ML110980761


Audit Report of the Common Q Post Accident Monitoring System (Pams)
Person / Time
Site: Watts Bar Tennessee Valley Authority
Issue date: 04/27/2011
From: Justin Poole
Plant Licensing Branch IV
To: Bhatnagar A
Tennessee Valley Authority
Poole Justin/DORL/ 301-415-2048
References
TAC ME2731


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

April 27, 2011

Mr. Ashok S. Bhatnagar
Senior Vice President
Nuclear Generation Development and Construction
Tennessee Valley Authority
6A Lookout Place
1101 Market Street
Chattanooga, TN 37402-2801

SUBJECT: WATTS BAR NUCLEAR PLANT, UNIT 2 - AUDIT REPORT OF THE COMMON Q POST-ACCIDENT MONITORING SYSTEM (PAMS) (TAC NO. ME2731)

Dear Mr. Bhatnagar:

The U.S. Nuclear Regulatory Commission (NRC) staff performed an audit of (1) commercial grade dedication, (2) requirements traceability, (3) configuration management, and (4) verifications and validation for the new or changed Common Qualified hardware and software to be used in the PAMS at the Watts Bar Nuclear Plant, Unit 2. The audit took place from February 28 to March 4, 2011, at the Westinghouse facility located in Pennsylvania.

Enclosed is the audit summary report prepared by the NRC staff.

If you should have any questions, please contact me at 301-415-2048.

Justin C. Poole, Project Manager
Watts Bar Special Projects Branch
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-391

Enclosure: Audit Summary

cc w/encl: Distribution via Listserv

REGULATORY AUDIT SUMMARY OF THE COMMERCIAL GRADE DEDICATION, REQUIREMENTS TRACEABILITY, CONFIGURATION MANAGEMENT, AND VERIFICATIONS AND VALIDATION FOR THE POST-ACCIDENT MONITORING SYSTEM USED AT WATTS BAR NUCLEAR PLANT, UNIT 2

BACKGROUND

By letter to the Nuclear Regulatory Commission (NRC) dated December 5, 2008 (Agencywide Documents Access and Management System Accession No. ML083440224), as supplemented by letters dated February 28, 2009 (ML090570741), February 5, 2010 (ML100540143), March 12, 2010 (ML101680576), April 8, 2010 (ML101050203), April 27, 2010 (ML101230248), June 18, 2010 (ML101940236), June 30, 2010 (ML101870617), July 14, 2010 (ML102030547), July 30, 2010 (ML102160349), August 20, 2010 (ML102380256), September 2, 2010 (ML102660074), September 9, 2010 (ML102580279), October 5, 2010 (ML102910324), October 21, 2010; October 26, 2010 (ML103020322), December 3, 2010 (ML103640220), December 22, 2010, and February 25, 2011, the Tennessee Valley Authority (TVA) requested the approval of the Common Q based Post-Accident Monitoring System (PAMS). The staff performed the audit in accordance with the audit plan that was transmitted to TVA.

Individuals the staff interacted with included:

TVA:

Hilmes, Steve; Clark, Steve; Merten, Mat

WEC*:

Drake, Andrew P.; Uzman, Murat S.; Smith, Stephanie; Stofko, Mark J.; Shakun, Matthew A.; Odess-Gillett, Warren R.

WEC (Part time):

Dlugolenski Jr., Stanley; Manazir Jr., Richard M.; Packard, Stephen L.; Ryan, Martin P.; Brandt, Jonathan; Downey, Shawn; Konzel, Andrew; Trozzi, Arthur J.; Slinski, Stephen; Mutyala, Meena; Stivason, Thomas; Warner, Robert; Marscher, Mark; Scardina-Gazzo, Christine; Tuite, Terry; Erin, Larry; Karaaslan, Secil; Sfamenos, Nick; Uzman, Mesut; Buyan, Denny; Very, Rick; Kloes, Ken; Sebesta, Barry

* Westinghouse Electric Corporation

AUDIT SUMMARY

This audit was conducted in accordance with the regulatory basis identified in the audit plan.

As described in the audit plan, the following audit focus areas were covered:

1. Commercial Grade Dedication,
2. Requirements Traceability,
3. Configuration Management, and
4. Verification and Validation

Summaries of the specific audit activities and conclusions follow, categorized by their focus area. These were briefly described at the exit briefing. The results of this audit will be used to support the safety evaluation (SE) findings for both the Watts Bar Unit 2 (WBN2) Post-Accident Monitoring system and the Westinghouse Common Qualified (Common Q) Platform Topical Report WCAP-16097-P Revision 1.

