Text

NRR-DMPSPEm Resource From: FREGONESE, Victor <vxf@nei.org>

Sent: Wednesday, August 16, 2017 4:05 PM To: Morton, Wendell; Rahn, David

Subject:

[External_Sender] FW: NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)

Attachments: 08-16-17_NRC_NEI 17-XX-Industry-Comments-NEI-Cover Letter.pdf; 08-16-17

_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-General Comments_Attachment1.pdf; 08-16-17_NRC_NEI_17-xx-Consolidated Industry Comment-8-16-17-Editorial Comments_Attachment2.pdf; 08-17-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-Clarification Comments_Attachment3.pdf Vic Fregonese Senior Project Manager Nuclear Generation Division Nuclear Energy Institute 1201 F Street, NW, Suite 1100 Washington, DC 20004 www.nei.org M: 704-953-4544 E: vxf@nei.org From: HANSON, Jerud Sent: Wednesday, August 16, 2017 4:04 PM To: cindy.bladey@nrc.gov Cc: Jason.Drake@nrc.gov; john.lubinski@nrc.gov

Subject:

NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)

THE ATTACHMENT CONTAINS THE COMPLETE CONTENTS OF THE LETTER August 16, 2017 Ms. Cindy Bladey Mail Stop: TWFN-8 D 36M Office of Administration U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)

Project Number: 689

Dear Ms. Bladey:

1

The Nuclear Energy Institute (NEI)[1] and the industry appreciate the opportunity to provide integrated industry comments on the Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22. The purpose of this RIS is to clarify the NRCs endorsement of NEI 01-01 by providing additional guidance for preparing and documenting the qualitative assessment used to provide reasonable assurance that a digital modification will exhibit a low likelihood of failure, which is a key element in 10 CFR 50.59, Changes, tests and experiments, evaluations of whether the change requires prior NRC approval. This RIS supports our mutual interest in more efficient and effective licensing of digital upgrades across the operating fleet and we look forward to issuance in the third quarter of 2017. Our principal comments are included below and more detailed comments are presented in the attachments for consideration by the NRC staff.

We appreciated the opportunity to participate in a public meeting to conduct a tabletop exercise utilizing the draft RIS 2002-22 Supplement for Digital I&C upgrades at nuclear power reactor facilities under 10 CFR 50.59 on August 2, 2017. The draft RIS provided an effective framework for conducting digital upgrades within the scenarios that were demonstrated.

We appreciate the opportunity to comment on the Draft RIS. If you have any questions or require additional information, please contact me.

Sincerely, Jerud Hanson Senior Project Manager, Life Extension & New Technology Nuclear Energy Institute 1201 F Street N.W., Suite 1100 Washington, DC 20004 www.nei.org P: 202.739.8053 M: 202.497.2051 E: jeh@nei.org The link ed image cannot be display ed. The file may hav e been mov ed, renamed, or deleted. Verify that the link points to the correct file and location.

This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

2

Sent through www.intermedia.com

[1]

The Nuclear Energy Institute (NEI) is the organization responsible for establishing unified industry policy on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations and entities involved in the nuclear energy industry.

3

Hearing Identifier: NRR_DMPS Email Number: 185 Mail Envelope Properties (41207040FCA6A84984074E806C73D73EE20B13)

Subject:

[External_Sender] FW: NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)

Sent Date: 8/16/2017 4:05:06 PM Received Date: 8/16/2017 4:05:32 PM From: FREGONESE, Victor Created By: vxf@nei.org Recipients:

"Morton, Wendell" <Wendell.Morton@nrc.gov>

Tracking Status: None "Rahn, David" <David.Rahn@nrc.gov>

Tracking Status: None Post Office: mbx023-e1-nj-2.exch023.domain.local Files Size Date & Time MESSAGE 4366 8/16/2017 4:05:32 PM 08-16-17_NRC_NEI 17-XX-Industry-Comments-NEI-Cover Letter.pdf 54333 08-16-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-General Comments_Attachment1.pdf 74548 08-16-17_NRC_NEI_17-xx-Consolidated Industry Comment-8-16-17-Editorial Comments_Attachment2.pdf 105134 08-17-17_NRC_NEI 17-xx-Consolidated Industry Comment-8-16-17-Clarification Comments_Attachment3.pdf 206858 Options Priority: Standard Return Notification: No Reply Requested: No Sensitivity: Normal Expiration Date:

Recipients Received:

JERUD E. HANSON Senior Project Manager, Life Extension & New Technology 1201 F Street, NW, Suite 1100 Washington, DC 20004 P: 202.739.8053 jeh@nei.org nei.org August 16, 2017 Ms. Cindy Bladey Mail Stop: TWFN-8 D 36M Office of Administration U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

NRC Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22 (Docket ID: NRC-2017-0154)

Project Number: 689

Dear Ms. Bladey:

The Nuclear Energy Institute (NEI) 1 and the industry appreciate the opportunity to provide integrated industry comments on the Draft Regulatory Issue Summary 2017-XX Supplement to RIS 2002-22. The purpose of this RIS is to clarify the NRCs endorsement of NEI 01-01 by providing additional guidance for preparing and documenting the qualitative assessment used to provide reasonable assurance that a digital modification will exhibit a low likelihood of failure, which is a key element in 10 CFR 50.59, Changes, tests and experiments, evaluations of whether the change requires prior NRC approval. This RIS supports our mutual interest in more efficient and effective licensing of digital upgrades across the operating fleet and we look forward to issuance in the third quarter of 2017. Our principal comments are included below and more detailed comments are presented in the attachments for consideration by the NRC staff.

We appreciated the opportunity to participate in a public meeting to conduct a tabletop exercise utilizing the draft RIS 2002-22 Supplement for Digital I&C upgrades at nuclear power reactor facilities under 10 CFR 50.59 on August 2, 2017. The draft RIS provided an effective framework for conducting digital upgrades within the scenarios that were demonstrated.

1 The Nuclear Energy Institute (NEI) is the organization responsible for establishing unified industry policy on matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEI's members include all entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect/engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations and entities involved in the nuclear energy industry.

