ML24208A159
| ML24208A159 | |
| Person / Time | |
|---|---|
| Site: | Limerick  |
| Issue date: | 07/25/2024 |
| From: | Marshall M Plant Licensing Branch 1 |
| To: | Rhoades D Constellation Energy Generation |
| Klett, AL | |
| Shared Package | |
| ML24208A166 | List: |
| References | |
| EPID L-2022-LLA-0140 | |
| Download: ML24208A159 (1) | |
Text
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION July 25, 2024 David P. Rhoades Senior Vice President Constellation Energy Generation, LLC President and Chief Nuclear Officer Constellation Nuclear 4300 Winfield Road Warrenville, IL60555
SUBJECT:
LIMERICK GENERATION STATION, UNITS 1 AND 2 - REGULATORY AUDIT PLAN SUPPORTING REVIEW OF THE SYSTEM DEVELOPMENT PORTION OF LIMERICK DIGITAL INSTRUMENTATION AND CONTROLS LICENSE AMENDMENT REQUEST (EPID L-2022-LLA-0140)
Dear David Rhoades:
By letter dated September 26, 2022 (non-publicly available), as supplemented by letters dated August 12, 2022 (Agencywide Documents Access and Management System Accession No. ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141),
February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324), April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),
September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),
March 7, 2024 (ML24067A294), March 18, 2024 (ML24078A275), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114), and June 29, 2024 (ML24180A157), Constellation Energy Generation, LLC (the licensee) submitted license amendment requests (LARs) to replace the Limerick Generating Station, Units 1 and 2 (Limerick) existing safety-related analog control systems with a single digital control system called plant protection system. The supplement dated September 12, 2023, replaces in its entirety the original LARs dated September 26, 2023. The licensee replaced the original submittal because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made all of the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 26, 2023, the content of the replacement and the original are the same.
The proposed amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) plant protection system to replace analog instrumentation of reactor protection system, analog nuclear steam supply shutoff system, emergency core cooling system, reactor core isolation cooling system, and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments to this letter contains Proprietary Information. When separated from, this letter is DECONTROLLED.
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.
The U.S. NRC staff has determined that a regulatory audit is needed to assist in the review of the Limerick digital I&C LARs. This audit will be focused on the digital I&C system development and vendor oversight portion of the LAR. The regulatory audit will be conducted remotely between August 19 and August 30, 2024. Additional details for the audit are in the enclosed audit plan.
The NRC has determined that the audit plan contains proprietary information pursuant to Title 10 of the Code of Federal Regulations Section 2.390, Public inspections, exemptions, requests for withholding. The proprietary information is indicated by text enclosed within double brackets. Accordingly, the NRC staff has also prepared a non-proprietary publicly available version of the audit plan, which is provided as Enclosure 2. The proprietary version of the audit plan is provided as Enclosure 1.
If you have any questions, please contact me by telephone at 301-415-2871 or by e-mail to michael.marshall@nrc.gov.
Sincerely,
/RA/
Michael L. Marshall, Jr., Senior Project Manager Plant Licensing Branch 1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-352 and50-353
Enclosures:
- 1. Audit Plan (Proprietary)
- 2. Audit Plan (Non-Proprietary)
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION AUDIT PLAN FOR SYSTEM DEVELOPMENT PORTION OF LIMERICK DIGITAL INSTRUMENTATION AND CONTROLS LICENSE AMENDMENT REQUEST CONSTELLATION ENERGY GENERATION, LLC LIMERICK GENERATING STATION, UNITS 1 AND 2 DOCKET NOS. 50-352 AND 50-353
1.0 BACKGROUND
By letter dated September 26, 2023 (Agencywide Documents Access and Management System Accession No. ML22269A569; non-public), as supplemented by letters dated August 12, 2022 (ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141),
February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324), April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),
September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),
March 7, 2024 (ML24067A294), March 18, 2024 (ML24078A275), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114), and June 29, 2024 (ML24180A157), Constellation Energy Generation, LLC (Constellation; the licensee) submitted license amendment requests (LARs) to replace the Limerick Generating Station, Units 1 and 2 (Limerick) existing safety-related analog control systems with a single digital control system called plant protection system (PPS). The supplement dated September 12, 2023, replaces in its entirety the original LARs dated September 26, 2023. The licensee replaced the original submittal because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made all of the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 26, 2023, the content of the replacement and the original are the same.
