ML23326A117

| Person / Time | |
|---|---|
| Site: | Nuclear Energy Institute |
| Issue date: | 11/21/2023 |
| From: | Andy Campbell, Nuclear Energy Institute |
| To: | Office of Administration |
| References: | NRC-2023-0181, 88FR73051 00001 |
PUBLIC SUBMISSION
As of: 11/22/23, 10:34 AM
Received: November 21, 2023
Status: Pending_Post
Tracking No.: lp8-xe46-megi
Comments Due: November 24, 2023
Submission Type: Web
Docket: NRC-2023-0181, Proposed Revision to Standard Review Plan Branch Technical Position 7-19, Guidance for Evaluation of Defense-In-Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems
Comment On: NRC-2023-0181-0001, Proposed Revision to Standard Review Plan Branch Technical Position 7-19, Guidance for Evaluation of Defense In Depth and Diversity To Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems
Document: NRC-2023-0181-DRAFT-0002, Comment on FR Doc # 2023-23426
Submitter Information
Email: txc@nei.org
Organization: Nuclear Energy Institute
General Comment
NEI Comments on Draft Branch Technical Position (BTP)-7-19, Revision 9, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems [Docket NRC-2023-0181]
Attachments
11-21-23_NRC_Industry Comments on Draft BTP-7-19 Revision 9
SUNSI Review Complete; Template=ADM-013; E-RIDS=ADM-03; ADD: Ekaterina Lenning, Brent Ballard, Carla Roque-Cruz, Michael Marshall, Dana Harrison, Denae Boone, Mary Neely
Comment (1)
Publication Date: 10/24/2023
Citation: 88 FR 73051
Alan Campbell, PE
Technical Advisor
Phone: 202.439.3698
Email: adc@nei.org

November 21, 2023

Office of Administration
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
ATTN: Program Management, Announcements and Editing Staff

Subject: NEI Comments on Draft Branch Technical Position (BTP)-7-19, Revision 9, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems [Docket NRC-2023-0181]

Project Number: 689
Submitted via Regulations.gov

Dear Program Management, Announcements and Editing Staff:
The Nuclear Energy Institute (NEI) [1], on behalf of our members, appreciates the opportunity to comment on draft Branch Technical Position (BTP)-7-19, Revision 9, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems. NEI appreciates the NRC staff's ongoing efforts to modernize the Digital Instrumentation and Control (DI&C) regulatory infrastructure to reflect state-of-the-art approaches for addressing DI&C issues such as Common Cause Failure (CCF). Draft Revision 9 incorporates new staff review guidance intended to address SRM-SECY-22-0076, Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems. NEI's review of draft BTP-7-19, Revision 9, identified portions of the document that will inhibit licensees' and applicants' use of new, risk-informed methods. As a result, NEI believes this draft revision as currently written will impair industry's understanding of the NRC's policy for addressing DI&C CCF.
Draft BTP-7-19, Revision 9, does not contain a clear scope statement. The document title and review responsibilities clearly demonstrate the intent for BTP-7-19 to be limited to digital safety systems; however, many sections discuss CCF treatment for non-safety-related SSCs (e.g. lower safety significance).
Furthermore, the BTP uses terms interchangeably that create confusion (e.g., "Digital Safety System," "I&C," "I&C Equipment," "I&C Systems," "Digital I&C Systems," "Digital Technology," and "Safety System"). BTP-7-19 includes safety significance terminology that confuses commonly used terms in other portions of regulation.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.
BTP-7-19, Section B.2.1, uses the terms "high safety significance," "lower safety significance," and "lowest safety significance." Attachment 2 provides a proposed flow chart that we believe is consistent with the BTP being focused on digital safety systems and the industry's understanding of the requirements for CCF. Inclusion of this attachment and an improved scope description in BTP-7-19 will provide clarity to the NRC staff and the industry related to the NRC's policy on DI&C CCF.
The structure of the proposed revision is difficult to navigate and may lead to multiple interpretations.
Throughout the document, deterministic pathways, risk-informed pathways, DI&C reviewers, PRA reviewers, operating reactor considerations, and advanced light-water reactor considerations are intermixed with little indication of what guidance applies to the selected pathway and application type. NEI recommends that the NRC staff restructure the BTP to ensure deterministic and risk-informed pathways are wholly described within their own respective sections. Within each pathway description, acceptance criteria and references should be clearly designated for operating reactors and separately for advanced reactors. An example structure is provided:
1. Section B.1 - Introduction and Scope
2. Section B.2 - CCF Treatment and Elimination - Provide an overview of the process demonstrated in Attachment 2 and review guidance on the elimination of CCF from consideration (as currently discussed in Section B.3.1)
3. Section B.3 - Deterministic Pathway - Consolidate all staff review guidance associated with the deterministic CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors.
4. Section B.4 - Risk-Informed Pathway - Consolidate all staff review guidance associated with the risk-informed CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors. PRA-specific criteria should not be included within the scope of BTP-7-19. Sufficient PRA guidance already exists in regulatory guidance and staff review guidance.
5. Section B.5 - Manual System-Level Actuation and Indications to Address Point 4
6. Section B.6 - Information for Interdisciplinary NRC Staff Review
7. Section B.7 - Additional Items for Consideration

