ML22223A159

Draft Regulatory Guide 1.250, Rev. 0, Dedication of Commercial-Grade Digital Instrumentation & Control Item for Use in Nuclear Power Plants (for ACRS on 9-7-22)
ML22223A159
Person / Time
Issue date: 08/12/2022
From: Dinesh Taneja
NRC/RES/DE
To:
References
RG-1.250


Text

U.S. NUCLEAR REGULATORY COMMISSION REGULATORY GUIDE RG 1.250, Revision 0

Pre-decisional copy for the Advisory Committee on Reactor Safeguards to support the September 7, 2022, public meeting

Issue Date: TBD Technical Lead: Dinesh Taneja

DEDICATION OF COMMERCIAL-GRADE DIGITAL INSTRUMENTATION AND CONTROL ITEMS FOR USE IN NUCLEAR POWER PLANTS

A. INTRODUCTION

Purpose

This regulatory guide (RG) describes an approach that is acceptable to the staff of the U.S. Nuclear Regulatory Commission (NRC) to meet, in part, regulatory requirements for the dedication of commercial-grade digital instrumentation and control (I&C) items for use in nuclear power plant safety applications. It endorses, with clarifications, Nuclear Energy Institute (NEI) 17-06, Guidance on Using IEC 61508 SIL Certification to Support the Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Related Applications, Revision 1, issued December 2021 (Ref. 1), to supplement existing guidance.

Applicability

This RG applies to holders of, or applicants for, a power reactor operating license or construction permit under Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities (Ref. 2), as well as holders of, or applicants for, a power reactor combined license under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants (Ref. 3). Specifically, this RG applies to the use of commercial grade items as basic components under 10 CFR Part 21, Reporting of Defects and Noncompliance (Ref. 4).

Applicable Regulations

  • 10 CFR 21.3 defines basic component as, among other things, commercial grade items which have successfully completed the dedication process, and provides definitions for commercial grade item and dedication.

Written suggestions regarding this guide may be submitted through the NRC's public Web site in the NRC Library at https://nrcweb.nrc.gov/reading-rm/doc-collections/reg-guides/, under Document Collections, in Regulatory Guides, at https://nrcweb.nrc.gov/reading-rm/doc-collections/reg-guides/contactus.html, and will be considered in future updates and enhancements to the Regulatory Guide series. During the development process of new guides, suggestions should be submitted within the comment period for immediate consideration. Suggestions received outside of the comment period will be considered if practical to do so or may be considered for future updates.

Electronic copies of this RG, previous versions of RGs, and other recently issued guides are also available through the NRC's public web site in the NRC Library at https://nrcweb.nrc.gov/reading-rm/doc-collections/reg-guides/, under Document Collections, in Regulatory Guides. This RG is also available through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under ADAMS Accession Number (No.) ML22153A408. The regulatory analysis is associated with a rulemaking and may be found in ADAMS under Accession No. ML22003A181. The associated draft guide DG-1402 may be found in ADAMS under Accession No. ML22003A180, and the staff responses to the public comments on DG-1402 may be found under ADAMS Accession No. ML22153A416.


