ML22329A171

Transcript - Advisory Committee on Reactor Safeguards - Di&C Meeting on DG-1374, Proposed Rev. 4 to RG 1.152, Criteria for Programmable Digital Devices in Safety Related Systems of Nuclear Power Plants - Sc - November 17, 2022
ML22329A171
Person / Time
Issue date: 11/17/2022
From: Christina Antonescu
Advisory Committee on Reactor Safeguards
To:
References
NRC-2172


Text

Official Transcript of Proceedings

NUCLEAR REGULATORY COMMISSION

Title: Advisory Committee on Reactor Safeguards Digital Instrumentation and Control

Docket Number: (n/a)

Location: teleconference

Date: Thursday, November 17, 2022

Work Order No.: NRC-2172

Pages 1-166

NEAL R. GROSS AND CO., INC.
Court Reporters and Transcribers
1716 14th Street, N.W.
Washington, D.C. 20009
(202) 234-4433

DISCLAIMER

UNITED STATES NUCLEAR REGULATORY COMMISSION'S ADVISORY COMMITTEE ON REACTOR SAFEGUARDS

The contents of this transcript of the proceeding of the United States Nuclear Regulatory Commission Advisory Committee on Reactor Safeguards, as reported herein, is a record of the discussions recorded at the meeting.

This transcript has not been reviewed, corrected, and edited, and it may contain inaccuracies.


UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
+ + + + +
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS)
+ + + + +
DIGITAL INSTRUMENTATION AND CONTROL SUBCOMMITTEE
+ + + + +
THURSDAY
NOVEMBER 17, 2022
+ + + + +

The Subcommittee met via hybrid in-person and Video Teleconference, at 8:30 a.m. EST, Charles Brown, Jr., Chairman, presiding.

COMMITTEE MEMBERS:

CHARLES H. BROWN, JR., Chair
RONALD G. BALLINGER, Member
VICKI BIER, Member
VESNA DIMITRIJEVIC, Member
GREGORY HALNON, Member
WALT KIRCHNER, Member
JOSE MARCH-LEUBA, Member
DAVID PETTI, Member
JOY L. REMPE, Member
MATTHEW SUNSERI, Member

ACRS CONSULTANTS:

DENNIS BLEY
MYRON HECHT
STEPHEN SCHULTZ

DESIGNATED FEDERAL OFFICIAL:

CHRISTINA ANTONESCU

ALSO PRESENT:

ERIC BENNER, NRR
SAMIR DARBALI, NRR
MIKE EUDY, RES
GREG GALLETTI, NRR
KIM LAWSON-JENKINS, NSIR
KHOI NGUYEN, NRR
RICHARD STATTEL, NRR
DINESH TANEJA, NRR

CONTENTS

Call to Order
Opening Remarks by Chairman
Introductory Remarks
Purpose, Scope, and Regulatory Basis of DG-1374 (Proposed Rev 4 of RG 1.152)
Public Comments
Status and Next Steps for Completion of Proposed Rev 4 of RG 1.152
Adjourn

P R O C E E D I N G S

8:37 a.m.

CHAIR BROWN: Good morning, everyone.

This is a meeting of the Digital Instrumentation and Control Subcommittee. We are operating in person and virtually. The meeting will now come to order.

I'm Charles Brown, Chairman of the Subcommittee meeting. ACRS members in attendance are Matt Sunseri, Jose March-Leuba, Vesna Dimitrijevic, Ron Ballinger, Dave Petti, Walt Kirchner, Vicki Bier, Greg Halnon, and our Consultants Myron Hecht and Dennis Bley. Christina Antonescu of the ACRS staff is the Designated Federal Official for this meeting.

The purpose of this meeting is for the staff to brief the Subcommittee on Draft Guide 1374, proposed Revision 4 to Reg Guide 1.152, "Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants."

The ACRS was established by statute and is governed by the Federal Advisory Committee Act, FACA. That means the Committee can only speak through its published letter reports. We hold meetings to gather information to support our deliberations.

Interested parties who wish to provide comments can contact our office requesting time. That said, we've set aside 15 minutes for comments from members of the public attending or listening to our meeting. Written comments are also welcomed.

And the meeting agenda for today's meeting was published on the NRC's public meeting notice website, as well as the ACRS meeting website.

On the agenda for this meeting and on the ACRS meeting website are instructions as to how the public may participate. No request for making a statement to the Subcommittee has been received from the public.

Due to COVID-19, we are conducting today's meeting as a hybrid meeting.

A transcript of the meeting is being kept and will be made available on our website. Therefore, we request that participants in this meeting should first identify themselves and speak with sufficient clarity and volume, so that they can be readily heard.

All presenters please pause from time to time to allow members to ask questions. Please, also, indicate the slide number you are on when moving to the next slide.

We have the MS Teams phone line, audio-only, established for the public to listen to the meeting.

Based on our experience from previous virtual and hybrid meetings, I would like to remind speakers to speak slowly.

We will take a short break after each presentation to allow time for screen-sharing, as well as at the Chairman's discretion during longer meetings. There's only one presentation today, correct? Okay.

Lastly, please do not use any virtual meeting features to conduct sidebar technical conversations, but rather contact the DFO, who is also connected, if you have any technical questions, so we can bring those to the floor. And the DFO, I'll repeat again, is Christina Antonescu of the Nuclear Regulatory Commission Advisory Committee staff.

We will now proceed with the meeting, and I guess Mr. Khoi Nguyen is going to be making the presentations. And he can share his screen, and it's obviously being shared. And Eric Benner will make some introductory remarks before we begin today's presentation.

Eric?

MR. BENNER: Thank you, Member Brown.

As you indicate, I'm Eric Benner. I'm the Director of the Division of Engineering and External Hazards in NRR, who has programmatic responsibility for this technical area.

I won't repeat much of what the Chair said. This is a collaboration between Research, our Office of Research, and NRR to update this Reg Guide.

We continually look to endorse updated versions of standards to help us in conducting our work.

We also work extensively with standards-developing organizations for those areas where we feel the standard has a gap in it. We put what we call either a condition and clarification, so that it's complete for us when doing our reviews and groups of those standards-developing organizations, when we have those disconnects, to see if those issues can get resolved and incorporated into the standards.

So, I'm happy to report we have some of that, some of both of those things in today's presentation; that this is a newer version of a standard we had previously endorsed and we were able to remove some conditions from the Reg Guide because of our effective coordination with the standards-developing organizations.

So, not to take too much thunder away from the main presenter, I will turn it over to Khoi Nguyen.

MR. NGUYEN: Thanks, Eric.

Good morning. My name is Khoi Nguyen, Electrical Engineer from the Electrical Engineering Branch, from the Division of Engineering and External Hazards in NRR.

I'm here to present Draft Guide 1374, the proposed Revision 4 of Regulatory Guide 1.152, "Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants."

Next slide, please.

Today, you can see on the screen that we go over the introduction; the scope of the Reg Guide 1.152; the Reg Guide applicability background; the purpose of the Reg Guide revision; regulatory basis; proposed changes, and finally, a summary.

Next slide, on slide 3, please. I'm sorry, it's slide 4.

I will start the introduction with the current revision, Revision 3 of the Reg Guide, which endorsed IEEE Standard 7-4.3.2, 2003 version, the "IEEE Standard Critical for Digital Computers in Safety Systems of Nuclear Power Generating Stations."

The current revision of this Reg Guide includes the "Secure Development and Operational Environment, or SDOE, Guidance for Digital Computers in the Safety Systems of the Nuclear Power Plants."

Next slide, please.

The proposed Revision 4 of Reg Guide 1.152 will endorse IEEE Standard 7-4.3.2, Revision 2016, "IEEE Standard Criteria for Programmable Digital Devices in Safety-Related Systems of the Nuclear Power Generation," with exceptions and clarifications.

The revision also includes the "Secure Development and Operational Environment Guidance for Digital Computers in the Safety Systems of Nuclear Power Plants."

MEMBER HALNON: Khoi, this is Greg Halnon. Just a quick question.

Several places I read that this is all being revised to keep up with the present digital technology, but we're endorsing a guide that's almost seven years old at this point. That IEEE standard, is that purely 2016 technology, not 2022 technology?

MR. NGUYEN: As we understand, that IEEE is in the process of updating the revision 2016 of the standard. And we have the staff in this room, actually, that is a working group that is responsible for revising the standard, and I consult with these staff. We are confident that there's not much changes from the 2016 version to the next version. So, we are confident, by endorsing this standard, we have the latest, you know, information.

MEMBER HALNON: Will it take another six years to endorse the next IEEE revision, or is it just lagging for other reasons?

MR. NGUYEN: Actually, normally, we have a 10-years cycle.

MEMBER HALNON: A 10-year cycle?

MR. NGUYEN: Yes. So, 2026, or maybe 2027, the next revision --

MEMBER HALNON: So, the window will be a little tighter?

MR. NGUYEN: A little bit tighter, yes.

MEMBER HALNON: Thanks.

MR. BENNER: This is Eric Benner.

I would add that you're all aware that, in the middle of the past decade, we had some significant interactions with the Commission where we got some redirects on how the staff should be looking at digital I&C. So, we really focused on the high-profile issues that the Commission had raised to us.

But, as part of that activity, we had what we called strategic long-term modernization. And in that task, we talked about, hey, how are we going to revisit what people affectionately, or not affectionately, called "the spaghetti chart of guidance." So, that's sort of clean up the Reg Guides; how the Reg Guides fit together; how our internal guidance fits together. So, we're finally starting to get that cleanup activity.

So, I would hope that in the future, if we're able to manage our infrastructure in what I call a more routine fashion, that we would significantly shorten the time to keep the guidance in line with more modern standards.

MEMBER HALNON: Thank you.

MR. NGUYEN: So, for the purpose of this presentation, I will use the term "7-4.3.2" for short for the IEEE standard and, also, "SDOE" for the Secure Development and Operational Environment.

So, continue on slide 8.

The proposed Revision 4 of Reg Guide 1.152 also implements the Commission directions, which were informed by the EDO letters to Commission, dated July 14, 2021.

Next slide, please.

The scope of Reg Guide 1.152 is with regard to -- the proposed revision of Reg Guide 1.152 scope is to remain unchanged, which endorsed 7-4.3.2 as an acceptable approach to meet the regulatory requirements for promoting, first of all, reliability, design quality, and SDOE for the use of programmable digital devices in the safety-related systems of nuclear power generating stations.

Next slide, please.

MR. BENNER: I see a hand up. Walt?

MEMBER KIRCHNER: Yes, good morning. This is Walt Kirchner.

Could you spend a little more time on SDOE? And in particular, I'm interested to know about access control in an operational environment and how the guide provides for protecting the integrity of the device and its software.

MR. NGUYEN: Let me --

MEMBER KIRCHNER: The concern is cyber security, among others, since these are devices that would be used in a safety-related system.

MR. NGUYEN: Okay. Let me make sure I understand your question right. You want to make sure the guidance in IEEE standard, whether it covers the cyber security guidance on control of access?

MEMBER KIRCHNER: Well, no. What I want to -- not quite. Both in the secure development and the operational environment, how do you protect the integrity of the device and its software against intrusion, malware, whatever? What guidelines are there for a device that is deployed to support a safety-related function?

Could you, just for the record, say what this actually means? It's an acronym. We skip over it quickly in presentations, but could you explain for the record what does "SDOE" mean in terms of expectations for a digital device used in a safety-related system?

MR. NGUYEN: I would like to ask Samir Darbali to answer the question because he's the one who is directly working on the guidance of the SDOE.

MR. DARBALI: Thank you, Khoi.

Good morning. My name is Samir Darbali.

CHAIR BROWN: Samir, this is Charlie Brown.

MR. DARBALI: Yes?

CHAIR BROWN: I wanted to clarify, not clarify, but just -- Walt, to make it clear, the SDOE is the environment within the vendor's plant. So, control of access is an issue once you get out into the operational world where you've got equipment installed and it's operating. Is that the vision you're thinking about and the separation you're referring to?

MEMBER KIRCHNER: Well, both. No, both, actually, yes.

CHAIR BROWN: Okay, I understand that. I just wanted to make sure that the SDOE is not something -- that's something you build into it when you're designing it to make sure it's safe, comes out right, supposedly, and all that. You've asked that question.

MEMBER KIRCHNER: Yes.

CHAIR BROWN: You also are talking about the operational environment. I just wanted to make sure we separated the two things into two pieces.

MEMBER KIRCHNER: Yes. No. Thanks, Charlie. Yes, that clarifies it better.

CHAIR BROWN: That was it.

MR. DARBALI: Okay.

CHAIR BROWN: I just wanted to make sure we were on the right track.

MR. DARBALI: Thank you.

Again, my name is Samir Darbali, NRR/DEX.

So, a secure development and operational environment covers both the vendor side and the operations side. And it's somewhat related to cyber security. The nature of cyber security is that it's focused on security and Part 73. Secure development and operational environment is focused on safety and reliability, and it's on Part 50.

The secure development side is at the vendor's side, and it's those controls that the vendor has on their development environment, whether it's the use of firewalls by the computers that are used to develop the system and create the code, that they're not connected to the internet; that the software that they're using to develop the system, it's secure. And it does have some overlaps with formal cyber security.

The secure operational side includes activities done by the vendor and by the licensee. So, activities that the vendor does for a secure operational environment include: does the system allow for remote access? Does it have open physical ports? Is there code in the software that is not defined or that it provides functionality that's not desired?

So, the vendor, based on the requirements provided by the licensee, will ensure that the system doesn't allow access, does not intend it, during operations.

The licensee, on their part, ensures the secure operational environment by making sure that the hardware is secure. So, the hardware is going to be in a cabinet; that cabinet is going to be locked.

Typically, you'll see that those cabinet doors have alarms. So, when somebody opens them, the operators know somebody's working on channel alpha or channel bravo.

Sometimes, also, some of those features include if there's going to be a change made to software, whether it is to make a change to a constant or a set point or a change to firmware, you have to in some cases use a key switch. So, that key is going to be controlled by the control room operators. Also, when you turn the key switch, operators would get an alert somebody's working on this cabinet.

So, those are layers of defense that are incorporated to ensure that nobody is making changes to the system that they're not supposed to. Again, this is somewhat different from cyber security perspective which has some overlapping, but separate requirements.

Hopefully, that made it clearer.

MR. NGUYEN: Thanks, Samir.

MEMBER MARCH-LEUBA: To follow up on that line of thought, it's good to have a secure development environment working close. But if you have been following developments in this area in the last couple of years, one has to become very familiar with the supply-side vulnerabilities.

MR. DARBALI: Right.

MEMBER MARCH-LEUBA: But more insidious are others which are really supply side, but you're young enough to know how programming is then. You don't program everything; you just go out there to the "GitHubs" and get yourself libraries. And some of those libraries are used very widely. Log4j is the most famous one that has happened recently that a Java student wrote in 1990. Theoretically, he left it needing rehab. And everybody and their mother uses it and nobody maintains it.

And it had a very serious flaw that I think that every single website in the world -- I mean, just because you use an open-source library, is there any guidance in the guide to warn you that just having a lock and key on the cabinet is not good enough?

Is there anything that you use in your software? Because you know the software. You actually program 10 percent of the lines of code, at most. How do you verify the other 90 percent?

MR. DARBALI: So, there's guidance on the use of pre-developed software or commercial off-the-shelf software to ensure that it doesn't contain any unintended code. But, again, this is from a safety reliability side; whereas, Reg Guide 5.71 covers the guidance on the supply chain for ensuring that secure supply chain.

MEMBER MARCH-LEUBA: Yes, but every single website in the world developed by the smartest people out there, IT techs, people that work on protecting and writing malware detection software had the log4j. That's L-O-G No. 4j. Everybody uses that guidance student library to create logs.

MR. DARBALI: Right.

MEMBER MARCH-LEUBA: So, I mean, there has to be some warning for use of that. You have to state in the documents (audio interference) --

MEMBER BIER: I would note, similar to what Jose commented, that for many, many years, and probably still, there was like a flawed random number generator that was randomly used in lots of Monte Carlo analysis. And it was well-known to be flawed, but if you weren't an expert, you just went and grabbed it and it looked good, so there you go.

MEMBER MARCH-LEUBA: I, myself, discovered a flaw in Excel; it was actually log base 10 in Excel 1.0, and I reported it to Microsoft. I mean, things happen.

MS. ANTONESCU: Chairman Brown, there are two people --

MEMBER MARCH-LEUBA: There are some hands up.

MS. ANTONESCU: Hands, yes, both Dinesh and, also, Kim. Just call on them.

CHAIR BROWN: Yes, it says I'm plus 30. How do I know who to call on?

MEMBER MARCH-LEUBA: Well, Dennis was also --

MS. ANTONESCU: Well, Dinesh was first, then Kim, and then, Dennis Bley also.

CHAIR BROWN: Okay. Dinesh, since you were up first, do you want to comment?

MR. TANEJA: Yes. Good morning, everyone. This is Dinesh Taneja.

So, I just wanted to give our recent experience. I know that the Committee has heard that we audited the SHINE, you know, program logic development life cycle activities recently.

So, what we observed when it came to the secure development environment, that the vendor actually had a pretty tight, secure environment where they are doing the development activities. This is just saying that, you know, they were taking all the necessary steps to ensure the purity and the sanity of the work that they were developing has no infections of any type.

And they were building in features such as, you know, access during the operation is limited to only the authorized personnel by putting in password protections and different checks and balances. So, to even access any of these parameters for any kind of modification or set point changes required some necessary steps and procedures on the part of the operating staff.

So, that secure development environment was pretty tight; at least, that's what we observed at this specific one vendor that was doing the work.

And to Jose's point about the acquired softwares, so there is a requirement that we have -- I think there is a Reg Guide we have on commercial rededication of all the acquired softwares. So, they are actually following that guidance on dedicating all the acquired softwares and taking it through the necessary due diligence of our regulatory requirements of assuring that they actually do, you know, the criticality analysis and checking everything before they use any of these off-the-shelf items or, you know, otherwise acquired software. So, we do have a regulatory framework in place to address all these concerns.

Also, I think Greg Galletti probably can add more to it in that area, because he is our Vendor Branch expert in this area. And I think he's online also.

I just wanted to share that. Thank you.

CHAIR BROWN: Thank you, Dinesh.

Before I go on to the next hand, correct me I don't state this correctly: SDOE is not in the Reg Guide and it's often 7-4.3.2, is that correct? I mean, and it looks like it's about the same as it was in the previous version 7 -- I'm trying to connect the dots here a little bit. There hasn't been a whole of changes in that over the last -- was that the way it's been applied; you all have been using that for a while?

MR. NGUYEN: You are correct, Member Brown. The 2016 version 7-4.3.2 incorporated the SDOE guidance in --

CHAIR BROWN: It was in Rev 3, correct?

MR. NGUYEN: In Rev 3, yes.

CHAIR BROWN: Yes. Okay. You all moved all that over. I mapped that over and it looked like you kind of just moved it --

MR. NGUYEN: Yes.

CHAIR BROWN: -- for the most part.

MR. NGUYEN: Yes. And we examined to see if the standard incorporated all of the principal guidance and the important stuff from the Reg Guide and Standard, and we confirmed that.

CHAIR BROWN: Okay. I don't know whether that answers anybody else's questions. I just wanted to make it clear that those particular guidances that's been out there has been out and it's utilized.

And that's largely a facility-type operation as opposed to what we do when -- we obviously have to have some little piece of that when you're operating, but you're not developing code at the vendors -- I mean at the plant operators' location for the most part.

There were two more hands up, you said? Kim?

MS. LAWSON-JENKINS: Thank you, Member Brown. I have a few very brief comments.

My name is Kim Lawson-Jenkins. I'm with the Cyber Security Branch at the Nuclear Regulatory Commission.

