ML24352A150
| Person / Time | |
|---|---|
| Site: | 99902041 |
| Issue date: | 03/13/2025 |
| From: | Gerond George Licensing Processes Branch |
| To: | Framatome |
| Shared Package | |
| ML24352A156 | List: |
| References | |
| EPID L-2024-TOP-0029 | |
OFFICIAL USE ONLY - PROPRIETARY INFORMATION
REGULATORY AUDIT PLAN FOR FRAMATOME ANP-10357P, REVISION 0, TXS COMPACT PLATFORM TOPICAL REPORT REGARDING EQUIPMENT QUALIFICATION AND SYSTEM DEVELOPMENT LIFE-CYCLE PROCESS MANAGEMENT
DOCKET NO. 99902041
EPID L-2024-TOP-0029
1.0 BACKGROUND
By letter dated August 2, 2024 (Agencywide Documents Access and Management System (ADAMS) Package Accession No. ML24218A279), Framatome, Inc. (hereafter Framatome) submitted Topical Report (TR) ANP-10357P, Revision 0, TXS COMPACT Platform Topical Report, for the U.S. Nuclear Regulatory Commission (NRC) staff's review. As stated in the submittal letter, the TR presents the generic application of the TXS COMPACT system, which has been developed as a new platform based on field programmable gate array technology that could be integrated with different modules from the TXS portfolio to implement safety-related instrumentation and control (I&C) systems in nuclear power plants (NPPs). The TR describes the new TXS COMPACT platform modules, including configuration, diagnostics, monitoring, equipment qualification (EQ), communications, life-cycle management, reliability, quality assurance (QA), security, and regulatory compliance. Framatome submitted this TR to obtain NRC approval for use in NPP safety-related I&C applications in the United States (U.S.).
By letter dated October 2, 2024 (ADAMS Accession No. ML24256A027), the NRC staff found ANP-10357P, Revision 0 (hereafter referred to as the TR), together with the requested documents, sufficient to begin its detailed technical safety review. However, the NRC staff has determined that a regulatory audit is needed to assist in the review of EQ and digital system development life-cycle activities documented in the TR. Due to language differences, different time zones, and other factors, face-to-face meetings and interactions are an efficient and preferred way to accomplish the audit objectives stated below.
This regulatory audit will enable the NRC staff to gain insights into the TXS COMPACT platform design details through face-to-face meetings with the Framatome technical experts and engineers. This regulatory audit is also intended to verify TXS COMPACT platform functional and performance claims documented in the TR and to identify undocketed information that may be required to support a safety determination in the NRC staff's safety evaluation (SE). The NRC staff's review of the TXS COMPACT EQ and system development life-cycle activities portions of the TR covers the environmental, electromagnetic compatibility, seismic, and Class 1E (safety-related) to non-Class 1E (non-safety-related) isolation qualifications, and the digital system life-cycle design and development process.
One of the main objectives of auditing EQ for this TXS COMPACT platform is to ensure that its potential for common cause failure due to environmental, electromagnetic interference and radio frequency interference (RFI), seismic, and Class 1E to non-Class 1E isolation effects is negligible. Another objective of the audit is to review documentation and observe simulations to ensure that the safety-related I&C equipment used for this TXS COMPACT platform can perform its designated safety functions during and after a design basis event. Considering its critical safety significance, TXS COMPACT safety-related I&C equipment must be qualified before being installed and used for safety-related I&C systems in a U.S. NPP.
Specifically, during the audit the NRC staff will assess the non-docketed overall EQ program, testing plans, and procedures utilized by Framatome and its contractors to perform the four types of qualification testing (environmental, seismic, EMC, and Class 1E to non-Class 1E isolation) to qualify all equipment of this Framatome TXS COMPACT platform. The NRC staff will also verify testing summary results by auditing non-docketed, signed onsite testing records, safety function performance, qualifications of testing personnel, and accreditation of testing facilities used for qualifying this new TXS COMPACT platform.