  • 10 CFR 50.34(a)(7) and 10 CFR 50.34(b)(6)(ii) refer to Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, for the requirements for a quality assurance (QA) program for the design and construction of nuclear power plants licensed or approved under 10 CFR Part 50 or 10 CFR Part 52. These regulations require preliminary and final safety analysis reports to include discussion of how applicable requirements of Appendix B will be satisfied.
  • 10 CFR 50.54(a)(3)-(4) establishes conditions to be included in every nuclear power reactor operating license issued under 10 CFR Part 50 and every combined license issued under 10 CFR Part 52 regarding how licensees may make changes to their QA programs in.
  • 10 CFR Part 50, Appendix B, Criterion III, Design Control, includes provisions for QA and quality control that are applicable to the acceptance and dedication process for commercial-grade digital I&C items. Criterion III design control requires, in part, measures for the selection and review for suitability of application of materials, parts, equipment, and processes that are essential to the safety-related functions of the structures, systems, and components. These measures are applicable to commercial-grade digital equipment for use as a basic component in a digital I&C system.
  • 10 CFR Part 50, Appendix B, Criterion VII, Control of Purchased Material, Equipment, and Services, requires that measures shall be established to assure that purchased material, equipment, and services, whether purchased directly or through contractors and subcontractors, conform to the procurement documents. These measures shall include provisions, as appropriate, for source evaluation and selection, objective evidence of quality furnished by the contractor or subcontractor, inspection at the contractor or subcontractor source, and examination of products upon delivery. Documentary evidence that material and equipment conform to the procurement requirements shall be available at the nuclear power plant or fuel reprocessing plant site prior to installation or use of such material and equipment. This documentary evidence shall be retained at the nuclear power plant or fuel reprocessing plant site and shall be sufficient to identify the specific requirements, such as codes, standards, or specifications, met by the purchased material and equipment. The effectiveness of the control of quality by contractors and subcontractors shall be assessed by the applicant or designee at intervals consistent with the importance, complexity, and quantity of the product or services.
  • 10 CFR 52.79(a)(25) requires applicants for combined licenses to include a description of the QA program, applied to the design, and to be applied to the fabrication, construction, and testing, of the structures, systems, and components of the facility. It notes that Appendix B to 10 CFR part 50 sets forth the requirements for QA programs for nuclear power plants. The description of the QA program for a nuclear power plant must include a discussion of how the applicable requirements of Appendix B to 10 CFR part 50 have been and will be satisfied, including a discussion of how the QA program will be implemented.

Related Guidance

  • Regulatory Guide 1.164, Dedication of Commercial-Grade Items for Use in Nuclear Power Plants (Ref. 5), describes methods that the NRC staff considers acceptable in meeting regulatory requirements for the dedication of commercial-grade items and services used in nuclear power plants.


  • Electrical Power Research Institute (EPRI) TR-106439, Guidance on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Application, issued October 1996 (Ref. 6). As indicated in the NRC staff's safety evaluation report (Ref. 7), EPRI TR-106439 contains a method acceptable to the NRC staff for dedicating commercial-grade digital equipment for use in nuclear power plant safety applications and meets the requirements of 10 CFR Part 21.

Purpose of Regulatory Guides

The NRC issues RGs to describe methods that are acceptable to the staff for implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific issues or postulated events, and to describe information that the staff needs in its review of applications for permits and licenses. Regulatory guides are not NRC regulations and compliance with them is not required. Methods and solutions that differ from those set forth in RGs are acceptable if supported by a basis for the issuance or continuance of a permit or license by the Commission.

Paperwork Reduction Act

This RG provides voluntary guidance for implementing the mandatory information collections in 10 CFR Parts 21, 50, and 52 that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). These information collections were approved by the Office of Management and Budget (OMB), under control numbers 3150-0035, 3150-0011, and 3150-0151, respectively. Send comments regarding this information collection to the FOIA, Library, and Information Collections Branch (T6-A10M), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by e-mail to Infocollects.Resource@nrc.gov, and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202 (3150-0035, 3150-0011, and 3150-0151), Office of Management and Budget, Washington, DC, 20503.

Public Protection Notification

The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

B. DISCUSSION

Reason for Issuance

The NRC staff is issuing a new RG to endorse, with clarifications, NEI 17-06, which provides supplemental guidance on an approach for licensees and applicants to determine acceptability of the dependability critical characteristics of digital equipment during the dedicating process pursuant to 10 CFR Part 21. NEI 17-06 leverages an internationally recognized safety integrity level (SIL) certification process that relies on International Electrotechnical Commission (IEC) 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Edition 2.0, issued April 2010 (Ref. 8). Before this RG, there was no guidance available for accepting a third-party certification to support verifying critical characteristics of digital equipment. This RG provides guidance on an acceptable method to support verifying a digital I&C item's dependability critical characteristics based on an accredited certification of compliance with an IEC 61508 SIL.

Background

The process of dedication of commercial-grade equipment for use in safety-related applications may be applied to nuclear power plants. Dedication is an acceptance process to provide reasonable assurance that a commercial-grade item will perform its intended safety function and, in this respect, is deemed equivalent to an item designed and manufactured under a QA program under 10 CFR Part 50, Appendix B.