Many of the technical methods introduced in this draft revision contain guidance and acceptance criteria that are not consistent with existing or comparable methods. When hazards analysis techniques are used, the draft requires independent confirmation that the analysis is correct and complete. Although industry agrees any analysis should be accurate and thorough, this threshold for acceptance criteria is not consistent with acceptance criteria for existing transient safety analysis techniques. Completeness in any type of analysis is subjective and may result in unbounded staff reviews. Additionally, it is unclear whether this guidance is describing an independent confirmation from the NRC staff or requiring independence in the licensee's review process. NEI suggests alternate language: "the NRC reviewer should confirm that the applicant has considered a sufficient range of hazards in its analysis to provide reasonable assurance that CCF is avoided."
Intersystem CCF and PRA modeling are mentioned throughout the draft even though most PRA models do not model intersystem CCF. Given that current practices for PRA modeling do not require intersystem common cause failure for Capability Category II requirements, we recommend that the intersystem CCF dependency requirement of the PRA be removed. Based on discussions during the BTP-7-19 public meeting held November 11, 2023, NEI understands that where BTP-7-19 uses the terms "intersystem common cause failure" or "intersystem dependency," this language was intended to address the impact of CCF when design functions are combined into a single DI&C system (either through connectivity or common equipment). The terms "intersystem common cause failure" and "intersystem dependency" should be removed and replaced with language communicating the impacts of CCF when design functions are combined.
NEI understands many of these issues are present in BTP-7-19, Revision 8; however, we believe that in order to clearly communicate the NRC's DI&C CCF policy consistent with SRM-SECY-22-0076, additional changes are warranted. We understand the time pressure to meet the Commission's direction in SRM-SECY-22-0076 and stand ready to do our part to meet this deadline.
In addition to the comments described in this letter, the NEI Digital I&C Task Force has identified other items that are critical to our understanding of CCF treatment and new methods that may be used in the risk-informed pathway. NEI's full set of prioritized comments is provided in Attachment 1. Attachment 2 provides a flow chart clearly demonstrating the graded approach to treating CCF based upon safety classification and application of RIS-2002-22, Supplement 1.
We appreciate the opportunity to provide feedback on this draft revision of BTP-7-19. Please contact me with any questions or comments at adc@nei.org.
Sincerely,

Alan Campbell, Technical Advisor

Attachment 1: NEI Comments on Draft BTP-7-19, Revision 9
Attachment 2: Common Cause Failure Treatment Process Flow Chart

c:
Eric Benner (NRR/DEX)
Jason Paige (NRR/DEX/ELTB)
Samir Darbali (NRR/DEX/ELTB)
Norbert Carte (NRR/DEX/EICB)
Steven Alferink (NRR/DRA/APLC)
Attachment 1: NEI Comments on Draft BTP-7-19, Revision 9