There's one of the requirements in every licensee cyber security plan, when they receive software from a vendor, to verify that the vendor has acknowledged that there are known vulnerabilities in their software, or if there are, that they have provided mitigations for those.

So, some of the examples that were mentioned are very valid. They think there may be vulnerabilities that are there that haven't been exploited at that point, that later on have been, will become exploitable because people have gotten more sophisticated and smarter and figured out a way to attack the system. And at that point, if the device is operational in a system, the vendor contacts the licensees to let them know about this vulnerability, or they receive this information from a government agency such as CISA, and then, the licensee will take actions on it.

But there are, as was mentioned, vulnerabilities that exist today that may not have been exploited. So, those will have to be addressed.

Also, in the cyber security plans that are currently being used, it is possible to do vulnerability scans, but because of the safety-related devices, the guidance gives examples where you can do this not when the system is operational, but before.

For example, a device becomes operational. They've received a new device. They can run scans which can verify whether there's something like Log4j or some software that is in there. And then, like I said, they can verify with the vendors that these, any known vulnerabilities found, have been addressed. And also, during system outages, they could run vulnerability scans.

And like I said, basically, the area that we're talking about now for secure development and operational environments, they have to do with supply chain. And it's very important because that's one of those attack vectors that we really feel that, going forward, we have to watch very carefully. And that's covered, as I say, quite well in the cyber security plans.

So, if you have any other questions, we can definitely discuss those. But --

CHAIR BROWN: I'll have some other questions later.

MS. LAWSON-JENKINS: Okay.

CHAIR BROWN: But I want to close this out and make it clear that, when the software is brought in -- say a vendor revises a software because he discovered something, and the applicant says, okay, we'll do that. They bring it in. They don't install it, and then, scan it. They scan that software before it gets installed. That's my understanding of the way the system -- based on the guidance you've got in here, they do all that. That's the smart thing to do.

So, I wanted to make sure that was clear in everybody else's mind before we go on.

MEMBER MARCH-LEUBA: Yes. With the goal in mind, I think we have been just fine, right?

CHAIR BROWN: We've got all day.

MEMBER MARCH-LEUBA: Yes. The problem is, there is a false sense of security. Because a cyber security plan exists, you say, "Aha, I'm covered."

You cannot tell me that Google doesn't know about cyber security. This year, there have been seven CLA updates to Chrome -- seven. I can't even count how many Windows updates have been with similar internet navigators. And there are many more in series 1 that have not been found yet.

So, using a scan for the vulnerabilities for 2021 doesn't do you any good because there are new ones. You have to assume you have been penetrated and do something to protect you against it.

What the IT guys here in our building are doing, there's one guy already in a room monitoring all the traffic on the web, making sure that nobody is sending an evil viral vector where they're not supposed to -- and assuming we've been penetrated.

And I'm warning about false sense of security that having a plan gives you, because having a plan is good for the 2021 vulnerabilities, or some of those plans are 2008. There are new ones every day. And so, the best thing to do is to have a good architecture that segregates things as best as possible, single trust, and assume you're going to fail.

13 And when we're talking about this with 14 cyber security plans, the other concern I have, which 15 is a very serious concern, is that we concentrate 16 exclusively in critical digital assets and ignore or 17 kind of leave it to the student to work out with the 18 rest of the components. And specific examples are the 19 famous casino that got penetrated because somebody got 20 into their aquarium.

21 God knows how many of you have an IoT 22 device at home -- a thermostat, a smart TV, a router.

23 How many of those are out already? I mean, you have 24 those already inside your house and you don't know it.

25 The average time for a big company to find NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

27 1 out it has been penetrated is nine months. By the 2 time the payload is deployed and you know you've been 3 attacked, the bad guys have been inside your network 4 for nine months.

5 MR. BLEY: They're already there.

6 MEMBER MARCH-LEUBA: Yes, I mean, be 7 scared. Be very scared. That's all I can say.

8 And this sense of security that we did an 9 audit and everything looked good, I guarantee you it 10 wasn't. And next year, you'll find out why. I don't 11 know why. They don't know why; nobody does. But I 12 guarantee you there are faults.

13 Thank you.

CHAIR BROWN: That's why I still have a mercury thermostat.

MS. ANTONESCU: Dennis Bley raised his hand, Member Brown.

CHAIR BROWN: Yes, I'm just about to go to him, when I finish saying something.

Dennis, are you still there?

MR. BLEY: Yes, Charlie, I'm still here.

CHAIR BROWN: Is your hand still up?

MR. BLEY: Yes. Let's see if I can remember what I was going to say.

(Laughter.)

Two things right now. One is a comment; one is a question.

The comment goes back to Eric's discussion about the spaghetti of guidance. "Spaghetti" is a nice word; I can think of others. We've had BTPs and ISGs. We also point to standards which you need to do. I think what we would like is to see all of this eventually be in a NUREGs and Reg Guides, so you're looking in one place to find it all.

One day, if the staff could give us a kind of summary of how they're actually trying to clear up this rats' nest of spaghetti, that would be very helpful for me anyway. Dinesh brought up the dedication of commercial equipment, which now ties into these other things. So, understanding how we're going to try to clarify all that would be really nice.

Now, in the Draft Reg Guide -- and I was on the previous slide -- you point to IEEE Section 5.6 and 5.9 -- 5.6 on independence; 5.9 on control of access to be of primary importance in protecting these systems. I didn't go back to look at the previous version of the Reg Guide. Were there any substantial changes in the Reg Guide? And actually, I mean substantial changes in the IEEE guidance in their Sections 5.6 and 5.9. Or is this pretty much what we've had before?

And that's for Khoi -- if he remembers he was giving the presentation.

(Laughter.)

MR. NGUYEN: Yes, 5.6, yes, there's a substantial change in Clause 5.6 and 5.9. And I call that later on slide 11. Can you hold on that?

MR. BLEY: Yes.

MR. NGUYEN: Can you hold the question?

MR. BLEY: I certainly can. I just didn't want it to get by until I knew you were going to talk about it. But thank you.

MR. NGUYEN: We will. Yes, I will, yes.

MR. BLEY: All right.

CHAIR BROWN: But the differences between 7-4.3.2 -- the previous one is 2003.

MR. BLEY: Yes, I'm really looking for the staff on this.

CHAIR BROWN: No, I'm just saying there were two different IEEE standards. The older one was 2003 and the new one is 2016. So, I think they're going to walk through some of the changes or differences between them on a later slide. That's all I was trying to make sure; that they've got that in the slide pack.

MR. NGUYEN: Yes, I will go over the major changes in Revision 2016, 7-4.3.2, comparing with the 2003 version. And for each change, I will explain what we reveal and how it is acceptable.

MR. BENNER: And this is Eric Benner again.

I think it's going to be illustrative, when we get there, of the migration. Because, as Member Brown said, the guidance hasn't changed significantly, but how it's packaged is. So, in previous versions of the standard, the NRC staff felt that there was more guidance that was necessary.

So, we put that in the surrounding guidance documents, whether it was the previous Reg Guide, whether it was from previous ISGs. But, as we work with the working group, the IEEE Working Group, we get them to ideally adopt what we think is the appropriate guidance, such that our endorsement of that guidance is a lot cleaner.

And as Khoi said, as we get into that section of the presentation, he'll have some more discrete mapping of how there was guidance in other NRC guidance documents that has now migrated into the underlying IEEE standard, such that we can just endorse that.

CHAIR BROWN: Did that answer the question for you, Dennis?

MR. BLEY: I'm waiting for the information coming later, Charlie.

CHAIR BROWN: Okay. All right. I just wanted to make sure we were on track to go on.

MR. NGUYEN: So, for slide 7, Reg Guide 1.152 is applicable to the applicant's and licensee's attention to 10 CFR Part 50 and Part 52.

During the development of the Draft Guide, the staff received the inquiry from many organizations whether this Reg Guide is applicable to Part 53. And the staff has concluded that, since Part 53 is currently under development, therefore, staff is unable to determine on the applicability of Part 53 to this Reg Guide.

Any question on this?

MEMBER HALNON: Yes. Khoi, I know that, I mean, you can't make something applicable to a regulation that's not in place yet. But why wouldn't it be able to be used for the advanced new reactor stuff? Is there something in here that is antiquated to where the new stuff can't be applicable? I mean, will it be applicable without much to-do? I guess is the question.

MR. BENNER: I think I'll answer that.

This is Eric Benner.

I would say, generically, that once the NRC has approved a method for use, that we'd be hard-pressed to say someone couldn't use that method. And that's happened for a number of these standards.

These standards are all for power reactors, but when other types of licensees, say a fuel cycle facility, wants to use this, then we've kind of set the standard that is acceptable.

So, for us, we have to look at it the other way of -- and some of our applicants look at it the other way of -- is it necessary? And that's really where we're only going to go so far when we talk about Part 53. It's because, depending on the approaches that are adopted in Part 53, some of the things in the Standard or Reg Guide may or may not be necessary. But I feel pretty comfortable saying that, once the staff has determined that it's acceptable for meeting the technical requirements and regulations, that we're not going to pull that back for any class of licensee.

MEMBER HALNON: So, we're looking at administratively, and possibly some slight modifications in new technology and other things that --

MR. BENNER: Right, right.

MEMBER HALNON: -- might be more applicable? Yes, 53 may not be out for what, a couple of years --

MR. BENNER: Right.

MEMBER HALNON: -- at best. So, okay. I just wanted to make sure there were no showstoppers there that you saw.

MR. BENNER: No. We certainly, like I said, we find this technically acceptable. So, if a licensee came in under Part 53 and wanted to adhere to all of the attributes of this Reg Guide, we'd be hard-pressed to make any sort of, you know, technical or regulatory argument as to why that wouldn't be acceptable.

MEMBER HALNON: Got it. Thanks, Eric.

CHAIR BROWN: Relative to Greg's question, what Parts some of these clarifications are applicable to, and I don't want you to go into -- we can cover this later. I'm just making you aware because he brought it up.

In one of your clarifications, you stated that licensees or applicants are going to use a particular Reg Guide in preparing a certification under 10 CFR 52. Why not Part 50, which is already in place for people making changes?

MR. BENNER: Why? We can look at the language in --

CHAIR BROWN: I'm just telling you that it's in Section 3.

MR. BENNER: Yes.

CHAIR BROWN: It's 3.3 in the Reg Guide.

MR. BENNER: Yes, and that --

CHAIR BROWN: You only said Part 52, but --

MR. BENNER: Okay. Well, maybe for certifications, because there are no certifications in Part 50. But we can look at the particular language.

CHAIR BROWN: Could somebody come in with a certification under Part 50 --

MR. BENNER: No.

CHAIR BROWN: -- if they wanted to?

MR. BENNER: No.

CHAIR BROWN: They can't now?

MR. BENNER: No, they cannot. They never could.

CHAIR BROWN: That's our answer then.

Thank you.

MR. BENNER: They never could. Right. In Part 50, there are Construction Permits and Operating Licenses.

CHAIR BROWN: And that's it?

MR. BENNER: And that's it.

CHAIR BROWN: Okay.

MR. BENNER: In Part 52, you have design certifications --

CHAIR BROWN: Okay.

MR. BENNER: -- and combined licenses.

CHAIR BROWN: Okay.

MR. BENNER: So, yes, I mean, we can look at the language to make sure we're good. It's good for all.

CHAIR BROWN: No, I'm glad you brought it up --

MR. BENNER: Okay.

CHAIR BROWN: -- because it's an issue.

All right. Thank you.

MR. NGUYEN: Any question on this slide?

CHAIR BROWN: Just one overall question.

I've got to find my right piece of paper, so I can say it right.

In the new Reg Guide, Rev 4, in your page 4 discussion, you endorse 7-4.3.2-2016. And in that paragraph, you state that the rule is still 603-1991.

That's where the rule is, 10 CFR 50.55a(h). But the references to IEEE X throughout it are to IEEE 603-2009. And that was a little bit -- I mean, if something in 2009 conflicts with 1991, what rules?

There's no clarification of -- 2009 is not in the rule anywhere. And if something in there conflicts with the 1991 version, there's no clarification that, hey, fine, we have no problem with 2009 because that's been there before. So, it was another date before; 2003 or 2004, or some other date was the previous IEEE standard. But that conflict was not identified as who would rule under those circumstances.

Just something to put in the hopper to think about. That's going to be one of my main points of issue to discuss later.

Go ahead, Khoi.

MR. NGUYEN: Thank you, Member Brown.

That's a good question.

We spent a lot of time discussing this subject and reviewed 2009, the 1991 version, 2003 IEEE, and 2009 version of IEEE, and made sure that there's no conflict like you mentioned. And we found that there's no conflict.

The 2009 cover of specific criteria in IEEE 1991 with some, you know, minor change in language, but not major changes --

CHAIR BROWN: So, there's also some expanded language in some circumstances --

MR. NGUYEN: Right.

CHAIR BROWN: -- when you go from 1991 to the subsequent ones. I didn't have any problem with that. It was just --

MR. NGUYEN: But there is no conflict.

CHAIR BROWN: So, you all have looked at that to make sure --

MR. NGUYEN: Right. And we --

CHAIR BROWN: You were very careful to say 1991 is still in the rule. You were very clear in the Reg Guide.

MR. NGUYEN: And we also worked with OGC and made sure that when we referenced and endorsed this, and the Reg Guide we have paragraph explain that the second reference, like the 2009 version --

CHAIR BROWN: Yes.

MR. NGUYEN: -- and 7-4.3.2 is not what we're endorsing. Like the --

CHAIR BROWN: Well, you're endorsing 7-4.3.2 --

MR. NGUYEN: Right.

CHAIR BROWN: -- which says, See 2009, 603, for information.

MR. NGUYEN: The second reference.

CHAIR BROWN: So, fundamentally, you've endorsed it by reference in a way via the later IEEE --

MR. NGUYEN: Unless we -- we, basically, say that. The second reference in the Standard, the Reg Guide is not endorsing that.

MR. BENNER: Yes, and we run -- this is Eric Benner again. And like Khoi said, we've had a lot of discussion with OGC, our legal counsel, on this because the rule is the 1991 version, 603, is incorporated by reference. So, there is no ambiguity that that is the requirement. Guidance is just a way to meet the rule.

So, it seems maybe unnecessary, but, in reviewing, in endorsing 7-4.3.2, we are endorsing a way that applicants can meet the requirements, which is the 1991 version in the regulation. And like Khoi said, we've done, because of this sort of awkwardness of 7-4.3.2 that aligns itself with a later version of IEEE 603, we did the exercise to make sure there was no conflict there.

We have a separate activity, which I'm sure we will be briefing the Committee on at the right time, of what we're doing about IEEE 603. Because, as you point out, not only is there a 2009 version, there's a more recent version that we've worked extensively with IEEE on, and we're looking for the best avenues for applicants to use that version of the standard, including maybe updating the rule to incorporate the --

CHAIR BROWN: We tried to update the rule about seven years ago --

MR. BENNER: Right.

CHAIR BROWN: -- and the Commission rejected that.

MR. BENNER: Yes, yes. And we, hopefully, have learned lessons from that activity. That is why we'll be engaging stakeholders on what's the right path for 603. And then, whatever plan we come up with, that will be something we'll offer to the Committee for your feedback on.

CHAIR BROWN: Well, I brought it up because, literally, it goes in, in the 2016 version of 7-4.3.2, auxiliary features, multi-unit stations, repair, reliability. In various places, it says, no requirements beyond 2009 are necessary, which kind of says 2009 is -- as long as you can say that the stuff in there doesn't conflict -- I looked back in 1991, and sometimes it was pretty sparse and they just had a sentence, "Be careful," and there's a few more things in 2009. So, I presume that's the case for somebody --

MR. BENNER: Yes, I would say I don't think, as Khoi said, any of it conflicts. So that we have line of sight that, if you meet 7-4.3.2, or you meet a pointer in 7-4.3.2 to 2009 603, in our mind, that does meet the requirement, which is the 1991 version of 603.

CHAIR BROWN: Okay. All right. Thank you.

Any other hands up? No.

Do you want to go on, Khoi?

MR. HECHT: This is Myron Hecht.

CHAIR BROWN: Oh, Myron, go ahead.

MR. HECHT: This is Myron. Yes.

So long as we're on the subject of obsolescent or obsolete references, I just wanted to point out that, on page 2 of the Draft Standard, under "Related Guidance," it makes a reference to SECY-93-087, which is being replaced by a standard coming out in 2022, a Draft SECY. So, you might want to replace -- or let me ask it as a question: should that reference to SECY-93-087 be replaced?

MR. NGUYEN: Yes, thank you for the question. The staff has thought about this subject also and I have been reaching out to OGC on the subject. And we got the reply that, similar to Part 53, the expanded SECY paper is still a work-in-progress. There's no decision, you know, from the Commission what the expanded SECY looks like. So, we cannot reference the paper that is not final yet.

MR. BENNER: Yes, the reference to that is not SECY; it's the Staff Requirements Memorandum for that SECY. So, we do not have a Staff Requirements Memorandum in response to the modern SECY. Though, if we do, if the Commission makes a decision, then that would be an appropriate reference, but, right now, we have no guidance from the Commission. We just have a proposal to the Commission.

MR. BLEY: So, you're tracking that, and before this becomes final, if the SRM becomes final, you can update the reference?

MR. BENNER: Yes.

CHAIR BROWN: There was also feedback from the staff we got, Dennis, that I guess came from OGC, that if the new SECY didn't explicitly address 087, only those parts of 087 that were addressed in the new SECY are new, but anything in the old one still is in play. So, 087 would still have to be covered under this. That's the feedback we got relative to the last, the SECY, the -- what is it? -- 0076, 22-0076 on CCFs?

MR. BENNER: Uh-hum.

CHAIR BROWN: So, that right now is we're waiting. Everybody is waiting for a response from the Commission.

MR. NGUYEN: That's correct.

MR. BLEY: This gets kind of confusing.

MR. HECHT: I just wanted to say --

CHAIR BROWN: Are you still there?

MR. HECHT: Yes. I just wanted to make the point that the new SECY, of course, does allow significant change with respect to CCFs and allowing this risk-based approach to be used for that, for less serious hazards. The diversity requirement would be somewhat relaxed. I'm not sure that has any bearing on 1.152, but it might, and so, particularly for those less hazardous, low-level hazards. So, that's really the question.

MR. BLEY: This stuff gets kind of confusing. I'm curious -- because I don't remember -- are there many places where specific revisions of, I mean versions of standards are called out in the rules?

MR. BENNER: This is Eric Benner.

That section of the rules has -- it is a limited set, and it's, basically, that as we --

(Unrelated comment from unknown participant.)

CHAIR BROWN: Has somebody else got their mic on? Ron? Eric?

MS. ANTONESCU: You're okay now, Member Brown.

CHAIR BROWN: Okay.

MR. BENNER: This is Eric Benner again.

It is a finite set, and if you go to 10 CFR 50.55, it is a very finite set of codes that are truly incorporated by reference into the regulations.

And it's, basically, in this technical domain, it's IEEE 603 and its predecessor, IEEE 279. The big usage of that area is for the various ASME standards that we have mandated for licensees.

So, we endorse a lot of different standards, organization standards, but it is a very small set that are truly incorporated by reference into the regulations.

MR. BLEY: Thanks, Eric. That's what I thought, but it creates problems, you know. Okay.

CHAIR BROWN: Okay, Khoi. Slides back up.

MR. NGUYEN: Okay. Let's move to the next slide, slide 8, please.

So, the 7-4.3.2 was developed in 1982 to provide supplemental guidance on how to meet the requirements in IEEE 2003 when using programmable digital devices in safety systems in nuclear power plants. Since then, the standard has been updated periodically to encompass the evolving technologies and to incorporate the NRC guidance, such as Reg Guide and Interim Staff Guidance. And I will speak of these guidances later.

