ML22339A215

| | |
|---|---|
| Issue date: | 12/05/2022 |
| From: | Samir Darbali, Ismael Garcia (NRC/NSIR/DPCP) |
U.S. Nuclear Regulatory Commission's Approach to Software Reliability, Including Consideration of Common-Cause Failures

Technical Meeting on the Software Reliability of Digital Instrumentation and Control Systems for Nuclear Power Plant Safety, 13-16 December 2022

Ismael L. Garcia, Senior Technical Advisor, Cyber Security and Digital Instrumentation & Control, Office of Nuclear Security and Incident Response, U.S. Nuclear Regulatory Commission (NRC). Email: Ismael.Garcia@nrc.gov

Samir Darbali, Electronics Engineer, Division of Engineering and External Hazards, Office of Nuclear Reactor Regulation, U.S. NRC. Email: Samir.Darbali@nrc.gov
Bottom Line Up Front

The U.S. NRC's defense-in-depth regulatory approach for digital I&C safety systems includes a determination of software reliability and defense against potential common-cause failures (CCFs).

The U.S. NRC regulatory infrastructure relies on a qualitative approach for determining software reliability.
- Such an approach is based on strong requirements on the deterministic behavior of the software to allow full verification and validation.
- The combination of strong design requirements that allow full verification and validation gives a high degree of confidence in the reliability of the software.

The NRC staff has requested that the Commission expand the current policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth.
Outline
- High-level overview of the U.S. NRC's approach to software reliability
- Regulations
- Licensee and NRC staff guidance
- Current CCF policy
- Risk-informing the current CCF policy

U.S. NRC's Approach to Software Reliability
Federal Regulations
- 10 CFR 50, Domestic Licensing of Production and Utilization Facilities
  - 10 CFR 50.55a, Codes and Standards (incorporates IEEE 603-1991 and IEEE 279-1971, Standard Criteria for Safety Systems)
  - 10 CFR 50 Appendix A, General Design Criteria
  - 10 CFR 50 Appendix B, Quality Assurance Criteria
- 10 CFR 52, Licenses, Certifications, and Approvals for Nuclear Power Plants

I&C-related Regulatory Guides
- Criteria for Safety Systems (RG 1.153, RG 1.47, RG 1.62, RG 1.75)
- Criteria for Safety System Computers (RG 1.152)
- Single-Failure Criterion (RG 1.53)
- Software Development and Digital Reliability (RG 1.168, RG 1.169, RG 1.170, RG 1.171, RG 1.172, RG 1.173)
- Equipment Qualification (RG 1.180, RG 1.209)
- Accident Monitoring Instrumentation (RG 1.97)
- Instrument Sensing Lines (RG 1.151)
- Periodic Testing (RG 1.22, RG 1.118)
- Setpoints (RG 1.105)

Source: Document Collections | NRC.gov
- 10 Code of Federal Regulations (CFR) 50.55a, "Codes and standards"
  - Incorporates by reference the requirements in IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations."
  - IEEE Std 603-1991, Clause 5.15 (Reliability): "For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved."
  - IEEE Std 603-1991, Clause 5.9 (Control of Access): "The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof."
- 10 CFR 50, Appendix A, General Design Criterion (GDC) 1, "Quality Standards and Records"
  - Requires in part that systems and components important to safety be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
- GDC 21, "Protection System Reliability and Testability"
  - Requires in part that protection systems be designed for high functional reliability commensurate with the safety functions to be performed.
- 10 CFR 50, Appendix B, Quality Assurance Criteria
  - Criterion III (Design Control): Requires in part that quality standards be specified and that design control measures shall provide for verifying or checking the adequacy of design.
  - Criterion V (Instructions, Procedures, and Drawings): Requires in part that activities affecting quality shall be prescribed by "documented instructions, procedures, or drawings, of a type appropriate to the circumstances...."
- Regulatory Guide 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants"
  - Endorses IEEE Std 7-4.3.2-2003, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations."
  - Contains guidance for the licensee to implement a Secure Development and Operational Environment (SDOE).
- Regulatory Guide 1.168, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants"
  - Endorses IEEE Std 1012-1998, "IEEE Standard for Software Verification and Validation."
  - Provides methods for meeting the regulatory requirements as they apply to verification and validation of safety system software.
- Regulatory Guide 1.22, "Periodic Testing of Protection System Actuation Functions"
- Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems"
- Regulatory Guide 1.53, "Application of the Single Failure Criterion to Safety Systems"
- Regulatory Guide 1.62, "Manual Initiation of Protective Actions"
- Regulatory Guide 1.75, "Criteria for Independence of Electrical Safety Systems"
- Regulatory Guide 1.97, "Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants"
- Regulatory Guide 1.105, "Setpoints for Safety Related Instrumentation"
- Regulatory Guide 1.118, "Periodic Testing of Electric Power and Protection Systems"
- Regulatory Guide 1.151, "Instrument Sensing Lines"
- Regulatory Guide 1.153, "Criteria for Safety Systems"
- Regulatory Guide 1.169, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- Regulatory Guide 1.170, "Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- Regulatory Guide 1.171, "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- Regulatory Guide 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- Regulatory Guide 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants"
- Regulatory Guide 1.180, "Guidelines for Evaluating Electromagnetic and Radio Frequency Interference in Safety Related Instrumentation and Control Systems"
- Regulatory Guide 1.209, "Guidelines for Environmental Qualification of Safety Related Computer Based Instrumentation and Control Systems in Nuclear Power Plants"
- Branch Technical Position (BTP) 7-14, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems"
  - Provides guidelines for evaluating software life cycle processes for digital computer-based I&C systems.

