ML22278A065
| ML22278A065 | |
| Person / Time | |
|---|---|
| Issue date: | 09/07/2022 |
| From: | Advisory Committee on Reactor Safeguards |
| To: | |
| Burkhart, L., Antonescu, C., ACRS | |
| References | |
| NRC-2076 | |
| Download: ML22278A065 (127) | |
Text
Official Transcript of Proceedings NUCLEAR REGULATORY COMMISSION
Title:
Advisory Committee on Reactor Safeguards Open Session Docket Number:
(n/a)
Location:
teleconference Date:
Wednesday, September 7, 2022 Work Order No.:
NRC-2076 Pages 1-89 NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers 1716 14th Street, N.W.
Washington, D.C. 20009 (202) 234-4433
NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234-4433 WASHINGTON, D.C. 20005-3701 www.nealrgross.com 1
1 2
3 DISCLAIMER 4
5 6
UNITED STATES NUCLEAR REGULATORY COMMISSIONS 7
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 8
9 10 The contents of this transcript of the 11 proceeding of the United States Nuclear Regulatory 12 Commission Advisory Committee on Reactor Safeguards, 13 as reported herein, is a record of the discussions 14 recorded at the meeting.
15 16 This transcript has not been reviewed, 17 corrected, and edited, and it may contain 18 inaccuracies.
19 20 21 22 23
1 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 UNITED STATES OF AMERICA 1
NUCLEAR REGULATORY COMMISSION 2
+ + + + +
3 698TH MEETING 4
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS 5
(ACRS) 6
+ + + + +
7 WEDNESDAY 8
SEPTEMBER 7, 2022 9
+ + + + +
10 The Advisory Committee met via 11 videoconference at 1:30 p.m., Joy L. Rempe, 12 Chairman, presiding.
13 14 COMMITTEE MEMBERS:
15 JOY L. REMPE, Chairman 16 WALTER L. KIRCHNER, Vice Chairman 17 DAVID A. PETTI, Member-at-Large 18 RONALD G. BALLINGER, Member 19 VICKI M. BIER, Member 20 CHARLES H. BROWN, JR., Member 21 VESNA B. DIMITRIJEVIC, Member 22 GREGORY H. HALNON, Member 23 JOSE A. MARCH-LEUBA, Member 24 MATTHEW W. SUNSERI, Member 25
2 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 ACRS CONSULTANTS:
1 DENNIS BLEY 2
3 DESIGNATED FEDERAL OFFICIAL:
6 7
8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
3 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 P R O C E E D I N G S 1
(1:30 p.m.)
2 CHAIRMAN REMPE: Okay, folks, its 3
1:30 p.m. on the East Coast. So this meeting will 4
now come to order.
5 This is the first day of the 698th 6
meeting of the Advisory Committee on Reactor 7
Safeguards. Im Joy Rempe, Chairman of the ACRS.
8 Other members in attendance are Ron Ballinger, 9
Vicki Bier, Charles Brown, Vesna Dimitrijevic, Greg 10 Halnon, Walt Kirchner, Jose March-Leuba, Dave 11 Petti, and Matt Sunseri. I note we do have a 12 quorum. Today, the Committee is meeting in-person 13 and virtual.
14 The ACRS is established by the Atomic 15 Energy Act and is governed by the Federal Advisory 16 Committee Act. The ACRS Section of the U.S. NRC 17 public website provides information about the 18 history of this Committee and documents such as 19 our charter, bylaws, Federal Register Notices 20 (audio interference) at least the meetings that 21 are open.
22 The Committee provides advice on safety 23 matters to the Commission through its publicly 24 available letter reports.
25
4 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 The Federal Register Notice announcing 1
this meeting was published on August 10, 2022.
2 This announcement provided a meeting agenda as well 3
as instructions for interested parties to submit 4
written documents or request opportunities to 5
address the Committee.
6 The Designated Federal Officer for 7
todays meeting is Ms. Christina Antonescu. A 8
communications channel has been opened to allow 9
members of the public to monitor the open portions 10 of the meeting.
11 The ACRS is now inviting members of the 12 public to use the MS Teams link to view slides and 13 other discussion materials during these open 14 sessions. The MS Teams link information was placed 15 in the Federal Register Notice and agenda on the 16 ACRS public website.
17 Periodically, the meeting will be open 18 to accept comments from participants listening to 19 our meeting. Written comments may still be 20 forwarded to the Designated Federal Officer.
21 During todays meeting, the Committee 22 will consider the following topics: Proposed New 23 Regulatory Guide 1.250, Dedication of 24 Commercial-Grade Digital I&C Items for Nuclear 25
5 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Power Plants; and, two, SHINE Memoranda Review and 1
Deliberation/Report Preparation.
2 A transcript of the open portions of 3
the meeting is being kept, and its requested that 4
speakers identify themselves and speak with 5
sufficient clarity and volume so they can be readily 6
heard. Additionally, participants should mute 7
themselves when not speaking.
8 Before we start todays meeting, I want 9
to take some time to highlight a couple of items.
10 First, one of our staff members has received a 11 significant recognition. Senior Staff Engineer 12 Mike Snodderly has been awarded an NRC Meritorious 13 Service Award in recognition of his exemplary 14 performance, initiative, and dedication to the 15 NRCs Operating and New Reactor Safety Programs.
16 Mr. Snodderly received this award for his lasting 17 contributions to technical support issues facing 18 ACRS.
19 Most recently, he worked with ACRS 20 members to implement novel ways for the Committee 21 to establish and meet an aggressive review schedule 22 for the NuScale design certification application.
23 His efforts enabled the ACRS review to be completed 24 on an unprecedented schedule.
25
6 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 In addition to his technical support 1
work with the Committee, Mr. Snodderly also served 2
at Commission staff level and as branch chief during 3
his 32-year NRC career. Mr. Snodderly exhibits 4
a proven level of superior performance and strong 5
leadership that is a credit to himself and the 6
agency.
7 I also want to express our appreciation 8
to Members Halnon and Ballinger, along with ACRS 9
staff members Weidong Wang, Chris Brown, and Mike 10 Snodderly, for our well-organized visit to Region 11 II, the Byron Station, and the SHINE facility.
12 These visits help us better perform our duties as 13 ACRS members and Ive missed the years when the 14 pandemic prevented them.
15 At this time, Id like to ask other 16 members if they have any opening remarks.
17 Not seeing any, Id like to ask Member 18 Charles Brown to lead us through our first topic 19 for todays meeting. Charlie?
20 MEMBER BROWN: Okay, thank you. Im 21 going to try to provide a slight summary of the 22 last meeting, since its been a while, and a little 23 bit of a calibration on how these two things fit 24 together.
25
7 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Currently, the commercial -- youve got 1
Topical Reports, which make formal declarations, 2
and NRC reviews and they approve them. And it can 3
be for whatever it is, whether its a commercial 4
item thats been tested, and whatever it is, you 5
all can approve that.
6 Right now, there is a -- then their 7
commercial certification is done under Reg Guide 8
1.164, which references some EPRI documents and 9
Topical Report, which I will mention in there, and 10 that Topical Report generally characterizes 11 critical characteristics and attributes as being 12 physical performance and dependability.
13
- And, therefore, the commercial 14 certification is reviewed trying to satisfy those 15 three main functions.
16 And thats kind of an arbitrary 17 categorization, the way they put them together.
18 They presented that last time.
19 Dependability is the hard one. The 20 first two, you can kind of test and do things.
21 The last one is a little bit more cerebral, the 22 way I view. Its not as easy to prove dependability 23 as it is to test something.
24 The Reg Guide 1.250 is an effort to now 25
8 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 utilize an international standard, which develops 1
something called safety integrity levels one 2
through four, and that if the certifying -- Im 3
not going to get into the dedication bodies and 4
all that.
5 If it comes to that process, now it is 6
available for people to use and they are proposing 7
to accept that as the -- whats the word? I 8
forgot the words now.
Satisfying the 9
dependability category or characteristic, okay?
10 So, when we reviewed this last time, 11 we didnt have the IEC or we couldnt find it.
12 So I was able to get that this time.
13 I hope none of the rest of you tortured 14 yourself by trying to look at it.
15 So anyway, the object now, we went 16 through that, so the effort here now, it says, 17 follow 1.250 and they meet these SIL type 18 requirements for whoever theyre getting the stuff 19 from.
20 In other words, if they get a computer 21 card thats been used in numerous projects, 22 everybody says its reliable, we dont have to do 23 anything.
24 They accept that as the certification 25
9 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 for the review of the application of the stuff in 1
the nuclear power plants. I may have overstated 2
it, but I think thats close enough.
3 So, thats what they are now going to 4
rephrase or redo this time. We made some comments 5
last time and I didnt -- I saw what you all had 6
proposed.
7 Id like to say I remember every one 8
of them. I did this two weeks ago. And theyre 9
going to present that in a summary package.
10 And I have a few questions at the end 11 so as we dont disturb the flow. Did I get most 12 of that right? Okay.
13 And weve got both the staff and NEI 14 will be presenting, for your information.
15 MR. BENNER: Okay, so thank you, 16 Member Brown, Chairman Rempe, and members of the 17 Committee. Can you hear me?
18 MEMBER BROWN: A little closer.
19 MR. BENNER: People usually dont say 20 I dont talk loud. So, but that characterization 21 is accurate.
22 Ill step it back just a little bit, 23 because way in the past, nuclear power plants 24 typically would purchase components from what we 25
10 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 call Appendix B supply. All Appendix B --
1 MEMBER BROWN: I forgot that part, Im 2
sorry.
3 MR. BENNER: No, no its a good -- its 4
a good clarification.
5 MEMBER KIRCHNER: Could you identify 6
yourself for the reporter?
7 MR. BENNER: Im sorry. Okay. This 8
is Eric Benner, the Director of the Division of 9
Engineering and External Hazards at NRCs Office 10 of Nuclear Reactor Regulations.
11 So those suppliers were called Appendix 12 B because it refers to the part of the NRCs 13 regulations that contain our quality assurance 14 requirements, 10 CFR 50, Appendix B.
15 But over time, there have been fewer 16 and fewer suppliers who wish to go through all the 17 challenges of providing things to that quality 18 standard.
19 So that begat the creation of what we 20 call commercial grade dedication programs, which 21 is what Member Brown was talking about.
22 We have guidance that has been in place 23 for a while for how licensees can do this dedication 24 process.
25
11 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Essentially, make their own 1
determination that components meet the quality 2
assurance standards of 10 CFR 50 Appendix B.
3 As that has become more prevalent, 4
there have been these generic entities that have 5
taken on some of those responsibilities so that 6
individual licensees didnt have to do all those 7
steps themselves.
8 So like I said, weve had guidance in 9
that area and time marches on. As weve talked 10
- about, there
- are, in those criteria are 11 expectations for determining the dependability of 12 those components.
13 As time marched on, theres this IEC 14 standard that has the safety integrity levels that 15 gets part of dependability of components.
16 So, this effort and this regulatory 17 guide is basically a roadmap of how licensees can 18 use that SIL certification within their commercial 19 grade dedication programs to satisfy the 20 dependability characteristic standards.
21 DR. BLEY: Eric?
22 MR. BENNER: Yes.
23 DR. BLEY: This is Dennis Bley.
24 MR. BENNER: Hey, Dennis.
25
12 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 DR. BLEY: Have we -- have we gathered 1
any careful analysis of how commercial dedicated 2
components have performed compared to those that 3
go through the old process? Reliability 4
parameters or things like that?
5 MR. BENNER: Im going to give more 6
of a process answer and see if anyone jumps in to 7
help me.
8 Even for commercial grade dedicated 9
items, the licensees have reporting requirements 10 under 10 CFR Part 21.
11 And under those reporting 12 requirements, if theres a belief that components 13 have different failure mechanisms, that gets 14 reported and gets transmitted to different 15 entities.
16 I mean, I used to be in what is now called 17 the Operating Experience Branch, MOR, and we look 18 at all those reports as well as other failure 19 reports, and I can just say anecdotally that we 20 didnt see any what I would call weaknesses overall 21 in this commercial grade dedication process.
22 I think at the end of the day, the 23 licensees have the responsibility. In some ways, 24 on one level its better because the licensee who 25
13 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 is the responsible entity for operating that 1
facility now is taking on the responsibility to 2
say, yes, this component meets these quality 3
standards that theyre held to.
