ML21270A131
| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 09/24/2021 |
| From: | Andy Campbell, Nuclear Energy Institute |
| To: | Serita Sanders, Licensing Processes Branch |
| Shared Package: | ML21270A130 |
| References: | NEI 17-06, Rev 0 |
Comment No. | Page and Section | Comment | Comment Significance & Type | NEI Response
1 General As the proposed commercial grade dedication (CGD) methodology will be considered a reduction in commitment in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.54(a)(4), the report should add an action, that the licensee use of this approach will require a change to their approved quality assurance program manual. For comparison purposes, Nuclear Energy Institute (NEI) 14-05, states, in part, Prior to a licensee implementing the methodology outlined in NEI 14-05A, Revision 0, the U.S. Nuclear Regulatory Commission (NRC) required a licensee to submit a revision to its Operating Quality Assurance Program (OQAP) for NRC acceptance in accordance with 10 CFR 50.54(a)(4) since implementation of NEI 14-05A represented a reduction in commitment.
Potential Exception QA Oversight This action will be added to NEI 17-06.
2 Page 3, Section 1.3 Section 1.3, "Acceptance of Safety Integrity Level as Verification of Dependability Critical Characteristics," leverages the results of the American National Standards Institute (ANSI) National Accreditation Board (ANAB) audit of exida and the supplemental effort by the NEI working group to complete the supplemental audit checklist related to the implementation of the International Electrotechnical Commission (IEC) 61508 technical criteria at exida. The report concludes that the SIL accreditation process is sufficient, robust, and repeatable, such that other ABs that are signatories of the International Accreditation Forum (IAF) should also be considered acceptable for these purposes.
The NRC's approach to approving NEI 14-05 regarding use of the ILAC process in lieu of CGD activities was based on the NRC and the industry evaluating multiple accreditation bodies (ABs) and certifying bodies (CBs) performing work in accordance with the established ILAC programs and agreements as it pertained to the implementation of the International Standards Organization (ISO) 17025 standard, to gain assurance that the process was stable, robust, and repeatable. This report is essentially based on conclusions drawn from a single audit observation (done twice) of one AB and one CB, by the NRC and NEI, and additional inference from a report by Electric Power Research Institute (EPRI) that has not been formally evaluated by the NRC.
As a result, the NRC does not consider it appropriate to include or suggest that other, non-vetted ABs, are acceptable in the report. Given the observations made during the implementation audit conducted by ANAB of exida, which were discussed at the June 23, 2021 public meeting, and the need to perform supplemental verification external to the ANAB process (supplemental checklist), NEI 17-06 should clearly limit the applicability of using this alternative currently to ANAB with restrictions, with provisions for potentially adding other ABs after adequate vetting by NEI, US Nuclear licensees, and the NRC.
Potential Exception QA Oversight This limitation will be added to NEI 17-06 along with a description of a methodology for adding others.
3 Page 3, Section 1.3 Similarly, the sole observation of ANAB auditing the capabilities and programmatic controls at exida, and the need to perform a supplemental checklist due to observed weaknesses in the ANAB accreditation process, should not be used as the basis for approval of other CBs without continued direct observation of the accreditation activities of ANAB for those other CBs and completion of the supplemental checklists.
Potential Exception QA Oversight At this point, the intent is for the supplemental checklist to be performed for each CB, but it is not necessary for NEI/NRC to observe ANAB's accreditation activities for every CB.
4 Page 20, Section 4.1 The first sentence in the paragraph, "The approach being laid out in this document for performing commercial grade dedication of digital equipment is based on the conclusion pointed out in Section 3.3 of this document" implies that EPRI research is the sole source of information that leads to the conclusion that SIL certifications can be used as the evidence of acceptability of dependability critical characteristics (CC), as defined by EPRI TR-106439. Whereas, NEI's observation of ANAB's audits of exida that used the NEI audit checklist (based on EPRI TR-106439 dependability CC) is an alternative to the EPRI research. Since the NRC endorsement of NEI 17-06 is not relying on EPRI research, revise this paragraph to provide adequate basis for the stated claim.
Potential Exception Use of Ref. 8 EPRI 3002011817 This sentence will be revised to point to the use of the NEI audit checklist instead of to the EPRI report
5 Page 25, Section 4.4 In the "SIL Certification Process Method of Verification" column reference is made to the EPRI research report (Reference 8). Since the EPRI report is not being evaluated by the NRC, reference should only be made to the relevant IEC 61508 consensus standard sections. In general, any information from the EPRI research report that is necessary for this CGD process (that relies on safety integrity level (SIL) certification) should be included within NEI 17-06.
