ML20198F773

Reg Guide 01.168, Verification Validation Reviews & Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
Person / Time
Issue date: 09/30/1997
From:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To:
References
TASK-*****, TASK-RE REGGD-01.168, REGGD-1.168, NUDOCS 9801120149


Text

U.S. NUCLEAR REGULATORY COMMISSION
September 1997

REGULATORY GUIDE

OFFICE OF NUCLEAR REGULATORY RESEARCH

REGULATORY GUIDE 1.168
(Draft was DG-1054)

VERIFICATION, VALIDATION, REVIEWS, AND AUDITS FOR DIGITAL COMPUTER SOFTWARE USED IN SAFETY SYSTEMS OF NUCLEAR POWER PLANTS

A. INTRODUCTION

In 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," paragraph 55a(a)(1) requires, in part, that systems and components be designed, tested, and inspected to quality standards commensurate with the safety function to be performed.¹ Criterion 1, "Quality Standards and Records," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50 requires, in part,¹ that a quality assurance program be established and implemented in order to provide adequate assurance that systems and components important to safety will satisfactorily perform their safety functions. Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 describes criteria that must be met by a quality assurance program for systems and components that prevent or mitigate the consequences of postulated accidents. In particular, besides the systems and components that directly prevent or mitigate the consequences of postulated accidents, the criteria of Appendix B also apply to all activities affecting the safety-related functions of such systems and components, such as designing, purchasing, installing, testing, operating, maintaining, or modifying. A specific requirement is contained in 10 CFR 50.55a(h), which requires that reactor protection systems satisfy the criteria of IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."² Paragraph 4.3 of IEEE Std 279-1971³ states that quality of components is to be achieved through the specification of requirements known to promote high quality, such as requirements for design, inspection, and test.

¹ In this regulatory guide, many of the requirements have been paraphrased; see 10 CFR Part 50 for the full text.

² Revision 1 of Regulatory Guide 1.153, "Criteria for Safety Systems," endorses IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," as a method acceptable to the NRC staff for satisfying the NRC's regulations with respect to the design, reliability, qualification, and testability of the power, instrumentation, and control portions of the safety systems of nuclear power plants.

³ IEEE publications may be obtained from the IEEE Service Center, 445 Hoes Lane, Piscataway, NJ 08854.

In Appendix B,¹ "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50, many of the criteria contain requirements closely related to the activities of verification and testing. Criterion I, "Organization," of Appendix B, in describing the establishment and execution of a quality assurance program, specifies that applicants must (a) assure that an appropriate quality assurance program is established and effectively executed and (b) verify, such as by checking, auditing, and inspection, that activities affecting safety-related functions have been correctly performed. Criterion II, "Quality Assurance Program," of Appendix B states, in part, that activities affecting quality must be accomplished under suitably controlled conditions. Controlled conditions include the use of appropriate equipment, suitable environmental conditions for accomplishing the activity, and assurance that all prerequisites for the given activity have been satisfied. It also states, in part, that the program must take into account the need for verification of quality by inspection and test. Criterion III, "Design Control," of Appendix B requires, in part, that design control measures provide for verifying or checking the adequacy of design. Criterion XI, "Test Control," requires, in part, that a test program be established to ensure that all testing required to demonstrate that structures, systems, and components will perform satisfactorily in service is identified and performed in accordance with written test procedures that incorporate the requirements and acceptance limits contained in applicable design documents. Finally, Criterion XVIII, "Audits," requires, in part, that a comprehensive system of planned and periodic audits be carried out to verify compliance with all aspects of the quality assurance program and to determine the effectiveness of the program.

This regulatory guide endorses IEEE Std 1012-1986,³ "IEEE Standard for Software Verification and Validation Plans," and IEEE Std 1028-1988,³ "IEEE Standard for Software Reviews and Audits." IEEE Std 1012-1986, with the exceptions stated in the Regulatory Position, describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems.⁴ In particular, the method is consistent with the previously cited General Design Criteria and the criteria for quality assurance programs in Appendix B, as applied to software verification and validation. The criteria of Appendices A and B apply to systems and related quality assurance processes, and if those systems include software, the requirements extend to the software elements. IEEE Std 1028-1988 provides an approach that is acceptable to the NRC staff for carrying out software reviews, inspections, walkthroughs, and audits subject to certain provisions.

⁴ The term "safety systems" is synonymous with "safety-related systems." The General Design Criteria cover systems, structures, and components "important to safety." The scope of this regulatory guide is, however, limited to "safety systems," which are a subset of "systems important to safety."

