ML19031C862

From kanterella
Jump to navigation Jump to search
2019 ANS Npic_Hmit Paper and Presentation
ML19031C862
Person / Time
Issue date: 01/31/2019
From: Ismael Garcia
Division of Engineering
To:
Garcia I
References
Download: ML19031C862 (21)
v  d  e


Text

Paper ID 25875 Qualification of Digital Instrumentation and Control Platform for use in Systems Important to Safety - Evaluation Guidance Mr. Ismael L. Garcia, P.E.

U.S. Nuclear Regulatory Commission 11555 Rockville Pike, Rockville, MD 20852-2738 Ismael.Garcia@nrc.gov ABSTRACT The qualification of digital Instrumentation and Control (I&C) platforms for use in systems important to safety at nuclear power plants is needed in order to demonstrate that these I&C platforms are suitable for their intended applications. Evaluation guidance in this area is warranted given the increase use of digital I&C systems in operating and new reactor designs as well as its safety implications. Therefore, this paper provides an evaluation guidance framework for assessing the qualification of a digital I&C platform for use in systems important to safety.

The framework addresses the following areas associated with the platform qualification: (1) the scope of qualification; (2) methods of qualification; (3) documentation; (4) the application of the qualification; and (5) the maintenance of the qualification. The methodology discussed by this paper is not to be construed as a requirement, regulation, or acceptable guidance by either domestic or international regulators; instead, it is intended to serve as a potential foundation or technical basis to be used for developing clear and sufficient regulatory guidance for assessing digital I&C platform qualification for use in systems important to safety.

Key Words: control, digital, instrumentation, platform, qualification 1

INTRODUCTION Digital I&C platforms are used for systems important to safety in nuclear power plants. A platform is a set of hardware and software components that may work co-operatively in one or more defined architectures or configurations. Some of these platforms have been developed for nuclear power applications but, many were developed for a wide range of industrial applications. The qualification of digital I&C platforms for use in systems important to safety at nuclear power plants is needed in order to demonstrate that these I&C platforms are suitable for their intended applications. Qualification in this context is the process of determining whether an I&C platform is suitable for operational use.

Domestic and international regulators agree that evaluation guidance for the qualification of digital I&C platforms for use in systems important to safety is warranted given its safety implications and the increase use of digital I&C systems in operating and new reactor designs. Such feedback is based on recent experience by domestic and international regulators during new reactor application reviews and while dealing with operating plant issues as well as an examination of the regulatory requirements, relevant industry standards, and international documents. The evaluation guidance discussed herein applies to both the qualification of Commercial-Off-The-Shelf (COTS) platforms as well as those developed specifically for important to safety nuclear applications. Furthermore, the guidance applies to the qualification of both hardware and software used in I&C platforms and does not assume that a particular digital I&C technology is used (e.g., microprocessor, Field Programmable Gate Array or FPGA).

Paper ID 25875 1.1 Definition of Terms The following definitions are specific to this paper:

Accreditation: The formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards [1].

Architecture: Organizational structure of the I&C systems of the plant which are important to safety [2].

Certificate: A document issued by an accredited body stating the applicable conditions to be met for certification and certifying compliance with relevant standards if the conditions are met [3].

Certification: The provision by an accredited body of written assurance (a certificate) that the product, service or system in question meets specific requirements [1].

Critical Characteristics: Those important design, material, and performance characteristics of a commercial off the shelf item that, once verified, will provide reasonable assurance that the item will perform its intended safety function [4].

Deterministic: A behavior that any given input sequence that is within the specification of the item will always produce the same outputs and response times, i.e. the time delay between stimulus and response has a guaranteed maximum and minimum [5].

Failure: Loss of the ability of a structure, system, or component to function with acceptance criteria [3].

Functional Requirements: Requirements that specify the required functions or behaviors of an item [5].

Graded Approach: For a system of control, such as a regulatory system or a safety system, a process or method in which the stringency of the control measures and conditions to be applied is commensurate, to the extent practicable, with the likelihood and possible consequences of, and the level of risk associated with, a loss of control [3].

I&C system: System, based on electrical and/or electronic and/or programmable electronic technology, performing I&C functions as well as service and monitoring functions related to the operation of the system itself [2].

Item important to safety: An item that is part of a safety group and/or whose malfunction or failure could lead to radiation exposure of the site personnel or member of the public [3].

Non-functional Requirements: Also known as quality requirements; these are requirements that specify inherent properties or characteristics of an item other than the required functions and behaviors. Example characteristics include analyzability, assurability, auditability, availability, compatibility, documentation, integrity, maintainability, performance, reliability, safety, security, usability and verifiability [5].