RG 1.164 describes methods that the NRC staff considers acceptable in meeting regulatory requirements for the dedication of commercial-grade items and services used in nuclear power plants.

RG 1.164 endorses, with exceptions or clarifications, EPRI 3002002982, Plant Engineering: Guideline for the Acceptance of Commercial-Grade Items in Nuclear Safety-Related Applications, Revision 1 to EPRI NP-5652 and TR-102260, issued September 2014 (Ref. 9). A history of commercial-grade dedication of items and services in the nuclear industry is documented in the background section of RG 1.164. In part, EPRI 3002002982 provides guidance for two methods: Method 2 (Commercial-Grade Survey) and Method 4 (Item/Supplier Performance Record). The use of an accredited SIL certification to IEC 61508 relates to these two methods. EPRI 3002002982, Section 14.1, Digital Equipment and Computer Programs Integral to Plant SSCs, references TR-106439, which the NRC staff evaluated as documented in a safety evaluation report (Ref. 7). Where RG 1.164 and EPRI 3002002982 consider the broad scope of dedication of commercial-grade items, TR-106439 provides guidance specific to digital equipment.

In part, TR-106439 provides acceptance criteria and methods of verification for the critical characteristics of dependability. TR-106439 states that the verification of dependability characteristics typically involves a commercial-grade survey of the vendor's processes (Method 2) and a review of the vendor performance record and product operating history (Method 4). The NRC staff safety evaluation report (Ref. 7) highlights that TR-106439 proposes a combination of methods, including Methods 2 and 4, for digital I&C items. As documented in the NRC staff safety evaluation report for TR-106439, the NRC staff determined that TR-106439 contains an acceptable method for dedicating commercial-grade digital equipment for use in nuclear power plant safety applications and meets the requirements of 10 CFR Part 21. The NRC staff further concluded that when digital equipment is dedicated using the methods described in TR-106439, it may be considered equivalent to digital equipment designed and manufactured under a 10 CFR Part 50, Appendix B, QA program. The NRC staff noted that licensees referencing TR-106439 should document application-specific details about the dedication process and specific critical characteristics.


Section 4.2 of TR-106439 provides guidance for defining and verifying critical characteristics that will provide reasonable assurance that the item will perform its intended safety function. This guidance states:

a complete definition of requirements, including hardware, software, human-machine interface, quality, and reliability requirements, is an important prerequisite for dedication of a commercial-grade item. It is especially important for digital equipment, where experience has shown that many of the problems that occur are due to inadequate definition of requirements. For software-based equipment, in addition to design requirements for the intended functions and anticipated failure modes, it is particularly important to identify requirements related to unused, and unintended or prohibited functions.

The types of critical characteristics considered within TR-106439 for many types of devices include physical or performance characteristics. For digital equipment, however, a third type of characteristic, referred to as dependability, is identified as being important when dedicating digital equipment that includes software. Dependability characteristics address attributes that are difficult to verify through testing or inspection alone and are heavily influenced by the quality of the processes used to produce the device or software. High-quality software is typically achieved by building quality in, using a systematic life cycle development approach that includes validation and verification steps at each stage of the development life cycle. The degree of dependability of digital devices is also influenced by the incorporation of designed-in elements to provide a robust hardware and software architecture, self-checking features, hardware- or software-based watchdog timers, and controlled failure management, such as use of redundant processors with automatic fail-over capabilities.

An evaluation process that incorporates a critical examination of hardware and software development processes, design features (e.g., fault tolerance, diagnostic monitoring coverage, fail-safe design), and historical operating performance is used to assess the overall dependability of a digital device. TR-106439 refers to this assessment as a critical digital review (CDR). The CDR relies on an understanding of the specific programmable logic and hardware features embodied in the design, to verify that they are correct and appropriate considering the intended application.