Ms. Bladey August 16, 2017 Page 2 Application to safety-related systems The scope of the RIS and attachment should be clearly stated as intended to be used for safety-related systems only. It should be clear that the RIS could, or might be used as guidance for non-safety related upgrades only if desired by licensees. Therefore, industry requests that the RIS should provide sufficient clarity to avoid an interpretation that it is viewed as mandatory for non-safety related systems. Comment

1. 1 within attachment #1, provides suggestions to address this point.

Impact on digital system common cause failure The draft RIS is characterized as a means to allow for low risk (non-protection systems) changes to safety systems to go forward under 50.59, but there is no discussion of risk considerations. Instead, it includes a recommended level of rigor for the engineering evaluations needed to support the 50.59 process without providing any assurance that these will be accepted for low risk systems. These low risk systems have been incorrectly included in the current NRC staff position on common cause failure (CCF) policy, due to changes over time to Branch Technical Position (BTP) 7-19. It should be clearly stated how the RIS impacts the current NRC policy/position that addresses digital system CCF. Comment #2 within attachment #1, provides suggestions to address this point.

Application to non-power reactors This RIS should be applicable to include non-power reactors (NPRs). Relevant guidance contained within NEI 96-07 and RG 1.187 is applicable to NPRs, and digital upgrades at NPRs should be addressed within this RIS. Comment #3 within attachment #1, provides suggestions to address this point.

We appreciate the opportunity to comment on the Draft RIS. If you have any questions or require additional information, please contact me.

Sincerely, Jerud E. Hanson Attachments c: John W. Lubinski, NRR, DE c: Jason Drake, NRR, DE

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - General Comments Comment No. Section/Page # Industry Comment Recommended Change

1. General The scope of the RIS and attachment needs to be limited to safety-related Clearly state the applicability of the RIS and systems only. attachment is intended to be used for safety It should be very clear that the RIS could, or might be used as guidance for related systems only.

non-safety related upgrades if desired. The RIS should provide sufficient clarity to avoid an interpretation that it is to be viewed as mandatory for non-safety related systems.

2. General The Draft RIS was characterized as a means to allow for low risk (non Describe how the RIS impacts the current protection systems) changes to safety systems to go forward in 50.59, but NRC policy/position documents that address there is no mention of any sort of risk considerations in the Draft RIS. digital system CCF, such that end users of Instead it mainly provides a recommended level of rigor for the engineering the RIS are clear how, or if, other NRC CCF evaluations needed to support the 50.59 without providing any assurance policy/position documents apply to the that these will be accepted for low risk systems that have been incorrectly activities within the scope of the RIS.

pulled into the CCF policy due to changes to BTP 7-19. Nowhere in this RIS is a statement on scope of the policy on CCF, in fact it seems to reinforce the current content of BTP 7-19 into not only safety related components but non safety components that are in the licensee design basis.

1

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - General Comments Comment No. Section/Page # Industry Comment Recommended Change

3. General The non-power reactor community was not included in consideration of this Please include non-power reactors within RIS. the scope of the RIS.

At the May 25, 2017 public meeting on this proposed RIS there was discussion of the importance of including non-power reactor licensees within this proposed RIS. The general consensus was that non-power reactors should be included within its scope. It appears that the exclusion of non-power reactors from RIS 2002-22 was likely an oversight. EPRI TR-102348 and Generic Letter 95-02 are referenced in NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, for use by the non-power NRC staff and licensees in licensing DI&C upgrades. Though they followed after the issuance of NUREG-1537, the revision to EPRI TR-102348 (NEI 01-01) and related RIS 2002-22 are also used by the non-power NRC staff and licensees in licensing DI&C upgrades. NEI 96-07 and associated RG 1.187 are also applicable to non-power reactor licensees.

4. General The RIS does not specify whether the NRC expectation is that the Add a statement that the RIS is intended to Qualitative Assessment guidance is to be used for 50.59 screening. be used for 50.59 evaluations, but may be consulted during the 50.59 screening process.

2

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

1. Draft RIS Page 1 In the ninth line of this paragraph, please augment the implicit statement of Replace this RIS is to clarify the NRCs Intent Paragraph applicability to ensure that the reader recognizes that RIS 2002-22 is being endorsement of NEI 01-01 with this supplemented rather than supplanted. The text does not make this supplemental RIS clarifies still-active RIS extremely clear and unambiguous. 2002-22 that endorsed NEI 01-01

2. Draft RIS Page 2 Background Information section, first full paragraph, Correct the title of NEI Correct text as noted.

Section titled 96-07, Evaluations should be Implementation.

Background

Information

3. Draft RIS Page 3 At the end of the last sentence in the paragraph starting Specifically, this Revise from methods to demonstrate the Section titled RIS add words that clarify that the problem is in software. likelihood of failure Summary of To Issue Section

.methods to demonstrate the likelihood of failure from software design errors

4. Draft RIS Page 4 For readability, please consider bolding these italicized section headers to Use bold text for section headers.

Section titled make them stand out in the rest of the text.

Clarification of Guidance for Addressing Digital I&C Changes under 10 CFR 50.59 1

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

5. Draft RIS Page 4 In the second full paragraph, second line, the word appropriate is Replace appropriate with something more Section titled ambiguous. like applicable Clarification of Guidance for The last sentence in this paragraph is very long. Split the last sentence into applied to the Addressing Digital proposed design. Using such standards I&C Changes under 10 CFR 50.59

6. Draft RIS Page 4 In the paragraph starting To assist licensees, the second line, the Replace the NRC staff has clarified Section titled sentence should be simplified. within the attachment to this RIS its Clarification of position with the attachment to this Guidance for RIS clarifies the NRC staff position Addressing Digital I&C Changes In the last sentence of this paragraph, delete under 10 CFR clarification within the as the 50.59 attachment describes is sufficient.

7. Draft RIS Page 4 In the next to last line of the first paragraph, it is not clear what alter the Replace alter the conclusions of by the Section titled conclusions of means to a licensee. safety analysis with alter the conclusions Clarification of of or not be bounded by the safety analysis Guidance for in the UFSAR Addressing Digital I&C Changes under 10 CFR 50.59 2

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

8. Draft RIS Page 4 In the first paragraph, please reiterate that this RIS supplements, but does Replace supplements RIS 2002-22 Section titled not supersede, RIS 2002-22. with supplements but does not Backfitting and supersede RIS 2022-22 Issue Finality Discussion In the second paragraph, the first sentence does not define on whom the Rework the first sentence in the second guidance might be imposed. paragraph.

