ML19225B369
| ML19225B369 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 06/12/1979 |
| From: | Engle L, Stolz J Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML19225B367 | List: |
| References | |
| SER-790612, NUDOCS 7907250072 | |
| Download: ML19225B369 (10) | |
Text
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION SUPPORTING AKNDtiNT NO.12 (ARKANSAS POER AND LIGHT COWANY )
00CKET NO. 50-368 A.
Redundant Valve Position I ndication In Supplement No. 2 to the Arkansas Nuclear One-Unit 2 (MO-2) Safety Evaluation Report we stated that the Arkansas Power and Light Company (licensee) had comitted to providing redundant Class IE valve position indication in the control room for recirculation valve 2CV-5628-2.
The valve is located in the recirculation line from the engineered safety feature system punps to the refueling water storage tank.
The licensee submitted schematic diagrams for implementation of the required design modifications and verified that the installed equipnent would be environmentally and seismically qualified to maintain operability as required for this safety system.
Based on or, review of the schematics ar.o the licensee's comitments, we found 'ne design modifica*.ons to be acceptable.
However, the licensee stated that implementation of the design modifications could not be t.ompleted until after fuel loading because of procurement sched ul es. Therefore, in Menh_:t No. I to Operating License NPF-6, license condition 2.C.(3)(m) stir alated that design modifications for Valve 2C-5628-2 should be completed within six months from issuance on September 1,1978, of Mendmer.t tb.1.
On March 1,15
, the licensee advised us that the implementation of the design modifications had been completed and by letter dated April 4,1979, the Office of Inspection and Enforces. ent verified that the design modifications had been completed ir accordance with license condition 2.C.(3 )(m). Therefore, we find that the condition as stipulated in condition 2.C.(3)(m) has been fully satisfied, is no longer necessary and we conclude that Facility Operating License NF-6 can be amended by removing license conoition 2.C.(3)(m).
B.
Core P rotection C alculator System (CPCS) P osition N o.19, S oftware S of tware Chance P rcceedure Qualification in Supplement No. 2 to the Arkansas Nuclear One-Unit 2 Safety Evaluation Report, we identified in the Sumary Subsection of Section D.4.4.6 the outstanding items required for resolveing the CPCS Position No.19.
License condition 2.C.(3)(k)(4) to Operating License NF-6 stipulates:
"The licensee shall not make any changes to the CPCS sof tware until the Corr 1ission 5as reviewed and approved the licensee's responses to items (1), (2 ), (3 ) and (4 ) as identified in the Summary Subsection of Section D. t.4.6 of Suppl ement No. 2 to the Safety Evaluation Report."
7 907 25 0 W >
-, m I
Our review of itens (1), (2), (3) and (4) and our bases for re:raution of these items as specified in Position fb.19 are presented be.ow:
I tem 1; P osition 19 The licensee comitted to provide a revised Software Change Procedure to incorporate a Phase II test program consistent with the uparaded single channel test capability. The software change procedures, consisting of methodology and test case definition, are to be followd when specifying and implementing modifications to the quality assured ccre protection caiculator/ control element assembly calculator (CPC/CEAC) software and docunentation. References 1 and 2 are the software change procedures submitted by the licensea in response to the comitment.
The revised Phase Il test program is described in Reference 1.
It consists of input sweep tests, Dynamic Software Verification Tests (DSVT) and live input-single parameter tests on the single channel system to verify the performance of the integrated software / hardware system. Input sweep tests are to irclude a minimun of 50C cases which cover the region of CPC opera: son over the full range of each CPC input sensor signals.
The DSVT cases will be selected,<ith emphasis on testing the modified portions of the software.
A complete set of test cases used for the ANO-2 Phase II testing are defined, and five of the most limiting design basis events are identified as DSVT test cases to be executed for all software modifications. Additional tests cases are to be selected with consideration of the nature and complexity of the software change that has been performed.
Five live input single parameter test cases are also identified for application to all sof tware changes.
The bases for generation of acceptance criteria and for satisfaction of these criteria are described.
de reviewd the sof tware change crocedures in References 1 and 2 and a meeting was held with the licensee on November 9,1978 to discuss the procedures. While the meeting clarified many of our review concerns, a few concerns remained and these were formally defined to the applicant by means of a letter described in Reference 8.
These concerns required additional clarification of the acceptance criteria stated in Reference 1.
Specifically the acceptance criteria for input sweep test; did not address a method for identifying design errors which may exist in the s oftwa re. Also in our letter (Reference 8) to the licensae, we identified deficiencies in the verification for several of the change procedures presented in Reference 2.
4bb
[2.$
The licensee's response to our concerns regarding these procedures are presented in References 3 and 4.
