NEI 96-07, Appendix D Draft Revision 0c  

NEI PROPOSED REVISIONS (Document Date: May 16, 2017)  

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 i EXECUTIVE  

NEI 96-07, Appendix D, Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications, provides focused application of the 10 CFR 50.59 guidance contained in NEI 96-07, Revision 1, to activities involving digital modifications. The main objective of this guidance is to provide all stakeholders a common framework and understanding of how to apply the 10 CFR 50.59 process to activities involving digital modifications. The guidance in this appendix supersedes NEI 01-01/ EPRI TR-102348, Guideline on Licensing of Digital Upgrades.

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-1  1 TABLE OF CONTENTS 2 EXECUTIVE  

...................................................................................................................................... i 3 1 INTRODUCTION ........................................................................................................................................ 2 4

............................................................................................ 2432 5 1.2 PURPOSE ............................................................................................... 354332 6 2  [NOT USED]DEFENSE IN DEPTH DESIGN PHILOSOPHY AS APPLIED TO DIGITAL I&C465443 7 3  DEFINITIONS AND APPLICABILITY OF TERMS ..................................................................476643 8 4 IMPLEMENTATION GUIDANCE ................................................................................................ 798873 9 4.1 APPLICABILITY .................................................................................... 7109973 10 4.2 SCREENING ....................................................................................... 81110974 11 4.3 EVALUATION PROCESS ................................................................ 363634332723 12 5.0 EXAMPLES ......................................................................................................................

707167675852 13  14 15 NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017  D-2 1 INTRODUCTION 16  17 The intent of the § 50.59 process is to permit licensees to make changes to the 18 facility, provided the changes maintain the level of safety documented in the 19 original licensing basis, such as in the safety analysis report. There are 20 specific considerations that should be addressed as part of the 50.59 process 21 when performing 50.59 reviews for digital modifications. These specific 22 considerations includeing, for example, different potential failure modes of 23 digital equipment as opposed to the equipment being replaced, the effect of 24 combining functions of previously separate devices into one device, and the 25 potential for software common cause failure (software CCF).

==1.1 BACKGROUND==

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-4 1.3 10 CFR 50.59 PROCESS  

91 No additional guidance is provided.

92 1.4 APPLICABILITY TO 10 CFR 72.48 93 This section is not used for digital modifications.No additional guidance is 94 provided.

95  96 1.5 CONTENT OF THIS GUIDANCE DOCUMENT 97 This section is not used for digital modifications

. No additional guidance is 98 provided.

99  100 2  [NOT USED]DEFENSE IN DEPTH DESIGN PHILOSOPY AS APPLIED TO DIGITAL I&C 101 This section is not used for digital modifications.No additional guidance is 102 provided. 103  104  105  106 3  DEFINITIONS AND APPLICABILITY OF TERMS 107 There are no definitions or modifications to the definitions necessary for 108 application of 10 CFR 50.59 to digital modifications Definitions 3.1 through 109 3.14 are the same as those provided in NEI 96-07, Rev. 1. Terms specific to 110 this document appendix are defined below.

111 3.1 10 CFR 50.59 EVALUATIONS 112 No additional giuidance is provided. 113 3.2 ACCIDENTS PREVIOUSLY EVALUATED IN THE UFSAR (AS UPDATED) 114 No additional giuidance is provided. 115 Commented [A4]: Source:  ML13298A787 Issue Nos. 5, 7, 9, & 10 Rationale: As discussed in the "sources," 50.59 implementers have had trouble distinguishing between technical criteria and 50.59 criteria. The basic problem was they used guidance for one to do the other. Commented [A5]: Source: ML13298A787 Issue Nos. 5, 7, 9, & 10 Text adapted from NEI 01-01 Section 5.2 Rationale: It is necessary to clearly articulate the D3 criteria, and show they are not new, but have always been there. It has been the application of these criteria to a new technology (i.e., digital I&C) that has been confusing to industry; therefore the basic concepts must be stated and agreed to. Commented [A6]: Source: (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4 Rationale: New terms are defined since undefined terms are a source of regulatory uncertainty.

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-5 3.3 CHANGE 116 No additional giuidance is provided. 117 3.4 DEPRTURE FROM A METHOD OF EVALUATION DECRIBED IN THE UFSAR 118 No additional giuidance is provided. 119 3.5 DESIGN BASES (DESIGN BASIS) 120 No additional giuidance is provided. 121 3.6 FACILITY AS DESCRIBED IN THE UFSAR 122 No additional giuidance is provided. 123 3.7 FINAL SAFETY ANALYSIS REPORT (AS UPDATED) 124 No additional giuidance is provided. 125 3.8 INPUT PARAMETERS 126 No additional giuidance is provided. 127 3.9 M ALFUNCTION OF A SSC IMPORTANT TO SAFETY 128 No additional giuidance is provided. 129 3.10 METHODS OF EVALUATION 130 No additional giuidance is provided. 131 3.11 PROCEDURES AS DESCRIBED IN THE UFSAR 132 No additional giuidance is provided. 133 3.12 SAFETY ANALYSIS 134 No additional giuidance is provided. 135 NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-6 3.13 SCREENING 136 No additional giuidance is provided. 137 3.14 TEST OR EXPERIMENTS NOT DESCRIBED IN THE UFSAR 138 No additional giuidance is provided. 139 3.15 CCF 140 [LATER - coordinate with NEI 16-16]

141 3.16 SOFTWARE CCF 142 [LATER - coordinate with NEI 16-16]

143 3.17 CCF SUSCEPTABILITY ANALYIS 144  145 3.18 P LANT LEVEL EFFECTS 146  147 3.19 Qualitative Assessment 148 For digital I&C systems, reasonable assurance of low likelihood of failure is 149 derived from a qualitative assessment of factors involving system design 150 features, the quality of the design processes employed, and the operating 151 history of the software and hardware used (i.e., product maturity and in-152 service experience). The qualitative assessment is used to record the factors 153 and rationale and reasoning for making a determination that there is 154 reasonable assurance that the digital I&C modification will exhibit a low 155 likelihood of failure by considering the aggregate of these factors. 156  [REMOVE USE OF THE TERM "QUALITATIVE ASSESSMENT"] 157 3.17 Sufficiently Low 158 Sufficiently low means much lower than the likelihood of failures that are 159 considered in the UFSAR (e.g., single failures) and comparable to other 160 Commented [A7]: Source:  (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4, A28, & A29 Rationale: New terms should be defined since undefined terms are a source of regulatory uncertainty. Commented [A8]: Global change to be addressed during meeting:  Any examples that refer to technical information that is part of the qualitative assessment should state that the design satisfies the "suffently low" likelihood of the qualitative assessment instead of describing a select incomplete piece.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017  D-7 common cause failures that are not considered in the UFSAR (e.g., design 161 flaws, maintenance errors, calibration errors). 162  163 4 IMPLEMENTATION GUIDANCE 164 In accordance with 10 CFR 50.59, plant changes are reviewed by the licensee 165 to determine whether the change can be made witout obtaining a license 166 amendment (i.e., without prior NRC review and approval of the change). The 167 10 CFR 50.59 process of determining when prior NRC review is required 168 includes three parts: Applicability, Screening, & Evaluation. The 169 applicability process involves determining whether a change is controlled 170 under another regulatory requirement. The screening process involves 171 determining whether a change has an adverse effect on a design function 172 described in the UFSAR. The evaluation process involves determining 173 whether the change has more than a minimal effect on the likelihood of 174 failure or on the outcomes associated with the proposed activity. 175  176 In general, since digital systems can not be verified to contain no errors, two 177 separate aspects should be considered, the design process and the design. A 178 high quality design process is used to minimize the likelihood of errors in the 179 softeware, and the design is evaluated to ensure it contains the proper design 180 attributes to ensure the assumptions of the accident analysis are maintained. 181  182 Design Process: For digital upgrades one of the challenges in the 10 CFR 183 50.59 process is addressing the effect of software, and potential failures of 184 software, on a UFSAR-described design function. The answer lies in the 185 engineering evaluations that are performed throughout the design process. 186  187 Design: Another challenge is evaluating the effect that design changes to 188 system architecture has on the assumptions in the accident analyses, such as, 189 diversity, defense-in-depth, and independence. Furthermore, the coupling or 190 combining of functions and/or equipment also has the potential to challenge 191 these same assumptions. 192 [Verify addressed in Screen and Evaluation sections]

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-8 the replacement is a plant design change (subject to 10 CFR 50.59) versus a 200 maintenance activity. Digital-to-digital change may not necessarily be like-201 for-like because the system behaviours, respionse time, failure modes, etc. for 202 the new system may be different from the old system. If the vendor, 203 hardware, firmware, application software, and the configuration data are 204 identical, then the upgrade may be a like-for-like maintenance activity where 205 10 CFR 50.59 would  apply.

206  207 4.2 SCREENING  208  209  210  211  212  213 Throughout this section, references to the main body of NEI 96-07, Rev. 1 will 214 be identified as "NEI 96-07." 215 In NEI 96-07, Section 4.2.1.1, equivalent replacements are discussed.