4 So, like in any process, we find design 5
defects. We find different flaws and everything.
6 7
But I think overall we would say the 8
commercial grade dedication process has been a huge 9
success.
10 DR. BLEY: Okay. I appreciate the 11 process comments and Im sure theyre all correct.
12 13 We do have large databases now, 14 equipment, reliability, and it just seems like 15 somebody from industry or maybe OpE at NRC ought 16 to tease that data apart and see if we see any 17 differences.
18 I know were using plant--specific data 19 when we look at the theories for plants, and that 20 kind of takes care of it all, but I think the larger 21 question probably deserves an answer.
22 And I suspect the answer would make us 23 feel good.
24 MR. BENNER: And we certainly will 25
14 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 take that back and see what kind of data we can 1
tease out in that regard.
2 So that was the end of my expected 3
remarks. And with that, if there are no other 4
initial questions, Ill turn it over to Dinesh 5
Taneja who is going to be giving the main part of 6
our presentation.
7 MEMBER BROWN: Can I make one 8
observation that I forgot on my input? When I said 9
Reg Guide 1.164 was the kind of umbrella that they 10 operate, 1.164 represents the EPRI document, and 11 that EPRI document covers all types of equipment, 12 not I&C.
13 Theres a Topical Report also in every 14 document thats funneled in that covers dedication 15 of the electronic, digital electronic components, 16 programmable components.
17 So its kind of a two-piece. 1.164 is 18 not all electronics.
Its everything.
19 Mechanical, all kinds of general stuff.
20 And this other part now is in there to 21 cover the other stuff. So if you hear the two 22 things, theyre not -- theyre not both the same.
23 One deals specifically with - they 24 mention it in the slides, so thats why I brought 25
15 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 it up now. Thank you very much, Dinesh.
1 MR. TANEJA: Good afternoon, Member 2
Brown and Chairman Rempe. My name is Dinesh 3
Taneja. I am the I&C Technical Reviewer in NRR 4
NRC Branch.
5 And Ive been actually working on this 6
particular topic since 2016, since we were directed 7
by the Commission to modernize the digital, the 8
INC regulatory infrastructure.
9 So one of the tasks that Ive identified 10 was to see if we can leverage this SIL certification 11 process which has really matured over the last 15-20 12 years into the commercial grade dedication process.
13 Next slide, Meraj.
14 Next slide, please. So, in this 15 activity, a number of people that have worked with 16 me and supported me in trying to get this Reg Guide 17 where we are today, Mike Eudys managing this Reg 18 Guide process, Bernie Dittman that worked with us 19 for a couple of years has retired since, David Rahn, 20 hes on the line with us, he has supported this 21 activity from my branch, and I have Greg Galletti 22 and Ayo on the vendor and QA branch that have been 23 instrumental in development of this activity.
24 And Jonathan Ortega, hes left us to 25
16 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 go to DOE but he was also instrumental in developing 1
this. Next slide, please.
2 So I think I can go through the material 3
that I covered back in the Subcommittee meeting, 4
which was on July 21, or I can just cover whats 5
happened since.
6 So its really, if you have any 7
questions, you can get me deeper into it, but Ill 8
probably just summarize what we did during the 9
Subcommittee meeting and the feedback that we took 10 back that resulted in our documents.
11 So next slide, please. So the scope 12 and purpose, I think we probably discussed that.
13 This Reg Guide is really endorsing the NEI 17-06 14 Revision 1, which is the process or the guidance 15 on how to utilize the SIL certification into the 16 commercial grade dedication activities.
17 Now, NEI has been working on that 18 document as part of the IAP activity since 2016 19 and we have been basically participating in a way 20 that we have been providing constantly feedback 21 to NEI on development of NEI 17-06.
22 So part of the endorsement is endorsing 23 the portions of the IEC 61508 standard that really 24 focuses on these critical characteristics of 25
17 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 dependability.
1 Now, like Member Brown mentioned, that 2
the standard is like a six-or seven-part standard.
3 Its a pretty big standard. And it covers a myriad 4
of things.
5 And so, but for the purposes of our -
6 we are doing a limited proportion of utilization 7
of the standard. So that portion is being endorsed 8
by this Reg Guide as well.
9 There is the ISO IEC 17065 standard that 10 really is a framework that, like, in this case, 11 the certifying body, which is a third party that 12 does the certification activity, this is the 13 framework that they work under.
14 Its like their web program that they 15 abide by when theyre doing this work, providing 16 reliability, repeatable performance of the 17 certification.
18 And also the relationship, describe the 19 relationship of this specific Reg Guide, the Reg 20 Guide 1.164.
21 That is the guidance on how to do 22 commercial grade dedication on any commercial item 23 that has a base in a nuclear facility.
24 And the EPRI TR 106439, I have put 25
18 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 together a timeline slide based on the feedback 1
that we got during the Subcommittee.
2 And a lot of the questions that we were 3
getting were really related to why are we doing 4
this now and all that sort.
5 Its fully respective of commercial 6
grade dedication. So Ill go through that.
7 Thats near the end of my presentation, which will 8
probably link how all these documents are linked 9
together that we tried to basically establish at 10 length in the record. Next slide, please.
11 So I think Ive already covered the 12 background of it and all, how we came about working 13 on this document.
14 And on this slide, what I would point 15 to is that it was not a first of its kind effort.
16 I think there was a precedence.
17 We had previously endorsed NEI 1405, 18 which was a process for procuring commercial grade 19 laboratory calibration and test services.
20 And so we kind of followed that 21 framework on how to utilize this third party 22 commercial grade processes into a -- I want to call 23 like an Appendix B type of activity.
24 And, other than that, what I think what 25
19 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 we talked about on this slide has already been 1
discussed. So, next slide, please.
2 So Ill cover a little bit of historic 3
perspective of these EPRI standards. And this one 4
thing here that I want to point out is that in 2016, 5
when this task was identified under the IAP, the 6
Integrated Action
- Plan, as part of the 7
modernization of the IAC infrastructure, 8
regulatory infrastructure, EPRI started a real 9
effort, and this is an EPRI document 3002011817, 10 its the efficacy of the SIL process.
11 But this research was undertaken by 12 EPRI to take a look at the -- can this SIL certified 13 component and what do they do as part of the 14 certification?
15 Can that be utilized into the nuclear 16 arena? And I think some of the work thats done 17 under that, NEIs presentation that I just sneaked 18 in, theyll probably go into a little bit of the 19 detail on how they utilized that, leveraged that 20 research work in putting together NEI 17065.
21 That was another item. So the MP #3 22 was a task that was identified under the IAP. All 23 right.
24 So as part of this activity, what else 25
20 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 we did was that in the ANSI accreditation, ANSI 1
National Accreditation Board, I think thats what 2
ANSI stands for, ANAB is the one that does what 3
they call the -- they use the word accreditation 4
body, right?
5 So they accredit the certifying bodies, 6
right in the USA. In the USA, for example, Exida 7
is one of the certifying bodies that does SIL 8
certification.
9 And ANAB, which is the national 10 accreditation board, annually goes in and audits 11 their activities to make sure that they are 12 complying with ISO 17065 and they are doing the 13 work in accordance with that.
14 So, part of this development activity, 15 the NRC staff took this opportunity to observe.
16 We did that over three cycles.
17 We observed and conducted audits of 18 Exida and we provided some of our feedback which 19 they accepted, and they actually enhanced their 20 accreditation audit activities as a result of that.
21 What else is on this slide I highlight?
22 Yes, and also -
23 MEMBER HALNON: Can I ask you a quick 24 question?
25
21 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MR. TANEJA: Yes, sure.
1 MEMBER HALNON: This is Greg Halnon.
2 When you looked at the accrediting, actually, the 3
accrediting has several aspects to it.
4 One of them is compliance in process 5
but it also has outcomes. Was operating experience 6
heavily looked at in that accrediting?
7 In other words, went through the 8
process and looked at failures in the industry to 9
come back and say, is that anywhere possibly 10 connected to inadequate certification?
11 MR. TANEJA: So, the other thing is 12 certification of the certifying body, whether they 13 are performing the activities in accordance with 14 their procedures, plan and procedure thats in 15 compliance with the ISO standard.
16 And also, one of the initial key facts 17 that we gave them, that they were pretty strong 18 on looking at the processes, the accreditation 19 body.
20 But what they call it is looking at the 21 actual technical work. They did not really dig 22 into it much deeply.
23 Actually, what do they do? They really 24 look at a component, SIL certification in 25
22 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 accordance with the IEC 61508.
1 MEMBER BROWN: Thats ANAB that youre 2
talking ab out?
3 MR. TANEJA: Thats ANAB.
4 MEMBER BROWN: Okay, so --
5 MR. TANEJA: Thats really --
6 MEMBER HALNON: They pressed them to 7
take a look at the technical outcomes, not just 8
the process compliance, but with the technical 9
outcomes.
10 MR. TANEJA: Right, exactly. And I 11 think they took our feedback and they modified their 12 checklist.
13 MEMBER HALNON: Okay.
14 MR. TANEJA: That includes some of 15 those items as part of their ongoing audits.
16 MEMBER HALNON: Good. Thank you.
17 MR. TANEJA: All right. Next slide, 18 please. So the regulatory bases for this Reg Guide 19 are the things here for 21.3, which really allows 20 for commercial grade dedication of off the shelf 21 items, which is basic components in the nuclear 22 power plants and facilities.
23 And all these activities have to be 24 performed by under an Appendix B program or by what 25
23 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 we call is a dedicating entity that has an Appendix 1
B program influence.
2 And that is all laid out in our 3
regulation. What is dedication? Whats the 4
definition of dedication?
5 And, briefly, what it really says is 6
that its an acceptable way of using a component, 7
a commercial component, as a basic component for 8
what its been dedicated. What is boils down to 9
is once thou shall identify the critical 10 characteristics of the component and thou shall 11 verify those characteristics.
12 And it plays out full process and how 13 you go about verifying those characteristics. And 14 so there is no real guidance that are developed 15 in basically making sure that its done 16 consistently across the board.
17 But those are the basic regulations 18 that -- so one thing here that I would point out, 19 the Reg Guide -- hm?
20 CHAIRMAN REMPE: I dont know if you 21 want to do it now or later, but you mentioned the 22 items that already exist.
23 MR. TANEJA: Right.
24 CHAIRMAN REMPE: And so, theres no 25
24 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 reason to think that if anyone would follow this 1
new Reg Guide, they wouldnt adhere to other 2
existing guidance, whether its a branch technical 3
position or an ISG.
4 I mean, all of those things still exist 5
and theyd have to adhere to it as they perform 6
this dedication process, right?
7 MR. TANEJA: Correct. Correct. So I 8
think what this Reg Guide does is it supplements 9
the existing guidance, right?
10 CHAIRMAN REMPE: Thats what I took 11 away from my read on it, but Im not an expert in 12 this.
13 MR. TANEJA: Yes.
14 CHAIRMAN REMPE: I want to make sure 15 that you were agreeing. And frankly, the other 16 Reg Guide, the 1.164, it doesnt list every single 17 guidance that has to be followed, and yet its not 18 been a problem. They still were recognizing that 19 this had to -- they had to adhere to this.
20 MR. TANEJA: Yes.
21 CHAIRMAN REMPE: Just checking.
22 Thanks.
23 MR. TANEJA: So I think what I was going 24 to point out is that the draft of the Reg Guide 25
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 that we had here during the Subcommittee meeting 1
did not have the direct base as the Appendix B, 2
Criterion VII.
3 I think the markup that we gave you, 4
we added that Criterion VII to the regulatory bases 5
of the Reg Guide. So thats one change that we 6
did make. Next slide, please.
7 So, nothing really -- we did not have 8
to -- the changes that we made as a result of the 9
Subcommittee meeting to the Reg Guide were not at 10 the level that we needed to go back for public 11 comments.
12 So the public comments that we 13 discussed during this Subcommittee meeting and how 14 we dispositioned them and any impacts to the Reg 15 Guide were already incorporated in the draft guide 16 that we shared at that time.
17 So nothing has changed since the -- and 18 we did not have to go back and ask for public 19 comments and there are no new comments.
20 So I think really there is, unless there 21 is any interest in the comments that we got from 22 public, we dispositioned them adequately, and any 23 impact to the Reg Guide, we incorporated them and 24 we did not really have any follow-up on that area.
