ML22329A171
| Person / Time | |
|---|---|
| Issue date: | 11/17/2022 |
| From: | Christina Antonescu, Advisory Committee on Reactor Safeguards |
| To: | |
| References: | NRC-2172 |
| Download: | ML22329A171 (1) |
Official Transcript of Proceedings
NUCLEAR REGULATORY COMMISSION

Title: Advisory Committee on Reactor Safeguards Digital Instrumentation and Control
Docket Number: (n/a)
Location: teleconference
Date: Thursday, November 17, 2022
Work Order No.: NRC-2172
Pages 1-166

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1716 14th Street, N.W.
Washington, D.C. 20009
(202) 234-4433

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS, 1323 RHODE ISLAND AVE., N.W., WASHINGTON, D.C. 20005-3701, (202) 234-4433, www.nealrgross.com
DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
(ACRS)
+ + + + +
DIGITAL INSTRUMENTATION AND CONTROL SUBCOMMITTEE
+ + + + +
THURSDAY
NOVEMBER 17, 2022
+ + + + +

The Subcommittee met via hybrid in-person and Video Teleconference, at 8:30 a.m. EST, Charles Brown, Jr., Chairman, presiding.

COMMITTEE MEMBERS:
CHARLES H. BROWN, JR., Chair
RONALD G. BALLINGER, Member
VICKI BIER, Member
VESNA DIMITRIJEVIC, Member
GREGORY HALNON, Member
WALT KIRCHNER, Member
JOSE MARCH-LEUBA, Member
DAVID PETTI, Member
JOY L. REMPE, Member
MATTHEW SUNSERI, Member

ACRS CONSULTANTS:
DENNIS BLEY
MYRON HECHT

DESIGNATED FEDERAL OFFICIAL:

ALSO PRESENT:
ERIC BENNER, NRR
SAMIR DARBALI, NRR
MIKE EUDY, RES
GREG GALLETTI, NRR
KIM LAWSON-JENKINS, NSIR
KHOI NGUYEN, NRR
RICHARD STATTEL, NRR
DINESH TANEJA, NRR
CONTENTS

Call to Order .......... 4
Opening Remarks by Chairman ..........
Introductory Remarks .......... 6
Purpose, Scope, and Regulatory Basis of DG-1374 (Proposed Rev 4 of RG 1.152) .......... 8
Public Comments .......... 157
Status and Next Steps for Completion of Proposed Rev 4 of RG 1.152 .......... 160
Adjourn
PROCEEDINGS
8:37 a.m.

CHAIR BROWN: Good morning, everyone.

This is a meeting of the Digital Instrumentation and Control Subcommittee. We are operating in person and virtually. The meeting will now come to order.

I'm Charles Brown, Chairman of the Subcommittee meeting. ACRS members in attendance are Matt Sunseri, Jose March-Leuba, Vesna Dimitrijevic, Ron Ballinger, Dave Petti, Walt Kirchner, Vicki Bier, Greg Halnon, and our Consultants Myron Hecht and Dennis Bley. Christina Antonescu of the ACRS staff is the Designated Federal Official for this meeting.

The purpose of this meeting is for the staff to brief the Subcommittee on Draft Guide 1374, proposed Revision 4 to Reg Guide 1.152, "Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants."

The ACRS was established by statute and is governed by the Federal Advisory Committee Act, FACA. That means the Committee can only speak through its published letter reports. We hold meetings to gather information to support our deliberations.

Interested parties who wish to provide comments can contact our office requesting time. That said, we've set aside 15 minutes for comments from members of the public attending or listening to our meeting. Written comments are also welcomed.

And the meeting agenda for today's meeting was published on the NRC's public meeting notice website, as well as the ACRS meeting website.

On the agenda for this meeting and on the ACRS meeting website are instructions as to how the public may participate. No request for making a statement to the Subcommittee has been received from the public.

Due to COVID-19, we are conducting today's meeting as a hybrid meeting.

A transcript of the meeting is being kept and will be made available on our website. Therefore, we request that participants in this meeting should first identify themselves and speak with sufficient clarity and volume, so that they can be readily heard.

All presenters please pause from time to time to allow members to ask questions. Please, also, indicate the slide number you are on when moving to the next slide.

We have the MS Teams phone line, audio-only, established for the public to listen to the meeting.

Based on our experience from previous virtual and hybrid meetings, I would like to remind speakers to speak slowly.

We will take a short break after each presentation to allow time for screen-sharing, as well as at the Chairman's discretion during longer meetings. There's only one presentation today, correct? Okay.

Lastly, please do not use any virtual meeting features to conduct sidebar technical conversations, but rather contact the DFO, who is also connected, if you have any technical questions, so we can bring those to the floor. And the DFO, I'll repeat again, is Christina Antonescu of the Nuclear Regulatory Commission Advisory Committee staff.

We will now proceed with the meeting, and I guess Mr. Khoi Nguyen is going to be making the presentations. And he can share his screen, and it's obviously being shared. And Eric Benner will make some introductory remarks before we begin today's presentation.

Eric?
MR. BENNER: Thank you, Member Brown.

As you indicate, I'm Eric Benner. I'm the Director of the Division of Engineering and External Hazards in NRR, who has programmatic responsibility for this technical area.

I won't repeat much of what the Chair said. This is a collaboration between Research, our Office of Research, and NRR to update this Reg Guide. We continually look to endorse updated versions of standards to help us in conducting our work.

We also work extensively with standards-developing organizations for those areas where we feel the standard has a gap in it. We put what we call either a condition and clarification, so that it's complete for us when doing our reviews and groups of those standards-developing organizations, when we have those disconnects, to see if those issues can get resolved and incorporated into the standards.

So, I'm happy to report we have some of that, some of both of those things in today's presentation; that this is a newer version of a standard we had previously endorsed and we were able to remove some conditions from the Reg Guide because of our effective coordination with the standards-developing organizations.

So, not to take too much thunder away from the main presenter, I will turn it over to Khoi Nguyen.
MR. NGUYEN: Thanks, Eric.

Good morning. My name is Khoi Nguyen, Electrical Engineer from the Electrical Engineering Branch, from the Division of Engineering and External Hazards in NRR.

I'm here to present Draft Guide 1374, the proposed Revision 4 of Regulatory Guide 1.152, "Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants."

Next slide, please.

Today, you can see on the screen that we go over the introduction; the scope of the Reg Guide 1.152; the Reg Guide applicability background; the purpose of the Reg Guide revision; regulatory basis; proposed changes, and finally, a summary.

Next slide, on slide 3, please. I'm sorry, it's slide 4.

I will start the introduction with the current revision, Revision 3 of the Reg Guide, which endorsed IEEE Standard 7-4.3.2, 2003 version, the "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations."

The current revision of this Reg Guide includes the "Secure Development and Operational Environment, or SDOE, Guidance for Digital Computers in the Safety Systems of the Nuclear Power Plants."

Next slide, please.

The proposed Revision 4 of Reg Guide 1.152 will endorse IEEE Standard 7-4.3.2, Revision 2016, "IEEE Standard Criteria for Programmable Digital Devices in Safety-Related Systems of the Nuclear Power Generation," with exceptions and clarifications.

The revision also includes the "Secure Development and Operational Environment Guidance for Digital Computers in the Safety Systems of Nuclear Power Plants."
MEMBER HALNON: Khoi, this is Greg Halnon. Just a quick question.

Several places I read that this is all being revised to keep up with the present digital technology, but we're endorsing a guide that's almost seven years old at this point. That IEEE standard, is that purely 2016 technology, not 2022 technology?
MR. NGUYEN: As we understand, that IEEE is in the process of updating the revision 2016 of the standard. And we have the staff in this room, actually, that is a working group that is responsible for revising the standard, and I consult with these staff. We are confident that there's not much changes from the 2016 version to the next version. So, we are confident, by endorsing this standard, we have the latest, you know, information.
MEMBER HALNON: Will it take another six years to endorse the next IEEE revision, or is it just lagging for other reasons?

MR. NGUYEN: Actually, normally, we have a 10-year cycle.

MEMBER HALNON: A 10-year cycle?

MR. NGUYEN: Yes. So, 2026, or maybe 2027, the next revision --

MEMBER HALNON: So, the window will be a little tighter?

MR. NGUYEN: A little bit tighter, yes.

MEMBER HALNON: Thanks.
MR. BENNER: This is Eric Benner.

I would add that you're all aware that, in the middle of the past decade, we had some significant interactions with the Commission where we got some redirects on how the staff should be looking at digital I&C. So, we really focused on the high-profile issues that the Commission had raised to us.

But, as part of that activity, we had what we called strategic long-term modernization. And in that task, we talked about, hey, how are we going to revisit what people affectionately, or not affectionately, called "the spaghetti chart of guidance." So, that's sort of clean up the Reg Guides; how the Reg Guides fit together; how our internal guidance fits together. So, we're finally starting to get that cleanup activity.

So, I would hope that in the future, if we're able to manage our infrastructure in what I call a more routine fashion, that we would significantly shorten the time to keep the guidance in line with more modern standards.

MEMBER HALNON: Thank you.
MR. NGUYEN: So, for the purpose of this presentation, I will use the term "7-4.3.2" for short for the IEEE standard and, also, "SDOE" for the Secure Development and Operational Environment.

So, continue on slide 8.

The proposed Revision 4 of Reg Guide 1.152 also implements the Commission directions, which were informed by the EDO letters to Commission, dated July 14, 2021.

Next slide, please.

The scope of Reg Guide 1.152 is with regard to -- the proposed revision of Reg Guide 1.152 scope is to remain unchanged, which endorsed 7-4.3.2 as an acceptable approach to meet the regulatory requirements for promoting, first of all, reliability, design quality, and SDOE for the use of programmable digital devices in the safety-related systems of nuclear power generating stations.

Next slide, please.
MR. BENNER: I see a hand up. Walt?

MEMBER KIRCHNER: Yes, good morning. This is Walt Kirchner.

Could you spend a little more time on SDOE? And in particular, I'm interested to know about access control in an operational environment and how the guide provides for protecting the integrity of the device and its software.

MR. NGUYEN: Let me --

MEMBER KIRCHNER: The concern is cyber security, among others, since these are devices that would be used in a safety-related system.

MR. NGUYEN: Okay. Let me make sure I understand your question right. You want to make sure the guidance in IEEE standard, whether it covers the cyber security guidance on control of access?

MEMBER KIRCHNER: Well, no. What I want to -- not quite. Both in the secure development and the operational environment, how do you protect the integrity of the device and its software against intrusion, malware, whatever? What guidelines are there for a device that is deployed to support a safety-related function?

Could you, just for the record, say what this actually means? It's an acronym. We skip over it quickly in presentations, but could you explain for the record what does "SDOE" mean in terms of expectations for a digital device used in a safety-related system?

MR. NGUYEN: I would like to ask Samir Darbali to answer the question because he's the one who is directly working on the guidance of the SDOE.

MR. DARBALI: Thank you, Khoi.

Good morning. My name is Samir Darbali.
CHAIR BROWN: Samir, this is Charlie Brown.

MR. DARBALI: Yes?

CHAIR BROWN: I wanted to clarify, not clarify, but just -- Walt, to make it clear, the SDOE is the environment within the vendor's plant. So, control of access is an issue once you get out into the operational world where you've got equipment installed and it's operating. Is that the vision you're thinking about and the separation you're referring to?

MEMBER KIRCHNER: Well, both. No, both, actually, yes.

CHAIR BROWN: Okay, I understand that. I just wanted to make sure that the SDOE is not something -- that's something you build into it when you're designing it to make sure it's safe, comes out right, supposedly, and all that. You've asked that question.

MEMBER KIRCHNER: Yes.

CHAIR BROWN: You also are talking about the operational environment. I just wanted to make sure we separated the two things into two pieces.

MEMBER KIRCHNER: Yes. No. Thanks, Charlie. Yes, that clarifies it better.

CHAIR BROWN: That was it.

MR. DARBALI: Okay.

CHAIR BROWN: I just wanted to make sure we were on the right track.
MR. DARBALI: Thank you.

Again, my name is Samir Darbali, NRR/DEX.

So, a secure development and operational environment covers both the vendor side and the operations side. And it's somewhat related to cyber security. The nature of cyber security is that it's focused on security and Part 73. Secure development and operational environment is focused on safety and reliability, and it's on Part 50.

The secure development side is at the vendor's side, and it's those controls that the vendor has on their development environment, whether it's the use of firewalls by the computers that are used to develop the system and create the code, that they're not connected to the internet; that the software that they're using to develop the system, it's secure. And it does have some overlaps with formal cyber security.

The secure operational side includes activities done by the vendor and by the licensee.

So, activities that the vendor does for a secure operational environment include: does the system allow for remote access? Does it have open physical ports? Is there code in the software that is not defined or that it provides functionality that's not desired?

So, the vendor, based on the requirements provided by the licensee, will ensure that the system doesn't allow access, does not intend it, during operations.

The licensee, on their part, ensures the secure operational environment by making sure that the hardware is secure. So, the hardware is going to be in a cabinet; that cabinet is going to be locked. Typically, you'll see that those cabinet doors have alarms. So, when somebody opens them, the operators know somebody's working on channel alpha or channel bravo.

Sometimes, also, some of those features include if there's going to be a change made to software, whether it is to make a change to a constant or a set point or a change to firmware, you have to in some cases use a key switch. So, that key is going to be controlled by the control room operators. Also, when you turn the key switch, operators would get an alert somebody's working on this cabinet.

So, those are layers of defense that are incorporated to ensure that nobody is making changes to the system that they're not supposed to. Again, this is somewhat different from cyber security perspective which has some overlapping, but separate requirements.

Hopefully, that made it clearer.

MR. NGUYEN: Thanks, Samir.
MEMBER MARCH-LEUBA: To follow up on that line of thought, it's good to have a secure development environment working close. But if you have been following developments in this area in the last couple of years, one has to become very familiar with the supply-side vulnerabilities.

MR. DARBALI: Right.

MEMBER MARCH-LEUBA: But more insidious are others which are really supply side, but you're young enough to know how programming is then. You don't program everything; you just go out there to the "GitHubs" and get yourself libraries. And some of those libraries are used very widely. Log4j is the most famous one that has happened recently that a Java student wrote in 1990. Theoretically, he left it needing rehab. And everybody and their mother uses it and nobody maintains it.

And it had a very serious flaw that I think that every single website in the world -- I mean, just because you use an open-source library, is there any guidance in the guide to warn you that just having a lock and key on the cabinet is not good enough?

Is there anything that you use in your software? Because you know the software. You actually program 10 percent of the lines of code, at most. How do you verify the other 90 percent?
MR. DARBALI: So, there's guidance on the use of pre-developed software or commercial off-the-shelf software to ensure that it doesn't contain any unintended code. But, again, this is from a safety reliability side; whereas, Reg Guide 5.71 covers the guidance on the supply chain for ensuring that secure supply chain.

MEMBER MARCH-LEUBA: Yes, but every single website in the world developed by the smartest people out there, IT techs, people that work on protecting and writing malware detection software had the log4j. That's L-O-G No. 4j. Everybody uses that guidance student library to create logs.

MR. DARBALI: Right.

MEMBER MARCH-LEUBA: So, I mean, there has to be some warning for use of that. You have to state in the documents (audio interference) --
MEMBER BIER: I would note, similar to what Jose commented, that for many, many years, and probably still, there was like a flawed random number generator that was randomly used in lots of Monte Carlo analysis. And it was well-known to be flawed, but if you weren't an expert, you just went and grabbed it and it looked good, so there you go.

MEMBER MARCH-LEUBA: I, myself, discovered a flaw in Excel; it was actually log base 10 in Excel 1.0, and I reported it to Microsoft. I mean, things happen.

MS. ANTONESCU: Chairman Brown, there are two people --

MEMBER MARCH-LEUBA: There are some hands up.

MS. ANTONESCU: Hands, yes, both Dinesh and, also, Kim. Just call on them.

CHAIR BROWN: Yes, it says I'm plus 30. How do I know who to call on?

MEMBER MARCH-LEUBA: Well, Dennis was also --

MS. ANTONESCU: Well, Dinesh was first, then Kim, and then, Dennis Bley also.

CHAIR BROWN: Okay. Dinesh, since you were up first, do you want to comment?
MR. TANEJA: Yes. Good morning, everyone. This is Dinesh Taneja.

So, I just wanted to give our recent experience. I know that the Committee has heard that we audited the SHINE, you know, program logic development life cycle activities recently.

So, what we observed when it came to the secure development environment, that the vendor actually had a pretty tight, secure environment where they are doing the development activities. This is just saying that, you know, they were taking all the necessary steps to ensure the purity and the sanity of the work that they were developing has no infections of any type.

And they were building in features such as, you know, access during the operation is limited to only the authorized personnel by putting in password protections and different checks and balances. So, to even access any of these parameters for any kind of modification or set point changes required some necessary steps and procedures on the part of the operating staff.

So, that secure development environment was pretty tight; at least, that's what we observed at this specific one vendor that was doing the work.

And to Jose's point about the acquired software, so there is a requirement that we have -- I think there is a Reg Guide we have on commercial rededication of all the acquired software. So, they are actually following that guidance on dedicating all the acquired software and taking it through the necessary due diligence of our regulatory requirements of assuring that they actually do, you know, the criticality analysis and checking everything before they use any of these off-the-shelf items or, you know, otherwise acquired software. So, we do have a regulatory framework in place to address all these concerns.

Also, I think Greg Galletti probably can add more to it in that area, because he is our Vendor Branch expert in this area. And I think he's online also.

I just wanted to share that. Thank you.

CHAIR BROWN: Thank you, Dinesh.
Before I go on to the next hand, correct me if I don't state this correctly: SDOE is not in the Reg Guide and it's often 7-4.3.2, is that correct? I mean, and it looks like it's about the same as it was in the previous version 7 -- I'm trying to connect the dots here a little bit. There hasn't been a whole lot of changes in that over the last -- was that the way it's been applied; you all have been using that for a while?
MR. NGUYEN: You are correct, Member Brown. The 2016 version 7-4.3.2 incorporated the SDOE guidance in --

CHAIR BROWN: It was in Rev 3, correct?

MR. NGUYEN: In Rev 3, yes.

CHAIR BROWN: Yes. Okay. You all moved all that over. I mapped that over and it looked like you kind of just moved it --

MR. NGUYEN: Yes.

CHAIR BROWN: -- for the most part.

MR. NGUYEN: Yes. And we examined to see if the standard incorporated all of the principal guidance and the important stuff from the Reg Guide and Standard, and we confirmed that.

CHAIR BROWN: Okay. I don't know whether that answers anybody else's questions. I just wanted to make it clear that those particular guidances that's been out there has been out and it's utilized. And that's largely a facility-type operation as opposed to what we do when -- we obviously have to have some little piece of that when you're operating, but you're not developing code at the vendors -- I mean at the plant operators' location for the most part.

There were two more hands up, you said? Kim?
MS. LAWSON-JENKINS: Thank you, Member Brown. I have a few very brief comments.

My name is Kim Lawson-Jenkins. I'm with the Cyber Security Branch at the Nuclear Regulatory Commission.

There's one of the requirements in every licensee cyber security plan, when they receive software from a vendor, to verify that the vendor has acknowledged that there are known vulnerabilities in their software, or if there are, that they have provided mitigations for those.

So, some of the examples that were mentioned are very valid. They think there may be vulnerabilities that are there that haven't been exploited at that point, that later on have been, will become exploitable because people have gotten more sophisticated and smarter and figured out a way to attack the system. And at that point, if the device is operational in a system, the vendor contacts the licensees to let them know about this vulnerability, or they receive this information from a government agency such as CISA, and then, the licensee will take actions on it.

But there are, as was mentioned, vulnerabilities that exist today that may not have been exploited. So, those will have to be addressed.

Also, in the cyber security plans that are currently being used, it is possible to do vulnerability scans, but because of the safety-related devices, the guidance gives examples where you can do this not when the system is operational, but before.

For example, a device becomes operational. They've received a new device. They can run scans which can verify whether there's something like Log4j or some software that is in there. And then, like I said, they can verify with the vendors that these, any known vulnerabilities found, have been addressed. And also, during system outages, they could run vulnerability scans.

And like I said, basically, the area that we're talking about now for secure development and operational environments, they have to do with supply chain. And it's very important because that's one of those attack vectors that we really feel that, going forward, we have to watch very carefully. And that's covered, as I say, quite well in the cyber security plans.

So, if you have any other questions, we can definitely discuss those. But --

CHAIR BROWN: I'll have some other questions later.

MS. LAWSON-JENKINS: Okay.
CHAIR BROWN: But I want to close this out and make it clear that, when the software is brought in -- say a vendor revises a software because he discovered something, and the applicant says, okay, we'll do that. They bring it in. They don't install it, and then, scan it. They scan that software before it gets installed. That's my understanding of the way the system -- based on the guidance you've got in here, they do all that. That's the smart thing to do.

So, I wanted to make sure that was clear in everybody else's mind before we go on.

MEMBER MARCH-LEUBA: Yes. With the goal in mind, I think we have been just fine, right?

CHAIR BROWN: We've got all day.
11 MEMBER MARCH-LEUBA: Yes. The problem is, 12 there is a false sense of security. Because a cyber 13 security plan exists, you say, "Aha, I'm covered."
14 You cannot tell me that Google doesn't know about 15 cyber security. This year, there have been seven CLA 16 updates to Chrome -- seven. I can't even count how 17 many Windows updates have been with similar internet 18 navigators. And there are many more in series 1 that 19 have not been found yet.
20 So, using a scan for the vulnerabilities 21 for 2021 doesn't do you any good because there are new 22 ones. You have to assume you have been penetrated and 23 do something to protect you against it.
24 What the IT guys here in our building are 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
26 doing, there's one guy already in a room monitoring 1
all the traffic on the web, making sure that nobody is 2
sending an evil viral vector where they're not 3
supposed to -- and assuming we've been penetrated.
And I'm warning about false sense of security that having a plan gives you, because having a plan is good for the 2021 vulnerabilities, or some of those plans are 2008. There are new ones every day. And so, the best thing to do is to have a good architecture that segregates things as best as possible, single trust, and assume you're going to fail.
And when we're talking about this with cyber security plans, the other concern I have, which is a very serious concern, is that we concentrate exclusively in critical digital assets and ignore or kind of leave it to the student to work out with the rest of the components. And specific examples are the famous casino that got penetrated because somebody got into their aquarium.
God knows how many of you have an IoT device at home -- a thermostat, a smart TV, a router. How many of those are out already? I mean, you have those already inside your house and you don't know it.
The average time for a big company to find out it has been penetrated is nine months. By the time the payload is deployed and you know you've been attacked, the bad guys have been inside your network for nine months.
MR. BLEY: They're already there.
MEMBER MARCH-LEUBA: Yes, I mean, be scared. Be very scared. That's all I can say.
And this sense of security that we did an audit and everything looked good, I guarantee you it wasn't. And next year, you'll find out why. I don't know why. They don't know why; nobody does. But I guarantee you there are faults.
Thank you.
CHAIR BROWN: That's why I still have a mercury thermostat.
MS. ANTONESCU: Dennis Bley raised his hand, Member Brown.
CHAIR BROWN: Yes, I'm just about to go to him, when I finish saying something.
Dennis, are you still there?
MR. BLEY: Yes, Charlie, I'm still here.
CHAIR BROWN: Is your hand still up?
MR. BLEY: Yes. Let's see if I can remember what I was going to say.
(Laughter.)
Two things right now. One is a comment; one is a question.
The comment goes back to Eric's discussion about the spaghetti of guidance. "Spaghetti" is a nice word; I can think of others. We've had BTPs and ISGs. We also point to standards which you need to do. I think what we would like is to see all of this eventually be in NUREGs and Reg Guides, so you're looking in one place to find it all.
One day, if the staff could give us a kind of summary of how they're actually trying to clear up this rats' nest of spaghetti, that would be very helpful for me anyway. Dinesh brought up the dedication of commercial equipment, which now ties into these other things. So, understanding how we're going to try to clarify all that would be really nice.
Now, in the Draft Reg Guide -- and I was on the previous slide -- you point to IEEE Section 5.6 and 5.9 -- 5.6 on independence; 5.9 on control of access to be of primary importance in protecting these systems. I didn't go back to look at the previous version of the Reg Guide. Were there any substantial changes in the Reg Guide? And actually, I mean substantial changes in the IEEE guidance in their Sections 5.6 and 5.9. Or is this pretty much what we've had before?
And that's for Khoi -- if he remembers he was giving the presentation.
(Laughter.)
MR. NGUYEN: Yes, 5.6, yes, there's a substantial change in Clause 5.6 and 5.9. And I call that later on slide 11. Can you hold on that?
MR. BLEY: Yes.
MR. NGUYEN: Can you hold the question?
MR. BLEY: I certainly can. I just didn't want it to get by until I knew you were going to talk about it. But thank you.
MR. NGUYEN: We will. Yes, I will, yes.
MR. BLEY: All right.
CHAIR BROWN: But the differences between 7-4.3.2 -- the previous one is 2003.
MR. BLEY: Yes, I'm really looking for the staff on this.
CHAIR BROWN: No, I'm just saying there were two different IEEE standards. The older one was 2003 and the new one is 2016. So, I think they're going to walk through some of the changes or differences between them on a later slide. That's all I was trying to make sure; that they've got that in the slide pack.
MR. NGUYEN: Yes, I will go over the major changes in Revision 2016, 7-4.3.2, comparing with the 2003 version. And for each change, I will explain what we reveal and how it is acceptable.
MR. BENNER: And this is Eric Benner again.
I think it's going to be illustrative, when we get there, of the migration. Because, as Member Brown said, the guidance hasn't changed significantly, but how it's packaged is. So, in previous versions of the standard, the NRC staff felt that there was more guidance that was necessary.
So, we put that in the surrounding guidance documents, whether it was the previous Reg Guide, whether it was from previous ISGs. But, as we work with the working group, the IEEE Working Group, we get them to ideally adopt what we think is the appropriate guidance, such that our endorsement of that guidance is a lot cleaner.
And as Khoi said, as we get into that section of the presentation, he'll have some more discrete mapping of how there was guidance in other NRC guidance documents that has now migrated into the underlying IEEE standard, such that we can just endorse that.
CHAIR BROWN: Did that answer the question for you, Dennis?
MR. BLEY: I'm waiting for the information coming later, Charlie.
CHAIR BROWN: Okay. All right. I just wanted to make sure we were on track to go on.
MR. NGUYEN: So, for slide 7, Reg Guide 1.152 is applicable to the applicant's and licensee's attention to 10 CFR Part 50 and Part 52.
During the development of the Draft Guide, the staff received the inquiry from many organizations whether this Reg Guide is applicable to Part 53. And the staff has concluded that, since Part 53 is currently under development, therefore, staff is unable to determine on the applicability of Part 53 to this Reg Guide.
Any question on this?
MEMBER HALNON: Yes. Khoi, I know that, I mean, you can't make something applicable to a regulation that's not in place yet. But why wouldn't it be able to be used for the advanced new reactor stuff? Is there something in here that is antiquated to where the new stuff can't be applicable? I mean, will it be applicable without much to-do? I guess is the question.
MR. BENNER: I think I'll answer that.
This is Eric Benner.
I would say, generically, that once the NRC has approved a method for use, that we'd be hard-pressed to say someone couldn't use that method. And that's happened for a number of these standards. These standards are all for power reactors, but when other types of licensees, say a fuel cycle facility, wants to use this, then we've kind of set the standard that is acceptable.
So, for us, we have to look at it the other way of -- and some of our applicants look at it the other way of -- is it necessary? And that's really where we're only going to go so far when we talk about Part 53. It's because, depending on the approaches that are adopted in Part 53, some of the things in the Standard or Reg Guide may or may not be necessary. But I feel pretty comfortable saying that, once the staff has determined that it's acceptable for meeting the technical requirements and regulations, that we're not going to pull that back for any class of licensee.
MEMBER HALNON: So, we're looking at administratively, and possibly some slight modifications in new technology and other things that --
MR. BENNER: Right, right.
MEMBER HALNON: -- might be more applicable? Yes, 53 may not be out for what, a couple of years --
MR. BENNER: Right.
MEMBER HALNON: -- at best. So, okay. I just wanted to make sure there were no showstoppers there that you saw.
MR. BENNER: No. We certainly, like I said, we find this technically acceptable. So, if a licensee came in under Part 53 and wanted to adhere to all of the attributes of this Reg Guide, we'd be hard-pressed to make any sort of, you know, technical or regulatory argument as to why that wouldn't be acceptable.
MEMBER HALNON: Got it. Thanks, Eric.
CHAIR BROWN: Relative to Greg's question, what Parts some of these clarifications are applicable to, and I don't want you to go into -- we can cover this later. I'm just making you aware because he brought it up.
In one of your clarifications, you stated that licensees or applicants are going to use a particular Reg Guide in preparing a certification under 10 CFR 52. Why not Part 50, which is already in place for people making changes?
MR. BENNER: Why? We can look at the language in --
CHAIR BROWN: I'm just telling you that it's in Section 3.
MR. BENNER: Yes.
CHAIR BROWN: It's 3.3 in the Reg Guide.
MR. BENNER: Yes, and that --
CHAIR BROWN: You only said Part 52, but --
MR. BENNER: Okay. Well, maybe for certifications, because there are no certifications in Part 50. But we can look at the particular language.
CHAIR BROWN: Could somebody come in with a certification under Part 50 --
MR. BENNER: No.
CHAIR BROWN: -- if they wanted to?
MR. BENNER: No.
CHAIR BROWN: They can't now?
MR. BENNER: No, they cannot. They never could.
CHAIR BROWN: That's our answer then.
Thank you.
MR. BENNER: They never could. Right. In Part 50, there are Construction Permits and Operating Licenses.
CHAIR BROWN: And that's it?
MR. BENNER: And that's it.
CHAIR BROWN: Okay.
MR. BENNER: In Part 52, you have design certifications --
CHAIR BROWN: Okay.
MR. BENNER: -- and combined licenses.
CHAIR BROWN: Okay.
MR. BENNER: So, yes, I mean, we can look at the language to make sure we're good. It's good for all.
CHAIR BROWN: No, I'm glad you brought it up --
MR. BENNER: Okay.
CHAIR BROWN: -- because it's an issue.
All right. Thank you.
MR. NGUYEN: Any question on this slide?
CHAIR BROWN: Just one overall question.
I've got to find my right piece of paper, so I can say it right.
In the new Reg Guide, Rev 4, in your page 4 discussion, you endorse 7-4.3.2-2016. And in that paragraph, you state that the rule is still 603-1991. That's where the rule is, 10 CFR 50.55a(h). But the references to IEEE X throughout it are to IEEE 603-2009. And that was a little bit -- I mean, if something in 2009 conflicts with 1991, what rules?
There's no clarification of -- 2009 is not in the rule anywhere. And if something in there conflicts with the 1991 version, there's no clarification that, hey, fine, we have no problem with 2009 because that's been there before. So, it was another date before; 2003 or 2004, or some other date was the previous IEEE standard. But that conflict was not identified as who would rule under those circumstances.
Just something to put in the hopper to think about. That's going to be one of my main points of issue to discuss later.
Go ahead, Khoi.
MR. NGUYEN: Thank you, Member Brown.
That's a good question.
We spent a lot of time discussing this subject and reviewed 2009, the 1991 version, 2003 IEEE, and 2009 version of IEEE, and made sure that there's no conflict like you mentioned. And we found that there's no conflict.
The 2009 cover of specific criteria in IEEE 1991 with some, you know, minor change in language, but not major changes --
CHAIR BROWN: So, there's also some expanded language in some circumstances --
MR. NGUYEN: Right.
CHAIR BROWN: -- when you go from 1991 to the subsequent ones. I didn't have any problem with that. It was just --
MR. NGUYEN: But there is no conflict.
CHAIR BROWN: So, you all have looked at that to make sure --
MR. NGUYEN: Right. And we --
CHAIR BROWN: You were very careful to say 1991 is still in the rule. You were very clear in the Reg Guide.
MR. NGUYEN: And we also worked with OGC and made sure that when we referenced and endorsed this, and the Reg Guide we have paragraph explain that the second reference, like the 2009 version --
CHAIR BROWN: Yes.
MR. NGUYEN: -- and 7-4.3.2 is not what we're endorsing. Like the --
CHAIR BROWN: Well, you're endorsing 7-4.3.2 --
MR. NGUYEN: Right.
CHAIR BROWN: -- which says, See 2009, 603, for information.
MR. NGUYEN: The second reference.
CHAIR BROWN: So, fundamentally, you've endorsed it by reference in a way via the later IEEE --
MR. NGUYEN: Unless we -- we, basically, say that. The second reference in the Standard, the Reg Guide is not endorsing that.
MR. BENNER: Yes, and we run -- this is Eric Benner again. And like Khoi said, we've had a lot of discussion with OGC, our legal counsel, on this because the rule is the 1991 version, 603, is incorporated by reference. So, there is no ambiguity that that is the requirement. Guidance is just a way to meet the rule.
So, it seems maybe unnecessary, but, in reviewing, in endorsing 7-4.3.2, we are endorsing a way that applicants can meet the requirements, which is the 1991 version in the regulation. And like Khoi said, we've done, because of this sort of awkwardness of 7-4.3.2 that aligns itself with a later version of IEEE 603, we did the exercise to make sure there was no conflict there.
We have a separate activity, which I'm sure we will be briefing the Committee on at the right time, of what we're doing about IEEE 603. Because, as you point out, not only is there a 2009 version, there's a more recent version that we've worked extensively with IEEE on, and we're looking for the best avenues for applicants to use that version of the standard, including maybe updating the rule to incorporate the --
CHAIR BROWN: We tried to update the rule about seven years ago --
MR. BENNER: Right.
CHAIR BROWN: -- and the Commission rejected that.
MR. BENNER: Yes, yes. And we, hopefully, have learned lessons from that activity. That is why we'll be engaging stakeholders on what's the right path for 603. And then, whatever plan we come up with, that will be something we'll offer to the Committee for your feedback on.
CHAIR BROWN: Well, I brought it up because, literally, it goes in, in the 2016 version of 7-4.3.2, auxiliary features, multi-unit stations, repair, reliability. In various places, it says, no requirements beyond 2009 are necessary, which kind of says 2009 is -- as long as you can say that the stuff in there doesn't conflict -- I looked back in 1991, and sometimes it was pretty sparse and they just had a sentence, "Be careful," and there's a few more things in 2009. So, I presume that's the case for somebody --
MR. BENNER: Yes, I would say I don't think, as Khoi said, any of it conflicts. So that we have line of sight that, if you meet 7-4.3.2, or you meet a pointer in 7-4.3.2 to 2009 603, in our mind, that does meet the requirement, which is the 1991 version of 603.
CHAIR BROWN: Okay. All right. Thank you.
Any other hands up? No.
Do you want to go on, Khoi?
MR. HECHT: This is Myron Hecht.
CHAIR BROWN: Oh, Myron, go ahead.
MR. HECHT: This is Myron. Yes.
So long as we're on the subject of obsolescent or obsolete references, I just wanted to point out that, on page 2 of the Draft Standard, under "Related Guidance," it makes a reference to SECY-93-087, which is being replaced by a standard coming out in 2022, a Draft SECY. So, you might want to replace -- or let me ask it as a question: should that reference to SECY-93-087 be replaced?
MR. NGUYEN: Yes, thank you for the question. The staff has thought about this subject also and I have been reaching out to OGC on the subject. And we got the reply that, similar to Part 53, the expanded SECY paper is still a work-in-progress. There's no decision, you know, from the Commission what the expanded SECY looks like. So, we cannot reference the paper that is not final yet.
MR. BENNER: Yes, the reference to that is not SECY; it's the Staff Requirements Memorandum for that SECY. So, we do not have a Staff Requirements Memorandum in response to the modern SECY. Though, if we do, if the Commission makes a decision, then that would be an appropriate reference, but, right now, we have no guidance from the Commission. We just have a proposal to the Commission.
MR. BLEY: So, you're tracking that, and before this becomes final, if the SRM becomes final, you can update the reference?
MR. BENNER: Yes.
CHAIR BROWN: There was also feedback from the staff we got, Dennis, that I guess came from OGC, that if the new SECY didn't explicitly address 087, only those parts of 087 that were addressed in the new SECY are new, but anything in the old one still is in play. So, 087 would still have to be covered under this. That's the feedback we got relative to the last, the SECY, the -- what is it? -- 0076, 22-0076 on CCFs?
MR. BENNER: Uh-hum.
CHAIR BROWN: So, that right now is we're waiting. Everybody is waiting for a response from the Commission.
MR. NGUYEN: That's correct.
MR. BLEY: This gets kind of confusing.
MR. HECHT: I just wanted to say --
CHAIR BROWN: Are you still there?
MR. HECHT: Yes. I just wanted to make the point that the new SECY, of course, does allow significant change with respect to CCFs and allowing this risk-based approach to be used for that, for less serious hazards. The diversity requirement would be somewhat relaxed. I'm not sure that has any bearing on 1.152, but it might, and so, particularly for those less hazardous, low-level hazards. So, that's really the question.
MR. BLEY: This stuff gets kind of confusing. I'm curious -- because I don't remember -- are there many places where specific revisions of, I mean versions of standards are called out in the rules?
MR. BENNER: This is Eric Benner.
That section of the rules has -- it is a limited set, and it's, basically, that as we --
(Unrelated comment from unknown participant.)
CHAIR BROWN: Has somebody else got their mic on? Ron? Eric?
MS. ANTONESCU: You're okay now, Member Brown.
CHAIR BROWN: Okay.
MR. BENNER: This is Eric Benner again.
It is a finite set, and if you go to 10 CFR 50.55, it is a very finite set of codes that are truly incorporated by reference into the regulations.
And it's, basically, in this technical domain, it's IEEE 603 and its predecessor, IEEE 279. The big usage of that area is for the various ASME standards that we have mandated for licensees.
So, we endorse a lot of different standards, organization standards, but it is a very small set that are truly incorporated by reference into the regulations.
MR. BLEY: Thanks, Eric. That's what I thought, but it creates problems, you know. Okay.
CHAIR BROWN: Okay, Khoi. Slides back up.
MR. NGUYEN: Okay. Let's move to the next slide, slide 8, please.
So, the 7-4.3.2 was developed in 1982 to provide supplemental guidance on how to meet the requirements in IEEE 2003 when using programmable digital devices in safety systems in nuclear power plants. Since then, the standard has been updated periodically to encompass the evolving technologies and to incorporate the NRC guidance, such as Reg Guide and Interim Staff Guidance. And I will speak of these guidances later.
Any questions on this slide?
(No response.)
On slide 9, the previous edition of standards, 7-4.3.2, on the computer-based digital system, by changing the term "computer" to "programmable digital device," Revision 2016 of 7-4.3.2 expanded the coverage to programmable digital devices and to encompass the technologies of the field-programmable gate array, or FPGA.
The term "programmable digital device" envelopes any device that relies on software instruction or programmable logic to accomplish a function. Examples include computer programmable logic or hardware device, or any device with firmware.
Revision 2010 of IEEE Standard 7-4.3.2 incorporated the data communication independence guidance from Interim Staff Guidance, or ISG-04, for evaluating the communication independence between the redundant portion of the safety system, the non-safety division, and between safety and no safety systems.
I will talk more about the incorporation of the ISG-04 later on in the next few slides.
Any questions on this slide?
(No response.)
The next slide, slide 10.
I will go over the major changes in IEEE Standard 7-4.3.2, 2016 version. The 2016 version of the standard changed the term "computer" to "programmable digital device," as I mentioned earlier.
It also incorporated SDOE guidance from Reg Guide 1.152, Revision 3 and providing the specific criteria on the use of software tools used for digital devices and the development of hardware, software, and firmware, and programmable
It's also revising Annex D, "Identification and Control of Hazards." And more on this will be covered later.
MEMBER HALNON: Khoi, could you elaborate a little bit on the second bullet, "Incorporating the SDOE guidance through Reg Guide Revision 3"?
MR. NGUYEN: Yes.
MEMBER HALNON: It feels kind of incestuous that, you know, you're endorsing a document that uses criteria out of your document. It doesn't make a lot of sense.
MR. NGUYEN: As mentioned, though, by Eric, we are working closely with the IEEE Working Group and encourage them to adopt the NRC guidance, either in the Reg Guide or ISG or BTP. So, we have a clean endorsement.
MEMBER HALNON: Okay. So, then, the Revision 3 information was not in the previous versions of 7-4.3.2?
MR. NGUYEN: No.
MEMBER HALNON: So, that was an exception you all took in Revision --
MR. NGUYEN: Yes. Yes.
MEMBER HALNON: Okay. I didn't go back and look at Rev 3. Thanks. That makes sense.
MR. NGUYEN: Any other question?
(No response.)
We will move to slide 11.
This slide and the next slide will describe the major change in Revision 2016 of 7-4.2.3, comparing with 2003 of the standard. I will go over it one-by-one.
The first one is Clause 5.1. This clause was expanded to include the criteria for the programmable digital devices with respect to the failure of a single device and the spurious actuation. These criteria are consistent with criteria in Section 3.1.5 of ISG-04, and therefore, acceptable.
I will pause here for any questions regarding to changing Clause 5.1.
(No response.)
MR. NGUYEN: Okay. The next one --
CHAIR BROWN: If we hear nothing, take advantage of that.
MR. NGUYEN: All right. Clause 5.3.2 was expanded to identify different software tools. The identification supports the requirement of IEEE Standard 828, the 2005 version, and should be the standard for software configuration management plans, which is endorsed by --
CHAIR BROWN: Which one are you on right now? Which of the little lines?
MR. NGUYEN: The second line, Clause --
CHAIR BROWN: Oh, Clause 5.3.2?
MR. NGUYEN: Yes.
CHAIR BROWN: Oh, okay. All right.
MR. NGUYEN: Yes. So, IEEE Standard 828 was endorsed by Reg Guide 1.169; therefore, configuration management plan for digital computer software used in the safety systems of nuclear power plants.
Clause 5.5.4 was added as a new clause. It was added to incorporate the ISG-04 guidance with regard to communication independence, as I mentioned earlier.
MR. BLEY: Khoi?
MR. NGUYEN: Yes?
MR. BLEY: This is Dennis Bley again.
I see a number of these are incorporating ISG-04 guidance. Is it sufficient that you'll be able to retire ISG-04 after this Reg Guide is final?
MR. NGUYEN: Yes, the staff has that intention. But that will be done under, you know, a different process. We may have to transfer or incorporate the ISG-04 guidance to either the SRP or BTP before we can retire ISG-04. But that's the staff's intention.
MR. BLEY: Okay.
MR. BENNER: Yes, Dennis, this is Eric Benner again.
MR. BLEY: Yes, Eric?
MR. BENNER: That's clearly our intention. Strictly speaking, Reg Guides are guidance to the applicants, and the Standard Review Plan is guidance to staff. But we are, as part of our overall plan, our hope is for any of this interim stuff that's been lying around to make sure it gets populated to both the guidance to industry and the guidance to the staff, and then, sunset it.
MR. BLEY: So, Eric, for the poor guy out in the field who's not been doing this before and is now turning to your guidance, how does that person know not to use certain parts of ISG-04? Do you have a roadmap for them or something? Or is it just up to them to figure it out?
MR. BENNER: We don't have the best roadmap. That is something we've been working with industry on to make it clear how -- that's the term "the spaghetti chart" of how it all fits together. So, that's certainly a communications challenge that we have. I will admit there isn't the best roadmap as to how it all fits together.
MR. BLEY: I hope you can come up with one. We'd be interested in seeing it, but I don't think it's a big, high issue for us. But I do feel sorry for people who haven't been through the process with you as we got to this point.
MR. BENNER: Yes, at a minimum, we can talk about a dedicated discussion. We did have a meeting with industry where we outlined what we thought the appropriate to-be state was, and we got very positive feedback. So, I think the people doing this work kind of know the destination, but, then, awkwardness is to get to that destination there's a bunch of interim waypoints. So, it is going to be somewhat of a challenge for everyone to keep it straight for all those interim waypoints.
MR. BLEY: Okay.
MR. BENNER: Certainly, we can have a discussion. On a minimum, we should just be able to share the presentation materials we used in that workshop with the Committee.
MR. BLEY: Okay. Thanks.
MR. NGUYEN: Then, moving on to change in Clause 5.6, "Independence." Again, this clause was revised to incorporate the ISG-04 guidance, mainly data communication independence.
The next one is --
CHAIR BROWN: No. No, stay right there for a minute.
MR. NGUYEN: Okay.
CHAIR BROWN: I've got this thing open right now. And there's some kind of conflicting statements that I wanted to -- not conflicting -- absence of information.
MR. BLEY: Charlie, can you say the Reg Guide, Charlie, for us to follow you?
CHAIR BROWN: Pardon? Yes, I'm looking at the IEEE Standard 7-4.3.2, Section 5.6, "Independence," which is what he's referring to right now.
MR. BLEY: Okay. I just wanted to make sure where you were. Okay. Thank you.
CHAIR BROWN: Yes, absolutely. I'm sorry about that. I should have been more clear.
The very first sentence says, "In addition to the requirements of 2009, data communication between safety divisions" -- okay? -- "or between safety and non-safety divisions shall not inhibit the performance of the safety function."
Later on, it says, "The safety function of each safety channel shall be protected from adverse influence" -- this is in the third paragraph -- "from outside the division of which that channel is a member. Information outside the division shall not be able to inhibit or delay," whatever.
Then it goes on to say, "This protection shall be implemented within the affected division rather than sources outside the division" -- in other words, in a network farther away; you know where I'm going -- "and shall not itself be affected by any condition or information from outside the affected division," which effectively says our communications going anyplace else can be susceptible to being bypassed.
And yet, we don't ever address unidirectional communications. The word "unidirectional" is not used anywhere in any of these Reg Guides or the IEEE standard.
So, you have a large discussion which we haven't gotten to relative to the cyber security paragraph in the Reg Guide. I'm just saying there are some inconsistencies relative to being clear.
20 And I'll just go ahead and bring this:
21 independence and control of access are virtually hand-22 in-glove when you really get down to it. I'm just 23 making a comparison to our previous standard analog 24 world. Physical security was all we had to worry 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
53 about.
1 And, in fact, if you look at the physical 2
security of a plant, it's multilayered. You've got 3
a fence with guards and guns just to get onto the 4
site. You can't get into the plant without going 5
through more guards and guns. You can't get into the 6
rooms where the I&C equipment is without keys, which 7
you can't get from anyplace but the main control room 8
or designated location with somebody -- you know, that 9
you take it and sign for it and be authorized to do 10 it. And then, on the cabinets, you have locks.
11 In other words, the system itself is its 12 first line of defense and everything else is a layer 13 outside to ensure you don't ever attack that very last 14 part of the fence.
15 Once we introduce computer systems into 16 these, we've now changed the metric. Physical 17 security still exists, but now we keep -- well, you 18 know where I'm going again -- we keep insisting that 19 we can't do design stuff in the system to make it 20 unidirectional, as its first line of defense. And 21 yet, we insist on we'll address it programmatically 22 when we do all the critical digital assets, networks.
23 How does it get in the fence in the first place?
There's not even a part in the Reg Guide or IEEE standard. There's a big paragraph on physical security. There is none on external electronic access security.
There's a big disconnect, which, in my view, is a huge safety gap in terms of how we address this stuff. I'm not saying that the Reg Guide should be a source of cyber security programmatic issues. That's not the point. That would not be the right way to do anything.
But the security of our safety systems should be at least protected in the same manner, and allowance when you're designing it, as we do with the physical security and putting locks on the cabinets.
They come from the vendor that way. It's not like they show up on the site and we weld padlocks onto the doors. It's just that's not the way it's done.
So, that's an inconsistency in terms of how we address that. And that's one of my concerns as to how do we bridge that gap in your -- if I get the right page here. Someplace in this mass of paperwork that you gave me, there's the discussion on -- oh, here it is, control of access in the Reg Guide, where you rightly say the Reg Guide is not intended to address cyber security, fundamentally. You know, that comes under 5.7.1.
But you state it in a manner that is just inconsistent. You say it's not intended to address "protective features, such as communication independence and control of access to prevent malicious cyber attacks." So, I mean, effectively -- but you have a little line at the end which says licensees and applicants should also consider the cyber security guidance in preparing a design certification under Part 52. But nowhere in here do we provide any guidance on what is an acceptable method -- without dictating -- but what's an acceptable method for providing this control of access.
With the watchdog timers, you did that.
You did a good job of importing -- which is the first time I've seen in it any of these documents -- a good discussion on the watchdog timers. And I'm trying to remember whether it's in the Reg Guide or whether it's in the IEEE --
MEMBER HALNON: It's in the Reg Guide. It's in diagnostics.
CHAIR BROWN: Pardon?
MEMBER HALNON: It's in the self-diagnostics section.
CHAIR BROWN: Under "Clarifications"?
MEMBER HALNON: Yes.
CHAIR BROWN: How come I can't find it?
MEMBER HALNON: I'll find it for you.
CHAIR BROWN: I've got it written down here somewhere.
MR. NGUYEN: The watchdog timer paragraph was purposely written for you, Mr. Brown.
CHAIR BROWN: For me? I know. Well, it's not for me.
MEMBER HALNON: It had "Charlie Brown" written all over it.
CHAIR BROWN: It was for the Committee. Nothing gets done without the Committee's agreement.
Where are the words -- did you find which Reg Guide it is?
MEMBER HALNON: I'm looking for it. Yes, I'm looking for it.
CHAIR BROWN: Oh, I found it. Okay. I found it. Never mind.
Section 1, it's Clarification 1.2.1, where you ended the discussion of watchdog timers, which was a good explanation. I wasn't going to contest that at all. But you ended it by saying, "One method the NRC finds acceptable for indicating" -- and you talk about other methods of doing -- you say they can do various methods. You don't dictate it. Obviously, anybody that uses a software timer in another little package of new software, that's got to be, why would you do that? It's kind of mindless. It's more software that you have to deal with.
But here, you say, "One method the staff agrees acceptable would be implementing a watchdog timer to use a hardware-based device to perform WDT counter reset timeout and failsafe functions." An acceptable method, you left that out of the control of access. The words were nice at the licensee, but it would have been -- I probably wouldn't be having this conversation if you had said, "A method that the staff considers acceptable would be the use of unidirectional, one-way, not configured, fast software communication devices for communications external to the safety systems."
And I don't mean just RPS. I mean, in reality, when you think about safety systems -- take your reactivity control system, for instance. You really don't want to have bidirectional communication.
You want a guy to turn a switch and the rods go in or they go out. You want to send data back to the main control room to say, hey, this happened or this didn't happen, because it may have -- it probably has got software in the control system now, and you want to know what it's doing. But that ought to be unidirectional.
Under "Safety systems," those are not safety systems per se, I don't think. They're -- I don't know, how is, Greg, the reactivity control system referred to? Are they safety-related or are they --
MEMBER HALNON: Yes.
CHAIR BROWN: -- non-safety?
MEMBER HALNON: No, any reactivity control would be safety-related.
CHAIR BROWN: Well, in here, they talk about self-diagnostics for safety-related DI&C systems. To me, that applies to safety systems and things like rod control or other safeguard controls, you've got to assume.
MEMBER HALNON: Charlie, I want to make sure I'm clear on where you're going. This is Greg.
CHAIR BROWN: Okay, go ahead.
MEMBER HALNON: We started in independence --
CHAIR BROWN: Yes.
MEMBER HALNON: -- and we transferred over to controlled access, and then, went back to self-diagnostics. Can you, in a sentence or two, describe to me what -- I understand the relationship where it says independence, you want it, you know, low propagation of failure from safety to non-safety. And I think that's where you get to the communication piece, and you jumped to controlled access.
CHAIR BROWN: There are two separate pieces.
MEMBER HALNON: Okay.
CHAIR BROWN: And, one, I was saying the self-diagnostics and use of watchdog timers is in one section, and it provides guidance on what the staff would consider acceptable.
Now, we're out of that.
MEMBER HALNON: Okay.
CHAIR BROWN: Now, we go over to independence and control --
MEMBER HALNON: It's in controlled access they jump to 5.7.1, which, to me, is pretty comprehensive. It may be almost too comprehensive --
CHAIR BROWN: Well, it is.
MEMBER HALNON: -- to figure out where you need to go. But the basic, fundamental principles of 5.7.1 are, to me, as applied to the control of access, which would bleed over into the independence automatically because of the way you have to design the control of access, which is -- or the cyber aspect of it.
So, I --
CHAIR BROWN: Go ahead.
MEMBER HALNON: What I'm trying to figure out, what is the deficiency in the Reg that you're talking about?
CHAIR BROWN: In the past prior to your arrival, we have frequently had many discussions in design applications, because there was not -- in fact, going back to 2009 and 2010, there was not -- they were bidirectional communications in the things. And we wrote our letters to say, no, they need to be unidirectional, hardware-based, et cetera.
The response back was: can't deal with that because that's covered programmatically under the application 7.5.1, which you do five or six years later. So, we'll come back and redesign the system because we identified that they don't have unidirectional. That's been going on now for years.
Now, it so happens that the applicants have figured out pretty quickly that they probably weren't going to get the Betty Crocker Good Housekeeping Stamp of Approval from the Committee without having unidirectional, one-way, hardware-based, and that's what they've done.
My point is, we can't dictate; we can't be prescriptive. And I was trying to make a comparison with the watchdog timer. We weren't prescriptive, but we said there's a method acceptable which is what we would like to see. It's not contained in the same place, similar place, under the control of access.
MEMBER HALNON: Okay.
CHAIR BROWN: So, that's how I was bouncing around, but not --
MEMBER HALNON: In your mind, you were succinct.
CHAIR BROWN: I was very clear. Well, it's a problem with my letters, as you all keep trying to tell me.
(Laughter.)
No, I accept that.
MEMBER HALNON: Okay. Got it.
CHAIR BROWN: Okay. Did I clear that up?
We've gotten here much earlier than I thought we would have gotten here. I wasn't --
MR. BENNER: Well, that's a first in the discussion today.
Member Brown, I think we understand what you're saying. I think we clearly can consider, right, adding something similar about where unidirectional communications can be one way of addressing, a differential --
CHAIR BROWN: Yes, and maybe --
MR. BENNER: We've done that in our guidance documents.
CHAIR BROWN: We ought to be kind of specific.
MR. BENNER: Yes.
CHAIR BROWN: We want to make sure there are hardware not configured by software. I mean, all communications devices, you've got to take data and you've got to format it and lay it out, so you can send it out through the device.
MR. BENNER: Yes.
CHAIR BROWN: That's software. There's no way you can get away from that. But configuring that communication device should not be able to be done by somebody coming into it and reformatting it, so now it's not --
MEMBER MARCH-LEUBA: Let's be specific. By "configuring," you mean changing the direction of --
CHAIR BROWN: From unidirectional to bidirectional. Because a lot of the devices out there have both methodologies in them and they configure the software based on the operating system.
MEMBER MARCH-LEUBA: Yes. Yes, but there is an available configuration when you define the baud rate and the pulse rate --
CHAIR BROWN: Yes. Yes, that's all --
MEMBER MARCH-LEUBA: And that can be done by software.
CHAIR BROWN: That's right. Baud rate, but that's not directionality. So, that's why we --
MEMBER MARCH-LEUBA: In the second configuration, I'm always marking here a little bit because it's broader than what you --
CHAIR BROWN: The main point is unidirectional, data diode-type style stuff, whatever the words may be. And I just think that's a way, by putting that in along with the cyber part -- because I'm not trying to intrude into the cyber world.
There's too much arguing about what CDAs you do, when, and where, and everything else.
But I'm just thinking about the layers of defense, and the equipment ought to be able to provide its own defense, and do that at the early stages during the design. And you talk about the design -- I've forgotten where it was -- during the design application, though. Yes, during the design certification under Part 52.
So, when we had the back-and-forth -- this is just discussion, okay? -- relative to the letter to the Chairman and the responses --
MEMBER MARCH-LEUBA: Uh-hum.
CHAIR BROWN: -- and all that kind of stuff, I didn't take issue -- we did not write a letter in terms of the response. We waited because you said you were going to go revise 1.152, 5.7; BTP 7-19, on and on. So, talking about it in abstract -- it was much better to talk about it with the specific Reg Guides, and stuff.
But I view, as opposed to us saying it's not a safety doubt, a safety concern, I think it is, but there wasn't any sense in mounting a horse on the pike and driving down the thing and seeing who we could knock off the horse on the other end. It just didn't make any sense.
And I was just trying to point out there's a way to use your all's methodologies, get the point across, such that we're not inhibited during the design cert stage with this back-and-forth. Okay?
But, anyway, that's kind of covered that aspect.
MR. NGUYEN: I think Rich Stattel had something to say.
CHAIR BROWN: Yes, Rich, go ahead.
MR. STATTEL: Thank you.
I'm Richard Stattel. I work in NRR.
I also want to mention that I was the NRC representative on the working group that developed these standards over these years.
And I think it's worth noting that, in Annex E of the standard, there are sections that do provide acceptable methods that include unidirectional communication from safety to non-safety and between divisions.
CHAIR BROWN: You didn't endorse it, though.
MR. STATTEL: Yes, okay, I'll explain that.
CHAIR BROWN: Okay.
MR. STATTEL: So, in the IEEE Working Group, we did recognize those as acceptable ways to instantiate communications independence.
When we were developing the Reg Guide, the decision was made not to endorse Annex E. This was made in the previous revision as well, right? And the reason was because the Annex is informative and it doesn't provide the guidance. So, in other words, the criteria for independence is in the body of the standards. The Annex provides acceptable methods that the IEEE considered to be acceptable. So, we typically don't endorse methods; we endorse the criteria, the acceptance criteria. So, I'm just explaining that's the reasoning behind that.
CHAIR BROWN: Okay. No, I appreciate that. I understand that. Thank you. I understand that. Thank you, Rich.
MR. NGUYEN: I would like to add onto what Rich just said. The reason we didn't endorse Annex E, also, because the Annex is technology-focused and provides a few methods or examples, but there are some other examples out there for one-way communication.
If we endorse this, then it may send a strong message that these are the only methods we accept.
So, I mean, for your comments on the acceptable method the NRC staff can consider, we can consider something like, but I wouldn't go far to go to specific hardware like, you know, diodes.
CHAIR BROWN: Well, data diodes are kind of a generic --
MR. NGUYEN: Right. Because, out there, there's a --
CHAIR BROWN: A diode is a hardware, fundamentally, a hardware-based device, and that's what we're really looking for.
MR. NGUYEN: Right.
CHAIR BROWN: Just we've got to find a way -- this Reg Guide is a critical Reg Guide. This is the one I was waiting for to see what revisions would come through and how you all would address it. And the Reg Guide actually came out pretty decent for the most part. I've got some other questions, but they aren't on these high-level items.
And the WDT methodology that you used is reasonable. You need a few words to do that for the communication device because it does need to be clear that it's unidirectional -- okay? -- and it's hardware-based. That way, you don't get into the software configured part of it. If it's hardware, pretty much it's hardware.
I'm not familiar with every design that's out there, but maybe hardware -- if I was a vendor, I would not even have two directions. It would be one literal output which you can't reverse physically. You'd have to rewire it. And that's technology-neutral.
Anyway, the issue is out on the table. Obviously, that's something we will, I will be addressing somehow in our response on this.
Are there any other -- Jose, do you have anything else to say on that?
MEMBER MARCH-LEUBA: No, I think I would like to see in the guide acceptable ways of unidirectional. If you find a better one, please submit it to us; we'll review it.
It simplifies -- when I'm a designer or an applicant, I have to go to my boss and convince him to let me spend money on doing something. And if that something is in the guide, as an example, it's a lot easier to do it. Anyway, I think it would be worthwhile if it wasn't limited.
CHAIR BROWN: If you think unidirectional devices are going to exorbitantly increase the price and cost of building these systems, we're talking about a 1 penny part in a $100 million operation.
That's a slight exaggeration, but then it's relative to --
MR. NGUYEN: I don't think --
CHAIR BROWN: -- the line of resistance.
MR. NGUYEN: I'm sorry.
CHAIR BROWN: I'm sorry, go ahead, Khoi.
MR. NGUYEN: I don't think that's a concern from an applicant or a licensee. I think the most concern is they have, in order to implement the hardware for the communication, they have to revise a lot of procedures because, currently, the plan is using two-way communication for some specific tasks, like set point change, firmware/software update, data connection. So, if you have the hardware device installed permanently without revising the procedure, that may be the problem.
CHAIR BROWN: I would disagree with that.
The communication out to the main control room into all other safety systems is not the path you utilize to make software changes. You use your maintenance and test equipment. You reconnect a cable to go do that. You control the software that goes in, whatever you're going to do, and that's where you make your adjustments.
MR. NGUYEN: Yes, and --
CHAIR BROWN: So, I would disagree with that. Bidirectional communications to a main control or any other network should not be on the table anywhere. So, I would disagree with you. I would agree with Eric that there's a simple way to do this.
It should be unidirectional or one-way, however you want to phrase it. But we ought to find a way to compromise and get our way -- not get our way -- but get our way through this conundrum time after time.
MEMBER MARCH-LEUBA: I think the --
CHAIR BROWN: Go ahead.
MEMBER MARCH-LEUBA: I think the way on this echo, saying a licensing review of reactor containing two-way communication between 60 computers, blah, blah, blah, would require much greater scrutiny.
And you warn the applicant, if you want to go this way, you're going to pay your pound of flesh. Right?
CHAIR BROWN: We'll disagree with it when it comes in.
MEMBER MARCH-LEUBA: And you have inherent aversion to risk by saying it that way. But if you have a reason for doing it --
CHAIR BROWN: That's why utilizing similar words to the watchdog timer I think is a clear way of saying it.
MEMBER MARCH-LEUBA: Yes.
CHAIR BROWN: And then, if someone wants to take exception, they can.
MEMBER MARCH-LEUBA: No, but Appendix E, echo, says the watchdog timer language, and it says, if you don't do this, you guys be aware that it is going to take --
CHAIR BROWN: Where are you talking about it?
MEMBER MARCH-LEUBA: It's the Appendix E of 7-4.3.2.
CHAIR BROWN: Yes, but that's not endorsed. I don't know what they do with that.
MEMBER MARCH-LEUBA: I'm saying that that language is very valuable.
CHAIR BROWN: Yes, that's valuable in the context of at least saying something similar to what the watchdog timer words path is. And the words "it's an acceptable method" would be to do that, because that does not tell them they have to do it. It allows them to -- and they can use whatever language that's in the IEEE standard to get to where they want to go.
MEMBER PETTI: But you're talking about putting some words into the Reg Guide, not into the IEEE standard?
CHAIR BROWN: In the Reg Guide, oh, yes, absolutely, not the --
MEMBER PETTI: Yes, yes.
CHAIR BROWN: And it would be in the paragraph where, that exhaustive paragraph on licensees and applications, blah, blah, blah. "A suitable method for doing this would be the one-way, unidirectional communication device, et cetera."
That would be -- anyway, that's where we're ending. We can stop this. I think we've hit this hard enough, unless somebody from my Committee members would like to -- Steve, do you want to say something?
MR. SCHULTZ: I have one more comment, and it relates to -- this is Steve Schultz -- it relates to the Branch Technical Position that the Committee commented on --
CHAIR BROWN: 7-19?
MR. SCHULTZ: Yes, 7-19, that the Committee commented on in 2021. And the Commissioners were involved because our letter went to the Commission related to that and the use of unidirectional systems for defense-in-depth and diversity.
CHAIR BROWN: Yes.
MR. SCHULTZ: And as I understood it, the staff said that this would be addressed by going back to the Branch Technical Position and incorporating an example; that unidirectional systems would be a way in which to improve the review or simplify the review as far as defense-in-depth opportunities were available.
Is that something that's been done?
CHAIR BROWN: No, 7-19 has not been brought back up on the table. It's still --
MR. SCHULTZ: Okay.
CHAIR BROWN: This was the first olive out of the bottle.
MR. SCHULTZ: Coming back through it?
CHAIR BROWN: Yes.
MR. BENNER: Yes, this is Eric Benner again.
From a timing standpoint, we had already planned to update this Reg Guide. You're familiar that we were in the throes of updating Reg Guide 5.71.
So, the direction we got from the EDO was for there to be several guidance documents that we updated to address this issue. So, it's a timing issue.
CHAIR BROWN: Okay.
MR. BENNER: For the Branch Technical Position, our schedule for updating that is longer because we have two ongoing, major licensing reviews, and our objective was to not update the BTP again until we get pretty far through those reviews. So, we could also incorporate lessons learned from those reviews into that guidance document.
MR. SCHULTZ: So, all of the documentation that changed hands at that time will be addressed when that's revised later?
MR. BENNER: Uh-hum. Right.
MR. SCHULTZ: And is the same, then, true for Reg Guide 5.71?
MR. BENNER: 5.71 I believe did have changes made. That came to the -- I can't remember if that was before the Committee or not. But changes were made to that soon after we got the direction from the EDO.
And I believe Kim is on the line. She probably is much more knowledgeable than I am on that.
MR. SCHULTZ: That was going to, essentially, reconnect to this Reg Guide to demonstrate that there was a cross-reference, if you will, between the two.
MR. BLEY: Before you go to Kim, I guess I don't understand why all these wouldn't be consistent, and why you wouldn't have something of the language Charlie is talking about here if you're going to have it over there.
MEMBER HALNON: Yes, that's what I was hoping for.
MR. BENNER: Well, and for us, they are consistent, right? Some of the things we've done here were consistent with the other documents. So now, we're being asked to maybe add something else, and we're going to consider that, but I can't go back and, you know, make the things that have already gone through the chute consistent until their next review cycle.
CHAIR BROWN: I'm looking at the letter, the July 14th letter, right now that came back. And they said, the team recommended they would revise 7-19, how the staff could reduce the scope of defend/diversity when a design includes unidirectional. So, they had the words that they were going to go do this, and then, also, at one point have 1.152 and Reg Guide 5.71 --
MR. SCHULTZ: Exactly, and it says --
CHAIR BROWN: And their reference is to 5.71 -- and they did incorporate into 1.152 references to 5.71. It's just absent a sentence that they need to put in.
MR. SCHULTZ: Yes, I understand that. And I agree with you. It says, "as soon as practicable."
So, I'm sorry it's still coming; that's all.
MR. NGUYEN: So, what will come out on the final version of this Reg Guide, the subject tried to be consistent with all the guidance, BTP or all the Reg Guides.
CHAIR BROWN: The BTP is absent that right now. You all did not incorporate the stuff we've proposed. That's why we ended up writing the letter to the Chairman, because we've been through this rabbit hole several times. Willing to wait. Okay?
Hopefully, I won't die before then.
But this particular Reg Guide is a key Reg Guide defining how you use and communicate and maintain independence when you're using computer-based equipment. And they did a good job on the watchdog timer in terms of making sure processors work. That came out pretty decent, not dictatorial, but provided a thought process on what you all would consider.
Using that same thought process for that one particular paragraph in the Reg Guide, making it similar would, I think, go a long way to getting this issue out of our letters.
(Laughter.)
MR. NGUYEN: Okay. Thank you very much for your suggestion.
CHAIR BROWN: We can go on, if you would like.
MR. NGUYEN: And the staff will consider your suggestion.
All right. The next one is Clause 5.7. This clause was expanded to include additional guidance for the measurement and test equipment for IT, which is consistent with current regulation and considered good practice to ensure the proper functionality of the safety system and the tests.
6 CHAIR BROWN: Before you leave 5.7, we 7
might as well go ahead and get this copy out on the 8
table as well. I thought I underlined all of -- I'll 9
just pick the one place I know I had it, since I've 10 marked it in red.
11 And it's referring to wireless 12 communications.
13 MR. NGUYEN: Which section you are at?
14 CHAIR BROWN: I'm in 5.7, "Capability for 15 Tests and Calibration."
16 MR. NGUYEN: Okay.
17 CHAIR BROWN: The third paragraph was the 18 first, I think it's the first mention. I was going to 19 call that up and see if I've got 7-4.3.2. And it's in 20 the third paragraph, the last sentence.
21 MEMBER MARCH-LEUBA: Do you want me to 22 read it?
23 It
- says, "Wireless receivers and 24 transmitters on temporarily connected M&TEs shall be 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
78 disabled prior to connecting to safety-related 1
equipment."
CHAIR BROWN: Yes, and similar words, there's another set of words in 5.9.2. The last paragraph says, "All wireless capabilities shall be disabled on the workstations. All wireless capabilities on the M&TE equipment shall be disabled prior to connecting to safety-related equipment."

But if you read the whole thing through here, you get the thought process is that, not directly, but indirectly, it says the use of wireless is okay.

And just as an example, even with M&TE, it says make sure you've disconnected your wireless before you hook it up to your equipment to make changes in set points or software changes, or whatever you need to do. So, that's shutting the barn door after you've already opened it up, after you've downloaded from the vendor over the internet some software package for changing or fixing a problem, and now, it's in the M&TE. So, you disconnect it, and now, you connect it to your toast; the virus is planted. It doesn't compute. That's all I --

MEMBER MARCH-LEUBA: So, you want requirements on the measurement and testing equipment?
CHAIR BROWN: It's just the issue is wireless communications. You don't want to build equipment that has wireless capability, and then, have the vendor send the stuff directly to the safety system via some wireless connection you have. The wireless issue should be addressed more succinctly, a little bit in more detail.

MEMBER MARCH-LEUBA: And wireless refers to a dead-end network.

CHAIR BROWN: I don't know whether that's the case or not.

MEMBER MARCH-LEUBA: I mean, you don't go wireless more than 100 feet?

CHAIR BROWN: I don't know. I'm not an expert on that. All I know is wireless says to me wireless. You're running around wireless with your cell phone all over the country and you're still getting information and your software just changed.

If you're driving a car that's computer-driven with wireless connections, they can download software while you're driving that stops your car.

So, that's wireless. Okay? It's available.

So, something needs to be done to address the wireless issue. It's just these two side discussions on the wireless issue that stuck out at me.
MEMBER MARCH-LEUBA: For reference, the instrument technician would have an iPad that he takes to calibrate equipment in the safety system. And what this tells it is that, before you disconnect the USB to your safety-related system, you need to disable the wireless antenna.

CHAIR BROWN: That's right.

MEMBER MARCH-LEUBA: What you're saying is, five minutes before you disable the wireless antenna, somebody might have some malware.

CHAIR BROWN: That's right.

MEMBER MARCH-LEUBA: And now, you inject that via USB.

CHAIR BROWN: Exactly.

MEMBER MARCH-LEUBA: An issue.

MEMBER PETTI: You, basically, want those iPads to have never seen --

CHAIR BROWN: They should have no wireless connection. If they want to change the software, there ought to be a package delivered CD, thumb drive, whatever you do, you plug it into your iPad; you download the --

MEMBER MARCH-LEUBA: You're just moving the problem one more --
CHAIR BROWN: Well, you've got your SDOE, theoretically, which covers the download on that thumb drive that you bring in. All I'm saying is there's got to be a way to not -- there are more secure ways to do things than with the wireless connections. You're right, if a guy brings his iPad in, that it could be a problem --

MEMBER MARCH-LEUBA: Uh-hum, I can see it.

CHAIR BROWN: -- what you do with it.

MEMBER MARCH-LEUBA: But it's difficult to -- I mean, if a vendor is going to send me an update -- just a set point, for example, there must be an update in the systems, the set point values -- they're not going to send in paper anymore.

CHAIR BROWN: You don't actually do that. I didn't ask for paper.

(Laughter.)

MEMBER MARCH-LEUBA: Yes, consideration has to be given that the M&TE equipment is secure. It should be assumed it's not secure.

MR. BENNER: I think we understand the concern and the potential factor, because even -- you know, it's a different factor, but the reality is, like you say, if there's a software update for the M&TE, it's got to come through some mechanism, right, whether it's wireless, right, or whether it's -- on my car, I get an email and I can download it to a USB thumb drive and put it in. All those vectors are a way to get malware. And like you say, if you connect the M&TE to the safety system, that's a vector.

So, I think we understand the concern and we'll caucus --

CHAIR BROWN: You're going to connect.

MR. BENNER: Yes, by definition.

CHAIR BROWN: I mean, you've got to connect something to it.

MR. BENNER: Yes. By definition, there are multiple connections. There's a connection for M&TE. There's a connection to the equipment, and there's a connection to something to update --

CHAIR BROWN: To get the information for --

MR. BENNER: So, it is whether the appropriate controls for any vector, whether it's wireless or whether it's other vectors.

CHAIR BROWN: I do know that one of the design applications that we saw had a separate maintenance cabinet, but you had to hook up a cable. You know, you had to go open it up and connect a cable up to the safety systems in order to download it.
Well, the downloads had to get into that maintenance cabinet somehow. It's just a matter that no system is 100 percent secure. No matter what you do in a safety development and operating environment, there is no 100 percent guarantee. It's just you don't make it easier.

I don't know, I faced that issue 20 years ago before I retired. Because the vendors, now that we had E-Squared PROM that you could erase, boot back up -- in the old days, we didn't have E-Squared PROM. It was read-only. Okay?

And once we got it, oh, God, this opens up a whole world. We can send a new software package down to you via the internet and you can just plug it into your stuff while it's in the ship. Bad idea. Really bad idea.

So, we ended up going to laptops. So, we'd get the information, put it on a thumb drive or a CD, or whatever we had back then, put it into the laptop. Take the laptop down and do it.

Now, did that mean it still could have a problem? It could still have a problem, but it was just what we had at the time.

MEMBER MARCH-LEUBA: No need to go into the solution there. The guys should point out the problem and they should say that it's up to the applicant to fix it.
CHAIR BROWN: Exactly. And this just leaves it hanging in the air; that's all.

MR. NGUYEN: Thank you for the comment, and the staff will consider the comment --

CHAIR BROWN: Okay.

MR. NGUYEN: -- and get back with you later.

CHAIR BROWN: Let me see if I've missed -- the other suggestion I would make, since we're on the control bullet, even though we haven't gotten to it on your slide, when you introduce the -- what's it called? -- control of access section, you've got physical security as a 5.9.1, or something like that. There ought to be a 5.9.2 which talks about, with the introduction of software-based/computer-based systems, we've now introduced a new path for access to the systems, and talk about it in that context in terms of how you have to deal with it and the levels of security, the things you need to think about.

I'm not talking about just saying you've got to relate it back to cyber security. It's just it's a new path, and you've got to apply the same type of rules.
Now, if you're partway because 5.7.1 says I'm going to look at all the data coming into a plant or all the signals coming in or an internet, or what have you, I've got -- I don't know how many -- four levels or something like that in 5.7.1. You've got part of that covered. It's just the stuff right down at the equipment where we've right now been discussing.

But it just ought to make it clear that, hey, we've now introduced another significant source of access that you have to think about at the equipment level. Okay? Not asking for solutions. Just you go through what are the issues involved with it, just like you do with physical security. You talk about the admin people physical security. Guys doing this; sign in, blah, blah, blah. Oh, there's all kinds of stuff you wrote down on physical security, like it's the least important item, right? It's much easier to do that than it is to do this other thing.

So, that's just the other suggestion in terms of clarity in the Reg Guide, identifying this as a second big, serious path. And we've mentioned that in the letters. We've talked about that in our letters to you before, about introducing this new path, which you'll probably see again sooner or later.

That was the only other point I had on the control-of-access stuff, I think, unless I remember something later.
MR. HECHT: Charlie, this is Myron.

CHAIR BROWN: Yes?

MR. HECHT: So, with regard to the previous point on downloads of software to M&TE for updates, either to M&TE itself or the actual computers in the safety system, or I should say programmable devices in the safety system, there are methods to ensure the integrity of the downloads. You know, hash codes for that. The software developers' computers, you can check as to whether they've been altered when they reach the destination.

And so that, if you can control what's being received by the M&TE -- for example, through only a specific wired connection to the laptop or whatever device you're using to transfer the material, the software to the safety system -- that, at the very least, you can ensure the integrity of the file. That's being done now.

CHAIR BROWN: Okay.

MR. HECHT: It's unlikely that malware could be introduced that way.

CHAIR BROWN: Like I say, I'm not trying to say how. I'm not a programmer and I'm not a hash-tagger. But there are methods that at least provide some levels of security, and we ought to just recognize that that needs to be done, now that we're in this software configuration and access. And we just don't discuss it. So, that's the suggestion.

Thank you, Myron.
MR. STATTEL: If I may, Charlie?

CHAIR BROWN: Yes.

MR. STATTEL: This is Richard Stattel again.

I just want to speak a little bit about the working group's perspective when we developed this particular clause. So, I do understand your point. The overriding requirement here is really in the first sentence of the paragraph.

CHAIR BROWN: Which one are you talking about?

MR. STATTEL: This is 5.7, in that third paragraph.

CHAIR BROWN: Yes.

MR. STATTEL: "The M&TE equipment used for safety systems shall not adversely affect the safety system functionality." And in our view, all vectors, all threat vectors that went through M&TE really should be addressed by that criteria there.
And it was brought to our attention while we were developing this, well, if the M&TE, if the laptop you're using to perform this -- you can have all the controls you want on the configuration of that laptop, but, then, if you have a wireless connection, that's creating a separate vector that's above and beyond that.

So, that is the reason why the working group added that clause at the end. We weren't intending it to be an allowance clause for wireless communications. We just wanted to address that one specific vector. We recognize there can be many other vectors into the M&TE, but our intention was that those would be addressed under the first criteria there.

CHAIR BROWN: I got that point, but when you start talking the use, that says, oh, well, if we've got to think about it in this context, that must mean it's okay --

MR. STATTEL: Right.

CHAIR BROWN: -- to apply it in some way, shape, or form.

MR. STATTEL: I understand that.

CHAIR BROWN: And I understand. I don't have any problem with the words you have there. I'm not following this. We're not expansive enough because it does give the implication that doing that just -- that's really okay. But without subsequent -- we're kind of giving it a little bit of a stamp of approval that you can use those techniques.

I mean, if I was a designer, I wouldn't have anything be wireless, but that's my personal opinion. I'm a dictator on my own stuff.

So, anyway, you'll probably see this. Whatever the Committee comes out with, we're going to write a letter on this whole subject, and it will be whatever the Committee decides we want to put out. If I can remember some of this stuff long enough to even write a letter, it might be good. Hopefully, I get the transcript rapidly since we have to write a letter in another 14 days.

MR. BENNER: Yes, I was going to say, at least in this case, the full Committee meeting is pretty close to --

CHAIR BROWN: Yes, it's 12 days from now. So, I'm on a real track to try to get the letter written.

MR. NGUYEN: So, the staff will come up with something to clarify the wireless criteria.
CHAIR BROWN: Yes. Well, the fact that the control of access is different, that's one thing. And then, the wireless is another thing. We ought to be a little bit more expansive. This is not intended to say you should have a wireless plant. I don't know what you do. I'm just thinking outside the box.

There was another package in here, while we're talking about that, if I can -- in 7-4.3.2. Where's the one on soft -- oh, it's 5.9.3, I think. That whole thing talks about implementing intrusion detection software, virus protection software, access control software into the operating systems. And you say it should be avoided.

MR. NGUYEN: That whole section speaks to that whole Clause 5.9.4.3 -- it was from Revision 3.

CHAIR BROWN: That might well be Revision 3. Then, I missed that. Okay. If I had seen this then, I would have probably thrown up all over it.

You say, "When implementing cyber security features" -- and this is in this operating system -- "the following shall be addressed as a minimum. They shall be justified. Failure modes of the cyber security. The non-intrusive software features may be applied, but intrusive cyber security features shall only be executing when safety systems are out of service."
Well, what does that mean? That means a cyber security system is useless. The safety system is, theoretically, on all the time. Just the whole issue of incorporating virus software detection features into your operating system really compromises the ability for the control system to complete its operations, because it's got to be constantly updated. It's reactive. You've got to constantly update virus softwares.

MEMBER MARCH-LEUBA: The easiest, simplest implementation -- and I think this is what the people who wrote this were thinking about -- is that you continuously check for the integrity of your executable programs. They're encrypted and they have a signature within them before you run them. And you make sure they haven't been modified. That's a cyber security feature and that can be --

CHAIR BROWN: Yes, but that's fixed. Okay?

MEMBER MARCH-LEUBA: It's fixed, yes.

CHAIR BROWN: That's not intrusion detection per se. It says my code is still what it was before.

MEMBER MARCH-LEUBA: Well, that's intrusion. My code has not been modified.
CHAIR BROWN: Yes, they haven't broken into my house because the door lock is not broken.

MEMBER MARCH-LEUBA: Yes.

CHAIR BROWN: It's just somewhere in here it almost -- again, this is a little bit similar to the thought process on the other one. You don't want active virus detection software in the mainstream of your operating system.

And I agree with Jose, there are built-in things you don't have to constantly change. In other words, how do you verify your code at the beginning is the same as the one you started, you know, the same you started with? That type of verification, you do that with data checking when you send data -- with checksums, and what's the other --

MEMBER MARCH-LEUBA: CRC?

CHAIR BROWN: Cyclic redundancy checks. You do that all the time in terms of can you confirm data that you send in is the same data coming out.

MR. NGUYEN: Fixsum.

CHAIR BROWN: Fixsum, cyclic redundancy checks, et cetera, you use all the time for this type of stuff. Because this is not -- that's on a data transmission. That's a communication issue, not an operational software.
MR. NGUYEN: But could that go to the self-diagnostic detection?

CHAIR BROWN: I don't know. I'm just saying that issue -- I'm just questioning whether we ought to be a little bit more cautionary. That's in the IEEE standard. I don't remember us saying anything -- I don't remember 1.1.5.2 addressing virus, you know, your Rev 4 or anything. I just think we need some type of cautionary tale that incorporating virus detection software that's active-type software into the operating system, you should be careful.

MEMBER HALNON: But, Charlie, they use the word "non-intrusive/intrusive." Are you conflating the word "active" --

CHAIR BROWN: Active means something that's constantly reviewing, stopping -- virus on your computer --

MEMBER HALNON: Yes. No, I understand.

CHAIR BROWN: -- and it slows down.

MEMBER HALNON: I guess my question to you -- I mean, everything you just said, I'm looking at 5.9.3 and I say it's there. So, I don't know. In my simple way of reading things, I see it's there, but if you feel like, you know, in your expertise, that it's not clear enough -- I mean, again, I'm in a learning mode.
CHAIR BROWN: I couldn't write virus protection software if you wanted me to.

MEMBER MARCH-LEUBA: Yes, but, if you read 5.9.3, it clearly says, "Implementation of cyber security features directly in the safety system should be avoided." That's exactly what you're saying. And the previous sentence says you should do it outside on the envelope.

CHAIR BROWN: Well, it says, "peripherally."

MEMBER MARCH-LEUBA: Yes. So, before you inject anything, you have to make sure it has run cyber check. I think it is properly "implement."

CHAIR BROWN: So, you're all satisfied with that?

MEMBER MARCH-LEUBA: I am.

MEMBER HALNON: Right, and it also says that, when you mentioned that the intrusive cyber security features shall only be executing when safety systems are out of service, that emphasized the word "intrusive safety." Just the one before that says non-intrusive cyber security features can be applied, and that's the self-diagnostic, self-reporting, the checksums, all those types of things that you were talking about.
So, again, if there's some clarification of language for the digital practitioner, then that's one thing. But, at least from a descriptive mode, I was following what you were saying and I saw it there.

CHAIR BROWN: Well, virus scanning when the safety systems are out of service, but it's built into the software --

MEMBER HALNON: No, it can't be.

CHAIR BROWN: Well --

MEMBER HALNON: Because it says earlier, it says you can't have -- you shouldn't do that when implementing cyber security deployment -- I mean, the implementation of cyber security features directly in the safety system should be avoided.

MEMBER MARCH-LEUBA: Yes, but, then, the next paragraph says, if you really insist, you should follow these guidelines.

CHAIR BROWN: Yes, if you really insist; that's the next --

MEMBER HALNON: Again, that's --

MEMBER MARCH-LEUBA: And the staff is telling them --

CHAIR BROWN: And then, it says, "inclusive cyber security systems."
MEMBER MARCH-LEUBA: The staff is telling them don't do it.

CHAIR BROWN: So now, I've got intrusive virus detection scanning. For instance, virus scanning systems, for example, shall only be executed when it's out of service. Well, but it's sitting there and it's got to be updated at some point. That means you've got to consciously come through and re-update it --

MEMBER MARCH-LEUBA: Uh-hum.

CHAIR BROWN: -- because a week later that software is no good anymore. It's missed the last 15 upgrades.

MEMBER HALNON: But it's outside of the safety system. So, it can't --

CHAIR BROWN: No, it's in the operating system. Yes, it's in the operating system.

MEMBER BIER: Greg, I'm wondering whether part of the kind of difference of opinion between you and Charlie can be addressed by providing more concrete examples in the places you're seeing.

MEMBER HALNON: Yes, I think you're right. I think it's in the nomenclature language.

MEMBER BIER: Yes, you know, they have some general terms that address it.
MEMBER HALNON: Yes.

MEMBER BIER: It's maybe not as specific as Charlie would like, but it could be added. You know, it could be supplemented with just "such as" blah, blah, blah, and that might make it --

MEMBER HALNON: Yes, I agree, my language is not precise to the digital world.

MEMBER BIER: Yes.

CHAIR BROWN: The non-intrusive one, it's just you want to provide data going out somewhere for diagnostic purposes? I didn't have any problem with that. Okay? It's not really a cyber security feature. It's really more of a monitoring what I've got in there. I'm sending it out. Just as long as it's one way, I'm happy with that.

But the intrusive features when you're going to do virus scanning, that means, you know, the next day whatever virus scanning codes you've got in there is no good anymore. It's being updated constantly.

I don't know about your computer, but I know on my home computer I'm constantly seeing a little flag comes up that says, "Hey, please download this," or what have you.
MEMBER HALNON: I have a Mac. It doesn't require that.

(Laughter.)

CHAIR BROWN: Yes, well, everybody loves the Mac.

MEMBER HALNON: I guess I could see where you're going, but, again, I just want to emphasize that I'm looking at it from a descriptive point of view, and you're looking at it from a tacticianer, practitioner's point of view. So, this is why I just wanted a clarification of where you were going with it.

CHAIR BROWN: Yes, again, how we deal with that, up to this point we had not had to face that in terms of intrusive virus detection software, because the only time you would really need it was when you would be downloading a new software package. If you do not allow any -- if your control of access does not allow stuff to come in from any other source other than your controlled source, then you've put another layer of protection there and you don't have to have virus intrusive stuff.

If you have bidirectional communications going, you know, clear out to the internet for your safety system, then you've got a real problem. Okay? That would mean you would have to have intrusive cyber security features, and you don't want that.
That's another good reason for having your unidirectional communications, because your protection, basic protection systems, they take care of themselves. They trip on their own. They do everything on their own, and the manual controls are literally manual controls.

Anyway, again, that was one of the other issues relative to what's in 7-4.3.2. And both the cyber thing as well as -- that's all under control of access.

Oh, somebody reminded me we've been going at this now for two hours and 15 minutes, almost 15 minutes.

And, oh-oh, did we just lose something?

MEMBER BIER: I think they just turned off the shared slides.

CHAIR BROWN: Oh, okay. All right.

MEMBER BIER: I think we're okay.

CHAIR BROWN: Is everybody interested in having a 15-minute break?

Okay. We will recess for 15 minutes and return at -- what time is it? I can't read that. 10:49? Make it five after 11:00.
Recessed.

(Whereupon, the above-entitled matter went off the record at 10:49 a.m. and resumed at 11:07 a.m.)

CHAIR BROWN: Okay, we're back in session now, a couple of minutes late, but we're okay. Khoi, if you would like to go ahead and proceed.

MR. NGUYEN: Yes, I would.

So for clause 5.6, this one is the newest clause, was added in 2010 to provide the criteria of software testing to address common cause failures in program or digital devices. The staff reviewed these criteria and found that these criteria are consistent with the testing acceptance criteria described in Section 3.1.2.A of BTP 7-19, chap 8.

Clause 5.17 --

CHAIR BROWN: No, go back. Go back to 16 for a minute.

MR. NGUYEN: Sure.

CHAIR BROWN: This -- I'm trying to figure out which way. I'm looking at the first sentence in 5.16. Thought I had a note -- common cause failure that I cannot -- well. I didn't have any problem with the reg guide, I mean the IEEE standard. It was a matter of how it's emphasized.
MEMBER HALNON: Are you talking about the prevention --

(Simultaneous speaking.)

CHAIR BROWN: Yeah, well, it's like the use of systems has led to concerns that design errors have been caused. None of the stuff you talk about -- design errors are going to happen. You're not going to get something right.

How you design the software, how you write it is not a design error necessarily. How you do data checking is not going to fix your problem, whether you have an 8-bit or 16-bit word, it doesn't -- it's not going to change errors happen in analog systems. You do something wrong, you've got to go fix it.

The issue is not design errors so much as software gets corrupted, or the most it can. And particularly in interrupt-driven systems it can get corrupted because you're moving around. You never know whether it's going to come back to the path you started with if the return doesn't necessarily lead you back.

And watchdog timers fundamentally give you some help with that if a processor doesn't finish its sample period and you get reset. So it was a -- it was software design errors that gave me a little bit of pause that it's kind of the -- not the message it leads to. And one of our -- one of our letters, I mean, I might -- I may even have that.

I think we used some words in one of our letters, I can't remember which one it was.
MEMBER HALNON: Charlie, can I ask a quick question while you're looking?

CHAIR BROWN: Yeah, go ahead.

MEMBER HALNON: In this section it talks about if the consequence of potential of CCF is unacceptable, a D3 analysis shall be prepared.

Isn't the D3 analysis part of the design in the system in the first place, so that you know how your defense-in-depth and diversity has to be built into the system? This is saying you take the system, you look for common cause failures, and then you do a D3 analysis if it's not acceptable. Am I getting this backwards, or is this a spaghetti thing?

MR. NGUYEN: That's the typical process.

MEMBER HALNON: That's a typical process. Okay, I took away from the previous subcommittee meetings that D3 analysis was part of the design of the system in the first place.

But I think for our designers, there was an iterative nature. Okay, it's certainly a consideration, so okay.
CHAIR BROWN: Okay, one of our letters, or at some point, I don't remember exactly where, but we've mentioned this before. The use of software-based systems obviously provides a lot of benefits in terms of the operations. But the new modes of common cause failures, not design errors, but unused code.
I mean, you look at some of the platforms you used, there's a lot of code in there that does other things but you may not use it in your application when you program your application code into it.
Unintended or prohibited functions that can get buried in that type of code. Silent failures, lockup, it just doesn't come back on track. Failure to complete processing all your safety functions in the same -- with a software operating cycle.
All those -- all those things, they're not design errors, they're things that can occur just because of the nature of the software and the software processing system. When your mouse stops moving, you know something's -- not -- you didn't do anything, all of a sudden it just didn't work. You clicked on something and it doesn't work.
And the primary protection against, is this my perspective, it's not the Committee perspective, this is my own perspective. In the safety systems, particularly protection and safeguards, are -- you have a robust, multi-division architecture. Architecture is not mentioned in any of these, either the reg guide or the other one.
In other words, redundancy, independence, how you process. Deterministic, you don't, but that's a better way to do it if you can. Defense-in-depth and diversity are all factors, as well as manual backup of controls for doing stuff.
And I just, to me, focusing common cause failures functionally looking at design -- design, you know, design issues, which is what's in the -- which is what's in the IEEE standard, is -- seems to be some amplification explaining that it's where you kind of counter the just thought-of design process.
I tried to look and see if the -- your writeup in 4.1 doesn't really cover all of that, that type of a waterfront. It's just a suggestion to think about in terms of emphasis. Do you send the wrong message that it's design errors that you're -- that you're -- which is what the IEEE standard calls out in that -- in that particular section.
So I haven't figured out how I'm going to
address that yet, if I even do. But it's just something to put on the table. That's -- because the function is fundamentally focused on design errors. Anyway, that's just something to think about, I wanted to bring it up since we were on that section.
If you have any comment, you can go ahead and make it. You look like you're pondering something, Eric.
MR. NGUYEN: I have something.
CHAIR BROWN: Okay, you're not pondering, that's fine.
MR. BENNER: I'm pondering, I'm hoping that one of the people more knowledgeable than I will jump in.
MR. STATTEL: I can speak a little bit to it. This is Rich Stattel again.
CHAIR BROWN: Yeah.
MR. STATTEL: So, again when we were developing this, the term software failure was brought up. And in our discussions we came to the realization the word failure implies that it worked one day and then something happened and then the software started behaving differently.
And the reality of it is for the people in the software industry, that's -- that's not how software works, right. It can't fail, it can't wear out, it can't just behave one way one day and then something happened and it doesn't behave that way.
But it can manifest itself in a failure, right. So we essentially, we create -- we coined this term design errors, right. And then in the second paragraph, we defined the latent software fault.
So we tried to explain how a software design error can be undetected, and it kind of leads into a scenario where it appears that the software is functioning correctly one minute and then later it doesn't.
But the reality of it is the conditions that basically led to that latent failure emerging and showing up as a system failure -- so we -- this is an attempt to explain the relationship between a software design error, because they're all -- software is designed, and it's always an error when something's wrong with it. And the actual system performance, which appears more like a failure.
CHAIR BROWN: So your view of software design error is not a functional operational system need, just have something -- but yet it's programmed -- not programmed incorrectly. Or it's programmed -- that's the way --
MR. STATTEL: It's always -- it's always programmed incorrectly, right.
CHAIR BROWN: Oh, yeah, if you want something to do X and it doesn't do X.
MR. STATTEL: Right, but we -- we recognize that you can't achieve perfect software, right. So there's always some potential, and it should be minimized, that's really our guidance here, there's always some potential that there are some latent scenarios or latent errors, we'll call them, that could -- could turn out to manifest themselves as system failures or system faults if the right conditions emerge, presented.
And again -- again, the guidance is to, you know, do the best you can to avoid those errors, those design errors.
CHAIR BROWN: Okay, but you're thinking more of how-the-software-executes type design errors as opposed to software executing a design feature and the design feature is incorrect.
MR. STATTEL: So I'm thinking you're -- you're referring to like a software requirements error.
CHAIR BROWN: Yeah.
MR. STATTEL: That just implemented the way it was called for in the requirements.
CHAIR BROWN: Yeah, or a functional operational thing you want to have happened and it's confusing. It can come out one or the other, but you don't know it.
MR. STATTEL: But in the design engineering world, that's also a design error, so. So you --
CHAIR BROWN: So you're all-encompassing in your role.
MR. STATTEL: It was just the view that we took on that. We did not want to use the term software failure because that implied --
CHAIR BROWN: Software doesn't fail, I understand.
MR. STATTEL: Right, it doesn't really fail.
CHAIR BROWN: I never liked that terminology. Okay.
MEMBER BIER: It didn't fail because it never worked in the first place, right?
MR. STATTEL: Correct, correct.
CHAIR BROWN: All right, I'd like to be so confident. All right, go ahead. Where we going --
MR. BLEY: Charlie, before you leave that one.
CHAIR BROWN: Yeah, Dennis. Go ahead.
MR. BLEY: I like what they're saying a lot. It's kind of akin to, and the first ideas on this I think came out of the ATHEANA approach for human-involved failures, which means when the situation turns out wrong for you, people can act funny.
People have pursued this in software. I was involved with some who did, Eric Hollnagel and Steve Epstein pursued it a bit.
And our former consultant, Sergio Guarro, did provide some really nice examples in this area. He was a former consultant to NRC on this, and that work got dropped along the way. I'm not sure what happened there, but there's a pretty interesting history behind those ideas and it might be worth going back and looking at that one of these days.
CHAIR BROWN: Well, I don't have those.
MR. BLEY: You did once. I can provide it to you.
MR. STATTEL: This is also a similar perspective that Nancy Leveson, Dr. Leveson, put into her book. And essentially dispelling the notion that -- of a -- that software can actually fail.
MR. HECHT: Software is a list of instructions. This is Myron. It doesn't fail any more than a recipe or a sheet of music fails. It's in the performance or in the implementation that failures occur. And that happens at the system level. That happens when a microprocessor or a digital device executes that software and puts out stuff that you don't expect it to.
So strictly speaking, no, software doesn't fail because it -- any more than a bad magazine article fails. But people use the term software failure to really mean system failures caused by software defects.
MR. BLEY: Well, Myron, that's -- I think that's really true today. But 20, 30 years ago, people kind of had it embedded that there was such a thing, and that, you know, you would have one failure per thousand lines of code or something like that.
And but I think I agree with you.
MR. HECHT: That was one -- that was one defect per thousand lines of code, that's how things used to be measured. And they're still measured that way. The defect density, but defect density you hope is correlated with software -- system reliability, the software component thereof. I won't use the term software reliability.
But you know, earlier work (inaudible), they came up with a full taxonomy of how to deal with software failures. And basically there was a defect, a triggering event leading to a processor failure. And then it leading to the execution failure. Then leading to effects on the outside.
MR. BLEY: And there's a real difference between that point of view, which kind of assumes that that defect density is proportional to system failure, and the idea that what really happens is one of those defects is buried in a place that never gets exercised by the test program or by normal operations until one day the right set of incoming conditions occurs and then you execute it and find it. Which is substantially different in likelihood.
Anyway, this is a diversion, so we probably ought to get back to the present.
MR. HECHT: Okay, I agree. But I agree with you, Dennis.
CHAIR BROWN: You all do have some words on that in the reg guide, in 4.1. I think you just add it up, so. If you -- uh, oh, we just lost him?
MR. NGUYEN: No, I think he's changing his screen.
CHAIR BROWN: That's not a slide.
MR. BENNER: Yeah, no, my -- I think Mike Eudy is trying to read all our minds and say which document we're looking at --
MR. EUDY: Yeah, I'm sorry.
MR. BENNER: Whether it's the reg guide or the presentation. I think he's done a great job. If you're okay, we can move back to the presentation.
CHAIR BROWN: We can move back to the slide. I think we'll --
MR. NGUYEN: Okay, move on to clause 5.17. This one is a new clause, was added to provide guidance for the use of commercial digital equipment.
The staff collaborated with the Division of Reactor Oversight to evaluate the discourse and concluded that the guidance in this clause is consistent with both Appendix B of 10 CFR Part 50 and 10 CFR Part 21.
These items are also consistent with the NRC-endorsed ASME NQA-1-2015, subparts 2.7 and 2.14. Also consistent with the Electric Power Research Institute, or EPRI, Technical Report 106439, EPRI Technical Report 3002002982, which is endorsed by Reg Guide 1.164.
MEMBER HALNON: I just got to -- I think it's an administration issue. In item 3 where you say you don't -- you don't endorse Annex C but you do endorse 5.17. You go to 5.17 and it says, the first thing in there says no, go to Appendix C.
And then Appendix C further has the concept of digital delta, which is not endorsed but it's used in Appendix D, which is endorsed.
Do you see the confusion I get in the circular conversation that we're having about what's endorsed, what's not endorsed, what can I use, what I can't use? I just think that, you know, to me it was confusing when I went through that chain of administrative ties to different sections.
So this is all in the reg guide.
MR. NGUYEN: Can you repeat the section in the reg --
MEMBER HALNON: Yeah, so in the Reg Guide No. 3 under the background, it says that Annex C has not received NRC endorsement. This reg guide endorses 5.17. So you go to 5.17 of the IEEE document, and it says, no, see Annex C. Well, you didn't endorse that.
And then you go to Annex D, which you did endorse, and it talks about the digital delta, which says go to Appendix C to figure out what that is. So --
MR. NGUYEN: Let me try this way.
MEMBER HALNON: There's not -- it's not a technical issue, it's more just administration and how confusing it is when you bring in, you know, you're either going to have to clarify that Appendix C digital delta applies to what we're talking about in Appendix D or Annex D, I'm sorry. And that 5.17 is all-inclusive, but it says go to Annex C, which you say you don't endorse.
So somehow you got to tighten that up a little bit, in my mind. Maybe I'm not reading it correctly, but that's the way I read it.
CHAIR BROWN: I would amplify that. I had -- yeah, in spades, because my notes were how can you endorse 5.17 when we've now got 1.164 and 1.250, all the commercial dedication stuff is tied up in the NEI documents and those topical reports. And how does that merge with the stuff in Annex C, which we're not endorsing for the CGD stuff.
It just seems to me we've just gone through the drill of a commercial dedication process.
And why even endorse 5.17? You really ought to just endorse for commercial dedication the reg guides and documentation that we already have in place and not refer to Annex C.
MEMBER HALNON: Which it does list. The endorsement of 5.17 adds in this circular conversation about --
CHAIR BROWN: Yeah, but the stuff we've endorsed, the reg guides we've put out -- exactly. They come -- it says further guidance for commercial is in all these documents. Well, why bother with 5.17? It just confuses things.
MEMBER HALNON: And --
CHAIR BROWN: The circular references back to Annex C.
MEMBER HALNON: The majority of Annex C is verbiage out of a reg -- I mean a generic letter. So it's you don't endorse their generic letter on. It's just a --
CHAIR BROWN: Well, did you read all of -- did you read all of 5.17? There's four -- there's four, five, six, six pages all tied up under use of commercial equipment.
MEMBER HALNON: Yeah.
CHAIR BROWN: In 5.17. Well, do those apply, or is it the topical reports and 1.164 and 1.250? I got -- there was no way in the time to go back --
MEMBER HALNON: Well, it gets to the spaghetti thing that we talked about earlier.
CHAIR BROWN: Yeah.
MEMBER HALNON: That's getting worked out.
CHAIR BROWN: This isn't spaghetti, this is a humongous lasagna of spaghetti.
MR. NGUYEN: Yeah, we recognize the spaghetti problem. We have many guidance documents on the same topics. However, we look at it from a different angle to see whether this guidance is endorsable, or if it isn't, we'll, you know, make the exception.
In this case, we say it's not perfect but it's one way, one approach acceptable for staff to review. But the applicant or licensee, you know, can use Reg Guide 1.250 and Reg Guide 1.164 that you mentioned as another method.
CHAIR BROWN: Why go to all the effort of having 1.164 and -- we spent humongous amounts of time doing -- going back through those topical reports and the NEI guidance and 1.250. And now we say, oh, well, here's another thing. IEEE put out this thing, and that looks okay also. I just, this is just incongruent to me.
And I hadn't -- I know what I would be recommending, but I'm not going to say it here in the meeting. But it seems to me that that whole thing ought to be just canned and just say we're not endorsing Annex C and we're -- 5.17 is not endorsed either.
MEMBER HALNON: It would suffice to me if you just eliminate my confusion, however that may be.
CHAIR BROWN: Well, I hated to do all that work and review all that stuff just to come back and say hey, there's this -- why didn't you all just instead of going through 1.250, why didn't we just come off here with IEEE 7-4.3.2 5.17. If that's good enough, why not? We shouldn't have two ways of doing it, that's all I'm saying.
MR. NGUYEN: For your information also, when this reg guide was developed, Reg Guide 1.250 was still under development. So --
CHAIR BROWN: Well, we'll give you a suggestion then.
MR. NGUYEN: So just for the information, I'm not saying that what you're saying is wrong, but --
CHAIR BROWN: I got that. I'm not accusing anybody of malfeasance. It's probably the case since we just wrote the letter on that several months ago.
MEMBER BIER: I wonder if part of the problem with the spaghetti of referring to different reg guides is the desire to keep options open for industry if, you know, in year X we said a certain method was endorsed, that somebody may have gone forward with that and we don't want to now change and say hey, somebody else came out with a better way, no, just got to do that.
Is that part of what's driving the complication, or just not having the time and budget to go through and clean up all the different reg guides?
MR. BENNER: Well, this is Eric Benner. So I think that's an element of it. Member Brown said there shouldn't be two ways, and I would push back on that. There should be as many as there -- that are acceptable. So we, you know, we did a heavy lift on the Reg Guide 1.250 to -- for a new way.
We're not -- we're not removing this way, so I mean, it's as simple as that. I think we can certainly go back, and regarding the clarification to make sure, you know, to the reader that we don't -- we're not creating confusion by, like you say, endorsing 5.17, explicitly saying we're not endorsing Annex C.
I can see how, well, what's that mean, right. So we'll go back and look at that.
CHAIR BROWN: Well, we had a recommendation in our letter that said, hey, if you're going to go endorse commercial equipment and this to certify with, that you have to make sure whatever you're going to be certifying is capable of incorporating. And you all -- requirements that are in the other reg guides that we deal with when we're doing it.
And you all did that. You prepared a paragraph, it came out just fine, okay. That's not in here. So do we need to now modify your reg guide to go put that information in, along with your statement on 5.17?
Because it's another caveat relative to -- because we were -- we were pretty focused on trying to make sure that whatever commercial stuff gets out, it's going to be able to be functionally utilized by the applicants for -- and meet the other requirements that we have.
This doesn't address that issue. It's just hey, we'll dedicate this stuff and find out it works and do some hazard analysis and everybody's going to walk away happy.
And the confusion is the spaghetti approach, we don't endorse the Annex, 5.17 we do endorse. But then we throw all the other stuff in, here's some more information to allow you to go dedicate. Well, is it a mish-mash, do they have to blend them? It's just --
MR. BENNER: And they certainly don't have to blend it with Reg Guide 1.250, because that was a discrete way for using civil certifications in your commercial grade dedication programs. Now, the interface between this and just the overall reg guide on commercial grade dedication programs, there clearly is overlap between those two.
CHAIR BROWN: This did not get as much overview on the commercial dedication.
MR. NGUYEN: Also -- sorry.
CHAIR BROWN: Go ahead, no, go ahead, Khoi.
MR. NGUYEN: So I would like to point out that Reg Guide 1.250 applies to both analog and digital. This clause was specifically prepared for programmable digital devices and has some good criteria for the digital devices. So, and we couldn't find anything that is not acceptable to endorse.
And again, we are not trying to say that this, you know, the endorsement of this has to be working in conjunction with all the reg guides. No, this is one way to -- one approach to meet the regulation for a programmable digital device.
And we also reference Reg Guide 1.250 for commercial grade dedication for more information. But I don't know. We may need to clarify the reference.
And I see in clause 5.17 to the -- not make, you know, the confusion of why we're not endorsing. And I see endorsed -- and we endorse cross and the cross-reference. And I see -- so we will make that clarification.
CHAIR BROWN: Well, I'm not sure how our phraseology is going to come out in the letter, so we'll see if we -- how we deal with that.
MR. BENNER: I think we understand the concern expressed by the members.
MR. NGUYEN: Think we move on?
CHAIR BROWN: Yes.
MS. ANTONESCU: Member Brown, we have -- we have Greg Galletti from the Reactor Oversight and Quality Assurance and Vendor Inspection. He had his hand up.
CHAIR BROWN: Oh, I didn't see the -- I didn't see the hand up.
MR. GALLETTI: No problem. Greg Galletti with the Quality Assurance Vendor Inspection Branch.
Actually, during the discussions, my thought had been captured, so I actually put my hand down. But I do understand the conversation that you've provided and will certainly take a look into that.
CHAIR BROWN: This is on 5.17?
MR. GALLETTI: Yes.
CHAIR BROWN: Annex to the discussion we just had, right?
MR. GALLETTI: Yes, correct.
CHAIR BROWN: Okay, all right, thank you.
MR. NGUYEN: All right, clause 5.18. This clause was added to clarify the concept of the simplicity and complexity. It doesn't provide any guidance except for the clarification for those two terms. Any question on this slide?
CHAIR BROWN: The simpler the better, right? Pardon.
MEMBER HALNON: Thus the ALARA of the digital world.
CHAIR BROWN: There's no such thing as simple in the digital world.
MEMBER HALNON: As simple as reasonably achievable.
MR. NGUYEN: Now we move to the next slide, slide 13. This slide and the next slide cover, you know, what we already discussed during the meeting, you know, the direction from the Commission to revise two reg guides, 1.152 and 5.71.
So if you're not opposing, I can skip these two slides. Okay.
CHAIR BROWN: Go to the next slide.
MR. NGUYEN: Yeah, that's a paragraph into the -- into the reg guide, and you --
CHAIR BROWN: This is the one I suggested that we add some --
MR. NGUYEN: Right, and we already talked about it.
CHAIR BROWN: Some words similar to the watchdog timer words for application.
MR. NGUYEN: So we can skip to slide 15. This slide provides the mapping between the regulation and the guidance. 10 CFR 50.55a(h) requires that the protection system for nuclear power plants meet the requirements of IEEE Standard 279 and 603 and the correction sheets, depending on the licensing basis of the plant; for safety systems using digital programmable computers, 603-1991 references 7-4.3.2-1982 for guidance for meeting the requirements.
So the mapping between the regulation from the top to, on the left, the guidance that is endorsing the IEEE. So this is very straightforward.
Any question on this?
CHAIR BROWN: I'll tell you in a minute. I've lost the page. Oh, no, that's, yeah. Anybody else have any comment on this particular slide? No? I don't.
MR. NGUYEN: All right, we're on slide 16. We already discussed the incorporation of the SDOE guidance, the guidance from EPRI, from the reg guide into the 2016 version of 7-4.3.2. So for this proposed revision of the reg guide, we removed -- that SDOE guidance.
CHAIR BROWN: Now go -- this reminded me of one. Go back to slide -- no, that one, go ahead.
I just meant I might have gotten lost here. Slide 16 is what I'm -- that's different than the slide 16. Somewhere I called up -- they called up the wrong set of slides. How many total slides do you have?
MR. NGUYEN: Twenty, twenty-two.
CHAIR BROWN: I got 28.
MEMBER HALNON: Did you make your own slides, Charlie?
CHAIR BROWN: No, it was an earlier version, and there was another set that came out. And obviously open for the purpose of this discussion.
MEMBER HALNON: On our SharePoint there's this one I opened up.
CHAIR BROWN: Yeah, I downloaded it, it's just a matter of whether I deleted the other one. Bear with me while I struggle here.
MR. NGUYEN: Is that the same slides we sent you on Monday?
CHAIR BROWN: I think I got a set earlier.
MR. NGUYEN: I don't know if we ever sent you an earlier one. I don't know.
MS. ANTONESCU: Yeah, I don't remember sending an earlier version.
CHAIR BROWN: No, I'm looking at a set of slides that had 28 in it that says for this meeting.
MEMBER HALNON: Go to the SharePoint and pull up the new one.
CHAIR BROWN: All I got to do is find my file. I downloaded it, I'm just going back to my file right now, from the Subcommittee meeting. Going to SharePoint I'll lose everything.
I had a draft from 11/3, it opened this other one up. This one is 22 slides. Is that the right one? I'll close the other one. Not going to change what I need to do. Accept.
I'm glad I had the other slides up because (inaudible) had a large discussion that was pretty decent on diversity, which was deleted completely. And I've moved to Rev 4, that rev be open right now.
MR. NGUYEN: Which section on Rev 3 are you talking about?
CHAIR BROWN: It was in the discussion. I think it was in the discussion.
MR. NGUYEN: When we developed this new revision, we structured the discussion section to what, you know, basically what the change we incorporated in the new revision. We don't go back to the previous version's discussion to copy it over.
I thought you were talking about guidance, but.
CHAIR BROWN: I'm in the -- I'm in the guidance.
MR. NGUYEN: Yeah, but you're talking about Section B, right, discussion?
CHAIR BROWN: I think I'm in the background section. You kept one part of it and then you deleted the rest.
MR. NGUYEN: We typically -- normally we don't copy the discussion from one revision to the other. We structure it to match the content of the new revision.
CHAIR BROWN: There was a section in there that talked about with the introduction of digital systems, concerns have emerged about the possibility of design errors, etc., etc. The design techniques of functional diversity, design diversity, diversity in operation within the four echelons of defense, etc. Actuation control, on and on and on.
Then it went on to the justification for equipment diversity or the diversity related to software such as real-time systems, etc., etc. All that was deleted from Rev -- it wasn't deleted. Rev 3 had it, you did not move it to Rev 4. That was on page 3 of the reg guide.
So that -- I looked through the rest just to see where there was a discussion, it was almost like diversity disappeared from the realm of usefulness in the common cause failure world. That was the -- that was the problem I had. It didn't seem like to be a good idea to me to throw diversity out with the baby or the bathwater.
I'm not hearing anything.
MR. NGUYEN: I already told you that we're not copying, you know, the --
CHAIR BROWN: I know you don't, but there's -- well, you copied a lot of it. A lot of Rev 3, I mapped Rev 3 into Rev 4, and you duplicated a lot
of the stuff from Rev 3 into Rev 4. So the point that you don't copy stuff over is not correct. You reworded some of the stuff, but fundamentally the idea was there. So that was --
MR. NGUYEN: If the discussion supports the guidance we provide, then yes, we will have it. But for common cause failure, we basically referenced BTP 7-19. So if we are talking about some diversity in the discussion section and --
CHAIR BROWN: I'm sorry, it was on page 2, 2 and 3, 2 and 3.
MR. NGUYEN: Yeah, and the last section on the common cause failure we don't say a thing about diversity. I think that is awkward.
CHAIR BROWN: I'm trying to remember whether -- where diversity's even used in the reg guide. I don't remember. I thought I keyworded that at one time in Rev 4. Am I correct?
MR. STATTEL: There's an annex problem.
CHAIR BROWN: Pardon?
MR. STATTEL: There's an annex.
CHAIR BROWN: But it wasn't endorsed.
MR. STATTEL: Correct.
CHAIR BROWN: That part I didn't understand. Diversity seems to have -- it's not endorsed. It's not even discussed. And I, it just seems to me that that doesn't go in the direction that we ought to be going. So completely divorcing ourselves is almost like the way to help on common cause stuff is not diversity. It's anything else you can think about but not diversity.
And I know we've got thoughts in the mill, people would like to not have as much diversity. It's a different issue. But the reg guide, it's -- that should be settled in a different way rather than just have it disappear from the reg guide.
MR. NGUYEN: No, no, you're talking about the spaghetti. The purpose of this reg guide is not to provide the specific guidance on the common cause failure because we have BTP 7-19 to address it. So if you must see the guidance by including the discussion of diversity for common cause failure and not providing the actual guidance, I don't think that's a good idea.
CHAIR BROWN: Well, we had BTP 7-19 before and we had Rev 3 before. It didn't seem to cause a difficulty to -- because that -- I mean, you've got the -- you've got common cause failures all wrapped up in this IEEE standard.
You've got common cause failures mentioned in your reg guide. And there is, with that -- what you're telling me is you ought not even bother to have a section on common cause failures in here because we'll address it under BTP 7-19. And that doesn't seem to compute.
MR. NGUYEN: Yeah, that BTP 7-19 is eight levers compared to the previous version that, you know.
8 CHAIR BROWN: I know, we reviewed that.
9 MR. NGUYEN: Right. I'm talking about Rev 10 3, and the Rev 3 BTP 7-19 is a different animal. And 11 I'm sorry, I didn't prepare the Revision 3 of the reg 12 guides. And I don't have to, you know, repeat what I 13 don't agree on.
14 MEMBER PETTI: Doesn't this sort of agree 15 with your idea if you keep all aspects of digital I&C 16 in all the reg guides, it's a huge problem to try to 17 make sure it's always consistent.
18 The fact that it sits over in another 19 document, it seems to me it unravels the spaghetti 20 somewhat, if you will. It makes it cleaner and helps 21 as you're going to -- as you're trying to align 22 everything.
23 CHAIR BROWN: I'm sorry, Steve. Go ahead.
MR. STATTEL: Well, it can if it's clear, but that's what we were talking about earlier. If it's properly cross-referenced. In the Rev 4 here, it appears in the Section 4.2 and it does mention common cause failure and diversity and refers to the branch technical position. But that's the -- that's the extent of it.
As Charlie's saying, there was a much, much larger discussion in Rev 3. Now it just appears as reference to the other documents, which is a good thing. But it has to be clear in both places.
MEMBER HALNON: It repeats that same reference in Item 2, you know, where it's talking about Annex A, Annex B endorsement, that Annex B is not endorsed but go to BTP 7-19. And it also references NUREG 800 for defense-in-depth and diversity. So --
CHAIR BROWN: It references what?
MEMBER HALNON: NUREG 0800.
CHAIR BROWN: Oh, NUREG.
MEMBER HALNON: Which is, again, repeats BTP 7-19. So I didn't have an issue with it. And I mean, I went through and just searched on diversity and it seems to show up appropriately throughout. But I did not go back to Rev 3, Charlie, and read to see if everything I expected was in diversity. Hit that pretty hard under that last Subcommittee meeting.
CHAIR BROWN: Yeah. You said it's -- you see it in Rev 4, where?
MEMBER HALNON: Page 2.
CHAIR BROWN: The only place I saw was on page 2 where they --
MEMBER HALNON: Page 2.
(Simultaneous speaking.)
CHAIR BROWN: -- related guidance.
MEMBER HALNON: Page 5. Under number 2 on page 5. And on page 11.
CHAIR BROWN: Again that's under -- it's not endorsed.
MEMBER HALNON: It goes on --
MEMBER MARCH-LEUBA: I think V is not endorsed but criticality --
MEMBER HALNON: It goes on into the reference.
MR. NGUYEN: Yeah, he's talking about BTP 7-19.
MEMBER HALNON: Right. And then I'm --
CHAIR BROWN: I guess my difficulty with that is we discussed the annexes, which aren't endorsed. And then we say oh, by the way --
MEMBER HALNON: Well, look at page 11, 10 and 11.
CHAIR BROWN: That's where I'm going next. That's where the --
MEMBER HALNON: Common cause failure is listed and it talks about 4.2 is specifically on diversity.
CHAIR BROWN: Okay, all right. I yield. My eyeballs started falling apart after trying to collate four different documents.
MEMBER HALNON: I don't blame you, yeah. It's a lot of stuff.
MR. NGUYEN: So are we on?
CHAIR BROWN: Yeah, you're okay on that. Let me make sure I make a note of that so I don't spin my wheels. Okay, go ahead then.
MR. NGUYEN: We continue on slide 16. So the endorsement, including additional guidance for protection and self-diagnostics if used in the digital I&C system. The guidance and clarification for control access, we already talked about this. And endorsement of Annex D, which I will cover more -- in more detail later. Next slide, slide 17.
So the first staff position, 1.B(1), we're talking about the endorsement of Annex D. So the NRC has worked closely with the IEEE working groups to enhance the hazard analysis guidance in Annex D. And the 2016 version of the 7-4.3.2 updated Annex D in part to implement the NRC staff feedback related to the IEEE hazard analysis guidance.
The NRR staff collaborated with the Office of Research via the research -- assistance request to assess whether Annex D supports an adequate technical basis for establishing consistently all of the written guidance for licensee and applicant in the use of the new hazard analysis technique as an additional means for demonstrating set date.
So this draft guide endorses Annex D with clarification to provide technical basis for applying and evaluating the hazard analysis in supporting the set date demonstration. Next slide, slide 18.
For system integrity criteria, this draft guide clarifies my -- I think the guidance for self-diagnostic if used in the digital I&C system.
This guidance is consistent with BTP 7-17 guidance for -- guidance on self-test and surveillance test provision.
Also this proposed revision of this reg guide for the first time officially considers crediting self-diagnostic to either reduce or eliminate the channel operability test, provided certain criteria are met. Currently, crediting self-diagnostic for surveillance requirement is reviewed and approved on a case-by-case basis.
The NRC staff worked closely with the IEEE working group to enhance the IEEE self-diagnostic guidance with the industry enhanced guidance. And the staff reviews licensing successes in approving these type of request. Considering the credit for self-diagnostic would enhance efficiency and effectiveness of the staff licensing reviews.
The staff also clarified clause 5.6 by including the ISG-4 guidance. That has not been incorporated by 7-4.3.2, including software instruction, error checking, point-to-point data communication and data capacity.
Any question on this slide?
CHAIR BROWN: Yes. Now I can't find where I -- I don't disagree necessarily. One place I read this and whether it was is this -- it might have been in the IEEE standard. They listed a bunch of stuff that said in addition to what you listed for not having to do operability test. One of the line items was you do 100% testing. And is that in the IEEE standard?
MR. NGUYEN: No, but we decided not to include that as a clarification --
(Simultaneous speaking.)
CHAIR BROWN: Yes, I noticed, I noticed that. And, I don't, I'm not disagreeing with that.
MR. NGUYEN: Yes, I.
CHAIR BROWN: There was a list of four or five items in order to be able to discredit. Now I'm trying to, I read all of them.
MR. NGUYEN: Yes, there are a few items I didn't describe that we didn't, we didn't include because either it's not necessary, or it's not practical.
Unnecessary like the 10 CFR 50.49 environment requirements that we don't need to include it into.
I mean the ISG-4 has it, but the standard didn't, and I don't think we, that we need to because safety related equipment is automatically required to meet 10 CFR 50.49. So it's a redundant thing to list it in there.
For the 100 percent testing requirement, there's no way you can test the software 100 percent unless you only have two or three IOs. That's doable.
CHAIR BROWN: No, I'm not disagreeing, it's just that, oh, here it is. Yes, it's in section 5.16 of the 7-4.3.2, which is --
MR. NGUYEN: I'm sorry, it's 5.16?
CHAIR BROWN: Yes, common cause failures, and it says PDD is not considered susceptible to CCF, if the PDD is shown to be deterministic in performance documentation of all functional states, and all transitions between states in its testable base, testing every possible combination of inputs.
So that, is that still in play? You don't take that away in the Reg Guide? It's just this was inconsistent to me with the, what number are we on?
Which point? System integrity?
MR. NGUYEN: You mean independent, right?
CHAIR BROWN: Yes, it's 1.2.3 about self-diagnostics should be credited. Or operational tests.
This says it can be discounted that be susceptible to CCF. I presume this is still in play, then? You didn't negate that in the Reg Guide? Page 36, 5.16.
And it says, testing every possible combination for PDDs that include analogue testing of every combination of input. Testing every possible executable logic path, including non-sequential.
This is a huge, huge leap to do that. And yet over here we talk about self-diagnostics being able to be credited to not perform periodic tests.
MR. NGUYEN: I think we're talking about two different tests here.
CHAIR BROWN: Maybe we are. I just --
(Simultaneous speaking.)
MR. NGUYEN: Right.
CHAIR BROWN: -- one it seems is targeted at can't, you can't prove you're not susceptible to a CCF, which is virtually impossible to meet.
The other one has a set of categories, it says if you, your self-diagnostics test gets you enough information, then you don't have to come through and do manual operational tests.
So I presume that means manual operational tests to make sure you're working correctly.
MR. NGUYEN: Right. That's a different test than the one that you're talking about that's section 5.16. That's what the test, software testing for the design phase.
CHAIR BROWN: I did. The channel operability test the way you, that means manual?
MR. NGUYEN: Manual, yes. That applies to
(Simultaneous speaking.)
CHAIR BROWN: You really ought to say manual. It's not clear what that means. With my old job, that doesn't necessarily have to be manual, depending on what you're doing.
Anyway, all right, is they're different. I was conflating the two.
MR. NGUYEN: Yes, they are two different --
(Simultaneous speaking.)
CHAIR BROWN: All right.
MR. NGUYEN: -- type of test. Not the same.
CHAIR BROWN: Back to the slide.
MR. NGUYEN: Okay, we're now on slide 19. No further control access.
We already talked about this, so I don't want to, you know.
CHAIR BROWN: Go back to 16 again, or 18 again. Just I want to make sure I understand the second one.
Staff position 1(b)(2) is independence.
MR. NGUYEN: Yes, we already talked about this and --
(Simultaneous speaking.)
CHAIR BROWN: Let me finish.
MR. NGUYEN: Okay.
CHAIR BROWN: That includes the self, and the self-diagnostics is also covered under that? No, that's under --
(Simultaneous speaking.)
MR. NGUYEN: No, no.
CHAIR BROWN: -- that's 1(b)(1)?
MR. NGUYEN: Right. That's a different section.
CHAIR BROWN: Oh, okay. No, no, that's fine. All right, I've got okay's written all the way down the page. Just getting my pages in order again.
Okay, go ahead.
MR. NGUYEN: So, on slide 19 we already discussed extensively the control access so I'm not going to cover it.
On the contrary, also we talked about this.
We, the proposed revision of this Reg Guide simply is this reference to BTP 7-19 for common cause failure guidance.
CHAIR BROWN: That's 1(b)(4), right?
(No audible response.)
CHAIR BROWN: Five pages back. Got it.
MR. NGUYEN: Any question on this one, this slide?
CHAIR BROWN: Anybody else?
(No audible response.)
CHAIR BROWN: Okay.
MR. NGUYEN: All right.
So for summary, Reg Guide 1.152 is one of the primary Reg Guides used by applicants and the licensee manners in the development of digital I&C license application. Reactor certification, and this is the I&C topical reports.
Updating this Reg Guide is considered a high priority based on recent, recent licensing experience.
And, interaction with the stakeholders that contributed to the update of the 2016 version of 7-4.3.2.
Next slide.
So the staff proposed the revision of the Reg Guide 1.152, to update information and guidance in the area of the functionality, reliability, design quality, and SDOE for programmable digital devices in the safety-related systems of a nuclear power plant, to support NRC guidance and review of practices to ensure that the guidance in these areas is current, and consistent with the staff position.
First, it has the efficiency and effectiveness of the licensee review.
That will conclude my presentation.
CHAIR BROWN: Any other?
MEMBER MARCH-LEUBA: Overall, my concerns earlier.
CHAIR BROWN: Okay. Okay, Eric, did you have any notes about what you think you're walking away with, or do you just want me to surprise you?
MR. BENNER: I think Khoi was taking better notes as to the things we're, we're going to look at.
So we can either listen to your list, or we can just go through our list.
CHAIR BROWN: It's not extensive. It's just --
(Simultaneous speaking.)
MR. BENNER: Yes.
CHAIR BROWN: -- I'm trying to integrate a lot of stuff we resolved in the conversation.
MR. BENNER: Uh huh.
CHAIR BROWN: I may not remember that for long, but I can also go back in the transcript and figure out that --
(Simultaneous speaking.)
MR. BENNER: No, I think Khoi can just list the issues that we said we were going to go back and
(Simultaneous speaking.)
CHAIR BROWN: Well, I'll give you what --
MR. BENNER: Okay, okay.
CHAIR BROWN: -- I've got.
MR. BENNER: Okay.
CHAIR BROWN: No, go ahead and give me what you've got, and then that way --
MR. BENNER: You'll correct the record.
CHAIR BROWN: Well, you might say that. I wasn't going to phrase it quite that way.
MR. NGUYEN: All right, let me try.
So in Section 3.3, there's reference to the design specification for --
(Simultaneous speaking.)
CHAIR BROWN: A mention, watch dog, something similar to the watch dog.
MR. NGUYEN: Yes, we will consider to include the language similar to the watch dog.
CHAIR BROWN: Yes.
MR. NGUYEN: For example --
(Simultaneous speaking.)
CHAIR BROWN: Make it positive language. So not, don't --
MR. BENNER: Yes, an example regarding --
CHAIR BROWN: Yes --
MR. BENNER: unidirectional communications.
CHAIR BROWN: -- this is a method we would consider acceptable. Kind of the same words. It ought to be a positive, not a "if you try to slip it by us we may accept it" type language.
MR. NGUYEN: So how do you rate this concern from 1 to 10?
CHAIR BROWN: What, which one?
MR. NGUYEN: The first one.
MR. BENNER: Eleven, Khoi. It's an 11 on a scale of 1 to 10.
MR. NGUYEN: No, yes, so I would do that first, you know? Which one is the most important I will do it first.
MEMBER HALNON: If 1 is important, 10 is not, and everything's a 5.
MR. NGUYEN: Okay.
So the next one, I don't know if this is a concern but there were questions on the roadmap of ISG-4, for the end user, how the user, the guidance for it.
But that probably is in a question --
(Simultaneous speaking.)
CHAIR BROWN: I don't remember talking about that one.
MR. NGUYEN: Oh, then forget about it.
CHAIR BROWN: Somebody brought that up.
MR. BENNER: Yes, I think that was Danner. I wouldn't call that an issue for this Reg Guide, but at some point, a communication between the staff and the committee about how all this fits together --
(Simultaneous speaking.)
CHAIR BROWN: When are you going to retire, is kind of his question.
Did we get all, are we going to be able to retire ISG-4 because you've captured everything?
MR. BENNER: Yes, and the short answer is no, because it also has to populate to the staff guidance and the standard review plan.
CHAIR BROWN: Yes.
MEMBER HALNON: Eric, we had similar conversations with the Source Term Group, you know, and they effectively built the roadmap on a website and some documents so that you might look at what they did, and that could be, you know, inform what you do first.
MR. BENNER: Okay, thank you.
MR. NGUYEN: But that wouldn't be the action item for this, right?
CHAIR BROWN: No.
MR. NGUYEN: This is the --
(Simultaneous speaking.)
MR. BENNER: No, this was just we need to understand the roadmap of how you get from, you know, a blank sheet of paper to a design.
And, understand where you guys as a staff review, and what guidance is being given and that sort of thing.
The whole, you know, aspect of it so that we understand how we get from A to B.
MR. NGUYEN: Okay, thank you.
So the next item would be the concern on the wireless capable device.
So we need to clarify the wireless capable device used for NTE must be controlled by some process that makes sure that the device is not caught, not become the pathway for virus, blah blah blah.
CHAIR BROWN: Yes. I'm not trying to dictate that, it's just we ought to, right now it just kind of implies abstract but if you --
(Simultaneous speaking.)
MR. BENNER: Yes, we'll look at that factor in the language.
CHAIR BROWN: Yes.
MR. BENNER: And I definitely want to --
(Simultaneous speaking.)
CHAIR BROWN: I understand definitely what Rich was talking about, why it's there. I don't disagree with the comments.
MR. BENNER: We'll want to look at the whole body of the language in there, to see what maybe there are changes versus integration, so.
CHAIR BROWN: Okay, next one?
MR. NGUYEN: The next one, the same language used for Section 3.3, you want to incorporate in Section 5.9 control access.
CHAIR BROWN: Well, you already mentioned that one.
MR. NGUYEN: Yes, but you said it in two places.
CHAIR BROWN: Yes, well it's taken from 3.3, something similar in whatever the paragraph. But what was it, 3, no, take it from the watch dog timer paragraph and put it in 3.3, something similar.
I don't know where that was. That was back in --
(Simultaneous speaking.)
MR. NGUYEN: 5.9.
CHAIR BROWN: 5.9. Was that in the --
MR. NGUYEN: In the --
(Simultaneous speaking.)
CHAIR BROWN: That's in the Reg Guide?
MR. NGUYEN: -- the Reg Guide.
CHAIR BROWN: Yes.
MEMBER MARCH-LEUBA: 5.9 is controlled by the, I'm sorry, Section --
(Simultaneous speaking.)
MR. NGUYEN: 3.1.3.1.
CHAIR BROWN: Yes, 1.2.1. That's where the watch dog timer words were. That's back, that's the same issue you mentioned before, okay?
Do you have another one written down, or is that it?
MS. LAWSON-JENKINS: You wanted a new section 5. --
(Simultaneous speaking.)
MR. NGUYEN: You don't have any more as I was talking.
CHAIR BROWN: Oh, yes, the 5.9 trying to get into --
(Simultaneous speaking.)
CHAIR BROWN: -- try to highlight that in 7-4.3.2 just the physical security, and then it has a whole bunch of stuff.
The real point now when you've introduced computers and it is now not just physical, it's electronic access.
So there ought to be something, change, I don't care whether you change the title, whatever you write up in here that says hey, to clarify this means electronic control.
Because you can't change the IEEE standard. That's the way it is. But just a clarification that 5.9 --
(Simultaneous speaking.)
MR. NGUYEN: Should be supplemented with.
CHAIR BROWN: -- 1.2.1 or something, and make it physical security.
And now it introduces electronic control, electronic access, which is a vulnerability due to the computer systems.
Just to highlight it, and then to have some discussion about what that means. That's all.
Doesn't have to be extensive, just how you deal with it, okay?
And, then is that it or you've got another one?
MR. NGUYEN: One more. We will clarify clause 5.17.
MR. BENNER: Yes, all things commercial grade dedication, I think.
CHAIR BROWN: That's the --
(Simultaneous speaking.)
MR. BENNER: I think we'll take a fresh look at.
(Simultaneous speaking.)
MR. NGUYEN: That's incorporated by reference.
MR. BENNER: Annex C, Annex D.
MR. NGUYEN: Yes, Annex C, and so that's the last one I have.
MEMBER HALNON: I just had one other thing I feel compelled to ask Charlie to just mention, that you guys said you're going to try and tighten the window between revisions.
Not a recommendation or anything, just a statement that we recognize that this was seven years and, you know, the present process looks like it will tighten that to be more contemporary, or something to that effect.
But just didn't want you to, I didn't want to lose that point because I think it's in the regulatory world, seven years doesn't seem long, but it actually is.
In a digital world, there's a lot of developments between now and then.
CHAIR BROWN: That would be good to go up, if you did anything, up in the purpose of the Reg Guide would be a good place to say that.
I was just trying to think about --
(Simultaneous speaking.)
MEMBER HALNON: I just wanted to acknowledge in the letter that we talked about it.
CHAIR BROWN: If you want to give me something?
MEMBER HALNON: Yes, I'll give it to you.
Staff recognizes it and then, you know, agrees that it's going to get, going to get better.
MR. BENNER: Yes, the committee's going to do what it's going to do. I don't know if we would put that in the Reg Guide itself because that's, the Reg Guide is the product.
MEMBER HALNON: I agree.
MR. BENNER: But the comment is about the overall process and framework.
MEMBER HALNON: Yes.
CHAIR BROWN: We'll try to take --
(Simultaneous speaking.)
MEMBER HALNON: I'll just give you a sentence or two.
CHAIR BROWN: Okay, something to try to reflect what his thought process is.
I had one other item. The way I've got it written is Annex C, you've got that covered, the 5.17, the wireless points.
Hopefully we can get the transcript to you so you, we went through a lot of discussions.
The 3.3 with the watch dog timer words similar to, and the 1.2.1 where you pull them out of there, and then something similar for the cyber paragraph, which was back I think in 3.3.
And the last item I had is that, and a good place to do this in the Reg Guide. I'm big on preambles and highlighting what you're trying to do, like the background type stuff.
You go from the regulation paragraph in the beginning where you cite every regulation in the world in the 10, 279 this, that and the other thing in the 10 CFR stuff.
Then you talk about the working group integrating that stuff in. Then you get leap right into I&C that use PDDs, adopt advanced technology, et cetera, et cetera, et cetera.
A lead in to this, that paragraph to me is we don't talk about architectures. The application of these devices and then architecture that is, meets the fundamental design principles, is what's critical in all of this stuff. We keep doing it every time.
This is an ideal place because this is the devices that you're using, and how they're incorporated and integrated into an architecture that is, you know, robust, multi-divisional, meets the design independence redundancy determinant, whatever, whatever the words are.
I'll probably say something in the letter relative to that, and then leads in to that paragraph, and that how that provides protection in this world from a lot of different problems that you can cover in CCF world.
And then all the rest of it flows because now it's sort of categorized hey, we've got a new world. Computers, they do things. Introduce new problems. Robust system takes care of some of those, a lot of those, not all but a lot of them.
In my opinion, it takes care of a huge amount of them if you maintain independence strictly, asynchronous operation not just within the devices internally to each channel, but also between divisions, that, that robust architecture is valuable.
23 And we really need to, you know, I'm 24 looking for the right word. Propagate that into the 25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
154 standard so that people understand what's going on, is 1
a good reference.
2 So I'll probably ask, I'll try to provide 3
something as an example, but you guys can point you on 4
whatever you want to do.
5 Other than that, any other opinions 6
relative to the, that you want to voice? I haven't 7
gone out to public comment yet.
8 MEMBER BIER: I just want to express that 9
I thought this was a super constructive meeting on all 10 sides.
11 That you know, you guys seem to have 12 understood where we were coming from, and we 13 understood what you're constraints were.
14 And it's really nice to see such a 15 contentious issue suddenly, you know, kind of I don't 16 know what you're going to end up writing of course, 17 but you know, the idea that it could be resolved to 18 like everybody's satisfaction is just really nice.
19 And I appreciate the process and the pain 20 and suffering it took to get to this point. So.
21 CHAIR BROWN: I appreciate that reflection.
22 And just to communicate, one of the problems that we 23 have is when we review stuff, we have to look at it in 24 a complex system, from a top level down.
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
155 There's no way when we, and we have to 1
come away satisfied that major concerns and potential 2
problems are addressed.
3 Without digging down into infinite weeds 4
like those reflected in spades in the IEEE standard.
5 I mean I did go through it. I compared it 6
with the 2000 or whatever the last one was that was 7
referenced, which I think was 2003 in the Reg Guide, 8
Rev. 3.
9 So I did a mapping back and forth. The 10 new one is a lot better than the old one. Okay, 11 there, it was definitely Rich, you guys did a good 12 job. Did you hear me? Wake up.
13 You guys did a good job on the 16 version.
14 There's a lot of good stuff. The working, however 15 they came out of this with the working group, it came 16 out I think, pretty, pretty good.
17 MR. STATTEL: Thank you.
18 CHAIR BROWN: And, I think you guys should 19 get some kudos for that. That was not an easy task, 20 particularly in an international.
Was that 21 international, or was that just U.S.-based?
22 MR.
STATTEL:
We did have some 23 international representatives.
24 CHAIR BROWN: You did, okay.
25 NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com
I'm just we're just trying to get to the point where we make these reviews easy, and we make, and ensure that the applicant gets on with his business and get this stuff included, incorporated into the plans.
Because it's a significant improvement in overall performance with these systems, IC analogue systems.
So, you know where our focus, you know where my focus is by now after 14 years, and that's managed to work with the committee. They've accepted my conclusions if I say it looks okay, they kind of say it's okay.
And so and if you look at the last SHINE, if you look at NuScale, if you look at APR 1400, we blitzed through those.
ESPWR 14 years ago was like sucking blood out of rocks, because it was bottom up if you need your positions. You don't need to review this anymore, sorry.
We had an architect that looked like a stick man that I drew in the first grade.
AP 1000 was better. They ended up having to fire the INC manager because he didn't want to do what we wanted the next guys thought it was a good idea to do what we thought was good, and they, then it flew through.
We didn't get everything because we didn't understand as much as we do now. It's evolved some, but trying to make it easy for both us, you all, and the applicants.
That's the purpose of going through this stuff and winnowing out the comments. So I hope, I hope you all take it that way.
This is not meant to be a for bows and arrows approach to doing business. How do we get to the same place.
How do I open this up for public comment, Dave?
MR. HECHT: Charlie? Charlie, this is Myron Hecht. There was just one other point that Vicki made. I don't know if Vicki wants to make this into an action item.
But in the discussion about intrusive cyber security measures versus non-intrusive versus not doing them because you were convinced that you are protected, Vicki had suggested, and this is in Section 5.9, or clause 5.9.
Vicki had suggested perhaps adding some concrete examples in the Reg Guide would help.
CHAIR BROWN: Okay, I missed that. Can you pencil something up a little bit? Doesn't have to be extensive.
You understand what her comment was, Eric, Khoi?
MR. NGUYEN: Not really. And, can you elaborate, please?
CHAIR BROWN: Was that in the Reg Guide or in the IEEE Standard? I don't remember.
MEMBER BIER: I think it was in the Reg Guide, but I would have to go back and look. Thank you for the reminder, Myron.
Greg, what do you think? Is that something that's important enough to push? You were the one who kind of said it looked okay as is.
MEMBER HALNON: I thought it looked okay as is.
CHAIR BROWN: Do you remember what section that was? Myron said 5.9.
MEMBER HALNON: It's 5.9.3.
CHAIR BROWN: Oh, yes.
MEMBER HALNON: It had to do with the, you know, the system being out of service if you're going to be intrusive on the virus software.
And, it made a lot of sense to me. I didn't see any holes in it.
CHAIR BROWN: It would be difficult I think, to put together examples.
MEMBER HALNON: I'm afraid, I worry about examples only because people key in on the example as the requirement.
CHAIR BROWN: Yes.
MEMBER HALNON: And they.
MEMBER BIER: And, then they don't do the ones that you didn't give as examples.
MEMBER HALNON: Exactly.
MEMBER BIER: So.
MEMBER HALNON: Exactly. But I thought it was clear to me starting from a design when I had to
(Simultaneous speaking.)
CHAIR BROWN: Are you happy with that, Vicki?
MEMBER BIER: Yes, I'm happy to let that go and say okay as is.
CHAIR BROWN: All right, so before I go to public, the ones I've got is the confusion on the annex thing, 5.17.
3.3, 1.21 the words, architecture in the intro that sub-wireless. I'm not sure how I'm going to phrase that.
I'm going to try to make it so we, I'm sure I'll have plenty of help from them since I've got some, a lot of people here are listening. They'll make sure I phrase this in a proper manner.
And, that was probably the three or four or so areas that I would be thinking about addressing in some way in the letter.
The architecture thing, I mentioned the architecture part for the intro, or the background paragraph, whatever.
Other than that, is there anybody on the public line that would like to make a comment?
MS. ANTONESCU: Member Brown, there was one more item on the agenda regarding staff next steps for completion of proposed Reg Guides. Rev. 4.
CHAIR BROWN: There was one more item on the agenda?
MS. ANTONESCU: Yes, just for the staff to let us know what the next steps will be on completion of the Rev. 4 to Reg Guide 1.5.
CHAIR BROWN: Oh, okay.
MEMBER HALNON: Has it gone for public comment yet?
CHAIR BROWN: No.
MS. ANTONESCU: This is before public comment.
MEMBER HALNON: I don't mean the committee, I meant the actual document.
CHAIR BROWN: No, they have not sent it out yet.
MR. BENNER: No. Mike, did you, I mean your list, and I think I can give a high level summary, but you're the name on the agenda. Do you want to discuss the next steps, or do you want me to?
MR. EUDY: You talking to me, Eric, Mike Eudy?
MR. BENNER: Yes.
MR. EUDY: Yes, well I guess the next steps would be, you know, to get the letter so we know what, you know, what we would want to consider modifications to the draft Guide before we issue it for public comment.
And, it sounds like that meeting is on November 29th and we would be --
(Simultaneous speaking.)
CHAIR BROWN: Yes, full committee meeting is I think we're first on the agenda on the 29th, that's what Christina, is that correct, Christina?
MS. ANTONESCU: Yes, 29th.
CHAIR BROWN: Okay.
So we're first up, then we'll be doing our letter you know, a day or two later after we finish the other items.
And I have now 12 days to build a letter that's coherent, which is going to be a challenge.
But I will get there.
MEMBER MARCH-LEUBA: Keep it short. This is usually short.
CHAIR BROWN: I, you know how I write letters.
MEMBER MARCH-LEUBA: I know, this is why I offer advice.
CHAIR BROWN: They have to stand on their own. In this case, I think I can make it clear without getting overwhelmingly verbose.
So from our standpoint, we did this quickly so we could try to get it to you because we didn't have an opportunity to do this earlier because of all kinds of others.
We couldn't get it scheduled as well. So our opportunity is to try to get this done so you all can get it out to the public comment.
I just wanted to make sure we covered highlights, and not have to do it after the public comment.
And you all felt that was better to have us all internally on kind of the same page before you went out, in this circumstance.
Doesn't have to be all the time, it's just in this particular circumstance based on the nature of this particular Reg Guide.
Okay? Now, any public comment? Anybody out there that would like to say something, or provide information or comment?
MR. SCAROLA: Yes, this is Ken Scarola from Nuclear Automation Engineering. Can you hear me okay?
CHAIR BROWN: Not very well. Can I do that?
MR. SCAROLA: Probably because I'm traveling in my car.
CHAIR BROWN: Oh.
MR. SCAROLA: I have to apologize. I just joined the meeting about 20 minutes ago. I was tied up this morning.
But if you can hear me, my comment pertains to Section 2.1.1. You may have already talked about this and if you have, please stop me and I will just relinquish and not comment.
But I have a concern about this section because it's as written and it may just be ambiguity, but as written, it seems to negate what the industry has been trying to accomplish with (telephonic interruption) workstations.
And the reason I say that is as written, it says that on non-safe, or on inter-divisional communications, and that would be a non-safe work station, can't send any software instructions to a safety system while the safety system is in service.
But that's exactly what we are trying to do with non-safe work stations. We want the operators to work at the same work stations for controlling both safety and non-safe systems during all modes of operation. Including when the safety system is in service.
So an operator can use a non-safe work station to open and close a safety related valve.
Start and stop a safety related pump.
And that would happen while the safe system is in service, but there would certainly be priority logic in the safety system such that if the safe system demands a safe of those components, then it's different than what the non-safe work station is requesting. Then the safety function commands would have priority.
So that section 2.1.1 for me is a real problem. Because it negates things that have already been approved on APR 1400, US-APWR, and I believe even on AP 1000.
CHAIR BROWN: Section --
(Simultaneous speaking.)
MR. SCAROLA: It's the words software instructions that give me a problem. Because software instructions could encompass those normal control commands.
CHAIR BROWN: I thank you for your comment.
MEMBER MARCH-LEUBA: Can I make a comment?
CHAIR BROWN: Yes, go ahead.
MEMBER MARCH-LEUBA: I didn't get your name the previous member of the public. This is Jose March-Leuba.
If you could write down what you said and send it to us, to the TFO, we would put your comments properly in the record.
Because we couldn't understand half of what you said. So if you could write it down and send it to Christina, it will be good.
Thank you.
MR. SCAROLA: I will be happy to do that.
Now let me just summarize by saying I recommend changing the words software instructions to instructions that could alter the software of the safety function processor.
We need to distinguish those. Normal control functions are different than functions that could alter the safety functions of the processor.
I'll put my comments in writing. Thank you.
CHAIR BROWN: Thank you.
I didn't get the name. Oh, it's Ken, okay.
Are there any other public comments?
(No audible response.)
CHAIR BROWN: Hearing none, if there is no other comments from the members, we can close this meeting.
Anybody object? I don't think they're going to object.
(No audible response.)
CHAIR BROWN: Okay, meeting is adjourned.
(Chorus of thank you.)
(Whereupon, the above-entitled matter went off the record at 12:42 p.m.)
Here is the comment offered verbally and also in writing by Ken Scarola at the ACRS DI&C subcommittee meeting on November 17, 2022:
Section 2.1.1 has an ambiguity problem:
2.1.1 Provisions for interdivisional communication should be included to prevent the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or not in service.
Software instructions could mean a control command from a non-safety control and display workstation to open a valve or start a pump, which is exactly what we want to use multidivisional workstations for, while the safety system is in normal operation. This functionality for non-safety workstations to safety system communication was approved by the staff for APR1400, USAPWR (maybe also AP1000). Therefore, I recommend changing "software instructions" to "instructions that could alter the software of the safety function processor".
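The distinction the comment draws can be modelled in a few lines. The following is an added illustration, not code from the transcript, the comment, the draft guide, or any approved design: a toy safety function processor that accepts ordinary control commands (open/close a valve, start/stop a pump) from a non-safety workstation while in service, routes them through priority logic so a safety function demand always wins, and refuses anything that would alter its software unless all associated safety functions are bypassed or out of service. Component names, message fields, and the scenario sequence are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class MsgKind(Enum):
    CONTROL_COMMAND = auto()   # normal operator action: open/close a valve, start/stop a pump
    SOFTWARE_CHANGE = auto()   # anything that would alter the processor's software, firmware or logic


@dataclass(frozen=True)
class Message:
    """One message arriving over the interdivisional link from a non-safety workstation (constructed format)."""
    kind: MsgKind
    component: str   # constructed identifier such as "valve-101"
    action: str      # "open", "close", "start", "stop", or a descriptor of the software change


@dataclass
class SafetyFunctionProcessor:
    in_service: bool = True                               # False = all associated safety functions bypassed / out of service
    safety_demands: dict = field(default_factory=dict)    # component -> action currently demanded by a safety function
    state: dict = field(default_factory=dict)             # component -> last action that actually took effect
    log: list = field(default_factory=list)               # audit trail of every decision

    def set_safety_demand(self, component, action):
        """A safety function demands a component state; it takes effect at once and outranks later non-safety requests."""
        self.safety_demands[component] = action
        self.state[component] = action
        self.log.append(f"SAFETY DEMAND {component} -> {action}")

    def clear_safety_demand(self, component):
        self.safety_demands.pop(component, None)
        self.log.append(f"SAFETY DEMAND cleared {component}")

    def receive_from_nonsafety(self, msg: Message) -> bool:
        """Apply the reading of Section 2.1.1 recommended in the comment (hypothetical policy, not the guide's text):
        software-altering instructions are blocked while safety functions are in service; ordinary control
        commands are allowed but pass through priority logic. Returns True if the request took effect."""
        if msg.kind is MsgKind.SOFTWARE_CHANGE:
            if self.in_service:
                self.log.append(f"REJECTED software change '{msg.action}' for {msg.component}: safety functions in service")
                return False
            self.log.append(f"ACCEPTED software change '{msg.action}' for {msg.component}: safety functions out of service")
            return True

        demanded = self.safety_demands.get(msg.component)
        if demanded is not None and demanded != msg.action:
            # Priority logic: the safety function's demand is retained, the operator request is dropped and logged.
            self.state[msg.component] = demanded
            self.log.append(f"OVERRIDDEN {msg.component}: requested {msg.action}, safety demand {demanded} retained")
            return False
        self.state[msg.component] = msg.action
        self.log.append(f"ACCEPTED control {msg.component} -> {msg.action}")
        return True


def run_scenario() -> SafetyFunctionProcessor:
    """Constructed sequence exercising the three paths; returns the processor so its state and log can be inspected."""
    p = SafetyFunctionProcessor()
    # 1. Normal operation: operator opens a safety-related valve from the non-safety workstation.
    p.receive_from_nonsafety(Message(MsgKind.CONTROL_COMMAND, "valve-101", "open"))
    # 2. A safety function actuates and demands the valve closed; a later operator "open" must not win.
    p.set_safety_demand("valve-101", "close")
    p.receive_from_nonsafety(Message(MsgKind.CONTROL_COMMAND, "valve-101", "open"))
    # 3. A software change is refused while in service, and permitted once the safety functions are bypassed.
    p.receive_from_nonsafety(Message(MsgKind.SOFTWARE_CHANGE, "sfp-A", "load-setpoint-table-v2"))
    p.in_service = False
    p.receive_from_nonsafety(Message(MsgKind.SOFTWARE_CHANGE, "sfp-A", "load-setpoint-table-v2"))
    return p


if __name__ == "__main__":
    for line in run_scenario().log:
        print(line)
```

The point of keeping the two message kinds as distinct types is that the interdivisional interface can be reviewed against a closed list of what a non-safety source is allowed to send while in service, which is what the recommended wording ("instructions that could alter the software") makes possible and the original wording ("software instructions") leaves ambiguous.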
Advisory Committee on Reactor Safeguards, Digital Instrumentation & Controls Systems Subcommittee Briefing, November 17, 2022: Draft Guide 1374 - Proposed RG 1.152, Revision 4, Criteria for Programmable Digital Devices in Safety-related Systems of Nuclear Power Plants
Working Group
- NRR/DEX
- NRR/DORL
- Michael Marshall
- NRR/DRO
- NRR/DSS
- Khadijah West
- NSIR/DPCP
- RES/DE
Presentation Outline
- Introduction
- Scope of RG 1.152
- RG 1.152 Applicability
- Background
- Purpose of RG Revision
- Regulatory Basis
- Proposed Changes
- Summary
- Q&A
Introduction
- Current Regulatory Guide (RG) 1.152, Revision 3
- Endorses IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.
- Includes secure development and operational environment (SDOE) guidance for digital computers in the safety systems of nuclear power plants.
Introduction (Cont.)
- Proposed RG 1.152, Revision 4
- Endorses IEEE Std 7-4.3.2-2016, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations with exceptions and clarification.
- Includes additional guidance for fault detection and self-diagnostics, if used, in digital instrumentation and control (DI&C) systems.
- Implements the Commission's direction, which was informed by the OEDO letter to the Commission dated July 14, 2021 (ML21187A293).
Scope of RG 1.152
This RG endorses IEEE Std. 7-4.3.2 as an acceptable approach to meet regulatory requirements for promoting high functional reliability, design quality, and a SDOE for the use of programmable digital devices in the safety-related systems of nuclear power generating stations.
RG 1.152 Applicability
- Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Domestic Licensing of Production and Utilization Facilities
- 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants
Background
- IEEE Std 7-4.3.2 was developed in 1982 to supplement IEEE Std 603 with criteria for programmable digital computer systems in safety systems of nuclear power generating stations.
- Since then, IEEE Std 7-4.3.2 has been updated periodically to encompass the evolving digital technologies.
Background (Cont.)
- The previous editions of IEEE Std 7-4.3.2 cover only computer-based digital systems. Revision 2016 of IEEE Std 7-4.3.2 expands the coverage to programmable digital devices and encompasses technologies that were not covered in the previous editions.
- The previous version (Revision 2010) of IEEE Std 7-4.3.2 incorporated the data communication independence guidance from Digital I&C Interim Staff Guidance (ISG)-04, Highly Integrated Control Rooms -
Communications Issues, for evaluating communication independence.
Background (Cont.)
- Major Changes in IEEE Std 7-4.3.2 - 2016:
  - Changing the term "computer" to "programmable digital devices" to encompass technologies such as Field Programmable Gate Arrays (FPGAs).
  - Incorporating SDOE guidance from RG 1.152, revision 3.
  - Providing specific criteria on the use of software tools used for digital devices and development of hardware, software, firmware, and programmable logic.
  - Revising Annex D, Identification and Control of Hazards.
Background (Cont.)
Delta Between 2003 and 2016 Versions of IEEE Std 7-4.3.2
| Clause with Major Changes (IEEE Std 7-4.3.2-2016) | Delta Between 2003 and 2016 Versions |
|---|---|
| 5.1 - Single Failure Criterion | Additional criteria for programmable digital devices (PDDs) |
| 5.3.2 - Software Tools | Expanded to define software tools for PDDs |
| 5.5.4 - Prioritization of Functions | New - Incorporated ISG-04 guidance |
| 5.6 - Independence | Incorporated ISG-04 guidance |
| 5.7 - Capability for Test and Calibration | Included additional guidance for the measurement and test equipment (M&TE) |
| 5.8 - Information Displays | Incorporated ISG-04 guidance |
| 5.9 - Control of Access | Incorporated secure development and operational environment guidance from RG 1.152, R3 |
| 5.16 - Common Cause Failure Criteria | New - Included new guidance with respect to testing for addressing potential CCFs in PDDs |
| 5.17 - Use of Commercial Digital Equipment | New - Included new guidance for the use of commercial digital equipment |
| 5 Simplicity | New - clarifies simplicity concept |
| Annex D - Identification and Control of Hazards | Restructured the format and added a section to describe a process of performing hazard analysis (HA) activities in conjunction with software development processes. |
Purpose of RG 1.152, Revision 4
- Enhances efficiency and effectiveness of licensing reviews.
- Implements the Commission's direction (SRM-CTH210414-3), which was informed by the OEDO memorandum to the Commission dated July 14, 2021 (ML21187A293), that addressed the ACRS concern pertaining to uni-directional communications from high safety to lower safety systems and from internal plant to external systems connected to the internet.
  - Revise RG 1.152 to reference RG 5.71 and include information to make applicants for Design Certifications aware of cyber security requirements that apply to an operating license or combined license, and how these requirements could be considered during the design phase, and inform the Commission.
Purpose of RG 1.152, Revision 4 (Cont.)
A statement has been added:
RG 5.71 provides an acceptable approach to meet the requirements of 10 CFR 73.54. For licensees that choose to provide, as part of their license submittal, descriptions of cybersecurity design features intended to address the guidance of RG 5.71, the extent of the staff's review of these features is limited to ensuring that these features do not adversely affect or degrade the system's reliability or its capability to perform its safety functions. Licensees and applicants should also consider the cybersecurity guidance in RG 5.71 in preparing a design certification under 10 CFR Part 52.
Regulatory Basis
[Figure: timeline of RG 1.152 revisions, the IEEE standards each endorses, and the IEEE Std 603 editions those supplement; content reconstructed from the diagram labels.]
- Non-digital safety system requirements: IEEE Std 279-1968, IEEE Std 279-1971, IEEE Std 603-1980, -1991, -1998, -2009. 10 CFR 50.55a(h) incorporates IEEE Std 279-1971 and IEEE Std 603-1991 by reference.
- Digital safety system requirements: RG 1.152 R0 endorses IEEE Std 7-4.3.2-1982 (supplementing IEEE Std 603-1980); R1 endorses IEEE Std 7-4.3.2-1993 (supplementing IEEE Std 603-1991); R2 and R3 endorse IEEE Std 7-4.3.2-2003 (supplementing IEEE Std 603-1998); R4 endorses IEEE Std 7-4.3.2-2016 (supplementing IEEE Std 603-2009).
Proposed Changes
- Remove SDOE guidance
- Endorse Revision 2016 of IEEE Std 7-4.3.2 with exceptions and clarifications, including:
  - Additional guidance for fault detection and self-diagnostics, if used, in DI&C systems.
  - Guidance and clarification for control of access.
  - Endorsement of Annex D, Identification and Control of Hazards.
Proposed Changes (Cont.)
System Integrity (Staff Position 1.b(1))
- Endorsement of Annex D, Identification and Control of Hazards.
  - Annex D was updated, in part, to implement the NRC staff's feedback related to the IEEE hazard analysis (HA) guidance.
  - The Office of Research, via a research assistance request, assessed whether the updated Annex D supports an adequate technical basis for establishing consistent regulatory guidance.
  - This draft guide endorses Annex D with clarifications to provide a technical basis for applying and evaluating HA in support of safety demonstrations.
Proposed Changes (Cont.)
System Integrity (Cont.)
- Include additional guidance for fault detection and self-diagnostics, if used, in DI&C systems.
  - Self-diagnostics, if integrated into the safety-related DI&C systems, could be credited, on an application-specific basis, to either reduce or eliminate the channel operability tests, provided certain criteria are met.
Independence (Staff Position 1.b(2))
- Include applicable ISG-04 guidance that has not been incorporated into IEEE Std 7-4.3.2-2016.
Proposed Changes (Cont.)
Control of Access (Staff Position 1.b(3))
- Include guidance for providing safeguards to safety-related PDDs before installation.
- Clarify the applicability of the control of access guidance for safety-related programmable digital devices and include a reference to RG 5.71 as directed by the Commission.
Common Cause Failures (CCFs) (Staff Position 1.b(4))
- Include a note in which the NRC staff uses the guidance in BTP 7-19 to evaluate the applicant's defense-in-depth and diversity assessment as a means to address CCFs.
Summary
RG 1.152 is one of the primary RGs used by applicants and licensees in the development of digital I&C license applications, reactor certifications, and digital I&C topical reports.
The update to RG 1.152 is a high priority based on recent licensing experience and interactions with stakeholders that contributed to the update to IEEE Std 7-4.3.2 in 2016.
Summary (Cont.)
The staff proposes the revision of RG 1.152 to:
- Update information and guidance in the areas of functional reliability, design quality, and a SDOE for programmable digital devices in the safety-related systems of nuclear power plants.
- Support NRC guidance and review practices.
- Ensure that the guidance in these areas is current and consistent with the staff's position.
Thus enhancing the efficiency and effectiveness of licensing review.
Questions?