Digital-216 to-digital changes may not necessarily be equivalent because the system behaviours, 217 response time, failure modes, etc. for the new system may be different from the old 218 system. 219 As stated in NEI 96-07, Section 4.2.1, the determination of the impact of a 220 proposed activity (i.e., adverse or not adverse) is based on the impact of the 221 proposed activity on UFSAR-described design functions. To assist in 222 determining the impact of a digital modification on a UFSAR-described 223 design function, the general guidance from NEI 96-07 will be supplemented 224 with the digital-specific guidance in the topic areas identified below. 225 In the following sections and sub-sections that provide the Screen guidance 226 unique to the application of 10 CFR 50.59 to digital modifications, each 227 section and sub-section addresses only a specific aspect, sometimes at the 228 deliberate exclusion of other related aspects. This focused approach is 229 intended to concentrate on the particular aspect of interest and does not 230 imply that the other aspects do not apply or could not be related to the aspect 231 being addressed. Initially, all aspects need to be considered, with the 232 knowledge that some of them may be able to be excluded based on the actual 233 scope of the digital modification being reviewed. 234 CAUTION The guidance contained in this appendix is intended to supplement the generic Screen guidance contained in the main body in NEI 96-07, Section 4.2. Namely, the generic Screen guidance provided in the main body of NEI 96-07 and the more-focused Screen guidance in this appendix BOTH apply to digital modifications. Commented [A13]: Source: NEI 01-01 Section 4.2 Reason: To provide missing guidance.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017  D-9 Within this appendix, examples are provided to illustrate the guidance. 235 Unless stated otherwise, a given example only addresses the aspect or topic 236 within the section/sub-section in which it is included, sometimes at the 237 deliberate exclusion of other aspects or topics that, if considered, could 238 potentially change the Screen conclusion.

239 The first step in screening is to determine whether the change affects a 240 design function as described in the UFSAR. If it does not, then the change 241 screens out, and can be implemented without further evaluation under the 10 242 CFR 50.59 process. If the change does affect a UFSAR-described design 243 function, then it should be evaluated to determine if it has an adverse affect. 244 Changes with adverse effects areas those that have the potential to increase 245 the likelihood of malfunctions, increase consequences, create new accidents, 246 or otherwise meet the 10 CFR 50.59 evaluation criteria. Additional guidance 247 on the definition of adverse is provided in the bulleted examples below: 248  Decreasing the reliability of a design function, 249  aAdding or deleting an automatic or manual design function, 250  Converting a feature that was automatic to amanual or visce versa, 251  Reducing redundancy, diversity, or defense-in-depth, or 252  Adversely affecting the response time required to perform requied 253 actions. 254 As discussed in 4.2.1, "Is the Activity a Change to the Facility or Procedures 255 as Described in the UFSAR?," Aa given activity may have both direct and 256 indirect effects that the screening review must consider. Consistent with 257 historical practice, changes to the facility or procedures affecting SSCs or 258 functions not described in the UFSAR must be screened for their effects (so-259 called "indirect effects") on UFSAR-described design functions. A 10 CFR 260 50.59 evaluation is required when such changes adversely affect a UFSAR-261 described design function,  262 Examples 4-C and 4-D illustrate typical screening considerations for a small 263 digital upgrade. 264 Example 4-C. Screening for a Recorder Upgrade (Screens Out) An analog recorder is to be replaced with a new microprocessor based recorder. The recorder is used for various purposes including Post Accident Monitoring, which is an UFSAR-described design function. An engineering/technical evaluation performed on the change determined that Commented [A14]: Global Comment:  Do not mention "described in the UFSAR" when indirect effects must be considered because it incorrectly implies that whether something is explicitly described  UFSAR is a factor in 50.59 decisionmaking. Specifically, explicitly described in the UFSAR is not a factor in screening (e.g., HSI) or criterion 2. NEI 96-07r1  clearly states when explict UFSAR wording matters (e.g., UFSAR described "design functions, "accidents",  "methods of evaluation") Commented [A15]: Source: NEI 01-01 Section 4.3.3 Reason: To provide guidance. the following 2 examples are from NEI 01-01. Commented [A16]: Source: ML17006A341 Comment No. A2 Reason: To provide example to illustrate when digital modifications are or are not adverse.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-10 the new recorder will be highly dependable (based on a quality development process, testability, and successful operating history) and therefore, the risk of failure of the recorder due to software is considered very low. The new recorder also meets all current required performance, HSI, and qualification requirements, and would have no new failure modes or effects at the level of the design function. The operator will use the new recorder in the same way the old one was used, and the same information is provided to support the Post Accident Monitoring function, so the method of controlling or performing the design function is unaltered. The licensee concludes that the change will not adversely affect any design function and screens out the change.

265  266 Example 4-D. Screening for a Recorder Upgrade (Screens In) Similar to Example 4-C, a licensee is planning to replace an analog recorder with a new microprocessor based recorder. However, in this instance, the engineering/technical evaluation determined that the new recorder does not truly record continuously. Instead, it samples at a rate of 10 hertz then averages the 10 samples and records the average every one second. This frequency response is lower compared to the originalequipment and may result in not capturing all process variable spikes or short-lived transients. In this case, the licensee concludes that there could be an adverse effect on an UFSAR-described design function and screens in the change. In the 10 CFR 50.59 evaluation, the licensee will evaluate the magnitude of this adverse effect. 267 4.2.1 Is the Activity a Change to the Facility or Procedures as Described in the 268 UFSAR? 269 There is no regulatory requirement for a proposed activity involving a digital 270 modification to default (i.e., be mandatorily "forced") to an adverse 271 conclusion. 272 Although there may be the potential for the introduction of adverse impacts 273 on UFSAR-described design functions due to the following types of activities 274 involving a digital modification, these typical activities do not default to an 275 adverse conclusion simply because of the activities themselves (i.e., not a 276 change that fundamentally alters (replaces) the existing means of performing 277 or controlling design function as described in NEI 96-07, Section 4.2.1.2), for 278 example: 279 Commented [A17]: Source: ML17006A341 Comment No. A2 Reason: To provide example to illustrate when digital modifications are or are not adverse.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-11

* The replacement of software and/or digital devices with other software 281 and/or digital devices. 282

* The use of a digital processor to "calculate" a numerical value or 283 "generate" a control signal using software in place of using analog 284 components. 285

* Replacement of hard controls (i.e., pushbuttons, knobs, switches, etc.) 286 to operate or control plant equipment with a touch-screen. 287 Therefore, documented engineering/technical information determinations are 288 neededshould be documented (as part of the design process) to demonstrate 289 that there are no adverse impacts from the above activities. 290 Generally, a digital modification may consist of three areas of activities: (1) 291 software-related, (2) hardware-related and (3) Human-System Interface-292 related. 293 NEI 96-07, Section 4.2.1.1 provides guidance for activities that involve "...an 294 SSC design function..." or a "...method of performing or controlling a design 295 function..." and Section 4.2.1.2 provides guidance for activities that involve 296 "...how SSC design functions are performed or controlled (including changes 297 to UFSAR-described procedures, assumed operator actions and response 298 times)." Based on this segmentation of activities, the software and hardware 299 portions will be assessed within the "facility" Screen consideration since these 300 aspects involve SSCs or the method of performing or controlling a design 301 function and the Human-System Interface portion will be assessed within the 302 "procedures" Screen consideration since this portion involves how SSCs are 303 operated and controlled. 304  305 4.2.1.1 Screening of Changes to the Facility as Described in the UFSAR 306 SCOPE 307 Many of the examples in this section involve the Main Feedwater (MFW) 308 System to illustrate concepts. The reason for selecting the MFW system is 309 that it is one of the few non-safety-related systems that, upon failure, can 310 initiate an accident. 311 In the determination of potential adverse impacts, the following aspects 312 should be addressed in the response to this Screen consideration: 313 (a) Use of Software and Digital Devices 314 Commented [PM18]: Placeholder for NRC comment A18 Formatted:

HighlightCommented [A21]: Source: ML170170A089 Comment No. A6.

Rationale: Based on the definition of "accident" in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are tpicaly credited to miigate accidents.)

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-12 (b) Combination of Components/Functions 315 (c) Dependability Impact 316 Examples of activities that have the potential to cause an adverse effect 317 include the following activities: 318

* Replacement of instantaneous readings with time-averaged readings 320 (or vice-versa). 321 USE OF SOFTWARE AND DIGITAL DEVICES 322 The UFSAR may identify SSC design function condition s such asthrough 323 diversity, separation, independence, defense-in-depth and/or redundancy 324 through UFSAR discussions. With digital modifications, software and/or 325 hardware have the potential to impact design function conditions such as the 326 diversity, separation, independence, defense-in-depth, and/or redundancy of 327 SSCs explicitly and/or implicitly described in the UFSAR.

1 328 To assist in determining the impact of a digital modification on design 329 function conditions such as the diversity, separation, independence, defense-330 in-depth and/or redundancy of the affected SSCs described in the UFSAR, 331 identify the features of the affected SSCs described in the UFSAR., 332 Ccompare the proposed features of the affected SSCs with the existing 333 features of the affected SSCs. The impact of any differences in the diversity, 334 separation, independence, defense-in-depth and/or redundancy on the design 335 functions described in the UFSAR of the affected SSCs is then determined. 336 A digital modification that reduces SSC diversity, separation, independence, 337 defense-in-depth and/or redundancy is adverse. In addition, an adverse effect 338 may also consist of the potential marginal increase in the likelihood of SSC 339 failure due to the introduction of software. For redundant safety systems, 340 this marginal increase in likelihood creates a similar marginal increase in the 341 likelihood of a common failure in the redundant safety systems. On this 342 basis, most digital modifications to redundant safety systems are adverse. 343 However, for some digital modifications, engineering evaluations, using 344 methods approved by the NRC, may show that the digital modification 345 contains design attributes to eliminate consideration of a software common 346 cause failure. In such cases, even when a digital modification involves 347 redundant systems, the digital modification would be not adverse. Note:  348 1 Refer to NEI 96-07, Section 4.2.1.1, 2 nd paragraph. Commented [A22]: Strickly speaking "diversity, separation, independence, defense-in-depth and/or redundancy" are properties or attributes of a design and not "design functions;" however, NEI 96-07 page 12 states: "Implicitly included within the eaning of design function are the conditions under which intened functions are required to be performed, such as equipment response times, process conditions, equipment qualification and single failure."  Therefore "diversity, separation, independence, defense-in-depth and/or redundancy" can be considered conditions of design functions.