1. Commercial Grade Dedication

As a way of explaining the Westinghouse commercial grade dedication (CGD) process, two WBN2 requirements that are being met via the use of commercial grade hardware were presented by Westinghouse. (1) The first was a requirement that the system shall be able to accept 4 to 20 milliamp DC signals with a maximum loop impedance of 600 Ohms. (2) The second was a requirement for the system to accept a thermocouple millivolt and voltage input of 0 to 10 VDC. One additional WBN2 requirement relating to a CGD hardware item (Common Q Power Supply DC to DC Converter module) was selected by the NRC staff for tracing. This requirement was for the system to be able to supply power to the Reactor Vessel Level Indication System (RVLIS) differential pressure circuits. No discrepancies were noted. The CGD process implementation was found to be consistent with the CGD procedures and processes described in the WBN2 Licensing Technical Report (LTR).

One WBN2 requirement that was being met via the use of a commercial grade software component was presented by Westinghouse. This requirement was for the system to be able to monitor the status of a Reactor Coolant Pump (RCP) under voltage coil and process this signal to be used as an input to the RVLIS level calculations. Two additional WBN2 requirements relating to CGD software components were selected and traced by the NRC staff. These requirements were for the system to be able to provide an indication of subcooled margin on the operator module flat panel display, and to provide an indication of core exit thermocouple temperature on the core mimic screen of the flat panel display system. No discrepancies or inconsistencies were noted.

The NRC staff examined the Westinghouse procedure being used for developing commercial dedication instructions as well as a recent Commercial Grade Dedication Survey report for the QNX operating system. No discrepancies or inconsistencies were identified.

Process

The CGD process that was used for the Watts Bar PAMS is described in Section 7 of the TVA/WBN2 Post-Accident Monitoring System Licensing Technical Report. This CGD process was used to qualify certain hardware and software components of the Common Q PAMS that were not developed under the Westinghouse 10 CFR Part 50 Appendix B programs for use in WBN2. The CGD process is based upon the Westinghouse Quality Management System as a level 2 process by implementing procedure WEC 7.2 "Dedication of Commercial Grade Items."

The objective of WEC 7.2 is to provide reasonable assurance that commercial grade components of the WBN2 Common Q PAMS will perform their intended safety functions when called upon to do so and that the quality levels achieved for these dedicated components are equivalent to items that are manufactured and provided under a 10 CFR Part 50 Appendix B program.

Section 10 of the Common Q platform Topical Report (non-Proprietary: ML031820484; Proprietary: ML031830959), which is referenced by the TVA LTR for WBN2, provides a description of the generic CGD program used for commercial grade hardware and software components of the Common Q platform.

This audit activity involved performing a review of documentation produced as a result of the CGD activities as well as direct observations of these activities. Interviews were conducted with several key personnel who are involved in the performance of these activities. The following evaluation compares the documentation and observed activities with the processes described in the TVA LTR for WBN2.

Westinghouse provided an overview of the CGD process that is used for the qualification of hardware components of the Common Q system that were not designed or developed under a 10 CFR Part 50 Appendix B quality program. This overview included tracing the requirements for two specific hardware components that are used in the Watts Bar PAMS application. The components selected for this overview were the Analog Input circuit boards used for processing milliamp current signal inputs and for processing voltage signal inputs to the system. These tracing efforts illustrated how the CGD activities are documented and each of the documents associated with the sample components was referenced and discussed.

The actual CGD for these components was performed independently from the Watts Bar PAMS development process to support the development and maintenance activities of the Common Q platform. As the project design was performed, commercial grade components were selected from a list of available qualified components based upon their ability to meet the customer's requirements.

The first CGD thread was for the Analog Input Module AI687. The initial requirement used for this thread was derived from TVA Requirement No. 233 (See WNA-U-00058-WBT Section 11, "TVA Contract Compliance Matrix"), which states that the system must be able to accept 4 to 20 milliamp DC signals with a maximum loop impedance of 600 Ohms. This requirement was translated into both the WBN2 System Requirements Specification (SysRS - WNA-DS-01617-WBT) and the WBN2 System Design Specification (SysDS - WNA-DS-01667-WBT). The SysRS identifies which of the system's input parameters will require the use of this function.

The SysDS identifies the commercial grade component Analog Input module AI687 as being able to perform this required system function. The SysDS also defines where the AI687 boards are to be located. For the Watts Bar system there are four AI687 boards in each division and they are located in slots 11 through 14 of the RF620 rack.

The WBN2 PAMS Cabinet Assembly and AC160 Hardware Procurement drawing document showed that the AI687 card was in fact selected to perform the required functions. The AC160 Hardware Procurement drawing lists all parts and versions that are allowable for use in the system. It also lists sub components and versions which are acceptable for use in assemblies.