The objectives of auditing the digital system development life-cycle activities are to witness performance of the critical functional requirements under the specified hazards, such as built-in self-diagnostic capabilities resulting in safe state, fail-safe actions, internal fault detections resulting in desired outcome, etc., and to audit the handling of anomalies identified during the digital system development life-cycle process. Acceptable performance of critical design features of a digital I&C system demonstrates adherence to the fundamental I&C design principle of deterministic behavior (system integrity and reliability). The NRC staff will also audit the process used to establish requirements specifications for the TXS COMPACT platform and audit the use of a requirements traceability matrix at all phases of digital system development life-cycle activities, and will confirm that acceptable plans were prepared to control software development activities, that there is evidence that the plans were followed in an acceptable software development life-cycle, and that there is evidence that the life-cycle process produced acceptable design outputs.
2.0 REGULATORY AUDIT BASES
An audit is a planned regulatory activity that includes the examination and evaluation of primarily non-docketed information and other associated aspects. The regulatory audit is conducted with the intent to gain understanding, to verify information, and to identify information that will be required to be docketed to support the basis of a regulatory decision. Performing a regulatory audit is expected to assist the NRC staff in efficiently conducting its review and gaining insights into the applicant's processes, specification, procedures, testing results, and other associated activities. Information that the NRC staff relies upon to make the safety determination must be submitted on the docket. This regulatory audit will be conducted in accordance with the NRC Nuclear Reactor Regulation (NRR) Office Instruction LIC-111, Regulatory Audits, Revision 2, dated December 30, 2024 (ADAMS Accession No. ML24309A281). This regulatory audit is to be performed to support the NRC staff's review of the TR.
Regulations relevant to the NRC staff's review of the EQ and digital system development life-cycle portions of the TR include:
Title 10 of the Code of Federal Regulations (10 CFR) 50.54(jj) and 10 CFR 50.55(i) require that structures, systems, and components subject to the codes and standards in 10 CFR 50.55a, Codes and Standards, must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
Appendix A, General Design Criterion (GDC) 2, "Design bases for protection against natural phenomena," of 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, which states, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions.
Appendix A, GDC 4, Environmental and Dynamic Effects Design Bases, of 10 CFR Part 50, which states, in part, that structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.
Appendix A, GDC 21, Protection System Reliability and Testability, of 10 CFR Part 50 requires, in part, that protection systems be designed for high functional reliability commensurate with the safety function to be performed.
10 CFR 50.55a(h) states that protection systems of nuclear power reactors of all types must meet the requirements specified in 10 CFR 50.55a(h), and each combined license for a utilization facility is subject to the conditions in 10 CFR 50.55a(h). 10 CFR 50.55a(h)(2) mandates compliance with the requirements stated in Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, IEEE Std. 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, or IEEE Std. 603-1991, IEEE Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995, for NPPs with construction permits (CPs) issued between January 1, 1971, and May 13, 1999. For NPPs with CPs [construction permits] issued before January 1, 1971, 10 CFR 50.55a(h)(2) requires compliance with their plant-specific licensing basis or IEEE Std. 603-1991 and the correction sheet dated January 30, 1995. For applicants for CPs, operating licenses, combined licenses, standard design approvals, design certifications, or manufacturing licenses filed after May 13, 1999, 10 CFR 50.55a(h)(3) requires compliance with IEEE Std. 603-1991 and the correction sheet dated January 30, 1995.
Both IEEE Std. 279 and IEEE Std. 603 contain a clause on EQ requiring that safety system equipment be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis.
10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, Criterion III, Design Control, requires, in part, that quality standards be specified and that design control measures shall provide for verifying or checking the adequacy of design. Criterion V, Instructions, Procedures, and Drawings, requires, in part, that activities affecting quality shall be prescribed by documented procedures of a type appropriate to the circumstances. Branch Technical Position (BTP) 7-14, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems, outlines such procedures for software. Criterion VI, Document Control, requires, in part, that measures shall be established to control the issuance of documents which prescribe all activities affecting quality. These measures shall assure documents, including changes, are reviewed for adequacy and approved for release by authorized personnel. Criterion VII, Control of Purchased Material, Equipment, and Services, addresses control of purchased material, equipment, and services. Further, Criterion XI, Test Control, requires, in part, that a test program be established to demonstrate that systems and components will perform satisfactorily in service.
