ML18253A137
| Person / Time | |
|---|---|
| Site: | 99900404 |
| Issue date: | 09/13/2018 |
| From: | Todd Jackson NRC/NRO/DCIP/QVIB1 |
| To: | Monahan J Westinghouse |
| | Galletti G, NRO/DCIP |
| References | IR 2018202 |
September 13, 2018
Jill S. Monahan
Manager, Licensing Inspections and Special Program
Westinghouse Electric Company
1000 Westinghouse Drive
Cranberry Township, PA 16066
SUBJECT: NUCLEAR REGULATORY COMMISSION INSPECTION OF WESTINGHOUSE ELECTRIC COMPANY REPORT NO. 99900404/2018-202
Dear Ms. Monahan:
On July 23 - August 2, 2018, the U.S. Nuclear Regulatory Commission (NRC) staff conducted an inspection at the Westinghouse Electric Company (WEC) facility in Cranberry Township, PA.
The purpose of the limited-scope inspection was to assess WEC's compliance with the provisions of selected portions of Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities, and 10 CFR Part 21, Reporting of Defects and Noncompliance.
This inspection evaluated aspects of WEC's programs for the design, implementation, and testing of the Protection and Safety Monitoring System (PMS) systems for the Vogtle Units 3 and 4 currently under construction. The enclosed report presents the results of this inspection.
This NRC inspection report does not constitute NRC endorsement of your overall quality assurance (QA) or 10 CFR Part 21 programs.
During this inspection, the NRC staff evaluated aspects of WEC's design and testing of the PMS. These activities were associated with inspections, tests, analyses, and acceptance criteria (ITAAC) from Appendix C from the Combined License for Vogtle Units 3 and 4.
Specifically, these activities were associated with ITAAC 2.5.02.06a.ii (Index No. 530), 2.5.02.11 (Index No. 550), and 2.5.02.12 (Index No. 551).
In accordance with 10 CFR 2.390, Public Inspections, Exemptions, Requests for Withholding, of the NRC's Rules of Practice, a copy of this letter, its enclosures, and your response (if applicable) will be made available electronically for public inspection in the NRC Public Document Room or from the NRC's document system, Agencywide Documents Access and Management System, which is accessible from the NRC Web site at http://www.nrc.gov/readingrm/adams.html. To the extent possible, your response should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the public without redaction. If personal privacy or proprietary information is necessary to provide an acceptable response, then please provide a bracketed copy of your response that identifies the information that should be protected and a redacted copy of your response that deletes such information. If you request that such material is withheld from public disclosure, you must specifically identify the portions of your response that you seek to have withheld and provide in detail the bases for your claim (e.g., explain why the disclosure of information will create an unwarranted invasion of personal privacy or provide the information required by 10 CFR 2.390(b) to support a request for withholding confidential commercial or financial information). If safeguards information is necessary to provide an acceptable response, please provide the level of protection described in 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements.
Sincerely,
/RA/
Terry W. Jackson, Chief
Quality Assurance Vendor Inspection Branch-1
Division of Construction Inspection and Operational Programs
Office of New Reactors
Docket No.: 99900404
Enclosure:
Inspection Report No. 99900404/2018-202 and Attachment
ML18253A137 *via email NRO-002
| OFC | NRO/DCIP | NRO/DCIP | NRO/DEI | R-II/DCO |
|---|---|---|---|---|
| NAME | GGalletti | PNatividad* | WRoggenbrodt* | LCastelli* |
| DATE | 09/06/2018 | 09/07/2018 | 09/07/2018 | 09/12/2018 |

| OFC | R-II/DCO | NRO/DCIP | NRO/DCIP |
|---|---|---|---|
| NAME | RMathisIII* | BGreen (Acting) | TJackson |
| DATE | 09/07/2018 | 09/12/2018 | 09/13/2018 |

U.S. NUCLEAR REGULATORY COMMISSION
OFFICE OF NEW REACTORS
DIVISION OF CONSTRUCTION INSPECTION AND OPERATIONAL PROGRAMS
VENDOR INSPECTION REPORT
Docket No.: 99900404
Report No.: 99900404/2018-202
Vendor: Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, PA 16066
Vendor Contact: Jill S. Monahan, Manager, Licensing Inspections and Special Programs, Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, PA 16066, Email: monohajs@westinghouse.com
Nuclear Industry Activity: Westinghouse Electric Company, LLC, located at 1000 Westinghouse Drive, Cranberry Township, PA 16066, whose scope of supply includes but is not limited to safety-related design, fabrication, testing, and delivery of the Protection and Safety Monitoring System and the non-safety Diverse Actuation System instruments and controls products to the current U.S. AP1000 plants under construction.
Inspection Dates: July 23 - August 2, 2018
Inspection Team Leader: Greg Galletti, NRO/DCIP/QVIB-1
Inspection Team: Philip Natividad, NRO/DCIP/QVIB-1; Lisa Castelli, R-II/DCO/ITOP; Robert Mathis III, R-II/DCO/ITOP; William Roggenbrodt, NRO/DEIA/ICE
Approved by: Terry W. Jackson, Chief, Quality Assurance Vendor Inspection Branch-1, Division of Construction Inspection and Operational Programs, Office of New Reactors
EXECUTIVE SUMMARY
Westinghouse Electric Company 99900404/2018-202
The U.S. Nuclear Regulatory Commission (NRC) staff conducted this vendor inspection to verify that Westinghouse Electric Company, LLC (hereafter referred to as WEC), implemented an adequate quality assurance program that complies with the requirements of Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities, and 10 CFR Part 21, Reporting of Defects and Noncompliance. The inspectors conducted this inspection at the WEC facility in Cranberry Township, Pennsylvania, on July 23 - August 2, 2018.
