2CAN042201, Amendment 30 to the ANO Unit 2 Safety Analysis Report
| ML22124A156 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 04/27/2022 |
| From: | Sullivan J Entergy Nuclear Operations |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| 2CAN042201 | |
| Download: ML22124A156 (67) | |
Text
SECURITY RELATED INFORMATION SAR SECTION 2.8 OF ENCLOSURE 1 TO BE WITHHELD FROM PUBLIC DISCLOSURE IN ITS ENTIRETY IN ACCORDANCE WITH 10 CFR 2.390
~entergy 2CAN042201 April 27, 2022 ATTN: Document Control_ Desk U.S. Nuclear Regulatory Commission Washington, DC 20555-0001
SUBJECT:
Amendment 30 to the ANO Unit 2 Safety Analysis Report Arkansas Nuclear One, Unit 2 NRC Docket No. 50-368 Renewed Facility Operating License No. NPF-6 Joseph C. Sullivan Site Vice President Arkansas Nuclear One Tel 479-858-3110 10 CFR 50.4(b)(6) 10 CFR 50.59(d)(2) 10 CFR 50.71(e) 10 CFR 54.37(b)
In accordance with 10 CFR 50.71(e) and 10 CFR 50.4(b)(6), enclosed is Amendment 30 of the Arkansas Nuclear One, Unit 2 (ANO-2) Safety Analysis Report (SAR). Included with this update are the current ANO-2 Technical Requirements Manual (TRM) and the current ANO-2 Technical Specification (TS) Bases. The TS Bases file also includes the Table of Contents which outlines the contents of both the TSs and the TS Bases, since the Table of Contents is revised by the licensee under 10 CFR 50.59. Pursuant to 10 CFR 50.71 (e)(4), these documents are being submitted within six months following the previous ANO-2 refueling outage (2R28) which ended November 29, 2021. Summaries of changes to the ANO-2 TRM and TS Bases are included in Attachments 1 and 2 of this letter for the period beginning October 5, 2020, and ending April 27, 2022.
In accordance with NEI 98-03, "Guidelines for Updating Final Safety Analysis Reports,"
Appendix A, Section A6, a list and short description of information removed from the SAR should be included with each SAR update submittal. For this reporting period, information was not removed from the SAR meeting the criteria of either Appendix A, Sections A4 or A5, of NEI 98-03, that would require reporting in accordance with NEI 98-03, Appendix A, Section A6.
Associated in part with the post September 11, 2001 response related to security sensitive information, Entergy has reviewed the ANO-2 SAR and determined that the items in the following paragraph contain information required to be withheld from public disclosure with respect to NRC Regulatory Issue Summary (RIS) 2015-17, "Review and Submission of Updates to Final Safety Analysis Reports, Emergency Preparedness Documents, and Fire Protection Documents."
Entergy Operations, Inc., Arkansas Nuclear One (ANO), 1448 SR 333, Russellville, AR 72802 SECURITY-RELATED INFORMATION - WITH OLD UNDER 10 CFR 2.390 DOCUMENTS TRANSMITTED HEREWITH CONTAIN SENSITIVE, UNCLASSIFIED INFORMATION. WHEN SEPARATED FROM THE SENSITIVE INFORMATION, THIS DOCUMENT IS DECONTROLLED.
SECURITY RELATED INFORMATION SAR SECTION 2.8 OF ENCLOSURE 1 TO BE WITHHELD FROM PUBLIC DISCLOSURE IN ITS ENTIRETY IN ACCORDANCE WITH 10 CFR 2.390 2CAN042201 Page 2 of 4 The following information is located on SAR Pages 2.8-1 through 2.8-10:
SAR Section 2.8.1, "Flood Related Information" SAR Section 2.8.1.1, "Probable Maximum Flood Combined with Wind Wave Action" SAR Section 2.8.1.2, "Probable Maximum Flood Combined with Ozark Dam Failure" SAR Section 2.8.1.3, "Probable Maximum Flood on Streams and Rivers" SAR Section 2.8.1.3.1, "Probable Maximum Precipitation" SAR Section 2.8.1.3.2, "Precipitation Losses" SAR Section 2.8.1.3.3, "Runoff Model" SAR Section 2.8.1.3.4, "Probable Maximum Flood Flow" SAR Section 2.8.1.3.5, "Water Level Determinations" SAR Section 2.8.1.3.6, "Coincident Wind Wave Activity" SAR Section 2.8.1.3. 7, "Site Drainage System" SAR Section 2.8.1.4, "Potential Dam Failures (Seismically Induced)"
SAR Section 2.8.1.5, "Design Basis for Subsurface Hydrostatic Loadings" SAR Section 2.8.2, "Additional Nat.ural Gas Pipeline Information" SAR Section 2.8.3, "Additional New Fuel Storage Information" The above is consistent with currently redacted information from the ANO-2 SAR (reference ML20294A313, ANO-2 SAR Amendment 29). Entergy requests the aforementioned information be withheld from public disclosure in accordance with 1 O CFR 2.390. Accordingly, a complete version and a redacted version of the ANO-2 SAR are included on the enclosed compact disc (CD).
In accordance with 10 CFR 54.37(b), after a renewed license is issued, the SAR update required by 10 CFR 50.71 (e) must include any systems, structures, and components (SSCs) newly identified that would have been subject to an aging management review or evaluation of time-limited aging analyses in accordance with 10 CFR 54.21. The SAR update must describe how the effects of aging will be managed such that the intended function(s) in 10 CFR 54.4(b) will be effectively maintained during the period of extended operation. For this reporting period, no new SSCs that would have been subject to an aging management review or evaluation of
. time-limited aging analyses in accordance with 1 O CFR 54.21 were identified.
A summary of the 1 O CFR 50.59 evaluations during the reporting period is normally included with the required SAR submittal or within 30 days thereafter. Attachment 3 contains a summary of the 1 O CFR 50.59 evaluations performed for ANO-2 over the aforementioned reporting period. Attachment 4 includes a copy of the evaluations.
SECURITY-RELATED INFORMATION -WITHOLD UNDER 10 CFR 2.390 DOCUMENTS TRANSMITTED HEREWITH CONTAIN SENSITIVE, UNCLASSIFIED INFORMATION: WHEN SEPARATED FROM THE SENSITIVE INFORMATION, THIS DOCUMENT 15 DECONTROLLED.
SECURITY RELATED INFORMATION SAR SECTION 2.8 OF ENCLOSURE 1 TO BE WITHHELD FROM PUBLIC DISCLOSURE IN ITS ENTIRETY IN ACCORDANCE WITH 10 CFR 2.390 2CAN042201 Page 3 of4 includes a list of SAR pages that were updated during the period beginning October 5, 2020, and ending April 27, 2022.
\\
If you have any questions or require additional information, please contact Riley Keele, Manager, Regulatory Assurance, at 479-858-7826.
I hereby certify that to the best of my knowledge and belief, the information contained in the above Licensing Basis Documents accurately reflects changes made since the previous submittal. The changes to these documents reflect information and analyses submitted to the Commission, prepared pursuant to Commission requirements, or made under the provisions of 10 CFR 50.59. Executed on April 27, 2022.
Sincerely, JCS/mar
Enclosures:
- 1. ANO-2 SAR Amendment 30 - Un-redacted Version (CD-ROM)
- 2. ANO-2 SAR Amendment 30 - Redacted Version (CD-ROM)
- 3. ANO-2 TRM (CD-ROM)
- 4. ANO-2 TS Table of Contents and TS Bases (CD-ROM)
Attachments to cover letter:
- 1. Summary of ANO-2 TRM Changes
- 2. Summary of ANO-2 TS Bases Changes
- 3. Summary of ANO-2 10 CFR 50.59 Evaluations
- 4. 10 CFR 50.59 Evaluations-From October 5, 2020 through April 27, 2022
- 5. List of Affected SAR Pages SECURITY-RELATED INFORMATION -WITHOLD UNDER 10 CFR 2.390 DOCUMENTS TRANSMITTED HEREWITH CONTAIN SENSITIVE, UNCLASSIFIED INFORMATION. WHEN SEPARATED FROM THE SENSITIVE INFORMATION, THIS DOCUMENT IS DECONTROLLED.
SECURITY RELATED INFORMATION SAR SECTION 2.8 OF ENCLOSURE 1 TO BE WITHHELD FROM PUBLIC DISCLOSURE IN ITS ENTIRETY IN ACCORDANCE WITH 10 CFR 2.390 2CAN042201 Page 4 of 4 cc:
NRC Region IV Regional Administrator NRC Senior Resident Inspector - Arkansas Nuclear One NRC Project Manager - Arkansas Nuclear One Designated Arkansas State Official
(
SECURITY-RELATED INFORMATION -WITHOLD UNDER 10 CFR 2.390 DOCUMENTS TRANSMITTED HEREWITH CONTAIN SENSITIVE, UNCLASSIFIED INFORMATION. WHEN SEPARATED FROM THE SENSITIVE INFORMATION, THIS DOCUMENT IS DECONTROLLED.
2CANQ42201 Summary of ANO-2 TRM Changes
2CAN042201 Page 1 of 1 Summary of AN0-2 TRM Changes The following changes to the Arkansas Nuclear One, Unit 2 (ANO-2) Technical Requirements Manual (TRM) were implemented in accordance with the provisions of 10 CFR 50.59.
Because these changes were implemented without prior NRG approval, a description is provided below:
Revision Section Summary 84 85 86 Acronyms bEHC FPT MT SFDP STS TS TSTF TS Amendment 322, "Fuel Handling Accident Changes and Adoption of TSTFs 51,286,471, and 571" and 3.9.1, B 3.1.x, Licensing Basis Document Change LBDC 20-034, B 3.3.3, B 3.9.1 "Update Seismic Monitor TRM to be consistent with E-Plan Revision 45" and "Common Feedwater TRM Editorial/Clarification Changes" 3.3.2, 3.7.8, 3.7.9, 3.7.10, 3.9.2, 3.9.4, 3.9.5, B 3.3.2, TS Amendment 323, "TS Relocations" B 3.7.8, B 3.7.9, B 3.7.10, B 3.9.2, B 3.9.4, B 3.9.5 Licensing Basis Document Change LBDCR 21-030 -
Engineering Change, EC-83032 "Turbine Control System Upgrades for MT and FPT DEHC" B 3.3.4 Licensing Basis Document Change LBDCR 20-033 -
1.1, 3.0.5, B 3.0.5 "Application to Adopt a SFDP". This change also adopts the STS definition of operable/operability and modifies TRM 3.0.5 to match TS definition of operability.
Digital Electrohydraulic Control Feedwater Purrp Turbine Main Turbine Safety Function Determination Program Standard Technical Specifications Technical Specifications Technical Specification Task Force 2CAN042201 Summary of ANO-2 TS Bases Changes 2CAN042201 Page 1 of 2 Summary of AN0-2 TS Bases Changes The following changes to the Arkansas Nuclear One, Unit 2 (ANO-2) Technical Specification (TS) Bases were implemented in accordance with the provisions of 10 CFR 50.59 and the Bases Control Program of ANO-2 TS 6.5.14. Because these changes were implemented without prior NRC approval, a description is provided below:
Revision Section Summary B 3.1.1.3, B 3.3.3.1, B 3.4:1.2, B 3.4.1.3, B 3.7.6.1, B 3.811.2, B TS Amendment 322, "Updated Fuel Handling Accident 78 3.8.2.2, B 3.8.2.3, B 3.8.2.4, B 3.9.1, Analysis and Adoption of TSTFs" B 3.9.2, B 3.9.4, B 3.9.5, B 3.9.8.1 B 3.1.1.3, B 3.3.3.5, B 3.7.2.1, B 3.7.5.1, B 3.7.9.1, B 3.7.12, B 79 3.9.3.a, B 3.9.5, TS Amendment 323, "TS Relocations" B 3.9.6, B 3.9.7, B 3.11.1, B 3.11.2,
\\
B 3.11.3 80 B 3.3.1.1 TS Amendment 324, "TSTF-569, Revise Response Time Testing Definition" 81 B 3.8 Engineering Change EC-89199, "Extend Engineering Safeguards Test Frequency from 18 to 36 Months" Engineering Change EC-90212, "Allow RVCH stud 82 B 3.9.8 tensioning and de-tensioning with level above lowered inventory" B 3.0.2, B 3.0.5, B 3.0.6, B 3.3.2.1, B 3.4.6.2, B 3.6.1.2, Licensing Basis Document Change LBDCR 20-033 -
83 B 3.6.3.1, B 3.7.3.1, B 3.8.1.1, B 3.8.1.2, "Application to Adopt a SFDP" B 3.8.2.1, B 3.8.2.2, B 3.8.2.4, B 6.5.19 84 B 3.7.8 TS Amendment 328, "One-Time Change to Support Proactive Upgrade of the ECP Supply Piping" 2CAN042201 Page 2 of 2 Acronyms Emergency Cooling Pond Reactor Vessel Closure Head ECP RVCH SFDP TSTF Safety Function Determination Program Technical Specification Task Force 2CAN042201 Summary of ANO-2 10 CFR 50.59 Evaluations 2CAN042201 Page 1 of 1 Summary of 1 0 CFR 50.59 Evaluations 50.59 #
50.59 Summary 2020-004 Engineering Change EC 77577 "ANO-2 EFW Pump Woodward Governor Controls Upgrade" 2021-001 Engineering Change EC 89288 "Temporary Modification to provide Core Operating Limit Supervisory System (COLSS) 'B' Reactor Coolant Pump (RCP) Speed Signal to 'D' Core Protection Calculator (CPC)"
2021-002 Engineering Change EC 83562 "Refuel Machine Upgrade (2H-1)"
2021-003 Engineering Change EC 83032 "Turbine Control System Upgrades for Main Turbine and Main Feed Pump Turbine Digital Electro-Hydraulic Control" 2CAN042201 10 CFR 50.59 Evaluations - From October 5, 2020 through April 27, 2022 (49 Pages)
J
ANO 50.59 Evaluation 2020-004
~Entergy NUCLEAR MANAGEMENT MANUAL QUALITY RELATED INFORMATIONAL USE 10 CFR 50.59 Evaluations ATTACHMENT9.1 I.
