ML073100010


Request for Additional Information for the Main Stream and Feedwater Isolation System Modification (Tac No. MD4839)
Person / Time
Site: Wolf Creek
Issue date: 12/07/2007
From: Donohew J
NRC/NRR/ADRO/DORL/LPLIV
To: Muench R
Wolf Creek
Donohew J N, NRR/DORL/LPL4, 415-1307
References
TAC MD4839


Text

December 7, 2007

Mr. Rick A. Muench
President and Chief Executive Officer
Wolf Creek Nuclear Operating Corporation
Post Office Box 411
Burlington, KS 66839

SUBJECT: WOLF CREEK GENERATING STATION - REQUEST FOR ADDITIONAL INFORMATION FOR THE MAIN STEAM AND FEEDWATER ISOLATION SYSTEM MODIFICATION (TAC NO. MD4839)

Dear Mr. Muench:

In its application dated March 14, 2007 (ET 07-0004), as supplemented by letters dated April 18, June 15, August 31, and September 20, 2007 (ET 07-0008, ET 07-0022, ET 07-0039, and ET 07-0041, respectively) the Wolf Creek Nuclear Operating Corporation (WCNOC) proposed to modify the safety-related main steam and feedwater isolation system (MSFIS) at Wolf Creek Generating Station.

Enclosed is a request for additional information. The enclosed questions were emailed to your staff on November 9, 2007, to be discussed in the meeting to be held with your staff on December 12, 2007, in Rockville, Maryland. Your staff has agreed to provide us with a schedule to provide responses to the enclosed questions in this meeting.

Sincerely,

/RA/

Jack N. Donohew, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-482

Enclosure: Request for Additional Information

cc w/encl: See next page

ML073100010

OFFICE   NRR/LPL4/PM   NRR/LPL4/LA   DE/EICB/BC   NRR/LPL4/BC
NAME     JDonohew      JBurkhardt    WKemper      THiltz
DATE     12/07/07      12/07/07      10/30/2007   12/07/07

Wolf Creek Generating Station
February 2006

cc:

Jay Silberg, Esq., Pillsbury Winthrop Shaw Pittman LLP, 2300 N Street, NW, Washington, D.C. 20037
County Clerk, Coffey County Courthouse, 110 South 6th Street, Burlington, KS 66839
Regional Administrator, Region IV, U.S. Nuclear Regulatory Commission, 611 Ryan Plaza Drive, Suite 400, Arlington, TX 76011
Chief, Radiation and Asbestos Control Section, Kansas Department of Health and Environment, Bureau of Air and Radiation, 1000 SW Jackson, Suite 310, Topeka, KS 66612-1366
Senior Resident Inspector, U.S. Nuclear Regulatory Commission, P.O. Box 311, Burlington, KS 66839
Vice President Operations/Plant Manager, Wolf Creek Nuclear Operating Corporation, P.O. Box 411, Burlington, KS 66839
Chief Engineer, Utilities Division, Kansas Corporation Commission, 1500 SW Arrowhead Road, Topeka, KS 66604-4027
Supervisor Licensing, Wolf Creek Nuclear Operating Corporation, P.O. Box 411, Burlington, KS 66839
Office of the Governor, State of Kansas, Topeka, KS 66612
U.S. Nuclear Regulatory Commission, Resident Inspectors Office/Callaway Plant, 8201 NRC Road, Steedman, MO 65077-1032
Attorney General, 120 S.W. 10th Avenue, 2nd Floor, Topeka, KS 66612-1597

REQUEST FOR ADDITIONAL INFORMATION RELATED TO MAIN STEAM AND FEEDWATER ISOLATION SYSTEM MODIFICATION LICENSE AMENDMENT REQUEST
WOLF CREEK NUCLEAR OPERATING CORPORATION
WOLF CREEK GENERATING STATION
DOCKET NO. 50-482

1.0 INTRODUCTION

By application dated March 14, 2007, as supplemented by letters dated April 18, June 15, August 31, and September 20, 2007 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML070800193, ML071160332, ML071770452, ML072480530, and ML072700498, respectively), Wolf Creek Nuclear Operating Corporation (the licensee) proposed to modify the safety-related main steam and feedwater isolation system (MSFIS). The MSFIS is an engineered safety features actuation system that is designed to automatically close the main steam isolation valves (MSIVs) and main feedwater isolation valves (MFIVs) to isolate the main steamline and main feedwater lines during a design basis accident.