Any questions on this slide?

(No response.)

On slide 9, the previous edition of standards, 7-4.3.2, on the computer-based digital system, by changing the term "computer" to "programmable digital device," Revision 2016 of 7-4.3.2 expanded the coverage to programmable digital devices and to encompass the technologies of the field-programmable gate array, or FPGA.

The term "programmable digital device" envelopes any device that relies on software instruction or programmable logic to accomplish a function. Examples include computer programmable logic or hardware device, or any device with firmware.

Revision 2010 of IEEE Standard 7-4.3.2 incorporated the data communication independence guidance from Interim Staff Guidance, or ISG-04, for evaluating the communication independence between the redundant portion of the safety system, the non-safety division, and between safety and no safety systems.

I will talk more about the incorporation of the ISG-04 later on in the next few slides.

Any questions on this slide?

(No response.)

The next slide, slide 10.

I will go over the major changes in IEEE Standard 7-4.3.2, 2016 version. The 2016 version of the standard changed the term "computer" to "programmable digital device," as I mentioned earlier.

It also incorporated SDOE guidance from Reg Guide 1.152, Revision 3 and providing the specific criteria on the use of software tools used for digital devices and the development of hardware, software, and firmware, and programmable

It's also revising Annex D, "Identification and Control of Hazards." And more on this will be covered later.

MEMBER HALNON: Khoi, could you elaborate a little bit on the second bullet, "Incorporating the SDOE guidance through Reg Guide Revision 3"?

MR. NGUYEN: Yes.

MEMBER HALNON: It feels kind of incestuous that, you know, you're endorsing a document that uses criteria out of your document. It doesn't make a lot of sense.

MR. NGUYEN: As mentioned, though, by Eric, we are working closely with the IEEE Working Group and encourage them to adopt the NRC guidance, either in the Reg Guide or ISG or BTP. So, we have a clean endorsement.

MEMBER HALNON: Okay. So, then, the Revision 3 information was not in the previous versions of 7-4.3.2?

MR. NGUYEN: No.

MEMBER HALNON: So, that was an exception you all took in Revision --

MR. NGUYEN: Yes. Yes.

MEMBER HALNON: Okay. I didn't go back and look at Rev 3. Thanks. That makes sense.

MR. NGUYEN: Any other question?

(No response.)

We will move to slide 11.

This slide and the next slide will describe the major change in Revision 2016 of 7-4.2.3, comparing with 2003 of the standard. I will go over it one-by-one.

The first one is Clause 5.1. This clause was expanded to include the criteria for the programmable digital devices with respect to the failure of a single device and the spurious actuation.

These criteria are consistent with criteria in Section 3.1.5 of ISG-04, and therefore, acceptable.

I will pause here for any questions regarding to changing Clause 5.1.

(No response.)

MR. NGUYEN: Okay. The next one --

CHAIR BROWN: If we hear nothing, take advantage of that.

MR. NGUYEN: All right. Clause 5.3.2 was expanded to identify different software tools. The identification supports the requirement of IEEE Standard 828, the 2005 version, and should be the standard for software configuration management plans, which is endorsed by --

CHAIR BROWN: Which one are you on right now? Which of the little lines?

MR. NGUYEN: The second line, Clause --

CHAIR BROWN: Oh, Clause 5.3.2?

MR. NGUYEN: Yes.

CHAIR BROWN: Oh, okay. All right.

MR. NGUYEN: Yes. So, IEEE Standard 828 was endorsed by Reg Guide 1.169; therefore, configuration management plan for digital computer software used in the safety systems of nuclear power plants.

Clause 5.5.4 was added as a new clause.

It was added to incorporate the ISG-04 guidance with regard to communication independence, as I mentioned earlier.

MR. BLEY: Khoi?

MR. NGUYEN: Yes?

MR. BLEY: This is Dennis Bley again.

I see a number of these are incorporating ISG-04 guidance. Is it sufficient that you'll be able to retire ISG-04 after this Reg Guide is final?

MR. NGUYEN: Yes, the staff has that intention. But that will be done under, you know, a different process. We may have to transfer or incorporate the ISG-04 guidance to either the SRP or BTP before we can retire ISG-04. But that's the staff's intention.

MR. BLEY: Okay.

MR. BENNER: Yes, Dennis, this is Eric Benner again.

MR. BLEY: Yes, Eric?

MR. BENNER: That's clearly our intention.

Strictly speaking, Reg Guides are guidance to the applicants, and the Standard Review Plan is guidance to staff. But we are, as part of our overall plan, our hope is for any of this interim stuff that's been lying around to make sure it gets populated to both the guidance to industry and the guidance the staff, and then, sunset it.

MR. BLEY: So, Eric, for the poor guy out in the field who's not been doing this before and is now turning to your guidance, how does that person know not to use certain parts of ISG-04? Do you have a roadmap for them or something? Or is it just up to them to figure it out?

MR. BENNER: We don't have the best roadmap. That is something we've been working with industry on to make it clear how -- that's the term "the spaghetti chart" of how it all fits together.

So, that's certainly a communications challenge that we have. I will admit there isn't the best roadmap as to how it all fits together.

MR. BLEY: I hope you can come up with one. We'd be interested in seeing it, but I don't think it's a big, high issue for us. But I do feel sorry for people who haven't been through the process with you as we got to this point.

MR. BENNER: Yes, at a minimum, we can talk about a dedicated discussion. We did have a meeting with industry where we outlined what we thought the appropriate to-be state was, and we got very positive feedback. So, I think the people doing this work kind of know the destination, but, then, awkwardness is to get to that destination there's a bunch of interim waypoints. So, it is going to be somewhat of a challenge for everyone to keep it straight for all those interim waypoints.

MR. BLEY: Okay.

MR. BENNER: Certainly, we can have a discussion. On a minimum, we should just be able to share the presentation materials we used in that workshop with the Committee.

MR. BLEY: Okay. Thanks.

MR. NGUYEN: Then, moving on to change in Clause 5.6, "Independence." Again, this clause was revised to incorporate the ISG-04 guidance, mainly data communication independence.

The next one is --

51 1 CHAIR BROWN: No. No, stay right there 2 for a minute.

3 MR. NGUYEN: Okay.

4 CHAIR BROWN: I've got this thing open 5 right now. And there's some kind of conflicting 6 statements that I wanted to -- not conflicting --

7 absence of information.

8 MR. BLEY: Charlie, can you say the Reg 9 Guide, Charlie, for us to follow you?

10 CHAIR BROWN: Pardon? Yes, I'm looking at 11 the IEEE Standard 7-4.3.2, Section 5.6, 12 "Independence," which is what he's referring to right 13 now.

14 MR. BLEY: Okay. I just wanted to make 15 sure where you were. Okay. Thank you.

CHAIR BROWN: Yes, absolutely. I'm sorry about that. I should have been more clear.

The very first sentence says, "In addition to the requirements of 2009, data communication between safety divisions" -- okay? -- "or between safety and non-safety divisions shall not inhibit the performance of the safety function."

Later on, it says, "The safety function of each safety channel shall be protected from adverse influence" -- this is in the third paragraph -- "from outside the division of which that channel is a member. Information outside the division shall not be able to inhibit or delay," whatever.

Then it goes on to say, "This protection shall be implemented within the affected division rather than sources outside the division" -- in other words, in a network farther away; you know where I'm going -- "and shall not itself be affected by any condition or information from outside the affected division," which effectively says our communications going anyplace else can be susceptible to being bypassed.

And yet, we don't ever address unidirectional communications. The word "unidirectional" is not used anywhere in any of these Reg Guides or the IEEE standard.

So, you have a large discussion which we haven't gotten to relative to the cyber security paragraph in the Reg Guide. I'm just saying there are some inconsistencies relative to being clear.

And I'll just go ahead and bring this: independence and control of access are virtually hand-in-glove when you really get down to it. I'm just making a comparison to our previous standard analog world. Physical security was all we had to worry about.

And, in fact, if you look at the physical security of a plant, it's multilayered. You've got a fence with guards and guns just to get onto the site. You can't get into the plant without going through more guards and guns. You can't get into the rooms where the I&C equipment is without keys, which you can't get from anyplace but the main control room or designated location with somebody -- you know, that you take it and sign for it and be authorized to do it. And then, on the cabinets, you have locks.

In other words, the system itself is its first line of defense and everything else is a layer outside to ensure you don't ever attack that very last part of the fence.

Once we introduce computer systems into these, we've now changed the metric. Physical security still exists, but now we keep -- well, you know where I'm going again -- we keep insisting that we can't do design stuff in the system to make it unidirectional, as its first line of defense. And yet, we insist on we'll address it programmatically when we do all the critical digital assets, networks.

How does it get in the fence in the first place?

There's not even a part in the Reg Guide or IEEE standard. There's a big paragraph on physical security. There is none on external electronic access security.

There's a big disconnect, which, in my view, is a huge safety gap in terms of how we address this stuff. I'm not saying that the Reg Guide should be a source of cyber security programmatic issues.

That's not the point. That would not be the right way to do anything.

But the security of our safety systems should be at least protected in the same manner, and allowance when you're designing it, as we do with the physical security and putting locks on the cabinets.

They come from the vendor that way. It's not like they show up on the site and we weld padlocks onto the doors. It's just that's not the way it's done.

So, that's an inconsistency in terms of how we address that. And that's one of my concerns as to how do we bridge that gap in your -- if I get the right page here. Someplace in this mass of paperwork that you gave me, there's the discussion on -- oh, here it is, control of access in the Reg Guide, where you rightly say the Reg Guide is not intended to address cyber security, fundamentally. You know, that comes under 5.7.1.

But you state it in a manner that is just inconsistent. You say it's not intended to address "protective features, such as communication independence and control of access to prevent malicious cyber attacks." So, I mean, effectively -- but you have a little line at the end which says licensees and applicants should also consider the cyber security guidance in preparing a design certification under Part 52. But nowhere in here do we provide any guidance on what is an acceptable method -- without dictating -- but what's an acceptable method for providing this control of access.

With the watchdog timers, you did that.

You did a good job of importing -- which is the first time I've seen in it any of these documents -- a good discussion on the watchdog timers. And I'm trying to remember whether it's in the Reg Guide or whether it's in the IEEE --

MEMBER HALNON: It's in the Reg Guide. It's in diagnostics.

CHAIR BROWN: Pardon?

MEMBER HALNON: It's in the self-diagnostics section.

CHAIR BROWN: Under "Clarifications"?

MEMBER HALNON: Yes.

CHAIR BROWN: How come I can't find it?

MEMBER HALNON: I'll find it for you.

CHAIR BROWN: I've got it written down here somewhere.

MR. NGUYEN: The watchdog timer paragraph was purposely written for you, Mr. Brown.

CHAIR BROWN: For me? I know. Well, it's not for me.

MEMBER HALNON: It had "Charlie Brown" written all over it.

CHAIR BROWN: It was for the Committee. Nothing gets done without the Committee's agreement.

Where are the words -- did you find which Reg Guide it is?

MEMBER HALNON: I'm looking for it. Yes, I'm looking for it.

CHAIR BROWN: Oh, I found it. Okay. I found it. Never mind.

Section 1, it's Clarification 1.2.1, where you ended the discussion of watchdog timers, which was a good explanation. I wasn't going to contest that at all. But you ended it by saying, "One method the NRC finds acceptable for indicating" -- and you talk about other methods of doing -- you say they can do various methods. You don't dictate it. Obviously, anybody that uses a software timer in another little package of new software, that's got to be, why would you do that? It's kind of mindless. It's more software that you have to deal with.

But here, you say, "One method the staff agrees acceptable would be implementing a watchdog timer to use a hardware-based device to perform WDT counter reset timeout and failsafe functions." An acceptable method, you left that out of the control of access. The words were nice at the licensee, but it would have been -- I probably wouldn't be having this conversation if you had said, "A method that the staff considers acceptable would be the use of unidirectional, one-way, not configured, fast software communication devices for communications external to the safety systems."

And I don't mean just RPS. I mean, in reality, when you think about safety systems -- take your reactivity control system, for instance. You really don't want to have bidirectional communication.

You want a guy to turn a switch and the rods go in or they go out. You want to send data back to the main control room to say, hey, this happened or this didn't happen, because it may have -- it probably has got software in the control system now, and you want to know what it's doing. But that ought to be unidirectional.

Under "Safety systems," those are not safety systems per se, I don't think. They're -- I don't know, how is, Greg, the reactivity control system referred to? Are they safety-related or are they --

MEMBER HALNON: Yes.

CHAIR BROWN: -- non-safety?

MEMBER HALNON: No, any reactivity control would be safety-related.

CHAIR BROWN: Well, in here, they talk about self-diagnostics for safety-related DI&C systems. To, to me, that applies to safety systems and things like rod control or other safeguard controls, you've got to assume.

MEMBER HALNON: Charlie, I want to make sure I'm clear on where you're going. This is Greg.

CHAIR BROWN: Okay, go ahead.

MEMBER HALNON: We started in independence --

CHAIR BROWN: Yes.

MEMBER HALNON: -- and we transferred over to controlled access, and then, went back to self-diagnostics. Can you, in a sentence or two, describe to me what -- I understand the relationship where it says independence, you want it, you know, low propagation of failure from safety to non-safety. And I think that's where you get to the communication piece, and you jumped to controlled access.

CHAIR BROWN: There are two separate pieces.

MEMBER HALNON: Okay.

CHAIR BROWN: And, one, I was saying the self-diagnostics and use of watchdog timers is in one section, and it provides guidance on what the staff would consider acceptable.

Now, we're out of that.

MEMBER HALNON: Okay.

CHAIR BROWN: Now, we go over to independence and control --

MEMBER HALNON: It's in controlled access they jump to 5.7.1, which, to me, is pretty comprehensive. It may be almost too comprehensive --

CHAIR BROWN: Well, it is.

MEMBER HALNON: -- to figure out where you need to go. But the basic, fundamental principles of 5.7.1 are, to me, as applied to the control of access, which would bleed over into the independence automatically because of the way you have to design the control of access, which is -- or the cyber aspect of it.

So, I --

CHAIR BROWN: Go ahead.

MEMBER HALNON: What I'm trying to figure out, what is the deficient in the Reg that you're talking about it?

CHAIR BROWN: In the past prior to your arrival, we have frequently had many discussions in design applications, because there was not -- in fact, going back to 2009 and 2010, there was not -- they were bidirectional communications in the things. And we wrote our letters to say, no, they need to be unidirectional, hardware-based, et cetera.

The response back was: can't deal with that because that's cover programmatically under the application 7.5.1, which you do five or six years later. So, we'll come back and redesign the system because we identified that they don't have unidirectional. That's been going on now for years.

Now, it so happens that the applicants have figured out pretty quickly that they probably weren't going to get the Betty Crocker Good Housekeeping Stamp of Approval from the Committee without having unidirectional, one-way, hardware-based, and that's what they've done.

My point is, we can't dictate; we can't be prescriptive. And I was trying to make a comparison with the watchdog timer. We weren't prescriptive, but we said there's a method acceptable which is what we would like to see. It's not contained in the same place, similar place, under the control of access.

MEMBER HALNON: Okay.

CHAIR BROWN: So, that's how I was bouncing around, but not --

MEMBER HALNON: In your mind, you were succinct.

CHAIR BROWN: I was very clear. Well, it's a problem with my letters, as you all keep trying to tell me.

(Laughter.)

No, I accept that.

MEMBER HALNON: Okay. Got it.

CHAIR BROWN: Okay. Did I clear that up?

We've gotten here much earlier than I thought we would have gotten here. I wasn't --

MR. BENNER: Well, that's a first in the discussion today.

Member Brown, I think we understand what you're saying. I think we clearly can consider, right, adding something similar about where unidirectional communications can be one way of addressing, a differential --

CHAIR BROWN: Yes, and maybe --

MR. BENNER: We've done that in our guidance documents.

CHAIR BROWN: We ought to be kind of specific.

MR. BENNER: Yes.

CHAIR BROWN: We want to make sure there are hardware not configured by software. I mean, all communications devices, you've got to take data and you've got to format it and lay it out, so you can send it out through the device.

MR. BENNER: Yes.

CHAIR BROWN: That's software. There's no way you can get away from that. But configuring that communication device should not be able to be done by somebody coming into it and reformatting it, so now it's not --

MEMBER MARCH-LEUBA: Let's be specific. By "configuring," you mean changing the direction of --

CHAIR BROWN: From unidirectional to bidirectional. Because a lot of the devices out there have both methodologies them and they configure the software based on the operating system.

MEMBER MARCH-LEUBA: Yes. Yes, but there is an available configuration when you define the baud rate and the pulse rate --

CHAIR BROWN: Yes. Yes, that's all --

MEMBER MARCH-LEUBA: And that can be done by software.

CHAIR BROWN: That's right. Baud rate, but that's not directionality. So, that's why we --

MEMBER MARCH-LEUBA: In the second configuration, I'm always marking here a little bit because it's broader than what you --

CHAIR BROWN: The main point is unidirectional, data diode-type style stuff, whatever the words may be. And I just think that's a way, by putting that in along with the cyber part -- because I'm not trying to intrude into the cyber world.

There's too much arguing about what CDAs you do, when, and where, and everything else.

But I'm just thinking about the layers of defense, and the equipment ought to be able to provide its own defense, and do that at the early stages during the design. And you talk about the design -- I've forgotten where it was -- during the design application, though. Yes, during the design certification under Part 52.

So, when we had the back-and-forth -- this is just discussion, okay? -- relative to the letter to the Chairman and the responses --

MEMBER MARCH-LEUBA: Uh-hum.

CHAIR BROWN: -- and all that kind of stuff, I didn't take issue -- we did not write a letter in terms of the response. We waited because you said you were going to go revise 1.152, 5.7; BTP 7-19, on and on. So, talking about it in abstract -- it was much better to talk about it with the specific Reg Guides, and stuff.

But I view, as opposed to us saying it's not a safety doubt, a safety concern, I think it is, but there wasn't any sense in mounting a horse on the pike and driving down the thing and seeing who we could knock off the horse on the other end. It just didn't make any sense.

And I was just trying to point out there's a way to use your all's methodologies, get the point across, such that we're not inhibited during the design cert stage with this back-and-forth. Okay?

But, anyway, that's kind of covered that aspect.

MR. NGUYEN: I think Rich Stattel had something to say.

CHAIR BROWN: Yes, Rich, go ahead.

MR. STATTEL: Thank you. I'm Richard Stattel. I work in NRR.

I also want to mention that I was the NRC representative on the working group that developed these standards over these years.

And I think it's worth noting that, in Annex E of the standard, there are sections that do provide acceptable methods that include unidirectional communication from safety to non-safety and between divisions.

CHAIR BROWN: You didn't endorse it, though.

MR. STATTEL: Yes, okay, I'll explain that.

CHAIR BROWN: Okay.

MR. STATTEL: So, in the IEEE Working Group, we did recognize those as acceptable ways to instantiate communications independent.

When we were developing the Reg Guide, the decision was made not to endorse Annex E. This was made in the previous revision as well, right? And the reason was because the Annex is informative and it doesn't provide the guidance. So, in other words, the criteria for independence is in the body of the standards. The Annex provides acceptable methods that the IEEE considered to be acceptable. So, we typically don't endorse methods; we endorse the criteria, the acceptance criteria. So, I'm just explaining that's the reasoning behind that.

CHAIR BROWN: Okay. No, I appreciate that. I understand that. Thank you. I understand that. Thank you, Rich.

MR. NGUYEN: I would like to add onto what Rich just said. The reason we didn't endorse Annex E, also, because the Annex is technology-focused and provides a few methods or examples, but there are some other examples out there for one-way communication.

If we endorse this, then it may send a strong message that these are the only methods we accept.