Alternatively, the first sentence of this paragraph could be deleted. Commented [A23]: Imporantly, adverse impact due to software is not limited to factors related to the diversity, separation, independence, defense-in-depth, and/or redundancy. Commented [A24]: Source: (1) ML17068A092 Comment No. 9 (2) ML17170A089 Comment No. A8 Rationale: An SSC does not need to be described in the FASR (as updated) for a change to it to adversely affect a FSAR (as updated)-described design function. Commented [A25]: Source: None Rationale: To improve claity. This intent being that only after it is determined that there is no reduction in - then one can consider -  

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-13 In some cases the regulations require, and/or the UFSAR includes: (1) 349 diversity, and (2) defense-in-depth; both of which address, in part, CCF. 350 Engineering evaluations of design attributes should not be used to relax 351 conformance to such diversity and defense-in-depth requirements when 352 performing a 50.59 screening and evaluation. 353 For some relatively simple digital modifications, engineering evaluations may 354 show that the risk of failure due to software is not significant and need not be 355 evaluated further, even in applications of high safety significance. In such 356 cases, even when a digital modification involves redundant systems, the 357 digital modification would be not adverse. The engineering evaluation will 358 have concluded that the digital system is sufficiently dependable, based on 359 considerations such as: 360

* the quality of the design processes employed 361

* the change has a limited scope (e.g., replace analog transmitter 362 with a digital transmitter that drives an existing instrument 363 loop) 364

* single failures of the digital device are bounded by existing 365 failures of the analog device (e.g., no new digital 366 communications among devices that introduce possible new 367 failure modes involving separate devices). 368

* uses a relatively simple digital architecture internally (simple 369 process of acquiring one input signal, setting one output, and 370 performing some simple diagnostic checks), 371

* has limited functionality (e.g., transmitters are used to drive 372 signals for parameters monitored), 373

* has extensive operating history. 376 Considerations for screening relatively simple digital equipment are 377 illustrated in Example 4-A. 378 NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-14 Example 4-A. Screening for a Smart Transmitter (Screens Out) Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limit scope in that for each channel, the existing 4-20 mA instrument loop is maintained without any changes other than replacing the transmitter itself. The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function. The digital transmitters use a relatively simple digital architecture internally in that the firmware in the new transmitters implements a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks. This process runs in a continuous sequence with no branching or interrupts. Single failures of the digital device are bounded by existing failures of the analog device in that no new digital communications among devices that introduce possible new failure modes involving multiple devices. A "qualitative assessment" of the digital device concluded that the digital system is sufficiently dependable, based on the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device (one input and two outputs), it was comprehensively tested. Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application. The ESFAS design function is the ability to respond to plant accidents. Consequently, it is concluded that no adverse effects on UFSAR-described design functions are created, and the change screens out. Note that an upgrade that is similar to Example 4-A, but that uses digital 379 communications from the smart transmitter to other components in the 380 instrument loop might screen in because new interactions and potentially 381 new failure behaviors are introduced that could have adverse effects and 382 should be analyzed in a 10 CFR 50.59 evaluation (see Example 4-B). 383 NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-15 Example 4-B. Screening for a Smart Transmitter (Screens In) Smart transmitters similar to those described in Example 4-A are to be installed as part of an upgrade to the reactor protection system. The new smart transmitters have the capability to transmit their output signal using a digital communication protocol. Other instruments in the loop are to be replaced with units that can communicate with the transmitter using the same protocol. Because this change not only upgrades to a digital transmitter but also converts the instrument loop to digital communications among devices, there would be the potential for adverse effects owing to the digital communication and possible new failure modes involving multiple devices. The ESFAS design function is the ability to respond to plant accidents. As a result of the adverse affect on a UFSAR-described design function, this change screens in.

384 In some cases, the licensee's UFSAR describes (1) diversity, and (2) defense-385 in-depth; both of which address, in part, software CCF. Engineering 386 evaluations of design attributes should not be used to relax conformance to 387 such diversity and defense-in-depth requirements when performing a 50.59 388 screen. 389 Alternately, the use of different software in two or more redundant SSCs is 390 not adverse due to a software common cause failure because there is no 391 mechanism to increase in the likelihood of failure due to the introduction of 392 software. 393 Examples 4-1a and 4-1b illustrate the application of the Use of Software and 394 Digital Devices aspect. These examples illustrate how a variation in the 395 licensing basis identified in the UFSAR can affect the Screen conclusion. 396 Example 4-1a. NO ADVERSE IMPACT on a UFSAR-Described Design Function related to use of Software and Digital Devices Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same. The two analog control systems will be replaced with two digital control systems. The hardware platform for each digital control system is from the NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-16 same supplier and the software in each digital control system is exactly the same. The pertinent UFSAR SSC descriptions are as follows: (1) Two analog control systems are identified. (2) Both analog control systems consist of the same physical and functional characteristics. (3) The analog control system malfunctions include (a) failures causing the loss of all feedwater to the steam generators and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs. The pertinent UFSAR-described design function of the main feedwater system is to automatically control and regulate feedwater to the steam generators. With respect to the following considerations, the Uuse of the same hardware platforms and same software in both control systems is NOT ADVERSE for the following reasons

: (a) Redundancy Consideration:  There is no impact on redundancy since the UFSAR does not describe redundant SSCs and there are no UFSAR-described design function conditions related to redundancy.   (b) Diversity Consideration:  There is no impact on diversity since the UFSAR does not describe diverse SSCs and there are no UFSAR-described design function conditions related to diversity. (c) Separation Consideration:  There is no impact on the separation of the control systems identified in the UFSAR since each of the analog control systems will be replaced with a separate digital control system. (d) Independence Consideration:  Although both of the new digital control systems contain the exact same software (which is subject to a software common cause failure), the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that no new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWPs are already considered in the licensing basis. (e) Defense-in-Depth Consideration:  There is no impact on defense-in-depth Commented [PM27]: Placeholder to align original comment numbering. Commented [A28]: Source:  (1) ML17068A092 Comment No. 9 (2) ML17170A089 Comment No. A11 Rationale: It does not mater if it is described in the FSAR (as updated) or not. Commented [A29]: Source: ML17170A089 Comment No. A12 Rationale:  It does not mater if it is described in the FSAR (as updated) or not.

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-17 since the UFSAR does not describe SSCs for the purpose of establishing defense-in-depth and there are no UFSAR-described design function conditions related to defense-in-depth. Through consideration of items (a) through (e) above, there is NO ADVERSE impact on the method of performing or controlling the design function of the main feedwater system to automatically control and regulate feedwater to the steam generators due to the use of software and digital devices.

397 Example 4-1b. ADVERSE IMPACT on a UFSAR-Described Design Function related to use of Software and Digital Devices This example differs from Example 4-1a in only the types of malfunctions already identified in the UFSAR, as reflected in item (3) shown below. Items (1) and (2) are unaffected. (3) [Modified from Example 4-1a] The analog control sy stem malfunctions include (a) failures causing the loss of feedwater from only one MWFP to the steam generators and (b) failures causing an increase in main feedwater flow to the maximum output from only one MFWP. The use of the same hardware platforms and same software in both control systems is ADVERSE due to its impact on the Independence Consideration. Items (a), (b), (c) and (e) are unaffected. (d) [Modified from Example 4-1a] Independence Consideration:  Since the new digital control systems contain the exact same software (which is subject to a software common cause failure), the Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that two new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main feedwater flow to the maximum output from both MFWP have been created and were not considered in the original licensing basis. There is an ADVERSE impact on the design function of the main feedwater system to automatically control and regulate feedwater to the steam generators due to the use of software that reduces independence and creates two new types of malfunctions.

398  399 Commented [A30]: Source: ML17170A089 Comment No. A13 Rationale:  It does not mater if it is described in the FSAR (as updated) or not. Commented [A31]: Source:  (1) ML17068A092 Comment No. 4 (2) ML17170A089 Comment No. A14 Rationale:  NEU 96-07 Rev. 1 Section 3.3 defines "Method of performing of controlling a function"  and it is used exclusively to refer to the things people do.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-18 COMBINATION OF COMPONENTS/FUNCTIONS 400 The UFSAR may identify the number of components, how the components 401 were arranged, and/or how functions were allocated to those components. 402 Any or all of these characteristics may have been considered in the process of 403 identifying possible malfunctions or accident initiators. 404 When replacing analog SSCs with digital SSCs, it is potentially advantageous 405 to combine multiple components and/or functions into a single device or 406 control system. However, the failure of the single device or control system for 407 any reason (e.g., a software common cause failure) can potentially affect 408 multiple functions. 409 The combination of previously separate components and/or functions (that 410 does not reduce SSC design aspects such as diversity, separation, 411 independence, defense-in-depth and/or redundancy), in and of itself, does not 412 make the Screen conclusion adverse. Only if combining the previously 413 separate components and/or functions causes a reduction in one of these 414 aspects or a reduction in athe the required or assumed SSC design aspects 415 such as diversity, separation, independence, defense-in-depth and/or 416 redundancy or in an SSC's ability or capability of to performing a design 417 function (e.g., by the creation of a new malfunction or the creation of a new 418 malfunction or accident initiator) is the combination aspect of the digital 419 modification adverse. 420 To assure adequate existing defense in depth is maintained, one should first 421 identify potential coupling factors between equipment failures. A coupling 422 factor is the condition or mechanism through which multiple components 423 could be affected (or coupled) by the same cause.

