ML19283C511


LAR-19-001 Audit Summary Public Version
ML19283C511
Person / Time
Site: Vogtle
Issue date: 10/10/2019
From: Jennivine Rankin
NRC/NRO/DLSE/LB2
To: Jennifer Dixon-Herrity
NRC/NRO/DLSE/LB2
Rankin J, NRO/DLSE/LB2
References
LAR 19-001


Text

OFFICIAL USE ONLY - PROPRIETARY INFORMATION

October 10, 2019

MEMORANDUM TO: Jennifer L. Dixon-Herrity, Chief
Licensing Branch 2
Division of Licensing, Siting, and Environmental Analysis
Office of New Reactors

FROM: Jennivine Rankin, Project Manager /RA/
Licensing Branch 2
Division of Licensing, Siting, and Environmental Analysis
Office of New Reactors

SUBJECT: AUDIT REPORT FOR VOGTLE ELECTRIC GENERATING PLANT UNITS 3 AND 4, REQUEST FOR LICENSE AMENDMENT: PROTECTION AND SAFETY MONITORING SYSTEM SURVEILLANCE REQUIREMENT REDUCTION TECHNICAL SPECIFICATION REVISION (LAR 19-001)

By letter dated March 25, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19084A309), Southern Nuclear Operating Company (the licensee) requested an amendment to Combined License (COL) Numbers NPF-91 and NPF-92, for Vogtle Electric Generating Plant (VEGP) Units 3 and 4.

The requested amendment proposes changes to Technical Specifications (COL Appendix A) Sections 1.0, 3.1, 3.2, 3.3, 3.9, and 5.5 to remove the Surveillance Requirements (SRs) requiring manual Channel Checks, Channel Operational Tests (COTs), Actuation Logic Tests (ALTs), and Actuation Logic Output Tests (ALOTs) to be performed on Protection and Safety Monitoring System (PMS) components. Additionally, the approach for satisfying the reactor trip and Engineered Safety Feature Actuation System (ESFAS) response time test SRs for the PMS racks is also proposed to be changed. The amendment request also includes plant-specific Tier 2 changes.

CONTACT: Jennivine Rankin, NRO/DLSE/LB2 301-415-1530

Staff from the Office of Nuclear Reactor Regulation (NRR) and Office of New Reactors (NRO) in the Instrumentation and Controls Branch A (NRR/EICA), the Technical Specification Branch (NRR/STSB), the Reactor Assessment and Human Factors Branch (NRR/IRAB), the Quality Assurance Vendor Inspection Branch (NRR/IQVB), and PRA and Severe Accident Branch (NRO/SPRA) conducted an audit from June 17 - June 25, 2019, at the Westinghouse Electric Company's office in Rockville, MD. The audit was subsequently extended to August 28, 2019, for the NRC staff to examine additional documentation. The purpose of the audit was to gain a better understanding of the licensee's proposed changes by examining relevant documented evidence that supports reaching a conclusion of reasonable assurance, and reviewing related documentation and non-docketed information to evaluate compliance with applicable regulations.

Docket Nos.: 52-025 and 52-026

Enclosure: Non-Proprietary Regulatory Audit Report

cc: See next page

ML19267A180 (Proprietary Audit Report)

ML19283C511 (Non-Proprietary Audit Report)

* via email
NRO-008

OFFICE  DLSE/LB2/PM  DLSE/LB2/LA  DIRS/IQVB/BC
NAME    JRankin      RButler      KKavanagh*
DATE    9/26/19      9/26/19      9/27/19

OFFICE  DE/EICA/BC   DSS/STSB/BC  DIRS/IRAB/BC
NAME    NSalgado*    VCusumano*   AMasters*
DATE    10/01/19     10/1/19      10/1/19

OFFICE  DLSE/LB2/BC
NAME    JDixon-Herrity*
DATE    10/10/19

cc: Vogtle Units 3 & 4 Mailing List (Revised 08/13/2019)


Report of Regulatory Audit on License Amendment Request Related to Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision
Vogtle Electric Generating Plant, Units 3 and 4 (LAR 19-001)

A. Background

By letter dated March 25, 2019 (Reference 1), Southern Nuclear Operating Company (SNC or the licensee) requested an amendment to Combined License (COL) Numbers NPF-91 and NPF-92, for Vogtle Electric Generating Plant (VEGP) Units 3 and 4 (References 2 and 3).

The requested amendment requires changes to the Technical Specifications (TS) (COL Appendix A) and associated plant-specific Tier 2 changes.

The requested amendment proposes to change TS Sections 1.0, 3.1, 3.2, 3.3, 3.9, and 5.5. The Surveillance Requirements (SRs) requiring manual Channel Checks, Channel Operational Tests (COTs), Actuation Logic Tests (ALTs), and Actuation Logic Output Tests (ALOTs) to be performed on Protection and Safety Monitoring System (PMS) components are proposed to be removed from the TS. A change is also proposed to the approach utilized for the manner by which reactor trip and engineered safety features actuation system (ESFAS) response time tests are implemented.

The purpose of this audit is to gain a better understanding of the PMS built-in self-diagnostic functions, test results that verify and validate the PMS self-diagnostic functions, and quality assurance aspects of the design, implementation, testing, and future design control and configuration management of the credited self-diagnostic functions.