So, I mean, for your comments on the acceptable method the NRC staff can consider, we can consider something like, but I wouldn't go far to go to specific hardware like, you know, diodes.

CHAIR BROWN: Well, data diodes are kind of a generic --

MR. NGUYEN: Right. Because, out there, there's a --

CHAIR BROWN: A diode is a hardware, fundamentally, a hardware-based device, and that's what we're really looking for.

MR. NGUYEN: Right.

CHAIR BROWN: Just we've got to find a way -- this Reg Guide is a critical Reg Guide. This is the one I was waiting for to see what revisions would come through and how you all would address it. And the Reg Guide actually came out pretty decent for the most part. I've got some other questions, but they aren't on these high-level items.

And the WDT methodology that you used is reasonable. You need a few words to do that for the communication device because it does need to be clear that it's unidirectional -- okay? -- and it's hardware-based. That way, you don't get into the software configured part of it. If it's hardware, pretty much it's hardware.

I'm not familiar with every design that's out there, but maybe hardware -- if I was a vendor, I would not even have two directions. It would be one literal output which you can't reverse physically.

You'd have to rewire it. And that's technology-neutral.

Anyway, the issue is out on the table.

Obviously, that's something we will, I will be addressing somehow in our response on this.

Are there any other -- Jose, do you have anything else to say on that?

MEMBER MARCH-LEUBA: No, I think I would like to see in the guide acceptable ways of unidirectional. If you find a better one, please submit it to us; we'll review it.

It simplifies -- when I'm a designer or an applicant, I have to go to my boss and convince him to let me spend money on doing something. And if that something is in the guide, as an example, it's a lot easier to do it. Anyway, I think it would be worthwhile if it wasn't limited.

CHAIR BROWN: If you think unidirectional devices are going to exorbitantly increase the price and cost of building these systems, we're talking about a 1 penny part in a $100 million operation.

That's a slight exaggeration, but then it's relative to --

MR. NGUYEN: I don't think --

CHAIR BROWN: -- the line of resistance.

MR. NGUYEN: I'm sorry.

CHAIR BROWN: I'm sorry, go ahead, Khoi.

MR. NGUYEN: I don't think that's a concern from an applicant or a licensee. I think the most concern is they have, in order to implement the hardware for the communication, they have to revise a lot of procedures because, currently, the plan is using two-way communication for some specific tasks, like set point change, firmware/software updated, data connection. So, if you have the hardware device installed permanently without revising the procedure, that may be the problem.

CHAIR BROWN: I would disagree with that.

The communication out to the main control room into all other safety systems are not the path you utilize to make software changes. You use your maintenance and test equipment. You reconnect a cable to go do that. You control the software that goes in, whatever you're going to do, and that's where you make your adjustments.

MR. NGUYEN: Yes, and --

CHAIR BROWN: So, I would disagree with that. Bidirectional communications to a main control or any other network should not be on the table anywhere. So, I would disagree with you. I would agree with Eric that there's a simple way to do this.

It should be unidirectional or one-way, however you want to phrase it. But we ought to find a way to compromise and get our way -- not get our way -- but get our way through this conundrum time after time.

MEMBER MARCH-LEUBA: I think the --

CHAIR BROWN: Go ahead.

MEMBER MARCH-LEUBA: I think the way on this echo, saying a licensing review of reactor containing two-way communication between 60 computers, blah, blah, blah, would require much greater scrutiny.

And you warn the applicant, if you want to go this way, you're going to pay your pound of flesh. Right?

CHAIR BROWN: We'll disagree with it when it comes in.

MEMBER MARCH-LEUBA: And you have inherent aversion to risk by saying it that way. But if you have a reason for doing it --

CHAIR BROWN: That's why utilizing similar words to the watchdog timer I think is a clear way of saying it.

MEMBER MARCH-LEUBA: Yes.

CHAIR BROWN: And then, if someone wants to take exception, they can.

MEMBER MARCH-LEUBA: No, but Appendix E, echo, says the watchdog timer language, and it says, if you don't do this, you guys be aware that it is going to take --

CHAIR BROWN: Where are you talking about it?

MEMBER MARCH-LEUBA: It's the Appendix E of 7-4.3.2.

CHAIR BROWN: Yes, but that's not endorsed. I don't know what they do with that.

MEMBER MARCH-LEUBA: I'm saying that that language is very valuable.

CHAIR BROWN: Yes, that's valuable in the context of at least saying something similar to what the watchdog timer words path is. And the words "it's an acceptable method" would be to do that, because that does not tell them they have to do it. It allows them to -- and they can use whatever language that's in the IEEE standard to get to where they want to go.

MEMBER PETTI: But you're talking about putting some words into the Reg Guide, not into the IEEE standard?

CHAIR BROWN: In the Reg Guide, oh, yes, absolutely, not the --

MEMBER PETTI: Yes, yes.

CHAIR BROWN: And it would be in the paragraph where, that exhaustive paragraph on licensees and applications, blah, blah, blah. "A suitable method for doing this would be the one-way, unidirectional communication device, et cetera."

That would be -- anyway, that's where we're ending. We can stop this. I think we've hit this hard enough, unless somebody from my Committee members would like to -- Steve, do you want to say something.

MR. SCHULTZ: I have one more comment, and it relates to -- this is Steve Schultz -- it relates to the Branch Technical Position that the Committee commented on --

CHAIR BROWN: 7-19?

MR. SCHULTZ: Yes, 7-19, that the Committee commented on in 2021. And the Commissioners were involved because our letter went to the Commission related to that and the use of unidirectional systems for defense-in-depth and diversity.

CHAIR BROWN: Yes.

MR. SCHULTZ: And as I understood it, the staff said that this would be addressed by doing back to the Branch Technical Position and incorporating an example; that unidirectional systems would be a way in which to improve the review or simplify the review as far as defense-in-depth opportunities were available.

Is that something that's been done?

CHAIR BROWN: No, 7-19 has not been brought back up on the table. It's still --

MR. SCHULTZ: Okay.

CHAIR BROWN: This was the first olive out of the bottle.

MR. SCHULTZ: Coming back through it?

CHAIR BROWN: Yes.

MR. BENNER: Yes, this is Eric Benner again.

From a timing standpoint, we had already planned to update this Reg Guide. You're familiar that we were in the throes of updating Reg Guide 5.71.

So, the direction we got from the EDO was for there to be several guidance documents that we updated to address this issue. So, it's timing issue.

CHAIR BROWN: Okay.

MR. BENNER: For the Branch Technical Position, our schedule for updating that is longer because we have two ongoing, major licensing reviews, and our objective was to not update the BTP again until we get pretty far through those reviews. So, we could also incorporate lessons learned from those reviews into that guidance document.

MR. SCHULTZ: So, all of the documentation that changed hands at that time will be addressed when that's revised later?

MR. BENNER: Uh-hum. Right.

MR. SCHULTZ: And is the same, then, true for Reg Guide 5.71?

MR. BENNER: 5.71 I believe did have changes made. That came to the -- I can't remember if that was before the Committee or not. But changes were made to that soon after we got the direction from the EDO.

And I believe Kim is on the line. She probably is much more knowledgeable than I am on that.

MR. SCHULTZ: That was going to, essentially, reconnect to this Reg Guide to demonstrate that there was a cross-reference, if you will, between the two.

MR. BLEY: Before you go to Kim, I guess I don't understand why all these wouldn't be consistent, and why you wouldn't have something of the language Charlie is talking about here if you're going to have it over there.

MEMBER HALNON: Yes, that's what I was hoping for.

MR. BENNER: Well, and for us, they are consistent, right? Some of the things we've done here were consistent with the other documents. So now, we're being asked to maybe add something else, and we're going to consider that, but I can't go back and, you know, make the things that have already gone through the chute consistent until their next review cycle.

CHAIR BROWN: I'm looking at the letter, the July 14th letter, right now that came back. And they said, the team recommended they would revise 7-19, how the staff could reduce the scope of defend/diversity when a design includes unidirectional. So, they had the words that they were going to go do this, and then, also, at one point have 1.152 and Reg Guide 5.71 --

MR. SCHULTZ: Exactly, and it says --

CHAIR BROWN: And their reference is to 5.71 -- and they did incorporate into 1.152 references to 5.71. It's just absent a sentence that they need to put in.

MR. SCHULTZ: Yes, I understand that. And I agree with you. It says, "as soon as practicable."

So, I'm sorry it's still coming; that's all.

MR. NGUYEN: So, what will come out on the final version of this Reg Guide, the subject tried to be consistent with all the guidance, BTP or all the Reg Guides.

CHAIR BROWN: The BTP is absent that right now. You all did not incorporate the stuff we've proposed. That's why we ended up writing the letter to the Chairman, because we've through this rabbit hole several times. Willing to wait. Okay?

Hopefully, I won't die before then.

But this particular Reg Guide is a key Reg Guide defining how you use and communicate and maintain independence when you're using computer-based equipment. And they did a good job on the watchdog timer in terms of making sure processors work. That came out pretty decent, not dictatorial, but provided a thought process on what you all would consider.

Using that same thought process for that one particular paragraph in the Reg Guide, making it similar would, I think, go a long way to getting this issue out of our letters.

(Laughter.)

MR. NGUYEN: Okay. Thank you very much for your suggestion --

CHAIR BROWN: We can go on, if you would like.

MR. NGUYEN: And the staff will consider your suggestion.

All right. The next one is Clause 5.7. This clause was expanded to include additional guidance for the measurement and test equipment for IT, which is consistent with current regulation and considered good practice to ensure the proper functionality of the safety system and the tests.

CHAIR BROWN: Before you leave 5.7, we might as well go ahead and get this copy out on the table as well. I thought I underlined all of -- I'll just pick the one place I know I had it, since I've marked it in red.

And it's referring to wireless communications.

MR. NGUYEN: Which section you are at?

CHAIR BROWN: I'm in 5.7, "Capability for Tests and Calibration."

MR. NGUYEN: Okay.

CHAIR BROWN: The third paragraph was the first, I think it's the first mention. I was going to call that up and see if I've got 7-4.3.2. And it's in the third paragraph, the last sentence.

22 MEMBER MARCH-LEUBA: Do you want me to 23 read it?

24 It says, "Wireless receivers and 25 transmitters on temporarily connected M&TEs shall be NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

78 1 disabled prior to connecting to safety-related 2 equipment."

3 CHAIR BROWN: Yes, and similar words, 4 there's another set of words in 5.9.2. The last 5 paragraph says, "All wireless capabilities shall be 6 disabled on the workstations. All wireless 7 capabilities on the M&TE equipment shall be disabled 8 prior to connecting to safety-related equipment."

9 But if you read the whole thing through 10 here, you get the thought process is that, not 11 directly, but indirectly, it says the use of wireless 12 is okay.

13 And just as an example, even with MT&E, it 14 says make sure you've disconnected your wireless 15 before you hook it up to your equipment to make 16 changes in set points or software changes, or whatever 17 you need to do. So, that's shutting the barn door 18 after you've already opened it up, after you've 19 downloaded from the vendor over the internet some 20 software package for changing or fixing a problem, and 21 now, it's in the M&TE. So, you disconnect it, and 22 now, you connect it to your toast; the virus is 23 planted. It doesn't compute. That's all I --

24 MEMBER MARCH-LEUBA: So, you want 25 requirements on the measurement and testing equipment?

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

CHAIR BROWN: It's just the issue is wireless communications. You don't want to build equipment that has wireless capability, and then, have the vendor send the stuff directly to the safety system via some wireless connection you have. The wireless issue should be addressed more succinctly, a little bit in more detail.

MEMBER MARCH-LEUBA: And wireless refers to a dead-end network.

CHAIR BROWN: I don't know whether that's the case or not.

MEMBER MARCH-LEUBA: I mean, you don't go wireless more than 100 feet?

CHAIR BROWN: I don't know. I'm not an expert on that. All I know is wireless says to me wireless. You're running around wireless with your cell phone all over the country and you're still getting information and your software just changed.

If you're driving a car that's computer-driven with wireless connections, they can download software while you're driving that stops your car.

So, that's wireless. Okay? It's available.

So, something needs to be done to address the wireless issue. It's just these two side discussions on the wireless issue that stuck out at me.

MEMBER MARCH-LEUBA: For reference, the instrument technician would have an iPad that he takes to calibrate equipment in the safety system. And what this tells it is that, before you disconnect the USB to your safety-related system, you need to disable the wireless antenna.

CHAIR BROWN: That's right.

MEMBER MARCH-LEUBA: What you're saying is, five minutes before you disable the wireless antenna, somebody might have some malware.

CHAIR BROWN: That's right.

MEMBER MARCH-LEUBA: And now, you inject that via USB.

CHAIR BROWN: Exactly.

MEMBER MARCH-LEUBA: An issue.

MEMBER PETTI: You, basically, want those iPads to have never seen --

CHAIR BROWN: They should have no wireless connection. If they want to change the software, there ought to be a package delivered CD, thumb drive, whatever you do, you plug it into your iPad; you download the --

MEMBER MARCH-LEUBA: You're just moving the problem one more --

CHAIR BROWN: Well, you've got your SDOE, theoretically, which covers the download on that thumb drive that you bring in. All I'm saying is there's got to be a way to not -- there are more secure ways to do things than with the wireless connections.

You're right, if a guy brings his iPad in, that it could be a problem --

MEMBER MARCH-LEUBA: Uh-hum, I can see it.

CHAIR BROWN: -- what you do with it.

MEMBER MARCH-LEUBA: But it's difficult to -- I mean, if you a vendor is going to send me an update -- just a set point, for example, there must be an update in the systems, the set point values -- they're not going to send in paper anymore.

CHAIR BROWN: You don't actually do that.

I didn't ask for paper.

(Laughter.)

MEMBER MARCH-LEUBA: Yes, consideration has to be given that the M&TE equipment is secure. It should be assumed it's not secure.

MR. BENNER: I think we understand the concern and the potential factor, because even -- you know, it's a different factor, but the reality is, like you say, if there's a software update for the M&TE, it's got to come through some mechanism, right, whether it's wireless, right, or whether it's -- on my car, I get an email and I can download it to a USB thumb drive and put it in. All those vectors are a way to get malware. And like you say, if you connect the M&TE to the safety system, that's a vector.

So, I think we understand the concern and we'll caucus --

CHAIR BROWN: You're going to connect.

MR. BENNER: Yes, by definition.

CHAIR BROWN: I mean, you've got to connect something to it.

MR. BENNER: Yes. By definition, there are multiple connections. There's a connection for M&TE. There's a connection to the equipment, and there's a connection to something to update --

CHAIR BROWN: To get the information for --

MR. BENNER: So, it is whether the appropriate controls for any vector, whether it's wireless or whether it's other vectors.

CHAIR BROWN: I do know that one of the design applications that we saw had a separate maintenance cabinet, but you had to hook up a cable.

You know, you had to go open it up and connect a cable up to the safety systems in order to download it.

Well, the downloads had to get into that maintenance cabinet somehow. It's just a matter that no system is 100 percent secure. No matter what you do in a safety development and operating environment, there is no 100 percent guarantee. It's just you don't make it easier.

I don't know, I faced that issue 20 years ago before I retired. Because the vendors, now that we had E-Squared PROM that you could erase, boot back up -- in the old days, we didn't have E-Squared PROM.

It was read-only. Okay?

And once we got it, oh, God, this opens up a whole world. We can send a new software package down to you via the internet and you can just plug it into your stuff while it's in the ship. Bad idea.

Really bad idea.

So, we ended up going to laptops. So, we'd get the information, put it on a thumb drive or a CD, or whatever we had back then, put it into the laptop. Take the laptop down and do it.

Now, did that mean it still could have a problem? It could still have a problem, but it was just what we had at the time.

MEMBER MARCH-LEUBA: No need to go into the solution there. The guys should point out the problem and they should say that it's up to the applicant to fix it.

CHAIR BROWN: Exactly. And this just leaves it hanging in the air; that's all.

MR. NGUYEN: Thank you for the comment, and the staff will consider the comment --

CHAIR BROWN: Okay.

MR. NGUYEN: -- and get back with you later.

CHAIR BROWN: Let me see if I've missed -- the other suggestion I would make, since we're on the control bullet, even though we haven't gotten to it on your slide, when you introduce the -- what's it called? -- control of access section, you've got physical security as a 5.9.1, or something like that.

There ought to be a 5.9.2 which talks about, with the introduction of software-based/computer-based systems, we've now introduced a new path for access to the systems, and talk about it in that context in terms of how you have to deal with it and the levels of security, the things you need to think about.

I'm not talking about just saying you've got to relate it back to cyber security. It's just it's a new path, and you've got to apply the same type of rules.

Now, if you're partway because 5.7.1 says I'm going to look at all the data coming into a plant or all the signals coming in or an internet, or what have you, I've got -- I don't know how many -- four levels or something like that in 5.7.1. You've got part of that covered. It's just the stuff right down at the equipment where we've right now been discussing.

But it just ought to make it clear that, hey, we've now introduced another significant source of access that you have to think about at the equipment level. Okay? Not asking for solutions.

Just you go through what are the issues involved with it, just like you do with physical security. You talk about the admin people physical security. Guys doing this; sign in, blah, blah, blah. Oh, there's all kinds of stuff you wrote down on physical security, like it's the least important item, right? It's much easier to do that than it is to do this other thing.

So, that's just the other suggestion in terms of clarity in the Reg Guide, identifying this as a second big, serious path. And we've mentioned that in the letters. We've talked about that in our letters to you before, about introducing this new path, which you'll probably see again sooner or later.

That was the only other point I had on the control-of-access stuff, I think, unless I remember something later.

MR. HECHT: Charlie, this is Myron.

CHAIR BROWN: Yes?

MR. HECHT: So, with regard to the previous point on downloads of software to M&TE for updates, either to M&TE itself or the actual computers in the safety system, or I should say programmable devices in the safety system, there are methods to ensure the integrity of the downloads. You know, hash codes for that. The software developers' computers, you can check as to whether they've been altered when they reach the destination.

And so that, if you can control what's being received by the M&TE -- for example, through only a specific wired connection to the laptop or whatever device you're using to transfer the material, the software to the safety system -- that, at the very least, you can ensure the integrity of the file.

That's being done now.

CHAIR BROWN: Okay.

MR. HECHT: It's unlikely that malware could be introduced that way.

CHAIR BROWN: Like I say, I'm not trying to say how. I'm not a programmer and I'm not a hash-tagger. But there are methods that at least provide some levels of security, and we ought to just recognize that that needs to be done, now that we're in this software configuration and access. And we just don't discuss it. So, that's the suggestion.

Thank you, Myron.

MR. STATTEL: If I may, Charlie?

CHAIR BROWN: Yes.

MR. STATTEL: This is Richard Stattel again.

I just want to speak a little bit about the working group's perspective when we developed this particular clause. So, I do understand your point.

The overriding requirement here is really in the first sentence of the paragraph.

CHAIR BROWN: Which one are you talking about?

MR. STATTEL: This is 5.7, in that third paragraph.

CHAIR BROWN: Yes.

MR. STATTEL: "The M&TE equipment used for safety systems shall not adversely affect the safety system functionality." And in our view, all vectors, all threat vectors that went through M&TE really should be addressed by that criteria there.

And it was brought to our attention while we were developing this, well, if the M&TE, if the laptop you're using to perform this -- you can have all the controls you want on the configuration of that laptop, but, then, if you have a wireless connection, that's creating a separate vector that's above and beyond that.

So, that is the reason why the working group added that clause at the end. We weren't intending it to be an allowance clause for wireless communications. We just wanted to address that one specific vector. We recognize there can be many other vectors into the M&TE, but our intention was that those would be addressed under the first criteria there.

