ML23115A015

Comment (1) of Alan Campbell on Draft Regulatory Guide: Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants
Person / Time
Site: Nuclear Energy Institute
Issue date: 04/07/2023
From: Andy Campbell, Nuclear Energy Institute
To: Office of Administration
References: DG-1374, NRC-2022-0143, 88FR14956 00001


Text

PUBLIC SUBMISSION. Received: April 07, 2023. Tracking No. lg6-pqol-2s6w. Status: Pending_Post. SUNSI Review Complete (Template=ADM-013; E-RIDS=ADM-03; ADD: Michael Eudy, Bridget Curran, Mary Neely). Comment (1).

Publication Date: 3/10/2023
Comments Due: April 10, 2023
Citation: 88 FR 14956
Submission Type: Web
Docket: NRC-2022-0143, Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants
Comment On: NRC-2022-0143-0001, Draft Regulatory Guide: Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants
Document: NRC-2022-0143-DRAFT-0001, Comment on FR Doc # 2023-04805
Submitter Information: Email: atb@nei.org; Organization: Nuclear Energy Institute
General Comment: See attached file(s)

Attachments: 04-07-23_NRC_NEI Comments on DG-1374

ALAN CAMPBELL
Technical Advisor, Technical and Regulatory Services
1201 F Street, NW, Suite 1100, Washington, DC 20004
P: 202.739.8011
adc@nei.org
nei.org

April 7, 2023

Office of Administration
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
ATTN: Program Management, Announcements and Editing Staff

Submitted via regulations.gov

Subject:

NEI Comments on Draft Regulatory Guide DG-1374, Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants (Docket ID NRC-2022-0143)

Project Number: 689

Dear Program Management, Announcements, and Editing Staff:

The Nuclear Energy Institute (NEI) [1], on behalf of our members, appreciates the opportunity to comment on draft regulatory guide DG-1374 (RG 1.152, Rev. 4). NEI appreciates the endorsement of IEEE 7-4.3.2-2016, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations, which provides enhanced guidance for the use of digital instrumentation and control (DI&C) technology in safety-related applications. However, we believe the guidance related to the use of self-diagnostic features requires additional clarity.

Section C.1.b(1)1.2 addresses supplemental criteria to IEEE 7-4.3.2-2016 for crediting self-diagnostic features. Section C.1.b.(1)1.2.1 states:

A WDT [watchdog timer] used to detect lock-up conditions should be independent of the microprocessor it is monitoring such that the WDT is not subject to the same failure condition as the microprocessor.

The use of the term "independent" may easily be confused with the fundamental design principle of independence used in IEEE 603-1991, IEEE 7-4.3.2, and DI&C-ISG-06 Rev. 2, which is generally predicated on the concept of separation. NEI agrees that a WDT should not be subject to the same failure condition as the programmable digital device (PDD); however, to perform its intended function the WDT must interface with the PDD it is protecting. This statement should be revised to ensure there is no confusion related to the required interface between a WDT and the PDD.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

Additionally, Section C.1.b(1)1.2.2 states:

If self-diagnostic features are integrated into the safety-related DI&C systems, the following criteria should be applied: [...]

(e) Self-diagnostic functions are verified during periodic functional tests.

It is unclear if Section C.1.b(1)1.2.2 refers only to the design, installation, and testing lifecycle phases or if it is intended to also apply to the long-term operation and maintenance lifecycle phases. If the section only refers to the design, installation, and testing phases, clause (e) should be reworded to eliminate the need for periodic functional tests. Self-diagnostic feature functionality can be verified via design activities including, but not limited to, functional testing. If the section is intended to include the long-term operations and maintenance lifecycle phases, this guidance contradicts the approved precedent set by the Safety Evaluation Report for Vogtle 3&4 License Amendment Request 19-001 (ML19297D159), which credits self-diagnostics to eliminate periodic functional tests. The self-diagnostic features credited in the Vogtle 3&4 LAR are checked via administrative control and operation procedures as described in Section 3.3.3.2.3 of the Safety Evaluation Report for Vogtle 3&4 License Amendment Request 19-001 (ML19297D159).

Furthermore, Section C.1.b(1)1.2.3(d) states:

Administrative control and operation procedures are maintained to periodically verify the performance of self-diagnostics (e.g., periodic checks of event logs, manual verification of setpoints, rebooting of startup self-diagnostics).

The guidance in Sections C.1.b(1)1.2.2(e) and C.1.b(1)1.2.3(d) should be clarified to reconcile the different expectations and should consider the existing precedent set by Vogtle 3&4. NEI believes that self-diagnostic features should be verified during the design, installation, and/or testing lifecycle phases and that administrative control and operation procedures can be used effectively to verify the ongoing performance of those self-diagnostic functions.

We appreciate the NRC's effort in endorsing the latest revision to IEEE 7-4.3.2 and encourage your consideration of NEI's comments prior to finalizing and publishing the regulatory guide. NEI's full set of comments is provided in Attachment 1.

Please contact Alan Campbell at adc@nei.org or (202) 439-3698 with any questions or comments.

