January-February 2019 NPJ

The NRC has also assessed the approaches used by nuclear regulatory authorities in other countries for digital I&C permitting. For example, the NRC has participated in the Working Group on Digital I&C (WGDIC) [5] within the Nuclear Energy Agency's (NEA's) Committee on Nuclear Regulatory Activities. This group was formed to promote harmonization and improvements in nuclear safety by developing consensus positions on digital I&C topics and technical issues of concern to NEA member countries, for both operating and new reactors. From this effort, the NRC gained valuable insights into how regulatory authorities in other countries permit the use of digital I&C systems and equipment for nuclear safety applications. One insight is that there is universal recognition that defense-in-depth and diversity provisions are needed to protect against potential common cause failure vulnerabilities that could challenge plant safety. However, regulatory authorities in different countries accept a variety of methods for demonstrating that common cause failure vulnerabilities are adequately addressed. The NRC is exploring how the permitting approaches used by these regulatory authorities can be incorporated into the NRC's digital I&C regulatory framework to support a more safety-focused review.

Comparison of Approaches to Permitting the Use of Digital I&C in Safety Applications

Safety-critical industries, such as the civil aviation, medical device, automobile, railroad, and chemical process industries, and the military, have adopted digital I&C technologies. However, not all of these industries are subject to an explicit permitting process or regulatory approval for the equipment used in their respective safety applications.
This report focuses on the civil aviation, automobile, and medical device industries because, like the civilian nuclear sector, these industries are subject to regulations that require permitting for digital I&C within the broader process of certifying or licensing a whole device or system, so that it can be assessed whether the application of these components satisfies the relevant safety goals, objectives, and requirements.

A. Civil Aviation

The Federal Aviation Administration's (FAA's) permitting approach, known as design approval, uses a combination of mandatory requirements and voluntary guidance. The process [6] consists of five phases, each with a different level of engagement between the applicant and the FAA, to increase efficiency. One practice used by the FAA is the appointment of designated engineering representatives [7] as third-party verifiers for the aircraft. Such a representative may approve technical data, or recommend that the FAA approve it, in support of aircraft certification. Safety-critical equipment on each certified aircraft must be approved by the FAA through a rigorous process demonstrating that the equipment design is appropriate for the equipment's intended functions. At its highest level, FAA guidance provides a general safety assessment process and allows development and test activities to be graded. Airworthiness regulations [8] for the instrument systems of certified aircraft specify the design principles of single-failure-proof design, independence, and equipment isolation. The FAA has published advisory circulars that recognize voluntary consensus standards for aircraft avionics equipment to address the permitting process for each airframe as part of the overall aircraft certification process. [9] These voluntary industry consensus standards and recommended practices are coordinated internationally.
For digital I&C-specific guidance, Advisory Circular 20-115D [10] recognizes DO-178C, "Software Considerations in Airborne Systems and Equipment Certification," as one consensus standard that supports satisfying the airworthiness requirements that relate to the production of software for airborne systems. DO-178C applies a graded approach that classifies software by the consequences to the aircraft, crew, and passengers of a software failure. Software that commands, controls, or monitors safety-critical functions is most likely assigned the highest software level (Level A), meaning that its failure may result in catastrophic consequences, including deaths and loss of the airplane. The rigor of the software design requirements and of the development and testing activities follows from this classification. To improve efficiency, the FAA also established a method for approving "Integrated Modular Avionics," which allows an approved generic digital platform to be used in many aircraft applications. There are many similarities in the high-level regulatory requirements (e.g., single-failure-tolerant designs, independence, and equipment isolation) between the nuclear power and civil aviation industries. In addition, both the FAA and the NRC endorse consensus standards as voluntary guidance that applicants and licensees can use to satisfy regulatory requirements. Specific to digital I&C, both the FAA and the NRC have established methods for permitting generic digital I&C platforms that can be used for a variety of safety applications. Several elements of the FAA's permitting approach could apply to the NRC's digital I&C permitting approach. For example, the NRC could adopt a more graded approach to digital I&C equipment classification, based on the consequence of the equipment's failure for overall plant safety, with a correspondingly graded set of design, development, and testing requirements.
The use of third-party certifiers is another FAA concept the NRC could adopt as a way to address the critical characteristics required of devices that are dedicated for safety applications under the NRC's commercial grade dedication process. The NRC is considering these elements as part of its overall digital I&C regulatory framework modernization efforts and has held periodic interactions with the FAA to facilitate this effort. The NRC (Continued on page 36)
