ML081070521
| Person / Time | |
|---|---|
| Site: | Oconee |
| Issue date: | 04/24/2008 |
| From: | Olshan L NRC/NRR/ADRO/DORL/LPLII-1 |
| To: | Brandi Hamilton Duke Energy Carolinas |
| Olshan L N, NRR/DLPM, 415-1419 | |
| References | |
| TAC MD7999, TAC MD8000, TAC MD8001 | |
Text
April 24, 2008
Mr. Bruce H. Hamilton
Vice President, Oconee Site
Duke Energy Carolinas, LLC
7800 Rochester Highway
Seneca, SC 29672
SUBJECT: ACCEPTANCE REVIEW OF JANUARY 31, 2008, LICENSE AMENDMENT REQUEST (LAR) FOR A DIGITAL UPGRADE TO THE REACTOR PROTECTIVE SYSTEM (RPS) AND ENGINEERED SAFEGUARDS PROTECTIVE SYSTEM (ESPS) AT OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3, (OCONEE) (TAC NOS. MD7999, MD8000, AND MD8001)
Dear Mr. Hamilton:
By letter dated January 31, 2008 (available in the Agencywide Documents Access and Management System (ADAMS) under accession number ML080730339), Duke Power Company LLC, now called Duke Energy Carolinas, LLC (Duke, the licensee), submitted an LAR that would allow replacement of the current analog-based RPS/ESPS with a digital computer-based RPS/ESPS.
The Nuclear Regulatory Commission (NRC) staff has performed an acceptance review of the LAR in accordance with Revision 3 of the Office of Nuclear Reactor Regulation's Office Instruction, LIC-101, License Amendment Review Procedures (ADAMS Accession Number ML040060258), Appendix B, Guide for Processing License Amendments, Section 2.2. The NRC staff has determined that the licensee has provided sufficient information to accept this LAR and start a comprehensive review of the LAR.
However, the NRC staff's review has identified six issues that were discussed with Duke in a March 18, 2008, public meeting, that will present significant challenges to completing a comprehensive review of the LAR. Duke was requested to provide a schedule by April 1, 2008, for submitting additional information to address those issues. During the public meeting, Duke provided milestones of its activities for the digital modification and requested that the amendments be issued by March 31, 2009, to support the Unit 1 outage (scheduled for October through December 2009). The NRC staff informed Duke that issuing the amendments by March 31, 2009, was unlikely, but based on timely responses to the information requested during this meeting and all subsequent requests for additional information, the NRC staff stated that the license amendments may be issued by the end of August 2009. Also, the NRC staff stated that by March 31, 2009, the NRC staff would have a good indication as to whether the LAR would be found acceptable or not acceptable.
Issues
- 1. Section 3.2.3 of Enclosure 1 of the LAR provides a summary of the Diversity and Defense-in-Depth (D3) assessment and states that the methodology and acceptance criteria of Branch Technical Position (BTP) HICB-19, Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems, were used in the assessment submitted March 20, 2003 (ADAMS Accession Number ML030920676). Section 3.2.3 provides a qualitative analysis of the current operator action response time of 2 minutes versus the 30-minute operator action time discussed in the Interim Staff Guidance (ISG) on D3, Digital Instrumentations and Controls (DI&C)-ISG-02, Task Working Group #2: Diversity and Defense-in-Depth Issues [ADAMS Number ML072540118]. Section 3.2.3 also explains the benefits of the diverse actuation for low-pressure and high-pressure injection for software common-cause failure concern. Duke was informed in the public meeting that the NRC staff will evaluate the D3 assessment in accordance with the ISG on D3; additional information to support this evaluation will likely be required.
- 2. Bi-directional communication among safety divisions and between safety and non-safety equipment (interdivisional communication) is acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems. The ISG, DI&C-ISG-04, Task Working Group #4: Highly-Integrated Control Rooms - Communication Issues (HICRc) [ADAMS Number ML072540138], describes the methods that the NRC staff will use to evaluate licensee compliance with NRC requirements with respect to interdivisional communication. The ISG section on interdivisional communication contains 20 NRC staff positions for which the NRC staff needs information beyond what has been provided in the LAR in order to evaluate the communications strategy of the LAR.
