ML14143A175
| Field | Value |
|---|---|
| Accession number | ML14143A175 |
| Issue date | 05/31/2014 |
| From | Office of Nuclear Regulatory Research |
| To | Doyle D |
| References | DG-1251, NRC-2011-0089, RIN 3150-AI98, TAC ME5953, RG-1.153, Rev. 2 |
| Download | ML14143A175 (30) |
NOTE:
The availability of this preliminary draft version of DG-1251 is intended to support the May 20, 2014, public meeting with the Advisory Committee on Reactor Safeguards Subcommittee on Digital Instrumentation and Control.
The NRC is not soliciting public comments on DG-1251 at this time. The NRC will publish a notice in the Federal Register announcing the availability of and opportunity to comment on DG-1251. The NRC will respond to any such comments in the Federal Register notice announcing the availability of the final regulatory guide.
U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REGULATORY RESEARCH
DRAFT REGULATORY GUIDE
Division 1, May 2014
Technical Lead: Michael E. Waterman, 301-251-7451
This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received final staff review or approval and does not represent an official NRC final staff position. Public comments are being solicited on this draft guide and its associated regulatory analysis. Comments should be accompanied by appropriate supporting data. Written comments may be submitted through the federal government rulemaking Web site at http://www.regulations.gov. Alternatively, written comments may be submitted to the Rules, Announcements, and Directives Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Comments must be submitted by [insert date here].
Electronic copies of this draft regulatory guide, previous versions of this guide, and other recently issued guides are available through the NRC's public Web site under the Regulatory Guides document collection of the NRC Library at http://www.nrc.gov/reading-rm/doc-collections/reg-guides/. The draft regulatory guide is also available through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML112160394. The regulatory analysis may be found in ADAMS under Accession No. ML120310194.
DRAFT REGULATORY GUIDE DG-1251 (Proposed Revision 2 of Regulatory Guide 1.153, dated June 1996)
CRITERIA FOR THE POWER, INSTRUMENTATION, AND CONTROL PORTIONS OF SAFETY SYSTEMS FOR NUCLEAR POWER PLANTS
A. INTRODUCTION
Purpose
This regulatory guide (RG) addresses the criteria for the power, instrumentation, and control portions of safety systems for nuclear power plants as specified in Section 50.55a(h), Title 10, Part 50 of the Code of Federal Regulations (10 CFR Section 50.55a(h)) (Ref. 1). The regulation incorporates by reference Institute of Electrical and Electronics Engineers (IEEE) Standard (IEEE Std) 279-1971, IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations (Ref. 2); IEEE Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (Ref. 3); IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations Correction Sheet issued January 30, 1995 (Ref. 4); and IEEE Std 603-2009, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (Ref. 5).
Applicable Rules and Regulations
10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, (Ref. 1) governs the licensing of nuclear power plants and requires that structures, systems, and components that are important to safety in a nuclear power plant be designed to remain functional under postulated design-basis events (DBEs).
10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants, (GDC) (Ref. 1) contains, in part, requirements for the design, reliability, qualification, and testability of safety systems.
10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants, (Ref. 6) governs the issuance of early site permits, standard design certifications, combined licenses, standard design approvals, and manufacturing licenses for nuclear power facilities licensed under Section 103 of the Atomic Energy Act of 1954, as amended (68 Stat. 919), and Title II of the Energy Reorganization Act of 1974 (88 Stat. 1242).
Pre-Decisional DG-1251 Rev. 1 Page 2
Related Guidance
IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, (Ref. 7). This standard provides additional computer-specific requirements to supplement the criteria and requirements of IEEE Std 603.
RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, (Ref. 8).
This RG describes a method that the NRC staff deems acceptable for complying with NRC regulations for promoting high functional reliability, design quality, and a secure development and operational environment (SDOE) for the use of digital computers in the safety systems of nuclear power plants. In this context, the term computer identifies a system that includes computer hardware, software, firmware, and interfaces.
NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, (Ref. 9). The Standard Review Plan (SRP) is prepared for the guidance of staff reviewers in the Office of Nuclear Reactor Regulation in performing safety reviews of applications to construct or operate nuclear power plants. The principal purpose of the SRP is to assure the quality and uniformity of staff reviews and to present a well-defined base from which to evaluate proposed changes in the scope and requirements of reviews. It is also a purpose of the SRP to make information about regulatory matters widely available and to improve communication and understanding of the staff review process by interested members of the public and the nuclear power industry.
RG 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, (Ref. 10). This RG provides guidance to licensees and applicants on methods acceptable to the NRC staff for complying with the NRC's regulations on design, installation, and testing practices for addressing the effects of electromagnetic and radio-frequency interference (EMI/RFI) and power surges on safety-related instrumentation and control (I&C) systems.
RG 1.53, Application of the Single-Failure Criterion to Safety Systems, (Ref. 11). This RG provides guidance for satisfying the NRC's regulations with respect to the application of the single-failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems.
IEEE Std 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, (Ref. 12). This standard provides basic requirements for qualifying Class 1E equipment and interfaces used in nuclear power generating stations.
RG 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants, (Ref. 13). This RG describes a method that the NRC staff considers acceptable for determining the environmental qualification procedures for safety-related computer-based I&C systems for service within nuclear power plants. In so doing, this guide endorses certain practices in the current national standard, and it incorporates guidance to address specific issues posed by the application of microprocessor-based technology.
IEEE Std 323-1974, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, (Ref. 14). This standard gives generic requirements and methods for qualifying Class 1E equipment.
RG 1.89, Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants, (Ref. 15). This RG describes a method acceptable to the NRC staff for complying with 10 CFR 50.49 with regard to qualification of electric equipment important to safety for service in nuclear power plants to ensure that the equipment can perform its safety function during and after a design basis accident.
NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, (Ref. 16). This report describes a method for analyzing computer-based nuclear reactor protection systems that discovers design vulnerabilities to common-mode failure.
NUREG/CR-7007, Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems, (Ref. 17). This report presents the technical basis for establishing acceptable mitigating strategies that resolve diversity and defense-in-depth assessment findings.
Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems, (Ref. 18). The purpose of BTP 7-19 is to provide guidance for evaluating an applicant's diversity and defense-in-depth assessment, design, and the design of manual controls and displays to ensure conformance with the NRC position on diversity and defense-in-depth for instrumentation and control systems incorporating digital, software-based or software-logic-based safety systems, auxiliary supporting features, and other auxiliary features.
Purpose of Regulatory Guides
The NRC issues RGs to describe to the public methods that the NRC staff considers acceptable for use in implementing specific parts of the agency's regulations, to explain techniques that the NRC staff uses in evaluating specific problems or postulated accidents, and to provide guidance to applicants.
RGs are not substitutes for regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs will be deemed acceptable if they provide a basis for the findings required for the issuance or continuance of a permit or license by the NRC.
Paperwork Reduction Act
This RG contains information collection requirements covered by 10 CFR part 50 and 10 CFR part 52 that the Office of Management and Budget (OMB) approved under OMB control number 3150-0011 and OMB control number 3150-0151, respectively. The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.
B. DISCUSSION
Reason for Change
This revision of RG 1.153 provides the underlying basis of the 10 CFR 50.55a(h) regulations when implementing or modifying safety systems in nuclear power plants. This regulatory guidance was issued to support issuance of the revision to 10 CFR 50.55a(h) that incorporates by reference IEEE Std 279-1971, IEEE Std 603-1991 and the correction sheet dated January 30, 1995, and IEEE Std 603-2009, as discussed in Federal Register Notice (FRN) xxxxxx (Ref. 19).
The previous edition of 10 CFR 50.55a(h)(2), Protection systems, required that the protection systems in nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, meet the requirements stated in either IEEE Std 279-1971, or IEEE Std 603-1991 and the correction sheet dated January 30, 1995. The IEEE superseded these standards with IEEE Std 603-2009.
Consequently, the previous version of 10 CFR 50.55a(h) was revised to incorporate by reference IEEE Std 603-2009, and to specify requirements for using IEEE Std 603-2009 and the earlier versions of this standard that had been previously incorporated into the regulation.
The NRC issued RG 1.153 in June 1996 (Ref. 20) to state that conformance with the requirements of IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations (including the correction sheet dated January 30, 1995), provided a method acceptable to the NRC staff for satisfying the Commission's regulations with respect to the design, reliability, qualification, and testability of the power, instrumentation, and control portions of nuclear power plant safety systems. This regulatory guidance allowed licensees of nuclear power plants licensed to IEEE Std 279-1971 to use IEEE Std 603-1991 and the correction sheet dated January 30, 1995, when performing protection system modifications.
Background
The IEEE Std 603 series began with IEEE Std 279-1968, IEEE Standard: Criteria for Nuclear Power Plant Protection Systems (Ref. 21), a trial-use standard for protection systems. This was followed by IEEE Std 279-1971, a standard for protection systems, which the IEEE then superseded with IEEE Std 603-1977, Trial-Use Standard Criteria for Safety Systems to Nuclear Power Generating Stations, issued in 1977 (Ref. 22). IEEE Std 603 was revised and issued in 1980 as IEEE Std 603-1980, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (Ref. 23); in 1987 as IEEE Std 603-1987, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations; Correction Sheet (Ref. 24); in 1991 as IEEE Std 603-1991, supplemented by the correction sheet dated January 30, 1995; and in 1998 as IEEE Std 603-1998, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (Ref. 25). The current revision, IEEE Std 603-2009, provides the current IEEE criteria for safety systems.
The previous edition of 10 CFR 50.55a(h)(2), Protection systems, required that the protection systems in nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, meet the requirements stated in either IEEE Std 279-1971, or IEEE Std 603-1991 and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, 10 CFR 50.55a(h)(2) required that protection systems be consistent with their licensing basis or meet the requirements of IEEE Std 603-1991 and the correction sheet dated January 30, 1995.
Further, the previous edition of 10 CFR 50.55a(h)(3), Safety systems, required that applications filed on or after May 13, 1999, for construction permits and operating licenses under 10 CFR part 50, and for design approvals, design certifications, and combined licenses under 10 CFR part 52, meet the requirements for safety systems stated in IEEE Std 603-1991 and the correction sheet dated January 30, 1995.
The IEEE superseded the above referenced standards with IEEE Std 603-2009. The previous version of 10 CFR 50.55a(h) was revised to incorporate by reference IEEE Std 603-2009, and to specify requirements for using IEEE Std 603-2009 or earlier versions of this standard on the basis of the dates of license and construction permit applications, and the extent of modifications of existing protection systems and safety systems or installations of new safety functions and systems. The current version of 10 CFR 50.55a(h) affects applicants for new reactor designs and licensees of currently operating nuclear power plants who apply for a license or a license amendment. Since publication of RG 1.153, Revision 1 in 1996, the IEEE published IEEE Std 603-2009 to:
- address potential safety issues that might arise from incorporating components that use advanced technologies in safety systems;
- provide additional and updated references and exclude references that are no longer in effect;
- provide guidance to address electromagnetic compatibility issues;
- add new criteria for common cause failure;
- classify requirements for equipment not credited to perform a safety function but connected to safety-related equipment;
- remove the requirement in section 6.7, Maintenance bypass, for conforming to IEEE Std 603-2009 section 5.1, Single failure, and section 6.3, Interaction between the sense and command features and other systems; and
- specifically require electrical isolation and digital communication independence between safety systems and non-safety systems.
Consequently, the NRC updated 10 CFR 50.55a(h) to incorporate by reference IEEE Std 603-2009, with conditions, in addition to retaining the incorporation by reference for IEEE Std 279-1971, IEEE Std 603-1991, and the IEEE Std 603-1991 correction sheet dated January 30, 1995.
Harmonization with International Standards
The international standards and guides listed below are generally consistent with the principles in the standards incorporated by reference in 10 CFR 50.55a(h). These international standards and guides provide useful information for implementing safety systems in nuclear power plants and utilization facilities, although they may not provide a one-to-one correlation with the standards incorporated by reference in 10 CFR 50.55a(h). However, the NRC does not endorse these standards and guides and does not recognize these standards and guides as an acceptable means for complying with the requirements of 10 CFR 50.55a(h).
International Atomic Energy Agency (IAEA) Safety Guide NS-G-1.1, Software for Computer Based Systems Important to Safety in Nuclear Power Plants Safety Guide, November 2000 (Ref. 26)
IAEA Safety Guide NS-G-1.3, Instrumentation and Control Systems Important to Safety in Nuclear Power Plants Safety Guide, March 2002 (Ref. 27)
International Electrotechnical Commission (IEC) 60709, Edition 2.0, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Separation, November 2004 (Ref. 28)
IEC 60780, Edition 2.0, Nuclear Power Plants - Electrical Equipment of the Safety System - Qualification, October 1998 (Ref. 29)
IEC 60880, Edition 2.0, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions, May 2006 (Ref. 30)
IEC 60880-2, Edition 1.0, Software for Computers Important to Safety for Nuclear Power Plants - Part 2: Software Aspects of Defense against Common Cause Failures, Use of Software Tools and of Pre-Developed Software, December 2000 (Ref. 31)
IEC 60980, Edition 1.0, Recommended Practices for Seismic Qualification of Electrical Equipment of the Safety System for Nuclear Generating Stations, June 1989 (Ref. 32)
IEC 61226, Edition 3.0, Nuclear Power Plants - Instrumentation and Control Important to Safety - Classification of Instrumentation and Control Functions, July 2009 (Ref. 33)
IEC 61888, Edition 1.0, Nuclear Power Plants - Instrumentation Important to Safety - Determination and Maintenance of Trip Setpoints, August 2002 (Ref. 34)
IEC 62385, Edition 1.0, Nuclear Power Plants - Instrumentation and Control Important to Safety - Methods for Assessing the Performance of Safety System Instrument Channels, June 2007 (Ref. 35)
Documents Discussed in Staff Regulatory Guidance
This RG addresses the use of three standards and a correction sheet developed by the IEEE.
These standards contain references to other IEEE standards (secondary references). If a secondary reference has itself been incorporated by reference into NRC regulations as a requirement, then licensees and applicants must comply with that standard as set forth in the regulation. If the secondary reference has been endorsed in an RG as an acceptable approach for meeting an NRC requirement, then the standard constitutes a method acceptable to the NRC staff for meeting that regulatory requirement as described in the specific RG. If the secondary reference has neither been incorporated by reference into NRC regulations nor endorsed in an RG, then the secondary reference is neither a legally binding requirement nor a generic NRC-approved acceptable approach for meeting an NRC requirement. However, licensees and applicants may consider and use the information in the secondary reference, if appropriately justified, consistent with current regulatory practice, and consistent with applicable NRC requirements.
C. STAFF REGULATORY GUIDANCE
As stated in 10 CFR 50.55a(h), conformance with the requirements in IEEE Std 279-1971, IEEE Std 603-1991 and the correction sheet dated January 30, 1995, IEEE Std 603-2009, and the additional requirements specified in 10 CFR 50.55a(h) is required with respect to the design, reliability, qualification, and testability of the power, instrumentation, and control portions of the safety systems of nuclear power plants. The following discussion describes the underlying bases of 10 CFR 50.55a(h)(1) through (h)(8). The guidance provided in the following discussion does not modify the scope of 10 CFR 50.55a(h).
Definitions
Definitions of terms used in this section are provided in the Glossary at the end of this guide.
10 CFR 50.55a(h)(1) - Reserved for Future Use
10 CFR 50.55a(h)(1) was reserved for future use. In the previous version of 10 CFR 50.55a(h), this paragraph provided references to IEEE standards that continue to be incorporated by reference into the regulations (i.e., IEEE Std 279-1971, IEEE Std 603-1991, and the IEEE Std 603-1991 correction sheet dated January 30, 1995). These references and the reference to IEEE Std 603-2009 are provided in 10 CFR 50.55a paragraph (a)(2). Paragraph 50.55a(h)(1) is reserved for future use so that licensees and applicants of current and pending licensing actions would not be required to revise their documentation to be consistent with a different paragraph structure in the current edition of 10 CFR 50.55a(h).
10 CFR 50.55a(h)(2) - Issue Date Applicability
Conditions for the use of IEEE Std 279-1971 and versions of IEEE Std 603 are provided in 10 CFR 50.55a(h)(2)(i) through (h)(2)(vii). Paragraph 50.55a(h)(2) identifies the specific criteria to be addressed for protection systems and safety systems. The criteria are subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7), and to the earlier standards' requirements for (1) operating plants, (2) new plants and manufacturing licenses on the basis of the issue date of the construction permit, (3) standard design certifications, and (4) manufacturing licenses. The following discussion addresses the basis underlying each of the subparagraphs under 10 CFR 50.55a(h)(2).
Paragraph 50.55a(h)(2)(i) clarifies the requirements for protection systems and safety systems in nuclear power plants with construction permits issued before January 1, 1971. Licensees of plants in this category may retain the licensing basis of their plant protection systems and safety systems (i.e., the plant licensing basis or IEEE Std 603-1991 and the correction sheet dated January 30, 1995). Licensees are not required to modify or replace protection systems or safety systems to meet the requirements in IEEE Std 603-2009. This paragraph does not allow licensees to lessen the requirements stated in their existing protection system or safety system licensing basis. For example, a safety system that meets the requirements stated in IEEE Std 603-1991 and the correction sheet dated January 30, 1995, could not be modified such that it met only the requirements stated in its original licensing basis.
By preserving the current licensing basis for the protection systems and safety systems addressed in 10 CFR 50.55a(h)(2)(i), licensees are not required to modify or replace systems that were approved prior to 30 days after the effective date of 10 CFR 50.55a(h) to meet the requirements stated in IEEE Std 603-2009.
Paragraph 50.55a(h)(2)(ii) clarifies the requirements for protection systems and safety systems in nuclear power plants whose construction permits were issued on or after January 1, 1971, but before May 13, 1999. This paragraph does not apply to combined operating licenses or to standard design certifications. Protection systems and safety systems that are not subject to the requirements of 10 CFR 50.55a(h)(3) are required to meet the requirements stated in the protection system or safety system licensing basis in effect 30 days after the effective date of 10 CFR 50.55a(h) instead of the requirements stated in IEEE Std 603-2009 (i.e., IEEE Std 279-1971, or IEEE Std 603-1991 and the IEEE Std 603-1991 correction sheet dated January 30, 1995).
Paragraph 50.55a(h)(2)(ii) does not allow licensees to lessen the requirements stated in the licensing basis for their protection systems or safety systems. For example, a safety system whose current licensing basis is IEEE Std 603-1991 and the IEEE Std 603-1991 correction sheet dated January 30, 1995, could not be modified such that it met only the protection system requirements stated in IEEE Std 279-1971.
By preserving the current licensing basis for the plant protection systems and safety systems addressed in 10 CFR 50.55a(h)(2)(ii), licensees are not required to modify or replace systems that were approved prior to 30 days after the effective date of 10 CFR 50.55a(h) to meet the safety system requirements stated in IEEE Std 603-2009.
Paragraph 50.55a(h)(2)(iii) clarifies the requirements for protection systems and safety systems in standard design certifications issued after January 1, 1971, but before May 13, 1999. Two standard design certifications have been codified in 10 CFR Part 52 between these dates: the U.S. Advanced Boiling Water Reactor (ABWR) (10 CFR Part 52, appendix A) and the System 80+ (10 CFR Part 52, Appendix B). As specified in 10 CFR 52.63, 10 CFR 52.83, 10 CFR 52.98, and 10 CFR 52.171, subject to the requirements stated in 10 CFR 50.55a(h)(3), the protection systems in these two standard design certifications are required to meet the requirements stated in IEEE Std 279-1971 instead of the requirements stated in IEEE Std 603-2009 regardless of the date a combined operating license referencing either standard design certification plant is issued. For example, an applicant obtaining a combined operating license for an ABWR nuclear power plant is required to meet the protection system requirements stated in IEEE Std 279-1971 instead of the safety system requirements stated in IEEE Std 603-2009, even though the combined operating license was issued 30 days after the effective date of 10 CFR 50.55a(h).
Paragraph 50.55a(h)(2)(iv) clarifies the requirements for safety systems in standard design certifications issued on or after May 13, 1999, but before 30 days after the effective date of 10 CFR 50.55a(h). As of April 1, 2012, two standard design certifications have been codified in 10 CFR Part 52 after May 13, 1999: a 600 MWe advanced pressurized water reactor (the AP600) (10 CFR Part 52, Appendix C) and a 1,000 MWe advanced pressurized water reactor (the AP1000) (10 CFR part 52, appendix D). As specified in 10 CFR 52.63, 10 CFR 52.83, 10 CFR 52.98, and 10 CFR 52.171, subject to the requirements stated in 10 CFR 50.55a(h)(3) through (h)(7), the safety system designs in these two standard design certifications are required to meet the requirements stated in IEEE Std 603-1991 and the IEEE Std 603-1991 correction sheet dated January 30, 1995, instead of the requirements stated in IEEE Std 603-2009. For example, an applicant applying 30 days after the effective date of 10 CFR 50.55a(h) for a combined operating license for an AP1000 nuclear power plant is required to meet the requirements stated in IEEE Std 603-1991 and the correction sheet dated January 30, 1995, instead of the requirements stated in IEEE Std 603-2009, even though the combined operating license would be issued 30 days after the effective date of 10 CFR 50.55a(h).
Paragraph 50.55a(h)(2)(v) clarifies the safety system requirements for standard design certifications issued 30 days after the effective date of 10 CFR 50.55a(h). Safety systems in standard design certifications issued 30 days after the effective date of 10 CFR 50.55a(h) are required to meet the requirements stated in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(3) through (h)(7).
Paragraph 50.55a(h)(2)(vi) clarifies the requirements for protection system designs and safety system designs for nuclear power plants with construction permits under 10 CFR Part 50 issued 30 days after the effective date of 10 CFR 50.55a(h). The protection system designs and safety system designs in construction permits under 10 CFR part 50 issued 30 days after the effective date of 10 CFR 50.55a(h) are required to meet the requirements stated in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(3) through (h)(7).
Paragraph 50.55a(h)(2)(vii) clarifies the requirements for safety system designs in nuclear power plant combined operating licenses and manufacturing licenses under 10 CFR Part 52 issued 30 days after the effective date of 10 CFR 50.55a(h). Combined operating licenses and manufacturing licenses that reference a standard design certification issued before 30 days after the effective date of 10 CFR 50.55a(h) are required to meet the requirements stated in the referenced standard design certification. For example, a safety system design for a combined operating license issued 30 days after the effective date of 10 CFR 50.55a(h) that references a standard design certification issued on or after May 13, 1999, but before 30 days after the effective date of 10 CFR 50.55a(h) would be required to meet the requirements stated in IEEE Std 603-1991 and the IEEE Std 603-1991 correction sheet dated January 30, 1995, instead of meeting the requirements stated in IEEE Std 603-2009. Safety system designs in combined operating licenses and manufacturing licenses that reference a standard design certification issued 30 days after the effective date of 10 CFR 50.55a(h) are required to meet the requirements stated in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(3) through (h)(7).
Table 1 summarizes the 10 CFR 50.55a(h)(2) criteria to be met on the basis of the issue date of a plant's construction permit under 10 CFR Part 50 and standard design certification, combined license, or manufacturing license under 10 CFR Part 52. The standards listed in the Standard Applicability column designate the licensing basis standards that are applicable for the corresponding paragraph in 10 CFR 50.55a(h). References to IEEE Std 603-1991 include the IEEE Std 603-1991 correction sheet dated January 30, 1995.
Table 1 - 10 CFR 50.55a(h) Issue Date Applicability

| Construction Permit, Standard Design Certification, Combined License, or Manufacturing License Issue Date | 10 CFR 50.55a Paragraph | Standard Applicability¹ |
|---|---|---|
| Nuclear power plant construction permits issued before January 1, 1971 | (h)(2)(i) | Licensing basis, or IEEE Std 603-1991² |
| Nuclear power plant construction permits issued on or after January 1, 1971, and before May 13, 1999 | (h)(2)(ii) | IEEE Std 279-1971, or IEEE Std 603-1991² |
| Standard design certifications issued before May 13, 1999 | (h)(2)(iii) | IEEE Std 279-1971 |
| Standard design certifications issued on or after May 13, 1999, but before 30 days after the effective date of 10 CFR 50.55a(h) | (h)(2)(iv) | IEEE Std 603-1991² |
| Standard design certifications issued 30 days after the effective date of 10 CFR 50.55a(h) | (h)(2)(v) | IEEE Std 603-2009 |
| Applications submitted 30 days after the effective date of 10 CFR 50.55a(h) for nuclear power plant construction permits and operating licenses under 10 CFR Part 50 | (h)(2)(vi) | IEEE Std 603-2009 |
| Nuclear power plant combined licenses and manufacturing licenses under 10 CFR Part 52 issued 30 days after the effective date of 10 CFR 50.55a(h), referencing a standard design certification issued before 30 days after the effective date of 10 CFR 50.55a(h) | (h)(2)(vii) | IEEE Std 279-1971, or IEEE Std 603-1991² |
| Nuclear power plant combined licenses and manufacturing licenses under 10 CFR Part 52 issued 30 days after the effective date of 10 CFR 50.55a(h), referencing a standard design certification issued 30 days after the effective date of 10 CFR 50.55a(h) | (h)(2)(vii) | IEEE Std 603-2009 |

Notes:
1. [footnote text not present in source]
2. Including the correction sheet dated January 30, 1995.

10 CFR 50.55a(h)(3) - Modifications and Installations of Protection Systems and Safety Systems
Conditions for meeting the criteria stated in IEEE Std 279 and versions of IEEE Std 603 are provided in 10 CFR 50.55a(h)(3) to clarify the applicability of IEEE Std 603-2009 and earlier standards for: (1) currently operating plants under 10 CFR Part 50, (2) standard design certifications, combined operating licenses, and manufacturing licenses under 10 CFR Part 52, and (3) modifications of protection systems and safety systems, and installations of new protection system functions and safety system functions. Paragraph 50.55a(h)(3) preserves the current licensing basis for plants in which a modification or replacement would not add new functionality or new technology, change the independence strategy, or change the diversity strategy in the existing protection system functions or safety system functions. However, licensees and applicants are required to apply IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7), for changes to plant protection systems or safety systems that add new safety functionality or new technology, or change the independence strategy or the diversity strategy in the existing protection system functions or safety system functions.
Paragraph 50.55a(h)(3) assures that the most current requirements will be met for new safety functionality or new technology being added to protection systems and safety systems. In the event the independence strategy for divisions is changed, these changes should be introduced into the protection system or safety system in accordance with the requirements in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7). Further, if the system diversity strategy would be changed in a protection system or safety system, the revised system diversity strategy should meet the requirements stated in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7), to assure that the revised system diversity strategy addresses regulatory criteria.
Paragraph 50.55a(h)(3) does not allow licensees to use a licensing basis or standard that results in a lessening of the requirements stated in the licensing basis for the protection system or safety system. For example, a safety system whose licensing basis meets the requirements stated in IEEE Std 603-1991 and the correction sheet dated January 30, 1995, could not be modified such that it met only the requirements stated in IEEE Std 279-1971.
Paragraph 50.55a(h)(3) reduces licensing uncertainty by providing consistent licensing criteria for modifications of existing protection systems and safety systems, and installations of protection system functions and safety system functions.
While the requirement in 10 CFR 50.55a(h)(3) is intended to address all cases involving modifications and installations of protection systems and safety systems, specific cases of modifications or replacements may arise that do not clearly fall under any of the categories it describes. In those cases, 10 CFR 50.55a(h)(3) requires licensees and applicants to meet the requirements stated in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7), as this is the most conservative of the alternatives for specifying protection system and safety system requirements.
The following seven examples, which are summarized in Table 2, illustrate the application of 10 CFR 50.55a(h)(3) for different types of protection system or safety system modifications or replacements. These examples are for illustrative purposes only.
Example 1. In this example, a licensee replaces a power supply in a single division with a new power supply that has the same functionality and technology. As part of this modification, the licensee determines that the functionality and technology of the new power supply would not be changed. The licensee determines that independence between the redundant divisions and the power trains would be maintained such that a failure occurring in the new power supply would not cause the redundant division or power train to fail. The licensee determines there would be no potential for a common cause failure to occur in the power supplies of the redundant trains.
In this case, 10 CFR 50.55a(h)(3) requires that the protection system or safety system requirements stated in a plant's licensing basis be applicable for this modification. In modifications such as this, licensees and applicants are not required to modify or replace an existing protection system or safety system to meet the requirements stated in IEEE Std 603-2009 when making the modification, because the modification would not affect the licensing basis of the plant.
Example 2. In this example, a licensee replaces all four divisions of the protection system pressure measurement instrumentation with new pressure measurement instrumentation that has the same function and technology (including equipment qualification characteristics). The licensee ensures the new pressure instrumentation would not change the existing independence between redundant divisions of the protection system, and the diversity strategy would not be changed. In this case, the modification would be required by 10 CFR 50.55a(h)(3) to meet the requirements in the licensing basis.
Example 3. In this example, a licensee replaces the departure from nucleate boiling ratio (DNBR) reactor trip system function with an improved DNBR reactor trip system function based on the same technology. The DNBR reactor trip system function protects the fuel rod cladding from damage caused by overheating when reactor coolant thermodynamic or thermal-hydraulic conditions (e.g., reactor coolant pressure, temperature, or coolant flow rate) become degraded such that the reactor must be shut down to prevent further overheating. This safety function is a diverse means of shutting down the reactor if the protection system fails to detect a coolant condition that could adversely affect the fuel rod cladding. The licensee determines that the proposed change would not change the safety system diversity strategy or the independence between redundant divisions of the safety system. The licensee further determines that the proposed DNBR safety function would be implemented with the same system functionality. The licensee, therefore, may implement the new DNBR safety function in conformance with the plant's existing licensing basis instead of meeting the requirements stated in IEEE Std 603-2009.
Example 4. In this example, a licensee modifies a microprocessor-based DNBR safety function by adding functionality to the DNBR safety function to allow the reactor operator to manually select one of four divisions of input data for each of the four previously independent DNBR divisions. This change in functionality and independence strategy would require the safety function to meet the requirements in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7), because the functionality and independence strategy would be changed.
Example 5. In this example, a licensee replaces an analog-based reactor protection system with a microprocessor-based reactor protection system. Paragraph 50.55a(h)(3) requires that replacement of the protection system with an equivalent protection system implemented with a different technology meet the requirements stated in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7). As further clarification of 10 CFR 50.55a(h)(3), the new system-level functions or technology would include (but would not be limited to) sensor input modules, trip bistable and signal processing modules, communication protocols for redundant divisions or external systems, and trip signal voting modules or processors. Reusing existing components in the protection system (e.g., cables, sensors, field-mounted signal conditioning equipment, control room panels, and operator displays) as a part of the system-level protection system modification would not exclude this type of modification from the requirements of IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7).
Paragraph 50.55a(h)(3) requires licensees and applicants to use the most current system safety requirements available when planning, developing, and implementing new protection systems and safety systems that use functions (including changes to independence) or technology (including changes to equipment qualification characteristics) that are different from the system being replaced.
Example 6. In this example, a licensee proposes to replace a microprocessor-based DNBR safety function with another digital-based DNBR safety function. To improve availability, the licensee proposes to share all four divisions of instrument data between the DNBR safety functions, thereby reducing the independence between redundant divisions. In this example, the diversity strategy would not be changed because the diversity arising from use of a DNBR function would be preserved. However, since independence between redundant divisions of the safety system would be decreased by eliminating communication independence, the proposed DNBR modification is required to meet the requirements in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7).
Example 7. In the final example, a licensee replaces a microprocessor-based main steamline and feedwater isolation subsystem with a field-programmable gate array-based (FPGA-based) subsystem that adds new system functionality and operating characteristics that require different methods for coping with system failure modes (e.g., different common cause failure consequences that change the type and the timing of operator responses). Since system functionality and diversity strategy would be changed, the licensee is required to meet the requirements in IEEE Std 603-2009, subject to the conditions in 10 CFR 50.55a(h)(4) through (h)(7).
Using the above examples, Table 2 summarizes the 10 CFR 50.55a(h) requirements to be met on the basis of the scope of a modification, replacement, or installation of a protection system, safety system, or safety function.
Table 2 - Examples of modifications and replacements of components, functions, and systems

| Example | Modification or Replacement Example | F | T | I | D | Applicable Standard |
|---|---|---|---|---|---|---|
| 1 | Power supply replaced in one power train division | no | no | no | no | Licensing Basis Standard |
| 2 | Pressure measurement instrumentation replaced with new pressure measurement instrumentation in all four divisions of the protection system | no | no | no | no | Licensing Basis Standard |
| 3 | DNBR safety function replaced with improved DNBR safety function | no | no | no | no | Licensing Basis Standard |
| 4 | Added functionality to DNBR safety function to allow manual selection of one of four divisions of input data for each DNBR division | yes | yes | yes | yes | IEEE Std 603-2009 (subject to the conditions in 10 CFR 50.55a paragraph (h)(4) through paragraph (h)(7)) |
| 5 | Modified a protection system with components based on a different technology | no | yes | no | no | IEEE Std 603-2009 (subject to the conditions in 10 CFR 50.55a paragraph (h)(4) through paragraph (h)(7)) |
| 6 | Modified divisions such that independence was changed | no | no | yes | no | IEEE Std 603-2009 (subject to the conditions in 10 CFR 50.55a paragraph (h)(4) through paragraph (h)(7)) |
| 7 | Modified a safety function such that protection system diversity strategy was changed | yes | no | no | yes | IEEE Std 603-2009 (subject to the conditions in 10 CFR 50.55a paragraph (h)(4) through paragraph (h)(7)) |

Columns F, T, I, and D answer the question: was Functionality (F), Technology (T), Independence strategy (I), or Diversity strategy (D) changed?

10 CFR 50.55a(h)(4) - System Integrity Requirements

Paragraph 50.55a(h)(4) amplifies the requirements stated in IEEE Std 603-2009 Section 5.5, System Integrity. Paragraph 50.55a(h)(4) requires that in order to assure the integrity and reliable operation of safety systems, safety functions shall be designed to operate in a predictable and repeatable manner. Predictable and repeatable operation of the system requires that the results of translating input signals to output signals are determined through known relationships among the controlled system states and required responses to those states, and in which a given set of input signals produce the same output signals for the full range of applicable conditions enumerated in the design basis. Predictable and repeatable systems, in general, do not provide the capability for unscheduled event-based interrupts or operator-based system interrupts to meet system safety requirements.
Systems that operate in a predictable and repeatable manner, in general, should not be designed with the capability for unscheduled event-based disruptions or operator-based system functions that would inhibit or prevent the system from meeting its safety requirements. Any analysis used to demonstrate system predictability and repeatability should be based on analysis of system characteristics (e.g., definitive design and performance criteria) as opposed to probabilistic analysis.
10 CFR 50.55a(h)(5) - Independence Requirements

Paragraph 50.55a(h)(5) amplifies the requirements stated in IEEE Std 603-2009, section 5.6, Independence. Protection systems and safety systems should implement provisions for protection against identified hazards.
Paragraph 50.55a(h)(5)(i) provides requirements for applicants to address independence among redundant portions of safety systems. Receipt of information from outside a safety division could increase the likelihood of impairing the safety function in that division. Provisions should be included to protect against the potential for impairing the safety function. Redundant portions of safety systems should be sufficiently independent such that those provisions are commensurate with the relative risk posed by any potential hazards identified. The degree of interconnectivity between redundant portions of safety systems should be evaluated to ensure that the potential to introduce pathways for such hazards to propagate is minimized. Applicants should evaluate the hazards introduced by such information sharing.
Paragraph 50.55a(h)(5)(ii) provides requirements for applicants to address independence between safety systems and other systems. Receipt of information from other systems could increase the likelihood of impairing a safety function in the safety system. Provisions should be included to protect against the potential for impairing the safety function. Safety systems should be sufficiently independent from other systems such that those provisions are commensurate with the potential hazards identified. The degree of interconnectivity between safety systems and other systems should be evaluated to ensure that the potential to introduce pathways for such hazards to propagate is minimized. Applicants should evaluate the hazards introduced by such information sharing.
Section 5.6.3.1.a.2.ii and section 5.6.3.1.b in IEEE Std 603-2009 use the term digital communications independence. This term excludes consideration of technologies other than digital, which could also impair safety. Therefore, communications independence between safety systems and other systems should be applied for all signal technologies.
Paragraph 50.55a(h)(5)(iii) clarifies requirements that apply to section 5.6 of IEEE Std 603-2009.
Safety system independence is a design principle that accounts for failures and interdependencies (both known and unknown) between plant systems and helps minimize the propagation of errors. To ensure independence, a safety system should not rely upon the performance or receipt of information from other external safety and/or non-safety systems to perform its safety function.
Communications independence provides a degree of protection against hazards that may impair a safety system. For example, a completely independent safety system would not have any communications link between redundant portions of safety systems or between safety and non-safety systems and therefore would be protected from the effects of communication failures or unexpected behaviors. However, having the ability to send information to non-safety systems could also be beneficial from a display, indication, diagnostic, and data recording perspective.
The sharing of signals between redundant portions of safety systems has typically only been used for the accomplishment of safety-related functions. Communications links can allow non-safety systems to be used as a means (e.g., online diagnostics) to monitor and maintain control system parameters of a safety system. Digital technology, including the use of digital communications features, may provide additional flexibility and functionality in safety and non-safety functions provided by nuclear power plant I&C systems; however, an integrated and interconnected digital communication system may also introduce additional unique failure modes and unexpected interdependencies.
Except for very simple systems, the performance of verification testing to identify all failure modes and interdependencies (e.g., latent defects) in the digital system development process is impractical, if not impossible, because the number of input and system states increases with the level of integration and interconnectivity. These errors and interdependencies may challenge the independence between redundant portions of safety systems and between safety systems and non-safety systems. These failure modes and dependencies may outweigh the benefits offered by the interconnectivity.
Paragraph 50.55a(h)(5)(iii)(A) clarifies that the signal processing portions of the safety system should provide the capability to ensure that degradation or failures of signals exchanged among redundant safety divisions or between safety systems and other systems do not propagate in a manner that results in impairment of the safety functions being performed by the safety system.
Paragraph 50.55a(h)(5)(iii)(B) clarifies that safety systems should be designed with provisions for detecting and mitigating the effects of signal faults or failures received from outside the safety division.
Redundant divisions of safety systems should have the capability of tolerating such faults or failures originating from outside the safety division in a manner that does not degrade the ability of the safety division to perform its safety functions.
Paragraph 50.55a(h)(5)(iii)(C) clarifies the requirements in section 5.6, Independence of IEEE Std 603-2009, for communications (e.g., either analog or digital signals) between redundant portions of safety systems and between safety and non-safety systems in currently operating nuclear power plant designs.
Specifically, 10 CFR 50.55a(h)(5)(iii)(C) clarifies that communications or signals received by a safety system from outside the division or system should be limited to only those that support the accomplishment of safety functions or otherwise benefit safety. Although this concept has been expressed in previous NRC guidance, the clarity of the guidance has been such that licensees and applicants have not been able to apply this concept consistently. The safety significance of this concept warranted the need for specific regulatory criteria.
For example, complexity is increased by interconnecting safety divisions or connecting maintenance work stations to the safety system. While sharing information among redundant portions of safety systems and between safety systems and other systems could be considered a means to increase safety system reliability and performance, adding complexity to a safety system has the potential to create additional hazards that should be analyzed and addressed. Analyses should (1) ensure the resulting system meets all the criteria in 10 CFR 50.55a(h)(5); and (2) evaluate the hazards introduced by the added complexity.
Paragraph 50.55a(h)(5)(iii)(D) clarifies the requirements in section 5.6, Independence of IEEE Std 603-2009, for communications (e.g., either analog or digital signals) between redundant portions of safety systems and between safety and non-safety systems in new reactor designs.
Paragraph 50.55a(h)(5)(iii)(D) limits the implementation of communications between redundant portions of safety systems and between safety and non-safety systems to limit failure modes and unexpected behaviors associated with communications, while preserving the benefits of digital technology and allowing functionality that improves reliability and availability.
As a general safety principle, hazards should be eliminated when possible during the design stage; otherwise, hazards should be mitigated. Communications that use programmable means to enforce independence could introduce failure modes associated with design errors. By implementing communication independence in the hardware architectural design, the potential for the propagation of design errors is minimized. Failure modes and unexpected behaviors can be minimized in such a design by implementing redundancy in the I&C system architecture design.
Paragraph 50.55a(h)(5)(iii)(D) applies to design certifications; standard design approvals; manufacturing licenses; and combined licenses not referencing a design certification, standard design approval, or manufacturing license under 10 CFR Part 52 issued on or after 30 days after the effective date of this rule. Paragraph 50.55a(h)(5)(iii)(D) also applies to construction permits and operating licenses under 10 CFR Part 50 issued on or after 30 days after the effective date of this rule, except for an applicant for an operating license who received a construction permit for that facility before the effective date of this rule. For combined licenses issued before the effective date of the rule, 10 CFR 50.55a(h)(5)(iii)(D) would only apply if the licensee modifies its data communications independence strategy. For example, if a combined license holder modified its safety I&C system architecture by adding additional controls of safety related equipment from non-safety systems using data communications, then only the modified portion of the architecture would need to comply with the applicable data communications requirements of 10 CFR 50.55a(h)(5)(iii)(D) (in this example, the applicable requirement is under 10 CFR 50.55a(h)(5)(iii)(D)(3)).
New reactors licensed under the 10 CFR Part 52 process are not required to provide design implementation details at the time of design certification. As stated in 10 CFR 52.47, the application must contain a level of design information sufficient to enable the NRC staff to reach a final conclusion on all safety questions associated with the design before the certification is granted. The requirements in 10 CFR 50.55a(h) allow new reactor applicants to demonstrate communications independence with a level of design information at the hardware architecture level without the need to provide detailed design implementation information, which is consistent with the requirements of 10 CFR 52.47. If a new reactor applicant chooses to implement software-based solutions to enforce communications independence, additional design details and implementation information (e.g., software code, testing data, factory acceptance test results, etc.) may be needed in the licensing basis to demonstrate that the software-based solutions to enforce communications independence are safe. Based on experience of new reactor I&C systems reviews conducted prior to the development of 10 CFR 50.55a(h), many applications did not have this level of information available during the time of design certification or licensing due to the state of design maturity.
It is preferable from a safety and licensing point of view to design systems to promote elimination of failure modes as opposed to incorporating strategies to mitigate the results of failures. New reactor designs are able to more readily accommodate 10 CFR 50.55a(h) requirements as these designs do not have a current licensing basis for an existing system that may impact the particular design. As such, 10 CFR 50.55a(h)(5)(iii)(D) does not apply to currently operating nuclear power plant licenses or operating licenses with construction permits issued before the effective date of 10 CFR 50.55a(h).
The independence requirements increase consistency of the regulatory framework for I&C systems in advanced reactors by requiring a simplified means to accomplish safety functions. This is supported by the 2007 National Academy of Sciences study, Software for Dependable Systems: Sufficient Evidence? (Ref. 36), which linked the issue of complexity to the independence design principle. Specifically, the study noted that the most important form of simplicity is that produced by independence, in which particular system-level properties are guaranteed by individual components much smaller than the system as a whole, which can preserve these properties despite failures in the rest of the system. Independence can be established in the overall design of the system, with the support of architectural mechanisms.
Non-safety digital I&C systems could have failure modes and behaviors for which a complete set of failure modes may not be fully identified or adequately mitigated. Specifically, since non-safety systems may not have been developed using the rigorous development activities that are required for safety systems (e.g., independent verification and validation, requirements traceability), there is more potential for the software in these non-safety systems to contain errors and defects. It is this potential for latent software design errors and hardware defects that may create failure modes and/or unexpected behavior within a non-safety system that may propagate to safety systems through the communications links of interconnected systems. Paragraph 50.55a(h)(5)(iii)(D)(1) is intended to eliminate or mitigate failure modes and unexpected behaviors associated with communication failures among interconnected I&C systems by restricting use of communication links from non-safety systems to safety systems during specific periods of operation.
A further concern for non-safety systems is that some of these systems may not be required to operate in a predictable and repeatable manner (e.g., no response time requirements, use of event-driven interrupts). This situation could potentially increase or introduce unidentified failure modes within these non-safety systems. Although safety-related isolation devices can be used to detect and prevent propagation of failures from non-safety systems to safety systems, these isolation devices may not be capable of addressing the effects of failures originating in non-safety systems because the full set of non-safety system failure modes may not be identified or anticipated. In addition, a safety system's ability to address potential failures (e.g., communications errors) propagated by non-safety systems may not be effective in addressing these failures. This situation may arise when the potential failures occur in a manner different than anticipated, and thus the software features in the safety system may not be able to detect or mitigate an unanticipated failure.
Paragraph 50.55a(h)(5)(iii)(D)(1) ensures that data communication from safety systems to non-safety systems is in one direction while the safety system division or channel is in operation, and is accomplished through hardware means. This will allow information to be transmitted to non-safety systems in a manner that prevents the receiving non-safety system from adversely impacting a safety function. By limiting the implementation of the data communication to one direction (i.e., from the safety system to the non-safety system) while the safety system division or channel is in operation, 10 CFR 50.55a(h)(5)(iii)(D)(1) allows for safety and non-safety systems to take advantage of digital technology without adversely affecting safety system functionality.
For example, 10 CFR 50.55a(h)(5)(iii)(D)(1) allows communication from safety systems to non-safety systems for display, control, recording, and diagnostics. Failure modes may still exist with use of data communications within the design; however, if the communication link is a physical one-way connection (i.e., no hand-shaking signal and only a fiber optic or copper wire connection from a transmit port to a receive port), then the failure modes associated with data communications are more effectively addressed by hardware designed to maintain the communication flow. The use of physical means (i.e., hardware devices) to prevent non-safety to safety system communication while the safety system division or channel is in operation further reduces reliance on software to maintain safety system independence.
The NRC recognizes that there may exist circumstances in which the sharing of information is necessary to accomplish a safety function. Although sharing of signals among redundant portions of safety systems could be considered a means to increase safety system reliability, operational performance, and availability, such sharing of signals has the potential to create additional failure modes and unexpected behaviors. Paragraph 50.55a(h)(5)(iii)(D)(2) ensures that transfer of signals between redundant portions of safety systems is only accomplished when the signal transferred is required for the performance of safety-related functions. The sharing of inputs to the coincidence logic (i.e., combining the logical results of each division to produce a safety system actuation signal) among otherwise independent redundant portions of the protection system has been found acceptable when this communication is required to accomplish safety-related functions or to perform safety interlock functions.
Paragraph 50.55a(h)(5)(iii)(D)(3) ensures that, for functions that require safety systems to receive signals from non-safety systems to ensure diversity and defense-in-depth or to support automatic anticipatory reactor trip functions, the signal transfer method is restricted to means that do not use data communication. For example, in accordance with the requirements of 10 CFR 50.55a(h)(6), diverse back-up systems may require connection to safety components to mitigate the effects of beyond design basis safety system common-cause failures. If the diverse back-up system is a non-safety system, then functionality of this system is limited to mitigating the effects of beyond design basis safety system common-cause failures (e.g., the non-safety system should not have the capability to perform control functions or modify safety-related functions during normal operations). Another example is a nuclear power plant design that implements anticipatory reactor trip functions (e.g. reactor trip on turbine trip). In these cases, a signal may need to be sent from a non-safety system to the reactor protection system to initiate the anticipatory reactor trip function.
If a signal is needed to support diversity and automatic anticipatory reactor trip functions as described in the examples above, then independence could be achieved through means other than data communications. These alternative means could be accomplished using Class 1E isolators. As required by 10 CFR 50.55a(h)(5)(ii), the hazards associated with the transmission of these signals over hardwired connections (e.g., EMI, spurious actuations) must be identified and addressed such that it can be demonstrated that a fault in the non-safety system would not propagate to the safety system.
Paragraph 50.55a(h)(5)(iii)(D)(3) limits transmission of signals to safety systems from other systems to only those that are necessary to accomplish defense-in-depth, diversity, and automatic anticipatory reactor trip functions. This paragraph does not allow for control of safety equipment from non-safety systems (e.g., non-safety control systems and multi-divisional display of controlling safety systems). In addition to the potential for errors in non-safety systems to impact the operation of safety systems, control of plant safety equipment could result in conditions that exceed a plants safety analysis limits. For example, failures in non-safety systems might result in spurious actuation of safety systems that result in plant conditions that exceed the safety analysis limits. Limiting the control of safety equipment from non-safety systems reduces the potential for such spurious actuations.
Paragraph 50.55a(h)(5)(iv) addresses the potential communication pathways introduced by an alternative approach to 10 CFR 50.55a(h) between a digital safety system and other systems, such as other safety systems or non-safety systems. This paragraph requires applicants of design certifications, standard design approvals, or manufacturing licenses to identify all direct and indirect communication pathways to safety systems to facilitate the identification of interdependencies and failure modes in the alternative design. For example, if a non-safety system is connected to a safety system to provide information on the status of the plant (e.g., either directly connected or indirectly through another non-safety system), then this connection must be identified to ensure that failure modes and unexpected behaviors associated with this connection can be addressed.
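As an added example (not from DG-1251 or the NRC), the following Python models the two points made above: it inventories every direct and indirect communication pathway into a safety system, as 10 CFR 50.55a(h)(5)(iv) requires applicants to identify, and it checks each non-safety-to-safety link against the purpose and non-data-communication restrictions discussed under 10 CFR 50.55a(h)(5)(iii)(D)(3). The plant model, system names, link purposes and media are constructed assumptions for illustration.

```python
"""Pathway inventory and independence checks for signals into safety systems.

Added example, not from DG-1251 or the NRC. A plant's I&C systems are modeled
as a directed graph of signal links (constructed sample data) and two checks
drawn from the discussion of 10 CFR 50.55a(h)(5)(iii)(D)(3) and (h)(5)(iv)
are applied. System names, purposes and media are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Purposes for which a non-safety system may send a signal into a safety system
# under (h)(5)(iii)(D)(3): diverse back-up for beyond-design-basis CCF
# mitigation, and automatic anticipatory reactor trip. Labels are assumptions.
ALLOWED_PURPOSES_INTO_SAFETY = {"diverse_ccf_mitigation", "anticipatory_trip"}


@dataclass(frozen=True)
class System:
    name: str
    is_safety: bool


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    medium: str              # "hardwired" or "data_communication"
    purpose: str             # e.g. "status", "control", "anticipatory_trip"
    class_1e_isolator: bool = False


def pathways_to_safety(systems: List[System], links: List[Link]) -> List[List[str]]:
    """List every simple path (direct or indirect) that ends at a safety system:
    the inventory (h)(5)(iv) asks applicants to identify."""
    adjacency: Dict[str, List[str]] = {}
    for link in links:
        adjacency.setdefault(link.src, []).append(link.dst)
    safety = {s.name for s in systems if s.is_safety}
    found: List[List[str]] = []

    def walk(path: List[str]) -> None:
        for nxt in adjacency.get(path[-1], []):
            if nxt in path:          # simple paths only; do not loop
                continue
            extended = path + [nxt]
            if nxt in safety:
                found.append(extended)
            walk(extended)           # keep going: a system may relay onward

    for system in systems:
        walk([system.name])
    return found


def check_links_into_safety(systems: List[System], links: List[Link]) -> List[Tuple[str, str]]:
    """Apply (h)(5)(iii)(D)(3) to each non-safety -> safety link.
    Returns ("violation", msg) for disallowed links and ("review", msg) where a
    hardwired path still needs the (h)(5)(ii) hazard analysis the guide describes."""
    is_safety = {s.name: s.is_safety for s in systems}
    findings: List[Tuple[str, str]] = []
    for link in links:
        if is_safety[link.src] or not is_safety[link.dst]:
            continue                 # only non-safety -> safety is restricted here
        edge = f"{link.src}->{link.dst}"
        if link.purpose not in ALLOWED_PURPOSES_INTO_SAFETY:
            findings.append(("violation", f"{edge}: purpose '{link.purpose}' is not "
                             "defense-in-depth, diversity or anticipatory trip"))
        if link.medium == "data_communication":
            findings.append(("violation", f"{edge}: signal into safety system uses data communication"))
        elif not link.class_1e_isolator:
            findings.append(("review", f"{edge}: hardwired path without Class 1E isolator; "
                             "EMI and spurious-actuation hazards must be addressed"))
    return findings


def example_model() -> Tuple[List[System], List[Link]]:
    """Constructed sample plant: two safety systems and four non-safety systems."""
    systems = [
        System("RPS", True),              # reactor protection system
        System("ESFAS", True),            # engineered safety features actuation
        System("DAS", False),             # diverse actuation system (non-safety)
        System("TurbineControl", False),
        System("PlantComputer", False),
        System("OperatorDisplay", False),
    ]
    links = [
        Link("RPS", "PlantComputer", "data_communication", "status"),
        Link("PlantComputer", "OperatorDisplay", "data_communication", "status"),
        Link("PlantComputer", "DAS", "data_communication", "status"),
        Link("DAS", "ESFAS", "hardwired", "diverse_ccf_mitigation", class_1e_isolator=True),
        Link("TurbineControl", "RPS", "hardwired", "anticipatory_trip"),
        Link("OperatorDisplay", "RPS", "data_communication", "control"),   # not permitted
    ]
    return systems, links


if __name__ == "__main__":
    systems, links = example_model()
    for path in pathways_to_safety(systems, links):
        print("pathway:", " -> ".join(path))
    for level, msg in check_links_into_safety(systems, links):
        print(f"{level.upper():9s} {msg}")
```

Note that the indirect pathway PlantComputer -> OperatorDisplay -> RPS is listed even though only the last hop is a non-safety-to-safety link; that is the kind of pathway the paragraph says must be identified so its failure modes can be addressed.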
10 CFR 50.55a(h)(6) - Common Cause Failure Requirements
Paragraph 50.55a(h)(6) amplifies the requirements stated in IEEE Std 603-2009, section 5.16, "Common cause failure criteria." The use of digital technology in safety systems has led to concerns that errors could lead to common cause failures (CCFs) that might disable one or more safety functions in redundant divisions of a safety system. Errors can be introduced into a system at any stage of the system development life cycle, including specification, development of requirements, design, implementation, integration, maintenance, or modification. Safety systems must have adequate defense in depth and diversity to compensate for CCFs.
Faults may result from errors that are undetected until challenged by a triggering mechanism (i.e., a specific event or operating state). A fault is systemic if it exists in multiple components in an integrated instrumentation and control system. A systemic fault becomes a CCF if a triggering event occurs that causes concurrent failures in multiple divisions of the safety system, thereby defeating one or more safety functions.
Digital safety system CCFs generally are not subject to the single-failure criterion of IEEE Std 379-2000; however, this category of CCFs is required to be addressed by performing a diversity and defense-in-depth analysis using the process described in 10 CFR 50.55a(h)(6), consistent with the Commission's policy stated in SECY-93-087 (Ref. 37).
In performing a diversity and defense-in-depth analysis, the applicant or licensee is required to analyze each postulated CCF for each event that is evaluated in the safety analysis report (SAR) section that presents the analysis of power operation accidents, at the plant conditions corresponding to the event.
This analysis may use best-estimate assumptions (i.e., realistic assumptions) to analyze the plant response to design basis events, or the conservative assumptions on which the SAR analysis is based.
A postulated CCF concurrent with an event evaluated in the accident analysis section of the SAR is considered a beyond design basis condition. Consequently, the diversity and defense-in-depth analysis may credit non-safety systems if the non-safety system is of sufficient quality to perform the necessary function under the postulated event conditions.
Guidance for performing diversity and defense-in-depth analyses using the process described in 10 CFR 50.55a(h)(6) is provided in NUREG-0800 (Ref. 8), chapter 7, "Instrumentation and Controls," Branch Technical Position 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems."
10 CFR 50.55a(h)(7) - Maintenance Bypass
Paragraph 50.55a(h)(7)(i) corrects IEEE Std 603-2009 section 6.5.1, "Checking the operational availability," which states:
"6.5.1 Checking the operational availability
Means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. This may be accomplished in various ways; for example:
a) By perturbing the monitored variable,
b) Within the constraints of 6.6, by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable, or
c) By cross-checking between channels that bear a known relationship to each other and that have readouts available."
Section 6.5.1.b in IEEE Std 603-2009 references section 6.6, "Operating Bypasses," in IEEE Std 603-2009. Section 6.6 requires safety systems to automatically override a safety function bypass condition when plant operating conditions require the safety function to be active. Section 6.7, "Maintenance Bypass," requires safety systems to accomplish safety functions while sense and command features equipment is in maintenance bypass.
Since section 6.5.1 addresses checking operational availability of safety functions, which is a maintenance activity and not an operating bypass state, 10 CFR 50.55a(h)(7)(i) requires that Section 6.5.1 reference Section 6.7, which addresses system bypasses during maintenance activities, instead of Section 6.6, which does not address maintenance activities.
Paragraph 50.55a(h)(7)(ii) clarifies requirements with regard to the ability of the safety system to continue to perform its required safety functions while redundant portions are in maintenance bypass mode. The paragraph also clarifies the need to demonstrate acceptable reliability of the portions of the safety system that are not in maintenance bypass mode. Section 6.7 in IEEE Std 603-2009 states, "Capability of a safety system to accomplish its safety function must be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features should continue to meet the requirements of 5.1 and 6.3."
The accompanying Note for section 6.7 states, "NOTE - For portions of the sense and command features that cannot meet the requirements of 5.1 and 6.3 when in maintenance bypass, acceptable reliability of equipment operation shall be demonstrated (e.g., that the period allowed for removal from service for maintenance bypass is sufficiently short, or additional measures are taken, or both, to ensure there is no significant detrimental effect on overall sense and command feature availability)."
In IEEE standards, Notes providing explanatory statements are used for emphasis or to offer informative suggestions about the technical content of a requirement. These Notes provide additional information concerning a particular requirement and are not mandatory requirements. A Note in the text of a requirement in an IEEE standard is an informative (i.e., non-binding) part of the standard; for that reason, the IEEE does not allow important information on safety, health, or the environment to be placed in a Note. Therefore, the Note in IEEE Std 603-2009 section 6.7 would not become a regulatory requirement or an alternative to the requirement(s) in the referencing section, even though IEEE Std 603-2009 would be incorporated by reference in 10 CFR 50.55a.
In contrast to IEEE Std 603-2009, section 6.7 in IEEE Std 603-1991 states, "Capability of a safety system to accomplish its safety function must be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features must continue to meet the requirements of 5.1 and 6.3.
EXCEPTION: One-out-of-two portions of the sense and command features are not required to meet [section] 5.1 and [section] 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability)."
Section 6.7 in IEEE Std 603-1991, as compared to section 6.7 in IEEE Std 603-2009, provides a more conservative requirement for placing sense and command features equipment in maintenance bypass. Therefore, 10 CFR 50.55a(h)(7)(ii) requires licensees and applicants to meet the requirements stated in section 6.7 of IEEE Std 603-1991.
10 CFR 50.55a(h)(8) - Documentation Supporting Compliance
Paragraph 50.55a(h)(8) requires that applicants and licensees develop and maintain documentation, analyses, and design details demonstrating compliance with 10 CFR 50.55a paragraph (h)(2) through paragraph (h)(7), to ensure this documentation is accessible to the NRC staff to support independent NRC evaluations of safety systems.
D. IMPLEMENTATION
The purpose of this section is to provide information on how applicants and licensees[1] may use this guide and information regarding the NRC's plans for using this regulatory guide. In addition, this section describes how the NRC staff complies with 10 CFR 50.109, "Backfitting," and any applicable finality provisions in 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."
Use by Licensees
Licensees may voluntarily[2] use the guidance in this document to demonstrate compliance with the underlying NRC regulations. Methods or solutions that differ from those described in this regulatory guide may be deemed acceptable if they provide sufficient basis and information for the NRC staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations.
Licensees may use the information in this regulatory guide for actions that do not require NRC review and approval, such as changes to a facility design under 10 CFR 50.59, "Changes, Tests, and Experiments." Licensees may use the information in this regulatory guide or applicable parts to resolve regulatory or inspection issues.
Use by NRC Staff
The NRC staff does not intend or approve any imposition or backfitting of the guidance in this regulatory guide. The NRC staff does not expect any existing licensee to use or commit to using the guidance in this regulatory guide, unless the licensee makes a change to its licensing basis. The NRC staff expects licensees to adopt this regulatory guide to resolve generic regulatory issues regarding 10 CFR 50.55a(h) requirements. Since this regulatory guide only describes the underlying bases of 10 CFR 50.55a(h) requirements, the NRC staff does not expect or plan to initiate NRC regulatory action that would require the use of this regulatory guide. Examples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the regulatory guide, requests for information under 10 CFR 50.54(f) as to whether a licensee intends to commit to use of this RG, generic communication, or promulgation of a rule requiring the use of this regulatory guide without further backfit consideration.
[1] In this section, "licensees" refers to licensees of nuclear power plants under 10 CFR Parts 50 and 52; and the term "applicants" refers to applicants for licenses and permits for (or relating to) nuclear power plants under 10 CFR Parts 50 and 52, and applicants for standard design approvals and standard design certifications under 10 CFR Part 52.
[2] In this section, "voluntary" and "voluntarily" means that the licensee is seeking the action of its own accord, without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action.
During regulatory discussions on plant specific operational issues, the NRC staff may discuss with licensees various actions consistent with NRC staff positions in this RG regarding underlying NRC regulatory requirements. Such discussions would not ordinarily be considered backfitting even if prior versions of this RG are part of the licensing basis of the facility. However, unless this RG is part of the licensing basis for a facility, the NRC staff may not represent to the licensee that the licensee's failure to comply with the positions in this RG constitutes a violation.
If an existing licensee voluntarily seeks a license amendment or change and (1) the NRC staff's consideration of the request involves a regulatory issue directly relevant to this new or revised regulatory guide and (2) the specific subject matter of this RG is an essential consideration in the NRC staff's determination of the acceptability of the licensee's request, then the NRC staff may request that the licensee either follow the guidance in this RG or provide an equivalent alternative process that demonstrates compliance with the underlying NRC regulatory requirements. This is not considered backfitting as defined in 10 CFR 50.109(a)(1) or a violation of any of the issue finality provisions in 10 CFR Part 52.
If a licensee believes that the NRC is either using this RG or requesting or requiring the licensee to implement the methods or processes in this RG in a manner inconsistent with the discussion in this implementation section, then the licensee may file a backfit appeal with the NRC in accordance with the guidance in NUREG-1409, "Backfitting Guidelines" (Ref. 38), and NRC Management Directive 8.4, "Management of Facility-Specific Backfitting and Information Collection" (Ref. 39).
Glossary
In developing the 10 CFR 50.55a(h) regulation, the NRC applied the following definitions to describe the underlying bases of the 10 CFR 50.55a(h) paragraphs.
Current reactors, in the context of 10 CFR 50.55a(h), is defined as nuclear power plants whose construction permits were issued before May 13, 1999.
Data communication, in the context of 10 CFR 50.55a(h), is defined as a method of transmitting and receiving information in which the information is encoded in a specific format (e.g., header, data content, and end of message) using software.
Defense-in-depth, in the context of 10 CFR 50.55a(h), is defined as an approach to designing and operating nuclear facilities that prevents and mitigates accidents that release radiation or hazardous materials. The key is multiple independent and redundant layers of defense to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is relied upon exclusively.
The defense-in-depth design approach includes the use of access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures. More succinctly, defense-in-depth, in the context of 10 CFR 50.55a(h)(4), is defined as the principle of using different functional barriers to the propagation of faults to compensate for failures in other barriers.
Diversity, in the context of 10 CFR 50.55a(h), is defined as the use of different means including function, design, principles of operation, and organizational and development strategies to compensate for failures within a safety system.
Protection system and safety system diversity strategies use different means to compensate for failures within the protection system and safety system. Defense-in-depth strategies use different functional barriers (e.g., a non-safety control system and a reactor trip system) to compensate for failures in other functional barriers. Implementation of defense-in-depth and diversity strategies assures protection and safety system independence from coincident failures or propagated failures due to the effects of natural phenomena, normal operation, postulated functional barrier failure modes, maintenance, testing, and postulated accident conditions.
Function, in the context of 10 CFR 50.55a(h), is defined as a specific process, action, or task that a system is to perform. More specifically, the term function is the process by which inputs into a structure, system, or component are transferred to outputs from the structure, system or component by means of some mechanism and that, subject to certain controls, can be identified by a function name and can be modeled as a unique entity. For example, a reactor trip system function consists of the reactor process measurement instrumentation, the reactor trip logic processing components, the reactor trip breakers, and the medium by which the input signals, the logic processing signals, and the output signals are transmitted to components in the safety function process (i.e., inputs, processing, outputs, and actuated devices).
Functionality, in the context of 10 CFR 50.55a(h), is defined as the set of functions or capabilities associated with software, computer hardware, or a component. These functions include the safety functions needed to actuate safety equipment and supporting features that are not required to perform the safety function, such as self-testing and diagnostic features and human-system interface functions.
Hardwired connections, in the context of 10 CFR 50.55a(h), is defined as a permanent physical point-to-point connection that is used to transmit signals. Hardwired connections can be implemented using various physical media (e.g., copper wire and optical fiber).
New reactors, in the context of 10 CFR 50.55a(h), is defined as (1) design certifications, standard design approvals, manufacturing licenses, and combined licenses not referencing a design certification, standard design approval, or manufacturing license under 10 CFR Part 52 issued on or after 30 days after the effective date of the final rule; (2) construction permits and operating licenses under 10 CFR Part 50 issued on or after 30 days after the effective date of the final rule, except for an applicant for an operating license who received a construction permit for that facility before the effective date of the final rule; and (3) holders of combined licenses issued under 10 CFR Part 52 before the effective date of the final rule, but only if the combined license holder voluntarily modifies its data communication independence strategy.
Physical mechanism, in the context of 10 CFR 50.55a(h), is defined as a means to enforce one-way communication from safety systems to non-safety systems through a hardware-based method such that no software is used to maintain the direction of data flow.
Predictable, in the context of 10 CFR 50.55a(h), is defined as the ability to determine the output of a system at any time through known relationships among the controlled system states and required responses to those states, such that a given set of input signals will always produce the same output signals.
Protective function is defined in IEEE Std 279-1971 as the sensing of one or more variables associated with a particular generating station condition, signal processing, and the initiation and completion of the protective action at values of the variables established in the design bases.
Protection system, in the context of 10 CFR 50.55a(h), encompasses all electric and mechanical devices and circuitry (from sensors to actuation device input terminals) involved in generating those signals associated with the protective function. These signals include those that actuate reactor trips and that, following certain events, actuate engineered safeguards, such as containment isolation, core spray, safety injection, pressure reduction, and air cleaning.
Repeatable, in the context of 10 CFR 50.55a(h), is defined as the output of a system being consistently achieved given the same input and system properties (including internal and external conditions).
Safety benefit, in the context of 10 CFR 50.55a(h), is defined as a justification for adding safety system functionality that is not necessary to accomplish a safety function, but that contributes to safety (e.g., by increasing safety system availability or increasing the safety of a mechanical, nuclear, or electrical system design).
Safety function, in the context of 10 CFR 50.55a(h), is defined as one of the processes or conditions (for example, emergency negative reactivity insertion, post-accident heat removal, emergency core cooling, post-accident radioactivity removal, and containment isolation) essential to maintain plant parameters within acceptable limits established for a design basis event. The functional portion of a safety system consists of those functions of a safety system that must operate correctly for the safety system to accomplish its safety function.
Safety system, in the context of 10 CFR 50.55a(h), is defined as a minimum set of interconnected components, modules, signal processors, and equipment that is relied upon to accomplish one or more safety functions (e.g., equipment relied upon to remain functional during and following design basis accidents). Safety system is a broad-based and all-encompassing term, embracing the protection system in addition to other electrical systems. Thus, the term protection system is not synonymous with the term safety system, but instead is a subset of safety systems.
The IEEE Std 603-1991 and IEEE Std 603-2009 use the term safety system rather than protection system. A safety system is defined in IEEE Std 603-1991 (and in IEEE Std 603-2009) as:
[a] system that is relied upon to remain functional during and following design basis events to ensure: (i) the integrity of the reactor coolant pressure boundary, (ii) the capability to shut down the reactor and maintain it in a safe shutdown condition, or (iii) the capability to prevent or mitigate the consequences of accidents that could result in potential off-site exposures comparable to the 10 CFR Part 100 guidelines.
Safety system function, in the context of 10 CFR 50.55a(h), is defined as any function performed by the safety system, including safety functions and other functions.
Signal, in the context of 10 CFR 50.55a(h), is defined as a detectable and measurable representation of a physical quantity by which messages or information can be transmitted. Signals can either be digital or analog in nature.
Signal sharing, in the context of 10 CFR 50.55a(h), is defined as the replication or duplication of a signal in one system and subsequent transmission to a different system. Signals can be shared through various media, including copper wires and optical links.
Support(s) the safety function, in the context of 10 CFR 50.55a(h)(4), is defined as activities or functions that are necessary to accomplish a safety function or prevent impairment of a safety function.
Technology, in the context of 10 CFR 50.55a(h), is defined as the methods, techniques, and materials that are used to develop and implement a protection system function or a safety system function.
For example, differences in technology exist in the methods, techniques, and materials for implementing a safety function with analog technology, microprocessor technology, and field programmable gate array (FPGA) technology. These technologies are significantly different from one another in the system development processes, format of the function logic (e.g., arrangement of discrete electronic components versus software versus hardware description language, respectively), supporting hardware components, and operating and maintenance characteristics. The safety issues arising from these differences in characteristics between technologies could be sufficiently different that a licensee or applicant could be challenged to address issues such as electromagnetic compatibility (EMC), equipment qualification (EQ), common cause failure (CCF) mitigation, and digital communication independence. Converting an analog-based safety function or system into a microprocessor-based safety function or system, and replacing a microprocessor-based safety function or system with an FPGA-based safety function or system, are two examples of technology changes.
REFERENCES[3]
1. U.S. Code of Federal Regulations, "Domestic Licensing of Production and Utilization Facilities," Part 50, Title 10, "Energy."
2. Institute of Electrical and Electronics Engineers, IEEE Std 279-1971, "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," Piscataway, NJ.[4]
3. Institute of Electrical and Electronics Engineers, IEEE Std 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Piscataway, NJ.
4. Institute of Electrical and Electronics Engineers, IEEE Std 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," correction sheet issued January 30, 1995, Piscataway, NJ.
5. Institute of Electrical and Electronics Engineers, IEEE Std 603-2009, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Piscataway, NJ.
6. U.S. Code of Federal Regulations, "Licenses, Certifications, and Approvals for Nuclear Power Plants," Part 52, Title 10, "Energy."
7. Institute of Electrical and Electronics Engineers, IEEE Std 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," Piscataway, NJ.
8. U.S. Nuclear Regulatory Commission, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," Regulatory Guide 1.152, Washington, DC.
9. U.S. Nuclear Regulatory Commission, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," NUREG-0800, Washington, DC, Agencywide Documents Access and Management System (ADAMS) Accession No. ML070630046.
10. U.S. Nuclear Regulatory Commission, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," Regulatory Guide 1.180, Washington, DC.
11. U.S. Nuclear Regulatory Commission, "Application of the Single-Failure Criterion to Safety Systems," Regulatory Guide 1.53, Washington, DC.
12. Institute of Electrical and Electronics Engineers, IEEE Std 323-2003, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," Piscataway, NJ.
[3] Publicly available NRC published documents are available electronically through the NRC Library on the NRC's public Web site at: http://www.nrc.gov/reading-rm/doc-collections/. The documents can also be viewed on-line or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD; the mailing address is USNRC PDR, Washington, DC 20555; telephone 301-415-4737 or (800) 397-4209; fax (301) 415-3548; and e-mail pdr.resource@nrc.gov.
[4] Copies of Institute of Electrical and Electronics Engineers (IEEE) documents may be purchased from the Institute of Electrical and Electronics Engineers Service Center, 445 Hoes Lane, PO Box 1331, Piscataway, NJ 08855 or through the IEEE's public Web site at http://www.ieee.org/publications_standards/index.html.
13. U.S. Nuclear Regulatory Commission, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," Regulatory Guide 1.209, Washington, DC.
14. Institute of Electrical and Electronics Engineers, IEEE Std 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," Piscataway, NJ.
15. U.S. Nuclear Regulatory Commission, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants," Regulatory Guide 1.89, Washington, DC.
16. U.S. Nuclear Regulatory Commission, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," NUREG/CR-6303, Washington, DC, December 1994, ADAMS Accession No. ML071790509.
17. U.S. Nuclear Regulatory Commission, "Diversity Strategies for Nuclear Power Plant Instrumentation and Control Systems," NUREG/CR-7007, Washington, DC, ADAMS Accession No. ML100880143.
18. U.S. Nuclear Regulatory Commission, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems," Branch Technical Position 7-19, Washington, DC, ADAMS Accession No. ML070630046.
19. Office of the Federal Register, Nuclear Regulatory Commission, 10 CFR Part 50, "Incorporation by Reference of Institute of Electrical and Electronics Engineers Standard 603-2009," NRC-2011-0089, Federal Register Notice (FRN) xxxxxx.
20. U.S. Nuclear Regulatory Commission, "Criteria for Safety Systems," Regulatory Guide 1.153, Revision 1, Washington, DC.
21. Institute of Electrical and Electronics Engineers, IEEE Std 279-1968, "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations," Piscataway, NJ.
22. Institute of Electrical and Electronics Engineers, IEEE Std 603-1977, "Trial-Use Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Piscataway, NJ.
23. Institute of Electrical and Electronics Engineers, IEEE Std 603-1980, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Piscataway, NJ.
24. Institute of Electrical and Electronics Engineers, IEEE Std 603-1987, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations; Correction Sheet - January 1987," Piscataway, NJ.
25. Institute of Electrical and Electronics Engineers, IEEE Std 603-1998, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Piscataway, NJ.
26. International Atomic Energy Agency, IAEA Safety Guide NS-G-1.1, "Software for Computer Based Systems Important to Safety in Nuclear Power Plants Safety Guide," Vienna, Austria.[5]
27. International Atomic Energy Agency, IAEA Safety Guide NS-G-1.3, "Instrumentation and Control Systems Important to Safety in Nuclear Power Plants Safety Guide," Vienna, Austria.
28. International Electrotechnical Commission, IEC 60709, Edition 2.0, "Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Separation," Geneva, Switzerland.[6]
29. International Electrotechnical Commission, IEC 60780, Edition 2.0, "Nuclear Power Plants - Electrical Equipment of the Safety System - Qualification," Geneva, Switzerland.
30. International Electrotechnical Commission, IEC 60880, Edition 2.0, "Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-Based Systems Performing Category A Functions," Geneva, Switzerland.
31. International Electrotechnical Commission, IEC 60880-2, Edition 1.0, "Software for Computers Important to Safety for Nuclear Power Plants - Part 2: Software Aspects of Defense against Common Cause Failures, Use of Software Tools and of Pre-Developed Software," Geneva, Switzerland.
32. International Electrotechnical Commission, IEC 60980, Edition 1.0, "Recommended Practices for Seismic Qualification of Electrical Equipment of the Safety System for Nuclear Generating Stations," Geneva, Switzerland.
33. International Electrotechnical Commission, IEC 61226, Edition 3.0, "Nuclear Power Plants - Instrumentation and Control Important to Safety - Classification of Instrumentation and Control Functions," Geneva, Switzerland.
34. International Electrotechnical Commission, IEC 61888, Edition 1.0, "Nuclear Power Plants - Instrumentation Important to Safety - Determination and Maintenance of Trip Setpoints," Geneva, Switzerland.
35. International Electrotechnical Commission, IEC 62385, Edition 1.0, "Nuclear Power Plants - Instrumentation and Control Important to Safety - Methods for Assessing the Performance of Safety System Instrument Channels," Geneva, Switzerland.
36. National Research Council of the National Academies, "Software for Dependable Systems: Sufficient Evidence?" The National Academies Press, Washington, DC.
37. U.S. Nuclear Regulatory Commission, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," SECY-93-087, Washington, DC, April 2, 1993, ADAMS Accession No. ML003708021.
[5] Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site: WWW.IAEA.Org/ or at http://iaea.org/Publications and by writing the International Atomic Energy Agency, P.O. Box 100, Wagramer Strasse 5, A-1400 Vienna, Austria. Telephone (+431) 2600-0, Fax (+431) 2600-7, or E-Mail at Official.Mail@IAEA.Org.
[6] Copies of International Electrotechnical Commission (IEC) documents may be obtained through their Web site: http://www.iec.ch/ or http://webstore.iec.ch/ and by writing the IEC Central Office at P.O. Box 131, 3 Rue de Varembé, 1211 Geneva, Switzerland, Telephone +41 22 919 02 11.
38. U.S. Nuclear Regulatory Commission, "Backfitting and Information Collection," NUREG-1409, July 1990, ADAMS Accession No. ML032230247.
39. U.S. Nuclear Regulatory Commission, "Management of Facility-Specific Backfitting and Information Collection," NRC Management Directive 8.4.