ML17193A373
| ML17193A373 | |
| Person / Time | |
|---|---|
| Site: | University of Lowell |
| Issue date: | 02/24/2020 |
| From: | Duane Hardesty Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| Hardesty D | |
UMLR Audit Open Items
File Name: UMLRR 2017 Audit Open Items list -- Final-February 2020.docx
Date Printed: 02/24/2020 4:03:38 PM
No. / Description / Status / Response
- 1. 7.1 In the SAR, the applicant should describe the I&C systems, including block, logic, and process flow diagrams showing major components and subsystems, and connections among them. The applicant should summarize the technical aspects, safety, philosophy, and objectives of the I&C system design and should discuss such factors as redundancy, diversity, and isolation of functions.
The UMLRR SAR provides details on the I&C system in Ch. 7; however, it is not clear which systems and descriptions are existing and which are new.
UMLRR should provide a copy of the SAR that contains change bars indicating new I&C systems descriptions (Ch. 7) and any new TS (Ch. 14). Alternatively, UMLRR may provide an addendum or errata stating the changes to be made by license renewal for the I&C system.
UMLRR should provide the detailed design bases of any TS and surveillance tests. Describe the SR intervals specific to design and operation of the new systems.
For each new or modified system, UMLRR should indicate whether the system is a safety or non-safety system.
Closed - by RAI response 7.1a and 7.2 (Refer to RAI responses submitted by letter dated October 18, 2019, ADAMS Accession No. ML19291C293, in response to the NRC staff's RAI dated July 19, 2019, ADAMS Accession No. ML18092B090).
In its RAI response, UML provided an erratum to supplement the LAR to annotate actual hardware (HW) and software (SW) changes.
UML stated they would provide, under oath or affirmation, an affidavit stating the NMP-1000 user manual provided by General Atomics (GA) is applicable to UMass-Lowell.
UML stated that technical specifications (TS) 3.2.3, 3.2.5, and 4.2.3 provide the minimum channel requirements, the setpoints, and the appropriate surveillance requirements (SR).
UML stated that the UMLRR items that could be considered as safety-related are specified in the proposed UML TSs.
- 2. 7.2 Design criteria and design documentation - Additional, potentially useful, documentation regarding the design criteria and bases for the General Atomics (GA) NMP systems is available. This documentation was prepared for other facilities. UMLRR should indicate which, if any, of the documents below are applicable and the extent of their applicability to the UMLRR I&C install:
T9S900D980-FME Rev A NMP-1000 Failure Modes Effects Analysis
NMP-1000 System Requirements Specification (SRS)
NLX-1000 SRS
T9S900D940-SYR_RevA NMP-1000
T9S900D950-SYR_RevA NLX-1000
NMP1000 manual (NMP-1000 LPC E117-1017 Rev1 (1990)).
Closed by audit review
UML stated they would provide correspondence from GA that would be submitted under oath or affirmation (O&A) that the documentation was applicable to the UML.
Additionally, UML provided correspondence from GA to UML that provided specific equipment modifications required to adapt the procured NMP-1000 to dual mode operation at the UMLRR.
- 3. Proprietary system documentation for docketing - All design documentation needs to be documented to be considered for use by the NRC in the licensing determination. All docketed information will be made publicly available unless the information is deemed to meet the criteria under 10 CFR 2.390 for withholding from public disclosure.
UMLRR should submit a request for withholding for any document submitted to the 50-223 docket with an affidavit from the content owner justifying withholding.
Closed by letter from content holder submitted pursuant to 10 CFR 2.390.
UML to obtain affidavit from GA for applicable design documentation.
By letter dated January 8, 2020 (ADAMS Accession No. ML20017A155), the NRC staff received a 10 CFR 2.390 withholding request, including redacted versions of the documentation from GA related to the UML docket (50-223).
- 4. 7.2.4 System performance analysis (the new components of the I&C system).