The AI687 card is an assembly which consists of a main board and a sub-board. Because the AI687 board is a commercial component, the procurement drawing references a CGD instruction as well as a certificate of conformance document to show that the dedication process has been performed. For the AI687, a commercial dedication instruction (CDI 2625) is referenced.

The CDI 2625 identifies the critical design characteristics of the card assembly along with the verification methods used to ensure that these characteristics are met and what organizations are responsible for completing these actions. For the AI687, there are seven critical characteristics identified. For the purposes of this audit, the staff confirmed that the CGD process of developing and verifying critical characteristics was being followed by Westinghouse.

The technical adequacy of these characteristics was not evaluated. Five of these characteristics are verified by means of tests and inspections, and two are verified by way of the commercial grade survey. Both inspection activities and survey review instructions are included in the CDI. The inspection and test activities include visual inspections of digital images of the circuit boards as well as performance of energized tests to ensure that the board is capable of performing its required functions. The CDI also includes a CDI Data Sheet and CDI Preparation Checklist which provide criteria for reviewing engineers to use in determining the acceptability of a given part.

For the purpose of this audit, the NRC staff reviewed the digital image of the AI687 board that is installed into slot 12 of the channel A WBN2 system. Slot 12 processes the cabinet temperature signal, two RVLIS capillary resistance temperature detector signals, T4 and T3, as well as eight Core Exit Thermocouple (CET) input signals. The staff requested that this board be removed from the system for a sample visual inspection of the assembly exterior. No discrepancies were noted during this inspection and all assembly serial numbers and quality control labeling were found to be consistent with the documentation for this module.

The Commercial Grade Survey (CGS) is performed as a minimum every 3 years to verify that the manufacturers' configuration control processes are being properly implemented and maintained. The following are some examples of activities performed during a CGS:

  • Review how the order is received and requirements are passed on to production.

  • Review controls for acceptability of component placement.

  • Review control of components, solder, and process and application of labels and stickers.

A similar thread evaluation was performed for the AI688 assembly by the NRC staff and no discrepancies were noted.

Common Q Power Supply Module

A third component was selected by the staff to perform an independent assessment of the CGD process by examining the documentation associated with a power supply module that is used in the WBN2 PAMS to provide power to the RVLIS differential pressure loops. The starting point for this thread was Item No. 278 in the Contract Compliance Matrix. This requirement states in part that "the DC distribution system shall employ redundant DC power supplies with a single AC power source." (Note: This requirement was bundled in with several other requirements in the LTR.)

To meet this specification, requirements were created in the SysRS and in the SysDS. The SysRS describes the AC input specifications for the PAMS cabinet as being 120 VAC plus or minus 10 percent and 60 plus or minus 3 Hz with a maximum current of 8 amps. The SysDS explains that two 300 V bulk power supplies are used in the system and that the output of these supplies provides source voltage to the DC to DC converters that are inserted into positions 3 through 8 of the power supply rack. The SysDS also shows that the DC to DC converters in slots 4 through 7 provide power to the three DP cells of the RVLIS. The selected component for this thread was the 28/28/24 DC-DC converter in slot 5 of the channel A PAMS that supplies power to DP2PS1, DP3PS1, and AUXPS1.

The WBN2 PAMS Cabinet Hardware Test Report identified the model and serial number for this board. This board was also removed for inspection by the NRC and the label information including the serial number and model number was confirmed to be consistent with its associated documentation.

Software Threads

Westinghouse provided an additional demonstration of how the commercial dedication process is used for the qualification of software for the AC160. The primary emphasis of this demonstration was to show how customer specifications were being fulfilled via AC160 software components that had undergone this dedication process.

The thread started with TVA contract requirement No. 506 from Section 12 of the LTR. This requirement states that the RCP status is derived from the RCP under voltage coil. This requirement is being met using a digital input signal that is processed with a Digital Input DI620 module. The AC160 software module which controls the processing of digital signals is the DI620 data base element.

The Software Design Description was then consulted to determine how these requirements were being implemented for the Watts Bar PAMS application. Section R7.1.4.3 "RVLIS Monitoring" provides a description of how the RCP Status parameters are used as an input to the RVLIS algorithms to support the calculation of Reactor Vessel Level. It also provides a diagram that represents this algorithm. Within this figure, a block labeled Pump Status inputs represents how the digital inputs from the DI620 factor into the calculation of RV level. The Software Design Description provides additional details on how these algorithms function.