2.0 REQUEST FOR ADDITIONAL INFORMATION (RAI)

The following RAI questions come from the Nuclear Regulatory Commission (NRC) staff review of the licensee's application and supplemental letters listed above:

1. Verification and Validation (V&V) Planning Documentation. In trying to determine the acceptability of the V&V planning documentation, the staff considered two documents. The first is the Wolf Creek MSFIS "System Verification and Validation Plan," revision 0, supplied as Enclosure IV to letter dated March 14, 2007 (ET 07-0004). The second is CS Innovations Document 6101-00008, MSFIS V&V Plan, Revision 1.2, supplied as Enclosure 27 to letter dated June 15, 2007 (ET 07-0022). The combined requirements from these two documents were compared to the requirements of IEEE 1012-98, endorsed by Regulatory Guide (RG) 1.168. The staff has no questions concerning the V&V planning documentation, but notes that only one V&V report, the Wolf Creek MSFIS System Verification and Validation Report, revision 0, dated May 25, 2007, has been submitted to the staff. The V&V reports on the design, implementation, and test activities have not been received. A schedule for the submission of these documents is requested.
2. Provide a corrected and updated Requirements Traceability Matrix. The current version, revision 0, that was submitted in the letter dated June 15, 2007 (ET 07-0022), is not usable in the format presented. Examples are as follows:

A) For many of the requirements, as shown in Specification J-105(Q) for Replacement MSFIS System, Revision 2, the reference to CS Innovations Document 6101-0002, MSFIS System Specification, Wolf Creek Generating Station, Revision 0.96, is difficult to follow. For example, the first item listed, WCl: 1.1 Work Included, is shown to be partially satisfied by the following: "SR1: The scope of the MSFIS project is to replace the existing MSFIS controls, with a control system based on the Advanced Logic." There is no indication of where "SR1" is to be found. This type of reference needs to include the paragraph or page number, in order to be useful to the staff.

B) Some of the requirements are not shown as satisfied, or are satisfied incorrectly. As an example, WC 1.7: Initial stock of repair parts for twenty years' use is not shown as being reflected in CS Innovations Document 6101-0002; however, that document contains Appendix B, "Spare Parts." The vendor will deliver one each fully populated MS and FS racks. CS Innovations Document 6101-0002 does not state whether or not these two racks will meet the 20-year requirement.

C) Some of the requirements in Specification J-105(Q) for Replacement MSFIS System, Revision 2, are incorrectly referenced. As an example, the above requirement for 20 years of spare parts is shown as WC 1.7, when the actual requirement is contained in Section 1.1.9.

D) The existing Requirements Traceability Matrix is written referencing CS Innovations Document 6101-0002, "MSFIS System Specification, Wolf Creek Generating Station," Revision 0.96. The current version of that document is Revision 0.98.

A schedule for the submission of a corrected and updated Requirements Traceability Matrix is requested.

3. Configuration Management (CM) Plans: To determine the acceptability of the CM planning, the staff again considered two documents. CM requirements and the methods to be used by the licensee are contained in Wolf Creek MSFIS Configuration Management Plan, revision 0, dated September 16, 2006, supplied as Enclosure III to letter dated April 18, 2007 (ET 07-0008). The CM used by the vendor during the design and test of the system are contained in CS Innovations Document 6101-00005, MSFIS Configuration Management Plan, Revision .8, supplied as Enclosure 31 to letter dated June 15, 2007 (ET 07-0022). The combined requirements from these two documents were compared to the requirements of IEEE 828-1998, endorsed by RG 1.169. It should be noted that neither plan mentions software, as a field programmable gate array (FPGA) does not contain software in the traditional sense. The FPGA is, however, programmed via a flash list, and the development of that flash list uses the same procedures as development of programming for a microprocessor-based system, and, therefore, the CM for the development of the flash list should be similar to the CM for the development of software programs.

A) Neither Wolf Creek MSFIS Configuration Management Plan, revision 0, nor CS Innovations Document 6101-00005, MSFIS Configuration Management Plan, revision .8, follows the format or has the contents required by IEEE 828-1998. Is it the intent of Wolf Creek or CS Innovations to revise these documents; if not, why not; and if so, at what time would these revised documents be submitted?

B) Neither document discusses the CM of software tools. Discuss how the CM for these tools is maintained.

