ML053630266
| ML053630266 | |
| Person / Time | |
|---|---|
| Site: | Oconee  |
| Issue date: | 01/10/2006 |
| From: | Olshan L Plant Licensing Branch III-2 |
| To: | Brandi Hamilton Duke Energy Corp |
| Olshan L N, NRR/DLPM, 415-1419 | |
| References | |
| TAC MC5895, TAC MC5896, TAC MC5897 | |
| Download: ML053630266 (8) | |
Text
January 10, 2006 Mr. Bruce H. Hamilton Vice President, Oconee Site Duke Energy Corporation 7800 Rochester Highway Seneca, SC 29672
SUBJECT:
REQUEST FOR ADDITIONAL INFORMATION CONCERNING THE OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3, LICENSE AMENDMENT REQUEST FOR REACTOR PROTECTIVE SYSTEM/ENGINEERED SAFEGUARDS PROTECTIVE SYSTEM DIGITAL UPGRADE (TAC NOS. MC5895, MC5896, AND MC5897)
Dear Mr. Hamilton:
By letter dated February 14, 2005, you submitted a license amendment request to change the technical specifications (TSs) for Oconee Nuclear Station, Units 1, 2, and 3. The amendments would allow the replacement of the current analog-based reactor protective system (RPS) and engineered safeguards protective system (ESPS) with a digital computer-based RPS and ESPS. The digital system will be the Framatome Advanced Nuclear Power TELEPERM XS (TXS) System.
On September 6, 2005, we sent you the first request for additional information (RAI), which contained 31 questions. Since that time, the review of the application has brought several additional questions to light, and to continue our review of the proposed TS change, we need your response to the enclosed RAI.
If you have any questions concerning this RAI, please contact me at 301 415-1419.
Sincerely,
/RA/
Leonard N. Olshan, Project Manager Plant Licensing Branch II-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-269, 50-270, and 50-287
Enclosure:
RAI cc w/encl: See next page
January 10, 2006 Mr. Bruce H. Hamilton Vice President, Oconee Site Duke Energy Corporation 7800 Rochester Highway Seneca, SC 29672
SUBJECT:
REQUEST FOR ADDITIONAL INFORMATION CONCERNING THE OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3, LICENSE AMENDMENT REQUEST FOR REACTOR PROTECTIVE SYSTEM/ENGINEERED SAFEGUARDS PROTECTIVE SYSTEM DIGITAL UPGRADE (TAC NOS. MC5895, MC5896, AND MC5897)
Dear Mr. Hamilton:
By letter dated February 14, 2005, you submitted a license amendment request to change the technical specifications (TSs) for Oconee Nuclear Station, Units 1, 2, and 3. The amendments would allow the replacement of the current analog-based reactor protective system (RPS) and engineered safeguards protective system (ESPS) with a digital computer-based RPS and ESPS. The digital system will be the Framatome Advanced Nuclear Power TELEPERM XS (TXS) System.
On September 6, 2005, we sent you the first request for additional information (RAI), which contained 31 questions. Since that time, the review of the application has brought several additional questions to light, and to continue our review of the proposed TS change, we need your response to the enclosed RAI.
If you have any questions concerning this RAI, please contact me at 301 415-1419.
Sincerely,
/RA/
Leonard N. Olshan, Project Manager Plant Licensing Branch II-1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-269, 50-270, and 50-287
Enclosure:
RAI cc w/encl: See next page Distribution Public LPL2-1 r/f RidsNrrDorlLplc(EMarinos)
RidsNrrPMLOlshan RidsNrrLAMOBrien(2)
RidsOgcRp RidsAcrsAcnwMailCenter BSingal, DORL DPR RidsRgn2MailCenter(MErnstes)
Accession Number: ML053630266 NRR-088 OFFICE NRR/LPL2-1/PM NRR/LPL2-1/LA NRR/LPL2-1/BC NAME LOlshan MOBrien EHackett for EMarinos DATE 1/10/06 1/10/06 1/10/06 OFFICIAL RECORD COPY
Oconee Nuclear Station, Units 1, 2, and 3 cc:
Ms. Lisa F. Vaughn Duke Energy Corporation 526 South Church Street P. O. Box 1006 Mail Code = EC07H Charlotte, North Carolina 28201-1006 Manager, LIS NUS Corporation 2650 McCormick Dr., 3rd Floor Clearwater, FL 34619-1035 Senior Resident Inspector U.S. Nuclear Regulatory Commission 7812B Rochester Highway Seneca, SC 29672 Mr. Henry Porter, Director Division of Radioactive Waste Management Bureau of Land and Waste Management Dept. of Health and Env. Control 2600 Bull St.