- 3. The LAR states that the TELEPERM XS (TXS) application software development was performed in accordance with the AREVA Software Program Manual (SPM), AREVA NP Quality Management Manual, 56-5015885-007. The NRC staff is currently reviewing the referenced SPM; however, this is not an approved program at this time. Therefore, the licensee should provide stand-alone documents for application software quality assessment.
- 4. Section 2.7 of Enclosure 1 of the LAR identifies various TXS system hardware, software, and development procedure changes. Those changes are listed and explained in Tables 2-3, 2-4, and 2-5. The differences are between the TXS topical report approved by the NRC (NRC letter dated May 5, 2000, Acceptance for Referencing of Licensing Topical Report EMF-2110(NP), Revision, TELEPERM XS: A Digital Reactor Protection System) (ADAMS Number ML003711856) and the Oconee digital platform design.
The LAR does not contain enough information for the NRC staff to reach a determination of the acceptability of these deviations. Therefore the NRC staff needs information to make an acceptability determination.
LIC-101 provides the framework for processing license amendments (and other licensing actions, where applicable) and states: "If a licensee in their application or the NRC staff during its review identifies a deviation from the process or limitations associated with a topical report, the staff should address the deviation in its safety evaluation (SE) for the plant-specific license amendment application. To address deviations from approved topical reports, the SE for the subject amendment should identify the limitation or condition, evaluate the proposed deviation against appropriate regulatory criteria, and specifically explain why the deviation is acceptable (or not acceptable)."
- 5. Regulatory Guide (RG) 1.168, Revision 1, Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, dated February 2004, endorses IEEE (Institute of Electrical and Electronics Engineers) 1012-1998, IEEE Standard for Software Verification and Validation, and IEEE 1028-1997, IEEE Standard for Software Reviews and Audits, with the exceptions stated in the Regulatory Position of RG 1.168. RG 1.168 describes a method acceptable to the NRC staff for complying with parts of the NRC's regulations for promoting high functional reliability and design quality in software used in safety systems. Standard Review Plan (SRP) Table 7-1 and Appendix 7.1-A identify Regulatory Guide 1.168 as SRP acceptance criteria for reactor trip systems (RTS) and for engineered safety features systems (ESFS).
The LAR and other associated documents have described certain exceptions to IEEE 1012-1998. In particular, IEEE 1012 makes the generation of various test plans the duty of the Verification and Validation (V&V) organization. The AREVA V&V plan, document 51-9010419-005, "Oconee Nuclear Station Unit 1 RPS/ESFS Controls Upgrade Software Verification and Validation Plan," makes this test plan generation the responsibility of the design or test organizations. The information provided in the LAR and in AREVA document 51-9047317-009, "Position Paper: Conformance of TELEPERM XS Application Software with IEEE Std 1012-1998," does not contain sufficient detail to allow the NRC staff to determine the acceptability of this deviation.
The NRC staff will need additional information to determine if the proposed alternative to the requirements of IEEE 1012 will provide an equivalent confidence in a high quality test process, and therefore an equivalent confidence in the safety of the resultant system. The additional information to be provided should include the information that the licensee used to make its determination that this alternative to IEEE 1012 was acceptable, and may include the following:
- Documentation of independent V&V group's assessment of testing
- Documentation of V&V group's role/interaction with the test group
- Documentation of how problems identified by the test were resolved
- Documentation of Duke's review of the V&V testing practices
- 6. The LAR documentation indicates that use of the SIVAT (Simulation and Validation Tool) makes component and integration tests unnecessary. This approach is unfamiliar to the NRC staff and does not appear to be consistent with industry standards and regulatory guidance. The use of the SIVAT was not identified in the TXS topical report, and the software tested by the SIVAT is not the actual compiled operational code, but is rather an adapted version of the application code. It appears that the first time the actual operational code is tested is during the Factory Acceptance Test (FAT), and this test was developed by the design and test group, not the V&V Group.