Comment 1 (Section: All; Page: All)
Comment: BTP-7-19 Scope and Terminology. The scope of BTP-7-19 should be limited to safety-related digital I&C systems outside the scope of RIS-2002-22, Supplement 1. The document uses many terms that create different scope boundaries, resulting in unclear limits to its application. The terminology and definitions used throughout BTP-7-19 should be consistent (e.g., the terms "Digital Safety System," "I&C," "I&C Equipment," "I&C systems," "Digital I&C systems," "Digital Technology," and safety system are currently used interchangeably and have different scopes).
The safety significance determination process is confusing and conflicts with other industry practices (such as 10 CFR 50.69). This section introduces the terminology "high safety significance," "lower safety significance," and "lowest safety significance," which lacks regulatory basis and confuses terminology with 10 CFR 50.69. The criteria within each acceptance criteria subsection are not wholly consistent with the intent of the sections or lack clarity. For example:
Subsection (a) states: "They are credited in the FSAR for meeting diversity requirements." This criterion lacks objective criteria to establish a threshold for "contribute significantly." The remaining two bullets adequately describe safety significant, safety related SSCs.
Alternatively, the industry only anticipates RPS/ESFAS to scope into high safety significance. It will be clearer to state RPS/ESFAS as previous versions of BTP-7-19 did. Additionally, the introductory paragraph on page 17 changed FSAR to "directly credited in accident analysis." Not all credited FSAR design functions are direct accident analysis functions, but they contribute significantly to plant safety.
Subsection (b) states: "They are credited in the FSAR for meeting diversity requirements." Non-safety related SSCs may also be used to meet diversity requirements as allowed by Points 3 and 4.
Suggested Resolution: Refer to Attachment 2 for the proposed flow chart for treatment of CCF and scope for BTP-7-19. We recommend that the term "digital safety system" be used for the scope of BTP-7-19. Non-safety related and low safety significant SSCs should NOT be within the scope of BTP-7-19. BTP-7-19 should be reserved for safety significant digital I&C safety systems (e.g., RPS and ESFAS).
Priority: Deferral of this comment would be detrimental to the industry use of BTP 19 and understanding of treatment of CCF.
Comment 2 (Section: All; Page: All)
Comment: BTP-7-19 Organization. The organization of BTP-7-19 is difficult to navigate. The overall structure intermixes instruction to deterministic pathways, risk-informed pathways, DI&C reviewers, PRA reviewers, operating reactor considerations, and advanced LWR considerations. The result is a document that confuses the reader on the scope, applicability, and direction within any given section.
Suggested Resolution: The following layout would improve readability and understanding. This layout is consistent with the proposed flow chart.
Section B.1 - Introduction
Section B.2 - CCF Treatment and Elimination - Provide an overview of the process demonstrated in Attachment 2 and direction on the elimination of CCF from consideration (as currently discussed in Section B.3.1)
Section B.3 - Deterministic Pathway - Consolidate all staff review guidance associated with the deterministic CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors.
Section B.4 - Risk-Informed Pathway - Consolidate all staff review guidance associated with the risk-informed CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors. PRA-specific criteria should not be included within the scope of BTP-7-19. BTP-7-19 is intended for DI&C staff reviewers, not PRA staff reviewers.
Section B.5 - Manual System-Level Actuation and Indications to Address Point 4
Section B.6 - Information for Interdisciplinary NRC Staff Review
Section B.7 - Additional Items for Consideration
Priority: Deferral of this comment would be detrimental to the industry use of BTP 19 and understanding of treatment of CCF.
Comment 3 (Section: B.3.1.3.a; Page: 23)
Comment: "the identification of the CCF vulnerabilities or causes that the proposed alternative approach addresses; if these are identified using a hazard analysis technique, then it should be confirmed independently that the analysis is correct and complete" This should be commensurate with the best-estimate approach of the traditional pathway. A traditional nuclear transient and accident analysis is developed upon the principle that licensing basis events do not represent all events that may occur at a nuclear power plant; however, the events identified are the most credible and bounding events. The hazards analysis should identify the most likely and bounding sources of CCF. The term "correct and complete" goes beyond the measure of reasonable assurance and increases the acceptance threshold beyond what is acceptable for design basis events.
Additionally, it is unclear who provides the independent confirmation and what the acceptance criteria for independence are. NEI does not believe independence is necessary for the technical review of hazards.
Suggested Resolution: Replace "confirmed independently that the analysis is correct and complete" with "the NRC reviewer should confirm that the applicant has considered a sufficient range of hazards in its analysis to provide reasonable assurance that CCF is avoided." Remove "independently." Alternatively, clarify that the level of independence required for design reviews in 10 CFR 50 Appendix A, Design Control, is sufficient.
Priority: Deferral of this comment would be detrimental to the industry use of BTP 19 and understanding of treatment of CCF.
Comment 4 (Section: B.3.4; Pages: 30-35)
Comment: These sections intermix review guidance for operating reactors and advanced light-water reactors. SRP Chapter 19 and DC/COL-ISG-028 only apply to new reactors. Refer to the scoping statements from each of these documents below. Section 3.4.2 states: "SRP Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, provides guidance for reviewing DI&C system risk assessments for new reactors, which may also be applicable to operating reactors." This is an expansion of the scope of SRP Section 19 to operating reactors and creates concerns regarding forward fitting of advanced reactor concepts.
SRP Chapter 19 scope: This section of the Standard Review Plan (SRP) pertains to the staff review of the design specific probabilistic risk assessment (PRA) for a design certification (DC) and plant-specific PRA for a combined license (COL) application, respectively.
DC/COL-ISG-028 scope: "The purpose of this document is to provide Interim Staff Guidance (ISG) for assessing the technical adequacy of the probabilistic risk assessment (PRA) needed for an application for design certification (DC) of an advanced light-water reactor (ALWR) under Title 10 of the Code of Federal Regulations (10 CFR) Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, specifically 10 CFR 52.47(a)(27), as well as an application for a combined license (COL) under 10 CFR 52.79(a)(46)."
BTP-7-19 should not be used to expand the scope of other regulatory and/or staff review guidance.
Suggested Resolution: These sections should be re-arranged to clearly identify which guidance is to be used for operating reactors and which guidance is to be used for advanced light-water reactors. Additionally, the guidance should not be expanded beyond the intended scope of referenced standards. Remove "...which may also be applicable to operating reactors."
Priority: Deferral of this comment would be detrimental to the industry use of BTP 19 and understanding of treatment of CCF.

