Regulatory Guide 1.169: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
Line 1: Line 1:
{{Adams
{{Adams
| number = ML12355A642
| number = ML003740102
| issue date = 07/19/2013
| issue date = 09/30/1997
| title = (Draft Was Issued as DG-1206, Dated August 2012) Revision 1, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
| title = (Draft Was DG-1055) Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
| author name = Orr M P, Sturzebecher K J
| author name =  
| author affiliation = NRC/RES/DE
| author affiliation = NRC/RES
| addressee name =  
| addressee name =  
| addressee affiliation =  
| addressee affiliation =  
| docket =  
| docket =  
| license number =  
| license number =  
| contact person = Orr M P
| contact person =  
| case reference number = DG-1206
| case reference number = DG-1055
| document report number = RG-1.169, Rev 1
| document report number = RG-1.169
| package number = ML12354A524
| document type = Regulatory Guide
| document type = Regulatory Guide
| page count = 15
| page count = 8
}}
}}
{{#Wiki_filter:U.S. NUCLEAR REGULATORY COMMISSION
{{#Wiki_filter:U.S. NUCLEAR REGULATORY  
July 2013  Revision 1 REGULATORY GUIDE
COMMISSION  
  OFFICE OF NUCLEAR REGULATORY RESEARCH
REGULATORY
Technical Lead Karl Sturzebecher Written suggestions regarding this guide or development of new guides may be submitted through the NRC's public Web site under the Regulatory Guides document collection of the NRC Library at http://www.nrc.gov/reading
September
-rm/doc-collections/reg
1997 GUIDE OFFICE OF NUCLEAR REGULATORY  
-guides/contactus.html.    Electronic copies of this guide and other recently issued guides are available through the NRC's public Web site under the Regulatory Guides document collection of the NRC Library at http://www.nrc.gov/reading
RESEARCH REGULATORY
-rm/doc-collections/
GUIDE 1.169 (Draft was DG-1055) CONFIGURATION
and through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading
MANAGEMENT  
-rm/adams.html , under Accession No. ML12355A642.  The regulatory analysis may be found in ADAMS under Accession No. ML103200047 and the staff responses to the public comments on DG
PLANS FOR DIGITAL COMPUTER SOFTWARE USED IN SAFETY SYSTEMS OF NUCLEAR POWER PLANTS  
-1206 may be found in ADAMS under Accession No. ML12355A529.      REGULATORY GUIDE 1.169 (Draft was issued as D G-1206, dated August 2012)
  CONFIGURATION MANAGEMENT PLANS FOR DIGITAL COMPUTER SOFTWARE USED IN SAFETY SYSTEMS OF NUCLEAR POWER PLANTS


==A. INTRODUCTION==
==A. INTRODUCTION==
Purpose  This regulatory guide (RG) describes a method that the staff of the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for use in complying with NRC regulations on configuration management plans for digital computer software used in the safety systems of nuclear power plants.
In 10 CFR Part 50, "Domestic Licensing of Pro duction and Utilization Facilities," paragraph
55a(a)(1)  
requires, in part, that systems and components be designed, tested, and inspected to quality standards commensurate with the safety function to be per forme


Applicable Rules and Regulations The regulatory framework the NRC has established for nuclear power plants consists of a number of regulations and supporting guidelines applicable to configuration management plans for computer software. Title 10, of the Code of Federal Regulations, Part 50, "Domestic Licensing of Production and Utilization Facilities" (10 CFR Part 50) (Ref. 1), Appendix A, "General Design Criteria for Nuclear Power Plants," General Design Criterion (GDC) 1, "Quality Standards and Records," requires, in part, that quality standards be established and implemented to provide adequate assurance that structures, systems, and components (SSCs) important to safety will satisfactorily perform their safety functions, and that the nuclear power unit licensee maintain and control appropriate records of the design and testing of SSCs important to safety throughout the life of the unit. Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 describes criteria that must be met by a quality assurance program for SSCs that prevent or mitigate the consequences of postulated accidents.  In addition to the SSCs that directly prevent or mitigate the consequences of postulated accidents, the criteria of Appendix B also apply to all activities that affect the safety
====d. I Criterion ====
-related functions of such SSCs , including activities such as designing, purchasing , installing , inspecting , testing , operating, maintaining, and modifying.
1, "Quality Standards and Re cords," of Appendix A, "General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50 requires, in part, 1 that appropriate records of the design and testing of systems and components important to safety be .2 maintained by or under the control of the nuclear power unit licensee throughout the life of the unit. Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 describes criteria that must be met by a quality assur ance program for systems and components that prevent or mitigate the consequences of postulated accidents.


Further, Criterion III, "Design Control," of Appendix B to 10 CFR Part 50 requires, in part, that design changes "-shall be subject to design control measures commensurate with those applied to the original design
In particular, besides the systems and components that directly prevent or mitigate the consequences of postu lated accidents, the criteria of Appendix B also apply to all activities affecting the safety-related functions of such systems and components, such as designing, pur chasing, installing, testing, operating, maintaining, or lln this regulatory guide, many of the regulations have been paraphrased;
..." and "The design control measures shall provide for verifying or checking the adequacy of design, - by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program.
see 10 CFR Part 50 for the full text.modifying.


"  In 10 CFR 50.55a(a)(1), the NRC requires, in part, that systems and components be designed, fabricated, erected, tested, and inspected to quality standards commensurate with the importance of the RG 1.169, Rev. 1, Page
A specific requirement is contained in 10 CFR 50.55a(h), which requires that reactor protection systems satisfy the criteria of IEEE Std 279, "Criteria for Protection Systems for Nuclear Power Generating Stations." 2 Paragraph
2 safety function to be performed.  The regulations in 10 CFR 50.55a(h) require that reactor protection and safety systems satisfy the criteria in Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 603
4.3 of IEEE Std 279-19713 states that quality of components is to be achieved through the specification of requirements known to promote high quality, such as requirements for design, inspection, and testMany of the criteria in Appendix B to 10 CFR Part 50 contain requirements closely related to the con figuration management activity.
-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations" (including a correction sheet dated January 30, 1995) (Ref. 2), or in IEEE Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations" (Ref. 3).
These criteria shall be part of the evaluation of the recognized quality codes and standards selected for their applicability, adequacy and sufficiency and shall be supplemented or modified as needed to assure a quality product that will perform the required safety functionThe guidance on the safety systems equipment employing digital computers, and programs or firmware requires quality standards in the use of software configuration management.


This RG endorses IEEE Std. 828
Criterion III, "Design Control," of Appendix B requires measures for design documentation and identification and control of design interfaces.
-2005, "IEEE Standard for Software Configuration Management Plans," issued 2005 (Ref. 4), with the exceptions stated in Section C, "Staff Regulatory Guidance."  IEEE Std. 828-2005 describes methods acceptable to the NRC staff for use in complying with the NRC's regulations for quality standards that promote high functional reliability and design quality in software used in safety systems.


1Purpose of Regulatory Guides In particular, the methods are consistent with GDC 1 in Appendix A to 10 CFR Part 50 and the criteria for quality assurance programs in Appendix B to 10 CFR Part 50 as they apply to the maintenance and control of appropriate records of software development activitiesThe criteria of Appendices A and B to 10 CFR Part 50 apply to systems and related quality assurance processes, and the requirements also extend to software elements if those systems include software.
The same criterion also requires that design changes be subject to design control measures com mensurate with those used in the original design. Crite rion VI, "Document Control," requires that all docu ments that prescribe activities affecting quality, such as 2 Revision I of Regulatory Guide 1.153, "Criteria for Safety Systems," en dorses IEEE Std 603-1991,"Criteria for Safety Systems for Nuclear Pow er Generating Stations," as a method acceptable to the NRC staff for satis fying the NRC's regulations with respect to the design, reliability, qualifi cation, and testability of the power, instrumentation, and control portions of the safety systems of nuclear power plants3 1EEE publications may be obtained from the IEEE Service Center, 445 Hoes Lane, Piscataway, NJ 0885


The NRC issues RGs to describe methods the NRC staff considers acceptable for use in implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to applicants, however RG s are not substitutes for regulations and compliance with them is not required.  The information provided by this RG is in the Standard Review Plan, NUREG
===4. USNRC REGULATORY ===
-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants:  LWR Edition," Chapter 7, "Instrumentation and Controls," (Ref. 5).  The NRC staff uses the NRC Standard Review during staff review of 10 CFR Part 50 and 10 CFR Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants," (Ref. 6) license applications.
GUIDES The guides are issued in the following ten broad disions: Regulatory Guides re Issued to describe and make available to the public such Informa bon as methods acceptable to the NRC staff for hmplementing specific parts of the Com- 1. Power Reactors 6. Products mission's regulations, techniques used bythestaff inevaluating specific problemsor pos 2. Research and Tost Reactors 7. Trarsportation tulated accidents.


Paperwork Reduction Act This RG contains information collection requirements covered by 10 CFR Part 50
and data needed by the NRC staff in Its review of applications rper.- I Fuels and Mateials Facilities
and 10 CFR Part 52 that the Office of Management and Budget (OMB) approved under OMB control number s 3150-00 11 and 3150-0151, respectfully. The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.
8. Occupational Health mits and licenses.


1  The term "safety systems" is synonymous with "safety
Regulatory guides ae not substitutes foregulations, and compliance
-related systems." The scope of the GDC includes systems, structures, and components "important to safety." However, the scope of this regulatory guide is limited to "safety systems," which are a subset of "systems important to safety."  Although not specifically scoped to include non
4. Environmental end Siting 9. Anitrust and Financial Review withViem Isnotrelred.
-safety-related but "important to safety systems" this regulatory guide provides methods that the staff finds appropriate for the design, development and implementation of all important to safety systems.  The NRC may apply this guidance in licensing reviews of non
-safety but important to safety digital software and may tailor it to account for the safety significance of the system software.


