ML093220864
| ML093220864 | |
| Person / Time | |
|---|---|
| Site: | Crane  |
| Issue date: | 11/11/2009 |
| From: | Cowan P Exelon Generation Co, Exelon Nuclear |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| TMI-09-139 | |
| Download: ML093220864 (18) | |
Text
Exekln, Exelon Nuclear www.exeloncorp.com 200 Exelon Way Nuclear Kennett Square, PA 19348 10 CFR 50.90 TMI-09-139 November 11,2009 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001 Three Mile Island Nuclear Station, Unit 1 Renewed Facility Operating License No. DPR-50 NRC Docket No. 50-289
Subject:
Three Mile Island, Unit 1 - Response to Request for Additional Information Concerning Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods
References:
(1)
Letter from P. B. Cowan (AmerGen Energy Company, LLC) to U.S. Nuclear Regulatory Commission, "Technical Specification Change Request No. 342 Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated September 29, 2008 (2)
Letter from P. Bamford (U.S. Nuclear Regulatory Commission) to C. Pardee (Exelon Generation Company, LLC), 'Three Mile Island Nuclear Station, Unit 1 - Request for Additional Information Regarding Control Rod Drive Control System Replacement License Amendment (TAC NO. MD9762),"
dated April 6, 2009 (3)
Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S.
Nuclear Regulatory Commission, "Three Mile Island Unit 1 Response to Request for Additional Information Related to Technical Specification Change Request No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated May 6, 2009 (4)
Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S.
Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated June 23, 2009
U.S. Nuclear Regulatory Commission November 11, 2009 Page 2 (5)
Letter from P. Bamford (U.S. Nuclear Regulatory Commission) to C. Pardee (Exelon Generation Company, LLC), "Three Mile Island Nuclear Station, Unit 1 - Request for Additional Information Regarding Control Rod Drive Control System Replacement License Amendment (TAC NO. MD9762),"
dated August 11, 2009 (6)
Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S.
Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated August 21, 2009 (7)
Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S.
Nuclear Regulatory Commission, "Three Mile Island Unit 1 - Supplement to Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated September 17, 2009 (8)
Electronic Transmission from P. Bamford (U.S. Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), 'Three Mile Island, Unit No. 1 - Electronic Transmission, Draft Request for Additional Information Regarding Proposed Technical Specification Changes to Reflect Control Rod Drive Control System Replacement," dated October 9, 2009 (ML092860144)
(9)
Letter from P. B. Cowan (Exelon Generation Company, LLC) to U.S.
Nuclear Regulatory Commission, "Three Mile Island, Unit 1 - Response to Request for Additional Information Concerning Technical Specification Change Request (TSCR) No. 342: Control Rod Drive Control System Upgrade and Elimination of the Axial Power Shaping Rods," dated October 15, 2009 (10) Electronic Transmission from P. Bamford (U.S. Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), "Request for Additional Information, Three Mile Island Nuclear Station, Unit 1, Control Rod Drive Control System Replacement and Axial Power Shaping Rod Removal, Docket No. 50-289," dated October 22, 2009 (ML092950177)
(11)
Electronic Transmission from E. Miller (U.S. Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), "Request for Additional Information, Three Mile Island Nuclear Station, Unit 1, Control Rod Drive Control System Replacement and Axial Power Shaping Rod Removal, Docket No. 50-289," dated October 23, 2009 (ML092960244.)
By letter dated September 29, 2008 (Reference 1), AmerGen Energy Company, LLC (now Exelon Generation Company, LLC (Exelon)) requested a change to the Technical Specifications to accommodate the proposed changes resulting from the Digital Control Rod Drive Control System (DCRDCS) Upgrade Project and the elimination of the Axial Power Shaping Rods.
U.S. Nuclear Regulatory Commission November 11, 2009 Page 3 References 2 - 9 involved additional information requested by the U.S. Nuclear Regulatory Commission (NRC) associated with the proposed change.
Subsequently, the NRC determined that additional information is needed to complete its review (References 10 and 11).
