ML071370364

| Field | Value |
|---|---|
| Site | Wolf Creek |
| Issue date | 05/17/2007 |
| From | Donohew J NRC/NRR/DLPM/LPD4 |
| To | Wolf Creek |
| Person / Time | Donohew J N, NRR/DORL/LP4, 415-1307 |
| Shared Package | ML071420095 |
| References | TAC MD4839 |
| Download | ML071370364 (41) |
NRC PRESENTATION
MEETING ON MAY 17, 2007 WITH WOLF CREEK NUCLEAR OPERATING CORPORATION
MAIN STEAM FEEDWATER ISOLATION SYSTEM UPGRADE

TIMELINE FOR REVIEW OF LICENSEE'S REQUEST FOR MSFIS UPGRADE
LICENSEE'S EMAIL DATED APRIL 6, 2007
NRC STAFF'S EMAILS DATED MAY 1 and 2, 2007
NRC STAFF'S EMAIL DATED MAY 16, 2007
DEVELOPMENT LIFE CYCLE OF THE MSFIS UPGRADE PROJECT
Timeline for Review of Licensee's Request for MSFIS Upgrade:
There was a pre-application review of the MSFIS upgrade, which was requested by the licensee. This involved a meeting held on June 28, 2006, and several conference calls. The pre-application review ended with the licensee's application dated March 14, 2007. The staff was not given a list of information to be submitted or a draft application letter as part of the pre-application review. There were slides in the meeting on the project milestones, including the phases of the project.
The licensee submitted its application on March 14, 2007, to (1) upgrade the MSFIS, (2) replace the main steam and feedwater isolation valves (MSFIVs), and (3) make the associated changes to the Technical Specifications (TSs).
Upon the initial determination of missing information, a table of this information was sent to the licensee, and the licensee addressed this information in its email dated April 6, 2007. (See .)
The licensee submitted a supplemental letter dated April 18, 2007. The letter acknowledged the above email, provided the information that was identified as readily available in the memo, and stated that the other information in the table would be provided as it became available. The licensee did not include its email dated April 5, 2007, in this letter.
After review of the information provided in the letters dated March 14 and April 18, 2007, the staff developed the points of deficiency (missing information) in these letters, and these points were sent to the licensee by emails dated May 1 and 2, 2007. (See Attachment 2.) These points were addressed by the licensee in its letter dated May 9, 2007.
At the time the points of deficiency were sent to the licensee, the licensee requested a meeting with the staff, and a meeting was scheduled for May 17, 2007. The meeting notice was issued May 3, 2007 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML071220489). When the meeting notice was issued there was a question whether the meeting would in fact be needed if the staff was fully in agreement with the licensee's response to the points of deficiency; however, since the licensee's May 9, 2007, letter, it has been determined that the meeting is necessary.
In preparation for the meeting, the staff developed a list of the documentation needed for the staff's review of the proposed MSFIS upgrade. This list includes more documentation than is needed for the staff to begin its review. The list was sent to the licensee by email dated May 16, 2007. (See .) The staff wants to understand where the licensee is in the development life cycle of the MSFIS upgrade project (Attachment 4, the licensee's slide No. 16 in the meeting of June 28, 2006) and which of the documentation in the attached list is available or when it would be submitted to the staff.
ATTACHMENT 1

From: "Wideman Steven G" <stwidem@WCNOC.com>
To: "Jack Donohew" <JND@nrc.gov>
Date: 04/06/2007 5:27:27 PM
Subject: RE: IMPORTANT Re: WCNOC MSFIS/MSIVs/MFIVs LAR - Table of Information (Rev. 2)
Jack - attached is revision 2 of the Table of Information. Changes (shown in red) made to the table are on page 2, 3, and 13 to show that the Nutherm Dedication Plan, Rev. 0, and the System Reliability Analysis are available now. These two documents are included on the CD that you should be receiving on Monday (4/9/07). [These documents were submitted in the WCNOC letter dated April 18, 2007.]
Steve Wideman
WCNOC Licensing

----- Original Message -----
From: Wideman Steven G
Sent: Thursday, April 05, 2007 10:32 AM
To: 'Jack Donohew'
Cc: Guevel Patrick E; Hooper Diane M; Clarkson Gregory W
Subject: RE: IMPORTANT Re: WCNOC MSFIS/MSIVs/MFIVs LAR - Table of Information

Jack - attached is a revised table providing the information concerning the Nutherm surveys (audits) of CSI. The information is on page 5 (this time I numbered the pages) and the change is shown in red.
Regarding the CD on information, we will work to have the information (non-docketed at this stage) to you on Monday.
Steve Wideman
WCNOC Licensing

The information contained in this electronic correspondence is informally submitted to the NRC and is not considered as docketed correspondence by Wolf Creek Nuclear Operating Corporation (WCNOC). Should the NRC wish to assign a docket number to this correspondence, WCNOC requests it be contacted to obtain concurrence.

[Through its project manager, the NRC contacted WCNOC on May 16, 2007, and received permission to docket this email by including the email in its presentation at the meeting with WCNOC on May 17, 2007.]

----- Original Message -----
From: Jack Donohew
Sent: Wednesday, April 04, 2007 4:59 PM
To: Wideman Steven G
Subject: IMPORTANT Re: WCNOC MSFIS/MSIVs/MFIVs LAR - Table of Information

