ML25051A229
| ML25051A229 | |
| Person / Time | |
|---|---|
| Site: | Peach Bottom  |
| Issue date: | 02/21/2025 |
| From: | Constellation Energy Generation |
| To: | NRC/NRR/DORL/LPL1 |
| Klett, AL | |
| Shared Package | |
| ML25051A234 | List: |
| References | |
| EPID L-2024-LRM-0009 | |
| Download: ML25051A229 (54) | |
Text
NRC Pre-submittal Meeting February 21, 2025
Constellation Energy
- Steve Flickinger, Principal Reg. Specialist, Corporate Licensing Curtiss-Wright
- Michael Kosman, Project Manager
- Robert Ammon, Technical Director, Project Engineer Sargent & Lundy
- Pareez Golub, Project Director, Digital Licensing SME
- Rick Paese, Digital I&C and HFE Consultant (Remote) l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 1
- Describe the Defense in Depth, Diversity and Common Cause Failure (CCF) Assessment approach and obtain NRC feedback.
- Present how the project will meet the requirements for a Secure Development and Operational Environment (SDOE).
- Present an overview of the Monitoring and Tuning System (MATS) function.
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 2
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 3
Purpose:
Describe the D3 Assessment and CCF Analysis approach and obtain NRC feedback Key Takeaways:
- CCF is addressed by crediting internal diversity of RadICS platform hardware and 100% testing of the software and the software-based logic to eliminate it from further consideration per BTP 7-19 Rev 9 and IEEE 7-4.3.2-2016
- Crediting internal diversity of RadICS platform hardware is approved in the TR SE (specific NRC statements are shown in the Technical Reference Slides at the end)
- 100% testing of the software and software-based logic will be performed to show software CCF is not credible and can be excluded from consideration
- 100% testing will be executed as part of the Factory Acceptance Test (FAT)
- A D3 Coping Analysis is not required because all potential CCFs can be eliminated per BTP 7-19 and IEEE 7-4.3.2
- Constellation requests NRCs feedback on this approach l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 4
Regulatory Guidance / Inputs: BTP 7-19 Rev 9, IEEE 7-4.3.2-2016 Section 5.16, TR PSAI 7.9 Key Takeaway: The CCF Analysis for the Peach Bottom ECCS CLS demonstrates that all potential CCF vulnerabilities can be excluded from consideration per BTP 7-19 and IEEE 7-4.3.2.
Compliance: BTP 7-19, IEEE 7-4,3,2 Section 5.16, TR PSAI 7.9
- 1) What are the potential CCF vulnerabilities?
- 2) How can the potential CCF vulnerabilities be eliminated?
- 3) Are there any residual vulnerabilities (ones that were not eliminated) that require a D3 coping analysis to address?
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 5
- Potential CCF vulnerabilities
- Latent design defects can come from: (per BTP 7-19)
- ((
- Potential CCF elimination - The consideration of CCF is eliminated through the RadICS platform internal diversity and rigorous QA and V&V activity of the RadICS Platform development methodology and 100% testing of the software and the software-based logic.
- ((
- ))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 7
- Potential CCF elimination - The consideration of CCF is eliminated through the RadICS platform internal diversity and rigorous QA and V&V activity of the RadICS Platform development methodology and 100% testing of the software and the software-based logic.
- Software Based Logic - ECCS CLS safety application logic
- The following slides describe the approach for performing 100% testing of ((
))a,c,e
- The test approach described in the following slides is being implemented to conclude that software-caused CCF is not credible and, therefore, a D3 coping analysis (as described in NUREG-6303) is unnecessary.
- NRC feedback on this test approach and identify any potential regulatory issues.