Exelon's response to the NRC questions in References 10 and 11 is provided in Attachment 1 to this letter. Attachment 2, "Qualification Report for the Square D Reactor Trip Switchgear for Three Mile Island," Attachment 3, "Factory Acceptance Testing Report on Square-D PZ4 Rx Trip Switchgear," Attachment 4, "Verification and Validation Report for Square D Masterpact Circuit Breaker (Coils Only)," and Attachment 5, "EMI/RFI Qualification Report for Masterpact Circuit Breaker Shunt Trip and Undervoltage Trip" contain the requested reports.
Exelon has determined that the information provided in this response does not impact the conclusions of the No Significant Hazards Consideration as stated in Reference 1.
There are no regulatory commitments contained in this letter.
Exelon recently decided not to install the DCRDCS during the current fall 2009 refueling outage.
Installation of the DCRDCS is now planned for the fall 2011 refueling outage. Accordingly, we plan to implement the amendment, once approved, by the end of the fall 2011 refueling outage.
A copy of this letter and its attachments are being provided to the designated State official and the chief executives of the township and county in which the facility is located.
Should you have any questions concerning this letter, please contact Frank J. Mascitelli at (610) 765-5512.
I declare under penalty of perjury that the foregoing is true and correct. Executed on the 11th day of November 2009.
Respectfully, Pamela B. 'Cowan Director - Licensing & Regulatory Affairs Exelon Generation Company, LLC Attachments: 1) Response to Request for Additional Information
- 2) Qualification Report for the Square D Reactor Trip Switchgear for Three Mile Island, QR-06910327-1, dated May 2009
- 3) Factory Acceptance Testing Report on Square-D PZ4 Rx Trip Switchgear, FAT-Report-0691 0327-1, dated August 2009
- 4) Verification and Validation Report for Square D Masterpact Circuit Breaker (Coils Only), VVR-042181-1-COIL, dated October 2009
U.S. Nuclear Regulatory Commission November 11, 2009 Page 4
- 5) EMI/RFI Qualification Report for Masterpact Circuit Breaker Shunt Trip and Undervoltage Trip, QR-042181-5, dated May 2009 cc:
S. J. Collins, Administrator, USNRC Region I D. M. Kern, USNRC Senior Resident Inspector, TMI Unit 1 P. J. Bamford, USNRC Project Manager, TMI Unit 1 D. Allard, Director, Bureau of Radiation Protection-PA Department of Environmental Resources Chairman, Board of County Commissioners of Dauphin County Chairman, Board of Supervisors of Londonderry Township
ATTACHMENT 1 Response to Request for Additional Information
ATTACHMENT 1 Response to Request for Additional Information Page 1 of 13 Questions 1 - 9 below were received in an Electronic Transmission from P. Bamford (U.S.
Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), 'Three Mile Island, Unit No. 1 - Electronic Transmission," Request for Additional Information, Three Mile Island, Unit No. 1, Control Rod Drive Control System Replacement and Axial Power Shaping Rod Removal," dated October 22, 2009 (ML092950177). The purpose of these questions is to clarify that the commercial dedication process was implemented in accordance with EPRI TR-106439.
Questions 10 and 11 below were received in an Electronic Transmission from E. Miller (U.S.
Nuclear Regulatory Commission) to F. Mascitelli (Exelon Generation Company, LLC), FAX Transmission - "Request for Additional Information, Three Mile Island, Unit No. 1, Control Rod Drive Control System Replacement and Axial Power Shaping Rod Removal," dated October 23, 2009 (ML092960244). The purpose of these questions is to clarify the consequences of a software common cause failure of the DCRDCS.
Question 1
- a.
Nuclear Logistics Incorporated (NLI) Report VVR-042181-1 is titled as a Verification and Validation (V&V) report. However, for the Masterpact NT breaker that is being used by TMI-1, the NLI effort was a commercial grade dedication. Does this report constitute a commercial grade dedication report/effort, or is there a separate commercial grade dedication report? Please provide the portions of the commercial grade dedication package that are not contained in NLI Report VVR-042181-1.
Response
Note: The Coil applicable sections of NLI Report VVR-042181-1 have been reconstituted into a new report, NLI Report VVR-042181-1-COIL.