B. Bases

This regulatory audit is based on the following:

  • Vogtle Electric Generating Plant, Unit 3, Current Facility Combined License NPF-91, Revised September 23, 2019, License Condition 2.D.(2)(a) (Agencywide Documents Access and Management System (ADAMS) Accession No. ML14100A106).
  • Vogtle Electric Generating Plant, Unit 4, Current Facility Combined License NPF-92, Revised September 23, 2019, License Condition 2.D.(2)(a) (ADAMS Accession No. ML14100A135).

The audit plan is available in ADAMS under Accession No. ML19154A557.


C. Logistics

Date: June 17 - August 28, 2019

Location: The audit was conducted primarily through the Westinghouse Electric Company's (WEC) electronic reading room (ERR). A meeting with WEC subject matter experts was conducted from June 17 through June 25, 2019, at WEC's office at 11333 Woodglen Drive, Suite 202, Rockville, Maryland 20852.

D. Audit Team Members

The following U.S. Nuclear Regulatory Commission (NRC) staff members participated in the audit:

  • Jennivine Rankin, Project Manager, Lead
  • Jack Zhao, Senior Electronics Engineer, Technical Reviewer
  • Dinesh Taneja, Senior Electronics Engineer, Technical Reviewer
  • William Roggenbrodt, Electronics Engineer, Technical Reviewer
  • Craig Harbuck, Senior Reactor Systems Engineer, Technical Reviewer
  • Greg Galletti, Senior Reactor Operations Engineer, Technical Reviewer
  • Molly Keefe-Forsyth, Human Factors Specialist, Technical Reviewer
  • Dawnmathews Kalathiveettil, Electronics Engineer, Technical Reviewer
  • Malcolm Patterson, Reliability and Risk Analyst, Technical Reviewer

E. Licensee and Industry Staff Participants

  • Stephanie Agee (SNC)
  • Pareez Golub (SNC)
  • Bob Hirmanpour (SNC)
  • Michael Elmer (SNC)
  • Richard Paese (WEC)
  • John Wiesemann (WEC)
  • Warren Odess-Gillett (WEC)
  • Steven Merkiel (WEC)
  • Steven Billman (WEC)

F. Documents Audited

  • APP-PMS-T5-001, AP1000 Protection and Safety Monitoring System Test Plan, Revision 5, July 2015.
  • WNA-PV-00054-WAPP, AP1000 Protection and Safety Monitoring System Software Verification and Validation Plan, Revision 8, August 2016.
  • WNA-WI-00452-GEN, Regression Testing Work Instruction, Revision 0, February 2014.
  • WNA-WI-00497-GEN, Common Q Regression Analysis Preparation Work Instruction, Revision 2, April 2015.

  • APP-PMS-GHY-006, AP1000 Protection and Safety Monitoring System Software Design Description for Interface and Test Processor, Revision 20, May 2019.
  • WNA-DS-02122-GEN, Standard Reusable Software Element Document for Channel Check Custom PC Element, Revision 6, July 2014.
  • WNA-TP-02763-GEN, Element Software Test Procedure for CHAN_CHK Custom PC Element, Revision 1, August 2014.
  • WNA-TR-02258-GEN, Element Software Test Report for CHAN_CHK Custom PC Element, Revision 2, September 2014.
  • APP-PMS-J4-020, AP1000 System Design Specification for the Protection and Safety Monitoring System, Revision 18, March 2019.
  • APP-PMS-T1D-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Data Sheets, Revision 10, September 2017.
  • APP-PMS-T1D-019, AP1000 Protection and Safety Monitoring System Cabinet Indications and Status Channel Integration Test Data Sheets, Revision 7, May 2016.
  • APP-PMS-T1P-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Procedure, Revision 8, December 2017.
  • APP-PMS-T1P-019, AP1000 Protection and Safety Monitoring System Cabinet Indications and Status Channel Integration Test Procedure, Revision 8, December 2017.
  • APP-PMS-T2R-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Report, Parts 1-7, Revision 0, November 2017.
  • SV4-PMS-T2R-019, Vogtle Unit 4 AP1000 Protection and Safety Monitoring System Cabinet Indications and Status Channel Integration Test Report, Parts 1-3, Revision 0, February 2016.
  • 3BDS 005 740R501, S600 I/O Hardware Advant Controller 160 for Westinghouse, Version 1.3.
  • APP-DDS-J4-011, AP1000 Data Display and Processing System Datalink Interface Specification, Revision 5, January 2019.
  • APP-GW-GJP-812, 12 Hour Technical Specification Surveillance, Revision 3, October 22, 2018.
  • APP-PMS-AR-001, AP1000 Protection and Safety Monitoring System Reliability Analysis, Revision 4, May 2018.
  • APP-PMG-GHY-008, AP1000 Protection and Safety Monitoring System Software Design Description for the Maintenance and Test Panel, Revision 17, October 2018.
  • APP-PMS-GJP-810, Protection and Safety Monitoring System Division B 92 Day RT COL And ESF COT, Revision 1, December 27, 2018.
  • APP-PMS-GJP-873, Division A Automatic ESF Signals - Reactor Trip Logic Test, Revision 1, August 8, 2018.
  • APP-PMS-J0M-003, AP1000 Protection and Safety Monitoring System - Technical Manual, Revision 1, February 2018.
  • GBRA095801, WEG Intern AC160 Maintenance AC160 Product Specification for AP1000 PMS Analyses, Revision E.
  • GIC-SSP-FSD-19-003, PMS Channel Check Category 2 (Calculated Value) Error Analysis, Revision 0.
  • IC-12-054, NIS Time Response During EQ Testing, Revision 0.