C) The staff understands that the licensee is planning to stock blank boards, and flash them into the appropriate configuration as needed. This process and the configuration control of the flash lists are not mentioned in the Wolf Creek MSFIS CM Plan. Is it the intent of the licensee to create separate documentation and procedures for this issue, or will the current MSFIS CM Plan be modified to address this issue? In either case, the schedule for submitting this information is requested.

D) The staff noted that CS Innovation documents may have one or two digits after the decimal point, i.e., version 0.96 or 1.3. Explain this numbering scheme with respect to the significance of the revisions made to the documents.

E) CS Innovations appears to be using CVS code (page 20 of CS Innovations Document 6101-00005, "MSFIS Configuration Management Plan," Revision .8) to control checkout and check in of controlled documents, instead of a librarian. Discuss who controls the CVS software and permissive actions.

F) IEEE 828 requires a section of the CM plan to discuss schedules and coordination of CM activities with other activities within the overall project (Section 4.4, page 9). Address why neither the Wolf Creek nor the CS Innovations CM plans appear to include this item.

4. Quality Assurance (QA) Plans: Five documents were reviewed to determine the acceptability of the QA planning documentation. These are the following:
1) Wolf Creek MSFIS Quality Assurance Plan, Revision 0, supplied as Enclosure II to letter dated April 18, 2007 (ET 07-0008);
2) Nutherm WCN-9715QAP, "Nutherm Quality Assurance Plan for CS Innovations Replacement MSFIS System," revision 0, supplied as Enclosure 6 to letter dated June 15, 2007 (ET 07-0022);
3) Nutherm QA-N-10179-5, "Quality Assurance Manual," Revision 5, supplied as Enclosure I6 to letter dated June 15, 2007 (ET 07-0022);
4) CS Innovations Document 6101-00009, MSFIS Quality Assurance Plan, Revision 0.5, supplied as Enclosure 32 to letter dated June 15, 2007 (ET 07-0022); and
5) CS Innovations Quality Assurance Manual, Revision 1, supplied as Enclosure 33 to letter dated June 15, 2007 (ET 07-0022).

The requirements from these five documents were compared to the requirements of Part 50 in Title 10 of the Code of Federal Regulations (10 CFR 50), Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," and the following standards: IEEE Standard 730-1998, "IEEE Standard for Software Quality Assurance Plans" and IEEE 1074-1997, endorsed by RG 1.173.

The staff noted that as with the CM documentation, the QA documentation generally does not mention software. As before, the FPGA is a programmable device, and the development of that programming needs to use the same procedures as development of programming for a microprocessor-based system.

A) Wolf Creek MSFIS QA Plan is a minimum document, and does not fully meet the requirements of IEEE 730. Examples of the manner in which the plan does not meet these requirements are the following:

1) There is no requirement for a program design description, requirements specification, or user documentation.

This requirement should be added to the MSFIS QA Plan.

2) Section 2.4, "Standards, Practices and Conventions," does not contain any standards, practices, and conventions. The only requirement in this section is that the FPGAs be programmed using the Libero Integrated Design Environment.

This requirement should be added to the MSFIS QA Plan.

3) Section 2.5, "Reviews and Audits," states that both WCNOC and Nutherm International perform audits, managerial reviews, and supplier oversight, and that the Nutherm audit details would be in the Nutherm Quality Assurance Manual. IEEE 730 requires that this section should define the technical and managerial reviews and audits to be conducted.

Address how the reviews and audits are to be accomplished, and what further actions are required and how they are to be implemented and verified. Based on information provided to date, none of this appears to have been done for any licensee audits or reviews.

4) Section 2.6, "Test," states that "the Verification and Validation Plan shall address the integrated testing to be performed," and that "Each test shall be performed in accordance with a specific test procedure as described in the Verification and Validation Plan."

The MSFIS V&V Plan, "Wolf Creek MSFIS System Verification and Validation Plan," Revision 0, does not contain test procedures, and the only test discussed is the FAT (Factory Acceptance Test).

Address when a corrected version of the Wolf Creek MSFIS QA Plan will be submitted.

B) Nutherm WCN-9715QAP, "Nutherm Quality Assurance Plan for CS Innovations Replacement MSFIS System," does not describe a QA Plan, but it briefly discusses the commercial grade dedication process.

1) The section on the Dedication Process, pages 5 through 9, states that "Nutherm shall conduct surveys and surveillances of CSI during manufacture of the MSIFIS System replacement." There are no requirements for these surveys and surveillances, no schedule, references to procedures, or any acceptance criteria.

