ML18260A001

| Field | Value |
|---|---|
| Site | Nuclear Energy Institute |
| Issue date | 09/14/2018 |
| From | Nuclear Energy Institute |
| To | Office of Nuclear Reactor Regulation, Holonich J |
| References | NEI 17-06 |
| Download | ML18260A001 (9) |
NEI 17-06
September 14, 2018

TABLE OF CONTENTS

1 INTRODUCTION ..... 1
1.1 PURPOSE ..... 1
1.2 REGULATORY BASIS ..... 1
1.3 ACCEPTANCE OF SAFETY INTEGRITY LEVEL AS VERIFICATION OF DEPENDABILITY CRITICAL CHARACTERISTICS ..... 3
1.4 ACRONYMS ..... 4
2 SAFETY INTEGRITY LEVEL (SIL) ..... 5
2.1 DESCRIPTION OF THE THIRD PARTY CERTIFICATION PROCESS FOR PERFORMANCE OF SAFETY FUNCTIONS OF A PARTICULAR SAFETY INTEGRITY LEVEL (SIL) ..... 5
2.2 DESCRIPTION OF THE CRITICAL DEPENDABILITY CHARACTERISTICS PER NRC-ENDORSED EPRI TR-106439 ..... 5
3 EPRI RESEARCH OF THE SIL CERTIFICATION PROCESS ..... 5
3.1 SCOPE OF THE EPRI RESEARCH ..... 5
3.2 SUMMARY OF THE EPRI RESEARCH ..... 5
4 ACCEPTANCE OF COMMERCIAL GRADE DIGITAL EQUIPMENT FOR SAFETY APPLICATIONS CERTIFIED TO A PARTICULAR SIL ..... 5
4.1 APPLICATION OF THE SIL CERTIFICATION PROCESS ..... 5
4.2 TECHNICAL EVALUATION ..... 5
4.3 ACCEPTANCE METHOD ..... 5
5 PURCHASER'S QUALITY ASSURANCE PROGRAM ..... 5
5.1 ORGANIZATION ..... 5
5.2 PROCUREMENT DOCUMENT CONTROL ..... 5
5.3 CONTROL OF PURCHASED MATERIAL, EQUIPMENT, AND SERVICES ..... 5
5.4 CONTROL OF MEASURING AND TEST EQUIPMENT ..... 5
5.5 CORRECTIVE ACTION ..... 5
6 US NUCLEAR INDUSTRY OVERSIGHT OF THE SIL CERTIFICATION PROCESS ..... 6
6.1 ORGANIZATION ..... 6
6.2 VERIFICATION THAT THE SIL CERTIFICATION PROCESS CONTINUES TO BE CONSISTENT WITH NRC ENDORSED PRACTICES ..... 6
6.3 VERIFICATION THAT IMPLEMENTATION OF THE 3RD PARTY IEC 61508 SIL CERTIFICATION PROCESS CONTINUES TO BE CONSISTENT WITH NRC ACCEPTED PRACTICES ..... 7
ATTACHMENT A - NRC FINAL SAFETY EVALUATION REPORT ..... A-1
ATTACHMENT B - NRC RAIS AND NEI RESPONSES ..... B-1
1 INTRODUCTION

1.1 Purpose

The purpose of this supplemental guidance is to provide an acceptable approach for procuring and accepting commercial grade digital equipment for nuclear safety applications that have a safety integrity level (SIL) certification by an accredited third party SIL certification body. Making use of internationally accredited SIL certification services benefits licensees and their suppliers through reduced cost, expanded access to expert services, improved standardization on equipment quality evaluations, and improved regulatory confidence.

This approach takes advantage of the internationally recognized SIL certification process when accepting commercial grade digital equipment for use in safety applications for the nuclear industry. Purchasers (licensees and suppliers of basic components) that procure commercial grade equipment for safety applications are able to rely on the third party SIL certification process in lieu of conducting a commercial grade survey (including a critical design review) that provided the necessary evidence of dependability critical characteristics described in EPRI Technical Report 106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications.