RG 1.169, Rev. 1, Page
Methods andisolutions different from thosesetoutinlheguldes
3
5. Materials and Plant Protection
10. General will be acceptable If they provide a basis for the findings requisite to the Issuance or oon tinuence of a permit or cense by the Commission.


==B. DISCUSSION==
Single copies of regulatory guides may be obtained free of charge bywrlilng the Printing, This guide was issued after consideration of comments received from the public. Corn- Graphics and Distribution Branch, Office of Adminisation.
Description of Change This revision to RG 1.169 addresses two new areas with in IEEE Std. 828
 
-2005. The first is addressed by the addition of a new Staff Regulatory Guidance position 12, "Release Management and Delivery."  IEEE Std. 828
U.S. Nuclear Regulatory Com mens and suggestions for Improvenents In these guides re encouraged stall tines, and mission. Washington, OC 20555-0001;
-2005 has added this new section in order to control the overall software release management objectives. This new area for the "software configuration management" (SCM)
or by fax at (301)41515272.
complements the existing standard work found in the software life
 
-cycle project plan.
guides will be revised, as eppropriae.
 
to accommodate comments :nd to reflect new in Ion~on or experience.
 
Issued guides may also be purchased from the National Technical Information Service on Written comments may be submitted to the Rules Review and Diectives Branch DFIPS, a standing order basis. Details on this service may be obtained by writing NTIS, 5285 Port ADM, U.S. Nuclear Regulatory Commission, Washington.
 
DC 20555-0001.
 
Royal Road, Springfield, VA 22161.
 
instructions, procedures, and drawings, be subject to controls that ensure that documents, including changes, are reviewed for adequacy and approved for release by authorized personnel.
 
Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires, in part, that parts and components be identi fied to prevent the use of incorrect or defective parts or components.
 
Criterion XVI, "Corrective Action," requires that conditions adverse to quality, such as fail ures, malfunctions, deficiencies, and others, be identi fied, and that the cause be determined, the condition be corrected, and the entire process be documented.
 
Crite rion XVII, "Quality Assurance Records," requires in part that sufficient records be maintained so that data that is closely associated with the qualification of per sonnel, procedures, and equipment be identifiable and retrievable.


The second new area refers to security features or mechanisms which can play a critical role in supporting software security at higher levels of assurance.  IEEE Std. 1012
This regulatory guide, which endorses IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," 3 and ANSI/IEEE  
-2004, "IEEE Standard for Software Verification and Validation," (Ref. 7), as endorsed by RG 1.168, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (Ref. 8) requires a security analysis be performed during the development, operation, and maintenance life cycle processes.  IEEE Std. 828
Std 1042-1987, "IEEE Guide to Software Configuration Manage ment," 3 with the exceptions stated in the Regulatory Position, describes methods acceptable to the NRC staff for complying with the NRC's regulations for pro moting high functional reliability and design quality in software used in safety systems.4 In particular, the methods are consistent with the previously cited Gener al Design Criteria and the criteria for quality assurance programs of Appendix B as they apply to the mainte nance of appropriate records of, and control of, soft ware development activities.
-2005 adds to this by requiring measures to control security information such as the results of security analyses.  To meet criteria of IEEE Std. 603
-1991 and 10 CFR 50, Appendix B, the controlled development of digital safety system software is to be performed in a secure development and operational environment (SDOE).  For guidance to establish an SDOE, refer to RG 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," (Ref. 9). 
  This RG is based on standards and describes methods acceptable for any safety system software and discusses the required SCM activities.  It is the responsibility of the applicant or licensee to determine how the required activities will be implemented.


Background The use of industry consensus standards, such as IEEE standards, is part of an overall approach to meeting the requirements of 10 CFR Part 50 when developing safety systems for nuclear power plants.  Compliance with these standards does not guarantee that regulatory requirements will be met.  However, such compliance does ensure that practices accepted within various technical communities will be incorporated into the development and quality assurance processes used to design safety systems.  These practices are based on past experience and represent industry consensus on approaches used for the development of such systems.
The criteria of Appen dices A and B apply to systems and related quality assurance processes and, if those systems include soft ware, the requirements extend to the software elements.


This RG refers to software incorporated into the instrumentation and control systems covered by Appendix B to 10 CFR Part 50 as "safety system software.The identification, control, and documentation of safety system software must be accomplished as part of the effort to comply with NRC
In general, information provided by regulatory guides is reflected in the Standard Review Plan (NUREG-0800).  
requirementsIn addition to the record maintenance requirement of GDC 1, Appendix B provides detailed quality assurance criteria, including criteria for administrative control, design documentation control, design interface control, design change control, document control, identification and control of parts and components, and control and retrieval of qualification information associated with parts and componentsFor software, these activities are often referred to collectively as SCM.    Several criteria in Appendix B of 10 CFR Part 50 contain requirements closely related to configuration management activities.  These listed criteria are only part of and not the entire requirement: 
The Office of Nuclear Reactor Regu lation uses the Standard Review Plan to review applica tions to construct and operate nuclear power plantsThis regulatory guide will apply to the revised Chapter 7 of the Standard Review PlanThe information collections contained in this regu latory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Manage ment and Budget, approval number 3150-0011.
  Criterion II, "Quality Assurance Program," requires, in part, that activities affecting quality be accomplished under suitably controlled conditions.


RG 1.169, Rev. 1, Page
The NRC may not conduct or sponsor, and a person is not 4 The term "safety systems" is synonymous with "safety-related systems." The General Design Criteria cover systems, structures, and components "important to safety." The scope of this regulatoty guide is, however, lim ited to "safety systems," which are a subset of "systems important to safety." required to respond to, a collection of information un less it displays a currently valid OMB control number.
4  Criterion III, "Design Control," requires, in part, that measures be established for design documentation and the identification and control of design interfaces. This criterion also requires that design changes be subject to design control measures commensurate with those used for the original design.


Criterion V, "Instructions, Procedures, and Drawings," requires, in part, activities affecting quality be prescribed by documented instructions, procedures, or drawings of a type appropriate to the circumstances and that these activities be accomplished in accordance with these instructions, procedures, or drawingsCriterion V further requires that instructions, procedures, and drawings include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.
==B. DISCUSSION==
The use of industry consensus standards is part of an overall approach to meeting the requirements of 10 CFR Part 50 when developing safety systems for nuclear power plants. Compliance with standards does not guarantee that regulatory requirements will be metHowever, compliance does ensure that practices accepted within various technical communities will be incorporated into the development and quality assur ance processes used to design safety systems. These practices are based on past experience and represent in'dustry consensus on approaches used for development of such systems.


Criterion VI, "Document Control," requires, in part, that all documents that prescribe activities affecting quality, such as instructions, procedures, and drawings, be subject to controls that ensure that authorized personnel review documents, including changes, for adequacy and approve them for release.
Software incorporated into instrumentation and control systems covered by Appendix B will be referred to in this regulatory guide as safety system software.


Criterion VII, "Control of Purchased Material, Equipment, and Services," requires, in part, that measures be established to ensure that purchased material conforms to the specifications in procurement documents.
For safety system software, identification, control, and documentation of the software must be accomplished as part of the effort to achieve compliance with the NRC's requirements.


Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires, in part, that parts and components be identified to prevent the use of incorrect or defective parts or components.
In addition to the record mainte nance requirement of Criterion  
1 of Appendix A, Appendix B to 10 CFR Part 50 provides detailed quali ty assurance criteria, including criteria for administra tive control, design documentation, design interface control, design change control, document control, identification and control of parts and components, and control and retrieval of qualification information asso ciated with parts and components.


Criterion XIII, "Handling, Storage and Shipping," requires, in part, that measures be established to control handling, storage, shipping, and preservation of materials to prevent damage.
For software, these activities are often called, in aggregate, "software con figuration management" (SCM). SCM is identified as a safety system criterion by the industry standard, IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Com puters in Safety Systems of Nuclear Power Generating Stations," 3 which is endorsed by Revision I of Regula tory Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants." Configuration management is a significant part of high quality engineering activities and is already re quired by the NRC staff for structures, systems, and components important to safety. While the principles and intentions of traditional configuration management apply equally to software, there is also a significant change in emphasis for which traditional hardware con figuration management systems might not be suffi cient. This is because with software there is a greater emphasis on design process and the deliverable product is more like a design output. In the production of engi neered hardware, design outputs are inputs to a manufacturing process, and configuration management
1.169-2 activities focus on ensuring that design outputs and manufacturing process variables are traceable to identi fiable manufactured products.


Criterion XIV, "Inspection, Test, and Operating Status," requires, in part, that measures be established to indicate the status of inspections and tests and the identification of items passing the inspections and tests.
In contrast, with engi.> neered software, a large amount of design process in formation and many intermediate design outputs are associated with the final design output. Relatively many software engineering changes are expected and encountered.


Criterion XVI, "Corrective Action," requires, in part, that conditions adverse to quality, such as failures, malfunctions, and deficiencies, be identified and that the cause be determined, the condition be corrected, and the entire process be documented.
Consequently, although similar in intent to hardware configuration management, software con figuration management requires a change in emphasis, with expansion of the importance of intermediate de sign baselines and associated design process informa tion. The needs for robust change management and identification and control of product versions are also substantially increased.


Criterion XVII, "Quality Assurance Records," requires, in part, that sufficient records be maintained so that data that are closely associated with activities affecting quality, such as the qualification of personnel, procedures, and equipment, are identifiable and retrievable.
One consensus standard on software engineering, IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," and one IEEE guide, ANSI/IEEE
Std 1042-1987, "IEEE Guide to Software Configuration Management" (reaffirmed in 1993), describe software industry approaches to SCM that are generally accepted in the software engineering community.