The MSFIS System was misidentified as the MSIFIS System.

Provide a summary of the results of these surveys and surveillances.

2) This section also states: "NI personnel shall verify by direct observation any critical manufacturing steps or manufacturer testing necessary as part of the dedication plan. The surveillance activities shall be coordinated to coincide with these activities. The results of surveillance activities shall be recorded in accordance with NI procedural requirements."

Provide the results of this direct observation.

3) In addition, this section states "Qualification will be based on testing performed on a test specimen in accordance with the NI Qualification Plan."

Since the FPGA is a programmable device, the qualification will also depend on review and approval of the lifecycle process to determine that the various lifecycle activities were of sufficiently high quality for the device to be used in safety related systems.

Provide the additional steps needed to determine that the lifecycle processes are of sufficient high quality.

4) This section states that "Any deviation from design, material, and performance characteristics relevant to the safety function of this system shall be documented by means of the NI nonconformance system. Nonconformance dispositions shall be documented in accordance with the NI quality assurance program."

Provide examples of completed nonconformance reports and dispositions.

5) The Performance section of the Dedication Process states that "Performance testing shall be performed at Nutherm as part of the dedication. The FAT performed at NI will confirm the performance capability of the units. Testing shall be performed in accordance with a Nutherm test procedure."

Is it the intent to perform factory acceptance testing at the factory, disassemble the system, ship it and all required test equipment, test computers, and software to Nutherm, re-assemble the FPGA system and the test system, and perform the factory acceptance test again? In addition, since the factory acceptance test is generally designed by the factory, what additional testing in accordance with a Nutherm test procedure will be performed?

6) The Dependability section of the Dedication Process states that "NI Quality Assurance shall be performing surveys and surveillances to confirm CSI adherence to these requirements (The recommendations of DO-254)."

Provide the results of these surveys and surveillances, in particular those dealing with the quality of the programming.

C) Nutherm QA-N-10179-5, "Quality Assurance Manual." The staff notes that software, programmable systems, or lifecycle were not mentioned in the QA Manual.

1) What is the basis for using this QA Manual for QA of a programmable system lifecycle design process?
2) Section 7.2, "Program Requirements," Section I, "Quality Records," has the following requirement:

"Measures for evaluation and selection of procurement sources, and the results therefrom, shall be documented and shall include one or more of the following:

A. Evaluation of the supplier's history of satisfactorily providing an identical or similar product or service.

B. Supplier's current quality records supported by documented qualitative and quantitative information which can be objectively evaluated.

C. Supplier's technical and quality capability as determined by a direct evaluation of supplier's facilities and personnel and implementation of the supplier's QA Program."

Discuss which of these three methods was used and provide documentation of this evaluation.

D) CS Innovations Document 6101-00009, MSFIS Quality Assurance Plan, Revision 0.5. The staff again notes that the FPGA programming lifecycle is not mentioned, nor is the flash list shown as one of the minimum documents governing the requirements, development, verification, and validation of the MSFIS system that falls within the scope of this quality plan. Address how this will be corrected.

In addition, the staff notes that the programming lifecycle is not one of the set of minimum reviews shown in Section 5. Address whether an additional lifecycle review will be added, or the FPGA Design Review Procedure, document 9002-00026, will be modified to include a programming lifecycle review.

E) CS Innovations, Quality Assurance Manual, Revision 1. The staff notes that this is a general QA manual that appears to not be intended for software or programming QA. CS Innovations needs to develop a programming QA program based upon the requirements of IEEE 730-1998, and insert a pointer in the basic QA manual to the programming QA manual.

5. Commercial Grade Dedication Plans: The commercial grade dedication process was determined by review of one document, Nutherm Dedication Plan for Replacement MSFIS System, Revision 2, Nutherm document number WCN-9715DP, submitted as Enclosure I to letter dated August 31, 2007 (ET 07-0039).

The staff was also able to evaluate the success of this plan, since the Nutherm Qualification Report (NQR) for CS Innovations Replacement MSFIS System, Revision 0, Nutherm document number WCN-9715R, was supplied as Enclosure V to letter dated March 14, 2007 (ET 07-0004). These two NUTHERM documents are addressed below:

A) On page 6 of the NUTHERM Dedication Plan, Nutherm stated: "Following the recommended practice in EPRI TR106439, Nutherm will base dedication activities on EPRI Report 5652 with 'appropriate supplemental guidance' applied to digital specific issues. As part of that supplemental guidance, Table 4.1, 'Critical Characteristics Matrix for Digital Equipment,' and Table 6-4, 'ESFAS Programmable Logic Controller (Characteristics),' in EPRI TR-106439 were used as a basis for the development of the dedication activities."

