RIS 2002-22, Summary of Comments on 2018-01-24 Draft Ris Ks R1 from Ken Scarola Nuclear Automation Engineering

From kanterella
ML18025B953

Issue date: 01/24/2018
Revision: 0
From: Office of Nuclear Reactor Regulation
To:
References: RIS-02-022, Suppl 01 DRF
Download: ML18025B953 (72)


Summary of Comments on 2018-01-23 Draft RIS_KS R1.pdf

Author of all annotations: KenSc. Sticky Notes carry the comment text; Highlights mark the passage commented on and carry no text.

Page 3

1. Sticky Note, 01/24/2018 12:06:34 PM: In the sentence directly before this one, the limitation regarding not providing new guidance is restricted to RPS and ESF. But in this sentence that limitation is extended to all SSCs. This contradicts subsequent sections of this RIS which provide new CCF guidance for other non-RPS/ESF SSCs.
2. Highlight, 01/23/2018 10:39:52 PM
3. Sticky Note, 01/24/2018 9:03:14 AM: ATWS is considered in most FSARs, maybe all. So CCF due to a design flaw is considered in most, maybe all, FSARs.
4. Highlight, 01/24/2018 9:02:09 AM

Page 4

1. Sticky Note, 01/24/2018 12:07:45 PM: The first paragraph on Page 3 says this RIS is not applicable to RPS/ESF. But this paragraph implies it would not be applicable to any equipment of equal or greater importance to RPS/ESF. Importance can be determined by the PRA. Equipment of equal or greater importance would typically include load sequencers, and accident monitoring instrumentation and controls for manual actions credited in the TAA. So the original statement that says this RIS is not applicable to RPS and ESFAS should be expanded to encompass these additional systems.
2. Highlight, 01/24/2018 9:06:19 AM

Page 5

1. Sticky Note, 01/24/2018 12:08:20 PM: We typically view "failure to perform" as "no function at all". But equally important is performing a design function erroneously. This is too often forgotten by digital designers. It should be clearly stated.
2. Highlight, 01/24/2018 9:15:39 AM
3. Sticky Note, 01/24/2018 9:17:29 AM: A failure of shared resources among safety control functions can also introduce unanalyzed malfunctions.
4. Highlight, 01/24/2018 9:13:15 AM

Page 6

1. Sticky Note, 01/24/2018 10:01:37 AM: SECY 93-087 and BTP 7-19 constitute current NRC policy on digital CCF. The current policy does not allow a conclusion that the likelihood of a CCF is sufficiently low to require no further consideration based on these qualitative factors alone. The current policy is clear that these qualitative factors facilitate a conclusion that the CCF is beyond design basis, but not that it requires no further consideration. Another way of looking at this is that the current policy is that qualitative factors do not allow a conclusion that the likelihood is comparable to other sources of CCF that are not considered in the FSAR. How can a RIS be used to change previous NRC policy? I have heard some people say that the current NRC policy is only applicable to new plants. If that is true, which I don't believe it is, then how can the NRC create a new policy for operating plants that is different than for new plants? This directly contradicts the Commissioners' direction in SRM-SECY-16-0070 that the guidance for new plants and operating plants should be the same.
2. Sticky Note, 01/24/2018 12:10:01 PM: Dave, you told me that "sufficiently low" could only be reached with 4 factors, the fourth being an evaluation of the "what if" malfunction results. This contradicts your explanation of this RIS. If your interpretation is confused, the industry's interpretation is also going to be confused.

Page 9

1. Sticky Note, 01/24/2018 9:38:55 AM: Licensees will often conduct these evaluations prior to investing in revised design/analysis documentation.
2. Highlight, 01/24/2018 9:37:49 AM
3. Sticky Note, 01/24/2018 1:00:39 PM: Dave, this is an OR statement. Therefore, this does not say that a failure must be postulated, as you told me.
4. Highlight, 01/24/2018 9:40:15 AM

Page 10

1. Highlight, 01/23/2018 10:53:30 PM
2. Sticky Note, 01/24/2018 1:04:51 PM: Dave, you told me that to reach a conclusion of "sufficiently low" the licensee must postulate a CCF and then demonstrate acceptable results. What you told me is not reflected here. This postulate may be your interpretation, but others will interpret this differently. This RIS is supposed to resolve the current industry confusion, not create more confusion.