9. RIS Attachment, The first paragraph, first sentence is excessively long, with the result of Replace 10 CFR 50.59 Rule, for use as page 1, Purpose being difficult to read and understand. guidance for implementing with 10 CFR 50.59 Rule. This RIS provides guidance for implementing

10. RIS Attachment, In the second paragraph, reinforce that this is a supplemental RIS. Change to provide clarifying guidance page 1, Purpose with to provide supplemental clarifying guidance Change Following this guidance will help with Following the guidance in the RIS 2022-22 and NEI 01-01, as augmented by the guidance in this RIS

11. RIS Attachment, This second would be easier to find if it were set in bold type. Change the format to bold on all section page 1, headers throughout the attachment, Likelihood including those that are underlined.

Justifications

12. RIS Attachment In the first paragraph, last sentence, there are extra words, and a missing Delete both that in the sentence, and Page 2, reference to where the characteristics that should be evaluated are defined. replace there are some important with Regulatory several important.

Clarification Provide some reference, even within the RIS, to the important characteristics that we should evaluate.

3

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

13. RIS Attachment In the paragraph starting 10 CFR 50.59 (c)(2)(vi) in the fourth line, that is Replace reasonable assurance the Page 3 missing. likelihood with reasonable assurance that the likelihood

14. RIS Attachment Bullets contain quoted guidance from NEI 01-01 and NEI 96-07, Rev 1; Revise bullets 1 and 3 to ensure the quoted Page 4, Section however, in a couple cases, the quoted information is not correct. text is accurate and traceable to the source 2.2, Step 1 document.

15. RIS Attachment Delete the entire paragraph beginning with: Documentation is needed.. Replace with the following:

Page 7, last paragraph Documentation is needed to demonstrate the proposed design will not create malfunctions with different results or initiate a different type of accident not previously analyzed in the UFSAR. Within the concept of layers of defense, acceptable justification for concluding an accident of a different type will not be initiated to include the postulated new accident is only possible after a sequence of multiple unlikely independent failures. This type of justification should also be documented as part of the qualitative assessment.

16. RIS Attachment In the last line, a reference to the major section we are in is not helpful. Either revise Section 4.2 to be more Page 8 useful, or remove the reference to a general section in the RIS Attachment.

17. RIS Attachment In the second paragraph, the subject (software and hardware) is plural. Replace modification has with Page 8,Operating modification have Experience In the last sentence, the phrase along with consideration of the supplier of Add commas before and after the phrase.

such equipment should be set off in leading and trailing commas.

4

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

18. RIS Attachment 2nd paragraph. Revise the following from:

Page 9, 4.2.1 .do not result in a potential.

To:

do not result in more than minimal

19. RIS Attachment In the first paragraph, last sentence, it might be clearer if the three steps in Please consider clarification of this Page 9, 4.2.1 the justification were numbered (e.g., 1) a thorough description of the , paragraph. Delete thorough.

2) the design attributes..., and 3) a clear description Further, it is not clear how extensive thorough is expected to be.

20. RIS Attachment Sentence beginning with If the qualitative assessment.. Revise the following from:

Page 10, 4.2.1.2 ..a new type of accident, a malfunction with a new result, or an unbounded malfunction or accident now exists due to the combing of functions creating new malfunctions, or new inter-system interactions, etc, then..

To:

a new type of accident or, a malfunction with a different result now exists due to the combination of functions, then.

21. RIS Attachment First paragraph. Revise the following from:

Page 10 .the potential for new malfunctions or accidents should be evaluated.

To:

the potential for malfunctions with a different result or accidents of a different type should be evaluated 5

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

22. RIS Attachment The first sentence is too long. Replace development organization that Page 11, 1st provides for common and repeated use, paragraph rules with development organization.

These quality standards provide rules and move for common and repeated use to the end of the sentence, replacing context with context, for common and repeated use.

23. RIS Attachment In the last sentence of the first paragraph, there are extraneous words and In the last sentence of the first paragraph, Page 11, 4.2.3 an imprecise set of references. delete other avenues for performing the change, i.e., and list all avenues.

24. RIS Attachment In the first sentence of the last paragraph, there are extraneous words. Replace guidance provides the kind of Page 11, 4.2.3 process that should be engaged when using this guidance with .. guidance illustrates the process to use this guidance.

25. RIS Attachment The diamond near the top of the page states Does the proposed change Change the phrase to state Does the Figure 1 have the characteristics described in the attachment to the RIS?. It is proposed change have the characteristics suggested that the characteristics being reference be pointed out described in RIS attachment section 3?

specifically in the RIS attachment.

26. RIS Attachment The second decision block language is not consistent with the verbiage Revised the second decision block question Figure 1 used in 10 CFR 50.59. verbiage to align with 10 CFR 50.59.

6

INDUSTRY COMMENTS ON DRAFT RIS 2017-xx, SUPPLEMENT TO RIS 2002-22 Attachment 1 - Editorial Comments Comment No. Section/Page # Industry Comment Recommended Change

27. RIS Attachment Step 1. Revise wording from:

Table 2 What are all of the UFSAR design functions..

To:

What are all of the UFSAR described design functions Alternatively, What are all of the design functions described in the UFSAR

28. RIS Attachment Step 4, 2nd bullet. Revise wording from:

Table 2 The digital components likelihood of postulated CCF likelihood To:

The digital components postulated CCF likelihood

29. RIS Attachment Step 3. Revise wording from:

Table 2 Could those potential impacts already be bounded by the results of the design basis analyses, or would the analyses need to be revised to address it?

To:

Are potential impacts already bounded by results previously evaluated in the UFSAR or would the safety analyses need to be revised to address potential impacts?

7

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

1. ALL The DRAFT RIS uses the term, qualitative assessment more than 15 Define the term qualitative assessment times throughout the RIS. In the context where it is used, in most case, once, then only use the term in the balance either an implicit or explicit definition is stated. This is confusing. of the text.

Also, in a few random cases effective qualitative assessment is used. This Suggest using a definition that states that DRAFT RIS does not define the differences between the two. Overall, the purpose of the qualitative assessment is effective qualitative assessment seems out of place because either the to demonstrate reasonable assurance of conclusions of a qualitative assessment support the outcomes when used in adequate quality and low likelihood of failure a 10 CFR 50.59 Review or they do not through a review of the system design process and design features. This would be consistent the with NEI 01-01 discussion of dependability (page 5-14).

