ML23326A117

Comment (1) of Alan Campbell on Proposed Revision to Standard Review Plan Branch Technical Position 7-19, Guidance for Evaluation of Defense-In-Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safe
Site: Nuclear Energy Institute
Issue date: 11/21/2023
From: Andy Campbell
Nuclear Energy Institute
To: Office of Administration
References: NRC-2023-0181, 88FR73051 00001


Text

PUBLIC SUBMISSION
Received: November 21, 2023
Status: Pending_Post
Tracking No. lp8-xe46-megi
Comments Due: November 24, 2023
Submission Type: Web
Comment (1)

SUNSI Review Complete (Template=ADM-013, E-RIDS=ADM-03). ADD: Ekaterina Lenning, Brent Ballard, Carla Roque-Cruz, Michael Marshall, Dana Harrison, Denae Boone, Mary Neely

Publication Date: 10/24/2023
Citation: 88 FR 73051
Docket: NRC-2023-0181, Proposed Revision to Standard Review Plan Branch Technical Position 7-19, Guidance for Evaluation of Defense-In-Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems
Comment On: NRC-2023-0181-0001, Proposed Revision to Standard Review Plan Branch Technical Position 7-19, Guidance for Evaluation of Defense In Depth and Diversity To Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems
Document: NRC-2023-0181-DRAFT-0002, Comment on FR Doc # 2023-23426

Submitter Information
Email: txc@nei.org
Organization: Nuclear Energy Institute

General Comment
NEI Comments on Draft Branch Technical Position (BTP)-7-19, Revision 9, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems [Docket NRC-2023-0181]

Attachments: 11-21-23_NRC_Industry Comments on Draft BTP-7-19 Revision 9

Alan Campbell, PE
Technical Advisor
Phone: 202.439.3698
Email: adc@nei.org

November 21, 2023

Office of Administration
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
ATTN: Program Management, Announcements and Editing Staff

Subject:

NEI Comments on Draft Branch Technical Position (BTP)-7-19, Revision 9, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems [Docket NRC-2023-0181]

Project Number: 689 Submitted via Regulations.gov

Dear Program Management, Announcements and Editing Staff:

The Nuclear Energy Institute (NEI)[1], on behalf of our members, appreciates the opportunity to comment on draft Branch Technical Position (BTP)-7-19, Revision 9, Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Safety Systems. NEI appreciates the NRC staff's ongoing efforts to modernize the Digital Instrumentation and Control (DI&C) regulatory infrastructure to reflect state-of-the-art approaches for addressing DI&C issues such as Common Cause Failure (CCF). Draft Revision 9 incorporates new staff review guidance intended to address SRM-SECY-22-0076, Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems. NEI's review of draft BTP-7-19, Revision 9 identified portions of the document that will inhibit licensees' and applicants' use of new, risk-informed methods. As a result, NEI believes this draft revision as currently written will impair industry's understanding of the NRC's policy for addressing DI&C CCF.

Draft BTP-7-19, Revision 9, does not contain a clear scope statement. The document title and review responsibilities clearly demonstrate the intent for BTP-7-19 to be limited to digital safety systems; however, many sections discuss CCF treatment for non-safety-related SSCs (e.g. lower safety significance).

Furthermore, the BTP uses terms interchangeably that create confusion (e.g. "Digital Safety System," "I&C," "I&C Equipment," "I&C Systems," "Digital I&C Systems," "Digital Technology," and "Safety System"). BTP-7-19 includes safety significance terminology that confuses commonly used terms in other portions of regulation.

[1] The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

BTP-7-19, Section B.2.1, uses the terms "high safety significance," "lower safety significance," and "lowest safety significance." Attachment 2 provides a proposed flow chart that we believe is consistent with the BTP being focused on digital safety systems and the industry's understanding of the requirements for CCF.

Inclusion of this attachment and an improved scope description in BTP-7-19 will provide clarity to the NRC staff and the industry related to the NRC's policy on DI&C CCF.

The structure of the proposed revision is difficult to navigate and may lead to multiple interpretations.