25
26 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MEMBER BROWN: I presume the main one 1
you put in there was the 10 CFR Appendix B addition.
2 MR. TANEJA: Criterion VII.
3 MEMBER BROWN: Which was a quick 4
summary about documentary evidence, et cetera.
5 MR. TANEJA: Yes. Next slide, please.
6 I think the next few slides, I probably want to 7
skip that. Lets skip down to the historic 8
perspective. I think that was a lot of the 9
questions that we got during the Subcommittee --
10 next slide -- were all about why are we doing this 11 and what we are doing here and --
12 MEMBER BROWN: Can you back up for one 13 minute?
14 MR. TANEJA: Yes.
15 MEMBER BROWN: Back up a slide just for 16 that --
17 MR. TANEJA: Sure.
18 MEMBER BROWN: My take on your position 19 when I went through, and correct me if Im wrong, 20 but were largely process
- oriented, not 21 necessarily technically oriented, and its 22 reflected in what I see.
23 Youve got to do it. You cant 24 extend the time period about which you 25
27 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 recertify.
Youve got to follow the 1
endorsements. Youve got to have certain 2
things. But its process oriented, its not 3
just technical requirements are this or that.
4 MR. TANEJA: Yes. These are 5
clarifications.
6 MEMBER BROWN: Ive got it. Thank 7
you.
8 MR. TANEJA: So our regulatory 9
positions are not exceptions. What happened 10 is, we endorsed Rev. 1 of 1706. So when we 11 received the Rev. 0, we provided a set of 12 comments to NEI, which they incorporated.
13 So, really, Rev. 1 addressed all of 14 our concerns. But here, I think these are more 15 like highlighting the areas that I think one 16 was a little vague of the periodicity of doing 17 the oversight. They said its got to be done 18 at least hours, and thats one of the 19 clarifications.
20 And the other was that make sure that 21 the certificates that you do get, I think we 22 hear that there are some counterfeits out there 23 on the market, that you really need to pay 24 attention to the generalness of those 25
28 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 documents.
1 If youre going to utilize a 2
certificate, make sure that it is a good one, 3
not just some entity.
4 So I think those were just kind of 5
safeguards, those that needed clarification.
6 Okay, so, next slide, unless you have any 7
questions.
8 So these were the five public 9
comments that we go and their dispositions.
10 Nothing new there. So, next slide.
11 So here, I think is where I think 12 probably well answer most of the questions that 13 were raised during the Subcommittee meeting.
14 And the information that I have here 15 really is coming from Reg Guide 1.64s endorsed 16 document.
17 Those are the EPRI document that we 18 endorsed. Has a pretty good history of where 19 the commercial grade dedication of items and 20 services.
21 And what I did is Ive taken the parts 22 that are of interest to the -- from the 23 regulatory framework.
24 It covered a whole lot of -- gamut 25
29 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 of things, that document, but I just captured 1
a few.
2 So this effort really goes back to 3
the 70s when there was -- Appendix B suppliers 4
were disappearing and during the heydays of the 5
- nuclear, there were people that were 6
disappearing and the concern was can we take 7
these commercial items and what do we do with 8
them, right?
9 These commercial grade item 10 discussions started back then when we didnt 11 have Appendix B suppliers.
12 In 76 the first standard that came 13 out was the ANSI 18.7 that was endorsed by the 14 NRC as Reg Guide 1.33, which addressed the end 15 user of the commercial off the shelf item.
16 So, in 78, Part 21 basically was 17 revised. That required a commercial grade 18 dedication before it could be used as a basic 19 component.
20 It became a regulatory requirement in 21 78 that if youre going to use it as a basic 22 component, thou shall dedicate it, right? In 88, 23 EPRI 5652 issued that really provided a methodology 24 of how you go about doing commercial grade 25
30 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 dedication.
1 In 89, NRC issue a generic letter, 2
89-02, that conditionally endorses NP 5652. Next 3
slide, please.
4 In 91, generic letter 91-05 was 5
issued. And that basically pointed to 10 CFR 6
Appendix B, applicability to commercial grade 7
dedication process. But thats really going to 8
be how it imposes the QA requirements onto the 9
process itself.
10 So in 94, EPRI issued TR 102260, a 11 supplemental guidance to the NP 5652. But these 12 two documents, the NP 5652 and EPRI TR 102260, the 13 Rev. 1 of that is the front vision that they gave 14 it a new document or that endorsed by Reg Guide 15 1.164. That is in a pre-document --
16 MEMBER BROWN: Thats not the 106 --
17 whatever the number is.
18 MR. TANEJA: That document, they gave 19 it a new number which basically is a division one 20 to this, and NP 5652. So what they did is this 21 is a supplemental guidance, right? The NP 5652 22 and the supplemental guidance, revision one to 23 that, became the new EPRI doc.
24 MEMBER BROWN: And thats 106439 25
31 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 youre talking about?
1 MR. TANEJA: No.
2 MEMBER BROWN: Or is that the 22 --
3 MR. TANEJA: Thats a document that we 4
endorsed by Reg Guide 1.164. Okay, thats the 5
3002002982. Right. Yes, thats why its so 6
confusing and I thought Id put it in a timeline 7
because theres just so many different documents 8
and so many things happening, right?
9 So in 1996 is when EPRI 106439 was 10 issued. Now, this document is the one that 11 actually provides guidance on how to do commercial 12 grade dedication of digital items, the PLCs and 13 the computerized items and the digital devices.
14 And this is where it supplements the 15 EPRI 5652, right? And in the new standard, this 16 is called out in section 14.1 of the EPRI guidance 17 document.
18 This section focuses on the digital 19 under that document. So the EPRI TR 106439 was 20 endorsed by the NRC by a safety evaluation in 1997.
21 In 2011, a second paper was generated.
22 So we have these bunch of documents, 23 so the issue must have been there, right? The staff 24 issued a paper saying that, hey, we should have 25
32 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 a record on commercial grade dedication process.
1 Right? Because we are noticing these 2
by generic letters and safety evaluations. So 3
thats really where the development of the Reg Guide 4
1.164 effort was initiated. Next slide, please.
5 So in 2014, EPRI issued the 3002002982.
6 That is, and its a mouthful, that division 7
1205652, and a supplement supporting document here, 8
102360.
9 And in 2016 is when the modernization, 10 project number three, that was identified as part 11 of the IAP effort, Commission direction for 12 modernizing the I&C infrastructure.
13 And that effort that was identified was 14 how can we leverage the I&C 61508 into the 15 commercial grade dedication activities?
16 Like I said earlier, concurrent with 17 that, EPRI started their research work, and I think 18 in EPRIs presentation, in their presentation I 19 think theyll go over that a little bit, how they 20 use that research and do that.
21 In 2017, Reg Guide 1.164 was issued that 22 endorsed the EPRI 3002002982. In 2021, December, 23 is when we received NES 1706 Rev One for 24 endorsement. And today we are in front of you 25
33 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 trying to get this document endorsed via Reg Guide 1
1.152.
2 So it has had a long history. Its been 3
evolving, but the nuclear industry has been 4
dedicating this item for a number of years now.
5 And my personal experience with 6
dedication of digital items goes back to the early 7
90s when we dedicated single loop controllers that 8
were made by, I forget now, I think Fisher Porter 9
or somebody like that and then (audio interference) 10 that were digital recorders that replaced pen and 11 paper.
12 And they were commercially dedicated 13 back in the early 90s, so those efforts - and we 14 used this guidance in EPRI 106439 in performing 15 those dedication efforts.
16 But thats my presentation. Are there 17 any questions? Id be more than happy to entertain 18 them. And I have, I think, hopefully, people 19 online with me, Greg was there, QA branch, so any 20 questions.
21 MEMBER MARCH-LEUBA: This is Jose.
22 MR. TANEJA: Yes.
23 MEMBER MARCH-LEUBA: Just for my 24 education, as you say in your presentation, the 25
34 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 whole thing was started in the 70s when people 1
couldnt buy spare parts, right? Has this evolved 2
now? So if Im designing a new reactor from 3
scratch, can I use commercial parts for the guide?
4 Or is this only -- is this only for spare parts 5
or can I build a new reactor with them?
6 MR. TANEJA: Well, our regulatory 7
framework doesnt distinguish between a commercial 8
part or an Appendix B supplier part. What it says 9
is that if you are going to use a commercial 10 off-the-shelf as a basic component, thou shalt 11 dedicate it and thou shalt follow this process of 12 dedicating it.
13 So a dedicated item by de facto means 14 its equal to an item produced under Appendix B.
15 Its as good as that.
16 MEMBER MARCH-LEUBA: So I could design 17 a brand new reactor --
18 MR. TANEJA: Just using commercial 19 parts, if you dedicate it.
20 MEMBER MARCH-LEUBA: Right. Okay.
21 Thank you.
22 MR. BENNER: Now, theres a pragmatic 23 aspect that I could go someplace and buy a vessel 24 and then say I'm going to dedicate it. But I just 25
35 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 dont envision that being how a reactor vessel comes 1
to play. So I think its for this to be an avenue, 2
its because there is a commercial -- like, 3
breakers. I mean, its stuff that you just buy 4
commercial grade. I mean, I think theres still 5
going to be plenty of major components in any new 6
power plant that are going to be -- the only reason 7
theyre going to be there is if theres an Appendix 8
B supplier making that.
9 MEMBER MARCH-LEUBA: The guide is 10 focused on Digital I&C. They still have commercial 11 parts or commercial -- so I&C components that would 12 be very difficult to go under Appendix B?
13 MR. BENNER: Yes. Well, I wouldnt 14 say difficult. Its just, is there a market there?
15 I mean, to get that be certified as an Appendix 16 B supplier, you subject yourself to NRC inspections 17 and other things.
18 And I think theres just not enough 19 customers that these vendors want to do that.
20 Theyre like, hey, I got commercial stuff that I 21 sell to all these highly safety significant 22 industries and its good enough for them.
23 So, nuclear, if you want to use mine, 24 you have to find a way to get my stuff. Im not 25
36 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 going to come to you.
1 MEMBER BROWN: I was going to try to 2
provide some perspective on that. Because most 3
of you all would probably assume Im not great on 4
what I would call all third-party type stuff.
5 I
- mean, but from an experience 6
standpoint in the electronics world, Im not 7
talking about pipes and valves and gears and stuff 8
like that, which are big parts that you can do things 9
- with, theres thousands of parts on a
10 computer-based module, PLC, and thats aside from 11 the million chips weve got inside the 12 microprocessor, inside the logic in it.
13 And you cant test all of it. Theres 14 just no way to do it. Youre faced with stuff in 15 the military world with
- MILSPEC, military 16 specification, parts.
17 There, theres a big market. A lot of 18 ships, a lot of army units, a lot of stuff goes 19 out in the field. Theres a lot of stuff that gets 20 built all the time.
21 So when you build a transistor for an 22 integrated service or a log unit or any piece of 23 equipment thats going into the field, theyll 24 build 10,000 pieces on an assembly line.
25
37 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Theyll test 100. And if no more than 1
three fail, the whole lot passes. I just picked 2
a number out of there, but thats the ballpark.
3 Thats what you live with in the 4
electronics world. So I appreciate this approach 5
because I think thats what were facing largely.
6 We need to go out and find out are these 7
parts that people are using, PLCs whatever you want 8
to call them, commercial parts, theres got to be 9
a better way to do this.
10 I think theres some ways that I mention 11 later in my questions, but I just wanted to put 12 it in perspective so that everybody would 13 understand how you build stuff in the electronics 14 world and how the piece parts do get tested, because 15 they dont get 100 percent tested.
16 Im going to save my other question for 17 everybody elses. Im going to save mine until after 18 NEI. I dont want to -- I want to keep the whole 19 thing moving and get both parts in and then Ill 20 have my other questions. It relates more to my 21 letter, the letter that I generated.
22 MEMBER BIER: So --
23 MEMBER BROWN: Yes, Vicki, go ahead.
24 MEMBER BIER: Okay, this is not my 25
38 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 area, but just from things Ive read in the press 1
and other areas like voting machines or military 2
equipment, whatever, theres a lot of concern about 3
parts that might come already compromised from 4
Chinese manufacturers or other external sources.
5 And has that been addressed? How big of a concern 6
is that in this context, et cetera?