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 9
- Potential CCF mitigation [BTP 7-19]
- a. Testing covers the expected performance of the proposed DI&C system in each of its functional modes of operation and for all transitions between modes. For this purpose, testing should include the following:
- every possible combination of inputs, including every possible sequence of inputs (if the system has unused inputs, and the system can force them to a defined safe state (e.g., during a system failure), then those inputs need not meet this criterion)
- for systems with analog inputs, every combination of inputs over the entire operational range of the analog inputs, including defined over-range and under-range conditions
- every possible executable logic path (includes nonsequential logic paths)
- every functional state transition among all modes of operation
- testing results that conform to preestablished test cases to monitor for correctness of all outputs for every case
- b. Testing for latent design defects was conducted on a DI&C system that accurately represents the system to be installed, guaranteeing that the DI&C system installed will perform the same functions as the system tested.
- c. Testing results account for potential spurious operations.
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 10
- Software Based Logic
- [BTP 7-19] every possible combination of inputs, including every possible sequence of inputs (if the system has unused inputs, and the system can force them to a defined safe state (e.g., during a system failure), then those inputs need not meet this criterion)
- Every possible combinations of inputs will be tested.
Description of 100% Testing Coverage
((
))a.c.e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 11
- Software Based Logic
- ((
- Software Based Logic
- ((
- ))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 13
- Software Based Logic
- [BTP 7-19] every possible combination of inputs, including every possible sequence of inputs (if the system has unused inputs, and the system can force them to a defined safe state (e.g., during a system failure), then those inputs need not meet this criterion)
- Every possible combination of inputs will be tested.
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 14
- Software Based Logic
- Every possible combinations of inputs will be tested.
Control Outputs
- Each ECCS channel determines five safety-related protection functions:
- Wide Range Reactor Water Level > 45
- Wide Range Reactor Water Level < -48
- Wide Range Reactor Water Level < -160
- Reactor Pressure < 450 psig
- Reactor Pressure < 225 psig
- ECCS channel A and B only also have one additional safety-related protection function
- Software Based Logic Indication Outputs
- Each ECCS channel provide two safety-related indication functions:
- Reactor Water Differential Pressure (Fuel Zone)
- Reactor Pressure
- ECCS channel C only also have one additional safety-related indication function
- Software Based Logic Indication Outputs
- Each PAM output will be separately tested since they are input signal to output signal, no calculations using same approach of all possible input values l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 17
- Software Based Logic
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 18
- Software Based Logic
- [BTP 7-19] for systems with analog inputs, every combination of inputs over the entire operational range of the analog inputs, including defined over-range and under-range conditions
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 19
- Software Based Logic
- [BTP 7-19] every possible executable logic path (includes nonsequential logic paths)
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 20
- Software Based Logic
- [BTP 7-19] every functional state transition among all modes of operation
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 21
- Software Based Logic
- [BTP 7-19] testing results that conform to preestablished test cases to monitor for correctness of all outputs for every case
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 22
- Software Based Logic
- [BTP 7-19] b. Testing for latent design defects was conducted on a DI&C system that accurately represents the system to be installed, guaranteeing that the DI&C system installed will perform the same functions as the system tested.
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 23
- Software Based Logic
- [BTP [7-19]c. Testing results account for potential spurious operations.
- Validation testing will include testing of spurious input signals by testing all possible combinations of inputs.
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 24
- Software Based Logic
- [IEEE 7-4.3.2, Section 5.16]This testing shall be conducted on the PDD integrated with test hardware representing the target hardware.
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 25
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 26
- Key Takeaway: The RadICS Platform was previously qualified during the Topical Report. The additional non-RadICS Platform components will be qualified by performing additional EQ testing for those components.
- LAR submittal will include Equipment Qualification Test Plan (EQTP)
- Defines the plan for performing EQ testing for the ECCS CLS
- LAR will be supplemented with the Equipment Qualification Test Report (EQTR) after EQ testing completed.
- Documents EQ testing results.
