WO 07-0028, Response to Request for Additional Information Relating to Replacement of the Main Steam and Feedwater Isolation Valves and Controls

Response to Request for Additional Information Relating to Replacement of the Main Steam and Feedwater Isolation Valves and Controls
ML073241402
Person / Time
Site: Wolf Creek (Wolf Creek Nuclear Operating Corporation)
Issue date: 11/16/2007
From: Matthew Sunseri
Wolf Creek
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
WO 07-0028


Text

Wolf Creek Nuclear Operating Corporation
Matthew W. Sunseri
Vice President Operations and Plant Manager

November 16, 2007
WO 07-0028

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

Reference:

1) Letter ET 07-0004, dated March 14, 2007, from T. J. Garrett, WCNOC, to USNRC
2) Letter dated August 8, 2007, from J. W. Lubinski, USNRC, to R. A. Muench, WCNOC
3) Letter ET 07-0039, dated August 31, 2007, from T. J. Garrett, WCNOC, to USNRC
4) Letter ET 07-0041, dated September 20, 2007, from T. J Garrett, WCNOC, to USNRC

Subject:

Docket No. 50-482: Response to Request for Additional Information Relating to Replacement of the Main Steam and Feedwater Isolation Valves and Controls

Gentlemen:

Reference 1 provided a license amendment request that proposed revisions to Technical Specification (TS) 3.3.2, "Engineered Safety Feature Actuation System (ESFAS) Instrumentation," TS 3.7.2, "Main Steam Isolation Valves (MSIVs)," and TS 3.7.3, "Main Feedwater Isolation Valves (MFIVs)," based on a planned modification to replace the MSIVs and their associated actuators and the MFIVs and their associated actuators. This modification also planned replacement of the Main Steam and Feedwater Isolation System (MSFIS) controls.

On August 2, 2007, Wolf Creek Nuclear Operating Corporation (WCNOC) personnel met with the NRC staff to discuss five issues identified by the NRC associated with the review of the MSFIS controls modification. Subsequently, the NRC issued Reference 2, in which the NRC staff accepted the MSFIS controls modification license amendment request for review. This letter identified five issues requiring a response from WCNOC. Reference 3 provided responses to the five issues. With regard to issue 1, WCNOC provided in Reference 4 a difference analysis of RTCA DO-254/EUROCAE ED-80, "Design Assurance Guidance for Airborne Electronic Hardware," to Institute of Electrical and Electronics Engineers (IEEE) Std 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." In a teleconference between NRC staff and WCNOC personnel on September 25, 2007, WCNOC agreed to provide a draft matrix of the IEEE Std 7-4.3.2-2003 requirements as they pertain to the MSFIS controls design. The draft matrix was provided by electronic mail on October 12, 2007. Enclosure I provides the Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design.

P.O. Box 411 / Burlington, KS 66839 / Phone: (620) 364-8831 / An Equal Opportunity Employer M/F/HC/VET

Enclosure I provides the proprietary WCNOC, "Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design," Rev. 0. Enclosure II provides the non-proprietary WCNOC, "Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design," Rev. 0. As Enclosure I contains information proprietary to WCNOC, it is supported by an affidavit signed by WCNOC, the owner of the information. The affidavit sets forth the basis on which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390 of the Commission's regulations. Accordingly, it is respectfully requested that the information, which is proprietary to WCNOC, be withheld from public disclosure in accordance with 10 CFR 2.390 of the Commission's regulations. This affidavit is contained in Enclosure III.

The additional information provided in the Enclosures does not impact the conclusions of the No Significant Hazards Consideration provided in Reference 1. In accordance with 10 CFR 50.91, a copy of this submittal is being provided to the designated Kansas State official.

This letter contains no commitments. If you have any questions concerning this matter, please contact me at (620) 364-4008, or Mr. Kevin Moles, Manager Regulatory Affairs at (620) 364-4126.

Sincerely,

Matthew W. Sunseri

MWS/rlt

Enclosures:
I - Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design, Rev. 0 (Proprietary)
II - Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design, Rev. 0 (Non-Proprietary)
III - WCNOC Affidavit for Withholding Proprietary Information from Public Disclosure

cc:
E. E. Collins (NRC), w/e
T. A. Conley (KDHE), w/e (Enclosure II only)
J. N. Donohew (NRC), w/e
V. G. Gaddy (NRC), w/e
Senior Resident Inspector (NRC), w/e

STATE OF KANSAS )
COUNTY OF COFFEY )

Matthew W. Sunseri, of lawful age, being first duly sworn upon oath says that he is Vice President Operations and Plant Manager of Wolf Creek Nuclear Operating Corporation; that he has read the foregoing document and knows the contents thereof; that he has executed the same for and on behalf of said Corporation with full power and authority to do so; and that the facts therein stated are true and correct to the best of his knowledge, information and belief.

Matthew W. Sunseri
Vice President Operations and Plant Manager

SUBSCRIBED and sworn to before me this [illegible] day of [illegible], 2007.

Rhonda L. Tiemeyer, Notary Public
Official Seal
My commission expires January 11, 2010

Enclosure II to WO 07-0028
Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design, Rev. 0 (Non-Proprietary)

NON-PROPRIETARY MATRIX OF IEEE 7-4.3.2 REQUIREMENTS TO MSFIS CONTROLS DESIGN

Sections 1, 2, and 3 of IEEE 7-4.3.2 are Scope, References, and Definitions and Abbreviations, respectively. They are not included in the matrix below, as they are considered administrative information.

The matrix has three columns: IEEE 7-4.3.2-2003 Requirements, IEEE 603-1998, and WCNOC Position. Each row below is given as the three column entries in that order, followed by the references cited for the WCNOC position.

4. Safety system design basis

IEEE 7-4.3.2-2003 Requirements: NOTE-See Annex A for more information about the relationship of this standard to IEEE Std 603-1998. No requirements beyond IEEE Std 603-1998 are necessary (see also Annex B).

IEEE 603-1998: 4. Safety system design basis. A specific basis shall be established for the design of each safety system of the nuclear power generating station. The design basis shall also be available as needed to facilitate the determination of the adequacy of the safety system, including design changes. The design basis shall be consistent with the requirements of ANSI/ANS 51.1-1983 or ANSI/ANS 52.1-1983 and shall document as a minimum: (See IEEE document for this information)

WCNOC Position: The main steam supply system design basis is provided in Section 10.3.1.1 of the USAR. The main feedwater system design basis is provided in Section 10.4.7 of the USAR. The main steam and feedwater isolation controls design basis is provided in Section 7.3.7 of the USAR. The design bases of the systems are not changed by the modifications to the valves and controls.

5. Safety system criteria

IEEE 7-4.3.2-2003 Requirements: The following subclauses list the safety system criteria in the order they are listed in IEEE Std 603-1998. For some criteria, there are no additional requirements beyond what is stated in IEEE Std 603-1998. For other criteria, additional requirements are described in 5.1 through 5.15.

WCNOC Position: None Required

5.1 Single-failure criterion

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary (see also Annex B).

IEEE 603-1998: 5.1 Single-failure criterion. The safety systems shall perform all safety functions required for a design basis event in the presence of

a) Any single detectable failure within the safety systems concurrent with all identifiable but nondetectable failures.
b) All failures caused by the single failure.
c) All failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions.

The single failure could occur prior to, or at any time during, the design basis event for which the safety system is required to function. The single-failure criterion applies to the safety systems whether control is by automatic or manual means.

IEEE Std 379-1994 provides guidance on the application of the single-failure criterion. (See also [B3].) IEEE Std 7-4.3.2-1993 addresses common cause failures for digital computers.

This criterion does not invoke coincidence (or multiple-channel) logic within a safety group; however, the application of coincidence logic may evolve from other criteria or considerations to maximize plant availability or reliability. An evaluation has been performed and documented in other standards to show that certain fluid system failures need not be considered in the application of this criterion [B3]. The performance of a probabilistic assessment of the safety systems may be used to demonstrate that certain postulated failures need not be considered in the application of the criterion. A probabilistic assessment is intended to eliminate consideration of events and failures that are not credible; it shall not be used in lieu of the single-failure criterion. IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.

Where reasonable indication exists that a design that meets the single-failure criterion may not satisfy all the reliability requirements specified in Clause 4, item i) of the design basis, a probabilistic assessment of the safety system shall be performed. The assessment shall not be limited to single failures. If the assessment shows that the design basis requirements are not met, design features shall be provided or corrective modifications shall be made to ensure that the system meets the specified reliability requirements.

WCNOC Position: The Advanced Logic System (ALS) has been architected such that no single failure shall prevent the system from performing the safety function. CS Innovations (CSI) 6101-00006, "MSFIS Safety Assessment," provides a detailed functional failure path analysis as well as a component level failure modes and effects analysis (FMEA) to ensure the single failure criterion is met within the ALS. Further, the System Reliability Analysis for Advanced Logic System includes a FMEA which shows that the single failure criterion is met for all creditable single failures and all failures caused by the single failure.

References:
CSI 6101-00006 (Enclosure 36 to ET 07-0022)
WCNOC System Reliability Analysis for Advanced Logic System (Enclosure VII to ET 07-0008)

5.2 Completion of protective action

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

IEEE 603-1998: 5.2 Completion of protective action. The safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. This requirement shall not preclude the use of equipment protective devices identified in Clause 4, item k) of the design basis or the provision for deliberate operator interventions. Seal-in of individual channels is not required.

WCNOC Position: This functionality exists in the current design and will be retained in the ALS MSFIS. After a trip signal (ESFAS input or ALL CLOSE input) is received, the trip signal must first no longer be present and then operator action (OPEN switch on MCB) is required to re-open the valves.

References:
CSI 6101-00002 (Enclosure 38 to ET 07-0022)

5.3 Quality

IEEE 7-4.3.2-2003 Requirements: Hardware quality is addressed in IEEE Std 603-1998. Software quality is addressed in IEEE/EIA Std 12207.0-1996 and supporting standards. Computer development activities shall include the development of computer hardware and software. The integration of the computer hardware and software and the integration of the computer with the safety system shall be addressed in the development process.

A typical computer system development process consists of the following life cycle processes:

- Creating the conceptual design of the system, translation of the concepts into specific system requirements
- Using the requirements to develop a detailed system design
- Implementing the design into hardware and software functions
- Testing the functions to assure the requirements have been correctly implemented
- Installing the system and performing site acceptance testing
- Operating and maintaining the system
- Retiring the system

In addition to the requirements of IEEE Std 603-1998, the following activities necessitate additional requirements that are necessary to meet the quality criterion:

- Software development
- Qualification of existing commercial computers (see 5.4.2)
- Use of software tools
- Verification and validation
- Configuration management
- Risk Management

IEEE 603-1998: 5.3 Quality. Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program (See ASME NQA-1-1994). Guidance on the application of this criteria for safety system equipment employing digital computers and programs or firmware is found in IEEE Std 7-4.3.2-1993.

WCNOC Position: CS Innovations has established a 10 CFR 50 Appendix B Quality Assurance (QA) program. Within this program they have provided a framework for the design development process. Procedure QCP-3, "Design Control," is the top level design related procedure within the CS Innovations QA program. This top level procedure describes the high level development process steps. QCP-3 references a lower tier procedure, 9002-00033, "Hardware Design Development Procedure," for more details of the design development process.

Procedure 9002-00033 provides a more detailed discussion of the design development process. It provides a flowchart of the overall process beginning with the customer requirements to the final product or system under development. Procedure 9002-00033 references three lower tier procedures for specifics regarding the electrical wiring, board design and development, and FPGA design and development. Procedure 9002-00034, "Electrical Wiring Design Development Procedure," procedure 9002-00035, "Board Design Development Procedure," and procedure 9002-00036, "FPGA Design Development Procedure," each provide a detailed flow chart and descriptions of the activities within the respective design flows.

References:
CSI QCP-3 (Enclosure 33 to ET 07-0022)
CSI 9002-00033 (Enclosure 39 to ET 07-0022)
CSI 9002-00034 (Enclosure 39 to ET 07-0022)
CSI 9002-00035 (Enclosure 39 to ET 07-0022)
CSI 9002-00036 (Enclosure 39 to ET 07-0022)

5.3.1 Software development

IEEE 7-4.3.2-2003 Requirements: Computer software shall be developed, modified, or accepted in accordance with an approved software quality assurance (QA) plan consistent with the requirements of IEEE/EIA 12207.0-1996. The software QA plan shall address all software that is resident on the computer at run time (i.e., application software, network software, interfaces, operating systems, and diagnostics). Guidance for developing software QA plans can be found in IEC 60880 (1986-09) [B4] and IEEE Std 730-1998 [B8].

IEEE 603-1998: N/A

WCNOC Position: A review of CS Innovations 6101-00009, "MSFIS Quality Assurance Plan," determined that the MSFIS Quality Assurance (QA) Plan is consistent with the requirements of IEEE/EIA 12207.0-1996. The CS Innovations MSFIS QA Plan has been tailored to the replacement MSFIS Controls project in accordance with paragraph 1.3 of IEEE/EIA 12207.0-1996.

References:
CSI 6101-00009 (Enclosure 39 to ET 07-0022)

5.3.1.1 Software quality metrics

IEEE 7-4.3.2-2003 Requirements: The use of software quality metrics shall be considered throughout the software life cycle to assess whether software quality requirements are being met. When software quality metrics are used, the following life cycle phase characteristics should be considered:

- Correctness/Completeness (Requirements phase)
- Compliance with requirements (Design phase)
- Compliance with design (Implementation phase)
- Functional compliance with requirements (Test and Integration phase)
- On-site functional compliance with requirements (Installation and Checkout phase)
- Performance history (Operation and Maintenance phase)

The basis for the metrics selected to evaluate software quality characteristics should be included in the software development documentation. IEEE Std 1061-1998 [B13] provides a methodology for the application of software quality metrics.

IEEE 603-1998: N/A

WCNOC Position: CS Innovations 6101-00009, "MSFIS Quality Assurance Plan," includes requirements for defect tracking and process improvement, and the CS Innovations 6101-00008, "MSFIS V&V Plan," includes the life cycle phase characteristics identified in IEEE 7-4.3.2, with the exception of performance history. Performance history is maintained by the WCNOC maintenance program.

References:
CSI 6101-00009 (Enclosure 39 to ET 07-0022)
CSI 6101-00008 (Enclosure 27 to ET 07-0022)

5.3.2 Software tools

IEEE 7-4.3.2-2003 Requirements: Software tools used to support software development processes and verification and validation (V&V) processes shall be controlled under configuration management. One or both of the following methods shall be used to confirm the software tools are suitable for use:

a) A test tool validation program shall be developed to provide confidence that the necessary features of the software tool function as required.
b) The software tool shall be used in a manner such that defects not detected by the software tool will be detected by V&V activities.

Tool operating experience may be used to provide additional confidence in the suitability of a tool, particularly when evaluating the potential for undetected defects.

WCNOC Position: CS Innovations utilizes several software tools to achieve the final design of the ALS. These software tools are critical aspects to ensure the final ALS hardware meets the intended design objectives. Tools selected for a particular project are controlled by configuration management. Specifically, the tools utilized in the development life cycle for a particular project are configuration controlled and maintained with all files associated with that project.

CS Innovations performs a tool assessment and qualification to ensure that the tool(s) are capable of performing the particular design or verification activity to an acceptable level of confidence. Tool assessment and qualification has two fundamental aspects: 1) ensures the proper tool is used for a particular activity in the development of the ALS, and 2) identifies how the output of a particular tool is independently assessed within the V&V activities. Tool assessment and qualification is described in CS Innovations 6000-00010, "ALS Design Tools," Chapter 2. Tool assessment and qualification satisfy the methods described in IEEE 7-4.3.2, Section 5.3.2, to confirm the software tools are suitable for use.

Tool operating experience has also been utilized for determining software tool suitability. CS Innovations 6000-00010, "ALS Design Tools," discusses the experience with the software tools being utilized.

References:
CSI 6000-00010 (Enclosure III to ET 07-0039)
CSI 6101-00005 (Enclosure 31 to ET 07-0022)

5.3.3 Verification and validation

IEEE 7-4.3.2-2003 Requirements: NOTE-See IEEE Std 1012-1998 and IEEE Std 1012a-1998 [B10] for more information about software V&V.

V&V is an extension of the program management and systems engineering team activities. V&V is used to identify objective data and conclusions (i.e., proactive feedback) about digital system quality, performance, and development process compliance throughout the system life cycle. Feedback consists of anomaly reports, performance improvements, and quality improvements regarding the expected operating conditions across the full spectrum of the system and its interfaces.

V&V processes are used to determine whether the development products of an activity conform to the requirements of that activity, and whether the system performs according to its intended use and user needs. This determination of suitability includes assessment, analysis, evaluation, review, inspection, and testing of products and processes.

This standard adopts the IEEE Std 1012-1998 terminology of process, activity and task, in which software V&V processes are subdivided into activities, which are further subdivided into tasks. The term V&V effort is used to reference this framework of V&V processes, activities, and tasks.

V&V processes shall address the computer hardware and software, integration of the digital system components, and the interaction of the resulting computer system with the nuclear power plant.

The V&V activities and tasks shall include system testing of the final integrated hardware, software, firmware, and interfaces.

The software V&V effort shall be performed in accordance with IEEE Std 1012-1998. The IEEE Std 1012-1998 V&V requirements for the highest integrity level (level 4) apply to systems developed using this standard (i.e., IEEE Std 7-4.3.2). See IEEE Std 1012-1998 Annex B for a definition of integrity level 4 software.

WCNOC Position: CS Innovations employs a V&V process for developing ALS based applications as described in 6101-00008, "MSFIS V&V Plan." CS Innovations implements a top level V&V plan for a particular application utilizing the ALS. The purpose of the V&V plan is to establish a consistent method for providing V&V sufficient to ensure safety and risk mitigation for the successful deployment of the system. For ALS based applications the V&V activities are performed as part of the ongoing development and manufacturing process to facilitate the timely detection of errors. The V&V activities are also performed to analyze and test the system with respect to the hardware interfaces, customer interfaces, and the safety related functionality.

CS Innovations also performs ALS specific V&V activities that are independent of the replacement MSFIS Controls application V&V activities. ALS specific V&V activities are encompassed within the various procedures that deal with the design development process. This includes procedures such as 9002-00033, "Hardware Design Development Procedure," 9002-00034, "Electrical Wiring Design Development Procedure," 9002-00035, "Board Design Development Procedure," and 9002-00036, "FPGA Design Development Procedure."

CS Innovations requires specific design reviews during each phase of the project. The design review requirements are specified in procedures 9002-00024, "Electrical Wiring Design Review Procedure," 9002-00025, "Board Design Review Procedure," and 9002-00026, "FPGA Design Review Procedure." The required reviews are summarized as follows: [c, d]

References:
CSI 6101-00008 (Enclosure 27 to ET 07-0022)
CSI 9002-00036 (Enclosure 39 to ET 07-0022)
CSI 6000-00008 (Enclosure 28 to ET 07-0022)
CSI 9002-00034 (Enclosure 39 to ET 07-0022)
CSI 9002-00035 (Enclosure 39 to ET 07-0022)

5.3.4 Independent V&V (IV&V) requirements

IEEE 7-4.3.2-2003 Requirements: The previous section addresses the V&V activities to be performed. This section defines the levels of independence required for the V&V effort. IV&V activities are defined by three parameters: technical independence, managerial independence, and financial independence. These parameters are described in Annex C of IEEE Std 1012-1998.

The development activities and tests shall be verified and validated by individuals or groups with appropriate technical competence, other than those who developed the original design.

Oversight of the IV&V effort shall be vested in an organization separate from the development and program management organizations. The V&V effort shall independently select

a) The segments of the software and system to be analyzed and tested,
b) The V&V techniques, and
c) The technical issues and problems upon which to act.

The V&V effort shall be allocated resources that are independent of the development resources.

See Annex C of IEEE Std 1012-1998 for additional guidance.

WCNOC Position: The CS Innovations V&V team is responsible for the V&V performance of all phases of the system life cycle. The V&V organization performs reviews, audits, tests and analysis in addition to normal design reviews performed within the CS Innovations organization. The V&V team is responsible for the organization of the V&V activities, as well as creating the V&V plan for a particular project. Given the fact that CS Innovations is a small company, they have chosen to head the V&V team with the president of the company. This ensures maximum familiarization with the design principles, features of the ALS, customer requirements, etc. Although this does not constitute independence between financial interests and the V&V effort, it does emphasize the focus on the V&V effort. Independence of the financial interests was not deemed necessary given the president of the company has a high interest in the V&V conducted in the best possible manner, and that the final product outcome be of the highest quality possible.

To ensure the V&V effort is a value added aspect of the overall process the V&V team is staffed with members familiar with all processes used within CS Innovations from design, to manufacturing, to final test procedures and execution of the test equipment. This ensures a complete independent understanding of the system, without support from the design team for interpretations of the functionality of the system and the results of testing.

References:
CSI 6101-00008 (Enclosure 27 to ET 07-0022)

5.3.5 Software configuration management

IEEE 7-4.3.2-2003 Requirements: Software configuration management shall be performed in accordance with IEEE Std 1042-1987. IEEE Std 828-1998 [B9] provides guidance for the development of software configuration management plans.

The minimum set of activities shall address the following:

a) Identification and control of all software designs and code
b) Identification and control of all software design functional data (e.g., data templates and data bases)
c) Identification and control of all software design interfaces
d) Control of all software design changes
e) Control of software documentation (user, operating, and maintenance documentation)
f) Control of software vendor development activities for the supplied safety system software
g) Control and retrieval of qualification information associated with software designs and code
h) Software configuration audits
i) Status accounting

Some of these functions or documents may be performed or controlled by other QA activities. In this case, the software configuration management plan shall describe the division of responsibility.

A software baseline shall be established at appropriate points in the software life cycle process to synchronize engineering and documentation activities. Approved changes that are created subsequent to a baseline shall be added to the baseline.

The labeling of the software for configuration control shall include unique identification of each configuration item, and revision and/or date time stamps for each configuration item.

Changes to the software/firmware shall be formally documented and approved consistent with the software configuration management plan. The documentation shall include the reason for the change, identification of the affected software/firmware, and the impact of the change on the system. Additionally, the documentation should include the plan for implementing the change in the system (e.g., immediately implementing the change, or scheduling the change for a future version).

IEEE 603-1998: N/A

WCNOC Position: CS Innovations 6101-00005, "MSFIS Configuration Management Plan," is based on IEEE Std 828 and the guidance in IEEE Std 1042. The Configuration Management (CM) Plan identifies the configuration items that are under configuration management, provides detailed requirements and responsibilities for the change process, and defines the baselining process. The CM Plan also includes detailed requirements for document and software identification, release, archiving and audits.

Reference:
CSI 6101-00005 (Enclosure 31 to ET 07-0022)

5.3.6 Software project risk management

IEEE 7-4.3.2-2003 Requirements: Software project risk management is a tool for problem prevention: identifying potential problems, assessing their impact, and determining which potential problems must be addressed to assure that software quality goals are achieved. Risk management shall be performed at all levels of the digital system project to provide adequate coverage for each potential problem area. Software project risks may include technical, schedule, or resource-related risks that could compromise software quality goals, and thereby affect the ability of the safety computer system to perform safety related functions. Software project risk management differs from hazard analysis, as defined in 3.1.31, in that hazard analysis is focused solely on the technical aspects of system failure mechanisms.

IEEE 603-1998: N/A

WCNOC Position: Risk management is addressed by CS Innovations 6101-00008, "MSFIS V&V Plan," in conjunction with procedure QCP-16, "Corrective Action." The Plan specifies the V&V activities which shall be completed at each phase of the life cycle and the corresponding task iteration and audit policies.

References:
CSI 6101-00008 (Enclosure 27 to ET 07-0022)
CSI QCP-16 (Enclosure 33 to ET 07-0022)

5.4 Equipment qualification In addition to the equipment qualification criteria provided by IEEE Std 603-1998, the requirements listed in 5.4.1 and 5.4.2 are necessary to qualify digital computers for use in safety systems.

5.4.1 Computer system testing

IEEE 7-4.3.2-2003 Requirements: Computer system qualification testing (see 3.1.36) shall be performed with the computer functioning with software and diagnostics that are representative of those used in actual operation. All portions of the computer necessary to accomplish safety functions, or those portions whose operation or failure could impair safety functions, shall be exercised during testing. This includes, as appropriate, exercising and monitoring the memory, the CPU, inputs and outputs, display functions, diagnostics, associated components, communication paths, and interfaces. Testing shall demonstrate that the performance requirements related to safety functions have been met.

WCNOC Position: Qualification testing was performed on the ALS equipment per the requirements in WCNOC Specification J-105A. The qualification testing was completed with a full ALS rack, including all circuit cards installed, as well as the assembly panel. The ALS rack was configured with the complete functionality of the production system to be installed at Wolf Creek Generating Station for the MSFIS Controls. This logic included all diagnostics and self-test capabilities of the ALS. The equipment was functionally tested before each test and after the completion of each test. During the qualification testing the equipment was actuated to perform the safety related function while all diagnostics and self-test capabilities were functioning. The qualification testing proved that the equipment was capable of accomplishing all safety functions and that the safety function was not impaired by the self-test, diagnostics, or other features of the system not directly required to accomplish the safety function.

References: WCNOC Specification J-105A(Q) (Enclosure I to ET 07-0008); NI WCN-9715R, Rev. 0 (Enclosure VI to ET 07-0008)

11 Rev. 0

NON-PROPRIETARY
IEEE 7-4.3.2-2003 Requirements | IEEE 603-1998 | WCNOC Position

5.4.2 Qualification of existing commercial computers

NOTE-See Annex C for more information about commercial grade item dedication.

IEEE 7-4.3.2-2003 Requirements: The qualification process shall be accomplished by evaluating the hardware and software design using the criteria of this standard. Acceptance shall be based upon evidence that the digital system or component, including hardware, software, firmware, and interfaces, can perform its required functions. The acceptance and its basis shall be documented and maintained with the qualification documentation.

In those cases in which traditional qualification processes cannot be applied, an alternative approach to verify a component is acceptable for use in a safety-related application is commercial grade dedication. The objective of commercial grade dedication is to verify that the item being dedicated is equivalent in quality to equipment developed under a 10 CFR 50 Appendix B program [B16]. The dedication process for the computer shall entail identification of the physical, performance, and development process requirements necessary to provide adequate confidence that the proposed digital system or component can achieve the safety function.

The dedication process shall apply to the computer hardware, software, and firmware that are required to accomplish the safety function. The dedication process for software and firmware shall, whenever possible, include an evaluation of the design process. There may be some instances in which a design process cannot be evaluated as part of the dedication process. For example, the organization performing the evaluation may not have access to the design process information for a microprocessor chip to be used in the safety system. In this case, it would not be possible to perform an evaluation to support the dedication. Because the dedication process involves all aspects of life cycle processes and manufacturing quality, commercial grade item dedication should be limited to items that are relatively simple in function relative to their intended use.

Commercial grade item dedication involves preliminary phase and detailed phase activities. These phase activities are described in 5.4.2.1 through 5.4.2.2.

WCNOC Position: The replacement MSFIS Controls have been developed by CS Innovations. The replacement MSFIS Controls are based on the ALS. CS Innovations has developed the ALS for safety critical applications across multiple industries, with a particular focus on the nuclear industry. At the time the replacement MSFIS Controls project began, CS Innovations was considered by WCNOC as a commercial supplier. CS Innovations indicated their intention to develop a 10 CFR 50 Appendix B program during the execution of the replacement MSFIS Controls project. However, because CS Innovations was considered by WCNOC to be a commercial supplier at the beginning of the project, a third party qualifier and dedicator was contracted by WCNOC to provide adequate confidence that the ALS based replacement MSFIS Controls could achieve the required safety function. Nutherm International was contracted by WCNOC to fulfill the role of third party qualifier and dedicator.

CS Innovations has continued developing their 10 CFR 50 Appendix B Program throughout the execution of the replacement MSFIS Controls Project. WCNOC performed a 10 CFR 50 Appendix B audit of the CS Innovations program in September 2007. The results of the WCNOC audit found the CS Innovations Appendix B program to be satisfactory. The audit identified four administrative findings which did not affect the actual hardware developed under the program. Therefore, WCNOC has added CS Innovations to the approved supplier list for safety-related equipment. Subsequent orders from WCNOC to CS Innovations may be safety-related orders; in that case a third party qualifier and dedicator will not be necessary.

Nutherm International has provided the 1) qualification and 2) dedication services for the replacement MSFIS Controls Project.

1) The qualification of the equipment has been completed per WCNOC requirements as identified in specification J-105A(Q). The qualification plan and qualification results are provided in Nutherm International documents WCN-9715P, "Nutherm Qualification Plan," Rev. 1, and WCN-9715R, "Nutherm Qualification Report," Rev. 0. As discussed in the response to IEEE 7-4.3.2-2003, Section 5.4.1, the testing exercised all portions of the functionality required to accomplish the safety functions as well as all functionality of the built-in self-testing, diagnostics, and other functionality not directly required to accomplish the safety function.

2) The Nutherm International dedication process has identified the physical, performance, and dependability characteristics necessary to provide adequate confidence that the proposed digital system can achieve the safety function.

The physical characteristics are those characteristics of the item which deal with its construction, materials, shape, form and fit, etc. The ALS physical characteristics have been compared with the qualified equipment to ensure similarity. Any differences have been noted and evaluated for impact on qualification by the Nutherm Engineering Department.

The performance characteristics of the ALS are the operational critical characteristics as determined by a technical evaluation. The performance characteristics have been verified through testing and analysis. The performance testing verifies proper operation of the system and compliance with the WCNOC specification J-105A. Nutherm International will perform a detailed test procedure, TPS-9064, "Final Acceptance Testing for Main Steam Feedwater Isolation System (MSFIS) Rack," to verify the performance aspects of the replacement MSFIS Controls.

The dependability characteristics of the ALS focus on items such as reliability and built-in quality. The dependability of a digital system is strongly influenced by the development process and the personnel involved in the design, development, verification, and validation of the digital equipment. The ALS is considered a software-based digital system which depends on high quality software utilized in the development to ensure the intended design objective is achieved. However, the system does not contain, nor rely on, software or firmware for the execution of the system. Given that the ALS is a software-based digital system, as described above, the dependability aspects of the ALS are critical to ensure adequate confidence that the ALS can achieve the safety function. The Nutherm International Final Dedication Report will provide the final results and conclusions regarding the dedication process employed.

References: WCNOC Specification J-105A(Q) (Enclosure I to ET 07-0008); NI WCN-9715R, Rev. 0 (Enclosure VI to ET 07-0008)

5.5 System integrity

IEEE 7-4.3.2-2003 Requirements: In addition to the system integrity criteria provided by IEEE Std 603-1998, the following are necessary to achieve system integrity in digital equipment for use in safety systems:

- Design for computer integrity

- Design for test and calibration

- Fault detection and self-diagnostics

5.5.1 Design for computer integrity

IEEE 7-4.3.2-2003 Requirements: The computer shall be designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function. For example, input and output processing failures, precision or roundoff problems, improper recovery actions, electrical input voltage and frequency fluctuations, and maximum credible number of coincident signal changes.

If the system requirements identify a safety system preferred failure mode, failures of the computer shall not preclude the safety system from being placed in that mode. Performance of computer system restart operations shall not result in the safety system being inhibited from performing its function.


5.5.2 Design for test and calibration

IEEE 7-4.3.2-2003 Requirements: Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context. It shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration change (e.g., setpoint change).

V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the computer that is part of the safety system.

V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.

WCNOC Position: The on-line test capabilities of the ALS are fully contained within the ALS system, thus no separate test systems are required.

The ALS does not implement setpoints, e.g., calibration settings for specific trip points, for the replacement MSFIS Controls. Therefore specific concerns regarding the calibration and changing of setpoints do not apply.

References: CSI 6000-00000 (Enclosure 37 to ET 07-0022)


5.5.3 Fault detection and self-diagnostics

IEEE 7-4.3.2-2003 Requirements: Computer systems can experience partial failures that can degrade the capabilities of the computer system, but may not be immediately detectable by the system.

Self-diagnostics are one means that can be used to assist in detecting these failures. Fault detection and self-diagnostics requirements are addressed in this subclause.

The reliability requirements of the safety system shall be used to establish the need for self-diagnostics. Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostics are incorporated into the system requirements, these functions shall be subject to the same V&V processes as the safety system functions.

References: CSI 6000-00000 (Enclosure 37 to ET 07-0022), Sections 2.1, 2.7.1, 2.7.3, 7.4

If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Conversely, self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function. A typical set of self-diagnostic functions includes the following:

- Memory functionality and integrity tests (e.g., PROM checksum and RAM tests)

- Computer system instruction set (e.g., calculation tests)

- Computer peripheral hardware tests (e.g., watchdog timers and keyboards)

- Computer architecture support hardware (e.g., address lines and shared memory interfaces)

- Communication link diagnostics (e.g., CRC checks)

Infrequent communication link failures that do not result in a system failure or a lack of system functionality do not require reporting.

When self-diagnostics are applied, the following self-diagnostic features shall be incorporated into the system design:

a) Self-diagnostics during computer system startup

b) Periodic self-diagnostics while the computer system is operating

c) Self-diagnostic test failure reporting
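As an added illustration of features a) through c) and of the constraint that self-diagnostics must not inhibit or spuriously trigger the safety function, the following C sketch is not code from the WCNOC submittal or from the ALS (which is an FPGA design, not software); it shows a startup self-test, a periodic PROM CRC check sliced across cycles, latched fault reporting to a trouble indication, and a command path that takes no input from the diagnostic state. The memory sizes, test patterns and sample image are constructed.

```c
/* Added example (not from the WCNOC submittal or the ALS): the 5.5.3 pattern
 * of startup diagnostics, sliced periodic diagnostics and latched fault
 * reporting, with the actuation command kept independent of diagnostics. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define PROM_SIZE   256u   /* constructed size of the "program memory" image   */
#define RAM_WORDS    64u   /* constructed size of the scratch RAM under test    */
#define SLICE_BYTES  32u   /* PROM bytes checked per periodic call (8 per pass) */

/* Latched fault flags; any non-zero value raises the trouble indication (c). */
enum {
    FAULT_PROM_CRC = 1u << 0,  /* memory integrity test: PROM checksum mismatch */
    FAULT_RAM      = 1u << 1,  /* memory functionality test: RAM pattern test   */
};

struct diag {
    uint32_t faults;         /* latched faults, cleared only by a restart       */
    uint32_t prom_expected;  /* reference CRC supplied with the image           */
    uint32_t prom_offset;    /* progress of the current periodic PROM pass      */
    uint32_t prom_running;   /* resumable CRC state of the current pass         */
};

/* Reflected CRC-32 (polynomial 0xEDB88320) kept as a resumable state so the
 * periodic check can be spread over many cycles. Start from ~0u, finish with ~. */
static uint32_t crc32_feed(uint32_t st, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        st ^= p[i];
        for (int b = 0; b < 8; b++)
            st = (st >> 1) ^ (0xEDB88320u & (0u - (st & 1u)));
    }
    return st;
}
static uint32_t crc32_final(uint32_t st) { return ~st; }

/* RAM pattern test: write each pattern, read it back, restore the word. */
static bool ram_test(uint32_t *ram, size_t words) {
    static const uint32_t patterns[] = { 0x55555555u, 0xAAAAAAAAu, 0u, 0xFFFFFFFFu };
    for (size_t k = 0; k < sizeof patterns / sizeof patterns[0]; k++) {
        for (size_t i = 0; i < words; i++) {
            uint32_t saved = ram[i];
            ram[i] = patterns[k];
            bool ok = (ram[i] == patterns[k]);
            ram[i] = saved;
            if (!ok) return false;
        }
    }
    return true;
}

/* a) Startup self-diagnostics: full PROM CRC against the reference, RAM test. */
static void diag_startup(struct diag *d, const uint8_t *prom, uint32_t *ram,
                         uint32_t expected_crc) {
    memset(d, 0, sizeof *d);
    d->prom_expected = expected_crc;
    if (crc32_final(crc32_feed(~0u, prom, PROM_SIZE)) != expected_crc)
        d->faults |= FAULT_PROM_CRC;
    if (!ram_test(ram, RAM_WORDS)) d->faults |= FAULT_RAM;
    d->prom_running = ~0u;   /* periodic pass restarts from the top of the image */
}

/* b) Periodic self-diagnostics: one PROM slice per call, so the work added to
 * each cycle is bounded. Returns true when a full pass has just completed. */
static bool diag_periodic(struct diag *d, const uint8_t *prom) {
    d->prom_running = crc32_feed(d->prom_running, prom + d->prom_offset, SLICE_BYTES);
    d->prom_offset += SLICE_BYTES;
    if (d->prom_offset < PROM_SIZE) return false;
    if (crc32_final(d->prom_running) != d->prom_expected) d->faults |= FAULT_PROM_CRC;
    d->prom_offset = 0;
    d->prom_running = ~0u;
    return true;
}

/* c) Failure reporting: the trouble indication follows the latched faults. */
static bool trouble_alarm(const struct diag *d) { return d->faults != 0; }

/* The actuation command depends only on the protective input; the diagnostic
 * state is deliberately not an input, so it can neither block nor cause a closure. */
static bool close_valve_command(bool esfas_trip, const struct diag *d) {
    (void)d;
    return esfas_trip;
}

/* Demo on a constructed image: clean startup, then one periodic pass after a
 * single bit of the image has been flipped. Returns the latched fault flags. */
static uint32_t demo_corrupted_image(void) {
    static uint8_t prom[PROM_SIZE];
    static uint32_t ram[RAM_WORDS];
    struct diag d;
    for (uint32_t i = 0; i < PROM_SIZE; i++) prom[i] = (uint8_t)(i * 7u + 3u);
    uint32_t ref = crc32_final(crc32_feed(~0u, prom, PROM_SIZE)); /* stored reference */
    diag_startup(&d, prom, ram, ref);
    prom[100] ^= 0x01u;                 /* injected fault: one bit flip */
    while (!diag_periodic(&d, prom)) { }
    return d.faults;                    /* FAULT_PROM_CRC */
}
```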

5.6 Independence

IEEE 7-4.3.2-2003 Requirements: In addition to the requirements of IEEE Std 603-1998, data communication between safety channels or between safety and nonsafety systems shall not inhibit the performance of the safety function. IEEE Std 603-1998 requires that safety functions be separated from nonsafety functions such that the nonsafety functions cannot prevent the safety system from performing its intended functions. In digital systems, safety and nonsafety software may reside on the same computer and use the same computer resources. Either of the following approaches is acceptable to address the previous issues:

a) Barrier requirements shall be identified to provide adequate confidence that the nonsafety functions cannot interfere with performance of the safety functions of the software or firmware. The barriers shall be designed in accordance with the requirements of this standard. The nonsafety software is not required to meet these requirements.

b) If barriers between the safety software and nonsafety software are not implemented, the nonsafety software functions shall be developed in accordance with the requirements of this standard.

Guidance for establishing communication independence is provided in Annex E.

IEEE 603-1998: 5.6 Independence. 5.6.1 Between redundant portions of a safety system. Redundant portions of a safety system provided for a safety function shall be independent of, and physically separated from, each other to the degree necessary to retain the capability of accomplishing the safety function during and following any design basis event requiring that safety function.

WCNOC Position: The ALS MSFIS will be installed in the existing Group 1 and Group 4 cabinets, maintaining the current safety group separations. New switches installed on the MCB to control both trains include physical barriers which meet the requirements of IEEE Std 384-1992.

IEEE 603-1998: 5.6.2 Between safety systems and effects of design basis event. Safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability of meeting the requirements of this standard. Equipment qualification in accordance with 5.4 is one method that can be used to meet this requirement.

WCNOC Position: The ALS MSFIS equipment has been seismically qualified by the Appendix B supplier, Nutherm International.

IEEE 603-1998: 5.6.3 Between safety systems and other systems. The safety system design shall be such that credible failures in and consequential actions by other systems, as documented in Clause 4, item h) of the design basis, shall not prevent the safety systems from meeting the requirements of this standard.

WCNOC Position: There are no changes from the existing MSFIS design.

5.6.3.1 Interconnected equipment

a) Classification. Equipment that is used for both safety and nonsafety functions shall be classified as part of the safety systems. Isolation devices used to effect a safety system boundary shall be classified as part of the safety system.

b) Isolation. No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system.

5.6.3.2 Equipment in proximity

WCNOC Position: There are no changes from the existing MSFIS design.

a) Separation. Equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1992. (See [B13].)

b) Barrier. Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4 and 5.5 for the applicable conditions specified in Clause 4, items g) and h) of the design basis.


5.6.3.3 Effects of a single random failure

IEEE 603-1998: Where a single random failure in a nonsafety system can result in a design basis event, and also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. See IEEE Std 379-1994 for the application of this requirement.

WCNOC Position: There are no changes from the existing MSFIS design.

5.6.4 Detailed criteria

IEEE 603-1998: IEEE Std 384-1992 provides detailed criteria for the independence of Class 1E equipment and circuits [B11]. IEEE Std 7-4.3.2-1993 provides guidance on the application of this criteria for the separation and isolation of the data processing functions of interconnected computers.

WCNOC Position: As described above, the IEEE Std 7-4.3.2-1993 requirements have been applied to the ASU service and test connection.

References: CSI 6000-00000 (Enclosure 37 to ET 07-0022); NI WCN-9715R, Rev. 0 (Enclosure VI to ET 07-0008)


5.7 Capability for test and calibration

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

WCNOC Position: The ALS includes the capability for a maintenance bypass function. The replacement MSFIS Controls implementation provides a maintenance bypass for each of the Main Steam Isolation Valve (MSIV) and Main Feedwater Isolation Valve (MFIV). When a single train is in bypass, the opposite train maintains the capability to perform the MSFIS safety function (also see the position associated with Section 5.3.2).

IEEE 603-1998: 5.7 Capability for testing and calibration. Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:

- Appropriate justification shall be provided (e.g., demonstration that no practical design exists),

- Acceptable reliability of equipment operation shall be otherwise demonstrated, and

- The capability shall be provided while the generating station is shut down.

5.8 Information displays

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

IEEE 603-1998: 5.8.1 Displays for manually controlled actions. The display instrumentation provided for manually controlled actions for which no automatic control is provided and the display instrumentation required for the safety systems to accomplish their safety functions shall be part of the safety systems and shall meet the requirements of IEEE Std 497-1981 [B10]. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.

WCNOC Position: There are no changes from the existing MSFIS design.

5.8.2 System status indication

IEEE 603-1998: Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.

WCNOC Position: The ALS MSFIS includes a "Summary Trouble Alarm" for each train on the MCB. This alarm will activate on any system fault.

5.8.3 Indication of bypasses

WCNOC Position: The ALS MSFIS includes a STATUS indicator for each train on the MCB. This will indicate if any valve is in bypass mode.

IEEE 603-1998: If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

a) This display instrumentation need not be part of the safety systems.

b) This indication shall be automatically actuated if the bypass or inoperative condition is expected to occur more frequently than once a year, and is expected to occur when the affected system is required to be operable.

c) The capability shall exist in the control room to manually activate this display indication.

5.8.4 Location

IEEE 603-1998: Information displays shall be located accessible to the operator. Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to affect the actions.

WCNOC Position: The Summary Trouble Alarm and Status indicators are located on the MCB alarm and status panels in the same locations as the existing system.

References: CSI 6000-00000 (Enclosure 37 to ET 07-0022)

5.9 Control of access

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

WCNOC Position: Physical access is controlled by plant security. Administrative controls limit access when the ASU is connected.

IEEE 603-1998: 5.9 Control of access. The design shall permit the administrative control of access to safety system equipment.

These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof.

5.10 Repair

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

WCNOC Position: The ALS MSFIS contains extensive on-line continuous self-test, failure detection and isolation, and off-line diagnostic aids.

IEEE 603-1998: 5.10 Repair. The safety systems shall be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.

5.11 Identification

IEEE 7-4.3.2-2003 Requirements: To provide assurance that the required computer system hardware and software are installed in the appropriate system configuration, the following identification requirements specific to software systems shall be met:

a) Firmware and software identification shall be used to assure the correct software is installed in the correct hardware component.

b) Means shall be included in the software such that the identification may be retrieved from the firmware using software maintenance tools.

c) Physical identification requirements of the digital computer system hardware shall be in accordance with the identification requirements in IEEE Std 603-1998.

IEEE 603-1998: 5.11 Identification. In order to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met:

a) Safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1992 and IEEE Std 420-1982.

WCNOC Position: No changes to existing safety group identification (cabinet nameplates and color-coded wiring).

b) Components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification.

WCNOC Position: There are no changes from the existing MSFIS design.

c) Identification of safety system equipment shall be distinguishable from any identifying markings placed on equipment for other purposes (e.g., identification of fire protection equipment, phase identification of power cables).

WCNOC Position: There are no changes from the existing MSFIS design.

d) Identification of safety system equipment and its divisional assignment shall not require frequent use of reference material.

WCNOC Position: There are no changes from the existing MSFIS design.

e) The associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974 [B9].

WCNOC Position: There are no changes from the existing MSFIS design.

f) The versions of computer hardware, programs, and software shall be distinctly identified in accordance with IEEE Std 7-4.3.2-1993.


5.12 Auxiliary features

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

WCNOC Position: As one element of the Engineered Safety Features Actuation System (ESFAS), the ALS MSFIS does not contain any auxiliary features as defined here. The complete ALS MSFIS has been designed to meet this standard.

IEEE 603-1998: 5.12 Auxiliary features. Auxiliary supporting features shall meet all requirements of this standard.

Other auxiliary features that perform a function that is not required for the safety systems to accomplish their safety functions, and are part of the safety systems by association (i.e., not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. Examples of these other auxiliary features are shown in Figure 3 and an illustration of the application of this criteria is contained in Annex A.

5.13 Multi-unit stations

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

WCNOC Position: This is not applicable as WCGS is a single unit facility.

IEEE 603-1998: 5.13 Multi-unit stations. The sharing of structures, systems, and components between units at multi-unit generating stations is permissible provided that the ability to simultaneously perform required safety functions in all units is not impaired. Guidance on the sharing of electrical power systems between units is contained in IEEE Std 308-1991.

Guidance on the application of the single failure criterion to shared systems is contained in IEEE Std 379-1994.


5.14 Human factor considerations

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

WCNOC Position: Human factor considerations were a major design goal of the ALS MSFIS project. All operator information is available on the front panels. Controls and indicators are clearly labeled and grouped and show the state of the system for efficient evaluation of system status.

IEEE 603-1998: 5.14 Human factor considerations. Human factors shall be considered at the initial stages

and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals, in accordance with IEEE Std 1023-1988.

5.15 Reliability

IEEE 7-4.3.2-2003 Requirements: NOTE-See Annex F for more information about the reliability criterion. In addition to the requirements of IEEE Std 603-1998, when reliability goals are identified, the proof of meeting the goals shall include the software. The method for determining reliability may include combinations of analysis, field experience, or testing. Software error recording and trending may be used in combination with analysis, field experience, or testing.

IEEE 603-1998: 5.15 Reliability. For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis. Guidance on the application of this criteria for safety system equipment employing digital computers and programs or firmware is found in IEEE Std 7-4.3.2-1993.

WCNOC Position: The quantitative reliability goal established for the ALS MSFIS was to exceed the two year mean time between failure (MTBF) of the existing MSFIS equipment. A System Reliability Analysis (SRA) was performed in accordance with IEEE Std 352-1987 and IEEE Std 577-1976. The SRA shows that the reliability goal has been far exceeded.

References: VII to ET 07-0008)

6. Sense and command features-functional and design requirements

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

IEEE 603-1998: 6. Sense and command features-functional and design requirements. In addition to the functional and design requirements in Clause 5, the requirements listed in 6.1 through 6.8 shall apply to the sense and command features.

6.1 Automatic control

WCNOC Position: This requirement is not applicable to the extent that the MSFIS does not automatically initiate protective actions; however, as an element of the ESFAS, the MSFIS provides automatic MSIV and MFIV closure, without operator intervention, when commanded via the ESFAS trip input.

IEEE 603-1998: Means shall be provided to automatically initiate and control all protective actions except as justified in Clause 4, item e). The

safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in Clause 4, item e) following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of Clause 4, item e).

6.2 Manual control

WCNOC Position: Main Control Board (MCB) MSFIS control functions are provided (essentially unchanged from the existing system) which meet this requirement.

IEEE 603-1998: Means shall be provided in the control room to

a) Implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.

b) Implement manual initiation and control of the protective actions identified in Clause 4, item e) that have not been selected for automatic control under 6.1. The displays provided for these actions shall meet the requirements of 5.8.1.

c) Implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in Clause 4, item j). The information provided to the operators, the actions required of these operators, and the quantity and location of associated displays and controls shall be appropriate for the time period within which the actions shall be accomplished and the number of available qualified operators.

Such displays and controls shall be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action.

6.3 Interaction between the sense and command features and other systems

WCNOC Position: No change from the existing system of two trains of MSFIS.

IEEE 603-1998: 6.3.1 Requirements. Where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action, and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, one of the following requirements shall be met:

a) Alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis. Alternate channels shall be selected from the following:

1) Channels that sense a set of variables different from the principal channels.
2) Channels that use equipment different from that of the principal channels to 27 Rev. 0

NON-PROPRIETARY IEEE 7-4.3.2-2003 Requirements [ IEEE 603-1998 1 WCNOC Position WCNOC Position IEEE 603-1998 IEEE 7-4.3.2-2003 Requirements sense the same variable.

3) Channels that sense a set of variables different from those of the principal channels using equipment different from that of the principal channels.
4) Both the principal and alternate channels shall be part of the sense and command features.

b) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases.

Such equipment is considered a part of the safety system. See Figure 5 for a decision chart for applying the requirements of this clause.

6.3.2 Provisions

IEEE 603-1998: Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.

WCNOC Position: No change from the existing system. Only one train of MSFIS is required to close a valve.

6.4 Derivation of system inputs

IEEE 603-1998: To the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.

WCNOC Position: No change from the existing system. Each train of ALS MSFIS utilizes independent inputs from switches on the MCB and valve position instrumentation on the valve actuators.

6.5 Capability for testing and calibration

6.5.1 Checking the operational availability

IEEE 603-1998: Means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. This may be accomplished in various ways; for example:

a) By perturbing the monitored variable,
b) Within the constraints of 6.6, by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable, or
c) By cross-checking between channels that bear a known relationship to each other and that have readouts available.

WCNOC Position: ALS MSFIS continuous self-test functions include all of the MSFIS inputs, and the existing manual system test capabilities are retained. This includes complete testing of the safety function from the ESFAS input to the valve actuation outputs.

6.5.2 Assuring the operational availability

IEEE 603-1998: One of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period:

a) Checking the operational availability of sensors by use of the methods described in 6.5.1.

b) Specifying equipment that is stable and the period of time it retains its calibration during the post-accident time period.

WCNOC Position: ALS MSFIS provides continuous self-test features and extensive redundancy within each train. Failures are annunciated in the Control Room.

6.6 Operating bypasses

IEEE 603-1998: Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions:

a) Remove the appropriate active operating bypass(es).

b) Restore plant conditions so that permissive conditions once again exist.

c) Initiate the appropriate safety function(s).

WCNOC Position: This requirement is not applicable. The ALS MSFIS does not include any operating bypass functions.

6.7 Maintenance bypass

IEEE 603-1998: Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features should continue to meet the requirements of 5.1 and 6.3.

NOTE: For portions of the sense and command features that cannot meet the requirements of 5.1 and 6.3 when in maintenance bypass, acceptable reliability of equipment operation shall be demonstrated (e.g., that the period allowed for removal from service for maintenance bypass is sufficiently short, or additional measures are taken, or both, to ensure there is no significant detrimental effect on overall sense and command feature availability).

WCNOC Position: If one train of ALS MSFIS is in maintenance bypass, the other train retains the capability to perform the safety function. Administrative controls prevent both trains from being in bypass simultaneously.

6.8 Setpoints

IEEE 603-1998: The allowance for uncertainties between the process analytical limit documented in Clause 4, item d) and the device setpoint shall be determined using a documented methodology. Refer to ANSI/ISA S67.04-1994.

Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required.

The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features.

WCNOC Position: This requirement is not applicable to ALS MSFIS. There are no analog inputs or setpoints.

7. Execute features - functional and design requirements

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

IEEE 603-1998: In addition to the functional and design requirements in Clause 5, the requirements listed in 7.1 through 7.5 shall apply to the execute features.

7.1 Automatic control

IEEE 603-1998: Capability shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with Clause 4, item d) of the design basis.

WCNOC Position: There are no changes from the existing MSFIS design.

7.2 Manual control

IEEE 603-1998: If manual control of any actuated component in the execute features is provided, the additional design features in the execute features necessary to accomplish such manual control shall not defeat the requirements of 5.1 and 6.2. Capability shall be provided in the execute features to receive and act upon manual control signals from the sense and command features consistent with the design basis.

WCNOC Position: There are no changes from the existing MSFIS design. The ALS MSFIS inputs are prioritized in the logic, with the ESFAS "ALL CLOSE" input having the highest priority.

7.3 Completion of protective action

IEEE 603-1998: The design of the execute features shall be such that, once initiated, the protective actions of the execute features shall go to completion. This requirement shall not preclude the use of equipment protective devices identified in Clause 4, item k) of the design basis or the provision for deliberate operator interventions. When the sense and command features reset, the execute features shall not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal. After the initial protective action has gone to completion, the execute features may require manual control or automatic control (i.e., cycling) of specific equipment to maintain completion of the safety function.

WCNOC Position: Following receipt of an ESFAS close signal, an MSIV or MFIV cannot be opened until the ESFAS signal is no longer present. This is consistent with the logic of the existing system.

7.4 Operating bypass

IEEE 603-1998: Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions:

a) Remove the appropriate active operating bypass(es).

b) Restore plant conditions so that permissive conditions once again exist.

c) Initiate the appropriate safety function(s).

WCNOC Position: This requirement is not applicable. The ALS MSFIS does not include any operating bypass functions.

7.5 Maintenance bypass

IEEE 603-1998: The capability of a safety system to accomplish its safety function shall be retained while execute features equipment is in maintenance bypass. Portions of the execute features with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (i.e., reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability.

WCNOC Position: If one train of ALS MSFIS is in maintenance bypass, the other train retains the capability to perform the safety function. Administrative controls prevent both trains from being in bypass simultaneously.
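The positions stated for 6.3.2 (one train is enough to close a valve), 6.7 and 7.5 (one train in maintenance bypass, never both), 7.2 (prioritized inputs with ESFAS "ALL CLOSE" highest) and 7.3 (no reopening while ESFAS is present, and no automatic return to normal after it resets) can be read together as one small piece of execute-feature logic. The block below is an added illustration written for this page; it is not WCNOC's or the ALS MSFIS design and shows no proprietary logic. The input names, the two-train valve model, the modeling of the administrative bypass control as a hard check, and the rule that opening needs an OPEN demand with no CLOSE demand from either train are all assumptions.

```python
"""Hypothetical two-train isolation-valve logic for IEEE 603 clauses 6.3.2, 6.7,
7.2, 7.3 and 7.5 as summarized in the matrix above (added illustration, not the
ALS MSFIS design). All signal names and rules are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Cmd(Enum):
    NONE = "none"
    OPEN = "open"
    CLOSE = "close"


@dataclass
class Inputs:
    """Discrete inputs seen by one train (assumed names)."""
    esfas_all_close: bool = False  # ESFAS "ALL CLOSE" demand (sense and command features)
    mcb_close: bool = False        # operator CLOSE switch on the Main Control Board
    mcb_open: bool = False         # operator OPEN switch on the Main Control Board


class Train:
    """Execute-feature logic of one redundant train for one valve."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.maintenance_bypass = False

    def evaluate(self, inp: Inputs) -> Cmd:
        if self.maintenance_bypass:
            return Cmd.NONE  # a bypassed train commands nothing; the other train acts
        # 7.2: fixed priority, ESFAS "ALL CLOSE" first. While ESFAS is present a
        # manual OPEN is never reached, which is the 7.3 position in this model.
        if inp.esfas_all_close:
            return Cmd.CLOSE
        if inp.mcb_close:
            return Cmd.CLOSE
        if inp.mcb_open:
            return Cmd.OPEN
        return Cmd.NONE


class Valve:
    """Valve actuator fed by trains A and B; 1-of-2 logic to close (6.3.2)."""

    def __init__(self) -> None:
        self.trains = {"A": Train("A"), "B": Train("B")}
        self.closed = False

    def set_maintenance_bypass(self, name: str, bypassed: bool) -> None:
        # 6.7 / 7.5: both trains must never be bypassed at once. The page says
        # this is an administrative control; a hard check stands in for it here.
        other = "B" if name == "A" else "A"
        if bypassed and self.trains[other].maintenance_bypass:
            raise RuntimeError(f"train {other} is already in maintenance bypass")
        self.trains[name].maintenance_bypass = bypassed

    def scan(self, inputs: dict) -> bool:
        """One logic scan; returns True if the valve is closed afterwards."""
        cmds = {n: t.evaluate(inputs[n]) for n, t in self.trains.items()}
        if Cmd.CLOSE in cmds.values():
            self.closed = True   # any single train closes the valve
        elif Cmd.OPEN in cmds.values():
            self.closed = False  # assumption: OPEN demand and no CLOSE demand
        # 7.3: with no command the valve holds position. After ESFAS resets it
        # stays closed until a deliberate operator OPEN arrives.
        return self.closed


def scenario() -> list:
    """Constructed walk-through; returns the valve state (closed?) after each scan."""
    v = Valve()
    quiet = {"A": Inputs(), "B": Inputs()}
    out = [v.scan(quiet)]                                   # initially open
    v.set_maintenance_bypass("A", True)                     # 6.7: train A out for maintenance
    out.append(v.scan({"A": Inputs(esfas_all_close=True, mcb_open=True),
                       "B": Inputs(esfas_all_close=True)}))  # 6.3.2: train B alone closes it
    out.append(v.scan({"A": Inputs(),
                       "B": Inputs(esfas_all_close=True, mcb_open=True)}))  # 7.2/7.3: OPEN ignored
    out.append(v.scan(quiet))                               # 7.3: ESFAS reset, stays closed
    out.append(v.scan({"A": Inputs(), "B": Inputs(mcb_open=True)}))  # deliberate OPEN reopens
    v.set_maintenance_bypass("A", False)
    return out


def both_trains_bypass_rejected() -> bool:
    """Second bypass request while the other train is bypassed must be refused."""
    v = Valve()
    v.set_maintenance_bypass("A", True)
    try:
        v.set_maintenance_bypass("B", True)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(scenario())                     # [False, True, True, True, False]
    print(both_trains_bypass_rejected())  # True
```

The point the walk-through makes is the one 7.3 insists on: the valve closes on a single train's demand, ignores an OPEN while the ESFAS demand persists, and does not reopen on its own when the demand clears; only a separate operator action returns it to normal.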

8. Power source requirements

8.1 Electrical power sources

IEEE 7-4.3.2-2003 Requirements: No requirements beyond IEEE Std 603-1998 are necessary.

IEEE 603-1998: Those portions of the Class 1E power system that are required to provide the power to the many facets of the safety system are governed by the criteria of this document and are a portion of the safety systems. Specific criteria unique to the Class 1E power systems are given in IEEE Std 308-1991.

WCNOC Position: There are no changes from the existing MSFIS design.

8.2 Non-electrical power sources

IEEE 603-1998: Non-electrical power sources, such as control-air systems, bottled-gas systems, and hydraulic systems, required to provide the power to the safety systems are a portion of the safety systems and shall provide power consistent with the requirements of this standard. Specific criteria unique to non-electrical power sources are outside the scope of this standard and can be found in other standards [B4, B5].

WCNOC Position: This requirement is not applicable.

8.3 Maintenance bypass

IEEE 603-1998: The capability of the safety systems to accomplish their safety functions shall be retained while power sources are in maintenance bypass. Portions of the power sources with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (i.e., reducing temporarily its degree of redundancy to zero), the remaining portions provide acceptable reliability.

WCNOC Position: If one train of the NK DC bus feeding the MSFIS is in a maintenance bypass, the other MSFIS train retains the capability to perform the safety function. Administrative controls prevent both trains from being in bypass simultaneously.

Enclosure III to WO 07-0028

WCNOC Affidavit for Withholding Proprietary Information from Public Disclosure

AFFIDAVIT

STATE OF KANSAS )
                 ) ss
COUNTY OF COFFEY )

Before me, the undersigned authority, personally appeared Matthew W. Sunseri, who, being by me duly sworn according to law, deposes and says that he is authorized to execute this Affidavit on behalf of Wolf Creek Nuclear Operating Corporation (WCNOC), and that the averments of fact set forth in this Affidavit are true and correct to the best of his knowledge, information, and belief:

(1) I am Vice President Operations and Plant Manager, Wolf Creek Nuclear Operating Corporation (WCNOC), and as such, I have been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in WCNOC's submittal of the Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design, and am authorized to apply for its withholding on behalf of WCNOC.

(2) I am making this Affidavit in conformance with the provisions of 10 CFR Section 2.390 of the Commission's regulations and in conjunction with WCNOC letter WO 07-0028, which includes the Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design accompanying this Affidavit.

(3) I have personal knowledge of the criteria and procedures utilized by WCNOC in designating information as a trade secret, privileged or as confidential commercial or financial information.

(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.390 of the Commission's regulations, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by WCNOC.

(ii) The information is of a type customarily held in confidence by other organizations and not customarily disclosed to the public. Based on a review of 10 CFR 2.390, the information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any other company without license from WCNOC constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage, e.g., by optimization or improved marketability.

(c) Its use by another company would reduce its expenditure of resources or improve its competitive position in the design, assurance of quality, or licensing of a similar product.

(d) It is not the property of WCNOC, but must be treated as proprietary by WCNOC according to agreements with the owners of the information.

There are sound reasons behind the WCNOC position, which include the following:

(a) It is information which is marketable in many ways.

(b) Use by other companies would put WCNOC at a competitive disadvantage by reducing their expenditure of resources at our expense.

(c) Each component of proprietary information pertinent to a particular competitive advantage is potentially as valuable as the total competitive advantage. If other companies acquire components of proprietary information, any one component may be the key to the entire puzzle, thereby depriving WCNOC of a competitive advantage.

(iii) The information is being transmitted to the Commission in confidence and, under the provisions of 10 CFR Section 2.390, it is to be received in confidence by the Commission.

(iv) The information sought to be protected is not available in public sources, or available information has not been previously employed in the same original manner or method to the best of our knowledge and belief.

(v) The proprietary information sought to be withheld in this submittal is the Matrix of IEEE 7-4.3.2 Requirements to MSFIS Controls Design.

The subject information could only be duplicated by competitors if they were to invest time and effort equivalent to that invested by WCNOC, provided they have the requisite talent and experience.

Public disclosure of this information is likely to cause substantial harm to the competitive position of WCNOC because it would simplify design and evaluation tasks without requiring a commensurate investment of time and effort.

Matthew W. Sunseri
Vice President Operations and Plant Manager

Sworn to and subscribed before me this ____ day of November, 2007.

Notary Public