The third party SIL certifiers are companies with accreditation by an accreditation body (AB), such as the American National Standards Institute [ANSI], that are signatories to the International Accreditation Forum [IAF]. The net result will be a substantial reduction in duplication of effort for accepting commercial grade equipment across the industry, while ensuring that the identified dependability critical characteristics defined in EPRI TR-106439 continue to be met.

1.2 Regulatory Basis

Items and services used in safety related applications at US commercial nuclear power plants are designated as basic components and are required to be provided in accordance with 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

It is not always possible or practical to procure items and services directly from suppliers that implement quality assurance programs that meet 10 CFR Part 50, Appendix B. Therefore, the NRC established requirements in 10 CFR Part 21, Reporting of Defects and Noncompliance, that permit the use of commercial grade items and services in nuclear safety related applications through a commercial grade dedication process. Although the suppliers of commercial grade items and services are not required to comply with 10 CFR Part 50, Appendix B requirements, the commercial grade dedication activities must be performed under a Quality Assurance Program that meets the requirements of 10 CFR Part 50, Appendix B.

The process for accepting items and services for use as basic components from commercial suppliers is known as commercial grade dedication. The NRC has endorsed EPRI TR-106439 as an acceptable method for dedicating commercial grade digital equipment for use in nuclear power plant safety applications that meets the requirements of 10 CFR Part 21.
EPRI TR-106439 contains guidance on all aspects of commercial grade dedication of commercial grade digital equipment. EPRI TR-106439 identifies a unique type of critical characteristics for commercial grade digital equipment called dependability. The following excerpts from EPRI TR-106439 are germane to the scope of third party SIL certification [underlining added for emphasis]:

a third type of critical characteristics, referred to in this guideline [EPRI TR-106439] as dependability, becomes significantly more important when dedicating digital equipment including software. This is the category in which dedication of digital equipment differs the most from that of other types of components. It addresses attributes that typically cannot be verified through inspection and testing alone and are generally affected by the process used to produce the device. The dependability attributes, which include items such as reliability and built-in quality, are generally influenced strongly by the process and personnel used by the manufacturer in the design, development, verification, and validation of the software-based equipment...

The dependability of a digital device also can be heavily influenced by designed-in elements, including robustness of the hardware and software architectures, self-checking features such as watchdog timers, and failure management schemes such as use of redundant processors with automatic failover capabilities. Evaluation of these attributes requires that the dedicator focus on more than just the development and QA processes. It may require gaining an understanding of the specific software and hardware features embodied in the design, and ensuring that they are correct and appropriate in light of the requirements of the intended application. Accordingly, a survey team may need to include specialists who understand the device design, the software, and the system in which it will be applied, in addition to quality assurance and programmatic issues.

The dependability category captures those critical characteristics that must be evaluated to form an appropriate judgment regarding built-in quality of a software-based device. It also includes characteristics related to problem reporting and configuration control. Verification of these characteristics typically involves a survey of the vendor's processes (Method 2 [of NP-5652]), and review of the vendor performance record and product operating history (Method 4). Source inspections would not be used in verifying built-in quality of pre-existing software, because the software development has already occurred.

A commercial product may be judged to have sufficient quality, even if its development process lacked some of the rigorous steps of modern software engineering and/or some formal documentation.

Reaching a reasonable level of assurance of quality of a commercial grade digital item typically involves making a judgment based on a combination of the product development process and its documentation, operating history, testing, review of design features such as failure management, and other factors noted in the critical characteristics matrix, Table 4-1 [in EPRI TR-106439].
This supplemental guidance document describes a method for using the accredited SIL certification process as evidence of verification of the EPRI TR-106439 dependability critical characteristics within the commercial grade dedication process. This supplemental guidance is applicable to dedicating entities subject to the quality assurance requirements of 10 CFR Part 50, Appendix B (e.g., 10 CFR Part 50, 10 CFR Part 52, 10 CFR Part 71 and 10 CFR Part 72 licensees and affected suppliers).

1.3 Acceptance of Safety Integrity Level As Verification of Dependability Critical Characteristics

Third party SIL certification, provided by international bodies accredited by such accreditation organizations as ANSI, is a commercial grade service. The supplemental guidance within this document describes an approach to rely on third party SIL certifications, by companies accredited by ANSI and other signatories to IAF, in lieu of a commercial grade survey to verify the EPRI TR-106439 dependability critical characteristics. The approach used to develop this guidance was to compare the third party SIL certification process with the EPRI TR-106439 dependability critical characteristics to evaluate their equivalence and determine whether any additional actions are necessary to address differences.

