ML070080325


Licensees Handouts for Oconee, Summary of December 13, and 14, 2006
ML070080325
Person / Time
Site: Oconee (Duke Energy)
Issue date: 12/13/2006
From:
Duke Energy Corp, Duke Power Co
To:
Office of Nuclear Reactor Regulation
Olshan L N, NRR/DORL, 415-1419
References
TAC MD2471, TAC MD2472, TAC MD2473
Download: ML070080325 (59)


Text

Duke Energy: Oconee Nuclear Station RPS/ESPS Digital Upgrade, December 13, 2006

Agenda
  • Opening Remarks
  • Project Status
  • Topics of Discussion
  • Summary of Discussions (all topics)
  • Closing Remarks

Introductions

Purpose of Today's Meeting & Expected Outcome

Meeting Purpose
  • Brief NRC management on project status
  • Address IEEE compliance issues

Expected Outcome
  • Establish common understanding of project status & schedule
  • Defined path forward on resolving IEEE 603 compliance issues
  • Establish clear understanding of NRC Staff reviewer information needs
  • Agreement on level of detail for LAR related to IEEE compliance

Project Status
  • AREVA stop work expected to be lifted on December 31, 2006
  • LAR Pre-Submittal Meetings starting in December 2006
  • LAR Re-Submittal in Summer 2007
  • LAR approval by Spring 2009
  • Initial implementation - Fall 2009 on Unit 1

Topics of Discussion

Today (Separate handout)
  • IEEE 603 Compliance

Tomorrow (Separate handouts)
  • Diverse HPI Actuation System
  • Digital LAR Licensing Plan
  • Vertical Slice

IEEE 603 Compliance

AREVA slides

Summary of IEEE Discussion
  • Defined path forward on resolving IEEE 603 Compliance issues
  • Establish clear understanding of NRC Staff reviewer information needs
  • Agreement on level of detail for LAR related to IEEE Compliance

Closing Remarks
  • AREVA developing technical document that contains information provided today
  • Duke proposes to include the non-proprietary information in the LAR (possible technical meeting to discuss level of detail)
  • The proprietary document will be made available for staff review/audit at time of LAR submittal
  • Actions

Duke Energy: Diverse HPI Actuation System, Oconee Nuclear Station, December 14, 2006

Agenda
  • Opening Remarks
  • Background
  • Design Process
  • Diverse HPI Design Requirements
  • Closing Remarks

Introductions

Purpose of Meeting & Expected Outcome

Meeting Purpose
  • Describe process used to design and install
  • Describe the design criteria for the diverse HPI actuation system and the information that will be provided in the LAR
  • Provide NRC an understanding of the effect on RPS/ES digital upgrade design documents

Expected Outcome
  • NRC agreement with proposed diverse HPI actuation design requirements
  • Mutual understanding of Duke plans to install diverse HPI
  • NRC agreement of Duke approach

Background
  • Duke's D3 assessment concluded that a diverse LPI actuation system was needed to mitigate a LBLOCA due to operator response time
  • Concluded that the remaining Chapter 15 events analyzed could be mitigated by manual operator actions and diverse systems as allowed by BTP-19
  • NRC concerned that operator would not be able to initiate HPI within 5 minutes for SBLOCAs that do not depressurize the RCS
    • This concern apparently originated from the Oconee RPS/ESPS common processor design
  • April 2006 - Duke verbally committed to install a diverse HPI actuation system to resolve NRC concerns with common processor
  • Design criteria established based upon Diverse LPI Actuation system

Design Process

Diverse LPI actuation system
  • Design initiated in 12/04 shortly after receiving NRC acceptance of Duke's proposed design criteria presented in 11/17/04 Duke/NRC meeting
  • Design details provided by letter dated 10/6/05
  • Design substantially complete
    • Hardware installed in Unit 1 system
    • Design reflected in current Unit 1 RPS/ES design documents

Design Process (continued)

Diverse HPI actuation system
  • Conceptual design details discussed between AREVA and Duke Spring 2006
    • Similar design criteria to Diverse LPI Actuation System
  • Unit 1 RPS/ESPS design documents (typical of all 3 units) continue to be developed
  • Due to the current state of the project, the diverse HPI actuation system will not be reflected in the Unit 1 RPS/ES design documents
    • LAR will provide complete description of diverse HPI actuation system
  • Final design currently scheduled to be complete in Fall 2007
  • Diverse HPI actuation system to be installed in Unit 1 hardware prior to FAT
    • Fully tested during FAT, SAT and Post Implementation Testing

Preliminary Diverse HPI Actuation System

[Figure: preliminary diverse HPI actuation system diagram. Recoverable labels: RC/RB pressure signals (buffered 1E to non-1E), 120 VAC power, BYPASSED light, momentary reset, channel bistables (odd/even typical), 24 VDC even and odd voter power, TXS, voters, trip relays, new annunciator windows; diverse LPI and diverse HPI shown side by side.]

Design Criteria

1) The system shall be of sufficient quality to perform the necessary function under the associated event conditions and within the required time (BTP HICB-19 B.1 - similar to AMSAC/DSS design requirements). Equipment to be Non-Safety Related.
2) Automatic and manual actuation capability. Incorporate into design.
3) Actuate HPI on Low RC Pressure. Incorporate into design.
4) Accuracy - Setpoints will be chosen such that ESPS actuation of HPI prior to diverse HPI actuation, including instrumentation loop error, is the designed orientation. Total Loop Uncertainty calculations confirm setpoints.
5) Minimize Inadvertent Actuation - Use multi-channel logic in "can actuate to initiate" manner. Diverse HPI configured 2 out of 3 channels required for actuation.
6) Diverse Hardware and Software required - both analog and digital applications are acceptable provided diversity is maintained. Proposed design utilizes conventional analog devices and relays.
7) Diverse sensors not required - Follow BWOG AMSAC/DSS guidance if using existing RPS/ESPS sensors. Signal buffers used to provide isolation.
8) Diverse power source to RPS/ESPS not required. Battery backup not required. Non-Safety 120 VAC to be utilized.
9) Physical separation not required. Proposed equipment location is in Cabinet 16.
10) Electrical separation is required. Separation requirements maintained within RPS/ESPS cabinets.
11) Safety to non-safety isolation required. Qualified isolation devices used where required.
12) Equipment must be qualified for its intended location. All logic equipment located in a mild environment (Control Room).
13) Operating Bypasses or Maintenance Bypasses
   a) Appropriate Operating and/or Maintenance Bypasses must be determined.
   b) Appropriate human factors and task analyses performed along with OPS training to prevent inadvertent bypassing.
   c) Administrative procedures used to address Operating Bypass.
14) The Diverse HPI Actuation System actions go to completion once initiated - reset controlled by procedure, same as existing ESPS.
15) Information Readouts provided in Control Room for Operator awareness and system monitoring shall be the same as during normal operation.
16) Augmented Quality Program (GL 85-06) is not required. Non Safety Related commercial industrial products will be utilized.
17) Software Quality Assurance - The proposed design does not require the use of any software.

Closing Remarks

Going forward
  • Diverse HPI actuation system will be integral part of RPS/ES LAR
  • LAR will include detailed design description and reflect conformance to proposed criteria
  • Approach consistent with what was previously presented by Duke (2004) and accepted by the staff for the Diverse LPI actuation system

Duke Energy: Digital LAR Licensing Plan, Oconee Nuclear Station, December 14, 2006

Agenda
  • Opening Remarks
  • Duke LAR Process
  • Format of LAR
    • Technical Information - format, scope, level of detail, supporting documents
  • Security Considerations
  • Regulatory Evaluation
  • Regulatory Commitments
  • Closing Remarks

Purpose of Meeting & Expected Outcome

Meeting Purpose
  • Describe Duke digital licensing plan for RPS/ES
  • Provide NRC the bases for Duke plan
  • Obtain NRC feedback

Expected Outcome
  • Mutual understanding of Duke plan
  • Establish clear understanding of NRC Staff reviewer information needs
  • Agreement on format and level of detail for LAR

Duke LAR Development Process
  • Duke Internal Process Overview
    • Project Plan
    • Validation and Verification (V&V)
    • Internal Review
    • PORC/NSRB Reviews
  • LAR Format & Content Development Process
    • Similar to approach used for ONS License Renewal
    • Sample sections provided
    • Discussion meetings
    • Letters documenting staff comments

Format of LAR

NEI 06-02, LAR Guidelines, November 2006
  • Summary Description
  • Detailed Description
  • Technical Evaluation
  • Regulatory Evaluation
  • Environmental Consideration

Format of Technical Evaluation
  • EPRI TR-102348, Rev. 1, Guideline for Licensing Digital Upgrades, as endorsed by NRC RIS 2002-22
  • DG-1145, Chapter C.I.7, Instrumentation & Controls
  • Proposed Digital RPS/ES LAR Outline (Handout)
  • Vertical Slices for selected Sections of LAR

Technical Documents
  • Staff finding based on docketed information
    • LAR should contain sufficient information for all findings to be made
    • Technical documents will be available for staff to verify information in LAR
    • Staff review of LAR and validation by its review of technical documents will provide the basis for the findings
  • Approximately 90% of the documents identified in the 1/11/06 NRC letter will be completed at time of submittal
    • Remaining documents will be provided post-submittal
  • No draft technical documents will be provided

Technical Documents Availability

43 documents listed in NRC letter dated 1/11/06
  • Those in blue italics text are not being changed as a result of the digital upgrade
  • Those in bold red text will be available after LAR submittal and prior to RPS/ES implementation
  • All others will be available for review/audit when the LAR is submitted

1. Detailed System Architecture
2. Oconee 1 RPS&ESPS Requirements Traceability Matrix (FAT version)
3. Teleperm XS Product Information on Release 3.0.7A of TXS Software
4. Oconee Nuclear Station TXS RPS/ESPS Replacement System Cabinet Design: 1PPSCA0005
5. Oconee Nuclear Station TXS RPS/ESPS Replacement System Cabinet Design: 1PPSCA0006
6. ONS Units 1, 2, & 3 RPS/ESF Controls Upgrade Failure Mode and Effects Analysis
7. ONS 1, 2, & 3 RPS/ESF Controls Upgrade Design Specification for Key Locks and Key Switches
8. Software Requirements Specification, ONS-1 RPS/ESF Software Requirements Specification (QA1)
9. ONS Unit 1: RPS and ESFAS Replacement Project Open Item Form, "HW Typicals for CRD (Control Rod Drive) UV (under voltage) Test Jacks," Doc Step 3.12
10. ONS 1, 2, & 3 RPS/ESF Controls Upgrade Hardware Design Solutions
11. ONS Unit 1 - RPS & ESFAS Configuration Management Plan
12. Oconee Nuclear Station, Units 1, 2, & 3 RPS/ESF Controls Upgrade ID Coding Concept
13. ONS Units 1, 2, & 3 RPS/ESFAS Controls Upgrade Verification and Validation Plan
14. ONS Unit 1 RPS/ESFAS Controls Upgrade Software Design Description
15. ONS Unit 1 RPS/ESFAS Controls Upgrade Software Requirements Review Report
16. ONS Unit 1 - RPS & ESFAS Factory Acceptance Test Plan
17. Dedication Package for Absopulse Power Supply
18. ONS Units 1, 2, & 3 RPS/ESFAS Controls Upgrade Software Safety Plan
19. ONS Units 1, 2, & 3 RPS/ESFAS Controls Upgrade Software Installation Plan
20. TXS Supplemental EQ (Equipment Qualification) Summary Test Report
21. ONS RPS/ESFAS Replacement Project EQ Summary Test Report
22. TUV Certificate on Communication Processor
23. TUV Documentation on SCP2 Testing
24. TUV Certificate on Processing Module
25. FANP (Framatome ANP) Report, "TELEPERM XS Simulation - Concept of Validation and Verification"
26. Configuration Management
27. Software and Data Quality Assurance (SDQA) Program
28. Reactor Building Narrow Range Pressure Instrument Loop Accuracy Calculation (ESFAS)
29. Wide Range RCS Pressure Uncertainty (ESFAS HPI & LPI setpoints)
30. RPS Main Feedwater Pump Pressure Instrument Loop Accuracy Calculation
31. RPS Flux/Flow Ratio Uncertainty Evaluation
32. Reactor Building Pressure Instrument Loop Accuracy Calculation (ESFAS & RPS)
33. RPS RCS Pressure & Temperature Trip Function Uncertainty Analysis and Variable Low Pressure Safety Limit
34. Power-Imbalance Safety Limits and Tech. Spec. Setpoints Using Error-Adjusted Flux/Flow Ratio of 1.094
35. RPS High Flux and Pump/Power Monitor Trip Function Uncertainty Analysis
36. ONS Unit 1 - RPS & ESFAS System Functional Description
37. Engineered Safeguard Feature Actuation System (ESFAS) Replacement Project Specification
38. Reactor Protection System (RPS) Replacement Project Specification
39. Duke Power Company, Oconee Nuclear Station, "Nuclear Instrumentation RPS Removal from and Return to Service for Channels A, B, C and D," Rev. 031, ETQS No. RPS-Q-ENTRY
40. Documentation of Software Requirements and SDQA for RPS/ESFAS System Replacement
41. SIVAT LSELS Specifications, Job 4310002, Outputs: EFHV0037
42. Teleperm XS Function Blocks, Version 2.60; FB-ADDON, Version 1.2
43. SIVAT-TXS Simulation Based Validation Tool, Version 1.4.0

Other documents
  • 2.b Oconee 1 RPS&ESFAS Requirements Traceability Matrix (post FAT version)
  • 16.a ONS Unit 1 - RPS & ESFAS Factory Acceptance Test Procedures
  • 16.b ONS Unit 1 - RPS & ESFAS Factory Acceptance Test Results Report
  • 44 Site Acceptance Test Plan
  • 44.a Site Acceptance Test Plan Procedures
  • 44.b Site Acceptance Test Results Report
  • 45 U1 Parameter Calc OSO 8695

Cyber Security Considerations
  • §73.55(m) Rulemaking in progress - expect to be complete before LAR SE is complete - Duke will be required to be in compliance with it for all digital systems within scope of the rule
  • Duke internal documents to implement both
  • Level of detail - LAR must not contain sensitive or safeguards information
  • Sample LAR section developed
  • Technical documents will be available for staff inspection / audit
  • Oconee LAR Section 3.8 will address cyber security considerations

Regulatory Evaluation
  • Chapter 4 of LAR
    • Regulatory Requirements
    • Regulatory Guidance
  • Sample Chapter 4

Regulatory Commitments
  • For those technical documents not available at time of LAR submittal and required for staff review / audit, Duke plans to provide regulatory commitments regarding when the documents will be completed and available
  • Tracked and managed by Oconee Corrective Action Program
  • Listed in Enclosure 2 of the LAR

Example of Regulatory Commitments Page

Attachment

The following commitment table identifies those actions committed to by Duke Power Company LLC d/b/a Duke Energy Carolinas, LLC (Duke) in this submittal:

Commitment / Commitment Date
1. Duke will make the Oconee Calculation associated with Power-Imbalance Safety Limits and Tech. Spec. Setpoints Using Error-Adjusted Flux/Flow Ratio of 1.094 available for NRC review/audit. Commitment Date: prior to modification implementation.
2. Duke will make the Unit 1 FAT Procedures available for NRC review/audit. Commitment Date: TBD.

Other actions discussed in the submittal represent intended or planned actions by Duke. They are described to the Nuclear Regulatory Commission (NRC) for the NRC's information and are not regulatory commitments.

Closing Remarks
  • Sample sections provided
    • Table of Contents
    • D3
    • Cyber Security
    • Regulatory Evaluation
    • Regulatory Commitments
  • Request formal staff feedback by letter
  • Future Meetings

Topics (Pre-Submittal)
  • Modification Process and Quality Management Plan
  • RPS/ES Project Plan
  • Technical Specifications
  • Level of detail vertical slices for selected sections
  • Licensing Review Process

Plan to have these meetings in 1st quarter of 2007
Digital RPS/ES LAR Outline (12/14/2006) [Digital LAR Outline 121406.doc]

1. Summary Description
   Summary description of the purpose of the LAR
2. Detailed Description
   2.1 Introduction
   2.2 RPS
   2.3 ES
   2.4 Diverse Instrumentation & Control (I&C) Systems
3. Technical Evaluation
   3.1 Introduction
   3.2 Digital Instrumentation & Control Systems General Description
       3.2.1 Design Criteria
       3.2.2 Identification of the I&C Design
       3.2.3 Defense-in-Depth and Diversity
       3.2.4 Functional Requirements
       3.2.5 Life Cycle Process Planning
       3.2.6 Life Cycle Process Requirements
       3.2.7 Software Life Cycle Process Design Outputs
   3.3 Conformance with IEEE Std 603
       3.3.1 Single-Failure Criterion
       3.3.2 Completion of Protective Action
       3.3.3 Quality
       3.3.4 Equipment Qualification
       3.3.5 System Integrity
       3.3.6 Independence
       3.3.7 Capability for Test and Calibration
       3.3.8 Information Displays
       3.3.9 Control of Access
       3.3.10 Repair
       3.3.11 Identification
       3.3.12 Human Factors Considerations
       3.3.13 Reliability
       3.3.14 Automatic Control
       3.3.15 Manual Control
       3.3.16 Interaction between the Sense and Command Features and Other Systems
       3.3.17 Derivation of System Inputs
       3.3.18 Capability for Testing and Calibration of System Inputs
       3.3.19 Operating Bypasses
       3.3.20 Maintenance Bypass
       3.3.21 Setpoints
   3.4 Conformance with IEEE Std 7-4.3.2
       3.4.1 Single-Failure Criterion
       3.4.2 Completion of Protective Action
       3.4.3 Quality
           3.4.3.1 Software Development (IEEE Std 7-4.3.2 Clause 5.3.1)
           3.4.3.2 Use of Software Tools (IEEE Std 7-4.3.2 Clause 5.3.2)
           3.4.3.3 Verification and Validation (IEEE Std 7-4.3.2 Clauses 5.3.3 and 5.3.4)
           3.4.3.4 Configuration Management (IEEE Std 7-4.3.2 Clause 5.3.5)
           3.4.3.5 Risk Management (IEEE Std 7-4.3.2 Clause 5.3.6)
           3.4.3.6 Qualification of Existing Commercial Computers (IEEE Std 7-4.3.2 Clause 5.3.7)
       3.4.4 Software Life Cycle Planning
       3.4.5 Software Life Cycle Process Implementation
       3.4.6 Software Life Cycle Process Design Outputs
       3.4.7 Equipment Qualification
           3.4.7.1 Computer System Testing
           3.4.7.2 Qualification of Existing Commercial Computers
       3.4.8 System Integrity
       3.4.9 Independence
       3.4.10 Capability for Test and Calibration
       3.4.11 Information Displays
       3.4.12 Control of Access
       3.4.13 Repair
       3.4.14 Identification
       3.4.15 Human Factors Considerations
       3.4.16 Reliability
   3.5 Pre-installation Testing, Installation, Post-Installation Testing
       3.5.1 Introduction
       3.5.2 Testing
           3.5.2.1 Governing Testing Standards
           3.5.2.2 Factory Acceptance Tests
           3.5.2.3 Site Acceptance Tests
       3.5.3 Installation
       3.5.4 Post-installation
   3.6 Operation, Maintenance, and Support
       3.6.1 Introduction
       3.6.2 Procedures
       3.6.3 Training
       3.6.4 Simulator
       3.6.5 Configuration Management
       3.6.6 Periodic Surveillance
   3.7 Failure Modes and Effects Analysis
   3.8 Cyber Security Considerations
   3.9 Conclusion
4. Regulatory Evaluation
   4.1 Significant Hazards Considerations
   4.2 Applicable Regulatory Requirements/Criteria
   4.3 Precedent
   4.4 Conclusions
5. Environmental Considerations
6. References

Enclosures
1. Licensee Evaluation
   • Attachment 1 - TS Page Markups
   • Attachment 2 - Changes to TS Bases
   • Attachment 3 - Retyped TS Pages
2. List of Commitments

2. Detailed Description

2.1 Introduction (later)
2.2 RPS (later)
2.3 ES (later)
2.4 Diverse Instrumentation & Control (I&C) Systems

Duke provided a Defense-in-Depth & Diversity (D-in-D&D) assessment by letter dated March 20, 2003. Duke presented the results of the D-in-D&D assessment in a July 1, 2003, meeting with NRC and provided additional information requested by the NRC by letters dated September 23, 2004, October 26, 2005, December 15, 2005, and April 26, 2006. The NRC issued a Safety Evaluation (SE) for Oconee's D-in-D&D for the RPS/ESPS modification by letter dated May 1, 2006. By letter dated May 18, 2006, the NRC withdrew this SE indicating that they would address this matter in connection with Duke's future SE on the license amendment request for the digital upgrade of the RPS/ESPS. On July 20, 2006, Duke submitted a letter to the NRC confirming our understanding that no further D-in-D&D assessment will be required by Duke and no further review will be required by the NRC related to D-in-D&D assessment. In that letter Duke indicated that we would provide a brief summary of the D-in-D&D assessment in the resubmittal of the RPS/ESPS LAR and then reference the March 20, 2003, D-in-D&D submittal and the associated Request for Additional Information (RAI) responses. The D-in-D&D assessment determined that a diverse Low Pressure Injection (LPI) actuation system would be required to mitigate the LBLOCA. To resolve NRC concerns associated with using a common processor for three channels of RPS and one set of three ESPS channels, Duke agreed to install a diverse High Pressure Injection (HPI) actuation system to address NRC concerns associated with crediting manual operator action to initiate HPI for some SBLOCAs. The diverse HPI system will also provide additional defense in depth & diversity.

The design of both diverse systems is described and illustrated below. Design requirements for these systems are also listed below.

2.4.1 Diverse LPI Actuation System

The diverse LPI actuation system will use analog bi-stable trip units and 2 out of 3 relay logic actuated on Low RCS Pressure. See Figure below.

[Figure: Diverse LPI Actuation System. Recoverable labels: RCS Pressure (buffered 1E to non-1E), PPSCA0016, Bistable Tripped light, ES Bypass light, 24 VDC from Cab 16, 24 VDC Even voter power supply, BYPASS, voters, trip relay, Ch 4 Even Typical, new annunciator windows, Diverse LPI, Bypassed.]

LAR Chapter 2, Diverse Instrumentation & Control (I&C) Systems 121406.doc

2.4.2 Diverse HPI Actuation System

The diverse HPI actuation system will use analog bi-stable trip units and 2 out of 3 relay logic actuated on Low RCS Pressure. See Figure below.

[Figure: Diverse HPI Actuation System. Recoverable labels: RCS Pressure (buffered 1E to non-1E), Bypass light, channels A/B/C, BYPASS, Voter 1 and Voter 2, trip relays, 24 VDC EVEN and 24 VDC ODD voter power, PPSCA001x Ch 1 Odd Typical and Ch 2 Even Typical, new annunciator windows, Diverse HPI.]

2.4.3 Compliance to the Design Requirements for diverse LPI and HPI actuation systems

The design requirements for both diverse actuation systems are listed below. Where appropriate, a statement of how the diverse actuation systems will comply with these design requirements is made.

1. The system shall be of sufficient quality to perform the necessary function under the associated event conditions and within the required time (BTP HICB-19 B.1).
  • The proposed system will be a combination of Safety and Non-Safety Related components. The interface with the LPI and HPI actuation circuits and the LPI and HPI Diverse Disable Bypass switches will be Safety Related. The bi-stable devices, two out of three logic relays, and annunciator circuits will be supplied as non safety related and wired for isolation and separation accordingly. The power for the bi-stables and relay logic will be non safety related.
  • The quality of the components will be based on selection of known components that have a proven reliability. The relays and disable bypass switch selected will be the same as those supplied for the ES actuation circuits. The bi-stables will be standard commercial grade quality.
2. Automatic and manual actuation capability.
  • The diverse HPI actuation system will provide for automatic actuation of the Channel 1 and 2 components. This includes HPI pumps and HPI injection valves.
  • The diverse LPI actuation system will provide for automatic actuation of the Channel 3 and Channel 4 components. This includes LPI pumps, LPSW pumps and LPI injection valves.
  • Manual initiation is accomplished with the existing Trip/Reset buttons located on the main control board. The logic for these manual trips bypasses the TXS logic and allows the Operator to initiate ES actuation on a per channel basis independent of TXS software.
3. Actuate LPI and HPI on Low RC Pressure.
  • The diverse LPI actuation system will actuate only on Low Reactor Coolant Pressure. The basis for this is the diverse LPI actuation system is intended to provide automatic LPI injection to cover the case of the Large Break Loss of Coolant Accident (LBLOCA) in case the TXS has a common mode software failure. Loss of coolant pressure is the most appropriate indication that a LBLOCA has occurred.
  • The diverse HPI actuation system will actuate only on Low Reactor Coolant Pressure. The basis for this is the diverse HPI actuation system is intended to provide automatic HPI injection to cover the case of the Small Break Loss of Coolant Accident (SBLOCA) in case the TXS has a common mode software failure. Loss of coolant pressure is the most appropriate indication that a SBLOCA has occurred.
4. Accuracy - Setpoints will be chosen that permit ESPS actuation prior to the diverse actuation system actuation including instrumentation loop error.
  • The setpoints for the diverse LPI and HPI actuation systems will be chosen to allow the ESPS to actuate first.
5. Minimize Inadvertent Actuation - Use multi-channel logic in "an actuate to initiate" manner. For example, 2 out of 2 channels required.
  • The 2 out of 3 logic will minimize inadvertent actuations. Actuation circuit relays are energized to actuate. Loss of power will not result in actuation.
6. Diverse Hardware and Software required - both analog and digital applications are acceptable provided diversity is maintained.
  • Diverse hardware (bi-stables) is being provided. No software is being provided for the diverse LPI or HPI actuation systems.
7. Diverse Sensors not required - Follow BWOG AMSAC/DSS guidance if using existing RPS/ESPS sensors.
  • The Reactor Coolant Pressure signals will be isolated from the safety related signals utilizing the TXS SNV1 isolators. The signal split is on the front end of the TXS and is not affected by the software of the TXS computers.
8. Diverse power source to RPS/ESPS not required. Battery backup not required.
  • Power will be from a non-safety related, battery backed inverter.
9. Physical Separation not required.
  • Physical separation will be maintained as it relates to IEEE-384 separation criteria between safety related and non-safety components.
10. Electrical Separation is required. Electrical separation per ONS requirements.
  • Electrical separation between safety and non-safety will be maintained by the use of qualified isolation devices.
11. Safety to Non-Safety Isolation required.
  • Qualified isolation devices will be used to maintain safety to non-safety isolation.
12. Equipment must be qualified for its intended location. All logic equipment shall be located in a Mild Environment.
  • All equipment associated with the diverse LPI and HPI actuation systems, with the exception of the transmitters and associated cabling (which is Environmentally Qualified), is located in the Control Room and will be qualified for the environment based on manufacturer product specification sheets.
13. Operating Bypasses or Maintenance Bypasses
   - Appropriate Operating and/or Maintenance Bypasses must be determined.
   - Appropriate human factors and task analyses performed along with OPS training to prevent inadvertent bypassing.
   - Administrative procedures used to address Operating Bypass.
  • The Diverse LPI or HPI Disable Bypass Switches will be used to bypass the diverse actuation systems for both maintenance and operations. The procedures will require that the diverse LPI and HPI actuation systems be bypassed on controlled shutdowns at the same time that bypasses are initiated for the ESPS.
14. Diverse HPI or LPI Actuation System actions go to completion once initiated - reset controlled by procedure, same as existing ESPS.
  • The above criteria and requirements will be met.
15. Information Readouts provided in Control Room for Operator awareness and system monitoring shall be the same as during normal operation.
  • Existing readouts will continue to be utilized. No additional indicators will be provided.
16. Augmented Quality Program (GL 85-06) is not required. Non Safety Related commercial industrial products consistent with application are acceptable.
  • There are no unique or special procurement requirements.
  • High quality, industrial grade components will be used.
17. Software Quality Assurance
  • The design of the diverse actuation systems will not require the use of any software.
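The actuation behaviour laid out in criteria 3, 4, 5, 13 and 14 above (low-pressure bistables, 2-out-of-3 relay voting, energize-to-actuate relays, a Diverse Disable Bypass switch, seal-in until a procedural reset, and setpoints ordered so the ESPS acts first even with loop error) can be exercised in a small behavioural model. The following is an added example written for this page, not Duke's or AREVA's design code; every pressure, setpoint, uncertainty and channel name in it is a constructed illustration value, not Oconee plant data.

```python
"""Hypothetical model of the diverse HPI/LPI actuation logic described above.
Not Duke or AREVA code; every pressure, setpoint and uncertainty below is a
constructed illustration value, not Oconee plant data."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Bistable:
    """One analog bistable trip unit: trips when RCS pressure drops below
    its setpoint.  `powered` is the non-safety supply feeding the bistable."""
    name: str
    setpoint_psig: float
    powered: bool = True

    def tripped(self, pressure_psig: float) -> bool:
        # An unpowered bistable cannot assert a trip (de-energized = no vote).
        return self.powered and pressure_psig < self.setpoint_psig


@dataclass
class DiverseActuation:
    """2-out-of-3 relay voting with energize-to-actuate relays, a Diverse
    Disable Bypass switch, and seal-in until reset by procedure."""
    channels: List[Bistable]
    relay_power: bool = True      # 24 VDC voter/relay power
    bypassed: bool = False        # Diverse Disable Bypass switch position
    actuated: bool = field(default=False, init=False)

    def votes(self, pressure_psig: float) -> int:
        return sum(ch.tripped(pressure_psig) for ch in self.channels)

    def step(self, pressure_psig: float) -> bool:
        """Evaluate one scan and return the actuation output."""
        # Criterion 5: relays are energized to actuate, so loss of relay
        # power cannot produce an actuation (it can only prevent one).
        if not self.relay_power:
            return self.actuated
        # Criterion 13: the bypass switch blocks new actuations only;
        # an actuation already in progress is not cancelled by bypassing.
        if not self.bypassed and self.votes(pressure_psig) >= 2:
            self.actuated = True
        # Criterion 14: once initiated the action goes to completion; a
        # pressure recovery does not clear it, only reset() does.
        return self.actuated

    def reset(self) -> None:
        """Operator reset controlled by procedure, same as the existing ESPS."""
        self.actuated = False


def esps_actuates_first(esps_setpoint: float, esps_tlu: float,
                        diverse_setpoint: float, diverse_tlu: float) -> bool:
    """Criterion 4: with worst-case Total Loop Uncertainty (TLU) applied
    against the design intent, the ESPS low-pressure setpoint must still be
    reached before the diverse setpoint on a falling pressure."""
    return (esps_setpoint - esps_tlu) > (diverse_setpoint + diverse_tlu)


def demonstrate() -> dict:
    """Walk the model through the cases the criteria call out."""
    results = {}

    def fresh() -> DiverseActuation:
        return DiverseActuation([Bistable("A", 1500.0),
                                 Bistable("B", 1500.0),
                                 Bistable("C", 1500.0)])

    # Depressurization: all three bistables trip, 3 of 3 >= 2 -> actuate.
    sys_ = fresh()
    results["actuates_on_low_pressure"] = sys_.step(1400.0)
    # Seal-in: pressure recovers but the action continues until reset.
    results["holds_after_recovery"] = sys_.step(1600.0)
    sys_.reset()
    results["cleared_by_reset"] = sys_.step(1600.0)

    # Only one bistable tripped (it has a slightly higher setpoint): 1 of 3.
    sys_ = fresh()
    sys_.channels[0].setpoint_psig = 1520.0
    results["single_channel_no_actuation"] = sys_.step(1510.0)

    # One bistable unpowered, the other two trip: 2 of 3 still actuates.
    sys_ = fresh()
    sys_.channels[2].powered = False
    results["actuates_with_one_channel_lost"] = sys_.step(1400.0)

    # Loss of relay power during a real low-pressure condition: no actuation.
    sys_ = fresh()
    sys_.relay_power = False
    results["no_actuation_on_relay_power_loss"] = sys_.step(1400.0)

    # Bypassed for a controlled shutdown: no actuation as pressure is lowered.
    sys_ = fresh()
    sys_.bypassed = True
    results["no_actuation_when_bypassed"] = sys_.step(1400.0)

    # Setpoint ordering with constructed uncertainties (psig).
    results["esps_first_ok"] = esps_actuates_first(1600.0, 30.0, 1500.0, 40.0)
    results["esps_first_violated"] = esps_actuates_first(1600.0, 60.0, 1500.0, 50.0)
    return results


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case:40s} {outcome}")
```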

3.8 Cyber Security Considerations

The Duke Process Computer System Integrity directive has been revised to implement the cyber security requirements contained in NEI 04-04, Cyber Security Program for Power Reactors, Revision 1. By letter dated December 23, 2005, NRC informed NEI that NEI 04-04 is an acceptable method for establishing and maintaining a cyber security program at nuclear power plants. The NEI Nuclear Strategic Issues Advisory Committee (NSIAC) approved NEI 04-04 in early 2006 and established a mandatory schedule for implementation by all power reactors.

In addition to the above, the NRC initiated a proposed rulemaking entitled Power Reactor Security Requirements (Federal Register notice dated October 26, 2006). This rulemaking includes a proposed new rule §73.55(m), Digital computer and communication networks. At the time of submittal of this license amendment request, the rulemaking is in progress, but it is expected to be completed in the near future. Accordingly, Duke will be required to comply with the requirements of §73.55(m) when the rule is effective. The Duke Process Computer System Integrity directive will be revised as necessary to meet all the requirements of §73.55(m) when the rule is issued in its final form.

Therefore, Duke has in place programs that currently meet or will meet the applicable requirements for cyber security. The Process Computer System Integrity directive is considered to be proprietary in accordance with §2.390(d) and therefore is being withheld from public disclosure and is available for staff inspection and review.

LAR Section 3.8 Cyber Security Considerations 121406.doc

4.

Regulatory Evaluation 4.1 Significant Hazards Consideration Later 4.2 Applicable Regulatory Requirements/Criteria The following addresses the regulatory requirements and plant-specific design bases related to the proposed change.

4.2.1 Regulatory Requirements 4.2.1.1 Technical Specification 3.3.1 - "Reactor Protective Systems" The regulatory basis for TS 3.3.1 is to automatically initiate a reactor trip to: protect against violating the core fuel design limits and the Reactor Coolant Systern (RCS) pressure boundary during anticipated transients. By tripping the reactor,'the RPS also assists the Engineered Safeguards (ES) Systems in mitigating accidents.

4.2.1.2 Technical Specifications 3.3.5 - "Engineered Safeguards Protective Systems Analog Instrumentation," and 3.3.7 - "Engineered Safeguards Protective System (ESPS) Digital Automatic Actuation Logic Channels"

The regulatory basis for TS 3.3.5 and TS 3.3.7 is to automatically initiate necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and to mitigate accidents.

4.2.1.3 10 CFR 50.55a(h) - "Codes and Standards"

10 CFR 50.55a(h) requires the Oconee protection systems to meet the requirements of either IEEE Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. The criteria contained in IEEE Standard 603-1991 establish minimum functional and design requirements for the power, instrumentation, and control portions of safety systems for nuclear power generating stations.

Note that at the time of the LAR development, the 10 CFR 73.55 rulemaking is still in progress and it is expected that it will not be completed until after the LAR submittal in summer 2007.

4.2.1.4 10 CFR 50.62 - "Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants"

10 CFR 50.62(c) requires that Oconee have equipment from sensor output to final actuation device, that is diverse from the reactor trip system, to automatically initiate the auxiliary (or emergency) feedwater system and initiate a turbine trip under conditions indicative of an ATWS. This equipment must be designed to perform its function in a reliable manner and be independent (from sensor output to the final actuation device) from the existing reactor trip system.

LAR Chapter 4, Regulatory Evaluation 121406.doc

10 CFR 50.62(c)(2) requires that Oconee have a diverse scram system from the sensor output to interruption of power to the control rods. This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system (from sensor output to interruption of power to the control rods).

4.2.1.5 10 CFR 50, Appendix A - "General Design Criteria for Nuclear Power Plants"

The original licensing of Oconee precedes the development and issuance of the General Design Criteria (GDC) as they exist in the current regulations. For Oconee, the design criteria are termed "Principle Design Criteria" (PDC). The PDC for Oconee Units 1, 2 and 3 were developed in consideration of the seventy General Design Criteria for Nuclear Power Plant Construction Permits that were proposed by the AEC in a rulemaking published for 10 CFR Part 50 in the Federal Register of July 11, 1967. Oconee UFSAR Section 3.1 lists the seventy criteria proposed by the AEC, together with Duke's response indicating our interpretation of and agreement with the intent of each criterion.

A comparison of the Oconee PDCs to the 10 CFR 50 Appendix A GDCs is provided in of this enclosure.

4.2.1.6 NEI 04-04, "Cyber Security Program for Power Reactors," and 10 CFR 73.55(m) Rulemaking - "Requirements for physical protection of licensed activities in nuclear power reactors against radiological sabotage"

NSIAC and NSIR endorsed NEI 04-04 to address cyber security requirements until the pending rulemaking to change 10 CFR 73.55(m) is completed. Duke will comply with NEI 04-04, as it relates to the RPS/ESPS digital modification, on the time line required for complying with those requirements.

4.2.2 Regulatory Guidance

Note that in many instances, the IEEE Standards endorsed by NRC RGs have been superseded by a later revision of the standard. Later editions of IEEE standards provided the regulatory positions in the RGs are also addressed. This last sentence is confusing.

4.2.2.1 EPRI Topical Report (TR)-102348, Revision 1 - "Guideline on Licensing Digital Upgrades"

NRC endorsed the use of EPRI Topical Report (TR)-102348, Revision 1 as a guideline for licensing digital upgrades by Regulatory Information Summary (RIS) 2002-22 (November 25, 2002). Duke used TR-102348, Revision 1 (March 2002) as the basic guidance document for the format and content of this LAR (see Section 4.5 of TR-102348).

EPRI Report TR-102348, Revision 1, recognizes that regulatory review guidance in the Standard Review Plan (SRP) (NUREG-0800) has also been expanded to cover digital systems and that these guides and standards provide a broad base of common understanding for design, evaluation, and implementation of digital systems. Several industry initiatives and EPRI-sponsored projects have made use of these guides and standards to qualify digital equipment on a generic basis for safety related applications in nuclear power plants.

4.2.2.2 SECY 93-087 - "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs"

The NRC staff documented its position with respect to common-mode failures in SECY 93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," which was subsequently modified in the associated Staff Requirements Memorandum.

4.2.2.3 Branch Technical Position HICB-19 - "Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems"

The NRC staff established acceptance guidelines for defense-in-depth and diversity (D-in-D&D) assessments in Branch Technical Position HICB-19. The BTP provides guidance to NRC Staff for review of an applicant/licensee's D-in-D&D assessment and design of manual controls and displays to ensure that the requirements of the NRC position on D-in-D&D for I&C systems incorporating digital computer-based reactor trip systems (RTS) or engineered safety features actuation systems (ESFAS) are followed.

Note that a revision to this guidance may be issued during the development of the LAR and prior to its submittal in summer 2007.

4.2.2.4 Regulatory Guide (RG) 1.47 - "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," Revision 0, May 1973

The RG describes an acceptable method for implementing the requirements of Section 4.13 of IEEE Std 279-1971 and Criterion XIV of Appendix B to 10 CFR 50 with respect to indicating the bypass or inoperable status of portions of the protection system, systems actuated or controlled by the protection system, and auxiliary or supporting systems that must be operable for the protection system and the system it actuates to perform their safety related functions.

4.2.2.5 RG 1.53 - "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," Revision 2, November 2003

Conformance with the requirements of IEEE Std 379-2000, "Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems," provides methods acceptable to the NRC staff for satisfying the NRC's regulations with respect to the application of the single-failure criterion to the electrical power, instrumentation, and control portions of nuclear power plant safety systems.

4.2.2.6 RG 1.62 - "Manual Initiation of Protective Actions," Revision 0, October 1973

Paragraph (h), "Protection Systems," of Section 50.55a, "Codes and Standards," of 10 CFR Part 50, "Licensing of Production and Utilization Facilities," requires that protection systems meet the requirements set forth in the Institute of Electrical and Electronics Engineers "Criteria for Nuclear Power Plant Protection Systems" (IEEE 279). Section 4.17, "Manual Initiation," of IEEE Std 279-1971 requires that protection systems include means for manual initiation of each protective action at the system level and that the single-failure criterion as set forth in Section 4.2 of IEEE 279 be met. This guide describes a method acceptable to the AEC Regulatory staff for complying with the requirements of Section 4.17 of IEEE Std 279-1971 for including the means for manual initiation of protective actions.

4.2.2.7 Draft Regulatory Guide DG-1145 (RG 1.70 Supplement) - "Combined License Applications for Nuclear Power Plants (LWR Edition)"

Draft Regulatory Guide DG-1145, "Combined License Applications for Nuclear Power Plants (LWR Edition)," provides guidance on digital I&C systems in Section 1.7 (check).

The information provided in this chapter emphasizes those instruments and associated equipment which constitute the protection and safety systems. It also refers to the same hierarchy of rules/regulatory guidance; 10 CFR 50.55a(h) requires protection systems to meet the requirements of IEEE Std 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."

It goes on to state that IEEE Std 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," which provides criteria for applying IEEE Std 603 to computer systems, was endorsed by Regulatory Guide 1.152, Rev. 2. DG-1145 states that other IEEE Standards referenced in the DG should be the revision endorsed by the current revision of a regulatory guide unless a specific revision in the document is provided.

Note that at the time of the LAR development, this regulatory guidance is not final. It is expected to be final prior to the LAR submittal date in summer 2007.

4.2.2.8 RG 1.75 - "Physical Independence of Electric Systems," Revision 3, February 2005

Conformance with the requirements of IEEE Std. 384-1992, "Standard Criteria for Independence of Class 1E Equipment and Circuits," provides a method that the NRC staff considers acceptable for satisfying the agency's regulatory requirements concerning physical independence of the circuits and electrical equipment that comprise or are associated with safety systems, subject to the following (as described in the RG).

4.2.2.9 RG 1.118 - "Periodic Testing of Electric Power and Protection Systems," Revision 3, April 1995

Conformance with the requirements of IEEE Std. 338-1987, "Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems," provides a method acceptable to the NRC staff for satisfying the Commission's regulations with respect to periodic testing of electric power and protection systems if the following exceptions are complied with: (as described in the RG)


4.2.2.10 RG 1.152 - "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants"

NRC Regulatory Guide (RG) 1.152, Revision 1, January 1996 indicates that conformance with the requirements of IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," with the exception of relying solely on quantitative reliability goals (Section 5.15), is a method acceptable to the NRC staff for satisfying the Commission's regulations with respect to high functional reliability and design quality requirements for computers used as components of a safety system. Revision 2 to this RG was issued January 2006 endorsing IEEE Std 7-4.3.2-2003 with additional regulatory requirements for security matters. These security matters are addressed more appropriately in NEI 04-04, "Cyber Security Program for Power Reactors."

RG 1.152 indicates that IEEE Std 7-4.3.2-1993 evolved from ANSI/IEEE-ANS-7-4.3.2-1982, and is a significant improvement. The 1993 version was approved by the IEEE Standards Board on September 15, 1993. It further indicates that this standard identifies guidelines for digital computers (including hardware, software, firmware, and interfaces) to supplement IEEE Standard 603-1991 and that the NRC staff recognizes that development processes for computer systems continue to evolve.

Section 2 of IEEE Standard 7-4.3.2-1993 references several industry codes and standards. If a referenced standard has been separately incorporated into the Commission's regulations, licensees and applicants must comply with the standard as set forth in the regulation. If the referenced standard has been endorsed by the NRC staff in a regulatory guide, the standard constitutes an acceptable method of meeting a regulatory requirement as described in the regulatory guide. If a referenced standard has been neither incorporated into the Commission's regulations nor endorsed in a regulatory guide, licensees and applicants may consider and use the information in the referenced standard if appropriately justified, consistent with current regulatory practice.

4.2.2.11 RG 1.153 - "Criteria for Safety Systems" and IEEE 603-1991 - "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations"

NRC Regulatory Guide (RG) 1.153 indicates that conformance with the requirements of IEEE Std 603-1991 provides a method acceptable to the NRC staff for satisfying the Commission's regulations with respect to the design, reliability, qualification, and testability of the power, instrumentation, and control portions of the safety systems of nuclear power plants.

The new digital equipment that replaces the existing analog system will comply with IEEE 603-1991 and later editions. Per RG 1.153, conformance with the requirements of IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations" (including the correction sheet dated January 30, 1995), provides a method acceptable to the NRC staff for satisfying the Commission's regulations with respect to the design, reliability, qualification, and testability of the power, instrumentation, and control portions of the safety systems of nuclear power plants.

Section 3 of IEEE Std. 603-1991 references several industry codes and standards. If a referenced standard has been incorporated separately into the Commission's regulations, licensees and applicants must comply with that standard as set forth in the regulation. If the referenced standard has been endorsed in a regulatory guide, the standard constitutes a method acceptable to the NRC staff of meeting a regulatory requirement as described in the regulatory guide. If a referenced standard has been neither incorporated into the Commission's regulations nor endorsed in a regulatory guide, licensees and applicants may consider and use the information in the referenced standard if appropriately justified, consistent with current regulatory practice. RG 1.153 indicates that the following GDCs are applicable to the power, instrumentation, and control portions of nuclear power plant safety systems: 2, 4, 5, 10, 12, 13, 15, 17, 18, 20, 21, 22, 23, 24, 25, 29, 34, 37, and 54.

4.2.2.12 RG 1.168 - "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Revision 1, February 2004

This regulatory guide endorses IEEE Std 1012-1998, "IEEE Standard for Software Verification and Validation," and IEEE Std 1028-1997, "IEEE Standard for Software Reviews and Audits." IEEE Std 1012-1998, with the exceptions stated in the Regulatory Position, describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. In particular, the method is consistent with the previously cited General Design Criteria and the criteria for quality assurance programs in Appendix B, as applied to software verification and validation (V&V). The criteria of Appendices A and B apply to systems and related quality assurance processes. If those systems include software, the requirements extend to the software elements. IEEE Std 1028-1997 provides guidance acceptable to the NRC staff for carrying out software reviews, inspections, walkthroughs, and audits subject to certain provisions.

The Regulatory Position of the RG indicates that the annexes to IEEE Std 1012-1998 and IEEE Std 1028-1997 contain information that may be useful, but the information in these annexes should not be viewed as the only possible solution or method. Since a consensus has not been reached in the nuclear industry regarding the use of these methods, these annexes are not endorsed by the NRC staff, except as noted in the RG.

4.2.2.13 RG 1.169 - "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Revision 0, September 1997

This regulatory guide, which endorses IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," and ANSI/IEEE Std 1042-1987, "IEEE Guide to Software Configuration Management," with the exceptions stated in the Regulatory Position, describes methods acceptable to the NRC staff for complying with the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. In particular, the methods are consistent with the previously cited General Design Criteria and the criteria for quality assurance programs of Appendix B as they apply to the maintenance of appropriate records of, and control of, software development activities. The criteria of Appendices A and B apply to systems and related quality assurance processes and, if those systems include software, the requirements extend to the software elements.


4.2.2.14 RG 1.170 - "Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Revision 0, September 1997

This regulatory guide endorses ANSI/IEEE Std 829-1983, "IEEE Standard for Software Test Documentation," with the exceptions stated in the Regulatory Position. This guide describes methods acceptable to the NRC staff for complying with parts of the NRC's regulations for achieving high functional reliability and design quality in software used in safety systems. In particular, the methods are consistent with the previously cited General Design Criteria and the criteria for quality assurance programs of Appendix B as they apply to the documentation of software testing activities. The criteria of Appendices A and B apply to systems and related quality assurance processes, and if those systems include software, the requirements extend to the software elements.

4.2.2.15 RG 1.171 - "Software Unit Testing for Digital Computer Software in Safety Systems of Nuclear Power Plants," Revision 0, September 1997

This regulatory guide endorses ANSI/IEEE Std 1008-1987, "IEEE Standard for Software Unit Testing," with the exceptions stated in the Regulatory Position. IEEE Std 1008-1987 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. The appendices to IEEE Std 1008-1987 are not endorsed by this regulatory guide except as noted in the RG. The criteria of Appendices A and B apply to systems and related quality assurance processes, and if those systems include software, the requirements extend to the software elements.

4.2.2.16 RG 1.172 - "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Revision 0, September 1997

This regulatory guide endorses IEEE Std 830-1993, "IEEE Recommended Practice for Software Requirements Specifications," with the exceptions stated in the Regulatory Position. IEEE Std 830-1993 describes a method acceptable to the NRC staff for complying with the NRC's regulations for achieving high functional reliability and design quality in software used in safety systems. In particular, the method is consistent with GDC 1 and the criteria for quality assurance programs in Appendix B as they apply to the development of software requirements specifications. The criteria of Appendices A and B apply to systems and related quality assurance processes, and if those systems include software, the requirements extend to the software elements.

Several exceptions to IEEE Std 830-1993 are listed in the Regulatory Position for this RG that the NRC Staff states will be considered in their review of submittals from applicants and licensees.


4.2.2.17 RG 1.173 - "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," Revision 0, September 1997

The requirements contained in IEEE Std 1074-1995, "IEEE Standard for Developing Software Life Cycle Processes," provide an approach acceptable to the NRC staff for meeting the requirements of 10 CFR Part 50 and the guidance in Revision 1 of Regulatory Guide 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," as they apply to development processes for safety system software, subject to the provisions listed below. The appendices to IEEE Std 1074-1995 are not endorsed by this regulatory guide. To meet the requirements of 10 CFR 50.55a(h) and Appendix A to 10 CFR Part 50 as ensured by complying with the criteria of Appendix B applied to the development processes for safety system software, the following provisions are necessary and will be considered by the NRC staff in the review of applicant submittals. (In this Regulatory Position, the cited criteria are in Appendix B to 10 CFR Part 50 unless otherwise noted.)

4.2.2.18 RG 1.180 - "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety Related Instrumentation and Control Systems," Revision 1, October 2003

This guidance recommends design and installation practices to limit the impact of electromagnetic effects, testing practices to assess the emissions and susceptibility of equipment, and testing practices to evaluate the power surge withstand capability of the equipment.

Operating envelopes characteristic of the electromagnetic environment in nuclear power plants are cited in this guidance as the basis for establishing acceptable testing levels.

Table 1 lists the specific regulatory positions on EMC that are set forth in the RG. This guidance is applicable to all new safety-related systems or modifications to existing safety-related systems that include analog, digital, or hybrid (i.e., combined analog and digital) electronics equipment. The endorsed test methods for evaluating the electromagnetic emissions, EMI/RFI susceptibility, and power surge withstand capability of safety-related equipment are intended for application in test facilities or laboratories before installation.

4.3 Precedent

The TELEPERM XS system, as described in Siemens (FANP) Topical Report EMF-2110(NP), Revision 1, "TXS: A Digital Reactor Protection System" (Reference 2), will replace the present ONS RPS and ESPS as described in ONS UFSAR Chapter 7. The data acquisition process, the signal validation, and the protection logic for these systems will be performed by the TXS System.

By letter dated May 5, 2000, the NRC issued a safety evaluation (SE) which found the TELEPERM XS System as described in Topical Report EMF-2110(NP), Revision 1, "TELEPERM XS: A Digital Reactor Protection System," acceptable for referencing in license applications to the extent specified in the topical report and NRC SE. Based on the information provided and the review conducted, the NRC staff concluded that the design of the TXS system is acceptable for safety-related instrumentation and control (I&C) applications and meets the relevant regulatory requirements. The cover letter to the SE indicates that the NRC staff will not repeat its review and acceptance of the matters described in the report, when the report appears as a reference in license applications, except to assure that the material presented is applicable to the specific plant involved. The cover letter further states that the NRC staff's acceptance applies only to the matters described in the report.

The SE requires several plant-specific actions to be performed by an applicant when requesting NRC approval for installation of a Siemens (FANP) TXS system. The installation prerequisites listed in the SE have been met as noted in Attachment 2.

Information provided in Section 3 of this enclosure and Attachment 2 provides justification for differences from the TXS System approved by the NRC in the SE.

4.4 Conclusions

Later

Cross-Reference of Current General Design Criteria in 10 CFR Part 50 to Oconee Licensing Basis General Design Criteria

Current 10 CFR Part 50, Appendix A General Design Criteria (applicable to RPS/ES systems*) | Corresponding Oconee Licensing Basis General Design Criteria (Section 3.1 of the Oconee UFSAR)

Criterion 1 - Quality Standards and Records | Section 3.1.1 - Criterion 1 - Quality Standards; Section 3.1.5 - Criterion 5 - Records Requirements
Criterion 4 - Environmental and Missile Design Bases | Section 3.1.2 - Criterion 2 - Performance Standards
Criterion 13 - Instrumentation and Control | Section 3.1.12 - Criterion 13 - Instrumentation and Control Systems
Criterion 20 - Protection System Functions | Section 3.1.14 - Criterion 14 - Core Protection Systems; Section 3.1.15 - Criterion 15 - Engineered Safety Features Protection Systems
Criterion 21 - Protection System Reliability and Testability | Section 3.1.19 - Criterion 19 - Protection Systems Reliability
Criterion 22 - Protection System Independence | Section 3.1.20 - Criterion 20 - Protection Systems Redundancy and Independence
Criterion 23 - Protection System Failure Modes | Section 3.1.26 - Criterion 26 - Protection Systems Fail-Safe Design
Criterion 24 - Separation of Protection and Control Systems | Section 3.1.22 - Criterion 22 - Separation of Protection and Control Instrumentation Systems

* From NRC Safety Evaluation on Teleperm XS System dated May 8, 2000

Cross-Reference of TELEPERM Topical Report SE Plant Specific Action Items to Location in Oconee LAR

PSAI 1: The licensee must demonstrate that the generic qualification bounds the plant specific condition (i.e., temperature, humidity, seismic, and electromagnetic compatibility) for the location(s) in which the TXS equipment is to be installed. The generic qualification data must comply with EPRI qualification requirements specified in EPRI TR-107330 and TR-102323-R1 (see SER Sections 2.1.2.1, 2.1.2.2, and 2.1.2.3).
LAR Section: 3.3.4 Equipment Qualification; 3.4.7 Equipment Qualification

PSAI 2: The licensee's plant-specific software development V&V activities and configuration management procedures must be equivalent to industry standards and practices endorsed by the NRC (as referenced in SRP BTP HICB-14, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems") (see SER Sections 4.4, 2.2.3, 2.2.4).
LAR Section: 3.2.5 Life Cycle Process Planning; 3.2.6 Life Cycle Process; 3.3.3 Requirements; 3.4.3 Quality; 3.4.4 Software Life Cycle Planning

PSAI 3: If the licensee develops a TXS auxiliary feedwater control system, the licensee must include automatic initiation and flow indication (TMI Action Plan Item II.E.1.2). The licensee needs to confirm that the plant-specific application conforms to the requirements of 10 CFR 50.34(f)(2)(xii) (see Section 5.0).
LAR Section: Not applicable

PSAI 4: If the licensee replaces existing accident monitoring instrumentation (TMI Action Plan Item II.F.1) display capabilities with a TXS system, including the bypass and inoperable status information, the licensee needs to confirm that the new system provides equivalent sampling and analyzing features, and meets the requirements of 10 CFR 50.34(f)(2)(xvii) (see Section 5.0).
LAR Section: Not applicable

PSAI 5: If the licensee installs a TXS inadequate core cooling detection system, the licensee needs to confirm that the new system conforms to the requirements of 10 CFR 50.34(f)(2)(xviii) (see Section 5.0).
LAR Section: Not applicable

PSAI 6: If the licensee installs a TXS containment isolation system (TMI Action Plan Item II.E.4.2), the licensee must verify that the plant's specific application conforms to the requirement of 10 CFR 50.34(f)(2)(xiv) (see Section 5.0).
LAR Section: Not applicable

PSAI 7: For monitoring plant conditions following core damage, the licensee must verify that the TXS system meets the processing and display portions of the requirements of 10 CFR 50.34(f)(2)(xix) (see Section 5.0).
LAR Section: Not applicable

PSAI 8: If the licensee installs a TXS system for monitoring reactor vessel water level during post-accident conditions, the licensee must provide plant-specific verification of the ranges, and confirm that human factors issues have been addressed, as required by 10 CFR 50.34(f)(2)(xxiv) (see Section 5.0).
LAR Section: Not applicable

PSAI 9: If the licensee installs a TXS reactor protection system, the licensee must provide confirmation that the TXS is diverse from the system for reducing the risk from anticipated transients without scram (ATWS), as required by 10 CFR 50.62. If the licensee installs a TXS ESFAS, the licensee must provide confirmation that the diversity requirements for plant systems (feedwater, auxiliary feedwater, turbine controls, etc.) are maintained (see SER Section 5.0).
LAR Section: 2.4 Diverse Instrumentation & Control; 3.2.3 Defense-in-Depth and Diversity

PSAI 10: Setpoints will be evaluated on a plant-specific basis. The licensee must ensure that, when the TXS system is installed, overly conservative setpoints that may occur due to the elimination of analog system drift are not retained, as this would increase the possibility that the TXS equipment may be performing outside the vendor specifications. The licensee must provide the staff with a revised setpoint analysis that is applicable to the installed TXS system(s) (see SER Section 4.0).
LAR Section: 3.3.21 Setpoints

PSAI 11: The licensee must evaluate plant-specific accident analyses to confirm that a TXS reactor trip system (RTS) includes the provision to detect accident conditions and anticipated operational occurrences in order to initiate reactor shutdown (safety analysis confirmation for accuracy and time response) consistent with the accident analysis presented in Chapter 15 of the plant safety analysis report (see SER Section 4.3).
LAR Section: 3.3.21 Setpoints; 3.5.2 Testing

PSAI 12: The staff requires that each licensee ensure that the plant-specific TXS application complies with the criteria of defense against common-mode failures in digital instrumentation and control systems (see SER Section 4.1).
LAR Section: 3.2.3 Defense-in-Depth and Diversity

PSAI 13: The licensee should propose plant-specific Technical Specifications including periodic test intervals (see SER Section 4.2).
LAR Section: 2.2 RPS; 2.3 ES; 3.6.6 Periodic Surveillance

PSAI 14: The licensee should demonstrate that the power supply to the TXS system complies with EPRI TR-107330 requirements (see SER Section 2.1.2.4).
LAR Section: 2.2 RPS; 2.3 ES

PSAI 15: The licensee should demonstrate that the qualification of the isolation devices was performed in accordance with EPRI TR-107330 requirements (see SER Section 2.1.3).
LAR Section: 3.3.6 Independence; 3.4.9 Independence

PSAI 16: The licensee should demonstrate that Siemens (FANP) TXP (control systems) or other manufacturer's control systems satisfy the acceptance guidance set forth in Section 4.1 of this safety evaluation (see SER Section 4.1).
LAR Section: Not applicable

PSAI 17: The licensee should address the need for a requirement traceability matrix (RTM) for enumerating and tracking each system requirement throughout its life cycle, particularly as part of making future modifications (see SER Section 4).
LAR Section: 3.2.5 Life Cycle Process Planning; 3.2.6 Life Cycle Process; 3.2.7 Requirements; 3.4.4; 3.4.5; 3.4.6