Table 4-1 in TR-106439 summarizes a set of attributes associated with dependability critical characteristics for digital equipment. This table provides acceptance criteria, methods of verification, and remarks on the application of those methods of verification. Table 4-2 in TR-106439 identifies examples of design factors that can be evaluated in assessing digital item quality. However, TR-106439 states, The dedicator must determine which activities are appropriate for each application. In general, the choice and extent of activities undertaken to verify adequate quality, and the specific criteria applied in making the assessment, depend on the safety significance and complexity of the device. Ultimately, this process necessitates a high level of engineering judgment and can result in variability among reviewers. Further, the CDR relies on a survey team that includes specialists who understand the device design, programmable logic, and system in which it will be applied, in addition to QA and programmatic issues.

IEC 61508 is an international, performance-based standard for the functional safety of electrical, electronics, and programmable electronic equipment that addresses standardization issues raised by the use of programmable electronic systems. IEC 61508 defines standards for manufacturers to follow during product development to ensure that their products will have a predictably high level of resistance to random hardware and systematic design failures. Nuclear industry studies conducted within the past few years indicate that devices certified to conform to the provisions of the standard can be expected to experience a low probability of failure on demand and to be relatively free from design flaws leading to systematic failures.

The IEC 61508 standard is composed of seven parts:

(1) Part 1: General requirements
(2) Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
(3) Part 3: Software requirements
(4) Part 4: Definitions and abbreviations
(5) Part 5: Examples of methods for the determination of safety integrity levels
(6) Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (i.e., Parts 2 and 3)
(7) Part 7: Overview of techniques and measures

The goal of IEC 61508, and of functional safety in general, is for the automatic safety functions to perform their intended functions correctly or for the system to fail in a safe and predictable manner.

The standard focuses attention on risk-based safety-related system design and ensures the attention to detail that is vital to safe system design.

Manufacturers of electronic and programmable electronic equipment for safety applications seek independent third-party certification to ensure functional safety in accordance with IEC 61508. This certification verifies key criteria within IEC 61508 to demonstrate the reliability goals and the systematic capability specifications for a targeted SIL. Compliance is evaluated by accredited third-party certifying bodies that assess and certify that a product has been designed and developed in accordance with the standard. The certifying bodies follow a rigorous process that verifies that a product's hardware and software design as well as its manufacturing and quality control procedures satisfy the IEC 61508 standards established for the product's SIL claim. The certifying bodies also verify the product's built-in fault detection capabilities in addition to performing a failure modes, effects, and diagnostics analysis to ascertain failure rate data needed for use in verifying the SIL. The certifying bodies also analyze a device's failure data in actual field experience (historical use). Upon completion of the verification and analysis process, the certifying bodies will provide a certificate of compliance to IEC 61508 criteria and document the results of their analysis in the form of a certification report. The product safety manual describes the conditions of use under which the product has been found to meet the predicted failure rate and that must be maintained by the user to ensure the device will continue to comply with the failure rate provisions of the IEC 61508 standard.

To be established as a credible entity, the certifying body is accredited by the national accrediting body. The accrediting body ensures that a certifying body is competent to perform the necessary evaluations of the manufacturers' products. In the United States, the currently recognized accrediting body is the American National Standards Institute National Accrediting Board (ANAB). Accrediting bodies around the world are linked under the International Accreditation Forum Multilateral Recognition Arrangement.

Since early 2016, external nuclear power industry stakeholders have engaged the NRC staff about SIL certification, the certification process, and the accreditation process. From this engagement, the NEI produced NEI 17-06, which provides guidance for the use of an accredited SIL certification to IEC 61508 within a digital I&C item's dedication for its critical characteristics of dependability. This topic has been part of related agency activities to modernize the NRC regulatory infrastructure to enable the expanded safe use of digital I&C (Ref. 10).

Under NEI 17-06, the critical characteristic of dependability described in TR-106439 for commercial grade dedication of electronic and programmable electronic equipment is verified if the equipment is manufactured to an appropriate SIL level in conformance with IEC 61508. The dedicating entity verifies the dependability critical characteristics, i.e., that the equipment is manufactured to the appropriate SIL through inspections, tests, or analyses supplemented by a commercial grade survey.