Throughout the document, deterministic pathways, risk-informed pathways, DI&C reviewers, PRA reviewers, operating reactor considerations, and advanced light-water reactor considerations are intermixed with little indication of what guidance applies to the selected pathway and application type. NEI recommends that the NRC staff restructure the BTP to ensure deterministic and risk-informed pathways are wholly described within their own respective sections. Within each pathway description, acceptance criteria and references should be clearly designated for operating reactors and separately for advanced reactors. An example structure is provided:

1. Section B.1 - Introduction and Scope
2. Section B.2 - CCF Treatment and Elimination - Provide an overview of the process demonstrated in Attachment 2 and review guidance on the elimination of CCF from consideration (as currently discussed in Section B.3.1)
3. Section B.3 - Deterministic Pathway - Consolidate all staff review guidance associated with the deterministic CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors.
4. Section B.4 - Risk-Informed Pathway - Consolidate all staff review guidance associated with the risk-informed CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors.

PRA-specific criteria should not be included within the scope of BTP-7-19. Sufficient PRA guidance already exists in regulatory guidance and staff review guidance.

5. Section B.5 - Manual System-Level Actuation and Indications to Address Point 4
6. Section B.6 - Information for Interdisciplinary NRC Staff Review
7. Section B.7 - Additional Items for Consideration

Many of the technical methods introduced in this draft revision contain guidance and acceptance criteria that are not consistent with existing or comparable methods. When using hazards analysis techniques, the results are required to be confirmed independently that the analysis is correct and complete. Although industry agrees any analysis should be accurate and thorough, this threshold for acceptance criteria is not consistent with acceptance criteria for existing transient safety analysis techniques. Completeness in any type of analysis is subjective and may result in unbounded staff reviews. Additionally, it is unclear whether this guidance is describing an independent confirmation from the NRC staff or requiring independence in the licensee's review process. NEI suggests alternate language: the NRC reviewer should confirm that the applicant has considered a sufficient range of hazards in its analysis to provide reasonable assurance that CCF is avoided.

Intersystem CCF and PRA modeling are mentioned throughout the draft even though most PRA models do not model intersystem CCF. Given that current practices for PRA modeling do not require intersystem common cause failure for Capability Category II requirements, we recommend that the intersystem CCF dependency requirement of the PRA be removed. Based on discussions during the BTP-7-19 public meeting held November 11, 2023, NEI understands that where BTP-7-19 uses the terms "intersystem common cause failure" or "intersystem dependency," this language was intended to address the impact of CCF when design functions are combined into a single DI&C system (either through connectivity or common equipment). The terms "intersystem common cause failure" and "intersystem dependency" should be removed and replaced with language communicating the impacts of CCF when design functions are combined.

NEI understands many of these issues are present in BTP-7-19, Revision 8; however, we believe that in order to clearly communicate the NRC's DI&C CCF policy consistent with SRM-SECY-22-0076, additional changes are warranted. We understand the time pressure to meet the Commission's direction in SRM-SECY-22-0076 and stand ready to do our part to meet this deadline.

In addition to the comments described in this letter, the NEI Digital I&C Task Force has identified other items that are critical to our understanding of CCF treatment and new methods that may be used in the risk-informed pathway. NEI's full set of prioritized comments is provided in Attachment 1. Attachment 2 provides a flow chart clearly demonstrating the graded approach to treating CCF based upon safety classification and application of RIS-2002-22, Supplement 1.

We appreciate the opportunity to provide feedback on this draft revision of BTP-7-19. Please contact me with any questions or comments at adc@nei.org.