UMLRR should describe the operation of the I&C system and present the analysis of how the system design meets the design criteria and design bases. The discussion should include accuracy, reliability, adequacy and timeliness of I&C system action, trip setpoint drift, quality of components, redundancy, independence, and single failure criteria.
UMLRR should also include the bases of any TS and surveillance tests with intervals specific to the design and operation of the systems.
Closed - by RAI response 7.1a
In its RAI response, UML provided a description of how the I&C systems meet the applicable design criteria guidance of NUREG-1537, Section 7.2 for the reactor protection system. Additional information was provided for the ThermoFisherScientific (TFS) Log power and period meter (PPM) by letter dated April 10, 2019 (ADAMS Accession No. ML19100A273).
- 5. 7.2.4 System performance analysis for satisfaction of functional and environmental design requirements (the new components of the I&C system) as provided in documentation from the equipment vendor including hardware and software requirements specifications, factory acceptance testing, and facility integration test plans and results.
UMLRR should provide information showing that the system design requirements are met by the new components of the I&C system, for system performance such as:
Quality (vendor or facility program for; equipment qualification including electromagnetic compatibility, temperature, pressure, radiation, relative humidity, power surges, and operational cycling; real-time, deterministic performance; online and periodic test provisions; communications independence;
Closed - by RAI response 7.1a
In its RAI response, UML provided a description of how the I&C systems meet the applicable design criteria guidance of NUREG-1537, Section 7.2 for equipment qualification. Additional information was provided for the TFS Log PPM by letter dated April 10, 2019 (ADAMS Accession No. ML19100A273).
UML provided its written test plan and procedures for NRC staff review in NMP-1000 Linear Power Channel Installation Plan. Documentation was also provided on modifying the NMP-1000 to include natural convection mode.
UML provided vendor Acceptance Test results. (See item 2 for use of GA document).
Note: Vendor documentation states that the NMP-1000 was developed under NQA-1.
- 6. 7.2.5 Access Control and Cyber Security - UMLRR should explain how potential access control and cyber security vulnerabilities (physical and electronic) are adequately addressed for the digital safety system software and how administrative controls prevent/limit unauthorized physical and electronic access to critical digital assets.
UMLRR should describe or demonstrate physical access control, such as protective covers or recessed screwdriver adjustments (where control of access is provided to rooms in which safety system equipment is located), or otherwise provisions such as alarms and locks on safety system panel doors, to limit access to setpoint and calibration adjustments to the extent necessary to prevent inadvertent adjustments.
UMLRR should describe or demonstrate that setpoint, control, and configuration performed by software require supervisory software checks (e.g., redundant entry, system pop-ups) to ensure entry is intentional.
UMLRR should describe or demonstrate that all hardware and software modifications are controlled and documented.
Closed to 2020 Audit item for UML configuration management of facility parameters important to safety (e.g., when a change is made to software, is there reactor management confirmation of the new parameters?).
UML stated that facility procedures require:
- Password management*
- Key management
- Chain of custody
Passwords are strong and are changed when people are no longer on staff.
UML also stated that:
- the Maintenance port on NMP-1000 will be disabled,
- that there is no firmware software that is modified by UML staff, and
- the method of changing setpoint has not changed for NMP-1000.
In its RAI response, UML provided an example of required supervisory notification for equipment changes to include supervision or performance by the Chief Reactor Operator or Reactor supervisor for calibrating NMP-1000 parameters.
- 7. 7.2.6-3 The software developer software life cycle should be described, and the products that will be produced by that life cycle identified. The software developer can be the applicant/licensee, the vendor, a company working on behalf of either, or a commercial software development company.
If the system(s) contains specifically developed software, provide a description of the software development activities. If the software or system development was delegated to others, the authority, duties, verifying, and any activities that can affect the safety-related functions should be discussed.