Comment 5 (Section: B.3.4.2; Page: 33)
Comment: Discussion of intersystem CCF and PRA modeling is included even though most PRA models do not model intersystem CCF. Given that current practices for PRA modeling do not require intersystem common cause failure for Capability Category II requirements, it is suggested to remove the intersystem common cause failure dependency requirement for the PRA model.
Suggested Resolution: Based on discussions during the BTP-7-19 public meeting held 11/14, NEI understands that where BTP-7-19 states "intersystem common cause failure" or "intersystem dependency," this was intended to address the impact of CCF when design functions are combined into a DI&C system, either through connectivity or common equipment. The terms "intersystem common cause failure" and "intersystem dependency" should be removed and replaced with language communicating the impacts of CCF when design functions are combined.
Priority: Deferral of this comment would be detrimental to the industry use of BTP 19 and understanding of treatment of CCF.
Comment 6 (Section: B.3.4.2; Page: 32)
Comment: In several places there is identification that any changes to the PRA model be identified and explained. However, there is no clear definition of the baseline PRA from which the changes are to be referenced. Furthermore, the wording seems to suggest that changes unrelated to the digital I&C upgrade are to be discussed.
Section 3.4.2 outlines: "The application should also justify any changes beyond those for modeling the CCF made to the PRA model to support the application, including whether the changes are considered PRA maintenance or a PRA upgrade (typically based on the corresponding definitions in the application's specified revision of RG 1.200 or equivalent guidance for new reactors, such as DC/COL-ISG-028)."
Suggested Resolution: Provide clarification to identify the baseline PRA to which the upgrades, updates, hazard additions/changes, etc., are to be referenced.
Clarify that only the differences from a previously approved PRA model that are applicable to this DI&C assessment will be examined, and that this would not require a focused scope peer review or a determination of update/upgrade. For many plants, PRA models have already been reviewed for the as-built, as-operated plant. Furthermore, the changes should be limited to the risk-informed assessment of the DI&C system.
Priority: Critical for new approaches

