Draft Regulatory Guide: Issuance, Availability

AGENCY:

Nuclear Regulatory Commission.

ACTION:

Notice of Issuance and Availability of Draft Regulatory Guide, DG-1249, “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.”

FOR FURTHER INFORMATION CONTACT:

Timothy Mossman, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone: (301) 415-3647, e-mail Timothy.Mossman@nrc.gov or Deanna Zhang, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone: (301) 415-1946, e-mail Deanna.Zhang@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Introduction

The U.S. Nuclear Regulatory Commission (NRC) is issuing for public comment a draft guide in the agency's “Regulatory Guide” series. This series was developed to describe and make available to the public such information as methods that are acceptable to the NRC staff for implementing specific parts of the NRC's regulations, techniques that the staff uses in evaluating specific problems or postulated accidents, and data that the staff needs in its review of applications for permits and licenses.

The draft regulatory guide (DG) is temporarily identified with its task number, DG-1249, which should be mentioned in all related correspondence. DG-1249 is proposed Revision 3 of Regulatory Guide 1.152, dated January 2006. This guide describes a method that the staff of the NRC considers acceptable to implement Title 10, of the Code of Federal Regulations, Part 50, “Domestic Licensing of Production and Utilization Facilities” (10 CFR Part 50); 10 CFR 50.55a(h); General Design Criterion (GDC) 21, “Protection System Reliability and Testability,” of Appendix A, “General Design Criteria for Nuclear Power Plants,” to 10 CFR Part 50; and Criterion III, “Design Control,” of Appendix B, “Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants,” to 10 CFR Part 50 with regard to use of computers in safety systems of nuclear power plants. This guide applies to all types of commercial nuclear power plants.

DG-1249 acknowledges that 10 CFR 73.54, “Protection of Digital Computer and Communication Systems and Networks,” requires licensees to develop cyber-security plans and programs to protect critical digital assets, including digital safety systems, from malicious cyber attacks. Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities,” provides guidance to meet the requirements of 10 CFR 73.54. The combination of DG-1249 and the programmatic provisions under 10 CFR 73.54 should seamlessly address the secure design, development, and operation of digital safety systems. To seamlessly address these issues, DG-1249:

1. Eliminates all reference to cyber security, malicious activity, or attacks, as those considerations now fall under the purview of 10 CFR 73.54. Since there is now a regulation and associated guidance specifically designed to address cyber security, Regulatory Guide 1.152 no longer needs to address cyber security. To eliminate any duplication between the documents, references to cyber security and any protection against a malicious, intelligent adversary have been removed.

2. Emphasizes Regulatory Guide 1.152's focus on security for the protection of digital safety systems against non-malicious events, per Clauses 5.6.3 and 5.9 of the Institute of Electrical and Electronic Engineer (IEEE) standard 603-1991. Non-malicious events include incidents in which an operator or other plant personnel could inadvertently access the digital safety system and affect its ability to reliably perform its safety function. Non-malicious events also include undesirable behavior of connected systems which could degrade the reliable operation of the digital safety system.

3. Deletes Regulatory Positions 2.6 through 2.9, which address security in the operational phases of a system's life cycle. Licensing is complete once the Factory Acceptance Testing is concluded. The licensee's cyber security programs, to meet the requirements of 10 CFR 73.54, should now address these considerations. (Regulatory Positions 2.1 through 2.5 apply to licensing determinations in the evaluation of applications for license amendments, design certifications, and combined operating licenses.)

“Security,” in the context of DG-1249, refers to protective actions taken against a predictable set of non-malicious acts (e.g., inadvertent operator actions or the undesirable behavior of connected systems) that could challenge the integrity, reliability, or functionality of a digital safety system.

“Cyber security” refers to those measures and controls taken as part of compliance with 10 CFR 73.54 that protect digital systems against the malicious acts of an intelligent adversary.

