ML23132A164

| Field | Value |
|---|---|
| Issue date | 05/31/2023 |
| From | Kenny Nguyen, NRC/NRR/DEX/EEEB |
| Shared Package | ML23054A462 |
| References | RG-1.152, Rev 4; DG-1374 |
Responses to Public Comments on Draft Regulatory Guide (DG)-1374, Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants
On March 10, 2023, the U.S. Nuclear Regulatory Commission (NRC) published a notice in the Federal Register (88 FR 14957) that DG-1374, proposed Revision 4 to Regulatory Guide (RG) 1.152, was available for public comment. The public comment period ended on April 10, 2023.
The NRC received comments from the organizations and individuals listed below. The NRC has combined the comments and NRC staff responses in this document.
- 1. Comment #1 From Nuclear Energy Institute (NEI), Agencywide Documents Access and Management System Accession No. ML23115A017, DG-1374 Section C1b(1)1.2.2
I am consolidating industry comments on DG-1374 to submit during the public comment period. Can you please clarify the intent of the criteria in Section C.b.1.2.2? Are these criteria intended to apply during the design and testing phases of the digital lifecycle? This will help us provide the appropriate feedback/comments.
NRC Response
The NRC staff understood this to be a request for clarification to assist in the development of comments on DG-1374. Therefore, the NRC staff provided the following clarification on March 23, 2023 (ML23115A017):
As stated in IEEE Std. 7-4.3.2-2016, if self-diagnostic functions are integrated into the safety system, these functions shall be subject to the same verification and validation (V&V) processes as the safety functions. This standard further states, in part, that for V&V refer to IEEE Std. 1012-2012.
IEEE Std 1012 is a process standard that defines the V&V processes in terms of specific activities and related tasks. This standard states, in part, that the life cycle processes at the system, software, or hardware levels may be conducted in parallel for systems or system elements at the same level. The full set of life cycle processes (system, software, or hardware, as appropriate) are applied to each product. In the same way, system V&V is applied recursively for each system of the system of interest, and software or hardware V&V is applied to each system element.
DG-1374 (Revision of RG 1.152) endorses IEEE Std. 7-4.3.2-2016 with exceptions and clarifications. With regard to self-diagnostics criteria, DG-1374 provides clarification with supplemental guidance, including Section C1b(1)1.2.2. This supplemental guidance does not exclude any phase of the safety-related DI&C systems lifecycle, and therefore Section C1b(1)1.2.2 of DG-1374 should apply throughout the system lifecycle.
No changes to DG-1374 were made as a result of this comment and response.
- 2. Comment #2 From NEI, Accession No. ML23115A015, DG-1374 Section C1b(1)1.2.1
NEI is concerned with the use of the term "independent" in this section. At some point, the WDT [watchdog timer] has to be tied to the software the WDT is protecting. As written, the document is not clear that any interface is allowed between the safety function and the WDT, which makes implementing a WDT that is directly tied to the safety function impossible.
Recommendation:
Replace: "A WDT used to detect lock-up conditions should be independent of..." with: "A WDT used to detect lock-up conditions should not be dependent on...."
NRC Response
The NRC staff agrees with the comment that the RG should be clarified on this point, but disagrees with the suggested revision.
Section C1b(1)1.2.1 of DG-1374 states, in part, "A WDT used to detect lock-up conditions should be independent of the microprocessor it is monitoring such that the WDT is not subject to the same failure condition as the microprocessor." The term "monitoring" indicates that the interface between the WDT and the microprocessor (PDD) is allowed. While the NRC staff disagrees with the proposed revision, the NRC staff acknowledges that the affected sentence should be clarified. To avoid confusion regarding the use of terms such as "independent" or "dependent", the affected sentence will be revised as follows (deletions struck through, insertions in bold):
A WDT used to detect lock-up conditions should **not** be ~~independent of the microprocessor it is monitoring such that the WDT is not~~ **susceptible** ~~subject~~ to the same failure condition as the microprocessor **it is monitoring**.
- 3. Comment #3 From NEI, Accession No. ML23115A015, DG-1374 Sections C1b(1)1.2.2(e), C1b(1)1.2.3, and C1b(1)1.2.3(d)
The statement "The Self-diagnostic functions are verified during periodic functional tests" suggests that the faults that the self-diagnostic features are designed to detect must be periodically inserted during functional tests to verify correct operation of the self-diagnostic feature. Such tests are typically part of the original validation of the safety-related digital platform and cannot practically be performed later. Additionally, requiring that self-diagnostic functions be verified during periodic functional tests (1) is contrary to the goal of eliminating the periodic functional test and (2) is not the process approved by the NRC for the Vogtle 3&4 LAR (ML19297D159) crediting self-diagnostics to eliminate periodic functional testing.
The Vogtle 3&4 LAR instead allows for a number of different monitoring procedures outside the tech spec surveillance domain to ensure the self-diagnostics are functioning properly.
Recommendation:
Assuming that Section C.1.b(1)1.2.2 is intended to provide criteria during the system design, installation and testing phase and not operation and maintenance phase, C.1.b(1)1.2.2(e) should be worded as follows: "Self-diagnostic functions are verified during design activities."
If that assumption is incorrect, Section C.1.b(1)1.2.3(d) should be clarified to reconcile the different expectations in 1.2.2(e) and 1.2.3(d) and consider the precedence set by the Vogtle 3&4 LAR (ML19297D159).
NRC Response
The NRC staff partially agrees with the comment that the DG should be clarified because crediting self-diagnostics may be a basis for reducing or eliminating periodic functional tests, but disagrees with the proposed revision.
The guidance in Section C1b(1)1.2 is consistent with guidance in the NRC Branch Technical Position (BTP) 7-17, which has been used by the NRC staff to review licensing applications, including the Vogtle 3 & 4 license amendment request (LAR).
The periodic functional tests of the self-diagnostic functions discussed in Section C1b(1)1.2.2(e) of DG-1374 are necessary to verify that these functions are working properly.
Further, as described in Section C1b(1)1.2.3(c), if self-diagnostics are credited, provisions are in place during operation to confirm the execution of the self-diagnostics as a means to verify that the self-diagnostic functions are working properly.
The NRC staff agrees that if the self-diagnostic is credited, then these periodic functional tests could be reduced or eliminated as discussed in Section C1b(1)1.2.3. To clarify the NRC staff position, DG-1374 will be revised to read (deletions struck through, insertions in bold):
1.2.3 Self-diagnostics could be credited, on an application-specific basis, to either reduce or eliminate the channel operability tests, provided 1.2.2(a), 1.2.2(b), 1.2.2(c), ~~and~~ 1.2.2(d), **and 1.2.2(e)** and the following criteria are met:
- 4. Comment #4 From NEI, Accession No. ML23115A015, DG-1374 Section C1b(1)1.2.2(d)
Self-diagnostic features do add complexity; however, it adds reliability and fault detection into designs which is a reasonable trade-off. The design intent is to minimize the added complexity while maximizing the system reliability and fault detection capabilities.
Recommendation:
Reword as follows: "Self-diagnostic features should minimize complexity to the safety-related system to the degree practical."
NRC Response
The NRC staff agrees with the comment.
The affected sentence will be revised to read (deletions struck through, insertions in bold):
(d) **The design of s**~~S~~elf-diagnostic features ~~do not add complexity to the safety-related system.~~ **should minimize complexity added to the safety-related system while maximizing the system reliability and fault detection capabilities.**
- 5. Comment #5 From NEI, Accession No. ML23115A015, DG-1374 Section C1b(1)1.2.1
This section [C.1.b(1)1.2.1] states that "A WDT used to detect lock-up conditions should be independent of the microprocessor it is monitoring such that the WDT is not subject to the same failure condition as the microprocessor." The use of the term microprocessor is inconsistent with the remainder of the Regulatory Guide and IEEE 7-4.3.2-2016.
Recommendation:
Throughout, the RG should use the term programmable digital device (PDD) instead of microprocessor to maintain consistency with the rest of the Regulatory Guide and IEEE 7-4.3.2-2016.
NRC Response
The NRC staff agrees with the comment that clarification regarding the terms microprocessor and PDD is appropriate, but not that the term microprocessor is incorrect in Section C.1.b(1)1.2.1.
The lock-up detection function of the WDT is used specifically for microprocessors and not for all PDDs. Therefore, within this context, the use of the term microprocessor in Section C1b(1)1.2.1 of DG-1374 is appropriate. However, the following statement will be added to Section C1b(1)1.2.1 for clarity:
For digital safety systems, the lock-up detection function of the WDT is used specifically for microprocessor-based devices and not for all PDDs.
- 6. Comment #6 From NEI, Accession No. ML23115A015, DG-1374 Section C1b(1)1.2.1
The wording in the last sentence of this section is too prescriptive and technology specific.
The counter, reset, time-out, and fail-safe functions are technology specific and do not reflect the functions used by some WDT technologies.
Recommendation:
Replace counter, reset, time-out, and fail-safe functions with function.
NRC Response
The NRC staff agrees with the comment that the RG should be revised on this point, but disagrees with the suggested revision because the listed functions are valid examples.
The affected sentence will be revised to read (deletions struck through, insertions in bold):
One approach the NRC staff finds acceptable for implementing a WDT is to use a hardware-based device to perform the WDT **functions (e.g.,** counter, reset, time-out, and fail-safe**)** ~~functions~~.
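As an added illustration of the point made in the responses to Comments #2 and #6 (this is not text or code from DG-1374, the NRC, or NEI), the following C simulation models a WDT whose counter, reset, time-out and fail-safe functions are held in hardware outside the monitored microprocessor, beside a software WDT serviced by that same microprocessor; all names and timing values are constructed for the example.

```c
/* Added simulation (not from DG-1374, the NRC, or NEI): a hardware WDT whose
 * counter, time-out and fail-safe logic sit outside the monitored processor,
 * beside a software WDT serviced by that same processor. Values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#define WDT_TIMEOUT_TICKS 5   /* time-out window, in independent clock ticks */

struct wdt {
    int  counter;     /* counter function: clock ticks since the last reset */
    bool fail_safe;   /* fail-safe function: latched when the window expires */
};

/* Reset function: the application loop calls this once per completed cycle. */
static void wdt_reset(struct wdt *w) { w->counter = 0; }

/* Time-out function: count each clock edge; latch fail-safe when the window expires. */
static void wdt_tick(struct wdt *w) {
    if (++w->counter >= WDT_TIMEOUT_TICKS)
        w->fail_safe = true;
}

struct cpu {
    bool       locked_up;  /* true once the processor stops executing */
    struct wdt sw_wdt;     /* software WDT: ticked from this CPU's own timer ISR */
};

/* One scheduler period on the monitored processor. A locked-up CPU executes
 * nothing: no timer ISR, no safety-function cycle, no kick of either WDT. */
static void cpu_step(struct cpu *c, struct wdt *hw_wdt) {
    if (c->locked_up)
        return;
    wdt_tick(&c->sw_wdt);    /* timer ISR on the same core advances the SW WDT */
    /* ... safety function executes here ... */
    wdt_reset(&c->sw_wdt);   /* end-of-cycle kick, software WDT */
    wdt_reset(hw_wdt);       /* end-of-cycle kick, hardware WDT (e.g. GPIO pulse) */
}

/* Run `ticks` periods, locking the CPU up at period `lockup_at` (-1: never).
 * Returns the period in which the selected WDT asserts fail-safe, or -1. */
int simulate(int ticks, int lockup_at, bool use_hw_wdt) {
    struct cpu c  = { false, { 0, false } };
    struct wdt hw = { 0, false };
    for (int t = 0; t < ticks; t++) {
        if (t == lockup_at)
            c.locked_up = true;
        wdt_tick(&hw);       /* hardware clock: advances whatever the CPU does */
        cpu_step(&c, &hw);
        if (use_hw_wdt ? hw.fail_safe : c.sw_wdt.fail_safe)
            return t;
    }
    return -1;               /* no fail-safe action within the run */
}

int main(void) {
    printf("hardware WDT fail-safe at period %d\n", simulate(50, 10, true));
    printf("software WDT fail-safe at period %d\n", simulate(50, 10, false));
    return 0;
}
```

The software WDT's time-out logic stops together with the processor it runs on, so it never asserts fail-safe; the hardware WDT, clocked independently, does so WDT_TIMEOUT_TICKS periods after the last kick.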
- 7. Comment #7 From NEI, Accession No. ML23115A015, DG-1374 Section A, Related Guidance, second bullet
SECY-22-0076 is under evaluation to provide a more risk-informed approach to software common cause failure. Including "Rev. 8" appears to tie this RG to the existing BTP, with no potential for using a later version. Other guidance referenced in this standard does not specify a specific revision (e.g., Regulatory Guide 5.71).
Recommendation:
Delete "(Rev. 8)" from the text OR replace with "(Rev. 8 or later)"
NRC Response
The NRC staff disagrees with the comment.
Not all earlier revisions of BTP-7-19 address CCF or digital I&C issues, and it would therefore be inappropriate to reference those revisions (by not specifying the specific revision) in this RG. The staff is referencing revision 8 in the RG because it is the most relevant revision, which specifically addresses CCF, not because the particular revision number has any significance on the guidance provided in RG 1.152. BTP-7-19 provides review guidance to the NRC staff and the NRC staff will apply the latest revision available for its review, consistent with NRC staff review procedures. Nothing in the RG would preclude the application of any earlier or later version of BTP 7-19 or any other staff review guidance if appropriate.
- 8. Comment #8 From NEI, Accession No. ML23115A015, DG-1374 Section B, Background, third paragraph
The name of WG 6.4 appears to be the IEEE standard, which is not correct.
Recommendation:
Replace the whole sentence with: "IEEE Nuclear Power Engineering Committee (NPEC), Sub-Committee 6, Working Group 6.4 prepared IEEE Std 7-4.3.2-2016, Application of Programmable Digital Devices to Safety Systems of Nuclear Power Generating Stations."
NRC Response
The NRC staff agrees with the comment.
The affected sentence will be revised to read (deletions struck through, insertions in bold):
**IEEE Nuclear Power Engineering Committee, Subcommittee 6,** Working Group ~~Subcommittee~~ 6.4, Application of Programmable Digital Devices to Safety Systems of Nuclear Power Generating Stations, ~~of the IEEE Nuclear Power Engineering Committee~~ prepared IEEE Std 7-4.3.2-2016.
- 9. Comment #9 From NEI, Accession No. ML23115A015, DG-1374 Section B Discussion, Background, Consideration of International Standards
The statement is made that "No relevant international standards related to promoting high functional reliability, design quality, and a SDOE for the use of PDDs in the safety-related systems of nuclear power generating stations were identified." There are, in fact, many international standards that address these topics. NEI is not suggesting that these other standards are included; however, this statement is misleading.
Recommendation:
The purpose of IEC 60880, IEC 61226, IEC 61513, IEC 62138, IEC 62566, and a string of IAEA reports, including NP-3.17, IAEA NP-3.27, IAEA SSG-38, IAEA SSG-39, IAEA SSR-2, and others is to provide detailed guidance for software development for reliability, dependability, and safety. There are additional international reports for cyber security, which equates to SDOE in this RG. NEI is not suggesting including these international standards as part of Reg. Guide 1.152.
NRC Response
The NRC staff agrees with the comment. The staff overlooked some international standards during the development of the draft guide DG-1374. After receiving the comment, the staff reviewed the recommended standards. The affected section of the DG will be revised to include international standards that contain relevant information related to the topics of this DG as follows (deletions struck through, insertions in bold):
Consideration of International Standards
The international organizations (e.g., International Atomic Energy Agency (IAEA) and International Electrotechnical Commission (IEC)) ~~works~~ **collaborate** with member states and other partners to promote the safe, secure, and peaceful use of nuclear technologies. **In particular,** the IAEA develops Safety Requirements and Safety Guides for protecting people and the environment from the harmful effects of ionizing radiation. This system of safety fundamentals, safety requirements, safety guides, and other relevant reports reflects an international perspective on what constitutes a high level of safety. To inform its development of this RG, the NRC considered IAEA Safety Requirements and Safety Guides and other international standards pursuant to the Commission's International Policy Statement (Ref. 19) and Management Directive and Handbook 6.6, Regulatory Guides (Ref. 20). ~~No relevant international standards related to promoting high functional reliability, design quality, and a SDOE for the use of PDDs in the safety-related systems of nuclear power generating stations were identified.~~ **The following international standards were considered in the development of this RG:**
- IAEA Specific Safety Requirements SSR-2/1, Safety of Nuclear Power Plants: Design (Ref. 21)
- IAEA Specific Safety Guide SSG-39, Design of Instrumentation and Control Systems for Nuclear Power Plants (Ref. 22)
- IEC Standard 60671, Nuclear power plants - Instrumentation and Control Systems Important to Safety - Surveillance Testing (Ref. 23)
- IEC Standard 60880, Nuclear power plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions (Ref. 24)
- IEC Standard 62340, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Requirements for Coping with Common Cause Failure (CCF) (Ref. 25)
- IEC Standard 62566, Nuclear power plants - Instrumentation and control important to safety - Development of HDL [hardware description language]-programmed integrated circuits for systems performing category A functions (Ref. 26)
Although the NRC has an interest in facilitating the harmonization of standards used domestically and internationally, for the purpose of this RG, the agency does not specifically endorse the international standards listed above.
- 10. Comment #10 From X-energy, Accession No. ML23115A016, DG-1374 Section A, Related Guidance, Second bullet
As NRC policy (SECY-22-0076) for a risk-informed approach to software common cause failure evaluation is currently under consideration, reference to a specific revision of BTP 7-19 seems to exclude the use of potential future guidance reflecting updated policy.
NRC Response
See the response to Comment #7.
- 11. Comment #11 From X-energy, Accession No. ML23115A016, DG-1374 Section B, Consideration of International Standards
This section states: "No relevant international standards related to promoting high functional reliability, design quality, and a SDOE for the use of PDDs in the safety-related systems of nuclear power generating stations were identified." The following international standards provide guidance on reliability and design quality of PDDs: IEC 60880, IEC 61226, IEC 61513, IEC 62138, IEC 62340, IEC 62566. The following international standards provide guidance on cyber security, which is relevant to SDOEs for PDDs: IEC 62645, IEC 63096 and IEC 62859.
NRC Response
See the response to Comment #9.
- 12. Comment #12 From X-energy, Accession No. ML23115A016, Section C1b(2)2.1.1
This section states: "unless all safety functions associated with that processor are either bypassed or not in service."
Recommendation:
Change to: unless all safety functions associated with that processor are either bypassed, in partial trip, or not in service.
NRC Response
The NRC staff agrees with the comment that the sentence should be clarified, but not with the recommended edit. The affected sentence will be revised to read (insertions in bold):
Provisions for interdivisional communication should be included to prevent the ability to send software instructions to a safety function processor that could adversely impact the processor's functionality unless all safety functions associated with that processor are either bypassed, **in a trip state,** or not in service.
The revision of the affected sentence does not include the term "partial trip" due to the term being used differently in various designs/technologies (e.g., partial functional trip, channel trip, etc.). Further, while it is in the trip state, the affected channel would not be adversely impacted by software instructions coming from other divisions that may prevent the initiation of a safety function, since that channel has already accomplished its safety function.
- 13. Comment #13 From X-energy, Accession No. ML23115A016, Section C1b(4)
This section in the Draft RG should also acknowledge and endorse the NEI 18-04, TI-RIPB [technology-inclusive, risk-informed, and performance-based] methodology, whereas advanced non-LWRs [light water reactors] will employ a diverse combination of inherent, passive, and active design features to perform the required safety functions across layers of defense, and will be subjected to an evaluation of DID adequacy also as a means to address diversity and defense-in-depth (in addition to BTP 7-19).
Recommendation:
Include the TI-RIPB as a means to address diversity and defense-in depth in addition to BTP 7-19 for advanced non-LWRs.
NRC Response
The NRC staff disagrees with the comment because this RG is not an appropriate place to endorse such guidance and such endorsement is not within the scope of the revisions proposed in DG-1374.
The scope of DG-1374 is to endorse, with some exceptions and clarifications, Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 7-4.3.2-2016, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations. Endorsing Nuclear Energy Institute (NEI) 18-04 or any other standard/guidance is beyond the scope of this draft guide. Furthermore, RG 1.233, Guidance for a Technology-Inclusive, Risk-Informed, and Performance-Based Methodology to Inform the Licensing Basis and Content of Applications for Licenses, Certifications, and Approvals for Non-Light Water Reactors, already endorses NEI 18-04.
No changes to DG-1374 were made as a result of this comment.