ML081900197


/2/3, Trip Report for NRC Staff Visit to Discuss Issues Identified in the Acceptance Review Letter Regarding the Digital Upgrade of the Reactor Protective System and Esps (TAC MD7999-MD8001)
ML081900197
Person / Time
Site: Oconee, Duke Energy
Issue date: 07/23/2008
From: Olshan L
NRC/NRR/ADRO/DORL/LPLII-1
To: Baxter D
Duke Energy Carolinas
Olshan L N, NRR/DORL, 415-1419
References
TAC MD7999, TAC MD8000, TAC MD8001


Text

July 23, 2008

Mr. David Baxter
Vice President, Oconee Site
Duke Energy Carolinas, LLC
7800 Rochester Highway
Seneca, SC 29672

SUBJECT: TRIP REPORT FOR U.S. NUCLEAR REGULATORY COMMISSION (NRC) STAFF'S VISIT TO OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3, TO DISCUSS ISSUES IDENTIFIED IN THE ACCEPTANCE REVIEW LETTER REGARDING THE DIGITAL UPGRADE OF THE REACTOR PROTECTIVE SYSTEM (RPS) AND ENGINEERED SAFEGUARDS PROTECTIVE SYSTEM (ESPS) (TAC NOS. MD7999, MD8000, AND MD8001)

Dear Mr. Baxter:

By letter dated January 31, 2008 (ML080730339), you submitted a license amendment request (LAR) to accommodate replacement of the existing Oconee Nuclear Station, Units 1, 2, and 3 (Oconee) analog based RPS and ESPS with a digital computer based RPS/ESPS. Some of the LAR supporting documents that were not docketed with the January 31, 2008, submittal were subsequently docketed in your letter dated April 3, 2008 (ML080990051). In our acceptance review letter dated April 24, 2008 (ML081070521), we identified six issues that will present significant challenges to completing a comprehensive review of the LAR. These issues were addressed in your LAR, Supplement 2, submitted April 29, 2008 (ML0812601673); Supplement 3, submitted May 15, 2008 (ML081430003); and Supplement 4, submitted May 28, 2008 (ML081550145).

The NRC staff visited the Oconee site the week of May 19, 2008, to discuss many issues related to our review of the LAR, including the six issues identified in our acceptance review letter.

Enclosed is the trip report of our site visit.

Please contact me at 301 415-1419 if you have any questions on this trip report.

Sincerely,

/RA/

Leonard N. Olshan, Project Manager
Plant Licensing Branch II-1
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-269, 50-270, and 50-287

Enclosure: As stated

cc w/encl: See next page

Distribution:

Public RidsOgcRpResource LPL2-1 R/F RidsAcrsAcnw_MailCenterResource RidsNrrDorlLpl2-1Resource (MWong) RidsNrrDorlDpr RidsNrrDorlLAMOBrienResource (hard copy)

RidsNrrDorlPMLOlshanResource (hard copy)

Accession Number: ML081900197 *transmitted by memo dated

OFFICE  NRR/LPL2-1/PM  NRR/LPL2-1/LA  NRR/EICB/BC  NRR/LPL2-1/BC
NAME    LOlshan        MOBrien        WKemper*     MWong
DATE    07/23/08       07/23/08       6/26/08      07/23/08

OFFICIAL RECORD COPY

Oconee Nuclear Station, Units 1, 2, and 3

cc:

Mr. Dave Baxter, Vice President, Oconee Site, Duke Power Company LLC, 7800 Rochester Highway, Seneca, SC 29672

Mr. Leonard G. Green, Assistant Attorney General, NC Department of Justice, P.O. Box 629, Raleigh, NC 27602

Ms. Lisa F. Vaughn, Associate General Counsel and Managing Attorney, Duke Energy Carolinas, LLC, 526 South Church Street - EC07H, Charlotte, North Carolina 28202

Mr. R. L. Gill, Jr., Manager - Nuclear Regulatory Issues and Industry Affairs, Duke Power Company LLC, 526 S. Church St., Mail Stop EC05P, Charlotte, NC 28202

Manager, LIS, NUS Corporation, 2650 McCormick Dr., 3rd Floor, Clearwater, FL 34619-1035