CHAIR BROWN: I got that point, but when you start talking the use, that says, oh, well, if we've got to think about it in this context, that must mean it's okay --

MR. STATTEL: Right.

CHAIR BROWN: -- to apply it in some way, shape, or form.

MR. STATTEL: I understand that.

CHAIR BROWN: And I understand. I don't have any problem with the words you have there. I'm not following this. We're not expansive enough because it does give the implication that doing that just -- that's really okay. But without subsequent -- we're kind of giving it a little bit of a stamp of approval that you can use those techniques.

I mean, if I was a designer, I wouldn't have anything be wireless, but that's my personal opinion. I'm a dictator on my own stuff.

So, anyway, you'll probably see this.

Whatever the Committee comes out with, we're going to write a letter on this whole subject, and it will be whatever the Committee decides we want to put out. If I can remember some of this stuff long enough to even write a letter, it might be good. Hopefully, I get the transcript rapidly since we have to write a letter in another 14 days.

MR. BENNER: Yes, I was going to say, at least in this case, the full Committee meeting is pretty close to --

CHAIR BROWN: Yes, it's 12 days from now.

So, I'm on a real track to try to get the letter written.

MR. NGUYEN: So, the staff will come up with something to clarify the wireless criteria.

CHAIR BROWN: Yes. Well, the fact that the control of access is different, that's one thing.

And then, the wireless is another thing. We ought to be a little bit more expansive. This is not intended to say you should have a wireless plant. I don't know what you do. I'm just thinking outside the box.

There was another package in here, while we're talking about that, if I can -- in 7-4.3.2.

Where's the one on soft -- oh, it's 5.9.3, I think.

That whole thing talks about implementing intrusion detection software, virus protection software, access control software into the operating systems. And you say it should be avoided.

MR. NGUYEN: That whole section speaks to that whole Clause 5.9.4.3 -- it was from Revision 3.

CHAIR BROWN: That might well be Revision 3. Then, I missed that. Okay. If I had seen this then, I would have probably thrown up all over it.

You say, "When implementing cyber security features" -- and this is in this operating system -- "the following shall be addressed as a minimum. They shall be justified. Failure modes of the cyber security. The non-intrusive software features may be applied, but intrusive cyber security features shall only be executing when safety systems are out of service."

Well, what does that mean? That means a cyber security system is useless. The safety system is, theoretically, on all the time. Just the whole issue of incorporating virus software detection features into your operating system really compromises the ability for the control system to complete its operations, because it's got to be constantly updated.

It's reactive. You've got to constantly update virus softwares.

MEMBER MARCH-LEUBA: The easiest, simplest implementation -- and I think this is what the people who wrote this were thinking about -- is that you continuously check for the integrity of your executable programs. They're encrypted and they have a signature within them before you run them. And you make sure they haven't been modified. That's a cyber security feature and that can be --

CHAIR BROWN: Yes, but that's fixed.

Okay?

MEMBER MARCH-LEUBA: It's fixed, yes.

CHAIR BROWN: That's not intrusion detection per se. It says my code is still what it was before.

MEMBER MARCH-LEUBA: Well, that's intrusion. My code has not been modified.

CHAIR BROWN: Yes, they haven't broken into my house because the door lock is not broken.

MEMBER MARCH-LEUBA: Yes.

CHAIR BROWN: It's just somewhere in here it almost -- again, this is a little bit similar to the thought process on the other one. You don't want active virus detection software in the mainstream of your operating system.

And I agree with Jose, there are built-in things you don't have to constantly change. In other words, how do you verify your code at the beginning is the same as the one you started, you know, the same you started with? That type of verification, you do that with data checking when you send data -- with checksums, and what's the other --

MEMBER MARCH-LEUBA: CRC?

CHAIR BROWN: Cyclic redundancy checks.

You do that all the time in terms of can you confirm data that you send in is the same data coming out.

MR. NGUYEN: Fixsum.

CHAIR BROWN: Fixsum, cyclic redundancy checks, et cetera, you use all the time for this type of stuff. Because this is not -- that's on a data transmission. That's a communication issue, not an operational software.

MR. NGUYEN: But could that go to the self-diagnostic detection?

CHAIR BROWN: I don't know. I'm just saying that issue -- I'm just questioning whether we ought to be a little bit more cautionary. That's in the IEEE standard. I don't remember us saying anything -- I don't remember 1.1.5.2 addressing virus, you know, your Rev 4 or anything. I just think we need some type of cautionary tale that incorporating virus detection software that's active-type software into the operating system, you should be careful.

MEMBER HALNON: But, Charlie, they use the word "non-intrusive/intrusive." Are you conflating the word "active" --

CHAIR BROWN: Active means something that's constantly reviewing, stopping -- virus on your computer --

MEMBER HALNON: Yes. No, I understand.

CHAIR BROWN: -- and it slows down.

MEMBER HALNON: I guess my question to you -- I mean, everything you just said, I'm looking at 5.9.3 and I say it's there. So, I don't know. In my simple way of reading things, I see it's there, but if you feel like, you know, in your expertise, that it's not clear enough -- I mean, again, I'm in a learning mode.

CHAIR BROWN: I couldn't write virus protection software if you wanted me to.

MEMBER MARCH-LEUBA: Yes, but, if you read 5.9.3, it clearly says, "Implementation of cyber security features directly in the safety system should be avoided." That's exactly what you're saying. And the previous sentence says you should do it outside on the envelope.

CHAIR BROWN: Well, it says, "peripherally."

MEMBER MARCH-LEUBA: Yes. So, before you inject anything, you have to make sure it has run cyber check. I think it is properly "implement."

CHAIR BROWN: So, you're all satisfied with that?

MEMBER MARCH-LEUBA: I am.

MEMBER HALNON: Right, and it also says that, when you mentioned that the intrusive cyber security features shall only be executing when safety systems are out of service, that emphasized the word "intrusive safety." Just the one before that says non-intrusive cyber security features can be applied, and that's the self-diagnostic, self-reporting, the checksums, all those types of things that you were talking about.

So, again, if there's some clarification of language for the digital practitioner, then that's one thing. But, at least from a descriptive mode, I was following what you were saying and I saw it there.

CHAIR BROWN: Well, virus scanning when the safety systems are out of service, but it's built into the software --

MEMBER HALNON: No, it can't be.

CHAIR BROWN: Well --

MEMBER HALNON: Because it says earlier, it says you can't have -- you shouldn't do that when implementing cyber security deployment -- I mean, the implementation of cyber security features directly in the safety system should be avoided.

MEMBER MARCH-LEUBA: Yes, but, then, the next paragraph says, if you really insist, you should follow these guidelines.

CHAIR BROWN: Yes, if you really insist; that's the next --

MEMBER HALNON: Again, that's --

MEMBER MARCH-LEUBA: And the staff is telling them --

CHAIR BROWN: And then, it says, "inclusive cyber security systems."

MEMBER MARCH-LEUBA: The staff is telling them don't do it.

CHAIR BROWN: So now, I've got intrusive virus detection scanning. For instance, virus scanning systems, for example, shall only be executed when it's out of service. Well, but it's sitting there and it's got to be updated at some point. That means you've got to consciously come through and re-update it --

MEMBER MARCH-LEUBA: Uh-hum.

CHAIR BROWN: -- because a week later that software is no good anymore. It's missed the last 15 upgrades.

MEMBER HALNON: But it's outside of the safety system. So, it can't --

CHAIR BROWN: No, it's in the operating system. Yes, it's in the operating system.

MEMBER BIER: Greg, I'm wondering whether part of the kind of difference of opinion between you and Charlie can be addressed by providing more concrete examples in the places you're seeing.

MEMBER HALNON: Yes, I think you're right.

I think it's in the nomenclature language.

MEMBER BIER: Yes, you know, they have some general terms that address it.

MEMBER HALNON: Yes.

MEMBER BIER: It's maybe not as specific as Charlie would like, but it could be added. You know, it could be supplemented with just "such as" blah, blah, blah, and that might make it --

MEMBER HALNON: Yes, I agree, my language is not precise to the digital world.

MEMBER BIER: Yes.

CHAIR BROWN: The non-intrusive one, it's just you want to provide data going out somewhere for diagnostic purposes? I didn't have any problem with that. Okay? It's not really a cyber security feature. It's really more of a monitoring what I've got in there. I'm sending it out. Just as long as it's one way, I'm happy with that.

But the intrusive features when you're going to do virus scanning, that means, you know, the next day whatever virus scanning codes you've got in there is no good anymore. It's being updated constantly.

I don't know about your computer, but I know on my home computer I'm constantly seeing a little flag comes up that says, "Hey, please download this," or what have you.

MEMBER HALNON: I have a Mac. It doesn't require that.

(Laughter.)

CHAIR BROWN: Yes, well, everybody loves the Mac.

MEMBER HALNON: I guess I could see where you're going, but, again, I just want to emphasize that I'm looking at it from a descriptive point of view, and you're looking at it from a tacticianer, practitioner's point of view. So, this is why I just wanted a clarification of where you were going with it.

CHAIR BROWN: Yes, again, how we deal with that, up to this point we had not had to face that in terms of intrusive virus detection software, because the only time you would really need it was when you would be downloading a new software package. If you do not allow any -- if your control of access does not allow stuff to come in from any other source other than your controlled source, then you've put another layer of protection there and you don't have to have virus intrusive stuff.

If you have bidirectional communications going, you know, clear out to the internet for your safety system, then you've got a real problem. Okay?

That would mean you would have to have intrusive cyber security features, and you don't want that.

That's another good reason for having your unidirectional communications, because your protection, basic protection systems, they take care of themselves. They trip on their own. They do everything on their own, and the manual controls are literally manual controls.

Anyway, again, that was one of the other issues relative to what's in 7-4.3.2. And both the cyber thing as well as -- that's all under control of access.

Oh, somebody reminded me we've been going at this now for two hours and 15 minutes, almost 15 minutes.

And, oh-oh, did we just lose something?

MEMBER BIER: I think they just turned off the shared slides.

CHAIR BROWN: Oh, okay. All right.

MEMBER BIER: I think we're okay.

CHAIR BROWN: Is everybody interested in having a 15-minute break?

Okay. We will recess for 15 minutes and return at -- what time is it? I can't read that.

10:49? Make it five after 11:00.

Recessed.

(Whereupon, the above-entitled matter went off the record at 10:49 a.m. and resumed at 11:07 a.m.)

5 CHAIR BROWN: Okay, we're back in session 6 now, a couple of minutes late, but we're okay. Khoi, 7 if you would like to go ahead and proceed.

8 MR. NGUYEN: Yes, I would.

9 So for clause 5.6, this one is the newest 10 clause, was added in 2010 to provide the criteria of 11 software testing to address common cause failures in 12 program or digital devices. The staff reviewed these 13 criteria and found that these criteria are consistent 14 with the testing acceptance criteria described in 15 Section 3.1.2.A of BTP 7-19, chap 8.

16 Clause 5.17 --

17 CHAIR BROWN: No, go back. Go back to 16 18 for a minute.

19 MR. NGUYEN: Sure.

20 CHAIR BROWN: This -- I'm trying to figure 21 out which way. I'm looking at the first sentence in 22 5.16. Thought I had a note -- common cause failure 23 that I cannot -- well. I didn't have any problem with 24 the reg guide, I mean the IEEE standard. It was a 25 matter of how it's emphasized.

NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

101 1 MEMBER HALNON: Are you talking about the 2 prevention --

3 (Simultaneous speaking.)

4 CHAIR BROWN: Yeah, well, it's like the 5 use of systems has led to concerns that design errors 6 have been caused. None of the stuff you talk about --

7 design errors are going to happen. You're not going 8 to get something right.

9 How you design the software, how you write 10 it is not a design error necessarily. How you do data 11 checking is not going to fix your problem, whether you 12 have an 8-bit or 16-bit work, it doesn't -- it's not 13 going to change errors happen in analog systems. You 14 do something wrong, you've got to go fix it.

15 The issue is not design errors so much as 16 software gets corrupted, or the most it can. And 17 particularly in interrupt-driven systems it can get 18 corrupted because you're moving around. You never 19 know whether it's going to come back to the path you 20 started with if the return doesn't necessarily lead 21 you back.

22 And wash-down timers fundamentally give 23 you some help with that if a processor doesn't finish 24 its sample period and you get reset. So it was a --

25 it was software design errors that gave me a little NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

102 1 bit of pause that it's kind of the -- not the message 2 it leads to. And one of our -- one of our letters, I 3 mean, I might -- I may even have that.

4 I think we used some words in one of our 5 letters, I can't remember which one it was.

MEMBER HALNON: Charlie, can I ask a quick question while you're looking?

CHAIR BROWN: Yeah, go ahead.

MEMBER HALNON: In this section it talks about if the consequence of potential of CCF is unacceptable, a D3 analysis shall be prepared.

Isn't the D3 analysis part of the design in the system in the first place, so that you know how your defense-in-depth and diversity has to be built into the system? This is saying you take the system, you look for common cause failures, and then you do a D3 analysis if it's not acceptable. Am I getting this backwards, or is this a spaghetti thing?

MR. NGUYEN: That's the typical process.

MEMBER HALNON: That's a typical process. Okay, I took away from the previous subcommittee meetings that D3 analysis was part of the design of the system in the first place.

But I think for our designers, there was an iterative nature. Okay, it's certainly a consideration, so okay.

CHAIR BROWN: Okay, one of our letters, or at some point, I'm not remember exactly where, but we've mentioned this before. The use of software-based obviously provide a lot of benefits in terms of the operations. But the new modes of common cause failures, not design errors, but unused code.

I mean, you look at some of the platforms you used, there's a lot of code in there that does other things but you may not use it in your application when you program your application code into it.

Unintended or prohibited functions that can get buried in that type of code. Silent failures, lockup, it just doesn't come back on track. Failure to complete processing all your safety functions in the same -- with a software operating cycle.

All those -- all those things, they're not design errors, they're things that can occur just because the nature of the software and the software processing system. When your mouse stops moving, you know something's -- not -- you didn't do anything, all of a sudden it just didn't work. You clicked on something and it doesn't work.

And the primary protection against, is this my perspective, it's not the Committee perspective, this is my own perspective. In the safety systems, particularly protection and safeguards, are -- you have a robust, multi-division architecture. Architecture is not mentioned in any of these, either the reg guide or the other one.

In other words, redundancy, independence, how you process. Deterministic, you don't, but that's a better way to do it if you can. Defense-in-depth and diversity are all factors, as well as manual backup of controls for doing stuff.

And I just, to me, focusing common cause failures functionally looking at design -- design, you know, design issues, which is what's in the -- which is what's in the IEEE standard, is -- seems to be some amplification explaining that it's where you kind of counter the just thought-of design process.

I tried to look and see if the -- your writeup in 4.1 doesn't really cover all of that, that type of a water front. It's just a suggestion to think about in terms of emphasis. Do you send the wrong message that it's design errors that you're -- that you're -- which is what the IEEE standards calls out in that -- in that particular section.

So haven't figured out how I'm going to address that yet, if I even do. But it's just something to put on the table. That's -- because the function is fundamentally focused on design errors. Anyway, that's just something to think about, I wanted to bring it up since we were on that section.

If you have any comment, you can go ahead and make it. You look like you're pondering something, Eric.

MR. NGUYEN: I have some something.

CHAIR BROWN: Okay, you're not pondering, that's fine.

MR. BENNER: I'm pondering, I'm hoping that one of the people more knowledgeable than I will jump in.

MR. STATTEL: I can speak a little bit to it. This is Rich Stattel again.

CHAIR BROWN: Yeah.

MR. STATTEL: So, again when we were developing this, the term software failure was brought up. And in our discussions we came to the realization the word failure implies that it worked one day and then something happened and then the software started behaving differently.

And the reality of it is for the people in the software industry, that's -- that's not how software works, right. It can't fail, it can't wear out, it can't just behave one way one day and then something happened and it doesn't behave that way.

But it can manifest itself in a failure, right. So we essentially, we create -- we coined this term design errors, right. And then in the second paragraph, we defined the latent software fault.

So we tried to explain how a software design error can be undetected, and it kind of leads into a scenario where it appears that the software is functioning correctly one minute and then later it doesn't.

But the reality of it is the conditions that basically led to that latent failure emerging and showing up as a system failure -- so we -- this is an attempt to explain the relationship between a software design error, because they're all -- software is designed, and it's always an error when something's wrong with it. And the actual system performance, which appears more like a failure.

CHAIR BROWN: So your view of software design error is not a functional operational system need, just have something -- but yet it's programmed -- not programmed incorrectly. Or it's programmed -- that's the way --

MR. STATTEL: It's always -- it's always programmed incorrectly, right.

CHAIR BROWN: Oh, yeah, if you want something to do X and it doesn't do X.

MR. STATTEL: Right, but we -- we recognize that you can't achieve perfect software, right. So there's always some potential, and it should be minimized, that's really our guidance here, there's always some potential that there are some latent scenarios or latent errors, we'll call them, that could -- could turn out to manifest themselves as system failures or system faults if the right conditions emerge, presented.

And again -- again, the guidance is to, you know, do the best you can to avoid those errors, those design errors.

CHAIR BROWN: Okay, but you're thinking more of how the software execute type design errors as opposed to software executing a design feature and the design feature is incorrect.

MR. STATTEL: So I'm thinking you're -- you're referring to like a software requirements error.

CHAIR BROWN: Yeah.

MR. STATTEL: That just implemented the way it was called for in the requirements.

CHAIR BROWN: Yeah, or a functional operational thing you want to have happened and it's confusing. It can come out one or the other, but you don't know it.

MR. STATTEL: But in the design engineering world, that's also a design error, so. So you --

CHAIR BROWN: So you're all-encompassing in your role.

MR. STATTEL: It was just the view that we took on that. We did not want to use the term software failure because that implied --

CHAIR BROWN: Software doesn't fail, I understand.

MR. STATTEL: Right, it doesn't really fail.

CHAIR BROWN: I never liked that terminology. Okay.

MEMBER BIER: It didn't fail because it never worked in the first place, right?

MR. STATTEL: Correct, correct.

CHAIR BROWN: All right, I'd like to be so confident. All right, go ahead. Where we going --

MR. BLEY: Charlie, before you leave that one.

CHAIR BROWN: Yeah, Dennis. Go ahead.

MR. BLEY: I like what they're saying a lot. It's kind of akin to, and the first ideas on this I think came out of the Athena approach for human-involved failures, which means when the situation turns out wrong for you, people can act funny.

People have pursued this in software. I was involved with some who did, Eric Hollnagel and Steve Epstein pursued it a bit.

And our former consultant, Sergio Guarro, did provide some really nice examples in this area. He was a former consultant to NRC on this, and that work got dropped along the way. I'm not sure what happened there, but there's a pretty interesting history behind those ideas and it might be worth going back and looking at that one of these days.

CHAIR BROWN: Well, I don't have those.

MR. BLEY: You did once. I can provide it to you.

MR. STATTEL: This is also a similar perspective that Nancy Leveson, Dr. Leveson, put into her book. And essentially dispelling the notion that -- of a -- that a software can actually fail.


MR. HECHT: Software is a list of instructions. This is Myron. It doesn't fail any more than a recipe or a sheet of music fails. It's in the performance or in the implementation that failures occur. And that happens at the system level. That happens when a microprocessor or a digital device executes that software and puts out stuff that you don't expect it to.

So strictly speaking, no, software doesn't fail because it -- any more than a bad magazine article fails. But people use the term software failure to really mean system failures caused by software defects.

MR. BLEY: Well, Myron, that's -- I think that's really true today. But 20, 30 years ago, people kind of had it embedded that there was such a thing, and that, you know, you would have one failure per thousand lines of code or something like that. And but I think I agree with you.

