8
Dedication of Commercial Off-the-Shelf Hardware and Software

INTRODUCTION

The nuclear industry typically obtains its components from vendors who apply the set of "nuclear-grade" criteria contained in Title 10 CFR Part 50, Appendix B. However, the nuclear industry has become a rather small market, and some vendors (such as Allen-Bradley) are discontinuing their nuclear-grade line of equipment. The decreasing number of suppliers is also leading to increasing costs for nuclear-grade equipment.

Therefore, there is potential for taking advantage of the lower cost and extensive history of widely used commercial off-the-shelf (COTS) equipment if it can be shown to meet the same quality requirements. As a result, it has become common for utilities and other companies to purchase COTS or commercial-grade items[1] and then to qualify them for use in safety systems by performing a special qualification process called "dedication," which is intended to assure a level of quality equivalent to that obtained for components developed and produced under the formal quality programs of Title 10 CFR Part 50, Appendix B. The utility typically performs this "dedication" by specifying the essential physical and performance characteristics of the item in question and then demonstrating that the item has these characteristics.

Qualification Process

For digital instrumentation and control (I&C) equipment and software developed for nuclear-grade service from the outset, the required assurance is developed by controlling and monitoring the software design and development process as well as through formal verification and validation (see Chapter 4). For commercial items, however, such processes are not generally performed with the requisite formality and documentation, and it can be difficult to go back and reperform them, particularly at an acceptable cost. Therefore, dedication of digital I&C systems is difficult insofar as it entails assuring software correctness and identifying and evaluating the failure modes with only limited knowledge and control of the software development processes.

In general, replacement commercial equipment can be used in nuclear power plant nonsafety grade applications if it meets the utility performance standards. These standards are usually satisfied by choosing proven, commercially available items that are widely used and have an acceptable performance record in similar applications. However, in applications whose performance can affect nuclear plant safety and the plant licensing basis, a higher standard must be met and the regulatory authorities must be satisfied that the performance and quality of a given item are compatible with the conditions of the license. For these applications, an agreed-upon method is needed for assessing and qualifying the items for their intended service.

Currently, dedication of COTS digital I&C systems tends to be achieved on an individual project basis by some utilities. A better-defined and more stable approach is needed. A key issue to be resolved is how to deal with the failure modes of the item, particularly unintended or unexpected results from software or hardware failures. This involves identifying the potentially damaging failure modes, assuring that these failure modes are subject to periodic or built-in testing so that their occurrence is obvious to the operators, and assuring that the plant systems and the operators' procedures and training are such that the failures can be coped with. This issue makes the dedication and subsequent licensing process particularly challenging.

This issue applies equally to new plants and retrofits. But it is pressing for existing plants, since there is a need for COTS digital I&C systems to replace aging and increasingly obsolete analog items.

Statement of the Issue

What methods should be agreed upon by the regulators and the licensees to evaluate and accept the use of commercial off-the-shelf digital I&C systems in safety applications in nuclear power plants?

[1] Commercial-grade items are safety-related systems, components, or parts that were not designed and manufactured under a quality assurance program that complies with Title 10 CFR Part 50, Appendix B.

CURRENT U.S. NUCLEAR REGULATORY COMMISSION REGULATORY POSITIONS AND PLANS

Current Position

The U.S. Nuclear Regulatory Commission's (USNRC's) stated regulatory basis for addressing COTS hardware and software is rooted in the rule governing the use of commercial-grade items in general. In particular, the USNRC has issued a revised rule, Procurement of Commercial Grade Items by Nuclear Power Plant Licensees (Title 10 CFR Part 21) (USNRC, 1995b). As stated in the public announcement accompanying the rule:

The new regulation clarifies the process for acceptance of "commercial-grade items" for safety-related applications. The process also ensures that this is done in a manner that avoids unnecessary delay and expense while maintaining an adequate level of plant safety. The regulation contains the following provisions: an expanded definition of "commercial-grade items"; a more flexible process allowing "dedication" by licensees, manufacturers, or third parties which will ensure the item will perform its intended safety function, in addition to the quality assurance programs of dedicating entities; clarification that the entity performing the "dedication" is responsible for discovering and evaluating deficiencies, reporting any defects and failures to comply.