In general, information provided by regulatory guides is reflected in the Standard Review Plan (NUREG-0800). The Office of Nuclear Reactor Regulation uses the Standard Review Plan to review applications to construct and operate nuclear power plants. This regulatory guide will apply to the revised Chapter 7 of the Standard Review Plan.

The information collections contained in this regulatory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Management and Budget, approval number 3150-0011. The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

B. DISCUSSION

The use of industry consensus standards is part of an overall approach to meeting the requirements of 10 CFR Part 50 when developing safety systems for nuclear power plants. Compliance with standards does not guarantee that regulatory requirements will be met. However, compliance does ensure that practices accepted within various technical communities will be incorporated into the development and quality assurance processes used to design safety systems. These practices are based on experience, and they represent industry consensus on approaches used for development of such systems.

Software incorporated into instrumentation and control systems covered by Appendix B will be referred to in this regulatory guide as safety system software. For safety system software, software verification and validation (V&V), reviews, and audits are important parts of the effort to achieve compliance with the NRC's requirements. Software engineering practices rely, in part, on software V&V and on technical reviews and audits to meet general quality and reliability requirements consistent with Criteria 1 and 21 of Appendix A to 10 CFR Part 50, as well as Criteria II, III, XI, and XVIII of Appendix B. In addition, management reviews and audits of software processes are part of a verification process consistent with Criterion I of Appendix B.

General design verification requirements, but not details of software V&V planning and the conduct of reviews and audits, are described by IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations,"³ which is endorsed by Revision 1 of Regulatory Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," and ASME NQA-1-1994, "Quality Assurance Requirements for Nuclear Facility Applications." Two consensus standards on software engineering, IEEE Std 1012-1986 (reaffirmed in 1992) and IEEE Std 1028-1988 (reaffirmed in 1993), describe the software industry's approaches to software verification, validation, review, and audit activities that are generally accepted in the software engineering community. Compliance with these standards helps to meet regulatory requirements by ensuring that disciplined software V&V, review, and audit practices accepted within the software community will be incorporated into software processes applied to safety system software. IEEE Std 1012-1986 describes the elements of a software V&V plan and, for software deemed "critical software" by IEEE Std 1012-1986, describes a minimum set of V&V activities to be included in the plan. IEEE Std 1028-1988 is a process standard that provides guidance on how to conduct audits, inspections and walkthroughs, and technical and management reviews.

Technical reviews, some audits, and software inspections and walkthroughs are focused on the verification and validation of products of the software development process. Management reviews and other audits are focused on ensuring that planned activities are being accomplished effectively. Reviews and audits are closely associated with V&V activities since technical reviews and audits are frequently conducted by the V&V organization and because the V&V organization normally participates in management reviews. Because of this close connection of the V&V activity with reviews and audits, IEEE Std 1028-1988 and IEEE Std 1012-1986 are addressed together in this regulatory guide.

IEEE Std 603-1991 and IEEE Std 7-4.3.2-1993, which are endorsed by Revision 1 of Regulatory Guide 1.153 and Revision 1 of Regulatory Guide 1.152, respectively, do not provide for classification, although the foreword to IEEE Std 7-4.3.2-1993 recommends the addition of grading to future versions of IEEE Std 603. This regulatory guide is based on current standards and describes methods acceptable for any safety system software. Within the framework of the acceptable methods described by this regulatory guide, certain V&V activities are required. For smaller, less complex systems or components, these activities should require less effort. Additionally, the applicant or licensee determines how the required activities will be implemented, commensurate with the item's importance to safety. The benefits of this approach are that the concepts addressed in the standard are applied within the context of safety system development while the applicant or licensee has flexibility in implementation.

C. REGULATORY POSITION

The requirements specified in IEEE Std 1012-1986 provide an approach that is acceptable to the NRC staff for meeting the requirements of 10 CFR Part 50 and the guidance given in Revision 1 of Regulatory Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," as they apply to the verification and validation of safety system software, subject to the exceptions listed below in Regulatory Positions 1 through 8 and 11.

IEEE Std 1028-1988 provides an approach acceptable to the NRC staff for carrying out software reviews, inspections, walkthroughs, and audits, subject to the exceptions listed below in Regulatory Positions 9 through 11. These are often performed in association with V&V or software quality assurance activities.

Except as noted below, the appendices to these standards are not covered by this regulatory guide. In this Regulatory Position, the cited criteria are in Appendix B to 10 CFR Part 50 unless otherwise noted.

