05000483/FIN-2013005-01

Finding

Title

Solid State Protection System Modifications

Description

The inspectors identified an unresolved item associated with the implementation of the licensees process to comply with 10 CFR 50.59 for a digital modification of the solid state protection system (SSPS) logic and control boards. This item remains unresolved pending further review by the NRC staff to determine if this issue constitutes a violation of NRC requirements.The SSPS logic and control boards provide the coincidence logic to produce actuation signals for operation of the reactor protection system and the engineered safety features actuation systems. Modification Package 10-0053, SSPS Printed Circuit Board Replacement, Version 000.2, evaluated a digital modification to the existing SSPS logic and control boards. This modification replaced existing obsolete printed circuit boards with replacement boards supplied by Westinghouse. The modification replaced universal logic printed circuit boards, safeguards driver printed circuit boards, undervoltage driver printed circuit boards, and semi-automatic tester printed circuit boards. The original circuit boards used fixed logic devices (i.e. transistor-transistor logic) whereas the replacement circuit boards used programmable logic devices (i.e. complex programmable logic devices (CPLD)) to perform the required logic operation for the design function of the SSPS. The licensee performed a safety evaluation for this modification in accordance with Procedure APA-ZZ-00143, 10 CFR 50.59 Reviews. This procedure stated that its purpose was to describe the process for compliance with the requirements of 10 CFR 50.59 using the guidelines contained in NEI 96-07, Guidelines for 10 CFR 50.59 Evaluations, Revision 1. The procedure included the screening questions to be used to determine whether a plant change required an evaluation against the criteria in 10 CFR 50.59(c)(2). Section 4 of NEI 96-07, Revision 1, states that a 10 CFR 50.59 evaluation is required when a change adversely affects the design function or the method of performing or controlling a design function. The guidance also states that an example that would require an evaluation is a change that introduces a new type of accident or malfunction. The guidance also states that if a change has both positive and adverse effects, the change would require a 10 CFR 50.59 evaluation and should focus on the adverse effects. Additionally, NEI 01-01, Guideline on Licensing Digital Upgrades, Revision 1, Section 4.3.2, states that most digital upgrades to redundant safety systems should be conservatively treated as adverse and should require an evaluation. This section also states that some examples of adverse effects that should be evaluated are those that change functionality in a way that increases complexity and introduces different behavior or potential failure modes. The licensee concluded in their 10 CFR 50.59 evaluation that the replacement of SSPS cards did not meet the criteria in 10 CFR 50.59(c)(2), because the modification did not adversely affect the function of the SSPS as described in the final safety analysis report. The basis for that conclusion consisted, in part, of the following statements in the 50.59 evaluation:

The CPLD contains no software or programmable code; rather, the CPLD is configured during manufacturing by loading a data file that programs the logic gates in the device. Thus, the CPLD is hardware-based and does not utilize software to perform its function. Hardware is distinguished from software by the degree of testability. The CPLD-based board does not have the characteristics associated with microprocessor based systems such as modifiable code, branches or interrupts, decision-making capability, lockups, and common-mode software failure susceptibility. Thus, failures can be treated as single random hardware failures. The failure of the CPLD will cause the failure of all logic circuits on the board, similar to other failure scenarios for the original-design board. The frequency of hardware failures for the new-design cards, including the CPLD, is therefore comparable to what it was for the original-design boards.

The three safety-related boards that support protective actuation functions have been fully tested as documented in Westinghouse WNA-TR-02644-SCP, Solid State Protection System New Design Circuit Boards Final Logic Test Report, which concludes that the new boards have the same output responses as the original boards such that the criteria for 100 percent testing is satisfied. The steady state operation for every possible logic input verifies the new design SSPS circuit boards operate identical to the original design circuit boards and that no unpredicted or unexpected outputs occur for any possible logic combination input.

The failure modes analyses, qualification processes, and testing of the new circuit boards do not indicate a more than minimal increase in the likelihood of occurrence of a malfunction as a result of this change. The new version circuit boards are still in compliance with the general design criteria. Overall, the replacement of the existing SSPS digital circuit boards with the new design SSPS digital circuit boards does not provide a trend toward increasing the likelihood of malfunction of the structures, systems, or components. The inspectors reviewed the 10 CFR 50.59 evaluation and the Westinghouse supporting information for the replacement cards and identified various issues of concern associated with the design, testing, and operation of the replacement circuit boards, which could represent adverse effects, with a more than minimal increase in the likelihood of occurrence of a malfunction, to the design function of the SSPS as described in the final safety analysis report. These potential adverse effects would have required an evaluation against the criteria in 10 CFR 50.59(c)(2) as directed by site

Procedure APA-ZZ-00143, and the self-imposed NEI guidance (NEI 96-07 and NEI 01-01). Specifically, the inspectors identified that:

While the licensee concluded that the CPLD-based circuit boards contained no software because the manufacturer used a data file or firmware set during initial configuration to program the logic gates in the device board, section 5.3.3.2 of NEI 01-01, defined that type of feature as Base Software. Additionally, NEI 01-01, section 4.3.2, Software Considerations, indicates that digital modifications that involve the use of software applications should be conservatively treated as an adverse effect, due to the potential introduction of new failure modes (software based failures, including common cause failures not previously evaluated, especially when modifications involve redundant safety systems (i.e. reactor protection system or engineered safety features actuation system). The 10 CFR 50.59 evaluation did not contain sufficient information to exclude the data file from the definition of Base Software and the associated design considerations in NEI 01-01.