Address if Table 4.1 and 6-4 were part of the supplemental guidance, and what are the other parts.

B) On page 17 in the Critical Characteristics Matrix, Nutherm listed, as the validation method for the critical characteristics of signal conditioning, bistable and logic functions, the following: Review of design, input modules, logic function through Source Verification Review of Vendor Testing at CS Innovations, Review of Module Level Verification.

There is no description of the basis for this review or of the acceptance criteria. There is also no indication in the NQR that this "review" was performed. Address this review, providing a description of the review and the acceptance criteria, and provide the documentation on this review if the review has been completed.

C) On page 18 in the Critical Characteristics Matrix, Nutherm listed the validation method for the critical characteristics of Quality of Design and Manufacturer as follows:

Commercial Grade Survey and/or Source Inspection including:

  • Review of CSI QA program against relevant standards
  • Review of CSI procedures for digital system/software development, V&V, testing for each module
  • Thread audits checking actual practices for QA and software development and control
  • Check of the degree to which QA program and software development process were applied
  • Check of degree to which experience with previous design/revision were applied.

There appears to be no description of (1) the basis for the above reviews, audits, and checks (RACs), and (2) the acceptance criteria for the RACs.

There is also no indication in the NQR that the above RACs were performed. Provide the basis of the above RACs, which standards were used as a reference, and the documentation of the results of the RACs if performed.

D) There are a number of items in Table 6-4 of EPRI TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Application," dated October 1996, which have not been included in the Nutherm commercial grade dedication process. These items are the following, which are listed under method of verification in Tables 6-4b and 6-4c of the EPRI report:

1) Table 6-4b, Page 6-28, for response time: "Review of PLC [programmable logic controller] system design, including input sample rate, processing time, and total cycle time including output propagation and covering worst case combination of times for each series PLC from sensing to actuation. Final verification via testing of integrated system."

2) Table 6-4b, Page 6-29, for behavior under abnormal/faulted conditions: "Review of vendor testing, detailed review of controller design and hardware/software architecture during commercial grade survey, failure analysis including FMEA for the controller, plus special tests performed by the utility to examine behavior under expected abnormal/faulted conditions, verifying safe response of controller."

3) Table 6-4c, Page 6-30, for built-in quality:

"Commercial grade survey, including:

  • Review of vendor QA program against relevant standards.
  • Review of vendor procedures and practices for digital system/software development, V&V, and testing for each module/unit to be procured, and how these processes have evolved. Supplemental documentation prepared as necessary.
  • Thread audit to check actual practices for QA and software development and control.
  • Check of degree to which QA program and software development process were applied in the design and production of the item(s) to be procured.
  • Check of degree to which experience with previous designs has been factored into each succeeding design, evolving to a mature process and product
  • Review of controller design, software architecture including real time task management, and implementation of diagnostics and error detection such as watchdog timer features.
  • Review of software coding procedures or guidelines used in development.
  • Samples of the software code reviewed to check adherence to established coding practices and to support the thread audit."

4) Table 6-4c, Page 6-32 and 6-33, for failure management: "Review of the PLC design, hardware and software architecture, and real time task management, performed as part of the commercial grade survey, and an FMEA performed by the vendor, identifies important internal failure modes, evaluates self test and diagnostic features provided in the design, including items such as watchdog times, and assesses the impact of failures on the PLCs functions.

This includes evaluation of potential abnormal conditions and events (ACEs) per IEEE 7-4.3.2.

System level failure analysis for the ESFAS identifies the most important failure modes for the PLC from the standpoint of the system's safety functions and effect on plant availability. Each of these is evaluated specifically, using information from reviews above, to determine potential causes and likelihood of occurrence, and ensure that these failures are adequately addressed in the design.

Review of product operating history to verify absences of specific critical failure. Review of vendor testing, and performance of special challenge tests designed to test for possible critical failure modes in response to abnormal conditions (e.g., degraded power supply voltage, combinations of input signal failures, HMI errors, configuration errors, etc.). The failure analysis and evaluation of backups in event of PLC failure (defense-in-depth evaluation) identifies capability to manually actuate each of the ESFAS functions that normally would be actuated automatically by the PLCs. The manual actuation capability could be used in the unlikely event of common cause failure of redundant PLCs (the four bistable channels, or the two actuation trains) and, on a best estimate basis, adequately mitigate the consequences of the pertinent design-basis accidents analyzed in the FSAR [Final Safety Analysis Report for the plant]."