On the bottom of page 4 of the pdf attachment, there is the following info item: "Why do you believe the vendor is using a high quality design process, and is meeting the requirements of 10 CFR? What quality control procedures are being used?"
Your response should have included what you said to me in the weekly call today: that 3rd parties like Nutherm International have already done some audits of CS Innovations. This is why your people stated in the Tuesday call that it was expected that CS Innovations QA would meet Appendix B.
Also, can you not get us the CD(s) with add'l info by Monday, April 16th?
<JND>
>>> "Wideman Steven G" <stwidem@WCNOC.com> 04/04/2007 5:30:17 PM >>>
On March 21, 2007, WCNOC received an e-mail from the NRC Project Manager indicating that WCNOC's license amendment request dated March 14, 2007 (letter ET 07-0004) was missing a significant amount of information to support the review of the application and a telecon was suggested. A general response to the e-mail was provided on March 21, 2007 and WCNOC agreed that a telecon would be beneficial for discussing the level of detail necessary to support the review. A telecon was arranged for April 3, 2007.
Prior to the April 3, 2007 telecon (1:00 CDT), the NRC Project Manager provided by e-mail on April 3, 2007 (at 8:50 AM CDT) a generic list (table) of items that a reviewer would need to complete the review.
This table of items was based on Section 7 of the Standard Review Plan (page 7.0-6) and documents listed in Branch Technical Position HICB-14 (BTP 14), "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems."
During the telecon on April 3, 2007, WCNOC agreed to provide on April 4, 2007 if the information in the generic list was currently available and if not currently available when it would be available. WCNOC is also providing additional input regarding the complexity of the modification and the level of detail provided in the license amendment request based on information provided by the NRC during the telecon.
- Complexity of the modification - the reviewer indicated that after an initial review of the application, WCNOC had changed the design to be more complex and the review would take significantly more time. The reviewer specifically referred to Enclosure 1, Figure 3 that provided the Generic ALS Architecture. The architecture presented in the application is no different than the architecture presented at the WCNOC/NRC meeting on June 28, 2006, in which this same figure was used in the slide presentation by WCNOC. A good portion of the meeting was spent discussing this slide and in particular the Reliable ALS Bus (RAB) and Test ALS Bus (TAB) were discussed. Attendees at the meeting from the NRC included: J. Donohew, A. Howe, P. Rebstock, P. Loeser, N. Carte, W. Kemper, and M. Waterman.
- Level of information in the license amendment request - WCNOC believed that the level of information that was provided in the request would be sufficient to perform the review based on the additional reviews that were to be conducted by the research branch. WCNOC believed that based on the discussions that had been held with the NRC (in particular the discussion on November 27, 2006) that the bulk of the technical reviews were going to be done by research and that the NRR technical branch would be able to utilize that review to perform an abbreviated review. WCNOC had recognized that more information would be needed in order for the review to be completed.
WCNOC does not want to belabor these points as we need to move forward and support the NRC staff review in support of the schedule for installing the new MSIVs, MFIVs, and changes to the MSFIS.
The attached file includes a modified table (incorporates a new column) that provides some discussion regarding the information identified by the NRC as being needed and the availability of the information. The generic list identifies documents listed in Branch Technical Position HICB-14, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems." As discussed in the license amendment request, the MSFIS control system is based on the Advanced Logic System and does not utilize a microprocessor and therefore has no software component for the operation of the system. However, WCNOC has included in the table references to the ALS design planning documentation, design specific documentation, analysis documentation, verification and validation reports, and installation, operations, and maintenance documentation.
For the supplemental information that has been identified as currently available, WCNOC proposes the following:
1. WCNOC will provide the supplemental information that is currently available electronically on a CD by April 13, 2007. A number of the documents include proprietary information.
2. WCNOC will submit on the WCGS docket the supplemental information provided in item 1 above with the appropriate affidavits by May 4, 2007.
WCNOC also proposes that a working meeting be held the week of May 14, 2007 to go over the supplemental information being provided and to provide supporting details concerning the proposed modification to the MSFIS logic.
<<NRC Information Table.pdf>>
Steve Wideman
WCNOC Licensing

The information contained in this electronic correspondence is informally submitted to the NRC and is not considered as docketed correspondence by Wolf Creek Nuclear Operating Corporation (WCNOC). Should the NRC wish to assign a docket number to this correspondence, WCNOC requests it be contacted to obtain concurrence.
Wolf Creek LAR Problems

In general, the initial set of questions is intended to determine if the digital equipment used was designed in accordance with the applicable requirements specified in IEEE 603, as required by 10 CFR 50.55a, and in the General Design Criteria in 10 CFR 50, Appendix A.
Section 7 of the Standard Review Plan, on page 7.0-6, when discussing the system design evaluation, states that the evaluation should be based on:
"The key characteristics, performance requirements, general arrangements, and materials of construction of the systems to confirm there is reasonable assurance the final design will conform to the design bases with adequate margin for safety."
and "The applicant/licensee's analysis and technical justification to show that the I&C system design, including the underlying design bases and performance requirements, can perform appropriate safety functions."
The following are a generic list of items which a reviewer needs to know to understand what the new system is, how it works, what is supposed to do, and how we can determine that the final design will conform to the design bases with adequate margin for safety.
4/6/07

| Information needed to understand the system design (1) | Information provided by Wolf Creek (1) | Information available (document) (2) |
|---|---|---|
| What are the types of equipment, manufacturer and model? What documentation is available on the qualification or dedication process? | Vendor: CS Innovation. Brand: Advanced Logic Systems. No data on dedication. | Logic Based Controls System, CS Innovations, Advanced Logic System (ALS). The qualification and dedication of the system is being performed by Nutherm International. Further information is provided in: Nutherm Qualification Report WCN-9715R w/attachments - available now; Nutherm Dedication Plan WCN-9715DP - available now (changed from "available in May"). |
| What type of digital device is used, i.e., µP, PLC, ASIC? Which device is it? | Actel Flash type FPGA - no other information is provided on which FPGA is used. | Actel FPGA, Actel ProASICplus 600 - APA600-BG456. Further FPGA information is provided in: ALS Level 1 Design Specification (Chapter 18) - available now. |