Sincerely,

Alan Campbell, Technical Advisor

Attachment 1: NEI Comments on Draft BTP-7-19, Revision 9
Attachment 2: Common Cause Failure Treatment Process Flow Chart

c: Eric Benner (NRR/DEX)
Jason Paige (NRR/DEX/ELTB)
Samir Darbali (NRR/DEX/ELTB)
Norbert Carte (NRR/DEX/EICB)
Steven Alferink (NRR/DRA/APLC)

Attachment 1: NEI Comments on Draft BTP-7-19, Revision 9

Columns: Comment #, Section, Page, Comment, Suggested Resolution, Priority

Comment 1
Section: All
Page: All
Comment: BTP-7-19 Scope and Terminology: The scope of BTP-7-19 should be limited to safety-related digital I&C systems outside the scope of RIS-2002-22, Supplement 1. The document uses many terms that create different scope boundaries resulting in unclear limits to its application. The terminology and definitions used throughout BTP-7-19 should be consistent (e.g., the terms "Digital Safety System," "I&C," "I&C Equipment," "I&C systems," "Digital I&C systems," "Digital Technology," and safety system are currently used interchangeably and have different scopes). The safety significance determination process is confusing and conflicts with other industry practices (such as 10 CFR 50.69). This section introduces terminology "high safety significance," "lower safety significance," and "lowest safety significance" that lacks regulatory basis and confuses terminology with 10 CFR 50.69. The criteria within each acceptance criteria subsection are not wholly accurate with the intent of the sections or lack clarity. For example: Subsection (a) states: "They are credited in the FSAR for meeting diversity requirements." This criterion lacks objective criteria to establish a threshold for "contribute significantly." The remaining two bullets adequately describe safety significant, safety related SSCs. Alternatively, the industry only anticipates RPS/ESFAS to scope into high safety significance. It will be clearer to state RPS/ESFAS as previous versions of BTP-7-19 did. Additionally, the introductory paragraph on page 17 changed FSAR to "directly credited in accident analysis." Not all credited FSAR design functions are direct accident analysis functions but contribute significantly to plant safety. Subsection (b) states: "They are credited in the FSAR for meeting diversity requirements." Non-safety related SSCs may also be used to meet diversity requirements as allowed by Points 3 and 4.
Suggested Resolution: Refer to Attachment 2 for the proposed flow chart for treatment of CCF and scope for BTP-7-19. We recommend that the term "digital safety system" be used for the scope of BTP-7-19. Non-safety related and low safety significant SSCs should NOT be within the scope of BTP-7-19. BTP-7-19 should be reserved for use of safety significant digital I&C safety systems (e.g., RPS and ESFAS).
Priority: Deferral of this comment would be detrimental to the industry use of BTP-7-19 and understanding of treatment of CCF.

Comment 2
Section: All
Page: All
Comment: BTP-7-19 Organization: The organization of BTP-7-19 is difficult to navigate. The overall structure intermixes instruction to deterministic pathways, risk-informed pathways, DI&C reviewers, PRA reviewers, operating reactor considerations, and advanced LWR considerations. The result is a document that confuses the reader on the scope, applicability and direction within any given section.
Suggested Resolution: The following layout would improve readability/understanding. This layout is consistent with the proposed flow chart.
Section B.1 - Introduction
Section B.2 - CCF Treatment and Elimination - Provide an overview of the process demonstrated in Attachment 2 and direction on the elimination of CCF from consideration (as currently discussed in Section B.3.1)
Section B.3 - Deterministic Pathway - Consolidate all staff review guidance associated with the deterministic CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors.
Section B.4 - Risk-Informed Pathway - Consolidate all staff review guidance associated with the risk-informed CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors. PRA-specific criteria should not be included within the scope of BTP-7-19. BTP-7-19 is intended for DI&C staff reviewers, not PRA staff reviewers.
Section B.5 - Manual System-Level Actuation and Indications to Address Point 4
Section B.6 - Information for Interdisciplinary NRC Staff Review
Section B.7 - Additional Items for Consideration
Priority: Deferral of this comment would be detrimental to the industry use of BTP-7-19 and understanding of treatment of CCF.

