ML051360016

Attachment 6 - NEI Handout: AP1000 Protection and Safety Monitoring System Review Plan, Revision C

Site: Nuclear Energy Institute
Issue date: 06/20/2005
From: Nuclear Energy Institute
To: Office of Nuclear Reactor Regulation, Nuclear Energy Institute; Colaccino, Joseph, NRR/DRIP/RNRP, 415-2753
Shared Package: ML051370086

AP1000 Protection and Safety Monitoring System (PMS)

NRC Review Plan Revision C

Purpose:

The purpose of this document is to propose a schedule for the review of the AP1000 PMS design.

Review dates are selected at points where meaningful NRC reviews can be accomplished, based on the NRC's plan for technical review in the instrumentation and control systems area.

A schedule of proposed human factors engineering (HFE) reviews is being prepared in a separate document.

NRC Review Process:

The NRC will confirm that the as-built computer-based plant I&C system conforms to the certified design. The design acceptance criteria will be verified to be met as part of the I&C system Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC). The ITAAC reviews will be performed by the NRC prior to fuel load at specified points in the system lifecycle.

The NRC staff will use a two-part approach for the review of the PMS as follows:

  • Detailed functional review at the block diagram level to ensure appropriate implementation of NRC requirements related to postulated single failures, common-mode failures, appropriate signal isolation, and other aspects of NRC review. This review will establish the detailed functional requirements for the I&C systems.
  • Review of the implementation of digital I&C systems to meet the functional system requirements. Review points will be selected based on the system lifecycle process to verify that the implementation is proceeding in accordance with the design certification.

A review will be done for each phase of the I&C system software and hardware development process.

The review guidance provided in SRP Chapter 7, Rev. 4, 1997, will be used by the staff in review of the I&C system design, installation and operation. Of particular note is the guidance in Appendix 7-A, Branch Technical Position (BTP) 14, "Guidance on Software Reviews for Digital Computer-Based I&C Systems", which applies to the plant-specific software application.

Technical Review Plan:

Table 1 below provides the review schedule. It includes the proposed review date for each lifecycle phase and a list of documents that will be available for the staff's review. The list of documents is correlated with the list of reference topics provided in BTP 14, Figure 7-A-1.

Review dates are specified in "Months ARO". The phase definitions identified in parentheses in Column 2 are consistent with the Common Q design terminology.

Revision C Page 1 of 7 Attachment 6

Table 2 below defines the scope of each review with specific references to ITAACs that are included in the AP1000 Design Control Document. This table provides the details of each planned review, including a cross reference of the contents of each available document with the design commitment and associated acceptance criteria that it attempts to satisfy.

Actions to Prepare for NRC Reviews:

  • Map BTP-14 with the Common Q approved design process.
  • Perform an internal audit to assess readiness prior to each scheduled NRC review.


Table 1. Review Schedule

Columns: Review Date (Months ARO); Completion of System Lifecycle Phase; BTP 14, Figure 7-A-1 Reference Topics; Available Documents.

Review Date (Months ARO): 12
Completion of System Lifecycle Phase: Design Requirements (Concept Phase)
BTP 14, Figure 7-A-1 Reference Topics: Software Management Plan; Software Development Plan; Software QA Plan; Integration Plan; Installation Plan; Maintenance Plan; Training Plan; Operations Plan; Software Safety Plan; Software V&V Plan; Software CM Plan
Available Documents: Software Program Manual; Project Quality Plan; Project Document Index; Commercial Grade Dedication Plan; AP1000 V&V Plan; System Test Plan

Review Date (Months ARO): 26
Completion of System Lifecycle Phase: System Definition (Requirements Analysis Phase)
BTP 14, Figure 7-A-1 Reference Topics: Requirements Specifications; Requirements Safety Analysis; V&V Requirements Analysis Report; CM Requirements Analysis Report
Available Documents: Generic Safety System Requirements; AP1000 Safety System Requirements; Functional Requirements; System Hardware Requirements; Software Requirements Specification; System Interface Requirements; Requirements Phase V&V Report; Requirements Phase RTM; Project Document Index

Review Date (Months ARO): 40
Completion of System Lifecycle Phase: Hardware and Software Development (Design Phase & Implementation Phase)
BTP 14, Figure 7-A-1 Reference Topics: Design Specifications; Hardware & Software Architecture; Design Safety Analysis; V&V Design Analysis Report; CM Design Report; Code Listings; Code Safety Analysis; V&V Implementation Analysis & Test Report; CM Implementation Report
Available Documents: System Design Specification consisting of hardware and software; System Architecture Drawings; Hardware Design Drawings; CM Release Report; Custom Software Element Design Specifications; Reusable Software Type Specifications; Module/Unit Test Procedures; Module/Unit Test Reports; BPL Software Design Description; LCL Software Design Description; ITP Software Design Description; ILC Software Design Description; MUX Software Design Description; MTP Software Design Description; Design and Implementation Phase V&V Reports; Design and Implementation Phase RTM; Project Document Index

Review Date (Months ARO): TBD
Completion of System Lifecycle Phase: System Integration and Test (Test Phase)
BTP 14, Figure 7-A-1 Reference Topics: System Build Documentation; Integration Safety Analysis; V&V Integration Analysis & Test Report; CM Integration Report; Validation Safety Analysis; V&V Validation Analysis & Test Report; CM Validation Report
Available Documents: none listed

Review Date (Months ARO): TBD
Completion of System Lifecycle Phase: Installation (Installation and Checkout Phase)
BTP 14, Figure 7-A-1 Reference Topics: Operations Manuals; Installation Configuration Tables; Maintenance Manuals; Training Manuals; Installation Safety Analysis; V&V Installation Analysis & Test Report; CM Installation Report
Available Documents: none listed


Table 2. May 2006 Concept Phase Review

Columns: DCD Table 2.5.2-8 Reference / ITAAC Reference Item; Design Commitment; Document; Acceptance Criteria Satisfied.

