W3F1-2021-0041, Response to U. S. Nuclear Regulatory Commission Request for Additional Information Regarding License Amendment Request for Digital Upgrade to the Core Protection Calculator and Control Element Assembly Calculator System


ML21153A390

Site: Waterford

Issue date: 06/02/2021

From: Gaston R, Entergy Operations

To: Document Control Desk, Office of Nuclear Reactor Regulation

Shared Package: ML21153A389

References: W3F1-2021-0041



Proprietary Information - Withhold from Public Disclosure Under 10 CFR 2.390 The balance of this letter may be considered non-proprietary upon removal of Enclosure 1 and Attachment 1.

Entergy Operations, Inc.

1340 Echelon Parkway
Jackson, MS 39213
Tel 601-368-5138

Ron Gaston
Director, Nuclear Licensing

10 CFR 50.90

W3F1-2021-0041

June 2, 2021

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject: Response to U. S. Nuclear Regulatory Commission Request for Additional Information Regarding License Amendment Request for Digital Upgrade to the Core Protection Calculator and Control Element Assembly Calculator Systems

Waterford Steam Electric Station, Unit 3
NRC Docket No. 50-382
Renewed Facility Operating License No. NPF-38

By letter dated July 23, 2020 (Reference 1), Entergy Operations Inc., (Entergy) requested an amendment to Appendix A, "Technical Specifications" (TS) of Renewed Facility Operating License NPF-38 for Waterford Steam Electric Station, Unit 3 (Waterford 3) to implement a digital upgrade to the Core Protection Calculator (CPC) system and Control Element Assembly Calculator (CEAC) system.

By letter dated April 29, 2021 (Reference 2), the U. S. Nuclear Regulatory Commission (NRC) staff informed Entergy that additional information is required to complete the review. A clarification call between the NRC and Entergy was previously conducted on April 28, 2021.

The additional information requested by the NRC in Reference 2 is provided in Enclosure 1 to this letter. Additional documents supporting the request for additional information (RAI) responses are provided in Attachments 1 and 2 to Enclosure 1. As noted in Reference 2, RAI-06 will be responded to at a later date.

The RAI responses in Enclosure 1 contain information proprietary to Westinghouse Electric Company LLC (Westinghouse). This is supported by an Affidavit signed by Westinghouse, the owner of the information, which is provided in Attachment 3. The Affidavit sets forth the basis on which the information may be withheld from public disclosure by the NRC and addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390. Accordingly, it is respectfully requested that the information which is proprietary to Westinghouse be withheld from public disclosure in accordance with 10 CFR 2.390.

Enclosure 2 provides a non-proprietary version of the RAI responses.

provides EQ-QR-412-CWTR3, Revision 2, "Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3." The attachment, in its entirety, contains information proprietary to Westinghouse. This is supported by an Affidavit signed by Westinghouse, the owner of the information, which is provided in . The Affidavit sets forth the basis on which the information may be withheld from public disclosure by the NRC and addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390. Accordingly, it is respectfully requested that the information which is proprietary to Westinghouse be withheld from public disclosure in accordance with 10 CFR 2.390.

In Reference 3, Entergy transmitted Revision 1 of the Entergy Vendor Oversight Plan (VOP) Summary for the CPC/CEAC replacement project. This was provided as a replacement to 4 of the Reference 1 license amendment request (LAR). Attachment 2 to of this submittal provides Revision 2 of the Entergy VOP summary, and replaces, in its entirety, the revision Entergy transmitted in Reference 3.

Correspondence with respect to the copyright or proprietary aspects of Enclosure 1, , or the supporting Westinghouse Affidavits should reference CAW-21-5188 and CAW-21-5183 and should be addressed to Anthony J. Schoedel, Manager, Licensing Engineering, Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, Pennsylvania 16066.

This letter contains no new regulatory commitments.

Should you have any questions or require additional information, please contact Paul Wood, Regulatory Assurance Manager, at 504-464-3786.

I declare under penalty of perjury; the foregoing is true and correct. Executed on June 2, 2021.

Respectfully, Ron Gaston RWG/jls

: Response to NRC Requests for Additional Information, Proprietary

Attachments to Enclosure 1:

1. EQ-QR-412-CWTR3, Revision 2, "Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3," Proprietary
2. CPC Replacement Project Vendor Oversight Plan (VOP) Summary, Revision 2
3. Westinghouse Letter CAW-21-5188, Affidavit, Proprietary Information Notice, and Copyright in support of Enclosure 1, "Response to NRC Requests for Additional Information"
4. Westinghouse Letter CAW-21-5183, Affidavit, Proprietary Information Notice, and Copyright in support of Attachment 2, EQ-QR-412-CWTR3, Revision 2

: Response to NRC Request for Additional Information, Non-proprietary

References:

1) Entergy Operations, Inc. (Entergy) letter to U.S. Nuclear Regulatory Commission (NRC), "License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) system and Control Element Assembly Calculator (CEAC) system," W3F1-2020-0038, (ADAMS Accession No. ML20205L588), dated July 23, 2020
2) NRC letter to Entergy, "Waterford Steam Electric Station, Unit 3 - Request for Additional Information RE: Digital Upgrade to the Core Protection and Control Element Assembly Calculator System (EPID L 2020 LLA-0164)," (ADAMS Accession No. ML21112A254), dated April 29, 2021
3) Entergy letter to NRC, "Revised Vendor Oversight Plan Summary - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System," dated January 29, 2021, (ADAMS Accession No. ML21029A156)

cc: NRC Region IV Regional Administrator
NRC Senior Resident Inspector - Waterford 3
NRC Project Manager Waterford 3
Louisiana Department of Environmental Quality, Office of Environmental Compliance (without Enclosure 1 and Attachment 1)

Attachment 2 to Enclosure 1 W3F1-2021-0041 CPC Replacement Project Vendor Oversight Plan (VOP) Summary, Revision 2

W3F1-2021-00015 Enclosure Page 1 of 20 CPC Replacement Project Vendor Oversight Plan (VOP) Summary, Revision 2

1. Background

DI&C-ISG-06 Section C.2.2 provides Licensee Prerequisites for use of the Alternate Review Process (ARP) (Reference 7). In Section C.2.2.1, DI&C-ISG-06 describes that to use the ARP, the license amendment request (LAR) should provide a description of the licensee's Vendor Oversight Plan (VOP). Section C.2.2.1 says that the license amendment request (LAR) should include:

A description of the licensee's Vendor Oversight Plan. The plan, when executed, can be used to ensure that the vendor: (1) executes the project consistent with the LAR, and (2) uses an adequate software QA program. The Vendor Oversight Plan, when executed, helps ensure that the vendor will meet both the process and the technical regulatory requirements. Vendor oversight is a series of licensee interactions with the vendor and progresses throughout the entire system development life cycle. The plan should address the intended interactions among the vendor's design, test, verification and validation (V&V), and QA organizations.

The VOP is an important element of the ARP. Since the LAR approval is requested earlier in the project lifecycle than for the other DI&C-ISG-06 review processes (i.e. Tier 1, 2 or 3), the Staff needs to understand how the licensee intends to ensure that the vendor produces high quality software and system.

Entergy Operations, Inc. (Entergy) developed a VOP for the Waterford Steam Electric Station, Unit 3 (Waterford) Core Protection Calculator (CPC) System (CPCS) modification to ensure that Westinghouse executes the project consistent with:

Entergy procurement documents (Reference 1)

Westinghouse Software Program Manual (SPM) and Westinghouse platform-related documentation, which have been NRC-approved as described in LTR Section 6.1 (LAR Attachment 4)

Project description consistent with the LAR

Revision 1 to the VOP Summary was submitted to the NRC on January 29, 2021 (ADAMS Accession No. ML21029A156), and summarized the contents of Entergy document VOP-WF3-2019-00236, Core Protection Calculator System Vendor Oversight Plan, Revision 3.

Revision 1 of the VOP Summary replaced, in its entirety, the original VOP Summary which was submitted to the NRC as Attachment 14 to Entergy's July 23, 2020 LAR (ADAMS Accession No. ML20205L587). This document has been issued for use. The project team is currently conducting vendor oversight activities of Westinghouse Electric Company (Westinghouse). The VOP Table of Contents is included on page 2 of Revision 1.

Revision 2 to the VOP Summary documents the change control requirements for the VOP after issuance of the License Amendment, addresses how Entergy verifies requirements from the System Requirements Specification (SyRS) that were adopted without modification, provides examples of environmental critical characteristics, physical critical characteristics and performance critical characteristics (including CPU maximum load restriction), provides more detail on Requirements Traceability Analysis and further details document applicability to Entergy's EN-DC-149 process. This document replaces, in its entirety, VOP Summary Revision 1 (i.e., Attachment 14 to the original LAR).

Waterford Core Protection Calculator System Replacement Project Vendor Oversight Plan Table of Contents

2. Vendor Oversight Plan (VOP) Scope

The scope of the VOP is for the Westinghouse scope of the CPCS Replacement Project. The Westinghouse scope includes the hardware, software, design documentation, and licensing documentation. The VOP does not cover vendor oversight of the Architect Engineer (A/E) performing the modification process activities. The A/E does not provide any oversight of Westinghouse activities or digital products. The A/E does not perform the DI&C-ISG-06 (Reference 7) activities associated with the "vendor". For Waterford, the A/E is typically referred to as the Engineer of Choice (EOC) in the project documents. Waterford vendor oversight of the A/E is performed by Entergy engineering procedures and owner's acceptance review separate from this VOP (Reference 19).

Stakeholders identified in VOP Section 5 will participate in vendor oversight activities to the extent that vendor activities can affect their needs. The level of vendor oversight follows a procedure-driven graded approach, based on project and technical risk factors, which are described in VOP Section 6. All levels of the graded approach will include specifically defined performance measures and acceptance criteria which are described in VOP Section 7. The performance measurements described in the VOP include critical characteristics, design artifacts, and programmatic elements. The various levels of graded oversight are described in VOP Section 8. The site Corrective Action Process (CAP) will be used to document and ensure resolution of issues/problems. This is described in VOP Section 9. Finally, oversight results will be documented as described in VOP Section 10.

Vendor oversight activities include:

Conducting audits

Conducting Quality Surveillances of vendor activities under Waterford Quality Assurance (QA) program including activities for the CPCS Replacement Project Critical Procurement Plan (CPP). Note: QA surveillances are governed by existing Entergy procedures (Reference 4).

Providing input to and review/confirmation of specific vendor activities and related information items

Reviewing vendor design artifacts (e.g., specifications, drawings, analyses)

Observing or witnessing specific vendor activities

Participating directly in specific vendor activities

Coordinating multi-disciplined interactions between various stakeholders

Communicating status, schedule, and results of oversight activities through daily or weekly Waterford/Westinghouse Project Management team teleconferences, Waterford/Westinghouse Engineering team teleconferences, Waterford/Westinghouse Licensing team teleconferences

Capturing issues in Waterford/Westinghouse corrective action programs

Elevating emerging risks and issues (if necessary) to decision makers with higher authority

Updating the VOP (if necessary) based on emerging results

The VOP is an umbrella document covering the range of activities in which Entergy is engaged to perform effective vendor oversight.

The Quality Assurance Program Manual (QAPM) (Reference 30) provides a consolidated overview of the quality program controls which govern the operation and maintenance of Entergy's quality related items and activities. The QAPM implements 10 CFR 50 Appendix B, and the QAPM is implemented through the use of approved procedures (e.g., policies, directives, procedures, instructions, or other documents) which provide written guidance for the control of quality related activities and provide for the development of documentation to provide objective evidence of compliance.

For the CPCS procurement process outlined in CPP-WF3-2019-002 (Reference 6), the main implementing procedures for the QAPM are as follows:

EN-MP-100, Critical Procurements (Reference 13),

EN-QV-108, QA Surveillance Process [QAPM C.2] (Reference 4),

EN-LI-102, Corrective Action Program [QAPM A.1, A.6, A.7, B.13, B.15] (Reference 21),

EN-DC-149, Acceptance of Vendor Documents [QAPM B14.a, b - Document Control] (Reference 18) and

EN-DC-115, Engineering Change Process [QAPM A.7, B.2, B.8, B.11, B.15] (Reference 19).

The VOP works in coordination with existing Entergy Quality Assurance processes and procedures. The coordination with existing QA processes, procedures and staff ensures that all vendor documents, software and equipment meet all quality and design requirements.

Any update or change to the VOP, once the NRC has approved the license amendment, will require the development and approval of an Engineering Change in accordance with Entergy procedure EN-DC-115, "Engineering Change Process." As a part of the change, the NRC Safety Evaluation approving the amendment will be reviewed to ensure that the proposed VOP changes will not adversely impact the basis or requirements for NRC approval. This requirement is added to the VOP signature page to ensure this review occurs before VOP review and approval.

The remainder of this section details what references were used to create the VOP and how the existing Entergy procedures ensure the VOP and QA processes are interrelated.

The following key documents provide input to vendor oversight activities:

Critical Procurement Plan (CPP) (Reference 6)

Procurement specification and other Westinghouse contract documentation,

Project-specific specifications,

NRC DI&C-ISG-06 Rev. 2 Licensing Process,

WCAP-16096 Common Qualified Platform Software Program Manual (Reference 9),

EPRI Digital Engineering Guide (DEG) (Reference 3) and

EPRI Handbook for Evaluating Critical Digital Equipment and Systems (Reference 8).

There are several Entergy procedures which are being utilized to conduct vendor oversight activities under the VOP. Those procedures are described below:

EN-MP-100 (Reference 13) provides guidance for the establishment of oversight activities to ensure critical materials and related services are planned and executed such that all applicable requirements are met. Monitoring, verification and acceptance phase activities are defined in the CPP during the Planning Phase. Verification can be either through the normal Receipt Inspection process or other activities outlined in the CPP. The CPP may require activities during manufacturing, testing, receipt inspection, pre-installation or post-installation testing.

The CPP provides a summary of the requirements and necessary actions including on-site services (when required), to ensure that the Critical Procurement will meet Entergy's expectations. The CPP provides details for the project scope, the focus areas or scope of the project design and implementation, and the project risks for the procurement process. The scope of supply in Contract 10575450-01 (Reference 1), and the scope details in SPEC 00005-W (Reference 5), provide details for the CPC modification and equipment.

The CPP credits the management of the procurement risks based on the Westinghouse software verification and validation process, factory acceptance testing, performance of site acceptance testing, and rigorous software testing. QA surveillances will be performed to ensure the approved Westinghouse processes were followed. Actions in the CPP are controlled and documented as Waterford work tracking items.

EN-DC-149 (Reference 18) provides guidance for the review and approval of Westinghouse documents and drawings. EN-DC-149 establishes the process to be used to control the receipt, distribution, review, and revision of technical vendor documents originating from outside Entergy. The overall process governing the preparation, revision, review, approval, acceptance and use of vendor produced calculations is addressed in EN-DC-126 (Reference 25). The overall Engineering Report process is addressed by EN-DC-147 (Reference 26).

For such documents, the vendor acceptance should be documented as per the guidance in the above referenced procedures.

The technical review per EN-DC-149 will be performed to the level of detail described in Table 5.1 for Risk Ranked Review of Vendor Supplied Documents. The risk ranking is developed with the Pre-Job Brief in accordance with Sections 5.2 and 5.3 of EN-HU-104 (Reference 27). Attachment 9.6 of EN-HU-104 provides the methodology for determining the overall risk level of the activity.

EN-HU-104 (Reference 27) provides direction for the risk assessment of technical work, senior management notifications of results, pre-job briefs, independent third-party reviews (ITPR), and post-job briefs to capture lessons learned. The CPC Replacement project risk rank is 1 or high-high. This risk ranking requires a Challenge Board, which includes station and fleet personnel with expertise in the area. An Independent Third-Party Review by A/E, consultant, or Off-site Specialists (ITPR) is being performed since this project is risk rank 1. EN-OM-132 (Reference 28) is being used to perform a risk assessment.

EN-OM-132 provides a consistent method within Entergy to evaluate and manage risks and can be applied to a broad range of issues. This process describes the method to perform risk assessments and is designed to be used when prompted or required by specific processes, such as EN-HU-104.

EN-FAP-PM-004 (Reference 29) drives consistency and certainty in project delivery capabilities and outcomes through a process for project development, planning and execution.

The Project Manager establishes and updates the risk assessment, which is the Quantitative Risk Assessment (QRA). This process provides a comprehensive framework for project development, planning, and execution.

EN-PM-100 (Reference 12) establishes requirements and guidance to ensure a standard and predictable approach to project management throughout the life cycle of the project. This procedure provides requirements and guidance for risk and issue identification and management. The Project Manager is responsible for ensuring all risks and issues are identified, evaluated and managed properly.

3. Project Organization and Roles (Stakeholders)

The following stakeholder roles and responsibilities are described in the VOP.

Entergy Project Team

Project Manager

Assistant Project Manager

Quality Assurance (QA) Representative

Lead Responsible Engineer

Digital or I&C Engineers

Cyber Security Engineer

System Engineer

Lead Licensing Engineer

Human Factors Engineer

Maintenance Representative

Operations Representative

Simulator Representative

Various Test Coordinator/Engineers

Westinghouse Project Team

Project Manager

Quality Manager

Design Engineers

Cyber Security Engineer

Simulator Project Representative

Test Engineers and Software V&V Engineers

CPCS Product Manager

CPCS Technical Advisor

CPCS Technical Lead

CPCS Licensing lead

4. Development and Assessment of Potential Project and Technical Risk Factors

EN-HU-104 (Reference 27) provides direction for the risk assessment of technical work, senior management notifications of results, pre-job briefs, independent third-party reviews (ITPR), and post-job briefs to capture lessons learned. Based on EN-HU-104, the CPC Replacement project risk rank is a 1 or high-high. An Independent Third-Party Review (ITPR) is being performed for critical documents.

All modes of plant operation were considered when assessing consequence risk factors.

The consequence risk factors assessment includes an evaluation of the following criteria:

Reactivity Management

Reactor Scram or Lost/limited Generation

Radiological release or exposure

Potential for creating a serious personnel safety issue

Operability issue affecting multiple trains of safety related system

Regulatory non-compliance

Unplanned Tech Spec entry into a shutdown LCO less than 72 hours

Unplanned Safety System Actuation/Loss

Regulatory open item created or not addressed

Operator Workaround or challenge created or not addressed

Unplanned Component Unavailability

Tech Spec violation

Reportable environmental consequence

Repeat functional failure of Maintenance Rule systems, structures or components with potential to create new (a)(1) system

Reactor coolant or steam generator chemistry transient outside of acceptable band

As a result of the high-high risk ranking (EN-HU-104, Risk Rank 1), EPRI DEG Table 5-1 was considered to evaluate additional project and technical risk factors. The following project and technical risk factors were assessed in accordance with EPRI DEG (Reference 3), Table 5-1:

Schedule Technical Staff Conceptual Design Hazards Procurement Human Factors Engineering Data Communications Cyber Security Plant Integration Design Testing Configuration Management Training

Per EPRI DEG Section 5.2.3, moderate risk factors indicate a need for supplemental oversight methods. Based on the risk categorization, vendor oversight activities have been prioritized.

5. Determine Performance Measures and Acceptance Criteria

Performance measures and their acceptance criteria are included in the VOP. The scope of vendor oversight is expected to evolve during the project. Project-specific performance measures that warrant vendor oversight are updated as this list changes.

The performance measures are divided into three categories with acceptance criteria provided for each:

Critical Characteristics, Design Artifacts, and Programmatic Elements.

1. Critical Characteristics

The Critical Characteristics are those important design, material, and performance characteristics of a system that, once verified, will provide reasonable assurance that the system will perform its intended critical functions. Note that the critical characteristics are drawn, in part, from the project's Critical Procurement Plan (Reference 6) and EPRI Topical Report 1011710 (Reference 8).

The critical characteristics are divided into the following categories:

Physical, Performance, Environmental, and Cyber.

Examples of physical critical characteristic verification include:

Understanding Westinghouse's component identification approach and processes for identifying new revisions to platform hardware and software and verifying that Westinghouse changes the component identification when anything in the hardware or software changes.

Comparing the equipment part numbers to those listed in Common Q Topical Report (Reference 10), Hardware Design Documents (HDD), Bill of Material, and procurement documents. Where differences exist in part number or product revision, Entergy will review the Common Q topical report record of changes document for adequate qualification documentation (i.e., Equipment Qualification Summary Report (EQSR)) that demonstrate that the changes do not invalidate safety conclusions in the safety evaluation of the Common Q platform. See Configuration Management section.

Reviewing the following data communications topics:

Per IEEE Std. 603, verifying there is adequate independence and separation between redundant, safety-related channels.

Per IEEE Std. 603, verifying there is adequate Class 1E to non-1E isolation.

Ensuring the Project Failure Modes and Effects Analysis (FMEA) addresses detection of failed links and failed equipment.

Human Factors - In accordance with Entergy procedure EN-DC-163 (Reference 20), review the human factors engineering design implementation approach relative to human action requirements, associated monitoring information/variables, and human system interface (HSI) design requirements.

Examples of performance critical characteristic verification include:

Confirming input ranges and signal conditioning for how the system processes each input, including attributes for loop error accuracy and setpoint accuracy.

Confirming that the data, presented on the video display units (VDUs) or flat panel displays (FPD), is per the SyRS(s) and Waterford project operations representative input.

Confirming that the features that are provided for surveillance testing or calibration are in accordance with the SyRS(s).

Confirming that the on-line and off-line self-test and diagnostic capabilities of the system (i.e., platform and application) are in accordance with the SyRS(s). As a minimum this will confirm when an application-specific self-diagnostic detects a failure, what is annunciated and where is it annunciated.

Confirming that the response time and throughput for the system meets the SyRS(s).

Confirming that the Central Processing Unit (CPU) maximum load restrictions are implemented and meet the SyRS(s).

Examples of environmental critical characteristic verification include:

Confirming that the system's operating temperature range envelopes the range of temperatures expected in the plant (including interior cabinet temperatures) and understand any effects on system operation from changes in temperature.

Confirming that the Waterford humidity range to which the system will be exposed is within system tolerance and understand any effects on system operation from changes in humidity.

Confirming that the system's radiation limits are in accordance with system requirements.

Confirming the system testing for susceptibility to electrostatic discharge (ESD) events, or, as many electrical engineers are recommending, restricting the end user and require that appropriate ESD protection methods be employed when transporting, installing, storing or working on the system.

Evaluating the heat released by the system and any needs for ventilation, cooling, or heating.

Confirming that the system is designed considering RF frequencies in use at Waterford to minimize interference, i.e. test the system for Electromagnetic Compatibility (EMC), which includes radiated and conducted susceptibility and emissions.

The CPC/CEAC system is safety related, designated Class 1E. Equipment which is not safety related is designated as non-safety related. Non-safety related equipment shall be physically separated and electrically isolated from Class 1E, safety related equipment, in accordance with the Waterford licensing basis. In instances where electrical signals are used as inputs to the CPC/CEAC System, the non-safety related signals are electrically isolated from the CPC/CEAC system. In instances where CPC/CEAC signals are used as inputs to non-safety related equipment, such as annunciators and operator display devices, the CPC/CEAC signals shall be electrically isolated from the non-safety related equipment.

The non-safety related equipment shall not interact with adjacent safety related equipment. Westinghouse shall seismically qualify the safety related (Seismic Category 1) equipment in accordance with the Waterford licensing basis. The seismic qualification of Class 1E equipment (replacement CPCS) located within the support structure (racks, cabinets) shall be determined by either test or analysis. The tests shall demonstrate both structural integrity and functional operability.

The replacement APC MUX and cabinet fans shall meet seismic 2/1 criteria.

Design inputs and/or Critical Characteristics, Cyber Security (Reference 23), Software Quality Assurance (Reference 24) or other design requirements specific to the procurement of the CPCS are evaluated in the CPP. This includes critical characteristics to be verified during construction of the CPCS modification. Critical characteristics will be verified during factory testing and V&V activities, which will bound the design requirements.

Oversight of critical characteristics utilizes the following vendor oversight activities:

Conducting vendor audits and quality surveillances

Reviewing Westinghouse design output documents

Participating in Factory Acceptance Testing

Conducting Site Acceptance Testing

Observing or witnessing specific vendor activities

Capturing issues in Waterford/Westinghouse corrective action programs

2. Design Artifacts

The Design Artifacts are the set of design output documents described in the Westinghouse procurement documentation. These documents are generated in accordance with the Westinghouse SPM, which is NRC-approved. Examples of design artifacts include: System Requirements Specification (SyRS), Software Requirements Specification (SRS), Availability Analysis, Licensing Technical Report (LTR).

Waterford engineering procedures and processes provide the review framework for these design documents. Entergy procedure EN-DC-149, Acceptance of Vendor Documents, provides the process to be used to control the receipt, distribution, review, and revision of applicable technical vendor documents. Note: applicability to EN-DC-149 is determined based on the use of the Westinghouse design artifact. If the design artifact is used as direct design input, the document will be reviewed and approved in accordance with EN-DC-149. However, if the document is only a reference, that document will be reviewed as part of the overall design artifact review but will not be reviewed and approved in accordance with EN-DC-149.

This process:

Ensures review by appropriate departments and disciplines,

Ensures that affected documents, programs, and data bases are updated,

Ensures that the vendor is in compliance with the design specification and purchase order,

Ensures the document is consistent with plant licensing and design basis, and

Ensures technical review is performed based on the risk ranking of the project documents.

In addition, Entergy is utilizing the independent third-party review (ITPR) process for critical design artifacts (e.g., SyRS, SRS, LTR, etc.). This independent review, by industry subject matter experts, allows:

• Entergy to provide additional, independent oversight of the Westinghouse products
• Entergy to receive independent feedback on the quality of their vendor oversight of Westinghouse design artifacts

Oversight of the design artifacts utilizes the following vendor oversight activities:

• Conducting vendor audits
• Reviewing Westinghouse design output documents (e.g., specifications, drawings, analyses)
• Providing input to and review/confirmation of specific vendor activities and related information items
• Coordinating multi-disciplined interactions between various stakeholders
• Capturing issues in Waterford/Westinghouse corrective action programs

Of particular note, Entergy verifies that Waterford-specific requirements in the System Requirements Specification (SyRS) are correct, understandable, unambiguous, fulfill the purchase specification and are developed in accordance with the Software Program Manual section 10.2.1. Any requirements that are adopted without modification from 00000-ICE-30158 Revision 14 are validated using Requirements Phase IV&V and Design Phase IV&V audits by comparing to Requirements Traceability Matrix (RTM), factory acceptance testing and site acceptance testing, including a system validation test.

3. Programmatic Elements

The Programmatic Elements include the vendor's programs and processes relevant to the project. The elements of the system lifecycle are described in the Westinghouse SPM (Reference 9). The SPM describes the requirements for the software design and development process including the software/hardware interface. The SPM also describes the requirements for the use of software in Common Q systems.

The following SPM plans are developed:

• Software Safety Plan, which identifies the processes that will reasonably assure that safety-critical software does not have hazards that could jeopardize the health and safety of the public.
• Software Quality Assurance Plan (SQAP), which describes the process and practice of developing and using software. The SQAP addresses standards, conventions, reviews, exception reporting and other software quality issues.
• Software Verification and Validation Plan (SVVP), which describes the method of assuring correctness of the software.
• Software Configuration Management Plan (SCMP), which describes the method of maintaining the software in an identifiable state at all times.
• Software Test Plan, which describes the method for testing software.

Some of these SPM plans will have project-specific instances (i.e., SVVP, SCMP, and Software Test Plan). These project-specific plans will be evaluated to ensure they are developed in accordance with the SPM.

The SPM describes the software lifecycle phases as:

• Concept
• Requirements Analysis
• Design
• Implementation or Coding
• Test
• Installation and Checkout
• Operation and Maintenance
• Retirement

Throughout the Westinghouse software life-cycle, a software requirements traceability analysis (RTA) will be performed by Westinghouse and a requirements traceability matrix (RTM) maintained for each system. The Westinghouse design team shall be responsible for the RTM to the point of identifying the code satisfying the requirement, and the Westinghouse IV&V team shall be responsible for adding information to the RTM related to testing that it performs. The IV&V team shall be responsible for the RTA. The IV&V team shall review the RTM for the adequacy and accuracy of the software requirements tracing.

Entergy will verify that Westinghouse follows the V&V requirements in the NRC-approved Common Q SPM, WCAP-16096, for Requirements Traceability Analysis (RTA). A review of the Westinghouse documentation as described in the following statements will be performed to determine the effectiveness of the Westinghouse IV&V efforts.

Problems identified by the V&V effort are documented and tracked through resolution, together with any action items required to mitigate or eliminate each problem. A record is kept of actions taken in response to the action items and the appropriate configuration management activities are performed.

Entergy will verify that requirements traceability, created by the design engineers, provides linkage between each requirement imposed on the software or logic by the system requirements document into appropriate system documents and into software functional and detailed design and into software and system testing. The traceability provides a means to trace requirements both forwards between predecessor and successor documents and backwards from successor documents back up to the predecessor documents. Traceability is updated and extended as design, implementation and validation take place. Traceability is verified to be complete at the completion of each lifecycle activity group. Traceability extends from the system requirements and design through the software and logic requirements, design, implementation, integration, unit testing, module testing, software integration testing, and system integration testing. Westinghouse's software lifecycle defines the level of detail, software tools, and methodology to be used.

In parallel to the review of the Westinghouse IV&V, the DOORS output RTM documents will be reviewed to verify that all requirements from the design documents have been addressed.

The current version of the Requirements Traceability Matrix for the Core Protection Calculator System Upgrade project, WNA-RTM-00076-CWTR3, will be reviewed to ensure the system design RTM details are correctly addressed in this document to demonstrate the fulfilment of the technical and process requirements for the Core Protection Calculator System upgrade as specified in the Entergy purchase specification, SPEC-18-00005-W, "Core Protection Calculator Purchase Specification."
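The forward and backward traceability review described above can be partly mechanized. The following is an added illustration, not Entergy's or Westinghouse's tooling and not the DOORS export format; the column names, requirement identifiers and file names are constructed for the example. It checks a tabular RTM for requirements with no successor artifact, entries that trace back to no system requirement, and completeness up to a chosen lifecycle activity group.

```python
import csv
import io

# Lifecycle activity groups in order, each mapped to the RTM column that must
# be populated once that group is complete. Column names are assumptions.
PHASES = [
    ("requirements", "syrs_parent"),
    ("design", "design_ref"),
    ("implementation", "code_ref"),
    ("test", "test_ref"),
]

# Constructed system-level requirement identifiers (hypothetical).
SYSTEM_REQS = {"SyRS-001", "SyRS-002", "SyRS-003"}

# Constructed RTM export (hypothetical identifiers and file names).
RTM_CSV = """\
srs_id,syrs_parent,design_ref,code_ref,test_ref
SRS-010,SyRS-001,SDD-4.1,unit_a.c,TC-101
SRS-011,SyRS-001,SDD-4.2,,
SRS-012,SyRS-002,,unit_b.c,TC-103
SRS-013,SyRS-009,SDD-4.4,unit_c.c,TC-104
"""


def load_rtm(text):
    """Parse the RTM export into a list of dicts with whitespace stripped."""
    return [
        {key: (value or "").strip() for key, value in row.items()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def audit_rtm(rows, system_reqs, through_phase):
    """Return traceability findings for all activity groups up to through_phase."""
    names = [name for name, _ in PHASES]
    if through_phase not in names:
        raise ValueError(f"unknown lifecycle phase: {through_phase}")
    due = PHASES[: names.index(through_phase) + 1]

    findings = {
        "forward_gaps": [],        # requirement lacks a successor that is due
        "backward_orphans": [],    # row traces back to no known system requirement
        "broken_chains": [],       # later artifact exists but an earlier link is empty
        "untraced_system_reqs": [],  # system requirement with no software requirement
    }
    covered_parents = set()

    for row in rows:
        rid = row["srs_id"]
        parent = row["syrs_parent"]

        # Backward trace: successor must point at a real predecessor.
        if parent in system_reqs:
            covered_parents.add(parent)
        else:
            findings["backward_orphans"].append((rid, parent or "<none>"))

        # Forward trace: every activity group that is due needs its artifact.
        for phase, column in due[1:]:
            if not row[column]:
                findings["forward_gaps"].append((rid, phase))

        # Chain integrity: code or tests recorded while an earlier link is empty.
        filled = [bool(row[column]) for _, column in PHASES]
        if False in filled and any(filled[filled.index(False):]):
            findings["broken_chains"].append(rid)

    findings["untraced_system_reqs"] = sorted(system_reqs - covered_parents)
    return findings


def is_complete(findings):
    """Traceability is complete only when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    for phase in ("design", "test"):
        result = audit_rtm(load_rtm(RTM_CSV), SYSTEM_REQS, phase)
        print(phase, "complete" if is_complete(result) else "incomplete")
        for kind, items in result.items():
            print("  ", kind, items)
```

Running the audit once per activity group mirrors the statement that traceability is verified to be complete at the completion of each lifecycle activity group.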

Reviews will be performed of verification and validation (V&V) for each applicable lifecycle phase for each plan through Test. The Installation and Checkout, Operations and Maintenance, and Retirement phases are Entergy's responsibility and are not included in the scope of the VOP. However, per SPM PSAI #4, Entergy will review the Westinghouse Technical Manual, provided in accordance with Reference 1, to verify it satisfies the requirements for the Software Operations Plan per the Common Q SPM.

Oversight of the programmatic elements utilizes the following vendor oversight activities:

• Conducting vendor audits
• Reviewing Westinghouse design output documents
• Providing input to and review/confirmation of specific vendor activities and related information items
• Observing or witnessing specific vendor activities
• Participating directly in specific vendor activities
• Coordinating multi-disciplined interactions between various stakeholders
• Capturing issues in Waterford/Westinghouse corrective action programs

The VOP provides acceptance criteria related to the following important system development topics. Example acceptance criteria are provided in sub-bullets below:

• Quality Assurance
  o Ensure that Westinghouse complies with the requirements of Appendix B to 10 CFR Part 50 and 10 CFR Part 21 to control the quality of safety-related materials, equipment, and services,
  o Ensure the Software Quality Assurance (SQA) program in accordance with the SPM is effective in controlling the software development process to assure quality, and meets the commitments described in the LAR for SQA.

• Configuration Management
  o Ensure that the Westinghouse Configuration Management Release Reports identify, name, and describe the documented physical and functional characteristics of the code, specifications, design, and data elements to be controlled for the project. Verify that Westinghouse follows the configuration management process in the NRC-approved Common Q SPM.

• Software Verification and Validation (V&V)
  o Verify that Westinghouse follows the V&V requirements in the NRC-approved Common Q SPM. The description of the software V&V processes will address the following:
    - V&V organization responsibilities,
    - V&V processes, activities, and tasks,
    - V&V reporting,
    - V&V administrative controls for anomaly resolution and reporting, task iteration policy, and deviation policy, and
    - V&V test documentation.

• Software Safety
  o Verify that documentation exists to show that the safety analysis activities have been successfully accomplished for each life cycle activity group. In particular, the documentation will show that:
    - System safety requirements have been adequately addressed for each activity group,
    - No new hazards have been introduced; that the software or logic requirements, design elements, and code elements that can affect safety have been identified, and
    - All other software or logic requirements, design, and code elements will not adversely affect safety.

• Secure Development Environment
  o Verify that Westinghouse has a development environment that complies with the requirements of the NRC-approved Common Q SPM, Section 12. SDE documentation exists for key attributes including:
    - Having a method for identifying the origin of critical components and ensuring that all critical asset components are compliant with the supplier's security requirements and free of counterfeits.

• Cyber Security
  o Verify that all known cyber security vulnerabilities of the operating system, vendor's software, firmware, or hardware are remediated or a description of why the vulnerability is not a concern for the system as installed is supplied.

• Software Lifecycle Processes
  o Verify that Westinghouse plans and performs application software lifecycle activities in a traceable and orderly manner in accordance with the SPM. The VOP evaluates the following lifecycle areas:
    - Software Requirements - Ensure that project requirements are examined, understandable, and unambiguous. Reference is made to applicable drawings, specifications, codes, standards, regulations, procedures or instructions. Verify that security requirements are specified commensurate with the risk from unauthorized access or use. The requirements traceability shows where in the software or application logic design the required action is being performed, as well as providing traceability back to the system requirements that generated these software requirements.
    - Software Design - Verify that the architecture is sufficiently detailed to allow for understanding the operation, flow of data, and the deterministic nature of the software or logic. Verify the technical adequacy of the design and ensure internal completeness, consistency, clarity, and correctness of the software design. In addition, the software or logic design specification will be reviewed to determine that it is understandable and traceable to the software requirements. While the software design will consider the operating environment, measures to mitigate the consequences of problems will also be an integral part of the design.

• Hardware Requirements
  o Verify the hardware is designed and manufactured to meet the physical and functional requirements described in the procurement specification, SyRS(s), and design documents and drawings.

• Plant Specific Action Items (PSAIs)
  o Ensure that PSAIs identified in the Topical Reports and further discussed in the Licensing Technical Report (LTR), are addressed as described in the LAR.

Entergy engineering procedures and processes provide the review framework for these design documents. Entergy procedure EN-DC-149, Acceptance of Vendor Documents, provides the process to be used to control the receipt, distribution, review, and revision of technical vendor documents (Reference 18). This process:

• Ensures review by appropriate departments and disciplines
• Ensures that affected documents, programs, and data bases are updated
• Ensures that the vendor is in compliance with the design specification and purchase order
• Ensures the document is consistent with plant licensing and design basis
• Ensures technical review is performed based on the risk ranking of the project documents

6. Implement Appropriate Oversight Methods

As discussed in Section 4 above, vendor oversight is based on risk factors. Therefore, the amount and specific focus of the oversight activities vary as the project evolves.

Oversight of Westinghouse occurs based on the various Risk Factors (VOP Section 5) and Performance Measures (VOP Section 6). Waterford may adjust the risk factors as the project progresses.

LOW RISK factors indicate continued use of routine oversight methods, such as:

• Periodic Audits
• Periodic Surveillances
• Routine Design Reviews
• Routine Project Meetings

MODERATE RISK factors indicate a need for supplemental oversight methods, such as:

• Increased surveillance frequency
• Interim design reviews
• Challenge boards
• Increased frequency of project meetings

HIGH RISK factors indicate a need for extraordinary oversight methods, such as:

• Placement of oversight staff inside the vendor's organization
• Management intervention
• Stop work order and implement recovery plan

7. Perform Corrective Actions

Condition reports for entry into the corrective action program document vendor performance or quality that is in question. The following conditions, as a minimum, trigger a condition report:

• Westinghouse noncompliance with Westinghouse's own quality program, software processes, or hardware processes
• Nuclear safety may be adversely impacted if the digital item is installed and operated
• Unit generation may be adversely impacted if the digital item is installed and operated
• Digital item quality simply cannot be assured
• Digital item quality cannot be assured without a significant project delay
• Digital item quality is not assured, and identical or similar digital items are already installed in the facility, in other applications, and are considered operable or available
• Westinghouse has been awarded other Entergy POs or contracts to deliver other digital items, and performance measures indicate that the quality of the other items may not be assured

If the Waterford project team identifies performance issues, oversight would be enhanced to include:

• Periodic meetings to discuss and resolve issues
• Additional technical reviews or surveillances
• Management Intervention
• Stop work and implement recovery plan

8. Documentation

Per the EPRI DEG, for high consequence and high technology configurability, vendor oversight must be documented. Through DI&C-ISG-06 and public interactions, the NRC has expressed an interest in vendor oversight. Documentation would help provide assurance to the NRC, during an inspection, that Waterford has been conducting oversight of Westinghouse through the system development lifecycle.

Vendor oversight can be documented through multiple methods:

• Formal audit plans/reports
• Comments/feedback on design artifacts through the owner acceptance engineering process
• Teleconference notes
• Emails
• Written correspondence between Waterford and Westinghouse

Note that documentation format may vary but the content will provide the vendor oversight level of detail and corrective actions (if any).

9. Attachments

The VOP includes attachments for:

• CPCS Replacement Project Division of Responsibility
• CPCS Replacement Project Organization Chart
  o Entergy CPCS Project Organization Chart
  o Westinghouse CPCS Project Organization Chart

10. References
1. Entergy procurement documents including Contract 10575450-01
2. American Society of Mechanical Engineers (ASME), NQA-1:2015, Quality Assurance Requirements for Nuclear Facility Applications
3. EPRI Technical Report 3002011816, Digital Engineering Guide (DEG)
4. EN-QV-108, QA Surveillance Process
5. SPEC-18-00005-W, Rev 0
6. CPCS Replacement Project Critical Procurement Project (CPP), CPP-WF3-2019-002 (WTWF3-2019-00236)
7. NRC DI&C-ISG-06, Licensing Process, Revision 2
8. EPRI Topical Report 1011710, Handbook for Evaluating Critical Digital Equipment and Systems
9. WCAP-16096, Westinghouse Software Program Manual (SPM) for Common Q Systems
10. WCAP-16097, Westinghouse Common Qualified Platform Topical Report
11. CWTR3-19-21 R2, Attachment 1, Compliance Matrix
12. NMM procedure EN-PM-100, Conduct of Project Management
13. NMM procedure EN-MP-100, Critical Procurements
14. IEEE Std. 1028, Standard for Software Requirements and Audits
15. IEEE Std. 344-1975, Seismic Qualification of Equipment for Nuclear Power Generating Stations
16. RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Revision 3
17. CWTR3-19-23, Westinghouse Cyber Security Compliance Matrix
18. NMM procedure EN-DC-149, Acceptance of Vendor Documents
19. NMM procedure EN-DC-115, Engineering Change Process
20. NMM procedure EN-DC-163, Human Factors Evaluation
21. EN-LI-102, Corrective Action Program
22. EN-DC-117, Post Modification Testing and Special Instructions
23. EN-IT-103, Nuclear Cyber Security Program
24. EN-IT-104, Software Quality Assurance Program
25. EN-DC-126, Engineering Calculation Process
26. EN-DC-147, Engineering Reports
27. EN-HU-104, Technical Task Risk & Rigor
28. EN-OM-132, Nuclear Risk Management Process
29. EN-FAP-PM-004, Project Implementation - Segment 3 & 4
30. Entergy Quality Assurance Program Manual, Rev 39, Effective July 16, 2020

Attachment 3 to Enclosure 1 W3F1-2021-0041 Westinghouse Letter CAW-21-5188, Affidavit, Proprietary Information Notice, and Copyright in support of Enclosure 1, "Response to NRC Requests for Additional Information"

Westinghouse Non-Proprietary Class 3 CAW-21-5188 Page 1 of 3

COMMONWEALTH OF PENNSYLVANIA:

COUNTY OF BUTLER:

(1) I, Anthony J. Schoedel, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2) I am requesting the proprietary portions of CWTR3-RPS-RF-L1-000001, Revision 0 be withheld from public disclosure under 10 CFR 2.390.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4) Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii) The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouse's knowledge, is not available in public sources.

(iii) Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a document should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

(5) Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

Attachment 4 to Enclosure 1 W3F1-2021-0041 Westinghouse Letter CAW-21-5183, Affidavit, Proprietary Information Notice, and Copyright in support of Attachment 2, EQ-QR-412-CWTR3, Revision 2

Westinghouse Non-Proprietary Class 3 CAW-21-5183 Page 1 of 3

COMMONWEALTH OF PENNSYLVANIA:

COUNTY OF BUTLER:

(1) I, Anthony J. Schoedel, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2) I am requesting the proprietary portions of EQ-QR-412-CWTR3, Revision 2 be withheld from public disclosure under 10 CFR 2.390.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4) Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii) The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouse's knowledge, is not available in public sources.

(iii) Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a document should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

• This record was final approved on 5/11/2021 11:50:44 AM. (This statement was added by the PRIME system upon its validation)

(5) Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.


(6) The attached submittal contains proprietary information throughout, for the reasons set forth in Sections 5(a) and (c) of this Affidavit. Accordingly, a redacted version would be of no value to the public.

I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on: [handwritten date illegible in source]

Anthony J. Schoedel, Manager
Licensing Engineering


Enclosure 2 to W3F1-2021-0041

Response to NRC Requests for Additional Information

Non-proprietary

BACKGROUND

By letter W3F1-2020-0038 dated July 23, 2020, as supplemented by letters W3F1-2021-0002, W3F1-2021-0015, W3F1-2021-0025, and W3F1-2021-0026 dated January 22 and 29, and March 5 and 19, 2021, respectively (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML20205L588, ML21024A005, ML21029A156, ML21064A535, and ML21082A393, respectively), Entergy Operations, Inc. (the licensee) applied for a license amendment to Renewed Facility Operating License NPF-38 for the Waterford Steam Electric Station, Unit 3 (Waterford 3). The proposed amendment would revise Waterford 3 Technical Specifications (TS) in order to implement a modification replacing an existing digital core protection calculator system (CPCS). Based on its review of the application, the U.S. Nuclear Regulatory Commission (NRC) staff determined that, to complete its review, it needs a response to its request for additional information (RAI) in Section 2 below.

The NRC staff has been using an "open item" (OI) process (ADAMS Accession No. ML20289A267) to support the licensing review and identify potential RAIs. The RAIs below reference OI numbers discussed during partially closed meetings held on September 22, October 21, and November 4 and 18, 2020; and January 6 and 21, February 3 and 17, and March 3 and 17, 2021. The NRC maintains OIs in a spreadsheet that is attached to the meetings summaries dated October 22, and December 17, 2020; February 19 and 22, and April 1, 2, and 8, 2021 (ADAMS Accession Nos. ML20288A742, ML20315A267, ML20325A321, ML20325A241, ML21032A013, ML21039A268, ML21071A286, ML21075A032, and ML21085A865, respectively).

The NRC has also audited various licensee documents to support its licensing review and identify potential RAIs. The NRC's audit plan dated October 1, 2020, as supplemented by email dated March 22, 2021, is in ADAMS at Accession Nos. ML20268B324 and ML21084A255, respectively. RAIs generated from the audit are included in Section 2.

Diversity and Defense-in-Depth (DID)

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999 (Waterford 3 received its construction permit on November 14, 1974), Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," Section 50.55a(h), "Protection and safety systems," requires protection systems to meet the requirements in Institute of Electrical and Electronic Engineers (IEEE) Standard (Std) 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," or the requirements in IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995.

General Design Criterion 22, "Protection system independence," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50 states:

The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated April 2, 1993 (ADAMS Accession No. ML003708021), Item II.Q, as clarified by Staff Requirements Memorandum (SRM)-SECY-93-087 (ADAMS Accession No. ML003708056), Item 18, describes the NRC position concerning defense against potential common-mode failures in digital instrumentation and controls (I&C) systems. NRC Branch Technical Position 7-19, Revision 7, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems Review Responsibilities," of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition (SRP)," dated August 2016 (ADAMS Accession No. ML16019A344), provides guidance to NRC staff for evaluating an applicant's diversity and DID assessment, design, and the design of manual controls and displays to ensure conformance with the NRC position on diversity and DID and to confirm that the licensee has reasonably addressed vulnerabilities to common-cause failures.

RAI-01 (DID, OI-35.1)

The licensee's licensing technical report (LTR), LTR-TA-19-154, "Waterford 3 Core Protection Calculator System Safety Function Table," Table A-1, identifies fifteen events described in Chapter 15 of the Updated Final Safety Analysis Report (UFSAR) that credit the Waterford 3 CPCS. The NRC staff requests the licensee to confirm that the events described in the UFSAR that credit the CPCS trips are limited to those events listed in LTR-TA-19-154, Table A-1. This RAI corresponds to OI 35.1.

Entergy Operations, Inc. (Entergy) Response

The purpose of LTR-TA-19-154 is to identify the Chapter 15 events for which the Waterford Steam Electric Station, Unit 3 (Waterford 3) Core Protection Calculator System (CPCS) responds. It is an independently reviewed engineering analysis, and as such the references listed in LTR-TA-19-154 are the sources of information to inform the analysis. Thus, the events described in the Updated Final Safety Analysis Report (UFSAR) that credit the CPCS trips are limited to those events listed in LTR-TA-19-154, Table A-1.

RAI-02 (DID, OI-35.2)

The NRC staff requests the licensee to identify the backup safety-related analog trip for each of the fifteen Chapter 15 events (discussed in the previous RAI) that credit the CPCS. If a backup analog trip does not exist for a specific event, then the NRC staff requests the licensee to identify if an alarm or other means is provided so that the licensee can take manual actions to cope with the event. This RAI corresponds to OI 35.2.

Entergy Response

Entergy provided LTR-TA-21-17 Revision 1, "Waterford 3 CPCS Safety Function Table - PPS Backup" in letter W3F1-2021-0026, dated March 19, 2021 (ADAMS Accession No. ML21082A393). LTR-TA-21-17, Revision 1 identifies the backup safety-related analog trips for each of the events that credit the CPCS. In all cases, a backup safety-related analog trip exists except for the CEA Misoperation - Single Rod Drop / CEA Sub-group Drop event. The single CEA and subgroup drop events do not generate a reactor trip.

Equipment Qualification (EQ)

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999 (Waterford 3 received its construction permit on November 14, 1974), 10 CFR 50.55a(h) requires protection systems to meet the requirements in IEEE Std 279-1968, IEEE Std 279-1971, or IEEE Std 603-1991, and the correction sheet dated January 30, 1995.

In its license amendment request (LAR), the licensee indicated that the CPCS design meets certain clauses in IEEE Std 603-1991. Clause 5.4 of IEEE Std 603-1991 requires, in part, that safety system equipment shall be qualified by type test, previous operating experience, analysis, or any combination of these three methods to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis.

A similar clause is IEEE Std 279-1971, Clause 4.4, "Equipment Qualification," which the LTR states is in the licensee's current licensing basis.

RAI-03 (EQ, OI-31)

In its LAR supplement dated January 22, 2021, the licensee provided the report, EQ-QR-412-CWTR3, Revision 1, "Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3," which provides EQ testing results for various equipment. The report states that some project devices, such as the Auxiliary Protective Cabinet multiplexer, analog input module AI688, analog output module AO650, and the 24-volt direct current core protection calculator (CPC) power supply assembly, failed to comply with certain EQ testing requirements. The NRC staff understands that the licensee developed new tests. The NRC staff requests the licensee to describe the resolution of the failure of electromagnetic compatibility EQ testing for applicable project equipment. This RAI corresponds to OI 31.

Entergy Response

The supplemental EMC testing is summarized in EQ-QR-412-CWTR3, "Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3," and was performed to address: 1) variations in signal cable shield grounding for the AI688 and AO650 cards, and 2) a revision to one of the power supplies.

Previous testing performed on the AI688 and AO650 cards showed compliance with the electromagnetic compatibility (EMC) requirements of NRC Regulatory Guide (RG) 1.180, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," Revision 1. However, review of the installation at Waterford 3 identified that the plant installation was inconsistent with the previous test program configuration that was going to be credited for qualification. Therefore, the previous EMC test data could not be credited for the Waterford 3 installation and the EMC tests that were applicable to the AI688 and AO650 cards were repeated with the signal cable shields terminated consistent with the Waterford 3 installation. Test programs are typically performed generically, starting with the most severe test levels identified in RG 1.180 in order to facilitate the potential use of the test data for varying installation scenarios. Susceptibility observed during testing is characterized and addressed either by physical restriction (e.g., installation restriction to maintain the cabinet doors closed during operation) or threshold testing (i.e., the test level is reduced to achieve acceptable results and the reduced level becomes an installation restriction). The test results summarized in EQ-QR-412-CWTR3 confirm compliance with the requirements of RG 1.180 subject to the installation restrictions identified to provide an effective protection match consistent with the severity of the environment.

Additionally, one of the 24V power supplies that had been previously EMC qualified was also subjected to supplemental testing. The revision of the power supply that was identified to be used in the Waterford 3 upgrade was an updated version of the power supply that had been subjected to testing. The revision to the power supply could not be justified without additional testing of the potentially affected functions. Therefore, the revised power supply was subjected to supplemental testing as summarized in EQ-QR-412-CWTR3. Similar to the testing performed on the AI688 and AO650 cards, the tests on the power supply were performed starting with the most severe test levels identified in RG 1.180 to support varying installation scenarios. The EMC tests performed on the updated power supply confirmed acceptable performance with the identified installation restrictions summarized in EQ-QR-412-CWTR3 to provide an effective protection match consistent with the severity of the environment.

Note that there were no EMC issues with the Auxiliary Protective Cabinet multiplexer during the EMC test program; no supplemental testing was performed.

RAI-04 (EQ, OI-33)

In its LAR supplement dated January 22, 2021, the licensee provided the report, EQ-QR-412-CWTR3, Revision 1, which describes various EQ tests. The NRC staff finds that the project equipment under test is different for the electromagnetic compatibility, environmental, and seismic testing. The NRC staff understands that some devices were already qualified and not included in the equipment under test. The NRC staff requests the licensee to explain why the equipment under test is different for the three different types of EQ testing. This RAI corresponds to OI 33.

Entergy Response

Most of the CPCS equipment listed in Table 2.1-1 of EQ-QR-412-CWTR3 was qualified by prior Westinghouse Electric Company (Westinghouse) test programs. Discussion of prior qualification is documented in Section 3 of EQ-QR-412-CWTR3.

For the equipment that required new testing for the Waterford 3 application, some equipment was tested as complete assemblies, including the APC MUX and AC power distribution panel.

In other cases, individual components were tested based on the change from the assemblies previously qualified, such as the surge suppressor on the DC power distribution panel. Some of these individual components only required specific testing and did not need to be included in all three phases of testing.

For example, the surge suppressor only required EMC testing; seismic and environmental testing were justified by similarity to the previously qualified surge suppressor originally used in the DC power distribution panel. Additionally, the line filter and other components had to be moved from the AC power distribution panel to a separate panel. The separate line filter panel was then included in the subsequent seismic test while the EMC and environmental tests only list the AC power panel with a note discussing the modifications to that panel.

RAI-05 (EQ, OI-31, 33)

The NRC staff requests the licensee to provide the latest revision of EQ-QR-412-CWTR3 (if not Revision 1) as an attachment to the RAI response.

Entergy Response

The latest revision of EQ-QR-412-CWTR3 is Revision 2. Attachment 1 to this enclosure provides EQ-QR-412-CWTR3, Revision 2.

RAI-06 (LTR, various OIs)

The licensee provided WCAP 18484, "Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System," in an attachment to its license amendment request (LAR). The LTR describes how the licensee intends to meet the applicable regulatory criteria and review guidance in NRC's Digital Instrumentation and Controls (I&C)-Interim Staff Guidance (ISG) 06, Revision 2, "Licensing Process," dated December 2018 (ADAMS Accession No. ML18269A259). The licensee provided the NRC, via a web-based audit portal, a draft LTR update, which would address various OIs when submitted formally to the NRC. The NRC staff requests the licensee to provide the "final" version of the LTR as a supplement to the LAR.

Entergy Response

Entergy will provide the final version of the LTR at a later date, as specified in the RAI.

Response Times (RT)

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999 (Waterford 3 received its construction permit on November 14, 1974), 10 CFR 50.55a(h) requires protection systems to meet the requirements in IEEE Std 279-1968, IEEE Std 279-1971, or IEEE Std 603-1991 and the correction sheet dated January 30, 1995. In its LAR, the licensee indicated that the CPCS design meets applicable clauses in IEEE Std 603-1991. Clause 5.5, "System Integrity," of IEEE Std 603-1991, requires that the safety system be designed to accomplish its safety functions under the full range of application conditions enumerated in the design basis. A similar clause, Clause 4.5, "Channel Integrity," is in IEEE Std 279-1971, which the LTR states is in the licensee's current licensing basis.

RAI-07 (RT, OI-17)

Section 3.2.6, "CPCS Design Function," of Attachment 4 to the LAR, describes the estimated impact of the CPCS delay time on thermal margin degradation. This section of the LAR indicates that the basis for the estimate is the control element assembly (CEA) rod drop time LAR (ADAMS Accession Nos. ML15197A106 and ML15226A346)2 submitted in 2015 that increased the CEA rod drop time in the safety analysis by an additional 200 milliseconds (ms) because of a hold coil delay that needed to be accounted for. The licensee's method for the CPCS delay time estimate on thermal margin results extrapolates the thermal margin degradation of the CEA rod drop for a 200-ms delay with the increase in CPCS response times.

The NRC staff requests the licensee to:

a) explain the acceptability of the extrapolation method used to estimate the effect of the CPCS delay time on thermal margin degradation, and the methods that will be used for performing the reload analysis. This RAI corresponds to OIs 17.1 and 17.1.1.

b) identify and justify the values of the CPCS delay times used in the thermal margin estimate for each of the applicable transients and accidents listed in Table 3.2.6-1 of Attachment 4 to the LAR. This RAI corresponds to OI 17.2.

c) discuss the actions to ensure that the values of the CPCS delay time used in the thermal margin estimate are the limiting values applicable to Waterford 3 when the CPCS is installed for operation. The NRC staff also requests the licensee to clarify the adequacy of the response time requirements specified in the reference design in terms of the thermal limits (i.e., departure from nuclear boiling ratio and linear heat generation rate) calculation. This RAI corresponds to OIs 17.3 and 17.3.1.

d) explain whether the CPCS delay time values used in the thermal margin estimate are limiting values. If not, then explain the actions taken to ensure that the thermal margin estimate for the preinstalled CPCS condition is acceptable. This RAI corresponds to OI 17.4.

2 The NRC approved License Amendment No. 246 for Waterford 3 on November 13, 2015 (ADAMS Accession No. ML15289A143).

Entergy Response

a) Entergy letters W3F1-2015-0040 (Reference 1) and W3F1-2015-0061 (Reference 2) submitted a license amendment request (LAR) to increase control element assembly drop time. This request was approved under Waterford 3 license amendment 246 (Reference 3).

Entergy letter W3F1-2015-0061 provided the limiting events results with a control element assembly drop time increase of 200 milliseconds. The results in W3F1-2015-0040 and W3F1-2015-0061 can be used to extrapolate the new CPCS time impacts on the analysis results. The letter W3F1-2015-0061 showed small changes for the 200 milliseconds and within the acceptance limits. It is reasonable to use the same extrapolation to judge that the analysis results will remain within the acceptance limits (i.e., the largest delay is 53.5 msec).

In addition, the reload analyses will incorporate the new CPC response times to ensure the accident analyses thermal margin requirements cover any analysis impacts under the reload 10 CFR 50.59 review.

References:

a. Entergy letter to NRC, "License Amendment Request to Revise Control Element Assembly Drop Times," (W3F1-2015-0040), (ML15197A106), dated July 2, 2015
b. Entergy letter to NRC, "Supplement to Revise Control Element Assembly Drop Times Associated with Technical Specification 3.1.3.4," (W3F1-2015-0061), (ML15226A346), dated August 14, 2015
c. NRC letter to Entergy, "Waterford Steam Electric Station, Unit 3 - Issuance of Amendment Re: Changes to Technical Specification 3.1.3.4 Regarding Control Element Assembly Drop Times (CAC NO. MF6459)," (ML15289A143), dated November 13, 2015

b) The identification and justification for the CPCS delay time values in the thermal margin estimate for each applicable transient and accident listed in Table 3.2.6-1 is documented in Westinghouse letter LTR-GIC-20-003, "Waterford 3 CPCS Response Time Information for FSAR and Technical Specification" [ML21095A193]. A second Westinghouse document, WNA-CN-00572-CWTR3, "Core Protection Calculator System Response Time Calculation" provides the response time calculation for the Waterford 3 CPCS (ML21095A193).

c) LTR Section 3.2.6 states, "As part of the normal fuel reload process, Waterford runs the safety analysis of record with the Waterford 3 CPCS calculated response times to validate that acceptable margin is maintained. It is the fuel reload process performed under 10 CFR 50.59 that evaluates the results of the rerun of the safety analysis prior to core reload." If the results become more limiting, the analyses results will be evaluated against the 10 CFR 50.59 criteria. If the 10 CFR 50.59 criteria require NRC approval, then a new submittal will be generated. Based upon previous analysis impacts, it is expected that the response time changes will be covered in the reload under 50.59.

In addition, Entergy described the Westinghouse reload process in response to NRC RAI-8 in letter W3F1-2015-0062 (Reference 1).

LTR-GIC-20-003 (ML21095A193) correlates the response time calculated in WNA-CN-00572-CWTR3 (ML21095A193) to the various CPCS trips. LTR-GIC-20-003 describes the adequacy of the new response time requirements. After further investigation, Entergy determined that the revised calculated response times are not bounded by the reference design, and the Waterford 3 CPCS System Requirements Specification, WNA-DS-04517-CWTR3, needed to specify these new response time requirements. A Westinghouse Corrective Action Issue Report (IR-2020-11971) was issued. A new Revision 5 of WNA-DS-04517-CWTR3 with the new response time requirements has been submitted to the NRC (ML21024A005).

Other than updating the revision of WNA-DS-04517-CWTR3 to Revision 5, the LTR is not impacted because it only referred to the Palo Verde Nuclear Generating Station (PVNGS) response times, and stated that Waterford 3-specific response times would be calculated.

Reference:

1. Entergy letter to NRC, "Control Element Assembly Drop Times Submittal Request for Additional Information," (W3F1-2015-0062), (ML15268A019), dated September 23, 2015

d) The CPCS delay time values used in the thermal margin estimate are not the limiting values for the Waterford 3 CPCS. The limiting values for the CPCS response times are defined in the Waterford 3 CPCS System Requirements Specification, WNA-DS-04517-CWTR3, Revision 5 (ML21024A005), Table 2.4.1.3-1 under the heading "CPCS Maximum Permitted Response Time (Seconds)." These values are the acceptance criteria for response time testing performed during the CPCS Factory Acceptance Test. These values correlate to the times in LTR-GIC-20-003, Table 2, Column 1 (ML21095A193).

RAI-08 (RT, OI-36.1)

In its LAR supplement dated March 5, 2021, the licensee provided the report, LTR-GIC-20-003, Revision 1, "Waterford 3 CPCS Response Time Information for FSAR [Final Safety Analysis Report] and Technical Specification," in which Table 2 identifies the proposed response times to be used in the safety analysis. Table 2.4.1.3-1, "CPCS Response Times," in the report WNA-DS-04517-CWTR3, Revision 5, "System Requirements Specification for the Core Protection Calculator System," identifies the minimum CPCS response times to be used in the safety analysis. Some of the response times identified in Table 2.4.1.3-1 are lower than those identified in LTR-GIC-20-003. The NRC staff requests the licensee to identify which response times will be used for the proposed safety analysis criteria. This RAI corresponds to OI 36.1.

Entergy Response

((

))a, c (CAW-21-5188)

Software Development (SD)

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999 (Waterford 3 received its construction permit on November 14, 1974), 10 CFR 50.55a(h) requires protection systems to meet the requirements in IEEE Std 279-1968, IEEE Std 279-1971, or IEEE Std 603-1991 and the correction sheet dated January 30, 1995. In its LAR, the licensee indicated that the CPCS design meets applicable clauses in IEEE Std 603-1991. Clause 5.5, "System Integrity," of IEEE Std 603-1991, requires that the safety system be designed to accomplish its safety functions under the full range of application conditions enumerated in the design basis. A similar clause, Clause 4.5, "Channel Integrity," is in IEEE Std 279-1971, which the LTR states is in the licensee's current licensing basis.

The acceptance criterion for testing activities is contained in the SRP, Branch Technical Position 7-14, Revision 6, "Guidance on Software Reviews for Digital Computer Based Instrumentation and Control Systems," Section B.3.2.4, "Acceptance Criteria for Testing Activities," (ADAMS Accession No. ML16019A308).

RAI-09 (SD, OI 41)

The NRC staff audited WNA-PD-00594-CWTR3, "Software Development Plan for the Core Protection Calculator," Revision 2. Section 5.5, "Software Test Plan," of WNA-PD-00594-CWTR3 states that the Waterford 3 Test Plan is derived from the Common Q Software Program Manual (SPM), Section 7, and provides a reference for the Waterford 3-specific test plan, WNA-PT-00303-CWTR3, "Test Plan for the Common Q Core Protection Calculator System."

However, the LTR does not mention the use of a Waterford 3-specific test plan. Section 5.2.9 of the LTR states, "Testing will be conducted in accordance with the Common Q SPM, Section 7 describing the levels of testing of the software modules and units (e.g., MTP [maintenance and test panel] and OM [operator module]) culminating with an integrated system test. Section 7 of the SPM also describes the methodology for response time testing."

The NRC staff requests the licensee to (1) explain how WNA-PT-00303-CWTR3 is derived from the SPM, Section 7, and (2) how WNA-PT-00303-CWTR3 will be used in conjunction with Section 7 of the SPM. This RAI corresponds to OI 41.

Entergy Response

(3) WNA-PT-00303-CWTR3, "Test Plan for the Common Q Core Protection Calculator System," identifies that it will address the Integration Test, System Validation Test, and Factory Acceptance Test (FAT) portions of the Common Q testing sequence by reperforming the same set of tests that were conducted for the reference design (PVNGS CPCS). These correspond to the Level 3 and Level 4 testing levels specified in Software Program Manual (SPM), Table 7.3-1. The software component testing (i.e., Module Test and Unit Test) that correspond to Level 1 and Level 2 of Table 7.3-1 are considered satisfied through the reference plant except for those modules revised as a result of changes for the Waterford 3 CPCS project. Note that some Unit Testing will be reperformed as part of the Level 3 and 4 testing (e.g., OM and MTP display testing). In regards to SPM Exhibit 7-1, all of the initial test program is intended to be completed in full. From a system level testing perspective, this is being treated as a first application and any applicable system testing will be performed. There will be no sampling or reduction in scope (i.e., Westinghouse is not making any use of n-th of a kind methods).

(4) WNA-PT-00303-CWTR3 is the implementation test plan for the Waterford 3 CPCS project that must meet the criteria in SPM Section 7.

Technical Specifications (TSs)

The regulations in 10 CFR 50.90, "Application for amendment of license, construction permit, or early site permit," 10 CFR 50.34, "Contents of applications; technical information"; and 10 CFR 50.36, "Technical specifications," require that whenever a holder of an operating license under this part desires to amend the license, the application for an amendment must fully describe the changes desired and follow the form prescribed for original applications, including proposed TSs. To ensure that the amendment contains the correct TSs, the NRC staff requests the following information.

RAI-10 (TS, OI-19)

The cover page for Attachment 2 to the LAR lists TS page 3/4 2-6a as a clean TS page; however, the mark-up and submitted clean TS page is numbered 3/4 2-6 rather than 3/4 2-6a. The NRC staff requests the licensee to confirm that the page number (3/4 2-6a) listed in the cover page was a typographical error and that 3/4 2-6 is the correct page number. This RAI corresponds to OI 19.

Entergy Response

The Attachment 2 cover page contains a typographical error in the list of pages included. Page "3/4 2-6a" is in error. The Attachment 2 list entry should be "3/4 2-6". Entergy provided a revised version of the Attachment 2 list entry in letter dated May 21, 2021 (ML21141A000).

RAI-11 (TS, OI-20)

The cover page of Attachment 1 to the LAR lists TS page 3/4 10-2 as having markups; however, the marked up version of this page is not provided in the LAR. The cover page of Attachment 2 lists page 3/4 10-2, however, a clean version of this page is not included in Attachment 2. The NRC staff requests the licensee to confirm whether it intended to propose changes to this TS page and, if so, to provide the proposed marked up and clean TS pages, as applicable. This RAI corresponds to OI 20.

Entergy Response

TS 3.10.2 is being revised in four places to replace "Functional Unit 15" with "Functional Unit 9c". This is purely editorial as a result of the changes to TS 2.2.1 and 3.3.1, which redesignated the CPCs as Functional Unit 9c in Tables 2.2-1 and 3.3-1.

The markup and clean copies of TS page 3/4 10-2 were inadvertently omitted from the LAR submittal. Entergy provided the omitted markup and clean TS pages in letter dated May 21, 2021 (ML21141A000).

Vendor Oversight Plan (VOP)

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999 (Waterford 3 received its construction permit on November 14, 1974), 10 CFR 50.55a(h) requires protection systems to meet the requirements in IEEE Std 279-1968, IEEE Std 279-1971, or IEEE Std 603-1991 and the correction sheet dated January 30, 1995.

Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50, provides quality assurance requirements that shall be applied to the design, fabrication, construction, and testing of the structures, systems, and components.

Revision 2 of ISG-06 defines the licensing process used to support the review of LARs associated with safety-related digital I&C equipment modifications in operating plants. The Alternate Review Process described in ISG-06, Revision 2, allows the NRC staff to decide whether to approve a LAR after the system design is completed and evaluated but before the system has been built and factory acceptance testing completed. Acceptability of the application-specific digital I&C platform system is partially based on the licensee's oversight and evaluation of the vendor's digital I&C system development process activities, as described in the licensee's VOP and VOP Summary.

The licensee submitted the report, WF3F1-2021-0015, "CPC Replacement Project Vendor Oversight Plan (VOP) Summary," Revision 1, in Attachment 14 of its LAR. The VOP Summary identifies the sections of the VOP and summarizes how the VOP will ensure the licensee's oversight of its vendor's (Westinghouse Electric Company, LLC (WEC)'s) involvement (e.g., hardware, software, design documentation, and licensing documentation) in the CPCS replacement project. The NRC staff reviewed Revision 1 of the VOP Summary to verify that its described activities will ensure that all process and technical regulatory requirements will be met, and that there is reasonable assurance that the digital systems will be appropriately developed, implemented, and tested with appropriate vendor oversight by the licensee.

RAI-12 (VOP, OI 38)

The licensee's execution of the VOP, as described in the LAR, as supplemented, provides confidence that the licensee will verify that its vendor executes the project consistent with the LAR, and provides reasonable assurance that the as-built and tested CPCS will continue to meet the design and quality regulatory requirements of 10 CFR 50.55a(h), via IEEE Stds 279-1971 and 603-1991, and applicable criteria in Appendix B to 10 CFR Part 50.

The NRC staff audited VOP-WF3-2019-00236, "WF3 Core Protection Calculator System Replacement Project Vendor Oversight Plan," Revision 3, to identify details supporting the VOP Summary's description of vendor oversight activities and associated processes to perform these activities. However, the licensee does not describe in its LAR the change control requirements for the VOP. Therefore, the NRC staff does not have sufficient information to determine whether the VOP will be executed as described in the LAR, with reasonable assurance that controls are in place to prevent changes in the oversight activities identified in the VOP version audited by the NRC staff and the corresponding VOP Summary version reviewed by the staff that could invalidate the NRC staff's safety conclusions.

In response to OI 38, the licensee stated, in part:

The Vendor Oversight Plan (VOP) will be updated to provide wording to notify personnel of the need to review the approved Safety Evaluation Report (SER) prior to approval of changes to the document. The VOP will then be formally loaded into the Entergy document control system as an engineering controlled document via the Engineering Change process, which is governed by existing Entergy procedure EN-DC-115. Future changes to the VOP would require an Engineering Change, and as part of that change process, personnel would review the SER per added wording in the VOP to ensure non-conservative changes are not made (i.e., non-conservative changes refer to changes that reduce Entergy's oversight of vendor actions or ability to meet both the process and technical regulatory requirements).

The NRC staff requests the licensee to provide this OI response in a supplement to its LAR and to clarify whether the VOP will be classified as a design document for safety-related systems that is controlled under the Quality Assurance Program (QAP) for Waterford 3 and, therefore, will be subject to the engineering change control process under the QAP. This RAI corresponds to OI 38.

Entergy Response

Entergy has revised VOP-WF3-2019-00236, "WF3 Core Protection Calculator System Replacement Project Vendor Oversight Plan," (i.e., Revision 4) to add a note to the Signature Form to document that an Engineering Change is required to update the document once the NRC Safety Evaluation is approved. In addition, the note states that the approved Safety Evaluation must be reviewed to ensure bases or requirements are not adversely impacted by changes. VOP-WF3-2019-00236, Revision 4 will be captured as a quality-related document in the Entergy document control system. Therefore, any change to this document will fall under the Entergy QA program using existing procedures, thus ensuring the document is revised, reviewed and approved under those established processes and procedures.

The Vendor Oversight Plan (VOP) Summary, Revision 2 reflects the above change and is provided in Attachment 2 of this enclosure.

RAI-13 (VOP, OI 6(b), OI 9(c), OI 10, OI 27, OI 30.1)

Appendix B, Criterion III, "Design Control," of 10 CFR Part 50, requires, in part, that quality standards be specified and that design control measures shall provide for verifying or checking the adequacy of design. Appendix B, Criterion VII, "Control of Purchased Material, Equipment, and Services," requires, in part, that measures be established to assure that purchased material, equipment, and services from contractors (e.g., vendors) conform to procurement documents.

The licensee submitted the report, WNA-DS-04517-CWTR3, as part of its LAR. This document identifies the system requirements for the Waterford 3 CPCS. WNA-DS-04517-CWTR3 states that each requirement adopted without modification from Westinghouse Specification 00000-ICE-30158, "System Requirements Specification for the Common Q Core Protection Calculator System," Revision 14, applies to the Waterford 3 CPCS. When there is a difference between the requirements in 00000-ICE-30158, Revision 14 and the Waterford 3 CPCS functional requirements, WNA-DS-04517-CWTR3 identifies how the requirements in 00000-ICE-30158, Revision 14 were modified for the Waterford 3 CPCS.

The NRC staff audited VOP-WF3-2019-00236 to identify details supporting the VOP Summary's description of vendor oversight activities and associated processes to perform these activities.

The NRC staff observed that the VOP and VOP Summary did not adequately describe how the licensee will ensure that its vendor has verified each requirement in WNA-DS-04517-CWTR3 during implementation of the CPCS system development lifecycle and, thus, how the licensee meets the requirements of Criterion III and Criterion VII of Appendix B to 10 CFR Part 50 and how the CPCS system meets the requirements of Clause 4.3 of IEEE Std 279-1971 and Clause 5.3 of IEEE Std 603-1991. Therefore, the NRC staff requests the licensee to (1) confirm it has revised the VOP to provide information regarding how the system requirements within WNA-DS-04517-CWTR3 that were adopted without modification from 00000-ICE-30158, Revision 14, will be verified, including tested as part of factory acceptance testing, by the licensee's vendor oversight activities, and (2) supplement the LAR with the corresponding changes to the VOP Summary to reflect these VOP changes. This RAI corresponds to OI 6(b), OI 9(c), and OI 30.1.

Entergy Response

00000-ICE-30158, Rev 14, "System Requirements Specification for the Common Q Core Protection Calculator System," is the basis document for WNA-DS-04517-CWTR3, "System Requirements Specification for the Core Protection Calculator System." WNA-DS-04517-CWTR3 is the delta document for Waterford 3. Requirements traceability is to WNA-DS-04517-CWTR3. WNA-DS-04517-CWTR3 includes sections of 00000-ICE-30158, Rev 14, by reference, which are those sections that were not specifically shown as being modified, added, or deleted. These applicable or unchanged sections of 00000-ICE-30158, Rev 14, were reviewed when WNA-DS-04517-CWTR3, Rev 0, was reviewed and approved for owner's acceptance, in accordance with EN-DC-149, "Acceptance of Vendor Documents." Entergy reviewed 00000-ICE-30158 Rev 14 against WNA-DS-04517-CWTR3, Revision 5. Any design requirements from 00000-ICE-30158, Rev 14, that were not identified in WNA-DS-04517-CWTR3, Rev 5, will be reviewed against the Requirements Traceability Matrix during the Requirements Phase Independent Verification and Validation (IV&V) VOP Audit, and the Design Phase IV&V VOP Audit. This review will determine if these requirements are included as part of another document, such as WNA-DS-04618-CWTR3, or if a requirement will need to be added to WNA-DS-04517-CWTR3.

Based on the regression analysis for n-th of a kind systems described in WCAP-16096-P, "Software Program Manual for Common Q Systems," the only requirements traceability will be for the modified Waterford 3 software.

A regression analysis of the software is at a lower level of review than doing a regression analysis of the System Requirements Specification, and Entergy considered this review to be of greater value than a document review since this includes the complete implementation of any changes. Entergy performed a regression analysis VOP audit of the current PVNGS code (release 6.7), which was the baseline for the Waterford 3 project, to the PVNGS initial code (release 5.0) to confirm the SPM was followed for design quality, requirements traceability, and IV&V including testing.

00000-ICE-30158, Rev 7 to Rev 13, were not specifically reviewed or audited, since these were not credited for any vendor oversight activity or project activity. The VOP audit of the regression analysis of the software was considered by Entergy to be the best method to assess the difference from the Palo Verde software to be used as the baseline for the Waterford 3 software.

VOP-WF3-2019-00236, Revision 4, provides additional detail on how Entergy validates System Requirements Specification requirements that are adopted without modification from 00000-ICE-30158, Revision 14. These changes are also reflected in the VOP Summary, Revision 2, contained in Attachment 2 to this enclosure.

RAI-14 (VOP, OI 21, OI 30.2)

In its LAR, the licensee stated that the CPCS design meets applicable clauses in IEEE Std 603-1991, which has the following clauses:

Clause 5.4, "Equipment Qualification," requires that safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. A similar clause, Clause 4.4, "Equipment Qualification," is in IEEE Std 279-1971, which the LTR states is in the licensee's current licensing basis.

Clause 5.5, "System Integrity," requires that the safety system be designed to accomplish its safety functions under the full range of application conditions enumerated in the design basis. A similar clause, Clause 4.5, "Channel Integrity," is in IEEE Std 279-1971, which the LTR states is in the licensee's current licensing basis.

Clause 5.6.1, "Independence Between Redundant Portions of a Safety System," requires, in part, that redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function. A similar clause, Clause 4.6, "Channel Independence," is in IEEE Std 279-1971, which the LTR states is in the licensee's current licensing basis.

Clause 5.6.3, "Independence Between Safety Systems and Other Systems," requires, in part, that the safety system design shall be such that credible failures in and consequential actions by other systems shall not prevent the safety systems from meeting the requirements of this standard. A similar clause, Clause 4.7, "Control and Protection System Interaction," is in IEEE Std 279-1971, which the LTR states is in the licensee's current licensing basis.

Criterion III of Appendix B to 10 CFR Part 50 requires, in part, that quality standards be specified and that design control measures shall provide for verifying or checking the adequacy of design. Criterion VII requires, in part, that measures be established to assure that purchased material, equipment, and services from contractors (e.g., vendors) conform to procurement documents.

Section 5, "Determine Performance Measures and Acceptance Criteria," of the VOP Summary identifies physical, performance, environmental, and cyber as critical characteristics that, once verified, will provide reasonable assurance that the system will perform its intended critical functions. Section 5 of the VOP Summary identifies the oversight activities that will be performed to verify these critical characteristics.

The NRC staff audited VOP-WF3-2019-00236, Revision 3, to verify details supporting the VOP Summary's description of the VOP. Section 7 of the VOP provided detailed descriptions of each type of critical characteristic. In addition, for performance characteristics, the VOP identified a list of functions that will be confirmed as a minimum for the CPCS project. The NRC staff reviewed this list of functions and did not find the central processing unit (CPU) load design restrictions for the CPCS project as functions that will be verified by the licensee under this list.

As stated in Section 3.2.7.2.7 of WCAP-18484-P, (( )) Therefore, verifying that the CPCS meets the CPU load restrictions is critical for ensuring deterministic behavior of the CPCS. As such, the CPU load restriction is a critical characteristic that the licensee should specifically verify in the as-built CPCS in order to demonstrate that the complete designed, implemented, and tested CPCS meets the deterministic behavior criteria in Clause 5.5 of IEEE Std 603-1991 and Clause 4.5 of IEEE Std 279-1971.

In addition, the VOP Summary does not contain sufficient information regarding the description of the environmental, performance, and physical characteristics necessary for the NRC staff to conclude that the complete designed, implemented, and tested CPCS meets the standards in Clauses 5.4, 5.5, 5.6.1, and 5.6.3 of IEEE Std 603-1991, and the corresponding Clauses 4.4, 4.6, and 4.7, respectively, in IEEE Std 279-1971. Specifically, the VOP Summary does not provide a description of:

the environmental characteristics that the licensee will verify as part of the VOP's vendor oversight activities, the CPU load design restrictions and the response time and throughput for the system as performance characteristics that the licensee will verify as part of the VOP's vendor oversight activities, and the physical characteristics that the licensee will verify as part of the VOP's vendor oversight activities.

Therefore, the NRC staff requests the licensee to (1) provide descriptions and examples of functions that it will verify as part of its vendor oversight activities in accordance with Criterion III and Criterion VII of Appendix B to 10 CFR Part 50, for environmental, performance, and physical characteristics within the VOP Summary; (2) confirm it has revised the VOP to include the deterministic performance attributes (e.g., CPU load design restrictions) as a critical characteristic; and (3) supplement the LAR with the corresponding changes to the VOP Summary to reflect these VOP changes, to demonstrate the complete designed, implemented, and tested CPCS meets Clause 5.5 of IEEE Std 603-1991 and Clause 4.5 of IEEE Std 279-1971. This RAI corresponds to OI 21 and OI 30.2.

Entergy Response

VOP Summary, Revision 2, which is included as Attachment 2 to this enclosure, provides detailed examples of physical critical characteristic, performance critical characteristic and environmental critical characteristic verification from the VOP document.

VOP-WF3-2019-00236, Revision 4 includes the CPU load design restriction as a key example of a performance critical characteristic that will be verified.

VOP Summary Revision 2 reflects the changes made to VOP Revision 4 to demonstrate that the complete designed, implemented and tested CPCS complies with Clause 5.5 of IEEE Standard 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and Clause 4.5 of IEEE Standard 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations."

RAI-15 (VOP, OI 39)

Appendix B, Criterion III of 10 CFR Part 50 requires, in part, that quality standards be specified and that design control measures shall provide for verifying or checking the adequacy of design.

Appendix B, Criterion VII requires, in part, that measures be established to assure that purchased material, equipment, and services from contractors (e.g., vendors) conform to procurement documents.

The NRC staff audited VOP-WF3-2019-00236, Revision 3, to identify details supporting the VOP Summary's description of vendor oversight activities and associated processes to perform these activities. During this audit, the NRC staff also verified whether the licensee's performance of the vendor oversight activities for the requirements phase of the CPCS development lifecycle was conducted in accordance with the VOP. The NRC staff had the following observations during the audit:

5. The description of oversight activities related to independent verification and validation (V&V) is distributed over various sections of the VOP. As a result, the VOP does not describe consistently the planned oversight activities of the vendor's independent V&V tasks and reports for each phase of the CPCS development lifecycle.
6. The terminology used regarding requirements traceability analysis within the VOP does not distinguish between the traceability activities that will be performed by the licensee and the independent V&V activities performed by the vendor.
7. The VOP does not clearly distinguish between design artifacts that would be audited by the licensee and those that would be reviewed and accepted in accordance with the licensee's procedures, EN-DC-149, "Acceptance of Vendor Documents."
8. The numbering scheme used in the VOP does not allow for oversight activity topics and associated descriptions within each topic to be clearly identifiable.

Because, in part, of the issues identified in these observations, it appears that the licensee had not yet performed certain oversight activities related to vendor independent V&V tasks and outputs for the requirements phase of the CPCS development lifecycle. The VOP Summary is derived from the content of the VOP and, as such, these observations also apply to the VOP Summary. During the audit, the licensee expressed its intention to address the issues identified in the observations. Therefore, the NRC staff requests the licensee to (1) confirm that it has revised the VOP to address the issues identified in the above four observations, and (2) supplement the LAR with the corresponding changes to the VOP Summary to reflect the VOP changes, to demonstrate that the VOP and VOP Summary contain clear and consistent descriptions of vendor oversight activities to meet the requirements of Criterion III and Criterion VII of Appendix B to 10 CFR Part 50.

Entergy Response

5. VOP-WF3-2019-00236, Revision 4 updates the descriptions of independent verification and validation (V&V) to consistently describe the planned oversight activities.
6. VOP-WF3-2019-00236 Revision 4 adds a detailed Requirements Traceability Analysis V&V section to distinguish between the traceability activities that will be performed by the licensee and the independent V&V activities performed by the vendor. Additionally, a Software V&V section is also added to clarify V&V in different life cycle phases.
7. VOP-WF3-2019-00236 Revision 4 updates the Design Artifacts section to distinguish when design artifacts are reviewed and accepted in accordance with EN-DC-149.
8. VOP-WF3-2019-00236 Revision 4 updates the numbering scheme throughout the document to allow for oversight activity topics and associated descriptions within each topic to be identifiable and more easily referenced.

VOP Summary, Revision 2 (i.e., Attachment 2 to this enclosure) reflects the applicable VOP-WF3-2019-00236 Revision 4 changes to meet the requirements of Criterion III and VII of Appendix B to 10 CFR Part 50.