3.0 SCOPE AND PURPOSE
The scope of this regulatory audit mainly includes the qualification of all equipment and the system development life-cycle process for the Framatome TXS COMPACT platform. The NRC audit team members will review non-docketed testing plans, technical requirements, specifications, procedures, and detailed onsite testing records related to the four types of EQ testing for the Framatome TXS COMPACT platform components. During the audit, the NRC staff will audit the overall EQ program, testing plans, and procedures utilized by Framatome and its contractors for qualifying all equipment included in the TR. The NRC staff will also hold discussions with, and interview, Framatome's subject matter experts associated with the EQ of the Framatome TXS COMPACT platform. Relevant accreditation and qualification information for the equipment testing facilities and personnel will also be audited.
The NRC staff will also assess associated documents, records, and processes that support the TXS COMPACT platform development life cycle. Specifically, the NRC staff will review implementation of Framatome procedures conforming to the applicable International Electrotechnical Commission (IEC) standards for the TXS COMPACT platform development process. The NRC staff will evaluate the effectiveness of hardware description language (HDL) programmed devices (HPD) development activities to determine the degree to which processes described in the TXS COMPACT TR are being implemented to achieve a high reliability and quality system for use in a nuclear facility in the U.S.
The development process for the TXS COMPACT platform follows guidelines from international standards IEC 60987, Nuclear power plants - Instrumentation and control important to safety - Hardware requirements; IEC 61513, Nuclear power plants - Instrumentation and control important to safety - General requirements for systems; IEC/IEEE 60780-323, Nuclear facilities - Electrical equipment important to safety - Qualification; IEC 60880, Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions; IEC 62138, Nuclear power plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category B or C functions; and IEC 62566, Nuclear power plants - Instrumentation and control important to safety - Development of HDL-programmed integrated circuits for systems performing category A functions.
The NRC staff will also assess Framatome Inc.'s procurement and supplier oversight activities of Framatome SAS [1] and Framatome GmbH [2]. In addition, the NRC staff will assess the relationship among the Framatome Inc. QA Program, Framatome Integrated Management System Manual, TXS QA Plan: TXS Compact AS Field Programmable Gate Arrays (FPGA), and TXS Compact Quality Management Plan to understand how the requirements of Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, are being met.
For this audit, the NRC staff also plans to use the following regulatory guidance for the EQ and system development life-cycle activities:
Regulatory Guide (RG) 1.28, Rev. 5, Quality Assurance Program Criteria (Design and Construction), which endorses American Society of Mechanical Engineers (ASME) Nuclear Quality Assurance (NQA)-1, Quality Assurance Requirements for Nuclear Facility Applications. This revision of RG 1.28 endorses, with certain clarifications and regulatory positions, three versions of the ASME NQA-1 standard: NQA-1-2015 and is subject to the provisions and modifications identified in the RG. This RG provides an adequate basis for complying with the pertinent QA requirements of Appendix B to 10 CFR Part 50.
RG 1.75, Rev. 3, Criteria for Independence of Electrical Safety Systems, describes a method acceptable to the NRC staff for complying with the NRC's regulations with respect to the physical independence requirements of the circuits and electric equipment that comprise or are associated with safety systems. IEEE Std. 384-1992, Standard Criteria for Independence of Class 1E Equipment and Circuits, is endorsed in RG 1.75, Rev. 3, with a few specific regulatory positions.
RG 1.100, Rev. 4, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants, which describes methods that the staff of the U.S. NRC considers acceptable for use in the seismic qualification of electrical and active mechanical equipment and the functional qualification of active mechanical equipment for NPPs. IEEE Std. 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations, and IEEE Std. C37.98-2013, IEEE Standard for Seismic Qualification Testing of Protective Relays and Auxiliaries for Nuclear Facilities, are endorsed in RG 1.100, Rev. 4, with specific regulatory positions.
RG 1.180, Rev. 2, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, endorses and includes guidance for conformance with Military Standard MIL-STD-461G, Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment, and IEC 61000 series standards for evaluation of the impact of electromagnetic interference, radio frequency interference, an electrical fast transient, and electrical power surges on safety-related I&C systems.
RG 1.209, March 2007, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants, which endorses IEEE Std. 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, with enhancements and exceptions.
[1] Framatome GmbH, based in Erlangen, Germany, is a wholly owned subsidiary of Framatome S.A.S.