The LAR states that the SIVAT is a qualified tool for testing. The NRC staff has not reviewed and approved the SIVAT, and therefore does not understand why the SIVAT is considered qualified. Topical Report EMF-2110, "TELEPERM XS: A Digital Reactor Protection System," and the NRC staff's safety evaluation report on the topical report do not mention the SIVAT.
The validation tool which is mentioned in the TXS topical report is RETRANS (report Section 2.4.3.3.3, page 2-61). The report states: "As a diverse measure to detect potential software faults not found by the means described in Section 3.2.1, the verification tool "RETRANS" developed by GRS-ISTec is used as an independent testing tool. The generated code can be analyzed by RETRANS to identify the function block modules and reveal the connections between them. The result of this process should yield the information elements contained in the design database as input on the SPACE editor for engineering the I&C functions. A comparison of the result of the validator analysis with the content of the design database for the I&C functions confirms correct application of the tool for code generation and relieves the code generator of exaggerated quality verification demands, particularly in the introductory phase."
Additionally, the NRC staff does not understand the following statement on page 11 of the AREVA Software V&V Plan, "The test verifies that the requirements have been translated, without errors, into function diagrams, and that the software automatically generated from these function diagrams provides the functionality required in terms of I/O response." The NRC staff does not understand how the proposed software testing using the SIVAT can demonstrate that system requirements specifications have been correctly translated into the code.
The NRC staff notes that testing performed by unit and integration tests should be performed on the actual operational code, and, therefore, it may be necessary to perform additional software testing such as the following:
- 1. Perform unit and integration tests on the actual operational code instead of a simulation. This will require developing test procedures, test results, and V&V reports on the test of actual operational code.
- 2. Expand the FAT to include testing that is normally done during unit and integration testing. This may include: a) fault injection by deliberately passing bad information from one software unit to another, b) simulating hardware failures, c) communications errors, and d) diagnostic failures. This is only a short example of the types of testing the NRC staff will expect to be added to FAT.
The licensee may choose to provide such additional information as needed for the NRC staff to reach a conclusion that the SIVAT testing already planned will provide an equivalent confidence in a high-quality test process, and therefore an equivalent confidence in the safety of the resultant system. One of the items required for this determination would be a determination that the SIVAT was qualified in a manner similar to that required for software performing safety-related functions, and that the software lifecycle process of the SIVAT development meets the requirements for that type of software.
Licensee's Dates of Submittals to Resolve the Issues
By letter dated April 3, 2008 (ML080990086), Duke provided the following schedule to submit information to address issues 2 thru 6.
- 1. ISG 4 Compliance Matrix: April 30, 2008
- 2. TXS Application Software Development Plan: April 30, 2008
- 3. Additional Information Justifying TXS System Hardware, Software Development Procedure Changes: May 15, 2008
- 4. Additional Information to Justify Proposed Alternative to the Requirements of IEEE 1012: May 29, 2008
- 5. Additional Information on SIVAT Testing: May 29, 2008
Duke further stated that additional Duke/NRC interactions will be needed prior to providing these responses to ensure that the issues are well understood and that the additional information provided satisfies NRC staff needs.
Conclusion
The six issues identified above present significant challenges to completing a comprehensive review of the LAR in terms of regulatory requirements and the protection of public health and safety. Duke has provided the above schedule for providing the information in a timely manner, which supports a timely review of the LAR. However, the FAT report and post-FAT Requirement Traceability Matrix availability dates (January 2009 and February 2009), as indicated by Duke in the March 18, 2008, meeting handout (ADAMS Number ML080840040), challenge the NRC staff schedule for issuance of the amendments. Therefore, the NRC staff in an April 2, 2008, telecon requested that Duke determine if the FAT schedule can be advanced by 2 to 3 months, i.e., FAT procedure available in July 2008, FAT in August-September 2008, and FAT report in October-November 2008. On April 15, 2008, Duke informed the NRC staff that the FAT schedule could not be advanced. Furthermore, the NRC staff has learned that the Advisory Committee on Reactor Safeguards (ACRS) is interested in reviewing this LAR, which may have some impact on the schedule.
