ML21270A131

NEI 17-06 NEI Response to NRC Comments
Site: Nuclear Energy Institute
Issue date: 09/24/2021
From: Andy Campbell, Nuclear Energy Institute
To: Serita Sanders, Licensing Processes Branch
Shared Package: ML21270A130
References: NEI 17-06, Rev 0



NEI 17-06, Rev. 0, NEI Responses to NRC Comments, September 24, 2021

Table columns: Comment No. | Page and Section | Significance & Type | Comment | NEI Response

Comment 1
Page and Section: General
Significance & Type: Potential Exception / QA Oversight
Comment: As the proposed commercial grade dedication (CGD) methodology will be considered a reduction in commitment in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.54(a)(4), the report should add an action that the licensee use of this approach will require a change to their approved quality assurance program manual. For comparison purposes, Nuclear Energy Institute (NEI) 14-05 states, in part, "Prior to a licensee implementing the methodology outlined in NEI 14-05A, Revision 0, the U.S. Nuclear Regulatory Commission (NRC) required a licensee to submit a revision to its Operating Quality Assurance Program (OQAP) for NRC acceptance in accordance with 10 CFR 50.54(a)(4) since implementation of NEI 14-05A represented a reduction in commitment."
NEI Response: This action will be added to NEI 17-06.

Comment 2
Page and Section: Page 3, Section 1.3
Significance & Type: Potential Exception / QA Oversight
Comment: Section 1.3, "Acceptance of Safety Integrity Level as Verification of Dependability Critical Characteristics," leverages the results of the American National Standards Institute (ANSI) National Accreditation Board (ANAB) audit of exida and the supplemental effort by the NEI working group to complete the supplemental audit checklist related to the implementation of the International Electrotechnical Commission (IEC) 61508 technical criteria at exida. The report concludes that the SIL accreditation process is sufficient, robust, and repeatable, such that other ABs that are signatories of the International Accreditation Forum (IAF) should also be considered acceptable for these purposes.
The NRC's approach to approving NEI 14-05 regarding use of the ILAC process in lieu of CGD activities was based on the NRC and the industry having evaluated multiple accreditation bodies (ABs) and certifying bodies (CBs) performing work in accordance with the established ILAC programs and agreements as it pertained to the implementation of the International Standards Organization (ISO) 17025 standard, to gain assurance that the process was stable, robust, and repeatable. This report is essentially based on conclusions drawn from a single audit observation (done twice) of one AB and one CB, by the NRC and NEI, and additional inference from a report by the Electric Power Research Institute (EPRI) that has not been formally evaluated by the NRC.
As a result, the NRC does not consider it appropriate to include or suggest that other, non-vetted ABs are acceptable in the report. Given the observations made during the implementation audit conducted by ANAB of exida, which were discussed at the June 23, 2021 public meeting, and the need to perform supplemental verification external to the ANAB process (supplemental checklist), NEI 17-06 should clearly limit the applicability of using this alternative currently to ANAB with restrictions, with provisions for potentially adding other ABs after adequate vetting by NEI, US nuclear licensees, and the NRC.
NEI Response: This limitation will be added to NEI 17-06 along with a description of a methodology for adding others.

Comment 3
Page and Section: Page 3, Section 1.3
Significance & Type: Potential Exception / QA Oversight
Comment: Similarly, the sole observation of ANAB auditing the capabilities and programmatic controls at exida, and the need to perform a supplemental checklist due to observed weaknesses in the ANAB accreditation process, should not be used as the basis for approval of other CBs without continued direct observation of the accreditation activities of ANAB for those other CBs and completion of the supplemental checklists.
NEI Response: At this point, the intent is for the supplemental checklist to be performed for each CB, but it is not necessary for NEI/NRC to observe ANAB's accreditation activities for every CB.

