with organizational and project management processes, which include configuration management, reviews/audits, validation and verification, quality assurance (QA), procurement, and safety plans." [emphasis added]

It is unclear what is meant by "safety plans."

Replace "safety plans" with a recognized defined term, or revise to explicitly communicate what is intended.

NRC Response
The NRC staff partially agrees with the proposed change, insofar as "safety plans" is not clearly defined. In response to the comment, the NRC staff deleted the term "safety plans" as it is implicitly included in the listed processes (e.g., validation and verification). Nonetheless, the term is used in IEEE Std 1228-1994 (IEEE Standard for Software Safety Plans) and is intended to address the processes and activities intended to improve the safety of safety-critical software.

Note that this term was also used in the NuScale DSRS Chapter 7.

Comment No. 4-52
X.2.2.2.2 Equipment Qualification, Review Procedures, item 3, Page X-22
Item 3 states, "If environmental control systems are used, the application should provide information to confirm that a single failure within the environmental control system will not result in conditions that could result in damage to the safety-related system equipment."

There should be some criteria on the auxiliary control system before requiring such an analysis.

Rephrase to: "If environmental control systems are used relied upon for safety-related I&C systems to perform a safety function, the application should provide information to confirm that a single failure within the environmental control system will not result in conditions that could result in damage to the safety-related system equipment."

NRC Response
The NRC staff disagrees with the proposed change. The proposed change unnecessarily narrows the scope of the NRC staff review as it does not address the need to assess SSCs that are not safety-related and receive special treatment, for example. However, in response to the comment, the NRC staff revised the sentence in question to read [additions underlined]: "If environmental control systems are used relied upon in support of a safety-significant function, the application..."

Comment No. 4-53
X.3, MAPPING TO REGULATIONS AND GUIDANCE, page X-23
The third paragraph in this section states, "This Appendix [A] supplements the review guidance contained in Sections X.1 and X.2 above to address the requirements within IEEE Std 603-1991."

This section doesn't provide enough guidance to the reviewer on what parts of Appendix A, as a supplement to Sections X.1 and X.2, are applicable. It is not clear how this guidance is intended to move beyond NUREG-0800, Chapter 7 to be more safety-focused, risk-informed, technology neutral, and performance-based.

Provide more guidance for determining applicable portions of Appendix A.

NRC Response
The NRC staff partially agrees with the proposed change. In response to the comment, the NRC staff deleted the sentence in question as it is not needed. Specifically, the introductory paragraph in Appendix A already explains its applicability from the NRC staff review standpoint.

The characteristics discussed in Appendix A address specific functional and design requirements for safety-related I&C systems (and I&C systems that are not safety-related but warrant special treatment), including system criteria, sense and command features, and execute features that complement the reliability and robustness measures addressed in Section X.2. As explained in the NRC staff's response to Comment No. 4-4, this DRG is a three-tier, safety-focused framework in which the plant-level performance objectives inform I&C-specific performance objectives as depicted in Figure X-1. Since the NRC staff's review, including its scope and level of detail, would be more closely tied to the overall plant-level objectives such as those associated with the methodology in RG 1.233/NEI 18-04, this DRG is more safety-focused, risk-informed, and performance-based. As part of the development of the NuScale DSRS Chapter 7, the NRC staff held multiple interactions with the Advisory Committee on Reactor Safeguards (ACRS) and stakeholders during which explicit explanations were made on how the NuScale DSRS is more safety-focused, risk-informed, and performance-based (than the SRP approach). This DRG is a further evolution from the NuScale DSRS.

Comment No. 4-54
A.1 Operating and Maintenance Bypasses, Maintenance Bypass, item 1, Page X-24 and related/similar statements on Pages X-25, X-35 and X-26
Item 1 says, "Additionally, provisions for a maintenance bypass are consistent with the Technical Specification (TS) action statements." In fact, the opposite is true; the TS need to be consistent with the design.

