ML24005A115
Issue date: 04/25/2024
From: Carla Roque-Cruz NRC/NRR/DORL/LPMB
Shared Package: ML24005A119
References: SRM-S22-0076-1
RESPONSE TO PUBLIC COMMENTS ON DRAFT STANDARD REVIEW PLAN BRANCH TECHNICAL POSITION 7-19, GUIDANCE FOR EVALUATION OF DEFENSE IN DEPTH AND DIVERSITY TO ADDRESS COMMON-CAUSE FAILURE DUE TO LATENT DESIGN DEFECTS IN DIGITAL INSTRUMENTATION AND CONTROL SYSTEMS
On October 24, 2023, a notice of opportunity for public comment was published in the Federal Register (88 FR 73051) on the proposed revision to NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (SRP), Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Instrumentation and Control Systems." Comments were received from the following and are available in the Agencywide Documents Access and Management System (ADAMS):

Name/Organization: Nuclear Energy Institute (NEI)
ADAMS Accession Number: ML23326A117

The numbered items below provide the U.S. Nuclear Regulatory Commission (NRC) staff's review and disposition of the comments. Each item gives the comment as submitted, the commenter's suggested resolution, and the NRC resolution.
1. BTP-7-19 Scope and Terminology

Comment:

[1.1] The scope of BTP-7-19 should be limited to safety-related digital I&C [instrumentation and control] systems outside the scope of RIS [Regulatory Information Summary] 2002-22, Supplement 1 [Clarification on Endorsement of Nuclear Energy Institute Guidance in Designing Digital Upgrades in Instrumentation and Control Systems, dated May 31, 2018]. The document uses many terms that create different scope boundaries, resulting in unclear limits to its application. The terminology and definitions used throughout BTP-7-19 should be consistent (e.g., the terms "Digital Safety System," "I&C," "I&C Equipment," "I&C systems," "Digital I&C systems," "Digital Technology," and "safety system" are currently used interchangeably and have different scopes).

[1.2] The safety significance determination process is confusing and conflicts with other industry practices (such as [Title 10 of the Code of Federal Regulations] 10 CFR 50.69). This section introduces terminology ("high safety significance," "lower safety significance," and "lowest safety significance") that lacks regulatory basis and confuses terminology with 10 CFR 50.69. The criteria within each acceptance criteria subsection are not wholly accurate with the intent of the sections or lack clarity. For example:

Subsection (a) states: "They are credited in the FSAR [final safety analysis report] for meeting diversity requirements." This criterion lacks objective criteria to establish a threshold for "to contribute significantly." The remaining two bullets adequately describe safety significant, safety related SSCs [structures, systems, and components]. Alternatively, the industry only anticipates RPS/ESFAS [reactor protection system/engineered safety features actuation system] to scope into high safety significance. It will be clearer to state RPS/ESFAS as previous versions of BTP-7-19 did. Additionally, the introductory paragraph on page 17 changed "FSAR" to "directly credited in accident analysis." Not all credited FSAR design functions are direct accident analysis functions but contribute significantly to plant safety.

Subsection (b) states: "They are credited in the FSAR for meeting diversity requirements." Non-safety related SSCs may also be used to meet diversity requirements as allowed by Points 3 and 4.

Suggested Resolution: Refer to Attachment 2 for the proposed flow chart for treatment of CCF [common-cause failures] and scope for BTP-7-19. We recommend that the term "digital safety system" be used for the scope of BTP-7-19. Non-safety related and low safety significant SSCs should NOT be within the scope of BTP-7-19. BTP-7-19 should be reserved for use of safety significant digital I&C safety systems (e.g., RPS and ESFAS).

NRC Resolution:

[1.1] The staff agrees in part and disagrees in part with the comment. The staff agrees that the terms in BTP 7-19 are not used consistently but disagrees that BTP 7-19 should be limited to safety-related SSCs. Staff Requirements Memorandum (SRM)-SECY-22-0076, "Staff Requirements - SECY-22-0076 - Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems," dated May 25, 2023, uses the term "digital I&C system," and therefore digital I&C system is the scope of the policy: "The Commission has approved the staff's recommendation to expand the existing policy for digital instrumentation and control (I&C) common-cause failures...." Nonetheless, to the extent BTP 7-19 uses different words to convey similar or identical concepts, the staff has revised it to use more consistent language and to ensure the terminology corresponds to that in SRM-SECY-22-0076.

RIS 2002-22, Supplement 1, addresses 10 CFR 50.59, "Changes, tests and experiments" (which provides criteria for determining when a change requires a license amendment), and does not reference SRM-SECY-93-087 (SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated July 21, 1993) (since SRM-SECY-22-0076 was not published yet), or provide guidance for the acceptable implementation of SRM-SECY-93-087. The staff disagrees that the scope of the BTP should be limited to safety-related DI&C systems outside of the RIS. For example, review guidance in the BTP would be needed for a low safety-significance system modification that requires a license amendment request under the 10 CFR 50.59 criteria.