The data sheet for the DI620 and DIS620 shows that this software component was commercially dedicated using CDI 3389. CDI 3389 identifies the critical design characteristics of the AC160 core software along with the verification methods used to ensure that these characteristics are met and what organizations are responsible for completing these actions.

For AC160 software components, there are five Critical Characteristics identified. For the purposes of this audit, the staff confirmed that the CGD process of developing and verifying critical characteristics was being followed by Westinghouse. The technical adequacy of these characteristics was not evaluated. Two of these characteristics are verified by means of special tests and inspections performed at the dedication facility, and two are verified by means of the CGS. Both inspection activity and survey review instructions are included in the CDI. The inspection and test activities include visual inspections of software media. The CDI also includes a CDI data sheet and a CDI preparation checklist which are similar to the checklists used for the dedication of system hardware components described above.

Finally, the test case for providing functional verification of the RCP status processing within the Processor Module Software Test Procedure was reviewed. This test validated the operation of this function block specifically for the WBN2 PAMS by simulating all combinations of RCP run statuses into the function block software and confirming that all intermediate and output signals responded in accordance with the software requirements. Two additional software requirement threads were evaluated by the staff during the audit and no deficiencies were identified. These requirements were:

  • Providing indication of Sub-Cooled Margin in specific Flat Panel Display System (FPDS) screens.

  • Providing indication of Core Exit Thermocouple temperatures on the Core Mimic screen of the FPDS.

WEC 7.2

This procedure identifies the roles and responsibilities for Engineering, Quality, and the Dedication Facility with regard to the CGD processes. It also provides direction on how sampling techniques could be used to provide an adequate level of inspection/testing for a particular commercial product. Four methods for accepting commercial grade items are provided. Guidance for how to conduct these methods is also provided.

1. Special Inspections and Tests
2. Commercial Grade Survey of Supplier
3. Source Verification
4. Acceptable Supplier/Item Performance Record

Only methods 1 and 2 were identified for the CGD threads reviewed during this audit.

The execution of CDIs can be performed by either an independent Appendix B supplier or by Westinghouse. The procedure also provides direction on how to identify and document the completion of CGD.

Commercial Grade Survey Report

The NRC staff examined a recent Commercial Grade Dedication Survey report. The survey was performed in Ontario, Canada, at the QNX Software Systems (QSS), LTD facilities. Its purpose was to verify the implementation of controls for applicable characteristics of the dedicated QNX operating system. The critical characteristics surveyed were: Software Identification, Software Integrity, and Error reporting. The survey plan identified acceptance criteria for the critical characteristics. The report and results of the survey concluded that the operating system controls were adequate and that Westinghouse needs to continue to maintain a software support agreement for error reporting with the supplier.

2. Requirements Traceability

Several requirements (Nos. R2.1-1, R2.5.1-1, R3.2.1-3, R2.6.2.2.20-2, & R2.5.3.4.12-2) were selected from the SysRS (WNA-DS-01617-WBT: a proprietary document) and traced forward into the downstream engineering documents.

R2.1-1 Required that a certain project specific document be created. This document was created, but it was not evaluated by verification and validation (V&V), since the document was not required to be evaluated by V&V in the Software Program Manual (SPM).

R2.5.1-1 This requirement incorporates initialization requirements from the Common Q PAMS SysRS (00000-ICE-30156) by reference. The WBN2 PAMS SRS (WNA-SD-00239-WBT Rev. 2) also incorporated the same requirement by referencing the same section.

R3.2.1-3 Required a certain accuracy requirement that was addressed in the factory acceptance test acceptance criteria. Note: input accuracy requirements are not typically addressed in application software.

R2.6.2.2.20-2 Required that certain functionality exists on the flat panel display via push buttons.

R2.5.3.4.12-2 Required that a specific formula be used for the calculation of uncompensated dynamic head.

In addition, a new version of the LTR was examined. This new version contains an additional section to indicate the origin of each requirement in the SysRS. This section was used to identify the origin of several sampled requirements. The origin of several requirements was identified as "engineering judgment;" however, the associated rationale was not obvious from examination of the requirement. Westinghouse explained the associated engineering judgment and agreed to add this explanation to the LTR.

WBN2 Action: The "engineering judgment" response will be updated to include a one to two sentence explanation of the judgment.

Two errors were found on software release records: (1) a test procedure was referenced whereas the associated test report should have been, and (2) one of the final object files was not listed whereas it should have been.

WBN2 Action: These release records will be corrected and an extent of condition evaluation will be performed.

3. Configuration Management

The staff examined the implementation of the vendor's Software Configuration Management Plan (SCMP), as found in Section 6 of the SPM, for the WBN2 Common Q PAMS.