Under NEI 17-06, the commercial grade survey takes the form of certification under IEC 61508 (which uses ISO/IEC 17065, Conformity assessment - Requirements for bodies certifying products, processes and services, (Ref. 11) for the certification process) by an accredited certifying body. The dedicating entity, in accordance with NEI 17-06, dedicates the certification as a commercial grade service provided by the certifying body. Therefore, the NRC staff considers SIL certification as described in NEI 17-06 to be a commercial grade survey for the purposes of 10 CFR Part 21. Verification of acceptability of the certifying body's commercial grade surveys is supplemented by the dedicating entity's own commercial grade survey, either through observation of the accreditation of the certifying body or observation of a certification using the checklist provided in NEI 17-06, Appendix D. Thus, a dedicating entity need only dedicate the services of the certifying body on a periodic basis.

The NRC staff has reviewed IEC 61508, 2.0 Edition and ISO/IEC 17065:2012 for use as described in NEI 17-06 and observed the accreditation of exida.com LLC by ANAB in 2021. The NRC staff's review and observation show that the IEC 61508 process has many parallels to the requirements of 10 CFR Part 50, Appendix B and, therefore, the staff concludes that SIL certification by exida.com LLC or other ANAB accredited certifying bodies is a reliable method for verifying acceptability of the dependability critical characteristics of electronic and programmable electronic equipment, if dedicated in conformance with the staff positions described in section C below.

Consideration of International Standards

The International Atomic Energy Agency (IAEA) works with member states and other partners to promote the safe, secure, and peaceful use of nuclear technologies. The IAEA develops Safety Requirements and Safety Guides for protecting people and the environment from harmful effects of ionizing radiation. This system of safety fundamentals, safety requirements, safety guides, and other relevant reports, reflects an international perspective on what constitutes a high level of safety. To inform its development of this RG, the NRC staff considered IAEA Safety Requirements and Safety Guides pursuant to the Commission's International Policy Statement (Ref. 12) and Management Directive and Handbook 6.6, Regulatory Guides (Ref. 13).

The NRC staff did not identify any IAEA Safety Requirements or Guides with information related to the topic of this RG.

Documents Discussed in Staff Regulatory Guidance

This RG endorses, in part, the use of one or more codes or standards developed by external organizations, and other third-party guidance documents. These codes, standards, and third-party guidance documents may contain references to other codes, standards or third-party guidance documents (secondary references). If a secondary reference has itself been incorporated by reference into NRC regulations as a requirement, then licensees and applicants must comply with that standard as set forth in the regulation. If the secondary reference has been endorsed in a RG as an acceptable approach for meeting an NRC requirement, then the standard constitutes a method acceptable to the NRC staff for meeting that regulatory requirement as described in the specific RG. If the secondary reference has neither been incorporated by reference into NRC regulations nor endorsed in a RG, then the secondary reference is neither a legally-binding requirement nor a generic NRC approved acceptable approach for meeting an NRC requirement. However, licensees and applicants may consider and use the information in the secondary reference, if appropriately justified, consistent with current regulatory practice, and consistent with applicable NRC requirements.

C. STAFF REGULATORY GUIDANCE

1. The NRC staff endorses, with the following clarifications, NEI 17-06, Revision 1, as a method acceptable to the staff on using IEC 61508 SIL certification to support the acceptance of commercial-grade digital equipment that is dedicated as a basic component in accordance with EPRI TR-106439.
a. NEI 17-06 states that it describes a method for using the accredited SIL certification process in lieu of a commercial grade survey as a dedication acceptance method to provide reasonable assurance that the dependability critical characteristics of digital devices are adequately controlled. The NRC staff considers SIL certification to be a commercial grade survey for the purposes of 10 CFR Part 21 and understands that NEI means the SIL certification process is in lieu of the commercial grade survey method described in EPRI 3002002982. Thus, the NRC staff considers dedication of the certifying body's services and verification of certification to the appropriate SIL to be adequate to verify dependability critical characteristics for use in the method described in EPRI TR-106439.
b. NEI 17-06 states, among other things, that the certifying body's services should be dedicated by [a] U.S. NRC licensee, their designee, or the dedicating entity. To be clear, each dedicating entity should dedicate the services of each certifying body whose certificates the dedicating entity wishes to rely on, and should not rely on dedication by, e.g., another NRC licensee. Accreditation activity observations performed in accordance with NEI 17-06 Section 5.3 may be performed by a U.S. NRC licensee, their designee, or the dedicating entity. If more than one licensee or dedicating entity intends to use SIL certification from a single certifying body, a licensee or dedicating entity may either perform commercial grade dedication of the certifying body or arrange for commercial grade dedication of the certifying body on behalf of itself and other licensees or dedicating entities to reduce the number of commercial grade dedications of the certifying body. The scope of this commercial grade dedication should address the needs of all the purchasers, and all the purchasers for whom the commercial grade dedication was conducted should receive the relevant records. Each of the licensees or dedicating entities relying on the results of a commercial grade dedication performed on behalf of licensees or dedicating entities remains individually responsible for the adequacy of the commercial grade dedication.