7 MR. TANEJA: Right. So, in our 8
regulatory framework in general, we have what we 9
call an SDOE, secure development and operational 10 environment.
11 And in that effort, not only we require 12 it, but also our Appendix B program and the 13 commercial grade dedication program, one of the 14 requirements is to assure that each part that you 15 are using, right, are coming from reliable sources.
16 And there is a large awareness in the 17 industry of these so-called compromised parts that 18 are getting into their products. They have a 19 person who is building these so-called digital 20 devices, they have as much at risk as a user does.
21 So theres a very high awareness, very concerned.
22 MEMBER BIER: Okay. Thank you.
23 MEMBER BROWN: Any other questions at 24 this point? Yes?
25
39 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MEMBER KIRCHNER: Dinesh, in practice, 1
lets pick on some critical components, like the 2
3 How does this all work out? In my mind, 4
if its under Appendix B the umbrella, so how do 5
you feed the parts of a larger system or component?
6 MEMBER BROWN: Well, can we answer that 7
question after NEI? That is a very pertinent 8
question. I wanted to deal with that in a unified 9
discussion.
10 MEMBER KIRCHNER: Thats my only 11 question.
12 MEMBER BROWN: No, thats good.
13 Thats very good.
14 MEMBER MARCH-LEUBA: For the staff, 15 they prove that their microphones are there.
16 MEMBER BROWN: So if theres no more 17 questions for the staff, NEI can come on up and 18 19 MR. BENNER: Yes, the staff is going 20 to stay here. Whatever questions come up, were 21 still available to take them.
22 MEMBER BROWN: Does he need the center 23 seat or is the right hand or left-hand seat okay?
24 CHAIRMAN REMPE: Do you have someone 25
40 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 online that can share the slides? Wonderful.
1 MR. CAMPBELL: Its actually going to 2
be the primary presenter today. Id just like 3
to make a couple of introductory marks and then 4
well --
5 MEMBER BROWN: Turn on the mic.
6 CHAIRMAN REMPE: Go ahead and ask them 7
to share their slides, too.
8 MEMBER BROWN: When its green its on.
9 MR.
CAMPBELL:
Im red-green 10 colorblind so --
11 MEMBER BROWN: Touch it again.
12 MR. CAMPBELL: There we go.
13 MEMBER BROWN: Pull the mic forward.
14 MEMBER MARCH-LEUBA: Say your name, 15 please.
16 MEMBER BROWN: Pull the mic -- pull the 17 mic toward you. Thats it. Thank you.
18 MR. CAMPBELL: Okay, can everybody 19 hear me? And it looks like Andy Nack will be our 20 primary presenter today.
21 My name is Alan Campbell. Im the 22 technical advisor with NEI. I lead our digital 23 I&C working group and multiple task forces that 24 we have underneath that digital I&C working group.
25
41 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 So I wanted to start by thanking the 1
ACRS Committee today for inviting NEI to speak 2
regarding our work on digital I&C commercial grade 3
4 The approach that will be presented 5
today supports the replacement of aging analog 6
systems in the operating fleet with digital systems 7
that enhance the safety and reliability of our 8
nuclear power plants.
9 This process provides a pathway for the 10 use of commercial digital I&C technology that has 11 been developed specifically for functional safety 12 applications.
13 By using this approach, we will provide 14 a consistent oversight process of commercial off 15 the shelf components and are able to draw from the 16 operating experience of other safety critical --
17 I want to thank the NRC staff for their review and 18 comments of NEI 1706 and their participation in 19 multiple accreditation audit observations that 20 demonstrated the adequacy of both SIL certification 21 and NEI 1706 oversight processes.
22 But at this time, Ill turn over the 23 presentation to our primary author of NEI 1706, 24 Mr. Andy Nack, and hell go over the processes.
25
42 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Thank you very much.
1 MR. NACK: All right. Thank you, 2
Alan. As Alan said, my name is Andy Nack. Im 3
part of the NEI team.
4 So, what weve got today is a 5
presentation that is a little bit abbreviate 6
version of what we presented previously to the 7
Subcommittee.
8 This slide here is just kind of a 9
placeholder showing you where the document is 10 available on the NRCs website with a quick summary 11 of the scope that reflects what Alan just shared 12 in terms of the overall goal of this document, the 13 purpose of the document.
14 So one of the things we wanted to do 15 today is to get a little bit more into what this 16 safety integrity level ecosystem is and how it 17 already exists and how were just trying to leverage 18 something that is already being utilized in other 19 high risk industries.
20 So this safety integrity level concept, 21 it was already mentioned that theres four levels.
22 23 So its level one, or SIL one, would 24 be for the least risky application going all the 25
43 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 way up to SIL four, which is the highest risk.
1 And so typically within a system that 2
is certified or developed to a SIL level, theres 3
three main types of components that are going to 4
be involved.
5 And thats what were showing here with 6
the sensor, the logic solver, and some type of an 7
on/off actuator.
8 And so theres manufacturers of these 9
components that are using the IEC 61508 standard 10 to ensure that theres systematic integrity and 11 the appropriate level of reliability and hardware 12 fault and tolerance based on what the particular 13 skill is that their goal is to achieve.
14 And so, across the bottom Ive got some 15 example manufacturers that use IEC 61508 to design 16 and manufacture products.
17 Once these manufacturers have the 18 product ready for certification, they contract with 19 Exida or TUV Rheinland or various other certifying 20 bodies to come in to evaluate what they have done 21 in their efforts to design and develop these 22 products to be in compliance with 61508.
23 So, these manufacturers, as was 24 discussed, are doing this because they know that 25
44 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 theres a market in high risk industries such as 1
oil and gas or chemical processing or other 2
industries that are going to, kind of like was 3
discussed about the military, is going to buy a 4
large quantity of the products that they design 5
and develop and sell.
6 So these certified bodies are also then 7
accredited by whichever accreditation body is 8
appropriate for the country theyre located in.
9 So for example, I just have DakkS at 10 the top, because thats the German accreditation 11 body, and that would be who accredits TUV Rheinland 12 and the other two entities.
13 And ANAB would be the entity here in 14 the US that accredits Exida.
15 And earlier, it was mentioned about the 16 EPRI research. So these items here are summaries 17 of what the conclusions were from that research 18 that we were able to build upon when we were 19 developing this guidance.
20 First one was that the SIL 21 certification aligns well with EPRI TR 106439.
22 So this is where you can really get into 23 the nuts and bolts of the types of activities, the 24 design techniques, the features that were being 25
45 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 built into the products, align well with what was 1
already in the existing process for nuclear in this 2
TR 106439 document.
3 Then the certifying bodies are standard 4
and rigorous, reliable evaluation process. The 5
CBs, so thats the CBs.
6 The ABs, the accreditation bodies, 7
ensures the CBs are consistent and trustworthy.
8 The failure data indicates reliable operation and 9
SIL certified equipment.
10 And SIL certifications are an accurate 11 indicator of reliability. So to accomplish these 12 conclusions, EPRI did an in-depth dive into what 13 these certifying bodies and these accreditation 14 bodies, what they do, what their processes are.
15 And the interesting aspects with the 16 final two conclusions was that they actually did 17 gather operating experience and compare it to what 18 the certifying bodies had certified.
19 So they were able to see in the data 20 that the actual failure rates of the certified 21 equipment were -- the certifications were actually 22 conservative in terms of the actual failure rates 23 in the field.
24 So with one noted exception of a 25
46 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 situation where they were able to see that the 1
failure rate was higher than predicted and 2
certified, and it was actually a way that they were 3
able to go in and find a systemic issue with the 4
manufacturing process.
5 So part of the certifying bodies 6
evaluation process already included comparing 7
actual operating experience against what the 8
predicted failure rates were and when the actual 9
failure rates are higher than whats predicted, 10 they go in and figure out why.
11 And it is a very useful indicator of 12 finding that systematic issue with the 13 manufacturing.
14 They were able to in that instance 15 correct it and see the reliability numbers fall 16 back down into the range of being predicted.
17 DR. BLEY: Andy, this is Dennis Bley.
18 MR. NACK: Yes.
19 DR. BLEY: Im glad to hear all this.
20 We heard earlier part of the reason weve gone 21 to this process is that manufacturers didnt want 22 to dance through all the hopes that NRC applies 23 for inspections and the like.
24 Do these accreditation bodies or the 25
47 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 certification bodies have agreements with the 1
vendors that when they find something curious like 2
you just talked about they can get in and rummage 3
through the vendors data?
4 MR. NACK: Yes. So the certifying 5
bodies operate using ISO 17065. And that standard 6
drives contractual agreements between the 7
certifying body and the particular manufacturers 8
where they make commitments like that, that they 9
are - if - so if the manufacturer is wanting to 10 carry a particular CB certification, they have to 11 agree to provide that type of information to the 12 CB.
13 DR. BLEY: Okay. Just thinking out 14 loud now, which is a dangerous thing to do. This 15 kind of implies that from a component vendors point 16 of view, the NRC process puts a lot of overhead 17 on them whether or not they have problems, and here 18 theyre willing to allow outside involvement in 19 their systems if theres indications of a problem.
20 Is that a fair statement?
21 MR. NACK: Yes, I would say thats 22 correct. And I think what was mentioned earlier 23 about what the size of the potential market is for 24 them to sell them to is a major differentiator.
25
48 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 DR. BLEY: Yes, okay, thank you. You 1
have spoken to one of the questions I asked NRC 2
earlier.
3 Are the reliability data that back up 4
this process available to people in the various 5
industries? Or is it proprietary to the vendors?
6 MR. NACK: Its available. So Exida 7
is the CB Im most familiar with. I know that they 8
use various sources for their reliability data, 9
some of which are probably the ones that youre 10 aware of.
11 But they also collect data as theyre 12 doing their certification evaluations of 13 manufacturers.
14 And Exida actually offers a platform 15 that provides access to a lot of that data for use 16 through someone creating a contract with them and 17 gives access to all the data that they have in terms 18 of operating experience.
19 DR. BLEY: Okay. Interesting. Thank 20 you.
21 MR. NACK: Sure. All right. And so 22 now, well jump into looking at the existing process 23 for accepting or justifying equipment and then 24 looking at how this new NEI 17-06 guidance enhances 25
49 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 that process.
1 So this right now is what the process 2
would look like to go through qualifying and 3
dedicating equipment for use in a nuclear 4
application.
5 And so, the next slide, we overlay where 6
the SIL certification provides some enhancement 7
here. So the work that is being done is a 8
qualification part of the process where youre 9
determining suitability of the design for the 10 application, looking at the systematic integrity 11 aspect of that evaluation is covered by the fact 12 that the manufacturer is adhering to IEC 62508.
13 Then getting into the commercial grade 14 dedication phase, this is where you gain the ability 15 to utilize the SIL certification in place of what 16 would have needed to be covered using typically 17 a commercial grade survey to address the 18 dependability critical characteristics.
19 Then that gets you to where it says 20 implementing the method one acceptance strategy, 21 where youre still completing the commercial grade 22 dedication using or completing the commercial grade 23 dedication process for the critical 24 characteristics that fall into those categories 25
50 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 of performance and physical critical 1
characteristics that can be typically evaluated 2
by some type of testing.
3 DR. BLEY: Andy, its Dennis Bley 4
again. We talked about availability of the data 5
to the folks who are building components.
6 What about the people who are users of 7
those components, either a utility company whos 8
going to buy a new plant or a US reactor vendor 9
whos looking to buy components to put into their 10 plant?
11 Do they have access? And lets include 12 the NRC as well. Do they have access to the data?
13 MR. NACK: They would be able to 14 achieve the same access by engaging with Exida that 15 a manufacturer would.
16 And so the way the SIL ecosystem works 17 is that the end user is actually, or some 18 integrator, is actually responsible for putting 19 the different components together in a manner that 20 still achieves the particular reliability targets 21 required for the application.
22 So the failure rates are still 23 applicable to the end user, maybe even more so than 24 the manufacturer, because the end user is 25
51 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 responsible for making sure that the reliability 1
targets are still achieved when they put all the 2
different pieces together.
3 DR. BLEY: So that makes sense.
4 MR. NACK: So theyre looking at the 5
system reliability instead of just the individual 6
component reliabilities.
7 DR. BLEY: If Im an end user, do I have 8
a contractual or other obligation to provide 9
failure data I collect after Im using the 10 components back to this process?