This inspection evaluated aspects of WEC's programs for the design, implementation, and testing of the Protection and Safety Monitoring System (PMS) systems for the Vogtle Units 3 and 4 currently under construction. The enclosed report presents the results of this inspection.
This NRC inspection report does not constitute NRC endorsement of your overall quality assurance (QA) or 10 CFR Part 21 programs.
During this inspection, the NRC staff evaluated aspects of WEC's design and testing of the PMS, reviewed the vendor's testing activities associated with the Reactor Trip and Engineered Safety Features (ESF) functionality, test phase results report and independent verification and validation (IV&V) testing phase summary report. These activities were associated with inspections, tests, analyses, and acceptance criteria (ITAAC) from Appendix C from the Combined License for Vogtle Units 3 and 4. Specifically, these activities were associated with ITAAC 2.5.02.06a.ii (Index No. 530), 2.5.02.11 (Index No. 550), and 2.5.02.12 (Index No. 551).
The following regulations served as the bases for this NRC inspection:
- Appendix B to 10 CFR Part 50
- 10 CFR 50.55a
The inspectors used Inspection Procedure (IP) 43002, Routine Inspections of Nuclear Vendors, dated July 15, 2013, and IP 65001.22, Inspection of Digital Instrumentation and Control (DI&C) System/Software Design Acceptance Criteria (DAC)-Related ITAAC, dated December 19, 2011.
The information below summarizes the results of this inspection.
Protection and Safety Monitoring System Actuation of Reactor Trip and ESF (ITAAC 2.5.02.6a.ii (Parts 6.a and 6.b))
The inspectors concluded that WEC's implementation of their policy and procedures for control of testing of the Reactor Trip and ESF functionality within the PMS system satisfies the regulatory requirements of Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. No findings of significance were identified.
PMS Test Phase Results Review and PMS IV&V Test Phase Summary Results Report Review (ITAAC 2.5.02.11d)
The inspectors concluded that WEC's implementation of their policy and procedures for control of testing of the PMS system, throughout the different test phases, including Subassembly Hardware Tests (SHT), Cabinet Hardware Tests (CHT), Software Tests (EST), Channel Integration Tests (CIT), and System Integration Tests (SIT), demonstrates that control of testing and design change activities associated with the PMS system satisfies the regulatory requirements of Criterion III, Design Control, and Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. No findings of significance were identified.
PMS Test Phase Configuration Management and Verification & Validation Processes (ITAAC 2.5.02.12)
The inspectors determined that WEC's implementation of its policies and procedures that govern the PMS test phase lifecycle activities and verification and validation activities was consistent with the requirements of Criterion III, Design Control, and Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. PMS testing was adequately controlled through processes for test configuration management and verification and validation activities. No findings of significance were identified.
REPORT DETAILS
- 1. Protection and Safety Monitoring System Actuation of Reactor Trip and Emergency Safety Features (ITAAC 2.5.02.6a.ii (Parts 6.a and 6.b))
Background
The inspectors reviewed the completed channel integration tests (CIT) for the reactor trip and Engineered Safety Features (ESF). CIT is used to isolate the testing of the Protection and Safety Monitoring System (PMS) to a single division in order to facilitate performance of reactor trip and ESF features, integrated logic processor component logic, qualified data display and nuclear instrumentation operation, channel accuracy, cabinet indications and status, and plant control system hardware interface functionality testing. The functionality of all intra-cabinet and inter-divisional cabling and communications is also verified. In addition, the inspectors reviewed subassembly hardware tests and hardware and software regression tests performed to verify functionality of the reactor trip channel.
- a. Inspection Scope ITAAC 2.5.02.6a.ii (Part 6.a)
The inspectors reviewed APP-PMS-T1P-007, AP1000 Protection and Safety Monitoring System Reactor Trip Channel Integration Test Procedure, Revision 4, dated November 2017, to verify whether the prescribed testing would demonstrate that the PMS output signals to the reactor trip switchgear would be generated when the test signal reaches the trip setpoint. The inspectors reviewed test cases for High-3 Pressurizer Water Level Reactor Trip and Steam Generator 1 Water Level Low Reactor Trip to verify the trip outputs identified in APP-PMS-T5-001, AP1000 Protection and Safety Monitoring System Test Plan, Revision 5, dated July 2015, were validated.
These outputs included first out annunciators, sequence of event points, maintenance and test panel indications, and safety displays indication for the function tested.
The inspectors held discussions with the vendor's staff and reviewed the applicable reactor trip logic diagrams, PMS architecture drawings, and test setup connections between the standard input output simulator (SIOS) and the PMS to confirm the test cases adequately executed the reactor trip logic and validated the functions and outputs identified in Test Plan T5-001.
The inspectors reviewed a sample of test data from APP-PMS-T1D-007, AP1000 PMS System System-Level Reactor Trip Channel Integration Test Data Sheets, Revision 8, to confirm that the recorded test data was within the expected response range, and where anomalies were documented, appropriate corrective actions were developed to identify and correct the causes, and appropriate evaluation, including retesting, if needed, was performed.
