TMI-09-137, Response to Request for Additional Information Concerning Technical Specification Change Request (Tscr) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods
| ML092890470 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 10/15/2009 |
| From: | Cowan P Exelon Generation Co, Exelon Nuclear |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| TAC MD9762, TMI-09-137 | |
Exelon Nuclear
200 Exelon Way
Kennett Square, PA 19348
www.exeloncorp.com

10 CFR 50.90

TMI-09-137
October 15, 2009

U.S. Nuclear Regulatory Commission
Attn: Document Control Desk
Washington, DC 20555-0001

Three Mile Island Nuclear Station, Unit 1
Facility Operating License No. DPR-50
NRC Docket No. 50-289
Subject:
Three Mile Island, Unit 1 - Response to Request for Additional Information Concerning Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods
References:
(1) Letter from P. B. Cowan (AmerGen Energy Company, LLC) to U.S. Nuclear Regulatory Commission, "Technical Specification Change Request No. 342 Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated September 29, 2008
(2) Letter from P. Bamford (U.S. Nuclear Regulatory Commission) to C. Pardee (Exelon Generation Company, LLC), "Three Mile Island Nuclear Station, Unit 1 - Request for Additional Information Regarding Control Rod Drive Control System Replacement License Amendment (TAC NO. MD9762)," dated April 6, 2009
(3) Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, "Three Mile Island Unit 1 Response to Request for Additional Information Related to Technical Specification Change Request No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated May 6, 2009
(4) Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated June 23, 2009
(5) Letter from P. Bamford (U.S. Nuclear Regulatory Commission) to C. Pardee (Exelon Generation Company, LLC), "Three Mile Island Nuclear Station, Unit 1 - Request for Additional Information Regarding Control Rod Drive Control System Replacement License Amendment (TAC NO. MD9762)," dated August 11, 2009
(6) Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated August 21, 2009
(7) Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated September 17, 2009
(8) Electronic Transmission from P. Bamford (U.S. Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), "Three Mile Island, Unit No. 1 - Electronic Transmission, Draft Request for Additional Information Regarding Proposed Technical Specification Changes to Reflect Control Rod Drive Control System Replacement," dated October 9, 2009 (ML092860144)
By letter dated September 29, 2008 (Reference 1), AmerGen Energy Company, LLC (now Exelon Generation Company, LLC (Exelon)) requested a change to the Technical Specifications to accommodate the proposed changes resulting from the Digital Control Rod Drive Control System (DCRDCS) Upgrade Project and the elimination of the Axial Power Shaping Rods.
References 2 - 7 involved additional information requested by the U.S. Nuclear Regulatory Commission (NRC) associated with the proposed change.
Subsequently, the NRC determined that additional information is needed to complete its review (Reference 8).
Exelon's response to the NRC questions in Reference 8 is provided in Attachment 1 to this letter. Attachment 2 contains a proposed revision to Technical Specification Table 4.1-1 concerning control rod position indication.
Exelon has determined that the information provided in this response does not impact the conclusions of the No Significant Hazards Consideration as stated in Reference 1.
There are no regulatory commitments contained in this letter.
A copy of this letter and its attachments are being provided to the designated State official and the chief executives of the township and county in which the facility is located.
Should you have any questions concerning this letter, please contact Frank J. Mascitelli at (610) 765-5512.
I declare under penalty of perjury that the foregoing is true and correct. Executed on the 15th day of October 2009.
Respectfully,

Pamela B. Cowan
Director - Licensing & Regulatory Affairs
Exelon Generation Company, LLC

Attachments:
1) Response to Request for Additional Information
2) Proposed Revisions to Technical Specification Table 4.1-1

cc:
S. J. Collins, Administrator, USNRC Region I
D. M. Kern, USNRC Senior Resident Inspector, TMI Unit 1
P. J. Bamford, USNRC Project Manager, TMI Unit 1
D. Allard, Director, Bureau of Radiation Protection-PA Department of Environmental Resources
Chairman, Board of County Commissioners of Dauphin County
Chairman, Board of Supervisors of Londonderry Township
ATTACHMENT 1 Response to Request for Additional Information
The following are the questions received in an Electronic Transmission from P. Bamford (U.S. Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), "Three Mile Island, Unit No. 1 - Electronic Transmission, Draft Request for Additional Information Regarding Proposed Technical Specification Changes to Reflect Control Rod Drive Control System Replacement," dated October 9, 2009 (ML092860144).
In order for the NRC staff to complete its review of the LAR, a response to the following request for additional information concerning the microcontrollers is requested.
Overview
The revised Reactor Trip Breaker (RTB) arrangement includes four (4) breakers. There are two breakers in each of the two parallel power trains. At least one breaker in each train must open to trip the reactor. A diagram is shown in Figure 2 of Reference 1.
There is no single failure or software common cause failure that can prevent the safety function of tripping the reactor. The basis for this conclusion is provided in the answers to the questions.
Reactor Trip Breakers
Each RTB receives a trip signal from the Reactor Protection System (RPS).
There are two trip mechanisms in each breaker: the Under Voltage (UV) device and the Shunt Trip device. Either device can separately trip the RTB.
The UV device is normally energized by the RPS. A spring loaded plunger on the UV device trips the breaker when the RPS trip signal removes power from the UV device. The UV device is the primary means of tripping the RTB.
The Shunt Trip device is normally de-energized and actuated by a voltage relay that is mounted on the RTB Switchgear but is separate from the RTB. The voltage relay closes a contact to provide power from station DC to energize the Shunt Trip device and trips the RTB in response to a RPS trip signal. The Shunt Trip is the back-up means of tripping the RTB.
The UV device, Shunt Trip device, and Close Coil each contain a microcontroller. Failure modes of the microcontroller, including common cause failures, were evaluated. It was determined that there is no microcontroller failure that would prevent the safety function of tripping the RTB. The basis for this conclusion is contained in the response to the questions in this submittal.
Question 1 a.
What is the microcontroller in the Schneider/Square D Masterpact NT breaker used for in this application?
Response
The Close Coil, UV device, and Shunt Trip device each contain a microcontroller. The microcontroller in these devices controls the plunger for its associated device by energizing or de-energizing its coils. The microcontroller monitors the voltage on the single two-wire input and turns the coils on or off at the applicable thresholds.
Note: This response uses the terms UV device and Shunt Trip device to refer to the assemblies containing the microcontroller, activation coil and maintenance coil. The NLI Verification and Validation (V&V) Report VVR-042181-1 previously provided in of Reference 2 uses the terms UV coil and shunt trip coil.
The NLI V&V report VVR-042181-1 includes information on Micrologic Trip Units. The TMI RTBs do not contain Micrologic Trip Units. Any information in the NLI V&V report pertaining to the Micrologic Trip Units is not applicable to TMI.
b.
Is the microcontroller in the Masterpact NT breaker used in a safety-related application?
Include a discussion of the function of the shunt trip device.
Response
Yes. The microcontrollers within the UV and Shunt Trip device are safety-related. The microcontroller in the shunt trip device has an active safety function as a backup trip of the RTB in response to a RPS trip signal. The UV device serves the primary function to trip the RTB in response to an RPS trip signal. The microcontroller in the UV device does not have an active safety function (as explained below) but is part of the safety-related UV device.
The UV and Shunt Trip devices are two-wire devices with an embedded microcontroller in each device that controls the coils that activate the plunger. The microcontroller used in the UV and Shunt Trip devices is the same. The UV and Shunt Trip devices are diverse in their mechanical configuration. On both devices the plunger extends to hit the trip bar and trip the RTB. On the UV device a spring extends the plunger to the trip position. On the Shunt Trip device the spring retracts the plunger and the Shunt Trip coils must be energized to extend the plunger and trip the breaker.
The safety function of the RTB is to trip open in response to a trip signal from the RPS.
Either the UV device or Shunt Trip device is capable of tripping the RTB in response to an RPS trip signal. The UV device is the primary means of tripping the RTB.
The microcontroller in the UV device is not required to perform the safety function of tripping the RTB. The RPS trip signal removes all power to the UV device and the spring-loaded plunger actuates the trip bar and trips the RTB. The spring holds the plunger in the extended position and the RTB cannot be closed until the RPS is reset.
The Shunt Trip device is a backup trip feature as stated in Updated Final Safety Analysis Report [UFSAR] Section 7.1.2. The Shunt Trip device is considered safety-related based on the requirements of the enclosure to Generic Letter 83-28.
The Shunt Trip device is normally de-energized. The microcontroller in the Shunt Trip device performs the safety function of tripping the RTB by energizing the coils to extend the plunger. Failure of the microcontroller would prevent operation of the Shunt Trip device. Each RTB would still perform its safety function by action of the UV device if the Shunt Trip device failed.
Closing the RTB is not a safety function; therefore, the Close Coil is not safety-related and does not perform a safety function in the Three Mile Island application.
c.
How can failure of the microcontroller affect the safety-related application?
Response
There is no failure of the microcontrollers that can prevent the safety function of tripping the RTB upon a trip signal from RPS. The following two paragraphs explain the effect of failure of the UV and Shunt Trip devices.
The microcontroller in the UV device cannot affect the safety function of tripping the RTB. The RPS trip signal removes all power to the UV device and the spring-loaded plunger actuates the trip bar and trips the RTB. Failure of the microcontroller cannot prevent de-energization of the UV coil since there is only one source of power to the device. An RPS trip signal removes the source of power to the UV device.
Failure of the microcontroller could prevent operation of the Shunt Trip device; however, the RTB trip would still occur due to the UV device. The Shunt Trip is a backup trip feature as stated in UFSAR Section 7.1.2 and the RTB would still perform its safety function by action of the UV device. The enclosure to Generic Letter 83-28 required that this backup function be considered safety-related.
Failure of the Close Coil microcontroller does not affect the safety function of the RTB.
The close function is not a safety function. Failure of the Close Coil would not affect operation of the UV or Shunt Trip and would not inhibit trip of the RTB.
d.
How was it determined that no software common cause failure would prevent the safety function?
Response
An Exelon review of the circuit design and the application determined that there is no software common cause failure (CCF) that would prevent the safety function of tripping the RTB.
There is no failure of the UV microcontroller that would keep the UV device energized on loss of power. The trip signal from RPS, which is external to the RTB, removes power to the UV device. Failure of the microcontroller cannot prevent de-energization of the UV coil since there is only one source of power to the device.
The Shunt Trip is a backup trip feature as stated in UFSAR Section 7.1.2 and the RTB would still perform its safety function by action of the UV device.
Since there is no microcontroller failure that can prevent operation of the UV device, there is no software CCF that can prevent the safety function of tripping the RTB.
Question 2 a.
Please describe the components of the microcontroller in the Schneider/Square D Masterpact NT breaker.
Response
The part number of the microcontroller is identified in 2b below. The components are summarized as follows. The microcontroller is one chip with the following features:
Motorola HC05 core running at 2 MHz bus speed.
4 MHz on-chip crystal/ceramic resonator oscillator.
8064 bytes of user EEPROM.
192 bytes of on-chip RAM.
128 bytes of EEPROM.
Low voltage reset.
4 channel, 8 bit A/D converter.
SIOP serial communications port (Note: this feature is not used in this application).
Computer Operating Properly (COP) watchdog timer.
16 bit timer with output compare and input capture.
20 bidirectional I/O lines and one input-only line.
b.
Which microcontroller is used? Please provide the brand and model.
Response
The microcontroller is an 8 bit MOTOROLA 68HC805P18.
c.
How does the microcontroller accomplish its function?
Response
The microcontroller monitors input voltage to the device and when the input voltage exceeds the preset threshold, the activation coil is energized to operate the plunger.
After the plunger is activated the microcontroller shuts off the activation coil and energizes the maintenance (holding) coil to maintain the plunger in the activated position.
When the input voltage falls below the preset operating level of the device the microcontroller de-energizes the maintenance coil. The spring in the device will return the plunger to the deactivated position.
In the UV device the plunger is spring returned to the extended position when de-energized to trip the breaker. When energized the plunger is retracted. Voltage is applied to the UV device when the RPS is not tripped and absent when the RPS is tripped so the voltage threshold for detection is not significant.
The plunger in the Shunt Trip device is normally in the retracted position. The plunger extends to trip the breaker when the Shunt Trip is energized. Voltage is applied to the shunt trip device when the RPS is tripped and absent when the RPS is not tripped.
d.
What safety function does the microcontroller perform? How does the microcontroller perform its safety function?
Response
The microcontroller in the Shunt Trip device performs the safety function of tripping the RTB as a backup to the UV device. Upon an RPS trip, an external voltage relay senses loss of voltage and closes a contact to apply voltage to the Shunt Trip device. The microcontroller in the Shunt Trip device performs its safety function by activating coils that move the plunger to trip the breaker. If the Shunt Trip device fails, the safety function of the RTB will still be met by the UV device.
The safety function of the UV device is met regardless of the status of the microcontroller in the UV device since voltage is removed by contacts external to the RTB. The spring extends the plunger to trip the breaker since there is no voltage to the coil.
e.
The staff notes that the Nuclear Logistics, Inc. (NLI) Verification and Validation (V&V) Report, VVR-042181-1, lists different part numbers for the Masterpact NT breaker undervoltage device and the shunt trip device. What are the differences in hardware and software in these two devices?
Response
The microcontroller firmware is the same for the UV and Shunt Trip devices.
The spring and plunger configurations are different in the UV and Shunt Trip devices.
In the UV device the plunger is spring returned to the extended position when de-energized to trip the breaker. When energized the plunger is retracted.
In the Shunt Trip device the plunger is extended when energized to trip the breaker.
When de-energized the plunger is spring returned to the retracted position.
These devices are configured and sealed at the factory.
Question 3 a.
Is the same firmware in both the undervoltage and shunt trip devices?
Response
The microcontroller firmware is the same for the UV and Shunt Trip devices.
b.
If so, how would a software common cause failure (CCF) impact the diverse trip of the two devices?
Response
The UV and Shunt Trip devices are diverse in their mechanical configuration. On both devices the plunger extends to hit the trip bar and trip the RTB. On the UV device the plunger is extended to the trip position by the spring when de-energized. On the Shunt Trip device the plunger is extended by the energized coil to trip the breaker.
There is no firmware CCF that can prevent tripping the RTB via the UV device. The RPS trip signal removes all power to the UV device and the spring-loaded plunger actuates the trip bar and trips the RTB.
A CCF of the microcontroller firmware could prevent operation of the Shunt Trip device which is a backup to the UV device. However, the RTB trip would still occur due to the UV device. The Shunt Trip is a backup trip feature and the RTB would still perform its safety function by action of the UV device.
c.
Does the undervoltage device have a safety-related low voltage function? If so, how would failure of the undervoltage device affect this function?
Response
No, the UV device does not have a low voltage (threshold) safety function. The function of the UV device is to detect a loss of voltage. Voltage is present when the RPS is not tripped and absent when the RPS is tripped.
Failure of the microcontroller to detect loss of voltage would not prevent the function of the UV device because there would be no voltage to keep the coil energized and the spring loaded plunger would trip the RTB. Since RPS applies or removes voltage, the threshold for low voltage detection is not significant.
Question 4
Describe the analysis or testing that determined that there is no credible failure of the undervoltage device that would keep it energized.
Response
An Exelon review of the circuit design and the application determined that there is no failure of the microcontrollers that would keep the UV device energized on loss of power.
Power is removed from the coil in the plant control circuit, external to the breaker. Once power is removed, there is no motive force in the coil windings to overcome the spring force. There is no battery in the device. There are only two wires coming into the device. The spring extends the plunger and trips the breaker.
Question 5
The licensee's May 6, 2009 letter states that "Failure of the microcontroller on the shunt trip device would have the same effect as coil failure, loss of power or blown fuse, which is similar to the existing design's failure modes." What is the basis for this statement?
Response
The microcontroller monitors input voltage to the device and when the correct threshold is sensed, coils are energized or de-energized to operate the plungers.
Failure of the Shunt Trip microcontroller could result in failure to energize its associated coil. The result of this failure mode is consistent with loss of power, a blown fuse, or coil failure in the existing design as they would also result in failure to energize the Shunt Trip coil.
Failure of the Shunt Trip microcontroller would not result in inadvertent energization of the coil because the voltage is not available to the Shunt Trip device without an RPS trip signal present.
Question 6 a.
In Section 5.3 of the NLI V&V report it states, "A highly controlled process was used to develop and test the software and software/hardware system." How was it determined that Schneider/Square D used a highly controlled process to develop and test the software and the software/hardware system?
Response
NLI performed a V&V audit of the Schneider/Square D facility where the development, testing and manufacturing are performed. The audit consisted of a documentation review and personnel interviews. The controlling procedures and implementation of the procedure were reviewed. It was determined that Schneider/Square D controls the life cycle steps for the hardware and software, including product specification, firmware development, firmware testing, integration testing, and manufacturing. Configuration control is maintained throughout the product lifecycle. NLI concluded that there was sufficient documentation to support the dedication of the devices for safety related applications. The NLI dedication process meets the requirements of EPRI TR-106439, "Guidelines on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications."
The following documents control the development, testing and lifecycle of the firmware. These documents were reviewed by NLI during the dedication process.
Schneider ISO 9001 quality assurance program.
Software control procedures - The design team management and quality assurance activities comply with the intent, where applicable, of the following IEC documents: 1131-1-1992; 1131-2-1992; 1131-3-1992; and 1131-4-1995 for microcontrollers, which correlate, where applicable, to the requirements of IEEE Standards 830-93, 603-91, 828-90, 1008-87, 1042-87 and 1074-95. The titles and content follow European format and in some cases requirements are combined in a single document.
The primary documents for this product are as follows (reference NLI V&V Report Section 7.1.8):
Technical Design Requirements: Schneider Electric document 5100512854, Revision B, PROXIMA Auxiliary Design File, (English Translation), dated 3/11/2005.
PROXIMA Auxiliaries Relay Software Specification: Schneider Electric document 5100512993, Revision B, Description of PROXIMA Auxiliary Software (English Translation), dated 12/12/2005.
Coding Specification: Schneider Electric document 5100511735, Revision 4, Manual for the Development of Program Code, dated 9/14/2001.
Acceptance Test Requirements: Schneider Electric document 5100561500, Revision A1, Functional Test Specification for PROXIMA Auxiliaries, undated.
FEMA Documents: Schneider Electric document 51311620, Revision B, Study of Reliable Function of PROXIMA Auxiliaries, dated 1/20/2003 (references MIL-HDBK-217).
Exelon has reviewed the dedication plan/processes performed by NLI. Exelon is satisfied that NLI has taken the proper actions to dedicate the RTBs and is confident the RTBs will perform as required. Exelon reviews included the following:
Reviewed and verified compliance with Exelon specification for RTBs.
Reviewed factory acceptance test (FAT) plan.
Witnessed FAT of the RTBs.
NLI is an Exelon approved vendor for safety-related equipment.
b.
What is the evidence of Schneider/Square D's highly controlled process of software development?
Response
NLI performed a V&V audit of the Schneider/Square D facilities. The audit results are documented in V&V Report VVR-042181-1. As referenced in 6a above, Exelon reviewed the NLI V&V report, including the audit section, and is satisfied with the actions NLI has taken.
c.
How does this development process compare with the software development process required by NUREG 0800 Standard Review Plan Chapter 7, BTP 7-14?
Response
NLI V&V activities meet the requirements of SRP Chapter 7, BTP 7-14 for commercial-off-the-shelf software [Section B.3]. The V&V program meets the requirements of EPRI TR-106439, which is noted in the BTP as an acceptable method for performing evaluations of commercial-off-the-shelf software.
Exelon compared EPRI TR-106439, Figure 3-2 list of recommended commercial software dedication activities to the NLI V&V Report VVR-042181-1, Table 6.1.
Exelon concluded that the activities listed in the EPRI TR-106439 were appropriately covered by NLI in their V&V report.
These activities included:
Review of the following Schneider/Square D activities:
o design and documentation
o development process
o Quality Assurance and configuration control
o vendor testing
o operating experience
Review of Schneider/Square D Failure analysis and supplemental NLI testing for failure modes.
Supplemental dedication activities including:
o inspections
o testing (note that 100% of the coils are tested)
o verifications
o documentation
Problem reporting per 10 CFR Part 21
d.
Please provide documentation of this software development process.
Response
The NLI V&V Report VVR-042181-1 previously provided in Attachment 2 of Reference 2 documents the process (TMI 09-100, Attachment 2). The response to question 6.a provides details on the Schneider/Square D documents that were reviewed by NLI.
Additional information is contained in Sections 6.1 and 7.1 of the V&V report.
Note: Any information in the NLI V&V report pertaining to the Micrologic Trip Unit is not applicable to the TMI application.
Question 7 a.
In Section 1.5 of the NLI V&V report, it states, "There have been no revision to the trip unit software since it was issued in 1998." However, the licensee's August 21, 2009 letter states, "There have been no revisions to either the code or the hardware on the microcontrollers since the production release in 2002." Please address the differences in these statements.
Response
The 1998 issue date was for the Micrologic Trip Unit firmware. The TMI breakers do not contain Micrologic Trip Units. The microcontroller firmware for the UV, Shunt Trip devices, and Close Coil was originally issued in 2002, and has not been revised.
b.
What is the history of software revisions prior to 2002?
Response
Not applicable since the applicable firmware was originally issued in 2002.
c.
What were the problems with the software prior to 2002?
Response
Not applicable since the applicable firmware was originally issued in 2002.
Question 8 a.
Discuss the worst case firmware CCF and its results.
Response
There is no firmware CCF that can prevent tripping the RTB via the UV device. The Reactor Protection System trip signal removes all power to the UV device and the spring-loaded plunger actuates the trip bar and trips the RTB.
The worst case postulated firmware CCF is failure of the UV microcontroller to keep the UV devices' coils energized with voltage present. This failure mode would result in spurious dropout of the UV devices. Inadvertent trip of one or more RTBs in each power train would result in an inadvertent reactor trip.
A firmware CCF that was considered and determined not to be the worst case is failure of the Shunt Trip microcontroller to energize the Shunt Trip coils with voltage present.
This would result in failure of the backup Shunt Trip feature to trip the RTB. The Shunt Trip is a backup trip feature as stated in UFSAR Section 7.1.2 and the RTB would still perform its safety function by action of the UV device.
A Shunt Trip firmware CCF that was considered and determined not to be applicable is failure of the Shunt Trip microcontroller resulting in inadvertent energization of the Shunt Trip coils, and resulting inadvertent reactor trip. This scenario is not applicable because a valid RPS trip signal needs to be present in order for the voltage to be available to the Shunt Trip devices. An interposing relay contact closes on an RPS trip signal, completing the path to provide power to the Shunt Trip devices. Without a valid RPS trip signal, the voltage is not available to the Shunt Trip coil so no failure mode of the Shunt Trip microcontroller could result in inadvertent actuation of the RTB Shunt Trip devices.
The firmware CCF events are within design basis. The inadvertent reactor trip is considered worst case because of the challenge to the operators and to plant systems.
There is reasonable assurance that a firmware CCF will not occur based on the following:
NLI V&V activities in accordance with requirements of EPRI TR-106439 for commercial-off-the-shelf software. Reference response to 6c for additional detail.
Schneider/Square D utilized a highly controlled process to design, develop, and test the firmware. Reference response to 6a for additional detail on the process.
The microcontroller firmware is not complex and performs a single function to monitor input voltage and energize or de-energize coils. The firmware is deterministic with all commands executed sequentially in every cycle without interrupts.
There is significant operating experience available that demonstrates reliable operation of the RTB microcontrollers. Approximately 240 safety-related breakers containing microcontrollers have been provided by NLI. There have been no firmware failures reported to NLI.
b.
Is the worst case firmware CCF bounded by the plant safety analysis?
Response
Yes, the worst case CCF resulting in an inadvertent reactor trip is bounded by the plant safety analysis. Reactor trip is a safe response to plant accidents listed in the plant safety analysis.
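The failure argument in the responses to Questions 3, 4, 5 and 8 can be checked exhaustively. The sketch below is an added illustration, not vendor firmware or Exelon/NLI analysis: the three firmware failure modes and all names in it are assumptions made for this example, and the model keeps only the facts stated above (two-wire devices with no battery, UV powered until an RPS trip, Shunt Trip powered only on an RPS trip, two breakers in each of two parallel trains).

```python
"""Added illustration: exhaustive check of the RTB failure-mode argument.

Constructed model. The failure modes in Fw are a simplifying assumption.
"""
from enum import Enum
from itertools import product


class Fw(Enum):
    NORMAL = "normal"        # coil driven whenever input voltage is present
    STUCK_OFF = "stuck_off"  # firmware never energizes the coil
    STUCK_ON = "stuck_on"    # firmware always commands the coil on


def coil_energized(fw, input_voltage):
    """Two-wire device with no battery: no input voltage, no motive force."""
    if not input_voltage:
        return False
    return fw is not Fw.STUCK_OFF


def breaker_open(uv_fw, shunt_fw, rps_tripped):
    """One RTB opens if either device's plunger extends to hit the trip bar."""
    uv_voltage = not rps_tripped  # RPS keeps the UV device powered until trip
    shunt_voltage = rps_tripped   # interposing relay powers the shunt on trip
    uv_extended = not coil_energized(uv_fw, uv_voltage)       # spring extends
    shunt_extended = coil_energized(shunt_fw, shunt_voltage)  # coil extends
    return uv_extended or shunt_extended


def reactor_tripped(breakers, rps_tripped):
    """breakers: four (uv_fw, shunt_fw) pairs; 0-1 are train A, 2-3 train B.

    At least one breaker in each parallel train must open.
    """
    is_open = [breaker_open(uv, sh, rps_tripped) for uv, sh in breakers]
    return (is_open[0] or is_open[1]) and (is_open[2] or is_open[3])


def enumerate_failures():
    """Try every mode on all eight devices (3**8 = 6561 combinations)."""
    failed_to_trip, spurious = [], []
    for combo in product(Fw, repeat=8):
        breakers = [(combo[i], combo[i + 4]) for i in range(4)]
        if not reactor_tripped(breakers, rps_tripped=True):
            failed_to_trip.append(breakers)
        if reactor_tripped(breakers, rps_tripped=False):
            spurious.append(breakers)
    return failed_to_trip, spurious


def common_cause(mode, rps_tripped):
    """Same firmware fault in every UV and Shunt Trip device at once."""
    return reactor_tripped([(mode, mode)] * 4, rps_tripped)


if __name__ == "__main__":
    failed, spurious = enumerate_failures()
    print("combinations that fail to trip on RPS demand:", len(failed))
    print("combinations that trip with no RPS demand:", len(spurious))
    for mode in Fw:
        print(mode.value, "-> trips on demand:", common_cause(mode, True),
              "| spurious trip:", common_cause(mode, False))
```

The only unsafe-direction outcome the model can produce is a spurious trip, and only when a UV device in each train drops out, which matches the worst case named in the response to Question 8a.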
Question 9
The September 29, 2008 LAR proposes the deletion of the word "Indicator" from "Check with Relative Position Indicator," and "Check with Absolute Position Indicator," the Remarks column in Table 4.1.1, Functions 23 and 24, respectively. As part of the change in the control rod drive system the analog Control Rod Relative Position and Control Rod Absolute Position meters would be replaced by the Flat Panel Position Indication Display. The Flat Panel Position Indication Display would show Control Rod Zone Reference Switch Status and either Control Rod Relative Position or Control Rod Absolute Position. What would be the impact of replacing the word "Indicator" with the word "Indication" in the Remarks column for Functions 23 and 24, in lieu of deleting the word "Indicator"?
Response
There is no impact of replacing the word "Indicator" with the word "Indication." Accordingly, TS Table 4.1.1 Functions 23 and 24 Remarks column has been revised and the proposed revision to Table 4.1.1 has been included as Attachment 2 to this response letter.
References:
1) Letter from P. B. Cowan (AmerGen Energy Company, LLC) to U.S. Nuclear Regulatory Commission, "Technical Specification Change Request No. 342 Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated September 29, 2008
2) Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S. Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated August 21, 2009
ATTACHMENT 2 Proposed Revisions to Technical Specification Table 4.1-1
TABLE 4.1-1 (Continued)

| CHANNEL DESCRIPTION | CHECK | TEST | CALIBRATE | REMARKS |
|---|---|---|---|---|
| 19. Reactor Building Emergency Cooling and Isolation System Analog Channels | | | | |
| a. Reactor Building 4 psig Channels | S(1) | M(1) | F | (1) When CONTAINMENT INTEGRITY is required. |
| b. RCS Pressure 1600 psig | S(1) | M(1) | NA | (1) When RCS Pressure > 1800 psig. |
| c. Deleted | | | | |
| d. Reactor Bldg. 30 psi pressure switches | S(1) | M(1) | F | (1) When CONTAINMENT INTEGRITY is required. |
| e. Reactor Bldg. Purge Line High Radiation (AH-V-1A/D) | W(1) | M(1)(2) | F | (1) When CONTAINMENT INTEGRITY is required. |
| f. Line Break Isolation Signal (ICCW & NSCCW) | W(1) | M(1) | R | (1) When CONTAINMENT INTEGRITY is required. |
| 20. Reactor Building Spray System Logic Channel | NA | Q | NA | |
| 21. Reactor Building Spray 30 psig pressure switches | NA | M | F | |
| 22. Pressurizer Temperature Channels | S | NA | R | |
| 23. Control Rod Absolute Position | S(1) | NA | R | (1) Check with Relative Position Indication |
| a. Zone Reference Switch | NA | R(1) | NA | (1) Verify switch functions |
| 24. Control Rod Relative Position | S(1) | NA | NA | (1) Check with Absolute Position Indication |
| 25. Core Flooding Tanks | | | | |
| a. Pressure Channels Coolant | NA | NA | F | |
| b. Level Channels | NA | NA | F | |
| 26. Pressurizer Level Channels | S | NA | R | |