ML20262H182

NEI Comments on BTP 7-19 Revision 8 - Sept-18-2020 - Final
Issue date: 09/18/2020
From: Tekia Govan, NRC/NRR/DRO/IRSB
To: Govan T

NEI DI&C Working Group Comments on BTP 7-19, Revision 8 in support of the 9/24/2020 Public Meeting

Topic and Affected Section(s)

Comment/Basis

Recommendation

1. Spurious Operations (Section 3)

Comment/Basis:

Technical Concern:

1. The example of a partial actuation of an emergency core cooling system (i.e., spurious operation of a single division) with false indications stemming from postulated CCF is inconsistent with the evaluation guidance in NUREG/CR-6303.

NUREG/CR-6303 (Section 3.6) requires concurrent failures of the same blocks in all redundant divisions, which precludes partial actuations.

NUREG/CR-6303 (Section 3.8) specifies that downstream blocks are assumed to function correctly in exact response to correct or incorrect inputs they receive, which precludes false indications.

Regulatory Concern:

2. The BTP states "Spurious operations originating from CCFs are one within the scope of this BTP" and points to footnote 11, which describes spurious operations within the design basis (single failures to include cascading effects). The BTP then states "As stated in the Background section of this BTP, CCF should be evaluated in a manner consistent with SRM-SECY 93-087. Therefore, the reviewer may consider the methodologies described in this BTP when evaluating spurious operations resulting from CCFs in a proposed system." In sum, these 3 sentences attempt to claim that SRM-SECY 93-087 provides the regulatory basis to analyze for spurious operations caused by CCFs.

However, regarding the 1st sentence, the design basis spurious operations are not within the scope of this BTP, therefore the first premise is not correct making the 3rd sentence logically false.

Recommendation:

1. Remove the example and state that spurious operations are considered in NUREG/CR-6303.

2. Footnote 11 identifies the regulatory basis for excluding spurious operations from the scope of this BTP because it is limited to single-failures within the design basis.

The sentence "As stated in the Background section of this BTP, CCF should be evaluated in a manner consistent with SRM-SECY 93-087" is not correct because spurious operations are not evaluated concurrent with an AOO and PA.

Until appropriate regulatory bases are identified and a proper connection to SRM-SECY-93-087 is made, the topic of spurious operations should be removed from the BTP.

2. Spurious Operation and Integrated System (Section 3)

Comment/Basis:

In this section it states that, "The reviewer should consider whether a CCF of an integrated NSR DI&C system or platform (i.e., multiple NSR system functions controlled by the same platform) has the potential to result in spurious operation that would have unacceptable consequences. The reviewer should also consider the level of integration between safety and NSR systems as a potential vulnerability to be addressed in the application."

An NSR DI&C system can use the same platform for multiple system functions as long as there is sufficient segmentation.

Recommendation:

Change to, "The reviewer should consider whether a CCF of an integrated NSR DI&C system or platform (i.e., multiple NSR system functions controlled by the same platform) has the potential to result in spurious operation that would have unacceptable consequences (e.g., improper segmentation including multiple NSR system functions controlled by one controller). The reviewer should also consider the level of integration between safety and NSR systems as a potential vulnerability to be addressed in the application."

3. Safety vs Non-Safety (Various)

Comment/Basis:

The title and scope statement of the BTP focus on safety systems. Sections of the guidance still address non-safety systems and this inconsistency between the title/scope and review details creates confusion.

Recommendation:

The only link to non-safety systems should be system integration and interconnectivity as described in Section 2.1.

Non-safety-related DI&C SSCs that are not integrated or interconnected to safety systems can be evaluated under other Chapter 7 SRP guidance.

4. DI&C Categorization (Section 2)

Comment/Basis:

The BTP states that "The use of risk insights, such as from a site-specific PRA, to demonstrate that an SSC is less safety-significant than these characteristics would indicate should be reviewed on a case-by-case basis."

Risk-insights from a site-specific PRA to support a determination of safety significance for a particular DI&C system or component is independent from the deterministic criteria in (a) thru (d). The risk-insights could determine that a particular DI&C is less (or more) safety significant than the deterministic characteristics would indicate.

The purpose of Section 2 is to adjust the rigor of the assessment (i.e., D3 or qualitative assessment) based on certain safety characteristics, as such there is no need to have four categories. In particular, the title of (b) "Low Safety Significance: Non-safety-related SSCs that Perform Safety-Significant Functions" creates logical inconsistencies in that an SSC that performs safety-significant functions should not be labeled "Low Safety Significance."

Recommendation:

Reword the sentence on risk-insights to state "Risk insights from a site-specific PRA that are used to determine the safety-significance of a particular DI&C system or component should be reviewed on a case-by-case basis."

Instead of 4 sets of characteristics (i.e., (a) thru (d)), only use 2 sets of characteristics as described below:

The 1st set of characteristics is for high safety-significant safety-related SSCs (currently (a)).

The characteristics under (a) should be limited to only the 2nd and 3rd criterion (i.e., remove the 1st and 4th criterion). For (a) a D3 is necessary.

The 2nd set is not a list of characteristics, rather the complement of (a) (i.e. not (a)).

For SSCs that meet the not (a) case, a qualitative assessment is appropriate.


5. Using Safety Significance to Determine whether a D3 Assessment is Necessary (Section 2.2)

Comment/Basis:

The section states, "A D3 assessment is necessary for all systems determined to be of higher safety significance."

