Text

Topical Report, Process Protection System Replacement Diversity & Defense-in-Depth Assessment, Revision 0
	ML101100647
Person / Time
Site:	Diablo Canyon
Issue date:	03/31/2010
From:	Hefler J, Shannon Patterson; Altran Solutions Corp, Pacific Gas & Electric Co
To:	; Office of Nuclear Reactor Regulation
References
	DCL-10-030
	Download: ML101100647 (77)
	v • d • e

Enclosure 3 PG&E Letter DCL-10-030 Diablo Canyon Power Plant Topical Report, "Process Protection System Replacement Diversity

& Defense-in-Depth Assessment," Revision 0 (Nonproprietary)

PG&E NON-PROPRIETARY INFORMATION PACIFIC GAS & ELECTRIC COMPANY P Q DIABLO CANYON POWER PLANT Topical Report: Process Protection System Replacement Diversity

& Defense-in-Depth Assessment Rev0 March 2010 This page left blank by intent PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant, , Process Protection System Replacement Diversity

& Defense-in-Depth Assessment Scott B. Patterson Pacific Gas & Electric Company John W.Hefler Altran Solutions Corporation Revision 0 March 2010 Pacific Gas & Electric Company DiabloCanyon Power Plant P.O. Box 56 Avila Beach, CA 93424 Record of Revisions Revision Affected Reason for Revision, Number Pages 0 All Initial.issue PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table of Contents 1.0 E xecutive S um m ary ...........................................................................................

1-1 2.0 Diablo Canyon Process Protection System (PPS) .............................................

2-1 2.1 Reference Process Protection System (PPS) .............................................................

2-1 2.1.1 Reference PPS Diversity and Defense-in-Depth

..................................................

2-1 2 .1 .2 P P S Inte rfa ce s ............

..........................................................................................

2 -2 2.2 Existing Eagle 21 Process Protection System (PPS) .................................................

2-2 2.2.1 Eagle 21 Design .............................................................................

...... 2-2 2.2.2 Eagle 21 Diversity and Defense-in-Depth (D3) .......................

.............................

2-3 2.3 P roposed R eplacem ent P PS ......................................................................................

2-4 2.3.1 Tricon-Based Replacement PPS Equipment

..........................

-...............................

2-7 2.3.2 FPGA-Based Advanced Logic System '(ALS) Replacement PPS E q u ip m e n t ..............................................................

...............................................

2 -7 2.3.3 Preventing Protection/Control Interaction in. the Replacement PPS ..........

2-8 3.0 Diversity Evaluation of the Proposed.

Replacement PPS," ............................

3-1 S1. FSARU Chapter 15 Accidents.

and Events .........................

... 3-2 3.1,1. Events that do not require the PPS for.prirnary or backup operation.

........3-3 3.1.2 Events that do not require the PPS for primary or but require the PPS for backup protection

..............

..3-5 3 1.3 -Events that require, the PPS for primary protection:signals but will .receive automatic backup protection from systems other than the P P S ....................................................................

...................................................

3 -5 3.1.4 Events that assume the PPS for primary and backup protection signals for some aspect of the automatic protection

..............................................

3-5 3.1.5 Additional discussion of Category 4 Events (PPS Primary/PPS B a c k u p ) .................................................................................................................

3 -6 3.2 Diverse Mitigating Functions for DCPP FSARU Chapter 15 Accident Analyses......

3-11 3.3 Manual Actuation and Control of Plant Critical Safety Functions

.............................

3-11 3 .4 C o n c lu s io n s ...: ...........................................................................................................

3 -12 4.0 A bbreviations and A cronym s ......................................................................

..... 4-1 5 .0 R e fe re n ce s ..........................................................................................................

5 -1 i PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement' Diversity and Defense in Depth Assessment Figures Figure 1-1 .W estinghouse PW R Protection Scheme ..................................................................

1-2 Figure 1-2 Existing Eagle 21 Process Protection:System.(PPS)

Concept : ..............

1.. ý.. -3 Figure 1-3 Replacement Process Protection System Concept ......................

1-3 Figure 2-1 Original Westinghouse 71.00 Analog Process Protection System (Before AMSAC).....

.....-..........

...............................

2-10 Figure 2-2 Westinghouse 7100 PPS Functions

.... ....... .. ............

2-11 Figure 2-3 Reactor Trip Breaker Interface with:RTS ....... ..........

.. ..........

2-12 Figure 2-4 Safety !njection Pump Interface with ESFAS. ...... ...... .........................

.........

2-13 Figure 2-5, Eagle 21 -Block Diagram .... .........................

.............