Page 11

1. Sticky Note, 01/24/2018 1:05:43 PM: This is technically incorrect. Single failures, by definition, are random non-systematic failures. An increase in the likelihood of a single failure does lower system availability, but it does not increase the likelihood of a CCF.
2. Highlight, 01/24/2018 9:44:37 AM
3. Sticky Note, 01/24/2018 10:18:38 AM: Should be NEI 01-01 Section 4.4.6.
4. Highlight, 01/24/2018 10:18:44 AM
5. Sticky Note, 01/24/2018 1:11:14 PM: Note that this is an AND condition. Therefore, to achieve "sufficiently low" the failure likelihood must be comparable to other failures not considered at all in the FSAR. If the failure likelihood is only comparable to failures considered as beyond design basis events, then the failure must also be considered a beyond design basis event. The current NRC policy is that only deterministic attributes of 100% testing and internal diversity facilitate a conclusion that the failure likelihood is comparable to other failures not considered at all in the FSAR, and therefore requires no further consideration.
6. Highlight, 01/24/2018 1:06:26 PM
7. Sticky Note, 01/24/2018 1:16:44 PM: This note says that if a failure is "not credible" it may still require further consideration. This is sure to confuse licensees, because we have never analyzed non-credible events. I don't know the basis of this sentence but it is wrong. An event that is not as unlikely as events not considered in the FSAR, as either design basis or beyond design basis, is credible. This is why we analyze both design basis and beyond design basis events (i.e., because they are credible, not because they are not credible).
8. Highlight, 01/24/2018 10:03:46 AM

Page 12

1. Sticky Note, 01/24/2018 1:18:10 PM: This contradicts previous statements in this RIS and in NEI 01-01 which state that, to require no further consideration in 50.59, the failure likelihood must be "comparable to other common cause failures that are not considered in the UFSAR". This is quite different than "as likely as those failures that are considered".
2. Highlight, 01/24/2018 10:12:30 AM
3. Sticky Note, 01/24/2018 1:20:41 PM: Yes, but the sentence above says that even if you have not reached the "sufficiently low" threshold, there are no new accidents introduced unless the failure is "as likely" as other failures assumed in the FSAR. This is different than your definition of "sufficiently low" and therefore quite confusing. "Sufficiently low" should be removed from this paragraph, because "sufficiently low" is not required by the statements of consideration for this question, as it is for Question 6.
4. Highlight, 01/24/2018 10:05:54 AM
5. Sticky Note, 01/24/2018 1:29:07 PM: This contradicts previous statements in this RIS and in NEI 01-01 which state that, to require no further consideration in 50.59, the failure likelihood must be "comparable to other common cause failures that are not considered in the UFSAR". Since NEI 01-01 is inconsistent in this regard, this RIS should resolve the inconsistency by making it perfectly clear that unless the failure likelihood is "sufficiently low" (i.e., comparable to other malfunctions not considered in the FSAR) it does require further consideration. It should be clear that this threshold is different than the unlikelihood threshold in Question 5. A simple chart would help that very simply and clearly shows the different likelihood levels, with "failures in the FSAR" having higher likelihood than failures "not in the FSAR".
6. Highlight, 01/23/2018 10:57:32 PM