The following reports constitute the commercial grade dedication:
V&V report VVR-042181-1 -COIL is the Verification & Validation Report for the Masterpact circuit breakers with the software driven devices. The other documents that are applicable to the commercial grade dedication of the TMI Masterpact NT breaker are as follows:
Qualification Report for the Square D Reactor Trip Switchgear for Three Mile Island, QR-06910327-1, dated May 2009 Factory Acceptance Testing Report on Square-D PZ4 Rx Trip Switchgear, FAT-Report-06910327-1, dated August 2009 Verification and Validation Report for Square D Masterpact Circuit Breaker (Coils Only), VVR-042181-1-COIL, dated October 2009 EMI/RFI Qualification Report for Masterpact Circuit Breaker Shunt Trip and Undervoltage Trip, QR-042181-5, dated May 2009 Response to Request for Additional Information Page 2 of 13 These four documents are included as Attachments 2 - 5 of this response.
- b.
It appears that the NLI report was originally written for the micrologic trip unit (not used in the TMI-1 application). Revision 7, dated April 22, 2009, added data on the undervoltage and shunt trip devices (referred to as coils in the report). Consequently, this report includes information on equipment that is not included in the TMI-1 application, which makes the review confusing. Please provide a marked up version of the NLI report that only shows the TMI-1 related information.
Response
Report VVR-042181-1-COIL contains only the information that is applicable to the Coils in the TMI Masterpact NT circuit breakers. This report is provided as Attachment 4 of this response.
Question 2 During the October 20, 2009 meeting it was stated that NLI considered the microcontroller coils to be dedicated per EPRI TR-1 06439 Example 6.2 but some additional Example 6.3 activities were performed. However, it is not clear from the NLI report which, if any, activities associated with Example 6.3 were performed. Provide confirmation of which Example 6.3 activities were performed on the microcontroller coils.
Response
Note: This response addresses questions 2, 3b, 5, and 7.
The critical characteristics of the EPRI TR-106439 associated with Example 6.2 are summarized in the following Table 1 along with the method of verification and verification reference. The critical characteristics that were addressed per EPRI TR-106439 Example 6.3 are summarized in Table 2 below:
Table 1 Row Critical Characteristic Method of Verification Verification Reference 1
Configuration: Model NLI audit of Schneider facility and VVR-042181-1-COIL, number and software product literature.
section 2.2.1 revision.
2 Configuration: Dimensions The Coils are dedication tested FAT-REPORT-and mounting and supplied in the breakers.
06910327-1, This confirms the dimensions and pages 44-50/190 mounting are correct. Sample critical characteristic size = 100% of the supplied (CC) #4b and 4c breakers.
Response to Request for Additional Information Page 3 of 13 Row Critical Characteristic Method of Verification Verification Reference 3
Interfaces Configuration review per the VVR-042181-1-COIL, Schneider specifications.
table 6.1.
The applicable interfaces are the Coil wires and the The Coils are dedication tested in FAT-REPORT-plunger actuation to hit the the breakers. This confirms the 06910327-1, pages trip bar.
interfaces are correct for the 44-50/190 CC #4b application. Sample size = 100%
and 4c.
of the supplied breakers.
4 Functionality The Coils are dedication tested in FAT-REPORT-the breakers. This confirms the 06910327-1, pages functionality for the application.
44-50/190 CC #4b Sample size = 100% of the and 4c.
supplied breakers.
5 Environmental compatibility Project specific qualification was QR-06910327-1, (EMI/RFI, seismic, mild performed in accordance with the QR-042181-5 environment, radiation)
TMI specification by testing and analysis.
6 Behavior under Dedication test of the equipment FAT-REPORT-abnormal/faulted conditions:
supplied to TMI included the 06910327-1, page 44-Loss of power.
following:
50/190 CC #4b and Voltage range.
0 Removal and application of 4c, page 56/190 CC power.
- 9.
- Operation across the plant specific voltage range.
7 Built-in quality:
Schneider maintains a VVR-042181-1-COIL, Vendor maintains a documented QA program that sections 6.1 and 7.1.
documented QA program.
controls the lifecycle of the hardware and software.