OVERVIEW/ SIGNATURES1 Facility: Arkansas Nuclear One, Unit 2 (ANO-2)
EN-Ll-101 REV. 20 PAGE 1 OF 9 50.59 EVALUATION FORM Evaluation#/ Rev.#: 2020-004 / 0 Proposed Change / Document: EC 77577 / ANO-2 EFW Pump Woodward Governor Controls Upgrade Description of Change:
EC 77577 replaces the existing Woodward Type EGR governor control system for the ANO-2 EFW Pump 2P-7A Turbine 2K-3 with a new Woodward Model 505 governor control system. The governor valve's (2CV-0332) existing electro~hydraulic actuator is replaced with an electro-mechanical actuator: The lube oil that supplies the electro-hydraulic actuator is still needed for the turbine bearings; therefore, the electro-hydraulic actuator and EGR governor are removed and the lube oil lines are rerouted to connect directly to the lube oil pump. The analog controller for the governor is replaced with a digital controller that interfaces with the new actuator. The valve is modified using vendor design and parts to allow fit-up of the new actuator.
The new governor digital controls are housed in a new control panel, 2C143A, located in Room 2091 (relocated to be remote from EFW Pump 2P-7A to meet off-normal event environmental parameters).
The existing power source from 125 VDC Panel 2D24 is reused for the new governor system. Cables and conduits are re-routed or new ones are installed to coincide with new tie-in locations. Existing cables and conduit are reused to the extent feasible. The existing turbine control cabinet 2C143 is re-used as a termination panel for the cabling to the new governor controls. Existing speed probe 2SE-0336A-2 is replaced to accommodate a new magnetic pickup (MPU) for new station blackout (SBO) tachometer readout and two new MPUs, SE-03368-1/2, for use with the new Woodward governor control panel. All the new MPUs are provided by the vendor. Local speed indicator 2Sl-0329 on 2C143 is replaced with a new nuclear qualified 4-20 mA tachometer. Wiring for the new equipment does not impact existing alarms. The new Woodward 505 controller needs a start signal upon initiation of Emergency Feedwater.
A relay is added to cabinet 2C18 in parallel with the existing 94-0340-2 relay coil to satisfy the Woodward 505 controller's start signal requirement.
A new "Not Ready" signal is output from the 2C143A panel and provided to the control room as an EFAS
!NOP alarm by means of a second new relay (74-0340-2) in Panel 2D26. The unavailability signal is active immediately upon a shutdown of the 2K-3 turbine (i.e. removal of Steam Admission Valve open command) and remains active until the Woodward 505 Shutdown Sequence completes and approximately a 10 second delay built into the 505 control system. This informs the control room that steam pressure in the supply piping (i.e. reapplication of steam or restart of the turbine while this signal is active or in the midst of a Woodward 505 Shutdown Sequence) would risk a turbine overspeed trip (i.e.
when the MOOG Positioner is disengaged at Relay #1 low speed setting of =300 RPM allowing the Governor Valve to spring open with steam pressure present). This non-required feature is primarily an Operator aide while the train is out of service during surveillances as the signal will not prevent the pump from being started during an in-service actual start command and does not impact continuous run thereafter.
The proposed activity has the potential to adversely affect the method of performing or controlling a SAR described design function as described below:
- Entergy A TT AC HM ENT 9.1 NUCLEAR MANAGEMENT MANUAL QUALITY RELATED INFORMATIONAL USE 10 CFR 50.59 Evaluations EFW Pump Steam Turbine Governor Control System Replacement EN-Ll-101 I REV. 20 PAGE 2 OF 9 50.59 EVALUATION FORM The EFW pump turbine governor valve actuator is changed from an.electro-hydraulic actuator to an electromechanical actuator. The controller is changed from analog to digital. Unchanged is EFW Pump 2P-7 A Steam.Turbine 2K-3 overall control system "start" being accomplished by contact closure [from Emergency Feedwater Actuation Signal (EFAS) for automatic action, from a Control Room hand switch for manual Operator action]. Also unchanged is both 1) the overall control system "start" signal initiating opening of Steam Admission Valves to provide steam and motive force to the steam turbine and pump, as well as 2) the overall startup/valve sequence and setpoints (Bypass Valves open initially to provide limited steam, Main Valves begin opening 15 seconds later, system controls at Idle Speed until Main Valves get to =20% Open which initiates Ramp to Rated Speed). The exiting "start" signal; however, is now additionally provided directly to the controller for the new electromechanical actuator as an immediate electronic confirmatory permissive or "start" signal to begin control. This differs from the existing control system which begins controlling upon increased hydraulic pressure generated by a steam turbine driven hydraulic pump. In summary, the existing "start" signal (initiated from either automatic or manual actuation) to the Steam Admission Valves is now additionally provided directly to the controller which also enables the electromechanical actuator; in place of the current hydraulic pressurization from steam turbine rotation which enables the electro-hydraulic actuator. As such, one new point of failure (the added electronic control input) replaces an existing point of failure (the hydraulics) and is considered a potentially adverse impact to the method of performing or controlling a design function. SAR Section 10.4.9 acknowledges controls for automatic or manual operation from the control room (which again is related to the upstream initiation or "start" signal to the Steam Admission Valves and is unaffected).
Summary of Evaluation:
The EFW pump turbine governor valve actuator is changed from an electro-hydraulic actuator to an electromechanical actuator. The control system for the new electromechanical actuator is provided an electronic permissive or "start" signal to begin control. This differs from the existing control system which begins controlling upon increased hydraulic pressure input from Steam Turbine rotation. The existing "start" signal (whether automatic or manual start) to the Steam Admission Valves is additionally provided directly to the controller. The governor response is not changed and will continue to modulate as necessary to maintain existing speed setpoints, with the only difference being a digital controller using an electromechanical actuator rather than an analog controller using an electro-hydraulic actuator. All power, control, instrumentation, and special cables installed are manufactured and tested in accordance with standards for Class 1 E cables and appropriate isolation devices are installed to ensure adequate physical and electrical separation is maintained. Therefore, the proposed activity does not result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR.
The EFW System is credited in response to accidents but is not an accident initiator. Failure effects associated with loss of EFW Turbine Driven Pump 2P-7A are previously evaluated in the SAR. In the event of a failure of EFW Turbine Driven Pump 2P-7A, EFW will be provided by Motor Driven Pump 2P-7B. The proposed activity does not introduce a common mode failure to both trains of the EFW system.
Based on the results of this 50.59 Evaluation, the proposed activity does not require prior NRC review and approval.
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 3 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM Is the validity of this Evaluation dependent on any other change?
D Yes
[gl No If "Yes," list the required changes/submittals. The changes covered by this 50.59 Evaluation cannot be implemented without approval of the other identified changes (e.g., license amendment request). Establish an appropriate notification mechanism to ensure this action is completed.
Based on the results of this 50.59 Evaluation, does the proposed change require prior NRC approval?
D Yes
[gl No
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20 I
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 4OF 9 ATTACHMENT 9.1 Preparer1*2:
Reviewer1*2:
Independent Review1*3:
Responsible Manager Concurrence1:
50.59 Program Coordinator Concurrence 1:
10 CFR 50.59 Evaluations 50.59 EVALUATION FORM*
Casey McCurrin / ORIGINAL SIGNED DIGITALLY / ENERCON / Design / 11-04-20 Name (print) / Signature / Company / Department I Date Rhouis Eric Allen / ORIGINAL SIGNED DIGITALLY / Entergy / DE-l&C / 11-04-20 Name (print) / Signature / Company / Department I Date N/A Name (print) / Signature / Company / Department I Date T. Hatfield I ORIGINAL SIGNED DIGITALLY / Entergy / Design Eng. / 11-04-20 Name (print) / Signature / Company / Department I Date David Bice/ see email below/ EOI / Regulatory Assurance/ 11-04-2020 Name (print) / Signature / Company / Department / Date Brian Patrick / ORIGINAL SIGNED BY BRIAN PATRICK / 11-05-20 Chairman's Name (print) / Signature / Date [GGNS P-33633, P-34230, & P-34420; W3 P-151]
2020-014 OSRC Meeting #
1 The printed name should be included on the form when using electronic means for signature or if the handwritten signature is illegible. Signatures may be obtained via electronic authentication, manual methods (e.g., ink signature), e-mail, or telecommunication. Signing documents with indication to look at another system for signatures is not acceptable such as "See EC" or "See Asset Suite." Electronic signatures from other systems are only allowed if they are included with the documentation being submitted for capture in eB (e,g., if using an e-mail, attach it to this form; if using Asset Suite, attach a screenshot of the electronic signature(s); if using PCRS, attach a copy of the completed corrective action).
2 Either the Preparer or Reviewer will be a current Entergy employee.
3 If required by Section 5.1 [2].
NUCLEAR QUALITY RELATED
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE 10 CFR 50.59 Evaluations ATTACHMENT 9.1 EMAILS From: BICE, DAVID B (ANO) <DBICE@entergy.com>
Sent: Wednesday, November 4, 2020 10:34 AM EN-Ll-101 I REV. 20 I
PAGE 5OF 9 50.59 EVALUATION FORM To: Casey McCurrin <cmccurrin@enercon.com>; ALLEN, RHOUIS E <RALLEN4@entergy.com>
Cc: Jeff Dietz <JDIETZ@ENERCON.COM>
Subject:
RE: ACTION REQ'D: 50.59 Eval Signature ASAP: EC 77577- (EFWWoodward Governor Replacement)will this EC make the PO12 milestone date of 11/5/2020?
I have reviewed the 5059 evaluation associated with EC 77577 and concur. This email may be used as my approval of the document. Thanks.
David Bice ANO Regulatory Assurance 5059 Program Coordinator
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 6OF9 10 CFR 50.59 Evaluations ATTACHMENT9.1 50.59 EVALUATION FORM II.
50.59 EVALUATION [10 CFR 50.59(c)(2)]
Does the proposed Change being evaluated represent a change to a method of evaluation ONLY? If "Yes," Questions 1 - 7 are not applicable; answer only Question 8. If "No," answer all questions below.
D Yes IZI No Does the proposed Change:
- 1.
Result in more than a minimal increase in the frequency of occurrence of an accident previously e'(aluated in the SAR?
D Yes IZI No
- 2.
BASIS:
The EFW System is credited in response to accidents but is not an accident initiator. Therefore, the proposed activity does not result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the SAR.
Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the SAR?
BASIS:
D Yes IZI No The new controller and the new electromechanical actuator are now provided the existing overall "start" signal as an additional electronic permissive to begin control. This differs from the existing controller and electro-hydraulic actuator which began controlling upon increased hydraulic pressure input from the Steam Turbine rotation. This control input change represents a change in a point of failure although the signal comes from the same Safety Related relays that control the Steam Admission Valves. However, this new potential failure is mitigated by the inherently robust 1 E design and is equivalent to the potential failure of the existing electro-hydraulic control system which is required to pressurize (analog equivalent of a "start" signal) and regulate the normally open governor valve during initial steam admission. In reality, the new electromechanical system with its faster and more.responsive capability is arguably superior to the old electro-hydraulic system with its relatively slower responsiveness and potential for hydraulic contamination related issues. Therefore, the addition of an electrical start/enable signal being applied to the new electromechanical actuator/controller effectively in place of an existing hydraulic start/enable signal to the existing electro-hydraulic actuator/controller does not result in more than a negligible increase in the likelihood that the governor controls would fail and lead to an overspeed trip of the steam-driven EFW pump following EFW actuation.
The controller "start" signal is a Safety Related signal achieved through contacts from Safety Related relays. A new nuclear-qualified relay (94-0340-2A) is added to Panel 2D26 which communicates *
(via existing cables) with the existing 94-0340-2 relay in 2C18. The 94-0340-2 relay provides the open signal to the steam admission (bypass/main) Valves 2CV-0205-2 and 2CV-0340-2 upon initiation of the EFW system. Essentially, the same signal that opens the valves to provide steam pressure to "start" the existing analog controller will now simultaneously "start" the digital controller
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 7 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM to provide the same functionality. This satisfies the start signal to the Woodward 505 controller and initiation of initial run at "Idle" speed. A secondary ramp signal comes from the opening of the main steam admission valve, 2CV-0340-2 at 20% and initiates ramp up to and run at "Rated" speed, called the "Ramp Start" signal. The currently installed EFW governor start-up sequence is not changed. Steam admission (bypass/main) valves get an open signal for supply of steam and initial run at "Idle" speed with bypass opening first and main opening 15 seconds later. Then, when the main admission valve reaches 20% open, the controller ramps up to and runs at "Rated" speed. The only change is the addition of the new electric start signal to the controller. It is noted, however, that the added controller "start" input is the same as the existing "start" signal to the steam admission valves but is now also provided as a direct input to the controller.
The governor response is not changed and will continue to modulate as necessary to maintain existing speed setpoints, with the only difference being a digital controller using an electromechanical actuator rather than an analog controller using an electro-hydraulic actuator.
Additionally, all power, control, instrumentation, and special cables associated with EC 77577 are procured and installed per quality-related specifications. The existing "start" signal (whether automatic or manual start) to the Steam Admission Valves as a parallel "start" permissive directly to the controller is no more likely to fail than the current hydraulic pressure buildup allowing the governor to begin control. It is already an overall "start" signal for the application of steam and will now also input directly to the controller, but such specifics are beyond the level of detail of the licensing basis documentation. In the event of failure of automatic initiating circuitry, the system is capable of manual actuation from the control room (which is related to the upstream initiation or "start" signal to the Steam Admission Valves and is unaffected).
Therefore, the proposed activity does not result in more than minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component important to safety previously evaluated in the SAR.
- 3.
Result in more than a minimal increase in the. consequences of an accident previously evaluated in the SAR?
BASIS:
D Yes
~ No Failure effects associated with loss of EFW Turbine Driven Pump 2P-7A a.re evaluated in ANO-2 SAR Table 10.4-11. In the event of a failure of EFW Turbine Driven Pump 2P-7 A, emergency feedwater will be provided by the EFW Motor Driven Pump 2P-78. The proposed activity does not introduce a common mode failure to both trains of the EFW system. Therefore, the proposed activity does not result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR.
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20 MANAGEMENT
~Entergy MANUAL INFORMATIONAL USE PAGE 8OF9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM
- 4.
Result in more.than a minimal increase in the 6onsequences ofa malfunction of an SSC important to safety previously evaluated in the SAR?
