ML17244A028

Draft ISG06 Sections a B for Discussion
Issue date: 10/02/2017
From: Lynnea Wilkins, NRC/NRR/DLP/PLPB
To: Wilkins L
Shared Package: ML17243A426
References: DI&C-ISG-06



DRAFT Sections A & B for Discussion

DIGITAL INSTRUMENTATION AND CONTROLS
Digital I&C-ISG-06 Task Working Group #6: Licensing Process Interim Staff Guidance
Revision 2 DRAFT (Sections A & B)

A. INTRODUCTION

This Interim Staff Guidance (ISG) describes the licensing process that may be used to support the review of license amendment requests associated with digital Instrumentation and Control (I&C) system modifications in operating plants, as well as subsequent license inspection activities. This guidance is consistent with current Nuclear Regulatory Commission (NRC) policy on digital I&C systems and is not intended to be a substitute for NRC regulations.

This ISG provides guidance for activities performed prior to submittal of the license amendment request (LAR) and for inspection activities performed after issuance of a license amendment to support a digital I&C safety system. The NRC staff may use the process described in this ISG to evaluate compliance with NRC regulations.

The purpose of NRC review or inspection activities is to evaluate the facility and equipment, the proposed use of the equipment, and the processes performed during development and implementation of the equipment, for compliance with federal regulations. The NRC review and inspection activities are also intended to ensure the protection of public health and safety. NRC reviews are not intended to include evaluation of all aspects of I&C system design and implementation. The review scope should be of sufficient detail to allow the reviewer to conclude that the digital I&C safety system complies with all applicable regulations.

Review and inspection of digital computer-based systems should include assessing the acceptability and correct implementation of software development life-cycle activities. While process is important, it is not a substitute for a review of hardware and software architectures to determine if they meet the four fundamental principles of redundancy, independence, deterministic behavior, and diversity and defense-in-depth.

B. PURPOSE

The purpose of this ISG is to provide guidance for the NRC staff's review of license amendments supporting installation of digital I&C equipment in accordance with current licensing processes (LIC-101, License Amendment Review Procedures - ADAMS Accession No. ML16061A451). This ISG also identifies information the NRC staff should review for digital I&C equipment and provides guidance on when the information should be either reviewed or inspected.

Use of this ISG is designed to be complementary to the NRC's topical report review and approval process (LIC-500, Topical Report Process - ADAMS Accession No. ML13158A296).

Where a licensee references an NRC-approved topical report, the NRC staff should be able to, where appropriate, limit its review to assessing whether the application of the digital I&C upgrade falls within the envelope of the topical report approval. Additionally, this ISG was developed based upon, and is designed to work in concert with, existing guidance. Where appropriate, this ISG references other guidance documents.

B.1 Background

The NRC staff performs evaluations of proposed digital I&C equipment to ensure the equipment will perform all required functions. These evaluations use the guidance in the Standard Review Plan (SRP), Chapter 7, and other associated guidance. When a license amendment is required, licensees are obligated to provide a description of the licensing basis functions of the I&C equipment and include a description of the equipment that implements those functions. Additionally, licensees should clearly identify those parts of the licensing basis being updated as a result of the proposed change.

The NRC staff review processes include activities for evaluating or inspecting documentation of plans and processes that describe the life-cycle development of the software to be used by and/or in support of the digital I&C system. SRP Appendix 7.0-A and Branch Technical Position 7-14 (BTP 7-14) have been established to guide NRC staff in performing reviews of digital safety systems in support of safety evaluations and inspection activities. The NRC staff may review or inspect the design and development process to support a determination that the design meets regulatory requirements (e.g., independence / redundancy, deterministic behavior, defense-in-depth and diversity) and that, in safety-related applications in nuclear power plants, the process is of sufficiently high quality to produce systems and software suitable for use.

The staff may also perform thread audits (in accordance with LIC-111, "Regulatory Audits" - ADAMS Accession No. ML082900195) or inspection activities to determine if digital safety system implementation activities are consistent with the digital safety system planning activities.

The NRC staff relies on proper application of high quality development processes to produce acceptable systems and software.

The NRC staff should review or inspect the development process, and its associated implementation, with the objectives of determining that the process described is the process used, that the process was used correctly, and that the process was used in a manner which produces software suitable for use in safety-related applications at nuclear power plants.