Comment 4
Page and Section: Page 20, Section 4.1
Significance & Type: Potential Exception / Use of Ref. 8, EPRI 3002011817
Comment: The first sentence in the paragraph, "The approach being laid out in this document for performing commercial grade dedication of digital equipment is based on the conclusion pointed out in Section 3.3 of this document," implies that EPRI research is the sole source of information that leads to the conclusion that SIL certifications can be used as the evidence of acceptability of dependability critical characteristics (CC), as defined by EPRI TR-106439. Whereas, NEI's observation of ANAB's audits of exida that used the NEI audit checklist (based on EPRI TR-106439 dependability CC) is an alternative to the EPRI research. Since the NRC endorsement of NEI 17-06 is not relying on EPRI research, revise this paragraph to provide adequate basis for the stated claim.
NEI Response: This sentence will be revised to point to the use of the NEI audit checklist instead of to the EPRI report.

Comment 5
Page and Section: Page 25, Section 4.4
Significance & Type: Potential Exception / Use of Ref. 8, EPRI 3002011817
Comment: In the "SIL Certification Process Method of Verification" column, reference is made to the EPRI research report (Reference 8). Since the EPRI report is not being evaluated by the NRC, reference should only be made to the relevant IEC 61508 consensus standard sections. In general, any information from the EPRI research report that is necessary for this CGD process (that relies on safety integrity level (SIL) certification) should be included within NEI 17-06.
NEI Response: The references to the EPRI report will be replaced by the corresponding references to IEC 61508 called out in the supplemental accreditation checklist.

Comment 6
Page and Section: Page 30, Section 5.5
Significance & Type: Potential Exception / QA Oversight
Comment: Section 5.5, Compensatory Measures, identifies a long-term and short-term path to resolve the observed accreditation process weaknesses. The long-term path is to work with ANAB to improve the assessment of Section 7.1.2 of ISO 17065. However, that action has been noted as preliminary in nature and will take an unspecified length of time to achieve, if at all. Given the nature of this as preliminary, at best, the NRC cannot endorse a compensatory measure that has not been formalized. NEI should provide a more definitive set of actions that have been agreed to and accepted by both parties and a timeline to achieve full implementation.
NEI Response: More detail will be provided to describe the long-term path and clearly define what actions must be accomplished to successfully resolve the observed concerns. The intent is to describe what ANAB needs to do to resolve the observed deficiencies and, if they do, the long-term path can be utilized; if not, then the short-term path will continue to be used.

Comment 7
Page and Section: Page 30, Section 5.5
Significance & Type: Clarification / QA Oversight
Comment: Furthermore, the short-term compensatory measure described also lacks adequate specificity to enable the NRC to endorse it as an acceptable means to meet the regulatory requirements. Specifically, the action to have the U.S. nuclear industry develop a supplemental accreditation checklist to be applied to each CB that would assess their scheme's compliance with IEC 61508 within the context of the dependability CC in Table 4-1 of EPRI TR-106439. Details regarding the methods by which this will be performed and by whom more specifically (i.e., NEI working group, Nuclear Procurement Issues Corporation (NUPIC), individual licensees), and a description of necessary and sufficient administrative controls to ensure consistent application of the checklist should be provided. This may include the need to evaluate and accept the EPRI report as well as the IEC 61508 standard as it pertains to the checklist provided in Appendix D.
NEI Response: A clarification will be added so that it is understood that the checklist included in Appendix D is to be used. A new checklist will not be required to be developed by the nuclear industry, so the NRC doesn't need to evaluate the EPRI report or IEC 61508. More detail will be added to describe the short-term path, and the responsible party will be changed to "the licensee or their designee".

Comment 8
Page and Section: General
Significance & Type: Clarification / NEI 17-06 Scope
Comment: The intended scope of applicability of NEI 17-06 should be clear to support its efficient potential endorsement in a Regulatory Guide (RG). The staff considers the scope of NEI 17-06 to only apply under the following conditions/circumstances: 1) Applies only to digital I&C equipment, 2) Applies only to CGD for the critical characteristic of dependability, 3) Applies only to 10 CFR Part 50 and 10 CFR Part 52 power reactors, 4) Applies only where the item has a certification of compliance to an IEC 61508 SIL by a functional safety certifying body, and 5) Applies only where the functional safety certifying body has been accredited by a signatory to the International Accreditation Forum. If 1 through 5 above do not correctly set the limit of NEI 17-06's intended application, would NEI clarify and indicate whether a clarification would also be included in the body of NEI 17-06?
NEI Response: The identified scope is consistent with NEI's intent. NEI 17-06 will clarify this scope.