c. Section 7.3 of NEI 17-06 states, [t]he U.S. nuclear industry observations will be performed initially on a three (3) year frequency with the possibility of re-evaluating the frequency based on the results of the observations. To be consistent with NRC staff-accepted practices, the certifying bodies' IEC 61508 SIL certification process should be observed every 3 years.
d. Section 1.4 of NEI 17-06 states, [a] commercial grade item is an item that is not a basic component. This would not be a correct definition for compliance with NRC requirements. To clarify, 10 CFR 21.3 defines a basic component to include a commercial grade item that has completed the dedication process. Thus, when the NRC uses the term basic component, that term includes dedicated commercial grade items. As stated in 10 CFR 21.3, [w]hen applied to nuclear power plants licensed pursuant to 10 CFR Part 50, commercial grade item means a structure, system, or component, or part thereof that affects its safety function, that was not designed and manufactured as a basic component.
e. Section 6.3 of NEI 17-06 provides guidance to verify certificates with the issuing certifying body to ensure the certificate is not expired or otherwise invalidated. Dedicating entities should implement that guidance for all certificates to avoid acceptance of counterfeit or fraudulent certificates.

2. The NRC staff endorses, with the following clarifications, the use of IEC 61508, Edition 2.0 as described in NEI 17-06.
a. The NRC staff is aware that unaccredited certifying bodies exist that claim to provide SIL certification under IEC 61508. However, NEI 17-06 reiterates th at certifying bodies be accredited by signatories to the International Accreditation Forum Multila teral Recognition Arrangement.

The NRC staff has not reviewed and is not endorsing the use of SIL certification by certifying bodies that have not been accredited in conformance with the mu tual recognition arrangement as described in NEI 17-06. Therefore, dedicating entities should v erify the certifying bodys accreditation consistent with the guidance in section 6.3 of NEI 17-06.

b. The NRC staff recognize that manufacturers and certifying bo dies may use later editions of IEC 61508, and that NEI 17-06 does not appear to limit itself to th e use of Edition 2.0, but the NRC staff can only endorse editions of standards that the NRC staff have specifically reviewed. In the event that dedicating entity wishes to dedicate an item manufactured and certified under a later edition of IEC 61508, the dedicating entity should verify that the substantive standards of the later edition related to the dependab ility characteristic remain unchanged from the 2.0 Edition the NRC staff is endorsing in this RG. Not e, however, that dedicating entities relying on certification under a later edition than endorsed by this RG will be responsible fo r ensuring that the item meets the requirements of 10 CFR Part 21 and Appendix B to Part 50.
3. The NRC staff endorses the use of ISO/IEC 17065:2012 for use by certifying bodies to perform commercial grade surveys as described in NEI 17-06.

D. IMPLEMENTATION

The NRC staff may use this RG as a reference in its regulatory processes, such as licensing, inspection, or enforcement. However, the NRC staff does not intend to use the guidance in this RG to support NRC staff actions in a manner that would constitute backfitting as that term is defined in 10 CFR 50.109, Backfitting, and as described in NRC Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests (Ref. 14), nor does the NRC staff intend to use the guidance to affect the issue finality of an approval under 10 CFR Part 52, Licenses, Certifications, and Approvals for Nuclear Power Plants. The staff also does not intend to use the guidance to support NRC staff actions in a manner that constitutes forward fitting as that term is defined and described in Management Directive 8.4. If a licensee believes that the NRC is using this regulatory guide in a manner inconsistent with the discussion in this Implementation section, then the licensee may file a backfitting or forward fitting appeal with the NRC in accordance with the process in Management Directive 8.4.

