ML082410088
| ML082410088 | |
| Person / Time | |
|---|---|
| Site: | Watts Bar  |
| Issue date: | 08/25/2008 |
| From: | Bajestani M Tennessee Valley Authority |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| TAC MD6311 | |
| Download: ML082410088 (12) | |
Text
i Tennessee Valley Authority, Post Office Box 2000, Spring City, TN 37381-2000 August 25, 2008 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Mail Stop: OWFN P1-35 Washington, D.C. 20555-0001 Gentlemen:
In the Matter of Tennessee Valley Authority
))
Docket No. 50-391 WATTS BAR NUCLEAR PLANT (WBN) - UNIT 2 - WESTINGHOUSE EAGLE-21 PROCESS PROTECTION SYSTEM (TAC NO. MD6311)
References:
1.
NRC letter dated May 7, 2008,'Watts Bar Nuclear Plant Unit 2 -
Licensing Basis Regarding Eagle-21 Process Protection System (TAC NO. MD6311)
- 2.
TVA letter dated December 5, 2007, "Watts Bar Nuclear Plant (WBN) - Unit 2 - Westinghouse Eagle-21 Process Protection System"
- 3.
NRC letter dated December 27, 2007, "Watts Bar Nuclear Plant, Unit 2 - Receipt of Letter Regarding Use of Westinghouse Eagle-21 Process Protection System (TAC NO. MD631 1)"
- 4.
TVA letter dated February 28, 2008, 'Watts Bar Nuclear Plant (WBN) - Unit 2 - Westinghouse Eagle-21 Process Protection System (TAC MD631 1)"
The purpose of this letter is to respond to the NRC request for additional information (RAI) regarding the use of the Westinghouse Electric Corporation Eagle-21 process protection system for WBN Unit 2 (Reference 1). The requested information is provided in the enclosure to this letter.
IX(:))C Printed on recycled paper
U.S. Nuclear Regulatory Commission Page 2 August 25, 2008 By letter dated December 5, 2007 (Reference 2), TVA informed the NRC of the intention to use the Westinghouse Eagle-21 process protection system for WBN Unit 2 based on fidelity with WBN Unit 1, familiarity with the system, its proven design, and the reliability it has shown in service at both WBN and Sequoyah Nuclear Plant.
By letter dated December 27, 2007 (Reference 3), NRC requested additional information on the use of the Westinghouse Electric Corporation Eagle-21 process protection system for WBN Unit 2. TVA responded to this request by letter dated February 28, 2008 (Reference 4).
If you have any questions, please contact me at (423) 365-2351.
Sincerely, Masoud B je tani Watts Bar it 2 Vice President Enclosure cc: (see page 3)
U.S. Nuclear Regulatory Commission Page 3 August 25, 2008 Enclosure cc (Enclosure):
Lakshminarasimh Raghavan U.S. Nuclear Regulatory Commission MS 08H4A One White Flint North 11555 Rockville Pike Rockville, Maryland 20852-2738 Patrick D. Milano, Senior Project Manager U.S. Nuclear Regulatory Commission MS 08H4 One White Flint North 11555 Rockville Pike Rockville, Maryland 20852-2738 Loren R. Plisco, Deputy Regional Administrator for Construction U. S. Nuclear Regulatory Commission Region II Sam Nunn Atlanta Federal Center, Suite 23T85 61 Forsyth Street, SW, Atlanta, Georgia 30303-8931 U. S. Nuclear Regulatory Commission Region II Sam Nunn Atlanta Federal Center 61 Forsyth Street, SW, Suite 23T85 Atlanta, Georgia 30303-8931 NRC Resident Inspector Unit 2 Watts Bar Nuclear Plant 1260 Nuclear Plant Road Spring City, Tennessee 37381
Enclosure I WBN Unit 2 Eagle-21 Request for Additional Information NRC Question 1: On page El-1 of Enclosure I to the February 28, 2008 letter, TVA stated that an external interface was added that included a serial-to-ethemet controller board in each Eagle-21 multibus chassis. TVA further stated that it is not possible for the nonsafety-related integrated computer system signals to feedback to the safety related Eagle 21.
Has this addition and the associated changes been tested to prove this statement? If so provide the test procedures and test results.