Comment 9
Page and Section: General
Significance & Type: Clarification / NEI 17-06 Scope
Comment: Alignment on NEI's intended scope of endorsement of NEI 17-06 should be clear to support its efficient potential endorsement in an RG. The staff considers the scope of NEI 17-06 to be endorsed by the NRC to include the following items: 1) For a commercial item with a SIL certification, the guidance in NEI 17-06 that applies the ISO 17065 accreditation process as supplemented is acceptable for use as a commercial-grade survey of a SIL certification service provided by an IEC 61508 functional safety certifying body, 2) For a commercial item with a SIL certification, the guidance in NEI 17-06 that applies a SIL certification by an accredited certifying body is acceptable for use when assessing the suitability of the commercial item for its critical characteristic of dependability, 3) When applying EPRI TR-106439 and EPRI 30020002982 to a commercial item with a SIL certification, the guidance in NEI 17-06 that applies a SIL certification by an accredited certifying body to establish the dependability characteristics of the commercial equipment is an acceptable substitute for methods 2 (Commercial-Grade Survey of Supplier) and 4 (Acceptable Item Performance Record) when performing a CGD. If 1 through 3 above do not correctly represent what NEI seeks in an NRC endorsement of NEI 17-06, would NEI clarify and indicate whether a clarification would also be included in the body of NEI 17-06?
NEI Response: The identified scope is consistent with NEI's intent. NEI 17-06 will clarify this scope.

Comment 10
Page and Section: General
Significance & Type: Clarification / NEI 17-06 Scope
Comment: It appears that NEI 17-06's scope does not include or reference a method to determine the SIL level upon which a particular piece of digital I&C equipment's dependability would be evaluated using NEI 17-06 as guidance. NEI to clarify if NEI 17-06's endorsement should leave open the method for determining the SIL level of the digital equipment being dedicated?
NEI Response: Section 4.2 of NEI 17-06 provides a high-level approach to determining the SIL level. This is consistent with how EPRI TR-106439 leaves open the application of a graded approach. The endorsement should leave open the method for determining the SIL level accordingly.

Comment 11
Page and Section: Page 9, Section 2.1
Significance & Type: Suggestion / QA Oversight
Comment: Revise the second sentence from "This accreditation is typically in accordance with ISO 17065" to "This accreditation is typically in accordance with ISO 17065 supplemented by IEC 61508 SIL certification scheme." Change the fourth sentence from "The AB performs audits and monitors activities of the CB in order to confirm that their processes and procedures, and their corresponding implementation follows ISO 17065" to "The AB performs audits and monitors activities of the CB in order to confirm that their processes and procedures, and their corresponding implementation follows ISO 17065 supplemented by IEC 61508 scheme."
NEI Response: NEI 17-06 will be revised to incorporate this suggestion.

Comment 12
Page and Section: Page 21, Section 4.1
Significance & Type: Suggestion / NEI 17-06 Scope
Comment: When procuring SIL certified equipment, the dedicating entity should receive the SIL certificate from the original equipment manufacturer (OEM) and not the CB. The CB grants the SIL certificate to the OEM and has no obligation of providing the SIL certificate to the dedicating entity. In addition, the dedicating entity should also receive a set document from the OEM that describes the application limitations of their SIL certified product. Please update this figure to correct these relationships.
NEI Response: To ensure authenticity, it is best to acquire the SIL certificate from the CB. CBs are set up with certificate databases to support this approach. Obtaining the safety manual (describes the application limitations) from the OEM will be added to the figure.

