ML051920263


Ltr MC5895, Review Issues for Digital Upgrade of Rps/Esps
ML051920263
Person / Time
Site: Oconee, Duke Energy
Issue date: 07/27/2005
From: Olshan L
NRC/NRR/DLPM/LPD2
To: Rosalyn Jones
Duke Energy Corp
Olshan L N, NRR/DLPM, 415-1419
References
TAC MC5895, TAC MC5896, TAC MC5897


Text

July 27, 2005

Ronald A. Jones
Vice President, Oconee Site
Duke Energy Corporation
7800 Rochester Highway
Seneca, SC 29672

SUBJECT:

REVIEW ISSUES FOR DIGITAL UPGRADE OF RPS/ESPS FOR OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 (TAC NOS. MC5895, MC5896, AND MC5897)

Dear Mr. Jones:

By letter dated February 14, 2005, you submitted a license amendment request for a digital upgrade of the Reactor Protective System (RPS) and the Engineered Safeguards Protective System (ESPS) for Oconee Nuclear Station, Units 1, 2, and 3. You have proposed to replace the current analog-based RPS/ESPS with a digital-based Framatome TELEPERM XS system that will perform all the functions that are now being performed by separate analog systems.

At this point in our review we have identified a number of issues that need to be resolved.

Enclosed is a discussion of six of the more significant issues. You have requested that we complete our review in sufficient time to accommodate the implementation of the digital RPS/ESPS during the Fall 2006 refueling outage for Oconee, Unit 1. Based on the complexity of the issues that your proposed design presents, it is premature, at this time, to assume that these issues can be favorably resolved and that ultimately our approval can be obtained, or that our approval will be received by your need date.

It is our understanding that if our approval of your proposed amendment cannot be assured, you will need to act soon to initiate alternate arrangements for the RPS and ESPS design. The purpose of this letter is to alert you to this possibility.

If you have any questions on these issues, please contact Leonard N. Olshan at 301 415-1419.

Sincerely,

/RA/

Ledyard B. Marsh, Director
Division of Licensing Project Management
Office of Nuclear Reactor Regulation

Docket Nos. 50-269, 50-270, and 50-287

Enclosure: Review Issues

cc w/encl: See next page

Distribution:

PUBLIC RidsNrrPMLOlshan (Hard Copy)

PDII-1 R/F RidsOgcRp RidsNrrDLpmLpdii1 (EMarinos)

RidsAcrsAcnwMailCenter RidsNrrLACHawes (Hard Copy)

RidsRgn2MailCenter RidsNrrDlpmDpr

Accession Number: ML051920263 NRR-106

OFFICE | PDII-1/PM | PDII-1/LA | PDII-1/SC | EEIB/BC | PDII/D | DLPM/D
NAME | LOlshan | CHawes | EMarinos | JCalvo | EHackett | LMarsh
DATE | 07/20/05 | 07/26/05 | 07/26/05 | 07/21/05 | 07/27/05 | 7/27/05

OFFICIAL RECORD COPY

Oconee Nuclear Station, Units 1, 2, and 3 cc:

Ms. Lisa F. Vaughn, Duke Energy Corporation, Mail Code - PB05E, 422 S. Church St., P.O. Box 1244, Charlotte, NC 28201-1244

Ms. Anne W. Cottingham, Esq., Winston and Strawn LLP, 1700 L St, NW, Washington, DC 20006

Manager, LIS, NUS Corporation, 2650 McCormick Dr., 3rd Floor, Clearwater, FL 34619-1035

Senior Resident Inspector, U.S. Nuclear Regulatory Commission, 7812B Rochester Highway, Seneca, SC 29672

Mr. Henry Porter, Director, Division of Radioactive Waste Management, Bureau of Land and Waste Management, Dept. of Health and Env. Control, 2600 Bull St., Columbia, SC 29201-1708

Mr. Michael A. Schoppman, Framatome ANP, 1911 North Ft. Myer Dr., Suite 705, Rosslyn, VA 22209

Mr. B. G. Davenport, Regulatory Compliance Manager, Oconee Nuclear Site, Duke Energy Corporation, ON03RC, 7800 Rochester Highway, Seneca, SC 29672