The inspectors reviewed SV3-PMS-T2R-007, Vogtle Unit 3 AP1000 Protection and Safety Monitoring System System-Level Reactor Trip Channel Integration Test Report, Revision 0, dated June 2017, which documents the results of the CIT performed on the Vogtle Unit 3 AP1000 PMS System-Level Reactor Trip function with the fuel load baseline software installed, to verify that the resolutions of the anomaly record issues were confirmed.
Additionally, the inspection team reviewed testing activities related to the reactor trip matrix terminal unit to verify that subassembly hardware tests were performed in accordance with Test Plan T5-001. The inspectors reviewed WNA-TP-00427-GEN, Standard Safety System Reactor Trip Matrix Termination Unit Test Procedure, Revision 10, dated March 2016, to verify that performance requirements and specifications contained in WNA-DS-01735-GEN, Standard Safety System Class 1E Reactor Trip Matrix Termination Unit Assembly Hardware Requirements Specification, Revision 4, dated April 2011, were appropriately translated into the test procedure. The inspectors reviewed Inspection Lot # (IL)-410495 for the reactor trip matrix termination unit. IL-410495 includes the inspection report, quality notifications, quality releases, certificate of conformance, and test records. IL-410495 was reviewed to verify that testing was conducted in accordance with the test procedure and that test results adequately validated performance attributes. Performance attributes included digital output trip configuration and operation, watchdog timer relay operation, voltage levels and resistor value verification, and manual switch operation. The inspectors also reviewed the test results to verify that the reactor trip matrix terminal unit was tested in both the under-voltage trip and shunt-trip configurations.
The inspectors reviewed Engineering and Design Change Coordination Report (E&DCR) APP-GW-GEF-197 to assess the hardware change which added interposing relays to PMS to provide a path from reactor trip matrix termination unit through relay contacts to reactor trip switchgear under-voltage relays. The inspectors reviewed APP-PMS-T1P-051, AP1000 Protection and Safety Monitoring System Hardware Regression Test Procedure, Revision 4, dated January 2018, and SV4-PMS-T2R051, Vogtle Unit 4 AP1000 Protection and Safety Monitoring System Hardware Regression Test Report, Revision 4, dated January 2018, to verify the hardware change was analyzed and performance attributes were tested in accordance with Test Plan T5-001, Section 9.7, Regression Testing. Performance attributes included increased cabinet power supply output voltage, relay functionality, and relay time response.
The inspectors reviewed a sample of the APP-PMS-TIP-007, Appendix B, Requirements, identified as partially completed by the procedure test cases. The inspectors traced these requirements in the Dynamic Object Oriented Requirements System (DOORs) database to verify they were correctly identified in the requirements traceability matrix tool. The inspectors reviewed APP-PMS-T2R-100, PMS Fuel Load Baseline Summary Test Report, Revision 1, dated February 2018, to assess whether there were any outstanding open items for the reactor trip test cases.
ITAAC 2.5.02.6a.ii (Part 6.b)
The inspectors reviewed APP-PMS-T1P-008, AP1000 Protection and Safety Monitoring System System-Level Engineered Safety Features (ESF) Channel Integration Test Procedure, Revision 3, dated December 2017, and APP-PMS-TIP-009, AP1000 Protection and Safety Monitoring System Integrated Logic Processor Component Logic Channel Integration Test Procedure, Revision 7, to verify whether the prescribed testing would demonstrate that the PMS initiates ESF when the test signal reaches the trip setpoint and the output signals remain after the test signal is removed.
The inspectors reviewed the test cases for the In-Containment Refueling Water Storage Tank (IRWST) injection and Automatic Depressurization System (ADS) Fourth Stage Depressurization to verify the ESF outputs identified in APP-PMS-T5-001, AP1000 Protection and Safety Monitoring System Test Plan, Revision 5, dated July 2015, were validated. These functions and outputs included main control room/remote shutdown room transfer switch function, sequence of event points, maintenance and test panel indications, and safety display indication.
The inspectors reviewed a sample of test data from APP-PMS-T1D-008, AP1000 PMS System System-Level ESF Channel Integration Test Data Sheets, Revision 8, and APP-PMS-T1D-009, AP1000 PMS Integrated Logic Processor Component Logic Integration Test Data Sheets, Revision 9, to confirm that the recorded test data was within the expected response range, and where anomalies were documented, appropriate corrective actions were developed to identify and correct the causes, and appropriate evaluation, including retesting, if needed, was performed.
Finally, the inspectors reviewed APP-PMS-T2R-100, PMS Fuel Load Baseline Summary Test Report, Revision 1, dated February 2018, to assess whether there were any outstanding open items for the ESF test cases.
- b. Observations and Findings
No findings of significance were identified.
- c. Conclusions
The inspectors concluded that WEC's implementation of their policy and procedures for control of testing of the Reactor Trip and ESF functionality within the PMS system satisfies the regulatory requirements of Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. No findings of significance were identified.