Comment 13
Page and Section: Page 22, Section 3
Significance & Type: Clarification / NEI 17-06 Scope
Comment: NEI 17-06 states that the estimated failure rates of the observed logic solver failure data are conservative since 323 failures were expected but only 205 occurred. It also states: "These results also illustrated how the probabilistic failure rates and the systematic integrity could both be evaluated through the review of field failure data." The document also states that "it is valuable to note that systematic integrity is a parallel concept to the nuclear industry's concept of common cause failure." The NRC finds this statement to be unclear and potentially misleading to potential users of NEI 17-06. The integrity of a component does not in itself establish systematic integrity of the system's safety function. Absent this additional consideration of system architecture and application of safety features, NRC understands such individual logic solver failure data can at best represent only the reliability of the specific platform device configuration that was incorporated into a system of devices designed to achieve a plant safety function. Please clarify what is meant by stating that systematic integrity of a single platform can be considered a "parallel concept" to the nuclear industry's concept of common cause failure, which usually addresses failure causes which can occur concurrently in redundant channels.
NEI Response: (This comment applies to page 18, section 3.2 of NEI 17-06, not page 22, section 3.) The phrase "it is valuable to note that systematic integrity is a parallel concept to the nuclear industry's concept of common cause failure" will be removed to avoid unnecessary discussion. This note is not important to the methodology being laid out in NEI 17-06.

Comment 14
Page and Section: Page 22, Section 4.2
Significance & Type: Suggestion / NEI 17-06 Scope
Comment: This guidance limits the use of SIL certified equipment to a risk-based selection process. Does NEI intend to provide guidance or an example for selection of a SIL level that is appropriate for a safety function application using a deterministic process, e.g., can a SIL 3 certified component be used in an ESFAS with 3 or 4 divisions?
NEI Response: Section 4.2 of NEI 17-06 provides a high-level approach to determining the SIL level. This is consistent with how EPRI TR-106439 leaves open the application of a graded approach. The endorsement should leave open the method for determining the SIL level accordingly.

Comment 15
Page and Section: Page 30, Section 5.5
Significance & Type: Suggestion / QA Oversight
Comment: Section 5.5, Compensatory Measures, states, in part, that "after five years, these assessments would be reperformed to ensure the CB's schemes have remained compliant, unless the long-term path has already been realized. Five years is an appropriate amount of time because the IEC 61508 standard is a very stable document, and the accreditation activities will continue to happen annually." Although the accreditation process may be stable, the NRC considers a 3-year timeframe rather than the proposed 5 years to be appropriate, given industry precedent for similar evaluations of the supply chain's quality programs at a period not to exceed 3 years. NRC suggests it is appropriate to reflect this long-standing practice for this activity as well. (See comment to Section 7.3, Paragraph 2.)
NEI Response: NEI 17-06 will be revised to use the 3-year time frame.

Comment 16
Page and Section: Page 30, Section 5.5
Significance & Type: Clarification / QA Oversight
Comment: Implementation of the supplemental checklist will require NRC licensees, or their representatives, to have access to the ANAB processes as well as the CB's internal programs, procedures, and specific evaluations of sample products that have been vetted by the CB. This document does not address any formal agreements by the ABs, CBs, and either NEI, other US licensee organizations, such as NUPIC, or individual NRC licensees to have access to conduct such audit activities or grant access during audit performance. Please describe how the implementation of the supplemental checklists will be accomplished and how this has been formally adopted.
NEI Response: NEI has demonstrated that ANAB and exida are willing to allow this type of access, but NEI will add a prerequisite to this section of NEI 17-06 for future ABs and CBs that they will need to also allow this level of access as part of the methodology of determining their acceptability.

Comment 17
Page and Section: Page 32, Section 6.5
Significance & Type: Suggestion / QA Oversight
Comment: Section 6.5, Corrective Action, states, in part, that the dedicating entity is required to notify licensees and the NRC of deviations/defects which could result in substantial safety hazards as required by 10 CFR Part 21. In accordance with 10 CFR Part 21, the dedicating entity need only report to the NRC, not licensees, and only defects and failures to comply associated with substantial safety hazards for dedicated items need to be reported, not deviations. Please revise this to reflect the regulation language.
NEI Response: NEI 17-06 will be revised to incorporate this suggestion.