The proposed amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) PPS to replace analog instrumentation of reactor protection system, analog nuclear steam supply shutoff system, emergency core cooling system, reactor core isolation cooling system, and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, eliminate the automatic isolation function for the turbine enclosure main steam line tunnel
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION temperature high indication, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.
The Limerick PPS is based on the NRC-approved Westinghouse Electric Company (Westinghouse) Common Q platform topical report, Revision 5 (ML21140A101). Section 5 of the licensing technical report (LTR) states that Westinghouse will be using the NRC-approved Common Q software program manual (SPM) topical report, Revision 5.1 (ML21146A203), as the framework for the design and development of the Common Q-based Limerick PPS replacement.
The SPM specifies the life cycle planning process for Common Q application software and the procedures and controls for the complete software development process for software to be developed for use with the Common Q platform in nuclear safety applications. The SPM includes processes for software project management, quality assurance, independent verification and validation (IV&V), and configuration management. Section 5.1.1 of the LTR, Plant Specific Action Item 1, further states that the Limerick PPS software development plan does not identify any alternatives to the Common Q SPM for the Limerick digital modernization project.
The licensee submitted a vendor oversight plan (VOP) summary as part of the LAR. The VOP summary states that Constellation developed a VOP for the Limerick digital modernization project to ensure that Westinghouse executes the project consistent with:
Constellation specification and procurement documents The Constellation Appendix B quality assurance program The NRC-approved Westinghouse SPM The Westinghouse Appendix B quality assurance program Section 5 of the VOP Summary states that vendor inspections [performed by the licensee] are classified as either routine or reactive. Routine inspections are pre-planned and scheduled throughout the software development life cycle to verify the vendor activities or products are in accordance with the requirements in the Constellation specification and Westinghouse SPM.
Reactive inspections are conducted in response to allegations, previous inspection nonconformances, or other information indicating the possibility that vendors are not meeting performance requirements.
From May 6, 2024, to May 10, 2024, the NRC staff conducted an inspection at the Westinghouse facilities in Warrendale, PA (ML24169A203). The purpose of this limited-scope routine inspection was to assess Westinghouses compliance with provisions of Title 10 of the Code of Federal Regulations (10 CFR) Part 21, Reporting of Defects and Noncompliance, and selected portions of Appendix B, Quality Assurance Program Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities. This inspection evaluated WECs implementation of the quality activities as they pertain to Westinghouses activities to support the development of the Limerick PPS.
During this inspection, the staff sampled corrective action program issue reports (CAP-IRs).
((
))
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION The NRC staff has determined that a regulatory audit is needed to assist in the review of the Limerick digital I&C LAR. This audit will be focused on the digital I&C system development and VOP summary portions of the LAR. This regulatory audit will enable the NRC staff to gain understanding, verify information, and identify information that may be required to support a safety determination in its safety evaluation.
The NRC staffs review of the digital I&C system development portion of the LAR includes the project management, quality assurance, IV&V, and configuration management for the Limerick digital modernization projects as stated in the above LAR. The NRC staffs review of the VOP summary portion of the LAR includes design control, corrective actions, and control of purchased material, equipment, and services.
2.0 REGULATORY AUDIT BASES A regulatory audit is a planned license activity that includes the examination and evaluation of primarily non-docketed information. The audit is conducted with the intent to gain understanding, to verify information, and to identify information that will require docketing to support the basis of a licensing or regulatory decision. Performing a regulatory audit is expected to assist the NRC staff in efficiently conducting its review and gaining insights to the licensees processes and procedures. Information that the NRC staff relies upon to make the safety determination must be submitted on the docket. This audit will be conducted in accordance with NRR Office Instruction LIC-111, Regulatory Audits, Revision 1, dated October 2019 (ML19226A274). This audit is being conducted to support the NRC staffs review of the Limerick digital I&C license amendment request. It should be noted that this audit is in addition to the ongoing open item audit being conducted remotely.
Regulations relevant to the NRC staffs review of the digital I&C system development and VOP summary portions of the LAR include:
Appendix A, General Design Criteria for Nuclear Power Plants, General Design Criterion (GDC) 1, Quality standards and records, of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities, which states, in part, structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.
Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, of 10 CFR Part 50:
o Criterion III, Design Control, which states, in part, that measures shall be established to assure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2 and as specified in the license application, for those structures, systems, and components to which Appendix B to 10 CFR Part 50
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION applies, are correctly translated into specifications, drawings, procedures, and instructions.
o Criterion V, Instructions, Procedures, and Drawings, which states that activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances and shall be accomplished in accordance with these instructions, procedures, or drawings. Instructions, procedures, or drawings shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.
o Criterion VII, Control of Purchased Material, Equipment, and Services, which states, in part, that measures shall be established to assure that purchased material, equipment, and services, whether purchased directly or through contractors and subcontractors, conform to the procurement documents. These measures shall include provisions, as appropriate, for source evaluation and selection, objective evidence of quality furnished by the contractor or subcontractor, inspection at the contractor or subcontractor source, and examination of products upon delivery.
