ML18206A438: Difference between revisions


Revision as of 10:20, 30 November 2019

Gutor Electronic LLC Nuclear Regulatory Commission Inspection Report 99902060/2018201, and Notice of Nonconformance
ML18206A438
Person / Time
Site: 99902060
Issue date: 08/06/2018
From: Todd Jackson
NRC/NRO/DCIP/QVIB1
To: Yilmaz C
Gutor Electronic LLC
Jacobson J, NRO/DCIP
References
IR 2018201


Text

August 6, 2018

Mr. Cemal Yilmaz
Gutor CS & Quality Director
Equipment & Transformers Energy Business
Gutor Electronic LLC
Hardstrasse 72-74
5430 Wettingen
Switzerland

SUBJECT:

GUTOR ELECTRONIC LLC NUCLEAR REGULATORY COMMISSION INSPECTION REPORT NO. 99902060/2018-201, AND NOTICE OF NONCONFORMANCE

Dear Mr. Yilmaz:

On June 18-26, 2018, the U.S. Nuclear Regulatory Commission (NRC) staff conducted an inspection at Gutor Electronic LLC's (hereafter referred to as Gutor) facility in Wettingen, Switzerland. The purpose of this limited-scope routine inspection was to assess Gutor's compliance with provisions of Title 10 of the Code of Federal Regulations (10 CFR) Part 21, Reporting of Defects and Noncompliance, and selected portions of Appendix B, Quality Assurance Program Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities.

This technically-focused inspection specifically evaluated Gutor's implementation of the quality activities associated with the design, fabrication, and testing of components that comprise the Uninterruptable Power Supply System for the Westinghouse AP1000 reactors being constructed at the Vogtle Units 3 and 4 site. The enclosed report presents the results of the inspection.

This NRC inspection report does not constitute NRC endorsement of Gutor's overall quality assurance (QA) program.

During this inspection, the NRC inspection team found the implementation of your QA program did not meet certain regulatory requirements imposed on you by your customers or NRC licensees. Specifically, the NRC inspection team determined that Gutor was not fully implementing its QA program in the areas of design control and instructions, procedures, and drawings. The specific findings and references to the pertinent requirements are identified in the enclosures to this letter. In response to the enclosed notice of nonconformance (NON), Gutor should document the results of the extent of condition review for these findings and determine if there are any effects on other safety-related components.

Please provide a written statement or explanation within 30 days of this letter in accordance with the instructions specified in the enclosed NON. We will consider extending the response time if you show good cause for us to do so.

In accordance with 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding, of the NRC's Rules of Practice, the NRC will make available electronically for public inspection a copy of this letter, its enclosure, and your response through the NRC Public Document Room or from the NRC's Agencywide Documents Access and Management System, which is accessible at http://www.nrc.gov/reading-rm/adams.html. To the extent possible, your response should not include any personal privacy, proprietary, or Safeguards Information so that it can be made available to the public without redaction. If personal privacy or proprietary information is necessary to provide an acceptable response, please provide a bracketed copy of your response that identifies the information that should be protected and a redacted copy of your response that deletes such information. If you request that such material be withheld from public disclosure, you must specifically identify the portions of your response that you seek to have withheld and provide in detail the bases for your claim (e.g., explain why the disclosure of information would create an unwarranted invasion of personal privacy or provide the information required by 10 CFR 2.390(b) to support a request for withholding confidential commercial or financial information). If Safeguards Information is necessary to provide an acceptable response, please provide the level of protection described in 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements.

Sincerely, Terry W. Jackson, Chief /RA/

Quality Assurance Vendor Inspection Branch-1 Division of Construction Inspection and Operational Programs Office of New Reactors Docket No.: 99902060

Enclosures:

1. Notice of Nonconformance
2. Inspection Report No. 99902060/2018-201 and Attachment

ML18206A438    *via e-mail    NRO-002

OFC     NRO/DCIP      NRO/DCIP      NRO/DCIP
NAME    GGalletti     PNatividad    AArmstrong
DATE    07/26/2018    07/26/2018    07/26/2018

OFC     NRO/DCIP      NRO/DCIP      NRO/DCIP
NAME    JJacobson     JBurke*       TJackson
DATE    07/30/2018    07/25/2018    08/06/2018

NOTICE OF NONCONFORMANCE

Gutor Electronic LLC
Hardstrasse 72-74
5430 Wettingen
Switzerland

Docket No. 99902060

Based on the results of a U.S. Nuclear Regulatory Commission (NRC) inspection conducted at Gutor Electronic LLC's (hereafter referred to as Gutor) facility in Wettingen, Switzerland, from June 18 through 26, 2018, Gutor did not conduct certain activities in accordance with NRC requirements that were contractually imposed upon them by their customers:

A. Criterion III of Appendix B to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Design Control, states in part that, Measures shall also be established for the selection and review for suitability of application of materials, parts, equipment, and processes that are essential to the safety-related functions for the structures, systems and components.

Contrary to the above, as of June 26, 2018, Gutor failed to ensure the suitability of materials, parts, equipment, and processes that are essential to the safety-related functions of the inverters being supplied to the Vogtle Units 3 and 4 nuclear power plants (through Westinghouse). Specifically, as part of its commercial grade dedication process, Gutor failed to verify the functionality of the surge suppressors installed on the direct current (DC) input to the safety-related inverters being supplied to the Vogtle Units 3 and 4 nuclear power plants. These surge suppressors are installed to ensure the inverters can withstand voltage spikes of up to 4000 volts as required by Westinghouse Design Specification APP-DU01-Z0-001, Revision 7. Although Gutor tested the surge suppressors to ensure that they would not spuriously conduct at lower voltages, the components were not tested to ensure they would be capable of clamping voltage spikes of up to 4000 VDC to the required level of 2500 VDC, as per the design specification.