Comment 3
Section: B.3.1.3.a
Page: 23
Comment: "the identification of the CCF vulnerabilities or causes that the proposed alternative approach addresses; if these are identified using a hazard analysis technique, then it should be confirmed independently that the analysis is correct and complete" This should be commensurate with the best-estimate approach of the traditional pathway. A traditional nuclear transient and accident analysis is developed upon the principle that licensing basis events do not represent all events that may occur at a nuclear power plant; however, the events identified are the most credible and bounding events. The hazards analysis should identify the most likely and bounding sources of CCF. The terms "correct and complete" goes beyond the measure of reasonable assurance and increases the acceptance threshold beyond what is acceptable for design basis events. Additionally, it is unclear who provides the independent confirmation and what the acceptance criteria for independence are. NEI does not believe independence is necessary for the technical review of hazards.
Suggested Resolution: Replace "confirmed independently that the analysis is correct and complete." with: the NRC reviewer should confirm that the applicant has considered a sufficient range of hazards in its analysis to provide reasonable assurance that CCF is avoided. Remove "independently." Alternatively, clarify that the level of independence required for design reviews in 10 CFR 50 Appendix A, Design Control, is sufficient.
Priority: Deferral of this comment would be detrimental to the industry use of BTP-7-19 and understanding of treatment of CCF.

Comment 4
Section: B.3.4
Page: 30 - 35
Comment: These sections intermix review guidance for operating reactors and advanced LWR reactors. SRP Chapter 19 and DC/COL-ISG-028 only apply to new reactors. Refer to scoping statements from each of these documents below. Section 3.4.2 states: "SRP Section 19.0, Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors, provides guidance for reviewing DI&C system risk assessments for new reactors, which may also be applicable to operating reactors." This is an expansion of the scope of SRP Section 19 to operating reactors and creates concerns regarding forward fitting of advanced reactor concepts. SRP Chapter 19 scope: "This section of the Standard Review Plan (SRP) pertains to the staff review of the design specific probabilistic risk assessment (PRA) for a design certification (DC) and plant-specific PRA for a combined license (COL) application, respectively." DC/COL-ISG-028 scope: "The purpose of this document is to provide Interim Staff Guidance (ISG) for assessing the technical adequacy of the probabilistic risk assessment (PRA) needed for an application for design certification (DC) of an advanced light-water reactor (ALWR) under Title 10 of the Code of Federal Regulations (10 CFR) Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, specifically 10 CFR 52.47(a)(27), as well as an application for a combined license (COL) under 10 CFR 52.79(a)(46)." BTP-7-19 should not be used to expand the scope of other regulatory and/or staff review guidance.
Suggested Resolution: These sections should be re-arranged to clearly identify which guidance is to be used for operating reactors and which guidance is to be used for advanced light-water reactors. Additionally, the guidance should not be expanded beyond the intended scope of referenced standards. Remove "...which may also be applicable to operating reactors."
Priority: Deferral of this comment would be detrimental to the industry use of BTP-7-19 and understanding of treatment of CCF.

Comment 5
Section: B.3.4.2
Page: 33
Comment: Discussion of intersystem CCF and PRA modeling is mentioned even though most PRA models do not model intersystem CCF. Given that current practices for PRA modeling do not require intersystem common cause failure for Capability Category II requirements, it is suggested to remove the intersystem common cause failure dependency requirement for the PRA model.
Suggested Resolution: Based on discussions during the BTP-7-19 public meeting held 11/14, NEI understands that where BTP-7-19 states "intersystem common cause failure" or "intersystem dependency" this was intended to address the impact of CCF when design functions are combined into a DI&C system either through connectivity or common equipment. The terms "intersystem common cause failure" and "intersystem dependency" should be removed and replaced with language communicating the impacts of CCF when design functions are combined.
Priority: Deferral of this comment would be detrimental to the industry use of BTP-7-19 and understanding of treatment of CCF.

