ML18008A054

From kanterella

Regulatory Audit Report for November 28-30, 2017, Mitsubishi Electric Corporation Safety System Digital Platform - Meltac (Mitsubishi Electric Total Advanced Controller) Topical Report Revision 0
ML18008A054
Site: 99902039
Issue date: 03/23/2018
From: Joseph Holonich, NRC/NRR/DLP/PLPB
To: G. Remley, Mitsubishi Electric Power Products
References: EPID L-2014-TOP-0006, TAC MF4228


Text

March 23, 2018

Mr. Gilbert W. Remley
Nuclear Systems Department Manager
Mitsubishi Electric Power Products, Inc.
547 Keystone Drive
Warrendale, PA 15086

SUBJECT: REGULATORY AUDIT REPORT FOR NOVEMBER 28-30, 2017, MITSUBISHI ELECTRIC CORPORATION SAFETY SYSTEM DIGITAL PLATFORM - MELTAC [MITSUBISHI ELECTRIC TOTAL ADVANCED CONTROLLER] - TOPICAL REPORT REVISION 0 (EPID L-2014-TOP-0006; TAC NO. MF4228)

Dear Mr. Remley:

By letter dated April 30, 2014 (Agencywide Documents Access and Management System Accession No. ML14121A415), Mitsubishi Electric Corporation (MELCO) submitted for U.S. Nuclear Regulatory Commission (NRC) staff review the Licensing Topical Report (LTR), Safety System Digital Platform - MELTAC - Topical Report Revision 0. The LTR is supported by documentation that includes plans, requirements, design specifications, programming and hardware testing, independent verification and validation, and equipment qualification testing.

From November 28, 2017, through November 30, 2017, the NRC staff performed a regulatory audit at the MELCO facility in Warrendale, Pennsylvania. The purpose of this letter is to provide MELCO with the results of the regulatory audit. The observations the NRC staff identified during the audit are documented in the enclosed report.

If you have any questions regarding this matter, I may be reached at 301-415-7297 or by electronic mail at Joseph.Holonich@nrc.gov.

Sincerely,

/RA/

Joseph J. Holonich, Senior Project Manager
Licensing Processes Branch
Division of Licensing Projects
Office of Nuclear Reactor Regulation

Docket No. 99902039

Enclosure:

Regulatory Audit Report

ML18008A054; *concurrence via e-mail NRR-106

OFFICE  NRR/DLP/PLPB/PM  NRR/DLP/PLPB/LA*  NRR/DE/EICB/BC  NRR/DLP/PLPB/BC  NRR/DLP/PLPB/PM
NAME    JHolonich        DHarrison         MWaters         DMorey           JHolonich
DATE    02/28/2018       02/27/2018        03/12/2018      03/20/2018       3/23/2018

U.S. NUCLEAR REGULATORY COMMISSION STAFF REGULATORY AUDIT REPORT FOR THE MITSUBISHI ELECTRIC CORPORATION TOTAL ADVANCED CONTROLLER DIGITAL PLATFORM LICENSING TOPICAL REPORT

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) staff is performing a safety evaluation (SE) of the Mitsubishi Electric Corporation (MELCO) Licensing Topical Report (LTR), Safety System Digital Platform - MELTAC [Mitsubishi Electric Total Advanced Controller] - Topical Report (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14121A413). MELCO is seeking generic approval of the MELTAC platform for use in safety systems in nuclear power plants.

REGULATORY AUDIT BASES

As part of its evaluation, the NRC staff conducted an audit of the MELCO design and development processes used for the MELTAC platform. This audit was performed in accordance with Office of Nuclear Reactor Regulation Office Instruction LIC-111, Regulatory Audits (ADAMS Accession No. ML082900195), at the MELTAC offices in Warrendale, Pennsylvania. The audit was performed in accordance with the audit plan that was sent to MELCO on September 27, 2017 (ADAMS Accession No. ML17243A384).

The basis of this audit was the MELCO LTR and the following regulations and regulatory guidance:

  • The Code of Federal Regulations, Title 10 (10 CFR), Section 50.54 (10 CFR 50.54), Conditions of licenses, (jj), and 10 CFR 50.55, Conditions of construction permits, early site permits, combined licenses, and manufacturing licenses, (i), require that structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
  • 10 CFR 50.55a, Codes and standards, (h), Protection and Safety Systems, incorporates the 1991 version of Institute of Electrical and Electronics Engineers (IEEE) Standard 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, by reference, including the correction sheet dated January 30, 1995.
  • 10 CFR Part 50, Appendix A, General Design Criterion (GDC) 24, Separation of protection and control systems; GDC 25, Protection system requirements for reactivity control malfunctions; and GDC 29, Protection against anticipated operational occurrences.

NUREG-0800, NRC Standard Review Plan (SRP), Chapter 7, Table 7.1 (ADAMS Accession No. ML070460342), identifies the Regulatory Guides (RGs), branch technical positions (BTPs), and industry standards that contain information, recommendations, and guidance and, in general, provide an acceptable basis for implementing the above requirements for both the hardware and software features of safety-related (SR) digital instrumentation and control (I&C) systems.

Regulatory Audit Scope

The purpose of the audit was to assess the capabilities of the MELTAC platform and to determine whether a safety system based on the MELTAC platform will be capable of meeting the criteria described in the previous section.

The NRC staff reviewed non-docketed procedures and records related to the MELTAC platform development processes. The NRC staff evaluated the effectiveness of software development activities to confirm that the processes described in the MELTAC LTR are being implemented correctly to achieve a high quality digital I&C platform that can be used to perform SR functions in nuclear power plants. The NRC audit team consisted of Richard Stattel and Samir Darbali of the Office of Nuclear Reactor Regulation (NRR), and Dinesh Taneja of the Office of New Reactors (NRO).

Entrance Meeting

The NRC staff provided an overview of the audit plan and discussed the objectives for the audit. Facility logistics and the detailed schedule of audit activities were then reviewed and revised to accommodate the availability of participants. Several interviews with key MELCO individuals were scheduled for later in the week.

Presentations by MELCO

MELCO provided a presentation of the Mitsubishi company history as well as a product background discussion of the MELTAC platform. These presentations were followed by a demonstration of the MELTAC systems being used in the Advanced Pressurized Water Reactor (APWR) simulator.

Feedwater Control System Demonstration - MELCO demonstrated an application of a MELTAC processor as a digital feedwater controller. During this presentation, a variety of transients were introduced to the simulated system to show how the MELTAC controllers responded. Faults were also introduced into the MELTAC controller system to show how a backup processor can assume control functions to maintain system control over the simulated plant processes. In one scenario, both the main and backup processors were placed into a faulted state to show the fail-safe performance of the system.

Commercial Grade Dedication Presentation - MELCO presented the 10 CFR Part 50, Appendix B compliant commercial grade dedication process used for dedicating components of the MELTAC platform. A commercial grade dedication report was submitted to the NRC and is being reviewed as part of the MELTAC platform evaluation.

Programming Chassis Demonstration - At the NRC staff's request, MELCO provided a demonstration of the programming procedures used for a MELTAC processor. This demonstration included a normal MELTAC central processing unit (CPU) chassis, a programming chassis, the MELTAC engineering tool (MELENS), and the Memory Integrity Check (MIC) function. During the demonstration, the CPU module was removed from the normal CPU chassis and placed in the programming chassis. MELENS was used to make an application configuration change to the CPU module installed in the programming chassis. The MIC was then used to compare the application software resident in the CPU module with the image held in MELENS. After confirming that the application software had been correctly transferred to the CPU module, the module was returned to the normal CPU chassis.

During this demonstration the NRC staff also observed the MELTAC platform secure operational environment controls implemented to prevent inadvertent changes to the application software.
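The integrity check in the demonstration above compares what is actually resident in the CPU module against the image held by the engineering tool. The following is an added example written for this page; it is not MELCO's code, and the MELENS, MIC and CPU-module interfaces are not public, so the read-back function, the block size and the image layout are assumptions. It shows the shape of such a check: a block-wise comparison of the image read back from the module against the reference, reporting the first divergent offset, beside the weaker alternative of trusting a digest the module reports about itself, which a faulty or tampered module could report incorrectly.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

BLOCK_SIZE = 256  # comparison granularity; assumed, MELTAC's actual block size is not public


@dataclass
class IntegrityResult:
    match: bool
    reference_digest: str
    readback_digest: str
    first_bad_block: Optional[int]   # index of the first divergent block, None on match
    first_bad_offset: Optional[int]  # byte offset of the first divergence, None on match


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def compare_images(reference: bytes, readback: bytes) -> IntegrityResult:
    """Compare the image read back from a module against the tool's reference.
    A truncated or extended read-back counts as a failure at the shorter image's end."""
    ref_d, rb_d = digest(reference), digest(readback)
    if ref_d == rb_d and len(reference) == len(readback):
        return IntegrityResult(True, ref_d, rb_d, None, None)
    n = min(len(reference), len(readback))
    for off in range(n):
        if reference[off] != readback[off]:
            return IntegrityResult(False, ref_d, rb_d, off // BLOCK_SIZE, off)
    # common prefix is identical, so the difference is the length
    return IntegrityResult(False, ref_d, rb_d, n // BLOCK_SIZE, n)


class SimulatedModule:
    """Constructed stand-in for a CPU module's application memory (not a real interface).
    read_back() returns the true contents; self_reported_digest() returns whatever the
    module claims, which is the value a compromised or faulty module could misreport."""

    def __init__(self, contents: bytes, claimed_digest: Optional[str] = None):
        self._mem = bytearray(contents)
        self._claimed = claimed_digest

    def read_back(self) -> bytes:
        return bytes(self._mem)

    def self_reported_digest(self) -> str:
        return self._claimed if self._claimed is not None else digest(self._mem)

    def corrupt(self, offset: int, value: int) -> None:
        self._mem[offset] = value


def verify_module(reference: bytes, module: SimulatedModule) -> IntegrityResult:
    """MIC-style check: compare the read-back contents, not the module's own claim."""
    return compare_images(reference, module.read_back())


def trust_self_report(reference: bytes, module: SimulatedModule) -> bool:
    """The weaker check, shown for contrast: accept the digest the module reports."""
    return digest(reference) == module.self_reported_digest()


HEADER = b"MELTAC-APP-EXAMPLE\x00"  # constructed header, not a real MELTAC image format


def build_reference_image() -> bytes:
    # Constructed 2048-byte application image: header, a 4-entry setpoint table, filler.
    setpoints = b"".join(int(v).to_bytes(2, "big") for v in (2250, 1800, 560, 120))
    filler = bytes((i * 7) % 256 for i in range(2048 - len(HEADER) - len(setpoints)))
    return HEADER + setpoints + filler


if __name__ == "__main__":
    ref = build_reference_image()
    print("clean module passes read-back check:", verify_module(ref, SimulatedModule(ref)).match)

    # A module whose setpoint table was altered but which still claims the reference digest:
    # the read-back comparison catches it, the self-report does not.
    bad = SimulatedModule(ref, claimed_digest=digest(ref))
    bad.corrupt(len(HEADER) + 1, 0xFF)
    r = verify_module(ref, bad)
    print("tampered module, read-back check:", r.match, "first bad offset:", r.first_bad_offset)
    print("tampered module, self-report check:", trust_self_report(ref, bad))
```

The point of the contrast is the one the demonstration relied on: the engineering tool holds the reference, and the evidence is the module's actual memory contents, not a summary the module computes about itself.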

Anomaly Process Review

Prior to the audit, MELCO was asked to prepare for discussions on a selected anomaly report that identified an issue with a program-specification verification and validation (V&V) checklist.

During the audit, MELCO presented the documentation associated with this anomaly and explained the processes used for issue resolution. The NRC staff then selected two additional anomaly reports that had been generated during the MELTAC development process and reviewed the associated documentation to evaluate and confirm understanding and use of the anomaly resolution processes.

The NRC staff found that anomalies are screened and reviewed in accordance with the MELCO 10 CFR Part 50, Appendix B quality assurance (QA) program. Where an anomaly identified a condition adverse to quality, such as a failure, malfunction, deficiency, deviation, defective material or equipment, or non-conformance, the condition was promptly identified and corrected.

MELCO reviews of anomaly reports include a process for identifying significant conditions adverse to quality.

The corrective measures reviewed by the NRC staff indicated that the causes of each condition were determined and corrective actions were taken to preclude recurrence. The NRC staff observed that the identification of significant conditions adverse to quality, including the cause of the condition and the corrective action taken, was documented and reported to the appropriate levels of MELCO management.

Requirements Thread Reviews

To facilitate performance of requirements thread reviews, the NRC staff asked MELCO to prepare and discuss requirements traceability for several MELTAC system requirements.

MELCO presented each of these requirements and explained how the requirements had been implemented and tested during the MELTAC development processes. MELCO showed how the Requirements Traceability Matrices (RTMs) were used to trace requirements to the design development activities performed.

For independent V&V (IV&V) activities, separate tables were created by the IV&V team showing how the required V&V activities were performed for each system requirement of the MELTAC platform components. These V&V compliance tables are included as appendices in the various component test reports, and they also provide pointers to the specific test cases within those reports.

By referring to the RTMs and the IV&V tables in the test reports, the NRC staff was able to trace selected requirements to design implementation documents and to software coding and test documents. The NRC staff was also able to use the IV&V tables to confirm performance of the required V&V activities as delineated in the MELTAC software V&V plan.

Five requirements were successfully evaluated by the NRC staff.
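A requirements thread review of the kind described above follows two artifacts for each requirement: the RTM row that links it to design, code and test, and the IV&V table row that records which V&V activity covered it and where the evidence lives. The following added example is not MELCO's RTM or IV&V table format; the record layout, the required link and activity kinds, and the sample requirement, document and test-case identifiers are all constructed for illustration. It automates the check an auditor performs by hand on a thread: every requirement must have a design element, an implementation element and a test case, every required V&V activity must be recorded as complete, and any test case no requirement points at is flagged as an orphan.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Link kinds an RTM row must carry for the requirement to be fully traced (assumed).
REQUIRED_LINKS = ("design", "code", "test")
# V&V activities that must be recorded complete for each requirement (assumed).
REQUIRED_VV = ("design review", "code review", "component test")


@dataclass
class Requirement:
    """One RTM row: requirement ID, text, and the artifacts it traces to."""
    rid: str
    text: str
    design: Set[str] = field(default_factory=set)
    code: Set[str] = field(default_factory=set)
    test: Set[str] = field(default_factory=set)


@dataclass
class VvRecord:
    """One IV&V compliance-table row: activity, evidence pointer, completion status."""
    rid: str
    activity: str
    evidence: str
    complete: bool


@dataclass
class ThreadReport:
    fully_traced: List[str]
    missing_links: Dict[str, List[str]]  # rid -> RTM link kinds that are absent
    missing_vv: Dict[str, List[str]]     # rid -> V&V activities absent or not complete
    orphan_tests: List[str]              # test cases no requirement links to


def follow_threads(rtm: List[Requirement], vv: List[VvRecord],
                   known_tests: Set[str]) -> ThreadReport:
    completed_vv: Dict[str, Set[str]] = {}
    for rec in vv:
        if rec.complete:
            completed_vv.setdefault(rec.rid, set()).add(rec.activity)

    traced: List[str] = []
    missing_links: Dict[str, List[str]] = {}
    missing_vv: Dict[str, List[str]] = {}
    linked_tests: Set[str] = set()
    for req in rtm:
        link_gaps = [kind for kind in REQUIRED_LINKS if not getattr(req, kind)]
        done = completed_vv.get(req.rid, set())
        vv_gaps = [act for act in REQUIRED_VV if act not in done]
        linked_tests |= req.test
        if link_gaps:
            missing_links[req.rid] = link_gaps
        if vv_gaps:
            missing_vv[req.rid] = vv_gaps
        if not link_gaps and not vv_gaps:
            traced.append(req.rid)
    return ThreadReport(traced, missing_links, missing_vv, sorted(known_tests - linked_tests))


def sample_rtm() -> Tuple[List[Requirement], List[VvRecord], Set[str]]:
    # Constructed sample data; not MELTAC's actual requirements, documents or test cases.
    rtm = [
        Requirement("SR-101", "Detect a CPU self-diagnostic failure within one cycle",
                    {"DS-4.2"}, {"diag.c"}, {"TC-017"}),
        Requirement("SR-102", "Reject an application load unless the MIC comparison passes",
                    {"DS-6.1"}, {"loader.c"}, {"TC-031", "TC-032"}),
        Requirement("SR-103", "Fail to the defined safe state on watchdog timeout",
                    {"DS-4.5"}, set(), {"TC-020"}),      # RTM row has no code link
        Requirement("SR-104", "Record configuration changes with operator identity",
                    {"DS-7.3"}, {"audit.c"}, set()),     # RTM row has no test link
    ]
    vv = [
        VvRecord("SR-101", "design review", "VR-1 sec. 3", True),
        VvRecord("SR-101", "code review", "VR-2 sec. 2", True),
        VvRecord("SR-101", "component test", "TR-A TC-017", True),
        VvRecord("SR-102", "design review", "VR-1 sec. 4", True),
        VvRecord("SR-102", "code review", "VR-2 sec. 5", True),
        VvRecord("SR-102", "component test", "TR-A TC-031", False),  # not yet complete
        VvRecord("SR-103", "design review", "VR-1 sec. 4", True),
        VvRecord("SR-104", "design review", "VR-1 sec. 6", True),
        VvRecord("SR-104", "code review", "VR-2 sec. 7", True),
    ]
    known_tests = {"TC-017", "TC-020", "TC-031", "TC-032", "TC-040"}
    return rtm, vv, known_tests


if __name__ == "__main__":
    report = follow_threads(*sample_rtm())
    print("fully traced:", report.fully_traced)
    print("missing RTM links:", report.missing_links)
    print("missing or incomplete V&V:", report.missing_vv)
    print("orphan tests:", report.orphan_tests)
```

On the constructed data only SR-101 closes end to end; the other three each show a different way a thread fails, a missing code link, a missing test link, and a V&V activity recorded but not complete, which is the distinction the auditor needs when the RTM and the IV&V table are maintained as separate records.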

Configuration Management

The NRC staff conducted interviews with MELCO representatives to discuss the configuration management processes related to the storage and modification of the MELTAC platform software and controlled documents. The NRC staff asked several questions related to the storage of software and controlled documents and the check-out/check-in processes. MELCO walked the NRC staff through these processes and how they are implemented to prevent inadvertent changes to the software and controlled documents.

MELTAC Configuration Management Sheet Review

The NRC staff reviewed several configuration management sheets to gain an understanding of how MELTAC platform configurations were being captured and controlled in accordance with the Software Configuration Management Plan (SCMP). The table format of the configuration management sheets was found to be standardized, clear, and concise.

The NRC staff asked several questions on how these sheets were used to ensure correct configurations and how they would be updated to reflect approved configuration changes to MELTAC equipment. It was noted that the Configuration Status Sheets do not account for IV&V records. MELCO showed that V&V records were instead managed under a different process, and that these documents were listed in the V&V tables in the associated module Test Reports. The tables identifying V&V records were found to provide adequate traceability and control over the configuration of those records.

The NRC staff then accessed several additional configuration management sheets for various MELTAC components to ascertain the configuration status of those modules and associated records and to confirm that configuration status accounting processes were correctly implemented and were effective in controlling the MELTAC platform integrity.

Secure Development and Operational Environment

To support the secure development and operational environment portion of the audit, MELCO prepared a traceability matrix that demonstrates how the secure operational environment requirements are implemented in the MELTAC platform design as physical, logical, or administrative controls. Although the implementation of these controls is dependent on the application, the NRC staff was able to trace selected secure operational environment requirements described in the LTR to design implementation documents and to software coding and test documents.

Because MELTAC development activities are performed in Kobe, Japan, the NRC staff was unable to directly audit the secure development environment during the audit at the Warrendale facility. However, the NRC staff conducted interviews with MELCO representatives to discuss the physical, logical, and administrative controls implemented in the Kobe facility's development environment.

Specifically, MELCO explained the process for preventing inadvertent changes to the MELTAC platform software and controlled documentation. MELCO also made available to the staff several internal procedures used for defining, implementing, and maintaining the secure development environment of the MELTAC platform. The NRC staff found that the secure development environment controls described matched those identified in the LTR and the SPM (JEXU-1041-1016).

The NRC staff also reviewed a QA audit report for an audit conducted by the MELCO QA department in November 2016 that verified, in part, that secure development environment controls were satisfactorily implemented. MELCO informed the NRC staff that this type of audit is conducted annually, and that the most recent QA audit was performed in November 2017. However, the report for this most recent QA audit had not yet been completed at the time of the NRC audit in Warrendale.

MELCO informed the NRC staff that although there are procedures and internal audits that describe and evaluate the MELTAC secure environment controls, a formal vulnerability assessment of the MELTAC platform had not been documented. MELCO informed the staff that it will document the vulnerability assessment and make it available in the Network-Attached Storage (NAS) portal for staff review.

On January 16, 2018, MELCO provided on the portal the Conformance of MELTAC Platform Development to RG 1.152, Revision 3 [Criteria for Use of Computers in Safety Systems of Nuclear Power Plants (ADAMS Accession No. ML102870022)], which contains the MELTAC vulnerability assessment report. The staff reviewed this report and found that MELCO identified the development environment assets and equipment, identified and categorized the associated vulnerabilities, and identified the corresponding secure development controls. The report then identifies the final vulnerability level after taking these controls into account.

Generic Open Items and Plant-Specific Open Items Discussion

The NRC staff presented a draft list of Plant-Specific Action Items (PSAIs) that could be included in the MELTAC safety evaluation. This list is included as Appendix A to this report. Each draft item was explained, and potential NRC expectations for resolving these items during application development were discussed. One of these items included restrictions on the use of the Safety Video Display Unit (S-VDU) such that manual operator actions to control safety-related components could not be performed. MELCO explained that the intended applications for S-VDUs included credited manual operator actions and asked the NRC staff to evaluate and reconsider this PSAI. An open item was created to facilitate further discussions to determine the use of the S-VDU module in MELTAC applications.

The NRC staff also presented a draft list of Generic Open Items (GOIs) that could be included in the MELTAC safety evaluation. This list is also provided in Appendix A of this report. Each draft item was explained, and potential NRC staff expectations for resolving these items subsequent to issuance of the MELTAC safety evaluation were discussed. There are four GOIs that will need to be resolved before a plant will be able to install and operate a MELTAC-based safety system.

These GOIs identify MELTAC platform components that will likely be needed for a safety system application but do not currently meet the environmental qualifications to allow their use. These components are the Termination Unit module, the CPU fan module, and certain power supply modules. MELCO is expected to submit an update to the LTR for evaluation in order to close these GOIs upon completion of qualification testing. Once closed, these GOIs will no longer need to be addressed by licensees using the MELTAC platform for systems that include these components.

Exit Meeting

During the exit meeting, MELCO personnel were provided with a summary of the NRC staff observations made during the audit. The NRC staff also provided a list of audit-related documents requested to be placed onto the NAS server to support development of the audit report.

The NRC staff explained the changes to be made to the Open Items as a result of the audit activities and discussions, as follows:

  • A formally closed Open Item was re-opened due to a question of whether the APWR required reference to harsh environment installations of the MELTAC equipment. MELCO would like to keep referencing RG 1.89, Qualification of Class 1E Equipment for Nuclear Power Plants (ADAMS Accession No. ML012880422), in Safety System Digital Platform - MELTAC - Topical Report (JEXU-1041-1008), to maintain consistency with the US-APWR design, which references RG 1.89 even for mild environments. During the audit, the NRC staff reviewed the technical report referenced by the US-APWR Design Certification and found that it referenced mild environment criteria and therefore was not intended to be approved for harsh environment conditions. This has since been resolved, and the MELTAC LTR safety evaluation will only allow use of MELTAC equipment when installed in mild environments.

  • A new Open Item was created based on an agreement made during the audit to include the qualified MELTAC Component Table proposed for the NRC staff safety evaluation to allow MELTAC to comment and provide feedback.
  • A new Open Item was created to address discrepancies within the MELTAC LTR identified during the audit with the Power Interface Module configurations.
  • The Open Item on vulnerability assessment is being held open pending a MELCO action to make the MELTAC system vulnerability analysis document available for NRC staff review on the NAS portal.
  • A new Open Item was created to address a proposed PSAI for inclusion into the safety evaluation which restricts the use of the S-VDU. MELCO requested that the NRC revise this PSAI based on its intended application use of S-VDU as a means of manually controlling safety related plant components.

Audit Objectives Achieved

During this audit, the NRC staff performed interviews with members of the design, V&V, and QA organizations. The NRC staff determined that an adequate level of independence exists between these organizations and that an appropriate level of technical competence is established and maintained within the IV&V staff.

Software Verification and Validation - By conducting several requirements thread reviews, the NRC staff was able to confirm that the MELTAC platform software V&V program met the criteria outlined in the MELTAC Software Verification and Validation Plan (SVVP), which was developed in accordance with IEEE Standard 1012, IEEE Standard for Software Verification and Validation. The MELTAC V&V program is implemented in a manner that reliably verifies and validates design outputs at each stage of the MELTAC software development process.

Configuration Management - By reviewing the SCMP and the configuration management sheets for various MELTAC components, the NRC staff was able to verify the MELTAC configuration management processes include control measures for both hardware and software configuration management. The configuration management programs used for the MELTAC platform were found to be effectively controlling the platform components being evaluated.

Software Quality Assurance (SQA) - The NRC staff reviewed several MELCO QA procedures made available on the NAS portal and interviewed MELCO personnel to assess the effectiveness of the SQA program as defined in the Software Quality Assurance Plan (SQAP). The SQAP was found to conform to the requirements of 10 CFR Part 50, Appendix B, and the MELCO overall QA program. The MELTAC SQAP identifies which QA procedures are applicable to specific software processes. It also identifies particular methods for implementing QA procedural requirements. The NRC staff found the MELTAC SQAP to be an effective augmentation of the overall MELCO QA programs.

Software Safety - The NRC staff verified that software safety plans and procedures used for MELTAC safety analysis activities are effective at ensuring software safety. The review of anomaly reports indicated that MELCO personnel have an understanding of the importance of identifying issues that could affect product and plant safety and of the processes for resolving identified problems. For each of the anomalies reviewed by the NRC, the method of identification was documented and an assessment of the severity level of the anomaly was performed by MELCO in order to determine the level of safety impact. The NRC staff was also able to follow the documentation trail and to review the activities credited for resolving each of the identified anomalies.

Secure Development Environment - The NRC staff reviewed information pertaining to the MELTAC platform development environment. The results of this review activity will be used to determine conformance to the secure development environment requirements of RG 1.152, Revision 3.

Because MELTAC development activities are performed in Kobe, Japan, the NRC staff was unable to directly audit the secure development environment during the audit at the Warrendale facility.

List of Audit Participants (Name, Role/Title, Organization):

  • Richard Stattel, Lead Technical Reviewer, NRC/NRR
  • Samir Darbali, Technical Reviewer, NRC/NRR
  • Dinesh Taneja, Sr. Electronics Engineer, NRC/NRO
  • Akira Kubo, Design Team I&C Engineer, MELCO
  • Tomonori Yamane, Design Team I&C Engineer, MELCO
  • Tomohide Ishikawa, Design Team I&C Engineer, MELCO
  • Hitomi Sasaki, Design Team I&C Engineer, MELCO
  • Takumi Hiyamizu, Design Team I&C Engineer, MELCO
  • Yoshinori Tani, Design Team I&C Engineer, MELCO
  • Makoto Ito, V&V Team I&C Engineer, MELCO
  • Manabu Taniguchi, Senior Manager, MELCO
  • Kazushi Sasashige, Information Technology Section, MELCO
  • Makoto Shibahara, Quality Assurance Section, MELCO

Appendix A

Draft List of Potential Plant-Specific Action Items and Generic Open Items (November 28, 2017)

1.0 PLANT-SPECIFIC ACTION ITEMS

The following plant-specific actions should be performed by an applicant or licensee referencing this safety evaluation for a safety-related system based on the Mitsubishi Electric Total Advanced Controller (MELTAC) platform.

1.1 MELTAC Platform Changes - An applicant referencing this safety evaluation should demonstrate that the MELTAC platform used to implement the plant-specific system is unchanged from the generic platform addressed in this safety evaluation. Otherwise, the licensee should clearly and completely identify any modification or addition to the generic MELTAC platform as it is employed and provide evidence of compliance by the modified platform with all applicable regulations that are affected by the changes. In addition, the applicant must verify that modules, features, and/or functions that require configuration are properly configured and tested to meet system requirements.

1.2 Error and Failure Detection and Management - An applicant or licensee referencing this safety evaluation must review the defined system failure states and ensure these states are consistent with system requirements. The applicant should review how errors and failures are indicated and managed upon being detected.

1.3 Application Software Development Process - An applicant or licensee referencing this safety evaluation should provide oversight to ensure the development of its Application Software was performed in accordance with a process that is equivalent to the one described in the MELTAC Platform Application Software Program Manual (Reference 30.1) as evaluated in Section TBD of this safety evaluation.

1.4 System Cycle Time - The licensee must perform timing analyses and functional testing of the application implementation and system configuration to demonstrate that response time performance satisfies the application-specific requirements established in the plant's safety analysis report.

1.5 Plant-Specific Equipment Qualification - The licensee must demonstrate that the generic qualification envelope established for the MELTAC platform bounds the corresponding plant-specific environmental conditions (i.e., temperature, humidity, radiation, and Electro-Magnetic Compatibility (EMC)) for the location(s) in which the equipment is to be installed.

The licensee should ensure that specific equipment configuration of MELTAC components to be installed is consistent with that of the MELTAC equipment used for environmental qualification tests.

1.6 Plant Specific Seismic Qualification - An applicant or licensee referencing this safety evaluation must demonstrate that the qualified seismic withstand capability of the MELTAC platform bounds the plant-specific seismic withstand requirements. See Section TBD of this safety evaluation for boundary conditions established for the MELTAC platform during Seismic testing.

1.7 Magnetic Field Installation Restrictions - An applicant or licensee referencing this safety evaluation must demonstrate that the MELTAC platform is not installed in areas with strong magnetic fields.

1.8 Failure Modes and Effects Analysis - An applicant or licensee referencing this safety evaluation must perform a system-level Failure Modes and Effects Analysis (FMEA) to demonstrate that the application-specific use of the MELTAC platform identifies each potential failure mode and determines the effects of each. The FMEA should demonstrate that single failures, including those with the potential to cause a non-safety system action (i.e., a control function) that results in a condition requiring protective action (i.e., a protection function), cannot adversely affect the protection functions, as applicable.

1.9 Application-Specific System Reliability - An applicant or licensee referencing this safety evaluation should perform a deterministic system-level evaluation of the degree of redundancy, diversity, testability, and quality provided in a MELTAC platform-based safety system to determine whether the degrees provided are commensurate with the safety functions being performed. An applicant or licensee should confirm that the resultant MELTAC platform-based system continues to satisfy any applicable reliability goals that the plant has established for the system. This plant-specific action should consider the effect of possible failures, the system-level design features provided to prevent or limit the effects of those failures, and any application-specific inclusion of a maintenance bypass to support plant operations.

1.10 Setpoint Methodology - An applicant must perform an analysis of accuracy, repeatability, thermal effects, and other necessary data for use in determining the contribution of the MELTAC platform to instrumentation uncertainty in support of setpoint calculations. See Section TBD of this safety evaluation for additional information on MELTAC setpoint methodology.

1.11 System Testing and Surveillance - Since MELCO stated that a combination of surveillance, software diagnostics, and automatic self-tests are necessary to provide comprehensive coverage of all platform failures, the applicant must establish periodic surveillance testing necessary to detect system failures for which automatic detection is not provided. The applicant must also define appropriate surveillance intervals to provide acceptable comprehensive coverage of identifiable system failure modes.

1.12 Diversity and Defense-In-Depth Analysis - An applicant or licensee referencing this safety evaluation must perform a plant-specific Diversity and Defense-In-Depth analysis for safety system applications of the MELTAC platform.

1.13 DI&C ISG-04, Task Working Group #4: Highly-Integrated Control Rooms-Communications Issues (HICRc) - Although the NRC staff determined that the MELTAC platform includes features to support satisfying various sections and clauses of DI&C ISG-04 (ADAMS Accession No. ML083310185), an applicant or licensee referencing this safety evaluation must evaluate the MELTAC platform based-system for full compliance with this guidance. The applicant or licensee should consider its plant-specific design basis. This safety evaluation does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with its direct and indirect consequences.

1.14 IEEE Standard 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations - Although the NRC staff determined that the MELTAC platform supports satisfying various sections and clauses of IEEE Standard 603-1991, an applicant or licensee referencing this safety evaluation should identify the approach taken to satisfy each applicable clause of IEEE Standard 603-1991. Because this safety evaluation does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with their direct and indirect consequences, an applicant or licensee should identify its plant-specific design basis for its safety system application and the applicability of each IEEE Standard 603-1991 clause to its application-specific MELTAC platform-based safety system or component. In addition, the applicant or licensee should demonstrate that the plant-specific and application-specific use of the MELTAC platform satisfies the applicable IEEE Standard 603-1991 clauses in accordance with the plant-specific design basis and safety system application.

1.15 IEEE Standard 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations - Even though the NRC staff determined that the MELTAC platform supports satisfying various sections and clauses of IEEE Standard 7-4.3.2-2003, an applicant or licensee referencing this safety evaluation should identify the approach taken to satisfy each applicable clause of IEEE Standard 7-4.3.2-2003. The applicant or licensee should consider its plant-specific design basis. This safety evaluation does not address a specific application, establish a definitive safety system or protective action, or identify and analyze the impact of credible events along with its direct and indirect consequences. The applicant or licensee should identify its plant-specific design basis for its safety system application and the applicability of each IEEE Standard 7-4.3.2-2003 clause to its application-specific MELTAC platform-based safety system or component. Further, the applicant or licensee should demonstrate that the plant-specific and application-specific use of the MELTAC platform satisfies the applicable IEEE Standard 7-4.3.2-2003 clauses in accordance with the plant-specific design basis and safety system application.

1.16 Secure Development and Operational Environment - An applicant or licensee referencing this safety evaluation for a SR plant-specific application should ensure that a secure development and operational environment has been established for its plant-specific application, and that it satisfies the applicable regulatory evaluation criteria of RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

1.17 Safety Video Display Unit (S-VDU) - The S-VDU is not approved for use in a manner such that it is required to be operational when the MELTAC safety system is called upon to initiate an automatic safety function. If a licensee installs a MELTAC application that includes one or more S-VDUs, the licensee must verify that automatic control functions do not depend on the operation of the safety VDU processors. The use and failure modes of the S-VDU must be addressed in the plant-specific FMEA. See Section 3.5.2.6.

2.0 GENERIC OPEN ITEMS

On the basis of its review of the MELTAC platform, the staff has identified the following generic open items:

2.1 Qualified Platform Components - This safety evaluation is limited to components of the MELTAC Platform listed in Table 3.2-1 of this safety evaluation. Use of other components for safety related applications is not approved by the NRC and may be subject to additional regulatory evaluation and qualification testing.

2.2 Termination Unit Module - MELCO has not conducted seismic and environmental qualification testing on the PSND Termination Unit Module. Additional qualification testing of the PSND must be completed prior to implementation of these modules in safety related applications.

2.3 Central Processing Unit Fan Assembly Module - The fans used during equipment qualification testing were functionally equivalent to the KFNJ but not the same. Additional qualification testing of the KFNJ must be completed prior to implementation of these modules in safety-related applications.

2.4 Power Supply - Only the large capacity PPSJ-13 power supplies are qualified and approved for platform use. Use of other power supply modules, such as the small capacity PPSJ, will be application specific. Additional qualification testing of such power supplies must be completed prior to implementation of these modules in safety-related applications.