ML052450096


RAI, Reactor Protective System/Engineered Safeguards Protection System Digital Upgrade
ML052450096
Site: Oconee
Issue date: 09/06/2005
From: Olshan L, NRC/NRR/DLPM/LPD2
To: Rosalyn Jones, Duke Energy Corp
Olshan L N, NRR/DLPM, 415-1419
References: TAC MC5895, TAC MC5896, TAC MC5897


Text

September 6, 2005

Mr. Ronald A. Jones
Vice President, Oconee Site
Duke Energy Corporation
7800 Rochester Highway
Seneca, SC 29672

SUBJECT: REQUEST FOR ADDITIONAL INFORMATION CONCERNING THE OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 LICENSE AMENDMENT REQUEST FOR REACTOR PROTECTIVE SYSTEM/ENGINEERED SAFEGUARDS PROTECTION SYSTEM DIGITAL UPGRADE (TAC NOS. MC5895, MC5896, AND MC5897)

By letter dated February 14, 2005, you submitted a license amendment request to change the technical specifications (TSs) for Oconee Nuclear Station, Units 1, 2, and 3. The amendments would allow the replacement of the current analog based Reactor Protective System (RPS) and Engineered Safeguards Protective System (ESPS) with a digital computer based RPS and ESPS. The digital system will be the Framatome Advanced Nuclear Power TELEPERM XS (TXS) System.

On March 30, 2005, a draft version of 27 questions was provided to you by e-mail.

Subsequently, we met with you on August 17, 2005, to discuss these questions and four additional questions. Enclosed are these 31 questions. Please provide, within 30 days, a response to these questions or a schedule for when a response will be provided.

If you have any questions, please contact me at 301 415-1419.

Sincerely,

/RA/

Leonard N. Olshan, Project Manager, Section 1
Project Directorate II
Division of Licensing Project Management
Office of Nuclear Reactor Regulation

Docket Nos. 50-269, 50-270, and 50-287

Enclosure: As stated

Distribution: PUBLIC, RidsNrrPMLOlshan, RidsNrrDlpmDpr, PDII-1 R/F, RidsOgcRp, RidsNrrDlpmLpdii1, RidsAcrsAcnwMailCenter, RidsNrrLACHawes, RidsRgn2MailCenter

Accession Number: ML052450096 NRR-088

OFFICE: PDII-1/PM, PDII-1/LA, PDII-1/SC
NAME: LOlshan, CHawes, EMarinos
DATE: 9/6/05, 9/6/05, 9/6/05

OFFICIAL RECORD COPY

REQUEST FOR ADDITIONAL INFORMATION ON OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 LICENSE AMENDMENT REQUEST REACTOR PROTECTIVE SYSTEM/ENGINEERED SAFEGUARDS PROTECTION SYSTEM DIGITAL UPGRADE

1. Please provide the following documentation: (Note - whenever a Specification item is referenced, the specifications are the Duke Power Reactor Protective System (RPS) Replacement Project Specification No. OSS-0311.00-00-0013 and Engineered Safeguard Features Actuation System Replacement Project Specification No. OSS-0311.00-00-0012.)

Whenever a section of NUREG-0800, the Standard Review Plan (SRP), is referenced, the NRC staff will review the item requested using the identified portion of the SRP, and, therefore, the licensee should identify and explain any deviations from the BTP-14.

A. Design requirements and design basis for the RPS/Engineered Safeguards Protection System (ESPS) TELEPERM XS (TXS) system as it will be installed at Oconee. This should include a detailed system description with system architecture and system specification for the planned TXS and any subsystems. This should include a copy of information supplied by the licensee to the vendor, and the vendor system, and hardware and software design specifications as described in specification item 11.4.

B. Procurement Specification. If this does not include specific hardware and software specifications, please provide them. If the specification is revised or updated during the course of this project, please provide those updates.

C. Oconee Software Management Plan (BTP-14, Section 3.1.a). The plan should show how the licensee will manage the software independent of the vendor.

D. Oconee Software Quality Assurance Plan and any procedures specific to this system (BTP-14, Section 3.1.c). This may include vendor documents, but must specifically show how the licensee will maintain control of the hardware and software quality at the licensee site.

E. Oconee Configuration Management Manual, including the Software Configuration Management Plan (BTP-14, Section 3.1.k). This may include vendor documents, but must specifically show how the licensee will maintain control of the hardware and software configuration at the licensee site. This plan should show how the licensee will ensure the correct configuration of the system and software independent of the vendor.