Comment 6
Section: B.3.4.2
Page: 32
Comment: In several places there is identification that any changes to the PRA model be identified and explained. However, there is no clear definition of the baseline PRA from which the changes are to be referenced. Furthermore, the wording seems to suggest that changes unrelated to the digital I&C upgrade are to be discussed. Section 3.4.2 outlines "The application should also justify any changes beyond those for modeling the CCF made to the PRA model to support the application, including whether the changes are considered PRA maintenance or a PRA upgrade (typically based on the corresponding definitions in the applications specified revision of RG 1.200 or equivalent guidance for new reactors, such as DC/COL-ISG-028)."
Suggested Resolution: Suggestion to provide clarification to identify the baseline PRA which the upgrades, updates, hazard additions/changes, etc., are to be referenced. Suggestion to clarify that only the differences between a previously approved PRA model will be examined which are applicable to this DI&C assessment and that this would not require a focused scope peer review or determination of update/upgrade. For many plants, PRA models have already been reviewed for the as-built, as-operated plant. Furthermore, the changes should be limited to the risk-informed assessment of the DI&C system.
Priority: Critical for new approaches

Comment 7
Section: B.3.4.2, B.3.4.3
Page: 32
Comment: Guidance drives toward assumption of P(ccf)=1 or high, conservative value. This, in conjunction with common conservative fire PRA assumptions, could skew results: Section B.3.4.2 states: "The reviewer should determine whether the application explains how the CCF is modeled in the PRA and provides justification that the modeling includes the impact of the CCF. In providing the justification, the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards." Section B.3.4.3 only describes approaches using bounding and sensitivity analyses in various places.
Suggested Resolution: While the industry expects to initially provide guidance using a sensitivity analysis with modeling the change to plant risk metrics based on P(ccf)=1, we do not believe the BTP-7-19 should use such conservatism as acceptance criteria. BTP-7-19 should allow use of justified best-estimate CCF values where accepted conservative modeling practices (e.g. in fire PRA) result in excessive compounded conservatism.
Priority: Critical for new approaches

Comment 8
Section: B.3.4.3
Page: 34
Comment: The following criteria seems open ended: "c. The risk quantification accounts for any dependencies introduced by the CCF, including the ability for operators to perform manual actions."
Suggested Resolution: Limit to operator actions intended to compensate for postulated CCF.
Priority: Critical for new approaches

Comment 9
Section: B.4
Page: 36
Comment: "However, if the diverse means credited for Point 3 are not located in the MCR, then they are not sufficient to meet Point 4." NEI expects that HFE analysis may be used to demonstrate acceptable equipment locations (MCR or elsewhere). This statement contradicts the Commission direction that the licensees may propose alternate approaches.
Suggested Resolution: Remove statement.
Priority: Critical for new approaches

Comment 10
Section: B.1.1
Page: 14
Comment: "Point 4 is risk-informed because it focuses only on those most important safety functions to be accomplished or maintained to prevent a direct and immediate threat to public health and safety" This statement implies that Critical Safety Functions are pre-determined based on their impact to plant risk. As the NRC points out in Section 3.4, "Risk significance and safety significance are different concepts." This statement confuses the two points and is not supported by a risk analysis demonstrating the impacts of these functions on plant risk. This statement also implies that a risk-informed approach is required to adequately address Point 4.
Suggested Resolution: The industry agrees that the list of Critical Safety Functions provided in this section may be used for operating LWRs as a general rule of thumb with the flexibility of each licensee to provide justification that supports the removal or addition of functions based on plant specific data (including risk). The statement provided in this comment should be removed from the BTP as it is misleading regarding the basis for the concept of critical safety functions.
Priority: Critical for clarity

Comment 11
Section: B.1.1
Page: 15
Comment: "The displays and controls credited for Point 4 must provide for effective manual control of critical safety functions. Point 4 clarifies that these main control room (MCR) displays and controls may be addressed in the same assessment as the first three points (i.e., does not require a separate analysis beyond what is called for in Points 1-3 of the policy)." See also paragraph 2 on p. 39. This interpretation implies that the results of analysis for Point 3 can suffice for Point 4. Point 3 only requires the postulated CCFs are adequately addressed; the results of which may not require a particular manual control (e.g., the Point 3 analysis may credit an automatic function).
Suggested Resolution: If the results from Point 3 are not sufficient to meet Point 4, then the phrase "a separate analysis beyond what is called for in Points 1-3 of the policy" needs more review guidance in the BTP to understand the intent of this phrase. Please provide additional clarity on what is required to satisfy Point 4.
Priority: Critical for clarity