Division of Radiation Protection, NC Dept of Environment, Health, & Natural Resources, 3825 Barrett Dr., Raleigh, NC 27609-7721

Senior Resident Inspector, U.S. Nuclear Regulatory Commission, 7812B Rochester Highway, Seneca, SC 29672

Mr. Peter R. Harden, IV, VP-Customer Relations and Sales, Westinghouse Electric Company, 6000 Fairview Road, 12th Floor, Charlotte, NC 28210

Mr. Henry Porter, Director, Division of Radioactive Waste Management, Bureau of Land and Waste Management, Dept. of Health and Env. Control, 2600 Bull St., Columbia, SC 29201-1708

Mr. Dhiaa M. Jamil, Group Executive and Chief Nuclear Officer, Duke Energy Carolinas, LLC, P. O. Box 1006-EC03XM, 526 South Church St., Charlotte, NC 28201-1006

Mr. B. G. Davenport, Regulatory Compliance Manager, Oconee Nuclear Site, Duke Energy Corporation, ON03RC, 7800 Rochester Highway, Seneca, SC 29672

Mr. Charles Brinkman, Director, Washington Operations, Westinghouse Electric Company, 12300 Twinbrook Parkway, Suite 330, Rockville, MD 20852

Ronnie L. Gardner, PMP, Manager, Site Operations and Corporate Regulatory Affairs, AREVA NP Inc., An AREVA AND Siemens Company, 3315 Old Forest Road OF-16, Lynchburg, VA 24501

Ms. Kathryn B. Nolan, Senior Counsel, Duke Energy Carolinas, LLC, 526 South Church Street - EC07H, Charlotte, NC 28202

TRIP REPORT FOR NUCLEAR REGULATORY COMMISSION (NRC) STAFF'S VISIT TO OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3, TO DISCUSS ISSUES IDENTIFIED IN THE ACCEPTANCE REVIEW LETTER REGARDING THE DIGITAL UPGRADE OF THE REACTOR PROTECTIVE SYSTEM (RPS) AND ENGINEERED SAFEGUARDS PROTECTIVE SYSTEM (ESPS)

Background

By letter dated January 31, 2008 (ML080730339), Duke Energy Carolinas, LLC (Duke, the licensee) submitted a license amendment request (LAR) to accommodate replacement of the existing Oconee Nuclear Station, Units 1, 2, and 3 (Oconee) analog based RPS and ESPS with a digital computer based RPS/ESPS. Some of the LAR supporting documents that were not docketed with the January 31, 2008, submittal were subsequently docketed by Duke letter dated April 3, 2008 (ML080990051). In the acceptance review letter dated April 24, 2008 (ML081070521), the NRC identified six issues that will present significant challenges to completing a comprehensive review of the LAR. These issues were addressed in LAR Supplement 2, submitted April 29, 2008 (ML0812601673); Supplement 3, submitted May 15, 2008 (ML081430003); and Supplement 4, submitted May 28, 2008 (ML081550145).

Plant Visit

Four members of the Instrumentation and Control Branch (EICB) staff (W. Kemper, I. Ahmed, P. Loeser, and N. Carte) and the Oconee Project Manager, L. Olshan, visited Oconee from May 19 through May 22, 2008. The purpose of the visit was:

1. To ensure that the licensee has properly considered the requirements for effective digital system design in the upgrade.
2. To ensure that the licensee has properly evaluated engineering practices used by AREVA when developing the digital RPS/ESPS systems.
3. To assess previous quality issues with the digital system submittals and to determine what actions the licensee has taken to assure these issues do not re-occur.