ITAAC Reference Item: 11a
Design Commitment: PMS hardware and software is developed using a planned design process which provides for specific design documentation and reviews during the design requirements phase.
Acceptance Criteria Satisfied: Establishment of plans and methodologies.


Comments on Draft NEI 04-01, Rev. D - 4.3.9.7 FSAR Chapter 7

The implementation of the design of the plant-specific safety I&C systems is covered by the Chapter 7 DAC/ITAAC. The use of design acceptance criteria enables the staff to arrive at a safety determination regarding a specific aspect of the overall plant design. By designating the DAC in the design certification rule, the Commission will establish the criteria which the staff will utilize to confirm that the as-built plant conforms to the design certification. The determination that the DAC have been satisfied will be made throughout the design implementation and construction process, as part of the ITAAC program.

The NRC staff intends to perform inspections that will audit the satisfactory completion of ITAAC requirements, including the DAC. In accordance with section 52.99, "At appropriate intervals during construction, the NRC staff shall publish in the Federal Register notices of the successful completion of inspections, tests, and analyses."

The staff will use a two-part approach for the review of advanced instrumentation and controls (I&C). The first part will involve a detailed, functional review at the block diagram level, to ensure appropriate implementation of NRC requirements related to postulated single failures, common-mode failures, appropriate signal isolation, and other aspects of NRC review. This review will establish the detailed functional requirements for the I&C systems.

The second part of the review will address the implementation of digital control systems to meet the functional system requirements. This will rely upon a formal process with phased ITAAC for design development. The ITAAC will all be specified in the design certification rule but could be satisfied at various points in time. An early ITAAC would address the procedures to be used by the COL holder to implement an acceptable design process for digital control systems.

Acceptance criteria for the various phases of the design program would be specified, such that the NRC could objectively inspect and determine whether the licensee's procedure met the ITAAC criteria. As the design is subsequently developed and implemented, subsequent ITAAC would be used to verify that key steps in the development process have been satisfactorily accomplished. Because design detail is not available in this review area, and several design implementation methods would be acceptable to the staff, the ITAAC requirements and acceptance criteria in the design certification will be general in nature. The applicants and the NRC will establish agreed-upon review points in the design development process to verify that the implementation is proceeding in accordance with the design certification.

The review guidance provided in SRP Chapter 7, Rev. 4, 1997, will be used by the staff in review of the I&C system design, installation and operation. Of particular note is the guidance in Appendix 7-A, Branch Technical Position 14 - Guidance on Software Reviews for Digital Computer-Based I&C Systems, which applies to the plant-specific software application in either the Eagle or Common Q platform. The review will be done at every life-cycle stage of the I&C system software and hardware development process. Additional guidance based on the lessons learned by using the guidance of SRP Chapter 7 in the review of computer-based I&C system design implementation at Temelin (Czech Republic - W Eagle system) and the Lungmen Project (Taiwan - twin GE ABWRs), and guidance on Cyber Security, will be part of the review. The lessons learned changes are included (highlighted) in the BTP 14 version below; the discussion on cyber security items follows.

Figure 2: Software Life Cycle

Life Cycle Activity Groups by Life Cycle Activities (Planning, Requirements, Design, Implementation, Integration, Validation, Installation, Operations & Maintenance):

Planning Activities: Software Management Plan; Software Development Plan; Software QA Plan; Integration Plan; Installation Plan; Maintenance Plan; Training Plan; Operations Plan; Software Safety Plan; Software V&V Plan; Software CM Plan
Requirements Activities: Requirements Specifications; Requirements Safety Analysis; V&V Requirements Analysis Report; CM Requirements Report
Design Activities: Design Specifications; Hardware & Software Architecture; Design Safety Analysis; V&V Design Analysis Report; CM Design Report
Implementation Activities: Code Listings; Code Safety Analysis; V&V Implementation Analysis & Test Report; CM Implementation Report
Integration Activities: System Build Documentation; Integration Safety Analysis; V&V Integration Analysis & Test Report; CM Integration Report
Validation Activities: Validation Safety Analysis; V&V Validation & Test Report; CM Validation Report
Installation Activities: Operations Manuals; Installation Configuration Tables; Maintenance Manuals; Training Manuals; Installation Safety Analysis; V&V Installation & Test Report; CM Installation Report
Operations & Maintenance Activities: Change Safety Analysis; V&V Change Report; CM Change Report

Note: A separate document is not required for each topic identified; however, project documentation should encompass all the topics.