[DISCUSS MORE LATER, 424 IN CONJUCTION WITH EXAMPLE 4-A AND 4-B

] 425 To assist in determining the impact of a digital modification on the number 426 and/or arrangement of components, review the description(s) of the existing 427 SSCs described in the UFSAR (as updated). When comparing the existing 428 and proposed configurations, consider how the proposed configuration affects 429 the number and/or arrangement of components and the potential impacts of 430 the proposed arrangement on UFSAR-described design functions. 431 Examples 4-2 and 4-3 illustrate the application of the Combination of 432 Components/Functions aspect. 433 Examples 4-2a and 4-2b illustrate how variations in a proposed activity can 434 affect the Screen conclusion. 435 Commented [A32]: Source: ML13298A787 - Concerns 5 & 7 Rationale:  Presumably this section was added to address this concern. Commented [A33]: Single device failures or misbehaviours are by definition not CCFs. Only when there are multiple components that are assumed to be independent can one call it a CCF; therefore this example is technically incorrect. Commented [A34]: Source: In several meetings, Industry expressed that "not all combinations are bad."

Rationale:  These word help provide conceptual guidance for distinguishing combinations that are of regulatory concern, from those that do not. The combinations that are bad are the one that combine or couple items that span these criteria.Commented [A35]: As screening criteria, ANY reduction in one of these aspects should be considered adverse.

Whether the outcomes of such a reduction requires a LAR, is the subject of the evaluation section. Commented [A36]: Source:  ML17170A089 Comment No. A16 Rationale:  Change includes indirect effects. Commented [A37]: Source: (1) ML17006A341 Comment No. A2 (2) ML170170A089 Comment No. A10. (3) Text adapted from DG-1285 (ML16358A153)

(4) ML13298A787 - Concern 10 Rationale: To add key aspects to consider when determining whether a digital modification should be considered adverse (or not) for 50.59 screening purposes. Commented [A38]: As written this sentence is ambigious. Without this change, it could be interpreted that only FSAR described arrangements (as opposed to actual arrangements) matter. The criteria should be actual arangements, whether described in the FSAR or not.  

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-19 Example 4-2a. Combining Components and Functions with NO ADVERSE IMPACT on a UFSAR-Described Design Function Two non-safety-related main feedwater pumps (MFWPs) exist. There are two analog control systems (one per MFWP) that are physically and functionally the same. System drawings (incorporated by reference into the UFSAR) show that each analog control system has many subcomponents. All of the analog subcomponents will be replaced with a single digital device that consolidates all of the components, sub-components and the technical functions associated with each component and sub-component. Each analog control system will be replaced with a separate digital control system. The hardware platform for each digital control system is from the same supplier and the software in each digital control system is exactly the same. The pertinent UFSAR SSC descriptions are as follows: (1) Two analog feedwater control systems are identified, including several major individual components. (2) The SSC descriptions state that both analog control systems consist of the same physical and functional characteristics. Although the control systems and the major components are described in the UFSAR, only a UFSAR-described design function for the feedwater control system is identified. No design functions for any of the individual components are described in the UFSAR. The pertinent UFSAR-described design function of the feedwater control system is "to provide adequate cooling water to the steam generators during normal operation." The UFSAR identifies the following MFWP control system malfunctions: (a) failures causing the loss of all feedwater to the steam generators, and (b) failures causing an increase in main feedwater flow to the maximum output from both MFWPs. The combination of components and functions has NO ADVERSE IMPACT on the identified design function for the following reasons: No new malfunctions are created. The Failure Modes and Effects Analysis (FMEA) performed as part of the technical assessment supporting the digital modification concluded that no new types of malfunctions are introduced since the loss of both MFWPs and failures causing an increase in main NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-20 feedwater flow to the maximum output from bothMFWPsare already considered in the licensing basis. Since no new malfunctions are created, the ability to perform the design function "to provide adequate cooling water to the steam generators during normal operation" is maintained. Using the same initial SSC configuration, proposed activity and UFSAR 436 descriptions from Example 4-2a, Example 4-2b illustrates how a variation in 437 the proposed activity would be addressed. 438 Example 4-2b. Combining Components and Functions with an ADVERSE IMPACT on a UFSAR-Described Design Function Instead of two separate, discreet, unconnected digital control systems being used for the feedwater control systems, only one central digital processor is proposed to be used that will combine the previously separate control systems and control both feedwater pumps. In this case, the proposed activity is ADVERSE because there is a reduction in the separation of the two original control systems. Example 4-3 illustrates the combining of control systems from different, 439 originally separate systems. 440 Example 4-3. Combining Components and Functions with an ADVERSE IMPACT on a UFSAR-Described Design Function Two non-safety-related analog feedwater control systems and a separate analog control system that controls the main turbine steam-inlet valves exist.All three analog control systems will be replaced with one digital control system that will combine the two feedwater control systems and the main turbine steam-inlet valve control system into a single digital device. The pertinent UFSAR SSC descriptions are as follows: (1) Two analog feedwater control systems are identified. The feedwater control system contains a design function "to provide adequate cooling water to the steam generators during normal operation." (2) One analog main turbine steam-inlet valve control system is identified. The main turbine steam-inlet valve control system contains a design function "to control the amount of steam entering the main turbine during normal operation." (3) The two feedwater control systems are independent from the main turbine NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-21 steam-inlet valve control system. (4) The function of controlling feedwater is separate from the function of controlling the main turbine steam-inlet valves. This separation is confirmed by a review of the accident analyses that do not include consideration of a simultaneous failure of the feedwater control system and the failure of the turbine control system. In this case, the proposed activity is ADVERSE because there is a reduction in the separation and independence of the original control systems. 441 For some component upgrades the likelihood of failure due to software may 442 be judged to be no greater than failure due to other causes, i.e., comparable to 443 hardware common cause failure, and includes no coupling mechanisms. In 444 such a case, even when it affects redundant systems, the digital upgrade 445 would screen out. Considerations for screening relatively simple digital 446 equipment are illustrated in Example 4-A and include: 447  The digital modification has a sufficiently low likelihood of 448 common cause failure based on the "qualitative assessment" of 449 system design features, the quality of the design processes 450 employed, and the operating history of the software and 451 hardware used. This qualitative assessment evaluates the 452 magnitude of the adverse effect (i.e., "sufficiently low" likelihood) 453 and which is the focus of the 10 CFR 50.59 evaluation, not the 454 screening. To screen out the digital modification, the following 455 additional considerations provide a greater degree of assurance 456 to conclude that change does not have an adverse effect on a 457 design function: 458  the change is of limited scope (e.g., replace analog transmitter 459 with a digital transmitter that drives an existing instrument 460 loop) 461  single failures of the digital device are bounded by existing 462 failures of the analog device (e.g., no new digital 463 communications among devices that introduce possible new 464 failure modes involving multiple devices). 465 Commented [PM39]: Placeholder for original NRC comment A39 Formatted: Indent: Left:  1", Bulleted + Level: 1 + Alignedat:  0.5" + Indent at:  1" NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-22  uses a relatively simple digital architecture internally (simple 466 process of acquiring one input signal, setting one output, and 467 performing some simple diagnostic checks), 468  has limited functionality (e.g., transmitters are used to drive 469 signals for parameters monitored), 470  can be comprehensively tested (but not necessarily 100 percent 471 of all combinations); and, 472 has extensive operating history. 473 Example 4-A. Screening for a Smart Transmitter (Screens Out) Transmitters are used to drive signals for parameters monitored by redundant ESFAS channels. The original analog transmitters are to be replaced with microprocessor-based transmitters. The change is of limit scope in that for each channel, the existing 4-20 mA instrument loop is maintained without any changes other than replacing the transmitter itself. The digital transmitters are used to drive signals of monitored parameters and thus have limited functionality with respect to the ESFAS design function. The digital transmitters use a relatively simple digital architecture internally in that the firmware in the new transmitters implements a simple process of acquiring one input signal, setting one output, and performing some simple diagnostic checks. This process runs in a continuous sequence with no branching or interrupts. An alarm relay is available to annunciate detected failures. Single failures of the digital device are bounded by existing failures of the analog device in that no new digital communications among devices that introduce possible new failure modes involving multiple devices. A "qualitative assessment" of the digital device concluded and the likelihood of common cause failures in multiple channels was very low based on system design features, the quality of the design processes employed, and the operating history of the software and hardware used. In addition, based on the simplicity of the device (one input and two outputs), it was easily tested. Further, substantial operating history has demonstrated high reliability in applications similar to the ESFAS application. Consequently, it is concluded that no adverse effects are created, and the change screens out. Note that an upgrade that is similar to Example 4-A, but that uses digital 474 communications from the smart transmitter to other components in the 475 instrument loop might screen in because new interactions and potentially 476 Commented [PM40]: Placeholder for original NRC comment A40 NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-23 new failure behaviors are introduced that could have adverse effects and 477 should be analyzed in a 10 CFR 50.59 evaluation (see Example 4-B). 478 Example 4-B. Screening for a Smart Transmitter (Screens In) Smart transmitters similar to those described in Example 4-1 are to be installed as part of an upgrade to the reactor protection system. The new smart transmitters have the capability to transmit their output signal using a digital communication protocol. Other instruments in the loop are to be replaced with units that can communicate with the transmitter using the same protocol. Because this change not only upgrades to a digital transmitter but also converts the instrument loop to digital communications among devices, there would be the potential for adverse effects owing to the digital communication and possible new failure modes involving multiple devices. As a result, this change screens in.

479 DEPENDABILITY IMPACT 480 In the main body of NEI 96-07, Section 4.2.1, subsection titled "Screening for 481 Adverse Effects," reliability is mentioned in the following excerpt: 482 "...a change that decreases the reliability of a function whose 483 failure could initiate an accident would be considered to 484 adversely affect a design function..." 485 Based on the technical outcomes from applicable Industry and/or NRC 486 guidance documents and using the information considered in those sources to 487 develop those outcomes, the Screen should assess the dependability of 488 performing applicable design functions due to the introduction of software 489 and/or hardware. 490 Example 4-4 illustrates the application of the dependability consideration. 491 Commented [PM41]: Placeholder for original NRC comment A41.