The following major topics, which included the issues identified in the acceptance review letter, were discussed along with the review of pertinent documents to assess the licensee's effective oversight and active involvement in developing the LAR documents:

1. D3: Discussion of the Diversity and Defense-in-Depth (D3) analysis and changes in D3 methods (e.g., Diverse High Pressure Injection Actuation System (DHPIAS)) since the previous NRC staff review. This topic is related to Issue No. 1 in the NRC acceptance review letter.
2. COMM: Discussion of two-way communications (COMM) between safety divisions and between safety and non-safety equipment. This focused on the Interim Staff Guidance (ISG) #4, and how the Oconee RPS/ESPS system compares to this guidance. This topic is related to Issue No. 2 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 2.
3. SPM: Discussion of the use of the vendor (AREVA) Software Program Manual (SPM) when developing application-specific planning documentation and to what degree these documents are considered stand-alone documents for application software quality assessment. This topic is related to Issue No. 3 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 2.
4. V&V: Discussion on Duke's review of the vendor's Verification and Validation (V&V) program and exceptions to Institute of Electrical and Electronics Engineers (IEEE) 1012, specifically addressing test generation responsibilities. This topic is related to Issue No. 5 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 4.
5. FAT: Discussion and document review of Duke's acceptance of Factory Acceptance Testing (FAT). This topic is related to Issue No. 6 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 4.
6. Exceptions: Discussion and review of how Duke has evaluated and approved all other exceptions or deviations from the NRC guidance documents in the LAR. This topic is related to Issue No. 5 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 4.
7. Changes: Discussion of Duke's acceptance of changes to the TELEPERM XS platform hardware, software, and development procedures since approval of the TXS Topical Report in 2000. This includes changes listed in LAR Enclosure 1, Section 2.7, Tables 2-3, 2-4, and 2-5. This topic is related to Issue No. 4 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 3.
8. QMP: Discussions of Oconee's RPS/ESPS Quality Management Plan (QMP) and Licensing and Quality Steering Team (LQST) activities outcomes in addressing the LAR documents' completeness and accuracy. This topic is related to Issue No. 5 in the NRC acceptance review letter and the licensee's response to this issue in Supplement 3.

Discussion Summary

1. D3 Discussed: (1) the D3 analysis and changes in D3 methods (i.e., DHPIAS) since the previous NRC staff review; (2) the basis for current required timing for manual action and how that required time has changed; and (3) how the licensee has verified that the required time for manual action is realistic, what assumptions were made during this determination, (e.g., what system failure modes were assumed) and how realistic these assumptions were.

(1) The NRC staff and Duke discussed the D3 analysis and changes that have been incorporated into the analysis since the previous review (e.g., DHPIAS).

Duke explained how the addition of the DHPIAS improves the plant responses to plant transients and design-basis accidents (DBAs) with a software common cause failure (SWCCF). The NRC staff understands that with the addition of the Diverse Low Pressure Actuation System (DLPIAS) and the DHPIAS, and the built-in conservatism of the D3 best-estimate analysis program used, the plant response is not much different than that described in the Chapter 15 analyses with RPS and Engineered Safety Features (ESF) working.

Addition of the DLPIAS and DHPIAS provides a plant response that does NOT require any manual operator actions for at least 30 minutes, with the exception of a manual reactor trip during a small break loss-of-coolant accident (SBLOCA); this action is required within 2 minutes of the transient. However, Oconee already has a requirement within its current licensing basis (CLB) to trip the reactor and reactor coolant pumps within 2 minutes during an SBLOCA due to minimum sub-cooling margin requirements. Therefore, even though this manual action is required in much less than 30 minutes, it is a reasonable exception to the D3 ISG criteria.

Duke stated that with the addition of the DHPIAS, all anticipated transients and design-basis accidents, with the exception of SBLOCA, now meet the 30-minute criteria for manual actions in ISG#2. For the SBLOCA, the operators have been trained to trip the reactor and the reactor coolant pumps (RCPs) within 2 minutes for nearly 30 years.

This practice was instituted in Babcock and Wilcox (B&W) plants as a lesson learned from the Three Mile Island (TMI) event in 1979. This action remains as a manual operator action because there are certain transients for which it is not always prudent to trip the RCPs. Therefore, the CLB requires the operators to perform the reactor trip and RCP trip functions manually. The operators have demonstrated their proficiency in performing this manual action with an SBLOCA through years of re-qualification training.

Therefore, this exception to the ISG#2 criteria is acceptable. Based on this understanding and some additional information that Duke will provide to the NRC staff, this issue should be resolved.

(2) The basis for the 2-minute manual operator action is within the design basis for B&W plants and was not changed by the addition of the digital system.