We have reviewed the revised procedures for the revisions and conclude that they resolve the concerns that we expressed in Reference 8.
The method for examining tests results for evidence of software design deficiencies which lead to processing uncertainties larger than a specified ccceptance level are addressed in an acceptable manner in Section 2.5.3.1 of Reference 3.
We a)db reviewd the Phase II test program presented in Reference 3 ap6 we find it acceptable for general application to all software changes, fnowever, for new projects and for extensive software modifications which are subject to staff review, the review of the Phase II test report will include an evaluation of the adequacy of the test cases sel ect ed.
All of the test cases defined in Table 2.5.1 of Reference 3 will be required when extensive modifications to t'ie sof tware are conducted.
/
Item 2; P osition 19 The licensee comittEd to provide a supplement to the Single Channel Qualification Test Report to demonstrate the acceptability of that system 1 or Phase II testing.
The lici nsee has provided a Single Channel Qualificatin Test Report describi d in Reference 5 to demonstrate the acceptability of that system 1or execution of the test program required for software changes specified in Reference 3.
Multi-variable transient capability was provided by the Dynamic Software Verification Test (DSVT) described in our hfety Evaluation Report, Supplement No. 2.
In addition, the testing included demonstration of the CFC high powr select option (neutron flo power versus core thermal power) and testing of interfaces between ths JAC, CPC, and operations module. All test results were compared t ; 'artran generated acceptance criteria and mre within the acceptacle range.
We also had our consultant audit the CPC Dynamic software Verification Field Test.
The purpose of the field test was to evaluate the adequacy of the quality assurance procedures for transfer of software from the Single Channel Test Facil.cy to the plant system (See Table 0.7, Position 19, Pars d, Supplement No. 2 to the Safety Evaluation Repcrt). Our consultant's evaluation as reported in Reference 7 stated that the tests were conducted in accordance with the test procedures. The report also stated that the field test results were acceptable as they agreed with the ex;ected test results stated in the test procedures. These same tests had also been suc:essf ully executed on the Single Channel Test Facility. Based on these results, we conclude that sof tware can be successf ully transferred from the Single Channel Test Facility to the Core Protection Calculator System at ANO-2.
Qbb 52t The staff has also concluded that the Single Channel Test Facility is an acceptable test system for testing of software changes as requeed by Position 19.
This conclusion is based on the noise test capability described in Reference 3 and summarized in Item (4 ) below as well as the test capability which has been demcnstrated and docu-mented in Reference 5.
Item 3; Position 19 Software C onsultant on P lant S afety C cmmittee In our assessment of sof tware change procedures presented in Safety Evaluation Report, Supplement No. 2, we concluded that a qualified sof tware consultant was required to serve on the Plant Safety Cormittee.
We established this requirement to ensure that a person with the technical expertise required to understand the function and design of the Core Protection Calculator System would be a menber of the Plant Safety Comittee and would review safety questions rege-ding the systen.
The licensee defined in Reference 13 a modification in the form of a proposed technical specification regarding the makeup of the Plant Safety Committee. We found the proposed technical specification unacceptable as it did not specify qualification requirements of the proposed member to the Comittee. The licensee then revised the proposed technical specification in Reference 11 and it was fcund to be acceptable.
In Reference 11, the licensee specifies a software exu ~'ance requirenent as follows:
"One of these two years of experience shall be with certified computer p rograns."
In response to a request from our Office of Inspection and Enforcement regarding the interpretation of certified computer prograns, we provide the following: Certified computer programs are those computer programs for which the validity of qualification test results has been attested to demonstrate conformance to the functional requirements of the computer p rogr am.
Thc licensee proposed a member of the plant staff, Mr. Thomas C. Cogburn, to be the Nuclear Engineer - Software Engineer for the pl ant safety committee. Mr. Cogourn's nuclear engineering qualifications are presented in kendment No. 44 of the S AR.
Mr. Cogburn's software engineering qualifi-cations were presented to the staff at an August 31, 1978, meeting with the apolicant. We have reviewed the candidate's qualifications in nuclear engineering and in sof tware engineering and find them acceptable in terms of the requirements for the position.
- 1 J D<
197 AL JrJ Based on our review and approval of the licensee' i prepostd technical specification for a software consultant, Technical Specification
- 6. 5.1.2 has been modified to incl ude a Nuclear Sof tware. Expert as a menber of the Plant Safty Comittee. Also, the generic qualifications for the membership on the Plant Safety Cormittee regarding the Nuclear Sof tware Expert have been defined in Technical Specification 6.5.1.2, Mministrative Controls.
Item 4; Position 19 The licensee comitted to describe a noise test program, including synthetic noise testing on the single channel test facility, for use in the qualification of sof tware changes.