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-24 Example 4-4. Digital Modification that Satisfies Dependability, causing NO ADVERSE IMPACT on a UFSAR-described Design Function An analog recorder is to be replaced with a new microprocessor-based recorder. The recorder is used for various purposes including Post Accident Monitoring, which is a UFSAR-described design function. Dependability Assessment: An engineering evaluation performed as part of the technical assessment supporting the digital modification concluded that the new recorder will be highly dependable (based on a quality development process, testability, and successful operating history) and therefore, the risk of failure of the recorder due to software is considered very low. The change will have NO ADVERSE IMPACT on any design function due to the dependability assessment.

492 4.2.1.2 Screening of Changes to Procedures as Described in the UFSAR 493 SCOPE 494 If the digital modification does not include or affect a Human-System 495 Interface (e.g., the replacement of a stand-alone analog relay with a digital 496 relay that has no features involving personnel interaction and does not feed 497 signals into any other analog or digital device), then this section does not 498 apply and may be excluded from the Screen assessment. 499 In NEI 96-07, Section 3.11 defines procedures as follows: 500 "...Procedures include UFSAR descriptions of how actions related to 501 system operation are to be performed and controls over the 502 performance of design functions. This includes UFSAR descriptions of 503 operator action sequencing or response times, certain descriptions...of 504 SSC operation and operating modes, operational...controls, and similar 505 information

." 506 Although UFSARs do not typically describe the details of a specific Human-507 System Interface, UFSARs will describe any design functions associated with 508 the HSI. 509 Because the human-system interface (HSI) involves system/component 510 operation this portion of a digital modification is assessed in this Screen 511 consideration. The focus of the Screen assessment is on potential adverse 512 effects due to modifications of the interface between the human user and the 513 technical device. 514 Commented [A42]: Comments on HSI Screening Guidance were previously provided in:

(1) ML17068A092 Comment Nos. 18-26 (2) ML17170A089 Comment Nos. A17-A27 NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-25 There are 3 basic elements of an HSI (

NUREG-0700): 515

* Displays: the visual representation of the information operators need 516 to monitor and control the plant. 517

* Controls: the devices through which personnel interact with the HSI 518 and the plant. 519

* User-interface interaction and management: the means by which 520 personnel provide inputs to an interface, receive information from it, 521 and manage the tasks associated with access and control of 522 information. 523 Operators must be able to accurately perceive, comprehend and respond to 524 system information via the HSI to successfully complete their tasks. 525 Specifically, nuclear power plant personnel perform four primary types of 526 tasks (

XXX): 527 (1) monitoring and detection (extracting information from the 528 environment and recognizing when something changes), 529 (2) situation assessment (evaluation of conditions), 530 (3) response planning (deciding upon actions to resolve the situation) and 531 (4) response implementation (performing an action). 532 To determine potential adverse impacts of HSI modifications on design 533 functions, a two-step analysis must be performed. Step one is assessing how 534 the modification impacts (i.e., positively , negatively or no impact) the 535 operators' abilities to perform each of the four primary types of tasks 536 described above. If there are negative impacts, step two of the analysis 537 consists of determining how the impacts affects the pertinent UFSAR-538 described design function(s) (i.e., adversely or not adversely). Examples of 539 negative impacts on operator performance of tasks that may result in adverse 540 effects on a design function include: 541

* increased possibility of mis-operation, 542

* increased difficulty in evaluating conditions, 543

* increased difficulty in performing an action, 544

* increased time to respond, 545

* creation of new potential failure modes. 546  547 Table 1 contains examples of modifications to HSI elements that should be 548 addressed in the response to this Screen consideration. 549  550 [INSERT TABLE 1 FROM HSI COMMENTS FILE HERE.] 551  552 In NEI 96-07, Section 3.11 defines procedures as follows: 553  554 Formatted: Font: Century Schoolbook, 12 pt Formatted: Font: Century Schoolbook, 12 pt Formatted: Font: Century Schoolbook, 12 pt NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-26 "...Procedures include UFSAR descriptions of how actions 555 related to system operation are to be performed and controls 556 over the performance of design functions. This includes UFSAR 557 descriptions of operator action sequencing or response times, 558 certain descriptions...of SSC operation and operating modes, 559 operational...controls, and similar information

* Because the Human-System Interface involves system/component operation, operator 561 actions, response times, etc., this portion of a digital modification is assessed in this Screen 562 consideration. 563 If the digital modification does not include or affect a Human-System 564 Interface (e.g., the replacement of a stand-alone analog relay with a digital 565 relay that has no features involving personnel interaction and does not feed 566 signals into any other analog or digital device), then this section does not 567 apply and may be excluded from the Screen assessment. 568 The focus of the Screen assessment is on potential adverse effects due to 569 modifications of the interface between the human user and the technical 570 device [e.g., equipment manipulations, actions taken, options available, 571 decision-making, manipulation sequences or operator response times 572 (including the impact of errors of a cognitive nature in which the information 573 being provided is unclear or incorrect)], not the written procedure 574 modifications that may accompany a physical design modification (which are 575 addressed in the guidance provided in NEI 96-07, Section 4.2.1.2). 576 PHYSICAL INTERFACE WITH THE HUMAN-SYSTEM INTERFACE 577 In the determination of potential adverse impacts, the following aspects 578 should be addressed in the response to this Screen consideration: 579 (a) Physical Interaction with the Human-System Interface (HSI) 580 (b) Number/Type of Parameters 581 (c) Information Presentation 582 (d) Operator Response Time 583 Physical Interaction with the Human-System Interface 584 A typical physical interaction modification might involve the use of a touch 585 screen in place of push-buttons, switches or knobs, including sensory-based 586 aspects such as auditory or tactile feedback. 587 NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-27 To determine if the HSI aspects of a digital modification have an adverse 588 impact on UFSAR-described design functions, potential impacts due to the 589 physical interaction with the HSI should be addressed in the Screen. 590 Consideration of a digital modification's impact due to the physical 591 interaction with the HSI involves an examination of the actual physical 592 interface and how it could impact the performance and/or satisfaction of 593 UFSAR-described design functions. For example, if a new malfunction is 594 created as a result of the physical interaction, then the HSI portion of the 595 digital modification would be adverse. Such a new malfunction may be 596 created by the interface requiring the human user to choose which of multiple 597 components is to be controlled, creating the possibility of selecting the wrong 598 component (which could not occur with an analog system that did not need 599 the human user to "make a selection").

600 Characteristics of HSI changes that could lead to potential adverse effects 601 may include, but are not limited to: 602

* Changes from manual to automatic initiation (or vice versa) of 603 functions, 604

* Changes in the data acquisition process (such as replacing an edgewise 605 analog meter with a numeric display or a multipurpose CRT in which 606 access to the data requires operator interaction to display),  607

* Changes that create new potential failure modes in the interaction of 608 operators with the system (e.g., new interrelationships or 609 interdependencies of operator actions and/or plant response, or new 610 ways the operator assimilates plant status information), 611

* Increased possibility of mis-operation related to performing a design 612 function, 613

* Increased complexity or duration in diagnosing or responding to an 615 accident [e.g., Time-Critical Operation Actions (TCOAs) identified in 616 the UFSAR]. 617 If the HSI changes do not exhibit characteristics such as those listed above, 618 then it may be reasonable to conclude that the "method of performing or 619 controlling" a design function is not adversely affected. 620 Example s 4-5 through 4-7 illustrate the application of the Physical 621 Interaction aspect illustrates how to apply the assessment process to ONLY 622 the "controls" element of an HSI. 623 Example 4-5. Physical Interaction Assessment of the "Controls" Element of NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-28 an HSI with NO ADVERSE IMPACT on a UFSA R-Described Design Function Description of the Proposed Activity Involving the Control Element: Currently, a knob is rotated clock-wise to increase a control function and counter clock-wise to decrease the control function. This knob will be replaced with a touch screen. Using the touch screen, touching the "up" arrow will increase the control function and touching the "down" arrow will decrease the control function. Identification and Assessment of Task Type(s) Involved: 

(1) monitoring and detection (extracting information from the environment and recognizing when something changes) - INVOLVED (2) situation assessment (evaluation of conditions) - NOT INVOLVED (3) response planning (deciding upon actions to resolve the situation) - NOT INVOLVED (4) response implementation (performing an action) - NOT INVOLVED Design Function Identification: The UFSAR-described design function states the operator can "increase and decrease the control functions using manual controls located in the Main Control Room."  Thus, this UFSAR description implicitly identifies the SSC (i.e., the knob) and the design function of the SSC (i.e., its ability to allow the operator to manually adjust the control function).

As part of the technical evaluation supporting the proposed activity, a Human Factors Evaluation (HFE) was performed. The HFE concluded that no new failures or malfunctions have been introduced as a result of the replacement from a knob to a touch screen.

* new potential failure modes - NO IMPACT Formatted: Space Before:  0 pt, After:  0 pt, Hyphenate, Tabstops: Not at  -0.5" Formatted: Space Before:  0 pt, After:  0 pt, Hyphenate, Tabstops: Not at  -0.5" NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-29 Assessment of Design Function Impact(s) Using the results from the HFE and examining only the physical interaction aspect "controls" element of an HSI (e.g., ignoring the impact on operator response time or the number and/or sequence of steps necessary to access the new digital controlsthe other three HSI elements), the replacement of the "knob" with a "touch screen" is not adverse since it does not impact the ability of the operator to "increase and decrease the control functions using manual controls located in the Main Control Room," maintaining satisfaction of the UFSAR-described design function.

