Quality and Security

There is no single software quality assurance (SQA) approach mandated for nuclear facilities in the USA. DOE has its standards and directives, while the NRC has its regulations and regulatory guides. These in turn reference many other national consensus standards, for example from ASME, IEEE, and NIST. All of these allow tailoring, and none mandates a specific implementation of quality requirements.

If there is one foundational document from which all others can be said to flow, it would be ASME NQA-1, Quality Assurance Requirements for Nuclear Facility Applications. IMHO, if any software quality assurance program is in full compliance with the requirements of NQA-1, it can be reasonably argued to be in compliance with both DOE and NRC SQA requirements. (Any issues will be related to shortcomings in the DOE and NRC regulations and directives or their related national consensus standards, not with the consensus approach to software quality assurance.) Personally, I would like to see all SQA, independent verification and validation (IVV), and uncertainty quantification (UQ) programs be traceable to NQA-1 requirements. I think anyone involved with software at a nuclear facility should be generally familiar with the SQA approach taken by NQA-1.

But NQA-1 has its shortcomings. These shortcomings are not specific to just nuclear facilities and so are of general interest.

For one thing, NQA-1 is not freely available. (Its current cost is $220.) It is unacceptable that finding out what "the law" is should cost money, or that documenting NQA-1 requirements and justifications should be a potential copyright concern.

A larger and more technical issue is cyber security. Cyber security plans and management are mostly developed, approved and administered independently of a nuclear facility's general SQA staff and management. (For example, the NIST 800 series of cyber security standards offers many checklists and templates that cyber security personnel can choose from.) NQA-1 does not offer any specific guidance on the proper relationship between software quality and cyber security requirements, processes or personnel. This is not so much a criticism of NQA-1 as of the current state of the art.

Another issue is the lack of guidance on the quantitative relationship between cyber security and nuclear safety. How is cyber security to be integrated with a nuclear facility's probabilistic risk assessment (PRA)? For example, how are cyber security threats to control systems (SCADA, DCS, PLC) to be quantified? Again, this issue of risk and uncertainty quantification is mostly a function of the current state of the art.