Based on Duke providing a high quality application and supporting documentation that reasonably conforms to regulatory guidance and the associated industry standards, acceptable responses to items 2-6 as noted above, and timely response to licensee actions requested by the NRC staff during the LAR review, the amendments may be issued by August 30, 2009.
However, the FAT test schedule and issuance of the associated documentation as noted above may cause additional delays beyond this date.
Sincerely,
/RA/
Leonard N. Olshan, Project Manager
Plant Licensing Branch II-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
Docket Nos. 50-269, 50-270, and 50-287
cc: See next page
Distribution:
PUBLIC RidsOgcRp LPL2-1 R/F RidsNrrDorlDpr RidsNrrLAMOBrien (hard copy)
NCarte, NRR RIdsNrrPMLOlshan (hard copy)
IAhmed, NRR RidsNrrDorlLpl2-1 (MWong)
RidsRgn2MailCenter (KWeaver)
RidsAcrsAcnw&mMailCenter WKemper, NRR PLoeser, NRR Accession Number: ML081070521 OFFICE NRR/LPL2-1/PM NRR/LPL2-1/LA NRR/ADES/DE/EICB NRR/LPL2-1/BC NAME LOlshan MOBrien phone concurrence WKemper MWong DATE 4/24/08 4/18/08 4/24/08 4/24/08 OFFICIAL RECORD COPY
Oconee Nuclear Station, Units 1, 2, and 3 cc:
- Mr. Bruce H. Hamilton Vice President, Oconee Site Duke Power Company LLC 7800 Rochester Highway Seneca, SC 29672
- Ms. Lisa F. Vaughn Associate General Counsel and Managing Attorney Duke Energy Carolinas, LLC 526 South Church Street - EC07H Charlotte, North Carolina 28202
- Manager, LIS NUS Corporation 2650 McCormick Dr., 3rd Floor Clearwater, FL 34619-1035
- Senior Resident Inspector U.S. Nuclear Regulatory Commission 7812B Rochester Highway Seneca, SC 29672
- Mr. Henry Porter, Director Division of Radioactive Waste Management Bureau of Land and Waste Management Dept. of Health and Env. Control 2600 Bull St. Columbia, SC 29201-1708
- Mr. Michael A. Schoppman Framatome ANP 1911 North Ft. Myer Dr. Suite 705 Rosslyn, VA 22209
- Mr. B. G. Davenport Regulatory Compliance Manager Oconee Nuclear Site Duke Energy Corporation ON03RC 7800 Rochester Highway Seneca, SC 29672
- Mr. Leonard G. Green Assistant Attorney General NC Department of Justice P.O. Box 629 Raleigh, NC 27602
- Mr. R. L. Gill, Jr. Manager - Nuclear Regulatory Issues and Industry Affairs Duke Power Company LLC 526 S. Church St. Mail Stop EC05P Charlotte, NC 28202
- Division of Radiation Protection NC Dept of Environment, Health, & Natural Resources 3825 Barrett Dr. Raleigh, NC 27609-7721
- Mr. Peter R. Harden, IV VP-Customer Relations and Sales Westinghouse Electric Company 6000 Fairview Road 12th Floor Charlotte, NC 28210
- Mr. Henry Barron Group Vice President, Nuclear Generation and Chief Nuclear Officer P.O. Box 1006-EC07H Charlotte, NC 28201-1006
- Mr. Charles Brinkman Director, Washington Operations Westinghouse Electric Company 12300 Twinbrook Parkway, Suite 330 Rockville, MD 20852
- Ms. Kathryn B. Nolan Senior Counsel Duke Energy Carolinas, LLC 526 South Church Street - EC07H Charlotte, NC 28202