Text

_ _.

,f %g s

1 UNITED STATES p

m g

j NUCLEAR REGULATORY COMMISSION 2

WASHINGTON, D.C. 30seH001

\\,,, /

4 September 24, 1996 I

l MEMORANDUM TO:

David B. Matthews, Chief l

Generic Issues and Environmental Projects Branch Division of Reactor Program Management, NRR FROM:

James H. Wilson, Senior Project Manager ww h h Generic Issues and Environmental Projects Bra Division of Reactor Program Management, NRR

SUBJECT:

SUMMARY

OF MEETING HELD ON SEPTEMBER 9 AND 10, 1996, WITH i

ELECTRIC POWER RESEARCH INSTITUTE ON QUALIFICATION PROGRAM FOR PROGRAMABLE LOGIC CONTROLLERS

]

On September.10 and 11, 1996, the staff held a public meeting with the l

Electric Power Research Institute (EPRI) at NRC headquarters in Rockville, i

Maryland to discuss EPRI's program for qualification of programable logic j

l controllers (PLCs) for use in safety systems at nuclear power plants. A list L

of attendees and their affiliations is provided as Attachment 1.

A copy of

(

the preliminary draft of the EPRI requirements / guidance document for qualification of PLCs that served as the basis for discussion is provided as l.

This document, prepared by EPRI's contractor, S. Levy, Inc.,

contains draft requirement specifications for qualifying a PLC for Nuclear i

Class I service.

)

The goal for the meeting was to discuss and resolve coments on the draft requirements document. The NRC coments, transmitted to EPRI prior to the meeting, are provided as Attachment 3.

The majority of the NRC coments were accepted, withdrawn by the comentor, or tabled for discussion with the authors. However, three major areas of discussion were not resolved at the meeting, as described below.

Quality Assurance One of the major comments by the NRC dealt with the relationship between the 150-9000 series certification and compliance with 10 CFR Part 50, Appendix B.

The staff questioned whether the purpose of the specification was to provide a

~

level of quality assurance equivalent to 10 CFR Part 50, Appendix B, or to provide assurance of compliance with 10 CFR Part 50, Appendix B.

The staff stated that 150-9000 can not automatically be assumed to be the equivalent of Appendix B.

Furthermore, a simple reference to a standard is not sufficient evidence that a QA program is in compliance with Appendix B.

Rather, the requirements that the QA plan is based"on should be stated and, if acceptable, these requirements would then form the bases for an audit to verify compliance with Appendix B.

This comment generated considerable discussion regarding the scope and focus of the requirements specification. The staff and EPRI discussed whether this document was intended apply to the comercial PLC, a PLC vendor that is also an r

l 9610030287 960924

\\

PDR PROJ g %Q[$b5$ khh[h '

l ud-fn) h[

3*

.: Appendix B vendor, or a third party qualifier (an Appendix B vendor) who in turn procures the PLC from a commercial PLC vendor? This discussion included the assignment of the Part 21 reporting responsibility. Several of the utility members were concerned that inclusion of requirements specific to compliance with requirements from 10 CFR would significantly limit the number of PLC vendors that would be interested in meeting the generic PLC requirements specification. This matter was not resolved at the meeting and the next draft should provide clarification.

The staff notes that the Lawrence Livermore National Laboratory (LLNL) task for the development of criteria for commercial off-the-shelf (C0TS) software for application to nuclear power plant systems important to safety faced a similar issue. That is, whether the vendor's process should be one for commercial dedication as defined in 10 CFR Part 21, or should the vendor's process have a quality assurance program that results in a commercial grade item that can be used as a basic component; i.e. is equivalent to an item designed and manufactured under a 10 CFR Part 50, Appendix B quality assurance program. The LLNL tack was directed to the development of acceptance criteria for commercial grade software for application in safety systems, and not to the formal commercial dedication process. The acceptance process reported in the LLNL final task report, NUREG/CR-6421, "A Proposed Acceptance Process for Commercial Off-the-Shelf (C0TS) Software in Reactor Applications," was based to a large extent on the review of current and draft IEEE Computer Society Standards as summarized in Appendix A of the report.