This issue has been identified as Nonconformance 99902060/2018-201-01.

B. Criterion V, Instructions, Procedures, and Drawings, of Appendix B to 10 CFR Part 50, requires that, Activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances and shall be accomplished in accordance with these instructions, procedures, or drawings.

Instructions, procedures, or drawings shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.

Contrary to the above, as of June 26, 2018, Gutor failed to ensure that the factory acceptance tests for the battery chargers being supplied to Vogtle Units 3 and 4 (through Westinghouse) contained the necessary acceptance limits, which had been specified in the Westinghouse design specifications. Specifically, the test procedures did not contain acceptance limits for the battery charger overvoltage protection circuitry setpoint.

Also, the test procedure did not provide sufficient guidance as to how to achieve the overvoltage signals utilized during testing to verify the functionality of the protection circuitry.

This issue has been identified as Nonconformance 99902060/2018-201-02.

Please provide a written statement or explanation to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with a copy to the Chief, Quality Assurance Vendor Inspection Branch-1, Division of Construction Inspection and Operational Programs, Office of New Reactors, within 30 days of the date of the letter transmitting this Notice of Nonconformance. This reply should be clearly marked as a Reply to a Notice of Nonconformance and should include for each noncompliance: (1) the reason for the noncompliance or, if contested, the basis for disputing the noncompliance; (2) the corrective steps that have been taken and the results achieved; (3) the corrective steps that will be taken to avoid further noncompliance; and (4) the date when the corrective actions will be completed.

Where good cause is shown, the NRC will consider extending the response time.

Because your response will be made available electronically for public inspection in the NRC Public Document Room or from the NRC's Agencywide Documents Access and Management System, which is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html, to the extent possible, it should not include any personal privacy, proprietary, or Safeguards Information (SGI) so that the NRC can make it available to the public without redaction. If personal privacy or proprietary information is necessary to provide an acceptable response, then please provide a bracketed copy of your response that identifies the information that should be protected and a redacted copy of your response that deletes such information. If you request that such material be withheld, you must specifically identify the portions of your response that you seek to have withheld and provide in detail the bases for your claim of withholding (e.g., explain why the disclosure of information would create an unwarranted invasion of personal privacy or provide the information required by 10 CFR 2.390(b) to support a request for withholding confidential commercial or financial information). If Safeguards Information is necessary to provide an acceptable response, please provide the level of protection described in 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements.

Dated this 06 day of August 2018.


U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NEW REACTORS
DIVISION OF CONSTRUCTION INSPECTION AND OPERATIONAL PROGRAMS
VENDOR INSPECTION REPORT

Docket No.: 99902060

Report No.: 99902060/2018-201

Vendor: Gutor Electronic LLC, Hardstrasse 72-74, 5430 Wettingen, Switzerland

Vendor Contact: Mr. Cemal Yilmaz, Gutor CS & Quality Director, Cemal.Yilmaz@schneider-electric.com, +41 56 437 62 69

Nuclear Industry Activity: Gutor Electronic LLC, a division of Schneider Electric, is a manufacturer of safety-related uninterruptable power supplies (inverters, battery chargers, regulated transformers).

Inspection Dates: June 18-26, 2018

Inspectors:
Jeffrey Jacobson, NRO/DCIP/QVIB-1, Team Leader
Phil Natividad, NRO/DCIP/QVIB-1
Greg Galletti, NRO/DCIP/QVIB-1
Aaron Armstrong, NRO/DCIP/QVIB-1

Approved by: Terry W. Jackson, Chief, Quality Assurance Vendor Inspection Branch-1, Division of Construction Inspection and Operational Programs, Office of New Reactors

Enclosure 2

EXECUTIVE SUMMARY

Gutor Electronic LLC 99902060/2018-201

The U.S. Nuclear Regulatory Commission (NRC) staff conducted a vendor inspection at the Gutor Electronic LLC's (hereafter referred to as Gutor) facility in Wettingen, Switzerland to verify that it implemented an adequate quality assurance (QA) program that complies with the requirements of Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities. In addition, the NRC inspection also verified that Gutor implemented a notification program that complies with 10 CFR Part 21, Reporting of Defects and Noncompliance.

This technically-focused, limited scope inspection specifically evaluated Gutor's implementation of quality activities associated with the design, fabrication, and testing of safety-related components that comprise the uninterruptable power supply system for the AP1000 reactors currently under construction at Vogtle Units 3 and 4. The inspection team focused its review on Gutor's implementation of processes for commercial-grade dedication and supplier oversight, design control, test control, corrective action, 10 CFR Part 21 notifications, and software development lifecycle verification and validation.

In the area of commercial-grade dedication and supplier oversight, the NRC inspection team identified Nonconformance 99902060/2018-201-01 in association with Gutor's failure to implement the regulatory requirements of Criterion III, Design Control, of Appendix B to 10 CFR Part 50. Nonconformance 99902060/2018-201-01 cites Gutor for failing to ensure the suitability of materials, parts, equipment, and processes that are essential to the safety-related functions of the safety-related inverters being supplied to the Vogtle Units 3 and 4 nuclear power plants. Specifically, as part of its commercial grade dedication process, Gutor failed to verify the functionality of the surge suppressors.