Comment 7 (Sections: B.3.4.2, B.3.4.3; Page: 32)
Comment: Guidance drives toward an assumption of P(ccf)=1 or a high, conservative value. This, in conjunction with common conservative fire PRA assumptions, could skew results:
Section B.3.4.2 states: "The reviewer should determine whether the application explains how the CCF is modeled in the PRA and provides justification that the modeling includes the impact of the CCF. In providing the justification, the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards."
Section B.3.4.3 only describes approaches using bounding and sensitivity analyses in various places.
Suggested Resolution: While the industry expects to initially provide guidance using a sensitivity analysis with modeling the change to plant risk metrics based on P(ccf)=1, we do not believe BTP-7-19 should use such conservatism as acceptance criteria. BTP-7-19 should allow use of justified best-estimate CCF values where accepted conservative modeling practices (e.g., in fire PRA) result in excessive compounded conservatism.
Priority: Critical for new approaches

Comment 8 (Section: B.3.4.3; Page: 34)
Comment: The following criterion seems open-ended: "c. The risk quantification accounts for any dependencies introduced by the CCF, including the ability for operators to perform manual actions."
Suggested Resolution: Limit to operator actions intended to compensate for postulated CCF.
Priority: Critical for new approaches

Comment 9 (Section: B.4; Page: 36)
Comment: "However, if the diverse means credited for Point 3 are not located in the MCR, then they are not sufficient to meet Point 4." NEI expects that HFE analysis may be used to demonstrate acceptable equipment locations (MCR or elsewhere). This statement contradicts the Commission direction that licensees may propose alternate approaches.
Suggested Resolution: Remove statement.
Priority: Critical for new approaches
Comment 10 (Section: B.1.1; Page: 14)
Comment: "Point 4 is risk-informed because it focuses only on those most important safety functions to be accomplished or maintained to prevent a direct and immediate threat to public health and safety" This statement implies that Critical Safety Functions are pre-determined based on their impact to plant risk. As the NRC points out in Section 3.4, "Risk significance and safety significance are different concepts." This statement confuses the two points and is not supported by a risk analysis demonstrating the impacts of these functions on plant risk.
This statement also implies that a risk-informed approach is required to adequately address Point 4.
Suggested Resolution: The industry agrees that the list of Critical Safety Functions provided in this section may be used for operating LWRs as a general rule of thumb, with the flexibility for each licensee to provide justification that supports the removal or addition of functions based on plant specific data (including risk). The statement provided in this comment should be removed from the BTP, as it is misleading regarding the basis for the concept of critical safety functions.
Priority: Critical for clarity

Comment 11 (Section: B.1.1; Page: 15)
Comment: "The displays and controls credited for Point 4 must provide for effective manual control of critical safety functions. Point 4 clarifies that these main control room (MCR) displays and controls may be addressed in the same assessment as the first three points (i.e., does not require a separate analysis beyond what is called for in Points 1-3 of the policy)." See also paragraph 2 on p. 39. This interpretation implies that the results of analysis for Point 3 can suffice for Point 4. Point 3 only requires that the postulated CCFs are adequately addressed, the results of which may not require a particular manual control (e.g., the Point 3 analysis may credit an automatic function).
If the results from Point 3 are not sufficient to meet Point 4, then the phrase "a separate analysis beyond what is called for in Points 1-3 of the policy" needs more review guidance in the BTP to understand the intent of this phrase.
Suggested Resolution: Please provide additional clarity on what is required to satisfy Point 4.
Priority: Critical for clarity