... ..... 2-14 Figure 2-6 Typical Existing;Eagle 21 PPS Functions:

.... ...... ....... 2-15 Figure 2-7 Typical Replacement PPS Functions

....... ... .... .... ........................

2-16 Figure 2-8 Replacement PPS Architecture Concept ......'...... .........2...... 2 17 Tables Table 2-1 Process Variable Inputs for Tricon RTS/ESFAS Functions

................

2-5 Table 2-2 Process Variable Inputs for ALS RTS/ESFAS Functions

..................

2-5 Table 2-3 Diverse Protection Functions Not Affected by PPS Replacement

............................

2-6 Table 3-1 DCPP FSARU Chapter 15 Safety Analysis Events and Mitigating F unctio ns ...................................................................................................

.....3-1 5 Table 3-2 Safety Analysis Events That Do Not Require PPS for Primary or Backup Protection (Category 1 Events) ............................

3-20 Table 3-3 Safety Analysis Events With Diverse Automatic Primary Safety Function ActuationThat Require PPS for Backup Protection (Category 2 Events).........................................

3-23 Table 3-4 SafetyAnalysis Events That Require Process Protection System Channels for Primary Safety Function Actuation But Have Available Diverse Automatic Backup,(Category 3 Events) .......................................................

3-24 Table 3-5-; Safety Analysis Events That Use' Process Protection System Channels for Both Primary and Backup Safety Function Actuation (C atego ry 4 :E ve nts).. ...... .......................................................................................

3-2 5 Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF .................................

3-30 ii PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 1.0 Executive Summary The Diablo Canyon Power Plant (DCPP) digital Eagle 21 Process Protection System (PPS) is being replaced to address obsolescence issues. The scope of the replacement is illustrated in the shaded portion of Figure. 1-1.A diversity study [2] performed for the original.

Diablo Canyonfl&C system demonstrated that the analog protection and control design provided adequate diversity and defense-in-depth such that two or more diverse protective actionrs would terminate an accident before consequences adverse to public* health and safety could occur.The Safety Evaluation Report (SER) [i3]6for the Eagle 21 PPS shown in Figure1-2 determined that automatic diverse means wereavailable to mitigate all FSARU Chapter 15 accident or events that occurred concurrently with a postulated Common Cause Failure (CCF) to the PPS, with three exceptions.

The three exceptions; i.e., events for which both primary and backup mitigation.jfupctions were provided.

by Eagle 21, required manual operator action to mitigate the event when it occurred concurrently with a postulated CCF to the PPS. The exceptions are: a The current NRC staff position regarding diversity and defense-in-depth to mitigate Chapter 15 accidents and events concurrent with CCF is set forth in the Interim Staff Guidance (ISG) document from Task Working'Group

2 [3] as'follows: "When an independent and diverse method is needed as backup to an, automated system used to accomplish a required safety function, the backup function can be accomplished via either an automated system, or manual operator actions performed in the main control room. The preferred independent and diverse backup method is generally an automated system. The use of automation for protective actions is considered to provide'a high-level of licensing certainty..."If automation is used as the backup, it should be provided by equipment that is not affected by the postulated RPS CCF and should be sufficient to maintain plant conditions within BTP 7-19 recommended'acceptance criteria for the particular anticipated operational occurrence or design basis accident...

---a 1-1 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment I a Figure 1-1 Westinghouse PWR Protection Scheme PWR Protection Concept 1-2 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 1-2 Existing Eagle 21 Process Protection System (PPS) Concept Typ of 2 Train, Dependent isolated Class II outputs to control systans WInendent isolated Class 11 outputs to AMSAC Figure 1-3 Replacement Process Protection System Concept 1-3 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment a 14-PG&E NON-PROPRIETARY INFORMATION Diablo Canyon PowerPlant Process Protection System Replacement Diversity and Defense in Depth Assessment 2.0 Diablo Canyon Process Protection System (PPS)The existing digital Diablo Canyon Eagle 21 Process Protection System (PPS) monitors plant parameters, compares them against setpoints and provides signals to the Solid State Protection System (SSPS) if setpoints are exceeded.

The SSPS evaluates the signals through coincident logic and performs Reactor.Trip System (RTS) and Engineered Safety Features Actuation (ESFAS)'command functions to mitigate an event that may be in progress.Four separate PPS rack sets that comprise Protection Racks 1-16. Separation of redundant process channels begins at the process sensors and is maintained in the field wiring, containment penetrations, and process protection racks to the two redundant SSPS logic racks ("Trains").

Redundant process channels are separated by locating the electronics in different PPS rack sets (i.e., "Protection Sets").A process channel is defined as an arrangementof components, modules and software as required to generate a single protective action signal when required by a generating station condition.