(3) Duke described the simulator runs that were used to justify that the operator action times assumed in the D3 analysis were realistic; certain indications were made unavailable to the operators, but false indications were not induced as a result of the simulated software common cause failure (SWCCF). Since the Oconee D3 design strategy complies largely with ISG#2, the NRC staff does not believe it will be necessary to conduct additional simulator testing. Also, the previous simulator exercises performed to validate the Oconee D3 strategy are bounding since the current Oconee D3 strategy now incorporates the DHPIAS and therefore many of the manual operator actions that were required in less than 30 minutes are now not needed for at least 30 minutes. However, the NRC staff informed Duke that EICB would have to confer with the Human Factors Branch to gain their agreement on this concept. Also, Duke agreed to provide the DHPIAS and DLPIAS actuation setpoints that support the current D3 strategy.

Furthermore, Duke agreed to describe the built-in conservatism of the D3 best-estimate analysis program regarding the analyzed plant responses to Chapter 15 DBAs with an SWCCF.

It was agreed that the NRC staff would request, and Duke would provide, explanations and setpoint values as documented in Action Items No. 1.1 through 1.4.

2. COMM Discussed: (1) two-way communications between safety divisions and between safety and non-safety equipment. This focused on the ISG #4 guidance and how the Oconee TXS system compares to this guidance; (2) the port tap, its method of operation, and verification of the one-way communications link; (3) the verification of an interposing communications processor for safety-related inter-channel communications; and (4) the verification of data independence/isolation techniques for safety-related to non-safety communications.

The NRC staff was provided a copy of the December 13, 2006, briefing slides on the digital replacement project that addressed, in part, communications, and after review of these slides, the NRC staff had a number of questions on the material presented. Duke committed to provide answers to the questions. The NRC staff will put these questions in the next request for additional information (RAI).

(1) The NRC staff and Duke reviewed Enclosure 3 of Supplement 2, "Position Paper (AREVA Document No. 51-9076647): Alignment of Oconee RPS/ESPS with ISG #4," and identified areas where additional information, better discussion, or specific values are needed. The following illustrates the NRC staff's preliminary conclusions regarding the TXS design comparison with ISG #4:

(a) ISG Item Nos. 1, 2, 4-8, 13, and 15-17 appear to be adequately addressed,
(b) ISG Item Nos. 9, 10, 12, and 14 need additional information, and
(c) ISG Item Nos. 3, 11, and 18-20 are not sufficiently addressed; NRC to request additional information as needed.

(2) Duke stated that it had verified the port tap one-way communications link, but was unable to provide the data. Duke will forward this information to the NRC staff. (See Action Item Nos. 2.1 & 2.2).

(3) Duke told NRC staff that Duke thought that the isolation communication processor was on the SVE2 board, but was unable to provide that information at the time. This data will also be forwarded to the NRC staff.

(4) There are two cases where communications occur between the TXS system via a Monitoring and Service Interface (MSI), which is the class 1E to non-safety boundary, and non-safety-related (NSR) systems. One path is from the TXS system to the NSR gateway. This is a one-way communication link through the port tap. There is no signal path into the TXS safety system from the gateway, so no communications can interfere with the system. The other path is bi-directional communication between the TXS system and the NSR service unit. The service unit is isolated from other plant equipment, so there is no communications path to the service unit except from safety-related equipment (the TXS). These communication design features appear to comply with ISG #4 criteria; however, as stated above, additional information will likely be needed to fully understand the communication strategy.

3. SPM Discussed: (1) the use of the vendor's unapproved SPM for developing application specific planning documentation and to what degree these documents are considered stand-alone documents for application software quality assessment; (2) the criteria used by Duke when reviewing and accepting the specific planning documentation; and (3) the vendor's Configuration Control Board.

It was agreed that the NRC staff would not consider reference, in the LAR and associated documents, of the vendor's SPM as part of the LAR review. These references will be removed by Duke when a document is revised. The intent is to divorce the Oconee LAR from the SPM to the point that approval or disapproval of the SPM will have no effect on the Oconee LAR.

It was agreed that the NRC staff would request, and Duke would provide, documentation as described in Action Item Nos. 3.1 through 3.6.