BTP 7-19, Revision 8, dated January 25, 2021, was produced in accordance with SECY-18-0090, "Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Controls," dated September 12, 2018. BTP 7-19, Revision 8, provided guidance on non-safety systems. The staff did not propose in SECY-22-0076 to revise BTP 7-19 to remove references to SSCs that are not safety-related, nor did the Commission in SRM-SECY-22-0076 direct the staff to do so. Accordingly, the staff is not changing the BTP as suggested in this regard.

[1.2] The staff agrees in part with the comment. The staff agrees that references to 10 CFR 50.69, "Risk-informed categorization and treatment of structures, systems and components for nuclear power reactors," can create confusion. The staff has revised BTP 7-19 to remove such references and references to Generic Letter (GL) 85-06, "Quality Assurance Guidance for ATWS [anticipated transient without scram] Equipment that Is Not Safety-Related," dated April 16, 1985. The staff added a footnote in section B.2.1 to clarify that the safety-significance determination categories used in this BTP are consistent with SECY-18-0090. BTP 7-19 is intended to provide review guidance to the NRC staff for ensuring an application meets the applicable regulations; it is not intended as guidance to applicants for developing a D3 assessment.

The staff disagrees with the comment regarding the introductory paragraph on page 17 that changed "FSAR" to "directly credited in accident analysis." The staff made this change because some FSARs may not describe the accident analysis in Chapter 15.
2. BTP-7-19 Organization

Comment:

The organization of BTP-7-19 is difficult to navigate. The overall structure intermixes instruction to deterministic pathways, risk-informed pathways, DI&C reviewers, PRA [probabilistic risk assessment] reviewers, operating reactor considerations, and advanced LWR [light-water reactor] considerations. The result is a document that confuses the reader on the scope, applicability and direction within any given section.

Suggested Resolution: The following layout would improve readability/understanding. This layout is consistent with the proposed flow chart.

Section B.1, Introduction
Section B.2, CCF Treatment and Elimination: Provide an overview of the process demonstrated in Attachment 2 and direction on the elimination of CCF from consideration (as currently discussed in Section B.3.1).
Section B.3, Deterministic Pathway: Consolidate all staff review guidance associated with the deterministic CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors.
Section B.4, Risk-Informed Pathway: Consolidate all staff review guidance associated with the risk-informed CCF pathway. Clearly state what guidance and acceptance criteria are applicable to operating reactors and what guidance and acceptance criteria are applicable to advanced light-water reactors. PRA-specific criteria should not be included within the scope of BTP-7-19. BTP-7-19 is intended for DI&C staff reviewers, not PRA staff reviewers.
Section B.5, Manual System-Level Actuation and Indications to Address Point 4
Section B.6, Information for Interdisciplinary NRC Staff Review
Section B.7, Additional Items for Consideration

NRC Resolution:

The staff disagrees with this comment. BTP 7-19 is intended to provide review guidance to the NRC staff for ensuring an application meets the applicable regulations; it is not intended as guidance for applicants developing a D3 assessment. The staff does not agree that the organization of the document is difficult to navigate or would result in confusion for the reviewer. However, the staff revised the BTP to include a figure depicting the applicable BTP sections for addressing each of the four points in SRM-SECY-22-0076 and to clarify the scope of the BTP.

The NRC staff disagrees with the portion of the comment that states PRA-specific acceptance criteria should not be included within the scope of BTP-7-19. As stated in SECY-22-0076, the NRC staff's goal is that the acceptance criteria for risk-informed approaches for DI&C CCFs will be consistent with the agency's broader (i.e., not specific to DI&C) practices and guidance for risk-informed decision-making. As such, BTP 7-19, Revision 9, primarily points to other staff review guidance for risk-informed applications. Since risk-informed applications are allowed by the policy, it is necessary to include some guidance related to PRA in BTP 7-19, Revision 9.

The NRC staff disagrees with the portion of the comment that states BTP 7-19 is intended for DI&C staff reviewers, not PRA staff reviewers. BTP 7-19 provides review guidance for evaluating D3 to address CCFs due to latent design defects in digital safety systems. DI&C staff reviewers have primary responsibility for the review of applications within the scope of BTP 7-19. Since risk-informed applications are allowed by the policy, reliability and risk analysts are responsible for reviewing risk-informed applications.
3.

Comment:

"...the identification of the CCF vulnerabilities or causes that the proposed alternative approach addresses; if these are identified using a hazard analysis technique, then it should be confirmed independently that the analysis is correct and complete." This should be commensurate with the best-estimate approach of the traditional pathway. A traditional nuclear transient and accident analysis is developed upon the principle that licensing basis events do not represent all events that may occur at a nuclear power plant; however, the events identified are the most credible and bounding events. The hazards analysis should identify the most likely and bounding sources of CCF. The terms "correct and complete" go beyond the measure of reasonable assurance and increase the acceptance threshold beyond what is acceptable for design basis events.

