ML22132A293
| Person / Time | |
|---|---|
| Issue date: | 02/23/2023 |
| From: | Kenny Nguyen NRC/NRR/DEX |
| To: | |
| Eudy M | |
| Shared Package | |
| ML20212L413 | List: |
| References | |
| DG-1374 RG 1.152 Rev 4 | |
REGULATORY ANALYSIS
DRAFT REGULATORY GUIDE DG-1374
CRITERIA FOR PROGRAMMABLE DIGITAL DEVICES IN SAFETY-RELATED SYSTEMS OF NUCLEAR POWER PLANTS
(Proposed Revision 4 of Regulatory Guide 1.152 Revision 3, dated July 2011)
The purpose of a regulatory analysis for a revision to an existing regulatory guide (RG) is (1) to clearly state the need for and consequences of the proposed revision, (2) to identify and evaluate alternate approaches, and (3) to clearly describe how the proposed revision will improve nuclear safety or security.
1. Statement of the Problem
The U.S. Nuclear Regulatory Commission (NRC) is considering revising RG 1.152, Revision 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," issued July 2011, to endorse Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 7-4.3.2-2016, "IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations," with exceptions and clarifications. In particular, this proposed revision would remove the previous secure development and operational environment (SDOE) guidance from RG 1.152 and instead endorse (with clarifications) the SDOE criteria in IEEE Std 7-4.3.2-2016. This revision would also include additional guidance for fault detection and self-diagnostics (if used) in digital instrumentation and controls (DI&C) systems.
Section 50.55a(h)(2) of Title 10 of the Code of Federal Regulations (10 CFR) requires that protection systems for nuclear power plants meet the requirements of either IEEE Std 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," or IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and its correction sheet dated January 30, 1995, depending on the licensing basis of the nuclear power plants. The American Nuclear Society Standards Committee and the Nuclear Power Engineering Committee of the IEEE Power Engineering Society developed IEEE Std 7-4.3.2 in 1982 to supplement IEEE Std 603-1977, "IEEE Trial Use Standard for Safety Systems for Nuclear Power Generating Stations," with criteria for programmable digital computer systems.
Since then, IEEE Std 7-4.3.2 has been updated periodically to encompass the evolving digital technologies. The updated versions of IEEE Std 7-4.3.2 represent IEEE's continuing effort to support the specification, design, and implementation of DI&C devices used in safety-related systems of nuclear power plants.
The NRC published Revision 0 of RG 1.152, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," in November 1985 to provide a method acceptable to the NRC staff for promoting high functional reliability for safety-related systems using programmable digital computer systems in the operation of nuclear power plants. The current version of RG 1.152 (Revision 3) endorses Revision 2003 of IEEE Std 7-4.3.2 and includes SDOE guidance for the use of digital computers in the safety systems of nuclear power plants.
The scope of IEEE Std 7-4.3.2-2003 covers only computer-based digital systems, while the scope of IEEE Std 7-4.3.2-2016 was expanded to also cover programmable digital devices (encompassing technologies such as field programmable gate arrays) and includes criteria tailored to address the unique aspects of such technologies. IEEE Std 7-4.3.2-2016 also incorporated the SDOE guidance currently in RG 1.152, Revision 3. Furthermore, IEEE Std 7-4.3.2-2016 incorporated several criteria that staff currently uses in DI&C Interim Staff Guidance 04, "Highly-Integrated Control Rooms - Communications Issues," dated September 28, 2007 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML072540138), for evaluating independence among safety channels of protective systems. In addition, IEEE Std 7-4.3.2-2016 includes Annex D, "Identification and Control of Hazards," which the NRC staff found acceptable to identify and address hazards of DI&C devices used in safety-related systems.
2. Objective
The objective of this regulatory action is to assess the need to update NRC guidance and provide licensees and applicants with an acceptable approach to meet regulatory requirements for promoting high functional reliability, design quality, and SDOEs for the use of programmable digital devices in the safety-related systems of nuclear power generating stations.
3. Alternative Approaches
The NRC staff considered the following three alternative approaches:
(1) Do not revise RG 1.152.
(2) Withdraw RG 1.152.
(3) Revise RG 1.152 to address the current methods and procedures.
Alternative 1: Do Not Revise RG 1.152
Under this alternative, the NRC would not revise RG 1.152 and would retain the current guidance. If the NRC does not take action, costs or benefits to the public, licensees, or the NRC would not change. This alternative is considered the no-action alternative and provides a baseline condition from which any other alternatives will be assessed. However, the no-action alternative would not address identified concerns with the current version of RG 1.152. The NRC would continue to review each application on a case-by-case basis.
Alternative 2: Withdraw RG 1.152
Under this alternative, the NRC would withdraw RG 1.152, which would eliminate certain problems that have been identified. However, it would also eliminate the only readily available description of the methods the NRC staff considers acceptable for demonstrating the compliance of programmable digital computer systems in safety-related systems of nuclear power plants with 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," and 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."
Although this alternative would be less costly than the proposed recommended alternative, it would impede the public's ability to access the most current regulatory guidance.
Alternative 3: Revise RG 1.152
Under this alternative, the NRC would revise RG 1.152. This revision would incorporate the latest information in a) functional reliability, design quality, and SDOEs for the use of programmable digital devices in the safety-related systems of nuclear power plants, b) supporting guidance, and c) review practices. By revising RG 1.152, the NRC would ensure that the RG guidance available in this area is current and accurately reflects the staff's position.
The impact to the NRC would be the costs associated with preparing and issuing the revision to RG 1.152. The impact to the public would be the voluntary costs associated with reviewing and providing comments to the NRC during the public comment period. The value to NRC staff and applicants would be the benefits associated with enhanced efficiency and effectiveness from using a common guidance document as the technical basis for license applications and other interactions between the NRC and its regulated entities.
4. Conclusion
Based on this regulatory analysis, the NRC staff concludes that revision of RG 1.152 is warranted. The action will enhance reactor safety by promoting high functional reliability, design quality, and SDOEs for the use of programmable digital devices in the safety-related systems of nuclear power plants. It could also lead to cost savings for the industry, especially with regard to applications for standard plant design certifications and combined licenses.
Revising this RG to endorse portions of a consensus standard is consistent with the NRC policy of evaluating the latest versions of national consensus standards to determine their suitability for endorsement by RGs. This approach also complies with the NRC's Management Directive 6.5, "NRC Participation in the Development and Use of Consensus Standards," dated December 20, 2011 (ADAMS Accession No. ML100600460). This is in accordance with the National Technology Transfer and Advancement Act of 1995, 15 U.S.C. § 3701 et seq. (1996) (Public Law 104-113).