  • LTS-NIS-19-011, AP1000 Plant NIS Response Time Evaluation, Revision 0.
  • MOD 00-3571, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Test Description AC160*1.3 Controller Partition 4.1 Error Handler, Revision 1.
  • MOD 00-3572, Oskarshamn 1 - Project O1 Mod, Test Report: Partition 4.1 Error Handling, Revision 1.
  • MOD 97-3184, Oskarshamn 1 - Project O1 Mod, Qualification of Category A I&C Self Supervision and test functions FMEA, Revision 3.
  • MOD 97-7766, Oskarshamn 1 - Project O1 Mod, Qualification of Category A I&C, Design and Life Cycle Evaluation Report on Previously Developed Software in ABB AC160, I/O Modules and Tools, Revision 1.
  • MOD 97-7771, Oskarshamn 1 - Project O1 Mod, Qualification of Category A I&C, Final Quality Assessment and Justification Report, Revision 6.
  • RD10027, Solid State Protection System Response Time Failure Analysis, Revision 0, November 10, 1992.
  • SV0-IVV-JQR-021, Vogtle AP1000 Protection and Safety Monitoring System Independent Verification and Validation Summary Report, Revision 4, April 2018.
  • SV3-PMS-T2R-012, Vogtle Unit 3 AP1000 Protection and Safety Monitoring System Interfaces and Response Time - System Integration Test Report, Revision 1, August 2017.
  • SV4-PMS-T2R-012, Vogtle Unit 4 AP1000 Protection and Safety Monitoring System Interfaces and Response Time - System Integration Test Report, Revision 0, May 2017.
  • WNA-CN-00162-WAPP, AP1000 Protection and Safety Monitoring System Time Response Calculations, Revision 12.
  • WNA-TR-03135-GEN, Analyses of DO630 Relay Time Response Testing, Revision 0, November 2013.
  • APP-FSAR-GEF-045, PMS Watchdog Timer Change and Additional Common Q Design Description Changes, Revision 0.
  • APP-GW-J9Y-001, Standard Acronyms and Definitions, Revision 3, September 2016.
  • IC-19-002, Questions for KHNP on Protection System Testing, March 25, 2019.
  • WCAP-14036-P-A, Elimination of Periodic Protection Channel Response Time Tests, Revision 1, October 6, 1998.
  • WCAP-15776, Safety Criteria for the AP1000 Instrumentation and Control Systems, April 2002.
  • WCAP-15927-P, Design Process for AP1000 Common Q Safety Systems, Revision 7, October 2018.
  • WCAP-16438-P, FMEA of AP1000 Protection and Safety Monitoring System, Revision 8, April 2019.
  • WCAP-16675-P, AP1000 Protection and Safety Monitoring System Architecture Technical Report, Revision 8, October 2017.
  • GIC-SSP-FSD-19-005, Attachment A, Document Tracing Table for AC160 Diagnostics, Revision 0.
  • GIC-SSP-FSD-19-005, Evidence of Documentation for AC160 Platform Diagnostics, April 5, 2019.
  • WNA-TR-02718-GEN, CIM SRNC Subsystem Test Report, Revision 4, September 2015.
  • WNA-TP-04019-GEN, CIM SRNC Subsystem Test Procedure, Revision 2, December 2014.