[FSARU Section 7.1] -.2.1 Reference Process Protection System (PPS)Westinghouse I&C architecture uses several measurements of plant variables for both control and protection purposes.

The functional capabilities required for control and protection are very similar and equipment suitable for one purpose is also suitable for the other, provided that qualified equipment is used to perform safety-related functions.

The original analog PPS, prior to addition of the AMSAC, is depicted in Figure 2-1. The analog PPS was designed to meet single failure criteria-[10].

Functions generated by the analog PPS are illustrated in Figure 2-2.2.1.1 Reference PPS Diversity and Defense-in-Depth The Westinghouse design approach monitors numerous system variables by different means to provide functional diversity Westinghouse Topical Report WCAP-7306

[2]evaluated the diversity features provided by the original Westinghouse 7100 analog protection system architecture.

The study considered effects of instrument channel failure across redundant protection sets.WCAP-7306 considered effects of systematic or "common mode" failures that partially or completely prevent identical instrument channels from performing their function and demonstrated sufficient available diversity and defense-in-depth such that two-or more diverse protective actions would terminate an accident without endangering public health and safety. For example, LBLOCA was detected by- Pressurizer Pressure -Low and Containment Pressure -High signals, either of which could initiate Engineered Safety Functions (iLe., Safety Injection) to mitigate the event.21:.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment The WCAP 7306 evaluation took credit for availability of two or more of the following"barriers" to demonstrate adequate diversity:

1. Tolerable consequence for the expected conditions (see below);2. Low probability of accident;3. Control interlocks that arrest the condition short of reactor trip; and 4. Manual action.Depending upon the event and assumptions, event mitigation might not meet safety.analysis goals, but sufficient margin was available to prevent endangering public health and safety.- For example, Depa 4ure from Nucleate Boiling Ratio (DNBR) might decrease below the safety analysis limit, yet the consequences were still acceptable.

Thus, the WCAP-7306 methodoilogy predated today's "best estimate" evaluation methodology.

2.1.2 PPS Interfaces In addition to its protection functions, the PPS provides process signals that are isolated from protection system sensors for use by various plant control systems. As shown in Figure 2-2, the control signals pass through the PPS, yet retain their identity from input through processing to output. Aiý single failure in the PPS will not affect more than the control signals associated with the single failed channel.Discrete bistable outputs from the PPS are' routed to the Solid State Protection System (SSPS), which performs coincidence logic functions.

Outputs from the SSPS actuate plant equipment in response to completed logic functions.'

Safety components, such as the Reactor Trip Breakers (RTB), pumps and valves may be actuated manually at both the redundant SSPS train level and at the component level using controls that are connected to the components downstream of the SSPS as shown in Figure 2-3 and Figure 2-4. The SSPS is not being modified for the PPS replacement project.In this configuration, failures in the PPS cannot have an adverse impact on the operator's ability to exercise manual operation of reactor trip:and ESF equipment at either the system or componentilevel.

The basic architecture described above was maintained when the Westinghouse 7100 PPS was replaced by Eagle 21. However, the Eagle 21 PPS is a software-based digital computer system in which certain primary and backup protective functionsl(e.g., :Pressurizer pressure-low and containment pressure-high) are generated in the same platform and therefore are subject to a potential CCF that could disable, both primary and backup protective functions

[Refer to Section 2.2.2].2.2 Existing Eagle 21 Process Protection System (PPS)2.2.1 Eagle 21 Design 2-2' PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and, Defense in Depth Assessment 2.2.2 Eagle 21 Diversity and Defense-in-Depth (D3)The Eagle 21 SER [13] determined that diverse automatic measures existed to mitigate all FSARU Chapter 15 accidents and events concurrent with a CCF, except the following events where both the primary and backup mitigation functions were generated in Eagle 21 and for which manual operator action was required to mitigate the event when it occurred concurrently with a postulated CCF to the PPS: m--a 2-3.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 2.3 Proposed Replacement PPS The current NRC staff position regarding diversity and defense-in-depth to mitigate FSARU Chapter 15 [1] accidents and events concurrent with CCF is set forth in the.Interim Staff Guidance (ISG) document from Task Working Group #2 [3]. Conformance of the proposed replacement PPS to ISG-02 guidance is discussed in Section 3.0.2'-4:.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment

Table 2-1 Process Variable Inputs for Tricon RTS/ESFAS Functions Process Variable Protection Functions Table 2-2 Process Variable Inputs for ALS RTS/ESFAS Functions Process Variable Protection Functions a a 2-5":

PG&E NON-PROPRIETARY INFORMATION

'Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment.