Criterion XVIII, "Audits," requires, in part, that a comprehensive system of audits be conducted, results of those audits be documented, and follow
They provide guidance for planning and executing an SCM program. Together, this IEEE stan dard and guide elaborate on the important features required in an SCM program that may be under>j emphasized in traditional hardware configuration man agement programs.
-up actions taken where indicated.


Configuration management is a significant part of engineering activities and is already addressed by NRC requirements for structures, systems, and components important to safety.  Although the principles and intentions of traditional configuration management apply equally to software, software RG 1.169, Rev. 1, Page
The relationship of IEEE Std 1042-1987 to IEEE Std 828-1990 is important.
5 involves a significant change in emphasis for which traditional hardware configuration management systems might not be sufficient.  Software requires a greater emphasis on the design process, and the deliverable product is more like a design output.  In the production of engineered hardware, design outputs are typically inputs to a manufacturing or construction process, and configuration management activities focus on ensuring that design outputs and manufacturing or construction process variables are traceable to identifiable manufactured or construction products.  In contrast, in the production of engineered software, design process information may result in the development of many intermediate design outputs generally associated with the final design output.  Typically, numerous software engineering changes are expected and encountered during the coding and testing phases.  Consequently, although similar in intent to hardware configuration management, SCM requires a change in emphasis and the expansion of the importance of intermediate design baselines and associated design process information.  Appropriate SCM records accurately capture every change and provide a reliable and powerful tool to compare every difference between any two intermediate versions of a software implementation.  The need for robust and detailed change management and for rigorous identification and control of product versions is also substantially increased.


One consensus standard on software engineering, IEEE Std. 828
IEEE Std 1042-1987 is a tutorial guide that explains how to comply with IEEE Std 828-1990.
-2005, as endorsed by this RG , describes software industry approaches to SCM that are generally accepted in the software engineering community.  This standard provides guidance for planning and executing a SCM program.  Software configuration management is a formal engineering discipline that is a part of an overall system configuration management process.  Software configuration management provides the methods and tools used to identify and control software throughout its development and use.  The IEEE Std. 828
-2005 elaborates on the important features required in an SCM program that traditional hardware configuration management programs may underemphasize.  The software engineering community recognizes that the development of an effective SCM program hinges upon a well
-defined software configuration management plan.


Clause 3.3 of IEEE Std. 828
Section 1.1, "Scope," of IEEE Std 1042-1987 states that the guide provides suggestions and examples and "presents an interpretation of how IEEE Std 828-1983 [since updated to IEEE Std 828-1990]
-2005 describes seven functional areas for grouping configuration management activities:
can be used for planning the management of different kinds of computer program development and maintenance activities." The actual criteria to be met for compliance with the standard are contained in IEEE Std 828-1990..  
  1. configuration identification (Clause 3.3.1),  2. configuration control (Clause 3.3.2),  3. configuration status accounting (Clause 3.3.3), 4. configuration evaluation and reviews (Clause 3.3.4), 5. interface control (Clause 3.3.5), 6. subcontractor/vendor control (Clause 3.3.6), and
Both the standard and the guide apply to general purpose software development and mainte nance efforts, and they do not have specific criteria for safety system software.
7. release management and delivery (Clause 3.3.7).
  However, while IEEE Std. 828
-2005 requires that SCM plans describe provisions for these activities, the standard has no minimum set of activities for safety system software.  Staff Regulatory Guidance position 4 of this RG specifies a minimum set of the safety system software activities.


Harmonization with International Standards The International Atomic Energy Agency (IAEA) has established a series of safety guides and standards constituting a high level of safety for protecting people and the environment.  IAEA safety guides are international standards to help users striving to achieve high levels of safety. Pertinent to this RG, IAEA Safety Guide NS
C. REGULATORY
-G-1.1, "Software for Computer Based Systems Important to Safety in Nuclear Power Plants" issued September 2000 (Ref. 1
POSITION IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," provides an approach acceptable to the NRC staff for meeting the ./ requirements of 10 CFR Part 50, as applied to software, in planning configuration management of safety sys tem software, subject to the provisions listed below.ANSI/IEEE
0) discusses the importance of configuration management plans for computer software used in safety related systems. This RG incorporates similar RG 1.169, Rev. 1, Page
Std 1042-1987, "IEEE Guide to Soft ware Configuration Management," subject to the pro visions listed below, provides guidance acceptable to the NRC staff for carrying out software configuration management plans produced under the auspices of IEEE Std 828-1990.
6 configuration management recommendations and is consistent with the basic principles provided in IAEA Safety Guide NS
-G-1.1.    Documents Discussed in Staff Regulatory Guidance This RG endorses, in part, the use of one or more codes or standards developed by external organizations, and other third party guidance documents.  These codes, standards and third party guidance documents may contain references to other codes, standards or third party guidance documents ("secondary references").  If a secondary reference has itself been incorporated by reference into NRC regulations as a requirement, then licensees and applicants must comply with that standard as set forth in the regulation.  If the secondary reference has been endorsed in a RG as an acceptable approach for meeting an NRC requirement, then the standard constitutes a method acceptable to the NRC staff for meeting that regulatory requirement as described in the specific RG.  If the secondary reference has neither been incorporated by reference into NRC regulations nor endorsed in a RG, then the secondary reference is neither a legally
-binding requirement nor a "generic" NRC approved acceptable approach for meeting an NRC requirement.  However, licensees and applicants may consider and use the information in the secondary reference, if appropriately justified, consistent with current regulatory practice, and consistent with applicable NRC requirements.


C.  STAFF REGULATORY GUIDANCE
IEEE Std 1042-1987 should be used with the definitions of IEEE Std 828-1990 to implement the details of plans prepared pursuant to IEEE Std 828-1990.
  This RG applies to all aspects of the software life cycle within the system life
-cycle context.  IEEE Std. 828
-2005 provides an approach that the NRC staff considers acceptable for satisfying the agency's regulatory requirements with respect to configuration management plans for safety system software with the exceptions and additions listed in these regulatory positions.  In this section of the guide, the cited criteri a refer to Appendix B to 10 CFR Part 50 unless otherwise noted.


1. Definitions IEEE Std. 828
In the provisions listed below, ref erence is made to explanatory sections of IEEE Std 1042-1987 where appropriate to clarify SCM concepts.
-2005 refers to IEEE/Electronic Industries Association (EIA) 12207.0
-1996, "Industry Implementation of International Standard ISO/IEC 12207:1995 (ISO/IEC 12207) Standard for Information Technology
-Software Life Cycle Processes," issued March 1998 (Ref. 1
1), for definitions of the technical terms that are enumerated in Clause 2 of IEEE Std. 828
-2005.  These definitions are acceptable with the clarifications and additions noted below.


a. Baseline.  Meaning (1) of the term "baseline" from IEEE Std. 828
To meet the cited requirements of Appendix A to 10 CFR Part 50 by complying with the cited criteria of Appendix B, the following exceptions are necessary and will be considered by the NRC staff in the review of submittals from applicants and licensees. (In this Regu latory Position, the cited criteria are in Appendix B to 10 CFR Part 50 unless otherwise noted.),
-2005 is to be used.  "Formal review and agreement" is considered to mean that responsible management has reviewed and approved a baseline. Baselines are subject to change control.  Regulatory Position 2 of this regulatory guide describes the acceptable baseline change approval authority.


b. Interface.  All four variations of the meaning of the term "interface" in IEEE Std. 828
===1. DEFINITIONS ===
-2005 are to be used, depending on the context. Meaning (1), "a shared boundary across which information is passed," is interpreted broadly according to Criterion III to include design interfaces between participating design organizations.
IEEE Std 828-1990 refers to IEEE Std 610.12-1990, "IEEE Standard Glossary of Software Engineering Terminology," for definitions of the tech nical terms that are enumerated in section 1.3 of IEEE Std 828-1990.


====c. Configuration Audit====
These definitions are acceptable with the following clarifications and additions:
. In the context of an audit for delivery of a product, a configuration audit includes both a functional configuration audit and a physical configuration audit.
1.1 Baseline Meaning (1) of baseline is to be used in IEEE Std 828-1990.


RG 1.169, Rev. 1, Page
Formal review and agreement is taken to mean that responsible management has reviewed and approved a baseline.
7 2. Authority Levels Hierarchies of change approval authority levels are permitted, provided that the required authority level is commensurate with the life
-cycle stage (nearness to release) and the product's importance to safety.  The promotion of a software product from one level of safety significance to another level of safety significance could involve a change in level of control (as described in Clause 3.3.2.3 of IEEE Std.


828-2005) and a change in responsible individual.
Baselines are subject to change control. Acceptable baseline change approval authority is described in Exception
2 below.  1.2 Promotion The term "promotion," as defined in Section 1.4 of IEEE Std 1042-1987, is added to the list of defined terms.  1.3 Interface All four variations of the meaning of interface are to be used in IEEE Std 828-1990, depending upon the context. Meaning (1), "A shared boundary across which information is passed," is interpreted broadly according to Criterion III to include design interfaces between participating design organizations.


3. Acceptance Criteria The SCM plan should describe the criteria for selecting control points, as defined in Clause 2.1.1 of IEEE Std. 828
1.4 Configuration Audit IEEE Std 610.12-1990
-2005, and establish the correspondence between control points identified in the plan and baselines, project milestones, and life
refers the definition of con figuration audit to two other audits without specifying whether one or both definitions are meant. In the 1.169-3 context of an audit for delivery of a product, a configu ration audit includes both a functional configuration audit and a physical configuration audit.
-cycle milestones.    4. Configuration Management The minimal set of safety system software activities to be covered by the SCM plan should accomplish the following: 
  a. identification and control of all software designs and code;
b. identification and control of all software design interfaces;
c. control of all software design changes;
d. control of software documentation (user, operating, and maintenance documentation);
e. control of software vendors supplying safety system software;
f. control and retrieval of qualification information associated with software designs and code; g. software configuration audits;
h. status accounting; and i. control of building, release, and delivery of products.