Response to Request for Additional Information Page 4 of 13 Row Critical Characteristic Method of Verification Verification Reference 8
Built in quality: Operating The following product operating VVR-042181-1 -COIL, experience includes the history is provided:
section 7.3.
following:
The microcontroller firmware Firmware has been for the UV and Shunt Trip stable over the recent Coils were originally issued in operating history and no 2002. There have been no software related failures firmware revisions.
have been reported.
NLI has supplied approximately 240 Masterpact circuit breakers with these devices installed that have been installed in nuclear power plants. The breakers contain one or more of the Shunt Trip, Close Coil, and UV devices. There have been no problems reported to NLI. The supplied breakers are a combination of safety and non-safety related.
The commercial supplied base is over 100,000 Coils. There have been no firmware failures reported to Schneider/Square D.
9 Built in quality: Operating The Schneider program was VVR-042181-1-COIL, experience includes the verified during the audit. See sections 8.1 and 8.2.
following:
section 8.1 of the V&V report.
Vendor has a strong program to record The NLI program is in accordance feedback from problems with the NLI nuclear QA program.
in the field.
See section 8.2 of the V&V report.
10 Built in quality: Evidence that The NLI audit of the Schneider 0
VVR-042181 the QA program was applied facilities provided evidence that COIL, sections in the production of the the QA program was applied to 6.1 and 7.1.
procured item.
the production of the procured 0
See the response item.
to Question #9 below.
Response to Request for Additional Information Page 5 of 13 Row Critical Characteristic Method of Verification Verification Reference 11 Built in quality: Documented The following product operating VVR-042181-1-COIL, product operating history.
history is provided:
section 7.3.
- The microcontroller firmware for the UV and Shunt Trip Coils were originally issued in 2002. There have been no firmware revisions.
NLI has supplied approximately 240 Masterpact circuit breakers with these devices installed that have been installed in nuclear power plants. The breakers contain one or more of the Shunt Trip, Close Coil, and UV devices. There have been no problems reported to NLI. The supplied breakers are a combination of safety and non-safety related.
The commercial supplied base is over 100,000 Coils. There have been no firmware failures reported to Schneider/Square D.
12 Failure modes and failure The following product operating VVR-042181-1-COIL, management: Review of history is provided:
section 7.3.
product operating history.
The microcontroller firmware for the UV and Shunt Trip Coils were originally issued in 2002. There have been no firmware revisions.
NLI has supplied approximately 240 Masterpact circuit breakers with these devices installed that have been installed in nuclear power plants. The breakers contain one or more of the Shunt Trip, Close Coil, and UV devices. There have been no problems reported to NLI. The supplied breakers are a combination of safety and non-safety related.
Response to Request for Additional Information Page 6 of 13 Row Critical Characteristic Method of Verification Verification Reference The commercial supplied base is over 100,000 Coils. There have been no firmware failures reported to Schneider/Square D.
13 Failure modes and failure Hardware failure management VVR-042181-1-COIL, management: Failure and reliability: Per section 5.0 of sections 5.0 and 6.3.
analysis identifying failure the V&V report.
modes from the system standpoint and assessing Software failure management their significance.
common cause failure analysis:
per section 6.3 of the V&V report.
14 Failure modes and failure The following challenge testing QR-06910327-1, management: Challenge has been performed by NLI:
QR-042181-5, testing designed to test for 0
Loss of voltage and degraded FAT-REPORT-possible critical failure modes voltage.
0691 0327-1 in normal operation.
0 Abnormal Conditions and Events.
15 Configuration control The Schneider program was VVR-042181-1-COIL, verified during the audit. See sections 8.1 and 8.2.
section 8.1 of the V&V report.
The NLI program is in accordance with the NLI nuclear QA program.
See section 8.2 of the V&V report.
16 Problem reporting Schneider has a formal problem VVR-042181-1-COIL, reporting program.
sections 8.1 and 8.2.
NLI has a formal problem reporting program.
17 Reliability: Reliability Audit of the Schneider facility of VVR-042181-1-COIL, calculations.
review of reliability calculations.
section 5.0.
Schneider performed hardware reliability calculations per MIL-HDBK-217F.
The firmware is highly reliable.