Table 2-3 Diverse Protection Functions Not Affected by PPS Replacement Process Variable Protection Functions Power-Range High-Flux (Low Setting) RT Power-Range High-Flux (High Setting) RT Power-Range Positive Flux Rate RT Neutron Flux Power Range Flux Control Rod Stop Intermediate-Range High-Flux RT Source-Range High-Flux RT Input to OTDT RT AMSAC Turbine Trip Above C-20 Permissive/Reactor Trip (Steam Generator Low Level) Above Permissive 9 Main Turbine Stop Valve Position Turbine Trip RT Turbine Auto Stop Oil Pressure Low RCP Bus Undervoltage RT RCP Bus Underfrequency RT , .'RCP Circuit Breaker Open RT t Vi-1 a N 2-6Q PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Thus, the proposed replacement PPS: 2.3.1 Tricon-Based Replacement PPS Equipment The TRICON is a mature commercial Programmable Logic Controller (PLC) that was designed from its inception for highly reliable use in safety systems. The TRICON has been shown by more than twenty years of experience to provide safe and reliable operation in safety critical applications.

Triconex has more than 7,000 units in service and more than 410,000,000 operating hours without a failure to operate on demand.High reliability and system availability is achieved through the triple modular redundant (TMR) architecture.

This design enables the TRICON systemto be highly tolerant to hardware failures, to identify and annunciate faults that inevitably occur, and to allow replacement of modules with the system online so that faults are repaired before they become failures.Triconex issued a topical report to NRC as the basis forgeneric qualification of the TRICON PLC system for safety-related application in nuclear power plants [6]. Based on this submittal, NRC issued a SER for the platform [7] documenting staff findings that the platform possesses acceptable hardware and operating system software quality to be applied in safety-related RTS and ESFAS applications in nuclear power plants.In September 2009, Triconex submitted a Topical Report [8] that was updated for the Version. 10 Tricon as well as addressing current regulatory issues.2.3.2 FPGA-Based Advanced Logic System (ALS) Replacement PPS Equipment r- -- I a 2-7 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment CS Innovations' design practices and methodologies have been accepted by NRC in their review and approval of the much simpler Wolf Creek Main Steam and Feedwater Isolation System (MSFIS) [11]. The MSFIS safety evaluation states that it is a unique application, and that future ALS applications will require additional review.Additional information regarding 1the ALS platform will be provided with the License Amendment Request (LAR) submittal.

2.3.3 Preventing Protection/Control Interaction in the Replacement PPS 2-8 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 7 7a 2-9

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-1 Original Westinghouse 7100 Analog Process Protection System (Before AMSAC)Field Instruments 7100 7100 7100 7100 Prot Set I Prot Set 11 Prot Set I II Prot Set I Isolated (Non-Independent)

Outputs (R1-R5 R 13 (R14-R161V)

Steam Generator Water Level Control Auxiliary Feedwater Rod Speed & Direction Pressurizer Pressure Pressurizer Level Boric Acid Blending Steam Dump Control Letdown Temperature Control Post-Accident Monitoring Hardwired Indicators

&Recorders Plant Computer SSPS SSPS SSPS SSPS A/B AB NB NB I II I1 IV Existing Solid State Protection System (SSPS)SSPS Train A SSPS Train B Prot Set I Prot Set I Chi NISI C0 I NIS I Chi Prot Set 11 Prot Set II D Ch 11 ProtStII h II NIS II NIS 11 RNSLA N RNSLB Prot Set III -hiI, Prot Set I II NIS III Ch NIS III Ch Ill ProtSetlV ChIV ProtSet IV ChIV NIS IV _ NISIV RTA RTB BYB BYA ESF A ESF B Existing Nuclear Instrumentation System (NIS)Source Source Range Range I II Intermed Intermed Range Range I II Power Power Power Power Range Range Range Range I 1 11 1 1 II IV A/B A/B A/B A/B 1 11 111 IV 2-10 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-2 Westinghouse 7100 PPS Functions Process Sensor j .Westinghouse-7100.Pees ProtectienSystem" (Typrc4 for ,Seti I 1Ir ahd IV) Independent Class II Outputs to:.AMSAC ,. 'ElI 4' ,,,

Digital Feedwater Control System r Auxiliary Feedwater Pump Runout 7100 Isolator Protection Module Pressurizer Pressure Control ,LPressurizer Level Control* Reactor Control (Turbine Power)* Steam Dump Control Isolated Outputs to. To SSPS Reactor Control System Trip/EFAS (Not Independent)