Comment 18
Page and Section: Page 1, Section 1.1
Significance & Type: Suggestion / QA Oversight
Comment: The accreditation body (AB) in the United States is now called ANAB (ANSI National Accreditation Board), a wholly owned subsidiary of the American National Standards Institute (ANSI) (see https://anab.ansi.org/). Update NEI 17-06 accordingly (consistent with Section 5.3 identification).
NEI Response: NEI 17-06 will be revised to incorporate this suggestion.

Comment 19
Page and Section: Page 3, Section 1.3
Significance & Type: Suggestion / NEI 17-06 Scope
Comment: EPRI 3002002982 is endorsed by RG 1.164, which is not referenced in NEI 17-06. In the same way NEI 17-06 includes a reference to the NRC safety evaluation of EPRI TR-106439, NEI 17-06 should include a reference to RG 1.164.
NEI Response: NEI 17-06 will be revised to incorporate this suggestion.

Comment 20
Page and Section: Page 21, Section 4.1
Significance & Type: Suggestion / NEI 17-06 Scope
Comment: The manufacturer's safety manual and related documents may only be made available upon procuring the equipment from the OEM. The steps should identify where in the procurement process of the SIL certified equipment this information is made available and any additional documents that should be a part of the procurement.
NEI Response: This specificity does not seem to be necessary. Each OEM will have their own policies for when this information is provided. For the purposes of NEI 17-06, it is only important that the information is obtained as necessary to support the methodology.

Comment 21
Page and Section: Page 21, Section 4.1
Significance & Type: Clarification / QA Oversight
Comment: ANAB-issued CB accreditation certificates are publicly available on their website. Is this also true of other ABs? The steps should clarify how to obtain the accreditation certificate.
NEI Response: This specificity does not seem to be necessary. This type of information can be covered in workshops and trainings if dedicating entities have issues with finding this information. Additionally, the specific location of this information may change over time and become obsolete if captured in NEI 17-06.

Comment 22
Page and Section: Page 23, Section 4.3
Significance & Type: Clarification / NEI 17-06 Scope
Comment: This section states, in part, "and must be certified to meet or exceed the SIL that has been established for the application (as described in Section 4.3)." This would be true when the safety instrumented system (SIS) is designed using IEC 61511 methodology. However, none of the operating reactors' safety systems have been designed using the SIS process. This "must" requirement would require the plants to determine the SIL level of the safety systems prior to using a SIL certified component in their plants. Is this the intent of this guidance?
NEI Response: There is a typo in the quoted section. It should say "as described in Section 4.2." The equipment must meet or exceed the SIL that is determined to be appropriate for the application. It is not intended for the application to have been originally designed to meet a particular SIL. Also, this concept is specific to the systematic capability aspect of the SIL certification. NEI 17-06 will be revised to correct the typo and add clarification about the systematic capability focus of this requirement.

Comment 23
Page and Section: Page 24, Section 3
Significance & Type: Suggestion / QA Oversight
Comment: Certain statements made within NEI 17-06 imply a general condition exists for all CBs when the data provided seems to support work performed by a particular CB. For example, in Section 3.3 it is stated that CBs "oversee" the compliance of a vendor to quality standards. Some evidence of this was observed by the NRC staff at its observations of the ANAB accreditation of a particular CB, but no evidence is provided that all CBs perform oversight of a vendor's self-validation process. NEI 17-06 should provide evidence that all CBs perform oversight of a vendor's self-validation process.
NEI Response: This concept is based on ISO 17065 and has been observed to be accurate for exida. Based on previous comments, NEI 17-06 is going to be limited to exida as the only acceptable CB at this time, but gathering evidence for other CBs will be part of the methodology for accepting future CBs.

