ML23132A164
Issue date: 05/31/2023
From: Kenny Nguyen, NRC/NRR/DEX/EEEB
Shared Package: ML23054A462
References: RG-1.152, Rev 4; DG-1374
Responses to Public Comments on Draft Regulatory Guide (DG)-1374, "Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants"
On March 10, 2023, the U.S. Nuclear Regulatory Commission (NRC) published a notice in the Federal Register (88 FR 14957) that DG-1374, proposed Revision 4 to Regulatory Guide (RG) 1.152, was available for public comment. The public comment period ended on April 10, 2023.
The NRC received comments from the organizations and individuals listed below. The NRC has combined the comments and NRC staff responses in this document.
- 1. Comment #1 From Nuclear Energy Institute (NEI), Agencywide Documents Access and Management System Accession No. ML23115A017, DG-1374 Section C1b(1)1.2.2
I am consolidating industry comments on DG-1374 to submit during the public comment period. Can you please clarify the intent of the criteria in Section C.b.1.2.2? Are these criteria intended to apply during the design and testing phases of the digital lifecycle? This will help us provide the appropriate feedback/comments.
NRC Response
The NRC staff understood this to be a request for clarification to assist in the development of comments on DG-1374. Therefore, the NRC staff provided the following clarification on March 23, 2023 (ML23115A017):
As stated in IEEE Std. 7-4.3.2-2016, if self-diagnostic functions are integrated into the safety system, these functions shall be subject to the same verification and validation (V&V) processes as the safety functions. This standard further states, in part, that for V&V, refer to IEEE Std. 1012-2012.
IEEE Std 1012 is a process standard that defines the V&V processes in terms of specific activities and related tasks. This standard states, in part, that the life cycle processes at the system, software, or hardware levels may be conducted in parallel for systems or system elements at the same level. The full set of life cycle processes (system, software, or hardware, as appropriate) is applied to each product. In the same way, system V&V is applied recursively for each system of the system of interest, and software or hardware V&V is applied to each system element.
DG-1374 (Revision of RG 1.152) endorses IEEE Std. 7-4.3.2-2016 with exceptions and clarifications. With regard to self-diagnostics criteria, DG-1374 provides clarification with supplemental guidance, including Section C1b(1)1.2.2. This supplemental guidance does not exclude any phase of the safety-related DI&C system life cycle, and therefore Section C1b(1)1.2.2 of DG-1374 should apply throughout the system life cycle.
No changes to DG-1374 were made as a result of this comment and response.
- 2. Comment #2 From NEI ML23115A015 DG-1374 Section C1b(1)1.2.1
NEI is concerned with the use of the term "independent" in this section. At some point, the WDT [watch dog timer] has to be tied to the software the WDT is protecting. As written, the document is not clear that any interface is allowed between the safety function and the WDT, which makes implementing a WDT that is directly tied to the safety function impossible.
Recommendation:
Replace: "A WDT used to detect lock-up conditions should be independent of..." with: "A WDT used to detect lock-up conditions should not be dependent on...."
NRC Response
The NRC staff agrees with the comment that the RG should be clarified on this point, but disagrees with the suggested revision.
Section C1b(1)1.2.1 of DG-1374 states, in part, "A WDT used to detect lock-up conditions should be independent of the microprocessor it is monitoring such that the WDT is not subject to the same failure condition as the microprocessor." The term "monitoring" indicates that an interface between the WDT and the microprocessor (PDD) is allowed. While the NRC staff disagrees with the proposed revision, the NRC staff acknowledges that the affected sentence should be clarified. To avoid confusion regarding the use of terms such as "independent" or "dependent," the affected sentence will be revised as follows:
A WDT used to detect lock-up conditions should not be susceptible to the same failure condition as the microprocessor it is monitoring.
- 3. Comment #3 From NEI ML23115A015 DG-1374 Sections C1b(1)1.2.2(e), C1b(1)1.2.3, and C1b(1)1.2.3(d)
The statement "The Self-diagnostic functions are verified during periodic functional tests" suggests that the faults that the self-diagnostic features are designed to detect must be periodically inserted during functional tests to verify correct operation of the self-diagnostic feature. Such tests are typically part of the original validation of the safety-related digital platform and cannot practically be performed later. Additionally, requiring that self-diagnostic functions be verified during periodic functional tests is (1) contrary to the goal of eliminating the periodic functional test and (2) is not the process approved by the NRC for the Vogtle 3&4 LAR (ML19297D159) crediting self-diagnostics to eliminate periodic functional testing.
The Vogtle 3&4 LAR instead allows for a number of different monitoring procedures outside the tech spec surveillance domain to ensure the self-diagnostics are functioning properly.
Recommendation:
Assuming that Section C.1.b(1)1.2.2 is intended to provide criteria during the system design, installation and testing phase and not operation and maintenance phase, C.1.b(1)1.2.2(e) should be worded as follows: "Self-diagnostic functions are verified during design activities."
If that assumption is incorrect, Section C.1.b(1)1.2.3(d) should be clarified to reconcile the different expectations in 1.2.2(e) and 1.2.3(d) and consider the precedence set by the Vogtle 3&4 LAR (ML19297D159).
NRC Response
The NRC staff partially agrees with the comment that the DG should be clarified because crediting self-diagnostics may be a basis for reducing or eliminating periodic functional tests, but disagrees with the proposed revision.
The guidance in Section C1b(1)1.2 is consistent with guidance in NRC Branch Technical Position (BTP) 7-17, which has been used by the NRC staff to review licensing applications, including the Vogtle 3 & 4 license amendment request (LAR).
The periodic functional tests of the self-diagnostic functions discussed in Section C1b(1)1.2.2(e) of DG-1374 are necessary to verify that these functions are working properly.
Further, as described in Section C1b(1)1.2.3(c), if self-diagnostics are credited, provisions are in place during operation to confirm the execution of the self-diagnostics as a means to verify that the self-diagnostic functions are working properly.
The NRC staff agrees that if the self-diagnostics are credited, then these periodic functional tests could be reduced or eliminated as discussed in Section C1b(1)1.2.3. To clarify the NRC staff position, DG-1374 will be revised to read:
1.2.3 Self-diagnostics could be credited, on an application-specific basis, to either reduce or eliminate the channel operability tests, provided 1.2.2(a), 1.2.2(b), 1.2.2(c), 1.2.2(d), and 1.2.2(e) and the following criteria are met:
- 4. Comment #4 From NEI ML23115A015 DG-1374 Section C1b(1)1.2.2(d)
Self-diagnostic features do add complexity; however, it adds reliability and fault detection into designs which is a reasonable trade-off. The design intent is to minimize the added complexity while maximizing the system reliability and fault detection capabilities.
Recommendation:
Reword as follows: Self-diagnostic features should minimize complexity to the safety-related system to the degree practical
NRC Response
The NRC staff agrees with the comment.
The affected sentence will be revised to read:
(d) The design of self-diagnostic features should minimize complexity added to the safety-related system while maximizing the system reliability and fault detection capabilities.
- 5. Comment #5 From NEI ML23115A015 DG-1374 Section C1b(1)1.2.1
This section [C.1.b(1)1.2.1] states that "A WDT used to detect lock-up conditions should be independent of the microprocessor it is monitoring such that the WDT is not subject to the same failure condition as the microprocessor." The use of the term microprocessor is inconsistent with the remainder of the Regulatory Guide and IEEE 7-4.3.2-2016.
Recommendation:
Throughout, the RG should use the term programmable digital device (PDD) instead of microprocessor to maintain consistency with the rest of the Regulatory Guide and IEEE 7-4.3.2-2016.
NRC Response
The NRC staff agrees with the comment that clarification regarding the terms microprocessor and PDD is appropriate, but not that the term microprocessor is incorrect in Section C.1.b(1)1.2.1.
The lock-up detection function of the WDT is used specifically for microprocessors and not for all PDDs. Therefore, within this context, the use of the term microprocessor in Section C1b(1)1.2.1 of DG-1374 is appropriate. However, the following statement will be added to Section C1b(1)1.2.1 for clarity:
For digital safety systems, the lock-up detection function of the WDT is used specifically for microprocessor-based devices and not for all PDDs.
- 6. Comment #6 From NEI ML23115A015 DG-1374 Section C1b(1)1.2.1
The wording in the last sentence of this section is too prescriptive and technology specific.
The counter, reset, time-out, and fail-safe functions are technology specific and do not reflect the functions used by some WDT technologies.
Recommendation:
Replace counter, reset, time-out, and fail-safe functions with function.
NRC Response
The NRC staff agrees with the comment that the RG should be revised on this point, but disagrees with the suggested revision because the listed functions are valid examples.
The affected sentence will be revised to read:
One approach the NRC staff finds acceptable for implementing a WDT is to use a hardware-based device to perform the WDT functions (e.g., counter, reset, time-out, and fail-safe).
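To illustrate the point running through Comments #2, #5 and #6, that a WDT must not share the failure condition of the microprocessor it monitors, the following is an added C model, not code from the RG, from IEEE Std 7-4.3.2 or from any licensee design. It places a hardware WDT with the counter, reset, time-out and fail-safe functions beside a software WDT hosted on the monitored processor; the 5-tick time-out and the two lock-up conditions are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WDT_TIMEOUT_TICKS 5   /* assumed time-out, in WDT clock ticks */

/* Two lock-up conditions of the monitored microprocessor (assumed for the model). */
typedef enum { CPU_OK, LOCKUP_MAIN_LOOP, LOCKUP_HALT } cpu_state_t;
/* Hardware WDT: counter, reset (kick), time-out and fail-safe functions,
 * driven by its own clock so a halted CPU cannot stop it. */
typedef struct { uint32_t counter; bool fail_safe; } hw_wdt_t;

static void hw_wdt_kick(hw_wdt_t *w) { w->counter = 0; }  /* reset function */
static void hw_wdt_tick(hw_wdt_t *w) {                      /* counter + time-out */
    if (!w->fail_safe && ++w->counter >= WDT_TIMEOUT_TICKS)
        w->fail_safe = true;                                /* fail-safe output */
}
/* Microprocessor model whose software WDT lives in a timer ISR on the same CPU. */
typedef struct {
    cpu_state_t state;
    bool        loop_alive;    /* set by the main loop, cleared by the ISR */
    uint32_t    sw_counter;    /* software WDT counter, in this CPU's RAM */
    bool        sw_fail_safe;
} cpu_t;

static void cpu_cycle(cpu_t *c, hw_wdt_t *hw) {
    if (c->state == LOCKUP_HALT) return;   /* nothing executes: neither main loop nor ISR */
    if (c->state == CPU_OK) {              /* main loop: do work, then kick both watchdogs */
        c->loop_alive = true;
        hw_wdt_kick(hw);
    }
    /* timer ISR: still runs when only the main loop is stuck */
    if (c->loop_alive) { c->sw_counter = 0; c->loop_alive = false; }
    else if (++c->sw_counter >= WDT_TIMEOUT_TICKS) c->sw_fail_safe = true;
}

typedef struct { int hw_tick; int sw_tick; } detect_t;   /* -1 = never detected */
/* Run `ticks` clock periods; the CPU enters `fault` at tick `fault_at`
 * (negative = never). Returns the tick at which each WDT asserted fail-safe. */
detect_t simulate(int ticks, int fault_at, cpu_state_t fault) {
    hw_wdt_t hw = {0, false};
    cpu_t cpu = {CPU_OK, false, 0, false};
    detect_t d = {-1, -1};
    for (int t = 0; t < ticks; t++) {
        if (t == fault_at) cpu.state = fault;
        cpu_cycle(&cpu, &hw);
        hw_wdt_tick(&hw);              /* WDT clock advances regardless of CPU state */
        if (hw.fail_safe && d.hw_tick < 0) d.hw_tick = t;
        if (cpu.sw_fail_safe && d.sw_tick < 0) d.sw_tick = t;
    }
    return d;
}

int main(void) {
    detect_t a = simulate(20, 3, LOCKUP_MAIN_LOOP), b = simulate(20, 3, LOCKUP_HALT);
    printf("main-loop hang: hw WDT tick %d, sw WDT tick %d\n", a.hw_tick, a.sw_tick);
    printf("processor halt: hw WDT tick %d, sw WDT tick %d\n", b.hw_tick, b.sw_tick);
    return 0;
}
```

Only the independently clocked hardware WDT asserts fail-safe when the processor halts; the on-processor software WDT catches a stuck main loop but stops along with the processor it was meant to monitor.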
- 7. Comment #7 From NEI ML23115A015 DG-1374 Section A, Related Guidance, second bullet
SECY-22-0076 is under evaluation to provide a more risk-informed approach to software common cause failure. Including "Rev. 8" appears to tie this RG to the existing BTP, with no potential for using a later version. Other guidance referenced in this standard does not specify a specific revision (e.g., Regulatory Guide 5.71).
Recommendation:
Delete "(Rev. 8)" from the text OR replace with "(Rev. 8 or later)"
NRC Response
The NRC staff disagrees with the comment.
Not all earlier revisions of BTP 7-19 address CCF or digital I&C issues, and it would therefore be inappropriate to reference those revisions (by not specifying the specific revision) in this RG. The staff is referencing Revision 8 in the RG because it is the most relevant revision, which specifically addresses CCF, not because the particular revision number has any significance on the guidance provided in RG 1.152. BTP 7-19 provides review guidance to the NRC staff, and the NRC staff will apply the latest revision available for its review, consistent with NRC staff review procedures. Nothing in the RG would preclude the application of any earlier or later version of BTP 7-19 or any other staff review guidance if appropriate.
- 8. Comment #8 From NEI ML23115A015 DG-1374 Section B, Background, third paragraph
The name of WG 6.4 appears to be the IEEE standard, which is not correct.
Recommendation:
Replace the whole sentence with: IEEE Nuclear Power Engineering Committee (NPEC), Sub-Committee 6, Working Group 6.4 prepared IEEE Std 7-4.3.2-2016, Application of Programmable Digital Devices to Safety Systems of Nuclear Power Generating Stations.
NRC Response
The NRC staff agrees with the comment.
The affected sentence will be revised to read:
IEEE Nuclear Power Engineering Committee, Subcommittee 6, Working Group 6.4, Application of Programmable Digital Devices to Safety Systems of Nuclear Power Generating Stations, prepared IEEE Std 7-4.3.2-2016.
- 9. Comment #9 From NEI ML23115A015 DG-1374 Section B Discussion, Background, Consideration of International Standards
The statement is made that No relevant international standards related to promoting high functional reliability, design quality, and a SDOE for the use of PDDs in the safety-related systems of nuclear power generating stations were identified. There are, in fact, many international standards that address these topics. NEI is not suggesting that these other standards are included; however, this statement is misleading.
Recommendation:
The purpose of IEC 60880, IEC 61226, IEC 61513, IEC 62138, IEC 62566, and a string of IAEA reports, including NP-3.17, IAEA NP-3.27, IAEA SSG-38, IAEA SSG-39, IAEA SSR-2, and others is to provide detailed guidance for software development for reliability, dependability, and safety. There are additional international reports for cyber security, which equates to SDOE in this RG. NEI is not suggesting including these international standards as part of Reg. Guide 1.152.
NRC Response
The NRC staff agrees with the comment. The staff overlooked some international standards during the development of the draft guide DG-1374. After receiving the comment, the staff reviewed the recommended standards. The affected section of the DG will be revised to include international standards that contain relevant information related to the topics of this DG as follows:
Consideration of International Standards
The international organizations (e.g., International Atomic Energy Agency (IAEA) and International Electrotechnical Commission (IEC)) collaborate with member states and other partners to promote the safe, secure, and peaceful use of nuclear technologies. In particular, the IAEA develops Safety Requirements and Safety Guides for protecting people and the environment from the harmful effects of ionizing radiation.
This system of safety fundamentals, safety requirements, safety guides, and other relevant reports reflects an international perspective on what constitutes a high level of safety. To inform its development of this RG, the NRC considered IAEA Safety Requirements and Safety Guides and other international standards pursuant to the Commission's International Policy Statement (Ref. 19) and Management Directive and Handbook 6.6, "Regulatory Guides" (Ref. 20). The following international standards were considered in the development of this RG:
- IAEA Specific Safety Requirements SSR-2/1, Safety of Nuclear Power Plants: Design (Ref. 21)
- IAEA Specific Safety Guide SSG-39, Design of Instrumentation and Control Systems for Nuclear Power Plants (Ref. 22)
- IEC Standard 60671, Nuclear power plants - Instrumentation and Control Systems Important to Safety - Surveillance Testing (Ref. 23)
- IEC Standard 60880, Nuclear power plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions (Ref. 24)
- IEC Standard 62340, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Requirements for Coping with Common Cause Failure (CCF) (Ref. 25)
- IEC Standard 62566, Nuclear power plants - Instrumentation and control important to safety - Development of HDL [hardware description language]-programmed integrated circuits for systems performing category A functions (Ref. 26)
Although the NRC has an interest in facilitating the harmonization of standards used domestically and internationally, for the purpose of this RG, the agency does not specifically endorse the international standards listed above.
- 10. Comment #10 From X-energy ML23115A016 DG-1374 Section A, Related Guidance, Second bullet
As NRC policy (SECY-22-0076) for a risk-informed approach to software common cause failure evaluation is currently under consideration, reference to a specific revision of BTP 7-19 seems to exclude the use of potential future guidance reflecting updated policy.
NRC Response
See the response to Comment #7.
- 11. Comment #11 From X-energy ML23115A016 DG-1374 Section B, Consideration of International Standards
This section states: "No relevant international standards related to promoting high functional reliability, design quality, and a SDOE for the use of PDDs in the safety-related systems of nuclear power generating stations were identified." The following international standards provide guidance on reliability and design quality of PDDs: IEC 60880, IEC 61226, IEC 61513, IEC 62138, IEC 62340, IEC 62566. The following international standards provide guidance on cyber security, which is relevant to SDOEs for PDDs: IEC 62645, IEC 63096 and IEC 62859.
NRC Response
See the response to Comment #9.
- 12. Comment #12 From X-energy ML23115A016 Section C1b(2)2.1.1
This section states: unless all safety functions associated with that processor are either bypassed or not in service.
Recommendation:
Change to: unless all safety functions associated with that processor are either bypassed, in partial trip, or not in service.
NRC Response
The NRC staff agrees with the comment that the sentence should be clarified, but not with the recommended edit. The affected sentence will be revised to read:
Provisions for interdivisional communication should be included to prevent the ability to send software instructions to a safety function processor that could adversely impact the processor's functionality unless all safety functions associated with that processor are either bypassed, in a trip state, or not in service.
The revision of the affected sentence does not include the term "partial trip" because the term is used differently in various designs/technologies (e.g., partial functional trip, channel trip, etc.). Further, while it is in the trip state, the affected channel would not be adversely impacted by software instructions coming from other divisions that may prevent the initiation of a safety function, since that channel has already accomplished its safety function.
- 13. Comment #13 From X-energy ML23115A016 Section C1b(4)
This section in the Draft RG should also acknowledge and endorse the NEI 18-04, TI-RIPB [technology-inclusive, risk-informed, and performance-based] methodology whereas advanced non-LWRs [light water reactors] will employ a diverse combination of inherent, passive, and active design features to perform the required safety functions across layers of defense, and will be subjected to an evaluation of DID adequacy also as a means to address diversity and defense-in-depth (in addition to BTP 7-19).
Recommendation:
Include the TI-RIPB as a means to address diversity and defense-in depth in addition to BTP 7-19 for advanced non-LWRs.
NRC Response
The NRC staff disagrees with the comment because this RG is not an appropriate place to endorse such guidance, and such endorsement is not within the scope of the revisions proposed in DG-1374.
The scope of DG-1374 is to endorse, with some exceptions and clarifications, Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 7-4.3.2-2016, "IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations." Endorsing Nuclear Energy Institute (NEI) 18-04 or any other standard/guidance is beyond the scope of this draft guide. Furthermore, RG 1.233, "Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors," already endorses NEI 18-04.
No changes to DG-1374 were made as a result of this comment.