F. The Oconee safety analyses and the Framatome software safety analysis as required by specification item 7.3, including the licensee acceptance of the Framatome software safety analysis (BTP-14, Section 3.2.a).

G. Oconee Nuclear Station, Unit 3 RPS/ESF Controls Upgrade, Software V&V Plan, Document 51-5024087-00.

H. Oconee Software Development Plan and related life-cycle documentation, if any applications software is being developed by the licensee (BTP-14, Section 3.1.b).

If applications software is being developed by the Framatome, please provide the following software life-cycle documents in accordance with Section 5.1.2 of Topical Report EMF-2110, Teleperm XS: A digital Reactor Protection System.

i. Requirements Definition
ii. Technical Design Specification
iii. Detailed Design Specification
iv. Implementation Specification
v. Integration Plan (BTP-14, Section 3.1.d)
vi. Test Plan

I. The documentation and plans which the licensee will determine that the RPS/ESPS system software meets the requirements. This would normally include:

i. Software Design Review
ii. Source Code Review
iii. Software Verification and Validation Plan (BTP-14, Section 3.1.j)
iv. Verification and Validation Report

J. Factory Acceptance Test (Specification item 9.2 - 9.6) and the Oconee Nuclear Station (ONS) Site Acceptance Test (Specification item 9.8), and any other test documentation which will be used.

K. The Oconee system and software training plan (BTP-14, section 3.1.g). Please include the User Instruction Manual and an explanation of what training will be provided to control room operators, I&C maintenance personnel and plant engineering, as described in specification item 12.

L. The RPS/ESPS specification compliance matrix (specification item 11.12.a).

M. The updated ONS UFSAR Chapter 15, Accident Analyses. This analysis should include an accident analysis which assumes that a common mode software failure renders unavailable all safety-related functions which are performed by the Teleperm XS RPS/ESPS system. If manual action is credited, show what indications the operators would have which are not dependent on the Teleperm XS RPS/ESPS system.

N. The Human Factors Review, including the standards used. This should include any analysis done to demonstrate conformance with specification item 5.4.i and 5.6.

O. The Failure Modes and Effects Analysis (FMEA) including not only significant failure modes but all failure modes (specification item 2.1.cc, 2.3.u, 6.12, and 11.11).

P. Siemens (FANP) Report, 66-5015893, "TXS Supplemental Equipment Qualification, Summary Test Report" and TÜV test report, 968/K 109.00/02 dated September 13, 2002.

Q. The RPS/ESPS System Instrument Setpoint Calculations and Instrument Accuracy Uncertainty Calculations. If the ONS setpoint methodology is derived from ISA 67.4, please state which methodology is used. Has the setpoint methodology been reviewed and approved by NRC? If so, please provide the appropriate reference documents.

The intent is to demonstrate: 1) That in accordance with plant specific action item 10 contained in the April 13, 2000, SER on the TXS topical report, that overly conservative setpoints that may occur due to the elimination of analog system drift are not retained, as this would increase the possibility that the TXS equipment may be performing outside the vendor specifications, and 2) to show that the approach that is used to develop the proposed limits provides adequate assurance that the plant will operate in accordance with the safety analyses, and that operability is ensured in the Technical Specifications.

R. The output from the RETRANS tool and the analysis comparing this output to the design data base. If a different validation tool, not previously reviewed and approved by the NRC staff, is being used, please provide sufficient information on that tool to show that the tool can be relied upon to perform its task, as well as the output of that tool and the analysis of that output showing that the design data base was correctly implemented in the plant specific safety-related software. In addition, please show how this new tool was dedicated for safety-related use, and the configuration control as required by IEEE Std. 7-4.3.2, paragraph 5.3.2.

S. The RPS/ESFAS Software Defense-in-Depth and Diversity Analysis provided by Teleperm in accordance with specification item 6.13.