- a. Inspection Scope
The inspection team interviewed WEC personnel and reviewed supporting documentation to verify that activities associated with the testing phase supported the AP1000 PMS life cycle development process in accordance with ITAAC 2.5.2.11d, regulatory requirements and the licensing basis. The inspectors reviewed APP-PMS-T2R-100, AP1000 Protection and Safety Monitoring System Fuel Load Baseline Summary Test Report to verify that PMS tests were performed and test results were documented in accordance with APP-PMS-T5-001, AP1000 Protection and Safety Monitoring System Test Plan. The inspectors sampled testing associated with the different test phases, including Subassembly Hardware Tests (SHT), Cabinet Hardware Tests (CHT), Software Tests (EST), CIT, and System Integration Tests (SIT) to verify testing demonstrates that systems have been designed and implemented correctly in accordance with performance requirements. The inspectors reviewed test cases associated with Reactor Trip functions, Engineered Safety Feature Actuation System, Hardware Configuration, and Software Tests, including Steam Generator Low Level Reactor Trip, In-Containment Refueling Water Storage Tank (IRWST) Injection, Automatic Depressurization System Stage 4 Actuation, and Pressurizer High Level.
The inspection team reviewed testing activities associated with the steam generator low-low level reactor trip to verify that software tests were performed in accordance with APP-PMS-T2R-100. Specifically, the inspectors reviewed testing related to the reusable software element (RSE) for the steam generator water level compensation (SGWLCOMP) to verify that element software tests were performed as required. The inspectors reviewed WNA-TP-02289-GEN, Element Software Test Procedure for SGWLCOMP Custom PC Element, and WNA-TR-01439-GEN, Element Software Test Report for SGWLCOMP Custom PC Element, to verify that performance requirements contained in WNA-DS-01492-GEN, Standard Reusable Software Element Document for Steam Generator Water Level Compensation Custom PC Element, were appropriately captured in the test procedure and validated in the test results. The inspectors verified that the SGWLCOMP reusable software element provided appropriate steam generator water levels taking into account the corresponding steam line pressure.
In addition, the NRC team's inspection sampling of these testing examples also served as inspection sampling of Appendix D of the IV&V Phase Summary Report. For example, it was noted that the RSE for Steam Generator Level Compensation was not exercised at multiple different values during SIT due to being more fully tested at multiple values during EST. Therefore, inspectors reviewed IV&V Requirements Traceability Analyses (RTAs) for that RSED and also a sampling of additional EST test procedures and test reports to verify complete testing coverage.
The inspectors reviewed testing documentation of the integrated logic cabinet (ILC) to ensure CHT were performed in accordance with the APP-PMS-T5-001, AP1000 PMS Test Plan. The CHT verifies the cabinet as-built hardware configuration against approved design drawings including the verification of electrical continuity. The inspectors reviewed VS3-PMS-T2R-002, V. C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Integrated Logic Cabinet Hardware Test Report, to verify that testing was performed in accordance with the test procedure and test data sheets as documented in VS3-PMS-T1P-002, V. C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Integrated Logic Cabinet Hardware Test Procedure, and VS3-PMS-T1D-002, V.C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Integrated Logic Cabinet Hardware Test Data Sheets. VS3-PMS-T1P-002 serves as the test specification and test procedure for this ILC CHT as allowed by the APP-PMS-T5-001, AP1000 PMS Test Plan. The test results were reviewed to ensure that the following attributes were verified for the ILC:
- Correct Alternating Current (AC) and Direct Current (DC) power distribution wiring was installed in the cabinet.
- AC input voltages were within specifications with/without cabinet loads.
- DC power distribution to cabinet components was correct.
- Cabinet cooling fans were correctly wired and functioned correctly.
The inspection team reviewed testing activities associated with the ESF to verify that channel integration tests were performed in accordance with APP-PMS-T5-001, AP1000 PMS Test Plan. The CIT is a functional test that verifies integration of the released software with the deliverable hardware. Specifically, the inspectors reviewed testing related to IRWST injection and recirculation. The inspectors reviewed test reports APP-PMS-T2R-008, AP1000 Protection and Safety Monitoring System System-Level Engineered Safety Features Channel Integration Test Report, and APP-PMS-T2R-009, AP1000 Protection and Safety Monitoring System Integrated Logic Processor Component Logic Channel Integration Test Report to verify that testing was conducted in accordance with the test specifications, procedure, and data sheets. The inspectors reviewed the test results to verify that the following test cases were validated in the CIT configuration:
- Squib Valve Controller Terminal Unit Operation
- Main Control Room/Remote Shutdown Room Transfer Switch Operation
- Component Interface Module (CIM) Operation
The inspectors reviewed testing documentation for PMS in the SIT configuration to ensure that testing was adequately performed in accordance with APP-PMS-T5-001, AP1000 PMS Test Plan. The SIT provides the cross-channel integrated systems testing for the PMS cabinets and addresses the PMS requirements. The inspectors reviewed APP-PMS-T2R-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Report, to verify that abnormal conditions testing was conducted in accordance with APP-PMS-T1P-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Procedure. Specifically, the inspectors reviewed test results of the integrated logic cabinet during a power cycle of one PMS channel to verify that no adverse interactions occurred between independent functions and no spurious actuations of the component interface modules were observed. The inspectors reviewed documented test anomalies to verify that test deficiencies/failures were properly identified and corrective actions were appropriately implemented.