Additionally, it is unclear who provides the independent confirmation and what the acceptance criteria for independence are. NEI does not believe independence is necessary for the technical review of hazards.

Suggested Resolution: Replace "confirmed independently that the analysis is correct and complete" with "the NRC reviewer should confirm that the applicant has considered a sufficient range of hazards in its analysis to provide reasonable assurance that CCF is avoided." Remove "independently." Alternatively, clarify that the level of independence required for design reviews in 10 CFR [Part] 50 [Domestic Licensing of Production and Utilization Facilities] Appendix A [General Design Criteria for Nuclear Power Plants], Design Control, is sufficient.

NRC Resolution:

The NRC staff agrees in part with the comment and disagrees in part with the proposed change. The applicant should explain what it has chosen and justify why it is appropriate.

Furthermore, the traditional approach (referenced in this comment) includes D3 (as is explained in many places); these are necessary because one cannot ensure the design is completely free from CCF (as is explained in many places). Therefore, when D3 is reduced, the reviewer should verify that the application provides adequate justification, such as confidence in the completeness and correctness of the design.

Finally, individual clauses and sentences should be taken in context, and part of the context is in the last sentence of the first paragraph introducing the section B.3.1.3 acceptance criteria. This section essentially takes a performance-based approach, as is outlined by the last paragraph before the acceptance criteria. It would be inconsistent with this approach to state specific solutions, as is proposed by the comment.

For clarity, the staff revised section B.3.1.3, acceptance criteria item a.
4.

Comment:

These sections intermix review guidance for operating reactors and advanced LWR reactors. SRP Chapter 19 and DC/COL-ISG-028 [Design Certification/Combined License-Interim Staff Guidance, "Assessing the Technical Adequacy of the Advanced Light-Water Reactor Probabilistic Risk Assessment for the Design Certification Application and Combined License Application," dated December 2, 2016] only apply to new reactors. Refer to the scoping statements from each of these documents below.

Section 3.4.2 states: "SRP Section 19.0, 'Probabilistic Risk Assessment and Severe Accident Evaluation for New Reactors,' provides guidance for reviewing DI&C system risk assessments for new reactors, which may also be applicable to operating reactors." This is an expansion of the scope of SRP Section 19 to operating reactors and creates concerns regarding forward fitting of advanced reactor concepts.

SRP Chapter 19 scope: "This section of the Standard Review Plan (SRP) pertains to the staff review of the design specific probabilistic risk assessment (PRA) for a design certification (DC) and plant-specific PRA for a combined license (COL) application, respectively."

DC/COL-ISG-028 scope: "The purpose of this document is to provide Interim Staff Guidance (ISG) for assessing the technical adequacy of the probabilistic risk assessment (PRA) needed for an application for design certification (DC) of an advanced light-water reactor (ALWR) under Title 10 of the Code of Federal Regulations (10 CFR) Part 52, 'Licenses, Certifications, and Approvals for Nuclear Power Plants,' specifically 10 CFR 52.47(a)(27), as well as an application for a combined license (COL) under 10 CFR 52.79(a)(46)."

BTP-7-19 should not be used to expand the scope of other regulatory and/or staff review guidance.

Suggested Resolution: These sections should be re-arranged to clearly identify which guidance is to be used for operating reactors and which guidance is to be used for advanced light-water reactors. Additionally, the guidance should not be expanded beyond the intended scope of referenced standards. Remove "...which may also be applicable to operating reactors."

NRC Resolution:

The NRC staff partially agrees with this comment. The NRC staff agrees that BTP 7-19 should not be used to expand the scope of other regulatory or staff review guidance. The NRC staff revised section B.3.4.1 to clarify that the NRC staff should follow applicable current review guidance for risk-informed applications.

The NRC staff disagrees that SRP chapter 19 is only applicable to new reactors. The NRC staff notes that SRP section 19.0 is applicable to new reactors, but SRP sections 19.1 and 19.2 are applicable to operating reactors. The NRC staff added clarifying information to section B.3.4.1 on the applicability of SRP sections 19.0-19.2.
5.

Comment:

Discussion of intersystem CCF and PRA modeling is mentioned even though most PRA models do not model intersystem CCF. Given that current practices for PRA modeling do not require intersystem common cause failure for Capability Category II requirements, it is suggested to remove the intersystem common cause failure dependency requirement for the PRA model.

Suggested Resolution: Based on discussions during the BTP-7-19 public meeting held 11/14, NEI understands that where BTP-7-19 states "intersystem common cause failure" or "intersystem dependency" this was intended to address the impact of CCF when design functions are combined into a DI&C system either through connectivity or common equipment. The terms "intersystem common cause failure" and "intersystem dependency" should be removed and replaced with language communicating the impacts of CCF when design functions are combined.