The objective of this revision is to (1) clarify the relationship between 10 CFR Part 50 and 10 CFR Part 73, “Physical Protection of Plants and Materials,” regarding the security of digital safety systems, (2) remove regulatory positions that are now covered by other regulations to eliminate the potential for any perceived conflict, and (3) to clarify the remaining regulatory positions.

The NRC staff is revising Regulatory Guide 1.152 to provide what the staff considers to be an acceptable method of meeting the NRC regulations. Previous revisions should not be used by applicants for new licensing actions. NRC staff believes that continued use of previous revisions of the Regulatory Guide by existing nuclear power plant licensees is acceptable (i.e., meets all NRC requirements, and provides reasonable assurance of adequate protection to public health and safety, and common defense and security). Revision of this Regulatory Guide does not modify any prior commitments made by licensees to the NRC or Agreement States. Therefore, a licensee that has made a commitment must continue to meet that prior commitment, or the commitment should be modified in accordance with the licensee's commitment management process. The previous revision of this Regulatory Guide will continue to be publically available on the NRC public Web site.

II. Further Information

The NRC staff is soliciting comments on DG-1249. Comments may be accompanied by relevant information or supporting data and should mention DG-1249 in the subject line. Comments submitted in writing or in electronic form will be made available to the public in their entirety through the NRC's Agencywide Documents Access and Management System (ADAMS).

ADDRESSES:

You may submit comments by any one of the following methods. Please include Docket ID NRC-2010-0216 in the subject line of your comments. Comments submitted in writing or in electronic form will be posted on the NRC Web site and on the Federal rulemaking Web site Regulations.gov. Because your comments will not be edited to remove any identifying or contact information, the NRC cautions you against including any information in your submission that you do not want to be publicly disclosed.

The NRC requests that any party soliciting or aggregating comments received from other persons for submission to the NRC inform those persons that the NRC will not edit their comments to remove any identifying or contact information, and therefore, they should not include any information in their comments that they do not want publicly disclosed.

Federal Rulemaking Web site: Go to http://www.regulations.gov and search for documents filed under Docket ID NRC-2010-0216. Address questions about NRC dockets to Carol Gallagher 301-492-3668; e-mail Carol.Gallagher@nrc.gov.

Mail comments to: Cindy K. Bladey, Chief, Rules, Announcements, and Directives Branch, Office of Administration, Mail Stop: TWB-05-B01M, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by fax to RDB at (301) 492-3446.

You can access publicly available documents related to this notice using the following methods:

NRC's Public Document Room (PDR): The public may examine and have copied for a fee publicly available documents at the NRC's PDR, Room O1 F21, One White Flint North, 11555 Rockville Pike, Rockville, Maryland.

NRC's Agencywide Documents Access and Management System (ADAMS): Publicly available documents created or received at the NRC are available electronically at the NRC's Electronic Reading Room at http://www.nrc.gov/reading-rm/adams.html. From this page, the public can gain entry into ADAMS, which provides text and image files of NRC's public documents. If you do not have access to ADAMS or if there are problems in accessing the documents located in ADAMS, contact the NRC's PDR reference staff at 1-800-397-4209, 301-415-4737, or by e-mail to pdr.resource@nrc.gov. DG-1249 is available electronically under ADAMS Accession Number ML100490539. The regulatory analysis may be found in ADAMS under Accession No. ML101320317. In addition, electronic copies of DG-1249 are available through the NRC's public Web site under Draft Regulatory Guides in the “Regulatory Guides” collection of the NRC's Electronic Reading Room at http://www.nrc.gov/reading-rm/doc-collections/

Federal Rulemaking Web site: Public comments and supporting materials related to this notice can be found at http://www.regulations.gov by searching on Docket ID: NRC-2010-0216.

Comments would be most helpful if received by August 20, 2010. Comments received after that date will be considered if it is practical to do so, but the NRC is able to ensure consideration only for comments received on or before this date. Although a time limit is given, comments and suggestions in connection with items for inclusion in guides currently being developed or improvements in all published guides are encouraged at any time.

Regulatory guides are not copyrighted, and Commission approval is not required to reproduce them.