T. The Software Installation Plan (BTP-14, Section 3.1.e).

U. The Software Safety Plan (BTP-14, Section 3.1.i).

V. The Software Operations Plan (BTP-14, Section 3.1.h).

2. List all functions currently performed by the existing RPS and ESPS. Indicate which of these functions will now be performed by the TXS.
3. List all hardware modules and software components which will be used in the TXS RPS/ESPS system, including the revision level. This should include the detailed Bill of Materials described in specification item 2.3.w and the hardware and software documentation as described in specification item 11.5 and 11.6. Are any of these revision levels of either hardware and software different from those previously reviewed and approved by NRC? If so, please provide the change control documentation and results of regression testing.
4. The submittal identified several differences between the TXS system approved by the NRC and the system proposed for installation at ONS, principally the SVE CPU module and the communications modules. Please provide the following information:

A. Exact description of the changes, including changes to support chip sets, printed circuit board artwork, and software changes. Software change descriptions should include changes to the basic input/output system (BIOS) for the different processor.

B. The environmental test data which verified the new equipment qualifications, including temperature, humidity, radiation, seismic, and electromagnetic qualifications.

C. Test data showing that the existing software did not require modification, or if modifications were required, a description of those software changes and how the changes were tested.

D. Page 3-48 of EMF-2110 states that ISTec/TÜV-Nord issued a certificate for the CP486. Has a similar certificate been issued for the new SVE CPU? If so, please provide that certificate.

5. List the online continuous self-testing and diagnostic functions. Do these differ or add to the diagnostic functions reviewed in the original TXS SER? Please provide sufficient information for the NRC staff to determine either that the diagnostics and self test have not changed since the original SER, or that they have changed, sufficient information for the NRC staff to review those changes.
6. Section 4.9 of topical report EMF-2110 states Signal transmission between redundant class 1E channels may be required for availability or reliability reasons. If required it will be performed by serial fiber optic Profibusses in an end to end configuration. Since the February 14, 2005, submittal states that the TXS sets exchange their process data via point-to-point fiber-optic data links and that by comparison (Data Validation) between the redundant values, outlying signals are rejected and the optimum representative signal is selected, it would appear that this feature is used in the ONE RPS/ESFS application. How is the requirement for channel independence maintained in accordance with IEEE 279-1971, as referenced in the Duke Power specification item 5.4.f? Please describe in detail all communications and data exchange between channels.
7. The February 14, 2005, submittal states that the new RPS system will enhance the RPS/Operator Aid Computer (OAC) interface. The TELEPERM-OAC gateway will make additional information available to the OAC on RPS process variables and equipment status.

Please provide details on this enhancement, listing what additional information will be available, and all software and hardware changes to the TXS system required for these changes. In addition, please show how isolation is maintained. Please describe in detail all communications and data exchange between the safety-related RPS/ESPS TXS system and any non-safety system. How does this meet the Standard Review Plan, Section 7.9 criterion that the communications systems does not present an electronic path by which unauthorized personnel can change plant software or display erroneous plant status information to the operators and Such connections should be one-way communication paths.

8. Please explain how the use of dual port RAM as an interface maintains the requirement for independence. Is the safety side input port write only, or the non-safety output port read only? How does this prevent cyber intrusion and maintain security of the system?

9. The February 14, 2005, submittal states, in Section K, that The digital upgrade of the RPS and ESPS will not have a significant impact on the Oconee PRA results. Please provide information on how this determination was reached, including the data used to make this determination. Please justify considering that a single hardware failure will disable one channel of all RPS/ESPS functions in which the TXS is used, and one common mode failure could eliminate all RPS/ESPS functions in which the TXS is used.
10. The February 14, 2005, submittal in Section K, refers to The expected high reliability of the digital actuation systems. What is the value of this expected high reliability, and how was it determined? How was software reliability calculated, and how was this software reliability included in the expected high reliability value?

11. In the safety evaluation for EPRI TR-102323, the NRC staff concluded that TR-102323 provide an acceptable method for assessing the qualification of digital equipment to the nuclear plant EM environment without the need for plant specific EMI surveys if the plant specific EM environment is confirmed to be similar to that identified in TR-102323". Please show how it was determined that the EM environment at ONC was similar to that identified in TR-102323.
12. The February 14, 2005, submittal states that TXS equipment qualification criteria bound the plant specific qualification levels for the applicable locations at ONS. Please provide the worst case plant specific accident environmental conditions for the locations where the TXS equipment will be located.
13. The February 14, 2005, submittal, in response to plant specific requirement 9, as listed in the NRC staff SER on the TXS Topical Report, stated that The Oconee AMSAC and DSS systems' attributes have been evaluated for diversity between them and the TXS based RPS/ESPS for the categories of Design Diversity, Human Diversity, Equipment Diversity, Software Diversity, Functional Diversity, and Signal Diversity. Please provide that evaluation.
14. The submittal, in response to plant specific requirement 12, as listed in the NRC staff SER on the TXS Topical Report, stated that a plant specific risk informed Defense-in-Depth and Diversity assessment to justify eliminating the need to install the diverse LPI actuation in early 2005. Please provide that assessment, keeping in mind that NRC has neither reviewed nor approved the EPRI Report 1002835, Guideline for Performing Defense-in-Depth and Diversity Assessments for Digital Upgrades.
15. The submittal, in response to plant specific requirement 14, as listed in the NRC staff SER on the TXS Topical Report, stated: The power supplies will be commercially dedicated and qualified by Framatome ANP for this ONS safety related, Quality Condition 1 application.