11 MR. NACK: I wouldnt say 12 contractually. I think in that type of a scenario, 13 it makes a lot of sense for the end user to feedback 14 failure data back to the manufacturer.
15 Because its definitely in the interest 16 of the end user to have the most accurate failure 17 data as possible, so they would want to provide 18 that information back to the manufacturer that 19 would then get integrated into the larger data set.
20 DR. BLEY: Okay, thanks.
21 MR. NACK: Okay. And so now moving 22 into a more detailed step through of what this NEI 23 17-06 guidance really is and the nuts and bolts 24 here.
25
52 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 And Ive included an example 1
manufacturer, Yokogawa, and an example certifying 2
body of Exida, just as a reference.
3 And then over on the left side of the 4
screen, Ive just noted that thats the Appendix 5
B QA program that the dedicating entity would be 6
operating under.
7 So starting out, step one, youre 8
definitely going to need to identify what your 9
requirements are for your application.
10 And then youre going to confirm that 11 the equipment that youre evaluating is certified 12 in a manner that encompasses what your requirements 13 are.
14 Then you move into identifying what the 15 critical characteristics are for the equipment as 16 well as identifying critical characteristics of 17 the service that the CB is providing when theyre 18 providing their certification.
19 Because I guess its important to note 20 here, theres actually two separate commercial 21 grade dedication activities happening.
22 One is for the actual item that the 23 manufacturers providing and one is a dedication 24 of the service that the CB is providing.
25
53 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Then youre going to confirm that the 1
certifications that the CB are providing are within 2
the scope of what their accreditation covers.
3 And then youre able to complete the 4
dedication of the CB service using that 5
accreditation.
6 Then well talk more detail later about 7
how an accreditation body or how an accreditation 8
body and CB together get their initial approval.
9 And so that approval process happens 10 before this to where that approval is part of what 11 is necessary to complete this dedication of the 12 service.
13 Then Step 7, we get into being able to 14 use the certification. So the reason for the 15 dedication of the CB service is so that the 16 certification thats been provided by that CB now 17 has the necessary pedigree to be used to - be used 18 to determine the acceptability of the dependability 19 critical characteristics.
20 Then the final step, Step 8, youre 21 using traditional commercial grade dedication 22 methodologies such as Method 1 Testing to determine 23 the acceptability of the physical and critical 24 performance characteristics.
25
54 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 And so that walks you through what the 1
actual process is that this guidance is utilizing.
2 3
And then the NEI 17-06 does also include 4
some indications of how to select SIL certified 5
equipment.
6 And just at a high-level summary, 7
youve got the equipment, must be able to prove 8
-- to perform the required functions for the 9
application.
10 The equipment must be certified for the 11 appropriate SIL level. So for an example, if its, 12 if the application requires SIL two, the equipment 13 must be certified to two or higher.
14 And the required safety functions must 15 be within the scope of the safety functions 16 identified on the certificate.
17 And just as an example of this, theres 18 several actuators that are certified that its 19 important to look at what details of their actuation 20 are actually covered by the safety function thats 21 listed on the certificate.
22 So if the actuator does provide some 23 variable in all type control, often the certificate 24 will list the safety function as only including 25
55 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 the on/off range of that actuators functionality.
1 So heres what I was referring to a 2
minute ago about the different pathways to 3
approving the CBs.
4 So before walking through the process 5
of utilizing this NEI 17-06 methodology, the CBs 6
need to have been evaluated by the industry using 7
one of these two pathways.
8 One is this accreditation only pathway, 9
where the accreditation body, its been observed 10 that they utilized sufficient rigor to look at the 11 CBs processes but also their scheme.
12 And the scheme is whats specifically 13 tying into the IEC 61508 requirements that are more 14 the technical type of requirements in nature.
15 And the second pathway is a situation 16 where a little bit more rigor does need to be applied 17 to the assessment of the certification scheme.
18 And this is an example of what we 19 encountered with ANAB during our observations was 20 that during the initial observations, ANAB needed 21 a little bit more rigor in terms of how they were 22 evaluating the scheme that the certifying body was 23 using.
24 And so, NEI 17-06 includes a 25
56 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 supplemental checklist that the nuclear industry 1
can directly use interacting with the CB directly 2
to supplement what the accreditation body has done 3
in terms of looking at the processes.
4 So one of these two paths are available 5
to gain the initial approval of the CBs for use 6
within this process.
7 MEMBER HALNON: Andy, this is Greg 8
Halnon. How often is the accreditation process?
9 MR. NACK: The accreditation or the AB 10 at least in what we interacted with, with ANAB and 11 Exida has some type of an activity every year.
12 I think the actual accreditation cycle 13 is every two years but even on the off years, the 14 accreditation body does at least a supplemental 15 observation process that looks similar to a full 16 accreditation activity but I guess is a little bit 17 abbreviated.
18 So theyre doing something every year.
19 MEMBER HALNON: Great. Do you know 20 how long the certification process takes from -
21 I hate to say the site visit but from the actual 22 accreditation? A week? Two weeks?
23 MR. NACK: Yes, so, these interactions 24 typically involve the CB providing the AB a lot 25
57 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 of information remotely ahead of time.
1 So a lot of the work is done up front 2
of reading the procedures and figuring out what 3
they want to look at.
4 So then the actual on-site activities 5
are something more like the one-week range.
6 What we saw was the accreditation body 7
utilized separate teams and so it was more like 8
each team spent one or two days looking at their 9
particular area.
10 And they might be operating in 11 parallel. So like one team would be more focused 12 on the procedures and the administrative aspects 13 of 17065 while the other team was more the technical 14 aspects, looking at how the manufacturer was 15 qualified to do the work and how theyre applying 16 their scheme.
17 MEMBER HALNON: Okay. Who is on the 18 accreditation visit? Are they consultants? Are 19 they industry folks? What is the makeup of the 20 team that does the accreditation?
21 MR. NACK: So, ANAB has a process that 22 they use to qualify people. So theyre 23 representatives of ANAB. I dont know how they 24 necessarily structure them in terms of, are they 25
58 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 direct employees of ANAB? I dont know. They may 1
be operating as contractors of ANAB. But they have 2
been evaluated by ANAB as qualified to perform the 3
particular accreditation activity.
4 MEMBER HALNON: Okay, so they train 5
their own folks.
6 MR. NACK: Yes.
7 MEMBER HALNON: The accreditation 8
processes.
9 MR. NACK: Yes.
10 MEMBER HALNON: Thank you.
11 MEMBER BIER: Another question. Are 12 the accrediting bodies currently all governmental 13 organizations or no?
14 MR. NACK: No, theyre not.
15 MEMBER BIER: Okay. So theyre 16 commercial or non-profit or do you know what the 17 status is?
18 MR. NACK: I dont know. Alan, do you 19 know? I dont know.
20 MEMBER BIER: Its not super 21 important. Im just curious.
22 MR. NACK: Im not sure organizational 23 wise the structure.
24 MEMBER BIER: Thanks.
25
59 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MEMBER HALNON: This is Greg again.
1 MR. CAMPBELL: ANAB is associated with 2
the answer.
3 MEMBER HALNON: So if you make the 4
analogy to like ABET, the accreditation board for 5
engineering technology programs, there are 6
industry and academics and other folks who are 7
involved in that field that give their time to the 8
accrediting board itself.
9 And thats what I was trying to find 10 a word. They draw their people from. That might 11 be just good to look up if you would just to let 12 us know. Because it speaks to, one, how 13 independent they are and how consistent the process 14 is year after year. Because if you get different 15 people every single time, there are plusses and 16 minuses. Theres a fresh look but you also get 17 less experience.
18 MR. NACK: Yes, and the other umbrella 19 that all the accreditation bodies are under is the 20 international accreditation forum where different 21 accreditation bodies evaluate each other.
22 So youve got that dynamic going on as 23 well that tries to maintain a standard application 24 of what the accreditation bodies are doing.
25
60 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 All right. Then NEI 17-06 also 1
provides some guidance on how the dedicating 2
entities would need to adjust their QA program to 3
be able to make sure its set up in an appropriate 4
manner to utilize this process.
5 And this is just a summary of the areas 6
that it provides direction for it to be adjustments 7
made in these procurement documents, what the tasks 8
are associated with the digital dependability 9
evidence and the QA evidence for digital 10 dependability and their correction action program.
11 So details are provided in the NEI 12 guidance for those areas. And then this is whats 13 already been touched on a little bit, but this is 14 where the nuclear industry will continually provide 15 oversight of the accreditation bodies and the 16 certification bodies on an ongoing basis, kind of 17 trying to be able to look at what was just being 18 asked in terms of are they maintain their level 19 of rigor and are there people that are out in the 20 field doing the evaluations maintaining the proper 21 level of training and evaluations and such?
22 And so, were currently in discussions 23 engaging with NUPIC as a possibility for being the 24 entity that would take on this task. But were 25
61 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 kind of in a situation right now where NUPIC is 1
interested in waiting on seeing the NRC endorse 2
the process and then it looks like they probably 3
would be interested in getting more involved. So 4
5 MEMBER BROWN: Excuse me, I keep 6
forgetting what NUPIC alphabet soup means.
7 MR. NACK: Yes, its, I believe its 8
nuclear -
9 MEMBER BROWN: Im not the only one.
10 MR. NACK: Yes, Nuclear Utility 11 Procurement Issues Committee.
12 MR. GALLETTI: Andy, Ill just chime 13 in. This is Greg Galletti from the NRC group.
14 It just stands for Nuclear Utility Procurement 15 Initiative Corporation.
16 MEMBER BROWN: Thats not an NRC 17 operation.
18 MR. GALLETTI: No, its a consortium 19 of licensees. So they would -
20 MEMBER BROWN: Go ahead.
21 MR. GALLETTI: I was just going to say, 22 its an organization based up of nuclear, 23 commercial nuclear licensees and their 24 representatives sit on the committee.
25
62 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MEMBER BROWN: Okay, so the oversight 1
by U.S. NRC really follows. It says NRC licensees 2
or designees, not NRC body going out and doing this 3
oversight. Is that the way you read this?
4 MR. NACK: Well, it can be. So the 5
NUPIC, the utilities are ultimately responsible 6
for the oversight but the NRC has the option to 7
participate as they see fit.
8 MEMBER BROWN: Has that process been 9
defined yet or is that still in play based on NUPICs 10 hesitancy on jumping in?
11 MR. NACK: Well, the fundamentals are 12 as I described in the two pathways for getting the 13 approval of the CBs and the Abs using the 14 accreditation or the accreditation plus the scheme 15 evaluation.
16 And the NEI 17-06 has the additional 17 checklist included in it. That would be the 18 process that the oversight would use to do the 19 evaluations.
20 So the only open issue right now is are 21 specific licensees performing that or will they 22 jointly perform it under the NUPIC entity?
23 MR. ODESS-GILLETT: Andy, can I 24 supplement your response by saying that the NEI 25
63 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 17-06 says that the licensee or its designee is 1
responsible for this oversight.
2 MEMBER BROWN: Who spoke just now?
3 MR. ODESS-GILLETT: That was Warren.
4 Im sorry, Charlie, Warren Odess-Gillett.
5 MEMBER BROWN: Oh, okay. Thank you.
6 MR. ODESS-GILLETT: Yes. So that 7
really is, I think, US NRC licensee as you were 8
asking, Charlie.
9 MEMBER BROWN: Okay, thank you for the 10 more than clarifications, explicit statements.
11 MR. BENNER: Yes, and this is Eric 12 Benner. Ill add some clarification, because 13 theres a lot of layers here, right? I think 14 everyone gets that.
15 So that was part of our challenge as 16 the staff of, we needed to make our endorsement 17 of this process sort of standalone.
18 So its written right now, we 19 understand that NUPIC may do some things and were 20 looking at -- theres current certifying and 21 accreditation bodies and we wanted to make sure 22 we didnt need to update the reg guide every time 23 another party added to it.
24 So we set the standards for each of the 25
64 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 entities. And like Warren just said, right now 1
its constructed that since NUPIC hasnt stepped 2
in to do this role, its very clear that the licensee 3
has this responsibility.
4 But we added our designee so that if 5
NUPIC steps in to take on this role, then its very 6
clear what NUPIC needs to do.