(1) It was noted that LAR Supplement 2 indicates that reference to the vendor's SPM is not necessary for the Oconee RPS/ESPS project as described therein, and the NRC reasonable-assurance determination should be based on the Oconee RPS/ESPS software development procedures; for example, LAR Supplement 2, Enclosure 2, page 3 states, "Software installation is controlled by the Software Generation and Download Procedure, which is a configuration item governed by the Oconee Software Configuration Management Plan (SCMP)."

Also, Supplement 2, Table 2, "Disposition of References to the SPM from the ONS RPS/ESPS LAR," identifies that the Software Installation Plan (SInstP) is addressed by the Oconee "Software Generation and Download Procedure."

Duke has not yet docketed the software generation and download procedure. This procedure was skimmed during the site visit and appears to be of appropriate detail for this purpose. Two potential issues were identified:

(a) The procedure did not appear to contain any checks that items were done correctly.

(b) The procedure contains scripts that may be used to perform software generation and download steps, but does not contain instructions to check that these steps were successfully accomplished.

(2) The process for review and acceptance of deviations of the SPM from SRP acceptance criteria was the same as for all other deviations or exceptions. Explanations of exceptions, which include Duke's detailed evaluation and acceptance, are documented and will be provided under Item No. 6, "Exceptions."

(3) Duke explained that the vendor performs change control activities, but does not hold formal configuration control board meetings as stipulated in IEEE-1042-1987, Section 2.2.5. The NRC staff suggested that Duke clarify the vendor's change control process to illustrate who actually participates in the process rather than saying that it does not have a change control board. (See also SCMP Section 2.2.2 - AREVA NP Inc. Doc. No.: 51-9006444-005). It appears that the vendor's process may satisfy the intent of a change control board, without actually having such a standing committee, which the NRC staff may be able to credit.

4. V&V Discussed: (1) Duke's review (and associated acceptability criteria) of the vendor's V&V and exceptions to IEEE 1012, specifically addressing test generation responsibilities (This was a follow-up to the discussions held during the April 29-30, 2008, meeting); (2) the data produced by Duke personnel to document its acceptability determination; (3) the path forward to disposition of this issue; and (4) an apparent inconsistency between the software requirement specification (SRS) and the requirements traceability matrix (RTM).

Subsequent to the discussions, Duke provided a "Response to NRC Issue 5" in Supplement 4 of the LAR, dated May 28, 2008. The NRC staff will review the information and discuss with Duke during the biweekly telecons.

(1 & 2) The NRC staff and Duke discussed Duke's review of the vendor's plans and design outputs. It appears that Duke has performed approximately a 25-percent verification that the Software Design Description (SDD) contains all of the requirements from the SRS and will perform a 100-percent verification that the FAT procedures test the SDD. Duke described the activities that it performed to reach an acceptability determination for the documents that the vendor produced for the Oconee project. Duke recognized the limitations of the vendor's V&V process and, therefore, performed a 100-percent review of the SDD and will perform a 100-percent review of the FAT Specification and FAT Procedures. This has the effect of providing an additional level of V&V to the vendor's products. In addition, Duke had QA personnel at the vendor for a considerable amount of time and repeatedly checked on the vendor's processes.

The NRC staff plans to request a description of Duke's review and oversight activities in an RAI so that this information is on the docket and can be used in the SER. (See Action Item Nos. 4.1 & 4.2).

The NRC staff did the equivalent of a thread audit on the Duke review effort and determined that Duke was providing a significant additional level of confidence in the quality of the final product. The NRC staff identified the following four issues that it will pursue in an audit of the vendor:

(a) V&V Review of Tracing vs. Performance of Tracing
(b) Tracing of Individual Requirements: Procedural guidance vs. performance
(c) Duke Energy's Software Parameters - Not Traced
(d) Not All Requirements in SRS are traced

(3) The NRC staff and Duke agreed that the path forward was for Duke to document its additional effort and submit that documentation with the next V&V report. The NRC staff will then be able to give Duke appropriate credit for the work Duke has done.