SPM Section 6.2.2.1 states, in part, that a software librarian and/or system administrator may be named to maintain controlled software, records, backup copies in a separate building of deliverable software, and backup copies of software tools. The WBN2 Common Q PAMS project has a software librarian that maintains the controlled software. According to the work instruction for the software librarian, WNA-WI-00157-GEN, Rev. 1, the project has two software libraries, one that is used by the design team to create or modify the software. The other library contains verified software that only the software librarian can update and which allows only read access to other users. IT maintains backup copies of the software and software tools, which can be requested if needed by the software librarian. Backup copies are made on a weekly basis, with older versions being deleted after 60 days. Backing up all files on a weekly basis meets the requirements in Section 6.5 of the SPM. A Software Release Record (SRR) is created by the design team once a piece of software is ready for V&V. The SRR references a specific revision of the software, which the V&V team uses for review. Once the software is reviewed by V&V, a Software V&V Release Record is created, and the code is placed by the librarian in the controlled library. Any associated images with the verified code are recreated from the code that was verified. Based on a discussion with the Software Librarian, the backup copies are maintained in Windsor, CT, which is in a different location from the other libraries.

SPM Section 6.3 specifies guidance for information to be included in header blocks for source files in order to maintain configuration identification. Source file headers for the FPDS follow this guidance, and so do the examples for C code headers in Coding Standards and Guidelines for Common Q Systems, 00000-ICE-3889, Rev. 12. The staff reviewed the header for an FPDS source file, callbacks.c, and the header followed the guidelines. However, in the source files for the AC160, the header does not strictly follow the SPM, due to the process that creates those source files. Most of this information, including revision history, is instead contained in the footer of those files. This is in accordance with Work Instructions (WI) for Releasing AC160 Code, WNA-WI-00054-GEN, Rev. 3, November 2009.

WI WNA-WI-00179-GEN, Rev. 0, October 2010, Generic Common Q: Common Q Software Optical Media Work Instruction, details labeling guidance for compact disks (CDs). The guidance in the WI listed a set of minimum information, including project identity, software identity, SRR as listed in Westinghouse's document tracking system, and optical media creation date, but did not have a clear link to the format specified for media in Section 6.3 of the SPM. However, at the time of the audit, no CDs had been created for this project.

WBN2 Action: The LTR will include an explanation that the media labeling processes have changed since the last submittal of the SPM.

Generic Action: Revise the SPM to reflect the current media labeling process.

The staff examined the channel integration test/factory acceptance test (CIT/FAT) report, baseline documents, and associated Software Implementation Release Reports to confirm that the SRRs included in the CIT/FAT report matched the established baseline at the time. The specific SRR confirmed was the SRR for PAMS Train A software for the original and regression testing done in the CIT/FAT report. Exception Reports created due to initial testing created related Software Change Requests, and were regression tested, if necessary.

The staff examined the software change process, and traced an issue identified in an Exception Report through to its testing. A Software Change Request (SCR) can be driven by an Exception Report, or as a result of an enhancement request, and the process for creating an SCR can be found in WNA-WI-00121-GEN, Rev. 1, Common Q Exception Report (ER) & SCR Work Instruction. An SCR form contains the information and approval listing listed in Section 6.3.2 of the SPM.

One internal audit was done by Westinghouse's quality assurance (QA) organization in the area of requirements traceability management at the time of the audit, but the audit report was still in draft at the time of the inspection. Based on discussion with QA personnel, the way that QA monitors adherence to the configuration management plan is through internal audits and self assessments.

The project schedule did record the establishment of configuration baselines, but there was no formal milestone for implementation of change control procedures. However, there were milestones related to SCRs and SRRs.

The Software V&V report did include assessments for the configuration management of the different phases of the life cycle.

4. Verification and Validation

The NRC asked for the V&V team supervisor (Murat Uzman) to identify the V&V team. The following list was provided:

Nick Sfamenos; Secil Karaaslan; Murat Uzman (supervisor); Sandra Glasser; John Faulkner; Ipek Tetokoglu; Avraham Niedelarnn; Vasilii Savtchouk; Joe Carretta (integration tests); Vicki Williamson (integration tests); Terry Tuite (integration tests)

The following people participated in the audit:

Nick Sfamenos; Secil Karaaslan; Murat Uzman

The NRC started with software-development-process requirements identified in the software program manual (SPM - ML050350234) and traced these software-development-process requirements through to their implementation. (In general the NRC recognizes that augmentation of, or deviations from the requirements in the SPM are explicitly allowed by the SPM, if they are described and justified in either a project quality plan or a project specific independent V&V (IV&V) plan. The central ideas are: (1) not all tasks are applicable to all projects, and (2) some projects may require additional tasks in order to achieve a high quality software-development-process.) In the deviations and issues cited below, these deviations, even if justifiable, were not described and justified, which is not in accordance with the SPM.

