NL-25-0072, Vogtle Electric Generating Plant, Units 3 and 4, License Amendment Request: Addition of RCS Tcold Engineered Safety Feature Actuation System (ESFAS) Instrumentation Function - Supplement

ML25090A283
Site: Vogtle (Southern Nuclear)
Issue date: 03/31/2025
From: Coleman J, Southern Nuclear Operating Co
To: Office of Nuclear Reactor Regulation, Document Control Desk
Shared Package: ML25090A281
References: NL-25-0072



Regulatory Affairs Director
3535 Colonnade Parkway
Birmingham, AL 35243

WITHHOLD FROM PUBLIC DISCLOSURE UNDER 10 CFR 2.390 (DECONTROLLED UPON REMOVAL OF ATTACHMENT 2)

March 31, 2025

Docket Nos.: 52-025, 52-026
NL-25-0072
10 CFR 50.90

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, D. C. 20555-0001

Vogtle Electric Generating Plant - Units 3 and 4
License Amendment Request: Addition of RCS Tcold Engineered Safety Feature Actuation System (ESFAS) Instrumentation Function - Supplement

On February 14, 2025, Southern Nuclear Operating Company (SNC) submitted a Combined License (COL) amendment request (LAR) for Vogtle Electric Generating Plant, Units 3 and 4 (ML25045A166). The proposed amendment revises COL Appendix A, Technical Specifications (TS) 3.3.8, Engineered Safety Feature Actuation System (ESFAS) Instrumentation, Table 3.3.8-1, to add a new Function 11.b, Reactor Coolant System (RCS) Cold Leg Temperature (Tcold) - High.

On March 3, 2025 and on March 18, 2025, SNC met with NRC Staff on public calls to discuss the submitted LAR. This supplement to the LAR provides additional detail as a result of these discussions regarding: (a) the NRC review criteria reflected in Digital Instrumentation and Controls Interim Staff Guidance, DI&C-ISG-06, Licensing Process, Revision 2 (ML18269A259), specifically addressing the Alternate Review Process, (b) safety analyses unaffected by the proposed modification, and (c) one additional Updated Final Safety Analysis Report (UFSAR) markup added to LAR Attachment 2.

The Enclosure to this letter provides the SNC supplemental information. The additional information provided in the Enclosure to this letter does not impact the regulatory evaluation (including the Significant Hazards Consideration Determination) or environmental considerations for the proposed changes provided in the February 14, 2025, submittal.

An additional Updated Final Safety Analysis Report (UFSAR) markup that was inadvertently omitted from the LAR Attachment 2 is also provided.

Attachment 2 provides detailed logic drawings and contains Proprietary information; therefore, SNC requests that this Attachment be withheld under the provisions of 10 CFR 2.390. Attachment 2 contains information proprietary to Westinghouse Electric Company LLC ("Westinghouse"); it is supported by an Affidavit signed by Westinghouse, the owner of the information. The Affidavit for Withholding Proprietary Information from Public Disclosure (CAW-25-013) is provided. The Affidavit sets forth the basis on which the information may be withheld from public disclosure by the Nuclear Regulatory Commission ("Commission") and addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390.

Accordingly, it is respectfully requested that the information that is proprietary to Westinghouse be withheld from public disclosure in accordance with 10 CFR 2.390. Correspondence with respect to the copyright or proprietary aspects of Attachment 2 or the supporting Westinghouse Affidavit should reference CAW-25-013 and should be addressed to Rachel Christian, Manager, New Plants Licensing, Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, Pennsylvania 16066.

Attachment 4 provides the Vendor Oversight Plan Summary in accordance with the guidance of DI&C-ISG-06 Section C.2.2, Licensee Prerequisites for the Alternate Review Process.

This letter contains no regulatory commitments. This letter has been reviewed and determined not to contain security-related information.

In accordance with 10 CFR 50.91, SNC is notifying the State of Georgia by transmitting a copy of this letter and its enclosure to the designated State Official.

If you have any questions, please contact Ryan Joyce at (205) 992-6468.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 31st of March 2025.

Respectfully submitted,

Jamie M. Coleman
Director, Regulatory Affairs
Southern Nuclear Operating Company

Enclosure: Supplemental Information

Attachments:
Additional LAR Attachment 2 Marked-up Page
LTR-GIC-25-017, Revision 0, Detailed Functional Diagrams (Proprietary) (Withheld Information)
Westinghouse Affidavit for Withholding Proprietary Information from Public Disclosure CAW-25-013
Vendor Oversight Plan Summary

cc:
NRC Regional Administrator, Region II
NRR Project Manager - Vogtle 3 & 4
Senior Resident Inspector - Vogtle 3 & 4
Director, Environmental Protection Division - State of Georgia
Document Services RTYPE: VND.LI.L00

Enclosure to NL-25-0072
Supplemental Information

1. Summary Description
2. Vendor Oversight Plan Summary
3. DI&C-ISG-06, Licensing Process
4. Safety Analyses Unaffected by the Proposed Modification
5. Additional UFSAR Markup

1 Summary Description

The information provided in this Enclosure supplements the Southern Nuclear Operating Company (SNC) Vogtle Electric Generating Plant (VEGP) Units 3 and 4 License Amendment Request (LAR) Addition of RCS Tcold Engineered Safety Feature Actuation System (ESFAS) Instrumentation Function (ML25045A166), which provides an additional coincident logic signal for actuation of the Passive Residual Heat Removal (PRHR) Heat Exchanger (HX). This supplement provides additional detail regarding (a) the NRC review criteria reflected in Digital Instrumentation and Controls Interim Staff Guidance, DI&C-ISG-06, Licensing Process, Revision 2 (ML18269A259), specifically addressing the Alternate Review Process, (b) safety analyses unaffected by the proposed modification, and (c) one additional Updated Final Safety Analysis Report (UFSAR) markup added to LAR Attachment 2.

DI&C-ISG-06 Section C.2 recognizes that different approaches are available to licensees with regard to the use and application of NRC-approved topical reports, including the Alternate Review Process that facilitates review and approval at an earlier stage in the overall system life cycle. SNC is electing to use the guidance for the Alternate Review Process, which includes referencing NRC-approved topical reports to support the review.

VEGP Units 3 and 4 are the only currently operating nuclear power plants that were designed and constructed with a fully computer-based digital protection and safety monitoring system (PMS). The NRC found the design process described in UFSAR subsection 7.1.2.14.1 acceptable as documented in NUREG-1793, Final Safety Evaluation Report Related to Certification of the AP1000 Standard Plant Design, Section 7.2.5. The NRC approved the detailed design information, which was verified under inspections, tests, analyses, and acceptance criteria (ITAAC). For VEGP Units 3 and 4, demonstration that the as-built facility conforms to these commitments was required by ITAAC 2.5.02.12 [Index Number 551], as documented in NRC Integrated Inspection Reports 05200025/2019002 and 05200026/2019002 [ML19220B678].

The requested modification to PMS follows the same approved design processes outlined in UFSAR subsection 7.1.2.14.1 and UFSAR Figure 7.1-2.

2 Vendor Oversight Plan Summary

Refer to Attachment 4 for the Vendor Oversight Plan Summary.

3 DI&C-ISG-06, Licensing Process

As described in DI&C-ISG-06, the Alternate Review Process is predicated upon the licensee using a previously approved DI&C platform. The VEGP Units 3 and 4 Protection and Safety Monitoring System (PMS) hardware utilizes the Common Qualified Platform (Common Q) described in WCAP-16097-P-A, Common Qualified Platform Topical Report (ML13112A110), and WCAP-16096-P-A, Software Program Manual for Common Q Systems (ML13081A047). There remain no regulatory commitments to complete plant-specific actions that are identified in these topical reports.

DI&C-ISG-06 Section C.2.1 identifies what should be provided when the licensee elects to use the Alternate Review Process. As part of this guidance, DI&C-ISG-06 provides Enclosure B, with the Alternate Review Process column labeled AR, as an example of the information to be provided in support of a review utilizing the Alternate Review Process.

Below is the SNC supplemental information as outlined in DI&C-ISG-06, Enclosure B, AR 1.1 through 1.10, which addresses the DI&C-ISG-06 criteria associated with Sections C.2.2 and D.1 through D.8 in the table below.

VEGP Units 3 and 4 are the only currently operating nuclear power plants designed and constructed with a fully computer-based digital protection and safety monitoring system (PMS). For computer-based systems or components with embedded computers, SRP Appendix 7.0-A describes a generic process for reviewing the unique aspects of computer-based systems, including hardware/software integration. The NRC found the AP1000 design process described in AP1000 Design Control Document (DCD) subsection 7.1.2.14.1 acceptable, as documented in NUREG-1793, Final Safety Evaluation Report Related to Certification of the AP1000 Standard Plant Design, Section 7.2.5. The NRC found that the detailed design information provided satisfies the finality criteria in 10 CFR 52.63(a)(1)(iv) for inspections, tests, analyses, and acceptance criteria (ITAAC). For VEGP Units 3 and 4, the ITAAC demonstrating that the as-built facility conforms to these commitments was required by ITAAC 2.5.02.12 [Index Number 551], as documented in NRC Integrated Inspection Reports 05200025/2019002 and 05200026/2019002 [ML19220B678].

As a result, the Vogtle 3 and 4 current operating license includes a complete verification and validation program, which is required to demonstrate the adequacy of PMS hardware and software as defined in UFSAR subsection 7.1.2.14. This program addresses the complete design process from the conceptual phase to the installation and checkout phase and describes the process documents, per UFSAR subsection 7.1.2.14.1 and UFSAR Figure 7.1-2, required to ensure that changes to the PMS hardware and software meet quality and reliability requirements, providing confidence that the functional requirements are implemented in the computer system. This modification leverages the existing PMS hardware and software design processes, which have already been reviewed and accepted by the NRC in the DCD application, COL application, and ITAAC, and there have been no regulatory changes since the acceptance of the AP1000 PMS design at any of these stages which would require the existing PMS design process to be modified. Therefore, the PMS design process as described in UFSAR subsection should remain adequate to meet the process requirements of the ISG-06 Alternate Review Process. The following table addresses the software logic changes for this modification, in relation to the ISG-06 guidance, to support NRC review.

Changes to the existing PMS software are performed in accordance with the WCAP-16096-P-A Section 9, Software Maintenance Plan. The Software Maintenance Plan specifies the requirements for the maintenance and use of Protection class and Important-to-Safety class software used in Common Q Systems as defined in WCAP-16096-P-A Section 1.2.1.

The software maintenance plan includes problem/modification identification, classification, and prioritization; analysis; design; implementation; test; and delivery.

The Problem/modification identification, classification, and prioritization phase, as described in WCAP-16096-P-A Section 9.2, requires a software change request (SCR) as described in WCAP-16096-P-A Section 6.3.2.

The Analysis phase, as identified in WCAP-16096-P-A Section 9.3, involves a feasibility and detailed analysis of the modification. The detailed analysis, as identified in WCAP-16096-P-A Section 9.3.2.2, involves identifying the software requirements specifications that require modification. For this modification there are no impacts to the subsystem design specification (SSyDS). This modification is using existing test plans.

At the Design phase, the affected software modules are identified and the software design description (SDD) is revised to incorporate the modification into the design per WCAP-16096-P-A Section 9.4. At this stage a Requirements Traceability Matrix is generated. Requirements for traceability analysis are identified in WCAP-16096-P-A Section 5.4.5.3.

The Implementation phase, as identified in WCAP-16096-P-A Section 9.5, involves compiling the modified source code and performing the IV&V activities in accordance with WCAP-16096-P-A subsections 5.5.6 and 5.5.8. This phase includes integration, which involves running the revised software in an integrated system environment and includes informal integration and regression testing to validate that the system as a whole is fully operational prior to system testing. Note that module testing is not required for this modification because there are no new function blocks; this modification uses preexisting elements which have already undergone module testing.

The Test phase, as identified in WCAP-16096-P-A Section 9.6, includes formal validation testing. After validation testing, a test report is issued and reviewed in accordance with WCAP-16096-P-A Section 5.5.6. Factory acceptance testing (FAT) is performed in accordance with the methodology described in WCAP-16096-P-A Section 7.3.1.4.

The Delivery phase, as identified in WCAP-16096-P-A Section 9.7, is the final acceptance of the modification prior to shipment to SNC and includes physical review of the new software in accordance with WCAP-16096-P-A Section 4.6.2.6. The metrics are collected in accordance with WCAP-16096-P-A Section 4.5.2.4. Installation and checkout is performed in accordance with WCAP-16096-P-A Section 5.5.7.

WCAP-16096-P-A Section 7.2.4 describes the sequence of potential testing process activities and tasks for the test schedule:

- Module Test (Not required for this modification)
- Unit Test (Only a code review is performed)
- Integration Test (Covered by regression testing)
- Factory Acceptance Test (Covered by regression testing)
- Site Acceptance Test (Performed and designed by site test personnel)

ISG-06 Enclosure B Identified Alternate Review Process Applicable Sections

Columns: ISG-06 Applicable Section | Criteria Summary | ISG-06 Enclosure B Identified Alternate Review Process: VEGP 3&4 Application (a)

C.2.2 Licensee Prerequisites for the Alternate Review Process (ARP)
VEGP 3&4 Application:

1. Refer to VOP Summary.
2. (a) NRC-approved topical reports WCAP-16097 and WCAP-16096, as cited in the VEGP 3&4 UFSAR Subsection 7.1.2.14, provide the processes for performing detailed software design, implementation, and testing for modifications as requested in the LAR.

(b) Westinghouse is performing the modification in accordance with NRC-approved 10 CFR 50 Appendix B program Quality Management System-A, Revision 8.1, ML20118C994. SNC will conduct vendor oversight of this process in accordance with Item 1.

3. Regulatory commitments - no additional regulatory commitments are proposed.

D Review Areas for the License Amendment Process
D.1 through D.8 are applicable to the Alternate Review Process per ISG-06 Enclosure B - see table entries below.

D.1.1 Plant System Description
VEGP 3&4 Application: Refer to LAR Section 2.1 and VEGP UFSAR Chapter 7.

D.2.1 Existing System Architecture
VEGP 3&4 Application: The existing PMS architecture and D.2.2 New System architecture are the same. Refer to LAR Section 2.1 and VEGP UFSAR Chapter 7.

D.2.2 New System Architecture
VEGP 3&4 Application: The PMS architecture is unchanged as a result of this modification. There are no impacts to VEGP UFSAR Section 7.1.2 or WCAP-16675 for PMS system architecture.


D.2.3.1 Information To Be Provided
Criteria Summary: The LAR should describe the existing functions (i.e., design functions and service/test functions) performed by the portion(s) of the system being replaced. The LAR should also describe new functions.
VEGP 3&4 Application: Refer to LAR Section 2.1 for existing functions. Refer to LAR Section 2.4 for the changes associated with this modification. There are no new system functions or changes to service/test functions associated with this LAR.

The existing service/test function system requirements conform with the IEEE Std 603 design basis for VEGP 3&4 PMS described in UFSAR 7.3.2.2. Conformance with the standards is unchanged. Compliance with IEEE 7-4.3.2 remains unchanged as a result of this LAR.

D.2.3.1 1.a
Criteria Summary: Identification of the safety functions, including the trip/actuation functions credited for each anticipated operational occurrence and postulated accident.
VEGP 3&4 Application: See LAR Section 2.1, System Design and Operation, for those safety functions related to the LAR. Safety functions are unchanged from descriptions in the VEGP UFSAR.

D.2.3.1 1.b
Criteria Summary: All monitored variables used to control each protective action.
VEGP 3&4 Application: See LAR Section 2.1.

D.2.3.1 1.c
Criteria Summary: Minimum number and location of sensors and equipment relied upon for protective purposes.
VEGP 3&4 Application: The Tcold - High Function relies on four existing channels per loop. The existing PMS equipment is used to implement this change. See LAR Section 2.1, RCS Cold Leg Temperature.


D.2.3.1 1.d
Criteria Summary: Functionality; if there are TS setpoint changes, include input/output ranges and setpoints (for trip functions, the documentation defines the margins between setpoints and allowable values (including all applicable uncertainties)).
VEGP 3&4 Application: The setpoint for the new Tcold - High function will be developed, implemented, and documented in accordance with the requirements of TS 5.5.14, Setpoint Program, as discussed in LAR Section 3.

D.2.3.1 1.e
Criteria Summary: Performance, including accuracy and response times (where appropriate, performance requirements are defined for different initial plant conditions and design-basis events).
VEGP 3&4 Application: The accuracy and response times of the Tcold input are unchanged, as the modified logic utilizes the same existing Tcold inputs. The safety analyses that assume PRHR HX actuation on Low-2 SG narrow range water level coincident with Low-2 startup feedwater flow, as modified to include a new Tcold - High coincident signal, continue to meet the performance, accuracy and response times assumed in the safety analysis. See LAR Section 3 for the discussion on the overall time response assumed in the safety analysis.

D.2.3.1 1.f
Criteria Summary: Appropriate signal filtering, signal validation, and interlocks to minimize the potential of spurious actions.
VEGP 3&4 Application: The Tcold - High function is provided by the same input as the existing Tcold - Low 2 and is input as an additional coincidence logic for PRHR actuation. The chance of spurious actuation is reduced because additional coincidence logic is relied on for PRHR HX actuation.

D.2.3.1 1.g
Criteria Summary: The safety classification of each safety function and whether there are independence constraints from other functions based on safety classifications.
VEGP 3&4 Application: The existing PRHR HX safety-related actuation has been designed with appropriate independence from other functions and from non-safety functions. The addition of a new coincident signal does not impact the existing design basis in this regard. Redundancy and independence remain met as documented in the Failure Modes and Effects Analysis (FMEA) WCAP-16438-P Section 6. There are no changes to the FMEA as a result of this LAR.


D.2.3.1 1.h
Criteria Summary: The range of transient and steady-state conditions throughout which the safety-related systems should perform, including conditions (e.g., environmental, plant process) with the potential to degrade the functions of safety-related system performance.
VEGP 3&4 Application: The transients and accident conditions that the PRHR HX is required to mitigate remain unchanged as a result of this modification, and the PRHR HX continues to meet the required range of transient and steady-state conditions throughout which it is required to perform. The hardware and signal inputs to PMS for the Tcold - High already exist for the Tcold - Low 2 and are designed to withstand a harsh environment. See Section 3 of the LAR for a review of applicable transients and accidents the PRHR HX actuation logic impacts. There are no changes as a result of this LAR.

D.2.3.3 System Requirements Documentation
VEGP 3&4 Application: This section applies as identified and described in the subsections below.

D.2.3.3.1 Information To Be Provided
Criteria Summary: The System Requirements Specification (SyRS) provided should address the overall architecture of the I&C systems, including but not limited to the following.
VEGP 3&4 Application: See subsections below.


D.2.3.3.1 1a
Criteria Summary: Define system requirements for the I&C functions in the modification's scope and the modification's effects on associated systems and equipment within the plant's safety analysis.
VEGP 3&4 Application: The logic assignments made for this change are based on the existing architectural and functionality requirements for each of the applicable subsystems (BPL and LCL) contained in the system requirements and referred to as the PMS subsystem design specification (SSyDS), which remains unchanged.

The SSyDS and the various J3-300 series (J3) drawing markups supporting the LAR modification comprise the system requirements for the change. The J3 drawings are decomposed from the higher-level UFSAR Figure 7.2-1 markups and are provided in the Westinghouse Proprietary attachment (Attachment 2). For this modification, the system-level requirements in the J3 drawings are changing. There are no new requirements for the SSyDS as a result of this design change related to safety control of PRHR and the addition of Tcold - High logic. This is because the Tcold - High setpoint uses the existing RCS Tcold variable, which meets the minimum performance requirements for ESF as discussed in UFSAR subsection 7.3.1.5 and UFSAR section 7.3.2.

D.2.3.3.1 1b
Criteria Summary: Define the plant layout for the modification scope.
VEGP 3&4 Application: There are no plant layout changes as a result of this modification. PMS layout and architecture as described in VEGP UFSAR Chapter 7 and WCAP-16675, Sections 2.1 and 2.2, remain unchanged.

D.2.3.3.1 1c
Criteria Summary: Define the operational context for the modification scope and changes resulting from the modification.
VEGP 3&4 Application: The PRHR HX actuates automatically when required for mitigating a design basis accident.

The modification adds channel bistable trip status and Tcold - High actuation logic status, and alarm, to the existing safety display screens in the main control room in order to reflect the modified PRHR actuation logic as reflected in UFSAR Figure 7.2-1 (as described in the LAR) and various J3-300 series drawings. Existing PMS system requirements impose this update. See response to D.2.3.3.1 3d.


D.2.3.3.1 1d
Criteria Summary: Structure the overall I&C architecture and assign I&C functions to the modification scope.
VEGP 3&4 Application: The structure of the PMS architecture is unchanged as a result of the modification requested by this LAR. PMS architecture as described in VEGP UFSAR Chapter 7 and WCAP-16675, Sections 2.1 and 2.2, remains unchanged. See the response to D.2.3.3.1 1a regarding the assignment of the new function in the I&C architecture.

D.2.3.3.1 1e
Criteria Summary: Identify the design criteria for the modification scope, including ensuring that features providing defense-in-depth in the existing system are not compromised and minimizing the potential for common-cause failure (CCF).
VEGP 3&4 Application: The design criteria for the current PRHR HX actuation logic are described in LAR Section 2.4.

This activity minimizes unnecessary PRHR HX actuation by changing the PRHR HX actuation logic. There are no changes to any of the features providing defense-in-depth in the existing defense-in-depth coping analysis. There is no change to the DAS architecture or software.

Therefore, the existing Defense-in-Depth strategy for AP1000 is unchanged and the CCF coping analysis documented in VEGP 3&4 UFSAR subsection 7.7.1.11 is unchanged as a result of the LAR.

D.2.3.3.1 1f
Criteria Summary: Describe how the modification fits within the overall architecture of the plant's I&C systems and any changes to the architecture.
VEGP 3&4 Application: This is a software modification and there are no impacts to the overall PMS architecture in relation to performing the ESF actuation function. The PMS architecture described within SSyDS Section 2.2 and Figure 2.2-1 remains unchanged. The architecture as described in VEGP UFSAR Chapter 7 and WCAP-16674, Section 2, and WCAP-16675, Sections 2.1 and 2.2, remains unchanged. See the response to D.2.3.3.1 1a for how the modification fits into the PMS architecture.

D.2.3.3.1 1g
Criteria Summary: Define system interfaces and the reasons for the interfaces (see Section D.2.5.1 of this ISG).
VEGP 3&4 Application: The PMS interfaces are unchanged as a result of this LAR. PMS interface architecture and communications as described in VEGP UFSAR Chapter 7 and WCAP-16674, Sections 4 and 5, and WCAP-16675 remain unchanged.


D.2.3.3.1 2a
Criteria Summary: Functionality; if there are TS setpoint changes, include input/output ranges and setpoints (for trip functions, the documentation defines the margins between setpoints and allowable values (including all applicable uncertainties)).
VEGP 3&4 Application: The setpoint for the new Tcold - High function will be developed, implemented, and documented in accordance with the requirements of TS 5.5.14, Setpoint Program, as described in Section 3 of the LAR.

D.2.3.3.1 2b
Criteria Summary: Performance, including accuracy and response times; where appropriate, performance requirements are defined for different initial plant conditions and design basis events.
VEGP 3&4 Application: See response to D.2.3.1 1.e. Accuracy and time response requirements are the same for PMS across the operating modes. Both accuracy and time response remain unchanged.

D.2.3.3.1 2c
Criteria Summary: Appropriate signal filtering, signal validation, and interlocks to minimize the potential for spurious actions.
VEGP 3&4 Application: See response to D.2.3.1 1.f.

D.2.3.3.1 3a
Criteria Summary: Intended location and the physical constraints relevant to the installation of the system in the plant.
VEGP 3&4 Application: There are no physical locations or physical constraints that apply to this LAR. Only software installation is required.

D.2.3.3.1 3b
Criteria Summary: Physical and functional interfaces of the system with the supporting systems and equipment.
VEGP 3&4 Application: PMS physical and functional interfaces are unchanged as a result of this LAR. There are no impacts to WCAP-16674.


D.2.3.3.1 3c
Criteria Summary: Physical and functional interfaces of the system with other systems and equipment with which it exchanges information.
VEGP 3&4 Application: PMS physical or functional interfaces are unchanged with regard to information exchange as a result of this LAR, as documented in WCAP-16674.

D.2.3.3.1 3d
Criteria Summary: Interfaces with the operator or maintenance technician.
VEGP 3&4 Application: Updates to the maintenance and test panels, which are located in the PMS divisional rooms, include maintenance and test features (e.g., test injections and setpoint calibration/modification screens) and diagnostic indications which do not feed safety control logic. These updates to existing displays are driven by existing requirements in Section 3.9 of the SSyDS. The PMS communications and interfaces remain unchanged in WCAP-16674. Alarm and actuation status as depicted on the J3-300 series drawings is displayed in the MCR.

D.2.3.3.1 4a-d
Criteria Summary: The SyRS should specify environmental conditions applicable to the system.
VEGP 3&4 Application: There are no changes to the PMS equipment or environmental conditions. Equipment qualification is unaffected by this LAR. There are no changes to equipment qualification requirements as described in the SSyDS.

Criteria Summary: The SyRS should establish the requirements for any service/test functions available in the system's NRC-approved platform.
VEGP 3&4 Application: In addition to the UFSAR Figure 7.2-1 and J3 drawing requirements, there exist written requirements in the SSyDS Sections 3.8 and 3.9, unchanged as a result of this modification, which describe the maintenance and test features associated with the newly added logic. These maintenance and test features for the modification are implemented based upon existing requirements and are not unique to this modification.

The use of the service/test functions from the Common Q Platform topical report is documented in WCAP-16775. This document is not impacted by this LAR.

D.2.4 Functional Allocation
VEGP 3&4 Application: There are no impacts. See response for D.2.3.3.1 1a.


D.2.5.1 1a
Criteria Summary: Input and output interfaces with other plant equipment (e.g., mechanical components) and plant sensors or actuators, whether hardwired or using some form of data communication, including provisions for isolation.
VEGP 3&4 Application: The existing input and output interfaces with plant equipment remain unchanged as a result of this LAR. The PMS communications and interfaces remain unchanged in WCAP-16674 and WCAP-16675.

D.2.5.1 1b
Criteria Summary: Interfaces with control room displays, indicators, controls, and alarm systems, including the system's role and interfaces with post-accident monitoring and any reference by emergency plan implementing procedures, including provisions for isolation (including credited manual operator actions).
VEGP 3&4 Application: The modification contains updates to add bistable trip and Tcold - High status and alarm to the safety display screens in the main control room in order to reflect the new logic which was added within UFSAR Figure 7.2-1 and the J3-300 series drawings for the Tcold - High input to PRHR actuation logic. The system requirements for this already exist in the SSyDS and the modified J3 drawings. PMS operations as described in UFSAR Chapter 7 and WCAP-16675 remain unchanged.

Additionally, this activity does not impact any accident monitoring variables or information displays required for post-accident monitoring described in UFSAR Section 7.5.


D.2.5.1 1c
Criteria Summary: Human-system interfaces for the licensee's maintenance and engineering workstations used for test and maintenance, whether considered internal or external to the new plant system, including provisions for isolation.
VEGP 3&4 Application: There are no changes to any human-system interface requirements. See section D.2.3.3.1 3d above.

D.2.5.1 2a
Criteria Summary: Support and auxiliary systems, normal power sources, emergency power sources, and heating, ventilation, and air conditioning (HVAC), including the impact of single failure in a supporting system, the diverse means of annunciating such failures, and the means of repair and restoration; this includes the HVAC and the diverse means of annunciation of HVAC failure, along with a coping procedure.
VEGP 3&4 Application: The existing auxiliary systems, normal power sources, emergency power sources, and HVAC remain unchanged as a result of this LAR.


D.2.5.1 2b If an NRC-approved topical report is referenced, the communication features from this topical report that are proposed for the replacement system
The communication features described in NRC-approved topical report WCAP-16097, as cited in the VEGP 3&4 UFSAR Chapter 7, are unchanged as a result of the LAR. Common Q communication features as applied to the AP1000 PMS are described in WCAP-16674, as referenced in the VEGP 3&4 UFSAR Chapter 7; that document remains unchanged as a result of this LAR.

D.2.5.1 2c and d How identified hazards are controlled in communication features
The logic changes in the PMS for this LAR do not introduce any new hazards that are not already identified in the VEGP 3&4 UFSAR. The PMS FMEA (WCAP-16438) and the software hazard analysis remain unchanged as a result of this LAR.

D.2.5.1 2e How malfunctions are detected by the self-test and self-diagnostics for each interface or logical group of interfaces
There are no new types of malfunctions introduced to the PMS software.

The standard requirements regarding data quality, default conditions, and software failure apply to this modification just as they do for other PMS software logic.

The SSyDS discusses quality and default conditions related to setpoints and ESF logic within Sections 3.4.1 and 3.4.4.1. Sections 3.8 and 3.9 discuss self-diagnostics and testing related to the software and how failures/faults are displayed. Additional discussion is available in Section 3.10.2.1 for the safety displays specifically. Section 4.5.1.2.2 discusses how applicable failures/faults are transmitted to the DDS for alarming. These requirements do not need to change and remain applicable to the modification described in this LAR.

D.2.5.1 2f Features that affect the SOE
The LAR has no impact on the existing PMS secure operational environment (SOE). The secure development and operational environments for the PMS are described in UFSAR subsection 7.1.1 and UFSAR subsection 7.1.7, Reference 22.

D.2.5.1 2g If multidivisional controls and displays are applied, how the controls and displays are applied in accordance with DI&C-ISG-04
The non-safety multidivisional displays for controlling safety components are unaffected by this LAR. Note: multidivisional displays only apply to the non-safety Ovation system.


D.2.6 Fundamental Design Principles in the New Architecture
The fundamental design principles remain unchanged because the PMS architecture is unchanged (i.e., there is no replacement system architecture) as a result of the LAR. There are no impacts to the PMS architecture as described in WCAP-16675.

D.3 Hardware Equipment Qualification
The equipment used is not changed as a result of this LAR and therefore the qualification is unaffected. See D.2.3.3.1 4a-d for more information.

Any relevant test reports are generated during the test phase described in WCAP-16096-P-A Section 9.6, in accordance with WCAP-16096-P-A Section 5.5.6.

D.4 Digital Instrumentation and Control System Design Processes
The same DI&C design process described in the VEGP 3&4 UFSAR subsection 7.1.2.14.1 and UFSAR Figure 7.1-2 is used to implement this modification (see WCAP-16096 Section 9 and WCAP-15927 as referenced in this LAR).

UFSAR Figure 7.1-2 contains a listing of documents utilized for the AP1000 safety system software design, implementation, and verification/validation. This figure references the AP1000 process and plan documents which were utilized during the creation of the AP1000 design as well as the design iterations thereafter. Processes and plans were developed to evaluate design changes limited to the scope of the changed items between those revisions/iterations. For the scope of this LAR, the same processes and plans are utilized; the change related to this LAR is no different from a standard iteration during the design process. The process defined in UFSAR Figure 7.1-2 is written to meet the requirements of WCAP-16096-P-A. WCAP-16096-P-A Section 9.5 describes the implementation phase, which includes integration and regression testing to validate the system as a whole. Regression testing is part of the IV&V process as described in WCAP-16096-P-A Sections 5.5.6 and 5.5.8.


D.4.2.1 System and Software Development Activities
The development and life cycle of DI&C safety-related systems follows the guidance of VEGP 3&4 UFSAR subsection 7.1.2.14.1 and UFSAR Figure 7.1-2 (see WCAP-16096 and WCAP-15927 as referenced in this LAR).

More specifically, WCAP-16096 Section 9 describes the software maintenance plan, which specifies the requirements for the maintenance and use of Protection class and Important-to-Safety class software used in Common Q systems. The software maintenance plan identifies the process for modifying Common Q software in use by an operating plant.

This process includes the identification of a software change via a software change request, identification of any new or impacted requirements and the generation of a requirements traceability matrix, compiling the source code and performing IV&V activities such as regression testing in an integrated system environment, and validation testing via factory acceptance testing and the generation of a test report.

D.4.2.1.1 Plant and Instrumentation and Control System Safety Analysis
See LAR Section 3 for a discussion of the safety analysis.

Software IV&V processes for software changes are described in WCAP-16096 Section 5.5.

D.4.2.1.2 Instrumentation and Control System Requirements
I&C system requirements are addressed in the analysis phase identified in WCAP-16096 Section 9.3, where any new or modified software requirement specifications are identified; in the design phase identified in WCAP-16096 Section 9.4, where any impacts to the SDD are identified and the requirements traceability matrix is generated; and in the implementation and testing phases identified in WCAP-16096 Sections 9.5 and 9.6, where IV&V activities validate proper implementation of the software requirements into software. Note that there are no impacts to the subsystem design specification as a result of this modification.

D.4.2.1.3 Instrumentation and Control System Architecture
The digital I&C system architecture process description is addressed in WCAP-16096 and WCAP-15927. There are no changes to the system architecture, and therefore this process is not relevant to this modification.


D.4.2.1.4 Instrumentation and Control System Design
The digital I&C design is developed in accordance with WCAP-16096 Section 9.2. This phase includes the identification of affected software modules and of SDD revisions needed to incorporate the modification into the design. At this stage a requirements traceability matrix is generated. Requirements for traceability analysis are identified in WCAP-16096-P-A Section 5.4.5.3.

D.4.2.1.5 Software Requirements
The analysis and design processes define how any software requirements are identified and modified, as defined in WCAP-16096 Sections 9.3 and 9.4. Additional information on the general requirements for software documentation is given in WCAP-16096-P-A Section 10.

D.4.2.1.6 Software Design
The software design process is described in WCAP-16096-P-A Section 9.4, and the software design description is discussed in WCAP-16096 Section 10.3.

D.4.2.1.7 Software Implementation
Software is implemented in accordance with the WCAP-16096-P-A Section 9.5 implementation process. This process involves compiling the modified source code and performing the IV&V activities in accordance with WCAP-16096-P-A subsections 5.5.6 and 5.5.8. This phase includes integration, which involves running the revised software in an integrated system environment and performing informal integration and regression testing to validate that the system as a whole is fully operational prior to system testing. Note that module testing is not required for this modification.

D.4.2.1.8 Software Integration
The software integration process is performed as part of WCAP-16096 Section 9.5. This process involves compiling the modified source code and performing the IV&V activities in accordance with WCAP-16096-P-A subsections 5.5.6 and 5.5.8. This phase includes integration, which involves running the revised software in an integrated system environment and performing informal integration and regression testing to validate that the system as a whole is fully operational prior to system testing. Note that module testing is not required for this modification.


D.4.2.1.9 Instrumentation and Control System Testing
The test process is described in WCAP-16096 Section 9.6. This process includes formal validation testing. After validation testing, a test report is issued and reviewed in accordance with WCAP-16096-P-A Section 5.5.6.

Factory acceptance testing (FAT) is conducted during the test phase and is performed in accordance with the methodology described in WCAP-16096-P-A Section 7.3.1.4.

D.4.2.2 Project Management Processes
The required elements of a Software Management Plan are contained within Sections 2, 4.3, 5.5.1, and 6.2 of WCAP-16096.

D.4.2.3 Software Quality Assurance Processes
The software quality assurance plan is described in WCAP-16096-P-A Section 4.

D.4.2.4 Software Verification and Validation Processes
Software verification and validation processes are described in WCAP-16096, as modified by WCAP-15927. More specifically, WCAP-16096-P-A Section 9.3 describes the analysis phase, which includes the feasibility and detailed analysis of the modification. WCAP-16096-P-A Section 9.5 describes the implementation phase, which includes performing the IV&V activities in accordance with WCAP-16096-P-A subsections 5.5.6 and 5.5.8 and regression testing. WCAP-16096-P-A Section 9.6 describes the testing phase, which includes the generation of test reports in accordance with WCAP-16096-P-A Section 5.5.6 and factory acceptance testing (FAT) performed in accordance with the methodology described in WCAP-16096-P-A Section 7.3.1.4.

D.4.2.5 Configuration Management Processes
The configuration management plan is described in WCAP-16096 Section 6, and software configuration management documentation is described in WCAP-16096-P-A.


D.5 Applying a Referenced Topical Report Safety Evaluation
The application of the NRC-approved Common Q Topical Reports (WCAP-16096 and WCAP-16097) to the PMS, referenced in the VEGP 3&4 UFSAR, and the associated NRC Safety Evaluation Plant Specific Action Items were demonstrated satisfied during completion of ITAAC 2.5.02.12 [Index Number 551], as documented in NRC Integrated Inspection Reports 05200025/2019002 and 05200026/2019002 [ML19220B678], and are not affected by this LAR.

SNC will provide oversight of the performance of the modification activities in accordance with the VEGP 3&4 QA program and the Vendor Oversight Plan per Section C.2.2.

D.6 Compliance/Conformance Matrix for IEEE Standards 603-1991 and 7-4.3.2-2003
Conformance to these standards as described in the VEGP 3&4 UFSAR is unaffected by this LAR. The same design requirements apply for implementation of the LAR. The existing service/test function system requirements conform with the IEEE Std 603 design basis for the VEGP 3&4 PMS described in UFSAR Section 7.3.2.2. Compliance with IEEE Std 7-4.3.2 remains unchanged as a result of this LAR.

D.7 Technical Specifications
Technical Specifications changes and related instrumentation setpoints are addressed in the LAR.

D.8 Secure Development and Operational Environment
The secure development and operational environments described in the VEGP 3&4 UFSAR are unaffected by this LAR. The same secure development and operational environments will be used for implementation and operation of the modification.

The secure development and operational environments for the protection and safety monitoring system are used during design as described in UFSAR subsection 7.1.1 and UFSAR subsection 7.1.7, Reference 22.

(a) Referenced WCAPs, applicable revisions and titles:

WCAP-16097-P-A, Revision 3, Common Qualified Platform Topical Report
WCAP-16096-P-A, Revision 4, Software Program Manual for Common Q™ Systems
WCAP-16675-P, Revision 10, AP1000 Protection and Safety Monitoring System Architecture Technical Report
WCAP-16438-P (Proprietary) / WCAP-16438-NP (Non-Proprietary), Revision 3, FMEA of AP1000 Protection and Safety Monitoring System
WCAP-16674-P, Revision 9, AP1000 I&C Data Communication and Manual Control of Safety Systems and Components
WCAP-15927-P, Revision 8, Design Process for AP1000 Common Q Safety Systems

4. Safety Analyses Unaffected by the Proposed Modification

The only events potentially impacted by the PRHR HX actuation logic changes are those that credit PRHR HX actuation on Low-2 SG NR level coincident with Low-2 SFW flow and High Tcold signals. No other PRHR HX actuation functions are affected. The following table identifies each non-LOCA event in which PRHR actuation is credited and the function or assumption that actuates PRHR. The events evaluated further (LOAC and LONF, shown in bold in the original table) are those whose PRHR actuation involves the Low-2 narrow range steam generator level signal; the remaining events are not impacted since their PRHR actuation does not involve that signal.

The only potentially impacted events, as shown, are LOAC and LONF, which were evaluated for impacts resulting from PRHR HX actuation logic changes as discussed in the LAR. The evaluation presented in the LAR demonstrated that the modified PRHR HX actuation logic would not change any analysis results presented in the UFSAR.

UFSAR Section / Event / PRHR Actuation Signal:

15.1.4 Inadvertent Opening of a Steam Generator Relief or Safety Valve (Inadvertent SG Valve Opening); and
15.1.5 Steam System Piping Failure, Hot Zero Power case (HZP SLB):
    The PRHR HX is assumed to start at time zero for conservatism.

15.1.6 Inadvertent Operation of the PRHR Heat Exchanger:
    Spurious (initiating event).

15.2.6 Loss of ac Power to the Plant Auxiliaries (LOAC or LOOP) [evaluated further]; and
15.2.7 Loss of Normal Feedwater Flow (LONF) [evaluated further; section includes the LONF with Coincident LOAC case]:
    Low-2 NR SG Level with Low-2 SFW flow and High Tcold (LONF and LOAC), or Low-2 WR SG Level (LONF with Coincident LOAC).

15.2.8 Feedwater System Pipe Break (FLB):
    Low-2 WR SG Level.

15.5.1 Inadvertent Operation of the Core Makeup Tanks During Power Operation (Inadvertent CMT):
    High-3 PZR Level.

15.5.2 Chemical and Volume Control System Malfunction That Increases Reactor Coolant Inventory (CVS Malfunction):
    CMT Actuation on Low Tcold Safeguards.

19E.4.10.2 Safe Shutdown Evaluation:
    Low-2 WR SG Level.
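The actuation logic summarized in the table above, together with the regression-testing step described under D.4.2.1.7 and D.4.2.1.8, can be exercised in a small model. The Python below is an added example written for this page, not Westinghouse or SNC code: it models one division's PRHR HX actuation paths before and after the Tcold - High coincident signal is added to the narrow-range-level path, treats a bad-quality input as tripped (an assumed conservative default; the actual PMS data-quality and default-condition requirements live in the SSyDS and are not reproduced here), and runs a constructed set of plant states to confirm that the only outcome the change alters is the narrow-range-level path when Tcold is below its High setpoint. The setpoint values, signal names, plant states, the modeling of the unaffected actuation signals as independent OR inputs, and the single-division view without inter-division voting are all assumptions.

```python
"""Model of PRHR HX actuation logic before and after the Tcold - High coincidence.

Added example for this page, not Westinghouse or SNC code. Setpoints, signal
names, the fail-safe treatment of bad-quality inputs and the single-division
view (no inter-division voting) are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    value: float
    good: bool = True  # data-quality flag from input processing (assumed)


# Hypothetical setpoints in engineering units; not values from the LAR.
SG_NR_LEVEL_LOW2 = 20.0   # % narrow range
SG_WR_LEVEL_LOW2 = 15.0   # % wide range
SFW_FLOW_LOW2 = 50.0      # kg/s
TCOLD_HIGH = 520.0        # degF
PZR_LEVEL_HIGH3 = 90.0    # %


def trip_low(sig: Signal, setpoint: float) -> bool:
    """Low bistable; a bad-quality input defaults to tripped (assumed conservative)."""
    return (not sig.good) or sig.value <= setpoint


def trip_high(sig: Signal, setpoint: float) -> bool:
    """High bistable with the same fail-safe default."""
    return (not sig.good) or sig.value >= setpoint


@dataclass(frozen=True)
class PlantState:
    sg_nr_level: Signal
    sg_wr_level: Signal
    sfw_flow: Signal
    tcold: Signal
    pzr_level: Signal
    cmt_actuated: bool = False


def _unchanged_paths(s: PlantState) -> bool:
    """Actuation paths the LAR does not touch, modeled as independent OR inputs."""
    return (trip_low(s.sg_wr_level, SG_WR_LEVEL_LOW2)
            or trip_high(s.pzr_level, PZR_LEVEL_HIGH3)
            or s.cmt_actuated)


def prhr_actuation_current(s: PlantState) -> bool:
    """Existing logic: Low-2 NR SG level coincident with Low-2 SFW flow, or any unchanged path."""
    nr_path = (trip_low(s.sg_nr_level, SG_NR_LEVEL_LOW2)
               and trip_low(s.sfw_flow, SFW_FLOW_LOW2))
    return nr_path or _unchanged_paths(s)


def prhr_actuation_revised(s: PlantState) -> bool:
    """Revised logic: Tcold - High added as a third coincident signal on the NR path only."""
    nr_path = (trip_low(s.sg_nr_level, SG_NR_LEVEL_LOW2)
               and trip_low(s.sfw_flow, SFW_FLOW_LOW2)
               and trip_high(s.tcold, TCOLD_HIGH))
    return nr_path or _unchanged_paths(s)


def constructed_scenarios() -> dict:
    """Constructed plant states (not analysis data) covering each actuation path."""
    ok = Signal  # good-quality signal
    return {
        "normal_ops": PlantState(ok(60), ok(70), ok(400), ok(540), ok(55)),
        "lonf_at_power": PlantState(ok(10), ok(40), ok(0), ok(540), ok(55)),
        "cooldown_loss_of_sfw": PlantState(ok(10), ok(40), ok(0), ok(450), ok(55)),
        "flb_wr_level": PlantState(ok(10), ok(5), ok(0), ok(450), ok(55)),
        "inadvertent_cmt_high_pzr": PlantState(ok(60), ok(70), ok(400), ok(540), ok(95)),
        "tcold_bad_quality": PlantState(ok(10), ok(40), ok(0), Signal(0.0, good=False), ok(55)),
    }


def regression_delta(states: dict) -> list:
    """Names of states where the revised logic disagrees with the current logic.

    The change is correctly scoped if every entry reaches actuation only through
    the NR-level path with Tcold below the High setpoint; any other entry would
    mean an unaffected path was disturbed.
    """
    return [name for name, s in states.items()
            if prhr_actuation_current(s) != prhr_actuation_revised(s)]


if __name__ == "__main__":
    states = constructed_scenarios()
    for name, s in states.items():
        print(f"{name:26s} current={str(prhr_actuation_current(s)):5s} "
              f"revised={prhr_actuation_revised(s)}")
    print("differs:", regression_delta(states))
```

Run stand-alone, the block prints one line per constructed state and reports that only "cooldown_loss_of_sfw" changes outcome; the wide-range-level, High-3 PZR level and CMT paths, and the bad-quality Tcold case, actuate identically under both logics. A real regression suite would replace the constructed states with the plant's validation test vectors.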

5. Additional UFSAR Markup

SNC has identified that an additional UFSAR markup was inadvertently omitted from the LAR Attachment 2. Refer to Attachment 1 for the additional markup. The description of PRHR HX actuation during normal cooldowns on a loss of startup feedwater is revised to reflect the modification to include the Tcold - High coincident signal. The remaining event description is unaffected by the proposed modification. The remainder of the LAR markups remain applicable.

Additional LAR Attachment 2 Marked-up Page (insertions denoted by text box)

VEGP 3&4 - UFSAR, Revision 12, page 6.3-40

6.3.3.4 Shutdown Events

The passive core cooling system components are available whenever the reactor is critical and when reactor coolant energy is sufficiently high to require passive safety injection. During low-temperature physics testing, the core decay heat levels are low and there is a negligible amount of stored energy in the reactor coolant. Therefore, an event comparable in severity to events occurring at operating conditions is not possible and passive core cooling system equipment is not required. The possibility of a loss of coolant accident during plant startup and shutdown has been considered.

During shutdown conditions, some of the passive core cooling system equipment is isolated. In addition, since the normal residual heat removal system is not a safety-related system, its loss is considered. Containment recirculation may be impacted by shutdown maintenance activities which remove access hatches or curbs located at the 107'-2 plant elevation. Subsection 3.4.1.2.2.1 discusses containment flooding events in further detail.

As a result, gravity injection is automatically actuated when required during shutdown conditions prior to refueling cavity floodup, as discussed in Subsection 6.3.3.3.2. The operator can also manually actuate other passive core cooling system equipment, such as the passive residual heat removal heat exchanger, if required for accident mitigation during shutdown conditions when the equipment does not automatically actuate.

6.3.3.4.1 Loss of Startup Feedwater During Hot Standby, Cooldowns, and Heat-ups

During normal cooldowns, the steam generators are supplied by the startup feedwater pumps and steam from the steam generator is directed to either the main condenser or to the atmosphere. There are two nonsafety-related startup feedwater pumps, each of which is capable of providing sufficient feedwater flow to both steam generators to remove decay heat. These pumps are also automatically loaded on the nonsafety-related diesel-generators in the event normal ac power and offsite power are lost. Since these pumps are nonsafety-related, their failure is considered.

In the event of a loss of startup feedwater, the passive residual heat removal heat exchanger is automatically actuated on Low-2 steam generator narrow range water level [text-box insertion: "with High RCS cold leg temperature"] and provides safety-related heat removal. The passive residual heat removal heat exchanger can maintain the reactor coolant system temperature, as well as provide for reactor coolant system cooldown to conditions where the normal residual heat removal system can be operated.

Since the chemical and volume control system makeup pumps are nonsafety-related, they may not be available. In this case, the core makeup tanks automatically actuate as the cooldown continues and the pressurizer level decreases. The core makeup tanks operate in a water recirculation mode to maintain reactor coolant system inventory while the passive residual heat removal heat exchanger is operating.

The in-containment refueling water storage tank provides the heat sink for the passive residual heat removal heat exchanger. Initially, the heat addition increases the water temperature. Within one to two hours, the water reaches saturation temperature and begins to boil. The steam generated in the in-containment refueling water storage tank discharges to containment. Because the containment integrity is maintained during cooldown Modes 3 and 4, the passive containment cooling system provides the safety-related ultimate heat sink. Therefore, most of the steam generated in the in-containment refueling water storage tank is condensed on the inside of the containment vessel and drains back into the in-containment refueling water storage tank via the condensate return gutter arrangement. This allows it to function as a heat sink for greater than 14 days, as discussed in Subsection 6.3.1.2.1.

Affidavit
Westinghouse Affidavit for Withholding Proprietary Information from Public Disclosure CAW-25-013

      • This record was final approved on 03/21/2025 15:19:27. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-25-013 Page 1 of 2

Commonwealth of Pennsylvania:
County of Butler:

(1) I, Rachel Christian, Manager, New Plants Licensing, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2) I am requesting LTR-GIC-25-017, Revision 0, Enclosure 2 be withheld from public disclosure under 10 CFR 2.390.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4) Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii) The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouse's knowledge, is not available in public sources.

(iii) Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a document should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.


(5) Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

(6) The attached submittal contains proprietary information throughout, for the reasons set forth in Sections (5)(a) and (5)(c) of this Affidavit. Accordingly, a redacted version would be of no value to the public.

I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief. I declare under penalty of perjury that the foregoing is true and correct.

Executed on: 3/21/2025
Signed electronically by Rachel Christian

Vendor Oversight Plan Summary A4-1
Vogtle Electric Generating Plant, Units 3 and 4, Passive Residual Heat Removal Actuation Logic Modification Vendor Oversight Plan (VOP), Revision 0, Summary

1. Background

By letter dated February 14, 2025 (ADAMS Accession No. ML25045A166), Southern Nuclear Operating Company (SNC) submitted a license amendment request (LAR) for Vogtle Electric Generating Plant, Units 3 and 4 (VEGP 3&4) to add a new Technical Specification function reflecting revised actuation logic for the Passive Residual Heat Removal (PRHR) Heat Exchanger Engineered Safety Feature implemented in the Protection and Safety Monitoring System (PMS). SNC has developed a Vendor Oversight Plan (VOP) based on the guidance in Section C.2.2.1 of DI&C-ISG-06, in support of the PRHR Actuation Logic Change modification, to describe oversight activities and document conformance. This VOP will confirm that Westinghouse Electric Company LLC (WEC) executes the project consistent with:

SNC specification and procurement documents
The SNC 10 CFR 50 Appendix B Quality Assurance program
The NRC-approved WEC Software Program Manual (SPM)
The WEC 10 CFR 50 Appendix B Quality Assurance program

SNC has developed the VOP as a revisable document controlled by SNC Quality Assurance Records Administrative procedure NMP-AD-025, Quality Assurance and Non-Quality Records Administration, and by the VOP change requirements described in Section 3 of this VOP Summary and in Section 1.4 of the VOP.

The VOP describes SNC's activities that, when executed, will provide assurance that WEC software changes meet process, technical, and regulatory requirements. The VOP identifies the committed series of interactions between SNC and WEC throughout the entire system development life cycle. The VOP Table of Contents is provided below.

Vogtle Electric Generating Plant, Units 3 and 4 Vendor Oversight Plan Table of Contents

1.0 PURPOSE
  1.1 Overview
  1.2 Project Scope
  1.3 Vendor Oversight Plan Scope
  1.4 Revisions to the Vendor Oversight Plan
2.0 ABBREVIATIONS
3.0 REFERENCES
4.0 APPLICABLE SNC PROCEDURES
  4.1 Quality Management Procedures
  4.2 Supply Chain Management Procedures
  4.3 Project Management Procedures
  4.4 Engineering and Design Control Procedures
  4.5 Risk Management Procedures
  4.6 Corrective Action Procedures
5.0 STAKEHOLDERS AND ROLES
  5.1 SNC Stakeholders
  5.2 WEC Stakeholders
6.0 DEVELOPMENT AND ASSESSMENT OF POTENTIAL PROJECT AND TECHNICAL RISK FACTORS
7.0 PERFORMANCE MEASURES AND ACCEPTANCE CRITERIA
  7.1 Critical Characteristics
    7.1.1 Performance Critical Characteristics
    7.1.2 Cyber Critical Characteristics
  7.2 Design Artifacts
    7.2.1 Generic Design Artifact Oversight Activities
    7.2.2 Oversight of Specific Documents
  7.3 Programmatic Elements
    7.3.1 Requirements Traceability Analysis IV&V
    7.3.2 Quality Assurance
    7.3.3 Configuration Management
    7.3.4 Software IV&V
    7.3.5 Software Regression Analysis IV&V
    7.3.6 Software Test Plan
    7.3.7 Software Safety
    7.3.8 Secure Development Environment
    7.3.9 Cyber Security
    7.3.10 Software Life Cycle Processes
    7.3.11 Plant Specific Action Items (PSAIs)
8.0 IMPLEMENTATION OF APPROPRIATE OVERSIGHT METHODS
9.0 CORRECTIVE ACTIONS
10.0 DOCUMENTATION
ATTACHMENT: ENGINEERING SURVEILLANCE AND DESIGN REVIEW REPORT AND OBSERVATION TEMPLATE

2. Vendor Oversight Plan (VOP) Scope

The scope of the VOP addresses the WEC processes and products for the PRHR Actuation Logic Change software modification. This includes the design and testing deliverables that WEC will provide. This VOP excludes any hardware changes associated with the PRHR Actuation Logic Change modification, since those hardware changes are governed by other procedures and processes. This VOP is exclusively for the safety-related software change described in the LAR. The WEC processes and procedures include software and design documentation. The VOP does not address oversight of the modification process or licensing activities, as these have existing oversight process implementations.

SNCs vendor oversight activities include:

Conducting scheduled and structured on-site or remote surveillances of WEC software design and development processes, as well as vendor surveillances.

Conducting ongoing quality and design-related review interactions (e.g., owner's acceptance reviews) with WEC to confirm the final product meets the intended functions and constraints.

Conducting Quality audits of vendor activities in accordance with SNC Nuclear Development Quality Assurance Manual (NDQAM) (Note: These audits are governed by existing SNC Nuclear Oversight (NO) procedures, referenced in Section 4 of the VOP, and are not intended to be detailed in this summary document).

Providing input to WEC design and development activities, as well as reviewing/confirming specific WEC activities.

Performing owner's acceptance reviews of WEC design and Verification and Validation (V&V) artifacts (e.g., specifications, procedures, traceability matrices).

Observing or witnessing specific WEC validation and testing activities.

Participating directly in specific vendor activities.

Coordinating multi-discipline interactions among various stakeholders.

Periodically communicating status, schedule, and results of oversight activities through SNC/WEC Project Management team teleconferences, SNC/WEC Engineering team teleconferences, and SNC/WEC Licensing team teleconferences.

Capturing issues in SNC corrective action program.

Elevating emerging risks and issues (if necessary) to decision makers with higher authority.

Updating the VOP (if necessary) based on emerging results.

Conducting scheduled Risk Review Meetings.

The VOP establishes four strategic objectives through the use of SNC processes and procedures:

Verify WEC activities are fulfilling the contract and regulatory obligations through identified audits and review activities.

Document performance of oversight activities and results.

Perform timely and adequate follow-up and closure.

Verify WEC inspectors have the necessary knowledge and skills to successfully validate acceptance criteria.

The results of the VOP will confirm that the activities related to software development coincide with the WEC specified software lifecycle activities, as described in the WEC SPM.

3. Procedural Basis for VOP

The SNC Nuclear Development Quality Assurance Manual (NDQAM) implements 10 CFR 50 Appendix B for VEGP 3&4 and is carried out through approved procedures (e.g., policies, directives, procedures, instructions, or other documents) which provide written guidance for the control of quality-related activities and provide for the development of documentation as objective evidence of compliance.

The VOP is designed to be an umbrella document covering the range of activities in which SNC is engaged to perform effective vendor oversight. A hierarchy of SNC procedures ensures the effectiveness of vendor quality activities and products. These procedures fall under quality management, supply chain management, project management, design control, risk management, and corrective action.

The following key documents provide input to vendor oversight activities:

SNC Quality program, procurement, project management, supply chain management, design control, and risk management procedures

SNC-WEC Procurement contract and other associated documents

NRC-approved WCAP-16096-P-A, Common Qualified Platform Software Program Manual (SPM)

Electric Power Research Institute (EPRI) Technical Report 3002011816, Digital Engineering Guide (DEG)

EPRI Topical Report 1011710, Handbook for Evaluating Critical Digital Equipment and Systems

The hierarchy of SNC procedures, and the role of each in the effective oversight of WEC, are described in VOP Section 4.0, as summarized below. In addition, the information below includes a description of the administrative controls that SNC will utilize for any changes to the VOP.

Stakeholders identified in VOP Section 5 will participate in vendor oversight activities. The level of vendor oversight follows a graded approach, based on project, technical, and vendor performance risk factors, which will be described in VOP Section 6. All levels of the graded approach will include specifically defined performance measures and acceptance criteria, which are described in VOP Section 7. The various levels of graded oversight activities will be described in VOP Section 8. The SNC Corrective Action Program (CAP) (i.e., SNC procedure NMP-GM-002, Corrective Action Program) will be used to document and provide resolution of issues/problems. This is described in VOP Section 9. Finally, oversight results will be documented as described in VOP Section 10.

VOP Change Process

As described in VOP Section 1.4, "Revisions to the Vendor Oversight Plan," the VOP is considered a Controlled Document. Changes to the VOP that are identified require the following actions, prior to implementation:

Initiation of a Condition Report (CR) in the SNC Corrective Action Program to track and document the approval, implementation, and communication (i.e., to all stakeholders) of the change.

Review, approval, and administration of the change in accordance with SNC procedures B-GEN-ENG-038, Vogtle 3&4 Startup Engineering Change Procedure, NMP-ES-045-001, Technical Oversight Reviews of Engineering Products, and NMP-AD-025, Quality Assurance and Non-Quality Records Administration.

Review of the NRC Safety Evaluation approving the digital upgrade license amendment to confirm that the proposed VOP changes will not adversely impact the basis or requirements for NRC approval (i.e., as described in VOP Section 1.4).

Quality Management

The NDQAM is the NRC-approved SNC 10 CFR 50 Appendix B Program for VEGP 3&4 and is implemented through the use of approved procedures (e.g., policies, directives, procedures, instructions, or other documents). These procedures provide written guidance for the control of quality-related activities and provide for the development of documentation that gives objective evidence of compliance. With respect to the PRHR Actuation Logic Change modification, the primary implementing procedures for the NDQAM are as follows:

NOS-201, Supplier Quality Program Evaluation, sets forth the general administrative requirements for the supplier quality evaluation program, including the maintenance of the SNC Qualified Suppliers List (QSL).

NOS-204, Supplier Audit/Survey Report Review provides instructions and guidelines for the performance of audit/survey report reviews to verify report acceptability for the qualification of suppliers to be included on the SNC QSL.

ND-QA-005, Quality Assurance Reviews, provides requirements and guidance for the performance of reviews conducted by Nuclear Development Quality Assurance (NDQA). It specifically addresses procedure reviews and reviews associated with corrective actions related to NDQA audits and surveillances.

ND-QA-008, Training and Qualification of Quality Assurance Personnel, provides the requirements and guidance for the training and qualification of Nuclear Development Quality Assurance (QA) personnel.

This procedure implements ASME NQA-1-1994 and the SNC NDQAM for the initial and recurring certification of QA personnel as a qualified Lead Auditor. This procedure also provides guidance to QA personnel for Surveillance Lead qualification and departmental training independent of NQA-1-1994 requirements.

ND-QA-019, Vogtle 3 & 4 Supplier Qualification describes the process for qualification and oversight of VEGP 3&4 Suppliers.

NOS-202, Supplier Safety-Related Program Audits, defines Quality Assurance Audits conducted by SNC Nuclear Oversight (NOS) for suppliers and prospective suppliers that supply equipment, materials, and services for nuclear power plant safety-related applications to SNC. The purpose of the audit is to evaluate the ability of the supplier to meet applicable SNC, regulatory, and industry requirements and standards. This procedure applies to supplier quality assurance audits performed by NOS or contracted personnel to evaluate safety-related suppliers for inclusion on the SNC QSL.

All audits incorporate performance-based auditing concepts, along with programmatic elements, as necessary, to conclude that items produced and services provided by the supplier's processes will meet the established requirements. When the audit is a Nuclear Procurement Issues Corporation (NUPIC) Joint Audit led by SNC, the applicable NUPIC guidelines must be in compliance with this procedure and NUPIC documents. In the event of a conflict between the NUPIC process and SNC procedure, SNC processes and procedures will be followed to perform audit activities.

NOS-401, Supplier Quality Surveillance, sets forth the requirements for the Nuclear Oversight (NOS) supplier quality surveillance program. Supplier quality surveillance may be performed:

To supplement or provide additional confidence in a supplier's quality assurance program when the design and/or manufacturing processes are complex or have been found to be deficient in some area(s).

To witness pre-determined points in the manufacturing, inspection, and/or testing process.

To confirm supplier compliance with purchase order requirements.

To verify that a supplier of commercial grade items adequately controls specified critical characteristics.

Supply Chain Management

The following is the principal Supply Chain Management procedure that will be used for the PRHR Actuation Logic Change modification.

NMP-GM-011, Procurement, Receipt, and Control of Materials and Services establishes the processes and responsibilities for non-Supply Chain Management (SCM) personnel and the interface with SCM personnel involved in the procurement, receipt, and control of materials and services for SNC.

Project Management

With respect to the PRHR Actuation Logic Change modification, the primary implementing procedures and instructions for project management are as follows:

NMP-ES-067, Major Project Management, defines the roles, responsibilities, and the multi-phase process by which major projects are managed by the SNC Fleet Projects group.

NMP-ES-067-004, Major Project Management Instruction, establishes the responsibilities and requirements, and provides instruction, for SNC Project Managers, Program Managers, and Fleet Capital Cost Controls Staff throughout the lifecycle of a project. It describes the steps needed to successfully deliver a project that meets its technical, functional, and business objectives. The process described in this instruction is based on the SNC Project Management Body of Knowledge (PMBOK) and INPO 09-002, Excellence in Nuclear Project Management.

NMP-ES-067-005, Fast Track Project Instruction, supplements the project management requirements in NMP-ES-067-004, Major Project Management Instruction, and establishes the responsibilities and requirements, and provides instruction, for all projects where the standard project process will not support established project milestones, outage readiness milestones, on-line work milestones or work completion commitment dates. This procedure provides additional guidance to ensure that the project is successfully implemented.

NMP-ES-067-009, SNC Major Project Management Procurement Strategy Development, provides guidance to SNC project managers on contracting, including interface with the procurement management process. This guidance provides a consistent approach for understanding and collaboration with Supply Chain Management on the procurement management process. The requirements are applied in a graded approach where the level of analysis, documentation and detail provided in project deliverables are established commensurate with the scope, complexity, budget, schedule, and other relevant factors of the project.

Project Management procedures NMP-ES-067-003, Graded Approach to Major Project Management, and NMP-ES-067-006, Project Risk Management, are described below under Risk Management.

Engineering and Design Control Procedures

The following lists and describes the Engineering and Design Control procedures that will be used for the PRHR Actuation Logic Change modification.

NMP-ES-040-001, Preparation and Revision of Procurement Specifications for Engineered Components, establishes the requirements for preparation of new, or revision of existing, procurement specifications for engineered equipment, systems, and components. As stated in this instruction, an SNC procurement specification presents SNC's technical requirements, including vendor oversight expectations and vendor document submittal requirements.

NMP-ES-042, Design Input and Verification Process provides instructions for establishing and documenting design inputs and design verifications that are required for individual design processes.

NMP-ES-045, Design Authority, defines and implements the SNC design authority. This is accomplished by defining the divisions of responsibilities for design-related activities and by endorsing processes and procedures used to control design activities.

NMP-ES-045-001, Technical Oversight Reviews of Engineering Products, provides guidance for conducting the technical oversight reviews required for engineering technical activities developed by external contractors, as well as engineering products prepared internally by SNC.

B-GEN-ENG-038, Vogtle 3&4 Startup Engineering Change Procedure, establishes the Owner's Acceptance Review process for design change products produced by WEC following Design Authority Turnover (DATO).

NMP-ES-050, Requests for Engineering Review, sets forth the responsibilities, requirements, instructions, and guidance for initiating and responding to Requests for Engineering Review (RERs).

This process may be used for but is not limited to requesting technical information or requesting an engineering evaluation, study, recommendation and/or decision.

NMP-ES-095, Interface Procedure for IP-ENG-001, Standard Design Process, endorses industry procedure IP-ENG-001, Standard Design Process (SDP) (Revision 3), as written, including the associated forms. This procedure provides cross-references of the generic SDP terminology to SNC-specific terms, guidance on roles and responsibilities, reference tables on interfacing procedures with instructions, transition instructions, and records, and addresses SNC and site-specific regulatory commitments. This procedure also endorses industry procedure NISP-EN-04, Standard Digital Engineering Process, as written. Industry procedure NISP-EN-04 supplements the SDP by addressing additional engineering activities applicable to modifications involving programmable electronic equipment.

NMP-GM-007, Acquisition and Development of Technology Solutions for Southern Nuclear, defines standard processes to acquire, develop, and implement new or upgraded Technology Solutions that will help SNC achieve strategic objectives or address operational needs. The procedure requires:

SNC policies are considered and applied, including the Technology Policy, Technology Acquisition Standard, and the Business Technology Delivery Framework.

The Technology Organization is appropriately engaged, investments are reviewed, prioritized, and approved, and the appropriate Supply Chain Management (SCM) organization is leveraged.

A sustainable support model is planned, defined, and mobilized before a new Technology Solution is implemented.

The objectives of plant safety and reliability are fully supported.

NMP-MA-014, Post Maintenance Testing/Post Modification Testing, and NMP-MA-014-001, Post Maintenance Testing Guidance, establish the requirements and process that SNC will use to develop and conduct Post Modification testing to confirm that modified equipment will perform its intended function when returned to service upon completion of the modification. For the PRHR Actuation Logic Change modification, Post Modification Testing will include a Factory Acceptance Test (FAT) and Site Acceptance Test (SAT).

SNC will witness the FAT for the lead unit.

SNC will witness the FAT for the subsequent unit, performed in accordance with the WEC SPM.

NMP-GM-014, Cyber Security for Digital Plant Systems, describes the requirements and responsibilities for the effective implementation of the SNC Cyber Security Plan (CSP) consistent with the requirements of 10 CFR 73.54, Protection of Digital Computer and Communication Systems and Networks.

B-GEN-CSEC-002, Cyber Security Team (CST) Implementation Instructions, establishes the roles and responsibilities of the CST in accordance with the VEGP 3&4 CSP and documents the governing process for the CST.

Risk Management Procedures

NMP-AD-050, Integrated Risk Management, provides the overall Risk Management philosophy and governance for SNC. The overall goal of these policies and procedures is to eliminate or reduce risk to an acceptable level. SNC has numerous areas where risks are identified, evaluated, and managed.

This procedure provides a typical flow chart demonstrating how the risks are handled from initial identification through implementation in the field.

NMP-ES-067-006, Project Risk Management describes the responsibilities, requirements, and instructions associated with managing risk on major projects. Project Risk Management is the systematic process of identifying, analyzing, and responding to project risks. This includes maximizing the probability and/or consequences of positive risk events (opportunities) and minimizing or eliminating the probability and/or consequences of negative risk events (threats) that could impact project objectives.

NMP-ES-067-003, Graded Approach to Major Project Management, establishes and describes the process in which a graded approach to project management is applied to individual major projects based on the SNC Project Risk Profile rating. This includes defining project tool requirements, project management sponsorship requirements, and establishing a consistent, scalable approach to the application of Project Readiness Assessments and oversight.

NMP-GM-027, Plant Health Process, describes the process to identify, screen, develop, assess, rank and approve resolutions for issues affecting plant equipment reliability or health. It establishes an effective process to increase equipment reliability and unit availability by aligning the organization's focus on correcting material condition issues, maintaining a risk elimination bias, and improving system performance, achieved through critical challenge of system, component, and program health issues, risk mitigation and bridging strategies, and action plans.

Corrective Action Procedures

NMP-GM-002, Corrective Action Program, outlines roles and responsibilities, provides definitions, and establishes a general outline of the regulatory-required SNC Corrective Action Program (CAP). It encompasses the processes for documenting, as a Condition Report (CR), Significant Conditions Adverse to Quality (SCAQs), Conditions Adverse to Quality (CAQs), Conditions Adverse to Regulatory Compliance (CARCs), as well as non-regulatory Business Items.

4. Project Organization and Roles

The following key organizational roles and responsibilities for the project are described in the VOP.

SNC Project Team

Project Manager

Nuclear Oversight

Responsible Design Engineer

DI&C Engineers

Cyber Security Engineer

Information Technology (IT) Representative

System Engineer

Supply Chain Management Representative

Licensing Engineer

Operations Representative

Senior Test Director

Test Director

WEC Project Team

Project Manager

Quality Manager

Design Engineers

Test Engineers and Software V&V Engineers

Technical Advisor

Technical Lead

Licensing Lead

5. Development and Assessment of Potential Project and Technical Risk Factors

SNC procedures NMP-AD-050, NMP-ES-067-003, and NMP-ES-067-006 provide direction for the risk assessment of technical work, senior management notifications of results, pre-job briefs, independent third-party reviews (ITPR), and post-job briefs to capture lessons learned. Based on the risk categorization, SNC's vendor oversight activities have been prioritized as described in VOP Section 7.0 and summarized below in Section 7 of this VOP Summary.

This approach is consistent with and implements the guidance in both the EPRI DEG and NISP-EN-04 on the use of a graded approach for oversight of DI&C engineering activities and products. With respect to vendor oversight planning, this guidance includes identification and assessment of potential vendor risk factors and application of the appropriate level of oversight (i.e., graded approach) based on the relative risk of each factor.

6. Performance Measures and Acceptance Criteria

Performance measures and their acceptance criteria will be included in the VOP. The performance measures will be divided into three categories with acceptance criteria provided for each:

Critical Characteristics: The important design, material, and performance characteristics of a system that, once verified, will provide reasonable assurance that the system will perform its intended critical functions.

Design Artifacts: The set of design output documents produced by WEC.

Programmatic Elements: These include WEC's programs and processes relevant to the project, as described in the WEC SPM.

Critical Characteristics

The critical characteristics applicable to the PRHR Actuation Logic Change modification (i.e., a software-only change) are divided into the following categories:

Performance

Cyber

Because hardware changes that are part of the PRHR Actuation Logic Change modification are excluded from this VOP, the Physical and Environmental Critical Characteristics are not applicable.

Oversight of critical characteristics utilizes the following vendor oversight activities:

Conducting vendor audits and quality surveillances in accordance with the SNC NDQAM.

Conducting pre-planned on-site or remote vendor surveillances.

Conducting on-going quality and design-related review interactions with and providing feedback to WEC to confirm the final product meets the intended functions and constraints.

Reviewing WEC design output documents.

Participating in Factory Acceptance Testing.

Conducting Site Acceptance Testing.

Observing or witnessing specific vendor testing activities.

Capturing issues in SNC/WEC corrective action programs.

Performance Critical Characteristics

Verify the logic functions being modified, focusing on the relevant aspects of the system that have been included in the requirements traceability matrix (RTM).

o Acceptance criteria: Requirements from the design inputs and the SNC purchase and design specifications are source inputs to the RTM.

Verify that the modified logic functions perform as required.

o Acceptance criteria: Successful completion of FAT and SAT.

Verify changes to the original design requirements and specifications for component modifications are identified as new requirements.

o Acceptance criteria: Changes from the original design requirements and specifications have been documented as new design requirements.

While not an exhaustive list, the following will be reviewed, as a minimum, as part of owner's acceptance reviews for the VEGP 3&4 PRHR Actuation Logic Change modification project.

Confirm input ranges and setpoints. This can be done as part of the factory acceptance testing or as part of the site acceptance testing.

o Acceptance criteria: Correct input ranges and setpoints.

Confirm outputs, output ranges, and data types are appropriate for interfacing systems. This can be done as part of the factory acceptance testing or as part of the site acceptance testing.

o Acceptance criteria: Correct outputs, output ranges, and data types are appropriate for interfacing systems.

Verify that the features that are provided for surveillance testing or calibration are in accordance with the procurement specification and are included in the RTM.

o Acceptance criteria: The software requirements associated with testing are included in the RTM.

Confirm that the response time requirements are included in the Requirements Traceability Analysis.

o Acceptance criteria: Response time requirements are documented and traced through design and testing.

Confirm that the Central Processing Unit (CPU) maximum load requirements are addressed.

o Acceptance criteria: CPU maximum load requirements are specified and traced through the development and testing process.

Cyber Critical Characteristics

Oversight of cyber security critical characteristics is addressed as a Programmatic Element.

Design Artifacts

SNC will perform owner's acceptance review of applicable WEC design artifacts in accordance with B-GEN-ENG-038. Oversight of WEC design artifacts involves the following vendor oversight activities.

Generic Design Artifact Oversight Activities

SNC is crediting the software development process defined in NRC-approved WCAP-16096, Software Program Manual for Common Q™ Systems, as modified by WCAP-15927, Design Process for AP1000 Common Q™ Safety, under Westinghouse's QA program.

Conduct vendor quality audits in accordance with the SNC NDQAM and associated implementation procedures.

o Acceptance criteria: Completion of required audits.

Conduct on-going quality and design-related review interactions with and provide feedback to WEC.

o Acceptance criteria: Documentation of quality and design-related review interactions exists and is documented as part of the owner's acceptance of the design documents, which are WEC deliverables.

Review WEC design output documents.

o Acceptance criteria: Owner's acceptance review of the WEC deliverables, and completion of VOP surveillance reports.

Verify completion and documentation of multi-discipline interactions among various stakeholders.

o Acceptance criteria: Multi-discipline interactions conducted and documented.

Review and evaluate the WEC corrective action program procedures and other processes for capturing issues.

o Acceptance criteria: Verification of a process to capture issues, including a corrective action program.

Capture issues in WEC corrective action program.

o Acceptance criteria: Issues meeting the WEC corrective action program criteria have been entered into the program tracking.

Oversight of Specific Documents

Documents and test reports developed by WEC and issued to SNC will receive, as a minimum, an owner's acceptance review. More detailed technical reviews of important documents may be performed as determined in detailed project planning or as a result of oversight review findings.

Verify that VEGP 3&4-specific requirements are correct, understandable, unambiguous, fulfill the purchase specification, and are developed in accordance with SPM Section 10.2.1.

o Acceptance criteria: Requirements from the DC design inputs and the SNC procurement documents have been included in the RTM as a source input. This item is a design input or design requirement consideration for the DC. Similar RTM verifications are listed in other steps.

Verify requirements that are adopted without modification are validated using Requirements Phase IV&V and Design Phase IV&V surveillances.

o Acceptance criteria: RTM inputs match the RTM requirements source inputs.

Verify requirements that are adopted without modification are validated by factory acceptance testing, including a system validation test.

o Acceptance criteria: Successful completion of FAT and SAT.

Verify the requirements in the Software Requirements Specification (SRS) are correct, understandable, unambiguous, fulfill the purchase specification, and are developed in accordance with SPM Section 10.2.2. Each requirement will be traceable to one or more system requirements, and the RTM will show where in the software or application logic the required action is performed and where the particular requirement is tested. The SRS will be developed in accordance with SPM Section 10.2.2.

o Acceptance criteria: RTM SRS requirements match the SRS requirements.

Review the IV&V report on the software or logic design specifications, including all identified problems documented by the IV&V team. If the software or logic design specifications are reviewed after completion of the IV&V effort, no errors are expected.

o Acceptance criteria: All issues or problems are resolved.

Verify the SDD is developed in accordance with SPM Section 10.3.

o Acceptance criteria: The SDD complies with the SPM process.

Verify that the Software Hazards Analysis (SHA) identifies the hazardous states, sequences of actions that can cause the system to enter a hazardous state, and sequences of actions intended to return the system from a hazardous state to a non-hazardous state and is developed in accordance with the SPM Section 3.4.1.

o Acceptance criteria: The SHA is part of the owner's acceptance for this WEC deliverable. RTM SHA requirements match the SHA, and the SHA requirements are traced to at least one SRS requirement.

Verify that WEC provides a Failure Modes and Effects Analysis (FMEA) that demonstrates compliance with the procurement specification. The WEC FMEA will identify the effects that result from credible failures of individual components and modules.

o Acceptance criteria: Owners acceptance of the FMEA.

Programmatic Elements

The Programmatic Elements include WEC programs and processes relevant to the project. The elements of the system lifecycle are described in the WEC SPM. The SPM describes the requirements for the software design, development, and revision process. The SPM also describes the requirements for the use of software in Common Q™ systems. The WEC software development process documents that will be revised by Westinghouse to implement this change will be based on the credited Westinghouse development and revision process.

Review selected WEC deliverables to validate the scope of documents revised to implement this change is consistent with the credited change process.

o Acceptance criteria: Owner's acceptance review of the documents.

Review the factory acceptance test (FAT) procedure.

o Acceptance criteria: Validate that the FAT procedure covers the complete scope of functions in the modified software.

Witness the FAT and the resolution of any anomalies.

o Acceptance criteria: Completion of FAT test report.

Requirements Traceability

WEC will perform a software requirements traceability analysis (RTA) and maintain a requirements traceability matrix (RTM). The WEC team shall be responsible for the RTM to the point of identifying the requirements and the testing that is performed to validate the requirements.

Review the RTM for the adequacy and accuracy of the software requirements tracing.

o Acceptance criteria: Owner's acceptance review of the RTM.

The IV&V team will verify that WEC complies with the IV&V requirements in the NRC-approved Common Q™ SPM for RTA. A review of the WEC documentation, as described in the following statements, will be performed to determine the effectiveness of the WEC IV&V efforts.

WCAP-16096, RTA

The Requirements Traceability Analysis (RTA) is the task of ensuring the completeness and accuracy of the RTM: all lower-level requirements and design features are derived from higher-level requirements, and all higher-level requirements are allocated to lower-level requirements, design features, and tests. The traceability analysis also provides a method to cross-reference each software requirement against all of the documents and other software items in which it is addressed. The purpose of this analysis is to verify that the design team addresses every requirement throughout the design life cycle process. The IV&V team is responsible for performing the RTA.

The team will confirm that WEC documentation will exist that shows that the IV&V tasks have been successfully accomplished for each life cycle activity group. Specific performance measures and acceptance criteria are:

Verify that the software RTA is performed in accordance with the NRC-approved Common Q™ SPM for RTA.

o Acceptance criteria: SPM requirements are being used for the RTA and the RTM process.

Verify that the IV&V requirements are performed in accordance with the NRC-approved Common Q™ SPM.

o Acceptance criteria: SPM requirements are being used for the IV&V process. Problems identified by the IV&V effort are documented and tracked through resolution, together with any action items required to mitigate or eliminate each problem. A record is kept of actions taken in response to the action items and the appropriate configuration management activities are performed.

Identify the process used for documenting problems identified by the IV&V effort.

o Acceptance criteria: Process used to document problems during the IV&V effort complies with the SPM.

Verify problems identified during the IV&V effort are documented and resolved in accordance with the process.

o Acceptance criteria: A sample of problems found during the IV&V effort were documented and resolved in accordance with the process.

In parallel to the review of the WEC IV&V, SNC will review segments of the RTM by examining the upstream and downstream document references for correct linkage. WEC will combine and load VEGP 3&4 requirements into the WEC Dynamic Object-Oriented Requirements System (DOORS) tool, becoming a source requirements module for traceability to lower-level documentation. The RTM is an output product of the WEC DOORS tool. The fulfillment of SNC requirements by project-specific documentation will be shown by linkages between DOORS module renditions of the project-specific documentation or by a DOORS index module(s) (e.g., an index module containing a list of documents).

The RTM document will be updated throughout the project, as identified in the project schedule as different types of definition and design/implementation level documentation are created.

WCAP-16096, RTM

The Requirements Traceability Matrix (RTM) is either a table of information prepared manually, or a report generated from a requirements database. The RTM associates requirements with the documentation and software that satisfies them. Requirements are entered in the matrix and are organized into successive lower-level requirements as described in each document. The requirements are then traced through the software lifecycle to the design, code, and test documentation. The design team is responsible for creating the RTM to the point of identifying the code satisfying the requirement. IV&V will complete the RTM identifying validation of the requirement.

SNC will review the current version of the RTM for the PRHR Actuation Logic Change modification project to verify that the system design RTM details are correctly addressed in this document, demonstrating fulfillment of the technical and process requirements specified in the SNC Purchase Specification.

Identify the phases of the project (e.g., Requirements Phase IV&V, Design Phase IV&V) for performing surveillances of the RTM.

o Acceptance criteria: RTM surveillance activities provide for 100% verification of the RTM.

Verify that the RTM contains the requirements from the procurement and design specifications, and that these requirements are traceable through the downstream documents including the FAT.

o Acceptance criteria: All requirements from the procurement and design specifications have been identified in the RTM, and all requirements are traceable to implementation.

Quality Assurance

SNC will verify the desired level of quality in the service and product to confirm specified requirements are met and are in alignment with the SNC NDQAM and software quality design attributes discussed in the LAR. To accomplish this, SNC will perform the following.

Confirm that WEC complies with the requirements of Appendix B to 10 CFR Part 50 and 10 CFR Part 21 to control the quality of SR materials, equipment, and services.

o Acceptance criteria: Completion of supplier audit program described in the NDQAM, and verification of WEC compliance.

Confirm the SQA program, in accordance with the SPM, is effective in controlling the software development process to confirm quality and meets the commitments described in the LAR for SQA.

o Acceptance criteria: WEC SPM and SQA (if applicable) are in compliance with NMP-GM-007.

Configuration Management

As required by the SPM, a WEC configuration control board will exist with the authority to authorize all changes to baselines. Problem reports will be prepared to describe anomalous and inconsistent software or logic and documentation. Problem reports that require corrective action will invoke the change control activity. Change control will preserve the integrity of configuration items and baselines by providing protection against their change. To confirm this, SNC will perform the following.

Verify that the WEC Configuration Management Release Reports identify, name, and describe the documented physical and functional characteristics of the code, specifications, design, and data elements to be controlled for the project and will verify that WEC follows the configuration management process in the NRC-approved Common Q™ SPM.

o Acceptance criteria: The WEC Configuration Management process is in compliance with the SPM.

Verify the use of a configuration control board, and the implementation of problem reports as part of the Configuration Management process.

o Acceptance criteria: Based on a sample, configuration changes resulting from problem reports are implemented based on the WEC Configuration Management process.

Conduct quality audits of life cycle activities to confirm that configuration management procedures were carried out in the life cycle process implementation.

o Acceptance criteria: Correct execution of configuration management procedures.

Review the software and documentation to be shipped to confirm it is part of the NRC's approved topical report.

o Acceptance criteria: A surveillance based upon procurement receipt instructions for PSAI No. 23 is conducted prior to shipment of equipment.

Per WCAP-16096 PSAI No. 6, review the Record of Changes in WCAP-16097 Appendix 5 prior to shipment of deliverables to the site.

o Acceptance criteria: LAR response to PSAI No. 6 is documented in the procurement receipt instructions.

Software Independent Verification and Validation (IV&V)

The management of IV&V spans all life cycle phases. Software development is a cyclic and iterative process. Documentation will exist that shows that the IV&V tasks have been successfully accomplished for each life cycle activity group. The acceptance criterion for software or logic IV&V implementation is that the tasks in the IV&V plan have been carried out in their entirety. In particular, the documentation will show that the requirements, design, implementation, test phase, and applicable installation/checkout design outputs satisfy the specified system requirements. The test phase IV&V activities will demonstrate that unit and subsystem tests required by the IV&V plan were successfully completed. The final test phase IV&V report will describe the procedures followed and the tests performed during integration. The IV&V effort shall re-perform previous IV&V tasks or initiate new IV&V tasks to address software changes.

Review the Requirements Traceability associated with the software IV&V. The methods identified in this section will be used to verify the software IV&V effort is in compliance with the SPM for Requirements Traceability.

o Acceptance criteria: Based on the specific method used, no errors with the IV&V Requirements Traceability and no unresolved problems are identified.

Verify that IV&V verification reviews have been completed successfully and that anomalies have been resolved, with the results reviewed and retested appropriately.

o Acceptance criteria: No unresolved anomalies exist in the IV&V reports. Anomaly reports comply with the SPM and IV&V process.

Verify that validation and acceptance tests and reports required by the IV&V plan were successfully completed.

o Acceptance criteria: The IV&V tests and reports are complete and follow the IV&V plan as discussed.

Review procedures for handling errors and anomalies encountered during the reviews and tests.

These procedures include correction procedures (including configuration management) and provision for re-review and re-test to confirm the problems are resolved. A final report summarizing the IV&V testing is provided.

o Acceptance criteria: The anomaly resolution process complies with the IV&V process and the SPM.

Verify the implementation of source code in the software development environment.

o Acceptance criteria: The software development environment is in compliance with the SPM.

Software Regression Analysis IV&V

NOTE: The term regression analysis is only applicable to software regression analysis, and the definition for this is based on the WEC SPM. Per the SPM, regression analysis is performed by the WEC design team or the IV&V Team. Based on the SPM, regression analysis shall be performed to determine the extent of re-testing activities that may be necessary to re-verify and/or re-validate any changes to a tested element. As DCs are introduced, regression analysis must be performed to determine what tests need to be repeated or introduced to maintain the level of system validation achieved during the first-of-a-kind test program. The SPM requires a regulated change process, described in Section 9, that consists of a formal software change request process for documenting and approving changes and performing regression analyses on changes.

A Baseline Change Assessment by WEC will evaluate proposed software changes for effects on previously completed IV&V tasks. When changes are made, iteration of affected tasks is conducted, and includes re-performing previous IV&V tasks or initiating new IV&V tasks to address the software changes.

An IV&V report shall document the IV&V activities regarding the modification. This must include, or reference, a regression analysis, including test requirements and results.

Regression analysis shall be performed to determine the extent of re-testing activities that may be necessary to re-verify and/or re-validate any changes to a tested element. Design modifications or detection of latent design errors or programming bugs may bring about these changes.

The SPM requires a regulated change process, described in Section 9, that consists of a formal software change request process for documenting and approving changes and performing regression analyses on changes.

Verify software regression analysis is performed in accordance with the SPM as discussed above.

o Acceptance criteria: Based on a sample, software changes are in compliance with the SPM for IV&V regression analysis.
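The RTM surveillance described under WCAP-16096, RTM (100% verification, every procurement and design specification requirement traceable through downstream documents to the FAT) and the regression analysis described in this section are both questions about the same link graph. The following script is an added illustration, not code from the VOP, WEC, or the DOORS tool: it models an RTM as rows of (artifact id, kind, upstream references), checks forward traceability of every source requirement to a test, flags orphan artifacts that cite no requirement and dangling references, and, for a proposed change, computes which tests lie downstream of the changed elements. All identifiers and links in SAMPLE_RTM are constructed for the example; the artifact kinds are an assumed simplification of the lifecycle chain the page describes.

```python
from collections import defaultdict, deque

# Constructed sample RTM rows: (artifact_id, kind, [upstream_ids]).
# Kinds follow the chain the page describes: procurement/design
# specification requirements -> software requirements -> design -> code
# -> test (FAT). Every id and link here is made up for this example.
SAMPLE_RTM = [
    ("PS-001", "procurement_req", []),
    ("PS-002", "procurement_req", []),
    ("PS-003", "procurement_req", []),
    ("DS-010", "design_spec_req", ["PS-001"]),
    ("DS-011", "design_spec_req", ["PS-002"]),
    ("DS-012", "design_spec_req", ["PS-003"]),
    ("SRS-100", "software_req", ["DS-010"]),
    ("SRS-101", "software_req", ["DS-011"]),
    ("SRS-102", "software_req", ["DS-012"]),
    ("SDD-200", "design", ["SRS-100"]),
    ("SDD-201", "design", ["SRS-101", "SRS-100"]),
    ("SDD-202", "design", ["SRS-102"]),
    ("MOD-300", "code", ["SDD-200"]),
    ("MOD-301", "code", ["SDD-201"]),
    ("MOD-302", "code", ["SDD-202"]),   # implemented but never tested
    ("MOD-399", "code", []),            # orphan: cites no upstream artifact
    ("FAT-400", "test", ["MOD-300"]),
    ("FAT-401", "test", ["MOD-301"]),
]

TEST_KIND = "test"
SOURCE_KINDS = {"procurement_req", "design_spec_req"}


def build_graph(rows):
    """Return (kinds, parents, children) lookups built from RTM rows."""
    kinds = {art_id: kind for art_id, kind, _ in rows}
    parents = {art_id: list(upstream) for art_id, _, upstream in rows}
    children = defaultdict(list)
    for art_id, ups in parents.items():
        for parent in ups:
            children[parent].append(art_id)
    return kinds, parents, children


def forward_closure(start, children):
    """All artifacts reachable downstream of `start` (excluding itself)."""
    seen, queue = set(), deque([start])
    while queue:
        for child in children.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def check_rtm(rows):
    """Forward and backward traceability check over the whole matrix."""
    kinds, parents, children = build_graph(rows)
    sources = [a for a, k in kinds.items() if k in SOURCE_KINDS]
    # Forward: each source requirement must reach at least one test.
    untraced = sorted(
        s for s in sources
        if not any(kinds[c] == TEST_KIND for c in forward_closure(s, children)))
    # Backward: every non-source artifact must cite an existing upstream
    # artifact; anything else is an orphan (a candidate unintended function).
    orphans = sorted(a for a, k in kinds.items()
                     if k not in SOURCE_KINDS
                     and not any(p in kinds for p in parents[a]))
    # References to ids that do not exist in the matrix.
    dangling = sorted((a, p) for a, ups in parents.items()
                      for p in ups if p not in kinds)
    traced = len(sources) - len(untraced)
    coverage = round(100.0 * traced / len(sources), 1) if sources else 100.0
    return {"traced": traced, "total": len(sources), "coverage_pct": coverage,
            "untraced_requirements": untraced, "orphans": orphans,
            "dangling_references": dangling,
            "acceptable": not (untraced or orphans or dangling)}


def regression_scope(rows, changed_ids):
    """Tests downstream of the changed artifacts, i.e. the minimum re-test
    set, plus changed artifacts that no test covers at all."""
    kinds, _, children = build_graph(rows)
    tests, untested = set(), []
    for cid in changed_ids:
        hit = {c for c in forward_closure(cid, children)
               if kinds.get(c) == TEST_KIND}
        if kinds.get(cid) == TEST_KIND:   # a changed test re-runs itself
            hit.add(cid)
        if not hit:
            untested.append(cid)
        tests |= hit
    return {"tests": sorted(tests), "untested_changes": sorted(untested)}


if __name__ == "__main__":
    print(check_rtm(SAMPLE_RTM))
    print(regression_scope(SAMPLE_RTM, ["SRS-100"]))
```

On the constructed sample, check_rtm reports two of six source requirements (PS-003 and DS-012) with no path to a test, MOD-399 as an orphan, and therefore an unacceptable matrix; regression_scope shows that a change to SRS-100 pulls in both FAT cases because SDD-201 also cites it, while a change to MOD-302 is flagged as having no covering test, which is the situation regression analysis is meant to surface before a change is accepted.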

Software Test Plan

The Software Test Plan defines the process for testing Common Q™ safety systems. This plan identifies testing activities and test documentation required to verify and validate a Common Q™ safety system throughout the software life cycle.

Review and verify Software Test Plan and the system validation test as discussed above for compliance with the SPM and the design requirements.

o Acceptance criteria: Owner's acceptance of the Software Test Plan and the system validation test is complete.

Software Safety

Verify that WEC follows the requirements in the NRC-approved Common Q™ SPM, Section 3 for Software Safety Plan. The safety plan describes the safety analysis implementation tasks that are to be performed.

o Acceptance criteria: SPM Section 3 criteria are part of the Software Safety Plan.

Verify that documentation exists to show that the safety analysis activities have been successfully accomplished for each life cycle activity group.

o Acceptance criteria: Safety analysis activities are complete with documentation that complies with the Software Safety Plan.

Secure Development Environment (SDE)

Verify that WEC has a development environment that complies with the requirements of the Common Q™ SPM, Section 12 and that SDE documentation exists for key attributes.

o Acceptance criteria: The SDE is in compliance with Section 12 of the SPM, with specific emphasis on required documentation.

Cyber Security

Review the activities associated with addressing controls for system and services acquisition, as set forth in the NRC-approved SNC CSP.

o Acceptance criteria: The applicable activities are in compliance with the VEGP 3&4 CSP.

Software Life Cycle Processes

SNC will verify that WEC plans and performs application software life cycle activities in a traceable and orderly manner in accordance with the SPM. The VOP evaluates the following life cycle areas, and SNC will perform the described actions in each of these areas.

Software Requirements - Confirm that project requirements are examined, understandable, and unambiguous. Reference is made to applicable drawings, specifications, codes, standards, regulations, procedures, or instructions. Verify that security requirements are specified commensurate with the risk from unauthorized access or use. The requirements traceability shows where in the software or application logic design the required action is performed as well as providing traceability back to the system requirements that generated these software requirements.

o Acceptance criteria: Successful completion of the RTM and IV&V verification activities previously discussed for the software requirements.

Software Design - Verify that the architecture is sufficiently detailed to allow for understanding the operation, flow of data, and the deterministic nature of the software or logic. Verify the technical adequacy of the design and verify internal completeness, consistency, clarity, and correctness of the software design. In addition, the software or logic design specification will be reviewed to determine that it is understandable and traceable to the software requirements. While the software design will consider the operating environment, measures to mitigate the consequences of problems will also be an integral part of the design.

o Acceptance criteria: Successful completion of the RTM and IV&V verification activities previously discussed for the software requirements.

Software Implementation - Verify that as software components and modules are implemented, they are individually tested and then combined into larger units for testing. Verify that designers are not serving as reviewers or testers. Verify that sufficient review is performed of the implementation. Verify traceability back to Software Design. The SPM addresses crediting regression analysis for software components and modules.

o Acceptance criteria: Successful completion of the RTM and IV&V verification activities previously discussed for the software requirements.

Software Integration - A software integration process is developed to describe the methods for integrating software components and modules into software units. Aggregates of components and modules tested during implementation are integrated into a software unit. Prior to delivery, the licensee reviews the system build documents to verify that the software or logic delivered and installed on the safety system is the same software or logic which underwent the IV&V process, and which was factory acceptance tested, as identified by version and revision. The build documentation identifies software or logic by version, revision, and date. Confirm that the software and configuration provided do not have unintended functions in the default configuration and that the complete configuration, including the default configuration, is documented and verified. The SPM addresses crediting regression analysis for software.

o Acceptance criteria: Successful completion of the RTM and IV&V verification activities previously discussed for the software requirements.
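The Software Integration review above asks two questions of a delivery: is what ships the same software that went through IV&V and FAT, and does the shipped default configuration contain only what was documented and verified. The following is an added example of that receipt check, not code from the VOP or from WEC: a baseline record frozen at FAT lists each component by version and revision (the identification the page names) together with a SHA-256 digest of its content, which is an assumption added here so that a silent content change with an unchanged version label is still caught. The component names, versions, configuration keys and file contents are all constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content digest used to tie a delivered image to the tested one."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the images that went through IV&V and FAT.
# Component names, versions, revisions and contents are made up.
FAT_IMAGES = {
    "prhr_actuation_logic": b"constructed logic image v2.1 rev C",
    "tcold_high_bistable": b"constructed bistable image v1.4 rev A",
}
FAT_IDENTIFICATION = {
    "prhr_actuation_logic": ("2.1", "C"),
    "tcold_high_bistable": ("1.4", "A"),
}
# Baseline record frozen at FAT: version and revision as on the page,
# plus a digest of the tested content (an assumption added here).
FAT_BASELINE = {
    name: {"version": ver, "revision": rev,
           "sha256": sha256_hex(FAT_IMAGES[name])}
    for name, (ver, rev) in FAT_IDENTIFICATION.items()
}
# Documented default configuration at FAT (constructed keys and values).
FAT_DEFAULT_CONFIG = {"tcold_high_function_enabled": True,
                      "maintenance_bypass": False}


def compare_build(baseline, baseline_cfg, delivered_files, delivered_meta,
                  delivered_cfg):
    """Compare a shipment against the FAT baseline.

    delivered_files: component name -> bytes of the delivered image
    delivered_meta:  component name -> {"version", "revision"} from the
                     build documentation
    delivered_cfg:   default configuration shipped with the build
    Returns a list of findings; an empty list means the delivery matches.
    """
    findings = []
    for name, rec in baseline.items():
        if name not in delivered_files:
            findings.append(f"missing component: {name}")
            continue
        meta = delivered_meta.get(name, {})
        if (meta.get("version"), meta.get("revision")) != \
                (rec["version"], rec["revision"]):
            findings.append(f"version/revision mismatch: {name}")
        if sha256_hex(delivered_files[name]) != rec["sha256"]:
            findings.append(f"content differs from FAT baseline: {name}")
    # Anything shipped that the baseline does not list is undocumented and
    # a candidate unintended function.
    for name in delivered_files:
        if name not in baseline:
            findings.append(f"undocumented component in delivery: {name}")
    # The complete default configuration must match what was documented.
    for key, value in delivered_cfg.items():
        if key not in baseline_cfg:
            findings.append(f"undocumented default configuration item: {key}")
        elif baseline_cfg[key] != value:
            findings.append(f"default configuration differs from baseline: {key}")
    for key in baseline_cfg:
        if key not in delivered_cfg:
            findings.append(
                f"documented configuration item missing from delivery: {key}")
    return findings


def receipt_check(delivered_files, delivered_meta, delivered_cfg):
    """Run compare_build against the constructed FAT baseline."""
    return compare_build(FAT_BASELINE, FAT_DEFAULT_CONFIG, delivered_files,
                         delivered_meta, delivered_cfg)


def baseline_meta():
    """Version/revision identification exactly as recorded at FAT."""
    return {n: {"version": r["version"], "revision": r["revision"]}
            for n, r in FAT_BASELINE.items()}


if __name__ == "__main__":
    print(receipt_check(dict(FAT_IMAGES), baseline_meta(),
                        dict(FAT_DEFAULT_CONFIG)))
```

A delivery that is byte-for-byte the FAT build with the documented defaults produces no findings; a delivery whose version label is unchanged but whose image content differs, or which carries an extra module or an extra configuration key, is reported item by item so the receipt surveillance has a concrete record to dispose of before installation.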

Software Testing - Verify comprehensive test procedures exist that demonstrate the software was fully tested and adequately performs all intended functions. Testing demonstrates that the software properly handles abnormal conditions and events as well as credible failures, does not perform adverse unintended functions, and does not degrade the system either by itself or in combination with other functions or configuration items. Any abnormal conditions and events that cannot be tested are documented, and the documentation notes where earlier testing was performed. When changes are made during software development, documented regression testing confirms that there are no unintended effects, and the system or component still complies with its specified requirements. The SPM addresses crediting regression analysis for software testing.

o Acceptance criteria: Successful completion of the RTM and IV&V verification activities previously discussed for the software requirements. Successful completion of unit tests, module tests, functional tests, integrated tests, and factory acceptance tests.

Plant Specific Action Items (PSAIs)

Verify that PSAIs identified in the WEC platform topical reports are addressed in WEC deliverables.

o Acceptance criteria: Owner's acceptance of these documents, which are WEC deliverables.

7. Implementation of Appropriate Oversight Methods

Oversight of WEC is based on the various Risk Factors (VOP Section 6) and Performance Measures (VOP Section 7). SNC may adjust the risk factors as the project progresses.

LOW RISK factors indicate continued use of routine oversight methods, such as:

o Periodic Audits
o Periodic Surveillances
o Routine Design Reviews
o Routine Project Meetings

MODERATE RISK factors indicate a need for supplemental oversight methods, such as:

o Increased surveillance frequency
o Interim design reviews
o Challenge boards
o Increased frequency of project meetings

HIGH RISK factors indicate a need for extraordinary oversight methods, such as:

o Placement of oversight staff inside the vendor's organization
o Management intervention
o Stop work order and implement recovery plan

8. Perform Corrective Actions

In accordance with NMP-GM-002, Corrective Action Program, condition reports (CRs) will be the entry point into the corrective action program to document vendor performance or quality that is in question.

The following conditions, as a minimum, trigger the initiation of a CR:

o WEC noncompliance with the WEC quality program, software processes, or hardware processes
o Nuclear safety may be adversely impacted if the digital item is installed and operated
o Unit generation may be adversely impacted if the digital item is installed and operated
o Digital item quality cannot be assured
o Digital item quality cannot be assured without a significant project delay
o Digital item quality is not assured, and identical or similar digital items are already installed in the facility, in other applications, and are considered operable or available

o Periodic meetings to discuss and resolve issues
o Additional technical reviews or surveillances
o Management Intervention
o Stop work and implement recovery plan

9. Documentation

As discussed in the EPRI DEG, for high consequence and high technology configurability, vendor oversight must be documented. This documentation will help provide assurance to external stakeholders that SNC has been conducting oversight of WEC through the system development lifecycle.

Vendor oversight can be documented through multiple methods:

o Formal audit plans/reports
o Comments/feedback on design artifacts through the owner acceptance engineering process
o Teleconference notes
o Emails
o Written correspondence between SNC and WEC

Documentation format may vary, but the content will provide the vendor oversight level of detail and corrective actions (if any).

10. Attachments

The VOP includes the following attachment:

Engineering Surveillance and Design Review Report and Observation Template