Text

OFFICIAL USE ONLY PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION AUDIT REPORT

SUMMARY

FOR THE REVIEW OF MITSUBISHI ELECTRIC CORPORATIONS TOPICAL REPORT JEXU-1041-1008, REVISION 3, SAFETY SYSTEM DIGITAL PLATFORM - MELTAC -

DOCKET NO. 99902039 (EPID L-2023-TOP-0036)

1.0 BACKGROUND

By audit plan dated September 13, 2023 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML23249A230), the U.S. Nuclear Regulatory Commission (NRC) staff conducted a virtual audit for understanding of information submitted to the NRC by letter dated June 16, 2023 (ML23167C167), related to the Mitsubishi Electric Corporation (MELCO) Topical Report (TR) JEXU-1041-1008, Revision 3, Safety System Digital Platform -

MELTAC -. The virtual audit was conducted from September 25, 2023, to March 30, 2024.

The NRC staff performed a virtual audit to support timely completion of a safety evaluation (SE) in accordance with Office of Nuclear Reactor Regulation Office Instructions LIC-111, Regulatory Audits, and LIC-500, Topical Report Review Process.

2.0 REGULATORY AUDIT OBJECTIVES The objective of the audit was to increase review process efficiency through interaction with the MELCO technical experts. During the audit, the NRC staff sought clarification of basic design information of the updated MELTAC Platform, as described in Revision 3 of the associated TR, to verify conformance to applicable regulations, standards, guidelines, plans, and procedures.

During the audit, the NRC staff review focused on changes from the previously approved MELTAC Platform TR, Revision 2. The SE for Revision 3 of the TR is intended to be used in conjunction with the SE for the currently approved revision. The NRC staff reviewed pertinent documentation made available by MELCO. A more detailed narrative on the topics covered is included below in Section 4.0, Discussion, of this audit report. A list of all the documents that the NRC staff reviewed is included in Section 5.0, Documents Reviewed.

The NRC audit team was composed of the following members:

Calvin Cheung, Technical Reviewer (NRR/DEX/EICB)

Jack Zhao, Technical Reviewer (NRR/DEX/EICB)

Richard Stattel, Technical Reviewer (NRR/DEX/EICB)

Nick Smith, Project Manager (NRR/DORL/LLPB)

Lois James, Project Manager (NRR/DORL/LLPB)

OFFICIAL USE ONLY PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION The following personnel represented or supported MELCO during the audit:

Jay Sneddon, MEPPI Ken-ichi Furuno, MELCO 3.0 REGULATORY AUDIT BASES The audit was conducted with the intent to gain understanding, to verify information, and to identify information that will require docketing to support the basis of a regulatory decision.

The regulatory audit bases used for this audit include:

Title 10 of the Code of Federal Regulations (10 CFR), Domestic Licensing of Production and Utilization Facilities, Sections 50.54(jj) and 10 CFR 50.55(i), which require that structures, systems, and components subject to the codes and standards in 10 CFR 50.55a, Codes and Standards, must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.

For applicants for construction permits, operating licenses, combined licenses, standard design approvals, design certifications, or manufacturing licenses filed after May 13, 1999, 10 CFR 50.55a(h)(3) requires compliance with IEEE Std 603-1991 and the correction sheet dated January 30, 1995.

Appendix A, General Design Criterion (GDC) 2, Design bases for protection against natural phenomena, of 10 CFR Part 50, which states, in part, that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions.

Appendix A, GDC 4, Environmental and Dynamic Effects Design Bases, of 10 CFR Part 50, which states, in part, that structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

Appendix A, GDC 21, Protection System Reliability and Testability, requires, in part, that protection systems be designed for high functional reliability commensurate with the safety function to be performed.

For this audit, the NRC staff also used the following NRC regulatory guidance:

Regulatory Guide (RG) 1.152, Criteria for use of Computers in Safety Systems of Nuclear Power Plants, which endorses IEEE Std. 7-4.3.2, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, with a few noted exceptions, provides guidance for complying with requirements for safety systems that use digital computer systems. Additional guidance on the application of IEEE Std. 7-4.3.2 is provided in Standard Review Plan, Appendix 7.1-D, Guidance for Evaluation of the Application of IEEE Std. 7-4.3.2.

OFFICIAL USE ONLY PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION RG 1.75, Criteria for Independence of Electrical Safety Systems, describes a method acceptable to the NRC staff for complying with the NRCs regulations with respect to the physical independence requirements of the circuits and electric equipment that comprise or are associated with safety systems. IEEE Std. 384-1992, Standard Criteria for Independence of Class 1E Equipment and Circuits, is endorsed in RG 1.75, Revision 3, with a few specific regulatory positions.

RG 1.100, Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants, which describes methods that the staff of the U.S. NRC considers acceptable for use in the seismic qualification of electrical and active mechanical equipment and the functional qualification of active mechanical equipment for nuclear power plants. IEEE Std. 344-2013, IEEE Standard for Seismic Qualification of Equipment for Nuclear Power Generating Stations, and IEEE Std. C37.98-2013, IEEE Standard for Seismic Qualification Testing of Protective Relays and Auxiliaries for Nuclear Facilities, are endorsed in RG 1.100, Revision 4, with specific regulatory positions.

RG 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, endorses and includes guidance for conformance with Military Standard MIL-STD-461G, Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment, and International Electrotechnical Commission (IEC) 61000 series standards for evaluation of the impact of electromagnetic interference, radio frequency interference, an electrical fast transient, and electrical power surges on safety-related instrumentation and control (I&C) systems.

RG 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants, which endorses IEEE Std. 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, with enhancements and exceptions.