REFERENCES 1

1. Nuclear Energy Institute, NEI 17-06, Guidance on Using IEC 61508 SIL Certification to Support the Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Related Applications, Revision 1, Washington, DC, December 2021 (Agencywide Documents and Management System (ADAMS) Accession No. ML21337A380). 2
2. U.S. Code of Federal Regulations (CFR), Domestic Licensing of Production and Utilization Facilities, Part 50, Chapter 1, Title 10, Energy.
3. CFR, Licenses, Certifications, and Approvals for Nuclear Power Plants, Part 52, Chapter 1, Title 10, Energy.
4. CFR, Reporting of Defects and Noncompliance, Part 21, Chapter 1, Title 10, Energy.
5. U.S. Nuclear Regulatory Commission (NRC), Regulatory Guide (RG) 1.164, Dedication of Commercial-Grade Items for Use in Nuclear Power Plants, Washington, DC.
6. Electric Power Research Institute (EPRI), TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, Palo Alto, CA, October 1996.3
7. NRC, Safety Evaluation by the Office of Nuclear Reactor Regulation Electric Power Research Institute Topical Report, TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, July 17, 1997 (ADAMS Accession No. ML12205A284).
8. International Electrotechnical Commission (IEC), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Edition 2.0, Geneva, Switzerland, April 2010.4
9. EPRI, 3002002982, Plant Engineering: Guideline for the Acceptance of Commercial-Grade Items in Nuclear Safety-Related Applications, Revision 1 to EPRI NP-5652 and TR-102260, Palo Alto, CA, September 2014 (ADAMS Accession No. ML18199A161).

1 Publicly available NRC published documents are available electronically through the NRC Library on the NRC's public Web site at http://www.nrc.gov/reading-rm/doc-collections/ and through the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html. The documents can also be viewed online or printed for a fee in the NRC's Public Document Room (PDR) at 11555 Rockville Pike, Rockville, MD. For problems with ADAMS, contact the PDR staff at 301-415-4737 or (800) 397-4209; fax (301) 415-3548; or e-mail pdr.resource@nrc.gov.

2 Publications from the Nuclear Energy Institute (NEI) are available at their Web site: http://www.nei.org/ or by contacting the headquarters at Nuclear Energy Institute, 1776 I Street NW, Washington DC 20006-3708, Phone: 202-739-800, Fax 202-785-4019.

3 Copies of Electric Power Research Institute documents may be obtained through their website https://www.epri.com/research/products/; by writing the Electric Power Research Institute, 3420 Hillview Avenue, Palo Alto, CA 94304; by telephone (800) 313-3774; or by e-mail askepri@epri.com.

4 Copies of International Electrotechnical Commission (IEC) documents may be obtained through their website http://www.iec.ch/; by writing the IEC Central Office, 3 rue de Varembé, P.O. Box 131, 1211 Geneva 20, Switzerland; or by telephone + 41 22 919 0211.

10. NRC, SECY-21-0091, Annual Update on Activities to Modernize the U.S. Nuclear Regulatory Commission's Digital Instrumentation and Controls Regulatory Infrastructure, Washington, DC, October 25, 2021 (ML21253A212).
11. ISO/IEC 17065, Conformity assessment Requirements for bodies certifying products, processes and services, First Edition, Geneva, Switzerland, September 2012.5
12. NRC, Nuclear Regulatory Commission International Policy Statement, Federal Register, Vol. 79, No. 132, pp. 39415-39418 (79 FR 39415), Washington, DC, July 10, 2014.
13. NRC, Management Directive (MD) 6.6, Regulatory Guides, Washington, DC.
14. NRC, MD 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests.

5 Copies of International Organization for Standardization (ISO) documents may be obtained through their website http://www.iso.org; by writing the ISO copyright office, Post Office Box 56, 1211 Geneva 20, Switzerland; or by telephone + 41 22 749 01 11.