Columbia, SC 29201-1708 Mr. Michael A. Schoppman Framatome ANP 1911 North Ft. Myer Dr.
Suite 705 Rosslyn, VA 22209 Mr. B. G. Davenport Regulatory Compliance Manager Oconee Nuclear Site Duke Energy Corporation ON03RC 7800 Rochester Highway Seneca, SC 29672 Ms. Karen E. Long Assistant Attorney General NC Department of Justice P.O. Box 629 Raleigh, NC 27602 Mr. R. L. Gill, Jr.
Manager - Nuclear Regulatory Issues and Industry Affairs Duke Energy Corporation 526 S. Church St.
Mail Stop EC05P Charlotte, NC 28202 Division of Radiation Protection NC Dept of Environment, Health, & Natural Resources 3825 Barrett Dr.
Raleigh, NC 27609-7721 Mr. Peter R. Harden, IV VP-Customer Relations and Sales Westinghouse Electric Company 6000 Fairview Road 12th Floor Charlotte, NC 28210 Mr. Henry Barron Group Vice President, Nuclear Generation and Chief Nuclear Officer P.O. Box 1006-EC07H Charlotte, NC 28201-1006
Enclosure REQUEST FOR ADDITIONAL INFORMATION ON OCONEE NUCLEAR STATION, UNITS 1, 2, AND 3 (OCONEE 1/2/3)
LICENSE AMENDMENT REQUEST, REACTOR PROTECTIVE SYSTEM/ENGINEERED SAFEGUARDS PROTECTIVE SYSTEM DIGITAL UPGRADE 32.
The licensee for Oconee (Duke Energy Corporation) has submitted a change in the design of its analog-based reactor protective system (RPS) and engineered safeguards protective system (ESPS) that integrates protective functions from both of these systems into a combined system using digital technology. In combining these two echelons of defense-in-depth, this proposed design is a first-of-its-kind approach. The Nuclear Regulatory Commission (NRC) staff is aware of information the Electric Power Research Institute (EPRI) presented to the NRC Advisory Committee on Reactor Safeguards (ACRS) on October 21, 2005, regarding defense-in-depth and diversity for digital upgrades (ML053120050). At that meeting, EPRI presented sample results of sensitivity studies for digital common cause failures that indicate that multiple diverse systems were important to maintaining a level of risk commensurate with the risk associated with an equivalent analog system.
a.
Please provide a summary of the scope, methods, and results of any calculations, analyses, or studies addressing the safety consequences of the combination of RPS and ESPS functions that demonstrates the level of safety provided by the proposed design is commesurate with that of the existing analog design.
b.
If no such calculations, analyses, or studies have been performed, please provide an equivalent analysis or justification that adequate safety of the public is maintained.
33.
The NRC staff has concluded that the interchannel communications used for 2ndmin/2ndmax online signal validations do not conform to the channel independence requirements of the Institute of Electrical and Electronics Engineers standards, i.e.,
IEEE 603-1991, Section 5.6.1 and IEEE 279-1971, Section 4.6, or the IEEE 603 or IEEE 279 channel definition in Section 2 of both standards. Please provide a design that meets the applicable standards or a relief request in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Section 50.55a, that justifies the approach. In either case, the appropriate documentation should be submitted expeditiously, to minimize schedule risk.
34.
The NRC staffs understanding is that isolation between the TXS system and the plant computer will be improved by the addition of a port tap hardware-based device. The acceptability of this isolation method depends on the port tap not providing any return path for communications from the plant computer. Please provide sufficient design details on the port tap device to show that there is no path for data to be transmitted into the port tap from the plant computer.
35.
The NRC staff believes that the permanent two-way communication path between the TXS system and the maintenance panel does not meet the requirements for isolation between safety-related and non-safety systems of IEEE 603, Sections 5.6.3 and
- 2 -
5.6.3.1(2). Please provide design details that conform to applicable standards or a relief request in accordance with 10 CFR 50.55a that justifies the approach. In either case, the appropriate documentation should be submitted expeditiously, to minimize schedule risk.