Comment 12
Section: B.1.2
Page: 14 - 15
Comment: The description of the basis for the term "critical safety functions" contains inaccurate statements:
1. "The NRC staff's proposal in SECY-93-087, as amended and approved by SRM-SECY-93-087, identified the following examples of critical safety functions..." The Commission did not approve the definition of critical safety functions in SECY-93-087. In SRM-SECY-93-087, the Commission deleted the definition of critical safety functions and stated: "Further, the remainder of the discussion under the fourth part of the staff position is highly prescriptive and detailed (e.g., "shall be evaluated," "shall be sufficient," "shall be hardwired," etc.). The Commission approves only that such prescriptiveness be considered as general guidance, the practicality of which should be determined on a case-by-case basis."
2. Note 6 implies that the term "safety function" in IEEE 497-2016 is synonymous with "critical safety function" from earlier versions of the standard. The definition provided in IEEE 497-2016 is more closely related to the term "safety-related function" in earlier versions of the standard and does NOT provide prescribed functions as the previous defined term "critical safety functions."
3. "The critical safety functions listed in SECY-93-087 and SECY-22-0076 are representative of operating light-water reactors. Other types of reactors may have different critical safety functions." The Commission did not approve these functions as part of the policies. This statement is misleading.
Suggested Resolution: The industry agrees that the list of Critical Safety Functions provided in this section may be used for operating LWRs as a general rule of thumb with the flexibility of each licensee to provide justification that supports the removal or addition of functions based on plant specific data (including risk). The statements provided in this comment should be removed from the BTP as it is misleading regarding the basis for the concept of critical safety functions.
Priority: Critical for clarity

Comment 13
Section: B.2.2
Page: 17
Comment: The second bullet uses "Interconnected" without defining how the data communication functions. If we have data flowing unidirectionally from safety to non-safety systems, appropriately electrically isolated, with no messages returning from non-safety to safety, why would that require analysis? The non-safety system cannot affect the operation of the safety system.
Suggested Resolution: Clearly delineate the conditions under which data communication (not "interconnection") can have adverse effects that require analysis. OR state that sufficient conditions can be established where D3 analysis is not required.
Priority: Critical for clarity

Comment 14
Section: B.3
Page: 18
Comment: The bullet that now results in the text shown below removed the requirement that only CCF that would result in a loss of a function needs to be evaluated: "Evaluate whether the D3 assessment indicates that CCF vulnerabilities have been adequately addressed."
Suggested Resolution: Revise to add "that might result in loss of safety function" after CCF vulnerabilities.
Priority: Critical for clarity

Comment 15
Section: B.3.1.1
Page: 21 - 22
Comment: Item c talks about CCF failures of shared resources such as power supplies failure that could affect a system.
Suggested Resolution: Revise BTP 7-19 guidance to focus on failures with adverse impacts. For example, power supply CCF failure modes may put the system in the safe state (i.e., actuated) which may have no adverse impact on safety.
Priority: Critical for clarity

Comment 16
Section: B.3.1.3
Page: 23
Comment: One example of a design feature that mitigates a digital CCF could be a well-designed watchdog (i.e., not dependent on the platform software) that puts the actuators in the safe (i.e., actuated) state, as suggested in an ACRS letter dated August 5, 2014.
Suggested Resolution: It would be helpful if the BTP 7-19 guidance were revised to acknowledge such an example of an alternative approach to eliminate potential CCF from further consideration.
Priority: Critical for clarity

Comment 17
Section: B.3.2.2
Page: 27
Comment: In Item b, the use of "diverse" is misleading. This item appears to be requiring that the manual actuations not be affected by the CCF.
Suggested Resolution: Replace the sentence with "The SSCs used to support the manual operator action are not vulnerable to the CCF." If desired, another sentence could be added to clarify that the manual actions initiate protective actions outside the boundaries where SCCF could affect the manual actuations.
Priority: Critical for clarity