TVA Response: A test to confirm that data cannot propagate from the non-safety Plant Integrated Computer System (ICS) link to the safety portion of the Eagle-21 system was not performed. The rationale is that it is physically impossible for such a propagation to occur. The Serial Ethernet Controller (SEC) board which interfaces with the ICS link receives data by passively listening (i.e.,
receive only, no handshake) to the Loop Control Processor (LCP) (safety portion of system) to Test Sequence Processor (non-safety portion of system) datalink.
The LCP Datalink Handler card which is transmitting the message is a one-way, broadcast communication link and has no receive capability. The SEC board only uses the Multibus bus connection for power and is installed in the non-safety tester portion of the Eagle-21 system. Thus there is no data connection that would allow data transmission between the non-safety ICS link and the safety portion of the Eagle-21 system. The design meets the requirements of IEEE Std 7-4.3.2-1993, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," Annex G, for safety to non-safety communications. Figure 1 shows the electrical and communication isolation points.
NRC Question 2: On page E1-I of Enclosure 1, TVA stated that the main control room annunciator printer was replaced with a central processing unit and a monitor as part of a prior design change. Identify whether this modification has any impact on the defense against common mode failure, since TVA's analysis was based on manual action. Is there a possible common mode failure that could disable both the Eagle-21 and the central processing unit?
TVA Response: The Main Control Room central processing' unit (CPU) that replaced the annunciator printer receives alarm status changes from the annunciator system and transmits this data to the ICS. This was part of a larger modification that upgraded the plant computer and interfaces, including the communication link between Eagle-21 and the ICS referenced in question 1. The El-1
CPU, annunciator, and ICS are not safety-related equipment and have no accident mitigation functions. Although the ICS indirectly provides support to safety-related systems by alerting operators that an abnormal condition may exist, operators cannot procedurally take safety-related action based solely on ICS indication. Safety-related instrumentation is provided for operator actions required for accident mitigation and for automatic protective actions. There is no interface between this CPU and Eagle-21. The CPU and operating system are standard commercial products. The Eagle-21 software was developed specifically for application in the reactor protection system. These systems--
Eagle-21 and the annunciator CPU--are distinct in hardware, software, and function. There is no failure mode of the CPU that could affect the performance of the Eagle-21 functions.
NRC Question 3: In its December 27, 2007 request for additional information (ADAMS Accession No. ML073610443), the NRC staff requested the list of commitments made by TVA for the Eagle-21 system. In its response, TVA listed four items that will remain open pending completion of these activities. However, the NRC staff has noted that in Supplement 13 of its Safety Evaluation Report for Unit 1, its acceptance was based on a TVA commitment to maintain administrative control on the use of walkie-talkies, portable telephones and temporary equipment in areas where the use of walkie-talkies is already prohibited.
Identify any further commitments made by TVA during the acceptance of the Eagle 21 system.
TVA Response: TVA's letter of February 28 (Reference 3-1) provided a summary of significant TVA correspondence related to Eagle-21. A summary of each letter and the open actions required for licensing WBN Unit 2 were provided.
Reference 3-2 stated that plant procedures prohibit the use of radiotranceivers in the vicinity of Eagle-21 equipment except in emergency. TVA's Business Practice BP-364, "Control of Portable Two-Way Radios," controls the usage of radio transmitting equipment and cell phones inside WBN operating areas, especially areas that are susceptible to Radio Frequency Interference (RFI). The auxiliary instrument room, where the Eagle-21 is located, is designated as a radio sensitive area, with requirements identified for the Eagle-21 protection system.
Reference 3-1 provided an open action required for licensing to perform an electromagnetic interference (EMI)/RFI site survey of the WBN Unit 2 Eagle-21 system during hot functional testing.
El-2
NRC Question 4: In Item 3 of Enclosure 2, TVA states that the flow measurement uncertainty will be validated as part of the reactor protection system evaluation, which is included in the scope of the Eagle-21 installation.
Provide further details to clarify the meaning of this commitment.
TVA Response: The reactor coolant system (RCS) Flow Measurement Uncertainty (FMU) refers to calorimetric uncertainty in percentage of RCS flow.
The original WBN FMU (1984) was based on the use of the Foxboro analog process racks and the resistance temperature detector (RTD) bypass lines. As part of the upgrade to the Eagle-21 digital process racks with the RTD bypass lines eliminated, TVA committed to reanalysis of the FMU. This commitment was completed in 1994 for WBN Unit 1 in Reference 4-1. After accounting for the effects of the Eagle-21 changes, the final FMU for WBN Unit 1 was determined to be 1.5 percent of rated RCS flow. TVA expects that the FMU for WBN Unit 2 will be the same. TVA will confirm the WBN Unit 2 FMU as part of the Eagle-21 installation.