NRC Resolution:

The NRC staff agrees with this comment but disagrees with the proposed resolution. The NRC staff agrees that the American Society of Mechanical Engineers (ASME)/American Nuclear Society (ANS) PRA standard ASME/ANS RA-Sa-2009, "Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Plant Applications," does not require modeling intersystem CCFs for Capability Category II. However, High-Level Requirement HLR-SY-B of the PRA standard requires the systems analysis to provide a reasonably complete treatment of CCFs and intersystem and intrasystem dependencies. If a DI&C system combines design functions that were previously implemented by different systems, then a CCF of the DI&C system could impact plant equipment from multiple systems. The NRC staff revised the acceptance criteria to address this comment.
6.

Comment:

In several places there is identification that any changes to the PRA model be identified and explained. However, there is no clear definition of the baseline PRA from which the changes are to be referenced. Furthermore, the wording seems to suggest that changes unrelated to the digital I&C upgrade are to be discussed.

Section 3.4.2 outlines: "The application should also justify any changes beyond those for modeling the CCF made to the PRA model to support the application, including whether the changes are considered PRA maintenance or a PRA upgrade (typically based on the corresponding definitions in the application's specified revision of RG 1.200 or equivalent guidance for new reactors, such as DC/COL-ISG-028)."

Suggested Resolution: Suggestion to provide clarification to identify the baseline PRA to which the upgrades, updates, hazard additions/changes, etc., are to be referenced. Suggestion to clarify that only the differences from a previously approved PRA model that are applicable to this DI&C assessment will be examined, and that this would not require a focused scope peer review or determination of update/upgrade. For many plants, PRA models have already been reviewed for the as-built, as-operated plant. Furthermore, the changes should be limited to the risk-informed assessment of the DI&C system.

NRC Resolution:

The NRC staff partially agrees with this comment. The NRC staff agrees that the application should identify the base PRA used to support the application. The NRC staff revised section B.3.4.2 and its acceptance criteria to clarify this matter.

Regarding the portion of the comment that states that the wording seems to suggest changes unrelated to the DI&C upgrade are to be discussed, the reviewer should confirm that the application identifies and discusses any changes made to the PRA model that significantly impact the risk significance determination of the CCF, because changes to the PRA other than those related to CCF modeling can change the results of the CCF assessment.

The NRC staff disagrees with the suggested resolution that states that differences between a previously approved PRA model would not require a focused scope peer review or determination of update/upgrade. The applicant is responsible for determining whether any particular change to the PRA model is PRA maintenance or a PRA upgrade and whether a focused scope peer review for that change is warranted.
7.

Comment:

Guidance drives toward an assumption of P(ccf)=1 or a high, conservative value. This, in conjunction with common conservative fire PRA assumptions, could skew results:

Section B.3.4.2 states: "The reviewer should determine whether the application explains how the CCF is modeled in the PRA and provides justification that the modeling includes the impact of the CCF. In providing the justification, the application should evaluate DI&C system interconnectivity and address DI&C system spatial separation that could significantly influence the risk due to fires, earthquakes, and other hazards."

Section B.3.4.3 only describes approaches using bounding and sensitivity analyses in various places.

Suggested Resolution: While the industry expects to initially provide guidance using a sensitivity analysis with modeling the change to plant risk metrics based on P(ccf)=1, we do not believe BTP-7-19 should use such conservatism as acceptance criteria. BTP-7-19 should allow use of justified best-estimate CCF values where accepted conservative modeling practices (e.g., in fire PRA) result in excessive compounded conservatism.

NRC Resolution:

The NRC staff disagrees with this comment. The NRC staff's position, as stated in SECY-22-0076, is that current experience is insufficient to establish confidence in quantifying the probability of occurrence of DI&C CCFs. As such, the NRC staff does not believe that currently available data and experience support the identification of best-estimate values. The NRC staff notes that BTP 7-19 does provide a reviewer some discretion to accept the use of conservative values less than 1 with appropriate technical justification.

If future experience establishes confidence in quantifying the probability of occurrence of a DI&C CCF, then the NRC staff may consider proposed alternatives to the BTP acceptance criteria (e.g., the use of best estimate values) and the staff can evaluate how the proposed alternatives to the BTP acceptance criteria provide an acceptable method of complying with the NRC's regulations.
8.

Comment:

The following criterion seems open ended:

"c. The risk quantification accounts for any dependencies introduced by the CCF, including the ability for operators to perform manual actions."

Suggested Resolution: Limit to operator actions intended to compensate for postulated CCF.

NRC Resolution:

The NRC staff agrees with this comment but disagrees with the proposed resolution. The NRC staff considers the suggested resolution to limit consideration to operator actions intended to compensate for the postulated CCF to be too narrow in focus, and it can overlook potential impacts of the CCF. The NRC staff's position is that all operator actions impacted by the CCF need to be considered. The NRC staff revised the acceptance criteria in section B.3.4.3 to address this comment.
9.

Comment:

"However, if the diverse means credited for Point 3 are not located in the MCR [main control room], then they are not sufficient to meet Point 4."