BASIS:
D Yes r8J No Failure effects associated with loss of EFW Turbine Driven Pump 2P~7A are evaluated in ANO-2 SAR Table 10.4-11. In the event of a failure of Turbine Driven Pump P-7 A, EFW will be provided by the Motor Driven Pump 2P-7B. The proposed activity does not introduce a common mode failure to both trains of the EFW system. Therefore, the proposed activity does not result in more than a minimal increase in the consequences of a malfunction of a structure, system, or component in:iportant to safety previously evaluated in the SAR.
- 5.
Create a possibility for an accident of a different type than any previously evaluated in the D Yes SAR?
rgj No BASIS:
The proposed activity does not involve an accident initiator or failure not considered in the SAR and
\\,
is bounded by the existing single failure analysis for the EFW pumps. Therefore, the proposed activity does not create a possibility for an accident of a different type than previously evaluated in the SAR.
- 6.
Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the SAR?
BASIS:
D Yes r8J No Single failure analysis of the EFW system is provided in ANO-2 SAR Table 10.4-11. Failure effects associated with loss of EFW Turbine Driven Pump 2P-7A for a number of reasons (turbine failure, steam supply failure, pump failure, piping failure, etc.) are considered. In the event of a failure of Turbine Driven Pump 2P-7A, EFW will b\\:l provided by the Motor Driven Pump 2P-7B. The proposed activity does not introduce a common mode failure to both trains of the EFW system and is bounded by the most limiting effect which results in a loss of EFW Turbine Driven Pump 2P-7A. Therefore, the proposed activity does not create a possibility for a malfunction of a structure, system, or component important to safety with a different result than any previously evaluated in the SAR.
- 7.
Result in a design basis limit for a fission product barrier as described in the SAR being exceeded or altered?
BASIS:
D Yes r8J No The proposed activity does not affect design basis limits for fuel cladding, reactor coolant system boundaries, or containment pressure. Therefore, the proposed activity does not result in a design basis limit for a fission product barrier as described in the SAR being exceeded or altered.
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 9 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM
- 8.
Result in a departure from a method of evaluation described in the SAR used in establishing the design bases or in the safety analyses?
D Yes
[gj No BASIS:
This activity implements and installs a replacement EFW Pump Turbine governor control system and governor valve interface (stem, bonnet, and actuator). The bases calculations provided within the EC aren't required to utilize any calculational methodologies specified within the SAR to establish design bases function., The calculational methodology used for these types of qualifications are not specified within _the SAR and are consistent with industry standards. Therefore, the proposed change being evaluated does not result in a departure from a method of evaluation described in the SAR used in establishing the design bases or in the safety analyses.
If any of the above questions is checked "Yes," obtain NRC approval prior to implementing the change by initiating a change to the Operating License in accordance with NMM Procedure EN-Ll-103.
ANO 50.59 Evaluation 2021-001
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 1 OF 11 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM I.
OVERVIEW/ SIGNATURES1 Facility: ANO-Unit 2 Evaluation # / Rev. #: 2021-001 / 0 Proposed Change I Document:
EC-89288, TMOD to provide COLSS 'B' RCP Speed Signal to 'D' CPC Description of Change:
Due to intermittent failure of 'B' Reactor Coolant Pump (RCP) speed sensor input to the 'D' Core Protection Calculator (CPC) (protection system), the alternate RCP speed cable and sensor currently used as input to the Core Operating Limits Supervisory System (COLSS) (monitoring system) will be used to support RCP speed input to the 'D' CPC channel. A temporary modification is developed as a compensatory measure to allow use one of the RCP speed sensors, cable, and transmitter, currently providing input to the COLSS, as input to the 'D' CPC through the CPC transmitter enclosure located at the secondary shield wall inside containment.
Summary of Evaluation:
The Reactor Protective System (RPS) consists of sensors calculators, logic, switchgear, and other equipment necessary to monitor selected Nuclear Steam Supply System (NSSS) conditions and to effect reliable and rapid reactor shutdown (reactor trip) if any one or a combination of the monitored conditions reach a limiting safety system setting. The system functions are to protect the core (fuel design limits) and Reactor Coolant System (RCS) pressure boundary for anticipated operational occurrences (AOOs).
These same features include the capability of the RPS to operate, if need be, with up to two channels out of service (one bypassed and another tripped) and still meet the single failure criteria. The only operating restriction while in this condition (effectively one-out-of-two logic) is that no provision is made to bypass another channel for periodic maintenance. The system logic must be restored to at least a two-out-of-three condition prior to removing another channel for maintenance.
Various pressures, levels, and temperatures associated with the NSSS and the containment building are continuously monitored to provide signals to the RPS trip bistables. All protective parameters are measured with four independent and isolated process instrument channels. A typical protective channel consists of a sensor and transmitter, instrument power supply and current loop resistors, indicating meter and/or recorder, and trip bistable/calculator inputs. The status of each trip parameter is checked at the bistable level of the RPS. When a parameter reaches its respective trip value, the bistable logic generates contact opening signals to the logic matrices.
The wiring and components of each channel are physically and electrically separated from that of other like protective channels to provide independence. The output of each transmitter is typically an ungrounded current loop which has a live zero. The nuclear instruments provide a pulsed and current signal. The RCP speed sensors provide a pulsed signal. Signal isolation is provided for computer inputs and control board indicators. Each channel is powered from a separate vital bus.
The design function of the CPC is to monitor pertinent reactor core conditions and to provide an accurate, highly reliable means of initiating a reactor trip whenever the minimum core departure from nucleate boiling ratio (DNBR) approaches the design limit or peak local power density (LPD) approaches the fuel design limit, during reactor operation.
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~Entergy MANA GEM.ENT MANUAL INFORMATIONAL USE PAGE 2 OF 11 10 CFR 50.59 Evaluations ATTACHMENT9.1 50.59 EVALUATION FORM Four independentCPCs are provided, one in each protection channel. Calculation of DNBR and LPD is performed in each CPC, utilizing the input signals described below. The DNBR and LPD so calculated are compared to trip setpoints for initiation of a low DNBR trip or a high LPD trip.
A 2-out-of-4 coincidence of like trip signals is required to generate a reactor trip signal. A fuel design limit on DNBR is specified to protect the fuel cladding as discussed in Sections 4.4 of the SAR and the TSs.
The RPS provides a trip on low DNBR, which ensures that this Specified Acceptable Fuel Design Limit (SAFDL) is not exceeded for AOOs. Since DNBR cannot be directly measured, it is calculated as a function of several physical parameters. One of these physical parameters is core coolant mass flow rate.
The mass flow rate is obtained in the RPS using the pump speed inputs from the four RCPs, and the core inlet and outlet temperatures. The flow rate through each RCP is dependent upon the rotational speed of the pump and the pump head. This relationship is typically shown in pump characteristic curves. Flow changes resulting from changes in the loop flow resistance occur slowly due to core crud buildup, increase in steam generator resistance, etc. Calibration of the pump speed signal, relating pump rotational speed to flow, is performed periodically.
Flow reductions associated with pump speed reductions are more rapid than those produced from loop flow resistance changes. The pump rotational speed signal is converted to a pump flow using mathematical relationships based on pump characteristics and periodic loop flow calibrations. For those flow transients discussed in Chapter 15 of the SAR, these mathematical relationships are shown to produce a conservative value offlow relative to the flow calculated with the pump transient. The loop flow rates (normalized to design flow rates) calculated for each pump are summed to give a normalized core mass flow rate.
\\
These signals are transmitted to the CPCs which compute the flow rate. Adequate separation between probes is provided. The temporary RCP speed sensor circuit will not be routed in conformance with SAR Section 8.3.1.4.3 with the exception 'that the now safety related COLSS RCP speed signal cable will be run in non-safety related cable trays with non-safety related cables. These cables have been evaluated and determined that they are all low-l~vel instrumentation cables, none are safe-shutdown or constitute a safety channel, and. all are associated with the blue channel. These cables will become associated circuits as discussed in IEEE 384-1974, Section 4.6. IEEE 384°1974, Section 4.6.2, specifically states that non-Class 1 E instrumentation and control circuits are not required to be separated from associated*
circuits. Each channel is powered from a separate vital AC bus. This assures the independence of the redundant speed signals and RPS channels. SAR Sections 7.1.2.3 and 8.3.1.4.4 discuss specific labeling requirements for safety-related cables and cable trays, The COLSS cables and cable trays within the D-ring will not conform to these labeling requirements. As these cables and trays are inaccessible at power and this temporary modification is not expected to remain installed past the next ANO-2 refueling outage, it is acceptable that these cables and trays not meet the specific labeling requirements for safety related equipment.
A low DNBR trip, Variable Overpower Trip (VOPT), or RCP low speed trip will be initiated in the event of flow reduction transients caused by pump speed changes such as the 4-pump loss of coolant flow and the single RCP shaft seizure (see SAR Section 15.1.5). Anticipated flow reductions due to changes in the coolant loop resistance or pump wear occur more slowly and are small in magnitude. These reductions are monitored using instrumentation which is not part of the RCP speed sensing system.
I This method for measurement of coolant mass flow rate satisfies Section 4.8 of IEEE 279-1971. It also satisfies the below listed design bases for the anticipated transients and postulated accidents considered in Chapter 15.
~Entergy ATTACHMENT9.1 NUCLEAR MANAGEMENT MANUAL QUALITY RELATED INFORMATIONAL USE 10 CFR 50.59 Evaluations EN-Ll-101 REV. 20 PAGE 3 OF 11 50.59 EVALUATION FORM Each RCP has four independent, separate proximity sensors mounted in the RCP motor housing. The rotational speed of the RCP is measured by locating the proximity sensor near a disc that is attached to the shaft of the RCP motor. The disc has holes drilled at equidistant locations about its circumference. As the disc rotates, the proximity pickup senses the absence of metal at the location of each hole.
The signal processing equipment associated with the proximity sensor channel converts the signals from the sensor to voltage levels that correspond to the presence and absence of metal. Each voltage pulse that corresponds to a disc hole passing the probe is then conditioned to a standard pulse of fixed duration and voltage magnitude by the pulse shaping unit. The pulse output of the pulse shaping unit is conditioned by a "divide by N" circuit and is then utilized as an input to the CPC. This processing equipment also checks the input to see if it is in range or out of range. If the signal is out of r~nge a sensor failure alarm is generated.
Each scanning device produces a voltage pulse signal, the frequency of which is proportional to pump speed.
One revolution of the RCP shaft results in the production of 44 distinct pulses. The expected pulse amplitude is 10 volts. The pulse width is a function of the RCP speed. The expected pulse width at an operating speed of 891 rpm is 0.57 millisecond and the time between successive pulses will be 1.52 milliseconds.
Category 1 instrumentation and electrical equipment supplied by Combustion Engineering (CE) is designed such that it can meet the seismic qualification requirements established in IEEE 344-1971.
A CE Topical Report, CENPD-182, "Seismic Qualification of CE Instrumentation and Electric Equipment" was submitted in Decemoer, 1975. The seismic qualification program, upon which CENPD'-182 is based, was intended to satisfy the methods presented in Standard Review Plan (NRG NUREG 0800);
Section 3.10. This plan is divided into two sections, the first section referencing IEEE Standard 344-1971 and the second section referencing IEEE Standard 344-1975. This topical report presents a summary of the CE seismic qualification program utilized to demonstrate the seismic design adequacy of the instrumentation and control equipment supplied by CE.
The CPCs are seismically qualified; therefore, the CPC system is expected to be operable before, during, and after a seismic event. The safety-related features of seismic Category I equipment must operate as necessary to perform the intended function. By original design (as discussed in the aforementioned topical report), the RCP speed sensors, cabling, etc., (inputs to the CPCs) were also installed as seismic Category I components.
Each of the four redundant CPCs provides a contact opening to the RPS at the bistable level. A failure of
\\
one of the CPCs in the tripped condition will cause the reactor trip logic to revert to a 1-out-of-3 coincidence. Three intact calculators would remain to monitor the input parameters of which only on!3 is.
required to operate to effect a reactor trip (since the failed channel would already be tripped). If the failed channel is bypassed, then the reactor trip logic becomes 2-out-of-3. In this instance, the system can tolerate another single failure and still initiate a valid reactor trip. In summary, a single failure of the CPC that results in a failure to initiate a reactor trip will not cause loss of functional capability since only two of the three remaining channels are required to effect a reactor trip.
The COLSS consists of process instrumentation and algorithms used to continually monitor the limiting conditions for operation on:
A.
Peak linear heat rate (LHR);
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 4 OF 11 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM B.
Margin to Departure from Nucleate-Soiling (DNB);
C.
Total core power; and, D.
Azimuthal tilt.
The COLSS continually calculates DNB margin, peak LHR, total core power, and azimuthal tilt magnitude and compares the calculated values to the TS Limiting Condition for Operation on these parameters. If an LCO is exceeded for any of these parameters, a COLSS alarm is initiated and operator action is taken as required by the TSs. The COLSS is not seismically qualified or safety-related.
While the RPS functions to initiate a reactor trip at the specified limiting safety system settings, the COLSS is not required for plant safety since it does not initiate any direct safety-related function during anticipated operational occurrences or postulated accidents. The TSs define the LCO required to ensure that reactor-*
core conditions during operation are no more severe than the initial conditions assumed in the safety analyses and in the design of the low DNBR and high LPD trips. The COLSS serves to monitor reactor core conditions in an efficient manner and provides indication and alarm functions to aid the operator in maintenance of core conditions within the LCOs given in the TSs. When COLSS is out of service, certain TS action statements become applicable.
One of the algorithms performed in COLSS is the reactor coolant volumetric flow rate. The margin to DNB is a function of the reactor coolant volumetric flow rate. RCP rotational speed signals and pump differential pressure signals are monitored by COLSS and used to calculate the volumetric flow rate.
There are two COLSS RCP speed sensors for each RCP. Sensor validity checks are performed by COLSS on those measured input parameters used in the COLSS calculations. The validity checks consist of checking sensor inputs against the following criteria:
A.
Sensor out of range; and, B.
Deviations between like sensors:
If one of the two sensors' input is determined to be non-valid, it is automatically replaced by the redundant sensor's input.