Section 2 describes the third party SIL certification process, and Section 5 provides the US nuclear industry's evaluation of the third party SIL certification process including a comparison with NRC accepted practices (i.e., EPRI TR-106439). Section 6 describes the approach for the US nuclear industry to provide continued oversight of the third party SIL certification process in order to confirm that the third party SIL certification process can continue to be used in lieu of commercial grade surveys for the purpose of verifying the EPRI TR-106439 dependability critical characteristics.

Based upon the conclusion that the third party SIL certification process is essentially equivalent to a commercial grade survey verifying the EPRI TR-106439 dependability critical characteristics, it has been determined that the third party SIL certifications, by companies accredited by IAF signatories, can be used. This conclusion requires procurement documents to include a few requirements. Section 3 describes how Purchasers of commercial grade digital equipment should use the third party SIL certifications as part of their commercial grade dedication activities. It is noted that this supplemental guidance should be used in conjunction with the overall guidance on commercial grade dedication (i.e., EPRI TR-106439 and EPRI 3002002982). In addition, Section 4 describes information that Purchasers should ensure is included in their Quality Assurance Programs.

The following are the actions and steps that are necessary in order for a Purchaser to accept third party SIL certification of commercial grade digital equipment, by companies accredited by IAF signatory organizations, in lieu of performing a commercial grade survey to evaluate the EPRI TR-106439 dependability critical characteristics. Additional detail on performing these steps is discussed in subsequent sections of this guidance.

1) The method to use a third party SIL certification by a company accredited by a signatory to IAF in lieu of a commercial grade survey (alternative method) for verification of EPRI TR-106439 dependability critical characteristics is documented in the Purchaser's QA program.

2) The method the Purchaser needs to follow, and document in their QA Program, consists of:
1. A documented review of the third party SIL certifier's accreditation is performed and includes a verification of the following:
   a. The third party SIL certifier holds accreditation by an accrediting body that is a signatory to IAF.
   b. The published scope of accreditation for the third party SIL certifier covers IEC 61508 SIL certification.
2. The purchase documents require that:
   a. A copy of the SIL certificate for the commercial grade digital equipment being purchased be provided.
   b. The IEC 61508 Systematic Capability SIL be identified in the certificate.
   c. SIL certification precautions and limitations be included in the SIL certificate or in the safety manual.
   d. A certificate of conformance that the third party SIL certifier is accredited by a signatory to IAF be provided.
   e. The customer must be notified of any condition that adversely impacts the third party SIL certifier's ability to maintain its SIL certification accreditation or the scope of accreditation.
3. It is validated, at receipt inspection, that the commercial grade digital equipment supplier documentation certifies that:
   a. The commercial grade digital equipment matches that defined in the SIL certificate provided.
   b. The purchase order's requirements are met.

1.4 Acronyms

AB - Accreditation Body
CFR - Code of Federal Regulations
EPRI - Electric Power Research Institute
IAF - International Accreditation Forum
IEC - International Electrotechnical Commission
NEI - Nuclear Energy Institute
NRC - Nuclear Regulatory Commission
NUPIC - Nuclear Procurement Issues Corporation
QA - Quality Assurance
QC - Quality Control
SIL - Safety Integrity Level
2 SAFETY INTEGRITY LEVEL (SIL)

2.1 Description of the Third Party Certification Process for Performance of Safety Functions of a Particular Safety Integrity Level (SIL)