NEI expects that HFE [human factors engineering] analysis may be used to demonstrate acceptable equipment locations (MCR or elsewhere). This statement contradicts the Commission direction that the licensees may propose alternate approaches.

Suggested Resolution: Remove statement.

NRC Resolution:

The NRC staff disagrees with this comment. The staff nonetheless modified section B.4 to explain that, in most cases, when displays and manual controls are credited as the diverse means for Point 3, they may also be credited for Point 4, provided they meet the acceptance criteria described in section B.4 or the application includes appropriate justification.
10.

Comment:

"Point 4 is risk-informed because it focuses only on those most important safety functions to be accomplished or maintained to prevent a direct and immediate threat to public health and safety." This statement implies that Critical Safety Functions are pre-determined based on their impact to plant risk. As the NRC points out in Section 3.4, "Risk significance and safety significance are different concepts." This statement confuses the two points and is not supported by a risk analysis demonstrating the impacts of these functions on plant risk.

This statement also implies that a risk-informed approach is required to adequately address Point 4.

Suggested Resolution: The industry agrees that the list of Critical Safety Functions provided in this section may be used for operating LWRs as a general rule of thumb, with the flexibility of each licensee to provide justification that supports the removal or addition of functions based on plant specific data (including risk). The statement provided in this comment should be removed from the BTP as it is misleading regarding the basis for the concept of critical safety functions.

NRC Resolution:

The NRC staff agrees with this comment. The staff revised section B.1.1 to provide clear language regarding Point 4 of SRM-SECY-22-0076.
11.

Comment:

"The displays and controls credited for Point 4 must provide for effective manual control of critical safety functions. Point 4 clarifies that these main control room (MCR) displays and controls may be addressed in the same assessment as the first three points (i.e., does not require a separate analysis beyond what is called for in Points 1-3 of the policy)." See also paragraph 2 on p. 39. This interpretation implies that the results of analysis for Point 3 can suffice for Point 4. Point 3 only requires that the postulated CCFs are adequately addressed, the results of which may not require a particular manual control (e.g., the Point 3 analysis may credit an automatic function).

Suggested Resolution: If the results from Point 3 are not sufficient to meet Point 4, then the phrase "a separate analysis beyond what is called for in Points 1-3 of the policy" needs more review guidance in the BTP to understand the intent of this phrase. Please provide additional clarity on what is required to satisfy Point 4.

NRC Resolution:

The NRC staff agrees with this comment but disagrees with the suggested resolution. The staff revised section B.1.1 to clarify that the same assessment performed to address the first three points can be used to identify if the main control room displays and controls for manual actuation of critical safety functions are independent and diverse from the proposed DI&C system.
12.

Comment:

The description of the basis for the term "critical safety functions" contains inaccurate statements:

[12.1] "The NRC staff's proposal in SECY-93-087, as amended and approved by SRM-SECY-93-087, identified the following examples of critical safety functions..." The Commission did not approve the definition of critical safety functions in SECY-93-087. In SRM-SECY-93-087, the Commission deleted the definition of critical safety functions and stated: "Further, the remainder of the discussion under the fourth part of the staff position is highly prescriptive and detailed (e.g., shall be evaluated, shall be sufficient, shall be hardwired, etc.). The Commission approves only that such prescriptiveness be considered as general guidance, the practicality of which should be determined on a case-by-case basis."

[12.2] Note 6 implies that the term "safety function" in IEEE [Institute of Electrical and Electronics Engineers] 497-2016 is synonymous with "critical safety function" from earlier versions of the standard. The definition provided in IEEE 497-2016 is more closely related to the term "safety-related function" in earlier versions of the standard and does NOT provide prescribed functions as the previously defined term "critical safety functions" did.

[12.3] "The critical safety functions listed in SECY-93-087 and SECY-22-0076 are representative of operating light-water reactors. Other types of reactors may have different critical safety functions." The Commission did not approve these functions as part of the policies. This statement is misleading.

Suggested Resolution: The industry agrees that the list of Critical Safety Functions provided in this section may be used for operating LWRs as a general rule of thumb, with the flexibility of each licensee to provide justification that supports the removal or addition of functions based on plant specific data (including risk). The statements provided in this comment should be removed from the BTP as they are misleading regarding the basis for the concept of critical safety functions.

NRC Resolution:

The staff disagrees with the comment's characterization that the identified sentences are misleading. However, the staff has revised section B.1.2 to provide clearer language regarding critical safety functions.

[12.1] The staff recognizes that the sentence in question may be misinterpreted. The staff has revised section B.1.2 to remove the language that refers to SRM-SECY-93-087 and included the list of examples of critical safety functions for LWRs in the following paragraph.

[12.2] The staff revised footnote 6 to remove the example, as it is not needed to convey the message that the most important safety functions may not always be called critical safety functions.

