ML24296B178


FINAL-RAI-10289-R1-Redacted JEXU-1041-1008, Safety System Digital Platform - Meltac
Site: 99902039
Issue date: 10/22/2024
From: Division of Operating Reactor Licensing
To: Mitsubishi Electric Power Products
References: EPID L-2023-TOP-0036


Text

OFFICIAL USE ONLY - PROPRIETARY INFORMATION

REQUEST FOR ADDITIONAL INFORMATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
REVIEW AND APPROVAL OF JEXU-1041-1008, SAFETY SYSTEM DIGITAL PLATFORM - MELTAC
MITSUBISHI MELTAC
DOCKET NO. 99902039
ISSUE DATE: 10/22/2024

RAI-10

Title 10 of the Code of Federal Regulations (10 CFR) 50.55a(h), "Protection and Safety Systems," requires that protection systems must be consistent with their licensing basis or may meet the requirements of the Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. Clause 5.6.1, "Between Redundant Portions of a Safety System," states, in part, that redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function. General Design Criterion (GDC) 22, "Protection system independence," of Appendix A to 10 CFR Part 50 states the following: "The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function."

SRP BTP 7-19, "Guidance for Evaluation of Defense in Depth and Diversity to Address Common-Cause Failure Due to Latent Design Defects in Digital Instrumentation and Control Systems," provides regulatory guidance for addressing the potential of common-cause failures (CCF).

On Page 14 of JEXU-1041-1162, Rev. 0 for Item 4.2 of RG 1.152, Rev. 4 and on Page 32 of JEXU-1041-1018, Rev. 1 for Clause 5.16 of IEEE Std. 7-4.3.2-2016, it states that "Interface parts to the diverse actuation system, which are PIF modules, distribution modules and isolation modules, are not subject to any software CCFs because no software elements are included in these modules."

a. Please confirm if distribution modules have any software elements and clarify where distribution modules are described with no software elements included in the MELTAC Topical Report (TR).
b. As shown in Figure 4.1.2.4 of JEXU-1041-1008, Rev. 3, (( ))

c. On Pages 45 and 47 of JEXU-1041-1018, Rev. 1, it states, in part, that (( )) and is not subject to any software CCFs.

d. On Page 46 of JEXU-1041-1018, Rev. 1, it also states, in part, that (( )). Please clarify if there is any situation in which (( )).

e. In Figure 4.1.2-1 of JEXU-1041-1008, the Terminal Unit is upgraded and used after the PIF module. Please clarify if any software is included or embedded in such upgraded terminal units.
f. Figure 4.3-14 of JEXU-1041-1008 shows that optical cables are used to connect different trains or divisions. However, such optical cables are not found in the lists of modules and components of the MELTAC Topical Report. Please clarify if such optical cables are included as part of the review of the revised Topical Report.


RAI-11

Title 10 of the Code of Federal Regulations (CFR), Section 50.36 requires, in part, that each operating license issued by the U.S. NRC Commission contain technical specifications (TS) that set forth the limits, operating conditions, and other requirements imposed upon facility operation for the protection of public health and safety. BTP 7-17, RG 1.152, Rev. 4 and its endorsed IEEE Std. 7-4.3.2-2016 provide regulatory guidance on how the self-diagnostic features could be credited to either reduce or eliminate the channel operability tests. In Clause 5.9 of IEEE Std. 603-1991 on Control of Access, it states, in part, that the design shall permit the administrative control of access to safety system equipment.

On Page 6 of JEXU-1041-1162, Rev. 0 for Item 1.2.3(b) of RG 1.152, Rev. 4, it states that "The evaluation of whether the self-diagnostics achieve the same acceptance criteria applied to the manual periodical channel operability test, which is an application-specific item, is performed at the application level."

a. There are platform-level self-diagnostics. It is not clear in the above document, JEXU-1041-1162, Rev. 0, whether the applicant wants to credit platform-level self-diagnostics to replace any generic manual surveillance requirement testing. If yes, additional information is requested to demonstrate how the platform-level self-diagnostics could be credited.
b. In Section 4.1.5.7 of JEXU-1041-1008 on Watchdog Timer (WDT), it says that (( )) The new section 4.1.5.5.4 of JEXU-1041-1008 on (( ))

c. On Page 28 of JEXU-1041-1018, it says, in part, that "The access controls requirements are satisfied by the specifications of the MELTAC platform described in Section 4.5 and 6.1.2 of JEXU-1041-1008." The NRC staff found that there is no change made to these two sections.

Please clarify and provide adequate information on how the requirement on the access control is addressed for any applicable new equipment, especially the new EI operation panel (EIOP).