Since: (1) the NRC required (in the Common Q topical report SE) the SPM to be used for all Common Q systems, (2) TVA required that the SPM be used in the PAMS contract, and (3) TVA stated to the NRC that the SPM was being used, this condition must be addressed.

(A)

Section 5 of the SPM under V&V team roles and responsibilities states that "The verifier is also the independent reviewer for the design team." For the WBN2 Common Q PAMS project, this did not occur. The independent review was conducted by the design team and the document was approved and issued before the V&V team receives the document for review.

The V&V team explained that it reviewed all of the documentation issued during a design phase concurrently (e.g., phase review).

WBN2 Action: For the WBN2 PAMS project, the IV&V Summary report will be revised to clarify that the V&V team verifier does not perform the role of independent reviewer for the design team.

Generic Action: Programmatically, the SPM will be revised to clarify that the V&V team verifier does not perform the role of independent reviewer for the design team.

(B)

The NRC observed that there are generally four kinds of signature blocks on WBN2 Common Q PAMS project documents: Author, Verifier, Reviewer, & Approver; Westinghouse QA procedures (i.e., WEC 6.1) define the responsibilities associated with each of these signatures. Based on the examination of the Westinghouse procedures (WEC 6.1 & WEC 3.3.3), only the Verifier is required to meet 10 CFR Part 50 Appendix B requirements regarding independent review.

Some design team documents contain a signature block for each of the four categories identified above (e.g., SysRS - WNA-DS-01617-WBT-P Rev. 3), and some design team documents do not contain a Verifier signature block (e.g., SRS - WNA-SD-00239-WBT Rev. 2); therefore, it was not clearly demonstrated that all documents that were required to be independently reviewed were in fact independently reviewed.

Westinghouse explained that the standard document template did not contain a Verifier signature block; this was a source of confusion. Westinghouse explained that each document requiring independent review was in fact independently reviewed; however, no documentation supporting this position was provided.

WBN2 Action: For the WBN2 PAMS project, Westinghouse will provide documentation in their Rockville, Maryland offices demonstrating that each document requiring independent review was in fact independently reviewed. CAPs No. 11-061-M047 will contain a commitment to provide documented evidence of appropriate independent reviews.

Generic Action: See CAPs No. 11-061-M047: This issue will also be addressed programmatically, possibly providing additional templates, and specifying templates for specific categories of documents. (There currently exists one template that is used for both safety-related and nonsafety-related documents.)

(C)

The SPM requires the QA department to perform various in-process audits or assessments (e.g., SPM Section 4.6.2.8, "Managerial Reviews," which is "... to assess the execution of all actions and the items identified in this SQAP [Software Quality Assurance Plan].") to ensure compliance with the SPM for a given project. The QA department performed one audit (Westinghouse Internal Audit No. WEC-10-63) of requirements traceability 2 weeks prior to the NRC audit and this audit documentation was in draft form. The QA department did not fulfill all of its obligations under the SPM.

Also, given the number of discrepancies between the SPM and the processes followed, and QA's associated oversight responsibilities, QA oversight of SPM compliance was ineffective.

WBN2 Action: For the WBN2 PAMS project, Westinghouse will perform a complete and comprehensive self-assessment to evaluate compliance with the SPM, with respect to V&V requirements.

Generic Action: This issue will also be addressed programmatically.

(D)

The SPM requires that the IV&V Team use a comment resolution process like that identified in SPM Exhibit 4-4. This process requires the Design Team to provide disposition for each documented comment. The IV&V team uses the ER database for corresponding with the Design Team. All ERs listed all the document comments, but some ERs did not document the disposition for each comment.

WBN2 Action: All ERs were reviewed and an additional ER was opened to ensure that each comment is individually addressed.

(E)

The NRC noted that the use of the term "Verifier" in the SPM is inconsistent with the definition of the same term in WEC 6.1. The SPM does define responsibilities for the V&V Team verifier; these responsibilities include the responsibilities for a "Verifier" as defined in WEC 6.1; however, this is not being done.

Generic Action: Westinghouse to ensure that consistent terminology is used in the SPM and QA implementing procedures.

(F)

The body of the SPM makes reference to specific sections of Institute of Electrical and Electronics Engineers (IEEE) 829, but the sections referenced are inconsistent with the year of the standard identified in the references section. (IEEE 829 section numbering has changed over the years.)

Generic Action: Westinghouse to ensure internal consistency of the next revision of the SPM.