Using the same proposed activity provided in Example 4-5, Example 4-6 624 illustrates how a variation in the UFSAR description would cause an adverse 625 impact. 626 Example 4-6. Physical Interaction with an ADVERSE IMPACT on a UFSAR-Described Design Function The UFSAR states not only that the operator can "increase and decrease the control functions using manual controls located in the Main Control Room," but also that "the control mechanism provides tactile feedback to the operator as the mechanism is rotated through each setting increment." Since a touch screen cannot provide (or duplicate) the "tactile feedback" of a mechanical device, replacing the "knob" with a "touch screen" is adverse because it adversely impacts the ability of the operator to obtain tactile feedback from the device.

Using the same proposed activity provided in Example 4-5 and the same 627 UFSAR descriptions from Example 4-6, Example 4-7 illustrates how a 628 variation in the proposed activity would also cause an adverse impact. 629 Example 4-7. Physical Interaction with an ADVERSE IMPACT on a UFSAR-Described Design Function In addition to the touch screen control "arrows" themselves, a sound feature and associated components will be added to the digital design that will emit a clearly audible and distinct "tone" each time the control setting passes through the same setting increment that the tactile feature provided with the mechanical device. Although the operator will now receive auditory "feedback" during the operation of the digital device, the means by which this feedback is provided has been altered. Since the means of controlling the design function has NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-30 changed, new malfunctions can be postulated(e.g., high ambient sound levels that prevent the operator from hearing the feedback). Therefore, the modification of the feedback feature (i.e., from tactile to auditory) has an adverse impact on the ability of the design function to be performed.

630 Number and/or Type of Parameters Displayed By and/or Available From the 631 Human-System Interface 632 One advantage of a digital system is the amount of information that can be 633 monitored, stored and presented to the user. However, the possibility exists 634 that the amount of such information may lead to an over-abundance that is 635 not necessarily beneficial in all cases. 636 To determine if the HSI aspects of a digital modification have an adverse 637 effect on UFSAR-described design functions, potential impacts due to the 638 number and/or type of parameters displayed by and/or available from the 639 HSI should be addressed in the Screen. 640 Consideration of a digital modification's impact due to the number and/or 641 type of parameters displayed by and/or available from the HSI involves an 642 examination of the actual number and/or type of parameters displayed by 643 and/or available from the HSI and how they could impact the performance 644 and/or satisfaction of UFSAR-described design functions. Potential causes for 645 an adverse impact on a UFSAR-described design function could include a 646 reduction in the number of parameters monitored (which could make the 647 diagnosis of a problem or determination of the proper action more challenging 648 or time-consuming for the operator), the absence of a previously available 649 parameter (i.e., a type of parameter), a difference in how the loss or failure of 650 parameters occurs (e.g., as the result of combining parameters), or an 651 increase in the amount of information that is provided such that the amount 652 of available information has a detrimental impact on the operator's ability to 653 discern a particular plant condition or to perform a specific task. 654 Example 4-8 illustrates the application of the Number and/or Type of 655 Parameters aspect. 656 Example 4-8. Number and Type of Parameters with NO ADVERSE IMPACT on a UFSAR-Described Design Function Currently, all controls and indications for a single safety-related pump are analog. There are two redundant channels of indications, either of which can be used to monitor pump performance, but only one control device. For direct monitoring of pump performance, redundant motor electrical current indicators exist. For indirect monitoring of pump performance, redundant NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-31 discharge pressur e and flow rat e indicators exist. Furthermore, at the destination of the pump's flow, redundant temperature indicators exist to allow indirect monitoring of pump performance to validate proper pump operation by determination of an increasing temperature trend (i.e., indicating insufficient flow) or a stable/decreasing temperature trend (i.e., indicating sufficient flow). All of these features are described in the UFSAR. The UFSAR also states that the operator will "examine pump performance and utilize the information from at least one of the redundant plant channels to verify performance" and "the information necessary to perform this task is one parameter directly associated with the pump (motor electrical current) and three parameters indirectly associated with pump performance (discharge pressure, flow rate, and response of redundant temperature indications)." A digital system will replace all of the analog controls and indicators. Two monitoring stations will be provided, either of which can be used to monitor the pump. Each monitoring station will display the information from one of the two redundant channels. The new digital system does not contain features to automatically control the pump, but does contain the ability to monitor each of the performance indications and inform/alert the operator of the need to take action. Therefore, all pump manipulations will still be manually controlled. Since the new digital system presents the same number (one) and type (motor electrical current) of pump parameters to directly ascertain pump performance and the same number (three) and type (discharge pressure, flow rate and redundant temperature) of system parameters to indirectly ascertain pump performance, there is no adverse impact on the UFSAR-described design function to perform direct monitoring of pump performance and no adverse impact on the UFSAR-described design function to perform indirect monitoring of pump performance.

657 Information Presentation on the Human-System Interface 658  659 A typical change in data presentation might result from the replacement of 660 an edgewise analog meter with a numeric display or a multipurpose CRT. 661 To determine if the HSI aspects of a digital modification have an adverse 662 effect on UFSAR-described design functions, potential impacts due to how 663 the information is presented should be addressed in the Screen. 664 Consideration of a digital modification's impact due to how the information is 665 presented involves an examination of how the actual information 666 NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-32 presentation method could impact the performance and/or satisfaction of 667 UFSAR-described design functions. To determine possible impacts, the 668 UFSAR should be reviewed to identify descriptions regarding how 669 information is presented, organized (e.g., how the information is physically 670 presented) or accessed, and if that presentation, organization or access 671 relates to the performance and/or satisfaction of a UFSAR-described design 672 function. 673 Examples of activities that have the potential to cause an adverse effect 674 include the following activities: 675

* Addition or removal of a dead-band, or 676

* Replacement of instantaneous readings with time-averaged readings 677 (or vice-versa). 678 If the HSI changes do not exhibit characteristics such as those listed above, 679 then it may be reasonable to conclude that the "method of performing or 680 controlling" a design function is not adversely affected. 681 Example 4-9 illustrates the application of the Information Presentation 682 aspect. 683 Example 4-9. Information Presentation with an ADVERSE IMPACT on a UFSAR-Described Design Function A digital modification consolidates system information onto two flat panel displays (one for each redundant channel/train). Also, due to the increased precision of the digital equipment, the increment of presentation on the HSI will be improved from 10 gpm to 1 gpm. Furthermore, the HSI will now present the information layout "by channel/train." The UFSAR identifies the existing presentation method as consisting of "indicators with a 10 gpm increment" to satisfy safety analysis assumptions and the physical layout as being "by flow path" to allow the operator to determine system performance.

The increase in the display increment is not adverse since the operator will continue to be able to distinguish the minimum increment of 10 gpm UFSAR-described design function. The new display method (i.e., "by channel/train") adversely affects the ability of the operator to satisfy the design function to ascertain system performance "by flow path." 684 Operator Response Time 685 NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-33  686 Typically, an increase in the operator response time might result from the 687 need for the operator to perform additional actions (e.g., due to the additional 688 steps necessary to call up or retrieve the appropriate display and operate the 689 "soft" control rather than merely reading an indicator on the Main Control 690 Board). 691 To determine if the HSI aspects of a digital modification have an adverse 692 effect on UFSAR-described design functions, potential impacts on the 693 operator response time should be addressed in the Screen. 694 Consideration of a digital modification's impact on the operator response time 695 due to the modification of the number and/or type of decisions made, and/or 696 the modification of the number and/or type of actions taken, involves an 697 examination of the actual decisions made/actions taken and how they could 698 impact the performance and/or satisfaction of UFSAR-described design 699 functions. To determine possible impacts, the UFSAR must be reviewed to 700 identify descriptions relating to operator response time requirements and if 701 those timing requirements are related to the performance and/or satisfaction 702 of a UFSAR-described design function. 703 Example 4-10 is the same as Example 4-9, but illustrates the application of 704 the Operator Response Time aspect. 705 Example 4-10. Operator Response Time with NO ADVERSE IMPACT on a UFSAR-Described Design Function A digital modification consolidates system information onto two flat panel displays (one for each redundant channel/train). Also, due to the increased precision of the digital equipment, the increment of presentation on the HSI will be improved from 10 gpm to 1 gpm. Furthermore, the HSI will now present the information layout "by channel/train." The UFSAR identifies the existing presentation method as consisting of the physical layout as being "by flow path" to allow the operator to determine system performance.

Although the UFSAR identifies the existing presentation method as consisting of a physical layout "by flow path" to allow the operator to determine system performance and the new display method (i.e., "by channel/train") will require additional steps by the operator to determine system performance, requiring more time, there is no adverse impact on satisfaction of the design function to ascertain system performance because no response time requirements are applicable to the design function of the NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-34 operator being able "to determine system performance.