Comment 12 (Section: B.1.2; Pages: 14-15)
Comment: The description of the basis for the term "critical safety functions" contains inaccurate statements:
1. "The NRC staff's proposal in SECY-93-087, as amended and approved by SRM-SECY-93-087, identified the following examples of critical safety functions..."
The Commission did not approve the definition of critical safety functions in SECY-93-087. In SRM-SECY-93-087, the Commission deleted the definition of critical safety functions and stated:
"Further, the remainder of the discussion under the fourth part of the staff position is highly prescriptive and detailed (e.g., "shall be evaluated," "shall be sufficient," "shall be hardwired," etc.). The Commission approves only that such prescriptiveness be considered as general guidance, the practicality of which should be determined on a case-by-case basis."
2. Note 6 implies that the term "safety function" in IEEE 497-2016 is synonymous with "critical safety function" from earlier versions of the standard. The definition provided in IEEE 497-2016 is more closely related to the term "safety-related function" in earlier versions of the standard and does NOT provide prescribed functions as the previously defined term "critical safety functions" did.
3. "The critical safety functions listed in SECY-93-087 and SECY-22-0076 are representative of operating light-water reactors. Other types of reactors may have different critical safety functions."
The Commission did not approve these functions as part of the policies. This statement is misleading.
Suggested Resolution: The industry agrees that the list of Critical Safety Functions provided in this section may be used for operating LWRs as a general rule of thumb, with the flexibility for each licensee to provide justification that supports the removal or addition of functions based on plant specific data (including risk). The statements provided in this comment should be removed from the BTP, as they are misleading regarding the basis for the concept of critical safety functions.
Priority: Critical for clarity

Comment 13 (Section: B.2.2; Page: 17)
Comment: The second bullet uses "Interconnected" without defining how the data communication functions. If we have data flowing unidirectionally from safety to non-safety systems, appropriately electrically isolated, with no messages returning from non-safety to safety, why would that require analysis? The non-safety system cannot affect the operation of the safety system.
Suggested Resolution: Clearly delineate the conditions under which data communication (not "interconnection") can have adverse effects that require analysis, or state that sufficient conditions can be established where D3 analysis is not required.
Priority: Critical for clarity
Comment 14 (Section: B.3; Page: 18)
Comment: The bullet that now results in the text shown below removed the requirement that only CCF that would result in a loss of a function needs to be evaluated:
"Evaluate whether the D3 assessment indicates that CCF vulnerabilities have been adequately addressed."
Suggested Resolution: Revise to add "that might result in loss of safety function" after "CCF vulnerabilities."
Priority: Critical for clarity

Comment 15 (Section: B.3.1.1; Pages: 21-22)
Comment: Item c talks about CCF failures of shared resources, such as power supply failures, that could affect a system.
Suggested Resolution: Revise BTP 7-19 guidance to focus on failures with adverse impacts. For example, power supply CCF failure modes may put the system in the safe state (i.e., actuated), which may have no adverse impact on safety.
Priority: Critical for clarity

Comment 16 (Section: B.3.1.3; Page: 23)
Comment: One example of a design feature that mitigates a digital CCF could be a well-designed watchdog (i.e., not dependent on the platform software) that puts the actuators in the safe (i.e., actuated) state, as suggested in an ACRS letter dated August 5, 2014.
Suggested Resolution: It would be helpful if the BTP 7-19 guidance were revised to acknowledge such an example of an alternative approach to eliminate potential CCF from further consideration.
Priority: Critical for clarity

Comment 17 (Section: B.3.2.2; Page: 27)
Comment: In Item b, the use of "diverse" is misleading. This item appears to require that the manual actuations not be affected by the CCF.
Suggested Resolution: Replace the sentence with "The SSCs used to support the manual operator action are not vulnerable to the CCF." If desired, another sentence could be added to clarify that the manual actions initiate protective actions outside the boundaries where SCCF could affect the manual actuations.
Priority: Critical for clarity