  • WNA-DS-01272-GEN, Safety System Remote Node Controller Requirements Specification, Revision 9, September 2013.
  • WNA-DS-01271-GEN, Component Interface Module Hardware Requirements Specification, Revision 10, January 2013.
  • 6105-60136, CIM-SRNC ISE Test Task Report, Revision 1, July 2015.
  • 6105-20010, Component Interface Module Requirement Traceability Matrix, Revision 20, October 2015.
  • 6105-10010, Safety System Remote Node Controller Requirement Traceability Matrix, Revision 17, September 2015.
  • 6105-00021, CIM SRNC IC&V Simulation Environment Specification, Revision 5, September 2015.
  • APP-PMS-J4-102, AP1000 Protection and Safety Monitoring System Software Requirements Specification, Revision 21.
  • SV0-IVV-H5R-001, Protection and Safety Monitoring System IV&V Software Requirements Fulfillment Assessment, Revision 1, September 2018.
  • SV0-IVV-JQR-021, Vogtle AP1000 Protection and Safety Monitoring System Independent Verification and Validation Summary Report, Revision 4, April 2018.
  • WNA-DS-01715-GEN, Standard Reusable Software Element Document for PM Diagnostic Type Circuit, Revision 6, September 2017.
  • WNA-RL-00412-GEN_Rv4_Verified, Software Release Record for PM_DIAG Type Circuit - Verified, Revision 0, August 2017.
  • WNA-TP-02411-GEN, Element Software Test Procedure for PM_DIAG Type Circuit, Revision 1, February 2018.
  • WNA-TR-01922-GEN, Element Software Test Report for PM_DIAG Type Circuit, Revision 3, February 2018.
  • MOD-K920-30, Oskarshamn 1 - Project O1 Mod, Qualification of Category A I&C, Functional Analysis, PS Software, VRTX, Revision 0.
  • APP-FSAR-GEF-049, PMS Technical Specification Surveillance Requirement, Revision 0.
  • SV0-PMS-AR-001, Protection and Safety Monitoring System Technical Specification Surveillance Requirement Elimination, Revision 0, March 2019.
  • MOD 00-2118, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Functional Analysis PS Software, VRTX Partition 19, Revision 0, September 2000.
  • GKWF310281 (Req. Spec for AC166 BPS - SW Requirements for PM646) documented in 970170651 (Advant Power BPS Testabdeckung System Test/FMEA Software test).
  • NA 4.54, I&C Standard Safety System Platform Configuration Control Process, Revision 1.
  • WNA-PC-00005-WAPP, AP1000 I&C Projects Configuration Management Plan, Revision 6, October 2016.
  • W2-8.6-105, External Computer Software, Revision 1.
  • W2-9.5-102, Commercial Dedication Process, Revision 1.
  • WNA-PV-00009-GEN, V&V Process for the Common Q Safety System, Revision 9.
  • APP-PMS-J1-001, AP1000 Protection and Safety Monitoring System Functional Requirements, Revision 14.

  • 6105-00013, CIM-SRNC IV&V Plan, Revision 10.
  • 6105-00005, CIM-SRNC Test Plan, Revision 8.

G. Description of Audit Activities and Summary of Observations

The NRC staff examined documentation supporting license amendment request (LAR) 19-001 and discussed material with subject matter experts in the areas of Quality Assurance, Human Factors, Instrumentation and Controls, and Technical Specifications. Audit activities within each of these areas are described below.

Quality Assurance Review of PMS Diagnostics

The NRC staff reviewed a sample of PMS diagnostics including both platform level (Common Q) and application level (PMS) to verify the diagnostic functions were developed, implemented, and tested under a suitable quality assurance program. In addition, the NRC staff reviewed the processes for maintaining design configuration and implementing design changes to the PMS and Common Q diagnostic functions, as well as sampled testing and operational anomalies associated with the PMS and Common Q diagnostic functions to assure they are being adequately addressed.

Common Q Diagnostic Function Review

The NRC staff reviewed the following diagnostic functions, (( )) and associated platform qualification documentation developed by ASEA Brown Boveri (ABB) and WEC to support the use of the Common Q platform for safety-related applications. These documents were created from the initial evaluation work performed by WEC Germany (WEG), Technischer Überwachungsverein, e.V. (Germany), and ABB and the activities related to the Oskarshamn 1 - Project O1 Modification Project (MOD-97-7771, MOD 97-3184, MOD 97-7766, MOD-00-3571, MOD-00-3572, and GKWF310281, GBRA095801). The NRC staff verified that the qualification and test records specifically addressed design review and code verification through testing to confirm that the Common Q diagnostics credited in the SNC LAR were adequately developed and functioned satisfactorily.

The NRC staff reviewed the code modification process and discussed the implementation of the process with cognizant WEC representatives to confirm that any code revisions are adequately controlled, documented, verified, and approved using defined quality practices. The NRC staff reviewed the ABB Revision Control System management procedures and Configuration Management Plan for the AC160*1.3 controller (3BDS 005 654) that govern revisions to the Common Q platform. In addition, the NRC staff discussed controls applied to maintain configuration of the Common Q platform, including work performed by WEG, which is tasked with performing the verification and validation (V&V) for the platform. (( ))

The NRC staff noted that all proposed changes are also evaluated by the platform Configuration Control Board (CCB) governed by the WEC QA Level 3 procedure (NA 4.54). This procedure requires a Safety System Platform Change Evaluation (SSPCE) to be completed. The SSPCE has a checklist of items that require evaluation for impact. The NRC staff reviewed a sample of SSPCE checklists associated with Common Q diagnostics to confirm adequate implementation of the platform change process. SNC has agreed to submit a supplement to the LAR to provide additional description of this process (see Section J.3 of this audit summary).

The NRC staff reviewed testing error logs and operational data compiled for commercial nuclear power applications using the Common Q platform to verify that code performance issues were being formally identified, documented, and evaluated for potential impact on the PMS system. The NRC staff discussed with the cognizant WEC staff the ABB Tracker program used to document operating experience issues with Common Q platform deployments, and reviewed all Tracker issues related to Common Q diagnostic functions to verify that the issues identified were adequately evaluated for impact on the Common Q diagnostics being credited in the SNC LAR. The NRC staff confirmed that the Tracker process included routine periodic reviews of issues by ABB and WEC and prioritization of issues based on significance, and that any issues requiring a potential design change were formally documented through purchase orders between ABB and WEC. SNC has agreed to submit a supplement to the LAR to provide additional description of the Tracker Program (see Section J.4 of this audit summary).