The rule includes an important caveat, potentially applicable to digital I&C hardware and software used in safety systems. That is, the final rule reflects the USNRC position that not all components can be properly dedicated after the design or manufacturing process is completed. This caveat applies to that limited class of components for which quality assurance is an integral part of the manufacturing process, so that one or more of their critical characteristics cannot be attested to after the fact. The rule does not specifically mention digital I&C components.
Subsequent activities by the USNRC staff in setting up procedures to review COTS in digital I&C applications clearly indicate that the USNRC expects to use the new rule for digital systems. On this basis, the caveat does not appear to be intended to disallow digital I&C COTS. In order to provide specificity in applying the general rule, the use of digital I&C COTS is to be addressed in the revision to the Standard Review Plan (SRP) that is under way. A new branch technical position on dedication of COTS hardware and software is also currently under development. The revised SRP is expected to endorse, perhaps with some caveats or exceptions, the draft guidance provided in this area, EPRI [Electric Power Research Institute] TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications (EPRI, 1996). The USNRC participates in and follows the work of the EPRI working group on COTS that produced this guidance document. It also participates in several industry groups active in this area.

Research and Plans

The USNRC research staff indicated to the committee that they have no specific research or plans in this area except to participate in and monitor several industry working groups, to monitor any pertinent Halden Reactor Project results, and to evaluate the recommendations from the report prepared by the MITRE Corporation, High Integrity Software for Nuclear Power Plants (USNRC, 1995a). There is other work in progress at the national laboratories sponsored by the USNRC that is applicable to the COTS issue. For example, NUREG/CR-6421, A Proposed Acceptance Procedure for Commercial Off-the-Shelf (COTS) Software in Reactor Applications, was formally issued in early 1996 (USNRC, 1996). This work is being reviewed by the USNRC in developing the revised SRP and any needed branch technical positions.

DEVELOPMENTS IN THE U.S. NUCLEAR INDUSTRY

There are a number of U.S. nuclear industry groups working on COTS as applied to digital I&C applications in nuclear power plants. Most of these groups have at least informal communication and coordination, since they share some of the same members and the same general goals. The activities and particular interest of each group are briefly discussed below.

Electric Power Research Institute

A nuclear industry working group sponsored by EPRI is developing an industry consensus guideline for cost-effective evaluation and acceptance of COTS digital equipment for real-time process monitoring, control, and protection (safety) applications in nuclear power plants (EPRI, 1996). This 35-member group of nuclear utilities and vendors is drawing from other safety-critical industry experience, and it hopes to obtain USNRC support and endorsement; USNRC staff members have attended meetings. The group's approach is based on the existing and widely used guideline for COTS, EPRI NP-5652, Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Related Applications (EPRI, 1988). The EPRI working group agreed at the outset to base its work on NP-5652 because there is an extensive experience base in dedication, although very little of it to date applies to digital I&C components. As a result, the EPRI working group is trying to make clear how to apply the NP-5652 standard to the new issues presented by digital I&C, microprocessor-based systems. For example, NP-5652 recognizes four methods for verifying critical characteristics of a commercial device: (1) special tests and inspections, (2) commercial grade survey of supplier, (3) source verification, and (4) acceptable supplier/item performance record. For many existing components such as bolts or mechanical devices, the method of inspection or testing is adequate by itself. As is discussed elsewhere in this report, however, for digital devices including software, inspection and testing of the final product is not likely to be satisfactory. The EPRI working group also recognizes this and expects that, rather than depending on a single method, a combination of the four methods must be used for digital I&C COTS applications. A second-tier document will provide specific examples and more detailed "how to" guidance (see below).

