ML12355A529

Public Comments and Responses on DG-1206
Issue date: 07/19/2013
From: Orr M P, Sturzebecher K J (NRC/RES/DE)
To: Orr M P
Shared Package: ML12354A524
References: DG-1206; RG-1.169, Rev 1


Text

Public Comments and NRC Responses for Draft Regulatory Guide (DG) -1206, "Configuration Management Plans for Digital Computer Software used in Safety Systems of Nuclear Power Plants"

DG-1206 is Revision 1 of Regulatory Guide (RG) 1.169

A Federal Register Notice was published on August 22, 2012 (77 FR 50727) announcing the availability of Draft Regulatory Guide (DG) -1206, "Configuration Management Plans for Digital Computer Software used in Safety Systems of Nuclear Power Plants" for public comment. DG-1206 is Revision 1 of Regulatory Guide (RG) 1.168 dated September 1997. The following table contains the public comments received and the NRC staff responses.

Comments were received from the following individuals:

1. David Herrell, MPR Associates, Inc., 320 King St., Alexandria, VA 22314 (ADAMS - ML12346A034)
2. Matt Gibson, Duke Energy, Matt.Gibson@Duke-Energy.Com (ADAMS - ML12321A012)
3. Mark Burzynski, New Clear Day, Inc., 2036 Marina Cove Dr., Hixson, TX 37343 (ADAMS - ML122910783)

Comments on DG-1206, "Configuration Management Plans for Digital Computer Software used in Safety Systems of NPPs" (DG-1206 is Rev. 1 of RG 1.169)

Each entry below gives the Originator, the Draft Guide location, the Comment, and the NRC Response.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), General
Comment: With the current emphasis on FPGAs, one would have thought that the topic would have at least been mentioned in this draft. Incorporate sufficient guidance on software lifecycle techniques to support FPGA VHDL code development.
NRC Response: Thank you for your comment. No changes have been made in response to your comment. The information on software can also be applied to the software of field-programmable gate arrays (FPGAs). For more direct information on FPGAs see NUREG/CR-7006, "Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems" (ADAMS Accession No. ML100880142).
Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), General
Comment: This regulatory guide clearly defines the roles and responsibilities of licensees, applicants, and NRC staff for software processes. However, this reviewer's experience shows that most, if not almost all, safety software is not written by licensees or applicants. Rather, safety software and safety systems are designed and developed by various vendors. This regulatory guide does not define how software and system vendors are to apply the regulatory guidance. This regulatory guide does not define which version of the regulatory guide is to be applied by a software vendor, or the requirements for software vendors to maintain their programs current with regulatory guidance, which seems to be the NRC requirement, based on topical report submittals. Consistently define the application of RGs 1.168 through 1.173 for software and system vendors, throughout all sections of each of the regulatory guides. Define the expectations for use of current regulatory guides, since software and system vendors do not have the capability to commit to a given version of the regulatory guides and industry standards in a license. Define the expectations for use of current or older regulatory guides in topical report submissions, or point to other NRC documents that define these requirements.
NRC Response: Thank you for your comment. No changes have been made in response to your comment. The NRC is responsible for regulating commercial nuclear power plants and other uses of nuclear material, such as in nuclear medicine, through its licensing, inspection and enforcement of its regulations and requirements. The NRC issues regulatory guidance documents, such as regulatory guides, standard review plans, and the NRC's Inspection Manual to aid licensees in meeting the agency's safety requirements. The NRC has no authority to regulate or direct the activities of software developers or software system vendors. The NRC promulgates its regulatory guidance documents to the NRC's licensees and applicants and it is the responsibility of the licensee and applicant to define software and software system requirements to their vendors as needed to demonstrate compliance with the NRC regulations.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section A, Page 1, last paragraph in the body of the text, 14th line
Comment: The structure of the sentence is awkward and difficult to read. Replace the wording "...all activities, such as designing, purchasing, installing, testing, operating, maintaining, or modifying, that affect the safety-related functions of such structures, systems, and components..." with "all activities that affect the safety-related functions of such structures, systems, and components, including such activities as design, purchase, installation, review, test, operation, maintenance, and modification."
NRC Response: Thank you for your comment. We agree that the sentence structure was awkward and it was revised to read as follows: "In particular, besides the SSCs that directly prevent or mitigate the consequences of postulated accidents, the criteria of Appendix B also apply to all activities that affect the safety-related functions of such SSCs, including activities such as designing, purchasing, installing, reviewing, testing, operating, maintaining, and modifying."

