ML17268A339

ISG-6 Sec C Review Process Description Yyyymmdd
ML17268A339
Person / Time
Issue date: 09/21/2017
From: Lynnea Wilkins
Licensing Processes Branch (DPR)
To:
Wilkins L, NRR/DPR, 415-1377


Text

C. DIGITAL I&C REVIEW PROCESS

NUREG-0800, Standard Review Plan (SRP) for the Review of Safety Analysis Reports for Nuclear Power Plants, provides guidance to NRC staff for performing safety reviews of license amendments under 10 CFR Part 50. The SRP refers to some standards that are not endorsed by regulatory guides as sources of information for NRC staff. These standards are referenced in the SRP as sources of good practices for NRC staff to consider.

References to these standards in the SRP alone do not imply endorsement of these standards as a method acceptable to the NRC for meeting NRC regulations.

It is the intent of this plan to make information about regulatory matters widely available and to improve communication between the NRC, interested members of the public, and the nuclear power industry, thereby increasing understanding of the NRC's review process.

The review process described in this document is the current process used by the Office of Nuclear Reactor Regulation (NRR) to perform reviews of requests for amendments to operating licenses issued in accordance with Part 50. Specifically, Enclosure B identifies the documents and information to be submitted in a typical LAR that seeks to install a digital I&C safety system. Precedent licensing actions are those with a similar proposed change and regulatory basis. Searching for, identifying, and using precedents in the review process maximizes staff efficiency, minimizes requests for additional information and ensures consistency of licensing actions. However, approval of a function or DSS digital component at one plant does not serve as the basis for approving the same at another plant. Each LAR is a plant specific licensing action.

Commented [SR1]: Deleted because the revised processes will no longer be consistent with current review methods. In short, we are creating new processes.

The acceptability of a safety system is based on the system's ability to perform design basis functions (e.g., trip on high level, display of proper indications) and the system's conformance with regulatory requirements (e.g., redundancy, independence). This information is contained in a description of the design and in analysis reports that indicate the design meets requirements. In some cases it may be necessary to include testing and associated documentation to demonstrate that a certain design criterion has been achieved.

Acceptability of software for safety system functions is based upon (1) a determination that acceptable plans were prepared to control software development activities, (2) evidence that the plans were followed in an acceptable software life cycle, and (3) evidence that the process produced acceptable design outputs. Branch Technical Position No. 14 (BTP 7-14) provides guidelines for evaluating software life-cycle processes for digital computer-based instrumentation and control (I&C) systems. The technical evaluation section for software development (i.e., Section D.4.4) is organized in the same manner as BTP 7-14. In some cases, the NRC staff does not review docketed material, but rather performs audits or inspections of the associated documentation and development products. Annex B provides guidance on the type (e.g., licensing review, licensing audit, & regional inspection) and timing (e.g., Phase 1, 2, & 3 - see Figure C.1) of regulatory oversight activities.

C.1 Process Overview

Recognizing that digital I&C upgrades represent a significant licensee resource commitment, a phased approach is appropriate where critical, fundamental, system information is initially vetted through the NRC staff prior to undertaking subsequent steps in the digital I&C system development and licensing process. Therefore, the NRC staff encourages the use of public meetings prior to submittal of the LAR in order to discuss issues regarding the system development scope. The intent of this activity is to reduce regulatory uncertainty through the early resolution of major issues that may challenge the staff's ability to assess the system's compliance with NRC regulations. The NRC staff recognizes that for some projects, certain information may not be available upon initial submittal of the LAR, thus it is not expected that information sufficient to address all review topics be submitted until later in the evaluation period. The timing of document availability should be discussed during the Phase 0 meetings and established during the acceptance review period.

Figure C.1 below is a flow chart of the overall review process. This figure illustrates the various review phases further discussed in Sections C.2 through C.5.

Figure C.1 Digital I&C Licensing Process Flowchart

Additionally, the NRC staff recognizes that there are different approaches available to licensees regarding use and application of previously-approved digital platforms. Therefore, the NRC staff should consider applications to be within one of the following tiers of review.