7 Now, that layer is what it is. The NRC 8
still has its independent oversight layer where 9
just like for any Appendix B or commercial grade 10 dedication activities we have, you heard Greg 11 Galletti speak. Hes a member of our Vendor 12 Inspection and QA Branch. They have a rubric that 13 they use to do different inspections each year.
14 I mean, they have a certain number of 15 resources, so they pick and choose where they 16 inspect. But just like for all commercial grade 17 dedication stuff, they go out and we do our own 18 independent look at each part of all these things 19 to draw our own regulatory conclusions.
20 MEMBER BROWN: So you can step in when 21 you want to?
22 MR. BENNER: Yes. I mean, if we see 23 a problem, right, we always have the available to 24 step in if theres a problem.
25
65 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MEMBER BROWN: Youre just not left out 1
2 MR. BENNER: No. I mean, the bottom 3
line is theres regulated activities so there are 4
-- our process makes it clear whose responsibility 5
it is to do those activities. And it continues to 6
make it clear that we have an independent method.
7 And those fundamentals dont change at all.
8 MEMBER BROWN: Okay. Thank you. Any 9
more comments? Go ahead.
10 MR. NACK: Very good. And just to 11 highlight some of the reasons why we want this 12 process and think it will be helpful is that it 13 does direct the nuclear industry to direct them 14 towards these products that can be seen as better 15 products in terms of engaging with manufacturers 16 that are particularly interested in building in 17 reliability and systematic integrity into their 18 products.
19 Because thats the result of them 20 complying with the IEC 61508 standards. And it 21 does provide access to a broader collection of 22 operating experiences to be used by the power 23 plants.
24 Traditionally, you could use 25
66 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 commercial grade dedication on any product that 1
you wanted to and it was hard from the outside to 2
necessarily see what you were going to find before 3
you really dug into it.
4 And so, SIL certification provides a 5
helpful indicator from the outside so that you know 6
what youre getting into from the start.
7 And then with improved efficiency, you 8
are interacting with manufacturers that are able 9
to sell these products that do have the necessary 10 reliability and systematic integrity that are able 11 to sell them to other high-risk industries as I 12 mentioned earlier.
13 And it really is a benefit in terms of 14 manufacturers are already familiar with 15 interacting with people that want to dig into their 16 process and see how they do things.
17 And the process also provides 18 significant efficiencies in terms of the nuclear 19 industry not having to perform their own commercial 20 grade surveys, which are really seen as a redundant 21 activity from what the CBs were already performing.
22 And that brings us to any questions.
23 MEMBER BROWN: Walt, did you want to 24 ask your question again or do you want me to ask 25
67 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 it for you?
1 MEMBER KIRCHNER: Why dont you go 2
ahead and ask it for me? Because I cant quite 3
remember how I phrased it. You made me hold it 4
too long.
5 MEMBER BROWN: Im going to -- I want 6
to phrase this the right way because I think this 7
is something that the NRC as a program needs, to 8
provide about getting new stuff put into plants 9
where it ought to be.
10 And theres a lot of resistance to doing 11 this. Its a matter of some of the thought 12 processes. As weve all talked about before, 13 software-based systems introduces, relative to 14 analog, introduces a whole new set of modes, 15 possible modes of failure.
16 It can be anything from corrupt data 17 to lockups to functions not being performed because 18 you run out of time, et cetera. Silent stuff.
19 As weve emphasized in most of our 20 discussions, this is my opinion in this case, not 21 the Committees opinion by any means. I hope it 22 is, but not.
23 The protection against most of this 24 stuff in the RTS and ESFAS world is multidivisional 25
68 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 protection system that meets a set of requirements, 1
the redundancy and its all the standard 2
deterministic with none of our systems with 3
permanency.
4 But theyre all interrupt driven. At 5
least I havent found any. And then the control 6
is physical as well as electronic access and still 7
manage to interact with the staff on it.
8 Now, thats put in place. Watchdog 9
timers are part of the primary, almost the only 10 way that you can ensure those downstream, both the 11 processing data, processors as well as the voting 12 units if youre going to use digital components 13 for voting units, other than analog logic service.
14 Digital logic service, but not software.
15 TR whatever it is, it addresses 16 watchdog timers in considerable detail throughout 17 the supplier, particularly the concession 6.4.
18 It actually talks about an ESFAS 19 application of single unit versus a double unit, 20 which we talked about before.
21 There were a number of examples. With 22 single units, were talking about. And looking 23 through the IEC, there was an interest relative 24 to the single versus multi in part six, Appendix 25
69 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 B, EU.1.1, where it says, this standard 1
incorporates a number of measures which deal with 2
systematic failures.
3 However, no matter how well these 4
measures are applied, there is a residual 5
probability of systematic failures occurring.
6 Although this does not significantly 7
affect the reliability calculation, theres a lot 8
of those that goes through the IEC, for single 9
channel systems.
10 If I want to start a pump or do this, 11 the potential of failures which may affect more 12 than one channel in a multi-channel system or 13 several components in a redundant safety system, 14 paren, i.e., common cause failures, results in 15 substantial error in reliability calculations are 16 applied to multichannel or redundant systems.
17 The International Standard recognizes 18 taking a PLC with your logic and reliability and 19 dependability calculations. It doesnt 20 necessarily transform into a multidivisional 21 system, which is what we really kind of rely on 22 in our RTS and ESFAS systems.
23 Now, Im going to segue back to the 24 example, 6.4 in the TR, Topical Report, 10, whatever 25
70 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 the number is, 10636439, where you evaluate all 1
the equity evaluated, excuse me, the application 2
of the programmable logic control in an ESFAS 3
system, a multichannel system.
4 And they go through an evaluation, two 5
sets of evaluations. One, make sure I get these 6
straight, oh, yes, they evaluated the need for an 7
external watchdog timer challenge failures, and 8
it concluded that the feature wasnt required 9
because the internal diagnostics had such a high 10 degree of coverage with internal failure, the 11 implementation of watchdog onboard and watchdog 12 timers, thats in software, watchdog timers, 13 basically, is what youre talking about, is 14 sufficiently robust to protect against failure.
15 Modes of interest with these features 16 combined with the fact that the systems are 17 functionally tested every month and theres a 18 manual backup, and therefore no watchdog timer is 19 required, hardware off guard.
20 The example then said, well, okay, hold 21 it. Weve also got to look at a failure analysis 22 considering the possibility of a failure that could 23 disable redundant PLCs into automatic actuation.
24 In other words, silent, I guess, across whatever 25
71 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 that mode would be.
1 And then they go on to say the 2
likelihood is considered very low based on a review 3
of the software development process. Okay, the 4
marble process. Theyre always good.
5 A successful operating history with the 6
controller and similar application. This is a 7
one-line controller. Knowledge of the device 8
design. And wonderful failure management 9
provisions.
10 Monthly surveillance checks and an 11 extensive testing program performed by the vendor 12 and utility integrator to support the dedication.
13 Okay. However, we did do a defensive 14 in-depth evaluation of that, but determined that 15 since we have operator backups, we dont need a 16 watchdog timer, which was a terrible message to 17 be sending.
18 Theres some inconsistencies is all Im 19 saying, when you apply, just, other examples of 20 PLC that you find thats been used in a lot of 21 applications, those get software upgrades.
22 It happens inevitably, and software 23 applications, you have to change the operating.
24 You download the provisions however you want to 25
72 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 frame them.
1 They have to be compiled when theyre 2
done. And five years later, if you use a different 3
compiler, then you use the initial design, you may 4
get a different way that code is compiled.
5 I only make a statement like that 6
because there was one circumstance I was involved 7
in where we had a system that worked just fine but 8
we had to get a new device and put our software 9
in it.
10 We had a different compiler and now the 11 system didnt work. Fortunately, it wasnt an 12 operating system. It was a testing system.
13 So its all these things point to the 14 need for some emphasis in my thought process in 15 whats lacking, and not just my opinion, not the 16 Committees opinion, that 1.250 is a clarifying 17 position.
18 Is it the utilization of this process 19 doesnt ever gain or put aside the need to evaluate 20 our reactive protection and safeguard systems via 21 the standard review plans, the DSRS, the Reg Guides, 22 the ISGO 6, BTP 7-19, et cetera. And that the 23 silent failure routine, I mean, if you go, all of 24 those documents talk about watchdog timers 25
73 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 somewhere in the architecture.
1 I would just think it would be useful 2
to have something that identifies this says this 3
parts okay but it has to be used in an integrated 4
system, particularly in multidivisional systems, 5
that we utilized skill, need to be adhered to or 6
appeal part of the process.
7 That doesnt come through as part of 8
the guidance.
9 MR. BENNER: Yes, and Ill start, and 10 this is Eric Benner now.
11 MEMBER BROWN: Did I pay for you all?
12 MR. BENNER: Yes, and this is Eric 13 Benner again. Id say we completely agree. The 14 lens through we look at this is, the commercial 15 grade dedication process in no way, shape, or form, 16 thats what your design and licensing requirements 17 are.
18 So while the references we talked about 19 are when we actually design, an applicant designs 20 something, the license that we set certain 21 requirements and we apply all those guidance 22 standards.
23 So this process says, hey, I already 24 have a license. I already have a system. I 25
74 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 already have a design.
1 I already have components. And now I 2
need to replace part of that with new systems or 3
components.
4 So they still have an obligation to make 5
sure that whatever theyre doing fulfills the 6
design and license requirements. But I see your 7
point, particularly in this situation, that 8
sometimes you believe, but this has been the case 9
for commercial grade dedication, not just in SIL 10 but across the board is, right, you want to buy 11 one thing, because that is what the design says, 12 and you buy something else and you think that 13 something else works the same exact way but it 14 doesnt.
15 Thats part of what this process is all 16 about is to say, okay, youre taking on this new 17 responsibility to get this new thing and put it 18 into your system, put it into your facility to do 19 a certain function.
20 We put a bunch of tests in place that 21 licensees and these other bodies do to convince 22 ourselves that its actually going to do what you 23 say its going to do.
24 But I respect this idea that a run-in 25
75 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 to the classic scenario, particularly as you move 1
to digital, particularly because software 2
component may be introducing failure mechanisms 3
that you havent really considered before.
4 So well certainly take that offline 5
to see what reinforcement well need.
6 MEMBER BROWN: So hopefully Im 7
writing the report on this and Ive tried to 8
incorporate enough information in there to try to 9
get this point across.
10 The fundamental is hardware watchdog 11 timers come in a couple of different varieties.
12 A PLC could have a built-in hardware watchdog timer 13 in but just its not, its separate.
14 Theyve got to be separate. You cant 15 depend on the operating system software. I mean, 16 its got to be separate. But it could have that 17 component built in but just not used in some 18 circumstances. Or it could be an off-board one 19 thats incorporated based on your design approach.
20 So, I mean, the point being is that, 21 and I dont want to be pedantic about this, its 22 just that weve worked hard over the last 12 years.
23 Every new plant design weve worked on where we 24 had software-based processing and voting units, 25
76 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 Im not applying it to the equivalent.
1 We didnt do it in the HIPTS process 2
because its hardware, fundamentally, and log 3
computer based by the time you program it.
4 So, I mean, we just cant lose that 5
capability or that idea. Youve agreed that we 6
can use these and theyre okay, but they dont have 7
that.
8 Well, but this thing is not capable of 9
incorporating -- we used this in the architecture, 10 it cant incorporate it. Thats my concern.
11 Now, Jose had a comment, I think. You 12 raised your hand.
13 MEMBER MARCH-LEUBA: Yes, this concept 14 comes very often in software reliability. The 15 issue is open identification of requirements.
16 Before you start doing the testing, you have to 17 identify whether a watchdog timer is needed or not.
18 And its easy to forget, especially if the watchdog 19 timer is embedded into the PLC, that you need to 20 test it.
21 So I dont know if we have enough 22 emphasis. The best way to design the software is 23 to have good requirements.
24 The best way to design or to certify 25
77 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 the parts is to know what the part needs to do.
1 And thats crucial.
2 MEMBER BROWN: Theres always, theres 3
software timers throughout most that are 4
interrupt-driven because it stops and goes off and 5
does something.
6 So theres a timer in the software.
7 Theres one of them every five milliseconds. It 8
was off doing something and it stopped everything 9
that came back and every five milliseconds it was 10 testing.
11 It would be insane to be doing it in 12 my opinion, when I read the Topical Report, but 13 thats what they were doing. The system worked 14 so its in use.