- Planned for Q1/Q2 2026 l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 27
EQ Testing of the RadICS Platform
- EQ testing for the RadICS Platform components utilized was performed as part of the Topical Report and will not be repeated because identical components are being used for the ECCS CLS. The qualified components (see Table 6.1 of the TR for specific details) include (list limited to those components used for the ECCS CLS):
- Chassis and Backplane Hardware
- Ventilation Module (part of the Chassis Assembly)
- Logic Module Hardware
- Analog Input Module
- Discrete Input Module
- Analog Output Module
- Discrete Output Module
- I/O Protection Module for AIM, DIM and AOM
- I/O Protection Module for DOM
- Power Supply Cable l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 28
- EQ testing will be performed for the additional commercial components included in the ECCS channels (does not include MATS or the fiber cabling to the MATS):
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 29
- EQ testing will be performed for the ECCS CLS commercial equipment using the Training System as a test specimen
- Duplicate of ECCS channel B
- Includes extra panel meter found in ECCS channels C and D
- Testing will be performed to the same test specifications as the original RadICS Platform EQ testing.
- Documented in Table 9-1 of the RadICS Platform TR
- Testing process will be documented in the EQTP and will follow the process defined in 9.1.2 of the RadICS Platform TR l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 30
- Testing will be performed by the following Curtiss-Wright partners:
- Seismic - QualTech NP (a Curtiss-Wright Nuclear Division affiliated company)
- EMC - Analysis and Measurement Services (AMS)
- Environmental - QualTech NP
- Performed under the Curtiss-Wright 10 CFR 50 Appendix B QA Program
- All testing companies are on our Approved Supplier List
- Documented test results to be provided as a LAR supplement after completion of EQ testing l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 31
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 32
- Regulatory / Standards: RG 1.152, 10 CFR 73.54, PSAI 7.13
- Key Takeaway: The Curtiss-Wright System Development Methodology meets the approach specified in the RG 1.152 for a Secure Development Environment. The system will be developed under and meet all requirements of 10 CFR 73.54.
- Key Takeaway: Constellation will provide a Secure Operational Environment for the Installed System (including during all pre-installation testing). The system will be installed and operated under Constellations Cyber Security program that meets all requirements of 10 CFR 73.54
- Compliance: RG 1.152, 10 CFR 73.54 (Full)
- Details of the SDOE implementation will be provide in the Licensing Technical Report (LTR) to address PSAI 7.13 l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 33
- The replacement ECCS CLS will be designed, developed, staged, and tested at the Curtiss-Wright facility in Idaho Falls, Idaho.
- The Curtiss-Wright Idaho Falls, Idaho facility includes a location in the facility designated as a Secure Development and Operational Environment (SDOE) that meets the guidance in RG 1.152 for digital systems.
- ((
))a,c,e
- The Curtiss-Wright digital safety system development process also includes controls to meet the requirements of 10 CFR 73.54 l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 34
- System Development Methodology generates:
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 35
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 36
- Regulatory / Standards: None
- Key Takeaway: The replacement system includes a new Monitoring and Tuning System (MATS) capability to support maintenance and I&C testing. It also replicates data to the Plant Process Computer (PPC).
- Note: This is for information only based on a previous request from the NRC and is not applicable to LAR submittal.