For clarity and to avoid confusion, remove the word effective from effective qualitative assessment throughout the text.

1

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

2. ALL The terms safety significance and safety significant are used throughout Suggest using important to safety as this section without formal definitions. defined in the UFSAR as it has a formal It is noted that use of these terms is limited to defining the level of regulatory definition associated with the documentation that is worthwhile and is not used as input to answering the design basis.

50.59 questions.

The scope of the draft RIS is such that the definition of safety significant is not consistent with its use in other regulatory applications The term safety significant as used in regulatory applications today generally has a definition that is much broader than just the licensing basis for the plant and often includes risk-insights (e.g., see the definition of safety significant in 10CFR50.69). Throughout the Qualitative Assessment Framework, review of the modification under 50.59 is restricted to the plant design basis as documented in the UFSAR. As the Qualitative Assessment Framework clearly is limited to the licensing basis for the plant and is neither risk-informed nor considers risk insights, the term safety significant should be avoided and replaced with a regulatory term having a formal definition applicable to the scope of this guidance, important to safety (as defined in the UFSAR).

3. Draft RIS The term reasonable assurance is used here and in footnote 1. No basis Remove the footnote, or, further define the Page 1 is provided for use of a different standard as used in the RIS, versus the term adequate degree of certainty.

Intent Paragraph broader regulatory standard. What is the source for the footnote?

Identify the Regulatory sources of the Having different definitions of this term will cause confusion. As an example, footnote that clearly defines the difference the RIS uses the term reasonable assurance nearly 20 times throughout between adequate degree of certainty and the document in various contexts. In many cases, the RIS includes quotes broader NRC regulatory standard.

from NEI 01-01 with this term included.

2

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

4. Draft RIS Page 2 In the third full paragraph, fifth line, reinforce the idea that this supplement is Replace This RIS supplements the NRC Section titled to be used with RIS 2002-22. Staffs previous endorsement of the NEI 01-Background 01 guidance with This RIS supplements Information the still-active RIS 2002-22 endorsement of NEI 01-01 guidance At the end of the paragraph, explain that this RIS is expected to provide the additional detail necessary to ensure resolution of the issues that have occurred when applying RIS 2002-22 and NEI 01-01.

5. Draft RIS Page 2 In the last full paragraph on this page, IAP MP #1 is mentioned in the Explain how the CCF portion of the Section titled context of 50.59. modernization plan interacts with the 50.59 Background evaluation in the RIS discussion.

Information

6. Draft RIS With respect to the text including the statement: there may be a potential Clarify this statement to be clear that digital Page 3 for a marginal increase in the likelihood of malfunctions upgrades are not always expected to Summary of Although this statement paraphrases NEI 01-01, Section 4.3.2, it seems to increase malfunction likelihood.

Issue Section imply that digital upgrades will always result in a marginal increase in malfunction likelihood. In practice, industry has observed the opposite - that Rephrase to use the no more than minimal digital upgrades tend to decrease malfunction likelihood as most digital increase text from 50.59.

upgrades eliminate single points of vulnerability, provide for signal validation, afford internal diagnostics and alarming capabilities - to name just a few characteristics that go beyond the capabilities of their analog counterparts.

This sentence may cause confusion within industry and with regional inspectors if it is interpreted to mean that digital upgrades are expected to increase malfunction likelihood.

3

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

7. Draft RIS The sentence leading into the last paragraph on the page: Please clarify whether there is a change in Page 3 The RIS pulls out a statement from RIS 2002-22 and states that the Draft NRC staff position from what was previously Section titled RIS does not change NRC staff position, which apparently is that NEI 01-01 endorsed in NEI 01-01.

Summary of provides an acceptable means. This seems to be at odds with the Issue Section statements in the final two paragraphs of this section that the appendix will provide content, rationale and evaluating factors to be addressed, along with a short list of design attributes primarily drawn from the existing BTP 7-14.

8. Draft RIS With respect to the text including the statement: ensuring that the Suggest deleting this portion of the sentence uncertainty of qualitative assessments is sufficiently low as it may cause confusion.

Page 4, Section What is meant by this statement? Generally speaking, the qualitative titled Clarification assessment is used to draw the conclusion that the digital change has a low of Guidance for likelihood of failure.

Addressing Digital I&C Changes under 10 CFR 50.59

9. RIS Attachment / The attachment seems to explicitly specify a quality process, structure and In the Purpose section of the Attachment, Pages 1-17 format for the qualitative assessment that if left without clarification, could It should be made clear that the format, result in a significant impact on the industry in the areas of procedures, content, and structure of the Attachment is qualification, and training, if the interpretation is that the qualitative an example of what an acceptable assessment attributes are viewed as mandatory. Qualitative Assessment could contain, and that the implementation details are up to the licensee.

4

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

10. RIS Attachment / Outcomes from a qualitative assessment that would in turn be used as Recommend that the outcome of a Pages 1-17 engineering/technical information in a 10 CFR 50.59 review are specified as qualitative assessment be described as finds, final determination, resulting, etc. This inconsistent verbiage is conclusions because conclusions are the confusing. translation of the results. Therefore, the Examples of this are: conclusions of an assessment are the Section 2.1, last paragraph engineering/technical information that is Page 2 of 17, 3rd paragraph important to the 10 CFR 50.59 review.

Section 3, 1st paragraph

11. RIS Attachment In section 2.1 (likelihood justifications) the attachment discusses the link Recommend reconciling the use of Page 2, 1st between dependability and likelihood of failures, but in the next to the last reliability versus dependability in the Paragraph paragraph, there seems to be an interchangeable use of reliability and documents.

dependability, recommend sticking to dependability. Furthermore, the inclusion of reliability in the next to the last paragraph in this section is a miss-representation of NEI 01-01 which makes this point that for some high risk systems, there may be a need to provide additional assurance of adequate defense in depth and diversity. Since there is no mention of this, in the section, it can only be implied that all changes, without regard to risk will require a demonstration of defense in depth, but some systems do not require defense in depth because there is no requirement to do D3, but this could be construed to put that requirement onto the licensee.