(4) The NRC staff specifically noted that the SRS (AREVA Doc No 51-9054435-002) states:

"The TXS Gateway software, MSI, and the RPS instrumentation channel E functions are classified non-safety, but they shall be developed and maintained at the same level as the safety related software."

The NRC staff noted that the "TXS Gateway software, MSI, and the RPS channel E functions" do not appear to be addressed in the RTM (AREVA Doc No. 51-9062040-002) and therefore do not seem to be treated as safety-related as required by the SRS.

5. FAT Discussed: (1) Duke's review process (and associated acceptability criteria) for the FAT specifications and procedures that Duke is currently using; (2) impact of crediting FAT for V&V in lieu of simulation and validation tool (SIVAT); (3) additional FAT to address self monitoring SDD requirements; and (4) FAT of self-monitoring features.

Duke decided to remove all reference to SIVAT from its V&V documentation in order to reduce regulatory uncertainty. The intent is to separate the Oconee LAR from SIVAT to the point that approval or disapproval of SIVAT will have no effect on the Oconee LAR.

The only testing credited in the LAR or reviewed by the NRC staff will be FAT.

(1) Based on the explanation received, the NRC concluded that Duke is independently verifying that the FAT specifications and procedures are testing the requirements in the SDD. Duke also explained that, as a separate activity, it checked that the SDD incorporated the requirements of the SRS and equipment specifications.

(2) Duke decided not to credit SIVAT testing in the Oconee RPS/ESPS LAR. The NRC staff requested that Duke identify the documentation impacted by this decision. It was agreed that the NRC staff would request an explanation of what documentation is impacted by the change in the testing strategy and that Duke would respond by identifying the documents impacted, summarizing the impact, and providing a schedule for the revision to these documents. (See Action Item Nos. 5.1 & 5.2)

The SRS (AREVA Doc No 51-9054435-002) states:

"The TXS Gateway software ... shall be developed and maintained at the same level as the safety related software."

The NRC staff needs to know what "developed and maintained at the same level" means. Does it mean that the TXS Gateway life cycle will be traced with the same RTM as that for the safety-related software?

Additionally, the SVVP (AREVA Doc No 51-9010419-005) states:

"the functionality of [TXS Gateway software] is verified via line-by-line code review..."

The NRC staff noted that it is not an accepted practice to credit "line-by-line code review" instead of software functional testing of safety-related software; therefore, TXS Gateway software does not seem to be treated as safety-related as required by the SRS.

(3) The TXS system self-monitoring features were described in the TXS Topical Report, but these features are utilized in application programs, and therefore the application programming that uses these features should be tested at FAT. This is particularly important if Duke wants to credit these self-monitoring features for the CHANNEL FUNCTIONAL TEST in the Technical Specifications (TSs), or if Duke wants to credit these self-monitoring features for extending the surveillance interval of the CHANNEL FUNCTIONAL TEST in the TSs.

6. Exceptions: Duke and the NRC staff discussed how Duke evaluated and approved all exceptions or deviations to regulatory documents and criteria that are referenced in the Oconee RPS/ESPS LAR from the approved NRC guidance documents referenced in Chapter 7 of the SRP; the criteria used by Duke personnel when reviewing and accepting the exceptions or deviations in the LAR not specifically noted in this review plan; and the documentation used by Duke personnel in reaching this determination of acceptability.

During the discussion, Duke stated that the words "conform" or "comply," when stated in the LAR, mean that the guidance document or standard was fully complied with. Duke stated that when the LAR states that a guidance document or standard was "followed," it does not mean that Duke or its vendor fully complied with the guidance document or the standard.

The NRC noted that Section 4.1 of the RPS and ESFAS replacement project specifications (Duke Doc Nos. OSS-0311.00-00-0013 and OSS-0311.00-00-0012, respectively) required that certain standards be used and that the "Supplier" identify all standards used and any exceptions to the standards used. The NRC also noted that Section 4.9 of these specifications requires that all deviations be approved in writing by the "Purchaser." The NRC noted that the "position papers ..." identify exceptions, but do not include an evaluation that provides a comparable assurance of being in compliance with the regulations. It was agreed that the NRC staff would request, and Duke will provide, documentation identifying the standards used and any associated deviations, including the associated acceptability determination. (See Action Item Nos. 6.1 & 6.2)

Note: Duke provided a general description of the Duke oversight of RPS/ESPS Design and Testing Activities in LAR Supplement 4.