Although not required, specific output documents that formally document the development process for the UMLRR upgrades would be helpful in documenting the successful completion/planning throughout the life cycle processes. The information to be reviewed may be contained in the following documents applicable to the UMLRR I&C upgrade:
Software Management Plan (SMP)
Software Development Plan (SDP)
Software Quality Assurance Plan (SQAP)
Software Integration Plan (SIntP)
Software Installation Plan (SInstP)
Software Maintenance Plan (SMaintP)
Software Training Plan (STrngP)
Software Operations Plan (SOP)
Software Safety Plan (SSP)
Software Verification and Validation Plan (SVVP)
Software Configuration Management Plan (SCMP)
Software Test Plan (STP)
Closed by letter from content holder submitted pursuant to 10 CFR 2.390 (related to available documentation in open item no. 2).
In its response to RAI 7.13b, dated October 18, 2019, UML stated it received an electronic communication dated 06/20/17, in which a representative of GA confirmed the UMLRR NMP1000 modules are identical to the INL NMP1000 modules detailed in the applicable GA documentation (RAI response 7.4a).
(See audit Item No. 2 for documents provided for NRC staff review)
- 8. 7.2.6-4 Digital upgrades - Describe how the safety system software development activities have been carried out in their entirety and that independent V&V (IV&V) was performed by individuals or groups with appropriate technical competence in an organization separate from the development and program management organizations. UMLRR should provide documentation that shows the plan for the V&V and IV&V tasks, and when available, the results confirming IV&V has been successfully accomplished.
UMLRR should provide documentation that a configuration management program appropriately traces changes to safety system software, from their point of origin to implementation, and addresses any impacts on system safety, control console, or display instruments.
UMLRR should demonstrate assurance that the required computer system hardware and software are installed in the appropriate system configuration, including a program to ensure that the correct version of the software/firmware is installed in the correct hardware components.
Closed to 2020 Audit of UML configuration management of facility parameters important to safety (related to documentation reviewed in audit open item no. 2).
Partially closed by reviewed documentation, RAI responses, and a letter* from content holder submitted pursuant to 10 CFR 2.390.
UML stated they would provide correspondence from GA that would be submitted under oath or affirmation (O&A) that the documentation was applicable to the UML.
(See audit Item No. 2 for documents provided for NRC staff review)
UML provided procedural examples for design bases, design requirements, integration, system tests and verification procedures.
- UML described CM control in its response to RAI 7.7. However, evidence was not provided of version control to validate current parameters or when parameters are changed.
- 9. 7.2.6-5 Software configuration management (CM) should include a determination that any software modifications, including firmware, during the design process, and after acceptance of the software for use, will be made to the appropriate version and revision of the software.
UMLRR should describe the actual methods being used at both the vendor and UMLRR, to ensure controls are properly implemented.
UMLRR should describe how software changes after initial delivery will be reviewed, tracked and documented.
Closed by UML RAI response and letter from content holder submitted pursuant to 10 CFR 2.390.
GA provided SW CM plan, Quality Assurance (QA) plan and SW development plan.
UML stated that software/firmware changes are not readily accomplished and normally would be performed by the manufacturer. No software/CM changes are performed after manufacturer makes them for Lowell procurement.
- 10. 7.2.6-6 The digital computer system equipment for the displays and processor, including hardware, software, firmware, and interfaces, should be reviewed to provide assurance that the required computer system hardware and software are installed on the appropriate system configuration.
UMLRR should provide a description of any applicable program used to ensure that the correct version of the software/firmware is installed on the correct hardware components.
Closed - by RAI response 7.6 and 7.7
UML stated that version verification will be added by UML Reactor checkout procedure for the NMP-1000 software version. UML also stated that the TFS Log PPM is completely analog. In its RAI response, UML stated that TS 6.2c requires the RSSC review and approval of proposed changes to the facility systems or equipment, procedures, and operations including the final check out procedure verifying the SW version.
- 11. 7.2.6-7 Evidence that the digital computer system equipment upgrade, including hardware, software, firmware, and interfaces, can perform its required functions should be provided.
UMLRR should provide a description of the following set of activities for the safety system software related to the I&C upgrade:
A test plan that addresses key aspects of the test program, such as scope, risks, tasks, resources, responsibilities, and acceptance (pass or fail) criteria for the software item being tested.