Comment 24
Page and Section: Page 27, Section 4
Significance & Type: Suggestion / NEI 17-06 Scope
Comment: Regarding the SIL Certificate and Safety Manual: The steps to be followed should include actions that address the need to identify whether the safety manual identifies any precautions, conditions of operation, or limitations in the use of the equipment for which the SIL Certificate applies. Specifically, to maintain certification, the safety manual specifies implementation, configuration, or maintenance or diagnostic requirements to be followed, to maintain compliance with the certificate reliability statements.
NEI Response: Step 2 in Section 4.1 of NEI 17-06 already includes reviewing the safety manual and making sure the application is within scope. Step 2 is: "Identify SIL certified equipment, and review the SIL certification and the manufacturer's safety manual to confirm they encompass the requirements of the application (see Section 4.3 for more details)." Beyond this, it seems like it's getting into the application design/implementation process (not procurement), and that is outside the scope of NEI 17-06.

Comment 25
Page and Section: Page 31, Section 6.1
Significance & Type: Suggestion / QA Oversight
Comment: Section 6.1, Organization, states, in part, that the dedicating entity retains overall responsibility for assuring that purchased digital devices meet applicable technical and regulatory requirements and that reasonable assurance of quality exists. There are no special requirements beyond 10 CFR Part 50, Appendix B. It should be noted that the dedicating entity must also meet the requirements of 10 CFR Part 21. This should be added for completeness and accuracy.
NEI Response: NEI 17-06 will be revised to incorporate this suggestion.

Comment 26
Page and Section: Page 33, Section 7.2
Significance & Type: Clarification / QA Oversight
Comment: Section 7.2, Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices, states, in part, that as part of the continued oversight, a nuclear industry team, through NEI, will monitor the IEC 61508 SIL certification requirements to verify that they continue to cover the EPRI TR-106439 Dependability Critical Characteristics. Please describe the complement of that team, whether there is a documented commitment to support these activities among the team members, and the nature of any commitment.
NEI Response: This specificity does not seem to be necessary. The NEI will be responsible for the complement of this team. Additionally, team member commitments can change over time and become obsolete if documented in NEI 17-06.

Comment 27
Page and Section: Page 33, Section 7.2
Significance & Type: Clarification / QA Oversight
Comment: Section 7.2, Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices, states, in part, that if changes adversely impact coverage of the EPRI TR-106439 Dependability Critical Characteristics, then the nuclear industry through NEI has the ability to provide feedback to the IEC 61508 standards development committee to change the draft revision to encompass these critical characteristics. Does this require NEI to have a formal agreement with the IEC to affect such revisions? The NRC's approval of the methodology described in NEI 14-05 regarding use of the ILAC accreditation process relied, in part, on the formal relationship NEI and the ILAC organization had created through NEI's formal stakeholder membership in the organization. Under the proposed methodology outlined in Section 7.2, Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices, there is no parallel discussion of how NEI and the nuclear industry would formally affect changes to the ISO or IEC standards central to this report other than a statement that the IEC 61508 standard will be periodically reviewed and comments provided to IEC for consideration. There is no discussion regarding ISO 17065 in this regard. Describe what formal methods have been established to ensure issues identified by NEI, NRC licensees, or third-party dedicating entities will be resolved by the ISO and IEC organizations.
NEI Response: A formal agreement is not required. exida (the primary CB discussed in NEI 17-06) is a foundational member of the IEC 61508 committee, and the nuclear industry will maintain oversight with the periodic observations. The intention is not to affect change in either IEC 61508 or ISO/IEC 17065 but rather to create an analysis of the changes to determine if they have any impact on compliance to EPRI TR-106439. The analysis results would include any required updates to the augmented checklist.

Comment 28
Page and Section: Page 34, Section 7.3
Significance & Type: Suggestion / QA Oversight
Comment: Section 7.3, Verification that Implementation of the IEC 61508 SIL Certification Process Continues to be Consistent with NRC Accepted Practices, states, in part, that the U.S. nuclear industry observations will be performed initially on a 3-year frequency with the possibility of reducing the frequency if it is observed that the process is demonstrably consistent. The initial 3-year frequency is consistent with the guidance in NRC RGs 1.28 and 1.144 for auditing. However, this appears to be inconsistent with the requirement for 5-year assessments described in Section 5.5 of the report (see comment to Section 5.5, Paragraph 3).
NEI Response: NEI 17-06 will be revised to use the 3-year time frame.