ML101320317

From kanterella
Jump to navigation Jump to search
Regulatory Analysis for Revision 3 of Regulatory Guide 1.152
ML101320317
Person / Time
Issue date: 06/14/2010
From:
Office of Nuclear Regulatory Research
To:
Ridgely J
Shared Package
ML100490511 List:
References
DG-1249 RG-1.152
Download: ML101320317 (2)


Text

REGULATORY ANALYSIS Proposed Revision 3 to Regulatory Guide 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

Statement of the Problem In January 2006, the Nuclear Regulatory Commission (NRC) staff issued Regulatory Guide 1.152, Revision 2, which noted that Institute of Electrical and Electronic Engineers (IEEE) Standard 7-4.3.2-20031 did not contain provisions for the establishment of a secure development and operational environment for digital systems. To address the recognized need for guidance for digital safety systems, Regulatory Guide 1.152, Revision 2, adopted nine regulatory positions that address the development and operational environment of a digital safety system throughout its lifecycle, including development, implementation, testing and operation.

In 2009, the NRC published Title 10 of the Code of Federal Regulations (10 CFR) 73.54, which requires licensees to establish comprehensive cyber security programs at their nuclear facilities. With the issuance of this new rule, designed specifically to ensure adequate protection against malicious cyber attacks, there was a perceived overlap in certain provisions of Regulatory Guide 1.152 and 10 CFR 73.54 with regard to cyber security. The NRCs position is that cyber security (i.e., protection against intentional malicious actions) is now addressed solely by 10 CFR 73.54.

In addition, the NRC has determined that only Regulatory Positions 2.1 - 2.5 apply to licensing determinations in the evaluation of applications for license amendments, design certifications, and combined operating licenses. Thus, the NRC removed Regulatory Positions 2.6 - 2.9 with the expectation that other licensee programs will address the establishment of a secure development and operational environment for those phases of the digital safety system lifecycle.

Therefore, revision of this regulatory guidance is necessary to clarify that the guide specifically focuses on the establishment of secure development and operational environments for digital safety systems and on their protection from system reliability challenges that may be posed by inadvertent operator actions and undesirable behavior of connected systems. The NRC also removed provisions in this guide that it determined were not applicable to licensing actions.

Objective The objective of this regulatory action is to clarify the regulatory positions of this guide and to remove regulatory positions that are now covered by other regulations to eliminate the potential for any perceived conflict.

Alternative Approaches The NRC staff considered the following alternative approaches:

1) Do not revise Regulatory Guide 1.152.
2) Revise Regulatory Guide 1.152.

1 Copies of Institute of Electrical and Electronics Engineers (IEEE) standards may be purchased from the IEEE Contact Center, 445 Hoes Lane, Piscataway, NJ 08855-1331; telephone (800) 678 4333. Purchase information is available through the IEEE Web site at http://www.ieee.org.

Page 1

Alternative 1: Do Not Revise Regulatory Guide 1.152 Under this alternative, the NRC would not revise this guidance, and the current guidance would be retained. If the NRC does not take action, there would not be any changes in costs or benefit to the public, the licensees, or the NRC. However, the no-action alternative would not address identified concerns with the current version of the regulatory guide. The NRC would continue to review each application on a case-by-case basis using Regulatory Guide 1.152. This alternative provides a baseline condition from which any other alternatives will be assessed.

Alternative 2: Revise Regulatory Guide 1.152 Under this alternative, the NRC would revise Regulatory Guide 1.152 taking into consideration the issues described above. Eliminating Regulatory Positions 2.6 - 2.9 and any language in the guidance that refers to cyber security, attacks, or malicious activity will clearly focus this guide on the establishment of secure development and operating environments for digital safety systems and on their protection from system reliability challenges that may be posed by inadvertent operator actions and undesirable behavior of connected systems. This change should help clarify that cyber security and protection from malicious digital attacks are under the purview of 10 CFR 73.54.

This action would clarify the relationship between 10 CFR Part 50 and 10 CFR Part 73, Physical Protection of Plants and Materials, regarding the security of digital safety systems.

The impact to the NRC would be the costs associated with preparing and issuing the regulatory guide revision. The impact to the public would be the voluntary costs associated with reviewing and providing comments to the NRC during the public comment period. The value to the NRC staff and its applicants would be the benefits associated with enhanced clarity in the application of NRC regulations and guidance documents on digital safety systems for license applications and other interactions between the NRC and its regulated entities.

Conclusion Based on this regulatory analysis, the NRC staff recommends revision of Regulatory Guide 1.152. The staff concludes that the proposed action will enhance clarity of the regulatory guidance.

It could also lead to cost savings for the industry, especially with regard to applications for license amendment requests, standard plant design certification, and combined licensees.

Page 2