Page 13

1. Sticky Note, 01/24/2018 1:32:10 PM: This statement in NEI 96-07 contradicts NEI 01-01, which says that to require no further consideration the failure likelihood must be "comparable to other common cause failures that are not considered in the UFSAR"; this is different than "as likely as those that are considered". Since these are different likelihood thresholds, this RIS needs to resolve this inconsistency between NEI 96-07 and NEI 01-01.
2. Highlight, 01/24/2018 10:13:32 AM
3. Sticky Note, 01/24/2018 1:33:22 PM: Needs to also include ways in which SSCs can erroneously perform. Some may argue that "failure" encompasses "erroneous", but erroneous is too often overlooked by digital designers.
4. Highlight, 01/23/2018 10:58:55 PM
5. Sticky Note, 01/24/2018 1:33:49 PM: This should say "which ones are not as unlikely as failures not considered in the FSAR" or "which ones whose likelihood is not comparable to other common cause failures that are not considered in the UFSAR."
6. Highlight, 01/24/2018 10:22:20 AM
7. Sticky Note, 01/24/2018 1:36:31 PM: "as likely as those described in the FSAR" contradicts "comparable to other common cause failures that are not considered in the UFSAR", which is your definition of "sufficiently low". These are two different thresholds. So it is not clear when Steps 3-5 are needed. This RIS is supposed to bring clarity to the 50.59 issue, not more ambiguity. Dave, you told me that Steps 3-5 are always needed to reach "sufficiently low"; here it says they are needed only when you have not reached "sufficiently low". So I think you are also confused about what this RIS actually requires; I know I am certainly confused.
8. Highlight, 01/23/2018 11:00:26 PM
9. Sticky Note, 01/24/2018 1:37:33 PM: Clarify that "end result" means "plant level". This is another key ambiguity in NEI 96-07 and NEI 01-01, one that has caused much industry confusion, that this RIS needs to resolve.
10. Highlight, 01/24/2018 10:28:29 AM
11. Sticky Note, 01/24/2018 1:42:45 PM: "Bounded" is in NEI 96-07 and NEI 01-01, but it is never defined. This is a key area of industry confusion. This RIS is supposed to address key areas of industry confusion, so it should define this term.
12. Highlight, 01/24/2018 1:41:41 PM

Page 14

1. Sticky Note, 01/24/2018 1:38:25 PM: This is new NRC policy that clearly contradicts the quote in this paragraph from NEI 01-01, which was previously endorsed by NRC. It is not clarification of previous policy. It also contradicts SECY 93-087 and BTP 7-19. A RIS cannot change previous NRC policy. Regardless, "best estimate" methods are used in most, maybe all, FSARs for ATWS, SBO and fire. So they are used in the FSAR; therefore, even with this new policy as worded here, they can be used to evaluate CCFs when the CCF is considered beyond design basis (i.e., significantly less likely than other malfunctions considered in design basis events).
2. Highlight, 01/23/2018 11:02:45 PM
3. Sticky Note, 01/24/2018 10:33:15 AM: Clarify that "end result" means "plant level".
4. Highlight, 01/24/2018 10:31:39 AM
5. Sticky Note, 01/24/2018 1:39:54 PM: These are failure modes or component level effects. They are not the "end result". The ambiguity in this RIS is evidence that this is a point of confusion, which this RIS needs to resolve.
6. Highlight, 01/24/2018 10:34:02 AM
7. Sticky Note, 01/24/2018 1:40:37 PM: Clarify that "end result" means "plant level".
8. Sticky Note, 01/24/2018 10:44:51 AM: What does it mean to be "bounded"? This RIS needs to provide guidance, because this is a particular area of frequent industry inconsistency.
9. Highlight, 01/24/2018 10:34:29 AM
10. Highlight, 01/24/2018 10:44:57 AM
11. Sticky Note, 01/24/2018 1:56:53 PM: This is not clear. All design functions are assigned at the system level. But the effects of system level failures can be assessed at the plant level. The plant level is where "bounded" should be defined. Clarity is needed here because this is clearly an area of frequent industry inconsistency.
12. Highlight, 01/24/2018 10:46:06 AM
13. Highlight, 01/24/2018 1:56:32 PM
14. Sticky Note, 01/24/2018 10:47:45 AM: Define "bounded".
15. Highlight, 01/24/2018 10:47:34 AM
16. Sticky Note, 01/24/2018 1:48:27 PM: This paragraph uses "results" to refer to two different things. Therefore "results" has two different meanings. This RIS needs to clarify that the results of concern for 50.59 are the plant level results. Then this RIS needs to define what it means to have "bounded" plant level results. Without these clarifications you are just promulgating industry confusion, not resolving that confusion.
17. Highlight, 01/24/2018 10:48:19 AM
18. Highlight, 01/24/2018 10:48:24 AM
19. Sticky Note, 01/24/2018 1:49:35 PM: "Bounded" is used in three quotes on this page. But it is never defined here or in NEI 96-07 or NEI 01-01. A definition is clearly needed, because this is a pivotal concept for the correct 50.59 decision.
20. Highlight, 01/24/2018 10:51:10 AM