Other quality assurance activities may serve or control some of these functions; in that case, the SCM plan should describe the division of responsibility.
===2. AUTHORITY ===
LEVELS Section 2.2.4 of IEEE Std 1042-1987 is modified to permit hierarchies of change approval authority lev els, as described in that section and discussed in section 3.3.2.1, provided the required authority level is com mensurate with life cycle stage (nearness to release) and product importance to safety. The promotion of a soft ware product might involve a change in level of control and responsible individual.


An SCM program that complies with IEEE Std. 828
===3. ACCEPTANCE ===
-2005 should take control of contractually developed or qualified commercial software products that are safety system software.  This means, for example, that the exact version of the product should be identified and controlled according to the change control procedures applied to other configuration items, and the SCM system should track and report its usage.    5. Corrective Action Criterion XVI requires, in part, that conditions adverse to quality, such as failures, malfunctions, and deficiencies, are identified and that the cause be determined, the condition be corrected, and the entire process be documented.  In software development or maintenance activities, the responsibility for these activities is often distributed among several organizations, possibly leading to a fragmented view of the correction process.  Clause 3.3.2 of IEEE Std. 828
CRITERIA Criterion II, "Quality Assurance Program," states that activities affecting quality are to be accomplished under suitably controlled conditions.
-2005 requires a description of the correction process, including change requests, change evaluation, change approval, change implementation, change verification, and changed
-version release.  The preliminary steps leading to a change request should also be described, including the responsibility for executing and documenting anomaly reports, problem analyses, and statistical monitoring of software performance.  If other documents describe these activities, the descriptions may be included by reference to those documents.


RG 1.169, Rev. 1, Page
Criterion V, "Instructions, Procedures, and Drawings," states that instructions, procedures, or drawings are to include appropriate quantitative or qualitative acceptance crite ria for determining that important activities have been satisfactorily accomplished.
8  6. Documentation Clause 3.3.1.1 of IEEE Std. 828
-2005 requires, as a minimum, that the SCM plan lists all configuration items to be delivered.  This meets the requirements of Criterion VIII with regard to safety system software if all software deliverables are identified and controlled as configuration items.  It also meets the requirements of Criteria III, VI, and VII.


For safety system software, configuration items or controlled documents should include the following: 
Section 1.3 of IEEE Std 828-1990 defines "control point." The software con figuration management (SCM) plan should describe the criteria for selecting control points and establish the correspondence between control points identified in the plan and baselines, project milestones, and life cycle milestones.
  a. software requirements, designs, and code; b. data files used and called directly or indirectly by software;
c. support software used in development (exact versions);
d. libraries of software components essential to safety;
e. software plans that could affect quality;
f. test software requirements, designs, or code used in testing;
g. test results used to qualify software;
h. analyses and results used to qualify software;
i. software documentation;
j test cases;
k. databases and software configuration data;
and l. software change documentation.  Items that could change because of design changes, review, or audit should be configuration items subject to formal change control.  Other items, such as compilers, that may not change but are necessary to ensure correct software production should also be configuration items, thereby ensuring that all factors contributing to the executable software are controlled.  This also is useful in areas such as maintenance, future software development, and tracing the impact of reported errors, faults, and th e performance of appropriate regression analysis to support the acceptance of future changes to the software.  Items that are retained for historical or statistical purposes may be controlled documents.


7. Control of Purchased Materials The SCM program that complies with IEEE Std. 828
===4. CONFIGURATION ===
-2005, as endorsed by this RG, should take control of contractually developed or qualified commercial software products that are safety system software.  This meets the requirements of Criteria VII and VIII with regard to safety system software. This means, for example, that the exact version and build number of the product should be identified and controlled according to the change control procedures applied to other configuration items, and the product's usage should be tracked and reported.
MANAGEMENT
Section 2.3 of IEEE Std 828-1990 describes four functional areas under which configuration manage ment activities are grouped: configuration identifica tion, configuration control, status accounting, and con figuration reviews and audits. However, while IEEE Std 828-1990 requires that SCM plans describe provi sions for these activities, it has no minimal set of activi ties for safety system software.


For the use of commercial grade software in safety related digital systems, additional detailed information on acceptance processes appear s in Electric Power Research Institute (EPRI) Topical Report (TR)-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications," issued October 1996 (Ref. 1
Criterion II, "Quality Assurance Program," states that activities affecting quality are to be accomplished under suitably con trolled conditions.
2), which was endorsed by an NRC safety evaluation report (SER) dated July 17, 1997 (Ref. 1
3).  8. Development Tools Tools used in the development of safety system software should be handled according to IEEE Std. 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power RG 1.169, Rev. 1, Page
9 Generating Stations," issued 2003 (Ref. 1
4), as endorsed by RG 1.152.  In particular, an SCM program operated by the using organization that complies with IEEE Std. 828
-2005 should take control of tools (i.e., tools should be treated as configuration items).  SCM Plans should identify that software tools used in the production of safety system software be considered as a configuration item.


9. Acceptance Criteria Clause 4.2, "Downward Adaptation," of IEEE Std. 828
Criteria III, "Design Control";
-2005 specifies conditions under which some requirements in the standard may be omitted when deemed not applicable to a particular scope, limited complexity, or unusual environment for a project.  In order to maintain acceptance criteria established in accordance with Criterion V and suitably controlled conditions (in accordance with Criteria II and VIII) for safety system software, this regulatory guide does not endorse this clause.
VI, "Document Control";
VII, "Control of Purchased Ma terial, Equipment, and Services";
VIII, "Identification and Control of Materials, Parts, and Components";
XVII, "Quality Assurance Records";
and XVIII, "Au dits," address various aspects of the need for control ling designs, documentation, and materials.


10. Design Verification Clause 3.3.2(d) of IEEE Std. 828
For safety system software, the minimal set of activities must ac complish the following- identification and control of all software designs and code, identification and control of all software design interfaces, control of all software design changes, control of software documentation (user, operating, and maintenance documentation), control of software vendors supplying safety system software, control and retrieval of qualification informa tion associated with software designs and code, soft ware configuration audits, and status accounting.
-2005 requires a definition of the verification, implementation, and release of a change.  The criteria for verification must meet the requirements of Criterion III, which requires that design changes be subject to design control measures commensurate with those applied to the original design.  This encompasses the reexamination of any appropriate safety analysis related to the change.    11. Software Configuration Management Plan Clause 3.1(g) of IEEE Std. 828
-2005 requires the SCM plan to address the assumptions upon which the plan is based, including assumptions that might have an impact on cost and schedule.  Any use of cost and schedule criteria must be consistent with the requirement of 10 CFR 50.57(a)(3) that there be reasonable assurance that the activities authorized by the operating license can be conducted without endangering public health and safety.


1 2. Release Management and Delivery Clause 3.3.7 of IEEE Std. 828
Some of these functions or documents may be per formed or controlled by other quality assurance activi ties; in this case the SCM plan should describe the divi sion of responsibility.
-2005 requires that the SCM plan describe how the building, release, delivery, change control, master copies of code, and documentation of software will be formally controlled "in accordance with the policies of the organizations involved."  This control should include the preservation of materials used to deliver the software and a change control mechanism sufficient to ensure the correction of faults identified in the software.


13. Backfit Clarification Clause 1.1 of IEEE Std. 828
===5. CORRECTIVE ===
-2005 states:  "It also applies to noncritical software and to software already developed."  Such statements in the standard should not be interpreted as requirements for backfit as defined in 10 CFR 50.109, "Backfitting."  Section D of this RG provides the NRC staff position on backfitting as it concerns this guidance.
ACTION Criterion XVI, "Corrective Action," requires that conditions adverse to quality, such as failures, malfunc tions, deficiencies, and others, be identified, the cause be determined, the condition be corrected, and the en tire process be documented.


14. Annexes    IEEE Std. 828
In software development or maintenance, the responsibility for these activities is often distributed among several organizations, possi bly leading to a fragmented view of the correction process. Section 2.3.2 of IEEE Std 828-1990 requires a partial description of the correction process, including change requests, change evaluation, change approval, change implementation, change verification, and changed-version release. The preliminary steps leading to a change request should also be described, including responsibility for executing and documenting anomaly reports, problem analyses, and statistical monitoring of software performance.
-2005 contains two informative annexes.  These annexes are listed here as sources of information; they have not received regulatory endorsement unless otherwise noted:
  Annex A, "Bibliography," lists IEEE standards that are useful in implementing and interpreting the test requirements contained in IEEE Std. 828
-2005. The paragraph titled "Other Codes and RG 1.169, Rev. 1, Page
10 Standards"
in Section B of this regulatory guide provides the NRC staff position on the endorsement and use of other standards.


Annex B, "Relationship of IEEE Std. 828
If these activities are described by other documents, the descriptions may be included by reference.
-2005 to Other Standards," describes the relationship of IEEE Std. 828
-2005 to IEEE/Electronic Industries Association (EIA) Std. 12207.1
-1997, "Industry Implementation of International Standard ISO/IEC 12207:1995 (ISO/IEC 12207) Standard for Information Technology
-Software Life Cycle Processes
-Life Cycle Data," issued April 1998, and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Technical Report (TR)
-19759:2005, "Software Engineering
-Guide to the Software Engineering Body of Knowledge (SWEBOK)," issued 2005 (Ref. 1
5).  The NRC does not endorse this annex because the agency has endorsed neither IEEE/EIA Std. 12207.1-1997 nor ISO/IEC TR
-19759:2005.