Response to Request for Additional Information Page 7 of 13 Row Critical Characteristic Method of Verification Verification Reference 18 Reliability: Operating history.
The following product operating history is provided:
- The microcontroller firmware for the UV and Shunt Trip Coils were originally issued in 2002. There have been no firmware revisions.
NLI has supplied approximately 240 Masterpact circuit breakers with these devices installed that have been installed in nuclear power plants. The breakers contain one or more of the Shunt Trip, Close Coil, and UV devices. There have been no problems reported to NLI. The supplied breakers are a combination of safety and non-safety related.
The commercial supplied base is over 100,000 Coils.
There have been no firmware failures reported to Schneider/Square D.
VVR-042181-1 -COIL, section 7.3.
Response to Request for Additional Information Page 8 of 13 The critical characteristics of the EPRI TR-1 06439 associated with Example 6.3 that were addressed are summarized in the following Table 2 along with the method of verification and verification reference:
Table 2 Row Critical Characteristic Method of Verification Verification Reference 1
Human-machine interfaces There are no HMI.
VVR-042181-1 -COIL, (HMI) section 2.3 2
Built-in quality: Vendor NLI audit of the Schneider facility.
o VVR-042181 follows a digital COIL, sections 6.1 system/software and 7.1.
development process:
See the response Document design to Question #9 requirements, including below.
software requirements.
Validation test reporting.
Software quality assurance procedure.
Software quality reviews.
Software production controls.
Coding specification.
Acceptance test requirements.
Question 3
- a.
Sections 7.1.1 - 7.1.7 of the NLI Report discuss audits of the Schneider/Square D.
These audits appear to have been for the micrologic trip units only. Did these audits also include the microcontroller coils? If so, what were the results and where is this information documented?
Response
An audit of the Schneider/Square D facility in France was performed for the Coils. Initial NLI audit of Coil data took place December 15 - 19, 2008. This audit was performed after the audits for the Micrologic Trip Units. The information from this audit was incorporated directly into the VVR-042181-1-COIL report and a separate audit report was not prepared.
Response to Request for Additional Information Page 9 of 13 The following activities were performed during the audit for the Coils:
The NLI auditor confirmed that the software lifecycle controls used for the Coils were the same as used for the Micrologic Trip Units. The same quality assurance program and implementing procedures were used. This information is contained in report VVR-042181-1-COIL, Sections 6.1 and 7.1.
The product specific documents for the Coils were collected and reviewed. These documents are identified in section 7.1 of the NLI Report VVR-0421 81-1-COIL.
The NLI auditor reviewed the eight code modules and coder's notes against the design specification. The summary of this review is contained in VVR-042181 COIL, Section 2.2.4.
- b.
It appears from the NLI report that the only NLI activities directly related to the microcontroller coils (Sections 7.1.8, 7.2.1, 7.2.2, and 7.3.1) were documentation reviews, qualification testing, dedication testing, and operating history reviews. Were there other dedication activities for the microcontroller coils as stipulated in Section 6.2 of EPRI TR-106439? Please identify where this is documented.
Response
See Tables 1 and 2 in the response to Question 2 above.
Question 4 Attachments A thru E to the NLI report deal with (A) Configuration and NLI audit, (B)
Validation plan with test data, (C) Failure Mode and Effects Analysis (FMEA), (D) V&V plan, and (E) Validation test plan for the micrologic trip units without mention of the microcontroller coils. Are any of these attachments applicable to the microcontroller coils? If not, please indicate where in the NLI report this information is located with respect to the microcontroller coils.
Response
Attachments A through E of VVR-042181-1 report are not applicable to the Coils. Refer to NLI Report VVR-042181-1-COIL for additional Coil-related information.
Question 5 How was the EPRI TR-106439 Table 6-2c failure modes and failure management critical characteristic met? Explain the process for reviewing the software architecture to identify important internal failure modes? Where are the results documented?
Response
The EPRI TR-106439 Table 6-2c failure modes and failure management critical characteristic were met as follows:
Response to Request for Additional Information Page 10 of 13 Hardware failure management and reliability review Software failure management common cause failure analysis Loss of voltage and degraded voltage challenge testing Product operating history review Abnormal Conditions and Events review A Systems Failure Modes and Effects Analysis determined that the impact of software failure is limited to turning the microcontroller on, off, or cycling between on and off. A review of the software architecture to identify important internal failure modes was not required since the impact of any internal failure mode was understood and acceptable.