The NRC staff reviewed a sample of the activities performed by ABB and WEC to establish suitability and reliability of the Common Q platform for use in safety-related applications. These activities included: (1) the development of a Failure Modes, Effects, and Diagnostics Analysis on each of the AC160 modules by ABB, the results of which were used in the WEC PMS reliability analysis (APP-PMS-AR-001); (2) the performance of commercial surveys and operating experience evaluations of ABB by WEC (MOD 97-7771, MOD 97-7766); and (3) review of SSPCE checklists, which contain an item requiring evaluation of the effect of changes on the reliability and performance of the AC160 modules. The NRC staff reviewed these activities to determine if they supported establishing an adequate basis for use of the Common Q platform.

PMS Application Diagnostic Function Review

The NRC staff reviewed the following PMS application diagnostic functions: ITP inter-channel comparison, ITP intra-channel comparison, and Reactor Trip (RT) Matrix Monitoring, and associated PMS system lifecycle documentation to support the development and testing of the PMS system. The NRC staff reviewed APP-PMS-J4-020, APP-PMS-J4-102, and APP-PMS-J1-001 to confirm that they adequately described the requirement specification associated with the intra- and inter-channel comparator and RT Matrix, and confirmed that those requirements were adequately translated into test plans and procedures (APP-PMS-T5-001, APP-PMS-T1P-014 and APP-PMS-T1P-019). The NRC staff also reviewed the requirements traceability matrix (RTM) table (Appendix F.1 of APP-PMS-J4-020) and confirmed that the requirements associated with the PMS application diagnostics were documented and that relevant source system design requirements documentation was identified.

The NRC staff verified that the test procedures and test records specifically addressed the PMS application diagnostic functions to confirm that the PMS application diagnostics were adequately developed and performed satisfactorily. The NRC staff reviewed system integration testing of the sampled diagnostic functions described in test procedures (APP-PMS-T1P-014 and APP-PMS-T1P-019), and associated test data sheets, and confirmed that all test cases (Nos. 362, 363, 364, and 365) associated with inter-channel comparison and all test cases (Nos. 358-361) associated with intra-channel comparison were completed satisfactorily. These tests were performed in accordance with WEC V&V process plans (WNA-PV-00009-GEN, WNA-PV-00054-WAPP) and the PMS testing process administrative controls (APP-PMS-T5-001).

The NRC staff reviewed test data sheets and the associated Automation Issue Tracking System (RITs) data records for the PMS diagnostic functions sampled to verify that PMS software performance issues were being formally identified, documented, and evaluated for potential impact on the PMS system. The NRC staff confirmed that there were no current RITs issues that have any significant impact on the diagnostics credited in the SNC LAR. The NRC staff reviewed the system integration testing report and the independent verification and validation (IV&V) test summary report (SV3-PMS-T2R-012 and SV0-IVV-JQR-021) and confirmed that these summary reports did not contain any outstanding issues associated with the PMS or Common Q diagnostic functions being credited in the LAR.

The NRC staff reviewed the PMS application code modification process and discussed the implementation of the process with cognizant WEC staff to confirm that any code revisions are adequately controlled, documented, verified, and approved using defined quality practices. The NRC staff reviewed the PMS Software Verification and Validation Plan and Regression Testing Work Instruction (WNA-PV-00054-WAPP, WNA-WI-00452-GEN) governing regression analysis considerations applied to revisions to the PMS system, and the engineering design modification process procedure (APP-GW-GAP-420), which provides guidance for the evaluation of changes to the systems. The NRC staff confirmed that the documents included appropriate controls for maintaining system design requirements and configuration and provided adequate guidance for evaluating system modifications to determine any testing or analysis requirements needed for such modifications.

CIM/SRNC Subsystem Diagnostic Function Review

The NRC staff reviewed the following Component Interface Module (CIM) / Safety Remote Node Controller (SRNC) diagnostic functions, (( )) and associated CIM/SRNC subsystem lifecycle documentation to support the development and testing of the CIM subsystem.

The NRC staff reviewed WNA-DS-01271-GEN and WNA-DS-01272-GEN to confirm that they adequately described the requirement specification associated with the selected CIM/SRNC diagnostics and confirmed that those requirements were adequately translated into test plans and procedures (WNA-TP-04019-GEN, 6105-00021). The NRC staff also reviewed the RTM tables (6105-10010 and 6105-20010) and confirmed that the requirements associated with the CIM/SRNC subsystem diagnostics were documented and that relevant source system design requirements documentation was identified.

The NRC staff verified that the test procedures and test records specifically addressed the CIM/SRNC subsystem diagnostic functions to confirm that the CIM/SRNC subsystem diagnostics were adequately developed and performed satisfactorily. The NRC staff reviewed subsystem testing of the sampled diagnostic functions described in the test procedure (WNA-TP-04019-GEN) and confirmed that testing associated with the CIM/SRNC subsystem diagnostic functions was completed satisfactorily. These tests were performed in accordance with WEC V&V process and test plans (6105-00013 and 6105-00005).