MR. HECHT: That was one -- that was one defect, a thousand lines of codes, that's how thing used to be measured. And they're still measured that way. The defect density, but defect density you hope is correlated with software -- system reliability, the software component thereof. I won't use the term software reliability.

But you know, earlier work (inaudible), they came up with a full taxonomy of how to deal with software failures. And basically there was a defect, a triggering event leading to a processor failure. And then it leading to the execution failure. Then leading to effects on the outside.

MR. BLEY: And there's a real difference between that point of view, which kind of assumes that that defect density is proportional to system failure, and to the idea that what really happens is one of those defects is buried in a place that never gets exercised by the test program by normal operations until one day the right set of incoming conditions occurs and then you execute it and find it. Which is substantially different in likelihood.

Anyway, this is a diversion, so we probably ought to get back to the present.

MR. HECHT: Okay, I agree. But I agree with you, Dennis.

CHAIR BROWN: You all do have some words on that in the reg guide, in 4.1. I think you just add it up, so. If you -- uh, oh, we just lost him?

MR. NGUYEN: No, I think he's changing his screen.

CHAIR BROWN: That's not a slide.

MR. BENNER: Yeah, no, my -- I think Mike Eudy is trying to read all our minds and say which document we're looking at --

MR. EUDY: Yeah, I'm sorry.

MR. BENNER: Whether it's the reg guide or the presentation. I think he's done a great job. If you're okay, we can move back to the presentation.

CHAIR BROWN: We can move back to the slide. I think we'll --.

MR. NGUYEN: Okay, move on to clause 9.17. This one is a new clause, was added to provide guidance for the use of commercial digital equipment. The staff collaborated with the Division of Reactor Oversight to evaluate the discourse and concluded that the guidance in this clause is consistent with both Appendix B of 10 CFR Part 50 and 10 CFR Part 21.

These items are also consistent with the NRC-endorsed ASME NQA S-1 2015, subparts 2.7 and 2.14. Also consistent with the Electrical Power Researchers, or EPRI, Technical Report 106439, EPRI Technical Report 3002002982, which is endorsed by Reg Guide 1.164.

MEMBER HALNON: I just got to -- I think it's an administration issue. In item 3 where you say you don't -- you don't endorse Annex C but you do endorse 5.17. You go to 5.17 and it says, the first thing in there says no, go to Appendix C.

And then Appendix C further has the concept of digital delta, which is not endorsed but it's used in Appendix D, which is endorsed.

Do you see the confusion I get in the circular conversation that we're having about what's endorsed, what's not endorsed, what can I use, what I can't use? I just think that, you know, to me it was confusing to when I went through that chain of administrative ties to different sections.

So this is all in the reg guide.

MR. NGUYEN: Can you repeat the section in the reg --

MEMBER HALNON: Yeah, so in the Reg Guide No. 3 under the background, it says that Annex C has not received NRC endorsement. This reg guide endorses 5.17. So you go to 5.17 of the IEEE document, and it says, no, see Annex C. Well, you didn't endorse that.

And then you go to Annex D, which you did endorse, and it talks about the digital delta, which says go to Appendix C to figure out what that is. So --

MR. NGUYEN: Let me try this way.

MEMBER HALNON: There's not -- it's not a technical issue, it's more just administration and how confusing it is when you bring in, you know, you're either going to have to clarify that Appendix C digital delta applies to what we're talking about in Appendix D or Annex D, I'm sorry. And that 5.17 is all-inclusive, but it says go to Annex C, which you say you don't endorse.

So somehow you got to tighten that up a little bit, in my mind. Maybe I'm not reading it correctly, but that's the way I read it.

CHAIR BROWN: I would amplify that. I had -- yeah, in spades, because my notes were how can you endorse 5.17 when we've now got 1.164 and 1.250, all the commercial dedication stuff is tied up in the NEI documents and those topical reports. And how does that merge with the stuff in Annex C, which we're not endorsing for the COD stuff.

It just seems to me we've just gone through the drill of a commercial dedication process. And why even endorse 5.17? You really ought to just endorse for commercial dedication the reg guides and documentation that we already have in place and not refer to Annex C.

MEMBER HALNON: Which it does list. The endorsement of 5.17 adds in this circular conversation about --

CHAIR BROWN: Yeah, but the stuff we've endorsed, the reg guides we've put out -- exactly. They come -- it says further guidance for commercial is in all these documents. Well, why bother with 5.17? It just confuses things.

MEMBER HALNON: And --

CHAIR BROWN: The circular references back to Annex C.

MEMBER HALNON: The majority of Annex C is verbiage out of a reg -- I mean a generic letter. So it's you don't endorse their generic letter on. It's just a --

CHAIR BROWN: Well, did you read all of -- did you read all of 5.17? There's four -- there's four, five, six, six pages all tied up under use of commercial equipment.

MEMBER HALNON: Yeah.

CHAIR BROWN: In 5.17. Well, do those apply, or is it the topical reports and 1.164 and 1.250? I got -- there was no way in the time to go back --

MEMBER HALNON: Well, it gets to the spaghetti thing that we talked about earlier.


CHAIR BROWN: Yeah.

MEMBER HALNON: That's getting worked out.

CHAIR BROWN: This isn't spaghetti, this is a humongous lasagna of spaghetti.

MR. NGUYEN: Yeah, we recognize the spaghetti problem. We have many guidance on the same topics. However, we look at the -- in the different angle to see whether this guidance is endorsable or if it doesn't, we'll, you know, make the exception.

In this case, we say it's not perfect but it's one way, one approach acceptable for staff to review. But does, you know, applicant or licensee to use or Reg Guide 1.250 and Reg Guide 1.164 you mentioned as another method.

CHAIR BROWN: Why go to all the effort of having 1.164 and -- we spent humongous amounts of time doing -- going back through those topical reports and the NEI guidance and 1.250. And now we say, oh, well, here's another thing. IEEE put out this thing, and that looks okay also. I just, this is just incongruent to me.

And I hadn't -- I know what I would be recommending, but I'm not going to say it here in the meeting. But it seems to me that that whole thing ought to be just canned and just say we're not endorsing Annex C and we're -- 5.17 is not endorsed either.

MEMBER HALNON: It would suffice to me if you just eliminate my confusion, however that may be.

CHAIR BROWN: Well, I hated to do all that work and review all that stuff just to come back and say hey, there's this -- why didn't you all just instead of going through 1.250, why didn't we just come off here with IEEE 7-4.3.2 5.17. If that's good enough, why not? We shouldn't have two ways of doing it, that's all I'm saying.

MR. NGUYEN: For your information also, when this reg guide was developed, Reg Guide 1.250 still under development. So --

CHAIR BROWN: Well, we'll give you a suggestion then.

MR. NGUYEN: So just for the information, I'm not saying that what you're saying is wrong, but --

CHAIR BROWN: I got that. I'm not accusing anybody of malfeasance. It's probably the case since we just wrote the letter on that several months ago.

MEMBER BIER: I wonder if part of the problem with the spaghetti of referring to different reg guides is the desire to keep options open for industry if, you know, in year X we said a certain method was endorsed, that somebody may have gone forward with that and we don't want to now change and say hey, somebody else came out with a better way, no, just got to do that.

Is that part of what's driving the complication, or just not having the time and budget to go through and clean up all the different reg guides?

MR. BENNER: Well, this Eric Benner. So I think that's an element of it. Member Brown said there shouldn't be two ways, and I would push back on that. There should be as many as there -- that are acceptable. So we, you know, we did a heavy lift on the Reg Guide 1.250 to -- for a new way.

We're not -- we're not removing this way, so I mean, it's as simple as that. I think we can certainly go back, and regarding the clarification to make sure, you know, to the reader that we don't -- we're not creating confusion by, like you say, endorsing 5.17, explicitly saying we're not endorsing Annex C.

I can see how, well, what's that mean, right. So we'll go back and look at that.


CHAIR BROWN: Well, we had a recommendation in our letter that said, hey, if you're going to go endorse commercial equipment and this to certify with, that you have to make sure whatever you're going to be certifying is capable of incorporating. And you all -- requirements that are in the other reg guides that deal we with when we're doing it.

And you all did that. You prepared a paragraph, it came out just fine, okay. That's not in here. So do we need to now modify your reg guide to go put that information in, along with your statement on 5.17?

Because it's another caveat relative to -- because we were -- we were pretty focused on trying to make sure that whatever commercial stuff gets out, it's going to be able to be functionally utilized by the applicants for -- and meet the other requirements that we have.

This doesn't address that issue. It's just hey, we'll dedicate this stuff and find out it works and do some hazard analysis and everybody's going to walk away happy.

And the confusion is the spaghetti approach, we don't endorse the Annex, 5.17 we do endorse. But then we throw all the other stuff in, here's some more information to allow you to go dedicate. Well, is it a mish-mash, do they have to blend them? It's just --

MR. BENNER: And they certainly don't have to blend it with Reg Guide 1.250, because that was a discrete way for using civil certifications in your commercial grade dedication programs. Now, the interface between this and just the overall reg guide on commercial grade dedication programs, there clearly is overlap between those two.

CHAIR BROWN: This did not get as much overview on the commercial dedication.

MR. NGUYEN: Also -- sorry.

CHAIR BROWN: Go ahead, no, go ahead, Khoi.

MR. NGUYEN: So I would like to point out that when Reg Guide 1.250 applied to both analog and digital. This clause specifically prepared for our program for digital device and had some good criteria for the digital devices. So, and we couldn't find anything that not acceptable to endorse.

And again, we are not trying to say that this, you know, the endorsement of this have to be working in conjunction with all the reg guides. No, this is one way to -- one approach to meet the regulation for a programmable digital device.

And we also reference to Reg Guide 1.250 for commercial grade dedication for more information. But I don't know. We may need to clarify the reference.

And I see in clause 5.17 to the -- not make, you know, the confusion that why we're not endorsing. And I see endorsed -- and we endorse cross and the cross-reference. And I see -- so we will make that clarification.

CHAIR BROWN: Well, I'm not sure how our phraseology is going to come out in the letter, so we'll see if we -- how we deal with that.

MR. BENNER: I think we understand the concern expressed by the members.

MR. NGUYEN: Think we move on?

CHAIR BROWN: Yes.

MS. ANTONESCU: Member Brown, we have -- we have Greg Galletti from the Reactor Oversight and Quality Assurance and Vendor Inspection. He had his hand up.

CHAIR BROWN: Oh, I didn't see the -- I didn't see the hand up.

MR. GALLETTI: No problem. Greg Galletti with the Quality Assurance Vendor Inspection Branch. Actually, during the discussions, my thought had been captured, so I actually put my hand down. But I do understand the conversation that you've provided and will certainly take a look into that.

CHAIR BROWN: This is on 5.17?

MR. GALLETTI: Yes.

CHAIR BROWN: Annex to the discussion we just had, right?

MR. GALLETTI: Yes, correct.

CHAIR BROWN: Okay, all right, thank you.

MR. NGUYEN: All right, clause 5.18. This clause was added to clarify the concept of the simplicity and complexity. It doesn't provide any guidance except for the clarification for those two terms. Any question on this slide?

CHAIR BROWN: The simpler the better, right? Pardon.

MEMBER HALNON: Thus the ALARA of the digital world.

CHAIR BROWN: There's no such thing as simple in the digital world.

MEMBER HALNON: As simple as reasonably achievable.

MR. NGUYEN: Now we move to next slide, slide 13. This slide and the next slide that cover, you know, what we already discussed while the meeting, you know, the direction from the Commission to revise two reg guides, 1.152 and 5.71.

So if you're not opposing, I can skip these two slides. Okay.

CHAIR BROWN: Go to the next slide.

MR. NGUYEN: Yeah, that's a paragraph into the -- into the reg guide, and you --

CHAIR BROWN: This is the one I suggested that we add some --

MR. NGUYEN: Right, and we're already talking about.

CHAIR BROWN: Some words similar to the wash-down timer words for application.

MR. NGUYEN: So we can skip to slide 15. This slide provides the mapping between the regulation and the guidance. 10 CFR 50, Part 50.55(A)(h) requires that the protection system for nuclear power plants meet the requirement of IEEE Standard 279 and 603 and the correction sheet depending the licensing basis of the plant for safety systems using digital programmable computers, 603, 1991 reference 742, 1982 for guidance for meeting the requirements.

So the mapping between the regulation from the top to on the left was a guidance that endorsing the IEEE. So this is very straightforward.

Any question on this?

CHAIR BROWN: I'll tell you in a minute. I've lost the page. Oh, no, that's, yeah. Anybody else have any comment on this particular slide? No? I don't.

MR. NGUYEN: All right, we're on slide 16. We already discussed about the incorporation of the SEO, the guidance from EPRI of the reg guide to 2016 version of 742. So for this proposed revision of the reg guide, we removed -- that's SDOE guidance.

CHAIR BROWN: Now go -- this reminded me of one. Go back to slide -- no, that one, go ahead. I just meant I might have gotten lost here. Slide 16 is what I'm -- that's different than the slide 16. Somewhere I called up -- they called up the wrong set of slides. How many total slides do you have?

MR. NGUYEN: Twenty, twenty-two.

CHAIR BROWN: I got 28.

MEMBER HALNON: Did you make your own slides, Charlie?

CHAIR BROWN: No, it was an earlier version, and there was another set that came out. And obviously open for the purpose of this discussion.


MEMBER HALNON: On our SharePoint there's this one I opened up.

CHAIR BROWN: Yeah, I downloaded it, it's just a matter of whether I deleted the other one. Bear with me while I struggle here.

MR. NGUYEN: Is that the same slides we sent you on Monday?

CHAIR BROWN: I think I got a set earlier.

MR. NGUYEN: I don't know if we ever send you earlier. I don't know.

MS. ANTONESCU: Yeah, I don't remember sending an earlier version.

CHAIR BROWN: No, I'm looking at a set of slides that had 28 in that says for this meeting.

MEMBER HALNON: Go to the SharePoint and pull up the new one.

CHAIR BROWN: All I got to do is find my file. I downloaded, I'm just going back to my file right now, from the Subcommittee meeting. Going to SharePoint I'll lose everything.

I had a draft from 11/3, it opened this other one up. This one is 22 slides. Is that the right one? I'll close the other one. Not going to change what I need to do. Accept.

I'm glad I had the other slides up because (inaudible) had a large discussion that was pretty decent on diversity, which was deleted completely. And I've moved to Rev 4, that rev be open right now.

MR. NGUYEN: Which section on Rev 3 are you talking?

CHAIR BROWN: It was in the discussion. I think it was in the discussion.

MR. NGUYEN: When we developed this new revision, we structured the discussion section to what, you know, basically what the change we incorporated in the new revision. We're not go back to the previous version discussion to copy it over. I thought you were talking a guidance, but.

CHAIR BROWN: I'm in the -- I'm in the guidance.

MR. NGUYEN: Yeah, but you're talking about Section B, right, discussion?

CHAIR BROWN: I think I'm in the background section. You kept one part of it and then you deleted the rest.

MR. NGUYEN: We typically -- normally we don't copy the discussion from one revision to the other. We structure to matching the content of the new revision.

CHAIR BROWN: There was a section in there that talked about with the introduction of digital systems, concerns have emerged about the possibility of design errors, etc., etc. The design techniques of functional diversity, design diversity, diversity in operation within the four echelons of defense, etc. Actuation control, on and on and on.

Then it went on to the justification for equipment diversity or the diversity related to software such as real-time systems, etc., etc. All that was deleted from Rev -- it wasn't deleted. Rev 3 had it, you did not move it to Rev 4. That was on page 3 of the reg guide.

So that -- I looked through the rest just to see where there was a discussion, it was almost like diversity disappeared from the realm of usefulness on the common cause failure world. That was the -- that was the problem I had. It didn't seem like to be a good idea to me to throw diversity out with the baby or the bathwater.

I'm not hearing anything.

21 MR. NGUYEN: I already told you that we're 22 not copying you know the --

23 CHAIR BROWN: I know you don't, but 24 there's -- well, you copied a lot of it. A lot of Rev 25 3, I mapped Rev 3 into Rev 4, and you duplicated a lot NEAL R. GROSS COURT REPORTERS AND TRANSCRIBERS 1716 14th STREET, N.W., SUITE 200 (202) 234-4433 WASHINGTON, D.C. 20009-4309 www.nealrgross.com

128 1 of the stuff from Rev into Rev 4. So the point that 2 you don't copy stuff over is not correct. You 3 reworded some of the stuff, but fundamentally the idea 4 was there. So that was --

MR. NGUYEN: If the discussion support the guidance we provide, then yes, we will have it. But for common cause failure, we basically referenced to BTP 7-19. So if we are talking about some diversity in the discussion section and --

CHAIR BROWN: I'm sorry, it was on page 2, 2 and 3, 2 and 3.

MR. NGUYEN: Yeah, and the last section on the common cause failure we don't say a thing about diversity. I think that is awkward.

CHAIR BROWN: I'm trying to remember whether -- where diversity's even used in the reg guide. I don't remember. I thought I key worded that at one time in Rev 4. Am I correct?

MR. STATTEL: There's an annex problem.

CHAIR BROWN: Pardon?

MR. STATTEL: There's an annex.

CHAIR BROWN: But it wasn't endorsed.

MR. STATTEL: Correct.

CHAIR BROWN: That part I didn't understand. Diversity seems to have -- it's not endorsed. It's not even discussed. And I, it just seems to me that that doesn't go in the direction that we ought to be going. So completely divorce ourselves is almost like the way to help on common cause stuff is not diversity. It's anything else you can think about but not diversity.

And I know we've got thoughts in the mill people would like to not have as much diversity. It's a different issue. But the reg guide, it's -- that should be settled in a different way rather than just have it disappear from the reg guide.

MR. NGUYEN: No, no, you're talking about the spaghetti. The purpose of this reg guide is not provide the specific guidance on the common cause failure because we have BTP 7-19 address it. So if you must see the guidance by including the discussion of diversity for common cause failure and not providing the actual guidance, I don't think that's a good idea.

CHAIR BROWN: Well, we had BTP 7-19 before and we had Rev 3 before. It didn't seem to cause a difficulty to -- because that -- I mean, you've got the -- you've got common cause failures all wrapped up in this IEEE standard.

You've got common cause failures mentioned in your reg guide. And there is, with that -- what you're telling me is you ought not even bother to have a section on common cause failures in here because we'll address it under BTP 7-19. And that doesn't seem to compute.

MR. NGUYEN: Yeah, that BTP 7-19 is eight levers compared to the previous version that, you know.

CHAIR BROWN: I know, we reviewed that.

MR. NGUYEN: Right. I'm talking about Rev 3, and the Rev 3 BTP 7-19 is a different animal. And I'm sorry, I didn't prepare the Revision 3 of the reg guides. And I don't have to, you know, repeat what I don't agree on.

MEMBER PETTI: Doesn't this sort of agree with your idea if you keep all aspects of digital I&C in all the reg guides, it's a huge problem to try to make sure it's always consistent.

The fact that it sits over in another document, it seems to me it unravels the spaghetti somewhat, if you will. It makes it cleaner and helps as you're going to -- as you're trying to align everything.

CHAIR BROWN: I'm sorry, Steve. Go ahead.

MR. STATTEL: Well, it can if it's clear, but that's what we were talking about earlier. If it's properly cross-referenced. In the Rev 4 here, it appears in the Section 4.2 and it does mention common cause failure and diversity and refers to the branch technical position. But that's the -- that's the extent of it.

As Charlie's saying, there was a much, much larger discussion in Rev 3. Now it just appears as reference to the other documents, which is a good thing. But it has to be clear in both places.

MEMBER HALNON: It repeats that same reference in Item 2, you know, where it's talking about Annex A, Annex B endorsement, that Annex B is not endorsed but go to BTP 7-19. And it also references NUREG 800 for defense-in-depth and diversity. So --

CHAIR BROWN: It references what?