Platform: Set of hardware and software components that may work co-operatively in one or more defined architectures (configurations). The development of plant specific configurations and of the related application software may be supported by software tools. An I&C platform usually provides a number of standard functionalities (e.g. application functions library) that may be combined to generate specific application software [6].

Qualification: Process of determining whether a system or component is suitable for operational use. The qualification is performed in the context of a specific class of the I&C system and a specific set of qualification requirements [6]. (Note: Qualification of I&C

Paper ID 25875 systems is a plant-and application-specific activity while platform qualification relies to a large degree on qualification activities performed outside the framework of a specific plant design.)

1.2 Evaluation Guidance Framework Figure 1. I&C Platform Qualification - Evaluation Guidance Framework.

Fig. 1 above shows the evaluation guidance framework for assessing the qualification of an I&C platform to be used in systems important to safety. As shown in Fig. 1, the framework addresses the following areas associated with the platform qualification:

1. The scope of qualification;
2. Methods of qualification;
3. Documentation;
4. The application or use of the qualification; and
5. The maintenance of the qualification.

This evaluation guidance framework applies to both the qualification of COTS platforms as well as platforms developed specifically for systems important to safety. Sections 1.2.1 through 1.2.5 below discuss some of the key takeaways from this framework. Specifically, these sections discuss the kind of information and considerations associated with the platform qualification that would need to be assessed as part of the evaluation. The acceptability of the overall evaluation of qualification will be a matter for the regulatory body for the country in which the platform is to be used.

1.2.1 The Scope of Qualification The scope of the platform qualification should comprise of items including, but not limited to:

1. The hardware supporting or with the potential to affect the safety function (e.g., Central Processing Unit (CPU), memory chips, communication interface modules);

Paper ID 25875

2. The software supporting or with the potential to affect the safety function (e.g., operating system, library functions, communications software);
3. Embedded components such as power supplies, industrial digital devices of limited functionality or FPGA devices;
4. Software and hardware tools (e.g., calibration tools) used in the design, development, verification, validation, manufacturing, maintenance or modification of the platform; and
5. Documentation such as specifications, design documents, operation and maintenance manuals.

Although the specific application may not be known at the time of the qualification evaluation, the range or envelope of applications for the I&C platform and their critical characteristics should be defined.

The definition of the range of applications should include, but not be limited to: (1) the highest safety classification that the platform may fulfil; (2) the types of safety function(s) that the platform may fulfil; and (3) the non-functional requirements applicable to the platform (e.g., dependability, physical constraints, performance).

The platform should be classified according to its importance to safety, which will be driven by the application(s). So any constraints that the platform qualification imposes on its potential application (e.g.

maximum CPU load to maintain a deterministic behavior) should be explicitly identified during the qualification evaluation process. The platform qualification should also address, to the extent practicable, any digital I&C security requirements that may exist in the regulatory framework in which the platform is proposed for use.

1.2.2 Methods of Qualification The methods of qualification of I&C platforms for use in systems important to safety will vary depending upon the intended use of the platform. The platform may have been developed specifically for use in nuclear safety applications or may have been developed for general industrial use (i.e., it is considered a COTS platform). The following general guidance applies regardless of the intended use of the platform:

1. A graded approach should be taken to the qualification of the I&C platform; the qualification rigor applied should be commensurate with the safety classification of the intended application.
2. The qualification should include an evaluation of the outputs of the platform development process and a validation that the product is capable of meeting the functional and non-functional requirements.
3. The configuration management of the development and modification of the platform should be considered in the qualification.
4. The platform should be subject to equipment qualification (Electromagnetic Compatibility (EMC), environmental, seismic, etc.) in accordance with the standards and regulatory expectations applicable to the country in which it is to be used.
5. Access should be provided by the supplier to those artifacts (e.g., documentation, code, hardware) from the design, implementation, manufacture, verification and validation (V&V) of the platform necessary to facilitate the qualification. Access to such artifacts should be provided to the organization undertaking the qualification and also, as necessary, to the regulatory body for the country in which the platform is to be used.
6. If the information necessary to undertake the evaluation of the platform qualification is not available, then the decision may be that the platform is not suitable for use in systems important to safety.