Comment 18 (Sections: B.3.4, B.3.4.1, B.3.4.4; Pages: 33, 34, 38)
Comment: An initial paragraph states "the policy" without clarifying which policy is being discussed.
Suggested Resolution: Clarify whether the policy being discussed is SRM-SECY-22-0076.
Priority: Critical for clarity

Comment 19 (Section: B.3.4.3; Page: 34)
Comment: Item d) i) states the following: "the CCF is modeled in sufficient detail, including intersystem and intrasystem dependencies and associated potential emergent behaviors, to evaluate the impact of the CCF on plant equipment and functions modeled in the PRA (including the ability for operators to perform manual actions), and" The term "associated potential emergent behaviors" is not a common term used for PRA.
Suggested Resolution: Remove "associated potential emergent behaviors" and replace it with "spatial dependencies."
Priority: Critical for clarity
Comment 20 (Section: B.4; Page: 35)
Comment: "RG 1.62 outlines important design criteria for I&C equipment used by plant operators for manual initiation of protective actions." Reg. Guide 1.62 provides criteria for manual initiation of protective actions to meet IEEE 603 requirements. RG 1.62 only applies if the associated Point 4 manual control is also credited for manual initiation of protective actions to meet IEEE 603. Some previous LWR designs installed manual controls only to meet Point 4, not IEEE 603. In those cases, RG 1.62 is not applicable.
Suggested Resolution: Remove statement.
Priority: Critical for clarity

Comment 21 (Section: B.4; Page: 36)
Comment: "The reviewer should determine whether controls outside the MCR are exclusively used for long-term management of the critical safety functions after completion of system-level or division-level manual actuation from the MCR using the Point 4 displays and controls."
What is the purpose of this statement? There are no acceptance criteria associated with it, nor any action except to make a determination. What does the reviewer do with the results of that determination?
Suggested Resolution: Prefer to remove this statement. Otherwise, define what the NRC staff reviewer is intended to do with this information.
Priority: Critical for clarity

Comment 22 (Section: Appendix B; Page: 51)
Comment: The decision diamond on the right-hand side of the flow chart (risk-informed approaches) asks if the approach utilized in a submittal is consistent with Commission policy and guidance, referencing further information in Sections B.3.4.1 and B.3.4.2. The third paragraph in Section 3.4.1 says "reviewer should follow current NRC staff review guidance (including SRP Chapter 19... or interim staff guidance (ISG) DC/COL-ISG-028... to confirm that the risk-informed approach is consistent with the Commission's policy and guidance." These references are for new reactors, but existing reactors may submit LARs involving digital I&C improvements as well.
Suggested Resolution: Add "as applicable": If an application uses a risk-informed approach to address a CCF, the reviewer should follow current NRC staff review guidance... *as applicable* to confirm that the risk-informed approach is consistent with the Commission's policy and guidance.
Priority: Critical for clarity