36.
After discussions with Framatome and the licensee, the staff understands that future RPS trip functions, #2 and #12, will be removed from the trip system logic until the trip functions have been approved by the NRC for all three Oconee units. Please provide the appropriately modified documentation to this effect. This includes the trip function descriptions, the software requirements specifications, and the software design descriptions.
37.
ESFAS (Engineered Safety Features Actuation System) Emergency Override Function a.
During the Framatome site visit on November 14-18, 2005, the reason for the ESFAS emergency override pushbuttons was explained as necessary to remove power output from the ESFAS voter so that the manual action circuit could now apply and control the power. This seems to be the function of the auto/manual selector switches, described in calculation OSC-8623, Section 20.6. Please explain how the emergency override function meets the IEEE 603-91, Section 5.2, Completion of Protective Action, requirement, that once initiated, the intended sequence of protective actions shall continue until completion. It would appear that the function of the emergency override is specifically to interrupt the protective action and prevent completion of the intended sequence.
b.
The staff understands that the ESFAS emergency override function will be modified such that the actuation override annunciator can not be powered down while the ESPS system is being overridden, and that the use of this function will be limited to those circumstances in which plant procedures require the use of the ESPS override function. Please provide documentation of the appropriate design changes, and documentation on the plant operation procedures that authorize use of this function.
38.
The proposed system includes lead/lag modules and a complementary bias signal that modify the measured signals before they are submitted to the main processors. It does not appear that such modules exist in the present (analog) system, and yet the licensee has indicated that the proposed system is functionally identical to the present system as far as safety functions are concerned. Please address the following in regard to these modules:
a.
Explain why the introduction of these modules, which seem capable of dramatically altering the system response to plant conditions, does not constitute a substantive change relative to the present (analog) system.
b.
Explain how the settings associated with these modules are to be computed. Show that the computed settings will not adversely impact the dynamic response of the system as compared with the dynamic response of the present system. Show that the net steady-state signal gain presented by these modules is either constrained to unity or appropriately addressed in all applicable scaling and setpoint
- 3 -
calculations. Show that the combined effect of these modules and any noise suppression circuitry or other dynamic compensation built into the data acquisition modules (A/D conversion units) upon the measured signal is acceptable.
c.
Explain how the settings associated with these modules are to be controlled. In particular, explain how it will be ensured that the settings that are actually implemented will not be adjusted to values which compromise the response of the system. If it is physically possible to adjust the settings to inappropriate values (values which alter the dynamic or steady-state response of the system), explain how future proposed adjustments will be reviewed and approved prior to implementation. If such adjustments are not physically possible, explain why this is so.
d.
If the modules are intended for noise suppression, describe the characteristics of the noise that they are intended to suppress and show that the noise suppression will not impact the system response to credible rapid changes in the measured signals. Explain why such noise suppression is needed in the proposed system but not in the present system, or show that the present system does have this feature and that the implementation in the proposed system is equivalent to that in the present system and is constrained to remain so. Explain why such noise suppression would be implemented after the A/D conversion rather than before it.
e.
According to Framatome ANP document 01-1007776-03, "Teleperm XS Function Blocks," Version 2.60, the PT1 Tlag parameter value must be greater than the signal sampling period, Ta. In the proposed Oconee 1 RPS/ESPS application, the safety functions will be processed every 50 ms; consequently, the signal sampling period, Ta, is 50 ms. However, the Tlag parameter value entered for signal filtering in Framatome ANP document 51-5065423-01, "Oconee Nuclear Station, Unit 1 RPS/ESFAS Controls Upgrade Software Design Description," has been set at 0.00001 s (0.01 ms). This parameter value (0.01 ms) is not within the required Framatome ANP PT1 function block parameter value range. Describe the process by which appropriate values for Gain and Tlag will be determined. Also, describe the process by which the corresponding MUL-K module parameters will be determined such that the signal filtering process will not adversely affect signal response times or trip function performance.
f.