Electric Power Research Institute (EPRI) TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants, as endorsed by NRC presents a specification in the form of a set of requirements to be applied to the generic qualification of programmable logic controllers (PLCs) for application and modification to safety-related l&C systems in nuclear power plants. It is intended to provide a qualification envelope corresponding to a mild environment that should meet regulatory acceptance criteria for a wide range of plant-specific safety-related applications.

Chapter 7, Instrumentation and Controls of NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants.

4.0 DISCUSSION The audit began with a detailed overview of the changes from the previously approved MELTAC Platform TR, Revision 2, and review of the documents listed in Section 5.0 of this audit report. In the audit plan, the NRC listed several documents needed for clarification or discussion. Most of these were directly linked to potential requests for additional information (RAI) questions. Topic areas discussed during the audit include:

OFFICIAL USE ONLY PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION Qualification testing including electromagnetic interference and general equipment qualification for new and modified modules/components Inter-divisional communication for safety-related functions as it relates to Interim Staff Guidance (ISG)-04 and RG 1.152.

Development lifecycle plans for the modules.

During the audit, the NRC staff had the following observations and discussed them with the applicant:

Section 5.0 of the MELTAC TR, Revision 3, states, in part, that If any module is updated, and it is determined that qualification re-testing is required by the evaluations conducted in accordance with Section 6.1.7, the module will be tested with the same method and acceptance criteria. The same method and acceptance criteria will also be used for any new MELTAC modules. However, some testing standards and their criteria, especially for electromagnetic compatibility have been changed in the MELTAC TR, Revision 3.

Plant Specific Action Item (PSAI) 5.2.4 of the SE for the approved original MELTAC TR requires the licensees to demonstrate that the generically qualified MELTAC Platform equipment envelops the site conditions. However, Page 5 of the MELTAC TR states, in part, that there is no additional site-specific EMI (electromagnetic interference) qualification.

The PSND termination unit modules are included in Appendix A, Hardware Specification, of the MELTAC TR, Revision 3, which describes modules that are used for safety systems. However, Generic Open Item 5.1.2 of the original SE states that the PSND termination unit module has not been qualified.

Section 3.1.17 of the MELTAC Platform ISG-04 Conformance Analysis Report states that ((

)) but the equipment qualification testing for new and modified modules are not conducted yet.

Section 4.3.2 of the MELTAC TR, Revision 3, states that the Control Network can also be used to communicate non-safety data between different divisions. Staff Position 3 of Digital I&C-ISG-04 says that A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function.

Section 3.1.3 of MELTAC Platform ISG-04 Conformance Analysis Report states that

((

)) However, in Section 3.1.16 of the Platform ISG-04 Conformance Analysis Report, Revision 1, it states that ((

)) But inter-division vital communications include safety functions.

The top of Page 26 of the ISG-04 Conformance Analysis Report states that...Control Network fault may affect the safety function However, at the bottom of Page 106 of the MELTAC TR, Revision 3, it states that inter-divisional communication for safety-related functions is not implemented in the Control Network.

OFFICIAL USE ONLY PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION The currently approved wording in section 4.3.2 of the MELTAC TR states that Inter-divisional communication for safety-related functions is not implemented in the Control Network. However, the proposed changes shown in the same section of MELTAC TR, Revision 3, include interdivisional communication among safety divisions and communication with non-safety controllers.

Based on the above observations made during this audit, the NRC staff generated nine RAI questions (ML24010A072) and held a clarification call on January 17, 2024, with MELCO to ensure a shared understanding of information sought in the RAI questions. During that meeting, MELCO identified information already available to the staff and staff deleted one RAI question (ML24019A029). By letter dated March 15, 2024, MELCO provided the RAI responses (ML24078A429).

5.0 DOCUMENTS REVIEWED The following documents provided by MELCO were reviewed by the NRC staff during the audit:

Original Documents requested for review:

MELTAC-Nplus S Environmental Test Report, JEXU-1041-1044 MELTAC-Nplus S Seismic Test Report, JEXU-1041-1045 MELTAC-Nplus S EMC/ESD Test Report, JEXU-1041-1046 MELTAC-Nplus S Isolation Test Report, JEXU-1041-1047 Additional Documents provided through the audit:

Safety System Digital Platform MELTAC-Nplus S System Specification, JEXU-1024-1010, Rev. M2 Safety System Platform MELTAC-Nplus S Update Project (PART2) Safety Analysis Plan, JEXU-1028-1271, Rev. D MELTAC-Nplus S Design Change Development for SMR160 List of Software Safety Function CCs (MELTAC), JEXU-1028-1435, Rev. A MELTAC-Nplus S Design Change Development for SMR160 List of Software Safety Function CCs (NIS), JEXU-1028-1436, Rev. A MELTAC-Nplus S Design Change Development for SMR160 Hazard Analysis Report, JEXU-1028-1437, Rev. A Safety System Platform MELTAC-Nplus S Update Project (PART2) SVVP, JEXU-1035-0011, Rev. A Safety System Platform MELTAC-Nplus S Update Project (PART2) Regression Analysis Report, JEXU-1035-1006, Rev. A (MULTIPLE) N-Series of ESC Procedures

6.0 CONCLUSION

The audit accomplished the objectives listed in Section 2.0 by allowing direct interaction with MELCOs technical experts. The NRC staff participants were able to obtain clarification on

OFFICIAL USE ONLY PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION multiple questions and supporting documentation. The NRC staff continued its review of the TR Revision 3 and have subsequently issued RAI questions (ML24010A018) to address the issues where further docketed information is necessary to complete the safety review.