15 The point being that theres a lot of 16 little ones in there, but if the timers are part 17 of the software and the software stops, for whatever 18 reason, youre toast. And this is the important 19 part. Im sorry, go ahead.
20 MR. BENNER: And this has played out 21 significantly, not so much in these discussions, 22 but in a different realm. Applicants have looked 23 at the self-diagnostic capabilities of these 24 systems to eliminate required text message 25
78 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 analysis.
1 And weve done some of that but we also 2
basically have the same concern youve had, Member 3
Brown, of, hey, what if the self-diagnostics arent 4
working?
5 What is your mechanism to know that 6
these self-diagnostics are still working? And as 7
we have allowed elimination of some certain 8
balances, weve put in what we think are the right 9
checks and balances that the operator does have 10 touchpoints to ensure that those processes are 11 indeed giving you what you think theyre going to 12 give you.
13 So conceptually, weve been working 14 this issue and I think its been not so much in 15 this forum.
16 MEMBER HALNON: And this is Greg.
17 Forgive me for being a novice. A component was 18 supposed to be able to do a self-diagnostic, either 19 watchdog timer or some other, wouldnt that be a 20 critical characteristic that would have to be 21 brought through the process and eventually tested 22 in some way?
23 MR. TANEJA: You know, thats really 24 where, if youre relying on that sort of diagnostic, 25
79 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 and that, and some of these safety critical devices, 1
some of these SIL requirements are that there is 2
a failure outcome, which it puts it into a safe 3
state.
4 So if it does fail, the result, its 5
essentially doing what a watchdog timer would do.
6 Essentially, put the output into a safe state 7
and so those are then become the requirements for 8
that product they are getting certified.
9 And I think one of the points that Andy 10 alluded to was that you have to, if you are going 11 to use this process, you have to see what does the 12 SIL certification mean and what feature is it 13 certifying, and for your application, are those 14 features suit your requirements or not?
15 But that assessment has to be done very 16 early in the process, before you even go and start 17 to dedicate that item for use.
18 Does it have the level of certification 19 that meets your requirements for your given 20 application?
21 So I think, and Member Brown, to your 22 point, yes, we worked on developing the SRPs and 23 the DSRS and all of these ISGs, to really shift 24 our focus toward meeting these fundamental design 25
80 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 principles for the INCs and looking at these 1
dependability of performance and repeatability and 2
dependability where we are talking about, what are 3
these lockup situations and how do we protect 4
against these things? But that is an effort that 5
we pay a lot of attention to when we are doing the 6
overall design application.
7 Now, here, if you are buying a part, 8
you still have to meet your overall design 9
requirements. What are your requirements for your 10 system? And so that requirement match has to be 11 done by the designer very early on in the process.
12 So, I dont think we are downplaying 13 any of that effort. I think what we are trying 14 to say, by using the SIL certified product, what 15 you are getting is actually you are getting better 16 products into your plant than you would otherwise.
17 If you were to dedicate any commercial 18 off the shelf item that has not been proven in the 19 industry, so what we are getting from a SIL 20 certified product is a product that a manufacturer 21 is marketing to a safety critical industry.
22 So they are saying that I have a market, 23 Im going to get this certified. Theyre spending 24 their effort and money in developing a product and 25
81 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 getting it certified because they have a large user 1
base.
2 But what does that give us? It gives 3
us a larger data to rely on, the reliability data 4
that we get, because we have a larger user base 5
of their product.
6 So there are these benefits that we want 7
to try to capture, and I think what we are getting 8
from that, it will not be applied properly in our 9
safety systems. Were getting our reliability and 10 hopefully --
11 MEMBER BROWN: I understand that 12 around the circle discussion, but when you lay out 13 requirements, youve got to do that in the context 14 of the overall system youre dealing with.
15 And youve got to address the potential 16 weaknesses of what youre dealing with. For 17 instance, when you talk about self-diagnostics, 18 there are a couple of different ways to do that.
19 If you have a deterministic process, which I used 20 in my naval program, every function was performed 21 on every sample period, and at the end, there was 22 enough room where we implemented, we did a certain 23 amount of self-testing.
24 And then you hit the end. Theres a 25
82 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 watchdog timer there. If it didnt get to that 1
point, okay, then it goes back to next cycle, and 2
at that last stop, it knows where it stops and you 3
go through the whole process again.
4 Every function is tested. No 5
interruption, all the way to the end. Guess whats 6
at the end again? Another watchdog timer waiting.
7 8
If you dont get here, Im going to give 9
you an alarm. Or in a submarine, you may not 10 necessarily trip the reactor. Its not a good idea 11 to do that when youre in certain locations and 12 places.
13 But you make people aware of it, ever 14 however you want to do it. Thats fairly 15 straightforward.
16 When you do that in the testing, 17 self-testing, and its an interrupt self-testing 18 where youre 10 percent through and, oh, Ill 19 self-test this little function. Oh, okay, thats 20 working. Okay, come back and I keep going.
21 You may not ever finish. You may lock 22 up in between. You cant. Theres always the 23 potential for that processor not to finish its 24 process.
25
83 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 It never triggered whatever it should 1
trigger at the end to restart again. And the 2
problem with resetting most of these companies 3
products, like I wont mention the name, but the 4
one platform we used, it took five to ten minutes 5
to reboot. Thats horrible.
6 MEMBER MARCH-LEUBA: Charlie, I wonder 7
if youre confusing apples with oranges.
8 MEMBER BROWN: Oh, probably.
9 MEMBER MARCH-LEUBA: Yes. I mean, as 10 the staff said before, there is a step in the design 11 requirements and the range of system. Now you 12 raised the problem of replacing this particular 13 part in the presentation.
14 The system is really where we already 15 reviewed this. And I want to make sure that this 16 part is as good as the whole.
17 MEMBER BROWN: The analog one. In 18 this case, theyre going to be replacing analog 19 stuff with digital stuff. Thats what theyre 20 driving at, primarily. Primarily.
21 MEMBER MARCH-LEUBA: They have to make 22 sure that the system works. And what I like about 23 this approach of having a large user base is that 24 databases will see the reliability of hundreds of 25
84 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 systems, not two.
1 So there is some feedback. Maybe you 2
did your evaluation and you made a mistake. You 3
put hundreds of these on the field and you find 4
out you made a mistake, put some fix in there, get 5
some feedback, and you fix it.
6 MEMBER BROWN: Im not disagreeing 7
with using the process. Im only looking to make 8
sure that in the process of doing this, we dont 9
distract the overall end result.
10 The evaluations of the process we go 11 through. The first process, you werent here, the 12 first one we looked at did not have watchdog timers 13 in it.
14 We had to insist on it. It was like 15 sucking blood out of rocks. It took us a year and 16 a half to get the FSAR revised.
17 CHAIRMAN REMPE: So, colleagues, we 18 have four minutes left and we do have to have public 19 comments. And I know Walt has been wanting to make 20 a comment.
21 MEMBER BROWN: Oh, Im sorry.
22 CHAIRMAN REMPE: And so I just, if 23 theres questions from staff --
24 MEMBER BROWN: No, Im done.
25
85 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 CHAIRMAN REMPE: If theres time, and 1
then lets make sure theres time for public 2
comments.
3 MEMBER BROWN: Lets go ahead. Yes, 4
go ahead, Walt. Sorry.
5 MEMBER KIRCHNER: So I can see that the 6
main thrust here is for implementing digital 7
systems, commercial grade dedicated equipment.
8 I was just thinking ahead to advanced reactors and 9
stuff. This is an observation, not a question.
10 It points back here to the Reg Guide 11 Appendix B, design control, procurement control 12 and such, and advanced reactor people are basically 13 saying, Appendix A, Appendix B doesnt apply to 14 us. Were not LWRs. But Im just looking ahead 15 to think of new advanced reactors.
16 Would the expectation, you think, 17 Dinesh, be you would look for them to in a comparable 18 manner go through a commercial dedication process 19 for their I&C systems? Its a leading question.
20 MR. TANEJA: Again, the advanced 21 reactors, if they have -- if they have a case where 22 there is a safety function that has to be performed 23 under certain given circumstances and conditions, 24 so for our postulated condition, if the equipment 25
86 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 needs to perform that function, that component 1
needs to be qualified and proven that its reliable 2
from that function.
3 Now, if you want to call it an Appendix 4
B or you want to call it a dedicated item, or you 5
want to call it whatever you want to call it, on 6
that new FSAR 53 framework or MP framework, at the 7
end of the day, I need to have a system or a device 8
or a system that reliably performs that function 9
repeatedly if it's required, right?
10 And I think that is a discussion that 11 we had a couple of the new vendors was that its 12 really upon you to demonstrate that you are 13 designing this system with high reliability and 14 availability.
15 And that reliability, how do you 16 demonstrate that? Now, some are saying that we 17 are going to follow the IEC 61503 framework, which 18 actually has done pretty good with the risk 19 significant industries otherwise.
20 So well see what they come back with.
21 CHAIRMAN REMPE: Charlie, do you want 22 to be the person to ask for public or you want me 23 to?
24 MEMBER BROWN: No, you can do it.
25
87 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 CHAIRMAN REMPE: Oh, okay. So were 1
at that time where if someone, a member of the public 2
is out there, if you are on MS Teams, just unmute 3
yourself and make a comment.
4 If youre on the phone line, I believe 5
you have to press star-six to unmute yourself.
6 But, feel free to do so.
7 (No response.)
8 CHAIRMAN REMPE: Okay, theres been 9
ten seconds so at this point -- yes, Charlie?
10 MEMBER BROWN: You answered the 11 question.
12 CHAIRMAN REMPE: Okay. Go ahead.
13 MEMBER BROWN: Im sorry. No, I just 14 wanted to thank the staff at NEI for a very good 15 summary download from the last Subcommittee meeting 16 where there was a little more detail. But I think 17 this was a substantial presentation. We got to 18 get to the meat of the overall process and what 19 youre trying to accomplish.
20 And I thought it was done very well and 21 the discussion was animated, as I would have 22 expected in our normal format with these I&C 23 discussions. I just thought it was a good talk.
24 CHAIRMAN REMPE: I agree.
25
88 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 MEMBER BROWN: Thank you.
1 CHAIRMAN REMPE: I believe you have 2
a draft letter that you plan to read in in the next 3
hour and we can discuss it and continue the 4
discussions that you and Jose and Walt were having.
5 Larry, if youre off, or Christina, if 6
youre out there, we need to get hold of Sandra 7
and whoevers going to be helping us with the letter 8
and get it brought up. And so, why dont we take 9
a break until 3:40? And thatll give us nine 10 minutes to try and find the appropriate people.
11 MEMBER BROWN: What about 15 minutes?
12 CHAIRMAN REMPE: Okay, Charlie, just 13 for you, how about 3:45? Were going to do 3:45.
14 You get 14 minutes. Get a head start. And I 15 hope that NEI and the staff will stay around and 16 listen to the letter. And, as always, we want 17 factual corrections and --
18 MEMBER BROWN: No, its not going to 19 happen.
20 CHAIRMAN REMPE: Charlie drafted the 21 letter, so Im sure its factually true. But 22 anyway, well see what happens.
23 MEMBER BROWN: No, I tried my best to 24 describe the processes, and Im not sure I got all 25
89 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1323 RHODE ISLAND AVE., N.W.
(202) 234--4433 WASHINGTON, D.C. 20005--3701 (202) 234--4433 the --
1 CHAIRMAN REMPE: At this point, 2
though were going to give you your 14 minutes 3
before they turn to 13.
4 (Whereupon, the above-entitled matter 5
went off the record at 3:32 p.m.)
6 7
8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
©2022 Nuclear Energy Institute NEI 17-06, Rev. 1 Overview 7 September 2022-ACRS Meeting
©2022 Nuclear Energy Institute 2 NEI 17-06 Rev. 1 Issued 12/3/2021 (ML21337A380)
The purpose of this document is to facilitate the commercial grade dedication process for digital equipment by crediting SIL certification by an accredited and NRC-approved certification body in lieu of a commercial grade survey and critical design review https://www.nrc.gov/docs/ML2133/ML21337A380.pdf
©2022 Nuclear Energy Institute 3 SIL Foundation Systematic Integrity Probabilistic Reliability Hardware Fault Tolerance Safety Integrity Level (SIL) Overview ON/OFF ACTUATION LOGIC SOLVER SENSOR
©2022 Nuclear Energy Institute 4 SIL Certification Process Accreditation Body Certification Body ISO 17065 Accreditation OEM IEC 61508 Evaluation Service
©2022 Nuclear Energy Institute 5 Safety Integrity Level (SIL) Certification Efficacy for Nuclear Power. EPRI, Palo Alto, CA: 2019. 3002011817.