[2] Framatome in Germany is comprised of Framatome GmbH and its subsidiary Advanced Nuclear Fuels GmbH. https://www.framatome.com/en/about/locations/germany/
EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, as endorsed by the NRC, presents a specification in the form of a set of requirements to be applied to the generic qualification of programmable logic controllers (PLCs) for application and modification to safety-related I&C systems in NPPs. It is intended to provide a qualification envelope corresponding to a mild environment that should meet regulatory acceptance criteria for a wide range of plant-specific safety-related applications.
RG 1.152, Rev. 4, Criteria for use of Computers in Safety Systems of Nuclear Power Plants, which endorses IEEE Std. 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, with a few noted exceptions, provides guidance for complying with requirements for safety systems that use digital computer systems. Additional guidance on the application of IEEE Std. 7-4.3.2 is provided in SRP Appendix 7.1-D, Guidance for Evaluation of the Application of IEEE Std. 7-4.3.2.
RG 1.168, Rev. 2, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, endorses IEEE Std. 1012, IEEE Standard for Software Verification and Validation, as providing methods acceptable to the NRC for meeting the regulatory requirements as they apply to verification and validation (V&V) of safety system software, subject to the exceptions listed. Further, it also endorses IEEE Std. 1028, IEEE Standard for Software Reviews and Audits, as providing an approach acceptable to the staff for carrying out software reviews, inspections, walkthroughs, and audits, subject to the exceptions listed.
RG 1.169, Rev. 1, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, endorses IEEE Std. 828, IEEE Standard for Configuration Management Plans, as providing an acceptable approach for planning configuration management, subject to specific provisions identified in the RG.
RG 1.170, Rev. 1, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorses IEEE Std. 829, IEEE Standard for Software Test Documentation, subject to the provisions and exceptions identified in the RG, identifies an acceptable method for satisfying test documentation requirements.
RG 1.171, Rev. 1, Software Unit Testing for Digital Computer Software used in Safety Systems of Nuclear Power Plants, which endorses the American National Standards Institute (ANSI)/IEEE Std. 1008, IEEE Standard for Software Unit Testing, subject to the provisions and exceptions identified in the RG, identifies an acceptable method for satisfying software unit testing requirements.
RG 1.172, Rev. 1, Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorses IEEE Std. 830, IEEE Recommended Practice for Software Requirements Specifications, subject to the provisions and exceptions identified in the RG, describes an acceptable approach for preparing software requirements specifications for safety system software.
RG 1.173, Rev. 1, Developing Software Life Cycle Processes for Digital Computer Software used in Safety Systems of Nuclear Power Plants, which endorses IEEE Std. 1074, IEEE Standard for Developing Software Life Cycle Processes, subject to the provisions and exceptions identified in the RG, as providing an approach acceptable to the NRC staff for meeting the regulatory requirements and guidance as they apply to development processes for safety system software.
NUREG/CR-6101, Software Reliability and Safety in Nuclear Reactor Protection Systems.
4.0 INFORMATION AND OTHER MATERIAL NECESSARY FOR THE REGULATORY AUDIT
If available, please make documents related to the following areas accessible to the NRC audit team members to review:
o All testing plans, procedures, and sequences used for the EQ.
o Records for EQ tests conducted, including any failures which might have occurred during the complete environmental qualification testing process and the documentation that demonstrates the failures or deficiencies were corrected or resolved.
o Documentation to demonstrate the implementation of a suitable QA program at the applicant's and/or its contractors' facilities.
o Purchase orders from the applicant to its contracted facilities, including to Framatome SAS, Framatome GmbH, and other testing facilities.
o Framatome SAS QA Program Manual (or document equivalent to Framatome Inc. QA Program (see Reference 69 in the TXS COMPACT TR)).
o Framatome GmbH QA Program Manual (or document equivalent to Framatome Inc. QA Program (see Reference 69 in the TXS COMPACT TR)).
o Framatome Inc. supplier audit reports for Framatome SAS Paris, Lyon, and Framatome GmbH.
o Corrective action reports in response to Framatome Inc. supplier audit report findings.
o Documents to show the Certifications of Accreditation and Calibration for the EQ test equipment.
o Test reports, both summary (if available) and detailed, produced by the applicant and its contractor, if any.
o Identification, description, and quantity of the sample equipment to be tested including significant information, such as manufacturer, model(s), and serial numbers to uniquely identify the sample equipment.
o Equipment safety function(s) to be demonstrated.
o Mounting, connection, and other interface requirements.