In the area of design control, the inspection team verified that specific design parameters contained in the Westinghouse specifications (such as voltage regulation, total harmonic distortion, etc.) were properly captured into the design documents for the inverters and that the combination of design, factory acceptance, and qualification tests were sufficient to validate the performance of the equipment. No findings of significance were identified.

In the area of test control, the inspection team identified that the factory acceptance test procedure for the battery chargers did not contain instructions on how to achieve the overvoltage conditions necessary to test the circuitry and what specific overvoltage levels were to be verified (i.e., tolerances and acceptance criteria). This issue was identified as a Nonconformance 999020060/2018-201-02 to Criterion V, Instructions, Procedures, and Drawings, of Appendix B to 10 CFR Part 50.

In the area of corrective actions and 10 CFR Part 21, the NRC inspectors concluded that Gutor is implementing its policies and procedures consistent with the regulatory requirements of Criterion XVI, Corrective Action, and Criterion XV, Nonconforming Materials, Parts, or Components, of Appendix B to 10 CFR Part 50, and with 10 CFR Part 21. No findings of significance were identified.


In the area of software development lifecycle verification and validation, the inspection team verified Gutor's policy and procedures for design control of safety-related software/firmware.

The inspection team identified that not all of the software/firmware documentation, including independent verification and validation, was complete at the time of inspection. Also incomplete at the time of the inspection was the final documentation of the commercial-grade dedication of the production software/hardware. For the work completed in these areas to date, the NRC inspectors verified that Gutor's implementation of programming practices and functional testing were sufficient to satisfy regulatory requirements. The NRC may consider future inspections at Gutor to inspect completed implementation of the software/firmware and CGD development program.


REPORT DETAILS

1. Design Control - Commercial-Grade Dedication and Supplier Oversight
a. Inspection Scope

The inspection team assessed Gutor's processes and implementation for controlling purchased equipment to be used in the manufacture of the Class 1E inverters being supplied (through Westinghouse) to the Vogtle Units 3 and 4 nuclear power plants, including the purchasing of commercial components and subsequent commercial grade dedication (CGD). At Gutor, most components which are used to construct the inverters are purchased commercial grade and are then dedicated for safety-related application prior to manufacture/assembly. The team reviewed Gutor's program for commercial grade dedication, which includes the development of technical evaluations and failure modes and effects analyses (FMEAs) for each component being dedicated, establishment of critical characteristics to be verified, and verification methods. The team selected several components and reviewed the implementation of the CGD program as applied to these components. The team focused its review on the CGD activities associated with those components whose performance would not be expected to be verified through routine factory acceptance testing, including seismically-sensitive components and components whose performance could not be demonstrated without some sort of destructive testing. The team reviewed FMEAs and test plans associated with the CGD of the following components:

Item No.         Description
950-9070         Surge Protection
UNC1-530-3322    Circuit Breaker
UNC1-540-1165    Switch
OP9912A          Relay Board
OP2447-01        Printed Circuit Board

b. Findings and Observations

No findings were identified by the inspection team associated with Gutor's processes for ensuring control of purchased material. With regard to the implementation of its processes, no findings were identified with Gutor's CGD of the relay boards, switches, circuit breakers, and printed circuit boards. With regard to the surge suppressors, which are being installed by Gutor in the inverters' direct current (DC) input circuit to meet the surge withstand capacity specification of 4000 VDC as detailed in Westinghouse Design Specification APP-DU01-Z0-001, Revision 7, the team identified that Gutor failed to test the ability of the surge suppressor to perform its primary function of clamping voltage transients of up to 4000 VDC down to a maximum level of 2500 VDC.

The inspection team identified that Gutor performed an FMEA for the surge suppressors, which identified the voltage/current characteristics as a critical characteristic that needed to be verified. However, the associated test plan for the surge suppressors failed to test the ability of the surge suppressor to perform its primary function of clamping voltage transients of up to 4000 VDC down to a maximum level of 2500 VDC. In addition, the factory acceptance testing of the assembled inverters (including surge suppressors) performed at Gutor only tests the inverters' ability to withstand voltage transients up to a level of approximately 2800 VDC.


This issue was identified by the inspection team as a nonconformance to Criterion III, Design Control, of Appendix B to 10 CFR Part 50. Gutor failed to ensure the suitability of materials, parts, equipment, and processes that are essential to the safety-related functions of the safety-related inverters being supplied to the Vogtle Units 3 and 4 nuclear power plants. Specifically, as part of its commercial grade dedication process, Gutor failed to verify the functionality of the surge suppressors installed on the DC input to the safety-related inverters being supplied to the Vogtle Units 3 and 4 nuclear power plants. This issue has been identified as Nonconformance 99902060/2018-201-01.

c. Conclusion

The NRC inspection team issued Nonconformance 99902060/2018-201-01 in association with Gutor's failure to implement the regulatory requirements of Criterion III of Appendix B to 10 CFR Part 50. Nonconformance 99902060/2018-201-01 identifies Gutor's failure to ensure the suitability of commercially procured surge suppressors used in the manufacture of safety-related inverters.