NRC Question 5: On page E1-8 of Enclosure 1, TVA discusses instrument setpoint methodology. The NRC staff has had much interaction with the industry on this issue, and the staff has issued Regulatory Information Notice (RIS) 2006-17, which provides guidance on the acceptable instrument setpoint methodologies..
Provide the instrument setpoint methodology and a discussion about how the requirements RIS 2006-17 are met.
TVA Response: TVA submitted the setpoint methodology for both WBN units in Reference 5-1.
In Supplemental Safety Evaluation Report 15 to NUREG-0847 (Reference 5-2), the NRC staff concluded that WBN's setpoint methodology was acceptable and in compliance with Regulatory Guide 1.105, "Instrument Setpoints for Safety-Related Systems," and ISA S67.04, "Setpoints for Nuclear Safety-Related Instrumentation Used in Nuclear Power Plants."
In Reference 5-3, TVA committed to resolve the issue of setpoint methodology for determining, setting and evaluating as-found setpoints for drift susceptible instruments for WBN Unit 2 using the Browns Ferry Nuclear Plant Technical Specification 453 precedent (see NRC ML061680008).
NRC Question 6: On pages 2 and 3 of Attachment 1 to Enclosure 1, hardware changes made to the Eagle-21 system after it was approved for WBN 1 were identified.
- a. Five of these changes are safety-related.
El-3
Have these hardware changes been qualified for the environment including radio frequency interference/electro-magnetic interference?
Have these changes been through hardware verification and validation program?
- b. Three changes are identified as nonsafety-related.
Have these changes been analyzed to ensure that their failure will not create any effect on the safety-related components? Provide the test reports for each of these issues.
TVA Response:
The following table describes the five safety-related changes, whether qualification, verification and validation were required with additional information provided in the amplifying notes.
Hardware RFI/EMI Verification I Safety-Related Qualification Validation Change (YIN)
(YIN)
Comments AC Power Distribution Panel Not required Not required See Note 1 ERI Board Not required Y
See Note 2 To be done before Power supply installation Y
See Note 3 Multibus I Not required Y
See Note 4 I/O Boards Not required Y
See Note 4 The following table describes the three nonsafety-related changes, whether additional analysis was completed with additional information provided in the amplifying notes.
Analysis completed to ensure failure will not Nonsafety-Related impact safety-related Change components (YIN)
Comment Fluke Touch Screen and Keyboard Not required See Note 5 MMI Clock Calendar Daughter board Not required See Note 5 Front Test Panel Y
See Note 6 El-4
Notes for Tables:
Note 1: The AC distribution panel has not been redesigned as of this date.
Therefore there has been no need for additional qualification testing of this assembly. Any future revision to this assembly will be analyzed and/or tested to ensure that the equipment qualification is maintained.
Note 2: The new ERI artwork revision is identical schematically to the board tested per WCAP-8687-S2 EQTR-E69B. The new artwork revision allowed components to be moved from a daughter board to the base board. Since there are no schematic changes or mechanical changes that would affect environmental, seismic, or EMI performance, additional qualification testing was not required.
Note 3: New power supplies produced by a different vendor will be used in the rack power supply assemblies being supplied for WBN Unit 2, replacing the original power supplies which are now obsolete. The rack power supply assemblies using the power supplies produced by the new vendor were qualified as documented in test reports EQLR-056A and EQLR-056B. These tests provide the environmental and seismic qualification basis for the new supplies.
The power supplies are protected from radiated EMI by the cabinet and from conducted EMI by the line filter, which is part of the power distribution panel.
Westinghouse will confirm this by performing RFI susceptibility and surge withstand capability on the Eagle-21 rack power supplies per the requirements of WCAP-1 1733 and provide TVA the test reports. The test reports are scheduled to be available by the end of 2008. TVA will be notified if the test schedule needs to be revised. In addition, Westinghouse will perform a factory acceptance test.
Note 4: These items were noted as hardware where the vendor has changed.
These assemblies have not been redesigned as of this date. Therefore there has been no need for additional qualification testing of these assemblies. Any future revision to these assemblies will be analyzed and/or tested to ensure that the equipment qualification is maintained.
Note 5: These replacement components for the Man Machine Interface (MMI) are functionally equivalent to the previous versions. These changes will not require a MMI software change and thus do not affect the conclusions of the original V&V report WCAP-13191. The MMI does not perform a safety function and is not normally connected to the Eagle-21 system. Thus there are no qualification requirements for this system.