See Tables 1 and 2 in the response to Question 2 above for more information.
Question 6 During the October 20, 2009 meeting the NLI representative indicated that the software includes interrupts. However, for the Coils, Section 6.3 of the NLI report states, 'The components use simple microcontroller architecture. It is deterministic with all commands executed sequentially in every cycle without interrupts." Also the October 15, 2009 letter stated, 'The firmware is deterministic with all commands executed sequentially in every cycle without interrupt." Which statement is accurate?
Response
There are no interrupts. The NLI Report VVR-042181-1 is correct as written.
Question 7 Based on the NLI report, it is not clear how each of the critical characteristic of EPRI TR-106439 Example 6.2 in Tables 6-2a thru 6-2c have been met. Table 6.1 of the NLI report includes critical characteristics of the microcontroller coils on pages 67 and 68.
However, these appear to be hardware characteristic and do not include all of the Example 2 critical characteristics. Where in the NLI report are each of the Example 6.2 critical characteristics indentified and results discussed?
Response
See Tables 1 and 2 provided in the response to Question 2 above.
Response to Request for Additional Information Page 11 of 13 Question 8 Section 3.2 of the NLI report states that, 'The lifecycle model presented in [Institute of Electrical and Electronics Engineers] I EEE-1 012 was used to identify the relevant lifecycle steps." This gives the impression that IEEE-1012 was used. However, this section also states, "As such, the explicit documentation requirements in IEEE-1012 are not met." If the provisions of IEEE-1 012 are not met how was the software able to be acceptable for safety related applications?
Response
While the explicit documentation requirements in IEEE-1012 were not used, including exact format and content, VVR-042181-1-COIL Section 3.2 addresses a sample of IEEE-1012 Figure 1 verification and validation (life cycle) processes, activities, and tasks. VVR-042181-1-COIL Section 3.2 Lifecycle Table ensures that the software is acceptable for the RTB safety related application. The sample was based on:
" Schneider had previously developed and documented the software/firmware using ISO 9000 standards.
No firmware failures have been identified in the 100,000 Coils sold and no outstanding uncorrected firmware errors exist at this time. No firmware revisions are planned.
Acceptable Schneider testing of the Coils and associated firmware.
Acceptable review of failure management features and other critical characteristics.
The microcontroller programming cannot be changed after manufacture of the Coil, and has not changed since it was first issued in 2002.
The firmware is not interrupt driven.
Question 9 The October 15, 2009 response to Question 6.a states, "It was determined that Schneider/Square D controls the life cycle steps for the hardware and software." What criteria were used to determine how Schneider/Square D controls the life cycle steps?
Response
Quality Assurance Program and controlling procedures: A highly controlled design process has its basis in clearly defined requirements detailed in controlled procedures under auspices of a documented quality assurance program. The Schneider Electric (SE) design processes are performed under the controls of the SE quality system as documented in the Group Schneider QA Manual, which is written to comply with the requirements of ISO 9001:2000. Software design, development, and verification activities are performed under the controls of SE procedure PAEL-GO1, Revision C, Group Schneider Software Quality Assurance.
Hardware and software requirements are documented in accordance with SE procedure 07, Revision D, Group Schneider Requirements Definition. Design requirements are verified in accordance with SE procedure 13, Revision D, Group Response to Request for Additional Information Page 12 of 13 Schneider Validation of Technical or Design Requirements. Design validation is performed in accordance with documented, controlled procedures.
NLI has performed a thorough review of the documents cited above and determined that the guidance provided was comprehensive, clearly presented and of sufficient detail to provide unambiguous requirements.
Note: The Schneider high level procedures that are cited in report VVR-042181-1-COIL, Section 7.1 are applicable to the Coils.
Question 10 Describe the consequences of the worst case software common cause failure of the DCRDCS.