Aux Safeguards Reactor Control (Tavg)Control Board Instruments "2-.11 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-3 Reactor Trip Breaker Interface with RTS+125 Vdc Control Power I+48Vdc From SSPS Train A 4 U RTICS I 2RTICS J r1SI 2TCS UVX(A Trip Trip Trip Trip T (CC1) T (CNV) T (CNAC) T (CC2)T 0 RTA Tnp Coil 0C RTA U UV Coil IXA Reactor Trip Breaker A+125 Vdc Control Power 1 TISi 2RIC 1 -lics 2S Trip Trip Trip Trip (CC) (CNV) (CNAC) T (CC2) T+48Vdc From SSPS Train A I BYB UV Coil BYB Trip Coil Bypass Breaker B 2-12 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-4 Safety Injection Pump Interface with ESFAS Bus F 2H08 Load Sequence 4160/120 PT SIS 2HF1I Relay (SSPS) " Circuit Breaker 52HF15 Unit 1 Safety Injection Pump 1 2A13.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense .in Depth Assessment Figure 2-5 Eagle 21 Block Diagram 1a 2-14.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-6 Typical Existing Eagle 21 PPS Functions, 2-15 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-7 Typical Replacement IPPS Functions 2-16 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Figure 2-8 Replacement PPS Architecture Concept 7 a 2A17 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment This page left blahk by intent 18 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 3.0 Diversity Evaluation of the Proposed Replacement'PPS If a postulated CCF can disable a safety function, BTP 7-19 [14] of the Standard Review Plan [5] Point 3 requires a diverse means, not subject to the same CCF to perform the same function or a different function.

Credit may be taken for operator action; however, sufficient time must be available for the operator to diagnose the event and initiate mitigative action.Section 3.1 of the NRC SER [13] determined that diverse automatic measures existed to mitigate all FSARU Chapter 15 accidents and events concurrent with a CCF, except for certain events where both the primary and backup mitigation functions were generated in Eagle 21. For the following events, plant indications were available with sufficient procedural guidance for an operator to diagnose the event in a timely manner and bring the plant to a safe shutdown: 1. Locked rotor loss of forced reactor coolant flow events;2. RCS depressurization, Steam Line Break (SLB) and Loss of Coolant Accident (LOCA) indicated by low Pressurizer pressure; and 3. Large Break LOCA and SLB indicated by high containment pressure.The DCPP Eagle 21 SER [13] took credit for manual action to mitigate the LOCA events within ten (10) minutes of event initiation when the LOCA occurred concurrently with an Eagle 21 CCF. Similarly, the Eagle 21 SER took credit for operator action within five (5). minutes of event initiation concurrent with Eagle 21 CCF for the Loss of RCS Flow Locked Rotor eventto avoid departure from nucleate boiling ratio (DNBR).Interim Staff Guidance (ISG) 02 [3] describes the current NRC staff position regarding Diversity and Defense in Depth: "The licensee or applicant should perform a D3 analysis to demonstrate that vulnerabilities to CCFs are adequately addressed.

NUREG/CR-6303,"Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," dated December 1994 and Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems," of NUREG-0800, "Standard Review Plan," describe an acceptable process for performing a D3 analysis..."When an independent and diverse method is needed as backup to an automated system used to accomplish a required safety function, the backup function can be accomplished via either an automated system, or manual operator actions performed in the main control room. The preferred independent and diverse backup method is generally an automated system. The use of automation for protective actions is considered to provide a high-level of licensing certainty.

Further, the licensee or applicant should provide sufficient information and controls (safety or non-safety) in the main control room that are independent and diverse from the RPS (i.e., not subject to the CCF).3-1 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment"If automation is used as the backup, it should be provided by equipment that is not affected by the postulated RPS CCF and should be sufficient to.,maintain plant conditions within BTP 7-19 recommended acceptance criteria for the particular anticipated operational occurrence or design basis accident."If manual operator actions are used as backup, a suitable human factors engineering (HFE) analysis should be performed to demonstrate that plant conditions can be maintained within BTP 7-19 recommended acceptance criteria for the particular anticipated operational occurrence or design basis accident..."In addition to the above guidance, a set of displays and controls (safety or non-safety) should be provided in the main control room for manual actuation and control of safety equipment-to manage'plant critical safety functions, including reactivity control, reactor core cooling and.heat...removal, reactorlcool1ant system integrity,ý and.containment isolation and integrity.

The displays and controls should be unaffected by the. CCF in the RP.S. However, these displays and controls could be those used for manual operator actions as describedabove.

Implementation of these manual controls should be in accordance with existing regulations.

For those events that relied on Eagle 21 for both primary and backup mitigation and thus required manual action by the operator in the eVent of a-CCF to the Eagle 21 PPS, the replacement PPSwill.provide Class IE automation that is not subject to a postulated CCF. This provision is consistent with the Staff position described above in ISG-02 [3].The proposed automation will perform accident mitigation functions to maintain plant~conditions-within the existing FSARU Chapter 15[1] analyses of anticipated operational occurrences and design basis accidents.