[12.3] The staff disagrees with the comment that the statement is misleading, as the sentence references the SECYs that contain the list of critical safety functions. The staff did revise this sentence when it addressed the comment above.
- 13.
Comment: The second bullet uses "Interconnected" without defining how the data communication functions. If we have data flowing unidirectionally from safety to non-safety systems, appropriately electrically isolated, with no messages returning from non-safety to safety, why would that require analysis? The non-safety system cannot affect the operation of the safety system.
Suggested Resolution: Clearly delineate the conditions under which data communication (not interconnection) can have adverse effects that require analysis. OR state that sufficient conditions can be established where D3 analysis is not required.
The staff disagrees with the comment. It is not possible to "clearly delineate the conditions under which data communication (not interconnection) can have adverse effects that require analysis" or to "state that sufficient conditions can be established where D3 analysis is not required" for all possible designs, because this is a concern related to the design of the I&C equipment and facility. Guidance on this topic exists in other documents, such as RG 1.152, which provides guidance on communication independence and includes more than simply unidirectional communication. This guidance primarily addresses potential failures as a result of the communications processes themselves.
Shared information can also be a potential source of failures. This is why the general design criteria (GDC) and IEEE Standard (Std) 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, and IEEE Std 603-1991, Standard Criteria for Safety Systems for Nuclear Power Generating Stations, contain criteria for separating protection and control systems.
- 14.
Comment: The bullet that now results in the text shown below removed the requirement that only a CCF that would result in a loss of a function needs to be evaluated:
"Evaluate whether the D3 assessment indicates that CCF vulnerabilities have been adequately addressed."
Suggested Resolution: Revise to add "that might result in loss of safety function" after "CCF vulnerabilities."
The NRC staff disagrees with this comment. For some equipment and facility designs, a loss of the safety system's ability to perform the protective functions may be the only concern, but it may not be the only concern for all equipment and facility designs.
- 15.
Comment: Item c talks about CCF failures of shared resources, such as a power supply failure, that could affect a system.
Suggested Resolution: Revise BTP 7-19 guidance to focus on failures with adverse impacts. For example, power supply CCF failure modes may put the system in the safe state (i.e., actuated), which may have no adverse impact on safety.
The NRC staff agrees with this comment. The staff revised section B.3.1.1, using language from SECY-18-0090, to state the concept described in the comment.
- 16.
Comment: One example of a design feature that mitigates a digital CCF could be a well-designed watchdog (i.e., not dependent on the platform software) that puts the actuators in the safe (i.e., actuated) state, as suggested in an ACRS [Advisory Committee on Reactor Safeguards] letter dated August 5, 2014.
Suggested Resolution: It would be helpful if the BTP 7-19 guidance were revised to acknowledge such an example of an alternative approach to eliminate potential CCF from further consideration.
The NRC staff agrees with this comment. The staff modified section B.3.1.3 to provide an example of an alternative approach.
- 17.
Comment: In Item b, the use of "diverse" is misleading. This item appears to be requiring that the manual actuations not be affected by the CCF.
Suggested Resolution: Replace the sentence with "The SSCs used to support the manual operator action are not vulnerable to the CCF." If desired, another sentence could be added to clarify that the manual actions initiate protective actions outside the boundaries where SCCF [software common-cause failure] could affect the manual actuations.
The staff disagrees with the comment that the use of the word "diverse" is misleading. Section B.3.2 is about the use of diverse means. The staff revised section B.3.2.2 to clarify that the term "diverse" means "unlikely to be subject to the same CCF." The purpose of section B.3.2.2 is for the reviewer to verify that the manual actuations will not be affected by the CCF. Section B.3.4.4 provides guidance for the review of design techniques other than diversity.
- 18.
Comment: An initial paragraph states "the policy" without clarifying which policy is being discussed.
Suggested Resolution: Clarify if the policy being discussed is the SRM-SECY-22-0076.
The NRC staff agrees with this comment. The staff modified BTP 7-19 in various sections to clarify that the points being discussed are those of SRM-SECY-22-0076.
- 19.
Comment: Item d) i) states the following: "the CCF is modeled in sufficient detail, including intersystem and intrasystem dependencies and associated potential emergent behaviors, to evaluate the impact of the CCF on plant equipment and functions modeled in the PRA (including the ability for operators to perform manual actions), and". The term "associated potential emergent behaviors" is not a common term used for PRA.
Suggested Resolution: It is suggested to remove "associated potential emergent behaviors" and change it to "spatial dependencies."
The NRC staff agrees with this comment but disagrees with the proposed resolution. The NRC staff revised the acceptance criterion to remove the phrase "associated potential emergent behaviors." The NRC staff did not include the phrase "spatial dependencies" due to revisions made to address comment #5.
- 20.