7. Changes Discussed: Duke's process for the acceptance of changes to the TXS platform hardware, software, and development procedures since approval of the TXS Topical Report in 2000, including changes listed in LAR Enclosure 1, Tables 2-3, 2-4, and 2-5.

The NRC staff reviewed the tables in Section 2.7 of Enclosure 1 of the LAR and identified individual issues where additional information would be needed to demonstrate that the change would not affect the functionality and qualification of the TXS system. The NRC staff needs additional information on this section of the LAR to independently reach an acceptability determination.

Supplement 3 to the LAR was provided on May 15, 2008, to explain deviations to the TXS Topical Report. The NRC staff reviewed this supplement during the site visit and determined that Supplement 3 actually provided an explanation for not providing the information requested. Supplement 3 states, "sufficient information on TXS system hardware, software, and procedure changes was included in the LAR and other correspondence to address the conditions of the SE for the AREVA TXS Topical Report."

Duke listed the basis for this conclusion as the following:

1) The Safety Evaluation (SE) for the TXS Topical Report approved the TXS design principles and development method;
2) NRC reviewed and audited the TXS configuration management and design change process during the Topical Report review;
3) There were no findings identified during a recent NRC inspection of the TXS Configuration Management and Design Change Process; and
4) The documents included with the LAR contain necessary information to evaluate TXS system changes.

The NRC staff's findings on each of the four points are as follows:

1) The NRC staff agrees with Duke's statement, but not with Duke's conclusion, on this item. The NRC staff's SE approved the TXS design principles and development methods that were implemented in the documentation that was reviewed and was used to develop the platform which was approved by SE in May 2000. Adherence to these principles and methods will reduce regulatory uncertainty associated with the review and approval of changes to the approved platform; however, adherence to these design principles and development methods is not sufficient by itself to ensure acceptability of future designs.

The TXS design used in the Oconee application is different than that which was previously approved. Although similar design principles and methods may have been used to produce the Oconee TXS system, the NRC staff is required to evaluate the output of those processes to verify the acceptability of the functionality, quality, and qualification of the Oconee application.

The intent of the plant-specific action items was to ensure that the approved TXS system was suitable for the application proposed. LAR Table 1-1, "TXS SER Plant-Specific Action Items," does not provide sufficient information related to the changes (the NRC staff discussed specific examples of information needed in Tables 2-3, 2-4, and 2-5 line items to satisfy items 1, 2, 15, and 17 of Table 1-1 during the site visit) associated with the Oconee TXS system.

2) The NRC staff agrees with Duke's statement that the NRC staff reviewed and audited the TXS configuration management and design change documentation process during the topical report review. This was necessary for approval of the TXS platform in May 2000. However, that approval does not mean that future designs and process changes documented using these processes will be acceptable to the NRC staff. The NRC staff is required to review the output of these processes (typically on a sampling basis) to reach a reasonable-assurance determination.
3) The NRC staff does not agree with Duke's conclusion on this item. The inspection, as identified in the May 7, 2008, report (ML081190190), focused on compliance with 10 CFR Part 21 and selected portions of Appendix B to 10 CFR Part 50. This NRC inspection report stated, "the report does not constitute NRC endorsement of AREVA's overall quality assurance program." Specific aspects of the Oconee TXS platform design and manufacture were not reviewed during this audit.
4) The NRC staff does not agree with Duke's conclusion. While the information provided is necessary, it is not sufficient to evaluate the changes to the TXS system. Additional information is needed to understand the basis for Duke's conclusion that the function, qualification, and quality of the changed components are acceptable. This additional information will also allow the NRC staff to reach an independent determination that the changes are consistent with the previous NRC staff determination of a high-quality product and reasonable assurance of safe operation.

8. QMP Discussed: Oconee's RPS/ESPS Quality Management Plan (QMP) and Licensing and Quality Steering Team (LQST) activities in addressing the LAR documents' completeness and accuracy.