2. Design Control - Translation of Technical Requirements
a. Scope

The inspection team reviewed Gutor's translation of Westinghouse Design Specification APP-DU01-Z0-001, Design Specifications for Class 1E Inverters, Static Transfer and Manual Bypass Switches for IDS system, Revision 7, and Westinghouse Design Specification APP-DC01-Z0-001, Design Specification for Class 1E 250 VDC Battery Chargers for System IDS, Revision 8, into Gutor design and testing documents. Among the specific requirements reviewed were those related to ensuring the Class 1E DC Power and Uninterruptible Power System (IDS) equipment is designed and tested to withstand transient events such as that which occurred at the Forsmark Nuclear Power Plant (the Forsmark Event) described in NRC Information Notice 2006-18. The inspectors reviewed the design of the IDS system components (inverters, chargers, and regulating transformers) to ensure coordination of protective devices and protective circuitry included within the inverters and battery chargers. Such coordination is necessary to ensure that postulated electrical transients emanating from the non-Class 1E AC system supplying the chargers would be sufficiently isolated from the input to the inverter and the activation of any protective devices would be such that the battery chargers would trip before the inverters, thus preserving the ability of the inverters to feed essential AC circuits from the station batteries. The requirements for such coordination and protection are described further in Appendix H to Specification APP-DC01-Z0-001 and in Paragraph 4.1.4.14 of Specification APP-DU01-Z0-001, including the maximum credible transient AC voltage to which the input to the battery charger could be exposed. Per Specification APP-DC01-Z0-001, during such transients, the battery charger is required to maintain the output voltage supplied to the battery bus (from which the inverters are supplied) to a level below that which would trip the inverters.

In addition, the inspection team assessed Gutor's establishment and implementation of the overvoltage protection setpoints for the battery charger DC output and the inverter DC input within the inverters and battery chargers. The inspection team witnessed the initial set up and testing of the inverters which included loading of key setpoints into the equipment software, followed by factory acceptance testing to demonstrate acceptable equipment performance.

The team also verified that other specific design parameters contained in the Westinghouse specifications (such as voltage regulation, total harmonic distortion, etc.) were properly captured in the design documents for the inverters and the factory acceptance testing was sufficient to validate the performance of the equipment.

b. Findings and Observations

No findings of significance were identified with regard to Gutor's translation of the Westinghouse technical requirements into the design of the battery chargers and inverters.

c. Conclusions

The inspection team verified that the technical performance requirements contained within the Westinghouse purchase specification were being properly translated into design documents and that proper coordination was specified between the battery charger and inverter protective devices/circuitry.

3. Design Control - Software/Firmware Development Lifecycle, Verification and Validation
a. Inspection Scope

Background

Gutor manufactures Class 1E power supply systems for U.S. and foreign nuclear markets. The Gutor Class 1E Uninterruptable Power Supply System was being developed for the AP1000 units at the Vogtle site and includes subsystems designated XXW (AC-DC inverter), SDC (charger), and ISBS (independent static bypass switch).

For the XXW inverter design used in the AP1000 project, Gutor adapted their own commercial control software/firmware from similar inverters and power supplies which they manufacture for the commercial oil & gas industry and other similar industries.

Their ISBS subsystem design and manufacture was also performed under the same software development controls, and the SDC subsystem contains no programmable components.

Software/Firmware Lifecycle Development

The inspectors reviewed Gutor's procedures governing the control of design, Procedures Q100.003, Quality Manual for Projects Requiring ASME NQA-1 Compliance, Revision 8, and Q430.078, NQA-1 Design Control, Revision 4, to confirm Gutor was implementing a software design process consistent with NRC regulatory requirements.

Section 4.9, Software Design Control, of Procedure Q430.078 states, in part, that ASME NQA-1, Part II, Subpart 2.7, provides specific guidance for software design that should be utilized. In addition, Gutor developed and implemented their software/firmware development program in accordance with the International Electrotechnical Commission (IEC) Standard, IEC 60880, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-based Systems Performing Category A Functions, 2nd Edition. The inspectors reviewed IEC 60880 to determine if it would provide a technically appropriate software development process.


The inspectors reviewed Procedure Q320.264, Software Verification and Validation Plan, Revision 01, that described major independent verification and validation (IV&V) activities associated with the XXW firmware development including: Management, Development, Design, Implementation, Test, Installation & Checkout, Operation, and Maintenance, as well as anomaly reporting and resolution throughout the IV&V lifecycle activities. Procedure Q320.264 requires each of these lifecycle activities to be documented in an Activity Summary Report (ASR) and each task within a lifecycle activity, including test procedure generation, test execution and verification, baseline change assessment and traceability analysis, will be documented through the completion of task-specific checklists.

The inspectors requested a sample of completed ASRs and task-specific checklists for the requirements, design, and implementation phases. However, at the time of the inspection, the vendor's implementation of these software development controls was not complete and final documentation of the activities specified in selected lifecycle phases were unavailable for review. Gutor stated they had elected to proceed to the testing phase by deferring all IV&V documentation to a single final IV&V report they intend to complete at the end of testing. Additionally, the Software/Firmware Requirements Traceability Matrix (RTM) was also found to be partially completed at the time of the inspection. As a result, the inspectors were not able to review completed ASRs or individual task-specific checklists for the production firmware. These items represent significant firmware development milestones that are required by the Gutor firmware design program to meet the requirements of 10 CFR Appendix B and an NQA-1 Quality program.