The EPRI working group has issued its guidance in draft form (EPRI, 1996). This guidance currently suggests an approach that applies criteria and verification activities appropriate for (or commensurate with) the safety significance of the application. This approach is based on the same principles as have been recognized in the USNRC's Generic Letter 95-02 as well as in the USNRC rule on dedicating commercial items (USNRC, 1995b) and USNRC guidance on the use of 10 CFR 50.59. That is, not all digital I&C applications warrant an exhaustive treatment of every aspect of the design, implementation, and quality assurance provisions. Rather, the dedication activities should be commensurate with the complexity and safety significance of the specific application. Because the USNRC staff in the past has been reluctant to accept COTS for safety-grade digital I&C applications, the EPRI working group is proceeding in two steps.

FIGURE 8-1 Equivalent level of assurance for nuclear grade and commercial digital equipment. Source: EPRI.
First, the group is developing its high-level guideline (issued in draft form, EPRI, 1996) on which to build an industry and USNRC consensus as to how the use of COTS in digital I&C safety-grade applications could be made acceptable. The final form of this high-level guideline was to be issued during 1996. Somewhat in parallel, the working group will also develop a complementary set of more detailed guidance on how to implement the guideline.

The approach of the EPRI working group compares the vendor development, integration, testing, and configuration control processes (commercial grade) with the approach in Title 10 CFR Part 50, Appendix B (nuclear grade) (see Figure 8-1). It then assesses whether other factors compensate for differences; these factors include a careful review of operating history and experience, additional verification and validation, and use of special testing and (failure or hazard) analysis. The operating experience must be documented and relevant (i.e., the equipment must have been operated in a nearly identical application). The goal of the EPRI approach is to achieve an equivalent level of assurance for both nuclear-unique and commercial-grade, dedicated equipment.

Nuclear Utilities Software Management Group

The Nuclear Utilities Software Management Group (NUSMG) has developed Guidance for the Dedication of Commercial Grade Computer Software (NUSMG, 1995) to provide guidance on dedication of COTS software for design, maintenance, and operation of safety applications in nuclear power plants. The guideline may also be used for review of software modifications. The NUSMG approach relies on functional requirements and acceptance criteria review, vendor survey audits, past customer surveys, similar operating history, review of software discrepancies, vendor and independent acceptance testing, and failure analysis. USNRC staff members have attended meetings of this seven-member utility group.

IEEE 7-4.3.2 Working Group

IEEE 7-4.3.2 is a principal standard for quality assurance of digital I&C systems. The standard, except for the annex, has recently been endorsed by the USNRC through issuance of Regulatory Guide 1.152. The annex to the 1993 edition of this standard (IEEE, 1993) addressed some of the technical issues associated with vendor development processes in a format similar to a typical commercial-grade survey, e.g., how the part was built and what quality control methods were used. The standard identified specific safety requirements to test and confirm, in a manner similar to EPRI NP-5652 (EPRI, 1988).
Presently, the IEEE 7-4.3.2 working group, which consists of approximately 17 individuals from utilities, vendors, the USNRC, national laboratories, and other entities, is embarking upon a one- to two-year effort to update this standard to more fully address vendor supply, COTS, and commercial-grade dedication (Richard Blauw, working group chairman, personal communication to Tracy Wilson, March 28, 1996). The annex to the standard will also be improved to allow use of documented, relevant commercial experience, and to note its limitations. USNRC staff members have been involved in the work of this group, which has also interacted with both the EPRI and NUSMG groups described above.

DEVELOPMENTS IN THE FOREIGN NUCLEAR INDUSTRY

The staff of Ontario Hydro and British Nuclear Electric have reported to the committee that they are conducting research on the use of COTS. For example, Ontario Hydro's OASES standard includes guidance on evaluation of COTS based on operating history, user input, goodness of design, software quality assurance process, and the maintenance process. A failure modes analysis may then place constraints on COTS component usage based on system design impacts, and additional verification testing and reviews may be conducted to gain additional assurance (Joannou, 1995).