Response
A software common cause failure (CCF) analysis was performed that identified nine significant types of failures that could affect the rod movement, reactor trip, and rod indication functions. The worst case software CCF is uncontrolled rod withdrawal since this adds reactivity to the core. Uncontrolled rod withdraw is an initiator of two UFSAR Chapter 14 accidents: the startup accident and rod withdraw accident. The consequence of uncontrolled rod withdraw is a reactor overpower event in which the Reactor Protection System (RPS) would trip the reactor on either high flux or high pressure.
In no case does the thermal power exceed the design overpower plant safety limit of 112 percent of 2568 MWt or the reactor coolant system pressure exceed the ASME Code allowable pressure limit of 2750 psig.
Question 11 Can the worst case software common cause failure of the DCRDCS lead to reactivity events which have not been analyzed in the plant safety analysis (i.e., such that the protection system maintains the plant within its design basis in conjunction with a software common cause failure)?
Response
No, the worst case software CCF cannot lead to a reactivity event which has not been analyzed in the plant safety analysis (reference UFSAR Chapter 14).
For the case of some or all rods moving out, or altered control rod speeds, the UFSAR safety analysis has considered a very broad range of reactivity insertion rates representative of all combinations of rod withdrawals (single rod, single control group, multiple control groups, all control rods) and rod withdrawal rates. The Pulse Generator/Monitor (PG/M) Module firmware that drives the CRDMs and determines rod speed is independent of the DCRDCS software algorithm that selects which rods to move. Failures of different software on different and distinct platforms such as the Response to Request for Additional Information Page 13 of 13 DCRDCS software algorithm and PG/M module firmware are not common mode failures and are considered unlikely. The mitigating response to all these events is a reactor trip via RPS. The RPS cannot be defeated by the CRD system. RPS reactor trip is the analyzed method for mitigating reactivity events.
UFSAR Section 14.1.2.2 describes the characteristics of the Startup Accident, in which an inadvertent control rod withdrawal occurs from hot shutdown conditions. The Startup Accident results in an RPS trip from either high reactor pressure or high neutron flux.
The limiting case (highest peak thermal power) is an intermediate reactivity insertion rate representative of nominal/normal control rod performance. Slower reactivity insertion rates (equivalent to slower rod withdrawal rates) result in lower peak thermal power.
Likewise, higher reactivity insertion rates (equivalent to faster rod withdrawal rates) also result in lower peak thermal power. The limiting case is bounding for each extreme of reactivity insertion rate (low and high), as illustrated in UFSAR Figure 14.1-3. In no case does the thermal power exceed the design overpower plant safety limit of 112 percent of 2568 MWt nor does the reactor coolant system pressure exceed the ASME Code allowable pressure limit of 2750 psig.
UFSAR Section 14.1.2.3 describes the characteristics of the Rod Withdrawal Accident, in which an inadvertent control rod withdrawal occurs from full power conditions. The Rod Withdrawal Accident results in an RPS trip from either high reactor pressure or high neutron flux. The limiting case (highest peak reactor pressure) is an intermediate reactivity insertion rate representative of nominal/normal control rod performance.
Slower reactivity insertion rates (equivalent to slower rod withdrawal rates) result in lower peak pressure. Likewise, higher reactivity insertion rates (equivalent to faster rod withdrawal rates) also result in lower peak pressure. The limiting case is bounding for each extreme of reactivity insertion rate (low and high), as illustrated in UFSAR Figure 14.1-10 and 14.1-14. In no case does the thermal power exceed the design overpower plant safety limit of 112 percent of 2568 MWt nor does the reactor coolant system pressure exceed the ASME Code allowable pressure limit of 2750 psig.
Furthermore, BAW 10179, "Safety Criteria and Methodology for Acceptable Cycle Reload Analysis," requires that the rod worths for one rod, one group of rods, and all rods must lie within the range of the reactivity insertion rates considered in the safety analysis. TMI follows the requirements of this BAW for core reloads.
Based on the above, inadvertent rod withdrawal at both start-up and power operations is bounded by the existing Chapter 14 accident analysis section 14.1.2.2 and 14.1.2.3.
Variations in control rod speed during start-up and power operations are also bounded by the same existing Chapter 14 accident analysis.