Due to intermittent faiiure of 'B' RCP speed sensor input to the *b* CPC, the alternate RCP speed cable and sensor currently used as input to the COLSS will be used to support RCP speed input to the 'D" CPC channel. A temporary modification is developed as a compensatory measure to allow use one of the RCP speed sensors, cable, and transmitter, currently providing input to the COLSS, as input to the 'D' CPC through the CPC transmitter enclosure located at the secondary shield wall inside containment. /
The 'D' channel is plac;::ed in bypass, as allowed by the Technical Specifications (TSs), when intermittent failures of the 'B' RCP speed sensor occur. The concern is when a surveillance is performed on one of the other three channels, the 'D' CPC channel must be placed in a tripped status to allow the channel under surveillance to be placed in bypass. This leaves the system in a one-out-of-two reactor trip configuration.
The proposed temporary modification will utilize the output of the COLSS transmitter on the biological shield wall. A temporary cable will then be routed to the 'D' CPC transmitter enclosure and landed on the terminal block to connect to the CPC input. There are no changes proposed to the CPCs or COLSS hardware or software; therefore, there are no impacts on the uncertainties used in the calculations
~Entergy NUCLEAR MANAGEMENT MANUAL QUALITY RELATED EN-Ll-101 REV. 20 INFORMATIONAL USE PAGE 5 OF 11 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM performed in the CPCs and COLSS and the resulting values are not impacted. COLSS and CPCs remain independent of each other A "dummy" value will be provided as input to COLSS for the alternate RCP speed 'indication.
EC-78244 replaced the entire RCP Shaft Speed Senso'r system in 2R27. The EC replaced all 24 of the probes, the extension cable, the proximitor, the signal processing assembly including the regulator, the pulse shaper and the power supply. The EC installed components that are safety related (CPCs) and non-safety related (COLSS).
It should be noted that this temporary modification impacts only the '8' RCP speed input signal to the
'D' CPC. All the other inputs to this channel are not impacted. No other hardware chan'ge to the CPCs or COLSS is being proposed. This modification does not impact any of the software or data (i.e., input validity check algorithm, the pump curves, or the uncertainties) stored in the CPCs or COLSS.
With the installation of this temporary modification, the 'D' CPC channel will be returned to an operable status (i.e., perform its safety function) with respect to the intermittent speed sensor failures described above. This one input to one channel of the CPCs will not be conforming to its original design following installation of the temporary modification. The non-conformance is due to the fact the CPC system is originally designed to be seismically qualified from the sensor to the CPC. The routing of the cable used by COLSS inside the biological shield is routed through a non-seismically qualified cable tray.
If the proposed modification fails (i.e., the RCP speed indication from COLSS to the 'D' CPC channel fails) in a seismic event, that channel will provide a trip signal as designed. The proposed modification does not impact any of the other three channels of CPCs or any other inputs to the 'D' cpc channel. Because failure of the COLSS RCP speed sensor would result in a trip of the 'D' CPC channel, the design function
.and the TS requirements of the CPC are maintained.
This temporary modification does not apply or alter any method of evaluation of a design function as described in the SAR. However, because a non-seismically qualified RCP speed signal (COLSS input) will temporarily be used as input to the 'D' CPC, the modification is conservatively considered adverse to the method of performing or controlling the design function of the CPCs; therefore, a 10 CFR 50.59 evaluation has been performed.
Is the validity of this Evaluation dependent on any other change?
D Yes
[8J No If "Yes," list the required changes/subm1ttals. The changes covered by this 50.59 Evaluation cannot be implemented without approval of the other identified changes (e.g., license amendment request). Establish an appropriate notification mechanism to ensure this action is completed.
Based on the results of this 50.59 Evaluation, does the proposed change require prior NRC approval?
D Yes
[8J No
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~E,,,tergy MANAGEMENT
!'JIANUAL INFORMATIONAL USE PAGE 6 OF 11 ATTACHMENT9.1 Preparer1*2:
Reviewer1*2 :
Independent Review1*3:
Responsible Manager Concurrence 1:
50.59 Program Coordinator Concurrence 1:
1 O CFR 50.59 Evaluations 50.59 EVALUATION FORM Robert W. Clark / see email below I EOI / Regulatory Assurance / 03-09-21 Name (print) / Signature / Company / Department I Date David Bice / see email below I EOI / Regulatory Assurance / 03-09-21 Name (print) / Signature / Company / Department I Date N/A Name (print) / Signature / Company / Department / Date Bryan Daiber I see email below I EOI / Manager, Systems Engineering / 03-10-21 Name (print) / Signature / Company / Department / Date Michael Hall / see email below I EOI / Regulatory Assurance / 03-10-21 Name (print) / Signature / Company / Department / Date Brian Patrick / see OSRC Meeting Minutes / 04-02-21 Chairman's Name (print) / Signature / Date [GGNS P-33633, P-34230, & P-34420; W3 P-151]
2021-006 OSRC Meeting #
1 The printed name should be included on the form when using electronic means for signature or if the handwritten signature is illegible. Signatures may be obtained via electronic authentication, manual methods (e.g., ink signature), e-mail, or telecommunication. Signing documents with indication to look at another system for signatures is not acceptable such as "See EC" or "See Asset Suite." Electronic signatures from other systems are only allowed if they are included with the documentation being submitted for capture in eB (e.g., if using an e-mail, attach it to this form; if using Asset Suite, attach a screenshot of the electronic signature(s); if using PCRS, attach a copy of the completed corrective action).
2 Either the Preparer or Reviewer will be a current Entergy employee.
3 If required by Section 5.1 [2].
NUCLEAR QUALITY RELATED
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE 10 CFR 50.59 Evaluations ATTACHMENT9.1 EMAILS From: Clark, Robert <RCLARK@entergy.com>
Sent: Tuesday, March 9, 2021 11 :32 AM To: BICE, DAVID 8 (ANO) <DBICE@entergy.com>
Subject:
CPC Temporary Modification 10 CFR 50.59 Evaluation EN-Ll-101 REV. 20 PAGE 7 OF 11 50.59 EVALUATION FORM I am requesting you to perform peer review of the attached 50.59 Evaluation. The evaluation is associated with EC 89228, the temporary modification to the CPCs.
From: BICE, DAVID 8 (ANO)
Sent: Tuesday, March 9, 2021 11 :47 AM To: Clark, Robert <RCLARK@entergy.com>
Subject:
RE: CPC Temporary Modification 10 CFR 50.59 Evaluation I have reviewed and concur with the 5059 associated with EC 89228. This email represents the Reviewer signature on the subject 5059 form.
From: Hall, Michael Sent: Wednesday, March 10, 2021 10:01 AM To: Clark, Robert Cc: SMITH, JEANNIE M; Daiber, Bryan
Subject:
RE: 10 CFR 50.59 Evaluation I have reviewed the 50.59 for the EC-89228, TMOD to provide COLSS 'B' RCP Speed Signal to 'D' CPC.
This email represents the 50.59 Program Coordinator Concurrence signature on the 5059 form.
From: Daiber, Bryan Sent: Wednesday, March 10, 2021 6:12 PM To: Clark, Robert; Hall, Michael Cc: SMITH, JEANNIE M
Subject:
RE: 10 CFR 50.59 Evaluation I have reviewed the 1 0CFR50.59 evaluation that was attached and approve with no comments.
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 8 OF 11 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM II.
50.59 EVALUATION [10 CFR 50.59(c)(2)]
Does the proposed Change being evaluated represent a change to a method of evaluation ONLY? If "Yes," Questions 1 - 7 are not applicable; answer only Question 8. If "No," answer all questions below.
D Yes
~ No Does the proposed Change:
- 1.
Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the SAR?
D Yes
~ No
- 2.
BASIS:
The CPCs, as a core protection system, provide two trip signals out of several potential trip signals to mitigate accidents evaluated in the ANO-2 SAR based on process inputs, including the RCP speed for each RCP. These process inputs and the CPCs are not initiators for any accident evaluated in the SAR.
The monitoring system, COLSS, does not initiate any automatic protection actions and is not an initiator for any accident. The loss of COLSS is an anticipated operating occurrence. This temporary modification does not impact the frequency of this occurrence.
The proposed temporary modification does not require any changes to plant equipment or modes of operation. The initiators to accidents previously evaluated in the ANO-2 SAR are not affected and the probability of an accident is not increased due to the proposed temporary modification Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component (SSC) important to safety previously evaluated in the SAR?
BASIS:
D Yes
~ No The proposed temporary modification will route a cable from one of the two 'B' RCP speed sensors that is currently used by COLSS to the 'D' CPC channel using a routing that is not seismically qualified. This modification does not impact any internal hardware of the CPCs or COLSS. The software and data stored in the CPCs and COLSS is not altered by this modification. No other input signals to the 'D' CPC channel are impacted.
The algorithm for the input validity checks is not altered by this modification. The pump-specific curve and uncertainties stored in the CPCs and COLSS that are used in the calculations performed by the CPCs and COLSS are not impacted by this modification, The RCP speed probe generates a sinusoidal waveform. The waveform has a specific amplitude and triggers a count in the pulse counter card at a certain voltage threshold on the either the rising or falling edge of the signal. The sinusoidal nature of the signal is generated by a proximity sensor on the RCP but the voltage source is generated by the proximitor on the outside of the D-Ring wall.
QUALITY RELATED EN-Ll-101 REV. 20 NUCLEAR MANAGEMENT
~Entergy MANUAL INFORMATIONAL USE PAGE 9 OF 11 10 CFR 50.59 Evaluations ATTACHMENT9.1 50.59 EVALUATION FORM A seismic event causing a false signal in the cable is not considered to be credible due to the requirement of having to match the waveform and the signal amplitude to match an operating RCP.
In addition, the loss of the speed signal will result in a trip being generated by the CPC channel; therefore, the non-seismicity of the COLSS related RCP speed signal will not prevent the CPC frOIT"!
performing its design function.
No other changes in the assumptions concerning the SSC important to safety availability or failure modes were made in the proposed change. The SSCs will be maintained and operated within the licensing basis for AN0-2 and does not impact the design function of the CPCs. Based on the above discussion, the proposed temporary modification will not result in more than a minimal increase in'the likelihood of an SSC important to safety malfunctioning..
- 3.
Result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR?
BASIS:
D Yes C8J No The proposed temporary modification does not prevent the CPCs from performing the associated design functions credited in the SAR. The proposed modification does not alter any assumptions or inputs to any radiological dose calculations. The results of the radiological dose calculations remain the same.
(
No changes in the radiological release rate/ duration and no new release mechanisms result due to the installation of the proposed temporary modification and no impact to any of the radiation release barriers will occur due to the implementation of the proposed change. Based on the above, the proposed temporary modification will not result in more than a minimal increase in the consequences of an accident previously evaluated in the SAR.
- 4.
Result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the SAR?
BASIS:
D Yes C8J No The proposed temporary modification will restore one channel of CPC to an operable status with respect to the intermittent failures of the 'B' RCP speed signal and not impact the operability of COLSS. The proposed change does not conform to the original design for the CPCs (RCP speed signal input seismically qualified); however, it does allow the CPC channel to perform its design function.
The proposed temporary modification does not alter any SSC that would introduce a new accident initiator or failure mechanism that has not already been considered in the SAR. Because the CPC will continue to provide appropriate trip signals as designed and because the malfunction of any CPC channel as considered in the SAR is not altered, the temporary modification will not result in
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 10 OF 11 10 CFR 50.59 Evaluations ATTACHMENT9.1 50.59 EVALUATION FORM more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the SAR.
- 5.
Create a possibility for an accident of a different type than any previously evaluated in the D Yes SAR?
[8'.I No BASIS:
The CPC process inputs and the function of the CPCs are not accident initiators. Tt,e loss of an RCP speed input to the CPCs will result in a trip of that channel of the CPCs as designed.
The loss of COLSS is an anticipated operating occurrence. When COLSS is out of service, certain TS action statements become applicable.
The proposed temporary modification does not alter any SSC that would introduce a new accident initiator or failure mechanism that has not already been considered in the SAR. The possibility for an accident of a different type than any previously evaluated in the SAR will not be created by the introduction of the proposed change:
.6.
Create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the SAR?
BASIS:
D Yes
[8'.I No This temporary modification impacts the CPCs and COLSS. CPCs are important to safety while the COLSS is not safety-related. The proposed modification does temporarily modify the design of one RCP speed signal input to one channel of the CPCs. The proposed modification utilizes a cable routing through a non-seismically qualified pathway. The CPC system is itself remains seismically qualified. No other input signals to the 'D' CPC channel are impacted by the proposed temporary modification.
If the proposed modification fails (i.e., the RCP speed indication to one CPC channel fails) in a seismic event, that CPC channel will provide a trip signal as designed. The proposed modification does not impact any of the other three channels of CPCs or any other inputs to this channel. There are no other credible new failures introduced by the proposed change.
The CPCs and COLSS are independent of each other. A failure of COLSS will not impact the design function of the CPCs as described in the SAR. Furthermore, the failure of one CPC channel will not result in preventing a reactor trip since only 2 of the 4 channels are needed to effect a trip.
Therefore, the proposed change will not create the possibility for a malfunction of an SSC important to safety that has a different result than those already evaluated in the SAR.
NUCLEAR QUALITY RELATED EN-Ll-101 REV. 20 MANAGEMENT
~Entergy MANUAL INFORMATIONAL USE PAGE 11 OF 11 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM
- 7.
Result in a design basis limit for a fission product barrier as described in the SAR being exceeded or altered?
BASIS:
D Yes
~ No The CPCs are designed to protect the fuel from reaching or exceeding the design basis limits of the fuel. With the implementation of this temporary modification, the CPCs will continue to perform as designed. This proposed modification does not impact any of the fission product barriers.
~
COLSS will continue to monitor the parameters associated with the core and alert the operators to any challenges to the fuel. The fission product barriers are not impacted by the proposed changes to COLSS.
The proposed temporary modification does not result in a SAR described design basis limit for a fission product barrier being exceeded or altered.
- 8.
Result in a departure from a method of evaluation described in the SAR used in establishing the design bases or in the safety analyses?
BASIS:
D Yes
~ No With the implementation of the proposed temporary modification, there are no changes to the CPC or COLSS hardware or software. The DNBR and LPD calculations will continue to be performed in accordance with the design and licensing basis.
This temporary modification does use a cable routing that is partially not seismically qualified. The CPCs are a seismically qualified system. As discussed previously, if this cable was to fail and the RCP speed signal was lost to the 'D' CPC, the CPC would still perform its design function of providing a channel trip as described in the SAR. In accordance with the guidance provided in NEI 96-07, "Guidelines for 10 CFR 50.59 Implementation," Revision 1, this does not constitute a departure from a methodology of evaluation described in the SAR.