While there are no current licensing limitations, the Japanese reportedly do not use COTS in safety applications, only in nonsafety-related applications. However, in their latest plant designs, which are being developed with General Electric, it appears that some of the key safety-grade digital equipment and software places heavy reliance on prior satisfactory service in nonnuclear applications to establish the bases for the acceptable quality of the nuclear grade applications (Simon, 1996).

DEVELOPMENTS IN OTHER SAFETY-CRITICAL INDUSTRIES

The EPRI working group on COTS has reportedly interacted extensively with other safety-critical industries, and the group's guidance (EPRI, 1996) is based on lessons learned from those applications. Examples known directly to the committee of COTS applications in other safety-critical industries include the new Mission Control Center at NASA's Johnson Space Center, which reported that technical and functional requirements were met at an $80 million savings by significant use of COTS hardware and software (Loral, 1996). The railroad industry is also beginning to use some COTS in switching signal designs (Profetta, 1996); but the implantable medical device sector does not yet use COTS in internal devices, although apparently it uses COTS in external devices for programming the digital circuits actually implanted (Elliott, 1996).

International Society for Measurement and Control

The SP 67 Nuclear Power Plant Standards Committee of the International Society for Measurement and Control[2] (ISA) is charged with development of standards for I&C systems in nuclear power plants and associated industries. A subcommittee of SP 67 (SP 67.16, Safety-Related, Digital-Based System Upgrades at Nuclear Power Plants) is monitoring the design, testing, installation, and licensing of analog-to-digital upgrades and the need for appropriate standards and guidelines. One of the working groups under SP 67.16 is examining the issue of dedication of commercial-grade (COTS) hardware and software (including firmware) in nuclear safety-related control, protection, and monitoring applications (Timothy Hurst, working group chairman, personal communication to Tracy Wilson, March 28, 1996; and working group charter). The group is considering testing, installation, operations, and configuration control aspects. The approximately 20 members of this working group represent nuclear utilities, vendors, regulators, academicians, and others. The ISA SP 67.16 working group is interfacing with the EPRI working group (including having reciprocal members) and providing comments on the draft EPRI guidelines (EPRI, 1996). It is awaiting completion of the EPRI work before it develops its plans. The EPRI guidelines may be used to provide the basis for the development of an ISA/ANSI [American National Standards Institute] standard or guideline on COTS, although this may be several years away. USNRC staff members attend meetings of this ISA working group.

[2] Formerly known as the Instrument Society of America.

Military Uses of COTS

In 1994, the Department of Defense embarked upon an effort to reduce its reliance upon military specifications and to more fully adopt the use of COTS hardware and software. These efforts were addressed in a recent report by the Defense Science Board (1994). Also, the Canadian Department of National Defense is sponsoring research by the Canadian National Research Council on use of COTS in systems development, particularly the attendant development, deployment, and maintenance problems of integrating disparate COTS components with software extensions ("glue") (National Research Council of Canada, 1996). However, the committee is unaware of any specific guidance for evaluation of COTS that has yet resulted from these efforts.

ANALYSIS

At present there is no clear guidance for the dedication of COTS digital I&C hardware and software for safety-related application in nuclear power plants. To address this need, several industry groups are working to develop guidance documents and standards. The USNRC is participating in and monitoring the efforts of these groups with the intent of eventually endorsing the results.
Such endorsement may, however, be subject to caveats or exceptions, a possibility raised by issues of consistency and efficiency: Will the eventual results produced by the different groups be consistent? Can the process be brought to closure relatively quickly so that specific, definitive regulatory guidance can be given?

With respect to the first question, contacts with the groups involved and brief reviews of the initial results, particularly EPRI TR-106439 (EPRI, 1996), indicate that there is sufficient informal coordination and communication between the various groups to allow the desired consistency to be achieved. The natural staging or sequencing of the work by the groups will also aid in achieving consistency, in that the EPRI working group's draft guidance document has already been issued, giving the other groups the benefit of the EPRI results as a guide to their own efforts. Further, the participation by USNRC staff in these working groups can also help bring consistency to these efforts.