SIL certification aligns well with EPRI TR-106439 Certification Bodies (CBs) have a standardized, rigorous, and reliable evaluation process Accreditation Bodies (ABs) ensure CBs are consistent and trustworthy Failure data indicates reliable operation of SIL certified equipment SIL certifications are an accurate indicator of reliability Conclusion from EPRI Research
©2022 Nuclear Energy Institute 6 Justification Process-Current EQUIPMENT QUALIFICATION COMMERCIAL GRADE DEDICATION
©2022 Nuclear Energy Institute 7 Justification Process-with NEI 17-06 IEC 61508 SIL Certification IEC 61508 SIL Certification EQUIPMENT QUALIFICATION COMMERCIAL GRADE DEDICATION
©2022 Nuclear Energy Institute 8 Step 1. Identify the requirements of the end users application Step 2. Confirm SIL certification encompasses the requirements of the application Application of the SIL Certification Process Appendix B QA Program
©2022 Nuclear Energy Institute 9 Step 3. Perform a technical evaluation of the equipment to identify critical characteristics Step 4. Perform a technical evaluation of the CBs service to identify the critical characteristics of the service Application of the SIL Certification Process Appendix B QA Program
©2022 Nuclear Energy Institute 10 Step 5. Confirm that IEC 61508 certifications are within the CBs accreditation scope Step 6. Complete the CGD of the CBs service Application of the SIL Certification Process Appendix B QA Program
©2022 Nuclear Energy Institute 11 Step 7. Use the SIL certification to complete the determination of acceptability of the dependability CCs of the item CGD Step 8. Use traditional methods to determine acceptability of the physical and performance CCs Application of the SIL Certification Process Appendix B QA Program
©2022 Nuclear Energy Institute 12 The equipment must be able to perform the required functions for the application Equipment must be certified to IEC 61508 at the required level The required safety function must be within the scope of the safety function identified in the certification Selection of SIL Certified Equipment
©2022 Nuclear Energy Institute 13 Accreditation Only Accreditation Body observed conducting a satisfactory ISO 17065 assessment of the Certification Body Accreditation Plus Scheme Evaluation Accreditation Body observed conducting a mostly satisfactory ISO 17065 assessment of the Certification Body Additional assessment performed of the Certification Bodys certification scheme Paths to Accepting Certification Body (CB) Services
©2022 Nuclear Energy Institute 14 Adjustments will be needed to Appendix B QA programs concerning:
Procurement Document Control Tasks Associated with Digital Dependability Evidence QA Evidence for Digital Dependability Corrective Action Dedicating Entitys Quality Assurance Program
©2022 Nuclear Energy Institute 15 US NRC Licensee Oversight of the SIL Certification Process Dedicating Entity CGD of Service CGD of Equipment/
Components
- Dependability CCs
-Performance CCs
-Physical CCs Accreditation Body Certification Body ISO 17065 Accreditation Equipment/
Components and Safety Manual OEM IEC 61508 Evaluation Service Oversight by US NRC Licensee or Designee SIL Certificate Certificate of Accreditation Appendix B QA Program Possibly an entity such as NUPIC
©2022 Nuclear Energy Institute 16 Better Products Manufacturers are building in reliability and systematic integrity Broader collection of operating experience Improved Efficiency Economy of scale-joining other high-risk industries to give manufacturers a larger market to sell into Products are pre-approved by CBs, not requiring commercial grade surveys Benefits
©2022 Nuclear Energy Institute 17 Questions
Draft Regulatory Guide DG-1402 Proposed new RG 1.250 Dedication of Commercial-Grade Digital I&C Items for Use in Nuclear Power Plants September 7, 2022 ACRS Committee Meeting 1
Opening Remarks Eric Benner, Director Division of Engineering
& External Hazards Office of Nuclear Reactor Regulation 2
DG-1402 Working Group Dinesh Taneja, Technical Lead Sr Electronics Engineer, NRR/DEX/ELTB Michael Eudy - Project Manager, RES/DE/RGPMB Bernard Dittman - Sr I&C Engineer (Retired), RES/DE/ICEEB David Rahn - Sr Electronics Engineer, NRR/DEX/ELTB Greg Galletti - Sr Rx Ops Engineer, NRR/DRO/IQVB Odunayo Ayegbusi - Rx Ops Engineer, NRR/DRO/IQVB Jack Zhao - Sr Electronics Engineer, NRR/DEX/ELTB Jonathan Ortega-Luciano - (Former) Rx Ops Engineer, NRR/DRO/IQVB 3
Meeting Topics DG-1402 Scope & Purpose
Background:
- CGD of digital equipment
- DI&C Modernization Project (MP) #3
- Development of NEI 17-06 DG-1402 Regulatory Basis DG-1402 NRC Staff Regulatory Guidance Resolution of Public Comments on DG-1402 Historical Perspectives of CGD 4
DG-1402 Scope & Purpose Endorse NEI 17-06, Revision 1 Endorse applicable parts of the industry consensus Std. IEC 61508, 2.0 Edition Endorse applicable parts of the industry consensus Std. ISO/IEC 17065:2012 Describe relationships with existing endorsed CGD guidance documents RG 1.164 and EPRI TR-106439 5
DG-1402
Background
EPRI TR-106439 describes an approach for the evaluation and acceptance of commercial-grade digital equipment RG 1.164 describes acceptable methods for the dedication of commercial-grade items and services.
In April 2016 NEI proposed a task under DI&C Integrated Action Plan (IAP) to leverage SIL certification to IEC 61508 in commercial-grade dedication of digital equipment Proposed guidance to follow the NRC approved NEI 14-05 process for procuring commercial-grade laboratory calibration and test services 6
DG-1402
Background
(continued)
In parallel, EPRI initiated a research on SIL certification of digital equipment used in non-nuclear process industry and produced report EPRI 3002011817, Safety Integrity Level (SIL)
Certification Efficacy for Nuclear Power As a part of MP #3 task, NEI initiated developing NEI 17-06 guidance informed by the EPRI research The NRC staff provided continual feedback during NEI 17-06 development On multiple occasions, the staff observed audits of certifying body (exida, LLC) by the accrediting body (ANAB)
After resolution of NRC staff comments, NEI 17-06, Rev. 1 was submitted in Dec-2021 for NRC endorsement 7
DG-1402 Regulatory Basis 10 CFR 21.3 defines basic component as, among other things, commercial grade items which have successfully completed the dedication process and provides definitions for commercial grade item and dedication 10 CFR Part 50, Appendix B, Criterion III, Design Control and Criterion VII, Control of Purchased Material, Equipment, and Services, includes provisions for QA and quality control that are applicable to the acceptance and dedication process for commercial-grade digital I&C items 8
- 1. DG-1402 endorses, with clarifications, NEI 17-06, Revision 1, on using IEC 61508 SIL certification to support the acceptance of commercial-grade digital equipment that is dedicated as a basic component in accordance with EPRI TR-106439 9
DG-1402 Staff Regulatory Guidance Position 1
- a. The NRC staff considers SIL certification to be a commercial grade survey for the purposes of Part 21. Thus, considers dedication of the certifying bodys services and verification of SIL certification to be adequate for verifying dependability critical characteristics
- b. Each dedicating entity should dedicate the services of each certifying body and should not rely on dedication by, e.g., another NRC licensee 10 DG-1402 Staff Regulatory Guidance Position 1 clarifications
c.
In keeping with NRC staff-accepted practices, the certifying bodies SIL certification process should be observed every 3 years
- d. In accordance with 10 CFR 21.3, the NRC use of the term basic component includes dedicated commercial grade items
- e. Dedicating entities should take measures to avoid the acceptance of expired, counterfeit or fraudulent SIL certificates 11 DG-1402 Staff Regulatory Guidance Position 1 clarifications (continued)
- 2. DG-1402 endorses, with clarifications, use of IEC 61508, Edition 2.0 as described in NEI 17-06
- a. Dedicating entities should verify the certifying bodys accreditation consistent with the guidance in section 6.3 of NEI 17-06
- b. Dedicating entities should verify that the substantive requirements of the later editions related to the dependability characteristics remain unchanged from the IEC 61508, Edition 2.0 12 DG-1402 Staff Regulatory Guidance Position 2 with clarifications
- 3. DG-1402 endorses the use of ISO/IEC 17065:2012 by certifying bodies to perform commercial grade surveys as described in NEI 17-06 13 DG-1402 Staff Regulatory Guidance Position 3
Resolution of Public Comments The NRC received 5 public comments on DG-1402 that have been adequately resolved 1.
In response to comment 1, clarification has been added to Staff Position 1.b. that partly states, each of the licensees or dedicating entities relying on the results of a commercial grade dedication performed on behalf of licensees or dedicating entities remains individually responsible for the adequacy of the commercial grade dedication.
2.
In response to comment 2, Section B of DG-1402 has been revised to state, NEI 17-06 leverages an internationally recognized safety integrity level (SIL) certification process that relies on International Electrotechnical Commission (IEC) 61508, 14
Resolution of Public Comments (continued) 3.
NRC staff agrees with comment 3 and the recommended edit has been made to Section B of DG-1402, The NRC staff considers SIL certification to be a commercial grade survey for the purposes of Part 21.
4.
NRC staff agrees with comment 4, but not entirely with the recommended edits. Staff Position 2.a. has been edited to clearly indicate that NEI 17-06 is leveraging an existing certifying bodies accrediting process.
5.
NRC staff disagrees with the comment 5 recommendation of a reduced frequency for observing certifying bodies certification process. Therefore, no changes were made to DG-1402 as a result of this comment.
15
CGD of Items & Services Historical Perspectives 1970s CGI Procuremen tIn Mid 1970s, more attention given to CGI procurement practices due to lack of suppliers with App. B QA programs 1976 Industry Standard First standard to address commercial off-the-shelf items was ANSI N18.7-1976, which is endorsed by the NRC in RG 1.33 1978 10 CFR 21 October 1978 revision to 10CFR21 required a commercial-grade item to be dedicated before it could be used as a basic component 1988 EPRI NP-5652 In June 1988, EPRI issued NP-5652 to address the need for a methodology that ensures CGIs are dedicated in accordance with 10CFR21 1989 GL 89-02 In March 1989, the NRC issued GL 89-02 that conditionally endorsed EPRI NP-5652 1
6 DG-1402 (Proposed new RG 1.250)
September 7, 2022
CGD of Items & Services Historical Perspectives 1991 GL 91-05 In April 1991, GL 91-05 was issued to apply existing regulatory requirements in 10 CFR 50, App. B to CGD process 1994 EPRI TR-102260 In March 1994, EPRI TR-102260 was issued to provide supplemental guidance for application of EPRI NP-5652 1996 EPRI TR-106439 In October 1996, EPRI TR-106439 was issued to provide guidance on acceptance of commercial-grade digital equipment 1997 NRC Staffs SE In July 1997, the NRC staff issued a safety evaluation to endorse EPRI TR-106439 2011 SECY 0135 In September 2011, staff issued SECY-11-0135 to indicate importance of developing RGs for CGD activities 1
7 DG-1402 (Proposed new RG 1.250)
September 7, 2022
CGD of Items & Services Historical Perspectives 2014 EPRI 3002002982 In September 2014, ERPI issued Rev. 1 to NP-5652 and TR-102260 as EPRI 3002002982.
Section 14.1 references EPRI TR-106439 2016 MP #3 In April 2016, a task was proposed under DI&C IAP to leverage SIL certification to IEC 61508 in CGD of digital equipment 2017 RG 1.164 In June 2017, RG 1.164 was issued that endorses EPRI 3002002982 with exceptions or clarifications 2021 NEI 17-06 In December 2021, NEI 17-06, Rev. 1, prepared under MP
- 3, was submitted for NRC endorsement 2022 DG-1402 In 2022, DG-1402 (proposed new RG 1.250) is being developed for endorsing NEI 17-06, Rev. 1 1
8 DG-1402 (Proposed new RG 1.250)
September 7, 2022
Questions 19