- MATS is a non-safety related system external to the ECCS channels that receives all data and status from the Logic Module (LM) in each RadICS chassis
- Connection from each LM is via a fiber optic connection as a unidirectional output
- Unidirectional output from LM reviewed in the RadICS Platform TR and credited as meeting the applicable requirements of ISG 04
- Fiber optic connection provides electrical isolation
- MATS replicates all data and status from the safety system to the Plant Process Computer (PPC) via a digital link through the Level 4 Cyber Security firewall (existing) l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 37
- One MATS per unit (no unit-to-unit connections)
- Will be installed in an existing spare cabinet
- Provides data display capability for Maintenance and I&C Technicians
- Supplemental information only
- Not required for any operational condition
- Not required for any surveillance test procedure
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 38
- AIM - Analog Inputs Module
- AMS - Analysis and Measurement Services
- AOM - Analog Outputs Module
- ASL - Approved Supplier List
- C-W - Curtiss-Wright
- CEG - Constellation Energy Generation
- CLS - Compensated Level System
- DIM - Discrete Inputs Module
- DOM - Discrete Outputs Module
- DSS - Digital Safety System
- EMC - Electro-Magnetic Compatibility
- HFE - Human Factors Engineering
- IOPM - I/O Protection Module
- LAR - License Amendment Request
- MATS - Monitoring and Tuning System
- MCR - Main Control Room
- NRC - Nuclear Regulatory Commission
- PAMS - Post Accident Monitoring System
- PBAPS - Peach Bottom Atomic Power Station
- PPC - Plant Process Computer
- PSAI - Plant Specific Action Item
- QA - Quality Assurance
- QAPD - Quality Assurance Program Description
- QP - Quality Procedure
- SME - Subject Matter Expert
- TR - Topical Report
- V&V - Verification and Validation
- VAL - Validation
- VER - Verification
- WI - Work Instruction
- RPC Radiy - designer of the RadICS digital safety platform. Parent company of RPC Radics LLC
- RPC Radics LLC - RadICS Topical Report Submitter
- RadICS - digital safety system platform developed by RPC Radiy l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 40
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 41
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 42
- Potential CCF elimination
- Internal diversity of RadICS platform hardware credited by the NRC multiple times in the RadICS Platform Topical Report (TR) Safety Evaluation (SE)
- The RadICS platform does, however, include several internal design features that can be credited by a licensee to meet or support the criteria of BTP 7-19. [SE Section 3.9, Page 69]
- The RadICS platform does however contain design features described in Section 10 of the RadICS TR including protective measures for identifying and mitigating platform component CCFs. A licensee can credit these features in a plant specific D3 assessment to determine if common mode failures of the RadICS based system have been adequately addressed. [SE Section 3.9, page 69, 70]
- However, it is evident that mitigation features of the RadICS design can be used by a licensee to support a subsequent plant specific D3 analysis to meet this requirement. [SE Section 3.9, age 70]
- Consistent with NUREG/CR-6303, the NRC staff determined that licensees can use these diversity attributes in future system applications of the RadICS platform for plant-specific evaluations to determine whether platform and application logic CCFs can be eliminated from further consideration. [SE Section 3.9, page 77]
- The NRC agrees that some diversity strategies, as evaluated in Table 3.8-1 could be credited in the D3 analyses performed by a licensee. [SE Section 3.9, page 77]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 43
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE (see reference slides for specific NRC statement)
- The NRC evaluated the RadICS platform ED development processes and determined they are acceptable. [SE Section 3.4.3.3, Page 31]
- The NRC staff evaluated all phases of the RadICS platform safety lifecycle. [SE Section 3.5, Page 32]
- The NRC staff concludes that the RPC Radiy FSMP meets the requirements for management planning outlined in IEEE Std. 1074-2006 as endorsed by RG. 1.173 and is therefore, acceptable. [SE Section 3.5.1.1, Page 34]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 44
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE (see reference slides for specific NRC statement)
- The NRC staff finds the RPC Radiy choice of a development lifecycle acceptable because the waterfall model is well suited for projects with known and stable requirements and where few changes to requirements are anticipated. [SE Section 3.5.1.2, Page 35]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 45
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE
- The NRC staff finds the RPC Radiy choice of a development lifecycle acceptable because the waterfall model is well suited for projects with known and stable requirements and where few changes to requirements are anticipated. [SE Section 3.5.1.2, Page 35]