MEMBER HALNON: NUREG 0800.

CHAIR BROWN: Oh, NUREG.

MEMBER HALNON: Which is, again, repeats BTP 7-19. So I didn't have an issue with it. And I mean, I went through and just searched on diversity and it seems to show up appropriately throughout. But I did not go back to Rev 3, Charlie, and read to see it everything I expected was in diversity. Hit that pretty hard under that last Subcommittee meeting.

CHAIR BROWN: Yeah. You said it's -- you see it in Rev 4, where?

MEMBER HALNON: Page 2.

CHAIR BROWN: The only place I saw was on page 2 where they --

MEMBER HALNON: Page 2.

(Simultaneous speaking.)

CHAIR BROWN: -- related guidance.

MEMBER HALNON: Page 5. Under number 2 on page 5. And on page 11.

CHAIR BROWN: Again that's under -- it's not endorsed.

MEMBER HALNON: It goes on --

MEMBER MARCH-LEUBA: I think V is not endorsed but criticality --

MEMBER HALNON: It goes on into the reference.

MR. NGUYEN: Yeah, he's talking about BTP 7-19.

MEMBER HALNON: Right. And then I'm --

CHAIR BROWN: I guess my difficulty with that is we discussed the annexes, which aren't endorsed. And then we say oh, by the way --

MEMBER HALNON: Well, look page 11, 10 and 11.

CHAIR BROWN: That's where I'm going next.

That's where the --

MEMBER HALNON: Common cause failure is listed and it talks about 4.2 is specifically on diversity.

CHAIR BROWN: Okay, all right. I yield.

My eyeballs started falling apart after trying to collate four different documents.

MEMBER HALNON: I don't blame you, yeah.

It's a lot of stuff.

MR. NGUYEN: So are we on?

CHAIR BROWN: Yeah, you're okay on that.

Let me make sure I make a note of that so I don't spin my wheels. Okay, go ahead then.

MR. NGUYEN: We continue on slide 16. So the endorsement, including additional guidance for protection and seal diagnostics if used in the digital I&C system. The guidance and clarification for control access, we already talk about this. And endorsement of Annex D, which I will cover more -- in more detail later. Next slide, slide 17.

So the first stop decision, 1.B(1), we're talking about the endorsement of Annex D. So the NRC has worked closely with the IEEE working groups to enhance the hazard analysis guidance in Annex D. And the 2016 version of the 742 updated Annex D in part to implement the NRC staff feedback related to the IEEE hazard analysis guidance.

The NRR staff collaborated with the Office of Research via the research -- a system request to assess whether Annex D support an adequate technical basis for establishing consistently all of the written guidance for licensee and applicant in the use of the new hazard analysis technique as an additional means for demonstrating set date.

So this draft guide endorse Annex D with clarification to provide technical basis for applying and evaluating the hazard analysis in supporting the set date demonstration. Next slide, slide 18.

For system interpret the criteria, this draft guide clarify my -- I think the guidance for seal diagnostic if used in the digital I&C system.

This guidance is consistent with BTP 7-17 guidance for -- guidance on seal test and surveillance test provision.

Also this proposed revision of this reg guide for the first time officially consider crediting seal diagnostic to either reduce or eliminate the channel operability test, provided certain criteria are met. Currently, crediting seal diagnostic for surveillance requirement review and approve on the case-by-case basis.

The NRC staff worked closely with IEEE working group to enhance the IEEE seal diagnostic guidance with the industry enhanced guidance. And the staff reviews licensing successes in approving these type of request. Considering the credit for seal diagnostic would enhance efficiency and effectiveness of the staff licensing reviews.

The staff also clarified clause 5.6 by including the SE-4 guidance. That has not been incorporated by 742, including software instruction, error checking, point-to-point data communication and data capacity.

Any question on this slide?

CHAIR BROWN: Yes. Now I can't find where I -- I don't disagree necessarily. One place I read this and whether it was is this -- it might have been in the IEEE standard. They listed a bunch of stuff that said in addition to what you listed for not having to do operability test. One of the line items was you do 100% testing. And is that in the IEEE standard?

MR. NGUYEN: No, but we decided not to include that as a clarification --

(Simultaneous speaking.)

CHAIR BROWN: Yes, I noticed, I noticed that. And, I don't, I'm not disagreeing with that.

MR. NGUYEN: Yes, I.

CHAIR BROWN: There was a list of four or five items in order to be able to discredit. Now I'm trying to, I read all of them.

MR. NGUYEN: Yes, there are few item I didn't describe that we didn't, we didn't include it because either it's not necessary, or it's not practical.

Unnecessary like the 10 CFR 50.49 environment requirements that we don't need to include it into.

I mean the IC 4 has it, but the standard didn't, and I don't think we, that we need to because safety related equipment automatically required to meet 10 CFR 50.49. So it's a redundant thing to list it in there.

For the 100 percent testing requirement, there's no way you can test the software 100 percent unless you only have two or three IOs. That's doable.

CHAIR BROWN: No, I'm not disagreeing, it's just that, oh, here it is. Yes, it's in section 5.16 of the 7-4.3.2, which is --

MR. NGUYEN: I'm sorry, it's 5.16?

CHAIR BROWN: Yes, common cause failures, and it says PPDD is not considered susceptible to CDF, if the PDD is shown to be deterministic in performance documentation of all functional states, and all transitions between states in its testable base, testing every possible combination of inputs.

So that, is that still in play? You don't take that away in the Reg Guide? It's just this was inconsistent to me with the, what number are we on?

Which point? System integrity?

MR. NGUYEN: You mean independent, right?

CHAIR BROWN: Yes, it's 1.2.3 about self-diagnostics should be credited. Or operational tests.

This says it can be discounted that be susceptible to CCF. I presume this is still in play, then? You didn't negate that in the Reg Guide? Page 36, 5.16.

And it says, testing every possible combination for PDDs that include analogue testing of every combination of input. Testing every possible executable logic path, including non-sequential.

This is a huge, huge leap to do that. And yet over here we talk about self-diagnostics being able to be credited to not perform periodic tests.

MR. NGUYEN: I think we talking about two different tests here.

CHAIR BROWN: Maybe we are. I just --

(Simultaneous speaking.)

MR. NGUYEN: Right.

CHAIR BROWN: -- one it seems is targeted at can't, you can't prove you're not susceptible to a CCF, which is virtually impossible to meet.

The other one has a set of categories, it says if you, your self-diagnostics test gets you enough information, then you don't have to come through and do manual operational tests.

So I presume that means manual operational tests to make sure you're working correctly.

MR. NGUYEN: Right. That's a different test than the one that you talking about that's section 5.16. That's what the test, software testing for the design face.

CHAIR BROWN: I did. The channel operability test the way you, that means manual?

MR. NGUYEN: Manual, yes. That applies to --

(Simultaneous speaking.)

CHAIR BROWN: You really ought to say manual. It's not clear what that means. With my old job, that doesn't necessarily have to be manual, depending on what you're doing.

Anyway, all right, is they're different.

I was conflating the two.

MR. NGUYEN: Yes, they are two different --

(Simultaneous speaking.)

CHAIR BROWN: All right.

MR. NGUYEN: -- type of test. Not the same.

CHAIR BROWN: Back to the slide.

MR. NGUYEN: Okay, we now on slide 19. No further control access.

We already talk about this, so I don't want to, you know.

CHAIR BROWN: Go back to 16 again, or 18 again. Just I want to make sure I understand the second one.

Staff position 1(b)(2) is independence.

MR. NGUYEN: Yes, we already talk about this and --

(Simultaneous speaking.)

CHAIR BROWN: Let me finish.

MR. NGUYEN: Okay.

CHAIR BROWN: That includes the self, and the self-diagnostics is also covered under that? No, that's under --

(Simultaneous speaking.)

MR. NGUYEN: No, no.

CHAIR BROWN: -- that's 1(b)(1)?

MR. NGUYEN: Right. That's a different section.

CHAIR BROWN: Oh, okay. No, no, that's fine. All right, I've got okay's written all the way down the page. Just getting my pages in order again.

Okay, go ahead.

MR. NGUYEN: So, on slide 19 we already discuss the extensively on the control access so I'm not going to cover it.

On the contrary, also we talk about this.

We, the proposed revision of this Reg Guide simply is this reference to BTP 7-19 for common cause failure guidance.

CHAIR BROWN: That's 1(b)(4), right?

(No audible response.)

CHAIR BROWN: Five pages back. Got it.

MR. NGUYEN: Any question on this one, this slide?

CHAIR BROWN: Anybody else?

(No audible response.)

CHAIR BROWN: Okay.

MR. NGUYEN: All right.

So for summary, Reg Guide 1152 is one of the primary Reg Guides used by applicants and the licensee manners in the development of digital ANC license application. Reactor certification, and this is the ANC topical reports.

Updating this Reg Guide is considered a high priority based on recent, recent licensing experience.

And, in direction with the stakeholders that contributed to the update of the 2016 version of 742.

Next slide.

So the staff proposed the revision of the Reg Guide 1152, to update information and guidance in the area of the functionality, reliability, desired quality, and SDOE for programmable digital devices in the safety-related systems of a nuclear power plant, to support NRC guidance and review of practices to ensure that the guidance in these areas is current, and consistent with the staff position.

First, it has the efficiency and effectiveness of the licensee review.

That will conclude my presentation.

CHAIR BROWN: Any other?

MEMBER MARCH-LEUBA: Overall, my concerns earlier.

CHAIR BROWN: Okay. Okay, Eric did you have any notes about what you think you're walking away with, or do you just want me to surprise you?

MR. BENNER: I think Khoi was taking better notes as to the things we're, we're going to look at.

So we can either listen to your list, or we can just go through our list.

CHAIR BROWN: It's not extensive. It's just --

(Simultaneous speaking.)

MR. BENNER: Yes.

CHAIR BROWN: -- I'm trying to integrate a lot of stuff we resolved in the conversation.

MR. BENNER: Uh huh.

CHAIR BROWN: I may not remember that for long, but I can also go back in the transcript and figure out that --

(Simultaneous speaking.)

MR. BENNER: No, I think Khoi can just list the issues that we said we were going to go back and --

(Simultaneous speaking.)

CHAIR BROWN: Well, I'll give you what --

MR. BENNER: Okay, okay.

CHAIR BROWN: -- I've got.

MR. BENNER: Okay.

CHAIR BROWN: No, go ahead and give me what you've got, and then that way --

MR. BENNER: You'll correct the record.

CHAIR BROWN: Well, you might say that. I wasn't going to phrase it quite that way.

MR. NGUYEN: All right, let me try.

So in Section 3.3, there's reference to the design specification for --

(Simultaneous speaking.)

CHAIR BROWN: A mention watch dog, something similar to the watch dog.

MR. NGUYEN: Yes, we will consider to include the language similar to the watch dog.

CHAIR BROWN: Yes.

MR. NGUYEN: For example --

(Simultaneous speaking.)

CHAIR BROWN: Make it positive language.

So not, don't --

MR. BENNER: Yes, an example regarding --

CHAIR BROWN: Yes --

MR. BENNER: -- unidirectional communications.

CHAIR BROWN: -- this is a method we would consider acceptable. Kind of the same words. It ought to be a positive, not a if you try to slip it by us we may accept it type language.

MR. NGUYEN: So how you read this concern from 1 to 10?

CHAIR BROWN: What, which one?

MR. NGUYEN: The first one.

MR. BENNER: Eleven, Khoi. It's an 11 on a scale of 1 to 10.

MR. NGUYEN: No, yes, so I would do that first, you know? Which one is the most important I will do it first.

MEMBER HALNON: If 1 is important, 10 is not, and everything's a 5.

MR. NGUYEN: Okay.

So the next one, I don't know if this a concern but there were question on roadmap of ICO-4, for the end user, how the user, the guidance for it.

But that probably is in a question --

(Simultaneous speaking.)

CHAIR BROWN: I don't remember talking about that one.

MR. NGUYEN: Oh, then forget about it.

CHAIR BROWN: Somebody brought that up.

MR. BENNER: Yes, I think that was Danner.

I wouldn't call that an issue for this Reg Guide, but at some point, a communication between the staff and the committee about how all this fits together --

(Simultaneous speaking.)

CHAIR BROWN: When are you going to retire, is kind of his question.

Did we get all, are we going to be able to retire ISG-4 because you've captured everything.

MR. BENNER: Yes, and the short answer is no, because it also has to populate to the staff guidance and the standard review plan.

CHAIR BROWN: Yes.

MEMBER HALNON: Eric, we had similar conversations with the Source Term Group, you know, and they effectively built the roadmap on a website and some documents so that you might look at what they did, and that could be, you know, inform what you do first.

MR. BENNER: Okay, thank you.

MR. NGUYEN: But that wouldn't be the action item for this right?

CHAIR BROWN: No.

MR. NGUYEN: This is the --

(Simultaneous speaking.)

MR. BENNER: No, this was just we need to understand the roadmap of how you get from, you know, a blank sheet of paper to a design.

And, understand where you guys as a staff review, and what guidance is being given and that sort of thing.

The whole, you know, aspect of it so that we understand how we get from A to B.

MR. NGUYEN: Okay, thank you.

So the next item would be the concern on the wireless capable device.

So we need to clarify the wireless capable device use for NTE must be controlled by some process that makes sure that the device is not caught, not become the pathway for virus, blah blah blah.

CHAIR BROWN: Yes. I'm not trying to dictate that it's just we ought to, right now it just kind of implies abstract but if you --

(Simultaneous speaking.)

MR. BENNER: Yes, we'll look at that factor in the language.

CHAIR BROWN: Yes.

MR. BENNER: And I definitely want to --

(Simultaneous speaking.)

CHAIR BROWN: I understand definitely what Rich was talking about why it's there. I don't disagree with the comments.

MR. BENNER: We'll want to look at the whole body of the language in there, to see what maybe there are changes versus integration, so.

CHAIR BROWN: Okay, next one?

MR. NGUYEN: The next one the same language used for Section 3.3, you want to incorporate in Section 5.9 control access.

CHAIR BROWN: Well, you already mentioned that one.

MR. NGUYEN: Yes, but you say in two places.

CHAIR BROWN: Yes, well it's taken from 3.3 something similar in whatever the paragraph. But what was it, 3, no take it from the watch dog time repair graph and put it in 3.3, something similar.

I don't know where that was. That was back in --

(Simultaneous speaking.)

MR. NGUYEN: 5.9.

CHAIR BROWN: 5.9. Was that in the --

MR. NGUYEN: In the --

(Simultaneous speaking.)

CHAIR BROWN: That's in the Reg Guide?

MR. NGUYEN: -- the Reg Guide.

CHAIR BROWN: Yes.

MEMBER MARCH-LEUBA: 5.9 is controlled by the, I'm sorry, Section --

(Simultaneous speaking.)

MR. NGUYEN: 3.1.3.1.

CHAIR BROWN: Yes, 1.2.1. That's where the watch dog timer words were. That's back, that's the same issue you mentioned before, okay?

Do you have another one written down, or is that it?

MS. LAWSON-JENKINS: You wanted a new section 5. --

(Simultaneous speaking.)

MR. NGUYEN: You don't have any more as I was talking.

CHAIR BROWN: Oh, yes, the 5.9 trying to get into --

(Simultaneous speaking.)

CHAIR BROWN: -- try to highlight that in 7-4.3.2 just the physical security, and then it has a whole bunch of stuff.

The real point now when you've introduced computers and it is now not just physical, it's electronic access.

So there ought to be something, change, I don't care whether you change the title whatever you write up in here that says hey, to clarify this means electronic control.

Because you can't change the IEEE standard. That's the way it is. But just a clarification that 5.9 --

(Simultaneous speaking.)

MR. NGUYEN: Should be supplement with.

CHAIR BROWN: -- 1.2.1 or something, and make it physical security.

And now it introduces electronic control, electronic access, which is a vulnerability due to the computer systems.

Just to highlight it, and then to have some discussion about what that means. That's all.

Doesn't have to be extensive, just how you deal with it, okay?

And, then is that it or you've got another one?

MR. NGUYEN: One more. We will clarify clause 5.17.

MR. BENNER: Yes, all things commercial grade dedication, I think.

CHAIR BROWN: That's the --

(Simultaneous speaking.)

MR. BENNER: I think we'll take a fresh look at.

(Simultaneous speaking.)

MR. NGUYEN: That's incorporated by reference.

MR. BENNER: Annex C, Annex D.

MR. NGUYEN: Yes, Annex C, and so that's the last one I have.

MEMBER HALNON: I just had one other thing I feel compelled to ask Charlie to just mention, that you guys said you're going to try and tighten the window between revisions.

Not a recommendation or anything, just a statement that we recognize that this was seven years and, you know, the present process looks like it will tighten that to be more contemporary, or something to that effect.

But just didn't want you to, I didn't want to lose that point because I think it's in the regulatory world, seven years doesn't seem long, but it actually is.

In a digital world, there's a lot of developments between now and then.

CHAIR BROWN: That would be good to go up if you did anything, up in the purpose of the Reg Guide would be a good place to say that.

I was just trying to think about --

(Simultaneous speaking.)

MEMBER HALNON: I just wanted to acknowledge in letter that we talked about it.

CHAIR BROWN: If you want to give me something?

MEMBER HALNON: Yes, I'll give it to you.

Staff recognizes it and then, you know, agrees that it's going to get, going to get better.

MR. BENNER: Yes, the committee's going to do what it's going to do. I don't know if we would put that in the Reg Guide itself because that's, the Reg Guide is the product.

MEMBER HALNON: I agree.

MR. BENNER: But the comment is about the overall process and framework.

MEMBER HALNON: Yes.

CHAIR BROWN: We'll try to take --

(Simultaneous speaking.)

MEMBER HALNON: I'll just give you a sentence or two.

CHAIR BROWN: Okay, something to try to reflect what his thought process is.

I had one other item. The way I've got it written is Annex C you've got that covered, the 5.17 the wireless points.

Hopefully we can get the transcript to you so you, we went through a lot of discussions.

The 3.3 with the watch dog timer words similar to and the 1.2.1 where you pull them out of there, and then something similar for the cyber paragraph, which was back I think in 3.3.

And the last item I had is that, and a good place to do this in the Reg Guide. I'm big on preambles and highlighting what you're trying to do, like the background type stuff.

You go from the regulation paragraph in the beginning where you cite every regulation in the world in the 10, 279 this, that and the other thing in the 10 CFR stuff.

Then you talk about the working group integrating that stuff in. Then you get leap right into INC that use PDDs, adopt advanced technology, et cetera, et cetera, et cetera.

A lead in to this, that paragraph to me is we don't talk about architectures. The application of these devices and then architecture that is, meets the fundamental design principles, is what's critical in all of this stuff. We keep doing it every time.

This is an ideal place because this is the devices that you're using, and how they're incorporated and integrated into an architecture that is, you know, robust, multi-divisional meets the design independence redundancy determinant, whatever, whatever the words are.

I'll probably say something in the letter relative to that, and then leads in to that paragraph, and that how that provides protection in this world from a lot of different problems that you can cover in CCF world.

And then all the rest of it flows because now it's sort of categorized hey, we've got a new world. Computers, they do things. Introduce new problems. Robust system takes cares of some of those, a lot of those, not all but a lot of them.

In my opinion, it takes care of a huge amount of them if you maintain independence strictly, asynchronous operation not just within the devices internally to each channel, but also between divisions, that, that robust architecture is valuable.

And we really need to, you know, I'm looking for the right word. Propagate that into the standard so that people understand what's going on, is a good reference.

3 So I'll probably ask, I'll try to provide 4 something as an example, but you guys can point you on 5 whatever you want to do.

6 Other than that, any other opinions 7 relative to the, that you want to voice? I haven't 8 gone out to public comment yet.