A test specification that provides test designs, test cases, and test procedures, including the detailed procedures and instructions for testing as well as the feature or test case acceptance criteria to be employed during the testing effort.
A test report, test incident reports, test logs, and test summary reports that provide for the recording and summarization of test events and that serve as the basis for evaluating whether test results meet the requirements for the system and software.
Closed to 2020 Audit of UML procurement specifications for design control of TFS Log PPM
Partially closed by reviewed documentation, RAI responses, and a letter* from content holder submitted pursuant to 10 CFR 2.390 for GA.
In its RAI response, UML provided evidence of UML/Vendor collaboration for ensuring the NMP-1000 met the requirements for the UMLRR (RAI response 7.9a, 7.11, and 7.12)
- 12. 7.6 Verify that the testing, calibration, and inspections of the control console instrumentation, display instruments, and safety systems for Drives control and Process controls are sufficient to show that, once performed, they confirm the operability of the related system. UMLRR verification should include confirming that surveillance test and self-test features address failure detection, self-test features (e.g., monitoring memory and memory reference integrity, using watchdog timers or processors, monitoring communication channels, monitoring central processing unit status, and checking data integrity), and actions taken upon failure detection.
UMLRR should identify any technical specification/surveillance requirements for minimum operability.
Closed - by RAI response 7.14
In its RAI response, UML stated that the proposed TS verifications include confirming that surveillance test and self-test features address failure detection, self-test features (e.g., monitoring memory and memory reference integrity, using watchdog timers or processors, monitoring communication channels, monitoring central processing unit status, and checking data integrity), and that appropriate actions are taken upon failure detection (related operator alarm and reactor scram).
- 13. Graded approach - Guidance for identifying the principal design criteria is provided on a system basis in Sections 7.3 through 7.7 of the ISG. Subsections in Section 7.2 provide guidance on digital upgrades, access control, and cyber security. Because UMASS Lowell is a 1 MWt NPR, a risk-informed or a graded approach may be appropriate in identifying or eliminating design criteria for further consideration. In what areas was a graded or risk-informed approach used? UMLRR should describe and provide justification for grading.
Closed - by RAI response 7.1
In its response to RAI 7.1, [as opposed to using a graded-approach] UML selected new equipment for the UMLRR that is in wide use at other similar research reactors. For example, the facility procured a wide range logarithmic power/period instrument (model TR-10) from ThermoFisher-Scientific (TFS), which has been installed and used at several NRC licensed non-power reactors, including: MURR, RINSC, NCSU, Ohio State University, Penn State University, Texas A&M, Oregon State University, Reed College, MU-Rolla, and UC-Irvine. Similarly, UML stated that the replacement NMP-1000 is a second-generation version of the NMP 1000, which was purchased to the same performance specification as that which is currently installed and in use.
- 14. UMLRR may propose the Thermo Fisher Scientific Neutron Flux Monitoring Systems in lieu of the equivalent GA NLW1000 system. The Thermo Fisher Scientific system is not described in the UMLRR application for license renewal that includes the proposed I&C upgrade. UMLRR should provide updated information pertaining to the Thermo Fisher system if it will be implemented.
Closed to 2020 Audit item for UML to post TFS documentation.
In its response to RAI 7.1a., UML stated a facility staff decision was made not to use the GA logarithmic power/period channel for technical reasons. Instead, the facility procured a wide range logarithmic power/period instrument (model TR-10) from ThermoFisher-Scientific (TFS). During the audit, UML also stated that they would continue to use the NLI (not using NLW) and in RAI response 7.4a., UML stated that the NLW and NLX systems do not apply.
- 15. The NRC reviewers noted unused code was detected and subsequently removed as noted in 4.2.1.2 of the document: T9S900D980-FME RevA NMP-1000 Failure Modes Effects Analysis.pdf
UMLRR should verify and document this unused code was removed from subsequent NMP-1000 units, specifically the one sold to UMass.