With regard to the second question (whether the USNRC will be able to efficiently utilize the results in developing definitive regulatory guidance), the committee expects that the USNRC staff's early interaction with the working groups will put the USNRC in a position to move quickly on its formal endorsement. An important use USNRC staff can make of its interaction with the various working groups is to review the applicable work of the national laboratories so that any differences from the evolving industry guidelines are recognized and resolved. For example, NUREG/CR-6421 (USNRC, 1996) and EPRI TR-106439 both provide suggested approaches to acceptance of COTS digital components. Differences between the two that the USNRC needs to address in developing its regulatory guidance documents include:

- The NUREG/CR-6421 approach is more detailed and relies more heavily on information extracted from existing standards. EPRI TR-106439 has less detail and counts on its second-tier "how to" guidance to provide more of this detail.
- Both documents have methods for making COTS dedication activities commensurate with safety significance. NUREG/CR-6421 considers only safety significance and largely follows the IEC 1226 standard. The EPRI approach uses both safety classification and complexity of the component.
- The two documents present their criteria in different ways, but both intend that in qualifying COTS a considerable amount of engineering judgment be applied in determining that the dedicated component meets the necessary standards. The second-tier EPRI guidance will provide examples and more explicit details as to the mechanics and specific techniques of this process. The NUREG report tends to be more prescriptive.

In connection with resolving these differences, the committee calls attention to the need for the COTS guidance to be clear on the necessary attributes that the hardware and software must have. Once these attributes are well-defined, there may be various acceptable methods of assessing whether or not the attributes are adequately provided. These methods can include appropriate testing and experience reviews. Once these methods are defined and used, requisite experience will accumulate and provide increasing confidence. The committee notes that the FAA's DO-178B, Software Considerations in Airborne Systems and Equipment Certification (FAA, 1992), is primarily based on defining needed attributes, rather than methods of proving these attributes; the FAA document also includes guidance on assuring that these attributes are adequately satisfied by COTS. The committee suggests that the USNRC and the industry groups consider this FAA document in further work on COTS.

To summarize the committee's view of COTS, its use provides a major opportunity but also presents a challenge. The use of COTS could likely be very helpful in addressing the increasing obsolescence of installed I&C systems in nuclear plants by expanding the sources of modern equipment available for use. The challenge, particularly for safety-critical applications, is to obtain the needed quality at an acceptable cost. Dedication of commercial components requires much more information than commercial vendors are accustomed to supplying. This is because the key is assessing whether the previous applications are sufficiently similar to the application of interest and how effective the proper experience is in establishing the adequacy of important attributes such as reliability.[3] Some vendors may be unwilling to provide or share their proprietary information, particularly about development or testing procedures and results of service experience. Further, utilities and the USNRC will have to be proactive about finding ways to pool needed information, perhaps, in part, by providing and maintaining dedication on more generic components. Nevertheless, the key uncertainty is whether dedication of commercial digital I&C components will be cost-effective. Only experience will provide a definitive answer.

CONCLUSIONS AND RECOMMENDATIONS

Conclusions

Conclusion 1. Use of COTS hardware and software is an attractive possibility for the nuclear industry to pursue, provided that a technically adequate dedication process can be formulated and that this process does not negate the cost advantages of COTS.

Conclusion 2. The recently developed draft guideline of the EPRI working group, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, appears to have potential as the basis for reaching industry and USNRC consensus on the COTS issue.
In view of this possibility, the committee notes that the guideline and the follow-on (second-tier) guidance should assure that the necessary and sufficient attributes of digital I&C applications are defined for both hardware and software. Once these attributes are well-defined, various acceptable methods of assessing the validity of the attributes can be more readily ascertained and used, and the requisite experience gained. As an example of the type of approach the committee considers appropriate, the EPRI working group and the USNRC staff should consider the FAA's DO-178B guideline for digital avionics, Software Considerations in Airborne Systems and Equipment Certification, which includes guidance on COTS.

