ML053490139
| ML053490139 | |
| Person / Time | |
|---|---|
| Site: | Oconee |
| Issue date: | 11/30/2005 |
| From: | Rosalyn Jones Duke Power Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
Text
RONALD A JONES
Vice President
Oconee Nuclear Site
Duke Power
ONO0 VP / 7800 Rochester Hwy.
Seneca, SC 29672
864 885 3158
864 885 3564 fax

November 30, 2005

U. S. Nuclear Regulatory Commission
Washington, D. C. 20555
Attention: Document Control Desk

Subject: Oconee Nuclear Station
Docket Numbers 50-269, 270, and 287
Response to Request for Additional Information Pertaining to the License Amendment Request (LAR) for RPS/ESPS Digital Upgrade
Technical Specification Change (TSC) Number 2004-09, Supplement 4

In a submittal dated February 14, 2005, Duke Energy Corporation (Duke) proposed to amend Appendix A, Technical Specifications, for Renewed Facility Operating Licenses DPR-38, DPR-47 and DPR-55 for Oconee Nuclear Station, Units 1, 2, and 3. The LAR requests NRC to approve the Reactor Protective System (RPS)/Engineered Safeguards Protective System (ESPS) modification and associated Technical Specification change.
By letter dated October 6, 2005, Duke provided responses to many of the questions in a Nuclear Regulatory Commission (NRC) Request for Additional Information (RAI) dated September 6, 2005.
Since many of the responses are tied to design deliverables in the RPS/ESPS modification schedule, Duke committed to provide the remaining responses on or before November 3, 2005, December 1, 2005, and January 12, 2006.
provides Duke's responses to RAIs 1.D, 1.H, 1.I, 1.J, 1.O, 1.T, 1.V, 4.b, and 27.
provides an updated list of NRC commitments associated with this LAR.
If there are any questions regarding this submittal, please contact Boyd Shingleton at (864) 885-4716.
Very truly yours,
R. A. Jones, Vice President
Oconee Nuclear Site
cc:
Mr. L. N. Olshan, Project Manager
Office of Nuclear Reactor Regulation
U. S. Nuclear Regulatory Commission
Mail Stop 0-14 H25
Washington, D. C. 20555

Dr. W. D. Travers, Regional Administrator
U. S. Nuclear Regulatory Commission - Region II
Atlanta Federal Center
61 Forsyth St., SW, Suite 23T85
Atlanta, Georgia 30303

Mr. M. C. Shannon
Senior Resident Inspector
Oconee Nuclear Station

Mr. Henry Porter, Director
Division of Radioactive Waste Management
Bureau of Land and Waste Management
Department of Health & Environmental Control
2600 Bull Street
Columbia, SC 29201
R. A. Jones, being duly sworn, states that he is Vice President, Oconee Nuclear Site, Duke Energy Corporation, that he is authorized on the part of said Company to sign and file with the U. S. Nuclear Regulatory Commission this revision to the Renewed Facility Operating License Nos. DPR-38, DPR-47, DPR-55; and that all the statements and matters set forth herein are true and correct to the best of his knowledge.
R. A. Jones, Vice President
Oconee Nuclear Site
Subscribed and sworn to before me this ____ day of ____ 2005
Notary Public
Duke Response to Request for Additional Information (RAI)
Oconee Nuclear Station License Amendment Request for RPS/ESPS Digital Upgrade

RAI 1.D
Please provide the following documentation:
Oconee Software Quality Assurance Plan and any procedures specific to this system (BTP-14, Section 3.1.c). This may include vendor document, but must specifically show how the licensee will maintain control of the hardware and software quality at the licensee site.

Duke Response to RAI 1.D
Duke provided a copy of the SDQA plan in electronic format to the NRC Staff via electronic mail on November 30, 2005. Duke requests that this document be withheld from public disclosure pursuant to 10 CFR 2.390.
RAI 1.H
Please provide the following documentation:
Oconee Software Development plan and related life-cycle documentation, if any applications software is being developed by the licensee (BTP-14, Section 3.1.b). If applications software is being developed by Framatome, please provide the following software life-cycle documents in accordance with Section 5.1.2 of Topical Report EMF-2110, "Teleperm XS: A digital Reactor Protection System".
i. Requirements Definition
ii. Technical Design Specification.
iii. Detailed Design Specification.
iv. Implementation Specification.
v. Integration Plan (BTP-14, Section 3.1.d).
vi. Test Plan

Duke Response to RAI 1.H
Duke provided a copy of the Integration Plan and Test Plan in electronic format to the NRC Staff via electronic mail on November 30, 2005. Duke requests that this document be withheld from public disclosure pursuant to 10 CFR 2.390.
The remaining documentation (Implementation Specification) required by EMF-2110 is being prepared in accordance with the Implementation Phase Life-cycle of the FANP V&V Plan (FANP Document 51-5058661-00). This document is in preparation, review, and approval and is expected to be issued by January 28, 2006. Duke will provide this document when it is issued.
RAI 1.I
Please provide the following documentation:
The documentation and plans which the licensee will determine that the RPS/ESPS system software meets the requirements. This would normally include:
i. Software Design Review.
ii. Source Code Review
iii. Software Verification and Validation Plan (BTP-14, Section 3.1.j)
iv. Verification and Validation Report

Duke Response to RAI 1.I
In the October 6, 2005, submittal, Duke stated that software development is currently at the stage of completing V&V activities described in the Requirements Phase Life-cycle of the V&V Plan. Duke indicated that Software Design Reviews and Source Code Reviews are performed in later Software Life-cycle phases and were expected to be issued by October 31, 2005, and December 16, 2005, respectively.
After further review, Duke determined that the Software Design Review is captured by the design phase V&V Report. Duke provided a copy of this document in electronic format to the NRC Staff via electronic mail on November 30, 2005. Duke requests that this document be withheld from public disclosure pursuant to 10 CFR 2.390. Also, after further review, Duke determined the Source Code Review is captured by the implementation phase V&V Report. This document is expected to be issued by January 30, 2006. Duke will provide this document when issued.
RAI 1.J
Please provide the following documentation:
Factory Acceptance Test (Specification item 9.2 - 9.6) and the Oconee Nuclear Station (ONS) Site Acceptance Test (Specification item 9.8), and any other test documentation which will be used.

Duke Response to RAI 1.J
The Factory Acceptance Test (FAT) plan was provided in electronic format to the NRC via electronic mail on November 30, 2005. Duke requests that this document be withheld from public disclosure pursuant to 10 CFR 2.390.

RAI 1.O
Please provide the following documentation:
The Failure Modes and Effects Analysis (FMEA), including not only significant failure modes but all failure modes (specification item 2.1.cc, 2.3.u, 6.12, and 11.11).

Duke Response to RAI 1.O
In the October 6, 2005, submittal, Duke stated that the FMEA was expected to be issued by November 30, 2005. Duke now expects the FMEA to be issued by December 15, 2005. Duke will provide a copy of the FMEA when issued.
RAI 1.T
Please provide the following documentation:
The Software Installation Plan (BTP-14, Section 3.1.e).

Duke Response to RAI 1.T
In the October 6, 2005, submittal, Duke stated that the Software Installation Plan was expected to be issued by November 30, 2005. Duke now expects this document to be issued by December 31, 2005. Duke will provide a copy of this document when issued.

RAI 1.V
Please provide the following documentation:
The Software Operations Plan (BTP-14, Section 3.1.h).

Duke Response to RAI 1.V
In the November 3, 2005, submittal (Supplement 2), Duke indicated that the Software Operations Plan is captured by the Oconee SDQA plan.
Duke provided a copy of the SDQA plan in electronic format to the NRC Staff via electronic mail on November 30, 2005. Duke requests that this document be withheld from public disclosure pursuant to 10 CFR 2.390.
RAI 4
The submittal identified several differences between the TXS system approved by the NRC and the system proposed for installation at ONS, principally the SVE CPU module and the communications modules. Please provide the following information:
B. The environmental test data which verified the new equipment qualifications, including temperature, humidity, radiation, seismic, and electromagnetic qualifications.

Duke Response to RAI 4.B
Duke provided a copy of Test Report # 968/K 11 0.0002 in electronic format to the NRC Staff via electronic mail on November 30, 2005. Duke requests that this document be withheld from public disclosure pursuant to 10 CFR 2.390. This document covers the qualification testing of the SCP2 communication processor. Duke requests that these documents be withheld from public disclosure pursuant to 10 CFR 2.390.
In the October 6, 2005, submittal, Duke stated that a qualification summary report addressing Oconee specific equipment such as relays, breakers, transmitters, etc., was expected to be issued by November 17, 2005. Duke now expects this document to be issued by December 22, 2005. Duke will provide a copy of this document when issued.
RAI 27
Please show how the Teleperm XS RPS/ESPS system as installed at ONC (sic) will comply with the following sections of IEEE Std. 603-1991 (as required by 10 CFR 50.55a). If this information is already contained in sufficient detail in the February 14, 2005 submittal, please reference the section of the submittal where the information is discussed.
Section 4.1: Identification of the design basis events
Section 4.4: Identification of variables monitored
Section 4.5: Minimum criteria for manual initiation and control of protective actions
Section 4.6: Identification of the minimum number and location of sensors
Section 4.4: Identification of the analytical limit associated with each variable.
Section 4.7: Range of transient and steady-state conditions
Section 4.8: Identification of conditions having the potential for causing functional degradation of safety system performance
Section 4.9: Identification of the methods used to determine reliability of the safety system design
Section 5.1: Single-Failure Criterion
Section 5.2: Completion of Protective Action
Section 5.3: Quality
Section 5.4: Equipment Qualification
Section 5.5: System Integrity
Section 5.6: Independence: Physical independence. Electrical independence. Communications Independence.
Section 5.7: Capability for Test and Calibration
Section 5.8: Information Displays
Section 5.9: Control of Access
Section 5.10: Repair
Section 5.11: Identification
Section 5.12: Auxiliary Features
Section 5.13: Multi-Unit Stations
Section 5.14: Human Factors Considerations
Section 5.15: Reliability
Sections 6.1 and 7.1: Automatic Control
Sections 6.2 and 7.2: Manual Control
Section 6.3: Interaction Between the Sense and Command Features and Other Systems
Section 7.3: Completion of Protective Action
Section 6.4: Derivation of System Inputs
Section 6.5: Capability for Testing and Calibration
Sections 6.6 and 7.4: Operating Bypasses
Sections 6.7 and 7.5: Maintenance Bypass
Section 6.8: Setpoints
Section 8: Power Source Requirements

Duke Response to RAI 27
The Bases for compliance to each Section of IEEE 603-1991 is provided in the table below.
Show how the Teleperm XS Reactor Protective System (RPS)/ESPS system as installed at Oconee will comply with Section 4.1, Identification of the design basis events.
The design basis shall document the design basis events applicable to each mode, along with the initial conditions and allowable limits of plant conditions for each event.
The Reactor Protective System (RPS) and Engineered Safeguards Protective System (ESPS) are required by Oconee Nuclear Station (ONS) Technical Specifications (TSs) to be operable in MODES 1-4. The design basis events applicable to these MODES and the analyses of the limiting cases are described in Chapter 15 of the ONS Updated Final Safety Analysis Report (UFSAR), including the analysis methods and assumptions. The allowable limits for design basis parameters are summarized in Reference 11.
The specific RPS or ESPS functions credited in each analysis are documented in the Design Basis Document (DBD) for each system (References 5 and 6). The DBDs are referenced source documents for the RPS/ESPS functional requirements specification (Reference 9), which serves as the source document for the RPS/ESPS project design.

27B Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.4, Identification of variables monitored.
IEEE Std. 603-1991 Section 4.4 requires "The design basis shall document the variables, or combination of variables, that are to be monitored to manually or automatically control each protective action."
Reference 9 includes all the input variables, or combination of variables, that shall be monitored by the RPS/ESPS system in order to execute and control each protective function. The variables monitored for RPS are provided in Duke's response to RAI 2 Table 1 (Duke letter dated October 6, 2005). The variables monitored for ESPS are provided in RAI 2 Table 2.

27C Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.5, Minimum criteria for manual initiation and control of protective actions.
The design basis shall document the protective actions that may be controlled manually initially or subsequent to initiation. See IEEE Std 494-1974.
No changes were made that require different manual actions. The controls currently being used for RPS trips and ESF actuations will continue to be used. Credited manual actuations are not processed through the TXS system.

27C 1: The design basis shall document the points in time and the plant condition during which manual control is allowed.
No changes were made that require different manual actions. The controls currently being used for RPS trips and ESF actuations will continue to be used. Credited manual actuations are not processed through the TXS system.

2: The design basis shall document the justification for permitting control by manual means.
No changes were made that require different manual actions. The controls currently being used for RPS trips and ESF actuations will continue to be used. Credited manual actuations are not processed through the TXS system.

27C 3: The design basis shall document the range of environmental conditions imposed upon the operator during conditions throughout which manual operations shall be performed.
No changes were made that require different manual actions. The controls currently being used for RPS trips and ESF actuations will continue to be used. Credited manual actuations are not processed through the TXS system.

27C 4: The design basis shall document the variable that shall be displayed for the operator to use in taking manual action.
No changes were made that require different manual actions. The controls currently being used for RPS trips and ESF actuations will continue to be used. Credited manual actuations are not processed through the TXS system.

27D Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.6, identification of the minimum number and location of sensors.
For variables that have spatial dependence, i.e. vary as a function of position, the design basis shall document the minimum number and locations of sensors required for protective purposes.
This modification does not change the minimum number and location of sensors.

27E Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.4, identification of the analytical limit associated with each variable.
See 27B, above
See 27B, above

27E1: The design basis shall document the analytical limit associated with each variable [for each event analyzed].
This modification does not change analytical limits. Duke currently does not anticipate any setpoint changes as a result of this modification.

27E2: The design basis shall document the ranges (normal, abnormal, and accident conditions) for each variable.
Reference 9 includes the ranges, in both electrical and physical units, for each analog input variable among the sense and command features. These ranges are not being changed in connection with this modification.

The design basis shall document the rates of change of each variable to be accommodated until proper completion of the protective action is ensured.
The rates of change of each variable during design basis events requiring protective action by the RPS/ESPS are documented in the references to Reference 9, and the limiting time delays assumed in the associated accident analyses are summarized in Table 15-35 of Reference 4.
The time responses allocated for the TXS RPS/ESPS are specified in Reference 9 for each RPS and ESPS function. These time response requirements exclude sensor response times and ESF actuation times, and therefore differ from the overall delay times assumed in the accident analyses.

27F Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.7, range of transient and steady-state conditions.
The design basis shall document the range of environmental conditions during normal, abnormal, and accident conditions throughout which the safety system shall perform.
The TXS RPS/ESPS system will be installed at ONS inside the control room envelope, which is maintained in a mild Environmental Qualification (EQ) environment, in order to assure its habitability for human operators.

27F 1: The design basis shall document the range of radiation conditions during normal and accident conditions.
The TXS RPS/ESPS design basis as documented in References 7 and 8 specifies the total integrated dose (TID), including both normal and accident conditions is < 1.0E-03 Rad.

27F 2: The design basis shall document the range of ambient temperature conditions during normal and accident conditions.
The TXS RPS/ESPS design basis as documented in References 7 and 8 specifies the range of ambient temperature conditions during normal and accident conditions is 60-100°F.

27F 3: The design basis shall document the range of atmospheric pressure conditions during normal and accident conditions.
The TXS RPS/ESPS system will be installed inside the control room, which is designed to be maintained at a positive pressure with respect to adjacent areas during normal and accident conditions.

27F 4: The design basis shall document the range of humidity conditions during normal and accident conditions.
The TXS RPS/ESPS design basis as documented in References 7 and 8 specifies the range of humidity conditions during normal and accident conditions is 3 - 80% RH (non-condensing)

5: The design basis shall document the range of vibration conditions during normal and accident conditions.
The TXS RPS/ESPS design basis as documented in Attachment F of Reference 7 and Attachment G of Reference 8 specifies the seismic response spectra for a design basis earthquake. This specification envelopes the range of seismic based vibration conditions that could occur during normal and accident conditions.

27F 6: The design basis shall document the range of electrical power conditions, e.g. voltage and frequency, during normal and accident conditions.
The TXS RPS/ESPS design basis as documented in References 7 and 8 specifies the range of electrical power supply conditions during normal and accident conditions in the 120 V 60 Hz AC vital power system as +/-10% voltage and _3% frequency.

27G Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.8, identification of conditions having the potential for causing functional degradation of safety system performance.
The design basis shall document the conditions having potential to functionally degrade safety system performance, and for which [design] provisions have been incorporated to retain capability, including missiles, pipe breaks, and fires.
The design basis for protecting the RPS/ESPS safety system against the effects of missiles, pipe breaks, and fires is described in References 5 and 6. This portion of the design is not being changed in connection with this modification.

27G The design basis shall document the provisions for protection from failures in non-safety-related systems, where applicable.
All non safety related systems are isolated from the TXS systems by qualified isolation devices. Electrical isolation will be performed by class 1E isolation means such that the maximum credible voltage or current transient applied to the non-1E side will not degrade the operation of the circuit on the other side. Data communications with non-safety-related systems is isolated using one-way communication paths where applicable.
Also non-safety SSCs are not located in proximity to the RPS/ESPS safety channels in a manner that their failure could jeopardize the capability of the safety system to perform its safety function.

27H Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 4.9, identification of the methods used to determine reliability of the safety system design.
The design basis shall document the methods used to determine system reliability, and any qualitative or quantitative reliability goals imposed on the system design.
Quantitative reliability goals have been established in References 7 and 8 for the TXS RPS and ESPS systems, in terms of operational unavailability, at <1.0E-05. The methodology used to determine system reliability is consistent with IEEE Std 352-1987 and IEEE Std 577-1976.
See also the response to RAI 27W.

27I Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.1 Single-Failure Criterion.
The safety system shall perform all safety functions, both automatic and manual, required for a design basis event in the presence of (1) any single detectable failure within the system, concurrent with all identifiable but non-detectable failures, plus (2) all [consequential] failures caused by the single failure, plus (3) all failures (or spurious actions) that caused or are caused by the DBE under consideration.
This is addressed in the TXS Topical Report, Section 7.1 (Reference 1). Achievement of the single-failure criterion is demonstrated with the use of a failure modes and effects analysis (FMEA), performed in accordance with IEEE Std 352-87.
A FMEA has been performed on the system architecture proposed for the ONS RPS/ESPS. It demonstrates that the TXS RPS/ESPS will comply with the single failure criterion as defined in IEEE 603-1991 and IEEE Std 379-2000.

27J Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.2, Completion of Protective Action.
The system shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion.
This is addressed in the TXS Topical Report, Section 7.2.

27J This requirement shall not preclude provision for deliberate operator interventions.
Each of the eight ESPS logic channels will have an individual AUTO/MANUAL pushbutton selector switch. Selecting MANUAL causes the relay output (RO) contacts for each actuated component in the associated digital logic channels (Channels 1 through 8) to go OPEN, thus allowing operator manual control of the individual components from the normal component control switch.

Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.3, Quality.
Safety systems shall be designed, manufactured, installed, and tested in accordance with a prescribed QA program. (ANSI/ASME NQA-1-1989)
This is addressed in TXS Topical Report Sections 2.1 and 7.3.
Project design, manufacturing, and testing activities are being performed by Framatome-ANP (FANP) under a QA program approved by Duke Power Co. The FANP QA program meets 10 CFR 50, Appendix B and ASME NQA-1-1989, through the NQA-1b-1991 Addenda.
Platform software development is being performed by Framatome-GmbH following Siemens procedures that have been reviewed and approved by the NRC (Reference 2).
Application software development is being performed by FANP-ICE in Alpharetta, GA, following a Software Quality Assurance Plan (SQAP) that complies with the requirements of ANSI/ASME NQA-1a Subpart 2.7-1995 and IEEE Std 730-2002.
Site installation and post-installation testing will be performed under the ONS QA program as described in the UFSAR.

27L Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.4, Equipment Qualification.
Safety system equipment shall be qualified (by type test, previous operating experience, analysis, or any combination of these) to substantiate that it will be capable of meeting the performance requirements specified in the design basis.
This is addressed in TXS Topical Report Sections 2.2 and 7.4. The results of this testing are documented in Reference 10 and summarized in Attachment 3 to Reference 3.

27L 5.4.1: Qualification of Class 1E equipment shall be in accordance with IEEE Std 323-1983.
A complete listing of the related EQ reports is provided in Reference 10 and Section 8 of Reference 1.

27L 5.4.2: Qualification of Class 1E equipment shall be in accordance with IEEE Std 627-1980.
IEEE Std 627-1980, Standard for Design Qualification of Safety Systems Equipment Used in Nuclear Power Generating Stations, has not been used. This standard has been withdrawn, and is no longer endorsed by the IEEE. It was deleted from IEEE Std 603 in 1998.

Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.5 System Integrity.
The safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis.
The TXS safety system has been designed and tested to confirm the equipment demonstrates system performance adequate to ensure completion of protective actions over the range of transient and steady-state conditions of both the power supply and the environment.
See the response to RAI 27F for additional details.

27N Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.6 Independence (Physical, Electrical & Communications independence).
1. Redundant portions of a safety system shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any DBE requiring that function.
NOTE: Duke addressed this part of RAI 27 in response to RAI 6 in letter dated November 3, 2005. This response complements what has already been provided.
This is addressed in TXS Topical Report Section 7.6.
The TXS RPS/ESPS safety system at ONS is implemented using four separate and independent process channels of Reactor trip and three independent channels for ESF actuation. Physical separation of the field sensors and actuated devices, including instrumentation and power cables is consistent with IEEE Std 279-1971 and UFSAR Sections 7.2 and 7.3. Field sensors and actuated devices are not being changed by this modification.
Redundant channels that provide signals for the same protective functions are located in different panels, ensuring they are physically separated with metal barriers, and electrically isolated.
Where redundant equipment communicates via data links, the TXS architecture has been designed to preserve independence between channels. Communications independence is provided in accordance with the guidance of IEEE Std. 7-4.3.2-1993, Annex G.

2. Safety system equipment required to mitigate a specific DBE shall be independent of, and physically separated from, the effects of the DBE to the degree necessary to [perform its safety function]. EQ per 5.4 is one way to meet this requirement.
The TXS RPS/ESPS will be installed at ONS in the control room, where it is protected from the dynamic and environmental effects of the Design Basis Events (DBEs) for which it is credited to function. The control room is classified as a mild EQ zone.
The TXS RPS/ESPS has been environmentally qualified by testing to the criteria of IEEE Std 323-1983 and EPRI TR-107330.

27N 3. The safety system design shall be such that credible failures in and consequential actions by other systems shall not prevent the safety system from [performing its safety functions].
All non safety related systems are isolated from the TXS systems by qualified isolation devices. Furthermore, system interactions have been reviewed and the conclusion reached that there is no credible failure scenario for one safety system that would prevent any other safety system from performing its safety function.
The Class 1E MSI computers are required to isolate the Class 1E safety actuation channels from the Non 1E service unit and operator aid computer (OAC). By means of the MSI computer it can be ensured that any failure in the service unit or OAC cannot prevent the capability of the TXS RPS/ESPS to perform its safety functions.
MSI computers are physically separated from the equipment in the safety actuation channels. Due to space limitations, they will be installed in the RPS-E cabinet. This location affords equivalent seismic qualification and protection from environmental and dynamic effects of any DBE.
The power supplied to the RPS-E cabinet is designated Non 1E. However, the power source for RPS-E is isolated and derived from the same DC sources as the Vital AC panel boards for RPS channels A through D. This power source exception is considered acceptable because the MSI will perform its isolation function satisfactorily, even if it is de-energized due to a loss of power.

Equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems.
As documented in Reference 9, the TXS RPS/ESPS develops certain signals for use in both safety and non-safety functions performed by external systems. All components in the safety signal path up to and including the qualified isolator are Class 1E and part of the safety system.

27N Isolation devices used to effect a safety system boundary shall be classified as part of the safety system.
Class 1E electrical and optical isolation devices are employed to preserve independence of the TXS from non-safety systems. These isolation devices are classified as part of the safety system, are located in Class 1E panels, and are designed and qualified to meet the requirements of IEEE Std 603-1991. This subject is discussed in more detail in Section M.1 5 of Attachment 3 to Reference 3.

27N No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any DBE requiring its safety function.
Electrical isolation will be performed by class 1E isolation means such that the maximum credible voltage or current transient applied to the non-1E side will not degrade the operation of the circuit on the other side.
See related response to RAI 27G

27N A failure in an isolation device shall be evaluated in the same manner as a failure of any other equipment in a safety system.
Electrical isolation devices are included in the Failure Modes and Effects Analysis (FMEA) which evaluates the potential impacts of their failure modes in the same manner as is done for other RPS/ESPS equipment. The FMEA is discussed in more detail in the response to RAI 27I, above.
[Non-safety] equipment in other systems that is in physical proximity to safety system equipment, but neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety system function in the event of the failure of the non-safety equipment.
Separation may be achieved by physical barriers or acceptable distance, but shall be in accordance with the requirements of IEEE Std 384-1981.
There are no unanalyzed non-safety SSCs located in physical proximity to the TXS RPS/ESPS equipment such that their failure could jeopardize the safety system function. The new configured digital safety I&C system is located in the same place as the existing cabinet and utilizes the existing field cables for input and output signals.
The existing channel separation for these instances will be maintained.
Portions of the RPS/ESPS external to the TXS that are existing plant equipment and will remain so are separated by physical barriers and/or distance from non-safety equipment, following the recommendations in IEEE Std 279-1971 as endorsed by 10CFR50.55a(h). Existing equipment that is not being modified will not be requalified to IEEE Std 603-1991.
27N Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4, and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.
The TXS RPS/ESPS system equipment will be installed at ONS in Class-1E, seismically-qualified cabinets. The cabinets provide physical barriers to effect a boundary between channels. The cabinets meet all the system integrity requirements specified, including seismic qualification to the required response spectra defined in References 5 and 6. A brief description is included in Attachment 3 to Reference 3.
27N Where a single random failure in a non-safety system can both result in a DBE and also prevent proper action of a portion of the safety system designed to mitigate that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. See IEEE Std. 379-1988.
The implementation of the TXS platform does not introduce any new events or cause any change in the current ONS analysis of single failures, causing an event while concurrently preventing the safety action with the same single failure.
There are no new single failures within a non-safety system that can result in a DBE and also prevent proper operation of the TXS safety system designed to mitigate that event. The ONS Chapter 15 Safety Analysis will remain the same with the TXS platform modification.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.7, Capability for Test and Calibration.
calibration shall be provided while retaining the capability of the safety systems to accomplish their functions.
This capability shall be provided during power operation, and shall duplicate, as closely as practicable, performance of the safety function.
This is addressed in TXS Topical Report Sections 2.5 and 7.7.
27O Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std. 338-1987.
This is addressed in TXS Topical Report Section 7.7.
27O Exceptions to testing and calibration at power are allowed, where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:
(1) appropriate justification shall be provided,
(2) acceptable reliability shall be otherwise demonstrated, and
(3) the capability shall be provided while the station is shut down.
The capability to perform testing of the TXS platform while at-power is provided. This is addressed in TXS Topical Report Section 7.7.
27P Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.8, Information Displays.
Display information provided for manually controlled actions for which no automatic control is provided, and that are required for the safety systems to accomplish their safety function, shall be part of the safety systems and shall meet the requirements of IEEE Std. 497-1981.
The information displays provided to support manual operator actions during a DBE are not being changed in connection with the TXS RPS/ESPS project. These have been previously defined as part of the post-accident monitoring requirements in accordance with RG 1.97, Rev. 2, which are described in Section 7.5 of Reference 4.
The adequacy of the control room information displays was demonstrated by NUREG-0737 Control Room Design reviews, and will be reviewed again as part of Human Factors Engineering (HFE) reviews being performed in support of the new design.
IEEE Std 497-1981 was not used, and was never endorsed by the NRC in RG 1.97.
The current version of IEEE Std 497(2002) incorporates applicable requirements from IEEE Std. 497-1981, ANS Std. 4.5-1980, RG 1.97, to present digital design techniques for post-accident monitoring displays. This version will be used as part of the HFE reviews being performed for the ONS RPS/ESPS project.
27P The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.
The possibility of ambiguous or confusing indications is minimized by the application of HFE principles, as discussed in the response to RAI 27V, below.
27P Display instrumentation shall provide accurate, complete, and timely safety system status. This information shall include indication and identification of protective actions of the sense and command features and the execute features. Status indication need not be part of the safety systems.
This is addressed in TXS Topical Report Section 7.8. RPS/ESPS channel status information is provided in the control room for channel trip, trouble, and test for each RPS and ESPS channel. In addition, bypass information is provided for each RPS channel and ESPS voter. This status information is displayed on the Statalarm Panels, described in Section 22 of Reference 9. The Statalarm Panels are classified as Non 1E, and are electrically isolated from the TXS by Class 1E relays.
RAI | IEEE 603-1991 Requirements | Response
27P If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room. Bypass indication need not be part of the safety systems.
This is addressed in TXS Topical Report Section 7.8. If a channel is bypassed for any reason, a signal is provided to facilitate continuous indication of this condition.
Limiting conditions for maintenance and test bypass conditions are provided in plant specific Technical Specifications, and are not being changed by the license amendment request.
27P Bypass indication shall be automatically actuated if the bypass is expected to occur more frequently than once a year and is expected to occur when the affected system is required to be operable.
The bypasses are annunciated in the control room. Bypasses are alarmed on the OAC via the TXS Gateway.
27P The capability shall exist in the control room to manually activate bypass display indication.
Lamp test push buttons will be provided in the control room on 1 VB2 to manually test the odd and even ESPS status lamps.
Lamp push buttons are provided in the control room to manually test Statalarm lamps.
The capability for manual activation exists in the RPS/ESPS cabinets, by operating the bypass keyswitch. The cabinets are located in the instrument room adjoining the control room.
27P Information displays shall be located accessible to the operator.
Most information displays will remain as they are. The information displays receiving inputs from the RPS/ESPS consist of the Statalarm Panels SA1, 2, 5, and 7, the OAC, and the event recorder, all of which are located in the control room and accessible to the control room operator. An ESF status panel is provided to display ESF component status.
27P Information displays provided to support manually controlled protective actions shall be visible from the location of the controls used to effect the actions.
The location of information displays provided to support manual operator actions during a DBE are not being changed in connection with the TXS RPS/ESPS project. These have been previously reviewed as part of the ONS RG 1.97 review and NUREG-0737 Control Room Design Reviews.
27Q Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.9, Control of Access.
The design shall permit the administrative control of access to safety system equipment. These controls shall be supported by provisions within the system, or in the generating station design, or by a combination thereof.
This is addressed in TXS Topical Report Sections 2.6 and 7.9. Access to the TXS RPS/ESPS hardware is controlled using a combination of station administrative procedures and system design features.
The system is located inside the Protected Area, to which access is controlled by station security features and site security forces. The system is located inside the control room, to which access is restricted to authorized persons.
Access to the processors is via front and rear mounted cabinet doors. During normal operation, the cabinet doors will be closed and locked, monitored and alarmed, allowing operators to be aware of and investigate the reason for any open doors.
Only one key type for all cabinet doors will exist for ONS-1 (different from Unit 2 or 3 door key types), so that the protection system service unit access is restricted.
The service unit is protected against unauthorized interventions, using keylock switches and passwords. Authorized operator actions are monitored and logged by the central server of the service unit.
Independent of the control of the rights to use the service unit, commands sent from the service unit to the function processors are only executed if the function processors are in an appropriate operating mode. This operating mode is controlled administratively by procedure and by an individual key switch located in the specific channel.
27R Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.10, Repair.
The safety systems shall be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.
This is addressed in TXS Topical Report Section 7.10.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.11, Identification.
Safety system equipment shall be distinctly identified for each redundant portion in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982.
Marking and identification requirements are detailed in Section 13 of References 7 and 8. When installed, equipment will be labeled in the field using distinctive color-coded tags to identify channel assignments (gray, yellow, blue, and orange for Channels A, B, C, and D, respectively), in accordance with existing ONS site procedures. Channel independence and separation within the TELEPERM equipment is in accordance with IEEE Std 384.
27S Identification shall be distinguishable from any identifying markings for other purposes (e.g. fire protection or phase identification on power cables).
Tags and labels used to identify train assignment are easily distinguishable from other markings due to their specific color coding.
27S Associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974.
IEEE Std 494-1974 (ANSI N41.28-1976) is not used to identify safety-related documentation for the TXS RPS/ESPS. This standard was withdrawn in 1997, and is no longer endorsed by IEEE. The applicable documentation requirements are detailed in Section 11 of References 7 and 8. Safety-related documents are entered into FANP and ONS records following procedures that implement requirements meeting the intent of IEEE Std 494-1974.
Additionally, a project software configuration management plan (SCMP) complying with IEEE Std. 828-1998 as endorsed by RG 1.169 is issued to implement the control requirements for software media and documentation.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.12, Auxiliary Features.
Auxiliary supporting features (e.g. power, HVAC) shall meet all the requirements of this standard. (i.e. 1E)
This is addressed in TXS Topical Report Section 7.12.
Auxiliary supporting systems (e.g. HVAC, 120 VAC, etc) interfacing with the TXS RPS/ESPS panels are not being modified in connection with this design change.
These and other legacy systems at ONS-1 were designed and installed following guidance in IEEE Std 279-1971, and this standard remains the design and licensing basis for these supporting features following the modification.
Effects on these systems by the TXS RPS/ESPS changes are being evaluated and addressed and will be tested as part of implementation as indicated in of Reference 3 in response to the TXS SER Section 6 plant specific action item 14 (Reference 2).
27U Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.13, Multi-Unit Stations.
Sharing of SSCs between units at multi-unit generating stations is permissible, provided that the ability to simultaneously perform required safety functions in all units is not impaired.
There is no sharing on RPS. There is limited sharing on a system basis for ESPS for Keowee starts and LPSW initiation and is in accordance with applicable GDC's associated with sharing of components between units.
ONS Units 1 and 2 share a common control room, and the RPS/ESPS cabinets for both units will be located in this shared structure. The ability of each RPS/ESPS to perform their required safety functions is unimpaired by sharing a common structure. Sharing of a common control room is the current design and licensing basis for ONS Units 1 and 2, and is not being changed in connection with this modification.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.14, Human Factors Considerations.
Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals, in accordance with IEEE Std 1023-1988.
HFE has been a design consideration on the RPS/ESPS since the conceptual design stage, and work continues through the requirements definition and detailed design phases. HFE principles are being applied to all HSI features within the scope of the project, at a level commensurate with their relative importance to safety.
HSI features include the control board modifications, the maintenance screen layouts displayed on the Graphic Service Monitor (GSM), and the new displays to be used on the OAC. An ESF status panel is provided to display ESF component status.
The HFE work is being performed following Reference 12 and using the guidance of IEEE Std 1023-1988, NUREG-0700 Rev. 2, NUREG-0711 Rev. 2, and SRP Chapter 18. HFE reviews of the control room modifications will include a review of commitments made in response to NUREG-0737.
27W Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 5.15, Reliability.
For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved.
IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance.
This is addressed in TXS Topical Report Sections 2.4 and 7.14.
The RPS reliability or failure to trip on demand probability [PFD], currently assumed in the ONS PRA is 1.0E-6/demand. The ESPS channel PFD assumed in the PRA is 1.12E-03/demand.
Both these PFD values have been adopted by FANP as quantitative reliability goals for the RPS/ESPS.
To demonstrate achievement of the reliability goals, a hardware reliability analysis has been performed following the methods recommended in IEEE Std 352-1987. The limiting results of this analysis for the RPS are a PFD of 5.44E-10 per demand, considering that for each DBE there is a primary and at least one backup trip function.
For the ESPS, the calculated PFD is 2.78E-05 per demand, per logical channel.
For the RPS, the calculated operational unavailability is 9.83E-07.
27X Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Sections 6.1 and 7.1, Automatic Control.
6.1 Means shall be provided to automatically initiate and control all protective actions, except as justified in 4.5.
The safety system shall be designed such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event.
7.1 Means shall be incorporated in the execute features to receive and act upon automatic control signals from the sense and command features consistent with 4.4 of the design basis.
This is addressed in TXS Topical Report Section 7.15. The TXS RPS/ESPS at ONS will automatically initiate all required protective actions to mitigate DBEs that occur in plant modes in which the system is required to be OPERABLE by the ONS Technical Specifications, except those events justified in the response to RAI 27C, above.
The TXS RPS/ESPS at ONS is designed such that the operator is not required to take any action prior to the time specified in Reference 6.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Sections 6.2 and 7.2, Manual Control.
in the control room to implement manual initiation at the division level of the automatic protective actions.
This means shall minimize the number of discrete operator manipulations, and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.
7.2 If manual control of any actuated component in the execute features is provided, the additional design features necessary to accomplish such manual control shall not defeat requirements 5.1 and 6.2. Capability shall be provided to receive and act upon manual control signals from the sense and command features consistent with the design basis.
This is addressed in TXS Topical Report Section 7.16. Means are provided in the control room for manual reactor trip at the system level, and emergency safeguards actuation at the channel level.
Requirements to perform operator manual actions remain minimal. The manual actuation of reactor trip is performed by a hard-wired pushbutton on the MCB, bypassing the TXS trip logic and directly connected to the control circuits of the trip breakers.
Depressing the manual TRIP/RESET pushbutton will initiate a TRIP signal to the associated ESPS Channel in two ways: (1) via an input to the TXS Channel logic, and (2) directly to the associated Channel output relays bypassing the TXS. The manual or automatic TRIP signal can be reset by depressing the associated Channel RESET button. These ESPS manual actuation paths do not pass through the TXS software and therefore, are not dependent on the correct functioning of the software.
Manual control of individual ESF components is provided using AUTO/MANUAL switches that bypass the TXS platform. Each of the eight ESPS logic channels will have an individual AUTO/MANUAL selector switch. Once an ESPS signal is actuated, the AUTO light on this switch is illuminated while automatic ESPS operations proceed to completion.
However, if it is desired to take manual control of an individual component, the MANUAL mode may be selected, after which the individual components associated with that channel may be operated from their normal component control switches.
ESPS Channels 1 and 2 Load Shed AUTO/MANUAL switches will allow the Load Shed logic to remain enabled even if the operator selects MANUAL on the AUTO/MANUAL switch for Channels 1 and 2.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 6.3, Interaction Between the Sense and Command Features and Other Systems.
6.3.1 Where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action, and can concurrently prevent that action, [either alternate channels or equipment shall be provided that is not subject to failure caused by the same event.]
An initiating event in a non-safety system that results in a DBE, and also could prevent proper action of a RPS/ESPS function to mitigate the event, will be mitigated by an associated backup function.
Failures of non safety related SSC's have been evaluated on the replacement RPS/ESPS. No adverse effects were identified.
27Z 6.3.2 Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements in 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating non-safety signals taken from redundant channels, or initiating protective action from the bypassed channel.
The ONS RPS has 4 channels with only 3 required by Technical Specifications. One channel can be placed in maintenance bypass, and the remaining three will perform all protective functions while continuing to meet the single-failure criterion. In this case the coincidence logic is 2/3 instead of the normal 2/4. With one channel bypassed the RPS will continue to meet the single failure and channel independence criteria.
The ONS ESPS has 2 sets of 3 channels with only one set being required by Technical Specifications. All three channels of a redundant set can be removed from service for maintenance.
With one channel or set of channels bypassed the ESPS will continue to meet the single failure and channel independence criteria.
Individual RPS and ESPS channels can also be placed in a "TRIP" condition, if necessary, by using the RPS or ESPS logic Channel Trip keylock switches.
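The RPS coincidence behaviour described in this response (2/4 normally, 2/3 with one channel in maintenance bypass) can be checked by enumeration. The following is an added example, not code from Duke, FANP or the TXS platform; the function names, the treatment of a "failure" as a channel that does not trip on demand, and the `MIN_IN_SERVICE` constant are assumptions made for illustration.

```python
"""Added illustration: RPS 2-out-of-N coincidence with maintenance bypass."""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")  # four redundant RPS channels named on the page
VOTES_TO_TRIP = 2                # 2/4 normally, 2/3 with one channel bypassed
MIN_IN_SERVICE = 3               # assumption: "only 3 required by Technical Specifications"


def coincidence(bypassed=frozenset()):
    """Return (votes needed, channels voting) for a given bypass set."""
    return VOTES_TO_TRIP, len(CHANNELS) - len(bypassed)


def system_trip(channel_trips, bypassed=frozenset()):
    """True if enough in-service channels vote to trip.

    channel_trips maps channel name -> bool; a bypassed channel's vote is ignored.
    """
    votes = sum(1 for ch in CHANNELS
                if ch not in bypassed and channel_trips.get(ch, False))
    return votes >= VOTES_TO_TRIP


def bypass_permitted(bypassed):
    """Only configurations that leave three channels in service are allowed."""
    return len(CHANNELS) - len(set(bypassed)) >= MIN_IN_SERVICE


def trips_on_demand_with_single_failure(bypassed=frozenset()):
    """Single-failure check: on a genuine demand every healthy in-service
    channel votes to trip; try each in-service channel as the one that fails."""
    in_service = [ch for ch in CHANNELS if ch not in bypassed]
    for failed in in_service:
        trips = {ch: ch != failed for ch in in_service}
        if not system_trip(trips, bypassed):
            return False
    return True


def single_spurious_trip_actuates(bypassed=frozenset()):
    """True if one channel tripping on its own would trip the reactor."""
    in_service = [ch for ch in CHANNELS if ch not in bypassed]
    return any(system_trip({ch: True}, bypassed) for ch in in_service)


def survey():
    """Evaluate every configuration with 0, 1 or 2 channels bypassed."""
    rows = []
    for n in range(3):
        for combo in combinations(CHANNELS, n):
            b = frozenset(combo)
            rows.append((combo, coincidence(b), bypass_permitted(b),
                         trips_on_demand_with_single_failure(b),
                         single_spurious_trip_actuates(b)))
    return rows


if __name__ == "__main__":
    for combo, logic, permitted, survives, spurious in survey():
        print(f"bypassed={combo or '-'} logic={logic[0]}/{logic[1]} "
              f"permitted={permitted} single-failure-ok={survives} "
              f"single-spurious-trip={spurious}")
```

With two channels bypassed the logic would become 2/2, and any one failed channel would block the trip, which is why the model permits only one channel in bypass.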
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 7.3, Completion of Protective Action.
The design of the execute features shall be such that once initiated, the protective actions shall go to completion. This does not preclude the use of equipment protective devices identified in 4.11, nor provision for deliberate operator interventions.
When the TXS RPS signals a reactor trip, the CRD breakers are opened and the reactor is tripped immediately. No provision for operator intervention is provided. The operator will proceed according to the procedural guidance in the Emergency Operating Procedure (EOP).
When the sense and command features reset, the execute features shall not automatically return to normal; they shall require separate, deliberate operator action to be returned to normal.
After the initial protective action has gone to completion, the execute features may require manual control or automatic control (i.e., cycling) of specific equipment to maintain completion of the safety function.
Both RPS and ESPS reset functions require at least two separate and deliberate operator actions to return the system to normal following a trip. No reset button actuation will result in an actuated device changing back to its non-actuated state.
When the TXS ESPS signals an ESF actuation signal, the system actuations will go to completion automatically.
Should deliberate operator action be desired, Auto/Manual switches are provided, as described in the response to RAI 27J, above. These switches allow individual components to be controlled manually as necessary in the event manual operator action is required.
In addition, the ONS TXS ESPS will feature two ESPS Emergency Override pushbuttons in order to allow manual control for software common mode failures, as described in Section 21 of Reference 9. These pushbuttons de-energize power to all odd or even output relays at the system level, in order to allow manual control.
27AB Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 6.4, Derivation of System Inputs.
To the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.
The variables used for RPS and ESPS are the same as those currently being used at ONS. For RPS and ESPS trip functions credited as primary protection in the DBE analyses, inputs are derived from signals that are direct measures (e.g., neutron flux, pressure, temperature, and flow) of the parameters of interest, as specified in Reference 4.
For backup and anticipatory trips, inputs may be derived from diverse and indirect measures (e.g. RCP motor current in lieu of RCS flow), which are specified as the desired variables per References 5, 6, and 9.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 6.5, Capability for Testing and Calibration.
Means shall be provided for checking with a high degree of confidence the operational availability of each sense and command feature input sensor required for a safety function during reactor operation, by:
(1) perturbing the monitored variable,
(2) using a substitute input to the sensor of the same nature,
(3) cross-checking between channels that bear a known relationship to one another.
This is addressed in TXS Topical Report Section 7.7. Calibrations will be performed on the frequency given in the ONS TSs.
These calibrations will be performed either by perturbing the monitored variable or by substituting the input.
Cross checking of channels is performed as follows. Equivalent analog signals of different measuring channels (i.e., redundant channels) will be continuously compared with each other to detect and monitor channel signal deviations. This includes the entire instrument chain consisting of sensor, transducer, input signal module and the associated equipment for signal transfer. If the signals are not within a pre-defined tolerance range, this condition is alarmed on the Unit Statalarm and input to the plant OAC. Channel deviations are not excluded from processing in the safety calculations.
27AD Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Sections 6.6 and 7.4, Operating Bypasses.
6.6/7.4 Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s).
The design of the TXS RPS/ESPS for ONS includes one Operating Bypass; the RPS Shutdown Bypass, which is described in Section B.1.a of Attachment 3 to Reference 3.
The position of the Shutdown Bypass switch in each channel is alarmed on the Statalarm panel in the control room. The permissive conditions for using the Shutdown Bypass are that the NI power range signal is <5% and the RCS narrow range pressure signal is ≤1720 psig. If the shutdown bypass keyswitch on an RPS train is moved to the Bypass position when these permissive conditions do not exist, then a reactor trip signal from that train is generated.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Sections 6.7 and 7.5, Maintenance Bypass.
6.7 Capability of a safety system to accomplish its safety function shall be retained while equipment is in maintenance bypass.
During such bypass operation, the features shall continue to meet the requirements of 5.1 and 6.3 (single failure and freedom from system interactions).
This is addressed in TXS Topical Report, Section 7.20.
7.5 Portions of the execute features with a degree of redundancy of one shall be designed such that when a portion is placed in maintenance bypass (reducing its degree of redundancy to zero), the remaining portions provide acceptable reliability.
The placement of a channel into Bypass is administratively controlled by the plant operations staff. Placement of a channel into Bypass requires physical access to the channel and can not be done remotely.
(Physical access via locked cabinets is also administratively controlled). The TXS RPS is designed with the capability to permit any channel to be placed into BYPASS during power operation without initiating a protective action at the system level.
The ONS RPS has four redundant channels. Placing a channel into BYPASS causes the RPS to go into a 2 out of 3 configuration. Provisions have been made to allow maintenance bypass of one of the ESPS voter subsystems provided the redundant voter subsystem is operable.
When a channel/voter is in bypass, the remaining channels/voters are sufficient to provide protective action while continuing to meet the single failure criterion.
27AF Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 6.8, Setpoints.
The allowance for uncertainties between the process analytical limit documented in Section 4.4 and the device setpoint shall be determined using a documented methodology. Refer to ISA S67.040-1987.
This is addressed in TXS Topical Report Section 7.21.
The RPS/ESPS System Instrument Setpoint Calculations, Instrument Accuracy Calculations, and Instrument Uncertainty Calculations will be updated as a result of the TXS modification.
These calculations will employ a setpoint uncertainty methodology that follows the guidance in ISA S67.04-1994, as endorsed by RG 1.105, Rev. 2.
27AF Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required.
Multiple setpoints are used in the ONS TXS design, in RPS Functions 1 and 5. In each case, positive means are provided to ensure that the more restrictive setpoint is used when required. This is achieved through the use of a Shutdown Bypass keyswitch feature, which shall automatically insert the more restrictive setpoints when preparing to enter a shutdown. This feature is described in more detail in Section B.1.a of Attachment 3 to Reference 3.
See also the response to RAI 27AD, above.
Show how the Teleperm XS RPS/ESPS system as installed at Oconee will comply with Section 8, Power Source Requirements.
Class 1E power systems that are required to provide power to facets of the safety system are governed by the criteria of this standard (603-91), and are considered a portion of the safety systems.
No modifications were made to accommodate the replacement RPS/ESPS.
27AG The capability of the safety systems to accomplish their safety functions shall be retained while power sources are in maintenance bypass.
Portions of the power sources with a degree of redundancy of one shall be designed such that when a portion is placed in bypass (reducing its degree of redundancy to zero), the remaining portions provide acceptable reliability.
Each RPS or ESPS channel is fed by an Absopulse Power supply consisting of four 500 watt internal power supply modules, for a total power availability of 2000 watts.
Each channel consumes less than 1000 watts, therefore a reserve of 100% is normally provided. Should one of the modules be removed, the remaining three modules will provide full power for the channel load with approximately 50% reserve capacity. Thus, even if two modules are removed simultaneously, the channel would retain operability.
All power supply modules are hot swappable and can be replaced without affecting the redundant modules. It is not necessary to reduce the degree of redundancy to zero in order to perform maintenance on any component of the power supply. If for some reason, the entire channel must be powered down for maintenance, the remaining channels are capable of performing the required protective functions.
L-1-1-1--l November 30, 2005 Page 30
REFERENCES:
1. Siemens Power Corp Topical Report EMF-2110(NP), Rev. 1; "TELEPERM XS: A Digital Reactor Protection System"
2. USNRC; Safety Evaluation by the Office of Nuclear Reactor Regulation - Siemens Power Corporation Topical Report EMF-2110(NP), Rev. 1; ADAMS Accession No. ML003711856
3. License Amendment Request for Reactor Protective System/Engineered Safeguards Protective System Digital Upgrade, Technical Specification Change (TSC) Number 2004-09; ADAMS Accession No. ML050550470
4. ONS UFSAR; Chapter 7, "Instrumentation and Control" and Chapter 15, "Accident Analysis"
5. OSS-0254.00-00-2002, Revision 8, Reactor Protection System Design Basis Specification
6. OSS-0254.00-00-2003, Revision 12, Engineered Safety Features Actuation System Design Basis Specification
7. OSS-0311.00-00-0013, Reactor Protective System (RPS) Replacement Project Specification
8. OSS-0311.00-00-0012, Engineered Safeguards Features Actuation System (ESPS) Replacement Project Specification
9. OSC-8623, Rev. 2, "RPS & ESPS System Functional Description"
10. FANP Report 66-5015893; "TXS Supplemental Equipment Qualification Summary Test"
11. OSS-0254.00-00-4005, Rev. 13; "Design Basis Specification for the Design Basis Event"
12. EM-4.17, Rev. 0; "Human Factors Engineering Procedure"

Updated List of NRC Commitments (from Duke Letters dated October 6, 2005 and November 3, 2005)
| RAI | Commitment | Status |
|---|---|---|
| 1.D | The final approved SDQA document is in preparation, review and approval and is expected to be issued by December 1, 2005. Duke will provide the final approved plan when issued. [Note: In the context used "final approved" means Revision 0 to the approved plan.] | Provided Rev. 0 11/30/05 |
| 1.F | The Software Safety Analysis Plan is in preparation, review, and approval and is expected to be issued by October 31, 2005. Duke will provide a copy of the plan when issued. | Provided 11/2/05 |
| 1.H | These documents are in preparation, review, and approval and are expected to be issued by the dates indicated below: iv. Implementation Specification: January 28, 2006; v. Integration Plan: November 30, 2005; vi. Test Plan: November 30, 2005. Duke will provide these documents when they are issued. | Integration and Test Plans provided 11/30/05 |
| 1.I | Software Design Reviews and Source Code Reviews are performed in later Software Life-cycle phases and are expected to be issued by October 31, 2005, and December 16, 2005, respectively. Duke will provide these documents when they are issued. The Verification and Validation Report is being provided in phases and are in preparation, review, and approval and are expected to be issued by: 1) design phase - November 15, 2005; 2) implementation - January 30, 2006; 3) testing phase - May 4, 2006. Duke will provide these reports when they are issued. | Design phase V&V report provided 11/30/05 |
| 1.J | The FAT Plan, FAT Procedure, and FAT Report are expected to be issued by the dates indicated below: FAT Plan: November 30, 2005; FAT Procedure: February 28, 2006; FAT Report: May 4, 2006. Duke will provide the FAT Plan, Procedure, and Report when issued. | FAT Plan provided 11/30/05 |
| 1.J | The Site Acceptance Test (SAT) Plan, SAT Procedure, and SAT Report are expected to be issued by the dates indicated below: SAT Plan: February 28, 2006; SAT Procedure: March 28, 2006; SAT Report: June 30, 2006. Duke will provide the SAT Plan, Procedure, and Report when they are issued. | In progress |
| 1.K | The Oconee User Instruction Manual is in preparation, review, and approval and is expected to be issued by December 15, 2005. Duke will provide this document when it is issued. | In progress |
| 1.K | Duke will submit an explanation of what training has been provided by FANP to Duke by November 3, 2005. | Provided 11/3/05 |
| 1.K | Training for control room operators, I&C maintenance personnel and plant engineering is being developed as part of the modification process. Duke will provide additional explanation of this training by January 12, 2006. | In progress |
| 1.L | The requirements matrix is a living document, and is updated at the end of each V&V phase. Duke expects to issue the next updates by February 14, 2006, and May 4, 2006. Duke will provide these updates when they are issued. | In progress |
| 1.O | The FMEA is in preparation, review, and approval and is expected to be issued by December 15, 2005. Duke will provide a copy of the FMEA when it is issued. | In progress |
| 1.Q | These calculations (Setpoint) require revision as a result of the RPS/ESPS digital modification. The revised calculations will address any margin gains or losses. The required revisions are in preparation, review, and approval and are expected to be issued by December 31, 2005. Duke will provide a summary of the results of the revised calculations when issued. | In progress |
| 1.R | Additional information related to the qualification of the SIVAT simulation tool is in preparation and will be submitted as a revision to this RAI response by December 1, 2005. | Provided 11/3/05 |
| 1.T | The Software Installation Plan is in preparation, review, and approval and is expected to be issued by December 31, 2005. | In progress |
| 1.U | The Software Safety Plan is in preparation, review, and approval and is expected to be issued by November 30, 2005. | Provided 11/2/05 |
| 1.V | Duke will provide a date when Software Operations Plan can be provided by November 3, 2005. | Provided 11/3/05 |
| 4.A & 4.C | The response to RAI 4.A and 4.C will be included in Duke's response to RAI 30. The response to RAI 4.B is in preparation and will be submitted by November 3, 2005. | Provided 11/3/05 |
| 4.B | Test Report # 968/K 110.00/02 is currently being translated from German to English. Duke will provide this document to the NRC staff when it is available. | Provided 11/30/05 |
| 4.B | A qualification summary report addressing Oconee specific equipment such as relays, breakers, transmitters, etc., is in preparation, review and approval and is expected to be issued by December 22, 2005. Duke will provide this document when it is issued. | In progress |
| 6 | Duke will respond to the question related to channel independence in our response to RAI-27. [Note - this question was addressed in response to RAI 6.] | Provided 11/3/05 |
| 6 | Duke's response to the question related to communications and data exchange is in preparation and will be submitted by November 3, 2005. | Provided 11/3/05 |
| 7c | Duke will submit more information regarding the hardware solution by November 3, 2005. | Provided 11/3/05 |
| 10 | Duke provided a preliminary response to this question on June 30, 2005. After discussions with the staff on August 17, 2005, Duke agreed to revise this response. The response to this RAI is in preparation and will be submitted by November 3, 2005. | Provided 11/3/05 |
| 15 | The response to this RAI is in preparation and will be submitted by December 1, 2005. | Provided 11/3/05 |
| 18 | The response to this RAI is in preparation and will be submitted by January 12, 2006. Duke will provide the system response time reports to NRC (expected to be submitted by May 4, 2006). | In progress |
| 21, 22 | Duke discussed the preliminary response provided to the draft RAI in the August 17, 2005, Duke/NRC RAI meeting and agreed to revise this response. This response is in preparation and will be submitted by November 3, 2005. | Provided 11/3/05 |
| 27 | The response to this RAI is in preparation and will be submitted by December 1, 2005. | Provided 12/1/05 |
| 29 | The response to this RAI is in preparation and will be submitted by December 1, 2005. | Provided 11/3/05 |
| 30 | The response to this RAI is in preparation and will be submitted by December 1, 2005. | Provided 11/3/05 |
| 31 | The response to this RAI is in preparation and will be submitted by December 1, 2005. | Provided 11/3/05 |