Firmware Code Development

The inspectors reviewed Gutor's policies and procedures governing firmware source code development processes and use, as described in Procedures Q430.078, NQA-1 Design Control, Revision 4, Q320.214, Firmware Development Standard, Revision 6, and Q320.215, Gutor Firmware Coding Rules, Revision 3, to confirm the firmware was designed, controlled, tested, and verified in accordance with the project requirements consistent with those described in the Quality Manual for Projects Requiring ASME NQA-1 Compliance.

The inspectors reviewed a sampling of Gutor's working-level software/firmware coding guidelines used to produce the current software revision, the code change/revision control tools, the programming/debugging tools, and Gutor's procedures for their use.

Additionally, the inspectors reviewed a sample of source code for the XXW inverter as well as witnessing a portion of the functional testing for the first of the AP1000 XXW inverters being manufactured for Vogtle Unit 3.

Cyber Security Review

The inspectors reviewed Gutor's procurement and design specifications, and procedures governing cyber security to confirm they were implementing cyber security controls consistent with those specifications. Specifically, the inspectors reviewed Westinghouse Procedure APP-DU01-Z0-001, Design Specification for Class 1E Inverters, Static Transfer and Manual Bypass Switches for IDS System, Revision 7.

Section 3.2.3, System hardening requirements, of Procedure APP-DU01-Z0-001 states, in part, that system hardening shall be performed in accordance with Westinghouse Document APP-GW-E0-004, AP1000 Electronic System Security Controls, Revision 4.

Document APP-GW-E0-004 provided a set of actions (i.e., Tool Kit) that are considered cyber security requirements under the AP1000 Cyber Security Program for electronic systems. These requirements map directly to critical vulnerabilities that have been observed in current and legacy digital systems.

The inspectors sampled the requirements in Document APP-GW-E0-004 and traced the implementation of those requirements from the Cyber Security Compliance Matrix to Document Q320.181 List of open issues Cyber Security, Revision 2, to the System Requirements Specification (SRS) and the RTM to confirm Gutor had adequately translated these requirements into the design and requirements specifications and performed tests to confirm adequate implementation. Specifically, the inspectors reviewed coding practices, software quality assurance (QA), malware detection and protection, and external connectivity control requirements and verified those requirements were adequately incorporated into the system requirements and design specifications and that tests were developed to verify adequate implementation of those requirements.

The inspectors also reviewed Westinghouse Document APP-GW-E0-004, Sub-part Cyber Security Compliance Matrix to confirm that individual task requirements from Document APP-GW-E0-004 were captured, evaluated for applicability, and gaps identified. The inspectors also reviewed a sample of the implemented resolution actions to ensure that any identified gaps had been appropriately addressed.

The inspectors also discussed the firmware coding practices and coding environment established to minimize the potential for cyber intrusion or introduction of malware.

Document SP6.3, Firmware Summary Controller XXW, Revision 01, provides a detailed listing of each electrically-erasable programmable read-only memory (EEPROM) used in the XXW system and includes the specific version of the firmware in each module and its checksum value which is used to verify proper code installation.

Commercial Grade Dedication of Software

The inspectors reviewed Procedure Q320.249, XXW CGD Work Plan, Revision 02, that defines the CGD work activities to be implemented by Gutor and sampled completed dedication information associated with each work activity that was available including: a description of the critical characteristics identified for the firmware based on physical, performance, and dependability categories; the failure analyses to be performed including any fault trees, the FMEA, and software common cause failure analysis; a review of prior operating experience installation data for XXW systems; and a critical digital review consisting of threat and risk analyses and system and process orientation.

The inspectors reviewed Document Q320.252, XXW Safety Function/Critical Characteristics, Revision 02, that provides a technical evaluation of the system to determine the physical, performance and dependability critical characteristics, acceptance criteria, and verification methods for each characteristic.


The inspectors verified the acceptance criteria for the physical and performance critical characteristics, such as system behaviors, redundancy behavior, and behavior under abnormal/failure conditions, were compliant with project-specific system technical data and IEC Standard 62040-3, Uninterruptible Power System (UPS) - Part 3: Method of Specifying Performance and Test Requirements, 2nd Edition. However, at the time of the inspection, Gutor had not delineated the specific acceptance criteria or specific routine test activities that will be credited for completion of the dedication activities.

The inspectors compared the technical data from Document 4A-1120086301/23, Technical Data - WDW 3015-250/208-EAN, Revision 1, to the completed Test Report 4A-1120086301/39GB, Test Report EQ-UNIT (DU), Revision 3, to confirm the acceptance criteria for the performance critical characteristics identified in Document Q320.252. The inspectors requested the completed review document from Gutor to confirm adequate implementation of the verification methods used to confirm that the acceptance criteria were met. However, Gutor indicated the review document will not be completed until routine testing for each system configuration is complete.

The inspectors also reviewed Document Q320.265, Failure Analysis and its appendices, and verified the fault tree, FMEA, and common cause failure analyses were adequately detailed regarding hardware and software causes of potential failures, their effects, and mitigating design factors.

Additionally, the inspectors reviewed a sample of the software quality documentation used in support of the dependability critical characteristic review. These documents included the SRS, System Design Description (SDD), Software Verification and Validation Plan (SVVP), RTM, and Final Software Verification and Validation Report (SVVR). The inspectors verified the SRS, SDD, and SVVP provided an adequate description of the system and the associated system technical and quality requirements, and defined the required IV&V activities necessary throughout the software lifecycle. As noted previously, the implementation of the SVVP and RTM was still under development, and the final SVVR was not completed at the time of the inspection.