The inspectors reviewed the functional diagrams and test cases for Steam Generator Narrow Range Water Level Low-2 Reactor Trip Time Response, Pressurizer Water Level High-3 Reactor Trip Time Response, and ADS Stage 4 Actuation Time Response testing. The inspectors reviewed a sample of the data sheets from APP-PMS-TID-012, Protection and Safety Monitoring System Interfaces and Response Time System Integration Test Data Sheets, Revision 7, and test data from VS3-PMS-T2R-012, PMS System Interfaces and Response Time - System Integration Test Report, Revision 0, dated March 2016. The inspectors reviewed the test quiescent state and trip state data for the test cases. In addition, the inspectors reviewed the test results to confirm that the recorded test data met the pass criteria.
- b. Observations and Findings
No findings of significance were identified.
- c. Conclusions
The inspectors concluded that WEC's implementation of their policy and procedures for control of testing of the PMS system, throughout the different test phases, including SHT, CHT, EST, CIT, and SIT, demonstrates that testing of the PMS system satisfies the regulatory requirements of Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. No findings of significance were identified.
- 3. PMS IV&V Test Phase Summary Results Report Review
- a. Inspection Scope
The inspectors reviewed SV0-IVV-JQR-021, Protection and Safety Monitoring System Independent V&V Summary Report, Revision 4, dated April 2018. Section 1.4, Evaluation of Open Issues, stated, in part, that a final design review (FDR) covering Baseline 5 of the Protection and Safety Monitoring System (PMS) was conducted in 2011, and subsequent changes made to the PMS design were evaluated using the design change proposal (DCP) and E&DCR processes to determine what impact any changes to the software (and hardware) might have on the system.
The inspectors sampled several DCPs and E&DCRs to verify that these design modification processes provided an adequate and effective method to evaluate design changes that impacted the PMS baseline. The inspectors also reviewed various test procedures/test data sheets as well as WNA-AR-00363-WAPP, AP1000 PMS Regression Analysis Change Report (RACR), Revision 5, to confirm that testing and regression activities adequately addressed design changes.
The inspectors reviewed SV0-IVV-JQR-021, Appendix C, "Open Issues," of the IV&V Phase Summary Report, as well as WEC's process for identifying and evaluating remaining open issues after completion of the testing phase. The inspectors verified that the remaining open items were related to process efficiencies and did not affect any of the PMS system safety functions.
The inspectors reviewed a sample of IV&V task reports to verify adequate completion of tasks associated with the PMS software design evaluation, software requirements traceability analysis, functional analysis, and software testing tools evaluations. In addition, the inspectors reviewed IV&V's work instructions and processes for creating requirements traceability matrices using proven commercial software-industry tools.
The inspectors reviewed SV0-IVV-JQR-021, Appendix A.5, Integration Phase Checklist, and noted that the functional design review had not been completed. The inspectors confirmed that the input documents to the functional design review had been reviewed by the IV&V team; however, the final assembly of the design review had not been conducted as changes to the software were anticipated during the initial test program at the site. The inspectors also reviewed Appendices A and C of SV0-IVV-H5R-001, IV&V Software Requirements Fulfillment Assessment, Revision 1, and confirmed that all remaining items identified during the initial system testing (IST) that needed further steps to be fulfilled were accounted for. The inspectors also noted that the vendor had implemented SharePoint modules to aid in tracking these issues.
- b. Observations and Findings
No findings of significance were identified.
- c. Conclusions
The inspectors determined that WEC's IV&V organization is adequately implementing IV&V Plan requirements associated with testing of the PMS system, regression activities associated with design changes, and monitoring of software fulfilment requirements that will be continued through on-site IST program implementation.
The inspectors concluded that WEC's implementation of their policy and procedures for control of testing and design change activities associated with the PMS system satisfies the regulatory requirements set forth in Criterion III, Design Control, and Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. No findings of significance were identified.
- 4. PMS Test Phase Configuration Management and Verification & Validation Processes (ITAAC 2.5.02.12)
- a. Scope
The NRC inspectors assessed WEC's testing configuration management, and verification and validation (V&V) management process implementation throughout the PMS testing life cycle phase. The inspectors selected and verified a representative sample of lifecycle phase-specific activities to determine the effectiveness of the processes in complying with commitments outlined in ITAAC 2.5.02.12 and the AP1000 licensing basis.
Test Phase Configuration Management
The inspectors evaluated various WEC documents related to testing configuration management to verify compliance with the PMS Software Configuration Management Plan and the AP1000 Protection and Safety Monitoring System Test Plan. The inspectors performed interviews, a review of configuration management documents, and a walk-through of processes, to verify that WEC's process controlling the configuration of testing conducted throughout the PMS lifecycle was adequate.
Verification & Validation
The inspectors evaluated various WEC verification and validation documents to verify compliance with the Software Program Manual and the PMS Software Verification and Validation Plan. Various V&V output documents and task reports developed throughout the PMS life-cycle testing phase were sampled to verify alignment with the higher level process requirements. The inspectors selected a sample of attributes from the required IV&V phase activities and interviewed IV&V personnel to assess whether the IV&V effort adequately performed the required tasks. Specifically, the inspectors reviewed WEC's IV&V documentation to verify completion of the application code review, IV&V configuration management release records, requirements traceability, and the IV&V baseline configuration management assessment.
The inspectors verified that the process developed and actions taken by WEC IV&V to review open items for the test phase were adequate and in accordance with documented plans and procedures.
- b. Observation and Findings
No findings of significance were identified.