On-going Verification of Diagnostic Functionality

The NRC staff discussed with the cognizant SNC and WEC staff the system features and additional administrative controls planned to be implemented to ensure the continued adequate functionality of the PMS system diagnostic functions during operations. The system diagnostics are automatically executed on a continuous basis and provide operator notification in the event of a failure. (( )) These diagnostic tests are designed to report system failures to the operator immediately upon detection without needing to wait for periodic functional tests. These diagnostic failures can be seen on the System Health Event Log Display and as a division fault on the SD System Health Summary Alerts Display.

Additionally, as part of normal control room operators' rounds, additional observations are taken and recorded via the Unit Control Log. These include: checking for (( )); checking the Safety Visual Displays for each Division for Health Status; and Unit Control Log entry of conditions such as control board walkdowns, unexpected alarms, entry into Abnormal or Emergency Operating Procedures, and recording Reactor trip or ESF actuations and Protective relay actuations.

The Plant Control System and Nuclear Application System will also display the overall health for equipment related to both safety-related functions and technical specification limited conditions for operation, including the PMS.

The NRC staff further noted that monthly PMS system health reports will be prepared by the PMS systems engineer using data from the various internal PMS event logs, including system operation and error tracking. If results from these reports indicate issues with any self-diagnostic functions, they will be further evaluated and dispositioned in accordance with the licensee's design control and corrective action programs. In cases where such issues affect the Common Q diagnostic functions, these will be recorded for inclusion in the ABB Tracker system. SNC has agreed to submit a supplement to the LAR to provide additional information on how PMS health will be monitored (see Section J.7 of this audit summary).

Instrumentation and Controls (I&C)

The objective of the audit from the I&C perspective was to 1) assure that the PMS self-diagnostics/testing functions execute deterministically and provide adequate test coverage that is comparable to the PMS SRs proposed to be removed in this LAR; and 2) confirm that the quality of the PMS self-diagnostics/testing functions complies with the Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Appendix B requirements. During the audit, the NRC staff reviewed numerous non-docketed documents and held discussions with SNC and WEC staff related to the self-diagnostic functions of the PMS, which are proposed to be credited by the licensee for supporting the changes proposed in the LAR. The PMS for the VEGP AP1000 plants mainly consists of two major subsystems: one is the Common Q based subsystem and the other is the field programmable gate array (FPGA) based CIM-SRNC subsystem. Audit results and observations are summarized below.

During both the initial safety review of this LAR and the audit, the NRC staff did not find confirmatory information in the LAR or within the licensing bases for the VEGP AP1000 plants to show that the self-diagnostic functions of the Common Q based PMS system would be executed deterministically during operation. This lack of information is likely due to the fact that the self-diagnostic functions of the Common Q based PMS system were not credited during the AP1000 design certification, and hence the NRC staff was not focused on this topic during the safety evaluation of the I&C systems for the AP1000 certification application and VEGP AP1000 COL application. During the on-site audit, the NRC staff requested the licensee to provide and docket additional information to demonstrate how the self-diagnostic functions of the Common Q based PMS system, which are proposed to be credited in this LAR, would perform deterministically and reliably during system operation. After the portion of the audit held at WEC's office in Rockville was completed, the licensee provided additional information, which states, in part, that for the Common Q microprocessor, ((

)). SNC has agreed to supplement the LAR to provide additional information on ((

)) the execution of self-diagnostics (see Section J.2 of this audit report).

During the audit, the NRC staff also reviewed relevant documents on the quality of the Common Q platform level self-diagnostic functions for the PMS Common Q based subsystem. Specifically, the NRC staff reviewed documents that SNC had obtained from WEC Germany and that are related to the qualification of the Common Q based safety system for the Oskarshamn 1 Project. The Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Final Quality Assessment and Justification (FQAJ) Report describes the shortcomings of a version of the Advant Controller (AC), which is an earlier version of the AC160 controller used in the PMS. The FQAJ report describes an issue discovered during testing: in some fault cases, if a lower priority diagnostic function failed to complete its execution because a higher priority task continued to execute, the Common Q platform would not recognize that the lower priority diagnostic had not executed completely. To correct this issue, ((

)) the AC160 controller version that is utilized by the PMS. The NRC staff reviewed a sample of the test procedures described in the FQAJ report that were utilized during the Oskarshamn qualification and confirmed that the diagnostic functions had been demonstrated to operate as designed. The NRC staff, therefore, confirmed that the Common Q platform level diagnostic functions were adequately tested. The outcomes of the overall testing program of the AC160 controller microprocessor and accompanying diagnostics were summarized in the FQAJ report. The FQAJ report concludes that the Product Software Qualification (PSQ) of the AC160 Product is suitable for use in the O1 MOD project for Category A I&C. While the NRC staff does not recognize Category A I&C qualification as equivalent to the qualification pedigree customarily expected by the NRC staff to justify a determination that an item is qualified as a basic component suitable for use in nuclear reactor safety-related applications, the staff's review of the documentation provided during the audit enabled the staff to better understand how the platform diagnostics for the Common Q portion of the PMS were designed and tested, and thereby will support the NRC staff's determination whether these self-diagnostic functions for the Common Q based PMS are acceptable and will perform as designed.