B.1.1 Principles of Review

The NRC staff recognizes two different ways that a component can be approved for use in safety-related applications:

(1) If a basic component has critical characteristics that cannot be verified, then it must be designed and manufactured under an Appendix B quality assurance program.

(2) If a basic component has critical characteristics that can be verified, then it may be designed and manufactured as a commercial grade item and then commercially dedicated under an Appendix B quality assurance program.

These approaches are based upon the definitions in 10 CFR 21.3:

Basic component... Basic components are items designed and manufactured under a quality assurance program complying with appendix B to part 50 of this chapter, or commercial grade items which have successfully completed the dedication process.

Commercial grade item... means a structure, system, or component, or part thereof that affects its safety function, that was not designed and manufactured as a basic component.

Commercial grade items do not include items where the design and manufacturing process require in-process inspections and verifications to ensure that defects or failures to comply are identified and corrected (i.e., one or more critical characteristics of the item cannot be verified).

Critical characteristics... are those important design, material, and performance characteristics of a commercial grade item that, once verified, will provide reasonable assurance that the item will perform its intended safety function.

The NRC staff considers a high quality software development process to be a critical characteristic of all safety-related software. A high quality software development process is one that is equivalent to the development process used for software developed under an Appendix B quality assurance program. Consistent with this principle, in the Safety Evaluation (ML092190664) for EPRI TR-106439, "Guidelines on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications," the staff stated (see Section 2.0, Background, subsection "Commercial Dedication per CFR Part 21"): "The staff considers verification and validation activities common to software development in digital systems to be a critical characteristic that can be verified as being performed correctly following the completion of the software development by conducting certain dedication activities such as audits, examinations, and tests."

B.1.2 Documentation Reviewed

The organization responsible for the review or inspection of a digital I&C safety system reviews the information necessary to make an evaluation using the review criteria of Chapter 7 of the Standard Review Plan (SRP). It is the responsibility of the licensee or applicant to ensure that there is a documented design analysis to demonstrate regulatory compliance of the safety system.

The licensee should also ensure the Verification and Validation (V&V) team evaluates this design documentation and documents the evaluation results. Enclosure B sometimes asks for this analysis using a generic name. In some cases it may be appropriate to summarize this analysis in sufficient detail for the regulator to independently determine regulatory compliance.

Documentation to support an NRC safety evaluation must either be submitted to the NRC on the licensee's docket or made available to the NRC staff for audit and inspection activities.

Actual document submittal requirements are expected to be unique for each I&C project.

Enclosures B1 and B2 provide guidance on two different approaches to addressing documentation docketing requirements.

Enclosure B1 provides a template to be used when a license amendment is to be completed in the late stages of design and development, after completion of factory acceptance testing. This method involves a two-phase submittal to allow licensing review activities to be performed in parallel with the design implementation and test activities of the software development process.

Enclosure B2 may be used if a license amendment is to be completed earlier in the system and software development life cycle, at a stage where Design Phase activities are completed but prior to completion of design implementation or testing. This method involves a phase 1 submittal in which licensing review activities are performed prior to the design implementation and test activities of the software development process. In this model, the guidance for phase 2 activities can be applied during inspections performed after issuance of the license amendment. A significant portion of the Section D review guidance can be applied to subsequent inspection activities when this method is used. These criteria can be used to provide a basis for development of inspection plans.

Regardless of the review method used, the NRC staff is expected to determine the document submittal status and submittal timing for each item in Enclosure B1 (or B2) during the acceptance review period.

Some documents associated with software development are expected to be revised as system development activities progress. These are sometimes referred to as living documents, and such documents should be identified as living documents. For such documents, a decision on whether a version of the document should be submitted, and when (i.e., in which phase) it is to be submitted to the NRC, should be made during the acceptance review period. It is normally not necessary for applicants to submit multiple versions of these living documents to support the safety evaluation; however, the submitted living document should contain sufficient information to demonstrate conformance to all applicable regulatory requirements. In some cases it may also be necessary to provide access to current versions of a living document to support either audit or inspection activities. Additional document-specific guidance on the use of living documents is provided within Section D.

B.1.3 I&C Review Scope

The organization responsible for the review of I&C should review sufficient information to make a safety determination. Sufficiently detailed functional diagrams and explanatory discussion should be provided to support the staff's safety evaluation and subsequent inspection activities.

Licensees should be aware of the potential for a digital I&C upgrade to impact other systems, programs, or procedures.