12. RIS Attachment This section discusses a reasonable assurance standard for evaluating low Revise section to include a statement that Page 2, 3rd likelihood of failure. captures the following concept:

Paragraph Its important to note that the new digital equipment must only be as The new digital equipment is not held to a reliable/dependable as the equipment it is replacing. The likelihood of failure higher standard than the analog (or even is relative to the equipment being replaced. digital) equipment it is replacing.

5

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

13. RIS Attachment With respect to the text including the statement: Remove this statement from the paragraph, Page 2, 7th (whether or not classified as safety-related in accordance with 10 CFR Part and if still necessary, place it elsewhere in Paragraph 50, Appendix B) the text, in a context that is not tied to 50.59.

14. RIS Attachment Section 2 of this document is titled regulatory clarification, but later in 2.2 it Delete or include in Section 4.

Page 3, Section seems to provide a framework for evaluating malfunctions of a different 2.2 result, I think this is better handled in Appendix D or is sufficiently covered in 96-07, since there is really no new guidance here, any attempt to provide it (which it seems you didnt in step #3), then I recommend this part be deleted. If the framework is deemed important include it in section 4.

15. RIS Attachment With respect to the text including the statement: Recommend one term be defined and used Page 3, 2nd .the likelihood of common-cause failure (CCF) is much lower than consistently throughout the document.

Paragraph The term much lower is used several places in the document, as well as the term significantly lower.

16. RIS Attachment With respect to the text including the statement: This limitation also should be reflected the Page 3, 2nd .reasonable assurance the likelihood of common-cause failure (CCF).. RIS.

Paragraph NEI 01-01 uses terminology similar to this and, by inference, is endorsed by RIS 2002-22. However, the applicability of the NEI guidance is limited to software failures (including common cause failures) and does not include other sources of CCF (such as hardware failures).

17. RIS Attachment With respect to the text including the statement: Clarify this section.

Page 3, 3rd The above likelihood thresholds Paragraph This conclusion in this section is acceptable, provided the applicability of the CCF statement of the 10CFR50.59(c)(2)(vi) threshold is limited to software failures. Otherwise the statement expands the scope of consideration CCF under 50.59 to well beyond the original RIS, NEI 96-07, the SRP, RG 1.70 and ANS/ANSI 51.1 & 52.1.

6

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

18. RIS Attachment With respect to the text including the statement: Please clarify meeting the above Page 3, 5th For activities that introduce a potential failure mode (e.g., CCF) that does thresholds Paragraph not meet the above thresholds This section would be acceptable, assuming meeting the above thresholds means the likelihood of common-cause failure (CCF) is much lower than the likelihood of failures that are considered in the UFSAR (e.g., single failures) and comparable to other CCF that are not considered in the UFSAR. If not clarified, this statement expands the scope of consideration CCF under 50.59 to well beyond the original RIS, NEI 96-07, the SRP, RG 1.70 and ANS/ANSI 51.1 & 52.1.

Where CCF has been included in the licensing basis of the plants in the past, it has required a regulatory analysis and gone through rulemaking (e.g, ATWS and SBO). Such a regulatory analysis has not been performed for digital CCF.

The statement also is inconsistent with the SRM to SECY 93-087 and BTP-19 which state that CCF is beyond the design basis.

19. RIS Attachment / The following NOTE is stated, [Note: This likelihood threshold is not Identify the Regulatory source of the Note or Page 3, Section interchangeable with that for credible/not credible, which has a threshold revise the Note to add sufficient clarity 2.1 of as likely as (i.e., not much lower than) malfunctions already assumed (preferably with examples) to ensure it is not in the UFSAR.] mistranslated by the industry.

However, no basis for the note could be found in NEI 01-01 or NEI 96-07, Rev 1, or regulatory framework.

7

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

20. RIS Attachment With respect to the text including the statement: Add the following clarification/definition:

Page 4,Step 1 for the purpose of the 10 CFR 50.59 evaluation, credible Section malfunctions.. For the purposes of the technical evaluation, It is not clear that a credible malfunction considered in the technical a CCF can be considered credible only if the evaluation is the same as a credible malfunction considered in the 50.59 likelihood of a CCF caused by an I&C failure process. source is greater than the likelihood of a CCF caused by other failure sources that are not considered in a deterministic safety analysis described in the UFSAR.

21. RIS Attachment Bullet nine - with respect to the text including the statement: This need to be reworded to something that Page 4, Section malfunctions previously thought to be incredible. is bounding within the plant design basis.

2.2, Step 1 Step 1 in this process is to develop a list of possible malfunctions. Listing malfunctions that are previously thought to be incredible is not verifiable criteria and opens up the evaluation to any possible combination of failures (i.e., unrelated multiple failures).

22. RIS Attachment 2nd bullet, with respect to the text including the statement: Remove the statement including a single Page 4,Step 2 , there may be the potential marginal increase in likelihood of failure, failure Section including a single failure..

The statement identified in the bulleted item appears to be from NEI 01-01 Section 4.3.2. Where does the including a single failure wording come from?

8

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

23. RIS Attachment 2nd bullet, with respect to the text including the statement: Please clarify the intent of the use of the Page 4, Section For digital modifications, particularly those that introduce software term software in this section based on the 2.2, Step 2 What is this intended to mean? comment.

- Consider how digital modifications that do not involve software should be defined, as most digital equipment has software/firmware.

Examples are discrete logic chips and FPGAs. Please consider the use of the term

- Introduce software phrase could be taken that this only applies to redundant and independent versus just the analog to digital mods. It should also address digital to digital mods use of redundant.

- The use of redundant should also have independence stated. Please change to redundant and independent. This is a generic comment wherever redundancy is used. Independence is the key word.

Redundancy can be added in non-safety systems for reliability purposes only.

24. RIS Attachment This statement, although out of NEI 01-01, would seem to imply that digital Add supporting statement(s) that include Page 4,Step 2 upgrades will always increase the likelihood of failure, which has not been acknowledgement of positive, not just Section observed in actual practice where, in most cases, digital upgrades have negative, impacts of installing digital been shown to decrease failure likelihood. equipment.

Also, in 50.59 it is common practice to consider the balancing of positive effects of installing the digital equipment (e.g., elimination of SPVs, signal Further, rephrase the statements that imply validation, etc.) with the potential negative effects (e.g., SCCF, etc.) when that digital systems will always increase the arriving at the final conclusion of not more than a minimal increase in likelihood of failure to include the idea of no malfunction likelihood or accident frequency. The RIS does not appear to more than a minimal increase text from discuss using the balancing effects of the positives and negatives of digital 50.59.

upgrades.

