ML13004A370

From kanterella

Revision as of 04:52, 13 October 2018

Public Comments on DG-1208 and NRC Response
ML13004A370
Issue date: 07/19/2013
From: NRC/RES/DE/RGDB
To: Orr M P
Shared Package: ML12354A534
References: DG-1208, RG-1.171 Rev. 1


Text

Public Comments and NRC Responses for Draft Regulatory Guide (DG)-1208, "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (DG-1208 is Revision 1 of Regulatory Guide (RG) 1.171)

A Federal Register Notice was published on August 22, 2012 (77 FR 50722) announcing the availability of Draft Regulatory Guide (DG)-1208, "Software Unit Testing for Digital Computer Software used in Safety Systems of Nuclear Power Plants" for public comment. DG-1208 is Revision 1 of Regulatory Guide (RG) 1.171 dated September 1997. The following table contains the public comments received and the NRC staff responses.

Comments were received from the following individuals:

1. Swu Yih, Chien Hsin University, 7F-1, 356 Huanbei Rd., Zhongli City, Taiwan, ROC (ADAMS - ML12332A220)
2. Mark Burzynski, New Clear Day, Inc., 2036 Marina Cove Dr., Hixson, TX 37343 (ADAMS - ML122910759)
3. David Herrell, MPR Associates, Inc., 320 King St., Alexandria, VA 22314 (ADAMS - ML12346A034)

Comments on DG-1208, "Software Unit Testing for Digital Computer Software used in Safety Systems of Nuclear Power Plants" (DG-1208 is Rev. 1 of RG 1.171). Table columns: Originator, Draft Guide, Comment, NRC Response.

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), General Comment
Comment: With the current emphasis on FPGAs, one would have thought that the topic would have at least been mentioned in this draft. Incorporate sufficient guidance on software lifecycle techniques to support FPGA VHDL code development.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The information on software can be applied to the software of field-programmable gate arrays (FPGAs). For more direct information on FPGAs see NUREG/CR-7006, "Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems" (ADAMS Accession No. ML100880142).

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), General Comment
Comment: This regulatory guide clearly defines the roles and responsibilities of licensees, applicants, and NRC staff for software processes. However, this reviewer's experience shows that most, if not almost all, safety software is not written by licensees or applicants. Rather, safety software and safety systems are designed and developed by various vendors. This regulatory guide does not define how software and system vendors are to apply the regulatory guidance. This regulatory guide does not define which version of the regulatory guide is to be applied by a software vendor, or the requirements for software vendors to maintain their programs current with regulatory guidance, which seems to be the NRC requirement, based on topical report submittals. Consistently define the application of RGs 1.168 through 1.173 for software and system vendors, throughout all sections of each of the regulatory guides. Define the expectations for use of current regulatory guides, since software and system vendors do not have the capability to commit to a given version of the regulatory guides and industry standards in a license. Define the expectations for use of current or older regulatory guides in topical report submissions, or point to other NRC documents that define these requirements.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The NRC is responsible for regulating commercial nuclear power plants and other uses of nuclear material through its licensing, inspection and enforcement of its regulations and requirements. The NRC issues regulatory guidance documents, such as regulatory guides, standard review plans, and the NRC's Inspection Manual to aid licensees in meeting the agency's safety requirements. The NRC has no authority to regulate or direct the activities of software developers or software and system vendors. The NRC promulgates its regulatory guidance documents to the NRC's licensees and applicants and it is the responsibility of the licensee and applicant to define software and software system requirements to their vendors as needed to demonstrate compliance with the NRC regulations.

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section A, second paragraph, last three lines
Comment: The sentence structure is unnecessarily complex. Replace "...apply to all activities, including design, purchasing, installation, testing, operation, maintenance, or modification, that affect the safety-related functions of such systems and components" with "...apply to all activities, that affect the safety-related functions of such systems and components, including design, purchasing, installation, testing, operation, maintenance, or modification".
NRC Response: Thank you for your comment. As a result of the comment the sentence was revised as proposed.

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section A, third paragraph, next to last line
Comment: Please clarify the version of NUREG-0800 used in reviews. After the phrase "The NRC staff uses the" add the phrase "latest version of" to provide guidance to industry.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The NRC staff does not identify specific revisions for some guidance documents. This type of dynamic referencing is done because different licensees and applicants may have committed to different versions of the guidance documents, and it would be inappropriate to always use the "latest version" of the guidance document for reviews when different applicants and licensees may have committed to alternate versions.

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section B, page 3
Comment: In the paragraph beginning "Several criteria in Appendix B..." the word "Criterions" is used. The plural form of criterion is criteria. While "criterions" shows up in several informal dictionaries, it should not be used in formal writing. Suggest rephrasing the start of the second sentence to either "The listed criteria are only part..." or "Each criterion listed below is only part..." to use correct grammar.
NRC Response: Thank you for your comment. As a result of the comment the word was changed to "criteria."

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section B, page 3, bullet for Criterion VI
Comment: The sentence provided is unnecessarily complex. Suggest rephrasing the sentence from "...activities affecting quality, such as instructions, procedures, and drawings, be subject to controls that ensure that documents, including changes, are reviewed for adequacy and approved for release by authorized personnel" to "...activities affecting quality be subject to controls that ensure that documents are reviewed for adequacy and approved for release by authorized personnel. These documents include instructions, procedures, and drawings. Changes to the documents are subject to at least the same controls."
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The proposed change adds unnecessary complexity.

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section C.1, page 5, last line
Comment: The sentence is overly restrictive, in that it requires the information to be provided in this document. At least for Item a in the list, providing reference to the document that contains these records should be sufficient. Revise the text to allow at least Item A to be referenced from the testing documentation, rather than duplicated in each testing document.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The requirements are a carryover from the original RG 1.171 Rev 0.

Originator: Swu Yih
Draft Guide: DG-1208 (RG 1.171), Section C.2
Comment: "Test Program" discusses "criteria" for measuring test completeness. The idea/concept of "criteria for measuring test completeness" is a very effective and objective tool for reviewing the quality of unit test results of digital I&C systems, and has been a common practice in other safety-related disciplines, e.g., aviation. However, in DG-1208 this important issue, "criteria for measuring test completeness," is not described in reasonable detail as it should be. For instance, DG-1208 says "The staff believes that statement coverage is an insufficient criterion for measuring test completeness," then it states that the licensee should identify and justify the unit testing coverage criteria that it will use. Based on our experience in using RG 1.171 on the Lungmen ABWR project, we believe that it is better to let the regulators prescribe clearly what is a "sufficient criterion for measuring test completeness," rather than leave it to the licensee, which almost always leads to a controversial, confusing and unpredictable review process. Both IEC 61508 and RTCA DO-178B give a very clear and detailed definition of what is a "sufficient criterion for measuring test completeness," and both have been extensively applied to many projects for many years; therefore, we suggest that the NRC consider giving a clear definition of an acceptable "sufficient criterion for measuring test completeness" in RG 1.171. Also, the concept of "statement coverage" comes from traditional control-flow based computer programming languages, such as C, Ada, Fortran, etc. However, most current digital I&C systems are not implemented in these languages any more. Most digital I&C manufacturers adopt Function Block Diagram (FBD) as the coding language; therefore, RG 1.171 should define suitable coverage criteria for FBD-based digital I&C systems.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The concept of "statement coverage" still holds today unless it's not a Von Neumann model computer being used. The domain of the application as it affects the underlying operating system, from whatever program language design, still executes along a set of states and state transitions no matter what the advancement in program language. As for the regulator prescribing directions versus the licensee, the NRC is responsible for regulating commercial nuclear power plants and other uses of nuclear material through its licensing, inspection and enforcement of its regulations and requirements. The NRC issues regulatory guidance documents, such as regulatory guides, standard review plans, and the NRC's Inspection Manual to aid licensees in meeting the agency's safety requirements. The NRC has no authority to regulate or direct the activities of software developers or software and system vendors. The NRC promulgates its regulatory guidance documents to the NRC's licensees and applicants and it is the responsibility of the licensee and applicant to define software and software system requirements to their vendors as needed to demonstrate compliance with the NRC regulations.
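The exchange above turns on whether statement coverage is a sufficient completeness criterion. The following Python script is an added example, not part of the comment table or of DG-1208: it runs a constructed trip-margin function (with a constructed latent bug on its "trip disabled" path) under a minimal statement-coverage tracer and a decision-coverage instrumenter, and shows that a one-case suite reaches 100% statement coverage while one decision outcome, and the bug behind it, is never exercised. `TRIP_SOURCE`, `trip_margin_percent`, the two suites and the coverage helpers are all assumptions of this example, and "decision coverage" here is the every-decision-both-ways sense used by DO-178B, not anything DG-1208 defines.

```python
"""Statement vs. decision coverage; added example, not from the NRC table or DG-1208."""
import ast
import dis
import sys
from typing import Callable, Dict, FrozenSet, Iterable, Tuple
# Constructed function under test, kept as source so it can be compiled plain and instrumented.
TRIP_SOURCE = '''
def trip_margin_percent(reading, setpoint):
    """Margin to the trip setpoint in percent; a zero setpoint means 'trip disabled'."""
    if setpoint != 0:
        margin = (setpoint - reading) / setpoint * 100.0
    return round(margin, 2)  # constructed latent bug: `margin` unassigned when disabled
'''

_OUTCOMES: Dict[int, set] = {}  # decision line -> outcomes (True/False) seen so far
def _record(lineno: int, value):
    _OUTCOMES.setdefault(lineno, set()).add(bool(value))  # called by the instrumented copy
    return value

class _WrapDecisions(ast.NodeTransformer):
    """Rewrite every `if <test>:` into `if _record(lineno, <test>):`."""
    def visit_If(self, node):
        self.generic_visit(node)
        node.test = ast.Call(func=ast.Name(id="_record", ctx=ast.Load()),
                             args=[ast.Constant(node.lineno), node.test], keywords=[])
        return node

def build(source: str, name: str, instrument: bool = False) -> Callable:
    """Compile `source`, optionally with decisions instrumented, and return function `name`."""
    tree = ast.parse(source)
    if instrument:
        tree = ast.fix_missing_locations(_WrapDecisions().visit(tree))
    namespace = {"_record": _record}
    exec(compile(tree, "<trip>", "exec"), namespace)
    return namespace[name]

trip_margin_percent = build(TRIP_SOURCE, "trip_margin_percent")

def statement_coverage(func: Callable, cases: Iterable[tuple]) -> Tuple[int, int]:
    """Run `cases` under sys.settrace; return (executable lines hit, executable lines)."""
    code = func.__code__
    executable = {ln for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln > code.co_firstlineno}  # skip the def line
    executed = set()
    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # ignore every other frame
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in cases:
            try:
                func(*args)
            except Exception:
                pass  # a crash still leaves its lines "covered"
    finally:
        sys.settrace(previous)
    return len(executed & executable), len(executable)

def decision_coverage(source: str, name: str, cases: Iterable[tuple]):
    """Return ({decision line: frozenset of outcomes seen}, number of cases that raised)."""
    _OUTCOMES.clear()
    instrumented, crashes = build(source, name, instrument=True), 0
    for args in cases:
        try:
            instrumented(*args)
        except Exception:
            crashes += 1
    return {ln: frozenset(seen) for ln, seen in _OUTCOMES.items()}, crashes

def fully_decision_covered(outcomes: Dict[int, FrozenSet[bool]]) -> bool:
    """Decision coverage in the DO-178B sense: every decision evaluated both ways."""
    return bool(outcomes) and all(seen == {True, False} for seen in outcomes.values())

# Constructed suites: the first already looks complete by statement coverage alone.
NOMINAL_ONLY = [(90.0, 100.0)]
WITH_TRIP_DISABLED = [(90.0, 100.0), (90.0, 0.0)]

if __name__ == "__main__":
    for label, suite in (("nominal only", NOMINAL_ONLY), ("with trip disabled", WITH_TRIP_DISABLED)):
        print(label, statement_coverage(trip_margin_percent, suite),
              decision_coverage(TRIP_SOURCE, "trip_margin_percent", suite))
```

The one-case suite reports every executable line hit yet only the True outcome of the decision, so the unassigned-variable failure on the disabled path is invisible to statement coverage and surfaces only once the second outcome is demanded.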

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section C.3, page 6, 3rd line
Comment: The phrase "design changes shall be subject to design control measures commensurate with those applied to the original design" generates problems when updating from analog to digital systems, or updating an older digital system to a newer digital system. Please provide clarification that current practices need to be used for current programs. This paragraph appears to require application of the analog or primitive software processes used in the last part of the 20th century to current replacement digital systems, or to modification of existing systems. That cannot be the intent of this guidance.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. Early in this sentence the referenced phrase comes from Criterion III and is not available for changing. The basic control function required is universal whether it's adapted by digital or analog instrumentation and controls.

Originator: David Herrell
Draft Guide: DG-1208 (RG 1.171), Section C.6, 1st paragraph, 2nd line
Comment: There is no need for a semicolon in the text. Break the sentence at the semicolon, making the single sentence into two separate sentences. Replace "they" with "The annexes".
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The text editing is correct.

Originator: Mark Burzynski
Draft Guide: DG-1208 (RG 1.171), Section D
Comment: DG-1208 Section D states: "Licensees may use the information in this regulatory guide for actions which do not require NRC review and approval such as changes to a facility design under 10 CFR 50.59. Licensees may use the information in this regulatory guide or applicable parts to resolve regulatory or inspection issues." Does the first sentence imply that this regulatory guide is not for actions which do require NRC review and approval?
NRC Response: Thank you for your comment. The answer to your question is that the regulatory guide information can be used for any software installation.