Tier 1

Tier 1 is applicable to license amendments proposing to reference a previously approved topical report (regarding a digital I&C platform or component(s) - hardware, software, and developmental tools) within the envelope of its generic approval as described in the topical report. A Tier 1 review would rely heavily upon previous review efforts. The list of information that typically should be submitted by the licensee in support of a Tier 1 review is contained in Enclosure B, as indicated by Column 1. This list would not include those documents already reviewed and approved by the NRC staff. Tier 1 generally addresses: (1) Application Specific Action Items (ASAI) identified in the safety evaluation, (2) post-SE regulatory changes, (3) post-Safety Evaluation (SE) regulatory guidance changes (e.g., DI&C-ISG-04), (4) evaluation of the equipment for performing application or plant specific functions, and (5) assembling, programming, integrating, and configuring the platform components to perform the application specific functions.

Tier 2

Tier 2 is applicable to license amendments proposing to reference a previously approved topical report with deviations to suit the plant-specific application. Deviations could include, for example, a revised software development process or new hardware. The deviations from the approved topical report should receive a significant review effort.

Typically, an application citing licensing experience from another plant's previous approval would also be considered a Tier 2 review; this, however, is dependent upon the similarities of the application. The list of information that would typically be submitted by the licensee in support of a typical Tier 2 review is contained in Enclosure B, as indicated by Column 2. However, for any particular submittal, the actual list of documents should be determined by the changes from the previously approved topical report as determined in the Phase 0 meetings. Tier 2 evaluations generally include Tier 1 review scope and any deviations from the approved SE or topical report.

Tier 3

Tier 3 is applicable to license amendments proposing to use a new digital I&C platform or component(s) with no generic approval. Licensees should expect that a Tier 3 review should receive a significant review effort within all review areas. The list of information that would typically be submitted by the licensee in support of a Tier 3 review is contained in Enclosure B, as indicated by Column 3. Tier 3 evaluations generally include Tier 1 review scope and topical report review scope. The typical topical review scope includes hardware, software, developmental tools, and associated developmental methods (e.g., application restrictions and integration methods).

Alternate Tier 1

As an alternative to the processes described in Tier 1 through 3 above, a licensee may elect to use a single step license amendment submittal process hereafter referred to as Alternate Tier 1.

Like Tier 1, Alternate Tier 1 is applicable to license amendments proposing to reference a previously approved topical report within the envelope of its generic approval as described in the topical report and an Alternate Tier 1 review would rely heavily upon previous review efforts.

The information that typically should be submitted by the licensee in support of an Alternate Tier 1 review is contained in Enclosure B as indicated by column A1. This list would not include those documents already reviewed and approved by the NRC staff. Alternate Tier 1 generally addresses: (1) Application Specific Action Items (ASAI) identified in the safety evaluation, (2) post-SE regulatory changes, (3) post-Safety Evaluation (SE) regulatory guidance changes (e.g., DI&C-ISG-04), (4) evaluation of the equipment for performing application or plant specific functions, and (5) assembling, programming, integrating, and configuring the platform components to perform the application specific functions.

Unlike a Tier 1 application, an Alternate Tier 1 licensing review process is not performed in parallel with the product development activities and does not include provisions for phase 2 document submittals. Instead, all information identified in Table B is expected to be provided to the NRC at the time of Application submittal. A safety evaluation conducted for an Alternate Tier 1 submittal will base its safety conclusions on information provided in accordance with Enclosure B.

These tier labels are used as a general guide for defining the scope or complexity of a review. It is expected that not all reviews will be in one tier or another. It is expected that systems with greater complexity should receive greater review effort.

The tables within Enclosure B are only example lists of information to be provided for review, as explained throughout this ISG. A licensee may have different names for similar documents. Regardless of the titles of the documents submitted, the actual LAR should contain sufficient information to address the criteria discussed in the applicable technical evaluation sections of Section D. It is possible that the plant specific application of a digital system may obviate the review of certain listed documents and necessitate the inclusion of other, unlisted, documents.

This guidance divides the whole of the review into a number of conceptual review areas. Doing this allows the review to be handled in a more regimented manner that fosters better tracking of outstanding information and communication of the associated status to the licensee. Additionally, this method supports knowledge transfer by allowing new reviewers to better conceptualize what should be reviewed versus a single large list of criteria. Not all of the review areas directly address meeting regulatory requirements; instead, some lay the groundwork for evaluating the criteria of others. This information subsequently feeds into the NRC staff's evaluation against the acceptance criteria (e.g., IEEE Std 603-1991).

