ML21109A001
Issue date: 06/07/2021
From: Office of Nuclear Regulatory Research
To: R. Roche-Rivera
Shared Package: ML21106A215
NRC STAFF RESPONSES TO POST-PROMULGATION PUBLIC COMMENTS ON REGULATORY GUIDE 1.187, Revision 2: "GUIDANCE FOR IMPLEMENTATION OF 10 CFR 50.59, CHANGES, TESTS, AND EXPERIMENTS" (Federal Register 85 FR 40696, July 7, 2020)
On July 7, 2020 (85 FR 40696), the NRC issued Regulatory Guide (RG) 1.187, Revision 2, "Guidance for Implementation of 10 CFR 50.59, Changes, Tests, and Experiments" (Agencywide Documents Access and Management System (ADAMS) Accession No. ML20125A730), as final with a 30-day post-promulgation public comment period. The post-promulgation public comment period ended on August 6, 2020. Comments on the subject RG are available electronically at the U.S. Nuclear Regulatory Commission's (NRC's) electronic Reading Room at http://www.nrc.gov/reading-rm/adams.html. From this page, the public can enter ADAMS, which provides text and image files of the NRC's public documents.
During the post-promulgation comment period, the NRC staff received 5 comment submissions on RG 1.187, Revision 2, as listed below, from the following individuals or organizations:
Letter No. | ADAMS Accession No. | Commenter Affiliation | Commenter Name
---|---|---|---
1 | ML20212L674 | No Known Affiliation | Anonymous
2 | ML20212L679 | No Known Affiliation | Anonymous
3 | ML20219A815 | No Known Affiliation | Anonymous
4 | ML20219A816 | Nuclear Energy Institute (NEI) | Stephen E. Geier
5 | ML20220A306 | Nuclear Automation Engineering, LLC | Ken Scarola

This document lists each public comment by letter and comment number. For example, Comment No. 3-2 would be the second comment provided in Letter No. 3 listed in the table above. For each comment, the NRC has repeated the comment as written by the commenter and then provided the NRC's response. In some instances, the comment was broken down into segments for clarity.
Comment No. 1-1
There was an NRC staff non-concurrence on the RG which was made publicly available (see ML20197A381). Why was this not mentioned in the FRN?
NRC Staff Response
The commenter is correct that the NRC procedure in Management Directive 10.158, "NRC Non-Concurrence Process," states, in part, that if a publicly available non-concurrence is associated with a document for which the NRC is seeking public comment or is associated with a final document for which the NRC has sought public comments, then the Federal Register notice must include a reference to the non-concurrence and must include the ADAMS accession number for the NCP form. The subject non-concurrence was not included as a reference in the Federal Register notice because the NCP form (and related attachments) was not available to the public at the time of the Federal Register notice issuance date. Specifically, the Federal Register notice for RG 1.187, Revision 2, was published on July 7, 2020, and the NCP form (and related attachments) for the non-concurrence associated with RG 1.187, Revision 2, was made public in ADAMS on July 16, 2020. The ADAMS accession number for the NCP form is now included in this present Federal Register notice, which issues these comment responses.
Comment No. 2-1
Were there any meetings between NRC and NEI, either in person or electronically, where the contents of Appendix D were discussed, but which were not noticed or do not have publicly available meeting summaries?
NRC Staff Response
The NRC routinely has non-public conversations with applicants, licensees, and members of the public to discuss process and schedule matters, consistent with the NRC's public meeting policy in Management Directive 3.5. In addition, the NRC met with NEI on a few occasions to clarify and reiterate specific issues in the text in Appendix D that the NRC staff had previously identified in public meetings, so that NEI could develop revisions to submit to the NRC staff for review. All revisions of Appendix D that the NRC received have been made publicly available in ADAMS.
Comment No. 3-1
Appendix D Section 4.3.6, Step 6, contains the following criteria: "safety analysis no longer satisfies the acceptance criteria identified in the associated safety analysis;" however, this criterion is not acceptable because the NRC has not demonstrated that it maintains the "margin" required by a facility's principal design criteria or any other regulatory requirements for margin.
In short, it is not possible for the NRC to have evaluated all of the acceptance criteria in all of the safety analysis reports which are affected by this guidance (against all of the obligated margins); furthermore, there is no NRC statement that it has ever evaluated the acceptance criteria for maintaining obligated margins; therefore, the NRC has no technical basis to claim that meeting the acceptance criteria maintains a licensee's obligations regarding margin. Please publish an NRC evaluation that demonstrates that meeting the acceptance criteria maintains a licensee's obligations regarding margin.
NRC Staff Response
The NRC staff does not agree with the comment. Design control requirements such as those found in 10 CFR Part 50, Appendix B, Criterion III, "Design Control," not 10 CFR 50.59, ensure the licensee maintains any required margin. Importantly, neither 10 CFR 50.59 nor the Federal Register notice for the 1999 final rule describe 10 CFR 50.59 as a process for verifying design adequacy. Rather, the licensee's engineering/technical design evaluations supporting the change are developed using the licensee's plant modification process that implements the requirements of NRC regulations including 10 CFR Part 50, Appendix B. This requirement states:
The design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by individuals or groups other than those who performed the original design.
An entry condition for the 10 CFR 50.59 process is described in NEI 96-07, Revision 1, Section 1.3, "10 CFR 50.59 Process Summary," which states:
After determining that a proposed activity is safe and effective through appropriate engineering and technical evaluations, the 10 CFR 50.59 process is applied to determine if a license amendment is required prior to implementation.
In other words, the licensee must first determine, through appropriate engineering and technical evaluations, that any required margin is maintained. Then the licensee may use section 50.59 to determine whether a license amendment is required for the proposed change.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 4-1
In Section 2.d of RG 1.187, Revision 2, add the following sentence at the end of the fourth paragraph that ends with "credited plant system functions and associated instrumentation and controls functions will be performed."
Adherence to the six-step process described within Section 4.3.6, and as illustrated through the examples, will ensure consistency with the clarification on basic assumptions.
We believe that incorporating the suggestion provided above will further clarify the language in RG 1.187, Revision 2, appropriately refers back to the Appendix D guidance, and will promote a common understanding among the NRC staff and licensees.
NRC Staff Response
The NRC staff does not agree with the comment. This comment relates to the clarification of "basic assumption" in Section 2.d of RG 1.187, Revision 2. The NRC staff understands this comment to say that following the guidance in Appendix D, Section 4.3.6, would, ipso facto, ensure a proposed modification is consistent with the clarification at issue. However, Appendix D does not provide guidance on the meaning of the phrase "basic assumption." The clarification provides the NRC staff's understanding of this term in the context of Appendix D. Thus, while the guidance in Appendix D is acceptable, the guidance in Appendix D, standing alone (i.e., without the clarification in the RG), might result in licensees misapplying the guidance in a way that is not consistent with 10 CFR 50.59.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-1
In RG 1.187 Section C.2.b.ii, the Staff endorsed Example 4-18 to illustrate a proposed activity that does not create the possibility for a malfunction of an SSC important to safety with a different result for the evaluation of 10 CFR 50.59(c)(2)(vi). This is based on the minimum DNBR result being within the accident acceptance criteria of 1.30. Therefore, this example is judging the acceptability of the change based only on the impact to the acceptance criteria for a fission product barrier, which is clearly the purpose of 10 CFR 50.59(c)(2)(vii). Based on this interpretation in NEI 96-07 Appendix D, 10 CFR 50.59(c)(2)(vi) adds no unique criteria to the evaluation. RG 1.187 should explain the basis of the Staff's acceptance that there is no uniqueness between 10 CFR 50.59(c)(2)(vi) and (vii). In addition, Example 4-18 states that the minimum DNBR for the current design is 1.42 and the new minimum DNBR calculated for the proposed design is 1.33. Therefore, although the proposed design does not create a malfunction with a different result, it significantly reduces the margin to the acceptance criteria.
Therefore, it is reasonable to conclude that the proposed design creates more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the final safety analysis report, which must be evaluated for 10 CFR 50.59(c)(2)(iv).
10 CFR 50.59(c)(2)(iv) directly correlates to General Design Criterion (GDC) 10, Reactor Design, which states:
The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences. [emphasis added].
The NRC Staff reviewed the accident analysis and determined that there was appropriate margin. The proposed design significantly reduces the appropriate margin that the Staff had approved, which brings compliance to GDC 10 into question. RG 1.187 should explain why this significant reduction in margin does not require additional Staff review to remain in compliance with GDC 10. It is recognized that NEI 96-07 Section 4.3.4 says that only radiological consequences are considered when evaluating 10 CFR 50.59(c)(2)(iv). However, there is a direct correlation between DNBR, fuel damage and radiological consequences. Since NEI 96-07 Appendix D does not explain the correlation between a reduction in DNBR margin and an increase in the radiological consequences of this malfunction, RG 1.187 should clarify the Staff's position on this point. In addition, since the rule language in 10 CFR 50.59(c)(2)(iv) does not limit the increase in the consequences of a malfunction to only radiological consequences, RG 1.187 should clarify the basis of the Staff's endorsement of this guidance in NEI 96-07 Section 4.3.4.
NRC Staff Response
The NRC staff agrees with the commenter that in some circumstances, the factors that are relevant to criterion (vi) may overlap those for criterion (vii). However, the two criteria remain separate and must be addressed separately. In Example 4-18, the use of DNBR is limited to illustrating how an acceptance criterion may be used in evaluating the criterion in section 50.59(c)(2)(vi); it does not relate to the application of section 50.59(c)(2)(vii) and is not an example of whether the application of criterion (vi), compared to criterion (vii), is unique or not.
Taken together, the eight criteria in 10 CFR 50.59(c)(2) serve the underlying purpose of the 10 CFR 50.59 regulation as described by the Commission in its statements of consideration for the 1999 final rule, which establishes a threshold for NRC review of changes that could affect the basis on which the NRC issued a license to operate the facility.
Additionally, the NRC staff does not agree with the part of the comment that discusses DNBR and GDC 10. Appendix D was developed to provide one acceptable way to implement 10 CFR 50.59 to digital modifications and does not address other regulatory requirements. That is, the examples illustrate the application of the guidance, given the postulated technical information. The guidance for 10 CFR 50.59 is not intended to assist in determining compliance with other regulatory requirements, but rather relies on compliance with all regulatory requirements.
Additionally, the NRC staff does not agree with the part of the comment that requests clarification of the basis of the Staff's endorsement of the guidance in NEI 96-07 Section 4.3.4. The staff is not revisiting the endorsement of the base document NEI 96-07 in RG 1.187, Revision 2. Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-2
RG 1.187, Section C.2.c, says RIS 2002-22 Supplement 1 "may be used in conjunction with NEI 96-07, Appendix D, Revision 1." Section 1.2 of Appendix D states "The guidance in this appendix applies to a complete replacement of an analog reactor protection system with an integrated digital system." However, on page 2 the RIS states "This RIS supplement is not directed toward digital I&C replacements of the reactor protection system." These statements clearly conflict; RG 1.187 should address this discrepancy. For example, RG 1.187 could reiterate that (1) to preclude further consideration of a CCF due to a digital design defect, reactor protection system (RPS) replacements require a deterministic assessment of sufficient diversity or sufficient simplicity (i.e., testability), not simply a qualitative assessment to reach a sufficiently low likelihood conclusion and (2) if a CCF due to a digital design defect cannot be precluded for the RPS, then an analysis is needed for each accident to demonstrate CCF coping using alternate methods.
NRC Staff Response
The NRC staff does not agree with the comment. While Appendix D, Section 1.2, states the guidance applies to a complete replacement of RPS, Appendix D, Section 3.15, states:
A qualitative assessment should not be used for digital I&C replacements of the reactor protection system (RPS), the engineered safety features actuation system (ESFAS), or modification/replacement of the internal logic portions of these systems (e.g., voting logic, bistable inputs, and signal conditioning/processing).
In any case, RIS 2002-22, Supplement 1, can be used in connection with changes to SSCs other than the RPS and ESFAS in accordance with other portions of NEI 96-07, Appendix D.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-3
For evaluating 50.59(c)(2)(vi) - Create a possibility for a malfunction of an SSC important to safety with a different result - page 9 of RG 1.187 says the test fails if the change would invalidate "basic assumptions"; examples of basic assumptions include the assumptions (1) that credited plant and reactor protection system functions will be performed, (2) that credited engineered safety system functions will be performed, and (3) that credited plant system functions and associated instrumentation and controls functions will be performed.
Contrary to this regulatory position, NEI 96-07 Appendix D Example 4-20 describes a proposed change where a credited system function will not be performed due to a software CCF (i.e., a basic assumption is invalidated by the CCF); however, the ability to cope with loss of that credited function using alternate methods is the basis for 10 CFR 50.59(c)(2)(vi) acceptance.
RG 1.187 should address this inconsistency.
Example 4-20 emphasizes that the alternate methods are currently proceduralized and are NOT compensatory actions for addressing degraded or nonconforming conditions. But the described alternate methods are not the methods credited in the accident analysis, and one alternate method is a new digital control system restart feature to clear any software faults. As written, this is certainly a new compensatory action to address a degraded condition in the new digital control system. Therefore, this change appears to invalidate a basic assumption of the original accident analysis. RG 1.187 should clarify the Staff's position on crediting compensatory actions to avoid invalidating basic assumptions.
RG 1.187 should also clarify the Staff's position on crediting restart to clear software faults; there is no technical basis to conclude that any/all software faults can be cleared by restart. I have never seen restart credited in any coping analysis for compliance to SRM SECY 93-087 or BTP 7-19; the Staff's position has always been that unless the design defect that caused the software fault is corrected, whatever caused the software fault is likely to recur. Therefore, restart cannot be relied on as a coping action.
NRC Staff Response
The NRC staff does not agree with the comment. In this case, Example 4-20, Step 6, relies on the statement in Section 4.3.6, Step 4, to conclude that the acceptance criteria prong of Step 6 is met. This conclusion is at the deliberate exclusion of other aspects of the guidance in Appendix D (i.e., basic assumptions no longer being valid), which, if considered, could potentially change the evaluation conclusion.
The digital controllers for the Main Control Room Ventilation System (MCRVS) perform a design basis function because the controllers are required by, or otherwise necessary to comply with, TS for operability for RPS and ESFAS. Example 4-20, Step 4, states: "compliance with pre-existing procedures will result in the restoration of at least one chiller well before the Relay Room cooling becomes inadequate and temperature exceeds 120°F. Specifically, compliance with existing procedures will lead to recognition of the problem and, using currently proceduralized alternate methods for operating the system (i.e., NOT compensatory actions for addressing degraded or nonconforming conditions), restore the chiller control system function prior to the impairment of the associated design bases functions."
The above excerpt does not state that the failed digital controller is restored but rather that the controller function is restored using "currently proceduralized alternate methods for operating the system." This involves crediting existing procedures (e.g., manual actions) that provide an alternate method or different means of operating the chillers. Because of this pre-established acceptable alternative method, a software CCF of the digital controllers does not result in a loss of system function and thus the alternate method does not restore system function. Rather, the alternative method is a different means of performing the same function. By definition, compensatory actions are measures used to maintain or restore operability and may be used only on a temporary basis. The fact that Example 4-20 states the alternative methods are NOT compensatory actions means that the MCRVS remains operable in the event of a software CCF because of the permanent credited alternative method of operating the chillers.
Additionally, the NRC staff does not agree with the part of the comment that discusses restarts to clear software faults. The NRC staff has not endorsed guidance providing licensees a technical basis to conclude that software faults can be cleared by restart. The purpose of Appendix D is to provide guidance on how to comply with § 50.59, not guidance on acceptable engineering practices. The example states that the reset is capable of clearing the fault, which is sufficient to illustrate the point of the example, but any licensee evaluation would need to document a basis for such a conclusion.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-4
BTP 7-19 and SRP 18-A require a human factors evaluation to conclude that there is acceptable time margin between Time Required and Time Available to credit manual actions for coping with a CCF. However, NEI 96-07 Appendix D Example 4-20 concludes that the plant can cope with loss of a credited safety function using manual actions, with no mention of a human factors evaluation. RG 1.187 should address this omission.
NRC Staff Response
The NRC staff does not agree with the comment. NEI 96-07, Appendix D, Section 1.5 states, "unless stated otherwise, a given example addresses ONLY the aspect within the section/sub-section in which it is included, sometimes at the deliberate exclusion of other pertinent and/or related aspects which, if considered, could potentially change the Screen and/or Evaluation conclusion(s)." Example 4-20 is demonstrating Section 4.3.6. Human factors considerations are addressed by the NEI 96-07, Appendix D, Section 4.3.2, examples.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-5
NEI 96-07 Appendix D Example 4-1 concludes that a proposed change is not adverse. But there is no discussion of documenting a Qualitative Assessment to reach a sufficiently low likelihood conclusion, as is required by RIS 2002-22. Furthermore, per the guidance in NEI 96-07, Section 5, there is no regulatory requirement to document screenings (only evaluations). RG 1.187 should address this discrepancy.
NRC Staff Response
The NRC staff does not agree with the comment for two reasons. First, NEI 96-07 Appendix D Example 4-1 involves screening, and the NRC staff has not endorsed using a qualitative assessment in screening. Neither Appendix D nor RIS 2002-22 provides guidance on using a qualitative assessment in screening. Second, RIS 2002-22 does not require the use of a qualitative assessment; rather, it endorses a method for qualitative assessments that the NRC staff has found adequate to meet some requirements for an evaluation under 10 CFR 50.59.
Further, the comment is correct that there is no regulatory requirement to document a screening, but NEI 96-07, Revision 1, does provide guidance to licensees on appropriate records for screening. Nevertheless, because a qualitative assessment per the guidance in RIS 2002-22, Supplement 1 is a part of a 10 CFR 50.59 evaluation, § 50.59(d) requires licensees to maintain records of qualitative assessments supporting a change. So, there is no reason for it to be referenced in the example.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-6
NEI 96-07 Appendix D Example 4-2, which maintains the segmented configuration of the original analog design, but with identical digital devices, correctly concludes that the proposed change is adverse because it introduces the potential for a CCF due to a design defect in both digital controllers. But Example 4-3, which describes the same configuration in Option 1, concludes that this proposed change is not adverse because the segmented configuration of the analog design is maintained. Even though the segmented design is maintained, this example fails to mention the potential for a CCF due to a design defect, as in Example 4-2. RG 1.187 should address this discrepancy within NEI 96-07 Appendix D.
It is recognized that NEI 96-07 Appendix D Section 1.5 discusses deliberate exclusion of other pertinent and/or related aspects. However, this example clearly states that the two analog control systems are physically and functionally the same (i.e., this is not excluded). Therefore, unless the example describes new intentional diversity built into the digital controllers, the reader is very likely to conclude that the digital systems are also physically and functionally the same; and regardless of this conclusion, a CCF due to a design defect does not require consideration due to the segmentation. But segmentation alone does not preclude the need to consider a design defect in all segments that utilize the same design. RG 1.187 should address this problem in Example 4-3 to circumvent this misleading conclusion.
NRC Staff Response
The NRC staff does not agree with the comment because, as the comment acknowledges, these examples illustrate only limited aspects of the guidance being described, and deliberately do not address other aspects of the example that might factor into reaching a different conclusion. Example 4-3 is intended only to illustrate that combining functions of subcomponents in a system as part of a digital upgrade does not necessarily result in an adverse impact, but that combining previously separate systems does. The text of the example itself states that the conclusion in the example is only for the aspect of the guidance being illustrated. The NRC staff does not believe that the example will lead to licensees reaching the wrong conclusion, and therefore does not agree that RG 1.187 needs to address the issues raised in the comment.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-7
NEI 96-07 Appendix D Example 4-4 concludes that the proposed digital design is not adverse, because although the new design can cause multiple function failures, compared to only single function failures in the original design, the multiple failures all cause loss of the ability to control temperature, which is stated to be the same as in the original design.
But this example discounts that there are two controllers in the original design - one for temperature monitoring/control and a separate controller for air damper control - whereas in the proposed digital design all functions are combined into one controller. Therefore, in the original design if the temperature controller fails, the air damper can be manually controlled by putting the air damper controller in the manual mode. If the air damper controller fails the temperature in the room can be monitored remotely; therefore, if the temperature gets too high an auxiliary operator can be sent to the room to manually reposition the damper. In the proposed design a failure of the digital controller prevents both damper control and room monitoring. Therefore, the proposed design changes the human systems interface (HSI) design, and it reduces defense-in-depth; therefore, the screening should have concluded that the change is adverse; therefore, the change requires further evaluation. RG 1.187 should address this error in NEI 96-07 Appendix D.
NRC Staff Response
The NRC Staff does not agree with comment 5-7. The comment did not apply the guidance in NEI 96-07 Appendix D Section 1.5 to the example (i.e., "a given example addresses ONLY the aspect within the section/subsection in which it is included, sometimes at the deliberate exclusion of other pertinent and/or related aspects which, if considered, could potentially change the Screen and/or Evaluation conclusion(s)" (emphasis in original)). NEI 96-07, Appendix D, Examples 4-4 and 4-5 illustrate only the guidance in NEI 96-07, Appendix D, Section 4.2.1.1 regarding whether the change screens in by applying the guidance for combination of components/systems and/or functions, at the deliberate exclusion of aspects regarding human systems interface, which is addressed in NEI 96-07, Appendix D, Section 4.2.1.2. In the example, the combination of functions results in the loss of the ability to cool the room, which is the same result as the loss of either function alone. Therefore, the combination of functions is not adverse. Example 4-4 is limited to its stated facts and does not involve consideration of, as the comment suggests, manual control of the air damper in the event that the temperature controller failed.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-8
NEI 96-07 Appendix D Example 4-5 reaches an adverse conclusion, because previously separate analog control functions are combined into a single digital controller; this is correct.
However, contrary to Example 4-2, this conclusion incorrectly implies that separate digital controllers can resolve this adversity. The example should have clarified that, as in Example 4-2, even if there are two separate digital controllers, if those controllers employ the same digital platform, the digital design is still adverse due to the potential for a CCF of both controllers due to a design defect in the digital platform. Without this clarification, adverse conditions in distributed control systems that are being commonly deployed throughout the industry can be overlooked. RG 1.187 should address this clarification.
NRC Staff Response
The NRC staff does not agree with comment 5-8. Example 4-5 does not mention two separate digital controllers nor does it imply any result that might obtain from the analysis of the use of two separate digital controllers for the two functions identified in the example. Example 4-5 is limited to its stated facts and does not involve consideration of common cause failure.
Based on the above and the response given in comment 5-7, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-9
NEI 96-07 Appendix D Example 4-6 concludes that a proposed change from conventional HSI to touch screen HSI is not adverse because the operator can still manually control the valves. It is not possible to reach this "not adverse" conclusion without a thorough evaluation of touch screen navigation. In the current design the knob is spatially dedicated continuously visible (SDCV). In the proposed design, accessing this touch control could require numerous screen navigation steps to get to the screen that has the touch controls for this flow control valve. This additional screen navigation increases the Time Required to take a manual action, which increases the task burden and decreases the margin to Time Available. Screen navigation and selectable controls also introduce the potential for human error. Therefore, this change is adverse and requires further evaluation. RG 1.187 should address this error in NEI 96-07 Appendix D.
NRC Staff Response
The comment relates to NEI 96-07, Appendix D, Example 4-6, which states:
Using the results from the engineering/technical information supporting the change, including the HFE evaluation, and examining the replacement of the knob with a touch screen, the modification is not adverse (for the aspect being illustrated in this example) because it does not impact the ability of the operator to open and close the flow control valve using manual controls located in the Main Control Room, maintaining satisfaction of how the UFSAR-described design function is performed or controlled.
Based on the above, the NRC staff does not agree with the comment because the example presumes that the HFE evaluation performed as part of the design change process (i.e., the engineering/technical information supporting the change) conforms to the guidance. Although the example does not state all the factors that may have been considered in the HFE evaluation, it reports the conclusion that the change would not impact the operator's ability to perform the response implementation task. The guidance states that the HFE evaluation should consider whether the change can result in increased time to respond, which is the factor raised by the comment. Therefore, the "would not impact" determination includes the conclusion that the response time did not increase. Because the example is intended only to illustrate how the pieces of the guidance on HSI considerations fit into an overall screening process and not the effect of increased response time, the NRC staff considered the HFE evaluation result sufficient to conclude the change was not adverse.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-10
NEI 96-07 Appendix D Example 4-7 has the same problem as discussed in Item 9 above, regarding the change from conventional controls to touchscreen controls. RG 1.187 should address this error in NEI 96-07 Appendix D.
In addition, Example 4-7 concludes that a change from conventional analog meters and indicator lights to flat screen displays does not impact the operator's ability to monitor and detect changes in plant parameters; therefore, the change is not adverse. But this conclusion cannot be reached without a thorough human factors evaluation, because the change from SDCV information to selectable information changes the operator's ability to monitor these functions.
Needing to navigate to appropriate screens to obtain information adversely impacts task burden and situation awareness. Therefore, from a screening perspective this change is adverse.
It is noted that Example 4-8 does reach a correct adverse conclusion due to the negative impact on situation awareness. RG 1.187 should clarify that this adversity is likely to apply to every digital modification that converts conventional HSI to selectable flat screens, unless an SDCV display (e.g., a plant overview display) is also included in the modification to maintain a comparable level of situation awareness as in the original analog design that utilized SDCV indicators.
In Example 4-7, there is also no discussion of the separate analog indications and controls being combined on a single flat panel. This results in several adverse conditions that are not mentioned at all in this example:
- Even though there are separate flat panels for each division, a single malfunction or design defect in a flat panel could result in failure of many more functions (i.e., multiple indications and multiple controls) than a single malfunction in the analog design which could result in failure of only one indication or one control. Therefore, the digital design reduces defense-in-depth, which is adverse.
- In the analog design, when there is a malfunction that results in failure of an indicator, the control is not impacted (and vice versa); in the digital design a single malfunction or design defect results in failure of both indication and control. Therefore, the digital design reduces defense-in-depth, which is adverse.
- Since the digital design combines multiple indications, a single malfunction or design defect could result in multiple erroneous indications, not just failure of indications. This could result in human performance errors which are adverse.
- Since the digital design combines multiple controls, a single malfunction or design defect could result in multiple spurious operations, not just failure of control functions. This could result in unanalyzed transients which are adverse.
In Example 4-7, there is also no discussion of a design defect that could result in a CCF of the flat panels in both divisions. That CCF could result in loss of all indications/controls or erroneous indication/control in both divisions. Since a design defect leading to a CCF of both divisions was not considered for the previous analog design, due to its simplicity, the potential for a CCF due to a design defect in the new digital design, due to its complexity, is adverse.
RG 1.187 should address the numerous errors in NEI 96-07 Appendix D Example 4-7.
NRC Staff Response
The NRC Staff agrees that Example 4-7 is written in a manner that could be confusing to the NEI 96-07 reader if the example is taken in isolation. NEI 96-07, Appendix D, Section 1.5 states, "unless stated otherwise, a given example addresses ONLY the aspect within the section/sub-section in which it is included, sometimes at the deliberate exclusion of other pertinent and/or related aspects which, if considered, could potentially change the Screen and/or Evaluation conclusion(s)." For instance, Example 4-7 does not address CCF or spurious operation, which are related aspects that, if considered, could potentially change the screen conclusion. Instead, Example 4-7 is demonstrating the relationship between adverse effects on the design function and the Human Factors Engineering (HFE) Evaluation described in Section 4.2.1.2. Although the example does not state all the factors that may have been considered in the HFE evaluation, the example does state that there were no design functions related to the number of steps necessary to perform the design function (i.e., complexity) or the duration in which the steps were to be performed (i.e., time response). This statement alone is sufficient to conclude that the modification is not adverse in regard to time response.
Nonetheless, the staff agrees with the comment that statements in Example 4-7 indicating that time response increases appear inconsistent with the rest of the example. The discussion of response time is extraneous to the HFE evaluation and conclusion in Example 4-7. The relationship between design function and the HFE evaluation is the point that the example is attempting to demonstrate.
Accordingly, the staff has determined to modify RG 1.187 to clarify that the statements regarding increased response time in Example 4-7 are irrelevant to the conclusion in that example and should be disregarded.
Comment No. 5-11
NEI 96-07 Appendix D Example 4-8 reaches a "not adverse" conclusion for a change from conventional HSI to touch screen HSI, even though it acknowledges that the proposed design would result in an increase in response time for operator actions. Unless a thorough evaluation is conducted to determine the plant level effect of this increase in response time for any credited manual actions the "minimal increase in the consequences of a malfunction" requirements of 50.59(c)(2)(iv) cannot be determined. RG 1.187 should address this error.
In addition, this example provides no discussion regarding the potential for CCF of multiple erroneous indications, multiple spurious operations and multiple failures, due to the consolidation of numerous indications and controls into only two flat panels and use of common digital designs. All of these present adverse conditions that require further evaluation.
RG 1.187 should address this omission.
NRC Staff Response
Because Example 4-8 does reach an adverse impact conclusion for design function (a), "Status indications are continuously available to the operator," the NRC staff understands the comment to be primarily objecting to the Example 4-8 analysis of design function (b) as screening out. In this example, critical status indications (design function (a)) may not be continuously available to the operator. Thus, the proposed modification screens in and a 10 CFR 50.59 evaluation is required for this example. To the extent the comment suggests that the modification is adverse with respect to design function (a) for reasons not mentioned in the example (e.g., CCF and spurious operation), those reasons would not illustrate the concept that is the subject of Example 4-8 (i.e., the consequences of the displays being configurable) and need not be addressed in the example. Additional bases for an adverse conclusion with respect to design function (a) will not change the result, i.e., the modification proposed in the example will always be adverse.
The NRC Staff agrees that the discussion of design function (b), "operator controls the system components manually," in Example 4-8, is written in a manner that could be confusing to the reader if the example is taken in isolation. As discussed below, the staff has concluded that clarification of Example 4-8 is warranted in regard to design function (b). As the comment indicates, the example states that the HFE evaluation "determined that... additional actions result in an increase in the operator's time to respond." The staff agrees with the comment insofar as an increase in response time would normally result in a proposed modification being adverse under NEI 96-07, Revision 1.
However, NEI 96-07, Revision 1, Section 4.2.1 includes an example (involving diesel generators) that illustrates a case in which an increase in response time can screen out. In that example, the FSAR-described design function specifies a response time, and although the proposed change would increase the calculated response time, it would not result in a calculated response time exceeding the design function response time. Although Example 4-8 does not indicate that it relies on the example in NEI 96-07, Revision 1, the NRC staff believes that Example 4-8 would be acceptable if understood as applying the concept illustrated by the example in NEI 96-07, Revision 1, Section 4.2.1. The staff agrees with the comment insofar as an HFE evaluation cannot show that an increase in response time is not adverse in the absence of other information in the FSAR.
Example 4-8 is acceptable if it illustrates a case in which an increase in response time is not adverse because the new response time to accomplish design function (b) falls within (is bounded by) a design function response time specified in the FSAR. Example 4-8 includes a design function response time and states a response time requirement of the operator is credited. However, Example 4-8 does not identify the particular response time and does not compare the increase in response time to that credited in the FSAR for design function (b). The staff therefore concludes that Example 4-8 could be misunderstood to mean that a modification can screen out as not adverse, despite an increase in response time, without reference to a design function response time credited in the FSAR.
Accordingly, the NRC staff has modified RG 1.187 to clarify NEI 96-07, Appendix D, Example 4-8 as described in this response.
Comment No. 5-12
On page 24, NEI 96-07 Appendix D states the "negative" impact due to a software CCF likelihood being not sufficiently low could be partially or wholly offset by the "positive" impacts due to the digital system/component itself and/or its design features. There is no technical basis for this statement; there are no digital benefits that negate the need to demonstrate the ability to cope with a CCF whose likelihood is not sufficiently low. This statement in NEI 96-07 Appendix D contradicts both RIS 2002-22 Supplement 1 and BTP 7-19. RG 1.187 should correct this statement.
NRC Staff Response
The NRC staff disagrees with the comment. The discussion cited by the comment addresses an evaluation of 10 CFR 50.59(c)(2)(i). This criterion addresses the overall frequency of an occurrence of an accident and not individual causes of an accident. If one individual cause of an accident is created by a proposed modification (e.g., software CCF), its impact on the overall frequency of an existing accident can be offset by the frequency of another cause being decreased (e.g., due to improved reliability of digital system components themselves and/or its design features, a positive impact). The technical considerations of the particular change will determine whether negative impacts can be offset by positive impacts. Furthermore, the licensee's 10 CFR 50.59 evaluation is permitted to consider the positive impacts due to the digital system/component itself and/or its design features, in determining whether there is a no more than minimal increase based on RIS 2002-22, Supplement 1, Section 3.1.1, which states:
Design attributes of a proposed modification can prevent or limit failures from occurring. Design attributes focus primarily on built-in features such as fault detection and failure management schemes, internal redundancy, and diagnostics within the integrated software and hardware architecture. However, design features external to the proposed modification (e.g., mechanical stops on valves or pump speed limiters) may also be considered. (emphasis added).
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-13
NEI 96-07 Appendix D Example 4-10 incorrectly concludes that with the failure likelihood introduced by the modified SSC being not sufficiently low, there is more than a minimal increase in the frequency of occurrence of the accident previously evaluated in the UFSAR. But "not sufficiently low" is most likely to mean that the failure likelihood is comparable to single malfunctions, which establish the frequency of this event for the FSAR. Therefore, digital failures that have comparable likelihood to analog failures do not automatically increase the frequency of the accident; RG 1.187 should correct this error.
RG 1.187 should also clarify that digital failures that have a comparable likelihood to analog failures may increase the frequency of the event if there are more digital vulnerabilities; but this is rarely the case for modern digital designs.
NRC Staff Response
The NRC does not agree with the comment, as explained below, because the comment appears to misconstrue both the concept of "sufficiently low" and the basis for the conclusion in the example.
The conclusion in Example 4-10 is not based solely on the "not sufficiently low" conclusion; the conclusion also considers "the inability to offset weaknesses in the design attributes," which the qualitative assessment documented. Although not expressly stated in the example, the ability to offset weaknesses would not be considered under the guidance in Appendix D unless the licensee had already concluded that the increase in accident frequency is not negligible. This example concludes there are no other features of the proposed change that the licensee can credit to reduce the increase in frequency of occurrence.
The comment states:
But "not sufficiently low" is most likely to mean that the failure likelihood is comparable to single malfunctions, which establish the frequency of this event for the FSAR.
As stated in NEI 96-07, Appendix D, Section 3.16, NEI defines "sufficiently low" to mean "that the likelihood of failure of the modified system or component is much lower than the likelihood of failures that are considered in the updated final safety analysis report (UFSAR) (e.g., single failures) and comparable to other CCFs that are not considered in the UFSAR (e.g., design flaws, maintenance errors, calibration errors)." Thus, the comment is incorrect; "sufficiently low" doesn't mean the likelihood of failure of the digital modification is comparable to single failure malfunctions but rather much lower than the likelihood of single failures.
The comment also states:
Therefore, digital failures that have comparable likelihood to analog failures do not automatically increase the frequency of the accident; RG 1.187 should correct this error.
The NRC staff does not agree that "not sufficiently low" means the likelihood of failure of the analog and digital equipment is comparable, as explained above.
The comment also states:
RG 1.187 should also clarify that digital failures that have a comparable likelihood to analog failures may increase the frequency of the event if there are more digital vulnerabilities; but this is rarely the case for modern digital designs.
The NRC staff does not agree with this part of the comment because Appendix D already provides guidance on evaluating frequency and likelihoods. The point of Example 4-10 is to demonstrate that a modification that introduces a CCF for which the likelihood of occurrence is not sufficiently low, in the absence of the ability to offset weaknesses, should be considered as a more than minimal increase in the frequency of occurrence under Section 50.59(c)(2)(i).
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-14
NEI 96-07 Appendix D Example 4-11 concludes that an adverse impact on the likelihood of occurrence of the malfunction has occurred due to the potential for a CCF due to a design defect in redundant safety controllers. But this conclusion does not credit that for compliance to other regulatory guidance for safety systems, the digital equipment must be designed with a robust design process. Therefore, in accordance with SRM SECY 93-087 the likelihood of a CCF due to a design defect is low enough to consider the CCF a beyond design basis event; this supports a qualitative assessment with "sufficiently low likelihood" conclusion in accordance with RIS 2002-22 Supplement 1. Therefore, the increase in the likelihood of the event due to a digital CCF is minimal; a minimal increase is permitted by 10 CFR 50.59(c)(2)(i). RG 1.187 should correct this conclusion and clarify the correlation to SRM SECY 93-087.
NRC Staff Response
The NRC staff does not agree with the comment because the comment did not apply the guidance in NEI 96-07 Appendix D, Section 1.5, which states that examples address ONLY certain aspects of the guidance within Appendix D, at the deliberate exclusion of other pertinent and/or related aspects of the guidance and of the change which, if considered, could potentially change the evaluation conclusion. Example 4-11 demonstrates an impact on the likelihood of occurrence of the malfunction due to the potential for a software common cause failure. More specifically, this example serves to demonstrate a case in which an incredible event has become credible due to a digital modification. The example is not attempting to address the case where other regulatory guidance for safety systems may provide the digital system with a robust design process, nor does it address whether the increase in frequency is minimal or more than minimal. While not addressed in this example, the NRC staff also disagrees with the comment's suggestion that the status of CCF as a beyond design basis event means that an increase in the likelihood of a CCF is always minimal and therefore permitted by section 50.59(c)(2), criterion (i) or (ii). Each proposed modification must be evaluated under 10 CFR 50.59 on a case-by-case basis.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-15
NEI 96-07 Appendix D Example 4-12 describes a sufficiently low likelihood, which supports a conclusion that there is not more than a minimal Increase in the likelihood of occurrence of a malfunction. The example states that "The qualitative assessment considered system design attributes, quality of the design processes employed, and operating experience of the proposed equipment." But unless interconnections are described, as they are in the same example for the screening, Example 4-3 Option 1 retaining two discrete, unconnected control systems, it is not possible to assess the likelihood of malfunctions due to a failure of a shared resource (e.g., network, workstation). Without adequate defensive measures, shared resources are typically new sources of failure that increase the likelihood of malfunctions. I agree that the design process may support a "sufficiently low likelihood" conclusion for failure due to a design defect.
But to reach a conclusion that the likelihood of failure has not increased due to single random hardware failures, an assessment is needed for the likelihood of failures in all shared resources.
RG 1.187 should clarify that a sufficiently low likelihood conclusion for a design defect does not preclude malfunctions due to shared hardware resources.
It is recognized that NEI 96-07 Appendix D Section 1.5 discusses deliberate exclusion of other pertinent and/or related aspects. However, since the potential for CCF due to a single malfunction in a shared resource is frequently overlooked, this example should help industry avoid that oversight, not contribute to the potential for that oversight.
NRC Staff Response
The NRC staff does not agree with the comment. The examples in Appendix D frequently omit factors that are not relevant to the aspect of the guidance being illustrated by the example.
Interconnections are not relevant to the example cited in the comment, which is intended simply to illustrate that a qualitative assessment concluding in sufficiently low likelihood of failure is sufficient to conclude that criterion (ii) is not met. The NRC staff agrees, and Appendix D points out, that factors such as interconnections would need to be considered in a full Section 50.59 evaluation to support a proposed change, but that level of detail is not needed in the example.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-16
NEI 96-07 Appendix D Example 4-13:
- a. Saying "the failure likelihood introduced by the modified SSC is not sufficiently low" is unrealistic, because a digital modification for any safety equipment must have a robust design process. If not, it does not comply with other regulatory guidance for safety systems. If there is a robust design process, that complies with regulatory guidance, then a sufficiently low likelihood conclusion for a CCF due to a design defect will be reached. Understanding 10 CFR 50.59 is difficult enough; unrealistic examples compound this challenge and are very likely to mislead industry. RG 1.187 should address the unrealistic evaluation conclusion in this example.
- b. Saying "the single failure criteria are no longer met" [should be "criterion is no longer met"] is unrealistic, because the single failure criterion (SFC) must always be met for redundant safety equipment. Even the potential for a CCF due to a design defect does not negate SFC compliance, because for a safety system (i.e., a system with a robust design process) SECY 93-087 defines CCF due to a design defect as a beyond design basis event. BTP 7-19 has clarified that a design defect in a safety system is not a single failure. RG 1.187 should correct the inconsistency between this example and other NRC guidance.
NRC Staff Response
The NRC staff disagrees with part a of the comment because 10 CFR 50.59 requires that an evaluation of likelihood be performed for proposed modifications and RIS 2002-22, Supplement 1 provides guidance on one acceptable way to perform that evaluation for certain proposed modifications, that is, through a qualitative assessment. The NRC staff reads Example 4-13 as simply reminding licensees that every qualitative assessment should be conducted with an open mind to the possibility that it will result in a conclusion that there is not a sufficiently low likelihood of failure.
Additionally, the NRC staff does not agree with part b of the comment because the example is demonstrating that a proposed change's inability to meet a single failure criterion means that an amendment is required to authorize the change. The licensee would not be allowed to make this facility change without an amendment under 10 CFR 50.59.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-17
NEI 96-07 Appendix D Example 4-14 is used to illustrate a modification that does not create an accident of a different type because the likelihood of a CCF is sufficiently low. But in contrast, even if the failure likelihood is not sufficiently low, loss of feedwater and excess feedwater (even if more severe than previously analyzed) are not accidents of a different type, because these feedwater anomalies were previously analyzed. The consequences of the malfunction may increase, but that requires evaluation for 10 CFR 50.59(c)(2)(iv). RG 1.187 should clarify this point.
NRC Staff Response
The NRC does not agree with the comment. Example 4-14 does not need to describe the specific malfunctions and how they could create an accident of a different type because the purpose of Example 4-14 was simply to illustrate a modification that does not create an accident of a different type when the qualitative assessment concluded that the likelihood of a CCF is sufficiently low.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-18
NEI 96-07 Appendix D Example 4-15 is used to illustrate the creation of an accident of a different type when two separate control functions are combined into a single digital controller. I agree that this configuration could result in an accident of a different type. However, the example should also emphasize that the same conclusion would be reached if there were separate digital controllers that employed a common shared hardware resource (e.g., network, touch screen), because with a shared hardware resource a single malfunction could adversely affect both controllers. The same conclusion would also be reached if there were separate controllers, with each sharing the same digital design, and a sufficiently low likelihood conclusion could not be reached for a design defect; since this is a non-safety application, a robust design process cannot be assumed. RG 1.187 should add these points.
NRC Staff Response
The NRC staff does not agree with the comment because Example 4-15 fulfills its intended purpose, which is to illustrate the guidance in Appendix D, Section 4.3.5, regarding the creation of an accident of a different type. The NRC staff does not agree that RG 1.187 should add these alternate technical scenarios because these details are not covered in Appendix D.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-19
NEI 96-07 Appendix D Example 4-16 describes a replacement of analog transmitters that are part of the ESFAS with digital transmitters under 10 CFR 50.59 based on a qualitative assessment that concludes the likelihood of CCF due to a design defect is sufficiently low.
However, RIS 2002-22 Supplement 1 does not permit the use of a qualitative assessment for ESFAS components. In addition, SRM SECY 93-087 and BTP 7-19 require AOOs and PAs in the UFSAR be re-analyzed with a concurrent CCF to demonstrate coping unless there is sufficient diversity or simplicity to preclude further consideration of a CCF due to a design defect.
RG 1.187 should address this conflict between NEI 96-07 Appendix D and other regulatory guidance. The Standard Review Plan (NUREG-0800) includes transmitters in Section 7.3 for the ESFAS, and transmitters are covered within the scope of IEEE 603. Clearly the ESFAS cannot function without process measurements from transmitters. If the Staff does not consider transmitters part of the ESFAS, the basis should be explained in RG 1.187.
NRC Staff Response
The NRC staff does not agree with the comment that RIS 2002-22 Supplement 1 does not permit the use of a qualitative assessment for ESFAS components. RIS 2002-22, Supplement 1, states:
This RIS supplement is not directed toward digital I&C replacements of the reactor protection system, the engineered safety features actuation system, or modification/replacement of the internal logic portions of these systems (e.g., voting logic, bistable inputs, and signal conditioning/processing) because application of the guidance in this RIS supplement to such changes would likely involve additional considerations (emphasis added).
This means that the RIS supplement should not be used for wholesale replacement of the engineered safety features actuation system or the internal logic portions of these systems.
Replacement or digital modifications to other components of these systems are allowed using the RIS supplement. The examples provided in Section 3, Qualitative Assessments, of the RIS supplement include components similar to transmitters, such as relays (including timing relays).
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-20
NEI 96-07 Appendix D Example 4-16 describes an analog design whose failure could affect only one of four feedwater valves and a proposed digital design whose failure could affect all four feedwater valves. The example states that this proposed design does not create the possibility for a malfunction of an SSC important to safety with a different result, because the existing loss of feedwater analysis assumed a failure of all four feedwater valves.
Since the loss of all feedwater is a different malfunction, and far more safety significant, than loss of feedwater from one valve, the digital design clearly presents a more severe challenge to plant safety. Therefore, RG 1.187 should clarify that this is more than a minimal increase in the consequences of a malfunction of an SSC important to safety per 10 CFR 50.59(c)(2)(iv), or explain why it is not as discussed in Item 1, above.
RG 1.187 should also clarify the conditions under which a licensee is permitted to first revise their accident analysis to address anticipated digital modifications (e.g., failure of all valves vs. one valve), so that they can subsequently conclude that the proposed digital design is bounded by the existing analysis.
NRC Staff Response
Based on the content of the comment, the NRC staff understands the comment to be referring to NEI 96-07, Appendix D, Example No. 4-17, not 4-16.
The NRC staff does not agree with the comment because the example illustrates the guidance in Appendix D, Section 4.3.6, related to criterion 10 CFR 50.59(c)(2)(vi) (i.e., "with a different result than any previously evaluated") while any impact on consequences is evaluated under the guidance for criteria 10 CFR 50.59(c)(2)(iii) and (iv) (i.e., "Result in more than a minimal increase in the consequences of"). The reason this example is not a different result is because it is bounded by the existing loss of feedwater accident analysis, which is a previous evaluation of the result of a malfunction in the FSAR. This example would reach the same conclusion even following the guidance in section 4.3.6 of NEI 96-07, Revision 1.
Additionally, the NRC staff does not agree with the portion of the comment that discusses a licensee revising its accident analysis because in order to make the change described by the comment, the licensee would have first had to determine whether the change is allowed without a license amendment, e.g., under 10 CFR 50.59. If a change is allowed without a license amendment, then the change can be implemented regardless of whether it enables other future changes. Combining changes that are intended to support other changes is already addressed by NEI 96-07, Revision 1, Section 4.2, Screening, which states:
"Each element of a proposed activity must undergo a 10 CFR 50.59 evaluation, except in instances where linking elements of an activity is appropriate, in which case the linked elements can be evaluated together." This is not the case for NEI 96-07, Appendix D, Example 4-17.
In the case proposed by the comment it is possible that the accident analysis result may have previously been revised under 10 CFR 50.59 to a higher value for other reasons (e.g., a change to a method of evaluation) such that a subsequent accident analysis result is bounded by the higher value. But in that case, the change would still have been preceded by a 10 CFR 50.59 evaluation concluding that no license amendment was required. It's also possible the licensee requested and the NRC issued an amendment to authorize the revision to the accident analysis.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-21
NEI 96-07 Appendix D Example 4-21 describes the combining of previously separate control systems, Steam Bypass Control System (SBCS) and Pressurizer Pressure Control System (PPCS), into a single digital controller, and concludes that this does not create the possibility of a malfunction with a different result. This conclusion is reached based on two reasons, which both have inconsistencies; therefore, additional explanation is required:
- a. The evaluation states In the Increased Main Steam Flow accident analysis, the pressurizer pressure control system is assumed to be in automatic and would attempt to mitigate the results of the accident. Clearly, if the analysis credits mitigation by the PPCS, then mis-operation of the PPCS would aggravate this event.
- b. The evaluation states regardless of the mis-operation of the pressurizer pressure control system during the event, the malfunction of the pressurizer pressure control system would have no effect on this event. This conclusion presumes a certain manner of mis-operation (i.e., no pressure control or fail as-is) which one cannot do for CCF.
This conclusion fails to recognize that the same design defect or random hardware failure within the controller that caused the SBCS valves to erroneously open could also cause the PPCS function in the same digital controller to erroneously close pressurizer spray valves and energize pressurizer heaters (i.e., erroneously increase pressure); this failure cannot be precluded without a detailed FMEA that considers other defensive measures. Even if the PPCS is not credited to mitigate the event, as would be the case for most accident analyses (I believe the statement in Example 4-21, discussed in item a above is actually incorrect), accident analyses do not consider a concurrent unrelated failure of other systems. Therefore, for the Main Steam Flow event, in the current analysis the SBCS is assumed to fail, but the PPCS is assumed to not fail in a manner that would aggravate the accident. The potential for a single malfunction (within the design basis) or a single design defect (beyond the design basis) to cause concurrent pressure increase by both the SBCS and PPCS is certainly a malfunction with a result that requires more analysis to determine its effect on the plants critical safety functions.
RG 1.187 should correct the inconsistencies in this example or explain their bases.
NRC Staff Response
The NRC staff does not agree with the comment. The purpose of Appendix D is to describe how to apply 10 CFR 50.59 to a given proposed digital I&C modification. These comments relate to how controllers might actually function and the extent to which actual accident analyses might assume the functioning of the control systems. The details raised by the comment are not necessary to illustrate the point of Example 4-21. The scenario described in Example 4-21 is reasonable based on the stated facts and therefore is acceptable for illustrating how to apply 10 CFR 50.59 to the facts given in the example.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-22
NEI 96-07 Appendix D Example 4-22 describes replacement of solid-state cards in the reactor protection system (RPS) with digital cards. The example states that the likelihood of CCF is not sufficiently low. But these are safety cards; therefore, other regulatory requirements impose a robust design process. Therefore, in accordance with SRM SECY 93087 and BTP 7-19 the likelihood of a CCF due to a design defect is low enough to consider the CCF a beyond design basis event; this supports a "sufficiently low likelihood" conclusion.
However, RIS-2002-22 Supplement 1 precludes using a qualitative assessment for components of the RPS; therefore, the likelihood conclusion is irrelevant. RG 1.187 should clarify this inconsistency.
Also, saying that a design defect could invalidate SFC compliance is incorrect. As clarified in BTP 7-19, a design defect is not a single failure. For most applications, SFC compliance is invalidated only when there is insufficient redundancy or insufficient independence between redundancies. RG 1.187 should correct this incorrect statement in this example.
NRC Staff Response
The NRC staff disagrees with the comment. The NRC staff does not agree with the comment's understanding of the issues relating to the concepts of "sufficiently low likelihood" and "beyond design basis." There are two different principles at issue, with two different meanings: (1) sufficiently low likelihood of failure, and (2) beyond design basis.
In Example 4-22, the likelihood of failure is not sufficiently low because it is a given fact in the example. The example does not serve to demonstrate the use of RIS 2002-22, Supplement 1 for the replacement of all RPS solid-state cards with digital cards; rather, it demonstrates that introducing a new possibility for CCF can result in a loss of independence between redundant trains or channels and invalidate a previous conclusion that the single failure criterion has been satisfied. The guidance in RIS 2002-22, Supplement 1 does not apply to upgrades such as the card replacement described in the example, even if a licensee concluded the likelihood of failure is sufficiently low. However, the determination of "not sufficiently low" is conservative and therefore can be made without any explicit guidance for doing so; applying it as in this example does not mean that a determination of "sufficiently low" is sufficient to allow replacement of all RPS solid-state cards with digital cards.
The term "beyond design basis" is not used in NEI 96-07, Revision 1 or Appendix D. While Appendix D does not address this concept, the NRC staff disagrees with the comment's suggestion that the status of CCF as a beyond design basis event means that an increase in the likelihood of a CCF is always minimal and therefore permitted by section 50.59(c)(2), criterion (i) or (ii). Each proposed modification must be evaluated under 10 CFR 50.59 on a case-by-case basis.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-23
NEI 96-07 Appendix D Example 4-23 describes replacement of safety related analog voltage regulators with safety related digital regulators. This example has the same incorrect statements regarding sufficiently low likelihood and SFC compliance as discussed above for Example 4-22. RG 1.187 should address these points.
NRC Staff Response
The NRC staff disagrees with the premise of the comment because it relies on a mistaken understanding of regulatory requirements and other guidance, as explained in the response to Comment 5-22.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-24
NEI 96-07 Appendix D Example 4-24 describes replacement of analog pressurizer pressure transmitters and associated circuitry used to control the Low Temperature Overpressure Protection opening signal for the pressurizer Power Operated Relief Valve (PORV) with digital equipment. Since these are safety related components, this example has the same incorrect statements regarding sufficiently low likelihood as discussed above for Example 4-22.
Regardless, this example fails to mention that these are components of the RPS, for which RIS 2002-22 Supplement 1 does not permit a qualitative assessment. RG 1.187 should address both of these points.
NRC Staff Response
The NRC staff does not agree with the comment. As discussed in the NRC staff's response to comment 5-19, the RIS supplement indicates that it should not be used for wholesale replacement of the reactor protection system, the engineered safety features actuation system, or the modification/replacement of the internal logic portions of the RPS or ESFAS systems.
Replacement of other RPS and ESFAS components is allowed using the RIS supplement.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-25
NEI 96-07 Appendix D limits the discussion to only software CCF. However, RIS 2002-22 Supplement 1 addresses all sources of digital CCF; software CCF is just one example. Draft BTP 7-19 Revision 8 also addresses all sources of digital CCF. RG 1.187 should address this discrepancy between NEI 96-07 Appendix D and other regulatory guidance.
NRC Staff Response
The NRC does not agree with the comment. NEI 96-07, Appendix D augments and supplements the guidance in NEI 96-07, Revision 1. NEI 96-07, Revision 1 provides guidance for CCFs that are not due to software. Appendix D is supplemental guidance specifically in the area of software CCF. Taken together, NEI 96-07, Revision 1 and NEI 96-07, Appendix D provide guidance for considering issues related to digital CCF under section 50.59. Although BTP 7-19 and RIS 2002-22, Supplement 1 also address issues related to digital CCF, the NRC staff drafted these documents to serve different purposes, with accordingly different scopes, than NEI had for Appendix D. Therefore, the NRC staff does not consider any difference between these documents and Appendix D to be discrepancies that need to be remedied.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-26
Several sections of NEI 96-07 Appendix D rely on a conclusion that the likelihood of a failure is sufficiently low. RG 1.187 should clarify that it is possible to conclude that the likelihood of a design defect is sufficiently low. But it is not technically possible to conclude that the likelihood of failure of a shared hardware resource (e.g., controller, network, touch screen) is sufficiently low. This is because hardware resources fail randomly and those random failures must be assumed to occur during the life of the plant.
Without sufficient defensive measures, failure of a shared hardware resource can adversely affect multiple functions that were previously separate in the analog design. For example, (1) erroneous operation of multiple control functions can result in a transient (i.e., accident) of a different type, (2) erroneous asynchronous control rod movements can result in a transient (i.e., accident) of a different type.
Therefore, RG 1.187 should clarify that the qualitative assessment may reach different likelihood conclusions for different failure sources.
NRC Staff Response
The NRC disagrees with the comment. The commenter is conflating loss of hardware with loss of function, which in turn conflates the single failure criterion with the requirements of Section 50.59. Section 50.59 is concerned with functions, not individual pieces of equipment. So, it may be true that the single failure criterion requires an analysis of occurrence if a particular SSC fails, but the whole point of the single failure requirement is that the function must be maintained despite any single failure of an SSC. A change may introduce a potential new point of single failure that must be evaluated.
Digital modifications to hardware that reduce the redundancy, diversity, separation, or independence of UFSAR-described design functions would most likely require prior NRC approval under criterion 10 CFR 50.59(c)(2)(ii) (whether there is a more than minimal increase in the likelihood of a malfunction of an SSC important to safety). For example, if failure of a shared resource could result in concurrent failure of previously independent SSCs, that should be considered a reduction in independence. Further, requirements for treatment of some SSCs in accordance with single failure criteria account for random hardware failures.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
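As an added illustration of the shared-resource point in the response above (example code written for this page, not part of NEI 96-07, Appendix D, RG 1.187, or any NRC tool; the function and hardware names are constructed), the following Python check compares a "before" and "after" mapping of design functions to the hardware they depend on, and flags any resource that newly couples functions which previously shared nothing, i.e. a candidate reduction in independence. It models only shared-hardware dependency; a design defect (software CCF) needs separate consideration, as the page distinguishes.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample. "BEFORE" is an analog design with separate controllers;
# "AFTER" is an Example 4-21 style change hosting SBCS and PPCS in one
# digital controller while FWCS gets its own controller.
BEFORE = {
    "SBCS": {"sbcs_analog_controller", "main_steam_pressure_sensor"},
    "PPCS": {"ppcs_analog_controller", "pzr_pressure_sensor"},
    "FWCS": {"fwcs_analog_controller"},
}
AFTER = {
    "SBCS": {"digital_controller_1", "main_steam_pressure_sensor"},
    "PPCS": {"digital_controller_1", "pzr_pressure_sensor"},
    "FWCS": {"digital_controller_2"},
}


def shared_resources(mapping):
    """Return {resource: sorted functions} for every resource used by more
    than one function; these are the single points whose failure could affect
    several functions at once."""
    users = defaultdict(set)
    for func, resources in mapping.items():
        for res in resources:
            users[res].add(func)
    return {res: sorted(funcs) for res, funcs in users.items() if len(funcs) > 1}


def dependent_pairs(mapping):
    """Set of unordered function pairs that already share some resource."""
    pairs = set()
    for funcs in shared_resources(mapping).values():
        pairs.update(frozenset(p) for p in combinations(funcs, 2))
    return pairs


def new_common_points(before, after):
    """Resources in 'after' that couple function pairs which had no shared
    resource in 'before'. Non-empty output is a prompt to ask the independence
    question under 10 CFR 50.59(c)(2)(ii), not a conclusion by itself."""
    old_pairs = dependent_pairs(before)
    flagged = {}
    for res, funcs in shared_resources(after).items():
        new = [p for p in combinations(funcs, 2) if frozenset(p) not in old_pairs]
        if new:
            flagged[res] = new
    return flagged


if __name__ == "__main__":
    for res, pairs in new_common_points(BEFORE, AFTER).items():
        print(f"{res}: newly couples {pairs}")
```

A flagged resource says nothing about defensive measures or failure likelihood; it only identifies where the analog design's separation no longer holds.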
Comment No. 5-27
The words "different result" appear in many sections of NEI 96-07 Appendix D, as well as in the main body of NEI 96-07. But there is no definition of these words in any of these sections.
RG 1.187 should clarify that the "result" of concern is the impact on the critical safety functions of the plant; other interim results that may be different than previous results are not a concern for the 10 CFR 50.59 evaluation.
NRC Staff Response
The NRC staff does not agree with the comment because NEI 96-07, Revision 1, Section 4.3.6 and RG 1.187, Revision 2, sufficiently describe "different result." NEI 96-07, Revision 1, Section 4.3.6, states:
A malfunction that involves an initiator or failure whose effects are not bounded by those explicitly described in the UFSAR is a malfunction with a different result.
Based on the above, the NRC staff determined that no changes are needed to RG 1.187, Revision 2, in response to the comment.
Comment No. 5-28
NEI 96-07 Appendix D Rev. 1 was published May 2020. NEI requested NRC endorsement in a letter dated May 13, 2020. Then NRC issued RG 1.187 Rev. 2 June 2020 with an effective date of July 7, 2020. The Staff should explain why there was no public comment period prior to the issuance of RG 1.187 Rev. 2.
NRC Staff Response
There was a public comment period prior to the issuance of RG 1.187, Revision 2 (DG-1356) from 5/30/19 to 7/15/19 (FRN Doc # 2019-11246). As proposed in May 2019, RG 1.187, Revision 2, included an exception to NEI 96-07, Appendix D. Between August 2019 and May 2020, NEI and the NRC staff engaged in discussions in public meetings aimed at resolving this exception prior to final publication. There were four additional public meetings held from July 2019 to June 2020 on the RG. Additionally, there were two public ACRS meetings. As the comment notes, in May 2020, NEI submitted to the NRC Appendix D, Revision 1, which included changes intended to resolve the exception. Although the NRC need not offer an additional opportunity for public comment to issue a final RG, the NRC offered a post-promulgation opportunity for comment in light of the significance of the changes to both NEI 96-07, Appendix D, Revision 1 (May 2020), and RG 1.187, Revision 2 (FRN Doc # 2020-14564).