Documentary evidence that material and equipment conform to the procurement requirements shall be available at the nuclear power plant site prior to installation or use of such material and equipment.
o Criterion XVI, Corrective Action, which states that measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected. In the case of significant conditions adverse to quality, the measures shall assure that the cause of the condition is determined, and corrective action taken to preclude repetition. The identification of the significant condition adverse to quality, the cause of the condition, and the corrective action taken shall be documented and reported to appropriate levels of management.
For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, Section 50.55a(h), Protection and safety systems, of 10 CFR Part 50, requires protection systems to meet the requirements in Institute of Electrical and Electronic Engineers (IEEE) Standard (Std) 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, or the requirements in IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. Limerick received construction permits on May 19, 1974.
IEEE Std 279-1971 is included in the licensing basis for Limerick, and as stated in the LAR will not change the Limerick licensing basis. Clause 4.3 of IEEE Std 279-1971, Quality of Components and Modules states that:
Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels shall be achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test.
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION 3.0 PURPOSE AND SCOPE The NRC staff will review non-docketed plans, procedures, and records related to the system development and vendor oversight for the digital modification described in the LAR. The audit scope includes the Limerick PPS project management, quality assurance, IV&V, configuration management, and vendor oversight.
If needed, the NRC staff will discuss the overall digital I&C system development process and plans utilized by Constellation and its contractors (e.g., Westinghouse).
The regulatory guidance (RG) that the NRC staff plan to use for the audit activities are:
Standard Review Plan, Branch Technical Position (BTP) 7-14, Guidance on Software Reviews for Digital Computer Based Instrumentation and Control Systems.
RG 1.152, Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations.
RG 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, IEEE Std 1012, IEEE Standard for Software Verification and Validation, and IEEE Std 1028, IEEE Standard for Software Reviews and Audits.
RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 828, IEEE Standard for Configuration Management in Systems and Software Engineering.
RG 1.170, Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 829, IEEE Standard for Software and System Test Documentation.
RG 1.171, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 1008, IEEE Standard for Software Unit Testing.
RG 1.172, Software Requirement Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 830, IEEE Recommended Practice for Software Requirements Specifications.
RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 1074, IEEE Standard for Developing a Software Project Life Cycle Process.
This guidance was used by the NRC staff to review the approved topical report.
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION 4.0 INFORMATION AND OTHER MATERIAL NECESSARY FOR THE REGULATORY AUDIT For each documentation request identified below, please upload a list of applicable documents by August 5, 2024 to an online portal (see special request section of this plan). After the lists of documents have been uploaded, the staff requests a walk-through to understand how the listed documents address the information requests on August 7, 2024. The staff will then provide a detailed list of requested documents by August 8, 2024. The requested documents should be uploaded by August 14, 2024 to an online portal.
Project Management Processes:
o Documentation to demonstrate that the Limerick PPS project risk has been managed in accordance with Section 8 of WPMR-PMP-2020-000076, Limerick Generating Station (LGS) Plant Protection System (PPS) Digital Modernization Project (DMP) Project Management Plan, Revision 3. At a minimum, this should include documentation that demonstrates the performance of: (1) problem identification, (2) impact assessment, and (3) development of risk-mitigation plans for risks that have the potential to significantly affect system quality goals.
o Documentation to demonstrate that the Tollgate process has been followed, in accordance with Section 1.9 of WPMR-PMP-2020-000076, Revision 3, to ensure ((
)) At a minimum, this should include documentation that demonstrates (1) the use of the waterfall model for software development, and (2) that each life cycle phase is being completed before completion of any subsequent life cycle phase.
o The tollgate checklist documenting the tollgate review acceptance, as described in Section 1.9 of WPMR-PMP-2020-000076, Revision 3.
Project Quality:
o Documentation to demonstrate that the Limerick PPS project meets the software quality assurance requirements as described in the Common Q SPM and WNA-PQ-00538-GLIM, Project Quality Plan, Revision 2. At a minimum, this should include procedures for, and documentation that demonstrates the performance of: (1) Management Reviews, (2) Identification and Reporting of Conditions Adverse to Safety, (3) First of a Kind Project Planning and Oversight (4) Document Control, (5) Quality Records, (6) Design and Development Process, and (7) Design Change Control Process.