The accidents described in the SAR that credit a CPC trip are not impacted by this'proposed temporary modification. The proposed temporary modification does not result in a departure from a method of evaluation described in the SAR used in establishing the design bases or in the safety analyses.
If any of the above questions is checked "Yes," obtain NRC approval prior to implementing the change by initiating a change to the Operating License in accordance with NMM Procedure EN-Ll-103.
ANO 50.59 Evaluation 2021-002
QUALITY RELATED EN-Ll-101 REV. 20
~Entergy NUCLEAR MANAGEMENT MANUAL INFORMATIONAL USE PAGE 1 OF 9 10 CFR 50.59 Evaluations ATTACHMENT9.1 50.59 EVALUATION FORM I.
OVERVIEW/ SIGNATURES1 Facility: Arkansas Nuclear One Unit 2 Evaluation# FFN-2021-002 /Rev.#: 00 Proposed Change I Document: Refuel Machine Upgrade-(2H-1) / EC 83562, FCR 89720 Description of Change:
The ANO Unit 2 Refueling Machine (RFM), 2H-1, control system will be replaced with a new system provided by Westinghouse/PaR. The existing Refueling Machine Control Console (2C405) will be replaced with a programable logic controller I Personal Computer (PLC/PC) based dual processor control console that will allow for the automatic, semi-automatic, and manual modes of operation.
The existing bridge and trolley drive assemblies will be replaced and include a servo motors, couplings, brakes and dual encoder position system and the associated wiring. The existing hoist drive assembly will be replaced and includes a motor, drum, brakes, wire rope with fittings and equalizer, limit switches, a position encoder system, load weighing and the associated wiring.
Power and control cables along with a cable management system for building connection points will be provided. The fuel handling equipment boundary zone protection and interlock circuits will be upgraded.
A load simulator ana* all software and programming logic required for the new system to operate will be provided.
The RFM bridge, trolley, mast structures as well as grapple and other components remain unchanged.
Field Change Request (FCR) 89720 converts vendor provided documents (e.g., Service Manual, Operations Manual, Load Weighing Calibration Procedure, electromagnetic interface/ radio-frequency interface (EMI/RFI) Report, Software Requirements Specification (SRS), Factory Acceptance Test (FAT) procedure and report, Site Acceptance Test (SAT) procedure, and Failure Modes and Effects Analysis (FMEA)) into ANO plant documents The electrical voltage drop calculation CALC-94-E-0001-02 was revised to include previously approved changes into a new revision of the calculation. ANO 2 Refueling Machine Controls Upgrade Zinc and Aluminum Calculations CALC-20-E-0013-03 was created to account for a decrease in the painted ar~a in Containment. Revised drawings are being issued as part of FCR 89720 along with point-to-point internal wiring drawings.
All remaining vendor drawings and documentation are being issued as part of FCR 89720 except for the SAT Report and the software qualification documentation, both of which will be issued following the installation of this modification per FCR 90517.
The EC 83562 PAD is the overarching PAD for this modification. All open assumptions from EC 83562, FCR 89000, FCR 89452, and FCR 90516 are evaluated and closed in the PAD for EC 83562.
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 2 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM Description *of Safety Evaluation:
The Process Applicability Document for EC 83562 / FCR 89720 identified that the existing refueling bridge console (2C405) is equipped with a push button that requires manual operator actuation to allow movement of the bridge and/or trolley after any hoist movement. The function of this push button is described in the FSAR (Section 9.1.4.5.1.E Refueling Machine Movement Interlock), "Denies movement of the bridge and trolley while the fuel hoist is operating. An additional circuit is provided which, after initiation of a hoisting operation, requires that a separate switch be actuated before normal operation of the movement drives is possible". The new console eliminates this push button and automatically performs this operator action.
Per NEI 96-07 Rev 1 Section 4.2.1, a Safety Evaluation should be performed when an Activity converts a feature that was automatic to manual or vice versa. This Safety Evaluation addresses this specific change in EC 83562.
Summary of Evaluation:
_J The existing RFM control console (2C405) is equipped with Bridge Trolley Interlocks (BTls) that essentially prevent movement of the RFM bridge and/or trolley when fuel is being raised or lowered (the hoist is in the Fuel-only region and is loaded, the fuel spreader is not fully retracted, the hoist is in either the Low Zone, or not in the up limit when outside the core area, etc.).
The BTI is a protective design feature that is intended to prevent damage to a fuel assembly, or parts of the RFM. With the existing console, the refueling bridge operator is required to press a BTI-Reset button on the console to allow horizontal movement of the RFM bridge and/or trolley once the BTI limiting conditions have cleared. If this button were pressed when the hoist is in motion, or when any other limiting condition is still present, the BTI would continue to prohibit the RFM bridge and/or trolley movement. The BTI-Reset push button provides a redundant manual design feature that requires operator action to verify the BTI limiting conditions have cleared.
The new RFM control console is, equipped with an upgrade BTI that prevents movement of the Refueling Bridge and/or Trolley during hoist movements but the redundant manual BTI-Reset pushbutton has been eliminated. However, once BTI limiting conditions have been cleared, manual Operator action is still required to begin horizontal movement of the RFM bridge and/or trolley. Therefore, the Operator is still required to perform a manual action to allow bridge or trolley movement after the BTls limiting conditions have cleared.
Is the validity of this Evaluation dependent on any other change?
D Yes t8l No If "Yes," list the required changes/submittals. The changes covered by this 50.59 Evaluation cannot be implemented without approval of the other identified changes (e.g., license amendment request).
Establish an appropriate notification mechanism to ensure this action is completed.
Based on the results of this 50.59 Evaluation, does the proposed change require prior NRC approval?
D Yes t8l No
~Entergy NUCLEAR MANAGEMENT MANUAL QUALITY RELATED INFORMATIONAL USE 10 CFR 50.59 Evaluations EN-Ll-101 REV. 20 PAGE 3 OF 9 ATTACHMENT9.1 50.59 EVALUATION FORM Preparer1*2:
Al Evans/ ORIGINAL SIGNED DIGITALLY/ Kinectrics /Civil/Structural/ 10/12/2021 Reviewer1*2:
Independent Review1*3:
Responsible Manager Concurrence1:
50.59 Program Coordinator Concurrence1:
OSRC1:
Name (print)/ Signature/ Company I Department I Date Rhouis Eric Allen/ ORIGINAL SIGNED DIGITALLY/ Entergy/ DE l&C / 10/12/2021 Name (print)/ Signature/ Company I Department I Date N/A Name (print) / Signature / Company I Department I Date T. Hatfield/ ORIGINAL SIGNED DIGITALLY/ Entergy/ DE Mgr/ 10/12/2021 Name (print) / Signature I Company I Department I Date Michael Hall/ ORIGINAL SIGNED DIGITALLY/ Entergy/ Reg. Assurance l 10/12/2021 Name (print)/ Signature I Company I Department I Date Brian Patrick/ ORIGINAL SIGNED DIGITALLY/ 10/13/2021 Chairman's Name (print) / Signature / Date [GGNS P-33633, P-34230, & P-34420; W3 P-151]
OSRC-2021-023 OSRC Meeting #
1 The printed name should be included on the form when using electronic means for signature or if the handwritten signature is illegible. Signatures may be obtained via electronic authentication, manual methods (e.g., ink signature), e-mail, or telecommunication. Signing documents with indication to look at another system for signatures is not acceptable such as "See EC" or "See Asset Suite." Electronic signatures from other systems are only allowed if they are included with the documentation being submitted for capture in eB (e.g., if using an e-mail, attach it to this form; if using Asset Suite, attach a screenshot of the electronic signature(s); if using PCRS, attach a copy of the completed corrective action).
2 Either the Preparer or Reviewer will be a current Entergy employee.
3 If required by Section 5.1 [2].
~Entergy NUCLEAR MANAGEMENT
.MANUAL QUALITY RELATED INFORMATIONAL USE 10 CFR 50.59 Evaluations EN-Ll-101 REV. 20 PAGE 4OF 9 ATTACHMENT9.1 50.59 EVALUATION FORM II.
50.59 EVALUATION [10 CFR 50.59(c)(2)]
Does the proposed Change being evaluated represent a change to a method of evaluation ONLY? If "Yes," Questions 1 - 7 are not applicable; answer only Question 8. If "No,"
answer all questions below.
D Yes
~ No BASIS:
The new RFM control console was designed and built by Westinghouse/PaR in compliance with codes and standards specified in the FSAR. As such, this Engineering Change does not deviate from method of evaluation specified in the licensing basis. Therefore, this Engineering Change does not result in a change to a methodology of evaluation.
Does the proposed Change:
- 1.
Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR?
BASIS:
D Yes
~ No FSAR *section 15.1.23 'Fuel Handling Accident' evaluates the impact of a fuel assembly dropped during fuel handling. This analysis assumes a failure of and drop of a fuel assembly with attached appurtenances.
EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM. A redundant manual pushbutton interlock design feature is eliminated; however, the corresponding automatic interlock remains along with manual Operator action to command horizontal movement of the RFM bridge and/or trolley. Based on the qualitative assessment/evaluation that addresses system design attributes of the RFM, single failures being encompassed by existing failure modes, extensive OE, and that the software being controlled is in accordance with the Entergy procedure (EN-IT-104), the replacement system is equal or better (i.e., tias a sufficiently low likelihood of failure). In fact, electrical interlocks cannot result in the dropping of a fuel assembly and mechanical stops and positive locks prevent damage to or dropping of the fuel assemblies. As such, initiation of a Fuel Handling Accident or even fuel damage is no more likely and is not increased. EC 83562 does not change the design functions of the RFM and as such, does not make a Fuel Handling Accident more likely.
Therefore, EC 83562 does not more than minimally increase the frequency of occurrence of an accident previously evaluated in the FSAR.
~Entergy NUCLEAR MANAGEMENT MANUAL QUALITY RELATED EN-Ll-101 REV. 20 INFORMATIONAL USE PAGE 5 OF 9 10 CFR 50.59 Evaluations ATTACHMENT9.1 50.59 EVALUATION FORM
- 2.
Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component impor:tant to safety previously evaluated in the UFSAR?
BASIS:
EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM.
The existing refueling control console (2C405) is equipped with a Bridge Trolley Interlock (BTI) that essentially prevents movement of the RFM bridge and/or trolley when the hoist is being raised or lowered (the hoist is in the Fuel-only region and is loaded, the fuel spreader is not fully retracted, the hoist is in either the Low Zone, or not in the up limit when outside the core area, etc.).
The BTI is a protective design feature that is intended to prevent damage to a fuel assembly, or the RFM. With the existing console, the refueling bridge operator is required to press a BTI-Reset button on the console to allow horizontal movement of the RFM bridge and/or trolley once the BTI limiting conditions have cleared. If this button were pressed when the hoist is in motion, or when any other limiting condition is still present, the BTI would continue to prevent any RFM bridge and/or trolley movement. The BTI-Reset push button provides a redundant manual design feature that requires operator action to verify the BTI limiting conditions have cleared.
The new RFM control console is equipped with an upgraded BTI that prevents movement of the RFM bridge and/or trolley but the redundant manual BTI-Reset pushbutton has been eliminated. After operation of the hoist there is a delay, and the bridge/trolley movement interlock is automatically released to allow movement of the bridge or trolley and only disengages if no other bridge/trolley movement interlocks are engaged. Once BTI limiting conditions have been cleared, manual Operator action is still required to begin horizontal movement of the RFM bridge and/or trolley. Therefore, the Operator is still required to perform a manual action that verifies the BTls limiting conditions have cleared.
The upgrade to the RFM was developed under a quality of design process that includes a software requirements manual, software V&V, the use of checksums to confirm no programming changes/corruption occurred, and a FAT/SAT are performed to verify operation. Based on the qualitative assessment/evaluation that addresses system design attributes of the RFM, quality of design processes employed, single failures being encompassed by existing failure modes, extensive OE, and that the software being controlled is in accordance with the Entergy procedure (EN-IT-104), the replacement system is equal or better and the likelihood of the software or PLC causing an accident is sufficiently low. This assessment did not identify a new RFM failure mode or change the RFM malfunctions such that it would result in a different outcome.
The Single Failure Mode Analysis of the Fuel Handling Equipment is documented in SAR Table 9.1-5. The components in SAR Table 9.1-5 impacted by this change are the refueling machine fuel hoist weight system, refueling machine hoist motor, bridge drive motor, electronic position indication, refueling machine pressure, brakes on refueling machine fuel hoist, and the refueling machine electronic hoist position indication. Based D Yes IZI No
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 6 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM on the vendor provided FMEA (CALC-ANO2-IC-21-00001), no single failure of an electrical component will result in the uncontrolled motion of the fuel and system level failures are bounded by these failure modes of the new system.
Therefore, this change does not result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component important to safety previously evaluated in the FSAR.
- 3.
Result in more than a minimal increase in the consequences of an accident previously evaluated in the UFSAR?
BASIS:
D Yes
~ No EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM.
FSAR Section 15.1.23 'Fuel Handling Accident' evaluates the consequences of a fuel assembly dropped during fuel handling and includes assuming possibly attached appurtenances (CEA, fuel grapple, etc.) were attached and fell with the assembly, consistent with RG 1.183 assumptions.
EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM. EC 83562 does not change the design functions of the RFM, does not impact bounding consequences, and does not impact any accident mitigation functions and as such, does not increase the consequences of a Fuel Handling Accident.
Therefore, EC 83562 does-not more than minimally increase the consequences of an accident previously evaluated in the FSAR.
- 4.
Result in more than a minimal increase in the consequences of a malfunction of a structure, system, or component important to safety previously evaluated in the UFSAR?
BASIS:
D Yes
~ No In the event that the BTI fails, the worst-case result is a dropped fuel assembly during fuel handling. The Operator can engage the E-Stop resulting in the cutting of power to the equipment or physical hard stops which provide a non-digital/non-software-based protection if the BTI were to fail. The consequence of a dropped fuel assembly is evaluated in FSAR Section 15.1.23 'Fuel Handling Accident'. This analysis bounds any refueling bridge malfunctions.
EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the Refueling Bridge. EC 83562 does not change the design functions of the RFM, does not impact bounding consequences, and does not impact any accident mitigation functions and as such, does not change the consequences of a malfunction of the RFM.
Therefore, EC 83562 does not more than minimally increase the consequences of a malfunction of a structure, system, or component important to safety previously evaluated in the FSAR.
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20
~Entergy MANAGEMENT MANUAL INFORMATIONAL USE PAGE 7 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM
- 5.
Create a possibility for an accident of a different type than any previously evaluated in the UFSAR?
BASIS:
D Yes IZl No FSAR Section 15.1.23 'Fuel Handling Accident' evaluates the consequences of a fuel assembly dropped during fuel handling. This analysis bounds any refueling bridge malfunctions. EC 83562 does not involve any new initiators or failures and cannot result in exceeding existing analysis bounds.
EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM. The RFM is operated in containment during refueling operations which isolates it with respect to interaction with other systems, structures, and components.
The upgrade to the RFM was developed under a quality of design process that includes a software requirements manual, software V&V, the use of checksums to confirm no programming changes/corruption occurred, and a FAT/SAT are performed to verify operation. The BTI interlock is maintained and will be engaged to not allow bridge and trolley movement, when any of the following conditions exist: 1) the hoist is being operated, 2) the Mast Bumper switch is open/actuated, 3) the hoist is loaded in the Fuel-only region and the Off-Index is on, 4) the fuel spreader is not fully retracted, 5) the hoist is not at the up limit when outside the core area, 6) the hoist is in the Low Zone with the Grapple Weight Only. The BTI interlock will only disengage when all the conditions listed above are cleared. The conditions for the Refueling Machine Movement (existing machine) to engage are similar.
Therefore, EC 83562 does not create the possibility of an accident of a different type than previously evaluated in the FSAR.
NUCLEAR QUALITY RELATED EN-Ll-101 I REV. 20 MANAGEMENT
"'=':PEntergy MANUAL INFORMATIONAL USE PAGE 8 OF 9 10 CFR 50.59 Evaluations ATTACHMENT 9.1 50.59 EVALUATION FORM
- 6.
Create a possibility for a malfunction of a structure, system, or component important to safety with a different result than any previously evaluated in the UFSAR?
BASIS:
D Yes
~ No EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM. When in service, the RFM is operated in containment during refueling operations which isolates it with respect to interaction with other systems, structures, and components (SSCs). Therefore, no un-evaluated SSCs can malfunction as a result of a BTI failure.
In the event that the BTI were to fail, the worst-case result is a dropped fuel assembly during fuel handling. The Operator can engage the E-Stop resulting in the cutting of power to the equipment or physical hard stops which provide a non-digital/non-software-based protection if the BTI were to fail.
FSAR Section 15.1.23 'Fuel Handling Accident' evaluates the consequences of a fuel assembly dropped during fuel handling. In the absence of no new un-analyzed accidents, there can be no new consequences not previously analyzed.
Therefore, EC 83562 does not create the possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the UFSAR
- 7.
Result in a design basis limit for a fission product barrier as described in the UFSAR being exceeded or altered?
BASIS:
D Yes
~ No EC 83562 'ANO Unit 2 Refuel Machine Upgrade' addresses obsolescence issues and enhances features of the RFM. This EC makes no changes to the Grapple and Hoist box mechanical structures that lift and support the fuel during movement. Movement of the fuel by the machine is controlled within the fuel handling limits specified in FSAR Section 4.2.1. Therefore, this EC does not impact fuel design or means of release of radiation due to fuel accidents and remains bounded by previously evaluated scenarios.
Therefore EC 83562 does not result in a design basis limit for a fission product barrier as described in the UFSAR being exceeded or altered.
~Entergy ATTACHMENT9.1 NUCLEAR MANAGEMENT MANUAL QUALITY RELATED INFORMATIONAL USE 10 CFR 50.59 Evaluations EN-Ll-101 I REV. 20 PAGE 9 OF 9 50.59 EVALUATION FORM
- 8.
Result in a departure from a method of evaluation described in the UFSAR used in establishing the design bases or in the safety analyses?
D Yes
[8J No BASIS:
The EC involves hardware and software changes to the refueling bridge following standard industry codes and standards. The EC does not involve a change to an accident analysis, or the assumption made in any accident analysis.
Therefore, EC83562 does not result in a departure from a method of evaluation described in the UFSAR used in establishing the design bases or in the safety analysis.
If any of the above questions is checked "Yes," obtain NRC approval prior to implementing the change by initiating a change to the Operating License in accordance with NMM Procedure EN-Ll-103.
ANO 50.59 Evaluation 2021-003
ATTACHMENT 9.1 Sheet1 of16 I.
OVERVIEW/ SIGNATURES1 Facility: ANO Unit 2 Proposed Change/Document:
50.59 EVALUATION FORM Evaluation # / Rev. #: FFN-2021-003 / Rev 0 EC 83032: "Turbine Control System Upgrades for MT and FPT DEHC" Description of Change:
The existing ANO Unit 2 General Electric (GE) Mark I Main Turbine Generator (MTG) Electrohydraulic Control (EHC) & Main Feedwater Pump Turbine (MFWPT) EHC systems have obsolescence and single-point vulnerability issues.
EC 83032 is an upgrade of the Turbine Controls System (TCS) changing it from an electrohydraulic system to a Digital Instrument & Controls (Dl&C) system. A Dl&C system has inherently different failure characteristics which may produce unique software common cause failures (software CCF).
Replacement of Mechanical Overspeed:
Westinghouse uses Woodward (hardware/software) for its Diverse Overspeed Protection System (OOPS)
System which is replacing the existing mechanical overspeed system described in Safety Analysis Report (SAR) Section 10.2.2.3.
Analog to Digital Upgrade:
EC 83032 replaces the current ANO Unit 2 analog EHC systems with new Digital Electro-Hydraulic Control (DEHC) Distributed Control System (DCS) which consists of a Main Turbine Control and Protection System (TCPS) and a Main Feed Pump Turbine Control System (FPTCS). The new DEHC is provided by Westinghouse and is based upon an Ovation (software/hardware) platform supplied by Emerson Process Management (EPM).
Summary of Evaluation:
Process Applicability Determination (PAD)
A PAD was performed to assess the ANO Unit 2 TCS upgrade EC 83032. The results of the PAD identify that the following portions of the change requiring additional evaluation:
Replacement of Mechanical Overspeed Analog to Digital Upgrade NEI 96-07 Appendix D Rev 1: "Supplemental Guidance for Application of 10 CFR 50.59 to Digital Modifications' May 2020 provides guidance for assessing Dl&C modifications. The NRC issued Revision 2 to RG 1.187 which endorsed NEI 96-07, Appendix D Rev 1 and emphasizing the need for qualitative assessments. A qualitative assessment is a specific type of technical-based engineering evaluation useful to 10 CFR 50.59 evaluations when responding to evaluation criteria 10 CFR 50.59(c)(2)(i), (ii), (v) and (vi).
This evaluation is based on the following issues:
Replacement of Mechanical Overspeed:
The existing mechanical-hydraulic overspeed trip is being replaced with a Diverse Overspeed Protection System (OOPS) consisting of three overspeed trip modules with three passive speed probes. When turbine speed reaches 110%, OOPS trips a solenoid actuating the emergency trip system. There is a hardwired backup overspeed trip (independent of the OOPS) consisting of three Speed Detector Modules (SDMs) with
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 2 of 16 three active speed probes. When the turbine speed reaches 112% it trips a solenoid draining the emergency trip header.
One feature of the new DEHC System is the use of redundant and diverse sensors, probes, transmitters, and trip devices to reduce single point vulnerabilities of the turbine overspeed protection. The modified configuration provides two independent, and diverse overspeed trip systems in addition to normal speed control which meets the requirements of SAR Section 10.2.2.3. SAR Section 10.2.3 states that a turbine missile is improbable which is partially based on overspeed protection. The requirements of TRM 3.3.4 ensure that the turbine overspeed protection system is tested regularly, functions properly, and that the assumption of a turbine overspeed system as identified in SAR 10.2.3 is met. The description of overspeed in TRM B3.3.4 is consistent with the plant licensing basis described in SAR Section 10.2.3. This evaluation shows that the changes to the overspeed protection are acceptable.
This EC replaces the mechanical-hydraulic overspeed trip with a OOPS. Overspeed Reliability and Fault Tree Analysis concludes that the new OOPS does not adversely impact the probability of failure from turbine overspeed. The replacement of the mechanical-hydraulic overspeed trip has no impact on accident mitigation or the consequences of an accident.
Analog to Digital Upgrade This EC upgrades the reliability of the ANO Unit 2 MT and FPT EHC Systems without changing the functional requirements of the systems as described in the SAR.
The TCS upgrade does not change plant operating parameters that would result in an increased challenge to systems, structures or components (SSCs) important to safety, or the frequency of any accident described in the SAR.
Although the TCS upgrade replaces the mechanical overspeed trip device with a OOPS, potential failure modes introduced by the modification, such as susceptibility to Electromagnetic Interference (EMI),
firmware problems, power supply failure, and solenoid trip valve failure, have been shown by the Reliability and Fault Tree Analysis to not adversely affect the probability of failure of the main turbine to trip upon an overspeed condition. In fact, due to eliminating the mechanical overspeed trip mechanism and trip block, which were susceptible to failure modes not applicable to the new digital system (such as mechanical linkage binding or failure and sticking dump valves due to hydraulic oil impurities), the redundancy added by the new digital system combined with the ability to test it online with relatively low risk results in similar to higher reliability than the mechanical system it replaced.
The upgraded TCPS system performs self-tests and on line diagnostics that are capable of identifying and isolating failures of individual 1/0 cards, out of tolerance inputs, buses, power supplies, processors, and network communication issues.
The upgraded TCS assures that no failure of a single active component within the system will result in the loss of continuous validated demand signals to TCS valves or operator displays; nor will failure of individual modules cause the control system to trip the turbine resulting in a plant transient.
The sensor enhancements will interface with the existing Turbine Supervisory Instrumentation (TSI) which is used for indication only.
A Software Hazards Analysis (SHA) (WNA-AR-00887-CARK2 Rev O - June 2020) was performed for ANO Unit 2. When used in conjunction with the project Susceptibility Analysis (SA) (WNA-AR-008880CARK2, Rev.
0 dated August 2020) and the Failure Modes & Effects Analysis (FMEA) (WNA-AR-00886-CARK2, Rev. 0 dated July 2020), they systematically identify and assess potential failure sources within the instrumentation and control (l&C) equipment, along with preventive and limiting measures within the l&C that reduce the likelihood of failures and/or reduce the undesired effects of them.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 3 of 16 Together these analyses provide a qualitative assessment that the software hazards for the TCS upgrade have been analyzed including software CCF and conclude that the TSC upgrade will not more than minimally increase challenges to the plant licensing basis.
The following conclusions are supported from the platform and project specific analyses contained in the SHA:
The implementation processes and plans used for the different stages of the software life cycle process, including software configuration management and software verification and validation (V&V) - provide reasonable assurance that this is a mitigation strategy in preventing plant software hazards due to latent defects.
The Ovation platform history and operating experience provide reasonable assurance that the Ovation platform software is stable and that platform related software errors are tracked and corrected when identified.
The project-specific Ovation software release has been reviewed and the types of defects have been reviewed along with their categories of significance. The SHA did not identify significant failures that impair functionality.
The results of the SHA do not include any significant issues that would adversely impact the CARK2 DCS configuration. The CARK2 DCS platform software has no applicable safety notifications or product advisories against it.
The project-specific and Ovation platform design and implementation processes strongly support an assessment of the evaluation criteria for a quality software implementation program. As a result of the in-depth defenses against software errors there is reasonable assurance that the likelihood of software malfunctions and common cause failures is minimized. Software related failures should not result in more than a minimal increase in the likelihood of malfunctions that could contribute to the frequency of accidents described in the Updated Safety Analysis Report.
The system-level failure analysis identified no malfunctions (software hazards) that affect the transient and accident analysis in Chapter 15 of the SAR. The notable results of the failure analysis have identified no new hazards. The SHA lists malfunctions that can cause operational events that are already possible with existing control system and/or plant equipment. As a result, there is no impact on the analysis of the SAR Chapter 15 events.
The SHA is used in conjunction with the project SA which provides a systematic assessment of potential failure sources that can contribute to common cause failures. In the SA, the preventive and limiting measures within the l&C are evaluated to provide assurance that there is a low likelihood of common cause failures and/or their undesired effects do not create malfunctions that challenge the transient and accident analyses in Chapter 15 of the SAR.
Main Turbine Trip The main turbine trip does not result in a reactor trip. The Plant Protective System (PPS) provides for the Reactor Trip System (RTS) and the Engineered Safety Features Actuation System (ES FAS). The PPS uses a 2-out-of-4 coincidence of like trip signals to generate a reactor trip. The PPS de-energizes the Control Element Drive Mechanism Control System (CEDMCS) which provides a trip signal to the turbine and the Feedwater Control System (FWCS). SAR Chapter 7.2.1.1.1 identifies twelve trips of the RPS and that a 'Loss of Load' was deleted from the RPS design. In the event of a turbine trip a reactor trip would occur as a result of high pressurizer pressure. Therefore, the PPS will trip the main and FW pump turbines, however, the main and FW pump turbines do not provide an input to the PPS.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 4 of 16 Feedwater Pump Turbine Trip The Feedwater pump turbine trip does not result in a reactor trip. SA~ Section 10.4. 7. discusses the control of the main feedwater pump turbines. In the event of a main turbine trip, one feedwater pump will trip and the other will remain running and accelerate to match the demand of the steam generators to prevent a reactor trip. After a reactor trip without a Main Steam Isolation Signal (MSIS) or Containment Spray Actuation Signal (CSAS), the feedwater pump will be run at minimum speed to provide inventory for steam generator level control. EC 83032 will not change this control logic. These components have no input to the safety related PPS.
Based upon this evaluation this modification can be implemented without license amendment.
~------------------------------------,
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 5 of 16 Is the validity of this Evaluation dependent on any other change?
D Yes
~ No If "Yes," list the required changes/submittals. The changes covered by this 50.59 Evaluation cannot be implemented without approval of the other identified changes (e.g., license amendment request). Establish an appropriate notification mechanism to ensure this action is completed.