25. RIS Attachment / Bullets contain quoted guidance from NEI 01-01 and NEI 96-07, Rev 1; Revise the last three bullets to ensure Page 4, Section however, the quoted text from the last three bullets could not be traced back quoted information is accurate and traceable 2.2, Step 2 to either source. to the source document.

Provide a reference to the source.

9

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

26. RIS Attachment The title of this section is Draft Characteristics of Proposed Modifications Clarify the applicability of the characteristics Page 5, Section 3 that Produce Effective Qualitative Assessments. The first paragraph of this in this section to digital modifications.

section states: Consider changing Do not to:

Do not create an adverse condition due The NRC staff finds that proposed digital I&C upgrades and modifications to having all the characteristics listed below are more suitable to and effective for qualitative assessments and thus more likely to meet the 10 CFR 50.59 evaluation criteria. Remove that Produce Effective Qualitative Assessments from the title and delete more The title and wording in this section imply that the Qualitative Assessment suitable to and effective for qualitative Framework is permitted only for digital modifications having all the assessments and thus from the last characteristics in this section. sentence of the first paragraph to avoid misinterpretation of this section.

It is assumed that the term effective actually means produces positive results. The section reads more clearly without the word effective.

27. RIS Attachment This sub-section states Digital I&C design function-for-design function Unless the phrase design function-for-Page 5, Section 3 replacements and upgrades to systems and components that: Is the design function provides additional criteria (1) qualifier design function-for-design function both meaningful and or meaning, it is suggested that it be removed.

necessary?

If the term provides specific meaning, please provide the criteria for determining the function for function alignment.

10

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

28. RIS Attachment This section seems to constrain the digital modification to a very limited Clarify the applicability and limitations of Page 5, Section 3 scope, which does not appear to meet the intent. For instance, it is not clear these constraints to address potential issues whether all of the attributes, or some of the constraints need to be met. with items noted, such as:

Applying these in a strict way would eliminate most digital changes being - DCS Upgrades contemplated, or currently being done. For example: - Safety Chillers

a. 1a)-b) These conditions appear to only allow designs that dont - Embedded Devices combine functions that were previously separate (this eliminates DCSs from being considered per this criteria, even if you use segmentation on separate controllers because they communicate via shared network, which is not acceptable).

b. 2 could be construed to eliminate all safety systems that have two channels (chillers) from consideration since they will be digital and identical and this will screen them out before we even get a chance to demonstrate low likelihood of CCF.

c. 3 is just a regurgitation of BTP 7-19 criteria, but the prelude to the section says that all criteria must be met, which is pretty much impossible for embedded devices.

29. RIS Attachment The exclusion of systems using common HMI eliminates all non-safety The type of systems that use shared Page 5, Section 3 related DCS upgrades from this RIS scope. resources should be in scope of this RIS 1(a) & 1(b) which should describe that the licensee addresses combination of functions and spurious operation in the qualitative assessment.

11

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

30. RIS Attachment With respect to the text including the statement: The RIS should clearly define the scope of Page 5, 1st the qualitative assessment results alone are sufficient that software CCF CCFs (software, etc.) being considered.

paragraph does not need to be assumed The use of software CCF appears to limit the use of qualitative methods to demonstrate that CCF does not have to be assumed for other types of potential common cause failures.

31. RIS Attachment With respect to the text including the statement: Clarify whether the different result is at the Page 5, Step 3 SSC level or plant level. The industry position is that the results are evaluated at Only for possible malfunctions that do not have a sufficiently low likelihood the plant level, as discussed in the recent based on the qualitative assessment in Step 2, determine whether the RIS public meeting.

malfunction has a different result.

32. RIS Attachment With respect to the text including the statement: Remove implicitly assumed.

Page 5, 1(b) Do not incorporate new shared resources..... implicitly assumed Implicit assumptions are impossible to verify. Should provide clarification on whether system function equals design function and if so, use design function.

33. RIS Attachment With respect to the text including the statement: Please reword with reasonable assurance Page 6, Section 3 .that do not result in reduction of any aspects of independence language instead of using do not.

(2) This goes beyond reasonable assurance. Adding any software could and does result in a small quantitatively reduction.

12

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

34. RIS Attachment With respect to the text including the statement: Eliminate the 100% testing criteria as the Page 6, item (3) as demonstrated through 100% testing only test for simplicity.

There is a lack of clarity with industry (and perhaps regional inspectors) over what constitutes 100% testing, and this simplicity concept. Technical individuals working on the NEI/Industry DI&C teams have come to understand that any device containing software is not considered to be 100% testable, and we must assume a CCF.

If this is the case, then this RIS will only work for a very limited number of digital changes.

The 100% testing approach does not meet the qualitative intent of the RIS, and the reasonable assurance standard.

35. RIS Attachment With respect to the text including the statement: Address the use of the term bounding with Page 6, item (3) bounded by previous FSAR analysis.. respect to plant level in this section, and further define FSAR analysis as safety analyses

36. RIS Attachment With respect to the text including the statement: Add a discussion and clarify methods for Page 6, 4th demonstration that the resulting replacement or upgrade design can demonstrating what would be an acceptable paragraph tolerate the postulated triggering of that defect way of tolerating the triggering of a defect.

This statement would seem to indicate that we must assume a design defect and then assume the design defect is triggered. If this is the intent, Clarify the statement to indicate whether a the RIS will likely not work for most safety related SSCs (including the design defect must be assumed or not.

safety related chiller mod). If this is not the intent, should clarify the statement. Define the basis for the design defect likelihood needing to be significantly lower.

13

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

37. RIS Attachment With respect to the text including the statement: Add a clear language in this paragraph that Page 6 last Alternatively, electrical independence can be demonstrated qualitatively states, software also can be addressed in a paragraph The real purpose of this RIS is software and SCCF with respect to qualitative manner and consider using a Page 7, first independence. digital example.

paragraph Using electrical independence may not be the best example for this RIS.

38. RIS Attachment / A new term, layers of defense is used and is not defined. If this is intended Either define the term layers of defense or Page 7, Section to refer to defense in depth, then defense in depth should be stated. use the term defense in depth.