Potential Exception Use of Ref. 8 EPRI 3002011817 The references to the EPRI report will be replaced by the corresponding references to IEC 61508 called out in the supplemental accreditation checklist
NEI 17-06, Rev. 0 NEI Responses to NRC Comments September 24, 2021
6 Page 30, Section 5.5 Section 5.5, Compensatory Measures, identifies a long-term and short-term path to resolve the observed accreditation process weaknesses. The long-term path is to work with ANAB to improve the assessment of Section 7.1.2 of ISO 17065.
However, that action has been noted as preliminary in nature and will take an unspecified length of time to achieve, if at all. Given the nature of this as preliminary, at best, the NRC cannot endorse a compensatory measure that has not been formalized. NEI should provide a more definitive set of actions that have been agreed to and accepted by both parties and a timeline to achieve full implementation.
Potential Exception QA Oversight More detail will be provided to describe the long term path and clearly define what actions must be accomplished to successfully resolve the observed concerns. The intent is to describe what ANAB needs to do to resolve the observed deficiencies and if they do, the long-term path can be utilized; if not then the short-term path will continue to be used.
7 Page 30, Section 5.5 Furthermore, the short-term compensatory measure described also lacks adequate specificity to enable the NRC to endorse as an acceptable means to meet the regulatory requirements. Specifically, the action to have the U.S. nuclear industry develop a supplemental accreditation checklist to be applied to each CB that would assess their scheme's compliance with IEC 61508 within the context of the dependability CC in Table 4-1 of EPRI TR106439. Details regarding the methods by which this will be performed and by whom more specifically (i.e., NEI working group, Nuclear Procurement Issues Corporation (NUPIC), individual licensees), and a description of necessary and sufficient administrative controls to ensure consistent application of the checklist should be provided. This may include the need to evaluate and accept the EPRI report as well as the IEC 61508 standard as it pertains to the checklist provided in Appendix D.
Clarification QA Oversight A clarification will be added so that it is understood that the checklist included in Appendix D is to be used. A new checklist will not be required to be developed by the nuclear industry so the NRC doesn't need to evaluate the EPRI report or IEC 61508. More detail will be added to describe the short term path, and change the responsible party to be "the licensee or their designee".
8 General The intended scope of applicability of NEI 17-06 should be clear to support its efficient potential endorsement in a Regulatory Guide (RG). The staff considers scope of NEI 17-06 to only apply under the following conditions/circumstances. 1) Applies only to digital I&C equipment, 2) Applies only to CGD for the critical characteristic of dependability, 3) Applies only to 10 CFR Part 50 and 10 CFR Part 52 power reactors, 4) Applies only where the item has a certification of compliance to an IEC 61508 SIL by a functional safety certifying body, and 5) Applies only where the functional safety certifying body has been accredited by signatory to the International Accreditation Forum. If 1 through 5 above do not correctly set the limit of NEI 17-06's intended application, would NEI clarify and indicate whether a clarification would also be included in the body of NEI 17-06?
Clarification NEI 17-06 Scope The identified scope is consistent with NEI's intent. NEI 17-06 will clarify this scope.
9 General Alignment on NEI's intended scope of endorsement of NEI 17-06 should be clear to support its efficient potential endorsement of a RG. The staff considers scope of NEI 17-06 to be endorsed by the NRC to include the following items.
1) For a commercial item with a SIL certification, the guidance in NEI 17-06 that applies the ISO 17065 accreditation process as supplemented is acceptable for use as a commercial-grade survey of a SIL certification service provided by an IEC 61508 functional safety certifying body,
2) For a commercial item with a SIL certification, the guidance in NEI 17-06 that applies a SIL certification by an accredited certifying body is acceptable for use when assessing the suitability of the commercial item for its critical characteristic of dependability,
3) When applying EPRI TR-106439 and EPRI 30020002982 to a commercial item with a SIL certification, the guidance in NEI 17-06 that applies a SIL certification by an accredited certifying body to establish the dependability characteristics of the commercial equipment is an acceptable substitute for methods: 2-Commercial-Grade Survey of Supplier, and 4-Acceptable Item Performance Record when performing a CGD.
If 1 through 3 above do not correctly represent what NEI seeks in an NRC endorsement of NEI 17-06, would NEI clarify and indicate whether a clarification would also be included in the body of NEI 17-06?