Ms. Karen E. Long, Assistant Attorney General, NC Department of Justice, P.O. Box 629, Raleigh, NC 27602

Mr. R. L. Gill, Jr., Manager - Nuclear Regulatory Issues and Industry Affairs, Duke Energy Corporation, 526 S. Church St., Mail Stop EC05P, Charlotte, NC 28202

Mr. Richard M. Fry, Director, Division of Radiation Protection, NC Dept of Environment, Health, & Natural Resources, 3825 Barrett Dr., Raleigh, NC 27609-7721

Mr. Peter R. Harden, IV, VP-Customer Relations and Sales, Westinghouse Electric Company, 6000 Fairview Road, 12th Floor, Charlotte, NC 28210

Mr. Henry Barron, Group Vice President, Nuclear Generation and Chief Nuclear Officer, P.O. Box 1006-EC07H, Charlotte, NC 28201-1006

REVIEW ISSUES WITH OCONEE RPS/ESPS DIGITAL REPLACEMENT

ISSUE 1: MODIFICATION OF THE TXS SYSTEM SINCE REVIEW AND APPROVAL

The Framatome TELEPERM XS (TXS) system to be installed at Oconee is not the TXS system presented in the topical report and reviewed by the Nuclear Regulatory Commission (NRC) staff. Since the time of the NRC staff review, Framatome had modified the original central processing unit (CPU) and communications modules. In the case of the CPU module, the original microprocessor was an Intel 486, and the system proposed for Oconee uses an AMD K-6. Attachment 3 to the February 14, 2005, submittal also states that the communications module has been modified, but does not describe those modifications. These changes are significant because they will require an NRC staff review of the hardware, software and environmental qualifications of these modules. In order to perform this review, the NRC staff will need details on all changes:

A. Exact description of the changes, including changes to support chip sets, printed circuit board artwork, and software changes. Software change descriptions should include changes to the basic input/output system for the different processor.

B. The environmental test data which verified the new equipment qualifications, including temperature, humidity, radiation, seismic, and electromagnetic qualifications.

C. Test data showing that the existing software did not require modification, or if modifications were required, a description of those software changes and how the changes were tested.

The NRC staff considers that the original review of the hardware and software for the microprocessor and support chip set, as well as the review of the temperature, humidity, radiation, seismic, and electromagnetic test and qualification constituted a substantive portion of the finding that the TXS system was suitable for safety-related use in nuclear power plants, and therefore the safety evaluation on the topical report for the TXS is not applicable to the portions of the system that were modified.

ISSUE 2: TECHNICAL SPECIFICATIONS MODIFICATIONS

The Technical Specifications (TS) for Oconee describe the Reactor Protective System (RPS) and Engineered Safeguards Protective System (ESPS) functions separately, with separate portions of the TS for the instrumentation associated with the RPS and ESPS. In the February 14, 2005, license amendment request (LAR), Duke Power has requested replacement of the current analog-based RPS and ESPS with one digital computer-based Framatome TXS system that would perform all the functions previously performed by the analog systems. The proposed TS, however, continue with separate portions of the TS for instrumentation associated with the RPS and ESPS.

If this consolidation is implemented, the instrumentation TS may require a modification, combining the sections on RPS and ESPS, to reflect the actual configuration at Oconee. As this would be the first time that a licensee would be implementing a modification that would combine RPS and ESPS as a single system, the decision on how the TS should reflect this consolidation will set a precedent for future consolidations of functions in TS. The schedule impact of this process is unknown at this time.

ISSUE 3: LACK OF ISOLATION BETWEEN SAFETY AND NON-SAFETY SYSTEMS

According to information contained within the February 14, 2005, LAR and as clarified during a technical discussion with Duke and Framatome personnel held at Oconee on June 2, 2005, the TXS system proposed for use at Oconee will be connected to the plant computer and outside world via an ethernet connection. This connection does not have a one-way link, but depends upon software to filter and reject incorrect or malicious signals.

IEEE Std. 603-1991, incorporated by reference into Title 10 of the Code of Federal Regulations (10 CFR) Section 50.55a(h), in Section 5.6.3.1 (2), Isolation, states: "No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system."