To meet the requirements of 10 CFR 50.55a(h) and Appendix A of 10 CFR Part 50 as ensured by complying with the criteria of Appendix B applied to the verification, validation, reviews, and audits of safety system software, the following exceptions are necessary and will be considered by the NRC staff in the review of submittals from applicants and licensees.

1. CRITICAL SOFTWARE

IEEE Std 1012-1986 refers to critical and noncritical software. It defines the contents of a Software V&V Plan (SVVP) for all software and, for critical software, identifies a minimum set of software V&V tasks and their inputs and outputs that must be included in the SVVP. Critical software is defined in IEEE Std 1012-1986 to be software whose failure could have an impact on safety or could cause large financial or social loss. For the purposes of this regulatory guide, critical software means software used in nuclear power plant safety systems per footnote 4 of this guide, a narrower set of critical software than that defined in IEEE Std 1012-1986.

2. SOFTWARE RELIABILITY

In its discussion of component and integration test plans in Table 1, IEEE Std 1012-1986 identifies measurement of software reliability as a criterion for determining whether software elements correctly implement software requirements. The following is noted in Revision 1 of Regulatory Guide 1.152:

Section 5.15, "Reliability," of IEEE Std 7-4.3.2-1993 states, "When qualitative or quantitative reliability goals are required, the proof of meeting the goals shall include software used with the hardware." The staff does not endorse the concept of quantitative reliability goals as a sole means of meeting the Commission's regulations for reliability of the digital computers used in safety systems.

3. INDEPENDENCE OF SOFTWARE V&V

IEEE Std 1012-1986 does not require independence in the performance of software V&V, but the NRC does require independence. Criterion III, "Design Control," imposes an independence requirement for the verification and checking of the adequacy of the design, requiring that those who perform the verification and checking be different from those who accomplish the design. Approaches to performing independent software V&V are described in Revision 1 of Regulatory Guide 1.152. Regardless of the approach selected for a given V&V task, the responsibility for the adequacy of V&V lies with the organization responsible for the independent V&V. The person accountable for V&V must also be independent of the person accountable for the design. This independence must be sufficient to ensure that the V&V process is not compromised by schedule and resource demands placed on the design process. The independent verifiers must be sufficiently competent in software engineering to ensure that software V&V is adequately implemented. Criterion II, "Quality Assurance Program," states that the program must provide for indoctrination and training of personnel performing activities affecting quality as necessary to ensure that suitable proficiency is achieved and maintained. It is beneficial if the independent verifiers are also knowledgeable regarding nuclear applications.

4. DESIGN CHANGES

IEEE Std 1012-1986, in paragraph 3.7.2, requires a description in the SVVP of the criteria for determining the extent to which a V&V task must be reperformed following a change to an input of the task. The criteria described in the SVVP must be consistent with Criterion III, "Design Control," which requires that design changes be subject to design control measures commensurate with those applied to the original design. In addition, IEEE Std 1012-1986 includes cost and schedule as possible criteria for determining the extent of reperformance of V&V tasks. Such cost and schedule criteria, if used, must be commensurate in importance with the cost and schedule criteria that applied to verification of the original design. Any use of these criteria must be consistent with the requirement of 10 CFR 50.57(a)(3) that there be reasonable assurance that the activities authorized by the operating license can be conducted without endangering the health and safety of the public.

5. CONFORMANCE OF MATERIALS

Criterion III, "Design Control," states that measures are to be established for the selection and review for suitability of application of materials, parts, equipment, and processes that are essential to the safety-related functions of the structures, systems, and components. Criterion VII, "Control of Purchased Material, Equipment, and Services," states that measures are to be established to ensure that purchased material, whether purchased directly or through contractors and subcontractors, conform to the procurement documents. In its discussion of V&V during the operation and maintenance phase of the software life cycle, IEEE Std 1012-1986 (in paragraph 3.5.8) provides requirements and guidance for retrospective V&V of software that was not verified under the standard. The use of this guidance for the acceptance of pre-existing (e.g., commercial off-the-shelf) critical software not verified during development to the provisions of this regulatory guide or its equivalent is not endorsed. Revision 1 of Regulatory Guide 1.152 provides information on the acceptance of pre-existing software. Additional detailed information on acceptance processes is available in EPRI TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications" (October 1996).⁵

⁵ Electric Power Research Institute documents may be obtained from the EPRI Distribution Center, 207 Coggins Drive, P.O. Box 23205, Pleasant Hill, CA 94523. EPRI TR-106439 is also available for inspection or copying for a fee in the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001; telephone (202)634-3273; fax (202)634-3343.