The first paragraph on page X-25 also states, "(2) the proposed operating and maintenance bypasses are consistent with the required actions of the proposed plant TS." Again, this seems backwards, and on page X-35, Appendix B CROSS-CUTTING ISSUES AND INTERFACES, Table X.2-1: Cross-Cutting Interface Reference, the Review Interface Guidance for the Operating and Maintenance Bypasses line item continues this imprecise relationship description.

Similarly, Section A.4 Setpoints, item 2 on page X-26 says, "The established calibration intervals and methods are consistent with the safety analysis assumptions and TS." Shouldn't the TS be consistent with the established calibration intervals, methods, and the safety analysis assumptions?

Throughout Appendices A and B, state that the TS need to be consistent with the design, not the other way around. For example, the subject sentence in A.1 Operating and Maintenance Bypasses, Maintenance Bypass, item 1 would be rephrased as follows:

"Additionally, Technical Specification (TS) action statements are consistent with the provisions for a maintenance bypass."

NRC Response
The NRC staff agrees that the technical specifications must accurately reflect system functions as credited in the safety analyses, and has revised the DRG to reflect the proposed changes.

Comment No. 4-55
A.6 Control of Access, Identification, and Repair, Control of Access, item 3, Page X-28
Item 3 states, "Measures are included to ensure that I&C systems that are not safety-related do not present an electronic path by which unauthorized personnel can change plant software or display erroneous plant status information for the operators."

The introductory paragraph to this appendix states, "This appendix addresses review guidance associated with additional functional and design considerations for safety-related I&C systems."

"The characteristics discussed below address specific functional and design requirements for safety-related I&C systems (and I&C systems that are not safety-related but warrant special treatment)"

This item should either be deleted, since this is criteria for non-safety systems, or revised to specify "not safety-related but warrant special treatment."

Delete Item 3 or revise as follows: "Measures are included to ensure that I&C systems that are not safety-related but warrant special treatment do not present an electronic path by which unauthorized personnel can change plant software or display erroneous plant status information for the operators."

NRC Response
The NRC staff disagrees with the proposed change. The statement in question applies to all I&C systems versus a subset. Therefore, the NRC staff revised item 3 to read as follows:

"Measures are included to ensure that I&C systems that are not safety-related do not present an electronic path by which unauthorized personnel can change plant software or display erroneous plant status information for the operators."

Comment No. 4-56
A.6 Control of Access, Identification, and Repair, Repair, item 1, Page X-29
Item 1 says, "The software and hardware surveillance testing and self-diagnostic features within the safety-related I&C system design facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment." [emphasis added]

This appears to state "facilitate timely...location...of malfunctioning equipment," but that doesn't quite make sense. Perhaps this is supposed to mean the timely identification of the location of the malfunction. If that is the case, suggest revision accordingly.

Consider the following clarification: "The software and hardware surveillance testing and self-diagnostic features within the safety-related I&C system design facilitate timely fault recognition, fault location identification, replacement, repair, and adjustment of malfunctioning equipment."

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-57
A.6 Control of Access, Identification, and Repair, Repair, item 2, Page X-29
Item 2 says that "The system design allows for a bypass of individual functions in each safety channel to allow for repairs."

Why is this required? It is a convenient feature, but what if you can meet all requirements by bypassing the entire division or something else?

Consider making a less-specific statement about bypassing the system for repairs and connect review criteria back to the corresponding regulations.

NRC Response
The NRC staff partially agrees with the proposed change. Item 2 is tied to regulations insofar as the NRC staff evaluates the applicant's capability to repair I&C safety-related systems to ensure that the requirements in Section 5.10 of IEEE Std 603-1991 are met. In response to the comment, the NRC staff revised item 2 as follows [additions underlined]: "The system design I&C architecture allows for a bypassing of individual system design features in each safety channel to allow for repairs without adversely affecting the safety functions."