For platforms developed for nuclear safety applications, the platform should be developed using the recognized nuclear standards, practices, and regulatory framework applicable in the country in which it is

Paper ID 25875 to be used. Thus, any deviations from the recognized nuclear standards, practices, and regulatory framework should be identified and justified. For platforms developed for general industrial use, or COTS, the following guidance applies:

1. The platform supplier should provide information such as the following prior to commencement of the qualification exercise: (1) The demonstration of an accredited quality management system; (2) A commitment to provide access to all artifacts necessary to complete the qualification, including those from sub-suppliers and certification bodies; and (3) Confirmation of the continued support of the platform.
2. The qualification of the platform may incorporate a combination of some or all the following methods: (1) Development process review; (2) Confirmation of the implementation of the suppliers quality management processes; (3) Independent confidence-building measures; (4)

Operating experience; and (5) Certification. Additional information concerning these methods is discussed below; but overall, the method or combination of methods used for the qualification should be justified. The acceptability of the overall qualification will be a matter for the regulatory body for the country in which the platform is to be used. For example, for the highest safety classification systems, the first two methods listed below could be considered mandatory.

a. Development process review: The platform design, development, manufacture, V&V, and maintenance should be reviewed against the nuclear standards, practices and regulatory framework applicable for the country in which it is to be used (Note: Such a process may be known in some countries as a commercial grade survey.). Any discrepancies found during the review should be addressed through the undertaking of compensating activities to be performed by the supplier, the licensee/applicant, and/or a sub-supplier.

Compensating activities should be targeted at the discrepancies found and may include, but are not limited to, the reverse engineering and verification of design documentation or additional analysis and testing.

b. Confirmation of the implementation of the suppliers quality management processes: This method includes activities such as witnessing at the suppliers premises the hardware fabrication and assembly, software development and testing, and supplier inspection activities. The approach taken to the suppliers procurement and use of components and products from sub-suppliers should also be demonstrated to be adequate for the platform in question. The development processes and products of sub-suppliers should be verified using the methods discussed herein. (Note: Sub-suppliers may themselves utilize components from other suppliers. Such components should be justified using the methods described herein. The platform qualification documentation should explicitly state and justify the depth to which analysis of the supply chain has been undertaken. This justification should consider the criticality of the components in fulfilling the safety functions performed by the platform.)
c. Independent confidence-building measures: This method includes tests, inspections, and analyses. It may be used to supplement the review of the platform development process by demonstrating that the platform product itself fulfills the range of applications and critical characteristics defined for its qualification. The independent confidence-building measures should be implemented and/or observed by an organization other than the platform supplier to ensure that this aspect of the qualification minimizes undue commercial influences. (Note: The supplier should conduct its own tests, inspections, and analyses as part of the platform development process.)
d. Operating experience: This method may be used to support the qualification of the platform. The amount of field data and the conditions under which the data is to be collected should be demonstrated to be sufficient as defined by the nuclear standards,

Paper ID 25875 practices, and regulatory framework applicable to the country in which the platform is to be used. The data should be shown to be applicable to the supplier, model, and version of the platform and its components. The platform operating experience should be shown to be relevant to the range of intended nuclear applications. The extent to which operating experience may be relied upon will vary from country to country; however, this method alone is insufficient to support the qualification of a platform for use in a system important to safety.

e. Certification: Platform suppliers may utilize a certification organization to assess the suppliers development process and product against a particular standard or standards.

The certification organization issues a certificate claiming compliance by the platform with that particular standard or standards. The acceptability of product certificates as a direct means of qualification varies between countries. It is not usually the case that a certificate alone would be considered acceptable as a qualification for the platform. The evidence generated as a result of a certification exercise should be made available in order to allow confirmation by the platform user and regulatory body of the acceptability of the certification process itself as well as the platform product. Such evidence would usually be similar to that generated using the methods described herein. Where certification of a platform forms part of its qualification, the certificate and evidence supporting it should identify the make, model, and version of all components within the scope of that certification. The range of applications and critical characteristics for which the platform has been certified should be explicitly stated. Information concerning the accreditation of the certifying body should be readily available and access should be provided to the certifying body personnel in order to confirm their competency for the activities they have undertaken.

3. Regardless of which methods are employed, sufficient evidence to complete an adequate qualification of an I&C platform may not always be available. In some cases, full access to qualification evidence that does exist will not always be possible due to suppliers intellectual property concerns. In such circumstances, architectural means may be employed to address or mitigate failures of the platform. For example, failures of a particular platform may be mitigated by the operations of a separate, diverse platform controlling the same plant equipment. The acceptability of this approach instead of an adequate platform qualification will be a matter for the regulatory body for the country in which the platform is to be used.
4. COTS platforms will usually contain functions not required for the fulfillment of nuclear safety functions. Depending upon the safety class of the platform, it may be necessary to remove such functions or to demonstrate that they do not interfere with the fulfillment of the safety functions.