Note 6: The front test panel was tested per WCAP-8687-S2 EQTR-E69C. Since that time, there have been no design changes to the test panel that affect the safety function of the test panel due to the effects of seismic adverse conditions.
Westinghouse has inventory of the obsolete relay mentioned in previous correspondence and thus does not plan on changing the design of this assembly El-5
at this time. Any future revision to this assembly will be analyzed and/or tested to ensure that the equipment qualification is maintained.
NRC Question 7: Confirm the scope of Eagle-21 system for WBN 2 is the same as Unit 1. Identify all the functions where Eagle-21 has been applied.
TVA Response: The scope of the WBN Unit 2 Eagle-21 Process Protection System upgrade will be same as Unit 1. The upgrade includes replacement of 14 racks of obsolete analog Foxboro equipment with a digital system with the same sensor inputs and the same outputs for indication, control, alarm, and reactor trip and engineered safety features actuation logic. The Eagle-21 electronics perform signal conditioning, calculation, and isolation functions as in Unit 1. As noted in Reference 7-1, the Unit 2 Eagle-21 will be built to the same specifications and standards as the Unit 1 system, the hardware will be identical or equivalent to Unit 1, and the firmware will be identical to Unit 1.
The WBN Unit 1 Eagle-21 Process Protection System monitors the following process variables:
Reactor Coolant Narrow Range Temperature Reactor Coolant Wide Range Temperature Reactor Coolant Wide Range Pressure Reactor Coolant Flow Pressurizer Pressure Pressurizer Water Level Steam Generator Narrow Range Water Level Steam Generator Wide Range Water Level Containment Pressure Steam Pressure Refueling Water Storage Tank (RWST) Level Containment Sump Level Steam Flow Feedwater Flow Turbine Impulse Pressure Boric Acid Tank Level Containment Spray Pump Header Flow Pressurizer Liquid Temperature Pressurizer Vapor Temperature Residual Heat Removal Pump Discharge Temperature El-6
The WBN Unit 1 Eagle-21 system provides outputs for the following reactor trip and engineered safety features logic functions:
Reactor Trips Overtemperature Delta Temperature Overpower Delta Temperature Reactor Coolant Flow Low Pressurizer Pressure High / Low Pressurizer Water Level High Steam Generator Water Level Low-Low with Trip Time Delay Engineered Safety Features Safety Injection Containment Isolation Phase A Containment Isolation Phase B Containment Spray Steamline Isolation Turbine Trip and Feedwater Isolation Auxiliary Feedwater Start Auto Switchover from RWST to Containment Sump The WBN Unit 2 Eagle-21 system will process the same plant variables and provide outputs for the same reactor trip and engineered safety features actuation logic as those on Unit 1.
References:
3-1. TVA letter dated February 28, 2008," Watts Bar Nuclear Plant (WBN) -
Unit 2 - Westinghouse Eagle-21 Process Protection System (TAC No. MD631 1)"
(T02 080228 001) 3-2. TVA letter for Watts Bar Unit 1 dated December 27, 1993, "Watts Bar Nuclear Plant (WBN) Unit 1-Eagle-21 Process Protection System (TAC M81063)" (T04 931227 808) 4-1. TVA letter for Watts Bar Units 1 and 2 dated July 29, 1994, 'Westinghouse Setpoint Methodology Updated for Eagle-21 Process Protection System (TAC M89390)" (T04 940729 950) 5-1. TVA letter for Watts Bar Units 1 and 2 dated July 29, 1994, 'Westinghouse Setpoint Methodology Updated for Eagle-21 Process Protection System (TAC M89390)" (T04 940729 950)
El-7
5-2. Safety Evaluation Report related to the Operation of Watts Bar Units 1 and 2, NUREG-0847, Supplement 15, June 1995 (L44 950629 003) 5-3. TVA letter dated January 29, 2008, 'Watts Bar Nuclear Plant (WBN) - Unit 2
- Regulatory Framework for the Completion of Construction and Licensing Activities for Unit 2" (T90 080128 001) 7-1. TVA letter dated December 5, 2007, "Watts Bar Nuclear Plant (WBN) -
Unit 2 - Westinghouse Eagle-21 Process Protection System" (T02 071205 001)
E1-8
LOP Subsystem (Safety)
TSP Subsystem (Non-Saf ety)
Electrical Isolatfion Point 4
Figure 1