Conclusion 3. Software quality assurance and safety and reliability assessment methods are strongly related to COTS. The committee's conclusions in Chapters 4 and 6, respectively, should therefore also be considered. Dedication processes for COTS should also prove relevant in cases where standardized software is reused among similar nuclear applications.

Conclusion 4. The USNRC involvement in the EPRI, NUSMG, IEEE, and ISA working groups is very useful and should aid the USNRC in developing specific guidance to address the COTS issue.

Conclusion 5. The approach to COTS must apply criteria and verification activities commensurate with the safety significance and complexity of a specific application. For example, the level of verification activities applied to small-scale replacements of recorders and indicators would not be the same as that applied to large-scale replacements of reactor protection systems.

Recommendations

Recommendation 1. The USNRC staff should assure that their involvement in the EPRI, NUSMG, IEEE, and ISA working groups means that USNRC concerns and positions are being addressed, so that any standards or guidelines developed by these groups can be quickly accepted and endorsed by the USNRC.

Recommendation 2. The USNRC should establish what research is needed to support USNRC acceptance of COTS in safety applications in nuclear plants. This research should then be incorporated into the overall research plan.

Recommendation 3. The USNRC regulatory guidance on the use of COTS should recognize and be based on the principle that criteria and verification activities are to be commensurate with the safety significance and complexity of the specific application.

[3] There is controversy as to whether public domain COTS or proprietary COTS will be more acceptable. For example, some argue that proprietary COTS is more likely to be superior because the application may be more nearly similar to the intended use and there can be a more systematic collection of problems and documented resolutions. Others argue that public domain COTS, if it is properly "aged," is more reliable because it will have experienced far more different operational settings, which should make it less susceptible to environmental problems. The committee does not have any information which leads to a conclusion as to which is more reliable.

REFERENCES

Defense Science Board. 1994. Acquiring Defense Software Commercially. Washington, D.C.: Defense Science Board.

Elliott, L. 1996. Presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., April 16.

EPRI (Electric Power Research Institute). 1988. Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Related Applications. EPRI NP-5652. Palo Alto, Calif.: EPRI.

EPRI. 1996. Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications (draft). EPRI TR-106439. Palo Alto, Calif.: EPRI. (Also Ray Torok, EPRI, briefing to the committee, Irvine, Calif., February 28, 1996.)

FAA (Federal Aviation Administration). 1992. DO-178B, Software Considerations in Airborne Systems and Equipment Certification. Washington, D.C.: FAA.

IEEE (Institute of Electrical and Electronics Engineers). 1993. IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations. IEEE Std 7-4.3.2-1993. New York: IEEE.

Joannou, P. 1995. Presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., December 14.

Loral (Loral Space Information Systems). 1996. Mission Control Center Upgrade at NASA Johnson Space Center. Loral Corporation press release. Houston, Tex.

National Research Council of Canada. 1996. Project Summary: Using COTS Software in Systems Development. Ottawa: National Research Council of Canada.

NUSMG (Nuclear Utilities Software Management Group). 1995. Guidance for the Dedication of Commercial Grade Computer Software (revision 5). Birdsboro, Pa.: NUSMG. January 4.

Profetta, J. 1996. Presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Washington, D.C., April 16.

Simon, B. 1996. Presentation to the Committee on Application of Digital Instrumentation and Control Systems to Nuclear Power Plant Operations and Safety, Irvine, Calif., February 29.

USNRC (U.S. Nuclear Regulatory Commission). 1995a. High Integrity Software for Nuclear Power Plants. Report prepared by the MITRE Corporation for USNRC. NUREG/CR-6263. Washington, D.C.: USNRC.

USNRC. 1995b. Procurement of Commercial Grade Items by Nuclear Power Plant Licensees. Title 10 CFR Part 21. Washington, D.C.: USNRC.

USNRC. 1996. A Proposed Acceptance Procedure for Commercial Off-the-Shelf (COTS) Software in Reactor Applications. NUREG/CR-6421. Washington, D.C.: USNRC.

Copyright © National Academy of Sciences. All rights reserved.