Please provide the test plans, procedures and reports.

16. The submittal, in response to plant specific requirement 14, stated: The TXS communication from the safety I&C system to the non-safety plant information system is done via the Monitoring and Service Interface (MSI). Please describe this communications link, and the manner in which it maintains isolation. Is this communications path a broadcast type one-way communication path used without handshaking or acknowledgment signals? If the communications is not a broadcast, please explain the cyber security provisions used by the TXS RPS/ESPS system.
17. How is access control for the TXS cabinets maintained? Who controls the keys? Please provide a proposed access list or the access list for physical access to the existing cabinets.

This should be in sufficient detail to allow the NRC staff to make a determination of the physical security of the TXS system.

18. Please discuss the response time requirements for the RPS/ESPS functions. What is the expected worst case response time for the TXS systems as it will be installed at ONS, and how will that response time be tested at ONC? This should include a discussion of the microprocessor cycle times, sampling rates, and testing procedures. In addition, please provide the system response time test reports as discussed in specification item 6.14.

19. What provisions for repair parts have been made? How many spare boards and modules will be delivered with the system? For what period of time has Framatome guaranteed that additional parts of the same revision level as the original will be available? If parts are received with a different revision level, how will they be evaluated, and under what conditions will NRC approval be required? This should include the list of recommended spare parts as required by specification item 15.
20. Please show how and where the software under configuration management is stored, and who the software librarian is. Is the librarian designated by name, or by some other means?
21. Please discuss what provisions have been made for the repair and maintenance of components, PC boards and software. This should include a copy of the Software Maintenance Plan, which itself should meet the requirements of SRP BTP-14, Section 3.1.f.
22. Will ONC or Framatome modify software if errors are discovered? How will those modifications be tested, both by the organization making the changes and by the licensee?
23. Will all documentation, training manuals, software listings, screen data and error messages be in English? Where is the application specific software being developed and tested?
24. In Attachment 3, Figure 1, there are two cabinets labeled Status (Cab 8) and Status (Cab 9). Please describe the functions performed by each. What hardware and software will be used in these functions and how will each be qualified?
25. In the same Figure 1, the fifth bullet states One RPS computer ("RPS-E") providing information to the control board and the Integrated Control System (ICS) and implementing the functions of the TXS Monitoring and Service Interface (MSI). Please describe RPS-E fully, including function, hardware, software, interconnects, and qualification.
26. In Figure 2 there is an input described as RPS Input Channel E. Please state where this input is from and what function it performs.
27. Please show how the TXS RPS/ESPS system as installed at ONC will comply with the following sections of IEEE Std. 603-1991 (as required by 10 CFR 50.55a). If this information is already contained in sufficient detail in the February 14, 2005, submittal please reference the section of the submittal where the information is discussed.

Section 4.1 Identification of the design basis events
Section 4.4 Identification of variables monitored
Section 4.5 Minimum criteria for manual initiation and control of protective actions
Section 4.6 Identification of the minimum number and location of sensors
Section 4.4 Identification of the analytical limit associated with each variable.
Section 4.7 Range of transient and steady-state conditions
Section 4.8 Identification of conditions having the potential for causing functional degradation of safety system performance
Section 4.9 Identification of the methods used to determine reliability of the safety system design
Section 5.1 Single-Failure Criterion
Section 5.2 Completion of Protective Action
Section 5.3 Quality
Section 5.4 Equipment Qualification
Section 5.5 System Integrity
Section 5.6 Independence

  • Physical independence.
  • Electrical independence.
  • Communications independence.