Based on the results of this 50.59 Evaluation, does the proposed change
- D Yes
~ No require prior NRC approval?
Preparer1:
"\\E? 4.f.
Al Evans/ -f".? tl,\\,V* I Kinectrics /Civil-Structural/ 11-9-2021 Name (print) / Signature / Company/ Department/ Date Reviewer2:
Zach Lehr/ ORIGINAL SIGNED DIGITALLY/ Entergy/ Major Fleet Proj. / 11/13/2021 Name (print) / Signature / Company/ Department/ Date Independent Review2:
N/A Responsible Manager Concurrence:
50.59 Program Coordinator Concurrence:
OSRC:
Name (print)/ Signature/ Company/ Department/ Date Vincent Bond/ ORIGINAL SIGNED DIGITALLY/ Entergy I Major Fleet Proj. / 11/13/2021 Name (print) /Signature/ Company/ Department/ Date Michael Hall/ ORIGINAL SIGNED DIGITALLY/ Entergy/ Reg. Assurance/ 11/15/2021 Name (print)/ Signature/ Company/ Department/ Date Brian Patrick/ ORIGINAL SIGNED DIGITALLY/ 11/15/2021 Chairman's Name (print)/ Signature/ Date [GGNS P-33633, P-34230, & P-34420; W3 P-151]
OSRC-2021-026 OSRC Meeting #
1 The printed name should be included on the form when using electronic means for signature or if the handwritten signature is illegible. Signatures may be obtained via ele.ctronic authentication, manual methods (e.g., ink signature), e-mail, or telecommunication. Signing documents with indication to look at another system for signatures is not acceptable such as "See EC" or "See Asset Suite." Electronic signatures from other systems are only allowed if they are included with the documentation being submitted for capture in eB (e.g., if using an e-mail, attach it to this form; if using Asset Suite, attach a screenshot of the electronic signature(s); if using PCRS, attach a copy of the completed corrective action).
1 Either the Preparer or Reviewer will be a current Entergy employee.
2 If required by Section 5.1 [2].
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 6 of 16 II.
50.59 EVALUATION [10 CFR 50.59(c)(2)]
Does the proposed Change being evaluated represent a change to a method of evaluation ONLY? If "Yes," Questions 1 - 7 are not applicable; answer only Question 8.
If "No," answer all questions below.
D Yes
~ No Does the proposed Change:
- 1.
Result in more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the UFSAR?
BASIS:
D Yes
~ No The new TCS Digital Electro-Hydraulic Controls System (DHCS) has been evaluated to assure that it will not more than minimally increase the frequency of the main turbine and feedwater pump turbine trips.
The ANO Unit 2 SAR Chapter 15 identifies the main turbine and FW pump turbine trip as initiating events in the following transients:
SAR Section 15.1.7: 'Loss of External Load and/or Turbine trip' SAR Section 15.1.8: 'Loss of Normal Feedwater Flow' SAR Section 15.1.29: 'Turbine Trip with Coincident Failure of Turbine Bypass Valves to Open' SAR Section 15.1.33: 'Turbine Trip with Failure of Generator Breaker to Open' The ANO Unit 2 SAR Chapter 15 also lists accidents that the new control system for the main turbine and FW pumps have the potential to be an initiator of the event:
SAR Section 15.1.10: Excess Heat Removal due to Secondary System Malfunction SAR Section 15.1.36: Transients Resulting from the instantaneous Closure of a single MSIV Digital Electro-Hydraulic Controls (DEHC) System The software used in this upgrade has been subjected to a detailed validation and verification process that includes factory acceptance testing, on-site acceptance testing, and post-upgrade testing that ensures software integrity. These actions are taken to assure that the likelihood of a software failure is sufficiently low that implementing this DEHC upgrade will not increase the frequency of occurrence of an accident previously evaluated in the SAR.
The SHA, when used in conjunction with the project SA and the FMEA provide a qualitative assessment concluding that the failure likelihood introduced by the modified TCS is sufficiently low.
Some of the specific conclusions made in the SHA include the following:
The Westinghouse/Emmerson software development, control, and V&V processes provide reasonable assurance that this is a mitigation strategy to prevent plant software hazards. Additional factory acceptance testing, on-site acceptance testing, and post modification implementation testing assure that the Ovation software operates as designed.
The Ovation Platform has a large installed base and operating experience that provides reasonable assurance that the software is stable, performs as required, and errors are tracked and corrected when identified. Additionally, the version for ANO has been reviewed and any identified defects do not result in significant failures and do not impair functionality.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 7 of 16 The combination of the SHA along with the SA evaluations show that there is a low likelihood of common cause failures and that any defects will not create malfunctions that challenge the transient and accident analyses contained in SAR Chapter 15. The SHA further states that the likelihood of common cause failure in Ovation resulting in failure of the system to perform its intended functions has been qualitatively determined to not be greater than the current system.
The SHA concludes that the upgraded control system will not result in a more than a minimal increase in the frequency of an accident previously evaluated in the SAR.
Ovation provides additional diagnostics and redundance features to assist the operator in diagnosing faults and addressing failures. This minimizes operator interventions or operator burden to support system operation.
The TCS is designed so that a single system component failure does not impact plant monitoring and controls functions, along with a single failure will not prevent the turbine from tripping when required to trip.
Single Point Vulnerabilities A detailed fault tree analysis was performed as part of this TCS upgrade. The DEHC System upgrade reduces the number of Single Point Vulnerabilities (SPVs) and adds speed signal redundancy while maintaining the existing design function of the system. This will improve the TCS reliability and minimizes the probability of spurious turbine overspeed trips.
In conclusion, based on the fault tree analysis, there is a sufficiently low likelihood that the new hardware will result in an increase in the frequency of occurrence of an accident previously evaluated in the SAR.
The upgraded TCS assures that a single active component within the system will neither result in a loss of continuous validated demand signals to TCS valves or operator displays, nor will failure of individual modules cause the control system to trip the turbine and cause a plant transient. The control elements in the new system are configured to allow unrestricted operation with a single failure and to facilitate on line replacement of the failed component. The existing system is not fault tolerant and does not provide fault detection and failure response capability.
Main Turbine Overspeed Trip Functions The ANO Unit 2 SAR identifies the following Anticipated Operational Occurrences (AOOs) in SAR Section 10.2.2.3: "Turbine Generator Overspeed Protection" The existing mechanical-hydraulic overspeed trip is being replaced with a Diverse Overspeed Protection System (OOPS) consisting of three overspeed trip modules (with redundant sources of power and UPS backup) with three passive speed probes. When turbine speed reaches 110%,
OOPS trips a solenoid actuating the emergency trip system.
There is a hardwired backup overspeed trip (independent of the OOPS) consisting of three Speed Detector Modules (SDMs) with three active speed probes each with redundant sources of power plus UPS backup. When the turbine speed reaches 112% it trips a solenoid draining the emergency trip header.
One feature of the new DEHC System is the use of redundant and diverse sensors, probes, transmitters, and trip devices to reduce single point vulnerabilities of the turbine overspeed protection.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 8 of 16 The modified configuration provides two independent, and diverse overspeed trip systems which complies with the requirements of SAR Section 10.2.2.3 "Turbine Generator Overspeed Protection" and is consistent with the description contained in TRM B.3.3.4 "Turbine Overspeed Protection".
It is important to note that the TCS (Ovation) control system functions to control turbine speed and is the first layer of defense to prevent a turbine overspeed event and also trips the turbine on a loss of all three active speed probes.
Potential failure modes introduced by the overspeed modification, such as susceptibility to Electromagnetic Interference (EMI), firmware problems, power supply failure, and solenoid trip valve failure, have been shown by the Reliability and Fault Tree Analysis to not adversely affect the probability of failure of the main turbine to trip upon an overspeed condition. In fact, due to eliminating the mechanical overspeed trip mechanism and trip block, which were susceptible to failure modes not applicable to the new digital system (such as mechanical linkage binding or failure and sticking dump valves due to hydraulic oil impurities), the redundancy added by the new digital system combined with the ability to test it on line with relatively low risk results in similar to higher reliability than the mechanical system it replaced.
Turbine Missiles SAR Section 10.2.3: "Turbine Missiles" states:
"Because of the redundancy and reliability of the turbine control and protection system, the close control of oil purity, the periodic check of steam admission valve freedom, and the high value of the bursting overspeed, any missile resulting from a turbine generator overspeed incident is hypothetical only and not considered credible."
The TCS upgrades retain redundant and diverse overspeed protection, therefore, turbine missiles remain a hypothetical event.
Turbine Control Valves The EC does not impact the physical design or function of the turbine control valves or their actuators. The turbine performance requirements are not being changed, so there is no increased probability of the turbine operating outside of its design limitations than with the current TCS configuration.
Normal Feedwater Pump Turbine Response SAR Section 10.4.7. discusses the control of the main feedwater pump turbines, and SAR section 15.1.8 describes a loss of normal feedwater flow. In the event a main turbine trip, one feedwater pump will trip, and the other will remain running and accelerate to match the demand of the steam generators to prevent a reactor trip. After a reactor trip without an MSIS or CSAS, the feedwater pump will be run at minimum speed to provide inventory for steam generator level control. EC 83032 will not change this control logic and these components have no input to the safety related RPS.
Main Steam Isolation Signal {MSIS) and Containment Spray Actuation System {CSAS)
The original EHC system had one train of MSIS and CSAS wired into the trip logic of the front standards for each feed pump. This logic was then cross-tied to the opposite pump to ensure either GREEN or RED train trip signal would trip both feed pumps.
The new system utilizes the existing MSIS and CSAS contacts and wiring from each trip channel.
These are wired into each MFWPT Ovation control system and software to trip each MFWPT (the RED channel is wired to MFWPT A controller, while the GREEN channel is wired to MFWPT B
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 9 of 16 controller). These relays are retained to provide the necessary isolation between MSIS/CSAS and the non-safety related MFWPT control trip logic.
In addition, a cross-trip in the TCS software allows the opposite trip channel to trip each MFWPT (the GREEN channel to trip MFWPT A and the RED channel to trip MFWPT B). This provides diversity in the trip logic. Additional redundancy is employed with the existing field signal interfacing with three separate input modules per train on different branches within different cabinets to further improve reliability such that a single input module failure will not inadvertently cause or prevent a MFWPT trip.
Conclusion With the failure likelihood introduced by the modified TCS being sufficiently low, there is not more than a minimal increase in the frequency of occurrence of an accident previously evaluated in the SAR.
This evaluation finds the new design to provide an enhancement to the reliability of the new system with respect to the original EHC control system. By increasing the number of redundant instruments that sense turbine parameters and the use of two out of three logic, the change increases redundancy and reliability, eliminates numerous SPVs and EC 83032 will reduce the potential for spurious turbine trips and equipment failures.
- 2.
Result in more than a minimal increase in the likelihood of occurrence of a malfunction of a structure, system, or component important to safety previously evaluated in the UFSAR?
BASIS:
D Yes
~ No The main turbine or feedwater pump turbine trip function is not credited for any ANO Unit 2 Chapter 15 SAR transient or accident analyses.
A detailed fault tree analysis was performed as part of this TCS upgrade modification. No new failure modes that could cause a plant transient or a turbine trip were identified. The upgrades have eliminated many of the SPVs in the TCS System. This will improve the TCS reliability and minimize spurious trips.
The TCS upgrade provides the same functions with respect to turbine control as the system currently evaluated in the SAR. The upgraded system does not create any new functions or interfaces with important to safety components that are not included in the system as currently configured.
The upgraded TCPS system performs self-tests and on line diagnostics that are capable of identifying and isolating failures of individual 1/0 cards, out of tolerance inputs, buses, power supplies, processors, and network communication issues.
The upgraded TCS assures that no failure of a single active component within the system will result in the loss of continuous validated demand signals to TCS valves or operator displays; nor will failure of individual modules cause the control system to trip the turbine resulting in a plant transient.
Overspeed Trip The existing mechanical-hydraulic overspeed trip is being replaced with a OOPS consisting of three overspeed trip modules with three passive speed probes. Wheh turbine speed reaches 110%, OOPS trips a solenoid actuating the emergency trip system. There is a hardwired backup overspeed trip (independent of the OOPS) consisting of three SD Ms with three active speed probes. When the turbine speed reaches 112% it trips a solenoid draining the emergency trip header. The modified configuration provides two independent and diverse overspeed trip systems, which is consistent with the existinQ requirements described in SAR Section 10.2.2.3 "Turbine Generator Overspeed
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet10of16 Protection". The revised overspeed trip device, replacing the existing mechanical-hydraulic overspeed trip, does not have any interaction with any SSC important to safety.
Turbine Missiles SAR Section 10.2.3: "Turbine Missiles" states:
"Because of the redundancy and reliability of the turbine control and protection system, the close control of oil purity, the periodic check of steam admission valve freedom, and the high value of the bursting overspeed, any missile resulting from a turbine generator overspeed incident is hypothetical only and not considered credible."
The TCS upgrades retain redundant and diverse overspeed protection; therefore, turbine missiles remain a hypothetical event.
Software The SHA, when used in conjunction with the project SA and the FMEA provide a qualitative assessment concluding that the failure likelihood introduced by the modified TCS is sufficiently low.
Some of the specific conclusions made in the SHA include the following:
Software related failures should not result in more than a minimal increase in the likelihood of malfunctions that could contribute to the frequency of accidents as described in the SAR.
The q\\,Jalitative software assessment and the evaluation of possible system malfunctions performed in the SHA provide reasonable assurance that the likelihood of software common cause failure is minimized and should not result in more than a minimal increase in the likelihood of malfunctions leading to an increase in the frequency of occurrence of an accident.
Conclusion With the failure likelihood introduced by the TCS upgrade being sufficiently low, there is not more than a minimal increase in the likelihood of occurrence of a malfunction of an SSC important to safety previously evaluated in the SAR.
This evaluation finds the new design to provide an enhancement to the reliability of the new system with respect to the original EHC control system. By increasing the number of redundant instruments that sense turbine parameters and the use of two out of three logic, the change increases redundancy and reliability, eliminates numerous SPVs and EC 83032 will reduce the potential for spurious turbine trips and equipment failures.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 11 of 16
- 3.
Result ih more than a minimal increase in the consequences of an accident previously evaluated in the UFSAR?
1 IYes
~ No.