Clarification NEI 17-06 Scope The identified scope is consistent with NEI's intent. NEI 17-06 will clarify this scope.
10 General It appears that NEI 17-06's scope does not include or reference a method to determine the SIL level upon which a particular piece of digital I&C equipment's dependability would be evaluated using NEI 17-06 as guidance. NEI to clarify if NEI 17-06's endorsement should leave open the method for determining the SIL level of the digital equipment being dedicated?
Clarification NEI 17-06 Scope Section 4.2 of NEI 17-06 provides a high level approach to determining the SIL level. This is consistent with how EPRI TR-106439 leaves open the application of a graded approach. The endorsement should leave open the method for determining the SIL level accordingly.
11 Page 9, Section 2.1 Revise second sentence from "This accreditation is typically in accordance with ISO 17065" to "This accreditation is typically in accordance with ISO 17065 supplemented by IEC 61508 SIL certification scheme." Change fourth sentence from "The AB performs audits and monitors activities of the CB in order to confirm that their processes and procedures, and their corresponding implementation follows ISO 17065" to "The AB performs audits and monitors activities of the CB in order to confirm that their processes and procedures, and their corresponding implementation follows ISO 17065 supplemented by IEC 61508 scheme."
Suggestion QA Oversight NEI 17-06 will be revised to incorporate this suggestion
12 Page 21, Section 4.1 When procuring SIL certified equipment, the dedicating entity should receive the SIL certificate from the original equipment manufacturer (OEM) and not the CB. CB grants the SIL certificate to the OEM and has no obligation of providing the SIL certificate to the dedicating entity. In addition, the dedicating entity should also receive a set document from the OEM that describes the application limitation of their SIL certified product. Please update this figure to correct these relationships.
Suggestion NEI 17-06 Scope To ensure authenticity, it is best to acquire the SIL certificate from the CB body. CB's are set up with certificate databases to support this approach. Obtaining the safety manual (describes the application limitations) from the OEM will be added to the figure.
13 Page 22, Section 3
NEI 17-06 states that the estimated failure rates of the observed logic solver failure data are conservative since 323 failures were expected but only 205 occurred. It also states: "These results also illustrated how the probabilistic failure rates and the systematic integrity could both be evaluated through the review of field failure data." The document also states that "it is valuable to note that systematic integrity is a parallel concept to the nuclear industry's concept of common cause failure." The NRC finds this statement to be unclear and potentially misleading to potential users of NEI 17-06. The integrity of a component does not in itself establish systematic integrity of the system's safety function.
Absent this additional consideration of system architecture and application of safety features, NRC understands such individual logic solver failure data can at best represent only the reliability of the specific platform device configuration that was incorporated into a system of devices designed to achieve a plant safety function. Please clarify what is meant by stating that systematic integrity of a single platform can be considered a "parallel concept" to the nuclear industry's concept of common cause failure, which usually addresses failure causes which can occur concurrently in redundant channels.
Clarification NEI 17-06 Scope (This comment applies to page 18, section 3.2 of NEI 17-06, not Page 22, section 3)
The phrase "it is valuable to note that systematic integrity is a parallel concept to the nuclear industry's concept of common cause failure" will be removed to avoid unnecessary discussion. This note is not important to the methodology being laid out in NEI 17-06.
14 Page 22, Section 4.2 This guidance limits the use of SIL certified equipment to a risk-based selection process. Does NEI intend to provide guidance or example for selection of a SIL level that is appropriate for a safety function application using a deterministic process, e.g., can a SIL 3 certified component be used in an ESFAS with 3 or 4 divisions?
Suggestion NEI 17-06 Scope Section 4.2 of NEI 17-06 provides a high level approach to determining the SIL level. This is consistent with how EPRI TR-106439 leaves open the application of a graded approach. The endorsement should leave open the method for determining the SIL level accordingly.
15 Page 30, Section 5.5 Section 5.5, Compensatory Measures, states, in part, that "after five years, these assessments would be reperformed to ensure the CBs' schemes have remained compliant, unless the long-term path has already been realized. Five years is an appropriate amount of time because the IEC 61508 standard is a very stable document, and the accreditation activities will continue to happen annually."