Sincerely,

Alan Campbell

Attachment 1: NEI Comments on DG-1374

c: Michael Eudy (RES/DE/RGPMB)
Khoi Nguyen (NRR/DEX/ELTB)

NEI Comments on DG-1374

1. Section: C.1.b.(1)1.2.1
Comment: NEI is concerned with the use of the term "independent" in this section. At some point, the WDT has to be tied to the software the WDT is protecting. As written, the document is not clear that any interface is allowed between the safety function and the WDT, which makes implementing a WDT that is directly tied to the safety function impossible.
Recommendation: Replace "A WDT used to detect lock-up conditions should be independent of..." with "A WDT used to detect lock-up conditions should not be dependent on...."

2. Section: C.1.b(1)1.2.2(e); C.1.b(1)1.2.3; C.1.b(1)1.2.3(d)
Comment: The statement "Self-diagnostic functions are verified during periodic functional tests" suggests that the faults that the self-diagnostic features are designed to detect must be periodically inserted during functional tests to verify correct operation of the self-diagnostic feature. Such tests are typically part of the original validation of the safety-related digital platform and cannot practically be performed later. Additionally, requiring that self-diagnostic functions be verified during periodic functional tests is (1) contrary to the goal of eliminating the periodic functional test and (2) not the process approved by the NRC for the Vogtle 3&4 LAR (ML19297D159) crediting self-diagnostics to eliminate periodic functional testing. The Vogtle 3&4 LAR instead allows for a number of different monitoring procedures outside the tech spec surveillance domain to ensure the self-diagnostics are functioning properly.
Recommendation: Assuming that Section C.1.b(1)1.2.2 is intended to provide criteria during the system design, installation, and testing phase and not the operation and maintenance phase, C.1.b(1)1.2.2(e) should be worded as follows: "Self-diagnostic functions are verified during design activities." If that assumption is incorrect, Section C.1.b(1)1.2.3(d) should be clarified to reconcile the different expectations in 1.2.2(e) and 1.2.3(d) and consider the precedent set by the Vogtle 3&4 LAR (ML19297D159).

3. Section: C.1.b.(1)1.2.2(d)
Comment: Self-diagnostic features do add complexity; however, they add reliability and fault detection into designs, which is a reasonable trade-off. The design intent is to minimize the added complexity while maximizing the system reliability and fault detection capabilities.
Recommendation: Reword as follows: "Self-diagnostic features should minimize complexity to the safety-related system to the degree practical."

4. Section: C.1.b.(1)1.2.1
Comment: This section states that "A WDT used to detect lock-up conditions should be independent of the microprocessor it is monitoring such that the WDT is not subject to the same failure condition as the microprocessor." The use of the term "microprocessor" is inconsistent with the remainder of the Regulatory Guide and IEEE 7-4.3.2-2016.
Recommendation: Throughout, the RG should use the term programmable digital device (PDD) instead of microprocessor to maintain consistency with the rest of the Regulatory Guide and IEEE 7-4.3.2-2016.

5. Section: C.1.b.(1)1.2.1
Comment: The wording in the last sentence of this section is too prescriptive and technology specific. The counter, reset, time-out, and fail-safe functions are technology specific and do not reflect the functions used by some WDT technologies.
Recommendation: Replace "counter, reset, time-out, and fail-safe functions" with "function".

6. Section: Section A, Related Guidance, including second bullet, and References
Comment: SECY-22-0076 is under evaluation to provide a more risk-informed approach to software common cause failure. "Rev. 8" appears to tie this RG to the existing BTP, with no potential for using a later version. Other guidance referenced in this standard does not specify a specific revision (e.g., Regulatory Guide 5.71).
Recommendation: Delete "(Rev. 8)" from the text OR replace with "(Rev. 8 or later)".

7. Section: B Discussion, Background, third paragraph on page 4
Comment: The name of WG 6.4 appears to be the IEEE standard, which is not correct.
Recommendation: Replace the whole sentence with: "IEEE Nuclear Power Engineering Committee (NPEC), Sub-Committee 6, Working Group 6.4 prepared IEEE Std 7-4.3.2-2016, Application of Programmable Digital Devices to Safety Systems of Nuclear Power Generating Stations."

8. Section: B Discussion, Background, Consideration of International Standards
Comment: The statement is made that "No relevant international standards related to promoting high functional reliability, design quality, and a SDOE for the use of PDDs in the safety-related systems of nuclear power generating stations were identified." There are, in fact, many international standards that address these topics. NEI is not suggesting that these other standards are included; however, this statement is misleading.
Recommendation: The purpose of IEC 60880, IEC 61226, IEC 61513, IEC 62138, IEC 62566, and a string of IAEA reports, including NP-3.17, IAEA NP-3.27, IAEA SSG-38, IAEA SSG-39, IAEA SSR-2, and others, is to provide detailed guidance for software development for reliability, dependability, and safety. There are additional international reports for cyber security, which equates to SDOE in this RG. NEI is not suggesting including these international standards as part of Reg. Guide 1.152.