2.2 Description of the Critical Dependability Characteristics per NRC Endorsed EPRI TR-106439

3 EPRI RESEARCH OF THE SIL CERTIFICATION PROCESS

3.1 Scope of the EPRI Research

3.2 Summary of the EPRI Research

4 ACCEPTANCE OF COMMERCIAL GRADE DIGITAL EQUIPMENT FOR SAFETY APPLICATIONS CERTIFIED TO A PARTICULAR SIL

4.1 Application of the SIL Certification Process

4.2 Technical Evaluation

4.3 Acceptance Method

5 PURCHASER'S QUALITY ASSURANCE PROGRAM

5.1 Organization

5.2 Procurement Document Control

5.3 Control of Purchased Material, Equipment, and Services

5.4 Control of Measuring and Test Equipment

5.5 Corrective Action
6 US NUCLEAR INDUSTRY OVERSIGHT OF THE SIL CERTIFICATION PROCESS

The objective of the oversight of the IEC 61508 3rd Party SIL Certification Process by the U.S. nuclear industry is to confirm that the process continues to cover the EPRI TR-106439 Dependability Critical Characteristics and is implemented consistently for all vendor equipment evaluations, so that the process can be used in lieu of commercial grade surveys as part of the Purchaser's commercial grade dedication activities. Early identification of potentially adverse conditions will afford the nuclear industry the opportunity to discuss any impact with the NRC and to modify this guidance as necessary.

6.1 Organization

NUPIC and NEI are responsible for the industry oversight of the IEC 61508 3rd party SIL certification process as it relates to industry's use of the process as part of commercial grade dedication. NUPIC has formed a group to support the industry's efforts to monitor the 3rd Party IEC 61508 SIL accreditation process. NUPIC plays a central role in the continued oversight activities, and a NUPIC member leads or participates in the oversight activities described below.

6.2 Verification that the SIL Certification Process Continues to be Consistent with NRC Endorsed Practices

The assessments and conclusions of the consistency of the 3rd Party IEC 61508 SIL certification process documented herein include the evaluation of any future changes to the 3rd Party IEC 61508 SIL certification process, since NRC endorsement, to make sure the process continues to cover the EPRI TR-106439 Dependability Critical Characteristics.

As part of the continued oversight, the nuclear industry through NEI will monitor the 3rd Party IEC 61508 SIL Certification requirements to verify that they continue to cover the EPRI TR-106439 Dependability Critical Characteristics. Because IEC 61508 is the main standard that assures consistency with NRC accepted practices and because it is not often revised, it is expected that changes that would make the 3rd Party IEC 61508 SIL certification process no longer consistent with EPRI TR-106439 Dependability Critical Characteristics would be few and infrequent, if at all.

Any time the IEC 61508 standard is under revision, NEI will evaluate whether the potential changes impact the 3rd Party IEC 61508 SIL certification process and its coverage of the EPRI TR-106439 Dependability Critical Characteristics. If changes adversely impact coverage of the EPRI TR-106439 Dependability Critical Characteristics, then the nuclear industry through NEI has the ability to provide feedback to the IEC 61508 standards development committee to change the draft revision to encompass these critical characteristics.

As a result, the nuclear industry has an opportunity to vet changes to 3rd Party IEC 61508 SIL certification requirements before they are implemented, and thus provide the nuclear industry and NRC with substantial advance notification, and would have time to implement changes to this guidance or otherwise issue communications to users of the guidance.

NEI will make the NRC aware of any potential adverse changes and industry's actions to mitigate them.

A summary of the monitoring of 3rd Party IEC 61508 SIL certification requirements will be documented whenever IEC 61508 is revised.

6.3 Verification that Implementation of the 3rd Party IEC 61508 SIL Certification Process Continues to be Consistent With NRC Accepted Practices

The assessments and conclusions of the consistency of the implementation of the 3rd Party IEC 61508 SIL certification process documented herein are based in part on the direct observations of the performance by accreditation bodies (e.g., ANSI and Deutsche Akkreditierungsstelle [DAkkS]) for SIL certification. These evaluations are performed to verify the accreditation process continues to be consistently applied.

NUPIC and other Industry Representatives will observe accreditation bodies that accredit 3rd party IEC 61508 SIL certifiers to ensure that the 3rd Party IEC 61508 SIL certification process continues to be implemented consistently. U.S. nuclear industry observations will be performed initially on a three (3) year frequency with the possibility of reducing the frequency if it is observed that the process is demonstrably consistent. The initial 3 year frequency is consistent with the guidance in NRC Regulatory Guides 1.28 and 1.144 for auditing 10 CFR 50 Appendix B suppliers. The NRC may request to participate on these observations.