Since Gutor's manufacturing process takes credit for commercial grade dedication of most of their subcomponents, including the circuit boards with the programmable read-only-memory (EEPROM) chips containing software/firmware, Gutor was relying on the functional testing as the completion of the CGD of the software/firmware, the software/firmware design completion, and the functional testing of the SDLC. As a result, the inspectors were not able to review Gutor's final CGD report for the XXW software/firmware release.

In addition to special tests and inspections conducted during in-process fabrication and final factory acceptance testing, Gutor's software/firmware dedication processes take credit for German regulatory certification of revisions of the software/firmware, as well as its extensive commercial use worldwide and operating experience, as evidenced by the historical reliability and quality of the base software/firmware. The inspectors confirmed the commercial operating history provided additional evidence of reliability and quality of the production software. However, the inspectors did not rely on the German certification, as the adequacy of the certification process and its implementation was not included within the scope of the inspection activities.


b. Observations and Findings No findings of significance were identified.

c. Conclusion

The inspectors concluded that Gutor's implementation of their policy and procedures for control of the design of safety-related software/firmware satisfies the regulatory requirements set forth in Criterion III, Design Control, of Appendix B to 10 CFR Part 50.

However, as noted, significant firmware development milestones that are required by Gutor's firmware design program to meet the requirements of 10 CFR Appendix B and an NQA-1 Quality program were not completed at the time of the inspection and could not be evaluated. The NRC may consider future inspections at Gutor to inspect completed implementation of the software/firmware and CGD development program. No findings of significance were identified.

4. Test Control
a. Scope

The inspection team reviewed Gutor's control of factory acceptance testing for the AP1000 inverters which were undergoing testing during the inspection. The scope of the factory acceptance testing includes both the initial set-up and calibration of the inverters, as well as the follow-on static and dynamic testing to verify proper equipment performance. Among the parameters verified during the factory acceptance testing are: rated full load output; high voltage insulation; temperature rise; measurement of total harmonic distortion; overcurrent/overload capability; power loss and efficiency; total harmonic distortion; power factor; output voltage adjustment range; and verification of protective device set-points. The factory acceptance testing is being utilized by Gutor as a verification method for verifying the critical characteristics of many of the internal components in the equipment, including the embedded software/firmware.

The inspection team observed testing in accordance with Test Procedures No. 4A-1120086301/38GB, Inverter SV3-IDSA-DU-1 System type 3015-250/208 EAN, Revision 2 and No. 4A-1120086301/39GB, Test Report DU system type WDW 3015-250/208 EAN 15KVA, Revision 2.

b. Findings and observations

The inspection team identified that Gutor failed to ensure that factory acceptance test procedures for the battery chargers being supplied to Vogtle Units 3 and 4 contained appropriate acceptance criteria, as necessary to ensure the manufactured devices conformed to the purchase specifications. Specifically, Test Procedure 1120086101/38GB, Test Procedure for 1E Rectifier, Revision 4, did not provide sufficient guidance as to how to verify the correct settings for the overvoltage protective circuitry which monitors the output of the battery chargers. The test procedure did not contain instructions on how to achieve the overvoltage conditions necessary to test the circuitry, what specific levels were to be verified, tolerances, or acceptance criteria that needed to be met. This issue was identified as a Nonconformance to Criterion V, Instructions, Procedures, and Drawings, of Appendix B to 10 CFR Part 50, as Gutor failed to ensure that the factory acceptance tests for the battery chargers being supplied to Vogtle Units 3 and 4 contained acceptance limits, which had been specified in the Westinghouse design specifications. This issue has been identified as Nonconformance 99902060/2018-201-02.

c. Conclusions Notwithstanding Nonconformance 99902060/2018-201-02 cited above associated with verification of the overvoltage protection circuitry, the inspection team concluded that the scope of the factory acceptance testing appeared sufficient to demonstrate performance of the manufactured battery chargers and inverters, provided that appropriate design and qualification testing is done to address performance requirements that cannot be demonstrated through routine factory acceptance testing. Among the performance requirements that were not covered by the factory acceptance testing are those associated with performance under temperature extremes, seismic performance, and electromagnetic interference/radio-frequency interference requirements. These are being verified separately through the qualification and dedication program.
5. 10 CFR Part 21, Corrective Action, and Nonconforming Materials, Parts, or Components
a. Inspection Scope

The inspectors reviewed Gutor's corrective action program, which requires that all nonconforming conditions be documented in Gutor's QA software log in accordance with Procedure Q730.002, Control of Nonconformities, Revision 10. The QA software program automatically and electronically notifies the QA manager of the nonconforming conditions, who then assigns the nonconformance to the responsible staff for evaluation.

Procedure Q730.002 and the program software also direct the Gutor staff to Procedure Q610.027 Repair / Rework, Revision 3, for the rework and repair of nonconforming equipment/material, Procedure Q320.213, Instruction for Special Release, Revision 1, and Procedure Q320.212, Applications for Special Release, Revision 2, for using material as-is, scrap evaluations, and process.

Corrective/Preventive Action Requests (CARs) are generated for each deficiency if directed by Procedure Q730.002 and Gutor's QA software. The CARs are assigned electronically to the responsible staff for evaluation and resolution of nonconformances that represent more significant conditions adverse to quality. The QA Manager assigns the investigation to the appropriate employee based on the details of the reported condition identified. Gutor's QA software requires that the QA Manager conduct an evaluation using Procedure Q660.023, NQA-1 Part 21 Evaluations and Notifications, Revision 0, for all nonconformances and customer complaints to determine if 10 CFR Part 21 reporting is required.