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section A, Page 1, last paragraph in the body of the text, 17th line
Comment: The phrase "design changes shall be subject to design control measures commensurate with those applied to the original design" generates problems when updating from analog to digital systems, or updating an older digital system to a newer digital system. Please provide clarification that current practices need to be used for current programs. This paragraph appears to require application of the analog or primitive software processes used in the last part of the 20th century to current replacement digital systems, or to modification to existing systems. That cannot be the intent of this guidance.
NRC Response: Thank you for your comment. The commenter is correct; it is not the intent of this guidance to require the application of the same software V&V process used for the analog system. The intent of this guidance is to inform the user that new software must undergo V&V processes that are, at a minimum, equivalent to or "commensurate with" the design control measures applied to the original design. The specific language identified by the commenter is a direct quote from NRC regulations and is provided to inform the reader that the design control measures for software used in safety systems of nuclear power plants are required by existing regulations. The sentence has been modified to more clearly identify the quoted text.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section A, Page 2, third paragraph, fourth line
Comment: In the paragraph starting "The NRC issues regulatory..." simplify the sentence structure. Replace "applicants, however" with "applicants. However," for consistency with other regulatory guides.
NRC Response: Thank you for your comment. No change has been made in response to the comment. The existing sentence is designed to eliminate the "choppy sentence" transition issue. See Diana Hacker's "A Writer's Reference," Page 112. The use of "; however," has been revised.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section A, Page 2, third paragraph, next to last line
Comment: Please clarify the version of NUREG-0800 used in reviews. After the phrase "The NRC staff uses the" add the phrase "latest version of" to provide guidance to industry.
NRC Response: Thank you for your comment. No change has been made in response to the comment. The NRC staff does not identify specific revisions for some guidance documents. This type of dynamic referencing is done because different licensees and applicants may have committed to different versions of the guidance documents and it would be inappropriate to always use the "latest version" of the guidance document for reviews when different applicants and licensees may have committed to alternate versions.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section B, Page 3, third paragraph, second sentence
Comment: In the paragraph beginning "Several criteria in Appendix B..." the word "Criterions" is used. The plural form of criterion is criteria. While "criterions" shows up in several informal dictionaries, it should not be used in formal writing. Suggest rephrasing the start of the second sentence to either "The listed criteria are only part..." or "Each criterion listed below is only part..." to use correct grammar.
NRC Response: Thank you for your comment. The term "Criterions" was revised to "criteria."

Originator: 2. Matt Gibson
Draft Guide: DG-1206 (RG 1.169), Page 8, Section C.6
Comment: Item 'k' in the list for documentation: "commercial software items that are safety system software." The first paragraph identifies all software deliverables of safety systems are to be identified and controlled as configuration items. Item 'a' states "requirements, designs, and code". There is no distinction about the type of code (source, object, executable), therefore the presumption is that all code which has already been stated in the first paragraph. Item 'k' seems to imply that there is something possibly different in "commercial software items" than what has already been explicitly defined by the first paragraph and Item 'a'. There is no definition provided as to what could possibly be "commercial software" that is not already included. Recommend this item be eliminated or clarification should be given.
NRC Response: Thank you for your comment. As a result of your comment Item k was deleted.


Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section C.7, Page 8, Staff Regulatory Position 7, first paragraph, second line
Comment: The second line inappropriately eliminates any software developed by a vendor under a Research and Development (R&D) program from these regulatory requirements. Delete the word "contractually" which will restore software developed by any vendor for safety related use back into the regulatory requirements.
NRC Response: Thank you for your comment. The sentence was revised to remove the term "contractually."

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section C.7, Page 8, Staff Regulatory Position 7, second paragraph, lines 6
Comment: While the comment made is correct (EPRI TR-106439 has never been endorsed by a regulatory guide), the technical report has been endorsed through an NRC SER. Include a statement in the RG text that EPRI TR-106439 has been endorsed by the NRC through a Safety Evaluation Report, dated 17 July 1997.
NRC Response: Thank you for your comment. In response to the comment, the paragraph has been revised to indicate that the NRC issued a safety evaluation report on July 17, 1997 that endorses EPRI TR-106439.
Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section C.8, Page 9, Staff Regulatory Position 8, first paragraph, lines 2
Comment: Redundant information is provided in this sentence. Delete the phrase "issued 2003" from the sentence, as the phrase is redundant to the reference to the IEEE Std. in the same sentence, which also includes the issue date with the standard number.
NRC Response: Thank you for your comment. No changes have been made in response to the comment. The IEEE title may use the year as part of the number for the standard, however that doesn't mean that it is improper to state the year issued as part of the citation.