Comment 18
Section: B.3.4, B.3.4.1
Page: 33, 34
Comment: An initial paragraph states "the policy" without clarifying which policy is being discussed.
Suggested Resolution: Clarify if the policy being discussed is SRM-SECY-22-0076.
Priority: Critical for clarity

Comment 19
Section: B.3.4.3, B.3.4.4
Page: 34, 38
Comment: Item d) i) states the following: "the CCF is modeled in sufficient detail, including intersystem and intrasystem dependencies and associated potential emergent behaviors, to evaluate the impact of the CCF on plant equipment and functions modeled in the PRA (including the ability for operators to perform manual actions), and" The term "associated potential emergent behaviors" is not a common term used for PRA.
Suggested Resolution: It is suggested to remove "associated potential emergent behaviors" and change it to "spatial dependencies."
Priority: Critical for clarity

Program Management, Announcements and Editing Staff Nuclear Energy Institute November 21, 2023 Comment Page

  1. Section # Comment Suggested Resolution Priority "RG 1.62 outlines important design criteria for I&C equipment used by plant operators for manual initiation of protective actions."Reg. Guide 1.62 provides criteria for manual initiation of protective actions to meet IEEE 603 requirements. RG 1.62 only applies if the associated Point 4 20 B.4 35 Remove statement. Critical for clarity manual control is also credited for manual initiation of protective actions to meet IEEE 603. Some previous LWR designs installed manual controls only to meet Point 4, not IEEE 603. In those cases, RG 1.62 is not applicable.

21. Section B.4, page 36. Priority: Critical for clarity.
Comment: "The reviewer should determine whether controls outside the MCR are exclusively used for long-term management of the critical safety functions after completion of system-level or division-level manual actuation from the MCR using the Point 4 displays and controls." What is the purpose of this statement? There are no acceptance criteria associated with it, nor any action except to make a determination. What does the reviewer do with the results of that determination?
Suggested Resolution: Prefer to remove this statement. Otherwise, define what the NRC staff reviewer is intended to do with this information.

22. Appendix B, page 51. Priority: Critical for clarity.
Comment: Decision diamond on right hand side of flow chart (risk informed approaches) asks if approach utilized in a submittal is consistent with Commission policy and guidance, referencing further information in sections B.3.4.1 and B.3.4.2. 3rd paragraph in section 3.4.1 says "reviewer should follow current NRC staff review guidance (including SRP Chapter 19... or interim staff guidance (ISG) DC/COL-ISG-028... to confirm that the risk-informed approach is consistent with the Commissions policy and guidance." These references are for new reactors, but existing reactors may submit LARs involving digital I&C improvements as well.
Suggested Resolution: Add "as applicable": "If an application uses a risk-informed approach to address a CCF, the reviewer should follow current NRC staff review guidance... *as applicable* to confirm that the risk-informed approach is consistent with the Commissions policy and guidance."

23. Section: All, page: All. Priority: Preferential for clarity.
Comment: Acceptance Criteria: Each section of acceptance criteria should describe whether all bullets are required to meet the acceptable threshold.
Suggested Resolution: Provide direction regarding minimum acceptance criteria.


24. Section A, page 3. Priority: Preferential for clarity.
Comment: In the fourth paragraph, in the text, it would be preferred that the phrase "defense-in-depth" be used consistently.
Suggested Resolution: Check the entire document and replace all the textual "diversity and defense-in-depth" with an approach that clearly shows defense-in-depth is the capability we are trying to achieve, with diversity one of many means of achieving defense-in-depth.

25. Section A, page 3. Priority: Preferential for clarity.
Comment: The paragraph shown below may need to be rephrased to be more direct that interdependencies for DI&C systems may not be present: "DI&C system modifications can interconnect design functions".
Suggested Resolution: Instead of "can therefore introduce new failure mechanisms" have "may introduce new failure mechanisms." For the last sentence, we suggest saying the "potential for interdependencies of DI&C systems" rather than "resulting interdependencies."