Recommendation:

Change the sentence to read, "A D3 assessment is necessary for all systems determined to be of higher safety significance."

6. Software and Hardware Latent Defects (Section A, Background)

Comment/Basis:

Paragraph two states "DI&C systems or components are vulnerable to common cause failures (CCFs) due to latent defects in active hardware components, software, or software-based logic." The term "latent defects" is too broad for the scope of the BTP. The focus should be on latent defects in design only and should not include latent defects in manufacturing and fabrication processes.

The phrase "active hardware components" is vague and could include hardware CCFs outside the scope of this BTP. The only hardware CCFs that should be considered within scope are hardware components that have been programmed using software.

Recommendation:

Add the term "design" to the term "latent defects" to read "latent design defects".

Delete the term "active" and replace it with the term "programmed" so the phrase reads "programmed hardware components".

7. Crediting Existing Systems (Section B.3.2.1)

Comment/Basis:

Second paragraph states:

"ATWS system to be credited demonstrates that the system (1) is not subject to the same CCF as the equipment performing the reactor trip function within the proposed DI&C system, (2) is capable of functioning under the event conditions expected and of sufficient quality, and (3) is responsive to the AOO or PA sequences using sensors and actuators other than those proposed for accomplishing the reactor trip function within the proposed DI&C system."

The text in bold is not congruent with 10 CFR 50.62.

Also, there is a typographical error on 2nd paragraph under 3.2.2: "10 CFR 50.69or". Needs a space.

Recommendation:

Change the sentence to read, "ATWS system to be credited demonstrates that the system (1) is not subject to the same CCF as the equipment performing the reactor trip function within the proposed DI&C system, (2) is capable of functioning under the event conditions expected and of sufficient quality, and (3) is responsive to the AOO or PA sequences using sensors and actuators other than those proposed for accomplishing the reactor trip function within the proposed DI&C system."

Change to, "10 CFR 50.69 for"

8. Manual System Level Actuation and Indications to Address Position 4 (Section 4)

Comment/Basis:

The section states "The applicant may credit existing displays and controls in the MCR to satisfy Position 4. However, the reviewer should confirm that the applicant did not also credit the same digital platform or analog technology for Position 1 or 3 (e.g., for mitigating DBEs) because Position 4 specifies that the MCR displays and controls shall be independent and diverse from those credited for Position 1 and 3." Systems credited for Position 3 must be diverse from the digital system being replaced. However, it does not also have to be diverse from Position 4.

Page 29, item f. has a typographical error, "These displays and controls are no affected by postulated CCFs"

Recommendation:

Position 4 specifies that the MCR displays and controls shall be independent and diverse from those credited for vulnerable to CCF in Position 1 and 3

Change to, "These displays and controls are not affected by postulated CCFs"

9. Best Estimates (Various)

Comment/Basis:

BTP states in several places consequences of CCFs are bounded by the acceptance criteria defined in the FSAR, with no mention of best estimates or realistic assumptions.

Recommendation:

Ensure the guidance is clear that best estimates or realistic assumptions can be used when assessing the consequences of CCFs, given that the CCFs are a beyond design basis event.

10. Independent and Diverse (Various)

Comment/Basis:

Use of the term "independent" can cause confusion because there are different definitions used by practitioners.

Recommendation:

Add a clarification on "independent" that isolation is not required for safety-related manual controls that are connected downstream of the digital I&C safety system outputs in the same safety division.

11. Defensive Measures (Section B.3.1.3)

Comment/Basis:

The BTP states "NRC-approved defensive measures may be used to eliminate the CCF from further consideration. The NRC approval should include a supporting technical basis and acceptance criteria for the use of the defensive measure. The reviewer should confirm that the defensive measure is approved for the application described in the D3 assessment."

Section 3.1.3 creates an opportunity for an NEI solution to appropriately address CCFs caused by latent design defects.

However, the current language focusing on NRC-approved defensive measures is limiting. NEI does not plan to submit a list of various defensive measures for approval, rather a performance-based methodology based on safe design objectives and various defensive measures can be used to meet those objectives.

Recommendation:

Change the 1st paragraph in Section 3.1.3 to read:

"An NRC-approved performance-based methodology may be used to eliminate the CCF from further consideration. The reviewer should confirm that the defensive measure(s) used to meet the performance-based methodology includes a supporting technical basis and meets the acceptance criteria in this BTP."

Make necessary changes to the other paragraphs in Section 3.1.3 to align with the description above.

12. Background (Section A)

Comment/Basis:

The last line on page 2, "the NRC considers CCF in DI&C systems to be a beyond-design-basis event (BDBE)". Only safety-related DI&C systems are BDBE.

Recommendation:

Change to "the NRC considers CCF in safety-related DI&C systems to be a beyond-design-basis event (BDBE)."

13. D3 Assessment General Approach (Section 3)

Comment/Basis:

On page 16 (2nd bullet) it states, "The applicant or mitigated consequences from CCF vulnerabilities using design techniques described below:"

Recommendation:

Change the sentence to read, "The applicant or mitigated consequences approaches to address from CCF vulnerabilities using design techniques described below:"


14. D3 Assessment (Section 3)

Comment/Basis:

Footnote 12 has a typo, "This BTP does not use the that term."

Recommendation:

Change the sentence to read, "This BTP does not use the that term."