| What standards were used in the design and manufacture of the equipment? | Unknown - Not discussed in submittal. | Manufacturing standards used in the design and manufacture are the Institute for Printed Circuits (IPC) standards. The design standards used are referenced in the MSFIS Level 1 Specification. MSFIS Level 1 Specification (Chapter 1) - available now. |
| How many of these are in use at other sites, nuclear and non-nuclear? | Unknown - Not discussed in submittal. | WCNOC is not aware that this system is in use at any nuclear or non-nuclear sites. The ALS design is currently specific to WCGS. The ALS does utilize proven components that have been used in many applications including military, aerospace, and spaceborne. FPGA White Paper - available in May. |
| How reliable is the equipment? Is there a failure history available, and if so, how accurate is it? | Unknown - Not discussed in submittal. | Attachment 1, page 9 of 133, to ET 07-0004 identifies Mean Time Between Failures when discussing the application of SR 3.3.2.3 to the MSFIS. Reliability numbers and failure history are available for the individual components. The System Reliability Analysis for ALS provides a calculated reliability of the system. System Reliability Analysis - available now (changed from "available in May"). |
| What type and how much memory is in each device? | Unknown - Not discussed in submittal. | There is no memory used in the FPGAs; only flip-flops and gates. The boards each have a non-volatile memory attached for storing the setpoints. The setpoints use less than 256 bits/board. ALS Level 1 Specification (Chapter 10) - available now. |
| Is the code in the device accessible to the end-user? How many lines of code are there? | Unknown - Not discussed in submittal. | No - the code is not accessible to the end-user. Zero lines of executable software. ALS Level 1 Specification - available now. |
| What programming language was the code written in? What tools were used during software development? How were the tools qualified? | Some sort of schematic capture was used - no other information is provided. | This is not a software solution, so there is no software programming language for executable software. The logic circuits are described in VHDL. FPGA White Paper - available in May; ALS Tools Overview - available now. |
| How was the code verified and tested? Are those records available? | Unknown - Not discussed in submittal. | This is not a software based system, therefore there is no executable software. |
| How was the hardware tested? Are those records available? Was a written and verified test plan used? | Unknown - Not discussed in submittal. | The hardware is tested to a system test plan and a board test plan. There is an independent test system for performing tests on both the individual boards as well as the entire system. Board Test Plan and System Test Plan - available in May. |
| What are the environmental qualifications of the equipment? Does this envelope the worst case plant conditions for instances where the equipment is needed? How were these qualifications proven? | Nutherm Qualification Report WCN-9715R was provided. It is not known if this meets worst case plant conditions. | WCNOC specification J-105A defines the environmental requirements for the system. These requirements bound the worst case plant conditions for which the equipment is required to operate. The qualification results are provided in the Qualification Report from Nutherm International. J-105A - available now; Nutherm Qualification Report WCN-9715R w/attachments - available now. |
| What in the device is user modifiable? How will this be controlled? | Unknown - Not discussed in submittal. | The device is not modifiable by the user. To make a modification, WCNOC would be required to perform a design change package and utilize the services of CS Innovations (or another vendor with suitable knowledge and qualifications) to modify the design of the system. ALS Level 1 Specification - available now. |
| What configuration control does the vendor have? If the licensee decides to buy a replacement device in 10 years, what assurance do they have that the new device will be the same as the old device? If it is different, how will the licensee know what the differences are, and how will those differences be evaluated by the licensee? | Unknown - Not discussed in submittal. | CS Innovations has a QA Program in place to ensure an appropriate level of configuration control. WCNOC owns the rights to the full design of the system and would be able to utilize the services of another vendor, with suitable knowledge and qualifications, to have additional boards built. |
| Why do you believe the vendor is using a high quality design process, and is meeting the requirements of 10 CFR? What quality control procedures are being used? | Unknown - Not discussed in submittal. | CS Innovations is working to a QA Program, which has not currently been directly audited by WCNOC. The CS Innovations procedures are available on request or can be reviewed during a vendor visit. Nutherm International is specifically contracted by WCNOC to provide qualification and dedication activities for the ALS. At the initiation of the project, WCNOC met with Nutherm and CS Innovations to lay out the oversight activities to be performed by Nutherm. Nutherm is performing surveys (audits) of the CS Innovations activities by periodically observing field activities at the CS Innovations site and reviewing CS Innovations documentation at Nutherm offices. |
| How will installation of this equipment affect the existing accident analysis, and the existing licensing basis? | Unknown - Not discussed in submittal. | The modified MSFIS performs the same as the current design except that the system is comprised of advanced logic technology. The Solid State Protection System and Reactor Protection System input the ESFAS signals, the Main Control Board handswitches input to the MSFIS cabinets, and the same actuation relays are utilized in the new design (discussed in letter ET 07-0004, Attachment I, page 6 of 133). The response time requirements for the modified system are the same as the existing system requirements. Therefore, the modification to the MSFIS does not affect the accident analysis. For the existing licensing basis, a revision to the Technical Specifications and associated Bases is proposed to include a new Function 4.c and 5.b for the MSFIS Automatic Actuation Logic and Relays, since the current Automatic Actuation Logic and Actuation Relays is specific to the Westinghouse SSPS. Revisions to the Updated Safety Analysis Report (USAR) are identified with the development of the Design Change Package. Proposed changes to the USAR based on the modification to the MSFIS will be completed by June. |
| What provisions for diversity and defense-in-depth have been provided, that is, how will the plant cope if all this equipment fails? | Unknown - Not discussed in submittal. | The intent of the system architecture and design is not to contain any common mode failure points. The system provides the ability for the operators to manually close the valves from the control room in the event of a total system failure. |
| How will the licensee monitor and approve the design processes? Does the licensee have personnel who are familiar with the technology in use? | Unknown - Not discussed in submittal. | WCNOC is relying on Nutherm International, Baseline Engineering and internal expertise to monitor the design process. Nutherm International is qualifying and dedicating the system and design. Baseline Engineering is providing an independent V&V of the system. WCNOC's design process provides for a detailed verification of the modification to the MSFIS. WCNOC's Project Engineer was integral in the original development of the ALS architecture. |