Comment 23 (Section: All; Page: All)
Comment: Acceptance Criteria. Each section of acceptance criteria should describe whether all bullets are required to meet the acceptable threshold.
Suggested Resolution: Provide direction regarding minimum acceptance criteria.
Priority: Preferential for clarity
Program Management, Announcements and Editing Staff November 21, 2023 Nuclear Energy Institute Comment Section Page Comment Suggested Resolution Priority 24 A
3 In the fourth paragraph, in the text, it would be preferred that the phrase "defense-in-depth" be used consistently.
Check the entire document and replace all the textual "diversity and defense-in-depth" with an approach that clearly shows defense-in-depth is the capability we are trying to achieve, with diversity one of many means of achieving defense-in-depth.
Preferential for clarity 25 A
3 The paragraph shown below may need to be rephrased to be more direct that interdependencies for DI&C systems may not be present.
"DI&C system modifications can interconnect design functions" Instead of "can therefore introduce new failure mechanisms" to have "may introduce new failure mechanisms." For the last sentence, we suggest saying the "potential for interdependencies of DI&C systems" rather than "resulting interdependencies."
Preferential for clarity 26 A
4 Consider including the idea of network and controller segmentation for non-safety systems, especially considering distributed control system.
Augment the text with segmentation for use with non-safety related DCS.
Preferential for clarity 27 A.1.1 13 The discussion on Point 2 provides example attributes of 'best estimate' analysis assumptions to address the consequences of CCF.
It would be helpful to include an additional example of the use of realistic break opening times (rather than the assumed instantaneous double ended guillotine break) as realistic assumption for a D3 consequence analysis. This addition would provide useful linkage for the discussion in Section B.6.5.
Preferential for clarity 28 B.1 10 Footnote 6 was removed and may be beneficial for applicants and staff to be aware of.
Maintaining this footnote allows for clarity in how the staff should be reviewing these criteria and that other possible approaches are acceptable.
Preferential for clarity 29 B.2.1 16 Suggestion to rephrase the following sentence to highlight interconnectivity and dependencies may not be present:
"System interconnectivity can introduce additional dependencies and therefore CCF vulnerabilities" Suggestion to have this be "may", or "has the potential to" to make it clearer.
Preferential for clarity
Program Management, Announcements and Editing Staff November 21, 2023 Nuclear Energy Institute Comment Section Page Comment Suggested Resolution Priority 30 B.2.2 18 The guidance describes spurious operation in DI&C systems to include partial actuation of an emergency core cooling system (i.e., spurious operation of a single division).
Partial actuations where one division behaves differently than another due to CCF is inconsistent with the guidance in NUREG/CR-6303 Section 3.6, Guideline 6Postulated Common-Mode Failure of Blocks, which says "... concurrent failure of each set of identical blocks in all divisions should be postulated...".
Correct BTP 7-19 guidance on partial actuations to be consistent with NUREG/CR-6303 Section 3.6, Guideline 6Postulated Common-Mode Failure of Blocks.
Preferential for clarity 31 B.3 19 The sentence removed system or component from the following sentence:
"The applicant analyzed consequence of CCF vulnerabilities" Retain the original text.
Preferential for clarity 32 B.3.2.2 B.3.4.4 27 34 For clarity, ensure that the Point 3 discussion at least points to Point 4, since the manual actuation and indication for each point can be used with the other point. Similarly, the Point 4 discussion should invoke Point 3.
Change the first sentence to read "When addressing Point 3 and Point 4" Preferential for clarity 33 B.3.4.1 31 In the last line of the first paragraph, an ambiguous "it" is provided, without clear provision of just what "it" is - is it the "risk-informed decision making" or "NRC policy and guidance" or something else.
Replace "it" (throughout the document) with a clear, unambiguous statement of the element to be applied.
Preferential for clarity 34 B.4 35 "If the displays and manual controls provided to meet Point 4 are not vulnerable to the same CCF as the proposed DI&C system, the applicant may credit them as the diverse means called for under Point 3."
"called for under Point 3" should be reworded to "if a diverse, manuals means is required to address the loss of a safety function due to CCF."
"...called for under Point 3 should be reworded to "if a diverse, manuals means is required to address the loss of a safety function due to CCF."
Preferential for clarity
Program Management, Announcements and Editing Staff November 21, 2023 Nuclear Energy Institute Comment Section Page Comment Suggested Resolution Priority 35 B.4 36 "The proposed manual actions credited to accomplish safety functions that would otherwise have been accomplished by automatic safety systems are both feasible and reliable, as demonstrated through an HFE analysis and assessment process, such as the one described in SRP Chapter 18."
What is the difference between an HFE analysis process and HFE assessment process?
Replace "HFE analysis and assessment process" with "HFE process" Preferential for clarity
Program Management, Announcements and Editing Staff November 21, 2023 Nuclear Energy Institute : Common Cause Failure Treatment Process Flow Chart