==D. IMPLEMENTATION==
===6. DOCUMENTATION ===
The purpose of this section is to provide information on how applicants and licensees
Section 2.3.1.1 of IEEE Std 828-1990 requires, as a minimum, that all configuration items that are to be delivered be listed in the SCM plan. This fulfills the in tent of Criterion VIII, "Identification and Control of Materials, Parts, and Components," with regard to safety system software if all software deliverables are identified and controlled as configuration items. Crite rion III, "Design Control," requires measures for de sign documentation, identification and control of de sign interfaces, and control of design changes.
2  may use this guide and information about the NRC's plans for using this RG.  In addition, it describes how the staff complies with 10 CFR 50.109, "Backfitting" and any applicable finality provisions in 10 CFR Part
 
52, "Licenses, Certifications, and Approvals for Nuclear Power Plants."
Criterion VI, "Document Control," requires that all documents that prescribe activities affecting quality, such as instructions, procedures, and drawings, be sub ject to controls that ensure that documents, including changes, are reviewed for adequacy and approved for release by authorized personnel.
Use by Applicants and Licensees Applicants and licensees may voluntarily
3  use the guidance in this document to demonstrate compliance with the underlying NRC regulations.  Methods or solutions that differ from those described in this RG may be deemed acceptable if they provide sufficient basis and information for the staff to verify that the proposed alternative demonstrates compliance with the appropriate NRC regulations.  Current licensees may continue to use guidance the NRC found acceptable in the past to comply with the identified regulations, as long as their current licensing basis remains unchanged.


Licensees may use the information in this RG for actions that do not require NRC review and approval, such as changes to a facility design under 10 CFR 50.59, "Changes, Tests, and Experiments."  Licensees may use the information in this RG or applicable parts to resolve regulatory or inspection issues.   This RG is not being imposed upon current licensees and may be voluntarily used by existing licensees.
Criterion XVII, "Quality Assurance Records," requires in part that suf ficient records be maintained so that data that is closely associated with the qualification of personnel, proce dures, and equipment will be identifiable and retriev able. This regulatory guide applies to all aspects of the software life cycle within the system life cycle context.1.169-4 Therefore, for safety system software, configuration items or controlled documents should include the fol lowing:
* Software requirements, designs, and code a Support software used in development (exact ver sions) a Libraries of software components essential to safety
* Software plans that could affect quality
* Test software requirements, designs, or code used in testing a Test results used to qualify software
* Analyses and results used to qualify software
* Software documentation
* Databases and software configuration data
* Commercial software items that are safety system software
* Software change documentation Items that could change because of design changes, review, or audit should be configuration items subject to formal change control. Other items that may not change but are necessary to ensure correct software pro duction, such as compilers, should also be configura tion items, thereby ensuring that all factors contribut ing to the executable software are understood.


If a licensee believes that the NRC either is using this RG or requesting or requiring the licensee to implement the methods or processes in this RG in a manner inconsistent with the discussion in this implementation section, then the licensee may file a backfit appeal with the NRC in accordance with the guidance in NUREG
This also is useful in areas such as maintenance, future software development, and tracing the impact of reported bugs.  Items that are retained for historical or statistical pur poses may be controlled documents.
-1409, "Backfitting Guidelines," (Ref.


16) and the NRC Management Directive 8.4, "Management of Facility
7. CONTROL OF PURCHASED
-Specific Backfitting and Information Collection" (Ref.
MATERIALS
Criterion VII, "Control of Purchased Material, Equipment, and Services," requires measures to ensure that purchased material conforms to procurement docu ments. Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires measures to be established for the identification and control of materials, parts, and components.


17).                                              
Contractually devel oped or qualified commercial software products that are safety system software must be taken under control by an SCM program that complies with IEEE Std 828 1990 as endorsed by this regulatory guide. This means, for example, that the exact version of the product is .2 identified and controlled according to the change con trol procedures applied to other configuration items and that its usage is tracked and reported.


2 In this section, "licensees" refers to licensees of nuclear power plants under 10 CFR Parts 50 and 52; and the term "applicants" refers to applicants for licenses and permits for (or relating to) nuclear power plants under 10 CFR Parts 50 and 52, and applicants for standard design approvals and standard design certifications under 10 CFR Part 52.
===8. DEVELOPMENT ===
TOOLS Tools used in the development -of safety system software should be handled according to IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Comput ers in Safety Systems of Nuclear Power Generating Sta tions," as endorsed by Revision 1 of Regulatory Guide 1.152. In particular, tools must be taken under control (i.e., treated as a configuration item) by an SCM pro gram operated by the using organization that complies with IEEE Std 828-1990 as endorsed by this regulatory guide.


3  In this section, "voluntary" and "voluntarily" mean that the licensee is seeking the action of its own accord, without the force of a legally binding requirement or an NRC representation of further licensing or enforcement action.
===9. ACCEPTANCE ===
CRITERIA Criterion V, "Instructions, Procedures, and Draw ings," requires that instructions, procedures, and draw ings include appropriate quantitative or qualitative ac ceptance criteria for determining that important activities have been satisfactorily accomplished.


RG 1.169, Rev. 1, Page
In addition, Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires measures to be established for the identification and control of materials, parts, and components;
11 Use by NRC Staff During regulatory discussions on plant
and Criterion II, "Quality Assurance Program," states that activities af fecting quality must be accomplished under suitably controlled conditions.
-specific operational issues, the staff may discuss with licensees various actions consistent with staff positions in this RG, as one acceptable means of meeting the underlying NRC regulatory requirement.  Such discussions would not ordinarily be considered backfitting, even if prior versions of this RG are part of the licensing basis of the facility.  However, unless this RG is part of the licensing basis for a facility, the staff may not represent to the licensee that the licensee's failure to comply with the positions in this RG constitutes a violation.


If an existing licensee voluntarily seeks a license amendment or change and (1) the staff's consideration of the request involves a regulatory issue directly relevant to this new or revised RG, and (2) the specific subject matter of this RG is an essential consideration in the staff's determination of the acceptability of the licensee's request, then the staff may request that the licensee either follow the guidance in this RG or provide an equivalent alternative process that demonstrates compliance with the underlying NRC regulatory requirementsThis action is not considered backfitting as defined in 10 CFR 50.109(a)(1) or a violation of any of the issue finality provisions in 10 CFR Part 52.
In order to maintain acceptance criteria established in accordance with Criterion V and suitably controlled conditions (in accordance with Cri teria II and VIII) for safety system software, section 3.2 of IEEE Std 828-1990 is not endorsed by this regulatory guide.  1


The staff does not intend or approve any imposition or backfitting of the guidance in this RG. The staff does not expect any existing licensee to use or commit to using the guidance in this RG, unless the licensee makes a change to its licensing basis. The staff does not expect or plan to request licensees to voluntarily adopt this RG to resolve a generic regulatory issue. The staff does not expect or plan to initiate NRC regulatory action that would require the use of this RGExamples of such unplanned NRC regulatory actions include issuance of an order requiring the use of the RG, requests for information under 10 CFR 50.54(f) as to whether a licensee intends to commit to use of this RG, generic communication, or promulgation of a rule requiring the use of this RG without further backfit consideration.
===0. DESIGN VERIFICATION ===
IEEE Std 828-1990, in paragraph
2.3.2(4), re quires a definition of the verification, implementation, and release of a change. The criteria for verification must be consistent with Criterion III, "Design Con trol," which requires that design changes be subject to design control measures commensurate with those ap plied to the original design. This encompasses the re examination of any appropriate safety analysis related to the change1U. SCM PLAN IEEE Std 828-1990, in paragraph
2.1(7), requires the SCM plan to address the assumptions upon which the plan is based, including assumptions that might have an impact on cost and schedule.


RG 1.169, Rev. 1, Page
Any use of cost and schedule criteria must be consistent with the re quirement of 10 CFR 50.57(aX3)
12 REFERENCES
that there be reason able assurance that the activities authorized by the oper ating license can be conducted without endangering the health and safety of the public.1.169-5
4    1. U.S. Code of Federal Regulations (CFR) "Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter 1, Title 10, "Energy." 
12. BACKFIT CLARIFICATION
  2. Institute of Electrical and Electronic Engineers (IEEE) Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Piscataway, NJ, 1991 (including a correction sheet dated January 30, 1995).
Section 1.1 of IEEE Std 828-1990 states "It also applies to non-critical software and to software already developed." Such statements in the standard should not be interpreted as requirements for backfit. See the Im plementation section of this regulatory guide for the NRC staff's position on backfitting regarding this guidance.
5 3.  IEEE Std. 279
-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," Piscataway, NJ, 1971.


4. IEEE Std. 828
13. OTHER CODES AND STANDARDS
-2005, "IEEE Standard for Software Configuration Management Plans," Piscataway, NJ, 2005. 5. U.S. Nuclear Regulatory Commission (NRC), NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Chapter 7, "Instrumentation and Controls," Washington, DC.  6. CFR, "Licenses, Certifications, and Approvals for Nuclear Power Plants," Part 52, Chapter 1, Title 10, "Energy."    7. IEEE Std. 1012
IEEE Std 828-1990 and IEEE Std 1042-1987 ref erence other industry codes and standards.
-2004, "IEEE Standard for Software Verification and Validation," Piscataway, NJ, 2004. 8. NRC Regulatory Guide (RG) 1.168, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Washington, DC.


9. NRC RG 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," Washington, DC.
These refer ences to other standards should be treated individually.


10. International Atomic Energy Agency (IAEA) Safety Guide NS
If a referenced standard has been incorporated separately into the NRC's regulations, licensees and applicants must comply with that standard as set forth in the regulation.
-G-1.1, "Software for Computer Based Systems Important to Safety in Nuclear Power Plants" issued September 2000, Vienna, Austria.6 1 1.    Institute of Electrical and Electronics Engineers and Electronic Industries Association (IEEE/EIA) S td. 12207.0-199 6, "Industry Implementation of International Standard ISO/IEC 12207:1995 (ISO/IEC 12207) Standard for Information Technology
- Software Life Cycle Processes," IEEE/EIA, Engineering Department, Piscataway, NJ, March 199


===8.     ===
If the referenced standard has been en dorsed in a regulatory guide, the standard constitutes a method acceptable to the NRC staff of meeting a regu latory requirement as described in the regulatory guide.  If a referenced standard has been neither incorporated into the NRC's regulations nor endorsed in a regulatory guide, licensees and applicants may consider and use the information in the referenced standard, if appropri ately justified, consistent with current regulatory prac tice.