Source: https://www.nrc.gov/docs/ML1601/ML16019A308.pdf
U.S. NRC's Policy to Address Digital I&C CCFs

Staff papers to the Commission:
- SECY-93-087 (1993)
- SECY-18-0090 (2018): clarifies the application of the Commission's direction in the four points within SRM-SECY-93-087.
- SECY-22-0076 (2022): requests that the Commission expand the current policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth (proposed expanded policy). The Commission is currently reviewing SECY-22-0076.

Commission direction to the staff:
- SRM-SECY-93-087 (1993): identifies four points to address digital I&C CCFs.

Staff guidance:
- BTP 7-19, Revision 8 (2021): provides guidance to the staff for the evaluation of defense-in-depth and diversity to address digital I&C CCFs (current policy).
- Guidance for the proposed expanded policy will be developed after Commission direction.
U.S. NRC's Current Policy to Address Digital I&C CCFs

SRM-SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," identifies four points to address digital I&C CCFs:
- Point 1 requires a defense-in-depth and diversity (D3) assessment to demonstrate that CCFs have been adequately addressed.
- Point 2 requires that the D3 assessment analyze each postulated CCF for each event evaluated in the accident analysis, using best-estimate methods, to demonstrate adequate diversity.
- Point 3 requires a diverse means of actuation (manual or automatic) if a CCF could disable a safety function.
- Point 4 requires diverse main control room displays and manual controls for actuation of critical safety functions.

Source: https://www.nrc.gov/docs/ML0037/ML003708056.pdf
SECY-18-0090, "Plan for Addressing Potential Common Cause Failure in Digital Instrumentation and Control"
- Clarifies the application of the Commission's direction in the four points within SRM-SECY-93-087.
- Recognizes that significant effort has been applied to the development of highly reliable digital I&C systems, but that residual faults within digital systems may lead to CCFs.

Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure due to Latent Design Defects in Digital Safety Systems"
- Supports a risk-informed, graded approach based on the safety significance of the digital I&C system.
- Incorporates lessons learned from previous operating reactor and new reactor reviews.
- Supports expanded use of defensive measures to address digital I&C CCFs.

Sources: https://www.nrc.gov/docs/ML1817/ML18179A067.pdf and https://www.nrc.gov/docs/ML2033/ML20339A647.pdf
U.S. NRC's Approach to Risk-Informing the CCF Policy

SECY-22-0076, "Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems"
- This SECY was issued in August 2022 to request that the Commission expand the current policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth, including not providing any diverse automatic actuation of safety functions.
- The proposed expanded policy encompasses the current points of SRM-SECY-93-087 (with clarifications) and expands the use of risk-informed approaches in Points 2 and 3.
- The current policy will remain a valid option for licensees and applicants.
- The staff's goal is to provide more flexibility in addressing the digital I&C CCF challenge while continuing to ensure safety.

Source: https://www.nrc.gov/docs/ML2219/ML22193A290.html
U.S. NRC's Approach to Risk-Informing the Current CCF Policy

Proposed Expanded Policy to Address Digital I&C CCFs
- Point 1: SRM-SECY-93-087, Point 1 (Clarified)
- Point 2: Current Path, SRM-SECY-93-087, Point 2 (Clarified); Risk-Informed Path, Point 2 Risk-Informed Approach
- Point 3: Current Path, SRM-SECY-93-087, Point 3 (Clarified); Risk-Informed Path, Point 3 Risk-Informed Approach
- Point 4: SRM-SECY-93-087, Point 4 (Clarified)

The Current Path allows for the use of best-estimate analysis and diverse means to address a potential digital I&C CCF. The Risk-Informed Path allows for the use of risk-informed approaches and other design techniques or measures other than diversity to address a potential digital I&C CCF.
Closing Remarks/Take-Aways

The U.S. NRC's defense-in-depth regulatory approach for digital I&C safety systems includes a determination of software reliability and defense against potential CCFs.

The U.S. NRC regulatory infrastructure relies on a qualitative approach for determining software reliability.
- Such an approach is based on strong requirements on the deterministic behavior of the software to allow full verification and validation.
- The combination of strong design requirements that allow full verification and validation gives a high degree of confidence in the reliability of the software.

The NRC staff has requested that the Commission expand the current policy for digital I&C CCFs to allow the use of risk-informed approaches to demonstrate the appropriate level of defense-in-depth.