ML25190A628

NRC Research to Enable Performance-based Safety Evaluation of Digital Systems
Person / Time
Issue date: 07/09/2025
From: Basturescu S, Sushil Birla, Norbert Carte, Mauricio Gutierrez, Derek Halverson (NRC/RES/DE)
To: Sushil Birla


Text

NRC Research to Enable Performance-based Safety Evaluation of Digital Systems
Sushil Birla, Derek Halverson, Sergiu Basturescu, Norbert Carte, Mauricio Gutierrez
U.S. Nuclear Regulatory Commission, Rockville MD, USA
Sushil.Birla@nrc.gov

[Placeholder for Digital Object Identifier (DOI) to be added by ANS]

INTRODUCTION
The NRC has undertaken research to enable performance-based safety evaluation of digital instrumentation and control (DI&C) systems of the highest criticality (such as reactor protection systems). This research will enable a more effective and efficient regulatory process, i.e., it will enable a substantial reduction in the calendar time, cost, and uncertainty perceived by stakeholders seeking design certifications, licenses, or license amendments.

Performance-based evaluation criteria
The research produces performance-based technical evaluation criteria (e.g., without dependence on prescriptive aspects such as diversity in design). The criteria focus on the safety outcome: assurance that the safety function will be executed correctly when demanded and that no hazardous condition can be found in the design that would prevent the safety function from performing as intended. The criteria are derived from this safety outcome using sound scientific, logical, and engineering principles. The criteria are intended to enable evaluation without necessitating diversity in the design. To that end, the technical criteria focus on precluding the possibility of hazardous defects from the earliest phase of the development process, i.e., they allow for confirmation that the design is correct by construction. To enable these objectives, the technical criteria will allow the use of novel approaches to system assurance, including the incorporation of mathematical evidence of safety.

Focus on systematic causes
While replicated redundancy provides adequate protection against random failure of traditional hardware components of nuclear safety-related systems, the introduction of digital elements in these systems has introduced the potential for systematic causes of malfunction.

These causes are rooted in the concept and design of the system, mostly due to inadequately specified engineering requirements to prevent hazardous conditions in the design.

Replicated redundancy does not provide protection against such systematic causes. This is recognized in Title 10, Code of Federal Regulations, Part 50, Appendix A, Introduction, as follows: "... some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. ... These matters include: ...

(4) Consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems ..."

Leveraging the NRC's topical report process
As part of its topical report review process, the NRC has provision for certifying a system design generically, i.e., the certified design may be used by any licensee (or applicant for a license amendment) in a specific plant without any further NRC review of the pre-certified design (other than for the application-specific conditions of use). Safe reuse of a design (without the provision of diversity) requires more precision in the technical evaluation criteria than in the traditional context. This research has developed the necessary criteria by leveraging the established (but underutilized) principles of Domain Engineering. Criteria for evaluating the work products of earlier phases of system development (e.g., specifications of engineering requirements and specification of the system architecture) are expressed rigorously through models based on a mathematical foundation. Thus, an applicant may present the safety analysis of the engineering requirements of the system and its architecture using model-based systems engineering, leveraging tool-based automation assistance. Correspondingly, the research also includes constraints on the modeling languages and tools upon which the correctness of construction depends. The NRC's topical report process may also be used for the pre-certification of these modeling languages, tools, and associated verification and validation processes. The domain engineering approach leveraged in this research allows for pre-certification of components that are much more fine-grained than in the traditional use of the design certification process at the NRC (i.e., certification of complete DI&C platforms). The pre-certification of finer-grained components and their composition rules allows for the certification of a much broader family of platforms, or the licensing of a much broader family of systems, with a significantly reduced burden of regulatory approval. This approach is supported by a domain-specific framework including libraries of reusable assets.

Safety assurance case: evidence-organizing paradigm
Based on interest expressed by the industry, additional NRC research supports the evaluation of a safety analysis report focused on the safety outcome and on how the information from verification and validation supports the safety outcome through the logical integration structure of a safety assurance case. Development of the safety analysis report in this form would be much more effective and efficient than the traditional organization (paralleling the NRC's review guidance). The research provides technical criteria to evaluate a safety assurance case and includes an illustrative example of creating one with the support of a library of building blocks.

ENDNOTE
The views expressed herein are those of the authors and do not represent an official position of the U.S. NRC.