6. QUALITY ASSURANCE

Criterion I identifies the quality assurance functions of (a) assuring that an appropriate quality assurance program is established and effectively executed and (b) verifying, such as by checking, auditing, and inspecting, that activities affecting the safety-related functions have been correctly performed. Criterion XVII requires that sufficient records be maintained to furnish evidence of activities affecting quality. Criterion III requires that design changes be subject to design control measures commensurate with those applied to the original design. In addition to the requirements of IEEE Std 1012-1986 (in paragraph 3.7.4) regarding control procedures, any V&V materials necessary for the verification of the effectiveness of the V&V programs or necessary to furnish evidence of activities affecting quality must be maintained as quality assurance records. Those materials necessary for the reverification of changes must be maintained under configuration management.⁶

⁶ See the guidance in Regulatory Guide 1.169, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."

7. TOOLS FOR SOFTWARE DEVELOPMENT

Tools used in the development of safety system software should be handled according to IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," as endorsed by Revision 1 of Regulatory Guide 1.152. IEEE Std 7-4.3.2-1993 states that "V&V tasks of witnessing, reviewing, and testing are not required for software tools, provided the software that is produced using the tools is subject to V&V activities that will detect flaws introduced by the tools." If this cannot be demonstrated, the provisions of this Regulatory Guide 1.168 are applicable.

8. V&V TASKS

Table 2 of IEEE Std 1012-1986 lists optional V&V tasks. These are further described in the appendix (which is for information only) to IEEE Std 1012-1986. These tasks are intended to provide a tailoring capability by allowing tasks to be added to the minimum set for critical software. Exception is taken to the 'optional' status of some tasks on this list; they are considered by the NRC staff to be acceptable methods for meeting the requirements of Appendices A and B to 10 CFR Part 50 as applied to software, regardless of whether they are performed by the V&V organization. The following tasks are considered by the NRC staff to be part of the minimum set of V&V activities for critical software unless they are (1) incorporated into other V&V tasks in the SVVP or (2) performed outside the software V&V organization as part or all of the duties of some other organization.

8.1 Configuration Management

Configuration management (CM), and software configuration management in particular, are not optional functions, but are identification and control functions considered to be mandatory under Criterion VIII, "Identification and Control of Materials, Parts, and Components," as applied to software. The same personnel who perform the V&V functions may perform the software configuration management functions.

8.2 Audits

Criteria III, "Design Control," and XVIII, "Audits," require the performance of audits. These audits include functional audits, in-process audits, and physical audits for software. These audits are commonly considered to be the responsibility of the software quality assurance organization and the configuration management organization, but they may be handled by the V&V organization. If so, the audits should be described in the SVVP. An acceptable method of conducting these audits is described in IEEE Std 1028-1988.

8.3 Regression Analysis and Testing

Criterion III, "Design Control," requires that design changes be subject to design control measures commensurate with those applied to the original design. Regression analysis and testing following the implementation of software modifications is a necessary element of the V&V of software changes. It is considered by the staff to be part of the minimum set of software V&V activities for critical software.

8.4 Installation and Checkout Testing

Criterion XI, "Test Control," requires that the test program include, as appropriate, proof tests prior to installation, pre-operational tests, and operational tests. The user of IEEE Std 1012-1986 must identify in the SVVP which tests will be performed to meet Criterion XI.

8.5 Test Evaluation

Test evaluation, an optional task described in the Appendix to IEEE Std 1012-1986, calls for confirmation of the technical adequacy of test materials such as plans, designs, and results. The evaluation of these materials is necessary for consistency with Criterion II, "Quality Assurance Program," in its requirement for controlled conditions and with Criterion XI, "Test Control," in its requirement for the evaluation of test results.

8.6 Evaluation of User Documentation

Table 2 of IEEE Std 1012-1986 includes User Documentation Evaluation as an optional V&V task. [...] for verifying and checking the design apply to software documentation, including user documentation.

9. CLARIFICATIONS

Criterion III, "Design Control," requires measures, such as the performance of design reviews, to be provided for verifying or checking the adequacy of the design, and Criterion II, "Quality Assurance Program," requires activities affecting quality to be accomplished under suitably controlled conditions. Criterion V, "Instructions, Procedures, and Drawings," requires activities affecting quality to be directed by written instructions, procedures, and drawings that include acceptance criteria for determining that these activities are successfully accomplished. IEEE Std 1028-1988 contains a mix of verbs (such as "will," variants of "to be," or verbs used in the present tense (as described below)), and it may not be clear whether the usage is intended to be a requirement of the standard or a statement of fact. In this regulatory guide, the following are considered to be conditions for audits and reviews:

9.1 The responsibilities and prerequisites of sections 3.1 and 3.2 and the minimum process description template of section 3.3 of IEEE Std 1028-1988.