Section 2.6 of Reference 3 provides for evaluation of all software changes for possible effects of the core protection calculator / control element assembly calculator (CPC/CEAC) System response due to plant process noise. The evaluation will initially be analytical in nature and will evaluate the potential for significant alteration to the noise respanse. The modified (CPC/CEAC) sof tware is to be evaluated by testing for noise response if judged nece:ssary as a result of the analytical ev al uation.
The noise test program described by the licensee includes the use of simulated process inputs on the Single Channel Test Facility to provide the best available representation of actual plant noise, with the preferred source being FM tape recordings of in-plant noise on LPC/CEAC process inputs. The noise gerieration capability of the Single Channel Test Facility includes a 16-charinel FM tape recorder and appropriate amplification equipaent, broadband noise generator for random noise synthesis. Acceptance criteria for noise response test results is based on the retention of conserva ism in the trip variables and plant availability considerations.
The staff has reviewd the noise test capabilities and the approach to noise testing which has been described by the licensee and finds it generally acceptable for qualification of software changes. Fo we ve r,
af ter careful evaluation, we found specific aspects of the process noise evaluation proposed by the licensee in Section 2.6 cf Reference 3 we e unacceptable.
The licensee proposes that software changes to the CPC/ CEAC system be analytically evaluated for their potential to significantly alter the systems's response to plant process noise.
If the analytical evaluation indicates that the potential for significant alteration of the noise response exists, the modified software will be tested to verify that tne altered noise response of the system is acceptable.
9?
I+ 3 D DLU Our concern is that any unexpected effect of software changes c' noise response is more likely to go undetected since the random noise in plant simulator process inputs have been eliminated from the Phase II test program ia favor of DSVT. Therefore, the staff will not accept ar. evaluation of noise response as sufficient evidence of acceptable noise response in those instances where new projects or extensive software modifications subject to staff review are involved. The staff requires inclusion or process noise tests in all test programs subject to staff review 1.e., test programs related to changes which require staff review because of safety significance or because changes in technical specifications are involved. In summary, we did not find this aspect of tne process noise evaluation procedures presented in Section 2.6 of Reference 3 acceptable. In order to make the process noise evaluation acceptable to the staff, we require that noise response tests be incorporated into the qualification test for safety-mlated software char.ges.
fbwever, the applicant may generate and qua!'fy non-safety related changes to the software with the procedure., specified by References 3 and 4.
In response to the staff's concerns re3arding the adequacy of process noise evaluation procedures, the licensee has amended in Reference 7 Section 2.6 cf Reference 3.
We have reviewed this amendmeni and find it acceptable as the licensee commits to per ic-90h. testing for all safety relited program modifications and also when extensive modifica-tions are nade to the progran.
Verificat1on of Modified CPC/CEAC Fortraa Simulation Code During the course of our review of items I, 2, 3 and 4 to Position 19 as discossed above, we determined that verification of a modified CPC/
CEAC Fortran Simulation Code as identified in Reference 9 was an impcrtant step in the software change procedure. The licensee was therefore regeested to discuss the verification process, the use of design codes, and the docunentation and st:. cage of results for later audit.
In Section 1.3.2.1 of Reference 3 the licensee presented a brief discussion which described ;he verification process and the docuren-tation and storage of results. This ir. formation, coupl ed with the requirement in Appendix D. of Reference 4 that the system transient code be used to determine the required trip time for Phase II dynamic test cases, adequately addresses staff concerns on uis issue.
The staff herefore finds the verificatien methcdology for changes to the CPC/t.EAC Fortran Code acceptable.
66 327 S ursnary O n D osition 19 We have reviewed References 3, 4, 5, 7.12,13 and 14 which address the outstanding concerns specified in Position 19 regarding qualifica-tion of software change procedures. We have concluded that Position 19 is resolved and the licensee iaay proceed with software changes in accordance with the approved documentation.
Therefore, we find that the condition 2.C.(3)(k)(4) has been fully satisfied, is no longer necessary, and we conclude that Facility Operating Licensing NPF-6 can be amended by removing license condition
- 2. C. (3 )( k) (4 ).
E nvironmental Consideration We have determined that the amendment does not authorize a change in effluent types or total amounts nor an increase in power level and will not result in any s enificant environmental impact. Having made this detennination, we hm e furhter concluded that the amendment involves an action which is insignificant from the standpoint of environmental impact and, pursuant to 10 CFR Sl.5(d)(4), that an enviroamental impact and/cr negative declaration and environmental impact appraisal need not be precared in connection with the issuance of this amendment.
Conclusion We have concluded, based on the considerations discussed above that (1) because the amendment does not involve a significant increase in the probability or consequences of accidents previously considered or a significar.t decrease in any safety margin, it does not involve a significant hazards consideration, (2) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (3 ) such activities will be 456 323
_ conducted in compliance with the Comission's regulations and the issuan::e of this amendment will not be inimical to the comon defense and security or to the health and safety of the public.