Originator: 2. Matt Gibson
Draft Guide: DG-1206 (RG 1.169), Page 9, Section C.9
Comment: The "Downward Adaptation" in IEEE Std. 828-2005 allows for the omission of standard requirements where they do not apply to a project. An example standard requirement within IEEE 828-2005 is Section 3.1 where the scope of the SCM is defined. Item 'f)' lists "Limitations, such as time constraints, which apply to the Plan." Item 'g)' lists "Assumptions that might have an impact on the cost, schedule or ability to perform SCM activities (e.g., assumptions of the degree of customer participation in the SCM activities or the availability of automated aids)." These standard requirements may very well not apply to the safety system software under configuration control. If the Reg. Guide does not allow omission of standard requirements such as this when they do not apply, how is the user of the reg. guide capable of meeting it? Recommend clarification on what specifically are the standard requirements of concern that should not be omitted from a safety system software instead of a carte blanche nothing can be omitted.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The project assumptions as described in Section 3.1 of IEEE Std. 828-2005 could be the degree of customer participation or the availability of automated aids during the software development plan. These factors are again outlined in IEEE Std. 1074-2006, Annex A, Section 1.3.1.2, where the software feasibility is analyzed and identified within a release management plan and required as a plan configuration management activity. Thus RG 1.169, regulatory position #9, takes an exception to Clause 4.2 in IEEE Std. 828-2005, which provides omission when deemed not applicable. The software configuration plan must identify the corrective action for software conditions adverse to quality, and as per Criterion XVI, such failures, malfunctions, and deficiencies, be identified and that the cause be determined, the condition be corrected, and the entire process be documented.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section C.10, Page 9, Staff Regulatory Position 10, only paragraph, lines 3
Comment: The phrase "commensurate with those applied to the original design" is problematic. This phrase generates problems when updating from analog to digital systems, or updating an older digital system to a newer digital system.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The original design of a software system is to perform a function such as turning a pump on or off. Whether that function is controlled by a mechanical device such as a mechanical float arm and switch or an analog or digital computer system, the function and hence the original design, remains the same.

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), Section C.11, Page 9, Staff Regulatory Position 11, only paragraph, next to last line
Comment: The phrase "...activities authorized by the operating license..." restricts the application of this guidance to applicants and licensees, eliminating vendors from this guidance. It is also not clear whether this guidance applies in the period before, or after, an operating license exists. Please reword this statement for appropriate coverage of this standard to vendors, and to licensees and applicants who do not have an operating license.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. As stated in the introduction of this regulatory guide, this guidance document describes a method that the staff of the NRC considers acceptable for use in demonstrating compliance with the NRC's regulations dealing with configuration management plans for digital computer software used in the safety systems of nuclear power plants. Every commercial nuclear power plant in the country must be licensed by the NRC and must operate in accordance with the terms and conditions of the license. Thus the phrase "...activities authorized by the operating license..." is correct.

Originator: 3. Mark Burzynski
Draft Guide: DG-1206 (RG 1.169), Section D
Comment: DG-1206 Section D states: "Licensees may use the information in this regulatory guide for actions which do not require NRC review and approval such as changes to a facility design under 10 CFR 50.59. Licensees may use the information in this regulatory guide or applicable parts to resolve regulatory or inspection issues." Does the first sentence imply that this regulatory guide is not for actions which do require NRC review and approval?
NRC Response: No. The statement in Section D reads as follows: "Licensees may use the information..." The use of the word "may" indicates that compliance with the guidance is optional for activities that require NRC review and approval as well as for activities that do not require NRC review and approval. As stated in Section A of this regulatory guide, "...regulatory guides are not substitutes for regulations and compliance with them is not required."

Originator: 1. David Herrell
Draft Guide: DG-1206 (RG 1.169), References
Comment: The current note 6 states that this report must be purchased. Since this report is older and since the report did have an NRC SER issued, this report is freely available from the EPRI web site, at www.EPRI.com. Please update the note to state that a PDF electronic version is freely available from EPRI, but that printed copies still require purchase, to be consistent with DG-1267.
NRC Response: Thank you for your comment. No changes have been made as a result of the comment. The footnote states that copies of the referenced documents "...may be purchased..." The word "may" indicates one option available to the reader. It is not a mandatory statement and the reader is free to pursue alternative methods of obtaining the referenced documents.