Regulatory guides thy endorse these standards are now out for public comment, with the exception t.f i

IEEE 730.1 and 730.2. The subject of standards for software QA is very fluid, t

l primarily because of issues concerning 150-9000 series, vs. IEEE documents, and in the Nuclear area, ASME NQA-1-1994, subpart 2.7 vs. an IEEE QA standard.

Software Reauirements Another area of major comment by the NRC that was not resolved at the meeting dealt with software requirements, both in the section on software /firmware (Section 4.4) and in the section on PLC architecture and the section on availability / reliability (Sections 4.1.1 and 4.2.3, respectively). The comments on Section 4.1.1 dealt with the multitasking features in the PLC operating system that permitted event-driven interrupts rather than giving preference to a continuous loop non-interruptable software structure. This would significantly complicate the V&V process (e.g., see Section 6.1.3.14 of

)

Chapter 10 of the EPRI Utility Requirements for Evolutionary Plant Designs).

The comment on Section 4.2.3 dealt with the implification that reliability was achieved primarily through redundancy rather than through both high reliability of components (hardware and software) and diversity / redundancy.

These comments will be addressed in the next draft.

i b

i

_3_

Ladder Loaic Tools The third major area of staff concern was raised during the meeting and, therefore, did not receive much discussion.

It involved the concern that PLC ladder logic tools could provide a means for coding structures that have been identified as sources of potential problems with PLC programs; i.e. the potential for unintended functions based on the use of retentive vs. non-retentive output functions. This identification was given in NUREG/CR-6463,

" Review Guidelines on Software Languages for Use in NPP Safety Systems,"

authored by SoHaR, Inc. and is available on the web (http:\\\\www.sohar.com\\J1030\\ toc.htm). The sections of this report that dealt with PLC ladder logic were given to attendees of this meeting for consideration in the next draft of the requirements document.

i Project No. 669 l

Attachments: As stated cc w/ attachments:

See next page l

n A

a m

a aa

_m J.

a 4

de Aya

,a a:.__._

pi,a g a

e, l'

l

'a Ladder Loaic Tools The third major area of staff concern was raised during the meeting and, therefore, did not receive much discussion.

It involved the concern that PLC ladder logic tools could provide a means for coding structures that have been identified as sources of potential problems with PLC programs; i.e. the l

potential for unintended functions based on the use of retentive vs. non-l retentive output functions. This identification was given in NUREG/CR-6463, l

" Review fuidelines on Software Languages for Use in NPP Safety Systems,"

authored us SoHaR, Inc. and is available on the web (http:\\\\www.sohar.com\\J1030\\ toc.htm). The sections of this report that dealt l

with PLC ladder logic were given to attendees of this meeting for consideration in the next draft of the requirements document.

i Project No. 669 Attachments: As stated cc w/ attachments:

l See next page DISTRIBUTION:

• w/o atts Central File ACRS WRussell/FMiraglia **

PUBLIC JJoyce

• RZimmerman PGEB r/f JWermiel

• AThadani l

BGrimes

• JMauck BBoger DMatthews

• DSpaulding

• W8eckner RArchitizel

• JGallagher

• TAlexion JWilson JPeralta MChiramal Document Name: MEETSUM.910 1

0FC PGEB @ h4k C:lUCB,

C:PGEblk NAME JWilson[sw Nrchb1 JWehl DMattt(ews A

DATE 9/4/96 9/ d$96 9/23/96 9/][/96

/ OFFICIAL RECORD COPY E3

% N bdN3 N

&//4

LIST OF ATTENDEES AT MEETING WITH EPRI HELD IN ROCKVILLE, MARYLAND ON SEPTEMBER 10 and 11, 1996 fi8tif AFFILIATION J. Wermiel NRC J. Mauck NRC J. Gallagher NRC D. Spaulding NRC J. Stewart NRC J. Peralta NRC J. H. Wilson NRC C. Doutt*

NRC T. Jackson

• NRC L. Campbell *

-NRC D. Matthewst NRC R. Carritte MPR Associates J. Amin TU Electric i

l W. Sotos HL&P l

S. Jasien HL&P H. Fish

• NY Power Authority i

J. Ruether*

NSP D. Wilkinson*

EPRI W. Wellbornt HL&P R. Mayt S. Levy, Inc.

A. Ostansot S. Levy, Inc.

l B. Geddest BG&E l

• - present on September 10 only t - present on September 11 only

,