These are the documents listed in Branch Technical Position (BTP) 14 which are to be reviewed:

| Information needed to understand the system design (1) | Information provided by Wolf Creek (1) | Information available (document) (2) |
|---|---|---|
| Planning Documentation: Software Management Plan | Not Provided or mentioned | This type of information is available in: Design Development Document - available in May. |
| Software Development Plan | Not Provided or mentioned | Since this is not a software-based system, this document provides the management and development plan for a hardware logic based system. The only software executed in the system is on the M&TE laptop computer, which is used for testing and diagnostics. This laptop computer is not normally connected. When it is connected to the system there is an annunciation to the operator, the system is placed in a test mode, and the system is considered inoperable. |
| Software Test Plan | Not Provided or mentioned | This type of information is available in: System Test Plan - available in May; Board Test Plan - available in May. Since this is not a software-based system, these documents provide the FPGA, board, and system level test plan for a hardware logic based system. |
| Software QA Plan | Not Provided or mentioned | This type of information is available in the: System QA Plan - available now. Since this is not a software-based system, these documents provide the system QA plan for a hardware logic based system. |
| Integration Plan | Not Provided or mentioned | Since this is not a software-based system, this document provides the integration of the system but does not contain integration of hardware and software. The MSFIS System Specification (Level 1) along with the rack traveler provides the plan for how to integrate and test the system. The rack traveler and test results are available at the vendor (CS Innovations) site. Similar information is provided in: MSFIS Level 1 Specification - available now. |
| Installation Plan | Not Provided or mentioned | This information is provided in: Installation and Operating Manual - available in August. |
| Maintenance Plan | Not Provided or mentioned | Installation and Operating Manual - available in August. |
| Training Plan | Not Provided or mentioned | This information is provided in: Training Plan - available in June. |
| Operations Plan | Not Provided or mentioned | This information is provided in: Installation and Operating Manual - available in August. |
| Software Safety Plan | Not Provided or mentioned | This is not a software-based system, therefore we do not believe this document is relevant. |
| Software V&V Plan | Wolf Creek System V&V Plan was submitted and appears adequate | This information is provided in: System V&V Plan - submitted in LAR. |
| Software CM Plan | V&V Plan mentions AP 05-005, "Design, Implementation & Configuration Control of System Modifications", but was not provided | This information is provided in: Configuration Management Plan - available now. |
| Design Specific Documentation: Requirements Specifications | Spec J-105A, ALS Level 1 Specification, and MSFIS specification were mentioned in V&V plan, but not provided | This information is provided in the following documents: J-105A - available now; MSFIS Level 1 Specification - available now; ALS Level 1 Specification - available now. |
| Requirement Traceability Matrix | Mentioned in V&V plan, but not provided | This information is provided in: Traceability Matrix for ALS - available in May. |
| Design Specifications | Mentioned in V&V plan, but not provided | This information is provided in: ALS Level 2 Board Specification - available in May; ALS Level 2 FPGA Specification - available in May. |
| Major hardware component description and qualification | Not Provided or mentioned | This type of information is provided in the following documents: MSFIS Level 1 Specification - available now; ALS Level 1 Specification - available now; Nutherm Qualification Report WCN-9715R w/attachments - available now. (Note: this specific item is intended for a software-based system in which the underlying hardware would need to be described; in the case of the ALS the system is hardware based with no executable software, therefore this information is inherent to the specifications mentioned above.) |
| Hardware & Software Architecture | Limited description on page 24 of 36 | This information is provided in the following documents: MSFIS Level 1 Specification - available now; ALS Level 1 Specification - available now. (Note: this specific item is intended for a software-based system in which the underlying hardware would need to be described; in the case of the ALS the system is hardware based with no executable software, therefore this information is inherent to the specifications mentioned above.) |
| Software Requirements Specification | Not Provided or mentioned | This is not a software-based system, therefore we do not believe this document is relevant. |
| Software Design Description | Not Provided or mentioned | |
| Code Listings | Not Provided or mentioned | This is not a software based system, therefore there are no executable software code listings. The circuit description (VHDL) and test bench are available for review at the vendor site. |
| System Build Documentation | Not Provided or mentioned | This is not a software based system, therefore there is no overall software build documentation, and we do not believe this document is relevant. |
| Test Plans and Documentation | Not Provided or mentioned | See individual items below. |
| Environmental test plans, procedures, and results | Nutherm Qualification Report WCN-9715R was provided | This information is provided in the following document: Nutherm Qualification Report WCN-9715R w/attachments - available now. |
| Unit test plans, procedures, and results | Not Provided or mentioned | The module level test plan information is provided in: Board Test Plan - available in May; System Test Plan - available in May. The board test results are contained in the individual board travelers and are available once the board has been built and tested. The system test results will be available within the rack traveler. Both the board test results and system test results can be reviewed at the vendor site. |
| Integration test plans, procedures, and results | Not Provided or mentioned | This is not a software-based system. There is no hardware/software integration. The unit test plans described above provide the overall system test plans and results. |
| Factory acceptance test plans, procedures, and results | Not Provided or mentioned | This information is provided in: Factory Acceptance Test Procedure - available in May; Factory Acceptance Test Report - available in August. |
| Site acceptance test plans, procedures, and results | | This information is provided in: Site Acceptance Test Procedure - available in June; Site Acceptance Test Report - available in October. |
| Installation test plans, procedures, and results | Not Provided or mentioned | This information is provided in: Installation Test Procedure - available in September; Installation Test Report - available in May 2008 after installation. |
| Analysis Documentation: Requirements Safety Analysis; Design Safety Analysis; Code Safety Analysis; Integration Safety Analysis; Validation Safety Analysis; Installation Safety Analysis; Change Safety Analysis | Not Provided or mentioned (each item) | The intent of the system architecture and design is not to contain any common mode failure points. Since this is not a software-based system, it is not clear to WCGS what type of document would be required for Diversity and Defense-in-Depth Analysis as well as the additional analysis of a hardware based system. |
| Diversity and Defense-in-Depth Analysis | Mentioned in V&V plan, but not provided | |
| Failure Modes and Effects Analysis (FMEA) | Mentioned in V&V plan, but not provided | This information is provided in: System Reliability Analysis for ALS - available now (changed from "available in May"). |
| Verification and Validation (V&V) Reports: V&V Requirements Analysis Report; V&V Design Analysis Report; V&V Implementation Analysis & Test Report; V&V Integration Analysis & Test Report; V&V Validation & Test Report; V&V Validation & Test Report; V&V Change Report | Not Provided or mentioned (each item) | This information is provided in the V&V Report, which will be issued in 4 revisions. Revision 0, including the Requirements Analysis Report - available in May. Revision 1, including the Design Analysis Report, Implementation Analysis Report & Test Report, as well as the System Integration Analysis & Test Report - available in June. Revision 2, including the Validation & Test Report - available in September. Revision 3, including the Post Installation Test Report and Change Report - available after installation in May 2008. System Verification and Validation Plan - submitted in LAR. |
| Installation, Operations and Maintenance Documentation: Operations Manuals; Maintenance Manuals; Training Manuals; Installation Configuration Tables; New setpoint calculations, if required; Spare Parts list; Repair Planning; System Retirements Plan | Not Provided or mentioned (each item) | This information is provided in: Installation and Operating Manual - available in August. |

(1) The information provided in these columns was provided by the NRC by e-mail dated April 3, 2007.
(2) The information provided in this column was provided by WCNOC.
14 4/6/07
ATTACHMENT 2 From: Jack Donohew To: Hooper, Diane; Wideman, Steve [Wolf Creek Nuclear Operating Corporation]
Date: 05/01/2007 4:50:53 PM
Subject: 5 Points of Deficiency in the MSFIS Information Provided

Upon its review of the licensee's application submittals dated March 14 and April 18, 2007, the NRC staff has determined that there are the following 5 points of deficiency in the information provided. This is information needed for the NRC staff to begin its review of the proposed MSFIS upgrade.

The Wolf Creek Nuclear Operating Corporation (WCNOC) provided information in its submittals dated March 14 and April 18, 2007, on its proposed upgrade of the engineered safety feature actuation system (ESFAS) main steam and feedwater isolation system (MSFIS) using field programmable gate array (FPGA) technology.
In the submittals, there appears to be a basic misunderstanding as to the nature of a FPGA based system. In "Nutherm Dedication Plan for Replacement MSFIS System," Nutherm document number WCN-9715DP, the statement is made that "the MSFIS system is not a digital system in the strictest definition as it is not software based ...... ". ALS Level-1 System Specification, CS Innovation document 6000-00000, states "The ALS does not utilize a microprocessor and therefore has no software component for the operation of the system. The concern for software common mode failures is eliminated by incorporating a full hardware system which only uses proven design practices and methodologies for implementation of the hardware."
As is stated in IEEE Std 100-2000, "The Authoritative Dictionary of IEEE Standards Terms," the term "digital" is defined as "pertaining to quantities in the form of discrete, integral values," and a "digital device" is defined as "A device that operates on the basis of discrete numerical techniques in which the variables are represented by coded pulses or states." An FPGA uses digital values, and is therefore a digital system.
One of the definitions of "software" in the same IEEE standard is "The programs, procedures, rules, and any associated documentation pertaining to the operation of an information processing system." The nature of an FPGA is also that the device is programmed to perform its intended functions, and that programming is done using a variety of software tools. While it is true that the output of these tools is used to flash the FPGA into its intended configuration rather than being used as a program to tell a microprocessor what to do, in either case the device is subject to programming and uses software tools to achieve its design objectives.
Therefore, the licensee would be as capable of changing the FPGA (i.e., by re-flashing the FPGA with new instructions) as it would be capable of changing any information processing system based on software by changing the software. How this "flashing the FPGA" would be done and controlled by the licensee must be explained to the same extent that changing the software of an information processing system would be done and controlled.
Based on the definitions in the IEEE standards and the staff's understanding of FPGA devices, the staff concluded that the FPGA system proposed by the licensee is a digital system and needs to rely on high quality software to meet its design objectives.
Upon its review of the licensee's application submittals dated March 14 and April 18, 2007, the NRC staff has determined that there are the following 5 points of deficiency in the information provided. This is information needed for the NRC staff to begin its review of the proposed MSFIS upgrade.
- 1. Appendix B Compliance

Section IV, on "Procurement Document Control," of Appendix B, 10 CFR Part 50, states:

Measures shall be established to assure that applicable regulatory requirements, design bases, and other requirements which are necessary to assure adequate quality are suitably included or referenced in the documents for procurement of material, equipment, and services, whether purchased by the applicant or by its contractors or subcontractors. To the extent necessary, procurement documents shall require contractors or subcontractors to provide a quality assurance program consistent with the pertinent provisions of this appendix.
EPRI report TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications," discusses the commercial grade use of complex digital systems in section 6.4. The example given is for the dedication of programmable logic controllers, but the level of complexity and the processes required are similar. The discussion on identification and verification of critical characteristics states:
"In this case the commercial grade vendor survey is a central part of the dedication. The survey requires extensive interaction with the PLC vendor. Initial contact is made and information obtained to prepare for the survey. Then a one-week visit (typical for a relatively complex device like this one) is made to the manufacturer's site where the bulk of the survey information is collected and evaluation performed. This includes evaluation of the vendor's QA program, digital system development process, verification and validation practices, configuration management program, and problem reporting procedures. In addition, a detailed critical design review of the PLC hardware and software architecture is performed, including evaluation of real-time task processing and robustness of failure management provisions."
Based upon the information provided, EICB could not determine how the proposed FPGAs were dedicated for safety related use. Wolf Creek and their vendor, CS Innovations, chose to use a highly complex FPGA, the Actel ProASICplus APA600, which has 600,000 system gates, 128K onboard memory, 21,504 registers, and an I/O capacity of 356.
The licensee has provided two documents, "Nutherm Qualification Report for CS Innovations Replacement MSFIS System," Nutherm document number WCN-9715R, and "Nutherm Dedication Plan for Replacement MSFIS System," Nutherm document number WCN-9715DP.
The qualification report discusses only the physical qualification of the FPGA, such as temperature, seismic, and EMI, but does not discuss the quality of design and fabrication of the actual FPGA. The second document, the Nutherm Dedication Plan, requires a commercial grade dedication process, but the licensee did not provide documentation of what was done.
For example, there is no indication in the documentation provided that a vendor survey was conducted when selecting the Actel ProASICplus APA600 for use in this system, or that any commercial grade dedication was done. Based on the requirements in 10 CFR Appendix B and EPRI report TR-106439, the staff would have expected to see documentation of a vendor survey, with an analysis of the Actel quality control and any existing documentation of previous qualifications of the Actel ProASICplus APA600. Without this information, the staff is unable to determine if the Actel ProASICplus APA600 is a suitable device to use in this application.
- 2. Acceptable Method Per Regulatory Guide 1.152

Regulatory Guide 1.152, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," endorses IEEE 7-4.3.2, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," as a method that the staff has found acceptable for complying with the Commission's regulations for promoting high functional reliability, design quality, and cyber-security. IEEE 7-4.3.2 cites the use of verification and validation as necessary to meet quality requirements.

The licensee, in the original submittal of March 14, 2007, provided the Wolf Creek MSFIS System Verification and Validation Plan. The licensee did not provide the V&V plans for the design contractor, CS Innovation; the qualification contractor, Nutherm; or the V&V consultant. None of the V&V plan outputs were provided. Without this information, the staff is unable to determine what V&V was actually done, whether this level of V&V is adequate, or if the V&V was done correctly.
- 3. IEEE 7-4.3.2, section 5.3.2, Compliance

IEEE 7-4.3.2, section 5.3.2, "Software Tools," states that a) a test tool validation program shall be developed to provide confidence that the necessary features of the software tool function as required, or that b) the software tool shall be used in a manner such that defects not detected by the software tool will be detected by V&V activities.

The licensee has provided a list of software tools used in the development of the proposed FPGA. The list includes:

FPGA design tool: Libero Integrated Design Environment Version 7.1sp2 for Windows XP platform
Simulation Tool: ModelSim 6.1b Actel Edition produced by Mentor Graphics
Synthesis Tool: Synplify 8.5F Actel Edition produced by Synplicity
Place-and-Route Tool: Actel Designer Version 7.2.3.2
Programming (Flashing) Tool: Actel FlashPro Version 7.1.0.13 together with FlashPro LITE programming adaptor
Schematic Capture Tool: Altium Designer Version 6.6.7903
PCB Layout Tool: Altium Designer Version 6.6.7903
Gerber Analysis Tool: Altium Designer Version 6.6.7903
Analog Circuit Simulation Tool: SIMetrix Circuit Simulation Version

There is no indication in the documentation provided how the criteria contained in IEEE 7-4.3.2, section 5.3.2 were met. In addition, there is no documentation on how those software tools were dedicated for safety related use in a nuclear power plant.
- 4. IEEE 603-1991 Compliance

10 CFR 50.55a(h) requires compliance with IEEE 603-1991. This standard, in section 5.3, "Quality," requires that components and modules "shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program." 10 CFR Appendix B requires a "quality assurance program to be applied to the design, fabrication, construction, and testing of the structures, systems, and components of the facility." It also states that "the applicant may delegate to others, such as contractors, agents, or consultants, the work of establishing and executing the quality assurance program, or any part thereof, but shall retain responsibility therefor."

The licensee provided the Wolf Creek "MSFIS Quality Assurance Plan" and the "MSFIS Configuration Management Plan," but these plans show how the quality assurance and configuration management will be conducted after the completed FPGA is accepted by the licensee. Neither of these documents discusses the quality assurance and configuration management methods used by the system developer, CS Innovation, during the design and implementation phases of the life cycle. Based on the information submitted, EICB could not determine if a 10 CFR 50 Appendix B quality assurance program was used during the design process, or if any quality control was used.
- 5. Acceptable Method Per Branch Technical Position 14

The Standard Review Plan, NUREG-0800, Chapter 7, Branch Technical Position 14 (BTP-14), "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems," shows an acceptable method for the software development process to meet the quality requirements of 10 CFR 50 Appendix B. A number of documents are to be reviewed by NRC staff to meet the review criteria of BTP 14. Enclosure 1 to this memorandum lists these documents, the Wolf Creek comment or commitment, and the EICB analysis of that comment or commitment. EICB finds that a number of documents which should have been prepared at this point in the design process are not yet available. Overall, the incomplete nature of the documentation does not provide a record for review by NRC that demonstrates that CS Innovation is using a high quality design process, or that Wolf Creek has been monitoring their contractor to assure this required high quality. In addition, Wolf Creek has stated that since the FPGA is not a software based system, a number of these documents are not required. In fact, the FPGA relies on software for one-time programming by flashing a particular pattern of links rather than repeatedly providing instructions for a microprocessor. This type of device is just as program driven as a microprocessor device, including that the FPGA chosen by Wolf Creek is re-programmable, similar to the reprogramming capability of microprocessor based systems, by re-flashing the FPGA. Accordingly, the staff needs to review the process that was used to develop the FPGA flash list to evaluate the adequacy of the FPGA programming.
From: Jack Donohew To: Wideman, Steve Date: 05/02/2007 10:46:12 AM
Subject: The Table Is Attached