Comment: RG [Regulatory Guide] 1.62 [Manual Initiation of Protective Actions] outlines important design criteria for I&C equipment used by plant operators for manual initiation of protective actions. Reg. Guide 1.62 provides criteria for manual initiation of protective actions to meet IEEE 603 requirements. RG 1.62 only applies if the associated Point 4 manual control is also credited for manual initiation of protective actions to meet IEEE 603.
Some previous LWR designs installed manual controls only to meet Point 4, not IEEE 603. In those cases, RG 1.62 is not applicable.
Suggested Resolution: Remove statement.
The NRC staff agrees in part with this comment, and therefore modified section B.4 to remove the reference to RG 1.62. RG 1.62 section C describes one acceptable way to meet the regulations listed in RG 1.62 section A.
The regulations listed in RG 1.62 section A include more than just IEEE Std 603-1991. The staff changed section B.4 as described based on the staff's understanding that NEI used the term "IEEE 603" to refer to the regulations listed in RG 1.62 section A.
- 21.
Comment: "The reviewer should determine whether controls outside the MCR are exclusively used for long-term management of the critical safety functions after completion of system-level or division-level manual actuation from the MCR using the Point 4 displays and controls." What is the purpose of this statement? There are no acceptance criteria associated with it, nor any action except to make a determination. What does the reviewer do with the results of that determination?
Suggested Resolution: Prefer to remove this statement. Otherwise, define what the NRC staff reviewer is intended to do with this information.
The NRC staff agrees with this comment. The language in question does not provide acceptance criteria. The staff modified section B.4 to remove the statement regarding long-term management of critical safety functions.
- 22.
Comment: The decision diamond on the right-hand side of the flow chart (risk-informed approaches) asks if the approach utilized in a submittal is consistent with Commission policy and guidance, referencing further information in sections B.3.4.1 and B.3.4.2. The 3rd paragraph in section 3.4.1 says the reviewer should follow "current NRC staff review guidance (including SRP Chapter 19... or interim staff guidance (ISG) DC/COL-ISG-028... to confirm that the risk-informed approach is consistent with the Commission's policy and guidance." These references are for new reactors, but existing reactors may submit LARs involving digital I&C improvements as well.
Suggested Resolution: Add "as applicable": "If an application uses a risk-informed approach to address a CCF, the reviewer should follow current NRC staff review guidance... *as applicable* to confirm that the risk-informed approach is consistent with the Commission's policy and guidance."
The NRC staff agrees with this comment. The NRC staff added the phrase "as applicable" to section B.3.4.1 to clarify the expectation that the NRC staff follow applicable review guidance.
- 23.
Comment: Acceptance Criteria: Each section of acceptance criteria should describe whether all bullets are required to meet the acceptable threshold.
Suggested Resolution: Provide direction regarding minimum acceptance criteria.
The NRC staff disagrees with this comment. It is implied that the reviewer should verify that all the items in the acceptance criteria are met, unless otherwise noted. Therefore, it is clear what the minimum acceptance criteria are.
- 24.
Comment: In the fourth paragraph, in the text, it would be preferred that the phrase "defense-in-depth" be used consistently.
Suggested Resolution: Check the entire document and replace all the textual "diversity and defense-in-depth" with an approach that clearly shows defense-in-depth is the capability we are trying to achieve, with diversity one of many means of achieving defense-in-depth.
The NRC staff agrees with the comment but disagrees with the suggested resolution. The staff revised BTP 7-19 to consistently use the term "defense in depth and diversity," which is the term used in SRM-SECY-22-0076.
- 25.
Comment: The paragraph shown below may need to be rephrased to be more direct that interdependencies for DI&C systems may not be present:
"DI&C system modifications can interconnect design functions"
Suggested Resolution: Instead of "can therefore introduce new failure mechanisms," have "may introduce new failure mechanisms." For the last sentence, we suggest saying "the potential for interdependencies of DI&C systems" rather than "resulting interdependencies."
The NRC staff agrees with the comment but disagrees with the first part of the suggested resolution. The staff agrees with the second part of the suggested resolution.
The staff revised section A to change the word "can" to "could" and changed "resulting" to "potential for."
- 26.
Comment: Consider including the idea of network and controller segmentation for non-safety systems, especially considering distributed control systems.
Suggested Resolution: Augment the text with segmentation for use with non-safety related DCS [distributed control systems].
The NRC staff agrees with the comment but disagrees with the suggested resolution. The staff revised section A to include segmentation as a design technique.
- 27.
Comment: The discussion on Point 2 provides example attributes of best estimate analysis assumptions to address the consequences of CCF.
Suggested Resolution: It would be helpful to include an additional example of the use of realistic break opening times (rather than the assumed instantaneous double-ended guillotine break) as a realistic assumption for a D3 consequence analysis. This addition would provide useful linkage for the discussion in Section B.6.5.