- The NRC staff determined that the RadICS development process meets the criterion of BTP 7-14, Section B.3.1.2.4 [SE Section 3.5.1.2, Page 35]
- The NRC staff finds the software integrity level approach used for the RadICS platform acceptable. The NRC staff also reviewed the RadICS V&V planning documentation and confirmed that RadICS platform logic development V&V activities are performed to the equivalent of software integrity level 4 requirements as defined in Std. IEEE Std. 1012-2004 [SE Section 3.5.1.2, Page 35]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 46
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE
- The NRC staff determined the Radiy QMS and FSMP are consistent with the criteria provided by IEEE Std. 1074-2006, IEEE Standard for Developing Software Life Cycle Processes, as endorsed by RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. In addition, the FSMP acceptably addresses the development planning activity criteria of BTP 7-14. [SE Section 3.5.1.2 Page 36]
- The NRC staff found that the overall QA planning effort applied to the development of RPC Radiy developed products through the CGD by Radics LLC conforms to the requirements of 10 CFR Part 50, Appendix B, and the overall RadICS platform QA program. [SE Section 3.5.1.3, Page 37]
- The NRC staff determined the Radics LLC QA programs in conjunction with the activities defined in the RadICS platform QA plans are consistent with the QA guidance criteria of IEEE Std. 7-4.3.2-2003. [SE Section 3.5.1.3, Page 37]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 47
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE
- The NRC staff determined the RadICS integration plans provide an acceptably documented method for performing product integration activities needed for safety related digital I&C system development. [SE Section 3.5.1.4, Page 38]
- The NRC staff determined that RadICS safety life cycle documentation shows that system safety requirements have been adequately addressed for each defined safety life cycle activity. [SE Section 3.5.1.5, Page 39]
- The NRC staff determined that safety planning for RadICS components is appropriate for RadICS platform-based safety systems and is therefore acceptable. [SE Section 3.5.1.5, Page 39]
- The NRC staff determined that an adequate level of independence exists between these organizations and that an appropriate level of technical competence is established and maintained within the independent V&V staff. [SE Section 3.5.1.6, Page 40]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 48
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE
- The NRC staff finds the RadICS platform V&V processes and identified alternative activities to be consistent with the criteria of IEEE Std. 1012-2004, IEEE Standard for Software Verification and Validation, as endorsed by RG 1.168. [SE Section 3.5.1.6, Page 42]
- The NRC staff concludes that CM planning processes used to support RadICS platform development conform to the requirements identified in IEEE Std. 828-2005, as endorsed by RG 1.169. [SE Section 3.5.1.7, Page 43]
- The NRC staff determined the RadICS platform test plans are sufficiently comprehensive to demonstrate that a RadICS platform-based safety system will perform its required safety functions in a satisfactory manner. [SE Section 3.5.1.8, Page 44]
- The NRC staff determined that RadICS platform safety analysis activities are acceptable and are compliant with SRP BTP 7-14, Section B.3.2.1. [SE Section 3.5.2.1, Page 46]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 49
- Potential CCF elimination
- Software - RadICS Platform software
- Module Platform Logic
- Application Function Block Library
- High quality software development process used by RPC Radiy and credited in the RadICS TR SE
- The NRC staff concludes that the development functional and process characteristics of the V&V effort are acceptable. V&V activities performed for the RadICS platform logic development are acceptable and are compliant with SRP BTP 7-14, Section B.3.2.2. [SE Section 3.5.2.2, Page 47]
- The NRC staff determined the CM processes and activities performed meet the requirements of IEEE Std. 828-1998 and ANSI/IEEE Standard 1042-1987 and are therefore acceptable. The RPC Radiy and Radics LLC CM activities adequately address the guidance in BTP 7-14 Section B.3.2.3. [SE Section 3.5.2.3, Page 47]
- The NRC staff determined that requirements tracing processes used for the RadICS platform hardware and logic implementation provide reasonable assurance that all requirements are correctly implemented and were consistent with BTP 7-14 criterion and are therefore acceptable. [SE Section 3.5.2.4, Page 49]
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 50
- ((
))a,c,e l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 51
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 52
l PBAPS ECCS COMPENSATED LEVEL SYSTEM REPLACEMENT PROJECT 53