This approach ýis conservative with respect to the acceptance criteria recommended in BTP 7-19[14].3.1 FSARU Chapter 15 Accidents and Events The purpose of the following discussion is to demonstrate that in the unlikely event of a common cause failure (CCF) of the proposed replacement PPS, coincident with an event analyzed as part of the Diablo Canyon Units 1 and 2 licensing basis, sufficient diverse means of mitigating the transient are available to bring the reactor to a safe shutdown condition.

The diversity of the proposed replacement PPS together with existing diverse protection functions, ensure that all FSARU Chapter 15 accident analysis acceptance criteria will continue to be met in the event of software-related CCF concurrent with the accidentior event. In most cases, if an accident were to occur, the plant initial conditiobns would be less severe than those analyzed for the FSARU. The AMSAC system, which is designed to provide protection against anticipated transients without reactor trip, is diverse and independent of the PPS and would not be subject to a postulated CCF that disables the PPS.3.2 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and' Defense in Depth Assessment Primary and backup protection system signals are provided for most of the transients comprising the Diablo Canyon licensing basis. For the purpose of this discussion, a primary protection signal is one upon which the protection function occurs in the licensing basis analysis.-

Backup protection signals are those expected to occur if the primary signal did not occur.The failure of Eagle 21 to *provide an automatic protective function due to CCF was considered'to be;a beyond design basis failure mechanism and therefore was not incorporated into the FSARU Chapter 15 analysis of record accident analyses...

Table 3-1 ide tifie the primary and backup mitigating fuhctions for each initiating event that is, arnalyzed in"Chapter 15 of the DCPP FSARU Update,. These events represent the full set of events that need to be considered in assessing the impact of the digital modification on the accidents and events of FSARU Chapter 15.-The FSARU Chapter 15 licensing basis events.and accidents listed-in Table 3-1 may be divided into four categories.

per the Eagle 21 SER: 3.1.1 Events that do not require the PPS for primary or backup operation In addition-to the protection functions listed in Table 2-3 that are processed through systems other than the PPS, the following passive protection-functions are assumed, in~several FSARU analyses.1. Pressurizer Safety Valves" 2. Steam Generator Safety Valves 3. Accumulators

4. Steam Line Check Valves Table 3-2 summarizes events crediting these independent and diverse protective functions (Category 1 events). The analysis of these events either (1) takes credit for independent primary mitigating functions; or (2) does not require a primary mitigating function.

The PPS functions listed as backup in the table provide additional backup to other independent and diverse backup functions.

Therefore, mitigation of these events is completely unaffected by CCF of the PPS.FSARU Section 15.3.4 Complete Loss of Forced Reactor Coolant Flow 3-3" PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment A complete loss of forced reactor coolant flow may result from a simultaneous loss of electrical supplies to all reactor coolant pumps. The following functions mitigate a loss of.coolant flow accident: (1) Undervoltage or underfrequency on reactor coolant pump power, supply buses (2) Low reactor coolant loop flow (3) Pump circuit breaker opening The reactor trip on reactor coolant pump bus undervoltage~protects against conditions that can cause:a loss of voltage-to -all reactor coolant pumps, i.e., loss of offsite power. This function is blocked below Permissive 7 (approximately 10 percent'power)..

The reactor trip on-reactor coolant, pump underfrequency is provided to open the-reactor coolant pump breakers andtrip the reactorfor an underfrequency condition, resulting from frequency-disturbances on'the majorppower grid.. The trip disengages the reactor coolant pumps from the power grid so that the. pumps flywheel kinetic energy is available for full coastdown.

The undervoltage/.

underfrequency trio is generated independently of the PPS'and is not subject to software CCF. This function is. blocked below Permissive 7 (approximately 10 percent power).The reactor trip on low primary coolant loop flow is providedto protect against*loss of flow conditions that-affect only one reactor coolant loop., For the complete* loss of RCS flow event, it also serves as a backup to the undervoltage and underfrequency trips. This function is generated in -the PPS by two-out-of-three low-flow signals per reactor coolant loop., Above approximately 35% percent power (Permissive 8), low flow in any loop will-actuate a reactortrip.

Between approximately 10 and 35 percent power (Permissive 7 and Permissive 8), low-flow in any two loops will actuate a reactor trip.A reactor-trip from open pump breakers is provided as further backup to the low-flow signals. Above Permissive 7 a breaker open signal from any 2 of 4 pumps will actuate a reactor trip. Reactor trip on reactor coolant pump breakers open is blocked below Permissive

7. .1 a 3-4:

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 3.1.2 Events that do not require the PPS for primary or but require the PPS for backup protection Table 3-3 summarizes events that have primary protection:that is independent of the PPS but require signals processed through the PPS for backup protection (Category 2 events). The analysis of events discussed in this section is completely unaffected by CCF of the PPS since (1) the primary and backup mitigating system responses are derived through systems other than the PPS; or (2) no protection system response is required for reactor and reactor coolant system protection.