- c. Conclusion
The inspectors determined that WEC's implementation of its policies and procedures that govern the PMS test phase lifecycle activities was consistent with the requirements of Criterion XI, Test Control, of Appendix B to 10 CFR Part 50. PMS testing was adequately controlled through processes for test configuration management and verification and validation activities. No findings of significance were identified.
- 4. Entrance and Exit Meetings
On July 23, 2018, the inspectors presented the inspection scope during an entrance meeting with Mr. Chris Crefeld, Director, Global Instrumentation and Controls, and other WEC personnel. On August 2, 2018, the inspectors presented the inspection results during an exit meeting with Mr. Chris Crefeld, Director, Global Instrumentation and Controls, and other WEC personnel.
ATTACHMENT
- 1. PERSONS CONTACTED AND NRC STAFF INVOLVED:
| Name | Affiliation | Entrance / Exit / Interviewed |
|---|---|---|
| Chris Crefeld | WEC | X X X |
| Jill Monahan | WEC | X X X |
| Greg Glenn | WEC | X X X |
| Steven Packard | WEC | X X |
| Roger Constantino | WEC | X |
| Lisa Manning | WEC | X |
| Pavel Tyrpak | WEC | X X |
| Chris Srock | WEC | X |
| John Jurczak | WEC | X |
| Brian Domitrovich | WEC | X X X |
| John Wiesemann | WEC | X X X |
| Darin Orendi | WEC | X X |
| Blaise Macione | WEC | X X |
| Greg Turk | WEC | X X X |
| Amanda Miller | WEC | X |
| Hasan Serdar Uyar | WEC | X X X |
| Dino Copetas | WEC | X X X |
| Murat Uzman | WEC | X |
| Brian Schleger | WEC | X X X |
| Maryna Tyrpak | WEC | X X X |
| Kevin Lunz | WEC | X X |
| David Malarik | WEC | X X X |
| Steve Merkiel | WEC | X X |
| Rose Wang | WEC | X |
| Bob Phillips | WEC | X |
| Matt Thompson | WEC | X |
| Kasey Corbin | WEC | X X |
| Mike Vallarta | WEC | X X |
| Darryl Muetzel | WEC | X |
| Dave Lisenby | SNC | X X |
| Pat Combes | WEC | X |
| Remington Iddings | WEC | X |
| Harry Putnam | WEC | X |
| Mark Mamo | WEC | X |
| Matt Shakun | WEC | X |
| Robert Hirmanpour | SNC | X X X |
| Mark Malmo | SNC | X X |
| Tom Petrik | SNC | X |
| Mike Yox | SNC | X |
| Jim Hughes | SNC | X X |
| Bret Banks | SNC | X |
| Kara Stacy | SNC | X |
| Amanda Pugh | SNC | X X |
| Greg Galletti | NRC | X X |
| Lisa Castelli | NRC | X X |
| William Roggenbrodt | NRC | X X |
| Robert Mathis III | NRC | X X |
| Philip Natividad | NRC | X |
- 2. INSPECTION PROCEDURES USED:
IP 43002, Routine Inspections of Nuclear Vendors, dated July 15, 2013
IP 60001.22, Inspection of Digital Instrumentation and Control (DI&C) System/Software Design Acceptance Criteria (DAC)-Related ITAAC, dated December 19, 2011
- 3. LIST OF ITEMS OPENED, CLOSED, AND DISCUSSED:
| Item Number | Status | Type | Description | Applicable ITAAC |
|---|---|---|---|---|
| None | | | | |
- 4. INSPECTIONS, TESTS, ANALYSES, AND ACCEPTANCE CRITERIA (ITAAC):
The U.S. NRC inspectors identified the following ITAAC related to components being designed, manufactured, and tested at WEC. For the ITAAC listed below, the inspectors reviewed WEC's QA controls in the areas of design control, test control, inspection, nonconforming materials, parts, and components, and corrective actions. The listing of these ITAAC does not mean that they have been completed.
This section of the inspection report focuses on the vendor's implementation of aspects of its QA program for the activities affecting quality associated with the design and testing of aspects of the AP1000 PMS. This included a review of completed Generic AP1000 Baseline (BL) 8.4 PMS software and hardware design and testing documentation and review of Reactor Trip and ESFAS functionality. These activities are associated with ITAAC 2.5.02.11 (Index No. 550), 2.5.02.12 (Index No. 551), and 2.5.02.06a.ii Parts 6.a and 6.b (Index No. 530), respectively. The goal of these inspection activities is to examine the governing documents and samples of engineering activities that demonstrate the implementation of the design commitments and design attributes as stated in the ITAAC design commitments.