BASIS:
Neither the turbine trip function or the FW pump trip function is credited for any ANO Unit 2 Chapter 15 SAR transient or accident analyses.
TCS has no function for accident mitigation or limiting the consequences of an accident. Also, the function and performance of the TCS, as described in the SAR, is nofbeing changed, with the exception being the replacement of the existing mechanical-hydraulic overspeed trip with a more reliable design.
Overspeed Trip The existing mechanical-hydraulic overspeed trip is being replaced with a OOPS consisting of three overspeed trip modules with three passive speed probes. When turbine speed reaches 110% OOPS trips a solenoid actuating the emergency trip system.
There is a hardwired backup overspeed trip (independent of the OOPS) consisting of three SOMs with three active speed probes. When the turbine speed reaches 112% it trips a solenoid draining the emergency trip header.
The modified configuration provides two independent and diverse overspeed trip systems which is consistent with the existing requirements described in SAR Section 10.2.2.3 "Turbine Generator Overspeed Protection". It is important to note that the TCS (Ovation) control system normally functions to control turbine speed and is the first layer of defense to prevent a turbine overspeed.
The replacement of the mechanical-hydraulic overspeed trip has no impact on accident mitigation or the consequences of an accident.
The TCS upgrade has no impact on the radiological consequences of an accident.
The TCS upgrade does not impact the performance of any control valves in th'at neither the control valves nor valve actuators are being modified. Additionally, the turbine valve response times are not credited in any accident analyses described in the SAR.
As described in SAR Sections 15.1.7, 15.1.8. 15.1.29 and 15.1.33 a turbine trip is assumed to be an initiator in the accident analyses. These accident analyses address the worst-case conditions and are bounding scenarios.
Conclusion The TCS upgrade does not result in more than a minimal increase in the consequences of an accident previously evaluated in the ANO Unit 2 SAR.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 12 of 16
- 4.
- 5.
Result in more than a minimal increase in the consequences of a malfunction of a structure, system, or component important to safety previously evaluated in the UFSAR?
BASIS:
1 IYes IZI No The TCS upgrade is a reliability enhancement to the existing system described in the SAR. The TCS upgrades do not change the function or performance requirements for the system as described in the SAR. The TCS upgrade does not increase any plant operating parameters that would result in increased challenges to components important to safety. There are no new interface requirements with SSCs important to safety that function to limit the cons,equences of an accident established by this upgrade.
The turbine trip function is not credited for any ANO Unit 2 Chapter 15 SAR transient or accident analyses.
Conclusion The TCS upgrade does not result in more than a minimal increase in the consequences of a malfunction of an SSC important to safety previously evaluated in the SAR.
Create a possibility for an accident of a different type than any previously evaluated in the UFSAR?
BASIS:
Impact on Existing Accident Analysis I
OI Yes
!ZII No The ANO U2 specific TCS upgrade SHA evaluated the TCS upgrade related system-level hazards to ensure that the results would be bounded by the results of malfunctions or accidents previously considered in the SAR. Applicable hazards identified and their related ANO SAR sections included:
- Loss of External Load and/or Turbine Trip - SAR Section 15.1. 7 Loss of Normal Feedwater Flow - SAR Section 15.1.8 Loss of All Normal and Preferred AC Power to the Station Auxiliaries - SAR Section 15.1.9
- Excess Heat Removal due to Secondary System Malfunction - SAR Section 15.1.10 Major Secondary System Pipe Breaks with or without a concurrent Loss of AC Power -
SAR Section 15.1.14 Steam Generator Tube Rupture with or without a concurrent Loss of AC Power - SAR Section 15.1.18 Loss of Condenser Vacuum - SAR Section 15.1.28
- Turbine Trip with coincident Failure of Turbine Bypass Valves to Open - SAR Section 15.1.29 Loss of One DC System - SAR Section 15.1.31
- Turbine Trip with Failure of Generator Breaker to Open - SAR Section 15.1.33
- Transients Resulting from the instantaneous Closure of a single MSIV - SAR Section 15.1.36 The evaluation determined that the results of potential TCS upgrade failures are enveloped by the current SAR Chapter 15 analyses.
A SHA review of the ANO U2 SAR Chapter 15 events was also performed to identify any new system-level hazards regarding the digital TCS upgrade. No new system-level hazards or failure modes were identified as a result of this review.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 13 of 16 A SHA evaluation of sub-system level software failures, including software common cause failures and cyber security events/cyber-attacks, to determine their impact on the identified system-level hazards, concluded that potential sub-system level software failures would not lead to different types of accidents or impact plant SAR analyses.
No TCS upgrade software interfaces were identified through which the TCS upgrade could adversely impact any safety-related equipment or functions.
Impact on Anticipated Operational Occurrences (AOOs)
The ANO Unit 2 SAR identifies the following Anticipated Operational Occurrences (AOOs):
SAR 10.2.2.3: "Turbine Generator Overspeed Protection The existing mechanical-hydraulic overspeed trip is being replaced with a OOPS consisting of three overspeed trip modules with three passive speed probes. When turbine speed reaches 110% OOPS trips a solenoid actuating the emergency trip system.
Although the TCS upgrade replaces the mechanical overspeed trip device with a OOPS, potential failure modes introduced by the modification, such as susceptibility to Electromagnetic Interference (EMI), firmware problems, power supply failure, and solenoid trip valve failure, have been shown by the Reliability and Fault Tree Analysis to not adversely affect the probability of failure of the main turbine to trip upon an overspeed condition. In fact, due to eliminating the mechanical overspeed trip mechanism and trip block, which were susceptible to failure modes not applicable to the new digital system (such as mechanical linkage binding or failure and sticking dump valves due to hydraulic oil impurities), the redundancy added by the new digital system combined with the ability to test it online with relatively low risk results in similar to higher reliability than the mechanical system it replaced.
The consequences of a failure of the existing mechanical-hydraulic overspeed trip system or its replacement OOPS are the same. There is rcio new accident type created by the failure of the upgraded overspeed trip system.
The turbine trip function is not credited for any ANO Unit 2 Chapter 15 SAR transient or accident analyses.
Impact on the Probability of a.Turbine Missile SAR Section 10.2.3: 'Turbine Missiles" states:
"Because of the redundancy and reliability of the turbine control and protection system, the close control of oil purity, the periodic check of steam admission valve freedom, and the high value of the bursting overspeed, any missile resulting from a turbine generator overspeed incident is hypothetical only and not considered credible."
The TCS upgrades retain redundant and diverse overspeed protection; therefore, turbine missiles remain a hypothetical event.
Impact of Digital Modification The new DEHC System will reduce single point vulnerabilities while maintaining the existing design functions of the system; therefore, provide more reliable operation reducing the probability of these transient events. The TCS provides for turbine speed control and protection with the same function and interface requirements of the current system. The DEHC FMEA did not identify any new failure modes. Therefore, the turbine trip remains the worst-case initiator of the current bounding Chapter 15 accident analyses related to the main turbine.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 14 of 16 The operation of the TCS is bounded by the current failure modes of the control system, turbine overspeed or inadvertent trip, which are both described in the SAR. Any logic failures or software failures are bounded by these events.
The TCS upgrade does not involve any new operating interfaces or parameter changes that would impact systems associated with initiation of an accident (reactivity control, reactor pressure boundary, or core cooling) other than the currently analyzed turbine trip event.
The SHA did not identify any new system level hazards. The SHA evaluation included sub-system level software failures and software common cause failures.
The SHA when used in conjunction with the project SA and the FMEA provide a qualitative assessment concluding that the TCS upgrade does not introduce any failures that are as likely to happen as those in the SAR that can initiate an accident of a different type.
Conclusion Therefore, the ANO Unit 2 TCS upgrade does not create a possibility for an accident of a different type than any previously evaluated in the ANO Unit 2 SAR.
- 6.
Create a possibility for a malfunction of a structure, system, or component important to safety with a different result than any previously evaluated in the UFSAR?
BASIS:
IOI Yes
[gJ No The TCS upgrade does not change the function or performance requirements of this system as described in the SAR such that the components important to safety are required to function in a different manner than currently analyzed. The worst-case malfunction of the upgrade TCS system remains a turbine trip, feed water pump trip, inadvertent turbine stop/ control valve actuation or turbine overspeed.
There are no new interfaces with SSCs important to safety created by this TCS upgrade. Interfaces with adjacent SSCs important to safety have been identified with the appropriate requirements being included in the design, such as separation and seismic 11/1 qualification analysis. No TCS upgrade software interfaces were identified through which the TCS upgrade which could adversely impact any other equipment or functions.
The turbine trip function is not credited for any ANO Unit 2 Chapter 15 SAR transient or accident analyses.
The TCS upgrade SHA review did not identify any new system level hazards. The SHA evaluation of sub-system level software failures, including software common cause failures, contains malfunctions that can cause operational events that are already possible with the existing control system and plant equipment.
Conclusion The SHA when used in conjunction with the project SA and the FMEA provide a qualitative assessment concluding that the ANO Unit 2 TCS upgrade does not create a possibility for a malfunction of an SSC important to safety with a different result than any previously evaluated in the SAR.
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 15 of 16
- 7.
- 8.
Result in a design basis limit for a fission product barrier as described in the UFSAR being exceeded or altered?
BASIS:
IYes
~ No The TCS is not credited with functioning to maintain any fission product barrier. The function of the TCS is unchanged by the upgrade and no new interfaces with systems that form fission product barriers are created. The TCS upgrade does not change the operating or design conditions of any system such that the challenge to a barrier is increased.
SAR Section 5.2.1.5 discusses design transients evaluated for fission product barrier (RPV and RCS system) and includes consideration for turbine trips from full load. By increasing the number of instruments that sense turbine parameters, EC 83032 will reduce the potential for spurious turbine trips; however, this does not impact the assumed number of full load turbine trips in this analysis.
Conclusion The TCS upgrade does not result in a design basis limit for a fission product barrier as described in the SAR as beinQ exceeded or altered.
Result in a departure from a method of evaluation described in the UFSAR used in establishing the design bases or in the safety analyses?
1 Yes
~ No
ATTACHMENT 9.1 50.59 EVALUATION FORM Sheet 16 of 16 BASIS:
The proposed TCS upgrade involves improving the reliability of the TCS. The new system is based upon the current design and digital control strategy improvements. There is no impact to devices connected to the turbine that function as anticipatory reactor trip signals and, most importantly, these signals are not credited in any safety analyses.
The TCS upgrade does not impact the design of the turbine control valves or the performance of the valve operators. The valve response times are not credited in the design basis accidents described in Chapter 15 of the SAR. See response to Question 3 above.
The new TCS changes the method of sensing a turbine overspeed but maintains two independent and diverse overspeed protection methods as described in SAR Section 10.2.2.3 "Turbine Generator Overspeed Protection". The upgrade does not change the value for the maximum turbine overspeed, and this does not increase the possibility of a turbine missile to where this would be considered a design basis everit.
Although the TCS upgrade replaces the mechanical overspeed trip device with a OOPS, potential failure modes introduced by the modification, such as susceptibility to Electromagnetic Interference (EMI), firmware problems, power supply failure, and solenoid trip valve failure, have been shown by the Reliability and Fault Tree Analysis to not adversely affect the probability of failure of the main turbine to trip upon an overspeed condition. In fact, due to eliminating the mechanical overspeed trip mechanism and trip block, which were susceptible to failure modes not applicable to the new digital system (such as mechanical linkage binding or failure and sticking dump valves due to hydraulic oil impurities), the redundancy added by the new digital system combined with the ability to test it online with relatively low risk results in similar to higher reliability than the mechanical system it replaced.
Conclusion The ANO Unit 2 TCS upgrade does not affect a method of evi;3luation described in the SAR and used in the safety analyses or to establish a design basis.
If any of the above questions is checked "Yes," obtain NRC approval prior to implementing the change by initiating a change to the Operating License in accordance with NMM Procedure EN-Ll-103.
2CAN042201 List of Affected SAR Pages
2CAN042201 Page 1 of 1 List of Affected SAR Pages The following is a list of SAR pages revised in Amendment 30 to support corrections, modifications, implementation of licensing basis changes, etc., as described in the Table of Contents of each SAR chapter (reference Enclosure 1 of this letter). Information relocated froni one page to another in support of the aforementioned revisions is not considered a change; therefore, these pages are not included in the following list. In addition, pages associated with the individual Table of Contents are not listed below as related revisions are administrative only changes.
Cover Page Figure 4.3-4 8.4-1 10.4-33 1.2-8 Figure 4.3-5 Figure 8.3-6 10.4-34 3.1-2 Figure 4.3-6 Figure 8.3-17 Figure 10.2-6 3.1-8 Figure 4.3-7 9.1-12 Figure 10.4-3 3.6-3 Figure 4.3-8 9.1-15 15.1-138 3.6-20 Figure 4.3-9 9.1-26 18.2_;3 3.6-21 Figure 4.3-10 9.1-32 3.6-22 6.2-42 9.1-39 3.13-12 6.7-82 9.4-1 3.13-13 7.3-10 9.4-2 3.13-14 7.3-27 9.4-3 3.13-15 7.8-96 9.4A 3.13-16 8.3-8 9.4-7 3.13-17 8.3-14 Figure 9.1-6 3.13-20 8.3-15 Figure 9.4-1 Figure 3.2-1 8.3-16 10.2-2 Figure 3.2-6 8.3-17 10.2-3 4.2~18 8.3-18 10.2-4 4.7-6 8.3-19 10.2-5 4.7-14 8.3-20 10.2-6 4.7-22 8.3-44 10.2-7 Figure 4.3-1 8.3-64 10.4-19 Figure 4.3-1A 8.3-65 10.4-21 Figure 4.3-1C 8.3-66 10.4-22 Figure 4.3-1 D 8.3-67 10.4-26 Figure 4.3-1 E 8.3-69 10.4-27 Figure 4.3-2 8.3-72 10.4-28 Figure 4.3-3 J
8.3-80 10.4-29 2CAN042201 ANO-2 SAR Amendment 30 - Un-redacted Version (CD Rom)
(4293 Pages) 2CAN042201 ANO-2 SAR Amendment 30 - Redacted Version (CD Rom)
(4293 Pages) 2CAN042201 ANO-2 TRM (CD Rom)
(158 Pages) 2CAN042201 ANO-2 TS Table of Contents and TS Bases (CD Rom)
(151 Pages)