4  Publicly available NRC published documents are available electronically through the Electronic Reading Room on the NRC's public Web site at: http://www.nrc.gov/reading
==D. IMPLEMENTATION==
-rm/doc-collections/The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD; the mailing address is USNRC PDR, Washington, DC 20555; telephone 301
The purpose of this section is to provide informa tion to applicants and licensees regarding the NRC staff's plans for using this regulatory guide. No backfit ting is intended or approved in connection with this guideExcept in those cases in which an applicant or li censee proposes an"acceptable alternative method for complying with the specified portions of the NRC's regulations, the methods in this guide will be used in the evaluation of submittals in connection with applica tions for construction permits and operating licenses.
-41 5-4737 or (800) 397
-4209; fax (301) 415
-3548; and e-mail pdr.resource@nrc.gov
5  Copies of Institute of Electrical and Electronics Engineers (IEEE) documents may be purchased from the Institute of Electrical and Electronics Engineers Service Center, 445 Hoes Lane, PO Box 1331, Piscataway, NJ 08855 or through the IEEE's public Web site at http://www.ieee.org/publications_standards/index.html.    6  Copies of International Atomic Energy Agency (IAEA) documents may be obtained through their Web site: WWW.IAEA.Org/
or by writing the International Atomic Energy Agency P.O. Box 100 Wagramer Strasse 5, A
-1400 Vienna, Austria.  Telephone (+431) 2600
-0, Fax (+431) 2600
-7, or E-Mail at Official.Mail@IAEA.Org


RG 1.169, Rev. 1, Page
This guide will also be used to evaluate submittals from operating reactor licensees that propose system modi fications voluntarily initiated by the licensee if there is a clear nexus between the proposed modifications and this guidance.1.169-6 BIBLIOGRAPHY
13 1 2. Electric Power Research Institute (EPRI) TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications,"
Hecht, H., A.T. Tai, Y.S. Tso, "Class 1E Digital Sys tems Studies," NUREG/CR-6113, USNRC, October 1993.1 Institute of Electrical and Electronics Engineers, "Stan dard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," IEEE Std 7-4.3.2, 1993.  Lawrence, J.D., "Software Reliability and Safety in Nuclear Reactor Protection Systems," NUREG/ CR-6101 (UCRL-ID-117524, Lawrence Livermore National Laboratory), USNRC, November 1993.1 lCopies may be purchased at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (tele phone (202)512-2249);
Palo Alto, CA, 1996.
or from the National Technical Information Ser vice by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161.  Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001;
telephone
(202)634-3273;
fax (202)634-3343.


7 13.   Letter from Matthews, D. B., Chief, Generic Issues and Environmental Projects Branch, Division of Reactor Program Management, NRC, to Torok, R.C., Project Manager, Nuclear Power Group, EPRI, dated July 17, 1997, titled "Review of EPRI topical report TR
Lawrence, J.D., and G.G. Preckshot, "Design Factors for Safety-Critical Software," NUREG/CR-6294, USNRC, December 1994.1 Seth, S., et al., "High Integrity Software for Nuclear Power Plants: Candidate Guidelines, Technical Basis and Research Needs," 1 NUREG/CR-6263, USNRC, June 1995.1 USNRC, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," Regulatory Guide 1.152, Revision 1, January 1996.2 USNRC, "Standard Review Plan," NUREG-0800, February 1984.  2 Single copies of regulatory guides may be obtained free of charge by writ ing the Office of Administration, Printing, Graphics and Distribution Branch, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001;
-106439, 'Guideline on Evaluation and Acceptance of commercial Grade digital Equipment for Nuclear Safety Applications' (TAC
or by fax at (301)415-5272.
No. M94127)" (ADAMS Accession No. ML092190664).
1 4. IEEE Std. 7
-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," NJ, 2003.


1 5. International Organization for Standardization (ISO)
Copies are available for in spection or copying for a fee from the NRC Public Docunient Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001;
Std. ISO/IEC TR 19759:2005, "Software Engineering
telephone
- Guide to the Software Engineering Body of Knowledge (SWEBOK)," Geneva , Switzerland
(202)634-3273;
, 2005.8 1 6.  NRC, NUREG
fax (202)634-  
-1409, "Backfitting Guidelines," NRC, Washington, DC. (ADAMS Accession No. ML032230247)
334
1 7. NRC, Management Directive 8.4, "Management of Facility
-Specific Backfitting and Information Collection," NRC, Washington DC. (ADAMS Accession No. ML050
110156)                                           


7  Copies of the listed Electric Power Research Institute (EPRI) standards and reports may be purchased from EPRI, 3420 Hillview Ave., Palo Alto, CA 94304; telephone 800
===3. REGULATORY ===
-313-3774; fax 925
ANALYSIS A separate regulatory analysis was not prepared for this regulatory guide. The regulatory analysis prepared for Draft Regulatory Guide DG-1055, "Configura tion Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," provides the regulatory basis for this guide. A copy of the regulatory analysis is available for inspection and copying for a fee at the NRC Public Document Room, 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001;  
-609-1310. 8  Copies of International Organization for Standardization (ISO) documents may be obtained by writing to the International Organization for Standardization, 1, c
phone (202)634-3273;
fax (202)634-3343.


====h. de la Voie====
1.169-7
-Creuse, CP 56, CH
)UNITED STATES NUCLEAR REGULATORY
-1211 Geneva 20, Switzerland, Telephone: +41.22.749.01.11, Fax: +41.22.749.09.47, by e
COMMISSION
-mail at sales@iso.org, or online at the ISO Store Web site: http://www.iso.org/iso/store.htm
WASHINGTON, DC 20555-0001 FIRST CLASS MAIL POSTAGE AND FEES PAID USNRC PERMIT NO. G-67 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300 m -IL 0 CD z IL i z I0 w ,uJ}}
.}}


{{RG-Nav}}
{{RG-Nav}}

Revision as of 16:57, 31 August 2018

(Draft Was DG-1055) Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants
ML003740102
Person / Time
Issue date: 09/30/1997
From:
Office of Nuclear Regulatory Research
To:
References
DG-1055 RG-1.169
Download: ML003740102 (8)


U.S. NUCLEAR REGULATORY

COMMISSION

REGULATORY

September

1997 GUIDE OFFICE OF NUCLEAR REGULATORY

RESEARCH REGULATORY

GUIDE 1.169 (Draft was DG-1055) CONFIGURATION

MANAGEMENT

PLANS FOR DIGITAL COMPUTER SOFTWARE USED IN SAFETY SYSTEMS OF NUCLEAR POWER PLANTS

A. INTRODUCTION

In 10 CFR Part 50, "Domestic Licensing of Pro duction and Utilization Facilities," paragraph

55a(a)(1)

requires, in part, that systems and components be designed, tested, and inspected to quality standards commensurate with the safety function to be per forme

d. I Criterion

1, "Quality Standards and Re cords," of Appendix A, "General Design Criteria for Nuclear Power Plants," of 10 CFR Part 50 requires, in part, 1 that appropriate records of the design and testing of systems and components important to safety be .2 maintained by or under the control of the nuclear power unit licensee throughout the life of the unit. Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 describes criteria that must be met by a quality assur ance program for systems and components that prevent or mitigate the consequences of postulated accidents.

In particular, besides the systems and components that directly prevent or mitigate the consequences of postu lated accidents, the criteria of Appendix B also apply to all activities affecting the safety-related functions of such systems and components, such as designing, pur chasing, installing, testing, operating, maintaining, or lln this regulatory guide, many of the regulations have been paraphrased;

see 10 CFR Part 50 for the full text.modifying.

A specific requirement is contained in 10 CFR 50.55a(h), which requires that reactor protection systems satisfy the criteria of IEEE Std 279, "Criteria for Protection Systems for Nuclear Power Generating Stations." 2 Paragraph

4.3 of IEEE Std 279-19713 states that quality of components is to be achieved through the specification of requirements known to promote high quality, such as requirements for design, inspection, and test. Many of the criteria in Appendix B to 10 CFR Part 50 contain requirements closely related to the con figuration management activity.

Criterion III, "Design Control," of Appendix B requires measures for design documentation and identification and control of design interfaces.

The same criterion also requires that design changes be subject to design control measures com mensurate with those used in the original design. Crite rion VI, "Document Control," requires that all docu ments that prescribe activities affecting quality, such as 2 Revision I of Regulatory Guide 1.153, "Criteria for Safety Systems," en dorses IEEE Std 603-1991,"Criteria for Safety Systems for Nuclear Pow er Generating Stations," as a method acceptable to the NRC staff for satis fying the NRC's regulations with respect to the design, reliability, qualifi cation, and testability of the power, instrumentation, and control portions of the safety systems of nuclear power plants. 3 1EEE publications may be obtained from the IEEE Service Center, 445 Hoes Lane, Piscataway, NJ 0885

4. USNRC REGULATORY

GUIDES The guides are issued in the following ten broad disions: Regulatory Guides re Issued to describe and make available to the public such Informa bon as methods acceptable to the NRC staff for hmplementing specific parts of the Com- 1. Power Reactors 6. Products mission's regulations, techniques used bythestaff inevaluating specific problemsor pos 2. Research and Tost Reactors 7. Trarsportation tulated accidents.

and data needed by the NRC staff in Its review of applications rper.- I Fuels and Mateials Facilities

8. Occupational Health mits and licenses.

Regulatory guides ae not substitutes foregulations, and compliance

4. Environmental end Siting 9. Anitrust and Financial Review withViem Isnotrelred.

Methods andisolutions different from thosesetoutinlheguldes

5. Materials and Plant Protection

10. General will be acceptable If they provide a basis for the findings requisite to the Issuance or oon tinuence of a permit or cense by the Commission.