Page 15

1. Sticky Note, 01/24/2018 1:50:32 PM: The same software in different systems could be considered a "shared resource", but it is not when assessing single failures. So change to "shared hardware resource".
2. Highlight, 01/24/2018 10:56:17 AM

Page 16

1. Sticky Note, 01/24/2018 1:51:59 PM: This contradicts previous sections which say that the malfunction must be analyzed only if the likelihood is not "sufficiently low" based on a qualitative assessment. Here you say that analysis is needed to reach the "sufficiently low" threshold. This is quite confusing. Dave, this supports the interpretation that you shared with me. But the RIS itself is contradictory in this area.
2. Highlight, 01/24/2018 10:59:25 AM
3. Sticky Note, 01/24/2018 1:55:56 PM: These words are very unclear. What does it mean to be evaluated "at the level previously evaluated"? The plant level effects of all malfunctions are evaluated in the FSAR. Sometimes the words in the FSAR stop at the system level, because the plant level is clearly unaffected. But that does not mean that the plant level is not evaluated; of course it is. See previous comments.
4. Highlight, 01/24/2018 1:52:46 PM
5. Highlight, 01/24/2018 1:52:50 PM
6. Sticky Note, 01/24/2018 1:57:53 PM: Even if you hardwire a signal from a digital device, the digital device itself can create an erroneous signal that could adversely affect RPS/ESF. Digital data communication creates an additional communication independence vulnerability. But it has no effect (positive or negative) on functional independence. "using digital data communication" should be deleted.
7. Highlight, 01/24/2018 11:02:46 AM
8. Sticky Note, 01/24/2018 1:58:52 PM: Per previous NRC policy, all of these attributes facilitate a conclusion of sufficiently low likelihood to be analyzed using "best estimate" methods, not sufficiently low likelihood to require no further consideration. This RIS should not be changing NRC policy.
9. Highlight, 01/24/2018 11:07:41 AM

Page 18

1. Sticky Note, 01/24/2018 2:00:28 PM: Limiting and mitigating do not reduce the likelihood of the failure. They can only be used to demonstrate that the failure has an acceptable plant level end result.
2. Highlight, 01/24/2018 11:09:58 AM
3. Sticky Note, 01/24/2018 11:12:29 AM: This paragraph is not related to design attributes that reduce the likelihood of failure. It is about tolerating the failure. This paragraph should be deleted or moved.

Page 19

1. Sticky Note, 01/24/2018 2:21:12 PM: It needs to be clarified that any one or more of these examples, or even all of them, may not be sufficient for any specific application. We don't want licensees to point to these examples and say "look, we have this, so we reached a 'sufficiently low' conclusion".
2. Highlight, 01/24/2018 2:18:47 PM

Page 20

1. Sticky Note, 01/24/2018 2:22:16 PM: Delete "acceptable" because this implies that any one or more of these may be sufficient.
2. Highlight, 01/24/2018 2:21:40 PM
3. Sticky Note, 01/24/2018 2:26:28 PM: Non-concurrent triggers are never enough. You must also demonstrate that the triggered failure is self-announcing. This facilitates corrective actions before the same defect is triggered in another component. Without self-announcing, triggered defects can remain hidden. Therefore, multiple triggers for the same defect can occur in other places and thereby accumulate to become CCFs.
4. Highlight, 01/24/2018 2:23:37 PM
5. Sticky Note, 01/24/2018 2:27:37 PM: I think you mean 107330.
6. Highlight, 01/24/2018 2:27:22 PM