" 706 COMPREHENSIVE HUMAN-SYSTEM INTERFACE EXAMPLE 707 Although no additional guidance is provided in this section, Example 4-11 708 illustrates how each of the aspects identified above would be addressed. 709 Example 4-11. Digital Modification involving Extensive HSI Considerations with NO ADVERSE IMPACTS on a UFSAR-Described Design Function Component controls for a redundant safety-related system are to be replaced with PLCs. The existing HSI for these components is made up of redundant hard-wired switches, indicator lights, and analog meters. The new system consolidates the information and controls onto two flat panel displays (one per redundant train), each with a touch screen providing "soft" control capability. The existing number and type of parameters remains the same, which can be displayed in a manner similar to the existing presentations (e.g., by train). However, the information can be also presented in different configurations that did not previously exist (e.g., by path or by parameter type to allow for easier comparison of like parameters), using several selectable displays. The flat panel display can also present any of several selectable pages depending on the activity being performed by the operator (e.g., starting/initiating the system, monitoring the system during operation, or changing the system line-up). To operate a control, the operator must (via the touch screen) select the appropriate activity (e.g., starting/initiating the system, monitoring the system during operation, or changing the system line-up), select the desired page (e.g., train presentation, path presentation, or parameter comparison), select the component to be controlled (e.g., pump or valve), select the control action (e.g., start/stop or open/close), and execute it. The display remains on the last page selected, but each page contains a "menu" of each possible option to allow direct access to any page without having to return to the "main menu." The two new HSIs (one per redundant train) will provide better support of operator tasks and reduced risk of errors due to:

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-35

* Integration of cautions and warnings within the displays to help detect and prevent potential errors in operation (e.g., warnings about incorrect system lineups during a test or maintenance activity). The design was developed using a human factors engineering design, with a verification and validation process consistent with current industry and regulatory standards and guidelines. As part of the technical evaluation supporting the proposed activity, a Human Factors Evaluation (HFE) was performed. Based on the conclusions from the HFE, the design provides a more effective HSI that is less prone to human error than the existing design. The UFSAR-described design functions applicable to this proposed activity include descriptions of how the existing controls, including the physical switches, indicator lights and meters, and how each of these SSCs is used during normal and abnormal (including accident) operating conditions. The UFSAR identifies the current physical arrangement (i.e., two physically separate locations) as providing a provides assurance that the design function is satisfied by preventing the operator that prevents the operator from operating the "wrong" component. There are no UFSAR-described design functions related to the operator response times associated with using the existing controls. The impacts on design functions are identified below:

* Operator Response Time - NOT ADVERSE because no response time requirements were applicable to any of the design functions and there were no indirect adverse affects on any other design function

. 710 NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-36 4.2.1.3 Screening Changes to UFSAR Methods of Evaluation 711 By definition, a proposed activity involving a digital modification involves 712 SSCs and how SSCs are operated and controlled, not a method of evaluation 713 described in the UFSAR (see NEI 96-07, Section 3.10). 714 Methods of evaluation are analytical or numerical computer models used to 715 determine and/or justify conclusions in the UFSAR (e.g., accident analyses 716 that demonstrate the ability to safely shut down the reactor or prevent/limit 717 radiological releases). These models also use "software." However, the 718 software used in these models is separate and distinct from the software 719 installed in the facility. The response to this Screen consideration should 720 reflect this distinction. 721 A necessary revision or replacement of a method of evaluation (see NEI 96-722 07, Section 3.10) resulting from a digital modification is separate from the 723 digital modification itself and the guidance in NEI 96-07, Section 4.2.1.3 724 applies. 725 4.2.2 Is the Activity a Test or Experiment Not Described in the UFSAR? 726 By definition, a proposed activity involving a digital modification involves 727 SSCs and how SSCs are operated and controlled, not a test or experiment 728 (see NEI 96-07, Section 4.2.2). The response to this Screen consideration 729 should reflect this characterization. 730 A necessary test or experiment (see NEI 96-07, Section 3.14) involving a 731 digital modification is separate from the digital modification itself and the 732 guidance in NEI 96-07, Section 4.2.2 applies. 733 4.3 EVALUATION PROCESS 734  735 736 737  738 Introduction 739 In the following sections and sub-sections that describe the Evaluation 740 guidance unique toparticularly useful l for the application of 10 CFR 50.59 to 741 CAUTIONThe guidance contained in this appendix is intended to supplement the generic Evaluation guidance contained in the main body in NEI 96-07, Section 4.3. Namely, the generic Evaluation guidance provided in the main body of NEI 96-07 and the more-focused Evaluation guidance in this appendix BOTH apply to digital modifications.

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-37 digital modifications, each section and sub-section describes only a specific 742 aspect, sometimes at the deliberate exclusion of other related aspects. This 743 focused approach is intended to concentrate on the particular aspect of 744 interest and does not imply that the other aspects do not apply or could not 745 be related to the aspect being addressed. 746 Throughout this section, references to the main body of NEI 96-07, Rev. 1 will 747 be identified as "NEI 96-07." 748 Credibility of Common Cause Failure (CCF) Likelihood Determination 749 Outcomes 750 The possible outcomes of an engineering evaluation (e.g., CCF Susceptibility 751 Analysis), performed in accordance with regarding a CCF from the CCF 752 Susceptibility Analysis performed in accordance with applicable Industry 753 and/or NRC approved guidance documents

, regarding the CCF likelihood are 754 as follows: 755 (1) CCF likelihood not credible (i.e., likelihood of a CCF caused by an I&C 756 failure source is NOT greater than the likelihood of acomprable to CCF 757 caused by other failure sources that are not considered specifically 758 analyzed in the UFSAR)sufficiently low (as defined in Definition 3.17) 759 (2) CCF likelihood credible (i.e., likelihood of a CCF caused by an I&C 760 failure source IS greater than or equalcomprable to the likelihood of a 761 CCF caused by other failure sources that are considered specifically 762 analyzed in the UFSAR)not sufficiently low 763 These outcomes will be used in developing the responses to Evaluation 764 criteria 1, 2, 5 and 6. 765 Failure Analysis 766 As described in SECY 91-292 regarding NRC review of advanced light water 767 reactor (ALWR) designs, digital l&C systems employ a greater degree of 768 sharing of data transmission, functions, and process equipment as compared 769 to analog systems. While this sharing enables some of the key benefits of 770 digital equipment, it also increases the potential consequences of individual 771 failures. 772 Consideration of potential system failures and undesirable behaviors should 773 be an integral pairt of the process of designing, specifying, and implementing 774 a digital upgrade. Consideration of these undesirable events is referred to 775 collectively as failure analysis. Failure analysis interacts with essentially all 776 Commented [A43]: Source: ML13298A787 Concern 3 Comment:  The overarching goal is to have clear guidance. That is, both licensees and inspectors must interpret this document the same way.

The reason that NEI 01-01 was written was because it was felt that it was not clear how to apply NEI 96-07 to digital modifications, because digital based SSCs were typicaly different that analog systems in certian ways.

Formatted:

HighlightCommented [A44]: Source:  Engineering Judgement Rationale:  There are two things of concern: (1) Determination of if CCF is credible (2) Characterisation of behavior during CCF ... [1]Commented [A45]: Source:  (1) ML17068A092 Comment No. 12 (2) ML17170A089 Comment No. A4 Rationale: New terms should be defined since undefined terms are a source of regulatory uncertainty. Commented [A46]: In the August 29 Public Meeting, NEI stated the terms "CCF Credible/Not Credible" will no longer be used. All instances of "credible" have been highlighted to facilitate making this change.

HighlightCommented [A47]: Source:  ML17170A089 Comment No. A30 Rationale:  There are many ways that CCF can be considered in the FSAR (as updated), specifically postulating and analyzing the results being only one.

Formatted:

HighlightCommented [A48]: Source:  ML17170A089 Comment No. A30 Rationale:  There are many ways that CCF can be considered in the FSAR (as updated), specifically postulating and analyzing the results being one one. Commented [A49]: Source:  The following text (except as noted) adapted from NEI 01-01 Section 5.1 & 5.1.1. Rationale:  To address the first comment in Section 4.3 above. Commented [A50]: Source:  Source:  ML13298A787 - Concern 11 Rationale:  Text adapted from NEI 01-01 Section Section 5.3.1 to address the first comment in Section 4.3 above.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-38 the main elements of the design process. It provides information needed to 777 support the licensing evaluations, and it provides the context in which the 778 digital upgrade issues ultimately can be resolved. Failure analysis examines 779 what you do not want the system or device to do. 780 Failure analysis should not be a stand-alone activity, and it should not 781 generate unnecessary effort or excessive documentation. It is part of the 782 design process, and it can vary widely in scope depending on the extent and 783 complexity of the upgrade. It should be performed as part of plant design 784 procedures and should be documented as a part of the design process. 785 The purpose of the failure analysis is to ensure the system is designed with 786 consideration of potential failures and undesirable behaviors such that the 787 risk posed by these events is acceptable. Failure analysis should include the 788 following elements: 789  Identification of potential system-level failures and undesirable 790 behavior (which may not be technically "failures") and their 791 consequences. This includes consideration of potential single failures 792 as well as plausible common cause failures. 793  Identification of potential vulnerabilities, which could lead to system 794 failures or undesirable conditions. 795  Assessment of the significance and risk of identified vulnerabilities. 796  Identification of appropriate resolutions for identified vulnerabilities, 797 including provide means for annunciating system failures to the 798 operator. 799 A variety of methodologies and analysis techniques can be used in these 800 evaluations, and the scope of the evaluations performed and documentation 801 produced depends on the scope and complexity of the upgrade. The analysis 802 maintains a focus at the level of the design functions performed by the 803 system, because it is the effects of the failure on the system and the resulting 804 impact on the plant that are important. Failures that impact plant safety are 805 those thal could: prevent performance of a safety function of the system, 806 affect the ability of other systems to perform their safety functions, or lead to 807 plant trips or transients that could challenge safety systems. 808 Ultimately, the digital equipment is installed to support overall system 809 requirements, which in turn are necessary to support the plant system-level 810 requirements. It is generally at the plant system level that major functional 811 requirements exist to support plant safety and availability. Consequently, 812 NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-39 failure analysis should start by identifying the system or "design function" 813 level functions, and examining how the digital equipment can cause these 814 functions not to be performed. 815 In addition to failures of the system to perform its function, other failures 816 such as spurious actions, challenges to safety systems, transient or accident 817 initiators, etc., should be examined. 818 Engineering Evaluation Topics Beneficial for Performing a 50.59 Evaluation 819 of Digital-Specific Adverse Effects 820 For digital modifications, attention should be given to the major things that 821 may be different in the new digital electronic equipment, for example: 822 In the preparation of responses to the Evaluation criteria, the outcomes from 823 the following engineering evaluation topics should be considered (as 824 necessary):

825 (1) Modes of Behaviour and Misbehaviour 826 (2) Combining of Functions 827 (3) Coupling of Functions (e.g., via digital communications) 828 (4) Potential for Increased Complexity 829 (5) System Architecture Changes 830 (6) Software 831 Items 1, 2, 3, & 5 have the most potential to create the possibility for 832 accidents of a different type and/or malfunctions with a different result. 833 Items 4 & 6 can make it more difficult to fully understand all aspects of the 834 modification. 835 Examples 836 Examples are provided to illustrate the guidance provided herein. Unless 837 stated otherwise, a given example only addresses the aspect or topic within 838 the section/sub-section in which it is included, sometimes at the deliberate 839 exclusion of other aspects or topics that, if considered, could potentially 840 change the Evaluation conclusion. 841 Many of the examples in this section involve the Main Feedwater (MFW) 842 System to illustrate concepts. The reason for selecting the MFW system is 843 that it is one of the few non-safety-related systems that, upon failure, can 844 initiate an accident. Furthermore, a failure of the MFW system is one of the 845 few malfunctions that are also accident initiators. 846 Commented [A51]: Source:  ML13298A787 Modes of Beaviour and Misbehaviour - Concern 11 Combining of Functions - Concerns 5 & 7 Coupling of Functions - Concern 10 Complexity - Concern 1 Rationale:  To address the first comment in Section 4.3 above, one must identify the important aspects to consider. Commented [A52]: Source: ML170170A089 Comment No. A6.