In addition, during the audit, due to a lack of information in the LAR and licensing bases, the NRC staff asked the licensee to document what would happen to the PMS, if any self-diagnostic function of the Common Q based PMS system fails to satisfactorily execute and complete its operation.

(( )). SNC has agreed to supplement the LAR to provide additional information on (( )) the execution of self-diagnostics (see Section J.2 of this audit report).

The Common Q Advant Controller (AC) 160 software for the PMS includes a real-time operating system called VRTX. The VRTX operating system executes the control units of the application program, self-diagnostic functions, and communication interfaces. During the audit, the NRC staff found in a non-docketed document that there are still some open items for as-found faults in the VRTX. The NRC staff asked the licensee and staff members of its agent, WEC, if those open items were resolved and closed, but no answer was provided during the on-site portion of the audit. The NRC staff was not presented with any document showing the resolution of those open items and was unable to locate any related information in the material presented to the staff.

Because of the critical role played by the VRTX in the Common Q platform, the licensee was asked to provide evidence to show that those open items for the as-found faults were successfully resolved. After the on-site portion of the audit was completed, the licensee placed Document MOD 00-2118, Revision 0 in the ERR to address the staff's concern. The NRC staff reviewed this document and verified that all the as-found faults or known errors identified during the qualification process of the Common Q platform were addressed and resolved adequately.

The PMS CIM-SRNC subsystem serves as the priority module for safety-related components between the safety-related PMS and the non-safety-related control system. In the existing licensing documents for the VEGP AP1000 plant, there is only a high-level description of the self-diagnostic testing functions for the CIM-SRNC subsystem. During the initial review and on-site audit of the CIM-SRNC portion of the PMS for this LAR, the NRC staff concluded that there is a lack of relevant information in the LAR and licensing documents for the VEGP Units 3 and 4 plants on what specific self-diagnostic/testing functions in the FPGA-based CIM-SRNC subsystem could be credited to support the removal of the ALOT SRs. During the safety evaluation of the CIM-SRNC subsystem for the AP1000 design certification application and VEGP Units 3 and 4 COL application, the self-diagnostic functions of the FPGA-based CIM-SRNC subsystem were not credited and hence were not evaluated during its licensing review. Therefore, the NRC staff requested the licensee to provide and docket supplemental information to justify the proposed removal of ALOT SRs by crediting the self-diagnostic/testing functions of the FPGA-based CIM-SRNC. After the on-site portion of the audit was finished, the licensee provided a writeup on the CIM-SRNC self-diagnostic/testing functions. Based upon the newly presented materials, the NRC staff verified that the PMS safety path self-diagnostic testing for the CIM-SRNC portion includes self-checking ((

)).

After reviewing the relevant information provided by the licensee, the NRC staff verified that the CIM-SRNC subsystem provides a (( )) and could be used to support the removal of ALOT SRs proposed in the LAR. In addition, the NRC staff found that for each self-diagnostic feature, there exists a mechanism to detect and report its failure. The NRC staff will use this information to support making a safety determination related to the CIM-SRNC self-diagnostic capabilities. SNC has agreed to supplement the LAR with the additional information regarding the CIM-SRNC self-diagnostic testing functions (see Section J.5 of this audit summary).

While conducting the initial evaluation, the NRC staff identified that the LAR and its supporting documents did not provide a sufficient level of information related to testing requirements, procedures, or results. Without this supporting evidence the staff was unable to verify that the licensee demonstrated that the CIM-SRNC self-diagnostic functions were adequately tested.

During the audit, the staff requested the licensee to place the necessary documents in the ERR to show that the CIM-SRNC self-diagnostic functions were adequately tested. In document 6105-00021, CIM SRNC IV&V Simulation Environment Specification, the NRC staff verified there are independent validation and verification testing requirements specified for the self-diagnostic functions, (( )). The NRC staff also reviewed the following documents that the licensee placed in the ERR: WNA-TP-04019-GEN, Revision 2, CIM SRNC Subsystem Test Procedure; 6105-20010, Revision 20, CIM Requirement Traceability Matrix; 6105-10010, Revision 17, SRNC Requirement Traceability Matrix; WNA-DS-01271-GEN, Revision 10, CIM Hardware Requirements Specification; and WNA-DS-01272-GEN, Revision 9, SRNC Requirements Specification. From reviewing those documents, the NRC staff also verified that there are specific testing requirements for the CIM-SRNC self-diagnostic functions. The NRC staff will use this information to determine if the testing requirements, procedures, and results for the CIM-SRNC self-diagnostic functions are satisfactory.

Human Factors

The NRC staff reviewed alarm response procedures to determine if the operators will respond appropriately to any alarms through the written procedures and the associated training. SNC also discussed with the NRC staff that the impacts on the operating procedures, training, and previously completed human factors engineering (HFE) V&V activities will be evaluated per inspection, test, analysis, and acceptance criteria (ITAAC) 3.200.01e. SNC has agreed to supplement the LAR with a summary of human factors engineering and operator task impacts resulting from the proposed LAR (see Section J.1 of this audit summary).