6.0 LOGISTICS
The audit will start on March 31 and end on April 4, 2025, and will be conducted at EDF Tower, La Defense, Paris, France. The audit will commence at 9:00 a.m. each day from March 31, 2025 (Monday) to April 4, 2025 (Friday) and conclude by noon on April 4, 2025. During the audit entrance briefing, the NRC staff will provide an overview of the audit plan, agenda, and objectives. During the exit briefing, the NRC staff will provide a summary of the audit and its observations made during the audit.
The audit team will not remove any non-docketed documents or other materials from the location of the audit. If the audit team identifies information that requires docketing to support the basis for a regulatory decision concerning the review of the Framatome TXS COMPACT platform TR, the NRC staff will use the request for additional information (RAI) process.
Any changes in the audit logistics will be properly coordinated and communicated with the applicant.
7.0 SPECIAL REQUEST
If available, please provide the audit team with an enclosed conference room or similar space for the audit team's use and access to the guest Wi-Fi at the audit location.
8.0 DELIVERABLES
An audit summary report, which may be made public, will be prepared within 90 days after the completion of the audit.
9.0 AUDIT AGENDA
The initial audit agenda is attached and is subject to changes.
Agenda for Regulatory Audit on Equipment Qualification and System Development Lifecycle Process of the TXS COMPACT Platform
Date: March 31 to April 4, 2025
Location: EDF Tower, La Defense, Paris, France

| Date and Time | Topics and Activities | Attendees |
|---|---|---|
| March 31, 2025 (Monday) | | |
| 9:00 - 9:15 AM | Introduction | NRC Audit Team and Framatome Staff |
| 9:15 - 9:30 AM | Overview of audit plan and agenda | NRC Audit Team |
| 9:30 - 11:30 AM | Overview and status presentation of the TXS COMPACT Platform | Framatome Staff |
| 11:30 - 12:00 PM | Environmental qualification and the process used to establish system requirements specifications | NRC Audit Team |
| 12:00 - 1:00 PM | Lunch break | |
| 1:00 - 4:15 PM | Continue audit with focus on Class 1E to non-Class 1E isolation qualification testing | NRC Audit Team and Framatome Staff |
| 4:15 - 5:00 PM | Daily briefing and questions and answers (Q&A) session if necessary | NRC Audit Team and Framatome Staff |
| April 1, 2025 (Tuesday) | | |
| 9:00 - 12:00 PM | Seismic qualification and the use of requirements traceability matrix at all phases of digital system development life-cycle process | NRC Audit Team |
| 12:00 - 1:00 PM | Lunch break | |
| 1:00 - 2:30 PM | Tour facilities and witness demonstrations for system performance | NRC Audit Team and Framatome Staff |
| 2:30 - 4:15 PM | Continue the morning's audit | NRC Audit Team |
| 4:15 - 5:00 PM | Daily briefing and Q&A session if necessary | NRC Audit Team and Framatome Staff |
| April 2 and 3, 2025 (Wednesday and Thursday) | | |
| 9:00 - 12:00 PM | EMC qualification, plans prepared to control software development activities, and evidence showing the plans were followed in an acceptable software development life-cycle and the life-cycle process produced acceptable design outputs | NRC Audit Team |
| 12:00 - 1:00 PM | Lunch break | |
| 1:00 - 4:15 PM | Continue the morning's audit and audit undocketed documents and evidence related to accreditation of qualification testing facilities and personnel, suitable QA program, etc. | NRC Audit Team |
| 4:15 - 5:00 PM | Daily briefing and Q&A session if necessary | NRC Audit Team and Framatome Staff |
| April 4, 2025 (Friday) | | |
| 9:00 - 10:00 AM | Prepare audit summary | NRC Audit Team |
| 10:00 AM to 12:00 PM | Brief audit summary, potential requests for additional information (RAI), and Q&A session if necessary | NRC Audit Team and Framatome Staff |
| At Noon | Audit ends | |

Notes:
1. While performing audit work, interviews and discussions with relevant Framatome staff and its contractors may be requested by the NRC audit team if necessary.
2. Time and duration for touring the facilities and witnessing the system performance demonstration can be adjusted according to Framatome's schedule.