The PT1 module parameter values for Gain and Tlag are 0 and 0.00001, respectively, for each signal filtering application in the software design description (SDD) schematic diagrams. The corresponding MUL-K parameter values are 1.0 for each of the signal filtering loops. Applying these parameter values to a steady state signal results in a filtered signal that is biased low by a factor of the Tlag/(Tlag
+ Ta). A preliminary staff analysis indicates that to ensure the PT1 module does not contribute a bias to the signal (AI1) that is to be used for subsequent trip calculations, the PT1 Gain value should be set to -(Tlag/Ta). Alternatively, the binary input value, BI1, should be set to 1 (TRUE) and the Gain should be to 0.0 to ensure the output signal from the PT1 module is set to 0.0. Please provide analytical confirmation that the PT1 parameters are set to appropriate values for bypassing the PT1 function.
- 4 -
39.
Various sections of OSC-8623 state that all new ESFAS output contacts will have a 0-to-15 minute adjustable software time delay on closure, and that all time delays will be set to zero seconds. What is the purpose for this time delay capability, under what circumstances would this time delay be used, and how will this time delay value be controlled?
40.
Requirements traceability is presently maintained by the system developer (Framatome ANP) using its automated configuration management processes. Requirements traceability and configuration management responsibilities will be transferred to the licensee upon delivery and transfer of the integrated system operations and maintenance functions to the licensee. Please provide information on how the information maintained by the system developer's automated processes will be transferred to the licensee, such that configuration management and requirements traceability will not be adversely affected by a change in automated configuration management and requirements traceability processes.
41.
Provide an updated revision of the requirements traceability listings, the system requirements specification, and the software design description.
42.
Provide the following SPACE listings for the hardware:
a.
A cabinet equipment list (subracks, modules) with codes (KKS, AKZ, etc.),
mounting locations, and complete parameter settings list (e.g., addresses, measuring ranges, options and pin assignment of the I/O modules);
b.
The switch and jumper settings to be performed on the modules; c.
A list of the signals applied to the I/O modules; and d.
A software/hardware assignment list for each processing module (list of the function diagram modules executing on this processing module).
43.
Provide the following SPACE listings for the software:
a.
A list of the function diagram modules executing on the processing modules complete with ID code and internal SPACE ID number; b.
A parameter settings list for each function diagram module that provides an overview of the function block modules used, complete with internal SPACE ID number, coordinates of the layout on the function diagram; and c.
Complete parameterization information.
Also, please explain how the value of these parameters will be determined and controlled.
44.
Provide a discussion of the process used to develop the validation test plans and bases for defining the test envelopes for each requirement. If validation test results have been
- 5 -
obtained, provide a representative sample of the test results including the test procedures and the test reports.
45.
Section 23.4, "RPS Manual Bypass Keylock Switch," in the Duke Energy Corporations calculation, OSC-8623, Rev. 1, describes the RPS manual bypass keylock switch function. The discussion states, 23.4.2 The RPS MANUAL BYPASS Keylock Switch allows putting the complete RPS channel into Bypass for maintenance activities. This includes power-down of the TXS computer of the RPS channel. If the RPS MANUAL BYPASS Keylock Switch is in the "ON" position, it....
23.4.4 The RPS MANUAL BYPASS Keylock Switch status information is sent to the Statalarm panel 1SA5, windows 1, 13, 25, 37; see Section 22 for window descriptors.
OSC-8623, Section 22.4, "1SA5 Panel," indicates that the existing window descriptors for window 1, window 13, window 25, and window 37 are: "RP Channel A Trip Bypass,"
"RP Channel B Trip Bypass," "RP Channel C Trip Bypass," and "RP Channel D Trip Bypass," respectively, and will remain unchanged.
In reviewing the RPS manual bypass keylock switch configuration in the SDD, it was found that the corresponding ESPS functions on an RPS microprocessor are also bypassed when the keylock switch is operated. However, there are no panel windows planned for indicating that the ESPS Set 1 functions for the corresponding RPS channel have been bypassed. This could be an equipment configuration risk-management issue, in that, if the corresponding ESPS 2 functions have been or are planned to be bypassed for maintenance, bypassing the corresponding RPS/ESF (emergency safety feature) channel would place the ESPS in a 2-channel configuration, which is not in conformance with single failure requirements. A potential solution could be to change the windows to reflect the bypassing of RPS and ESPS functions in a channel. For example, window 1 could state, "RP/ESF 1 Channel A Trip Bypass."
Describe actions to be taken to ensure that operators are informed about this potential equipment configuration risk.