RAI-12

Title 10 of the Code of Federal Regulations (10 CFR) 50.55a(h), "Protection and Safety Systems," requires that protection systems must be consistent with their licensing basis or may meet the requirements of the Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. Clause 5.4, "Equipment Qualification," of IEEE Std 603-1991 states, in part, that safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. MELTAC is a safety system digital platform which shall meet the requirements in the above Clause 5.4.

a. On Page 7 of JEXU-1041-1018 for Clause 5.4 of IEEE Std. 603-1991, it states, in part, that "Appropriate testing is performed according to IEEE Std. 323 to substantiate conformance to the performance requirements as specified in the typical plant design. The MELTAC platform is qualified for the expected transient and steady state conditions at the typical nuclear power plant." On Page 23 of JEXU-1041-1018 for Clause 5.4 of IEEE Std. 7-4.3.2-2016, it also states, in part, that "The MELTAC platform satisfies the equipment qualification testing requirements given in this Clause." The above quoted statements are not accurate at the end of the Phase 1 review and need to be changed accordingly because the qualification for the new and upgraded MELTAC equipment has not been submitted for review. The above statements and any similar sentences in the revised Topical Report and its supporting documents, if applicable, should be revised accordingly.
b. In Section A.4.2.4 on Page 107 of JEXU-1041-1018, it states in the Requirement that "Non-safety control and display stations capable of controlling safety equipment shall be qualified such that when adverse environments such as seismic conditions, EMI/RFI, power surges, and all other design basis conditions applicable to safety-related equipment at the same plant location occur, the non-safety control and display stations shall not produce spurious actuations and shall not have adverse effects upon any safety-related equipment or device as a result of a design basis condition, both during the condition and afterwards." However, NRC staff did not find any information on the qualification of non-safety control and display stations in the topical report and its supporting documents. Please provide adequate information to address this requirement. The above requirement will be treated as a plant-specific action item (PSAI) in the safety evaluation if appropriate information is not submitted.
c. On Page 45 of JEXU-1041-1008, Rev. 3, it states, in part, that "New IPL sub-boards may be required for US applications, due to changes in plant process components, changes in DAS interfaces and changes in priority logic." Please clarify if any new IPL sub-boards are required for applications in the US. If yes, please confirm that such new IPL sub-boards will be included and qualified for the Phase 2 Review of this revised MELTAC TR.
d. On Page 22 of JEXU-1041-1018, it says, in part, that "MELTAC platform software is developed according to an approved software quality assurance plan." However, no such information is found in the revised topical report. Please clarify or provide adequate information on how the software quality assurance and life cycle requirements are addressed for applicable new and upgraded modules and units, especially the new Excore Nuclear Instrumentation Signal Processing System with an operation panel.


RAI-13

Title 10 of the Code of Federal Regulations (10 CFR) 50.55a(h), "Protection and Safety Systems," requires that protection systems must be consistent with their licensing basis or may meet the requirements of the Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. Clause 5.14 states, in part, that human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals.

a. Clause 5.14, "Human Factors Considerations," of IEEE Std. 603-1991 and associated information was previously not reviewed and was treated as an application-specific topic for the NRC-approved MELTAC TR, Rev. 2. However, the newly submitted document JEXU-1041-1018, Rev. 1, includes a new assessment of compliance with regulatory requirements in Clause 5.14. Please confirm if Clause 5.14 and relevant information for the Human Factors Considerations need to be evaluated for the Phase 1 Review of this revised MELTAC TR.
b. Clause 5.3 of IEEE Std. 603-1991 on Quality states that components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program. Please clarify if the applicant wants NRC to evaluate the following two revised documents for the Phase 1 Review of this revised MELTAC Topical Report to meet the quality requirement.

JEXU-1041-1124-P, Revision 1, Summary of MELTAC Platform CGD Activity.

ESC Procedure N-G000-P, Revision 2, Quality Manual based on U.S. Nuclear Regulations.


RAI-14

Please provide clarifications for the following questions on documents and make corrections accordingly:

a. Document JEXU-1041-1032 is used on Pages 28 and 31, JEXU-1041-1140 used on Page 29, and JEXU-1041-1124 used on Page 33 of Document JEXU-1041-1018, but those references are not included in the Reference Table of Document JEXU-1041-1018.
b. Document JEXU-1041-1015, "MELTAC platform ISG-04 Conformance Analysis," was deleted from the Reference Table 1 of JEXU-1041-1018. However, this document, JEXU-1041-1015, is still used on Page 15 of JEXU-1041-1018, Rev. 1.
c. Several documents in their current version are included in the analyses in the two new supplements JEXU-1041-1018 and JEXU-1041-1162. However, a few of those referenced documents, such as MELTAC Platform Software Safety Analysis, will be revised and submitted for the Phase 2 review. Please clarify if the two new supplements JEXU-1041-1018 and JEXU-1041-1162 will need to be revised and re-submitted for the Phase 2 Review accordingly.
d. The title of IEEE Std. 7-4.3.2-2016 used in Section 1.0 of the new supplement, "Summary of Compliance to the IEEE Std. 603 and IEEE Std. 7-4.3.2," is not correct and needs to be revised accordingly.
e. In Section A.4.2.5 on Page 108 of JEXU-1041-1018, it states, in part, that (( )) Please clarify if the above statement is true that (( ))

OFFICE  NRR/DORL/LLPB/PM  NRR/DORL/LLPB/BC  NRR/DEX/EICB/BC
NAME    JSmith            GGeorge           FSacko
DATE    10/22/2024        10/22/2024        10/19/2024