In addition, an ethernet connection raises cyber-security concerns of deliberate and malicious attempts to circumvent or disable safety-related functions.

In the past, the NRC staff has found that a one-way broadcast link, with no request or acknowledgment functions, was the preferable method of providing information from the safety-related systems to the non-safety systems within the plant. With no possibility of communications from the non-safety systems, the issues of isolation, failures on the non-safety side, cyber-security and deliberate or accidental interference with safety-related functions were eliminated.

The proposed system connects the logic channels to a gateway via an ethernet link. The maintenance and service interface (MSI) connects to this gateway via an ethernet link. This gateway communicates to the service unit and other non-safety systems, again via ethernet.

The service unit is used for system test and modification, and is a stand-alone system.

In the June 2, 2005, technical discussion, Duke and Framatome stated that the ethernet link between the gateway and the non-safety systems would be modified to be a broadcast-only link. This would provide the required isolation, but the broadcast link would be in the non-safety portion of the circuitry. This method of isolation would need to ensure that this broadcast link cannot be modified in the future without further specific NRC staff review and approval.

This modification has not yet been done or tested, and a schedule for this modification has not been provided. For these reasons, a schedule for review of this modification cannot be predicted.

ISSUE 4: INTERCONNECTIONS BETWEEN THE SAFETY-RELATED CHANNELS

The TXS system proposed for use at Oconee interconnects the individual safety channels via fiber-optic links to share sensor data and test signals, and this interconnection was required for operation of the second minimum/maximum signal selection of each channel. This connection between safety channels was confirmed during the June 2, 2005, technical discussion at Oconee. This type of interconnection appears to be inconsistent with the design requirements of IEEE 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," and IEEE 603, "Criteria for Safety Systems for Nuclear Power Generating Stations," required by 10 CFR 50.55a, "Codes and standards," subsection (h), "Protection and safety systems."

The current RPS and ESPS systems at Oconee do not have such an interconnection, and if the interconnection were removed, Oconee would have the same functionality as the system currently in use. This interconnection is not required to maintain the existing design basis, but Oconee stated that the reason for the second minimum/maximum signal selection and the interconnection required for the signal selection is to enhance the Oconee ability to reject non-coincident trips.

Further discussions of this feature of the design are required for the NRC staff to reach a conclusion about its acceptability in accordance with protective system requirements.

ISSUE 5: LACK OF REVIEW PRECEDENT

The Framatome TXS system has not previously been used in a safety-related application at a U.S. nuclear power plant, and no system has ever been implemented using the degree of consolidation being proposed for Oconee. Until now, digital replacement systems have replaced individual functions. This is the first wholesale digital replacement of all safety-related systems and would also be the first time one type of digital system has been used to implement both trip and mitigation functions.

There is no precedent upon which to base this review, and therefore, whatever is done during the review will be providing precedent for all future reviews of this type. Duke has, in the past, been the first utility to make use of other new technology, and therefore, Duke should anticipate that by being the first utility to propose such a system, the review would be more difficult than if previous reviews of this nature had been completed.

Since this is the first review of this type, it should be expected that the review effort, and therefore, the length of time required for this review will be greater than the review of a similar digital system which has been previously reviewed for similar applications.

ISSUE 6: HIGH DEGREE OF COMPLEXITY

This is a highly complex system, with a significant amount of plant and function specific software. The review of the software specification, comparison with old functional requirements, and review of the Software Verification and Validation Plan (V&V) and test procedures will be a major undertaking. The software specification and the software have not yet been provided to the NRC staff, and our understanding is that the plant specific software has not yet been written, verified or tested, and therefore the software specification, application specific software, V&V and test procedures are not yet available for review. The NRC staff has been told that the final Software Data Quality Assurance document, V&V, and Software Configuration Management Plan will not be available for NRC staff review until November 2005, and the factory and site acceptance tests will not be available for review until early in 2006. The previous estimate of 2000 hours of review time with a 21-month review schedule was made on the assumption that the documentation required for review would be available as needed.

Notwithstanding the potential for modification to the hardware and software to address the above concerns, the software and hardware documentation is not currently available to the NRC staff for review.