The NRC inspection team reviewed a sample of CARs and Part 21 evaluations from the past 3 years. The inspectors also reviewed a sample of nonconformances from 2016 through the present, as well as a sampling of technical evaluations of nonconformances for potential Part 21 applicability. The attachment to this report lists the documents reviewed by the NRC inspection team.


b. Observations and Findings No findings of significance were identified.
c. Conclusions The NRC inspectors concluded that Gutor is implementing its policies and procedures that govern 10 CFR Part 21, corrective actions and nonconforming materials, consistent with the regulatory requirements of Criterion XVI, Corrective Action and Criterion XV, Nonconforming Materials, Parts, or Components, of Appendix B to 10 CFR Part 50, and with 10 CFR Part 21. No findings of significance were identified.


Attachment

1. Entrance and Exit Meetings

On June 18, 2018, the NRC inspection team discussed the scope of the inspection with Cemal Yilmaz, Quality Director, and other members of Gutor's management, factory, and technical staff. On June 26, 2018, the NRC inspection team presented the inspection results and observations during an exit meeting with Cemal Yilmaz, and other members of Gutor's management, factory, and technical staff. The attachment to this report lists the attendees of the entrance and exit meetings, as well as those individuals whom the NRC inspection team interviewed.
2. Entrance/Exit Meeting Attendees/Persons Interviewed

Name, Title, Affiliation: marks under Entrance / Exit / Interviewed

  • Jeffrey Jacobson, Inspection Team Leader, NRC: X X
  • Greg Galletti, Inspector, NRC: X X
  • Phil Natividad, Inspector, NRC: X X
  • Aaron Armstrong, Inspector, NRC: X X
  • Sergey Landolt, Quality Engineer, Gutor: X X X
  • Michael May, Nuclear Sales Manager, Gutor: X
  • Finn Jorgensen, Nuclear Sales Director, Gutor: X X
  • Gert Andersen, Chief Technology Officer, Gutor: X X
  • Dragan Djordjevic, Assembly Manager, Gutor: X X
  • Noel Suarez, Test Bay Manager, Gutor: X X X
  • Daniel Eberli, Supply Chain Manager, Gutor: X X
  • Andreas Bossart, Plant Director, Gutor: X X
  • Andre Wey, Nuclear Engineering Manager, Gutor: X X X
  • Philipp Moor, Project Manager, Gutor: X X
  • Rod Cude, Supplier Compliance Supervisor, Southern Nuclear Company: X X
  • Frank Rademacher, Project Manager, Gutor: X X X
  • Cemal Yilmaz, Quality Director, Gutor: X X X
  • Brennen Hydzik, Product Engineer, Westinghouse Electric Company: X
  • Herbert Laumer, R&D Senior Firmware Engineer, Gutor: X
  • Marcel Schuster, Test Technician, Gutor: X

3. Inspection Procedures Used

  • Inspection Procedure (IP) 36100, Inspection of 10 CFR Part 21 and Programs for Reporting Defects and Noncompliance, dated February 13, 2012
  • IP 43002, Routine Inspections of Nuclear Vendors, dated January 27, 2017
  • IP 43004, Inspection of Commercial-Grade Dedication Programs, dated January 27, 2017
  • IP 35710, Quality Assurance Inspection of Software Used in Nuclear Applications, dated January 30, 2018

4. List of Items Opened, Closed, and Discussed

Item Number | Status | Type | Description
99902060/2018-201-01 | Open | NON | Criterion III
99902060/2018-201-02 | Open | NON | Criterion V
5. Applicable ITAAC N/A
6. Documents Reviewed

Procedures
  • Q660.041, Handling of 10 CFR Part 21 / Part 50.55(e) issues, Revision 6, dated August 18, 2015
  • Q320_252, XXW Safety Function Critical Characteristics, Revision 02, dated February 18, 2016
  • Q320.265, Failure Analysis -- Applicable Products: Gutor XXW (Revision SP6.3), Revision 00, dated October 26, 2015

  • Q100.003, Quality Manual for Projects Requiring ASME NQA-1 Compliance, Revision 8, dated January 25, 2013
  • Q730.025, NQA-1 Control of Nonconforming Items, Revision 0, dated September 20, 2013
  • Q660.051, Guidelines for Analysis of Critical Characteristics, Revision 1, dated January 26, 2017
  • Q320.264, Software Verification and Validation Plan (SVVP), Revision 01, dated February 25, 2015
  • Q730.032, Instructions for Special Release, Revision 1, dated March 21, 2017
  • Q320.213, Instructions for Special Release, Revision 1, dated August 1, 2015
  • Q320.238, Firmware Development Tools, Revision 1
  • Q320.181, List of Open Issues Cyber Security FW, Revision 2, dated December 13, 2013
  • Q320.182, Modification Protocol Cyber Security FW, Revision 2, dated December 13, 2013
  • Q320.186, Task Clarification Cyber Security FW, Revision 2, dated December 13, 2013
  • Q320.212, Applications for Special Release, Revision 2
  • Q730.018, Handling of Customer Complaints, Revision 4, dated March 29, 2017
  • Q320.215, GUTOR Firmware Coding Rules, Revision 3, dated May 1, 2013
  • Q630.079, Pink Binder Handling Instruction, Revision 5, dated October 31, 2017
  • Q730.019, Non NR Conforming Products, Revision 6, dated September 9, 2013
  • Q320.214, Firmware Development Standard, Revision 6, dated December 2, 2013
  • Q730.002, Control of Nonconformities, Revision 10, dated March 07, 2017
  • Q320.239, Code Review Checklist, Revision 1, dated February 14, 2013
  • Q460.015, PXW WXW Settings, Revision 17
  • Q320.237, SVN Structure GUTOR, Revision 1, dated December 14, 2010
  • Q460.012, PXW Testing Checklist, Revision 12, dated December 6, 2017
  • Q660.023, NQA-1 Part 21 Evaluations and Notifications, Revision 0, dated November 28, 2013
  • Q430.078, NQA-1 Design Control, Revision 4, dated January 18, 2017
  • Q320_261, XXW RTM Rev00 - table XXW SP6.3, dated October 30, 2015
  • Q320_249, XXW CGD Work Plan, Revision 2, dated October 26, 2015
  • Q320_265_B, XXW FMEA Rev00, dated November 10, 2015
  • Q610.027, Rework / Repair, Revision 3, dated November 7, 2017