Page 21

1. Sticky Note, 01/24/2018 2:29:08 PM: I think you mean "postulate" failure modes, not introduce them.
2. Highlight, 01/24/2018 2:28:39 PM
3. Highlight, 01/24/2018 2:31:15 PM
4. Sticky Note, 01/24/2018 2:33:19 PM: In both cases here, I think "identified" should be "postulated". You cannot reach a "sufficiently low" conclusion if any vulnerabilities remain (i.e., if any are "identified").
5. Highlight, 01/24/2018 2:31:21 PM
6. Sticky Note, 01/24/2018 2:39:23 PM: This is a clear criterion for "screen in". So why don't you clearly say that, rather than tip-toe around the edges? The industry has made too many errors screening digital mods out. This is not the only screen-in criterion, but it is certainly the most important for digital mods and the simplest to understand. You have said in one sentence what Appendix D has not said in 50 pages. If this one sentence includes the words "screen-in" we will resolve the most prevalent historical inconsistency in 50.59 evaluation.
7. Highlight, 01/24/2018 2:34:44 PM
8. Sticky Note, 01/24/2018 2:02:58 PM: Clarify that this refers to functional diversity (e.g., temperature and pressure trips for the same accident), not implementation diversity (e.g., both implemented using 7300 or Spec 200). Implementation diversity is not required in the protection system by 10 CFR Part 50 Appendix A. Implementation diversity is only required by 50.62 for ATWS, which is a beyond design basis event for which "best estimate" methods are permitted.
9. Highlight, 01/24/2018 11:16:14 AM

Page 22

1. Sticky Note, 01/24/2018 2:42:15 PM: This should be "licensing basis", because BTP 7-19 does not address the design basis; it addresses only "beyond design basis" events.
2. Highlight, 01/24/2018 2:41:18 PM
3. Sticky Note, 01/24/2018 2:46:12 PM: Again, this should be "licensing basis".
4. Sticky Note, 01/24/2018 2:46:03 PM: Change "diversity" to "adequate defense against CCF".
5. Sticky Note, 01/24/2018 2:45:13 PM: This should say "have included adequate defense against CCF vulnerabilities", because diversity is not the only acceptable defense.
6. Highlight, 01/24/2018 2:44:02 PM
7. Highlight, 01/24/2018 2:45:38 PM
8. Highlight, 01/24/2018 2:42:42 PM
9. Sticky Note, 01/24/2018 2:48:43 PM: I agree that diversity is not a requirement under 50.59 because it is also not a requirement under 10 CFR 50 or Part 52. But adequate defense against a CCF is a requirement under 50.59; otherwise you cannot favorably answer Questions 5 and 6.
10. Sticky Note, 01/24/2018 2:52:02 PM: ISG-04 does much more than "address". Change to "ensure digital communication among ... SSCs does not reduce independence."
11. Highlight, 01/24/2018 2:50:47 PM
12. Sticky Note, 01/24/2018 3:01:50 PM: This should be deleted or clarified, because ISG-02 makes it clear that no independence is needed between the RTS and ESF echelons.
13. Highlight, 01/24/2018 3:00:04 PM
14. Sticky Note, 01/24/2018 2:56:02 PM: No, 50.59 is not an assessment of design alternatives. Change to "the qualitative assessment shall demonstrate that concurrent malfunctions of the combined equipment do not create unbounded plant conditions."
15. Highlight, 01/24/2018 2:53:23 PM
16. Sticky Note, 01/24/2018 3:06:38 PM: This implies that FMEA and segmentation analysis are not needed. This is not correct; they are always needed when previously independent functions are combined and the CCF likelihood is not "sufficiently low". In addition, they are always possible; what would make these analyses not possible?
17. Highlight, 01/24/2018 3:03:37 PM

Page 23

1. Sticky Note, 01/24/2018 3:08:05 PM: Delete or clarify. The use of industry standards always contributes to quality.
2. Highlight, 01/24/2018 3:07:02 PM
3. Sticky Note, 01/24/2018 3:11:01 PM: I agree for non-safety systems. But for safety systems, even under CGD, compliance with NRC guidance, or compensating measures for non-compliance, is required.
4. Highlight, 01/24/2018 3:09:50 PM
5. Sticky Note, 01/24/2018 3:12:03 PM: It needs to be clear that OE cannot be the only justification.
6. Highlight, 01/24/2018 3:11:33 PM
7. Sticky Note, 01/24/2018 3:53:11 PM: How are these evaluations different than the evaluations described in the previous section? This document is far too long and far too repetitive. Most of this section repeats the material in the previous section.