4.2 Alternatively, provide a reference to the USNRC or industry document being used to define layers of defense.

39. RIS Attachment With respect to the paragraph beginning with: Clarify this section to acknowledge a Page 8, Quality For digital equipment incorporating software.. different standard applies for non-safety Design Process These attributes may not be available or well documented for non-safety related upgrades.

related equipment that contains software. NEI 01-01 was primarily written to evaluate changes to safety related SSCs. Quoting this paragraph within the RIS may lead some (including regional inspectors) to believe that all these attributes must be accounted for when implementing a non-safety related digital upgrade with software involved.

40. RIS Attachment With respect to the text including the statement: Please clarify the intent of this statement.

Page 8, Last .thoroughly documented within the licensees quality assurance (QA) paragraph program..

What is specifically meant by ... documented within the licensees QA program? Does this mean a formal qualitative assessment document must be developed and placed within the engineering change package for future retrieval?

14

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

41. RIS Attachment In section 4.2 the last paragraph on page 8 says All of these categories Please clarify intent of QA program Page 8, Last should be addressed and thoroughly addressed in the licensees quality reference.

paragraph assurance program, in consideration of the safety significance of SSCs Clarify QA program applicability is not based described below in Section 4.2 (See table 1) There may be confusion on safety significance of SSCs, but on the about what this means.to be described in the QA program. licensees Quality Assurance Program.

42. RIS Attachment Please add endorsed EPRI TR-106439 as an acceptable example for digital Please add the reference as noted.

Page 8 commercial grade dedication mods.

Page 9, Table 1

43. RIS Attachment For Table 1, the list of acceptable examples, is this list intended to be Please clarify the applicability of the Table 1 addressed by each evaluation, or is this just a suggested list? For the examples cited in Table 1, and their design attributes, what is the expectation on behalf of the NRC that there be intended use.

all items, or some items? Is the determination of adequacy up to the licensee or will this list constitute the basis for a Mods or 50.59 inspection?

44. RIS Attachment / Environmental Qualification implies a Regulatory programmatic Revise environmental qualification to Page 9, Table 1 requirement; however, based on the subsequent examples, (e.g., EMI/RFI, demonstrated tolerance (e.g., through Seismic), this does not appear to be the context. qualification testing) to withstand environmental conditions within which the SSC is required to perform its design function (e.g., EMI/RFI, Seismic).

45. RIS Attachment Watchdog Timers - The RIS should not limit credit for external watchdog Suggest changing to Watchdog timers that Table 1 timers only. There are designs that have internal watchdog timers that operate independent of software or Design Attributes operate independent of the software and are considered just a reliable as something to that effect.

external watchdog timers (the digital reference adjuster used on the EDG voltage regulator project is an example of an independent internal watchdog An acceptable alternative might be timer). Watchdog timers that time out in hardware..

15

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

46. RIS Attachment Sufficiently simple and 100% testing are used here. See previous comments on this subject.

Table 1 Suggest acknowledging other types of Design Attributes testing to demonstrate the design is sufficiently simple, such as comprehensive, or exhaustive testing, versus just 100%

testing.

47. RIS Attachment Failure state always know to be Safe - An acceptable failure state could Revise to describe that the failure state of Table 1 also simply be equivalent to the failure state of the device being replaced, the new digital equipment can be the same Design Attributes not necessarily to the safe state. as the failure state of the existing equipment (whether or not the failure state is considered safe).

48. RIS Attachment The last bullet indicates that high volume commercial products are less Augment the discussion to suggest that Table 1 likely to have deficiencies. High volume, high quality commercial Operating products with applicable operating history Experience used in other applications have the potential to not include as many design errors.

49. RIS Attachment This paragraph does not clearly distinguish between safety related and non- Please clarify applicable scope for digital Page 10, 4.2.1.1 safety related SSCs. Digital communications (ISG-04) is a concern primarily communications criteria, to clearly specify with Safety Systems and is not applicable to non-safety systems. Though that ISG-04 is applicable to only safety there is very good guidance in ISG-04, this section seems to make it related modifications.

required to be addressed for all classes of systems that might be evaluated by this process. Would digital communication between non-safety SSCs Please clarify to address how this might be considered out-of-scope of this RIS? For example, a plant may have two applied to non-safety related examples.

(redundant) feedwater pumps - not for plant safety but for operational convenience. Would digital communication between the two feedwater Also, while ISG-04 is good guidance, and pump controllers be out-of-scope for this RIS? has been in place for more than a decade, it would be preferable to refer to more durable guidance.

16

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

50. RIS Attachment For section 4.2.1.2 the gist of this section is that combination is bad in all Revise to acknowledge cases where Page 10, 4.2.1.2 cases, however, there are cases where combination of previously separate combination of functions may result in a components results in a more dependable system due to the tightly coupled more reliable and safer system.

nature and a reduction in complexity. A good example is the combination of Main Feed regulating valves with Feed bypass valves into one controller, this has allowed the industry to use one controller to control steam generator level through all power levels, where previously there was a manual cross over at a low power that often resulted in spurious level changes and plant trips due to loss of level control, those types of plant upsets are much less frequent with a combined system where both valves are controlled by one controller. A plant transient from both a bypass and MFRV may not be evaluated in the License but if the overall result from combining the two is a marked increase in dependability, in the aggregate.

51. RIS Attachment With respect to the discussion on combination of functions: Please add language that allows Page 10, 4.2.1.2, This section should acknowledge that combination of functions is allowable combination of functions where it does not 3rd sentence where it does not create an adverse condition; the 3rd sentence does not create an adverse condition.

accurately reflect verbiage consistent with 10 CFR 50.59.

52. RIS Attachment / The phrase the other NRC-approved processes does not provide If the other NRC-approved processes is Page 10, 4.2.1.2, guidance. intended to be license amendment request, last sentence so state. Else, define all the other processes that could be followed.

53. RIS Attachment This section should include reference of EPRI TR-106439 as an acceptable Add the noted reference.

Page 10, 4.2.2 example for digital commercial grade dedication mods.

17

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

54. RIS Attachment There is no expanded discussion on the Operating Experience topic. Revise document to use Section 4.2.3 as an Page 11 Sections 4.2.1 and 4.2.2 expand on the other bullet points noted on Page expanded discussion on Operating 7 and Page 8 of the attachment (Design Attributes and Quality Design Experience. Move current Section 4.2.3 Process). content to another section of the document.