3.1.3 Eventsithat require the PPS for primary protection signals but will receive-automatic backup protection from systems other than the PPS Table 3-4 summarizes events that assume the PPS for primary protection, but have backup protection provided that is independent of the PPS (Category 3 events). These events~receive primary protection system signals through the PPS and.could be affected by a software related CCF to the PPS. However,-. backup protection signals are available that would automatically provide the* necessary protection functions through systems other.than'the PPS.WVithtihee exqcesption of the' single Rod Cluster Control Assembly (RCCA)".withdrawal and feedline break events, all events in this category are classified as ANS Condition II events and have been analyzed by Westinghouse without reactor trip for Anticipated Transients Without Scram (ATWS) events. Above C-20 (40% rated thermal power, RTP), the AMSAC :system is available to provide necessary protection functions.

The.AMSAC system initiates auxiliary feedwater and trips the turbine; :Above Permissive 9,(50% RTP), the transients would be less severe'than postulated forATWS events, .since an automatic reactor trip willýoccur independent of the PPS on turbine trip. Below C-20, generic analyses applicable to Diablo Canyon performed for ATWS events have demonstrated that the AMSAC is not required to prevent reactor coolant system damage.3.1.4 Events that assume the PPS for primary and backup protectionsignals for some aspect of the automatic protection Table 3-5 summarizes events that assume the PPS for primary and backup protection (Category 4 events), as well as diverse indicators and alarms derived through systems other than the PPS. These events receive both primary and backup protection signals for some aspect of the protection system response assumed in the safety analyses through the PPS. Table 3-5 also lists available diverse alarms, indicator lights, and recorders.

r -__- _ a 3-5' PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense~in Depth Assessment 3.1.5 Additional discussion of Category 4.Events (PPS Primary/PPS Backup).The events discussed in this section receive both primary and backup protection signals for some aspect of the protection system response assumed in the safety analyses through the replacement PPS. Alarms, indicator lights, and recorders are available for these events that will provide the operator with diverse indication of an event.a The following events were credited with manual operator action in the'Eagle 21 SER when the events were concurrent with Eagle 21 CCF: 1. Single Loop Loss of Forced Reactor Coolant Flow Events FSARU Section 15.2.5 Partial Loss of Forced Reactor Coolant Flow Protection against a partial loss of coolant flow accident is provided by the low primary coolant flow reactor trip that is actuated by two-out-of-three low flow signals in any reactor coolant loop. The low flow signals are generated in the PPS. Above approximately 35 percent power (Permissive 8), low flow in any loop will actuate a reactor trip. Reactor trip on low flow in 1 out 4 loops is blocked below Permissive

8. Between the power levels corresponding to Permissive 8 and approximately 10 percent power (Permissive

7) low flow in any.two loops will actuate a reactor trip. Reactor trip on low flow in two or more loops is blocked below Permissive

7. Diablo Canyon Technical Specifications do not require automatic reactor trip at these low power levels as discussed in FSAR Section 7.2.1.1.2.2

[1].A reactor trip signal from the pump breaker position is provided asa backup to the low flow signal. When operating above Permissive 7, a breaker open signal from any two pumps will actuate a reactor trip. Reactor trip on 2 out of 4 reactor coolant pump breakers open signal is blocked below Permissive

7. Additional backup protection is provided by RCP bus undervoltage and underfrequency.

Although diverse and available, these functions do not provide automatic protection for single loop RCS loss of flow events.3-6, PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment a FSARU Section 15.4.4 Single Reactor Coolant Pump Locked Rotor Automatic reactor trip functions and indications of a Locked Rotor event would be similar to the 1 out of 4 loop Partial Loss of Flow event. However, since the reactor coolant pumps have high inertia flywheels, the length of time for the flow to decrease would be significantly longer for a one-loop Partial Loss of Flow event than it would be for a Locked Rotor event.Indications of a one-loop Partial Loss of Flow and Locked Rotor event include reactor coolant pump breaker position open (alarm and indicator light), reactor coolant pump overcurrent trip, and abnormal pump seal flow indications.