Page 24

1. Sticky Note, 01/24/2018 3:14:29 PM: Delete these words. This is absolutely necessary. If you have not identified the sources, how can you reach a conclusion of "sufficiently low"?
2. Highlight, 01/24/2018 3:13:13 PM
3. Sticky Note, 01/24/2018 3:15:47 PM: Again, you can't reach a "low likelihood" conclusion if you have not identified the failures.
4. Highlight, 01/24/2018 3:15:18 PM
5. Sticky Note, 01/24/2018 3:17:03 PM: The effects of a failure, acceptable or not acceptable, have nothing to do with the likelihood of the failure.
6. Highlight, 01/24/2018 3:16:16 PM
7. Sticky Note, 01/24/2018 3:20:21 PM: This implies that the results of (a) could preclude the need for (b), (c) and (d). I disagree.
8. Highlight, 01/24/2018 3:18:15 PM
9. Sticky Note, 01/24/2018 3:23:00 PM: It is inconsistent that there are three tiers of risk, but only two tiers of likelihood. You need three tiers of likelihood to ensure appropriate analysis methods are employed (design basis, or beyond design basis, or no analysis needed at all).
10. Highlight, 01/24/2018 3:21:13 PM

Page 25

1. Sticky Note, 01/24/2018 2:05:22 PM: This contradicts your definition of "sufficiently low", which requires the failure likelihood to be "comparable to failures not considered in the FSAR", not "as likely as those that are considered". These thresholds are quite different.
2. Highlight, 01/24/2018 11:26:09 AM
3. Sticky Note, 01/24/2018 2:06:15 PM: The ability to mitigate the malfunction is completely different than the determination of likelihood.
4. Highlight, 01/24/2018 11:27:52 AM

Page 26

1. Sticky Note, 01/24/2018 3:43:31 PM: Preventing a software design defect or mitigating the effects of a software design defect are not requirements to satisfy NRC criteria for redundancy, separation or independence. Therefore, these words should be deleted.
2. Highlight, 01/24/2018 3:42:45 PM
3. Sticky Note, 01/24/2018 3:45:20 PM: For consistency with the rest of this document, replace "risk" with "likelihood". Alternately, clarify that this means risk comparable to other failures that are not considered in the FSAR, and distinguish this from risks that do not reach this level and therefore require further analysis of the plant level effects.
4. Sticky Note, 01/24/2018 3:48:15 PM: I really think there is no place for any risk discussion in this document, because for compliance with 50.59, even a malfunction that has very low consequences can be a malfunction with a different result. Likelihood is the correct discussion, not risk.
5. Highlight, 01/24/2018 11:30:54 AM
6. Sticky Note, 01/24/2018 3:50:39 PM: You are missing failures that have not been analyzed. These are equally important threats to plant safety because the plant level effect is unknown.

Page 27

1. Sticky Note, 01/24/2018 3:51:57 PM: Or the triggers are not self-announcing.
2. Highlight, 01/24/2018 3:51:42 PM

Page 28

1. Sticky Note, 01/24/2018 3:55:04 PM: Change to "are not".
2. Highlight, 01/24/2018 3:54:46 PM
3. Sticky Note, 01/24/2018 3:56:04 PM: Delete these words. This RIS defines the Staff's position, not opinions.
4. Highlight, 01/24/2018 3:55:35 PM
5. Sticky Note, 01/24/2018 3:57:05 PM: Where?
6. Highlight, 01/24/2018 3:56:55 PM
7. Sticky Note, 01/24/2018 3:58:18 PM: A D3 is needed even when there is not a discussion of this previously.
8. Sticky Note, 01/24/2018 2:09:37 PM: A RIS cannot change current Staff policy. BTP 7-19 says a D3 analysis is required for "safety systems", not just protection systems. That analysis first determines if there is adequate protection against a CCF. If so, no further analysis is needed, so the D3 analysis stops there. But there is no safety system for which a D3 analysis (i.e., at least the CCF susceptibility part) is not required. This RIS should not change Staff policy.
9. Highlight, 01/24/2018 11:36:08 AM