Section 5.7 Capability for Test and Calibration
Section 5.8 Information Displays
Section 5.9 Control of Access
Section 5.10 Repair
Section 5.11 Identification
Section 5.12 Auxiliary Features
Section 5.13 Multi-Unit Stations
Section 5.14 Human Factors Considerations
Section 5.15 Reliability
Sections 6.1 and 7.1 Automatic Control
Sections 6.2 and 7.2 Manual Control
Section 6.3 Interaction Between the Sense and Command Features and Other Systems
Section 7.3 Completion of Protective Action
Section 6.4 Derivation of System Inputs
Section 6.5 Capability for Testing and Calibration
Sections 6.6 and 7.4 Operating Bypasses
Sections 6.7 and 7.5 Maintenance Bypass
Section 6.8 Setpoints
Section 8 Power Source Requirements

28. Please show which functions applicable to other users (specification item 5.4.l) were removed from the ONC software.
29. The SRP chapters 7.2, Reactor Trip System, and Chapter 7.3, Engineered Safety Features System, require specific comments in the NRC staff SER on compliance with 10 CFR Part 50, TMI action requirements, and various General Design Criteria. Please show how the TXS RPS/ESPS system as installed at ONC will comply with these requirements. If this information is already contained in sufficient detail in the February 14, 2005, submittal or in other documents previously submitted to the staff, please reference where the information is discussed.
30. In order to show that the software and hardware being used for the RPS/ESPS TXS system as it will be installed at ONC is being designed, manufactured and tested in the same manner as was originally reviewed and approved by the NRC staff in the TXS SER, please list all Framatome procedures, manuals, specifications, and software and hardware design tools which have been modified or changed since that original SER. Provide sufficient details, including the change control documentation, on these changes that the NRC staff may determine that the changes do not invalidate any conclusions reached by the NRC staff on the acceptability of the original items.

31. Please show the history of the TXS operating system:

A. In how many applications has the operating system been used in the past, and for what period of time?

B. Has there ever been a failure to perform the assigned function?

C. How many of these uses in the past have been at international nuclear power plants and how many at U.S. nuclear power plants?

Is the operating system version to be used with the ONC RPS/ESPS TXS system the same as the version originally approved in the April 13, 2000, SER on the TXS topical report? If not, please provide the following information:

D. What changes have been made to the operating system originally approved?

E. How often has the version to be used with the ONC RPS/ESPS TXS system been used and for what period of time?

F. Has there ever been a failure of the version to be used with the ONC RPS/ESPS TXS system to perform the assigned function?

G. How many of these uses of the version to be used with the ONC RPS/ESPS TXS system have been at international nuclear power plants and how many at U.S. nuclear power plants?

Oconee Nuclear Station, Units 1, 2, and 3

cc:

Ms. Lisa F. Vaughn, Duke Energy Corporation, 526 South Church Street, P. O. Box 1006, Mail Code = EC07H, Charlotte, North Carolina 28201-1006

Mr. R. L. Gill, Jr., Manager - Nuclear Regulatory Issues and Industry Affairs, Duke Energy Corporation, 526 S. Church St., Mail Stop EC05P, Charlotte, NC 28202

Manager, LIS, NUS Corporation, 2650 McCormick Dr., 3rd Floor, Clearwater, FL 34619-1035

Division of Radiation Protection, NC Dept of Environment, Health, & Natural Resources, 3825 Barrett Dr., Raleigh, NC 27609-7721

Senior Resident Inspector, U.S. Nuclear Regulatory Commission, 7812B Rochester Highway, Seneca, SC 29672

Mr. Peter R. Harden, IV, VP-Customer Relations and Sales, Westinghouse Electric Company, 6000 Fairview Road, 12th Floor, Charlotte, NC 28210

Mr. Henry Porter, Director, Division of Radioactive Waste Management, Bureau of Land and Waste Management, Dept. of Health and Env. Control, 2600 Bull St., Columbia, SC 29201-1708

Mr. Henry Barron, Group Vice President, Nuclear Generation and Chief Nuclear Officer, P.O. Box 1006-EC07H, Charlotte, NC 28201-1006

Mr. Michael A. Schoppman, Framatome ANP, 1911 North Ft. Myer Dr., Suite 705, Rosslyn, VA 22209

Mr. B. G. Davenport, Regulatory Compliance Manager, Oconee Nuclear Site, Duke Energy Corporation, ON03RC, 7800 Rochester Highway, Seneca, SC 29672

Ms. Karen E. Long, Assistant Attorney General, NC Department of Justice, P.O. Box 629, Raleigh, NC 27602