Miscellaneous

  • FMEA Report 1129986321 (WDW 3015-250/208-EAN EQ), Failure Modes and Effects Analysis Report for Gutor UPS System 1120086321 (WDW 3015-250/208-EAN EQ), Revision 1
  • Schneider Electric Instruction Q660.051, Guideline for Analysis of Critical Characteristics, Revision 1, dated 1/26/2017
  • Product specification sheet for 950-9070 Surge Protector Dehnguard 600 V Max, DG S 600, Revision 2
  • Wiring Diagram for Class 1E inverter, 1120086301/05, Revision 11
  • Westinghouse Design Specification App-DU01-Z0-001, Design Specifications for Class 1E Inverters, Static Transfer and Manual Bypass Switches for IDS system, Revision 7, dated January 4, 2016
  • Westinghouse Design Specification APP-DC01-Z0-001, Design Specification for Class 1E 250 VDC Battery Chargers for System IDS, Revision 8, dated August 30, 2016
  • Test Procedure 1120086101/38GB, Test Procedure for 1E Rectifier, Revision 4
  • Test Doc No 4A-1120086301/39GB, Test Report DU system type WDW 3015-250/208 EAN 15KVA, Revision 2
  • Westinghouse APP-GW-E0-004, AP1000 Electronic System Security Controls, Revision 4, dated May 24, 2012
  • International Electrotechnical Commission Standard, IEC 60880, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Software Aspects for Computer-based Systems Performing Category A Functions, 2nd Edition, dated 2006
  • International Electrotechnical Commission Standard, IEC standard 62040-3, Uninterruptible Power System (UPS) - Part 3: Method of Specifying Performance and Test Requirements, 2nd Edition, dated March 2011
  • Report 290, UPS Dedication Project Critical Digital Review, Revision 1, dated June 1, 2010
  • FWTR Cyber Security FW, Revision 3, dated December 13, 2013
  • SP6.3, Firmware Summary Controller XXW, Revision 01, dated December 15, 2014
  • 4A-1120086301/23, Technical Data - WDW 3015-250/208-EAN, Revision 1
  • 4A-1120086301/39GB, Test Report EQ-UNIT (DU), Revision 3, dated April 10, 2018

Corrective Action Requests

  • 44463 dated March 15, 2016
  • 44872 dated April 28, 2016
  • 45763 dated July 18, 2016
  • 36582 dated December 16, 2014
  • 43121 dated November 5, 2015
  • 29423 dated January 13, 2014
  • 56569 dated February 26, 2018
  • 28175 dated October 1, 2013
  • 31523 dated June 12, 2014
  • 44463, dated June 14 2016
  • 44872, dated April 28, 2016
  • 58875, dated June 20, 2018
  • 58914, dated June 20, 2018
  • 58947, dated June 20, 2018

Test Observations

Test Doc No 4A-1120086301/38GB, Inverter SV3-IDSA-DU-1 System type 3015-250/208 EAN, Revision 2 - for inverter SN 1120086301

  • Section 1.1 Visual inspection
  • Section 1.6 Rated Output
  • Section 1.7 Overcurrent /overload Capability test
  • Section 1.9 Power loss determination and Efficiency test
  • Section 1.10 Measurement of THD/TDF for Voltage and Current
  • Section 1.12 Measurement of output voltage
  • Section 1.13 Conformation of output voltage adjustment range test
7. Acronyms and Abbreviations

  • A: Ampere
  • AC: alternating current
  • ASR: Activity summary report
  • CAR: corrective action request
  • CAP: corrective action program
  • CFR: Code of Federal Regulations
  • CGD: commercial grade dedication
  • CGI: commercial grade item
  • DC: direct current
  • ISBS: independent static bypass switch
  • IDS: Class 1E DC Power and Uninterruptible Power System
  • IEC: International Electrotechnical Commission
  • IV&V: independent verification and validation
  • NON: Notice of Nonconformance
  • NRC: U.S. Nuclear Regulatory Commission
  • PO: purchase order
  • QA: quality assurance
  • QAP: quality assurance procedure
  • RG: regulatory guide
  • RTM: Software/Firmware Requirements Traceability Matrix
  • SDD: System Design Description
  • SRS: System Requirements Specification
  • SVVP: Software Verification and Validation Plan
  • SVVR: Software Verification and Validation Report
  • V: Volt
  • VAC: Volts alternating current
  • VDC: Volts direct current