9 MEMBER BIER: I just want to express that 10 I thought this was a super constructive meeting on all 11 sides.

12 That you know, you guys seem to have 13 understood where we were coming from, and we 14 understood what you're constraints were.

15 And it's really nice to see such a 16 contentious issue suddenly, you know, kind of I don't 17 know what you're going to end up writing of course, 18 but you know, the idea that it could be resolved to 19 like everybody's satisfaction is just really nice.

20 And I appreciate the process and the pain 21 and suffering it took to get to this point. So.

CHAIR BROWN: I appreciate that reflection.

And just to communicate, one of the problems that we have is when we review stuff, we have to look at it in a complex system, from a top level down.

There's no way when we, and we have to come away satisfied that major concerns and potential problems are addressed.

Without digging down into infinite weeds like those reflected in spades in the IEEE standard.

I mean I did go through it. I compared it with the 2000 or whatever the last one was that was referenced, which I think was 2003 in the Reg Guide, Rev. 3.

So I did a mapping back and forth. The new one is a lot better than the old one. Okay, there, it was definitely Rich, you guys did a good job. Did you hear me? Wake up.

You guys did a good job on the 16 version.

There's a lot of good stuff. The working, however they came out of this with the working group, it came out I think, pretty, pretty good.

MR. STATTEL: Thank you.

CHAIR BROWN: And, I think you guys should get some kudos for that. That was not an easy task, particularly in an international. Was that international, or was that just U.S.-based?

MR. STATTEL: We did have some international representatives.

CHAIR BROWN: You did, okay.

I'm just we're just trying to get to the point where we make these reviews easy, and we make, and ensure that the applicant get on with his business and get this stuff included, incorporated into the plans.

Because it's a significant improvement in overall performance with these systems, IC analogue systems.

So, you know where our focus, you know where my focus is by now after 14 years, and that's managed to work with the committee. They've accepted my conclusions if I say it looks okay, they kind of say it's okay.

And so and if you look at the last SHINE, if you look at NuScale, if you look at APR 1400, we blitzed through those.

ESPWR 14 years ago was like sucking blood out of rocks, because it was bottom up if you need your positions. You don't need to review this anymore, sorry.

We had an architect that looked like a stick man that I drew in the first grade.

AP 1000 was better. They ended up having to fire the INC manager because he didn't want to do what we wanted the next guys thought it was a good idea to do what we thought was good, and they, then it flew through.

We didn't get everything because we didn't understand as much as we do now. It's evolved some, but trying to make it easy for both us, you all, and the applicants.

That's the purpose of going through this stuff and winnowing out the comments. So I hope, I hope you all take it that way.

This is not meant to be a for bows and arrows approach to doing business. How do we get to the same place.

How do I open this up for public comment, Dave?

MR. HECHT: Charlie? Charlie, this is Myron Hecht. There was just one other point that Vicki made. I don't know if Vicki wants to make this into an action item.

But in the discussion about intrusive cyber security measures versus non-intrusive versus not doing them because you were convinced that you are protected, Vicki had suggested, and this is in Section 5.9, or clause 5.9.

Vicki had suggested perhaps adding some concrete examples in the Reg Guide would help.

CHAIR BROWN: Okay, I missed that. Can you pencil something up a little bit? Doesn't have to be extensive.

You understand what her comment was, Eric, Khoi?

MR. NGUYEN: Not really. And, can you elaborate, please?

CHAIR BROWN: Was that in the Reg Guide or in the IEEE Standard? I don't remember.

MEMBER BIER: I think it was in the Reg Guide, but I would have to go back and look. Thank you for the reminder, Myron.

Greg, what do you think? Is that something that's important enough to push? You were the one who kind of said it looked okay as is.

MEMBER HALNON: I thought it looked okay as is.

CHAIR BROWN: Do you remember what section that was? Myron said 5.9.

MEMBER HALNON: It's 5.9.3.

CHAIR BROWN: Oh, yes.

MEMBER HALNON: It had to do with the, you know, the system being out of service if you're going to be intrusive on the virus software.

And, it made a lot of sense to me. I didn't see any holes in it.

CHAIR BROWN: It would be difficult I think, to put together examples.

MEMBER HALNON: I'm afraid, I worry about examples only because people key in on the example as the requirement.

CHAIR BROWN: Yes.

MEMBER HALNON: And they.

MEMBER BIER: And, then they don't do the ones that you didn't give as examples.

MEMBER HALNON: Exactly.

MEMBER BIER: So.

MEMBER HALNON: Exactly. But I thought it was clear to me starting from a design when I had to --

(Simultaneous speaking.)

CHAIR BROWN: Are you happy with that, Vicki?

MEMBER BIER: Yes, I'm happy to let that go and say okay as is.

CHAIR BROWN: All right, so before I go to public, the ones I've got is the confusion on the annex thing, 5.17.

3.3, 1.21 the words, architecture in the intro that sub-wireless. I'm not sure how I'm going to phrase that.

I'm going to try to make it so we, I'm sure I'll have plenty of help from them since I've got some, a lot of people here are listening. They'll make sure I phrase this in a proper manner.

And, that was probably the three or four or so areas that I would be thinking about addressing in some way in the letter.

The architecture thing, I mentioned the architecture part for the intro, or the background paragraph, whatever.

Other than that, is there anybody on the public line that would like to make a comment?

MS. ANTONESCU: Member Brown, there was one more item on the agenda regarding staff next steps for completion of proposed Reg Guides. Rev. 4.

CHAIR BROWN: There was one more item on the agenda?

MS. ANTONESCU: Yes, just for the staff to let us know what the next steps will be on completion of the Rev. 4 to Reg Guide 1.5.

CHAIR BROWN: Oh, okay.

MEMBER HALNON: Has it gone for public comment yet?

CHAIR BROWN: No.

MS. ANTONESCU: This is before public comment.

MEMBER HALNON: I don't mean the committee, I meant the actual document.

CHAIR BROWN: No, they have not sent it out yet.

MR. BENNER: No. Mike, did you, I mean you're list, and I think I can give a high level summary, but you're the name on the agenda. Do you want to discuss the next steps, or do you want me to?

MR. EUDY: You talking to me, Eric, Mike Eudy?

MR. BENNER: Yes.

MR. EUDY: Yes, well I guess the next steps would be, you know, to get the letter so we know what, you know, what we would want to consider modifications to the draft Guide before we issue it for public comment.

And, it sounds like that meeting is on November 29th and we would be --

(Simultaneous speaking.)

CHAIR BROWN: Yes, full committee meeting is I think we're first on the agenda on the 29th, that's what Christina, is that correct, Christina?

MS. ANTONESCU: Yes, 29th.

CHAIR BROWN: Okay.

So we're first up, then we'll be doing our letter you know, a day or two later after we finish the other items.

And I have now 12 days to build a letter that's coherent, which is going to be a challenge.

But I will get there.

MEMBER MARCH-LEUBA: Keep it short. This is usually short.

CHAIR BROWN: I, you know how I write letters.

MEMBER MARCH-LEUBA: I know, this is why I offer advice.

CHAIR BROWN: They have to stand on their own. In this case, I think I can make it clear without getting overwhelmingly verbose.

So from our standpoint, we did this quickly so we could try to get it to you because we didn't have an opportunity to do this earlier because of all kinds of others.

We couldn't get it scheduled as well. So our opportunity is to try to get this done so you all can get it out to the public comment.

I just wanted to make sure we covered highlights, and not have to do it after the public comment.

And you all felt that was better to have us all internally on kind of the same page before you went out, in this circumstance.

Doesn't have to be all the time, it's just in this particular circumstance based on the nature of this particular Reg Guide.

Okay? Now, any public comment? Anybody out there that would like to say something, or provide information or comment?

MR. SCAROLA: Yes, this is Ken Scarola from Nuclear Automation Engineering. Can you hear me okay?

CHAIR BROWN: Not very well. Can I do that?

MR. SCAROLA: Probably because I'm traveling in my car.

CHAIR BROWN: Oh.

MR. SCAROLA: I have to apologize. I just joined the meeting about 20 minutes ago. I was tied up this morning.

But if you can hear me, my comment pertains to Section 2.1.1. You may have already talked about this and if you have, please stop me and I will just relinquish and not comment.

But I have a concern about this section because it's as written and it may just be ambiguity, but as written, it seems to negate what the industry has been trying to accomplish with (telephonic interruption) workstations.

And the reason I say that is as written, it says that on non-safe, or on inter-divisional communications, and that would be a non-safe work station, can't send any software instructions to a safety system while the safety system is in service.

But that's exactly what we are trying to do with non-safe work stations. We want the operators to work at the same work stations for controlling both safety and non-safe systems during all modes of operation. Including when the safety system is in service.

So an operator can use a non-safe work station to open and close a safety related valve.

Start and stop a safety related pump.

And that would happen while the safe system is in service, but there would certainly be priority logic in the safety system such that if the safe system demands a safe of those components, then it's different than what the non-safe work station is requesting. Then the safety function commands would have priority.

So that section 2.1.1 for me is a real problem. Because it negates things that have already been approved on APR 1400, US-APWR, and I believe even on AP 1000.

CHAIR BROWN: Section --

(Simultaneous speaking.)

MR. SCAROLA: It's the words software instructions that give me a problem. Because software instructions could encompass those normal control commands.

CHAIR BROWN: I thank you for your comment.

MEMBER MARCH-LEUBA: Can I make a comment?

CHAIR BROWN: Yes, go ahead.

MEMBER MARCH-LEUBA: I didn't get your name the previous member of the public. This is Jose March-Leuba.

If you could write down what you said and send it to us, to the TFO, we would put your comments properly in the record.

Because we couldn't understand half of what you said. So if you could write it down and send it to Christina, it will be good.

Thank you.

MR. SCAROLA: I will be happy to do that.

Now let me just summarize by saying I recommend changing the words software instructions to instructions that could alter the software of the safety function processor.

We need to distinguish those. Normal control functions are different than functions that could alter the safety functions of the processor.

I'll put my comments in writing. Thank you.

CHAIR BROWN: Thank you.

I didn't get the name. Oh, it's Ken, okay.

Are there any other public comments?

(No audible response.)

CHAIR BROWN: Hearing none, if there is no other comments from the members, we can close this meeting.

Anybody object? I don't think they're going to object.

(No audible response.)

CHAIR BROWN: Okay, meeting is adjourned.

(Chorus of thank you.)

(Whereupon, the above-entitled matter went off the record at 12:42 p.m.)

Here is the comment offered verbally and also in writing by Ken Scarola at the ACRS DI&C subcommittee meeting on November 17, 2022:

Section 2.1.1 has an ambiguity problem:

2.1.1 Provisions for interdivisional communication should be included to prevent the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or not in service.

Software instructions could mean a control command from a non-safety control and display workstation to open a valve or start a pump, which is exactly what we want to use multidivisional workstations for, while the safety system is in normal operation. This functionality for non-safety workstations to safety system communication was approved by the staff for APR1400, USAPWR (maybe also AP1000). Therefore, I recommend changing "software instructions" to "instructions that could alter the software of the safety function processor".

Draft Guide 1374 - Proposed RG 1.152, Revision 4 Criteria for Programmable Digital Devices in Safety-related Systems of Nuclear Power Plants Advisory Committee on Reactor Safeguards Digital Instrumentation & Controls Systems Subcommittee Briefing November 17, 2022

Working Group

  • NRR/DEX

- Samir Darbali

- Khoi Nguyen

- David Rahn

- Richard Stattel

  • RES/DE

- Michael Eudy

- Paul Rebstock

  • NSIR/DPCP

- Ismael Garcia

- Kim Lawson-Jenkins

  • NRR/DORL

- Bhagwat Jain

- Michael Marshall

  • NRR/DRO

- Greg Galletti

  • NRR/DSS

- Khadijah West

Presentation Outline

  • Introduction
  • Background
  • Purpose of RG Revision
  • Regulatory Basis
  • Proposed Changes
  • Summary
  • Q&A

Introduction

- Endorses IEEE Std 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.

- Includes secure development and operational environment (SDOE) guidance for digital computers in the safety systems of nuclear power plants.


Introduction (Cont.)

- Endorses IEEE Std 7-4.3.2-2016, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations with exceptions and clarification.

- Includes additional guidance for fault detection and self-diagnostics, if used, in digital instrumentation and control (DI&C) systems.

- Implements the Commission's direction, which was informed by the OEDO letter to the Commission dated July 14, 2021 (ML21187A293).

Scope of RG 1.152

This RG endorses IEEE Std. 7-4.3.2 as an acceptable approach to meet regulatory requirements for promoting high functional reliability, design quality, and a SDOE for the use of programmable digital devices in the safety-related systems of nuclear power generating stations.

RG 1.152 Applicability

  • Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Domestic Licensing of Production and Utilization Facilities
  • 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants

Background

  • IEEE Std 7-4.3.2 was developed in 1982 to supplement IEEE Std 603 with criteria for programmable digital computer systems in safety systems of nuclear power generating stations.
  • Since then, IEEE Std 7-4.3.2 has been updated periodically to encompass the evolving digital technologies.


Background (Cont.)

  • The previous editions of IEEE Std 7-4.3.2 cover only computer-based digital systems. Revision 2016 of IEEE Std 7-4.3.2 expands the coverage to programmable digital devices and to encompass technologies that were not covered in the previous editions.
  • The previous version (Revision 2010) of IEEE Std 7-4.3.2 incorporated the data communication independence guidance from Digital I&C Interim Staff Guidance (ISG)-04, Highly Integrated Control Rooms - Communications Issues, for evaluating communication independence.

Background (Cont.)

  • Major Changes in IEEE Std 7-4.3.2 - 2016:

- Changing the term "computer" to "programmable digital devices" to encompass technologies such as Field Programmable Gate Arrays (FPGAs).

- Incorporating SDOE guidance from RG 1.152, revision 3.

- Providing specific criteria on the use of software tools used for digital devices and development of hardware, software, firmware, and programmable logic.

- Revising Annex D, Identification and Control of Hazards.


Background (Cont.)

Delta Between 2003 and 2016 Versions of IEEE Std 7-4.3.2

Clauses with Major Changes (7-4.3.2 - 2016):

- 5.1 - Single Failure Criterion: Additional criteria for programmable digital devices (PDDs)

- 5.3.2 - Software Tools: Expanded to define software tools for PDDs

- 5.5.4 - Prioritization of Functions: New - Incorporated ISG-04 guidance

- 5.6 - Independence: Incorporated ISG-04 guidance

- 5.7 - Capability for Test and Calibration: Included additional guidance for the measurement and test equipment (M&TE)

- 5.8 - Information Displays: Incorporated ISG-04 guidance

- 5.9 - Control of Access: Incorporated secure development and operational environment guidance from RG 1.152, R3

Background (Cont.)

Delta Between 2003 and 2016 Versions of IEEE Std 7-4.3.2

Clauses with Major Changes:

- 5.16 - Common Cause Failure Criteria: New - Included new guidance with respect to testing for addressing potential CCFs in PDDs

- 5.17 - Use of Commercial Digital Equipment: New - Included new guidance for the use of commercial digital equipment

- 5 Simplicity: New - clarifies simplicity concept

- Annex D - Identification and Control of Hazards: Restructured the format and added a section to describe a process of performing hazard analysis (HA) activities in conjunction with software development processes.

Purpose of RG 1.152, Revision 4

  • Enhances efficiency and effectiveness of licensing reviews.
  • To implement the Commission's direction (SRM-CTH210414-3), which was informed by the OEDO memorandum to the Commission dated July 14, 2021 (ML21187A293), that addressed the ACRS concern pertaining to Uni-directional communications from high safety to lower safety systems and internal plant to external systems connected to the internet.

Revise RG 1.152 to reference RG 5.71 and include information to make applicants for Design Certifications aware of cyber security requirements that apply to an operating license or combined license, and how these requirements could be considered during design phase and inform Commission.


Purpose of RG 1.152, Revision 4 (Cont.)

A statement has been added:

RG 5.71 provides an acceptable approach to meet the requirements of 10 CFR 73.54. For licensees that choose to provide, as part of their license submittal, descriptions of cybersecurity design features intended to address the guidance of RG 5.71, the extent of the staff's review of these features is limited to ensuring that these features do not adversely affect or degrade the system's reliability or its capability to perform its safety functions. Licensees and applicants should also consider the cybersecurity guidance in RG 5.71 in preparing a design certification under 10 CFR Part 52.

Regulatory Basis

10 CFR 50.55a(h)

Incorporating by reference: IEEE Std 279-1968, IEEE Std 279-1971, IEEE Std 603-1991

Non-Digital Safety System Requirements / Digital Safety System Requirements

Referencing:

- RG 1.152 - R0: Endorsing IEEE Std 7-4.3.2 - 1982, Supplementing IEEE Std 603-1980

- RG 1.152 - R1: Endorsing IEEE Std 7-4.3.2 - 1993, Supplementing IEEE Std 603-1991

- RG 1.152 - R2: Endorsing IEEE Std 7-4.3.2 - 2003, Supplementing IEEE Std 603-1998

- RG 1.152 - R3: Endorsing IEEE Std 7-4.3.2 - 2003, Supplementing IEEE Std 603-1998

- RG 1.152 - R4: Endorsing IEEE Std 7-4.3.2 - 2016, Supplementing IEEE Std 603-2009

Proposed Changes

  • Remove SDOE guidance
  • Endorse Revision 2016 of IEEE Std 7-4.3.2 with exceptions and clarifications, including:

Additional guidance for fault detection and self-diagnostics, if used, in DI&C systems.

Guidance and clarification for control of access.

Endorsement of Annex D, Identification and Control of Hazards.


Proposed Changes (Cont.)

System Integrity (Staff Position 1.b(1))

  • Endorsement of Annex D, Identification and Control of Hazards.

- Annex D was updated, in part, to implement the NRC staff's feedback related to the IEEE hazard analysis (HA) guidance.

- The Office of Research, via a research assistance request, assessed whether the updated Annex D supports an adequate technical basis for establishing consistent regulatory guidance.

- This draft guide endorses Annex D with clarifications to provide technical basis for applying and evaluating HA in support of safety demonstrations.


Proposed Changes (Cont.)

System Integrity (Cont.)

  • Include additional guidance for fault detection and self-diagnostics, if used, in DI&C systems.

- Self-diagnostics, if integrated into the safety-related DI&C systems, could be credited, on an application-specific basis, to either reduce or eliminate the channel operability tests, provided certain criteria are met.

Independence (Staff Position 1.b(2))

  • Include applicable ISG-04 guidance that has not been incorporated into IEEE Std 7-4.3.2-2016.


Proposed Changes (Cont.)

Control of Access (Staff Position 1.b(3))

  • Include guidance for providing safeguards to safety-related PDDs before installation.
  • Clarify the applicability of the control of access guidance for safety-related programmable digital devices and include a reference to RG 5.71 as directed by the Commission.

Common Cause Failures (CCFs) (Staff Position 1.b(4))

  • Include a note in which the NRC staff uses the guidance in BTP 7-19 to evaluate the applicant's defense-in-depth and diversity assessment as a means to address CCFs.

Summary

  • RG 1.152 is one of the primary RGs used by applicants and licensees in the development of digital I&C license applications, reactor certifications, and digital I&C topical reports.
  • The update to RG 1.152 is a high priority based on recent licensing experience and interactions with stakeholders that contributed to the update to IEEE Std 7-4.3.2 in 2016.


Summary (Cont.)

The staff proposes the revision of RG 1.152 to

  • Update information and guidance in the areas of functional reliability, design quality, and a SDOE for programmable digital devices in the safety-related systems of nuclear power plants.
  • Support NRC guidance and review practices.
  • Ensure that the guidance in these areas is current and consistent with the staff's position.

Thus, enhancing the efficiency and effectiveness of licensing review.


Questions?