The modification of the platform to remove such functions may lead to unintended consequences and reduce or remove the credit that may be taken for operating experience, for example.

5. In the case that the platform allows users to define their own library functions, these functions should be qualified by the user using the methods described above. The impact of the addition of these functions to the platform should be considered and demonstrated not to affect the qualification of the platform.

1.2.3 Documentation A report should be produced following completion of the qualification exercise by the qualifying party.

The qualification report should be subject to configuration management and as a minimum should clearly identify the following:

1. The make, model, and version of all components in the platform (hardware and software, including embedded components) that are considered to be within the scope of the qualification;

Paper ID 25875

2. The range of applications and critical characteristics that the platform has been qualified against;
3. The tools that have been assessed as part of the qualification exercise;
4. The artifacts that were assessed as part of the qualification exercise;
5. Any constraints that the platform qualification imposes on its application (e.g., maximum CPU load which then exceeds the limit that maintains determinism);
6. A justification of the method or combination of methods used for the qualification (see Section 1.2.2 above); and
7. A justification of the depth to which analysis of the supply chain has been undertaken.

1.2.4 The Application or Use of the Qualification The safety justification of an I&C system for use in an important to safety application should integrate the qualification of the platform with the justification for the application. The I&C platform may be qualified for use in a specific application or for use in a range of applications. In either case, the user should demonstrate that they understand the scope of the qualification and that the platform is used within the range of applications and critical characteristics for which it was qualified.

In some cases, a platform may have been previously qualified using standards and practices not recognized within the regulatory framework for the country in which it is to be used. If credit is to be taken for the previous qualification, then the user should demonstrate equivalence of the standards and practices used with those applicable to the regulatory framework for the country in which it is to be used. Any differences should be justified and may warrant further analysis and/or testing.

There may be additional items that may not be included as part of the platform qualification, such as architectural and interface requirements. These items should be identified in the qualification documentation and addressed in support of the applications using the platform. Furthermore, application-specific testing or analyses may be required to supplement the supplier's tests in order to: (1) build confidence in the platform and its functionality; and (2) examine its response to specific conditions or abnormal events, which are not performed in suppliers qualification.

1.2.5 The Maintenance of the Qualification The licensee/applicant is responsible for ensuring that the qualification of the platform used in a particular I&C application is up to date and supports the current configuration on the plant. (Note: The criteria for what constitutes an up-to-date qualification varies from country to country.) As such, the licensee/applicant should ensure that changes in other systems or equipment within the plant do not invalidate the qualification of the platform, such as the introduction of new equipment that invalidates the environmental qualification (e.g., temperature, EMC) of the platform.

Therefore, both the licensee/applicant and the supplier should have configuration control and change management systems in place to facilitate maintenance of the qualification. Specifically, the licensee/applicant should establish and maintain a process by which the supplier may inform them of any changes in their products in a timely manner such that changes may be understood and their impact analyzed prior to the components products being used in the plant. The licensee/applicant should ensure that changes in the configuration or use of the platform in a particular application do not invalidate the qualification. In the process of deciding whether to use COTS products or not, the licensee/applicant should consider the life expectancy of the platform (anticipating obsolescence) and the sustainability of the supplier.

2 CONCLUSIONS There may be different approaches when performing the evaluation of the qualification of a digital I&C platform for use in systems important to safety. This paper does not prescribe a particular approach

Paper ID 25875 but instead provides a sample framework for evaluating such qualification. Nonetheless, the approach taken for performing the evaluation of the qualification of a digital I&C platform should be justified for suitability for the particular important to safety application.

The methodology discussed by this paper is not to be construed as a requirement, regulation, or acceptable guidance by either domestic or international regulators. Instead, it is intended to serve as a potential foundation or technical basis to be used for developing clear and sufficient regulatory guidance for assessing the qualification of a digital I&C platform for use in systems important to safety.

3 ACKNOWLEDGMENTS This paper was derived from the ongoing work being performed by the Nuclear Energy Agency (NEA)

Committee on Nuclear Regulatory Activities (CNRA) Working Group on Digital Instrumentation and Control (WGDIC), which I have the honor and privilege to chair. For additional information concerning the NEA/CNRA WGDIC visit: https://www.oecd-nea.org/nsd/cnra/

(Note: The goal of the NEA/CNRA WGDIC is not to independently develop new regulatory standards.