Comment No. 4-58
A.8 Multi-Unit Stations, last paragraph, Page X-30
The last paragraph on page X-30 includes a typo, "Note that non-LWRs may include multiple modules, and in this respect differ from multiple of large LWR units discussed above." [emphasis added]

Delete "of."

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-59
A.9 Automatic and Manual Control, Automatic Control, first paragraph, Page X-31
The first paragraph under Automatic Control says, "The application should provide information to confirm that these systems have been designed to demonstrate that the performance specifications are met, and that the precision of these systems are adequate to the extent that setpoints, margins, errors, and response times are factored into the analysis." [emphasis added]

It appears that "errors" as used here may mean "uncertainty."

Clarify by replacing "errors" with "uncertainty."

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-60
A.11 Capability for Testing and Calibration, X-32
This section should acknowledge the inter-relationship between manual periodic tests and self-diagnostics. Namely, that the applicant can use the combination of manual tests and self-diagnostics to confirm system operability. Tech Spec surveillances need not duplicate what the self-diagnostics already test for, and vice versa. The goal should be to show that between self-diagnostics and TS surveillances, all credible failure modes can be detected.

Add to this section to acknowledge the inter-relationship between self-diagnostics and TS surveillances in demonstrating that all credible failure modes can be detected.

NRC Response
While the NRC staff agrees with the substance of the comment, the NRC staff declined to make the proposed change. On a case-by-case basis, the NRC staff will assess whether the inter-relationship between self-diagnostics and TS surveillances is technically adequate to demonstrate that all credible failure modes can be detected for a given I&C design. However, the guidance in the section is performance-based, and thus avoids specifying specific approaches an applicant may use to confirm system operability. The NRC staff made no changes to the DRG based on this comment.

Comment No. 4-61
A.11 Capability for Testing and Calibration, item 2, X-32
Item 2 states, "Logic processing units are monitored by an independent hardware-based, diverse means that produces a trip in the affected redundant portion of the system if the logic processing unit ceases operation or locks-up (i.e., ceases to respond)."

It is not clear how this review criterion is related to Testing and Calibration.

Delete item 2 as it appears it is not related to Testing and Calibration.

NRC Response
While the NRC staff agrees with the substance of the comment, the NRC staff declined to make the proposed change. Instead, the NRC staff moved item 2 to Section A.9 (Automatic and Manual Control).

Comment No. 4-62
A.11 Capability for Testing and Calibration, items 3 and 4, X-32
Items 3 and 4 say, "Periodic testing duplicates..." and "Periodic testing confirms..." The GDC 21 requirement is that the system is capable of doing testing, not that specific manual testing is performed. It appears that these items should say that the system has the capability to allow for testing that duplicates/confirms...

Align review guidance in items 3 and 4 with GDC 21 wording; e.g., delete "periodic testing" and begin each item, "The system has the capability to allow for testing that..."

NRC Response
The NRC staff agrees with the proposed change.

Comment No. 4-63
Table X.2-1: Cross-Cutting Interface Reference, Post-Accident Monitoring Variables Row, Review Interface Guidance, item 3, Page X-37
The Review Interface Guidance for item 3 refers to specific SSCs such as pressurizer level indication, block valve position indication, and relief valve position indication, though these components are likely not a part of non-LWR designs.

Replace reference to these components with a technology-inclusive descriptor, e.g., safety-related component indication.

NRC Response
The NRC staff agrees with the concept of using technology-inclusive descriptors. In response to the comment, the NRC staff revised item 3 as follows [additions underlined]: "Electrical engineering to confirm that the power for pressurizer level indication, block valve position indication, and relief valve position indication safety-significant SSCs, such as level indication or pressure relief valve indication, is supplied from a reliable source of emergency power in the event of a loss of offsite power. Furthermore, the staff should evaluate each design to identify vulnerabilities that may warrant the electrical engineering branch attention."