C.2 Pre-Application (Phase 0)

Prior to submittal of a LAR for a digital I&C upgrade, it is beneficial to have an overall design concept that adequately addresses NRC regulatory requirements and policy with regard to key issues (e.g., communication independence, defense-in-depth and diversity, demonstration of deterministic behavior, etc.). To this end, the NRC staff intends to use the public meeting process to engage licensees in a discussion of how their proposed digital I&C upgrade LAR addresses: (1) key issues such as defense-in-depth and diversity, (2) significant variances from current guidance, (3) NRC's determination of the appropriate Tier of review, and (4) other unique or complex topics associated with the proposed design. Such unique or complex topics could include, for example, a large scale system application with multiple interconnections and communication paths or major human-machine interface changes. These meetings are intended to be two-way discussions where, in addition to the licensee presentation of concept, the NRC staff can provide feedback on the critical aspects of the proposed design that are likely to affect (both positively and negatively) the NRC staff's evaluation.

As a minimum, the communication independence discussions should include whether the system will have: (1) interdivisional digital communications, or (2) nonsafety-related data diodes.

As a minimum, the defense-in-depth and diversity discussions should include whether the system will have built-in diversity for all applicable events or whether the licensee will rely on: (1) a diverse actuation system or (2) diverse manual actions. Further, these discussions should include whether the licensee is proposing the use of an approved topical report, any planned deviations from NRC staff positions, and specifics of the software quality assurance plan.

Licensees are encouraged to discuss topics from other review areas as well as how any best-estimate evaluations utilize realistic assumptions (or models) and address uncertainty associated with the results.

All proposed deviations from the submittal information guidance and associated schedule described in Enclosure B should be discussed in the Phase 0 meeting(s). Any associated agreements should be documented in the Phase 0 meeting minutes. Delays by a licensee in meeting these commitments can result in an application being denied (see 10 CFR 2.108, Denial of application for failure to supply information) or delay the evaluation completion date.

Following each meeting the NRC staff should capture the topics discussed via a meeting summary. This summary should include a preliminary NRC staff assessment of the licensee's concept (or those sub-parts of the overall concept discussed) and identify the areas that are significant to this preliminary assessment. Additionally, as appropriate, the NRC staff should include a preliminary assessment of which review tier would be applicable for the proposed upgrade. The licensee should be provided a draft copy of the meeting summary for comment prior to its issuance. An example meeting summary is included in Enclosure A to this document.

C.3 Initial Application (Phase 1)

Once a licensee believes it has a design that adequately addresses NRC criteria, including, for example: (1) independence / redundancy, (2) defense-in-depth and diversity, (3) deterministic behavior, (4) variances to existing guidance, and (5) any unique or complex design features, it should prepare and submit a LAR (e.g., see Enclosure B, Information to be provided with the LAR). It is incumbent upon the licensee to identify any design features and concepts that may impact the NRC staff's preliminary assessment made during Phase 0. These features and concepts may adversely impact the NRC staff's acceptance of the LAR for review.

To the extent possible, the LAR should address the criteria associated with the following areas, which are discussed in further detail in the referenced sections:

System Description (Section D.1)

Hardware Development Process (Section D.2)

Software Architecture (Section D.3)

Software Development Process (Section D.4)

Environmental Equipment Qualifications (Section D.5)

Defense-in-Depth & Diversity (Section D.6)

Communications (Section D.7)

System, Hardware, Software, and Methodology Modifications (Section D.8)

Compliance with IEEE Std 603 (Section D.9)

Conformance with IEEE Std 7-4.3.2 (Section D.10)

Technical Specifications (Section D.11)

Secure Development and Operational Environment (Section D.12)

D.1 System Description

D.2 System Architecture

D.3 Summary of Modification Hardware Planning and Processes

D.4 Summary of Application Software Planning and Processes

D.5 Platform Topical Report SE Report

D.6 Unified Compliance Matrix for IEEE Stds. 603 & 7-4.3.2

D.7 Technical Specifications

D.8 Secure Development and Operating Environment (SDOE)

Initially, the NRC staff should review the application in accordance with the NRR Office Instruction, LIC-109, Acceptance Review Procedures (ADAMS Accession No. ML16144A521), to determine whether the application is sufficient for NRC staff review; the acceptability of an application is normally documented in a letter (e.g., ADAMS Accession Nos. ML081070521, ML082460632, ML102220073, ML103130160).

For Tier 1 through 3 applications, it is recognized that some sets of information may not be available upon initial application and the review process may be more efficiently administered by beginning prior to their availability. Therefore, for Tier 1 through 3 applications, a digital I&C upgrade application may be found to be sufficient for review provided a clear schedule for submission of omitted information is included. Any proposed changes to the schedule should be agreed upon by the NRC staff prior to a given due-date. Licensees should be made aware that the NRC staff intends to adhere to the schedule set forth and failure to submit information in accordance with the schedule may result in denial of the application pursuant to 10 CFR 2.108.