Single copies of regulatory guides may be obtained free of charge bywrlilng the Printing, This guide was issued after consideration of comments received from the public. Corn- Graphics and Distribution Branch, Office of Adminisation.

U.S. Nuclear Regulatory Com mens and suggestions for Improvenents In these guides re encouraged stall tines, and mission. Washington, OC 20555-0001;

or by fax at (301)41515272.

guides will be revised, as eppropriae.

to accommodate comments :nd to reflect new in Ion~on or experience.

Issued guides may also be purchased from the National Technical Information Service on Written comments may be submitted to the Rules Review and Diectives Branch DFIPS, a standing order basis. Details on this service may be obtained by writing NTIS, 5285 Port ADM, U.S. Nuclear Regulatory Commission, Washington.

DC 20555-0001.

Royal Road, Springfield, VA 22161.

instructions, procedures, and drawings, be subject to controls that ensure that documents, including changes, are reviewed for adequacy and approved for release by authorized personnel.

Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires, in part, that parts and components be identi fied to prevent the use of incorrect or defective parts or components.

Criterion XVI, "Corrective Action," requires that conditions adverse to quality, such as fail ures, malfunctions, deficiencies, and others, be identi fied, and that the cause be determined, the condition be corrected, and the entire process be documented.

Crite rion XVII, "Quality Assurance Records," requires in part that sufficient records be maintained so that data that is closely associated with the qualification of per sonnel, procedures, and equipment be identifiable and retrievable.

This regulatory guide, which endorses IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," 3 and ANSI/IEEE Std 1042-1987, "IEEE Guide to Software Configuration Manage ment," 3 with the exceptions stated in the Regulatory Position, describes methods acceptable to the NRC staff for complying with the NRC's regulations for pro moting high functional reliability and design quality in software used in safety systems.4 In particular, the methods are consistent with the previously cited Gener al Design Criteria and the criteria for quality assurance programs of Appendix B as they apply to the mainte nance of appropriate records of, and control of, soft ware development activities.

The criteria of Appen dices A and B apply to systems and related quality assurance processes and, if those systems include soft ware, the requirements extend to the software elements.

In general, information provided by regulatory guides is reflected in the Standard Review Plan (NUREG-0800).

The Office of Nuclear Reactor Regu lation uses the Standard Review Plan to review applica tions to construct and operate nuclear power plants. This regulatory guide will apply to the revised Chapter 7 of the Standard Review Plan. The information collections contained in this regu latory guide are covered by the requirements of 10 CFR Part 50, which were approved by the Office of Manage ment and Budget, approval number 3150-0011.

The NRC may not conduct or sponsor, and a person is not 4 The term "safety systems" is synonymous with "safety-related systems." The General Design Criteria cover systems, structures, and components "important to safety." The scope of this regulatoty guide is, however, lim ited to "safety systems," which are a subset of "systems important to safety." required to respond to, a collection of information un less it displays a currently valid OMB control number.

B. DISCUSSION

The use of industry consensus standards is part of an overall approach to meeting the requirements of 10 CFR Part 50 when developing safety systems for nuclear power plants. Compliance with standards does not guarantee that regulatory requirements will be met. However, compliance does ensure that practices accepted within various technical communities will be incorporated into the development and quality assur ance processes used to design safety systems. These practices are based on past experience and represent in'dustry consensus on approaches used for development of such systems.

Software incorporated into instrumentation and control systems covered by Appendix B will be referred to in this regulatory guide as safety system software.

For safety system software, identification, control, and documentation of the software must be accomplished as part of the effort to achieve compliance with the NRC's requirements.

In addition to the record mainte nance requirement of Criterion

1 of Appendix A, Appendix B to 10 CFR Part 50 provides detailed quali ty assurance criteria, including criteria for administra tive control, design documentation, design interface control, design change control, document control, identification and control of parts and components, and control and retrieval of qualification information asso ciated with parts and components.

For software, these activities are often called, in aggregate, "software con figuration management" (SCM). SCM is identified as a safety system criterion by the industry standard, IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Com puters in Safety Systems of Nuclear Power Generating Stations," 3 which is endorsed by Revision I of Regula tory Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants." Configuration management is a significant part of high quality engineering activities and is already re quired by the NRC staff for structures, systems, and components important to safety. While the principles and intentions of traditional configuration management apply equally to software, there is also a significant change in emphasis for which traditional hardware con figuration management systems might not be suffi cient. This is because with software there is a greater emphasis on design process and the deliverable product is more like a design output. In the production of engi neered hardware, design outputs are inputs to a manufacturing process, and configuration management

1.169-2 activities focus on ensuring that design outputs and manufacturing process variables are traceable to identi fiable manufactured products.

In contrast, with engi.> neered software, a large amount of design process in formation and many intermediate design outputs are associated with the final design output. Relatively many software engineering changes are expected and encountered.

Consequently, although similar in intent to hardware configuration management, software con figuration management requires a change in emphasis, with expansion of the importance of intermediate de sign baselines and associated design process informa tion. The needs for robust change management and identification and control of product versions are also substantially increased.

One consensus standard on software engineering, IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," and one IEEE guide, ANSI/IEEE Std 1042-1987, "IEEE Guide to Software Configuration Management" (reaffirmed in 1993), describe software industry approaches to SCM that are generally accepted in the software engineering community.

They provide guidance for planning and executing an SCM program. Together, this IEEE stan dard and guide elaborate on the important features required in an SCM program that may be under>j emphasized in traditional hardware configuration man agement programs.

The relationship of IEEE Std 1042-1987 to IEEE Std 828-1990 is important.

IEEE Std 1042-1987 is a tutorial guide that explains how to comply with IEEE Std 828-1990.

Section 1.1, "Scope," of IEEE Std 1042-1987 states that the guide provides suggestions and examples and "presents an interpretation of how IEEE Std 828-1983 [since updated to IEEE Std 828-1990]

can be used for planning the management of different kinds of computer program development and maintenance activities." The actual criteria to be met for compliance with the standard are contained in IEEE Std 828-1990..

Both the standard and the guide apply to general purpose software development and mainte nance efforts, and they do not have specific criteria for safety system software.

C. REGULATORY

POSITION IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," provides an approach acceptable to the NRC staff for meeting the ./ requirements of 10 CFR Part 50, as applied to software, in planning configuration management of safety sys tem software, subject to the provisions listed below.ANSI/IEEE Std 1042-1987, "IEEE Guide to Soft ware Configuration Management," subject to the pro visions listed below, provides guidance acceptable to the NRC staff for carrying out software configuration management plans produced under the auspices of IEEE Std 828-1990.

IEEE Std 1042-1987 should be used with the definitions of IEEE Std 828-1990 to implement the details of plans prepared pursuant to IEEE Std 828-1990.

In the provisions listed below, ref erence is made to explanatory sections of IEEE Std 1042-1987 where appropriate to clarify SCM concepts.

To meet the cited requirements of Appendix A to 10 CFR Part 50 by complying with the cited criteria of Appendix B, the following exceptions are necessary and will be considered by the NRC staff in the review of submittals from applicants and licensees. (In this Regu latory Position, the cited criteria are in Appendix B to 10 CFR Part 50 unless otherwise noted.),

1. DEFINITIONS

IEEE Std 828-1990 refers to IEEE Std 610.12-1990, "IEEE Standard Glossary of Software Engineering Terminology," for definitions of the tech nical terms that are enumerated in section 1.3 of IEEE Std 828-1990.

These definitions are acceptable with the following clarifications and additions:

1.1 Baseline Meaning (1) of baseline is to be used in IEEE Std 828-1990.

Formal review and agreement is taken to mean that responsible management has reviewed and approved a baseline.

Baselines are subject to change control. Acceptable baseline change approval authority is described in Exception

2 below. 1.2 Promotion The term "promotion," as defined in Section 1.4 of IEEE Std 1042-1987, is added to the list of defined terms. 1.3 Interface All four variations of the meaning of interface are to be used in IEEE Std 828-1990, depending upon the context. Meaning (1), "A shared boundary across which information is passed," is interpreted broadly according to Criterion III to include design interfaces between participating design organizations.

1.4 Configuration Audit IEEE Std 610.12-1990

refers the definition of con figuration audit to two other audits without specifying whether one or both definitions are meant. In the 1.169-3 context of an audit for delivery of a product, a configu ration audit includes both a functional configuration audit and a physical configuration audit.

2. AUTHORITY

LEVELS Section 2.2.4 of IEEE Std 1042-1987 is modified to permit hierarchies of change approval authority lev els, as described in that section and discussed in section 3.3.2.1, provided the required authority level is com mensurate with life cycle stage (nearness to release) and product importance to safety. The promotion of a soft ware product might involve a change in level of control and responsible individual.

3. ACCEPTANCE

CRITERIA Criterion II, "Quality Assurance Program," states that activities affecting quality are to be accomplished under suitably controlled conditions.

Criterion V, "Instructions, Procedures, and Drawings," states that instructions, procedures, or drawings are to include appropriate quantitative or qualitative acceptance crite ria for determining that important activities have been satisfactorily accomplished.

Section 1.3 of IEEE Std 828-1990 defines "control point." The software con figuration management (SCM) plan should describe the criteria for selecting control points and establish the correspondence between control points identified in the plan and baselines, project milestones, and life cycle milestones.

4. CONFIGURATION

MANAGEMENT

Section 2.3 of IEEE Std 828-1990 describes four functional areas under which configuration manage ment activities are grouped: configuration identifica tion, configuration control, status accounting, and con figuration reviews and audits. However, while IEEE Std 828-1990 requires that SCM plans describe provi sions for these activities, it has no minimal set of activi ties for safety system software.

Criterion II, "Quality Assurance Program," states that activities affecting quality are to be accomplished under suitably con trolled conditions.