Oss i
L. B. Engl Project Manager Light Water Reactors Branch fb. I Division of Project Management J. FD Stol z, Chief
' Light Water Reactors B nch No.1 DWision of Project Management Enclosure :
CPCS References
& Meeting Minutes Dtte of Insuance:
JUN 121979
[4 [] h 329
ENCLOSURE TO THE SAFETY EVALUATION SUPPORTING AMENDMENT N0. 12 TO FACILITY OPERATING LICENSE NPF-6 REFERENCES 1.
CEN-39(A)-P "CPC Protection Algorithm Software Change Procedure,"
September 22, 1978, Arkansas Nuclear One - Unit (P roprietary)
CEN-39(A)-NP "CPC Protection Algorithm Software Change Procedure",
September 22, 1978, Arkansas Nuclear Ore - Unit 2, Docket 50-368.
Available in NRC PDR for inspection and copying for a fee.
2.
CEN-39(A)-P, Supplement 1-P, " Core Protection Algorithm Software Change Procedure Supplement", September 29, 1978, Docket 50-368.
Available in NRC PDR for inspection and copying for a fee.
CEN-39(A)-NP, Supplement 1-NP, "CPC Protection Algorithm Software Change Proecdure Supplement", September 29, 1978, Docket 50-368.
Anilable in NRC POR for inspection and copying for a fee.
3.
CEN-39(A)-P, Revision 02, "CPC Protection Algorithm Software Change Procedure", December 21,1978 (Propreitary).
CEN-39(A)-NP, Revision 02, "CPC Protection Algorithm Software Change Procedure", December 21, 1978. Available in NRC PDR for inspection and copying for a fee.
4.
CEN-39(A)-P, Supplement 1-P, Revision 01, "CPC Protection Algorithm Software Change Procedure Supplement" January 5,1979.
(Proprietary)
CEN-39(A)-NP Supplement 1-NP Revision 01, "CPC Protection Algorithm Software Change Procedure Supplement" January 5,1979. Available in NRC PDR for inspection and copying for a fee.
5.
CEN-71(A)-P, Supplement 1-P " Core Protection Calculatory Single Channel Qualification Test Report", Septemoer 22, 1978, Arkansas Nuclear One-Unit 2, Proprietary.
CEN-71(A)-NP, Supplement 1-NP, "Cor u Protecticn Calculator Single Channel Qualification Report", September 22, 1978, Docket 50-36d.
Available in NRC PDR for inspection and copying for a fee.
6.
Letter, to J.
C. Stolz, NRC, from Daniel H. Williams, Arkansas Pcwer and Light Cenpany, subject:
"Arkans3s Nuclear One-Unit 2, Docket No:
50-368, License NPF-6, CPC Documentation" Dated August 30, 1978. Available in NRC PDR for inspection and copying for a fee.
[4 5 [
k 7.
Letter, to L. Beltracchi, NRC, f rom J. B. Pullock, ORNL, subject:
Audit of "CPC Dynamic Sof tware Verification Field Test Procedures" July 6, 1978. Available in NRC POR for inspection and copying for a fee.
8.
Letter, to William Cavanaugh III, Arkansas Power and Light Company, from J. F. Stolz, NRC, subject:
" Core Protection Calculator System Position 19", dated December 13, 1978.
9.
Letter, to William Cavanaugh III, Arkansas Power and Light Company, from John F. Stolz, NRC, subject:
" Core Protection Calculator System Startup Test Audit" November 28, 1978. Available in NRC PDR for inspection and copying for a fee.
- 10. Letter, to Honorable Joseph M. Hendrie, Chairman, U. S. Nuclear Regulatory Cornission, from Stephen Lawreski, Chairman, Advisory Corrmittee cn Reactor Safeguards, subject:
" Report on Arkansas Nuclear One, Unit 2 Nuclear Power Plant", April 12, 1978.
- 11. Letter, to J. F. Stolz, NRC, From William CAvanaugh III, Arkansas Power and Light Company, " Supplemental Information to a Proposed Technical Specification", February 26, 1979.
- 12. CEN-55(A)-P " Phase II Design Qualification Test Procedure",
June 24,1977. Supplement 1-P, July 18,1977.
- 13. Letter to J. F. Stolz, NRC, from William Cavanaugh III, Arkansas Power and Light Company, " Proposed Technical Specification",
November 17, 1978.
14.
Letter to J. F. Stolz, NRC, from David C. Trimble, Arkansas Power and Light Company, "CPC CEN 39" April 17,1979.
il[)b
$h b
_