ENCLOSURE

Documents Referenced in BTP-14 | Status - Wolf Creek Comments | Staff Comment
---|---|---
Planning Documentation: | |
Software Management Plan | Not needed since FPGA is not software based. | The FPGA operation is based on the "flash program", which is software based. The information we need is that on the development of the "flash program" rather than on program code, but the development requirements are the same.
Software Development Plan | Similar information in Design Development Document, available in May. |
Software Test Plan | System test plan available in May. Board test plan available in May. |
Software QA Plan | System QA Plan provided April 18 | This is the Wolf Creek QA Plan, not the vendor software QA plan.
Integration Plan | Similar information is provided in: MSFIS Level 1 Specification provided on April 18. Since this is not a software-based system this document provides the integration of the system but does not contain integration of hardware and software. | The staff disagrees that this is not a software based system (see above).
Installation Plan; Maintenance plan | In Installation and Operating Manual - available in August | IEEE 1074, "IEEE Standard for Developing Software Life Cycle Processes", endorsed by RG 1.173, shows the relationship between plans and activities, and shows that the planning outputs are used as inputs for the design activities. Therefore, at least the first version of a plan needs to be prepared to provide those outputs prior to the start of the associated activity, and that plan should be available for review if the activity has started. For this reason, while the actual procedures would be in the Installation and Operating Manual, the planning and the documentation of the planning should be available now.
Training plan | Training Plan - available in June | As above, the training may be available in June, but the planning and documentation of the planning should be available now.
Operations Plan | In Installation and Operating Manual - available in August | As above, the manual with procedures may be expected later, but the planning and documentation of the planning should have been done.
Software Safety Plan | Wolf Creek: This is not a software-based system, therefore we do not believe this document is relevant. | The system is software based; it is just that the result of the programming is a "flash program" rather than program code.
Software V&V Plan | System V&V Plan - submitted in LAR | Only the Wolf Creek V&V plan was submitted. The software developer and independent V&V contractor V&V plans were not submitted, therefore we do not know what V&V was actually required during the development process. The Wolf Creek System V&V Plan appears adequate.
Software CM Plan | Wolf Creek CM Plan provided April 18 | Only the Wolf Creek CM plan was submitted. The software developer's CM plan was not submitted, therefore we do not know what CM was actually required during the development process.
Design Specific Documentation: | |
Requirements Specifications | Spec J-105A, ALS Level 1 Specification, and MSFIS specification provided April 18 | OK
Requirement Traceability Matrix | Available in May | The matrix is used to demonstrate that the requirements of each phase have been addressed in the following phase. The portions of the matrix reflecting the portions of the planning and design cycles already completed should be available now. The completed matrix, showing all development and testing, could be submitted later.
Design Specifications | ALS Level 2 Board Specification and ALS Level 2 FPGA Specification - available in May | The specifications should be available before the design is started.
Hardware & Software Architecture | MSFIS Level 1 Specification, ALS Level 1 Specification, and Nutherm Qualification Report WCN-9715R provided April 18 | These show what is required, not what was designed.
Software Requirements Specification; Software Design Description | Wolf Creek: This is not a software-based system, therefore we do not believe this document is relevant. | The system is software based. This document could be called the "Programming Requirements Specification".
Code Listings | Wolf Creek: This is not a software based system, therefore there are no executable software code listings. The circuit description (VHDL) and test bench are available for review at the vendor site. | The equivalent of code listings for an FPGA would be the flash list and circuit description. These documents should be submitted.
System Build Documentation | Wolf Creek: This is not a software based system, therefore there is no overall software build documentation; therefore we do not believe this document is relevant. | The equivalent of build documentation for an FPGA would be the circuit description. It should be submitted.
Test Plans and Documentation: | |
Environmental test plans, procedures, and results | Nutherm Qualification Report WCN-9715R w/attachments provided April 18 | OK
Unit test plans, procedures, and results | Board Test Plan - available in May | OK, but should have been ready. The boards have been built and tested.
Integration test plans, procedures, and results | This is not a software-based system. There is no hardware/software integration. The unit test plans described above provide the overall system test plans and results. | There is integration between the hardware and the flash list.
Factory acceptance test plans, procedures, and results | Factory Acceptance Test Procedure - available in May. Factory Acceptance Test Report - available in August. | OK
Site acceptance test plans, procedures, and results | Site Acceptance Test Procedure - available in June. Site Acceptance Test Report - available in October. | OK
Installation test plans, procedures, and results | Installation Test Procedure - available in September. Installation Test Report - available in May 2008 after installation. | OK
Analysis Documentation: | |
Requirements Safety Analysis; Design Safety Analysis; Code Safety Analysis; Integration Safety Analysis; Validation Safety Analysis; Installation Safety Analysis; Change Safety Analysis | Wolf Creek: The intent of the system architecture and design is not to contain any common mode failure points. Since this is not a software-based system, it is not clear to WCGS what type of document would be required for Diversity and Defense-in-Depth Analysis as well as the additional analysis of a hardware based system. | BTP 14 describes an analysis to show that the design of the system, and the way the FPGA was programmed, is safe.
Diversity and Defense-in-Depth | Not provided and no comment from Wolf Creek | BTP-14 emphasizes quality, diversity and defense-in-depth as protection against common cause failures.
Failure Modes and Effects Analysis (FMEA) | System Reliability Analysis for ALS - available in May | A System Reliability Analysis shows how reliable the system will be. An FMEA shows the effect of a failure. A reliability analysis is not the same as an FMEA.
Verification and Validation (V&V) Reports: V&V Requirements Analysis Report; V&V Design Analysis Report; V&V Implementation Analysis & Test Report; V&V Integration Analysis & Test Report; V&V Validation & Test Report; V&V Validation & Test Report; V&V Change Report | This information is provided in the V&V Report; the V&V Report will be issued in 4 revisions. Revision 0 including the Requirements Analysis Report - available in May. Revision 1 including the Design Analysis Report, Implementation Analysis Report & Test Report, as well as the System Integration Analysis & Test Report - available in June. Revision 2 including the Validation & Test Report - available in September. Revision 3 including the Post Installation Test Report and Change Report - available after installation in May 2008. | At each stage of development, an analysis should have been done by the V&V group to determine if the requirements of the previous stage were met. These reports document the V&V process.
Installation, Operations and Maintenance Documentation: | |
Operations Manuals; Maintenance Manuals; Training Manuals; Installation Configuration Tables; New setpoint calculations, if required; Spare Parts list; Repair Planning; System Retirements Plan | This information is provided in: Installation and Operating Manual - available in August | Comment only: The setpoint calculations, repair planning and system retirements plan are utility activities, and should not be included in a vendor manual.
ATTACHMENT 3 From: Jack Donohew To: Hooper, Diane Date: 05/16/2007 5:48:21 PM
Subject: Attached List of Documentation Needed for Staff Review of MSFIS Upgrade

Attached is the list of information that the NRC staff will hand out in the meeting on May 17, 2007. It is the list of documentation needed for the staff review of the proposed upgrade of the safety-related Main Steam and Feedwater Isolation System (MSFIS). This list is of more documentation than is needed for the staff to begin its review. The staff wants to understand where the licensee is in the development life cycle of the project (licensee's slide No. 16 in the meeting of June 28, 2006) and what of the documentation in the attached list is available or when it would be submitted.