Duke discussed the changes in its oversight activities, which appear to be effective. Duke is taking ownership of the process and now appears to be providing thorough review of the vendor's documentation.

Duke described its extensive review of the documents produced by the vendor and the extensive presence of the Duke QA auditor at the vendor's facility during the recovery effort. Both these quality management activities are an enhancement over the oversight of the previous LAR, which was submitted February 14, 2005. The NRC staff will likely use this information as part of its acceptability determination. (See Action Item Nos. 8.1 & 8.2)

Duke provided a general description of the "Duke Oversight of RPS/ESPS Design and Testing Activities" in Supplement 4. Duke described its oversight activities as part of the engineering change process. These oversight activities are in addition to the normal oversight processes to ensure high quality work by the vendor. Duke agreed to provide additional information regarding its actions to ensure that a high-quality product was provided from the vendor.

Audit Action Items

The following is a summary of the action items associated with the review activities.

1 D3: Diversity and Defense-in-Depth

1.1 Duke to provide an explanation of how adding diverse LPI and HPI has changed the D3 analysis.

1.2 Duke to provide setpoints for the LPI and HPI diverse actuation systems.

1.3 Duke to provide the NRC a summary of the D3 assessment that includes the following:

(1) Explanation that the 2-minute reactor trip has always been a part of the Oconee licensing basis and is required now with the RPS/ESPS system and will continue to be required after the new digital system is installed.

(2) Explanation of the combined effect that DLPIAS/DHPIAS has on the original D3 analysis.

(3) Description of what diverse indications are available to the operator, indicating any effect that a software common mode failure would have on operator interpretation of the event.

1.4 Duke to provide qualitative discussion of the expected outcome of events where fuel damage occurs.

1.5 NRC to request the information that Duke will provide.

2 COMM: Communications

2.1 NRC to request data verifying the one-way communication link of the port tap.

2.2 Duke to respond by providing the requested information.

3 SPM: Software Program Manual

3.1 NRC to request OI-1457, "TELEPERM XS Software Quality Assurance Plan."

3.2 NRC to request AREVA NP Inc. Document No. 51-9001942-004, "Oconee Nuclear Station, Unit 1 RPS/ESPS Controls Upgrade Software Generation and Download."

3.3 Duke to provide a description of how the Duke documents map to BTP 7-14.

3.4 Duke to provide documentation of its acceptability determination of the BTP 7-14 position paper.

3.5 Duke to provide documentation of the acceptability determination for all deviations documented per the requirements of Section 4.9 of the replacement project specifications.

3.6 NRC to request the information that Duke will provide.

4 V&V: Verification and Validation

4.1 NRC to request a detailed description of the Duke review and oversight activities of its vendor.

4.2 Duke to submit a detailed description of the review and oversight activities.

4.3 NRC to investigate the identification of the software librarian in an Oconee-specific document.

5 FAT: Factory Acceptance Testing

5.1 NRC to request an explanation of what documentation is impacted by the change in the testing strategy.

5.2 Duke to respond by identifying the documents impacted, summarizing the impact, and providing a schedule for the revision to these documents.

5.3 Duke to remove "SIVAT" from Duke-specific documentation, since the use of this tool will not be credited.

6 Exceptions

6.1 NRC to request the documentation identifying all standards used by the supplier and any deviations from these standards, including any associated acceptability determination.

6.2 Duke to respond by providing the requested information.

7 Changes

7.1 NRC to request an explanation of the changes to the TXS system since the TXS Topical Report.

7.2 Duke to respond by providing: (1) a fact-based explanation of changes, and (2) an explanation of how these facts can be combined to arrive at an acceptability determination.

7.3 NRC to research the applicability of the words in LIC-101.

8 QMP

8.1 NRC to request an explanation of the Duke review of documentation produced by its vendor and of Duke's vendor audit activities.

8.2 Duke to respond by providing: (1) a detailed explanation of the activities requested, (2) examples of the issues identified by Duke, and (3) how issues were resolved.

Principal Contributors:
Paul Loeser, NRR/DE/EICB
Norbert Carte, NRR/DE/EICB
Iqbal Ahmed, NRR/DE/EICB
William Kemper, NRR/DE/EICB

Date: July 23, 2008