(G)

The NRC noted that the SPM is internally inconsistent with some sections specifying that the V&V team is responsible for configuration management and some sections specifying that the design team is responsible.

Generic Action: The next revision of the SPM will be internally consistent and specify that the design team is responsible for configuration management. The V&V team will issue software release records for software that has been issued from the Design Team to the V&V team and has successfully completed the associated verification and validation activities.

(H)

SPM Section 4.6.2.9 states:

The Software Configuration Management Plan (SCMP) Review is held to evaluate the adequacy and completeness of the configuration management methods defined in the SCMP (SECTION 6) and their implementation. The review shall be performed by the V&V team, and results documented to identify all deficiencies found. The design team shall plan for the resolution of deficiencies.

Westinghouse stated that no review of the adequacy and completeness of Section 6, "SCMP," was performed by the WBN2 V&V Team since the NRC had approved the SPM (i.e., the NRC found the SCMP - SPM Section 6 - to be adequate).

The NRC approved the SPM, in part, based on requirements it contained for future actions. If the SCMP - SPM Section 6 - was adequate for all projects that could ever be imagined, then there is no reason to describe a project specific SCMP in the SPM. The NRC had understood this clause to mean that each project would evaluate the SCMP for acceptability and completeness for that project, and if not, then that project would create a project specific SCMP.

WBN2 Action: Westinghouse to document a WBN2 specific adequacy and completeness evaluation.

Generic Action: Westinghouse to clarify in the next revision of the SPM.

(I)

SPM Section 6.2.2, "SCM Responsibilities," states, "The V&V Group... is responsible for implementation of adequate measure to manage and control the software configuration... " SPM Section 6.2.2.1, "Requirements Phase," states, "1. Define the software items that are to be controlled via this SCMP." The V&V Team did not perform this activity during the requirements phase. The Design Team used the project plan to define in high level terms the generic software that will be used for WBN2 PAMS. The Design Team used the baseline report to define the generic software documents to be used; the software release records reference these generic documents.

WBN2 Action: TVA/WEC to add a section to the PAMS Common Q LTR to identify and justify deviations from the SPM.

Generic Action: The requirement phase of the SCMP in the SPM will be revised to include a discussion on generic vs. project-specific requirements. The SPM will also be updated to include where these software items are defined.

(J)

SPM Section 4.6.2.9 states:

The Software Configuration Management Plan (SCMP) Review is held to evaluate the adequacy and completeness of the configuration management methods defined in the SCMP (SECTION 6) and their implementation. The review shall be performed by the V&V team, and results documented to identify all deficiencies found. The design team shall plan for the resolution of deficiencies.

SPM Section 6.2.2, "SCM Responsibilities," states:

The V&V Group... is responsible for implementation of adequate measure to manage and control the software configuration...

SPM Sections 4.6.2.9 & 6.2.2 are inconsistent.

WBN2 Action: The responsibilities for configuration management will clearly be defined as the Design Team activity and not a V&V Team activity in the next revision of the LTR.

Generic Action: The responsibilities for configuration management will consistently be defined as the Design Team activity and not a V&V Team Activity in the next revision of the SPM.

(K)

SPM Section 4.5.2.1, "Coding Standards," states, "The V&V team shall review the applicable coding standards for each project for acceptability." Westinghouse credits the V&V signature on the generic coding standards document as addressing this requirement.

Generic Action: The SPM will be clarified.

Documents

Commercial Grade Dedication

  • Commercial Dedication Instructions CDI3389, AC160 and AMPL Control Configuration Advanced Software Media
  • Commercial Dedication Instructions CDI2625, AC160 Controller Assemblies
  • Watts Bar Unit Two System Requirements Specification WNA-DS-01617-WBT
  • ABB Certificate of conformance for AC160 equipment 2156486
  • PAMS SDS WNA-DS-01667-WBT-P,R4
  • Production order completion form 40037985 Common Q power supply for PAMS MW01204469x002-003
  • Shop Traveler reports
  • Inspection Reports
  • Production Test Record for the common Q power supply chassis test
  • WBN2 PAMS Cabinet Hardware Test Report

  • Common Q Power supply procurement drawing 2C48394
  • ENICS Manufacturing certificate of conformity for selected AC160 circuit board
  • WBN2 PAMS Cabinet assembly drawing
  • AC160 hardware procurement drawing