55. RIS Attachment Quality Standards - please clarify the use of the term quality standards in Clarify the use of the term quality Page 11, 1st the RIS. If the intent is to define a high quality design process, then the standards.

paragraph licensee Appendix B program should govern the activities as applicable.

It should be noted that there is no requirement for mandatory use of any other type of quality standard for non-safety related applications.

56. RIS Attachment It appears that the YES/NO labels should be reversed on the diamond near Flip the YES / NO labels.

Figure 1 the top of the page which states Does the proposed change have the characteristics described in the attachment to the RIS? Suggest being more specific by adding a Also, the first box appears to be selecting criteria. That is, if the specific section number of the RIS that characteristics dont match (e.g. no combinations, no communications, etc.) details the characteristics. (RIS Section 3?)

they you cant use this process. If you exit the RIS 2017-xx process, then are on your own to use NEI 01-01 as originally endorsed in RIS 2002-22? Consider an exit to this process that shows the previous RIS/NEI 01-01 process.

57. RIS Attachment The flowchart only addresses 50.59 Evaluations Questions 2 and 6. Suggest addressing Questions 1 and 5.

Figure 1 Questions 1 and 5 do not appear to be addressed in the flowchart.

58. RIS Attachment Conduct the Technical Analysis and Assess Vulnerabilities is split into two Provide explanation as to why this process Figure 1 boxes, but in reality the vulnerabilities will be assessed in the design is split into 2 boxes, and/or update Figure 1.

change (in the box that feed into the Conduct Technical Analysis). Is this split into two boxes because the RIS expect two distinct documents? Or do both of the boxes constitute the single Qualitative assessment as outlined in Table 2. The assumption is that it is broken out based on some thought model held by the staff, but in actuality this is all done under the design change process and is only documented in the 50.59 as a high level summary with sufficient detail to assist the approver of the 50.59 (and to support the NRC review under Mods inspections).

18

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

59. RIS Attachment This section appears to be written for safety-related software. In most Update this section to reflect the level of Page 13, Section cases, the evidence required in Section 5.1 would be difficult to compile for documentation that might be typically seen 5.1 non-safety software containing COTS devices. for non-safety related upgrades.

Augment the software safety analysis to software safety analysis (as applicable) to capture the non-safety related equipment.

60. RIS Attachment In Section 5.1 there is a statement that says that the Qualitative Revise document to address the software Page 13, Section Assessment should provide evidence that a well-defined process for - and process typically seen for non-safety related 5.1 it continues on with a statement of components from BTP 7-14, which again and commercially dedicated equipment.

is only applicable to safety-related software and would also be germane (but not required) for non-safety related software. What if any concessions are allowed for those non-safety and even those components that are Commercially dedicated where we will often credit extensive operating history and testing along with largely equivalent software processes, where portions of the software lifecycle are less relevant and not needed to make the Qualitative Assessment for less risk significant system that screen into 50.59 evaluation? See comment below on section 5.2 19

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

61. RIS Attachment In Section 5.2 there appears to be a hint of grading by safety significance, Please clarify basis and applicability of Page 13, Section which is in keeping with the original NEI 01-01, but the two lists are not well these grading criteria.

5.2 defined, are you saying that the items on the list constitute a risk significant system? Are they in any order of risk significance, or are they all considered equally risk significant? With the contrary being deemed less risk significant and therefore less documentation required and the second list seems to have a function based criteria. Same question as above, (all risk significant; any sort of hierarchy implied?). Will this grading be up to the utility? Or will this RIS address which would be acceptable?

62. RIS Attachment 2nd bullet - With respect to the term accident mitigation system Suggest clarifying by stating ... accident Page 13,Section Is this statement referring to accident mitigation systems that are credited in mitigation system credited in the safety 5.2 the safety (or accident) analysis? There are some non-safety systems that analysis.

can be used for accident mitigation but are not credited in the safety (accident) analysis (e.g., off-site power is the preferred source of power for mitigating accidents but is not generally credited as an accident mitigator in the safety (accident) analysis). There is some confusion in the industry when it comes to defining a SSCs that are considered accident mitigators.

63. RIS Attachment With respect to the following statement: Request this section be clarified to Page 14, last It is the responsibility of the licensees 10 CFR 50.59 evaluator to differentiate between where design basis paragraph demonstrate that the documentation of the design basis information is documented (for instance, the plant modification process), versus where licensing basis information is documented (for instance in the 50.59 evaluation).

20

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

64. RIS Attachment Step 1, last bullet: Add clarification as described in comment.

Table 2 Please add clarification that the evaluation should consider both active and inactive states.

65. RIS Attachment Step 1, 3rd bullet - Safety and power generation functions. Please clarify what this statement is asking Table 2 for, it is not entirely clear.

66. RIS Attachment Step 3 - Enhanced Safety Analysis. Please define or clarify what enhanced is Table 2 referring to.

67. RIS Attachment Step 3 - Failure Modes. Please add a note stating that the failure Table 2 mechanisms can change. Please add a note allowing us to eliminate failure modes of the original equipment in the replacement equipment.

68. RIS Attachment Step 4 - last paragraph, beginning with All assertions If this is the case, please explain. If this is Table 2 This statement implies that the licensee must assume a CCF. not the case, please reword or provide clarification.

69. RIS Attachment In Table 2: Steps 4 and 6 seem to be repeats, you make the assertions and Leave one or the other out, the evidence Table 2 provide the evidence, then repeat the assertions. needs to support the assertions either way.

If not repeats, but rather two steps in a process, where identification is done Clarify why the two steps are provided.

in one step, and verification of resolution is provided in a separate process, then suggest clarification.

70. RIS Attachment Step 5, 2nd paragraph, vectors to malfunctions. If definition exists, please provide it; Table 2 otherwise recommend deletion.

21

INDUSTRY COMMENTS ON DRAFT-RIS-17-xx, SUPPLEMENT TO RIS 2002-22 Attachment 2 - Clarifications Comment No. Section/Page # Industry Comment Recommended Change

71. RIS Attachment Step 5, first paragraph, evidence of the three qualitative assessment Please provide a reference to an earlier Table 2 justifications. section in the RIS or RIS Attachment where the three qualitative assessment justifications are provided for completeness.

22