Closed - by RAI response 7.13.a
In its RAI 7.13a. response, UML stated it had received an electronic communication dated 07/14/17, in which a GA representative confirmed the unused code was removed from all product releases, including the NMP1000 modules procured by UMLRR.
- 16. The UMLRR safety analysis report (SAR) submitted for license renewal indicates 16 Alarms and Indicators. According to 50.59 screen 16-01, there are 22 alarms and indicators. UMLRR should update the SAR to indicate the additional alarms and indicators. Also, indicate where these alarms previously resided or if they are new alarms.
Closed - by RAI response 7.3.b and Appendix B
UML stated in its RAI 7.3.b response that Table 7-1 is inclusive of the facility changes associated with I&C. The requested 50.59 reviews are included in the appendix B of the response.
- 17. The UMLRR SAR describes a Failure Analysis for components of the I&C system. For example, 7.4.1.1.5 describes the output neither increasing nor decreasing. The SAR then states that the linear power channels operate independently (1 of 2 mode). This description does not appear to meet the TS requirements for the minimum number of channels nor to be a detectable failure (i.e., system is actually 1 of 1). See also 7.4.1.2.5.
UMLRR should consider developing a table (or similar) that provides the diversity, redundancy, and defense-in-depth for (and between) monitoring to protect from safety-related failures.
Closed by audit review
During the audit, UML stated that the two linear channels (NMP-1000) operate independently of each other; i.e., either channel is capable of scramming the reactor. However, TS Table 3.2.3-1, item 2, and TS Table 3.2.5-1, item 3, only rely on one of the two channels (do not take credit in SAR or TS for redundancy).
- 18. Intentionally blank to preserve numbering of Open Items N/A N/A
- 19. To determine if the human-system interface (HSI) aspects of a display modification have an adverse effect on UFSAR-described design functions, potential impacts due to the number and/or type of parameters displayed by and/or available from the HSI should be addressed in the Screen.
According to 50.59 screen 16-01, there are 6 additional alarms and indicators on the new display panel. Consideration of a digital modification's impact due to the number and/or type of parameters displayed by and/or available from the HSI involves an examination of the actual number and/or type of parameters displayed by and/or available from the HSI and how they could impact the performance and/or satisfaction of UFSAR-described design functions. An increase in the amount of information that is provided such that the amount of available information has a detrimental impact on the operator's ability to discern a particular condition or to perform a specific task. The evaluation should also consider logical grouping and relevance.
Closed - by RAI response 7.3.b and Appendix B
In its RAI response, UML provided a copy of all 50.59 reviews related to the UMLR I&C systems (Appendix B).
- 20. The UMLRR SAR states the ARMS was installed in 1999, the PCS in 2001, and the DCS in 2003. Each system was installed under 10 CFR 50.59, and subsequently reviewed during routine inspections.
UMLRR is requested to provide copies of the listed 50.59 reviews for the I&C audit. Other 50.59 modifications to the facility since last license renewal are also requested, if any.
Closed - by RAI response 7.3
In its RAI response, UML provided a copy of all 50.59 reviews related to the UMLR I&C systems (Appendix B).
- 21. UMLRR SAR, Section 7.6.2.1 Failure Analysis states each HMI employs a failsafe watchdog timer that activates trip relays in the scram circuit.
UMLRR is requested to provide additional information on the watchdog, including whether they are required by UMLRR TSs and how they are surveilled.
Closed - by RAI response 7.14
In its RAI response, UML provided an explanation of when and how the watchdog timer activates the trip relays in the scram circuit.
- 22. The UMLRR SAR describes many alarm and trip functions that activate trip relays or contacts in the RPS scram circuit. However, no diagram is provided for the Scram circuit train showing the arrangement and configuration of the circuit.
UMLRR should provide a diagram depicting the overall trip circuit showing how each circuit is arranged to ensure a protective system action interrupting the scram circuit.
Closed to 2020 Audit
UML provided diagram in its RAI response. However, the document was not readable.
Follow-on request submitted under 2020 audit.