Although the accreditation process may be stable, the NRC considers a 3-year timeframe rather than the proposed 5-years is appropriate, given industry precedent for similar evaluations of the supply chain's quality programs at a period not to exceed 3 years. NRC suggests it is appropriate to reflect this long-standing practice for this activity as well. (see comment to Section 7.3, Paragraph 2)
Suggestion QA Oversight NEI 17-06 will be revised to use the 3 year time frame.
16 Page 30, Section 5.5 Implementation of the supplemental checklist will require NRC licensees, or their representatives, to have access to the ANAB processes as well as the CB's internal programs, procedures, and specific evaluations of sample products that have been vetted by the CB. This document does not address any formal agreements by the ABs, CBs, and either NEI, other US licensee organizations, such as NUPIC, or individual NRC licensees to have access to conduct such audit activities or grant access during audit performance. Please describe how the implementation of the supplemental checklists will be accomplished and how has this been formally adopted?
Clarification QA Oversight NEI has demonstrated that ANAB and exida are willing to allow this type of access, but NEI will add a prerequisite to this section of NEI 17-06 for future ABs and CBs that they will need to also allow this level of access as part of the methodology of determining their acceptability.
17 Page 32, Section 6.5 Section 6.5, Corrective Action, states in part, that the dedicating entity is required to notify licensees and the NRC of deviations/defects which could result in substantial safety hazards as required by 10 CFR Part 21. In accordance with 10 CFR Part 21 the dedicating entity need only report to the NRC not licensees, and only defects and failures to comply associated with substantial safety hazards for dedicated items need to be reported, not deviations. Please revise this to reflect the regulation language.
Suggestion QA Oversight NEI 17-06 will be revised to incorporate this suggestion.
18 Page 1, Section 1.1 Accreditation body (AB) in the United States is now called ANAB (ANSI National Accreditation Board), a wholly owned subsidiary of the American National Standards Institute (ANSI). (see https://anab.ansi.org/). Update NEI 17-06 accordingly (consistent with Section 5.3 identification).
Suggestion QA Oversight NEI 17-06 will be revised to incorporate this suggestion.
19 Page 3, Section 1.3 EPRI 3002002982 is endorsed by RG 1.164, which is not referenced in NEI 17-06. In the same way NEI 17-06 includes a reference to the NRC safety evaluation of EPRI TR-106439, NEI 17-06 should include a reference to RG 1.164.
Suggestion NEI 17-06 Scope NEI 17-06 will be revised to incorporate this suggestion.
20 Page 21, Section 4.1 Manufacturer's safety manual and related documents may only be made available upon procuring the equipment from OEM. The steps should identify where in the procurement process of the SIL certified equipment this information is made available and any additional documents that should be a part of the procurement.
Suggestion NEI 17-06 Scope This specificity does not seem to be necessary. Each OEM will have their own policies for when this information is provided. For the purposes of NEI 17-06, it is only important that the information is obtained as necessary, to support the methodology.
21 Page 21, Section 4.1 ANAB issued CB's accreditation certificates are publicly available on their website. Is this also true of other ABs? The steps should clarify how to obtain the accreditation certificate.
Clarification QA Oversight This specificity does not seem to be necessary. This type of information can be covered in workshops and trainings if dedicating entities have issues with finding this information.
Additionally, the specific location of this information may change over time and become obsolete if captured in NEI 17-06.
22 Page 23, Section 4.3 This section states, in part, "and must be certified to meet or exceed the SIL that has been established for the application (as described in Section 4.3)." This would be true when the safety instrumented system (SIS) is designed using IEC 61511 methodology. However, none of the operating reactor's safety systems have been designed using the SIS process. This "must" requirement would require the plants to determine the SIL level of the safety systems prior to using a SIL certified component in their plants. Is this the intent of this guidance?
Clarification NEI 17-06 Scope There is a typo in the quoted section. It should say "as described in Section 4.2." The equipment must meet or exceed the SIL that is determined to be appropriate for the application. It is not intended for the application to have been originally designed to meet a particular SIL. Also, this concept is specific to the systematic capability aspect of the SIL certification.
NEI 17-06 will be revised to correct the typo, and add clarification about the systematic capability focus of this requirement.
23 Page 24, Section 3
Certain statements made within NEI 17-06 imply a general condition exists for all CBs when the data provided seems to support work performed by a particular CB. For example, in Section 3.3 it is stated that CB's "oversee" the compliance of a vendor to quality standards. Some evidence of this was observed by the NRC staff at its observations of the ANAB accreditation of a particular CB, but no evidence is provided that all CBs perform oversight of a vendor's self-validation process. NEI 17-06 should provide evidence that all CBs perform oversight of a vendor's self-validation process.