DOCUMENTATION NEEDED FOR STAFF REVIEW OF THE WOLF CREEK MSFIS ACTUATION SYSTEM

The following documentation is required for the staff to determine if the specification, design, development, test, production, verification and validation, and commercial grade dedication processes were of sufficiently high quality to result in a product useable in a safety-related application at a nuclear power plant.
It is understood that each of the documents listed below may not be an independent document, and that several of these documents may be combined, or that the information required may be contained in several documents. If this is the case, it is requested that the licensee provide a reference document showing where the various information may be found.
It is also understood that some documentation, particularly that concerning the later stages of the life cycle process, may not yet be completed and reviewed. In those cases, the staff will require a schedule for submission of these documents. It is expected, however, that planning documentation and procedures for activities already performed will be available.
- 1. Commercial Grade Dedication process:
The staff needs to understand how the commercial grade dedication process is being accomplished. In this regard, the staff requires:
A) The documentation on the selection of Nutherm International as the Appendix B commercial grade dedication contractor. This should include the determination that Nutherm International has the personnel and experience necessary to perform this type of commercial grade dedication.
B) The documentation on the selection of Baseline Engineering as the independent Verification & Validation contractor, including the determination that Baseline Engineering has the personnel and experience necessary to perform verification and validation of a process resulting in a product intended for safety related use in a nuclear power plant, and that this product would be the equivalent of a product designed and manufactured under an Appendix B process.
C) The documentation on the selection of CS Innovations as the commercial grade design and manufacturing contractor, showing that CS Innovations has the personnel and experience necessary to perform this type of design, and why the licensee believed this design would be capable of commercial grade dedication to be the equivalent of a product designed and manufactured under an Appendix B process.
D) The documentation of the selection of the ALS product line as suitable for commercial grade dedication.
E) The documentation of the selection of the basic components contained in the ALS product, such as the basic field programmable gate array (FPGA), the Actel ProASICplus APA600, as suitable for commercial grade dedication.
F) The documentation of the selection of the software used during the development process as suitable for design and manufacture of a product intended for safety related use in a nuclear power plant, and that this product would be the equivalent of a product designed and manufactured under an Appendix B process.

G) The plans and procedures used by Nutherm International to verify that the quality of the design and manufacture process was sufficient to determine that the FPGA based MSFIS actuation system was the equivalent of a product designed and manufactured under an Appendix B process. The Nutherm International Dedication Plan, WCN-9715DP, mentions this as a critical characteristic for the replacement MSFIS actuation system, but does not discuss how this determination will be made, or what the requirements are.
- 2. Verification & Validation (V&V) Plans and Procedures

The Wolf Creek V&V plan was received. Three additional plans are needed:

A) The V&V plan or whatever plan used by CS Innovations to assure the correctness of their design.

B) The V&V procedures or whatever procedures used by CS Innovations to assure the correctness of their design.

C) The V&V plan used by Baseline Engineering to provide independent V&V for the CS Innovations planning, design, and test activities.

D) The V&V procedures used by Baseline Engineering during the independent V&V activities.

E) The Nutherm International V&V plan or whatever plan was used to assure the correctness of the commercial grade dedication process.

F) The Nutherm International V&V procedures or whatever procedures were used to assure the correctness of the commercial grade dedication process.
A) The plan used by CS Innovations to perform configuration management during the development process. This should show the following items:
- Method for change control of development and V&V documentation
- version control of pre-released burn or flash lists; version control
- historical recording and archiving of released verified source code modules; historical recording and archiving of verified and validated burn or flash lists
- control of hardware manufacturing.
- How and where the software tools under configuration management are stored.
B) The plan used by Baseline Engineering during the independent V&V process.
C) The plan used by Nutherm International during the commercial grade dedication process.
D) The plan which the licensee will use to maintain configuration management after delivery of the MSFIS actuation system.
- 5. Quality Assurance Plans and Procedures

Four Quality Assurance plans are needed:
A) The plans and procedures used by CS Innovations to perform quality assurance activities during the development process.
B) The plans and procedures used by Baseline Engineering to perform quality assurance activities during the independent V&V process.
C) The plans and procedures used by Nutherm International to perform quality assurance activities during the commercial grade dedication process.

D) The plans and procedures which the licensee used for quality assurance activities during the specification process and will use after delivery of the MSFIS actuation system.
- 6. Management Plans

Four Management Plans are needed:
A) The management plan used by CS Innovations which shows the management characteristics which display the purpose, organization, oversight, responsibilities, and security for this project.
B) The management plan used by Baseline Engineering which shows the management characteristics which display the purpose, organization, oversight, responsibilities, and security for this project.
C) The management plan used by Nutherm International which shows the management characteristics which display the purpose, organization, oversight, responsibilities, and security for this project.
D) The management plan used by the licensee which shows the management characteristics which display the purpose, organization, oversight, responsibilities, and security for this project.
- 7. Development Plan

Four Development Plans are needed.
A) The Development Plan used by CS Innovations which shows the development life cycle model that will be used in this project, the objectives of each life cycle activity group and its context within the overall project, and the strategy for managing the technical development effort.
B) The Development Plan used by Baseline Engineering which shows the V&V activities for the development life cycle that will be used in this project, the objectives of each of the phase of the V&V activities for each life cycle activity group and its context within the overall project, and the strategy for managing the V&V effort.
C) The Development Plan used by Nutherm International which shows the commercial grade dedication activities to assure high quality of the development life cycle that will be used in this project, the context of each of these activities within the overall project, and the strategy for managing the overall commercial grade dedication effort.
D) The Development Plan used by the licensee which shows how the licensee will monitor the activities of CS Innovations, Baseline Engineering, and Nutherm International during the life cycle that will be used in this project, and the method to be used by the licensee to determine that the design and commercial grade dedication process are sufficient to assure that the final product is suitable for safety related use in a nuclear power plant, and that this product would be the equivalent of a product designed and manufactured under an Appendix B process.
- 8. Test Plan