Page 29

1. Sticky Note, 01/24/2018 4:01:23 PM: If you do not allow "best estimate" methods then non-safety systems cannot be credited. Non-safety systems cannot be credited in design basis analyses.
2. Highlight, 01/24/2018 3:59:44 PM
3. Sticky Note, 01/24/2018 4:03:29 PM: What is the basis for excluding new manual actions? New manual actions using equipment that is already described in the FSAR should be allowed. If "best estimate" methods are allowed, these actions can employ non-safety systems. If "best estimate" methods are not allowed, then manual actions must employ safety systems only.
4. Highlight, 01/24/2018 4:01:40 PM

Page 30

1. Sticky Note, 01/24/2018 4:06:47 PM: This contradicts previous statements that say other systems may be as important as RTS/ESFAS. Therefore, a D3 analysis is needed for any of these important systems. However, only the CCF susceptibility analysis is required. If there is no CCF vulnerability (i.e., susceptibility) then no further analysis is required (i.e., no further CCF malfunction results analysis).
2. Highlight, 01/24/2018 4:04:36 PM
3. Sticky Note, 01/24/2018 4:09:15 PM: Clarify that this does not apply to other systems that are as important as RTS/ESF, including load sequencers and HSI for credited manual actions.
4. Highlight, 01/24/2018 4:08:13 PM
5. Sticky Note, 01/24/2018 4:09:10 PM: BTP 7-19 is guidance for Staff review. Therefore, these other attributes can be used when accompanied by Staff review. Now you are changing the Staff policy to allow these other attributes to be used without Staff review and without additional endorsed Staff guidance. We need Staff endorsement of NEI 16-16 before additional attributes can be used without additional Staff review.
6. Highlight, 01/24/2018 11:39:34 AM
7. Sticky Note, 01/24/2018 4:09:58 PM: You are making a statement with inadequate justification. "Best estimate" methods are used in most, maybe all, FSARs for all beyond design basis events. SECY 93-087 and BTP 7-19 define CCF with concurrent accidents as a beyond design basis event. Now you are using this RIS to say "best estimate" methods cannot be used for beyond design basis events, which is a change to current NRC policy.
8. Highlight, 01/24/2018 11:40:21 AM
9. Sticky Note, 01/24/2018 2:13:25 PM: This is not an alternate approach. It is your definition of "sufficiently low". Therefore, this is a prerequisite, not an alternate.
10. Highlight, 01/24/2018 11:43:50 AM

Page 31

1. Sticky Note, 01/24/2018 12:01:52 PM: "Best estimate" methods facilitate crediting backups. Without "best estimate" methods backups cannot be credited, because they will never achieve the same performance (e.g., response time, design basis margin to critical safety function limits) as the original system.
2. Highlight, 01/24/2018 11:59:40 AM
3. Sticky Note, 01/24/2018 12:03:16 PM: This is not an economical means, nor is it likely to show equivalent design basis results. This is why "best estimate" methods are needed.
4. Highlight, 01/24/2018 12:02:23 PM


Page 34

1. Sticky Note, 01/24/2018 4:18:58 PM: Rewrite to clarify that this refers to "bounded" "plant-level" end results.
2. Highlight, 01/24/2018 4:17:55 PM
3. Sticky Note, 01/24/2018 4:16:43 PM: Self-announcing does not always require alarms. A CCF that repositions a plant component and causes a plant transient is immediately identifiable.
4. Highlight, 01/24/2018 4:15:38 PM