Requirements Traceability

  • WCAP-16096-NP-A, Rev. 1A, Software Program Manual for Common Q Systems
  • 956080 Rev. 1, ICCMS-86
  • WEC 6.1 Rev. 2, "Document Control"
  • NSNP 3.3.3 Rev. 3, "Design Verification by Independent Design Review or Alternate Calculation"
  • WNA-VR-00279-WBT Rev. 4, RTM for Common Q PAMS
  • WNA-RL-00646-WBT Rev. 5, Common Q Software Release Report for WBN2 PAMS Train A
  • WNA-VR-00283-WBT-P Rev. 4, IV&V Summary Report
  • WNA-U-00058-WBT-P Rev. 3 Draft, Common Q PAMS Licensing Technical Report
  • WNA-AR-00201-WBT Rev. 0, PAMS Compliance with Application Restrictions (RTM for Restrictions)
  • WNA-VR-00280-WBT Rev. 2, RTM for RVUS Custom PC Elements
  • WNA-TR-02413 Rev. 0 & Rev. 1, PAMS CIT/FAT Test Report
  • WNA-DS-01070-Gen Rev. 5, Application Restrictions for Generic Common Q Qualifications
  • WNA-TR-02387-WBT Rev. 1, PAMS FPD SW Test Report
  • WNA-TR-02210-GEN Rev. 1, Element Software Test Report for DHCALC Custom PC Element
  • WNA-PT-00138-WBT Rev. 0, PAMS Test Plan
  • WNA-PT-00138-WBT-P Rev. 0, PAMS Test Plan
  • APP PMS-TS-001 Rev. 1, AP1000 Test Plan
  • Page 7-17 of AP100 DCD SER
  • WNA-TP-02673-GEN Rev. 0, Element Software Test Procedure for DHCLAC Custom PC Element
  • QA Audit Plan for Common Q PAMS
  • WNA-PD-00073-WBT Rev. 0, Project Plan for WBN2 NSSS Completion I&C
  • WNA-ER-00105-WBT Rev. 0, WBN2 PAMS Preliminary Design Review
  • WNA-ER-00143-WBT, CQ PAMS Final Design Review

Configuration Management

  • WNA-WI-00157-Gen, Rev. 1, September 2010, Microsoft Visual SourceSafe Work Instructions for the IV&V Software Librarian
  • WNA-RL-00441-Gen, Rev. 7, Custom PC Element Library Software Release Record
  • WNA-RL-00441-GEN_Rev7_Verified, Rev 0, Custom PC Element Library Software Release Record
  • WEC-10-63 Dated February 7, 2011. Internal Audit
  • WNA-WI-00050-GEN, Rev 3, September 2010, Work Instructions for Storing AC160 Files in Microsoft Visual SourceSafe
  • 00000-ICE-3889, Rev. 12, Coding Standards and Guidelines for Common Q Systems

  • WNA-WI-00121-GEN, Rev. 1, Common Q ER & SCR Work Instruction
  • WNA-WI-00179-GEN, Rev. 0, October 2010, Generic Common Q: Common Q Software Optical Media Work Instruction
  • WNA-WI-00054-GEN, Rev. 3, November 2009, Work Instructions for Releasing AC160 Code
  • Configuration Management, NA 4.37 Rev 1, 04/20109
  • WNA-IG-00109-GEN, Rev. 0, November 2007, Configuration Management Implementation Guideline
  • WNA-TR-02413-WBT, Rev. 1, February 2011, Post Accident Monitoring System Channel Integration Test/Factory Acceptance Test Report
  • WNA-VR-00283-WBT-P, Rev. 4, IV&V Summary Report for the Post Accident Monitoring System
  • Exception Report DT-BOB SCR-511 "Revise the Static crossover code in LVLMTR CPCE" issue date 10/13/2010
  • WNA-RL-00646-WBT, Rev. 2, Common Q Software Release Record for Watts Bar Unit 2 PAMS Train A, PAMA
System, CALLBACKS_C-00-022010/11/03
  • WNA-RL-00646-WBT Rev 4, Common Q Software Release Record for Watts Bar Unit 2 PAMS Train A, PAMA
  • Assessment of Software Configuration Management Plan for Common Q Projects, Received 3/4/2011

Verifications and Validation

DISTRIBUTION:

RidsOgcRp Resource; RidsRgn2MailCenter Resource; PUBLIC; RidsNrrDorlLpwb Resource; RidsNrrDeEicb Resource; LPWB Reading File; RidsNrrLABClayton Resource; RidsNrrPMWattsBar2 Resource; RidsAcrsAcnw_MailCTR Resource; NCarte, NRR

ADAMS Accession No. ML110980761

OFFICE | LPWB/PM | LPWB/LA | EICB/BC | LPWB/BC
NAME | JPoole | BClayton | GWilson* | SCampbell
DATE | 4/22/11 | 4/22/11 | 3/28/11 | 4/27/11

* via memo

OFFICIAL AGENCY RECORD