| ITAAC Index No. | ITAAC Section No. | Design Commitment | Inspections, Tests, Analyses | Acceptance Criteria |
|---|---|---|---|---|
| 530 | 2.5.02.06a.ii | 6.a) The PMS initiates an automatic reactor trip, as identified in Table 2.5.2-2, when plant process signals reach specified limits. | An operational test of the as-built PMS will be performed using real or simulated test signals. | ii) PMS output signals to the reactor trip switchgear after the test signal reaches the specified limit. This needs to be verified for each automatic reactor trip function. |
| | | 6.b) The PMS initiates automatic actuation of engineered safety features, as identified in Table 2.5.2-3, when plant process signals reach specified limits. | An operational test of the as-built PMS will be performed using real or simulated test signals. | Appropriate PMS output signals are generated after the test signal reaches the specified limit. These output signals remain following removal of the test signal. Tests from the actuation signal to the actuated device(s) are performed as part of the system-related inspection, test, analysis, and acceptance criteria. |
| 550 | 2.5.02.11 | 11. The PMS hardware and software is developed using a planned design process which provides for specific design documentation and reviews during the following life cycle stages: a. Not used b. System definition phase c. Hardware and software development phase, consisting of hardware and software design and implementation d. System integration and test phase e. Installation phase | Inspection will be performed of the process used to design the hardware and software. | A report exists and concludes that the process defines the organizational responsibilities, activities, and configuration management controls for the following: a. Not used. b. Specification of functional requirements. c. Documentation and review of hardware and software. d. Performance of system tests and the documentation of system test results, including a response time test performed under maximum CPU loading to demonstrate that the PMS can fulfill its response time criteria. e. Performance of installation tests and inspections. |
| 551 | 2.5.02.12 | 12. The PMS software is designed, tested, installed, and maintained using a process which incorporates a graded approach according to the relative importance of the software to safety and specifies requirements for: a. Software management including documentation requirements, standards, review requirements, and procedures for problem reporting and corrective action. b. Software configuration management including historical records of software and control of software changes. c. Verification and validation including requirements for reviewer independence. | Inspection will be performed of the process used to design, test, install, and maintain the PMS software. | A report exists and concludes that the process establishes a method for classifying the PMS software elements according to their relative importance to safety and specifies requirements for software assigned to each safety classification. The report also concludes that requirements are provided for the following software development functions: a. Software management including documentation requirements, standards, review requirements, and procedures for problem reporting and corrective action. Software management requirements may be documented in the software quality assurance plan, software management plan, software development plan, software safety plan, and software operation and maintenance plan; or these requirements may be combined into a single software management plan. b. Software configuration management including historical records of software and control of software changes. Software configuration management requirements are provided in the software configuration management plan. c. Verification and validation including requirements for reviewer independence. Verification and validation requirements are provided in the verification and validation plan. |
- 5. DOCUMENTS REVIEWED:
APP-IVV-JQR-014, Protection and Safety Monitoring System Safety Display Code Review Report, Revision 0, dated January 2018
APP-PMS-GEF-134, PMS Software Update to resolve Site and Factory Testing Issues.
APP-PMS-J3-320, AP1000 Detailed Functional Diagram Pressurizer Level Reactor Trip, Revision 8, dated February 2017
APP-PMS-J3-321, AP1000 Detailed Functional Diagram Steam Generator 1 Narrow Range Water Level Reactor Trips, Revision 8, dated March 2017
APP-PMS-J3-369, AP1000 Detailed Functional Diagram ADS Stage 4 Actuation and Reset Control Divisions A and B, Revision 6, dated May 2014
APP-PMS-T1D-007, AP1000 PMS System System-Level Reactor Trip Channel Integration Test Data Sheets, Revision 8
APP-PMS-T1D-008, AP1000 PMS System System-Level ESF Channel Integration Test Data Sheets, Revision 8
APP-PMS-T1D-009, AP1000 PMS Integrated Logic Processor Component Logic Integration Test Data Sheets, Revision 9
APP-PMS-T1P-007, AP1000 Protection and Safety Monitoring System Reactor Trip Channel Integration Test Procedure, Revision 4, dated November 2017
APP-PMS-T1P-008, AP1000 Protection and Safety Monitoring System System-Level Engineered Safety Features Channel Integration Test Procedure, Revision 3, dated December 2017
APP-PMS-T1P-009, AP1000 Protection and Safety Monitoring System Integrated Logic Processor Component Logic Channel Integration Test Procedure, Revision 7, dated December 2017
APP-PMS-T1P-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Procedure, Revision 8, dated December 2017
APP-PMS-T1P-051, AP1000 Protection and Safety Monitoring System Hardware Regression Test Procedure, Revision 4, dated January 2018
APP-PMS-T2R-009, Protection and Safety Monitoring System Integrated Logic Processor Component Logic Channel Integration Test Report, Revision 0, dated August 2017