Suggestion QA Oversight This concept is based on ISO 17065 and has been observed to be accurate for exida. Based on previous comments, NEI 17-06 is going to be limited to exida as the only acceptable CB at this time, but gathering evidence for other CBs will be part of the methodology for accepting future CBs.
24 Page 27, Section 4
Regarding the SIL Certificate and Safety Manual: The steps to be followed should include actions that address the need to identify whether the safety manual identifies any precautions, conditions of operation, or limitations in the use of the equipment for which the SIL Certificate applies. Specifically, to maintain certification, the safety manual specifies implementation, configuration, or maintenance or diagnostic requirements to be followed, to maintain compliance with the certificate reliability statements.
Suggestion NEI 17-06 Scope Step 2 in Section 4.1 of NEI 17-06 already includes reviewing the safety manual and making sure the application is within scope. Step 2 is:
Identify SIL certified equipment, and review the SIL certification and the manufacturer's safety manual to confirm they encompass the requirements of the application (see Section 4.3 for more details).
Beyond this, it seems like it's getting into the application design/implementation process (not procurement) and that is outside the scope of NEI 17-06.
25 Page 31, Section 6.1 Section 6.1, Organization, states, in part, that the dedicating entity retains overall responsibility for assuring that purchased digital devices meet applicable technical and regulatory requirements and that reasonable assurance of quality exists. There are no special requirements beyond 10 CFR Part 50, Appendix B. It should be noted that the dedicating entity must also meet the requirements of 10 CFR Part 21. This should be added for completeness and accuracy.
Suggestion QA Oversight NEI 17-06 will be revised to incorporate this suggestion
26 Page 33, Section 7.2 Section 7.2, Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices, states, in part, that as part of the continued oversight, a nuclear industry team, through NEI, will monitor the IEC 61508 SIL certification requirements to verify that they continue to cover the EPRI TR 106439 Dependability Critical Characteristics. Please describe the complement of that team, whether there is a documented commitment to support these activities among the team members, and the nature of any commitment.
Clarification QA Oversight This specificity does not seem to be necessary. The NEI will be responsible for the complement of this team. Additionally, team member commitments can change over time and become obsolete if documented in NEI 17-06.
27 Page 33, Section 7.2 Section 7.2, Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices, states, in part, that If changes adversely impact coverage of the EPRI TR 106439 Dependability Critical Characteristics, then the nuclear industry through NEI has the ability to provide feedback to the IEC 61508 standards development committee to change the draft revision to encompass these critical characteristics. Does this require NEI to have a formal agreement with the IEC to affect such revisions?
The NRC's approval of the methodology described in NEI 14-05 regarding use of the ILAC accreditation process relied, in part, on the formal relationship NEI and the ILAC organization had created through NEI's formal stakeholder membership in the organization. Under the proposed methodology outlined in Section 7.2, Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices, there is no parallel discussion of how NEI and the nuclear industry would formally affect changes to the ISO or IEC standards central to this report other than a statement that the IEC 61508 standard will be periodically reviewed and comments provided to IEC for consideration. There is no discussion regarding ISO 17065 in this regard. Describe what formal methods have been established to ensure issues identified by NEI, NRC licensees, or third-party dedicating entities will be resolved by the ISO and IEC organizations.
Clarification QA Oversight A formal agreement is not required. exida (the primary CB discussed in NEI 17-06) is a foundational member to the IEC 61508 committee and the nuclear industry will maintain oversight with the periodic observations. The intention is not to affect change in either IEC 61508 or ISO/IEC 17065 but rather create an analysis of the changes to determine if they have any impact on compliance to EPRI TR 106439. The analysis results would include any required updates to the augmented checklist.
28 Page 34, Section 7.3 Section 7.3, Verification that Implementation of the IEC 61508 SIL Certification Process Continues to be Consistent with NRC Accepted Practices, states in part, that the U.S. nuclear industry observations will be performed initially on a 3-year frequency with the possibility of reducing the frequency if it is observed that the process is demonstrably consistent. The initial 3-year frequency is consistent with the guidance in NRC RGs 1.28 and 1.144 for auditing. However, this appears to be inconsistent with the requirement for 5-year assessments described in Section 5.5 of the report (see comment to Section 5.5, Paragraph 3).
Suggestion QA Oversight NEI 17-06 will be revised to use the 3 year time frame