Rationale: Based on the definition of "accident" in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are tpicaly credited to miigate accidents.) Commented [A53]: Source: ML170170A089 Comment No. A6.

Rationale: Based on the definition of "accident" in NEI 96-07, many accidents are initiated by non-safety related SSCs. (Note: safety related SSCs are tpicaly credited to miigate accidents.)

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-40 4.3.1 Does the Activity Result in More Than a Minimal Increase in the Frequency 847 of Occurrence of an Accident?  848 INTRODUCTION 849 From NEI 96-07, Section 3.2:

850 "The term 'accidents' refers to the anticipated (or abnormal) 851 operational transients and postulated design basis accidents..." 852 Therefore, for purposes of 10 CFR 50.59, both Anticipated Operational 853 Occurrences (AOOs) and Postulated Accidents (PAs) fall within the definition 854 of "accident." 855 After applying the generic guidance in NEI 96-07, Section 4.3.1 to identify 856 any accidents affected by the systems/components involved with the digital 857 modification and examining the initiators of those accidents, the impact on 858 the frequency of the initiator (and, hence, the accident itself) due to the 859 digital modification can be assessed. 860 All accident initiators fall into one of two categories: equipment-related or 861 personnel-related. Therefore, the assessment of the impact of a digital 862 modification also needs to consider both equipment-related and personnel-863 related sources. 864 For a digital modification, the range of possible equipment-related sources 865 includes items unique to digital and items not unique to digital. An example 866 of an item unique to digital is consideration of the impact on accident 867 frequency due to a software CCF, which will be addressed in the guidance in 868 this section. An example of an itempotential source of CCF that is not unique 869 to digital is consideration of the impact on accident frequency due to the 870 digital system's compatibility with the environment in which the system is 871 being installed, which would be addressed by applying the general guidance 872 for applicable regulatory requirements, and commitments other acceptance 873 criteria to which the licensee is committed, and departures from standards as 874 outlined in the general design criteria, as described discussed in NEI 96-07, 875 Section 4.3.1

, and Section 4.3.1, Example 2. 876 For a digital modification, the assessment for personnel-related sources will 877 consider the impact due to the Human-System Interface (HSI). 878 Typically, numerical values quantifying an accident frequency are not 879 available, so the qualitative approach using the causal relationship (i.e., 880 attributable (i.e., causal relationshipor not

) and the magnitude of the effect 881 Commented [A54]: Source: ML17170A089 Comment No. A34 Rationale: Please change "CCF" to "software CCF" as appropriate. CCF has always been, and continues to be, a regulatory concern, and it is addressed in many ways in the SARs (as is explained in Section 2 above). Commented [A55]: Source: ML17170A089 Comment No. A34 Rationale: CCF has always been, and continues to be, a regulatory concern, and it is addressed in many ways in the SARs (as is explained in Section 2 above). Commented [A56]: Source: ML17170A089 Comment No. A35 Rationale: By adding this text, the reference was change forom a general section reference, to a reference to the specific applicable paragraph and example (to be explicitly clear what part of 4.3.1 was being reffered to). The point is: Not meeting applicalbe technical criteria should be considered as "not compatible with 'not more then a minimal increase' " standard. Commented [A57]: Source:  ML17170A089 Comment No. A40 Rationale: Clarification: The term attributable, since it is not defined, is used in the common English sence (i.e.,

NEI 96-07, Appendix D   NEI Proposed Modifications: May 16, 2017 D-41 (i.e., negligible/discernable (i.e., magnitude) criteria from NEI 96-07, Section 882 4.3.1 will be examined in the guidance in this section. 883 GUIDANCE 884 Factors to Consider and Address in the Response 885 1. Use of Software 886 Software developed in accordance with a defined life cycle process, and 887 complies with applicable industry standards and regulatory guidance does 888 not inherently result in more than a minimal increase in the frequency of an 889 accident . The design change process and the design documentation contain 890 the information that will be used to determine if software increases the 891 frequency of an accident. 892 2. Use of Digital Components (e.g., microprocessors in place of 893 mechanical devices) 894 NOTE: This factor is not unique to digital and would be addressed by 895 applying the guidance described in NEI 96-07, Section 4.3.1. 896 This factor is included here for completeness. 897 Digital components are expected to be more reliable than the equipment 898 being replaced. Aspects to be addressed include the following: compliance 899 with applicable regulations and industry standards; qualification for 900 environmental conditions (e.g., seismic, temperature, humidity, radiation, 901 pressure, and electromagnetic compatibility); performance requirements for 902 the plant-specific application; proper design of electrical power supplies; 903 cooling or ventilation for thermal loads; and separation, independence and 904 grounding. The design change process and the design documentation contain 905 the information that will be used to determine if the use of digital 906 components increases the frequency of an accident. 907 3. Creation of a Software Common Cause Failure (Software CCF) 908 An engineering evaluation of the quality design and design processes 909 determine s the likelihood of failure due to software via a common cause 910 failure and its potential impact on the frequency of an accident. The 911 engineering evaluation that assesses CCF likelihood includes the possible 912 outcomes (i.e., CCF likelihood is sufficiently low or CCF likelihood is not 913 sufficiently low).

This information is documented in the qualitative 914 assessment of the potential contributors to CCF and disposition of whether 915 Commented [PM58]: Placeholder for original NRC comment A58 Commented [A59]: Source: ML17170A089 Comment No. A37 Rationale: Sotware development proceses and software design are two distinct things, and each should be addressed separately. Commented [A60]: Source:  (1) ML13298A787 - Concern 9 (2) ML17170A089 Comment No. A37 & A39 Rationale: Sotware development proceses and software design are two distinct things, and each should be addressed separately. Commented [A61]: Check to assure useage matches definition.

NEI 96-07, Appendix D    NEI Proposed Modifications: May 16, 2017 D-42 the design effectively reduced the likelihood of the CCF to the extent that the 916 CCF can be considered not credible (e.g., in a CCF Susceptibility Analysis).

917 4. Intended Benefits of the Digital Component/System 918 NOTE: This factor is not unique to digital and would be addressed by 919 applying the guidance described in NEI 96-07, Section 4.3.1. 920 This factor is included here for completeness. 921 In addition to the expected hardware-related reliability improvements of the 922 physical devices themselves (addressed in factor 2 above), overall 923 improvements in the reliability of the performance of the digital 924 component/system, operational flexibility and/or maintenance-related 925 activities may also be achieved. The design documentation contains the 926 information that will be used to identify the intended benefits of the digital 927 component/system and possible impacts on the frequency of an accident. 928 5. Design Attributes/Features 929 Design attributes of the proposed digital modification are features that serve 930 to prevent or limit failures from occurring, or that mitigate the 931 results/outcomes of such possible failures. Factors to be considered include 932 the following items: 933

* Design Criteria (as applicable) (e.g., diversity, independence and 934 redundancy) 935

* Inherent Design Features for Software, Hardware or the 936 Architectural/Network (e.g., external watchdog timers, isolation 937 devices, segmentation, self-testing and self-diagnostic features) 938

* Sufficiently Simple (i.e., enabling comprehensive testing) 940

* Unlikely Series of Events (e.g., the evaluation of a given digital 941 modification would need to postulate multiple independent random 942 failures in order to arrive at a state in which a SCCF is possible) 943

* Failure State (e.g., always known to be acceptable) 944 Determination of Causality (using Attributable (i.e., causality

) 945 If a CCF is determined to be not credible, then there is NO attributable 946 dicernable impact on the frequency of occurrence of an accident. Namely, if a 947 CCF is sufficiently unlikely to occur, then no mechanism for an attributable 948 discernable impact has been created. 949 If a CCF is determined to be credible, but the component/system is not an 950 accident initiator, then there is NO attributable impact on the frequency of 951 Formatted:

HighlightCommented [A62]: Should expand based on recent draft RIS after RIS language has been finalized. Commented [A63]: Source: ML17170A089 Comment No. A40 Rationale: This section uses the term "atributble" in the same way that it iuses Negligible/Dicernable; to indicate magnitude of effect. The wording was changed to more clearly indicate causality rather than magnitude of effect as is the convention in the standard English interpretation of "attributable".

HighlightCommented [A64]: Source: ML17170A089 Comment No. A40 Rationale: The word "attributable" is about causality and the word "discernable" is related to magnitude of effect. The term "not credible" means a suficently low probability (so that it need not be considered), not that it is imposible. Only if CCF is impossible can there be no attributable impact.