Second party commercial vendors were involved in the manufacturing of the CPLDs as well as the development of the data file software. The inspectors found that there was not sufficient information in the 10 CFR 50.59 evaluation and supporting vendor information, to determine the level of quality assurance placed into the development of the CPLDs to ensure reliable operation of this logic device. Furthermore, licensee discussions with Westinghouse confirmed that the second party commercial vendors were not qualified to 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

The testing performed by the vendor for the development of the CPLDs only covered the combinations of inputs and outputs (hardware functional testing) required for the design function of the SSPS. However, the 50.59 evaluation and supporting vendor information did not contain sufficient information to determine if the testing performed by the vendor was sufficient enough to cover other possible sequence of device states due to the relative complexity of the CPLDs operation. This would include software-induced states associated with the CPLDs themselves and the embedded data file, which could result in malfunctions of the SSPS.

This issue remains unresolved pending further NRC review of additional information provided by Westinghouse to address the concerns described above, in order to determine the adequacy of the licensees 50.59 evaluation and whether or not the issue represents a violation of 10 CFR 50.59, Changes, Tests, and Experiments. The licensee entered this issue in the corrective action program as Callaway Action Request 201306081 to address operability of the SSPS and evaluate the need for a license amendment. The licensee completed a prompt operability determination. The inspectors reviewed the operability determination and did not identify any issues regarding the operability of the SSPS cards. This issue is being tracked as URI 05000483/2013005-01, Solid State Protection System Modifications.

01
Site:	Callaway
Report	IR 05000483/2013005 Section 1R17
Date counted	Dec 31, 2013 (2013Q4)
Type:	URI:
cornerstone	Mitigating Systems
Identified by:	NRC identified
Inspection Procedure:	IP 71111.17
Inspectors (proximate)	T Hartman Z Hollcraft A Allen D Proulx G George J Braisted N O'Keefe P Elkmann P Jayroe R Strobled Proulxg George J Braisted N O'Keefe P Elkmann P Jayroe T Hartman Z Hollcraftb Bacag George J Braisted J O'Donnell J Patel L Ricketson M Williams N O'Keefe P Hernandez S Alferink T Hartman Z Hollcraft
INPO aspect
'
v • d • e

Finding - Callaway - IR 05000483/2013005

1(0)2(0)3(4)4(4)5(5)201(0)301(1)302(0)403(1)404(2)405(0)501(0)502(0)

IR 05000483/2013005: 1 2 3 4 5

Finding List (Callaway) @ 2013Q4

CCA Matrix: 2013Q4

	Q	CCA	Title
05000483/FIN-2013301-01	2013Q1		Failure to Maintain Initial Operator Licensing Examination Integrity
05000483/FIN-2013003-01	2013Q2	P.5	Failure to Monitor and Maintain Emergency Core Cooling System Room Coolers
05000483/FIN-2013003-02	2013Q2	H.6	Failure to Appropriately Pre-plan and Perform Maintenance on the Unit Auxiliary Transformer
05000483/FIN-2013003-03	2013Q2	H.2	Failure to Appropriately Pre-plan and Perform Maintenance on Safeguards Transformer B
05000483/FIN-2013003-04	2013Q2	P.2	Failure to Correctly Screen Repetitive Equipment Failures
05000483/FIN-2013404-01	2013Q2	H.13	Security
05000483/FIN-2013404-02	2013Q2	H.14	Security
05000483/FIN-2013004-01	2013Q3	H.7	Failure to Administer a Comprehensive Requalification Operating Test
05000483/FIN-2013005-02	2013Q4		Ultimate Heat Sink Cooling Tower - Incorrect Action Criteria in Control Room Evacuation Procedure
05000483/FIN-2013005-03	2013Q4	H.13	Failure to Correct Non-conservative Safety Related Equipment Oil Leakage Criteria
05000483/FIN-2013005-04	2013Q4	H.7	Failure to Class and Describe a Radioactive Material Shipment Correctly and Failure to Include all Required Hazard Communication Information in a Radioactive Shipment Document
05000483/FIN-2013403-01	2013Q4		Security
05000483/FIN-2013005-01	2013Q4		Solid State Protection System Modifications

Self-Identified List (Callaway)

	Q	Title
05000483/FIN-2013004-02	2013Q3	Licensee-Identified Violation
05000483/FIN-2013004-03	2013Q3	Licensee-Identified Violation
05000483/FIN-2013004-04	2013Q3	Licensee-Identified Violation
05000483/FIN-2013005-05	2013Q4	Licensee-Identified Violation

[Callaway Findings full list]

05000483/FIN-2013005-01

Navigation menu

Search