26. Section A, page 4. Priority: Preferential for clarity.
Comment: Consider including the idea of network and controller segmentation for non-safety systems, especially considering distributed control systems.
Suggested Resolution: Augment the text with segmentation for use with non-safety related DCS.

27. Section A.1.1, page 13. Priority: Preferential for clarity.
Comment: The discussion on Point 2 provides example attributes of 'best estimate' analysis assumptions to address the consequences of CCF.
Suggested Resolution: It would be helpful to include an additional example of the use of realistic break opening times (rather than the assumed instantaneous double ended guillotine break) as a realistic assumption for a D3 consequence analysis. This addition would provide useful linkage for the discussion in Section B.6.5.

28. Section B.1, page 10. Priority: Preferential for clarity.
Comment: Footnote 6 was removed and may be beneficial for applicants and staff to be aware of.
Suggested Resolution: Maintaining this footnote allows for clarity in how the staff should be reviewing these criteria and that other possible approaches are acceptable.

29. Section B.2.1, page 16. Priority: Preferential for clarity.
Comment: Suggestion to rephrase the following sentence to highlight that interconnectivity and dependencies may not be present: "System interconnectivity can introduce additional dependencies and therefore CCF vulnerabilities".
Suggested Resolution: Suggestion to have this be "may", or "has the potential to", to make it clearer.


30. Section B.2.2, page 18. Priority: Preferential for clarity.
Comment: The guidance describes spurious operation in DI&C systems to include partial actuation of an emergency core cooling system (i.e., spurious operation of a single division). Partial actuations where one division behaves differently than another due to CCF are inconsistent with the guidance in NUREG/CR-6303 Section 3.6, Guideline 6 (Postulated Common-Mode Failure of Blocks), which says "... concurrent failure of each set of identical blocks in all divisions should be postulated ...".
Suggested Resolution: Correct BTP 7-19 guidance on partial actuations to be consistent with NUREG/CR-6303 Section 3.6, Guideline 6 (Postulated Common-Mode Failure of Blocks).

31. Section B.3, page 19. Priority: Preferential for clarity.
Comment: The sentence removed "system or component" from the following sentence: "The applicant analyzed consequence of CCF vulnerabilities".
Suggested Resolution: Retain the original text.

32. Sections B.3.2.2 (page 27) and B.3.4.4 (page 34). Priority: Preferential for clarity.
Comment: For clarity, ensure that the Point 3 discussion at least points to Point 4, since the manual actuation and indication for each point can be used with the other point. Similarly, the Point 4 discussion should invoke Point 3.
Suggested Resolution: Change the first sentence to read "When addressing Point 3 and Point 4".

33. Section B.3.4.1, page 31. Priority: Preferential for clarity.
Comment: In the last line of the first paragraph, an ambiguous "it" is provided, without clear provision of just what "it" is: is it the "risk-informed decision making" or "NRC policy and guidance" or something else?
Suggested Resolution: Replace "it" (throughout the document) with a clear, unambiguous statement of the element to be applied.

34. Section B.4, page 35. Priority: Preferential for clarity.
Comment: "If the displays and manual controls provided to meet Point 4 are not vulnerable to the same CCF as the proposed DI&C system, the applicant may credit them as the diverse means called for under Point 3."
Suggested Resolution: "...called for under Point 3" should be reworded to "if a diverse, manual means is required to address the loss of a safety function due to CCF."


35. Section B.4, page 36. Priority: Preferential for clarity.
Comment: "The proposed manual actions credited to accomplish safety functions that would otherwise have been accomplished by automatic safety systems are both feasible and reliable, as demonstrated through an HFE analysis and assessment process, such as the one described in SRP Chapter 18." What is the difference between an HFE analysis process and an HFE assessment process?
Suggested Resolution: Replace "HFE analysis and assessment process" with "HFE process".

Attachment 2: Common Cause Failure Treatment Process Flow Chart