The NRC staff disagrees with the comment. Establishing practices for system analysis using best estimate methods is beyond the scope of BTP 7-19, but may be found in existing guidance such as RG 1.157, Best-Estimate Calculations of Emergency Core Cooling System Performance; RG 1.203, Transient and Accident Analysis Methods; and SRP section 15.0.2, Review of Transient and Accident Analysis Method.
- 28.
Comment: Footnote 6 was removed and may be beneficial for applicants and staff to be aware of.
Suggested Resolution: Maintaining this footnote allows for clarity in how the staff should be reviewing these criteria and that other possible approaches are acceptable.
The NRC staff disagrees with the comment. The message in the footnote is already covered (with different wording) at the bottom of page 1.
- 29.
Comment: Suggestion to rephrase the following sentence to highlight interconnectivity and dependencies may not be present:
"System interconnectivity can introduce additional dependencies and therefore CCF vulnerabilities"
Suggested Resolution: Suggestion to have this be "may," or "has the potential to," to make it clearer.
The NRC staff agrees with this comment. The staff modified section B.2.1 to improve the clarity.
- 30.
Comment: The guidance describes spurious operation in DI&C systems to include partial actuation of an emergency core cooling system (i.e., spurious operation of a single division). Partial actuations where one division behaves differently than another due to CCF are inconsistent with the guidance in NUREG/CR-6303 [Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, Revision 0, issued December 1994] Section 3.6, Guideline 6, Postulated Common-Mode Failure of Blocks, which says "...concurrent failure of each set of identical blocks in all divisions should be postulated...."
Suggested Resolution: Correct BTP 7-19 guidance on partial actuations to be consistent with NUREG/CR-6303 Section 3.6, Guideline 6, Postulated Common-Mode Failure of Blocks.
The staff acknowledges that there is an apparent difference in wording between BTP 7-19 and NUREG/CR-6303. However, the staff disagrees with the suggested resolution. The method provided in NUREG/CR-6303 is not intended to be review guidance. In addition, there is no concern with an apparent inconsistency between BTP 7-19 and NUREG/CR-6303 because the review guidance in the BTP was not based on the NUREG/CR, as evidenced by the lack of reference to NUREG/CR-6303. The information in NUREG/CR-6303 was appropriate for the types of designs under consideration at the time it was written; however, the NUREG/CR-6303 analysis constraints (e.g., the one in the comment) may not be appropriate for future designs.
The staff removed references to NUREG/CR-6303 and NUREG/CR-7007, Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems, Revision 0, issued December 2008, in sections B.3.1.1 and B.3.2 because they may be interpreted as review guidance, which they are not in this context. Given the historical significance and information they contain, these documents were retained in the list of relevant guidance.
- 31.
Comment: The sentence removed "system or component" from the following sentence:
"The applicant analyzed consequence of CCF vulnerabilities"
Suggested Resolution: Retain the original text.
The NRC staff partially agrees with this comment. In accordance with the resolution of NEI comment #1 above, the term "DI&C system" is used throughout the BTP. Therefore, the staff retained the word "system" but removed the word "component" in the sentence in question.
- 32.
Comment: For clarity, ensure that the Point 3 discussion at least points to Point 4, since the manual actuation and indication for each point can be used with the other point.
Similarly, the Point 4 discussion should invoke Point 3.
Suggested Resolution: Change the first sentence to read "When addressing Point 3 and Point 4"
The NRC staff agrees with this comment but disagrees with the proposed language. The staff revised section B.3.2.2 to add a fourth paragraph that makes the connection to Point 4. The language in section B.4 for Point 4 makes the connection to Point 3.
- 33.
Comment: In the last line of the first paragraph, an ambiguous "it" is provided, without clear provision of just what "it" is: is it the risk-informed decision making, or NRC policy and guidance, or something else?
Suggested Resolution: Replace "it" (throughout the document) with a clear, unambiguous statement of the element to be applied.
The NRC staff agrees with this comment. The NRC staff revised section B.3.4.1 to clarify the meaning of the word "it."
- 34.
Comment: If the displays and manual controls provided to meet Point 4 are not vulnerable to the same CCF as the proposed DI&C system, the applicant may credit them as the diverse means called for under Point 3.
Suggested Resolution: "...called for under Point 3" should be reworded to "if a diverse, manual means is required to address the loss of a safety function due to CCF."
The NRC staff agrees with this comment but disagrees with the proposed language. The staff revised section B.4 to clarify the language but did not incorporate the suggested resolution by the comment.
- 35.
Comment: "The proposed manual actions credited to accomplish safety functions that would otherwise have been accomplished by automatic safety systems are both feasible and reliable, as demonstrated through an HFE [human factors engineering] analysis and assessment process, such as the one described in SRP Chapter 18." What is the difference between an HFE analysis process and an HFE assessment process?
Suggested Resolution: Replace "HFE analysis and assessment process" with "HFE process."
The NRC staff agrees in part with this comment. The terms "HFE analysis" and "HFE assessment" are different. The term "HFE analysis" is used to refer to the process of evaluation, and the term "HFE assessment" to refer to the judgments that are made (e.g., whether something meets acceptance criteria). The staff modified section B.4 to incorporate the proposed language and added a reference to appendix 18-A to improve the clarity.