During Phase 1, the NRC staff should draft the SE and issue requests for additional information (RAI) for the information that is necessary to finish the review of the docketed material. These activities should be conducted in accordance with LIC-101, License Amendment Review Procedures (ML16061A451). The NRC staff should also communicate those areas of review that, based upon the currently available information, appear to be acceptable.

For Tier 1 through 3 applications, the licensee should respond to the RAIs prior to the submittal of the Phase 2 information. Although the NRC staff may have additional questions based on the responses to the Phase 1 RAI response, the licensee should not delay submission of the Phase 2 information. It is important to maintain close communications between the NRC staff and the licensee such that both parties remain cognizant of deliverables and due-dates. Use of a tracking system is encouraged.

As further discussed in Section C.4, the NRC staff and the licensee should be aware that some information may be in documentation available at the licensee's facility (e.g., Enclosure B, table of information to be available for audit 12 months prior to the requested approval date). The information examined in this manner should be documented and the NRC Project Manager, in consultation with the licensee and technical staff, should schedule the audit. While the information discussed in Section D.1 through D.12 indicates which process may be used (i.e., RAI or Audit), individual circumstances should dictate the appropriate vehicle for the NRC staff to obtain the necessary information.

One of the reasons for a publicly available safety evaluation is so members of the public can have confidence in the review process by understanding what was approved, and the basis for that approval. This is addressed, in part, in Information Notice 2009-07. Sufficient non-proprietary information, including some system design details and design methods, should be provided as non-proprietary by the licensee and vendor to make this possible. To satisfy this concern, non-proprietary versions of documents should limit the material that is redacted to only specific portions that are necessary (i.e., a document containing proprietary information does not make the entire document proprietary).

C.4 Continued Review and Audit (Phase 2)

Phase 2 does not apply to Alternate Tier 1 license applications.

Following response to the Phase 1 RAIs but at least 12 months prior to the requested approval date, the licensee should submit a supplement containing sufficient information to address aspects of the review areas not submitted in the initial LAR or subsequent RAIs (e.g., see Enclosure B, table of documents to be submitted 12 months prior to requested approval date).

Although 12 months is the minimum lead time, the NRC staff should expect the licensee to adhere to the submittal schedules established earlier.

During Phase 2, the NRC staff should continue the RAI process until sufficient information has been provided for a decision to be rendered on the acceptability of the proposed digital I&C upgrade. If necessary, during the Phase 2 process, the NRC staff should conduct one or more audits in accordance with LIC-111, Regulatory Audits, (ADAMS Accession No. ML082900195).

Audits may cover information from both Phase 1 and Phase 2, and may result in further requests for information to be docketed. It is the NRC staff's intent to perform the audits as early in the process as is reasonable, but the performance of an effective and efficient audit necessitates that the LAR and supplements be sufficiently detailed about the later phases of the system development lifecycle. Although the use of an audit is discussed in Phase 2, this does not preclude the performance of an audit during Phase 1 if it is determined to be beneficial.

Some documentation may not be available 12 months prior to the anticipated issuance of the amendment. Although the plans and other available information should be submitted as early as possible, it is acceptable to submit certain documentation as mutually agreed in the Phase 0 meetings, but prior to the planned completion date of the SE.

During the review of a digital I&C LAR, certain items may be identified that are applicable to the system configuration, testing or operation that contribute to approval of the system. These items should be identified within the SE as potential items for inspection after the system is installed.

Phase 2 should conclude with the issuance of a SE documenting the approval or denial of the licensee's proposed digital I&C upgrade. The licensing process covered by this ISG ends at the issuance of the SE.

C.5 Implementation and Inspection (Phase 3)

Following regulatory approval of the digital I&C system, licensees may implement the upgrade by installing the system, implementing associated procedural and technical specification changes, and completing startup testing.

The startup testing is conducted in accordance with the plan submitted during Phase 2. NRC regional staff may review the startup testing as an inspection function conducted by the appropriate regional staff in accordance with IP-52003, Digital Instrumentation and Control Modification Inspection (ML112560050).

Changes after approval of the LAR (i.e., starting in Phase 3) are controlled and implemented by licensee programs which, in turn, are governed by 10 CFR 50 Appendix B and other regulatory requirements. The need for prior NRC review and approval is governed by 10 CFR 50.59.