VS3-PMS-T2R-012, PMS System Interfaces and Response Time - System Integration Test Report, Revision 0
APP-PMS-T2R-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Report, Revision 0, dated November 2017
APP-PMS-T2R-100, AP1000 Protection and Safety Monitoring System Fuel Load Baseline Summary Test Report, Revision 1, dated February 2018
APP-PMS-T5-001, AP1000 Protection and Safety Monitoring System Test Plan, Revision 5, dated July 2015
IL-410495, Inspection Lot for Reactor Trip Matrix Termination Unit, dated August 2012
IVV_Task_RSED_RTA_WNA-DS-01519-GEN, IV&V Task Report for Requirements Traceability Analysis of WNA-DS-01519-GEN, Revision 0, dated December 14, 2012
IVV-H5R-001, PMS IV&V Software Requirements Fulfillment Assessment, Revision 0, dated March 2018
SV0-IVV-JQR-014, Vogtle AP1000 Protection and Safety Monitoring System Safety Display Code Review Report, Revision 2, dated June 2014
SV0-IVV-JQR-021, Vogtle AP1000 Protection and Safety Monitoring System Independent Verification and Validation Summary Report, Revision 4, dated April 2018
SV3-PMS-T2R-007, Vogtle Unit 3 AP1000 Protection and Safety Monitoring System System-Level Reactor Trip Channel Integration Test Report, Revision 0, dated March 2016
SV4-PMS-T2R051, Vogtle Unit 4 AP1000 Protection and Safety Monitoring System Hardware Regression Test Report, Revision 4, dated January 2018
VS3-PMS-T2R-008, V.C. Summer Unit 3 AP1000 Protection and Safety Monitoring System System-Level Engineered Safety Features Channel Integration Test Report, Revision 0, dated July 2017
VS3-PMS-T1P-002, V. C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Integrated Logic Cabinet Hardware Test Procedure, Revision 0, dated October 2013
VS3-PMS-T1D-002, V.C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Integrated Logic Cabinet Hardware Test Data Sheets, Revision 2, dated August 2015
VS3-PMS-T2R-002, V. C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Integrated Logic Cabinet Hardware Test Report, Revision 0, dated March 2017
WNA-DS-01491-GEN, Standard Reusable Software Element Document for Pressurizer Water Level Compensation Custom PC Element, Revision 14, dated November 2016
WNA-DS-01492-GEN, Standard Reusable Software Element Document for Steam Generator Water Level Compensation Custom PC Element, Revision 10, dated November 2016
WNA-DS-01735-GEN, Standard Safety System Class 1E Reactor Trip Matrix Termination Unit Assembly Hardware Requirements Specification, Revision 4, dated April 2011
WNA-IG-300320-GEN, Execution of Inspection Lots, Revision 3, dated October 2013
WNA-TP-02288-GEN, Element Software Test Procedure for PZWLCOMP Custom PC Element, Revision 1, dated November 2016
WNA-TP-02289-GEN, Element Software Test Procedure for SGWLCOMP Custom PC Element, Revision 1, dated November 2016
WNA-TR-01438-GEN, Element Software Test Report for PZWLCOMP Custom PC Element, Revision 3, dated November 2016
WNA-TR-01439-GEN, Element Software Test Report for SGWLCOMP Custom PC Element, Revision 3, dated November 2016
WNA-TP-00427-GEN, Standard Safety System Reactor Trip Matrix Termination Unit Test Procedure, Revision 10, dated June 2017
WNA-VT-00048-WAPP, IV&V Task Report for RSED RTA for WNA-DS-01492-GEN, Revision 2, dated December 2016
WNA-VT-00259-WAPP, IV&V Task Report for Tools Evaluation, Revision 2, dated December 2016
WNA-VT-00302-WAPP, IV&V Task Report for RSED RTA for WNA-DS-01653-GEN, Revision 0, dated September 2015
WNA-VT-00618-SV0, IV&V Task Report for Vogtle AP1000 PMS Open Issues Assessment, Revision 0, dated March 2018
WNA-VT-00700-WAPP, IV&V Task Report for the QDPS Software Design Description RTA and Software Design Evaluation, Revision 0, dated November 2017
WNA-VT-00703-WAPP, IV&V Task Report for the SD Software Design Description RTA and Software Design Evaluation, Revision 1, dated November 2017
WNA-WI-00362-GEN, Instructions for Updating IV&V RTA Modules, Revision 6, dated March 2015
WNA-WI-00433-GEN, Instructions for Performing IV&V Fulfillment Assessment, Revision 2, dated June 2017

DCP/E&DCR
APP-GW-GEE-4623, PMS ESF Actuation Latching Changes
APP-GW-GEE-5493, Addition of Interposing Relays to the PMS BCCs in the RTS UVR Trip Path
APP-GW-GEE-4823, Automation and Field Services/ AP1000 Safety System Functional/System Engineering
APP-GW-GEF-1917, Engineering and Design Change Coordination Report, Addition of Interposing Relays to the PMS Bistable/Coincidence Logic Cabinet (BCC)s in the Reactor Trip Switchgear (RTS) Under-voltage Release (UVR) Trip Path, Revision 0, dated February 2017

Quality program/corrective actions
RITS 55785, 47887, 55733, 58596, 39601, 60435
CAP IR-2018-6487, CAP IR-2018-6823

Corrective action documentation initiated during this inspection
CAP IR-2018-13098, dated July 26, 2018
CAP IR-2018-13422, dated August 1, 2018
Condition Report (CR)-50002274 dated August 3, 2018
- 6. ACRONYMS:
AC Alternating Current
ADS Automatic Depressurization System
BL Baseline
CHT Cabinet Hardware Tests
CIM Component Interface Module
CIT Channel Integration Tests
DC Direct Current
DCP Design Change Proposal
DOORs Dynamic Object Oriented Requirements System
E&DCR Engineering and Design Change Request
ESFAS Engineered Safety Feature Actuation System
EST Element Software Tests
IL Inspection Lot
ILC Integrated Logic Cabinet
IRWST In-Containment Refueling Water Storage Tank
IST initial system testing
ITAAC Inspections, Tests, Analyses, and Acceptance Criteria
IV&V Independent Verification and Validation
NRC Nuclear Regulatory Commission
QA Quality Assurance
PMS Protection and Safety Monitoring System
RSE Reusable Software Element
RSED Reusable Software Element Document
SGWLCOMP Steam Generator Water Level Compensation
SHT Subassembly Hardware Tests
SIOS standard input output simulator
SIT System Integration Tests
V&V Verification and Validation
WEC Westinghouse Electric Company