ML20034D488

Responds to Commenting on Staff Proposed Approach W/Respect to Defense Against common-mode Failure of Digital I&C Sys
Person / Time
Issue date: 10/23/1992
From: Taylor J
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
To: Ward D
Advisory Committee on Reactor Safeguards
References
ACRS-GENERAL, NUDOCS 9211040054


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

October 23, 1992

Mr. David A. Ward, Chairman
Advisory Committee on Reactor Safeguards

Dear Chairman Ward:

SUBJECT: DEFENSE AGAINST COMMON MODE FAILURES IN DIGITAL INSTRUMENTATION AND CONTROL (I&C) SYSTEMS

I am responding to your letter to the Chairman of September 16, 1992, in which you commented on the staff's proposed approach with respect to defense against the common-mode failure of digital I&C systems. This approach was discussed in policy issue "A" of the draft Commission paper, "Design Certification and Licensing Policy Issues Pertaining to Passive and Evolutionary Advanced Light Water Reactor Designs," June 25, 1992.

I also received your letter of September 16, 1992, in which you provided specific comments on policy issue "A."

In the letter to the Chairman, you also raised concerns that apply generally to the staff's proposed generic letter on analog-to-digital replacements. The staff will be presenting this proposed generic letter to the ACRS for its review and consideration, and our dialogue on this topic can continue.

In the interim, this response is intended to address the specific ACRS comments raised on policy issue "A" by the September 16, 1992, letters.

This issue of diversity and requisite level of independent backup capability for shutdown purposes is an issue that I feel strongly needs to be addressed in the use of digital protection systems.

In the introduction to the proposed policy issue "A," the staff stated that the two principal factors for defense against common-mode failures in digital computer systems are quality and diversity. These factors and segregation (or separation), which are needed to provide and maintain independence between redundant or diverse equipment, were discussed more fully in SECY-91-292, September 16, 1991, "Digital Computer Systems for Advanced Light Water Reactors."

As stated in SECY-91-292 and documented in the reviews of advanced light water reactor designs and analog-to-digital conversions at operating reactors, the staff reviewed and accepted several Institute of Electrical and Electronics Engineers (IEEE) standards that govern quality in the development of software.

The staff is also assessing means to improve software quality by conducting research, obtaining assistance of expert consultants, exchanging technical information with other nations, and participating in national and international software engineering standards committees. These activities will provide the information needed to develop regulatory guidance and acceptance criteria to improve the quality of computer-based I&C systems.

The staff agrees with the ACRS that quality of digital computer systems is of principal importance and that improving the quality of software will reduce the potential for a software-caused common mode failure. However, based upon staff interaction with the international community, discussion with experts in the field of software engineering, and our experience with digital control systems, the staff concludes that software quality by itself is not sufficient to reduce the potential for a common mode failure to an acceptable level. As a result, the staff concludes that overall control system designs must include diversity in addition to high quality to provide reasonable assurance that a common mode software error cannot disable required controls.

The staff recommended four points in assessing diversity and ensuring its adequacy for digital I&C system applications. The first three points address requirements for the applicant to assess the defense in depth and diversity of the proposed designs against common mode failure vulnerabilities for events postulated in the safety analysis report (SAR) and demonstrate an acceptable plant response to each event. The staff proposed as a fourth point a set of safety-grade displays and controls in the main control room, independent of the computer systems, for system-level actuation and monitoring of critical safety functions and parameters for shutdown purposes. The staff did not intend that the independent backup provisions be designed to a reliability equivalent to that of the first-line digital system.

Your specific comments on this issue indicate that the ACRS basically agrees with the first three points of the staff's proposal; that is, you consider the recommendations for defense against common-mode failures in digital I&C systems to be appropriate and the requirement to assess the defense in depth and diversity of the systems to be essential. However, the ACRS believes that other arrangements might be shown to be acceptable for the fourth point that proposed an independent set of safety-grade displays and controls. Upon considering your specific comments, the staff does not believe that the entire policy issue "A" needs to be revisited, only its fourth point.

The staff position on the fourth point has changed as a result of the comments received from the ACRS, EPRI, and industry on the draft position. The staff would consider allowing more flexibility in implementing the independent set of displays and controls. The flexibility necessary depends on the specific equipment and design features of the I&C system and will be evaluated individually with each vendor. The intent is to permit the use of digital equipment that is not affected by the identified common-mode failures and to reduce complexity in the design.

The staff will not be so inflexible as to require only analog equipment and will consider allowing simple digital equipment. Safety parameter displays may include dedicated digital components. The system-level actuation controls that are "hardwired" to the lowest level practicable in the I&C architecture may use dedicated and diverse digital equipment. I believe that this revised approach is consistent with the comments received from the ACRS.

Sincerely,

Original Signed By:

James M. Taylor
Executive Director for Operations

cc: The Chairman; Commissioner Rogers; Commissioner Curtiss; Commissioner Remick; Commissioner de Planque; SECY; OGC

Distribution: A. Thadani; J. Taylor 17G21; Central File; B. Boger 10H3; J. Sniezek 17G21; DRCH R/F; T. Murley 12G18; H. Thompson 17G21; EDO R/F; F. Miraglia 12G18; J. Blaha 17G21; Mail Room 12G18; W. Russell 12G18; M. Taylor 17G21; J. Scinto 15B18; F. Gillespie 12G18; E. Beckjord NLS007; PDR; D. Crutchfield 11H21; R. Bernero 6E6; J. Partlow 12G18; E. Jordan MNBB3701

* See previous concurrence.

Concurrence:
OFC: HICB:DRCH; Tech Ed; D:DRCH; ADT:NRR*; DD:NRR*; D:NRR*
NAME: MChiramal:lm; SNewberry; BBoger; WRussell; FMiraglia; TMurley
DATE: 10/5/92; 10/1/92; 10/5/92; 10/5/92; 10/06/92; 10/09/92; 10/09/92; 10/ /92