5) Table 6-4c, Page 6-33, for configuration control: "Review of configuration control program against appropriate standards during vendor survey, and inspection of actual practices and implementation of program for samples of the software used in the PLC to be procured (including both legacy and new software)."

Since the above items deal with the lifecycle design and test processes, they should have been considered during the commercial grade dedication process for the proposed MSFIS modification. From the documentation submitted, it appears that they have not been considered. Address why these items were not considered during the commercial grade dedication process, and, if these items were considered and the reviews were done, provide the documentation showing this.

As a general note, the staff finds that the commercial grade dedication process used to dedicate the CS Innovations FPGA design was insufficient for this type of design modification because it does not appear, from the documentation submitted, to evaluate the lifecycle process in sufficient detail to determine that this product is of sufficient high quality to use in a nuclear safety related system. Explain how these items will be addressed in the commercial grade dedication process.

6. Project and Management Plans: The project and management plans reviewed were (1) the Wolf Creek MSFIS Controls Replacement Project Plan, Revision 2, dated August 22, 2007, and submitted as Enclosure II to letter dated August 31, 2007 (ET 07-0039); and (2) the CS Innovations Document 6101-00000, MSFIS Management Plan, revision 0.4, received as Enclosure 34 to letter dated June 15, 2007 (ET 07-0022). The staff has no additional questions on these plans at this time.
7. Installation Plan: The installation plan reviewed is the Wolf Creek MSFIS Installation Plan, Revision 1, dated May 29, 2007, and submitted as Enclosure 18 to letter dated June 15, 2007 (ET 07-0022). The staff has no additional questions on these plans at this time.
8. Maintenance Plan: The maintenance plan reviewed is the Wolf Creek MSFIS Maintenance Plan, Revision 1, dated May 29, 2007, and submitted as Enclosure 20 to letter dated June 15, 2007 (ET 07-0022). In Section 2.3, "Implementation Characteristics," pages 6 and 7, this document states that "The replacement MSFIS controls will be treated the same as other hardware based systems in the plant. Therefore the existing procedures for controlling plant equipment can be employed 'as is.'" Previous discussions between the staff and Wolf Creek personnel indicated that Wolf Creek plans to stock un-programmed FPGA boards, and would program those cards to the required configuration as needed for repair parts. In Section 2.4, "Maintenance Procedures," page 7, the plant states that "All procedures required for maintenance of the replacement MSFIS controls will be generated or existing procedures revised as a part of the WCNOC Plant Modification Process."

Provide the procedure which will be used to program stock FPGA boards into application specific boards. Also, provide the required modifications to the maintenance plan.

9. Software Tool Verification Program: The software tool program reviewed was CS Innovations Report 6000-00010, "ALS Design Tools," Revision 0.95, dated August 30, 2007, and supplied as Enclosure III to letter dated August 31, 2007 (ET 07-0039). The staff also reviewed CS Innovations procedures 9002-00036, "FPGA Design Development Procedure," and 9002-00026, "FPGA Design Review Procedure."

The basis for the staff's review is IEEE Std. 7-4.3.2-2003, Section 5.3.2, "Software Tools." This section states the following:

"Software tools used to support software development processes and verification and validation (V&V) processes shall be controlled under configuration management. One or both of the following methods shall be used to confirm the software tools are suitable for use:

a) A test tool validation program shall be developed to provide confidence that the necessary features of the software tool function as required.

b) The software tool shall be used in a manner such that defects not detected by the software tool will be detected by V&V activities.

Tool operating experience may be used to provide additional confidence in the suitability of a tool, particularly when evaluating the potential for undetected defects."

CS Innovations Report 6000-00010 states, in Section 2, page 4, that the tools have been assessed to state why CS Innovations is confident in the tools ability and how the tool output is independently assessed. The staff does not see this assessment in the report. As an example, in Section 4.2, Synthesis, the report states that the design engineers will identify and verify the critical path in the design, but there is no description of how this is done. In Section 4.3, Place and Route, it states that the design engineer will review output files to verify that the tools perform as expected, but there is no description of how this is done. The generic procedures referenced, CS Innovations documents 9002-00036 - "FPGA Design Development Procedure" and 9002-00026 - "FPGA Design Review Procedure," provide a checklist of items, but do not describe the process.