9.2 Anything with the terms "must," "required," "shall," "minimum requirements," "is responsible for," "will ensure," "is to (or 'is not allowed to')," "minimum input," "necessary input," "is conducted when," "reports that identify (or 'contain')," "output is," or variations of any of these terms.

9.3 The responsibilities, minimum inputs, entry and exit criteria, procedures, and auditability of items described in sections 4 through 8 of IEEE Std 1028, unless the IEEE Std 1028-1988 phraseology indicates a recommended or optional item.

10. TABLE 1 IN IEEE STD 1028-1988

In Table 1 in IEEE Std 1028-1988, the word 'include' in the column heading means representative but not exhaustive. Table 1 relates quality assurance processes to quality assurance objectives, adds 'test' for completeness, and matches key processes to quality assurance objectives. In so doing, it does not provide an exhaustive list of all process and objective relationships. In particular, the relationship of testing to verification is not indicated, but this relationship is added by this regulatory guide.

11. OTHER CODES AND STANDARDS

Various sections of IEEE Std 1012-1986 and IEEE Std 1028-1988 reference other industry codes and standards. These references to other standards should be treated individually. If a referenced standard has been incorporated separately into the NRC's regulations, licensees and applicants must comply with that standard as set forth in the regulation. If the referenced standard has been endorsed in a regulatory guide, the standard constitutes a method acceptable to the NRC staff of meeting a regulatory requirement as described in the regulatory guide. If a referenced standard has been neither incorporated into the NRC's regulations nor endorsed in a regulatory guide, licensees and applicants may consider and use the information in the referenced standard, if appropriately justified, consistent with current regulatory practice.

D. IMPLEMENTATION

The purpose of this section is to provide information to applicants and licensees regarding the NRC staff's plans for using this regulatory guide. No backfitting is intended or approved in connection with the issuance of this guide.

Except in those cases in which an applicant or licensee proposes an acceptable alternative method for complying with the specified portions of the NRC's regulations, the methods described in this guide will be used in the evaluation of submittals in connection with applications for construction permits and operating licenses. This guide will also be used to evaluate submittals from operating reactor licensees who propose system modifications that are voluntarily initiated by the licensee if there is a clear nexus between the proposed modifications and this guidance.

BIBLIOGRAPHY

Hecht, H., A.T. Tai, K.S. Tso, "Class 1E Digital Systems Studies," NUREG/CR-6113, USNRC, October 1993.¹

Hecht, H., et al., "Verification and Validation Guidelines for High Integrity Systems," NUREG/CR-6293, USNRC, March 1995.¹

Institute of Electrical and Electronics Engineers, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," IEEE Std 7-4.3.2-1993.

Lawrence, J.D., "Software Reliability and Safety in Nuclear Reactor Protection Systems," NUREG/CR-6101 (UCRL-ID-117524, Lawrence Livermore National Laboratory), USNRC, November 1993.¹

[...] for Safety-Critical Software," NUREG/CR-6294, USNRC, December 1994.¹

Seth, S., et al., "High Integrity Software for Nuclear Power Plants: Candidate Guidelines, Technical Basis and Research Needs," NUREG/CR-6263, USNRC, June 1995.¹

USNRC, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," Regulatory Guide 1.152, Revision 1, January 1996.²

USNRC, "Standard Review Plan," NUREG-0800, February 19[..].¹

¹ Copies may be purchased at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (telephone (202)512-2249), or from the National Technical Information Service by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001; telephone (202)634-3273; fax (202)634-3343.

² Single copies of regulatory guides may be obtained free of charge by writing the Office of Administration, Printing, Graphics and Distribution Branch, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; or by fax at (301)415-5272. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001; telephone (202)634-3273; fax (202)634-3343.

REGULATORY ANALYSIS

A separate regulatory analysis was not prepared for this regulatory guide. The regulatory analysis prepared for Draft Regulatory Guide DG-1054, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," provides the regulatory basis for this guide. A copy of the regulatory analysis is available for inspection and copying for a fee at the NRC Public Document Room, 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001; phone (202)634-3273; fax (202)634-3343.