Criteria III, "Design Control";

VI, "Document Control";

VII, "Control of Purchased Ma terial, Equipment, and Services";

VIII, "Identification and Control of Materials, Parts, and Components";

XVII, "Quality Assurance Records";

and XVIII, "Au dits," address various aspects of the need for control ling designs, documentation, and materials.

For safety system software, the minimal set of activities must ac complish the following- identification and control of all software designs and code, identification and control of all software design interfaces, control of all software design changes, control of software documentation (user, operating, and maintenance documentation), control of software vendors supplying safety system software, control and retrieval of qualification informa tion associated with software designs and code, soft ware configuration audits, and status accounting.

Some of these functions or documents may be per formed or controlled by other quality assurance activi ties; in this case the SCM plan should describe the divi sion of responsibility.

5. CORRECTIVE

ACTION Criterion XVI, "Corrective Action," requires that conditions adverse to quality, such as failures, malfunc tions, deficiencies, and others, be identified, the cause be determined, the condition be corrected, and the en tire process be documented.

In software development or maintenance, the responsibility for these activities is often distributed among several organizations, possi bly leading to a fragmented view of the correction process. Section 2.3.2 of IEEE Std 828-1990 requires a partial description of the correction process, including change requests, change evaluation, change approval, change implementation, change verification, and changed-version release. The preliminary steps leading to a change request should also be described, including responsibility for executing and documenting anomaly reports, problem analyses, and statistical monitoring of software performance.

If these activities are described by other documents, the descriptions may be included by reference.

6. DOCUMENTATION

Section 2.3.1.1 of IEEE Std 828-1990 requires, as a minimum, that all configuration items that are to be delivered be listed in the SCM plan. This fulfills the in tent of Criterion VIII, "Identification and Control of Materials, Parts, and Components," with regard to safety system software if all software deliverables are identified and controlled as configuration items. Crite rion III, "Design Control," requires measures for de sign documentation, identification and control of de sign interfaces, and control of design changes.

Criterion VI, "Document Control," requires that all documents that prescribe activities affecting quality, such as instructions, procedures, and drawings, be sub ject to controls that ensure that documents, including changes, are reviewed for adequacy and approved for release by authorized personnel.

Criterion XVII, "Quality Assurance Records," requires in part that suf ficient records be maintained so that data that is closely associated with the qualification of personnel, proce dures, and equipment will be identifiable and retriev able. This regulatory guide applies to all aspects of the software life cycle within the system life cycle context.1.169-4 Therefore, for safety system software, configuration items or controlled documents should include the fol lowing:

  • Software requirements, designs, and code a Support software used in development (exact ver sions) a Libraries of software components essential to safety
  • Software plans that could affect quality
  • Test software requirements, designs, or code used in testing a Test results used to qualify software
  • Analyses and results used to qualify software
  • Software documentation
  • Databases and software configuration data
  • Commercial software items that are safety system software
  • Software change documentation Items that could change because of design changes, review, or audit should be configuration items subject to formal change control. Other items that may not change but are necessary to ensure correct software pro duction, such as compilers, should also be configura tion items, thereby ensuring that all factors contribut ing to the executable software are understood.

This also is useful in areas such as maintenance, future software development, and tracing the impact of reported bugs. Items that are retained for historical or statistical pur poses may be controlled documents.

7. CONTROL OF PURCHASED

MATERIALS

Criterion VII, "Control of Purchased Material, Equipment, and Services," requires measures to ensure that purchased material conforms to procurement docu ments. Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires measures to be established for the identification and control of materials, parts, and components.

Contractually devel oped or qualified commercial software products that are safety system software must be taken under control by an SCM program that complies with IEEE Std 828 1990 as endorsed by this regulatory guide. This means, for example, that the exact version of the product is .2 identified and controlled according to the change con trol procedures applied to other configuration items and that its usage is tracked and reported.

8. DEVELOPMENT

TOOLS Tools used in the development -of safety system software should be handled according to IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Comput ers in Safety Systems of Nuclear Power Generating Sta tions," as endorsed by Revision 1 of Regulatory Guide 1.152. In particular, tools must be taken under control (i.e., treated as a configuration item) by an SCM pro gram operated by the using organization that complies with IEEE Std 828-1990 as endorsed by this regulatory guide.

9. ACCEPTANCE

CRITERIA Criterion V, "Instructions, Procedures, and Draw ings," requires that instructions, procedures, and draw ings include appropriate quantitative or qualitative ac ceptance criteria for determining that important activities have been satisfactorily accomplished.

In addition, Criterion VIII, "Identification and Control of Materials, Parts, and Components," requires measures to be established for the identification and control of materials, parts, and components;

and Criterion II, "Quality Assurance Program," states that activities af fecting quality must be accomplished under suitably controlled conditions.

In order to maintain acceptance criteria established in accordance with Criterion V and suitably controlled conditions (in accordance with Cri teria II and VIII) for safety system software, section 3.2 of IEEE Std 828-1990 is not endorsed by this regulatory guide. 1

0. DESIGN VERIFICATION

IEEE Std 828-1990, in paragraph

2.3.2(4), re quires a definition of the verification, implementation, and release of a change. The criteria for verification must be consistent with Criterion III, "Design Con trol," which requires that design changes be subject to design control measures commensurate with those ap plied to the original design. This encompasses the re examination of any appropriate safety analysis related to the change. 1U. SCM PLAN IEEE Std 828-1990, in paragraph

2.1(7), requires the SCM plan to address the assumptions upon which the plan is based, including assumptions that might have an impact on cost and schedule.

Any use of cost and schedule criteria must be consistent with the re quirement of 10 CFR 50.57(aX3)

that there be reason able assurance that the activities authorized by the oper ating license can be conducted without endangering the health and safety of the public.1.169-5

12. BACKFIT CLARIFICATION

Section 1.1 of IEEE Std 828-1990 states "It also applies to non-critical software and to software already developed." Such statements in the standard should not be interpreted as requirements for backfit. See the Im plementation section of this regulatory guide for the NRC staff's position on backfitting regarding this guidance.

13. OTHER CODES AND STANDARDS

IEEE Std 828-1990 and IEEE Std 1042-1987 ref erence other industry codes and standards.

These refer ences to other standards should be treated individually.

If a referenced standard has been incorporated separately into the NRC's regulations, licensees and applicants must comply with that standard as set forth in the regulation.

If the referenced standard has been en dorsed in a regulatory guide, the standard constitutes a method acceptable to the NRC staff of meeting a regu latory requirement as described in the regulatory guide. If a referenced standard has been neither incorporated into the NRC's regulations nor endorsed in a regulatory guide, licensees and applicants may consider and use the information in the referenced standard, if appropri ately justified, consistent with current regulatory prac tice.

D. IMPLEMENTATION

The purpose of this section is to provide informa tion to applicants and licensees regarding the NRC staff's plans for using this regulatory guide. No backfit ting is intended or approved in connection with this guide. Except in those cases in which an applicant or li censee proposes an"acceptable alternative method for complying with the specified portions of the NRC's regulations, the methods in this guide will be used in the evaluation of submittals in connection with applica tions for construction permits and operating licenses.

This guide will also be used to evaluate submittals from operating reactor licensees that propose system modi fications voluntarily initiated by the licensee if there is a clear nexus between the proposed modifications and this guidance.1.169-6 BIBLIOGRAPHY

Hecht, H., A.T. Tai, Y.S. Tso, "Class 1E Digital Sys tems Studies," NUREG/CR-6113, USNRC, October 1993.1 Institute of Electrical and Electronics Engineers, "Stan dard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," IEEE Std 7-4.3.2, 1993. Lawrence, J.D., "Software Reliability and Safety in Nuclear Reactor Protection Systems," NUREG/ CR-6101 (UCRL-ID-117524, Lawrence Livermore National Laboratory), USNRC, November 1993.1 lCopies may be purchased at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328 (tele phone (202)512-2249);

or from the National Technical Information Ser vice by writing NTIS at 5285 Port Royal Road, Springfield, VA 22161. Copies are available for inspection or copying for a fee from the NRC Public Document Room at 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001;

telephone

(202)634-3273;

fax (202)634-3343.

Lawrence, J.D., and G.G. Preckshot, "Design Factors for Safety-Critical Software," NUREG/CR-6294, USNRC, December 1994.1 Seth, S., et al., "High Integrity Software for Nuclear Power Plants: Candidate Guidelines, Technical Basis and Research Needs," 1 NUREG/CR-6263, USNRC, June 1995.1 USNRC, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," Regulatory Guide 1.152, Revision 1, January 1996.2 USNRC, "Standard Review Plan," NUREG-0800, February 1984. 2 Single copies of regulatory guides may be obtained free of charge by writ ing the Office of Administration, Printing, Graphics and Distribution Branch, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001;

or by fax at (301)415-5272.

Copies are available for in spection or copying for a fee from the NRC Public Docunient Room at 2120 L Street NW, Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001;

telephone

(202)634-3273;

fax (202)634-

334

3. REGULATORY

ANALYSIS A separate regulatory analysis was not prepared for this regulatory guide. The regulatory analysis prepared for Draft Regulatory Guide DG-1055, "Configura tion Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," provides the regulatory basis for this guide. A copy of the regulatory analysis is available for inspection and copying for a fee at the NRC Public Document Room, 2120 L Street NW., Washington, DC; the PDR's mailing address is Mail Stop LL-6, Washington, DC 20555-0001;

phone (202)634-3273;

fax (202)634-3343.

1.169-7

)UNITED STATES NUCLEAR REGULATORY

COMMISSION

WASHINGTON, DC 20555-0001 FIRST CLASS MAIL POSTAGE AND FEES PAID USNRC PERMIT NO. G-67 OFFICIAL BUSINESS PENALTY FOR PRIVATE USE, $300 m -IL 0 CD z IL i z I0 w ,uJ