It is requested that the licensee either provide a description of how the assessment of the output of the tools is done, or be prepared to discuss this aspect in detail during the planned site visit to CS Innovations in February of 2008.

10. Test Plan: The test plan reviewed was CS Innovations Document 6101-00004, "MVSFIS System Test Plan," Rev. 0.8, dated June 9, 2007, and submitted as Enclosure 35 to letter dated June 15, 2007 (ET 07-0022). This document contains both the system test plan and procedures. The staff has no additional questions on this plan at this time; however, the staff did not review the test procedures in the preparation of this RAI.

The staff noted that Wolf Creek has not yet submitted test plans for site acceptance tests or for installation tests. Provide a schedule for when these documents will be submitted to the staff for review.

11. Environmental Test Plans: The documents reviewed to determine the acceptability of the environmental test plans were the Nutherm "Qualification Report for CS Innovations Replacement MSFIS System," Nutherm Document Number WCN-9715R, Rev. 0, dated February 16, 2007, including Appendix I, II, III, VI, V, and VI, provided as Enclosure VI to letter dated April 18, 2007 (ET 07-0008); and Wolf Creek Generating Station Specification J-105A(Q), Revision 2, "Replacement MSFIS System," dated October 3, 2006, and provided as Enclosure 1 to letter dated April 18, 2007 (ET 07-0008). The combined requirements in these documents were compared to the requirements of IEEE Standard 323-1974/1983, IEEE Standard 344-1987, EPRI Report TR-102323, Military Standard MIL-STD-461E, and the International Electrotechnical Commission (IEC) 61000 series endorsed by RG 1.180, Revision 1, as discussed below:

A) EMC Susceptibility Test: NRC RG 1.180, Revision 1, specifies two test methods acceptable to the NRC staff in regard to susceptibility testing for safety related instrumentation and controls (I&C) systems in nuclear power plants, and lists the detailed tests of the two methods as Table 6 and Table 7 on page 19. These two methods are the following:

1) EMI/RFI test methods in MIL-STD-461E
2) EMI/RFI test methods in IEC 61000-4

RG 1.180, Rev. 1, Section 4, page 18, also states: "It is intended that either set of test methods be applied in its entirety, without selective application of individual methods (i.e., no mixing and matching of test methods) for susceptibility testing." The test methods proposed, however, appear to mix and match test methods, in that the licensee provided an incomplete test set of IEC 61000-4 susceptibility tests, did not perform the tests of IEC 61000-4-9, 61000-4-10, and 61000-4-13, and did perform two additional MIL-STD-461E susceptibility tests, CS101 and RS101, from the other set. Provide justification for this. As stated above, the licensee can choose either test method MIL-STD-461E or IEC 61000-4, but it is requested that the licensee provide the entire set of test results of the selected method.

B) The licensee quoted an excerpt of EPRI TR-102323, Rev. 2, Appendix D, "NRC Safety Evaluation Report," page D-16, as stated below:

The staff also disagreed with the Working Group not recommending a low frequency range (30 Hz to 50 kHz) radiated susceptibility test for equipment qualification because low frequency magnetic field in the equipment location can attenuate rapidly within a short distance. The staff believes that such a test would provide increased assurance that equipment is not susceptible to radiated magnetic fields in the frequency range of 30 Hz to 50 kHz. In response, the Working Group agreed to revise TR-102323 to recommend a low frequency radiated susceptibility test limit consistent with Figure 5-4 of TR-102323. Licensees could, however, justify a less restrictive test limit under certain circumstances such as the presence of an equipment shield of ferrous metal or installing the new equipment at a substantial distance from potential sources.

The licensee then indicated that IEC 61000-4-9 and IEC 61000 10 were not included based on this evaluation. Since the waiver of these two EMC susceptibility tests is only allowed under special conditions, provide the justification why the tested equipment satisfied these special conditions.

C) Nutherm, on page 13 of WCN-9715R, stated that "The MSFIS system contains only DC power and signal lines, therefore susceptibility test 61000-4-13 is not applicable and will not be performed." Since the area in which the equipment will be located has AC power, and the DC power supply for the MSFIS is contained in the base of the cabinet, provide justification of why this test was not performed. This justification should include the distance to the nearest AC power lines and the expected signal strength.