As such, the technical work develop by the NEA/CNRA WGDIC is not legally binding and do not constitute additional obligations for the regulators or the licensees. Instead, the technical work resulting from the NEA/CNRA WGDIC constitutes guidelines, recommendations, or assessments that the NEA/CNRA participants agree are good to highlight during their safety reviews of operating and new reactors. The development of technical guidance for assessing the qualification of digital I&C platforms for systems important to safety follows the WGDIC examination of the regulatory requirements of the participating members and of relevant industry standards and International Atomic Energy Agency (IAEA) documents.)

4 REFERENCES

1. International Organization for Standardization (ISO), https://www.iso.org/certification.html (2018).
2. IEC 61513, Ed.2: Nuclear power plants - Instrumentation and control important to safety - General requirements for systems, (2011).
3. IAEA Safety Glossary Terminology Used in Nuclear Safety and Radiation Protection, http://www-ns.iaea.org/downloads/standards/glossary/iaea-safety-glossary-rev2016.pdf (2016).
4. EPRI TR-106439: Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, https://www.nrc.gov/docs/ML1033/ML103360462.pdf (1996).
5. IAEA SSG-39: Design of Instrumentation and Control Systems for Nuclear Power Plants, http://www-pub.iaea.org/MTCD/publications/PDF/Pub1694_web.pdf (2015).
6. IEC 63084 TR: Nuclear power plants - Instrumentation and control important to safety - Platform qualification for systems important to safety, (2017).

2018 International Congress on Advances in Nuclear Power Plants Qualification of Digital Instrumentation and Control Platform for use in Systems Important to Safety -

Evaluation Guidance Ismael L. Garcia Senior Technical Advisor Digital Instrumentation & Control Office of Nuclear Reactor Regulation U.S. NRC Email: Ismael.Garcia@nrc.gov Place logo or company name here

Acknowledgements

  • The evaluation guidance discussed herein was derived from the ongoing work being performed by the Nuclear Energy Agency (NEA) Committee on Nuclear Regulatory Activities (CNRA) Working Group on Digital Instrumentation and Control (WGDIC)

2

Road Map

  • Introduction
  • Evaluation Guidance

- The Scope of Qualification

- Methods of Qualification

- Documentation

- The Application or Use of the Qualification

- The Maintenance of the Qualification

  • Closing Remarks/Take-aways 3

Introduction

  • Platform - A set of hardware and software components that may work co-operatively in one or more defined architectures or configurations
  • The qualification of digital I&C platforms for use in systems important to safety at nuclear power plants is needed to demonstrate suitability for their intended applications
  • Evaluation guidance in this area is warranted given the increase use of digital I&C systems in operating and new reactor designs and its safety implications 4

Evaluation Guidance Framework 5

Evaluation Guidance - Scope

  • The scope of the platform qualification should be defined, and should comprise of items such as:

- Software/Hardware with the potential to affect a safety function

- Software/Hardware tools

- Documentation

  • The range or envelope of applications for the I&C platform and their critical characteristics should be defined
  • Any constraints that the platform qualification imposes on its potential application should be explicitly identified 6

Evaluation Framework - Methods

  • The qualification of the platform may incorporate a combination of some or all the following methods:

- Development process review

- Confirmation of the implementation of the suppliers quality management processes

- Independent confidence-building measures

- Operating experience

- Certification

  • Sufficient evidence to complete an adequate qualification of an I&C platform may not always be available 7

Evaluation Framework - Documentation

  • A report should be produced following completion of the qualification exercise and as a minimum should clearly identify items such as:

- The make, model, and version of all components in the platform that are considered to be within the scope of the qualification

- The range of applications and critical characteristics that the platform has been qualified against 8

Evaluation Framework -

The Application or Use of the Qualification

  • The platform should be used within the range of applications and critical characteristics for which it was qualified
  • A platform may have been qualified using standards and practices not recognized within the regulatory framework for the country in which it is to be used

- Perform an equivalence evaluation

  • Application-specific testing or analyses may be required to supplement the supplier's tests 9

Evaluation Framework -

Maintenance of the Qualification

  • The licensee/applicant should ensure that changes in other systems or equipment within the plant do not invalidate the qualification of the platform
  • The licensee/applicant and the supplier should have configuration control and change management systems in place to facilitate maintenance of the qualification 10

Closing Remarks/Take-Aways

  • There may be different approaches when performing the evaluation of the qualification of a digital I&C platform for use in systems important to safety
  • The approach taken for performing the evaluation of the qualification of a digital I&C platform should be justified for suitability for the particular important to safety application
  • The methodology discussed herein is not to be construed as a requirement or regulation 11

12

Retrieved from "https://kanterella.com/w/index.php?title=ML19031C862&oldid=4938427"