Technical Specification

In the area of technical specifications, the NRC staff focused on assessing the fault-detection capability of the PMS self-diagnostics to verify that the applicant had adequately justified reliance on the self-diagnostics to provide assurance of PMS digital component operability, without manual periodic surveillances to exercise PMS logic, through documented evaluations and factory testing results. To that end, the NRC staff reviewed the following documents:

  • SV0-PMS-AR-001, Protection and Safety Monitoring System Technical Specification Surveillance Requirement Elimination, Revision 0, March 2019. WESTINGHOUSE PROPRIETARY CLASS 2
  • WCAP-16675-P, AP1000 Protection and Safety Monitoring System Architecture Technical Report, Revision 8, October 2017.
  • CIM SRNC IV&V, Simulation Environment Specification 6105-00021, Revision 5, September 2015. WESTINGHOUSE PROPRIETARY CLASS 2
  • ND-19-0168, Southern Nuclear Operating Company Vogtle Electric Generating Plant Units 3 and 4, Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR-19-001), March 25, 2019.
      o Enclosure 1, Request for License Amendment Regarding PMS SR Reduction TS Revision (LAR 19-001), WESTINGHOUSE PROPRIETARY CLASS 2
          - Appendix A, Supporting Figures, WESTINGHOUSE PROPRIETARY CLASS 2
      o Enclosure 3, Proposed Changes to Licensing Basis Documents
          - Markup of affected portions of COL Appendix A, Technical Specifications
          - Markup of affected portions of Technical Specification Bases

The NRC staff evaluated if the PMS FMEA had assessed the credible failures, ((

)) for each signal processing and communications (input and output) node in each PMS division, including the bistable processor logic (BPL), HSL, local coincidence logic (LCL), reactor trip interface (RTI), integrated logic processor (ILP), SRNC, and the CIM.

These included assessment of failures of platform self-testing functions and PMS application software self-test functions. For most of the failure modes considered, the safety function of the division is not affected, (( )), and the proper functioning of the three other PMS divisions to initiate all reactor trip system (RTS) and ESFAS actuated devices. In addition, most of the considered failure modes will be detected by (( )) and (( )) alert operators in the control room.

The NRC staff reviewed draft versions of plant alarm response procedures and discussed the available information on the control room safety displays with licensee staff. From this it appears that upon occurrence of a division fault alarm, the control room operators and plant support staff will identify the faulted component within a short time period. They can be expected to replace the faulted hardware soon thereafter while retaining operability of the affected division. With the continuous monitoring of PMS operability by the built-in self-diagnostics, which can detect any failure detectable by the manual logic tests, it appears that the manual surveillances would only marginally improve on the reliable automatic fault-detection capability of the PMS self-diagnostic functions.

The NRC staff and SNC discussed updating the plant licensing basis to explain how the PMS self-diagnostic functions will provide reasonable assurance that the PMS, RTS, and ESFAS functions are operable and that the PMS-related limiting conditions for operation will be met, in lieu of manual SRs that otherwise would be needed to satisfy 10 CFR 50.36(c)(3). SNC agreed to supplement the LAR with this type of information (see Section J.6 of this audit summary).

H. Exit Briefing

The NRC staff's audit exit briefing was conducted on August 28, 2019, where the open items from the audit were discussed.

I. Requests for Additional Information (RAI) Resulting from Audit

No RAIs were issued as a result of this audit.

J. Open Items and Proposed Closure Paths

The NRC staff noted the following items needed to be addressed as a result of the audit. SNC has agreed to submit information in the following areas:

1. Summary of human factors engineering and operator task impacts due to the elimination of operators' manual surveillances. In addition, reference to the associated ITAAC that requires evaluation of impact to operating procedures, training, and previously completed HFE validation activities.
2. Additional description regarding the relationship between (( )).
3. Description of the AC160 modification process for configuration management control.
4. Description of the Operating Experience Review (Tracker Program) for disposition of issues process.
5. Description of CIM FPGA Diagnostic Descriptions for Self-Checking Logic, (( )).
6. Appropriate FSAR and TS Bases changes to document the basis for operability of the systems.
7. Additional description of what occurs to produce a division alarm and what occurs to ensure system health of the PMS (e.g., system engineer's monthly reports which account for health/error/faults of the system).

K. Deviations from the Audit Plan

The duration of the audit was extended from June 25 to August 28, 2019, to allow the NRC staff to examine documents that were added to the ERR following the meeting with the vendor subject matter experts at WEC's office in Rockville, MD.

L. References

1. Southern Nuclear Operating Company, Vogtle Electric Generating Plant Units 3 and 4, Request for License Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR-19-001), March 25, 2019 (ADAMS Accession No. ML19084A308).

2. Vogtle Electric Generating Plant, Unit 3, Current Facility Combined License NPF-91, Revised September 23, 2019, (ADAMS Accession No. ML14100A106).
3. Vogtle Electric Generating Plant, Unit 4, Current Facility Combined License NPF-92, Revised September 23, 2019, (ADAMS Accession No. ML14100A135).
4. Vogtle Electric Generating Plant, Units 3 and 4 Updated Final Safety Analysis Report, Revision 6 and Tier 1, Revision 5, August 11, 2017 (ADAMS Accession No. ML17172A218).