Development of a test plan is a V&V activity, therefore the staff requires:
A) The Baseline Engineering test plans for the factory and site acceptance tests and for installation tests.
B) The CS Innovations test plans for design tests.
C) The documentation of the Nutherm International review of the test plan.
- 9. Installation Plan This plan would be specific to the Wolf Creek site, and would be produced by the licensee. There may be input to this plan from the system designer, CS Innovations.
- 10. Maintenance plan This plan would be specific to the Wolf Creek site, and would be produced by the licensee. This plan should discuss the methods and responsibilities involved with the possible future modifications of the MSFIS actuation system, requirements for documentation and reporting of failures, and requirements for regression testing of any future modifications. These plan may consist of two parts. The first part concerns the those actions by the licensee to maintain the system design, and a second part may be required if the licensee relies on the system vendor to perform certain maintenance functions. The second part would consist of the vendor's plans and procedures. For this reason, there may be input to this plan from CS Innovations and Nutherm International.
- 11. Safety Plan - While an FPGA-based system does not have software, it does have a burn or flash list, the correctness of which will determine the proper operation of the FPGA-based system. This burn or flash list is generated using a variety of software tools, in a manner somewhat analogous to the tools used to generate the operational software of a microprocessor-based system. For this reason, the staff requires a safety plan which will have some of the characteristics of a software safety plan. There should be three safety plans:
A) The CS Innovations safety plan, which describes the safety effort, how the safety activities are coordinated with the development activities, and the interactions between the safety organization and the V&V organization. This plan also needs to discuss the methods to be used to reduce safety risks caused by failures of the various software tools to an acceptable level. The safety plan should include a requirement that a safety analysis be performed and documented on each of the principal design documents: requirements, design descriptions, and burn or flash list. Hazards, including abnormal events and conditions and malicious modifications, should be analyzed and documented. Hazard reduction efforts should be documented.
B) The Nutherm International safety plan, which shows that commercial grade dedication of a product designed and built to commercial standards and using commercial processes does not increase the safety risks.
C) The licensee's evaluation and acceptance of the CS Innovations and Nutherm International safety plans.
- 12. Requirements Specifications - The staff has received the Wolf Creek Specification J-105A(Q) for Replacement MSFIS System. At this time, the staff does not believe that any additional requirements specifications are required.
- 13. Requirement Traceability Matrix - The staff requires a Requirement Traceability Matrix for those portions of the design already done, and a schedule for the remainder of the Requirement Traceability Matrix.
- 14. Design Specifications - The staff has received the CS Innovations ALS Level-1 System Specification, revision 1.0. At this time, the staff does not believe that any additional design specifications are required.
- 15. Detailed Architecture Description - The staff review will require not only the description, but also the reviews which determined that the design is suitable.
A) The CS Innovations detailed architecture description. This needs to include the system description, processor subsystem, input/output subsystem, test subsystem, and any other subsystems as needed. These descriptions should cover not only the electronic part of the system, but also a physical description discussing cabinets used, I/O cabling, interconnect wiring, and general layout.
B) The Nutherm International evaluation of the detailed architecture description, and the reasoning behind the decision that the CS Innovations final product is suitable for safety related use in a nuclear power plant, and that this product would be the equivalent of a product designed and manufactured under an Appendix B process.
C) The licensee's evaluation and acceptance of the CS Innovations architecture and of the Nutherm International review of that architecture.
- 16. Flash or Burn List
- 17. System Build Documentation - This would be a detailed description of the system as it will be installed at Wolf Creek.
- 18. Test Plans and Documentation - Test procedures must be based upon the test plans mentioned in section 8 of this list.
A) Environmental test plans, procedures, and results. The following undocketed reports have been received by the staff:
Nutherm Qualification Report WCN-9715R, Rev. 0
Nutherm Qualification Report WCN-9715R, Rev. 0 App. I
Nutherm Qualification Report WCN-9715R, Rev. 0 App. II
Nutherm Qualification Report WCN-9715R, Rev. 0 App. III
Nutherm Qualification Report WCN-9715R, Rev. 0 App. IV
Nutherm Qualification Report WCN-9715R, Rev. 0 App. V
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 1
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 2
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 3
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 4
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 5
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 6
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 7
Nutherm Qualification Report WCN-9715R, Rev. 0 App. VI Part 8
The staff does not expect any additional reports, but requires that these reports be docketed.
B) Factory acceptance test procedures and results - The staff expects four documents for the test procedures and for the test results:
i. The CS Innovations test procedure and the test results.
ii. The Baseline Engineering analysis of the test procedures verifying that the procedures will test the items required by the test plan, and that the results show that the tests demonstrated that the system meets the requirements.
iii. The Nutherm International analysis of the CS Innovations and Baseline Engineering analysis reports showing that the tests demonstrated that the final product is suitable for safety related use in a nuclear power plant, and that this product is the equivalent of a product designed and manufactured under an Appendix B process.
iv. The licensee review and acceptance reports of the previous procedures, results, and analyses.
C) Site acceptance test procedures and results - The staff expects four documents for the test procedures and for the test results:
i. The CS Innovations test procedure and the test results.
ii. The Baseline Engineering analysis of the test procedures verifying that the procedures will test the items required by the test plan, and that the results show that the tests demonstrated that the system meets the requirements.
iii. The Nutherm International analysis of the CS Innovations and Baseline Engineering analysis reports showing that the tests demonstrated that the final product is suitable for safety related use in a nuclear power plant, and that this product is the equivalent of a product designed and manufactured under an Appendix B process.
iv. The licensee review and acceptance reports of the previous procedures, results, and analyses.
D) Installation test procedures and results - The staff expects the licensee procedure and the test results, with the licensee review and determination that the FPGA MSFIS system meets all licensee requirements and expectations.
- 19. Diversity and Defense-in-Depth Analysis - This analysis must demonstrate that there is sufficient diversity and defense-in-depth to meet the requirements of 10 CFR 50, Appendix A, General Design Criterion 22 on protection system independence, as described in the Standard Review Plan Appendix 7.1-A, section 2.h.
- 20. V&V Reports - For each of these reports, there should be three documents: the report written by the independent V&V contractor, Baseline Engineering; the analysis of the report by Nutherm International showing that the covered portion of the life cycle is suitable to produce a final product suitable for safety related use in a nuclear power plant, and that this product will be the equivalent of a product designed and manufactured under an Appendix B process; and the licensee acceptance of the report and analysis.
A) V&V Requirements Analysis Report
B) V&V Design Analysis Report
C) V&V Implementation Analysis & Test Report
D) V&V Validation & Test Report
- 21. An analysis of all IEEE 603 requirements, with a description of how the FPGA-based MSFIS actuation system meets all these requirements.
- 22. The Standard used by CS Innovations during the design process. The May 9, 2007 letter ET 07-0013 from the licensee stated that the licensee considered the Federal Aviation Administration guidance document RTCA DO-254/EUROCAE ED-80, "Design Assurance Guidance for Airborne Electronic Hardware," to be more appropriate guidance than IEEE 7-4.3.2. In this respect, the staff requires:
A) A copy of RTCA DO-254/EUROCAE ED-80, "Design Assurance Guidance for Airborne Electronic Hardware," for staff review.
B) Documentation on how and why this determination was made.
C) A comparison of the requirements of the Federal Aviation Administration guidance document RTCA DO-254/EUROCAE ED-80 and IEEE 7-4.3.2.
- 23. Installation, Operations and Maintenance Documentation - It is expected that each of the following manuals be available for review prior to installation, that there is a Nutherm International evaluation of these manuals as suitable for a safety-related system, and a licensee acceptance of these manuals.
A) Operations Manuals
B) Maintenance Manuals
C) Training Manuals
D) Repair Planning
Development Life Cycle (figure; Wolf Creek Generating Station, 28 June 2006, slide 16). Phases shown: Concept Phase, Requirements Phase, Design Phase, System Integration and Test Phase, Installation Phase. Activity labels shown: Verification, Validation, Validation Testing.