Configuration Management:
o Documentation to demonstrate that the Limerick PPS project meets software configuration management requirements as described in the SPM and WNA-PC-00071-GLIM, Limerick Generating Station Plant Protection System Digital Modernization Project Configuration Management Plan, Revision 1. At a minimum, this should include documentation that demonstrates the performance of (1) configuration control, (2) configuration status accounting, and (3) configuration audits and review reports.
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION Independent Verification & Validation:
o The training requirements and qualification records for the IV&V staff involved in the Limerick PPS project, in accordance with Section 2.4 of WNA-PV-00123-GLIM, Plant Protection System Software Verification and Validation Plan, Revision 0.
o Documentation to demonstrate that the Limerick PPS IV&V team has maintained independence from the design team, in accordance with the SPM and Section 2.4 of WNA-PV-00123-GLIM, Revision 0.
o Objective evidence (which includes, but is not limited to records, IV&V analyses and test reports, anomaly dispositions, etc.) that the IV&V team has conducted the activities identified in WNA-PV-00123-GLIM.
Vendor Oversight:
o A list of all the Owners Acceptance Review (OAR) forms for the Limerick PPS project.
o Documentation to demonstrate that Constellation has performed oversight of Westinghouse for the Limericks PPS, in accordance with the VOP summary. At a minimum, this should include (1) audit and inspection reports, including any associated audit/inspection findings and disposition of these findings; and (2) documentation of owners acceptance reviews performed in accordance with CC-AA-103-1003, Owners Acceptance Review of external Engineering Technical Products, for Limerick PPS documents. In addition, letters documenting Constellations oversight activities, including the review of Westinghouse corrective actions should be provided.
5.0 AUDIT TEAM The members of the audit team are:
Samir Darbali, Senior Electronics Engineer, Audit Team Leader William Roggenbrodt, Electronics Engineer, Audit Team Member Deanna Zhang, Senior Reactor Operations Engineer, Audit Team Member Aaron Armstrong, Reactor Operations Engineer, Audit Team Member Michael Marshall, Senior Project Manager, Audit Team Member 6.0 LOGISTICS The audit will start on August 19, 2024, and end on August 30, 2024. The audit will be conducted remotely. During the audit entrance briefing, the NRC staff will provide an overview of the audit plan and discuss the objectives for the audit. During the exit briefing, the NRC staff will provide a summary of the NRC audit and its observations made during the audit. With the exception of the day of the entrance and exit, the NRC staff will meet with the representatives of Constellation each afternoon between 2:00 pm and 4:00 pm to discuss the documents being audited.
OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION The audit team will not remove any non-docketed documents or other materials from the online portal or location of the audit. If the audit team identify information that requires docketing to support the basis for a regulatory decision concerning the review of the Limerick digital I&C license amendment request, the NRC staff will use the request for additional information process.
Any changes in the audit logistics will be coordinated and communicated through NRC project managers that assigned to the review of the Limerick digital I&C LAR.
7.0 SPECIAL REQUEST The NRC staff would like access to the requested documents through an online portal (i.e., electronic portal, ePortal, electronic reading room) that allows the audit team access via the internet. The following conditions associated with the online portal must be maintained throughout the duration that the audit team has access to the online portal:
the online portal will be password-protected, and separate passwords will be assigned to each audit team member the online portal will be sufficiently secure to prevent the audit team from printing, saving, downloading, or collecting any information on the online portal conditions of use of the online portal will be displayed on the login screen and will require acknowledgment by each audit team member The licensee should ensure any information uploaded to the online portal is appropriately marked regarding sensitivity (e.g., proprietary information). NRC staff will confirm with the licensee the sensitivity of any information uploaded to the online portal.
Username and password information should be provided directly to the NRC staff on the audit team. The NRC project managers assigned to the audit team will provide Constellation the names and contact information of the NRC staff who will be participating in the audit. All communications should be coordinated with one of the NRC project managers assigned to the Limerick digital I&C LAR review. The NRCs licensing project manager will inform the licensee via routine communications when the NRC staff no longer needs access to the portal (e.g., 30 days after the end of the audit).
8.0 DELIVERABLES An audit summary, which may be public, will be prepared after the completion of the audit. If the NRC staff identifies information during the audit that is needed to support its regulatory decision, the NRC staff will issue requests for additional information to the licensee.