Other event indications, not directly related to the failed pump, are: (1) Pressurizer safety relief valve (PSRV) indication system alarms.when the Pressurizer power operated relief and safety valves open; (2) core exit thermocouples reading high;and (3) wide range steam generator water level indication low.2. Accidental Depressurization of the Reactor Coolant System FSARU Section 15.2.12 Accidental Depressurization.

of the Reactor Coolant System An Accidental Depressurization of the RCS could occur'as the result of an inadvertent opening of a Pressurizer relief or safety valve. Primary protection is provided by a reactor trip on a low Pressurizer pressure or OTDT signal. Both of these reactor trips are processed by the existing PPS. If the PPS fails, an a 327*

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment automatic reactor trip may not occur for this event. Signals processed outside the PPS that would provide the operator with indication of.an event are wide range containment pressure indicators, Pressurizer safety or relief valve position indication, high Pressurizer and safety valve discharge temperature (high reading), PSRV position indication system alarms, Pressurizer relief tank level, and PSRV acoustic monitor.3. Loss of CoolantAccidents

-(Small and Large:Break LOCA),, FSARU Section 15.3.1 Loss of Reactor Coolant from Small Rupture Pipes or from Cracks in Large Pipes that Actuate Emergency Core Cooling System (Small Break LOCA)FSARU Section 15.4.1 Major Reactor Coolant System Pipe Ruptures (Large Break LOCA)A loss-of-coolant accident (LOCA) is defined as a rupture of the RCS piping or of any line connected to the system. Ruptures of small cross section (Small Break LOCA -SBLOCA) cause expulsion of the coolant at a rate that can be accommodated by the charging pumps that would maintain an operational water level in the Pressurizer permitting the operator to execute an orderly shutdown.Should a larger break occur (Large Break LOCA -LBLOCA), depressurization of the RCS causes fluid to flow to the RCS from the Pressurizer resulting in a pressure and level decrease in the Pressurizer.

Reactor trip occurs when the Pressurizer low-pressure trip setpoint is reached. The safety'injection system (S IS), is actuated when the appropriate Pressurizer low-pressure setpointis reached. Reactor trip and SIS actuation are also initiated by a high containment

_ essure signal.

lr F-P 3-8 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment, 4. Steam Line Break Events FSARU Section 15.2.14 Accidental Depressurization of the Main Steam System FSARU Section 15.4.2.1 Rupture of a Main Steam Line at Hot Shutdown FSARU Section 15.4.2.3 Rupture of a Main Steam Line at Full Power Reactor trip (at-power cases), safety injection and feedwater isolation are required to mitigate steam line break events. Sufficient reactor trip signals, from systems other than the replacement PPS, available as backup are: high neutron flux (all ranges, depending on initial power level) and high neutron positive flux rate. Borated coolant will be automatically provided by the accumulators if the RCS pressure drops below the accumulator injection pressure.

Additionally, the Diablo Canyon units have steam line check valves that prevent reverse flow from the unfaultedsteam'generators limiting-the ,magnitude ofthe blowdown to the faulted steam,generator.

......5. FSARU 15.4.2.2 Major Rupture of a Main Feedwater Pipe A major feedwater line rupture is defined as a break in a feedwater pipe large enough toprevent the addition of sufficient feedwater to the steam generators to maintain shell-side fluid inventory in the steam generators.

Depending on the size of the break and the plant operating conditions at the time of the break, the break could cause either an RCS cooldown (by excessive energy discharge through the break), or an RCS heatup. Potential RCS cooldown resulting from a secondary pipe rupture is evaluated in Section 15.4.2.1.

Therefore, only RCS heatup effects are evaluated for a feedline rupture.A feedline rupture reduces the ability to remove heat generated by the core from the RCS. The following provide the necessary protection against a main feedwater line rupture: " A reactor trip on any of the following conditions:

o Pressurizer high pressure o OTDT o Steam generator low-low water level in any steam generator Safety injection signals from any of the following:

3Z9".

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment o Steam line low pressure o Containment high pressure The AFW system provides decay heat removal The diverse AMSAC trips the turbine and initiates secondary plant heat rerhoval if the PPS does not trip the reactor due to loss of the secondary heat sink in accordance with 10 CFR 50.62 [9]...--6. FSARU Section 15.4.3 Steam Generator Tube Ruptur'e (SGTR)Primary reactor protection for this event is provided by a: reactor trip .on OTDT.Backup reactor trip signals are generated by the Pressurizer low pressure, TurbineTrip on High Steam Generator Level Permissive 14 or Pressurizer low pressure SI signals. All of these protection signals are generated by the PPS.Safety injection is initiated via a low Pressurizer pressure signal,'but is not required for core protection.

',Signals generated by systems other than the PPS are the main steam line, steam jet air ejector off-gas, steam generator blowdown (blowdown header and blowdown tank discharge), and plant vent radiation indicators and alarms. The operator would also notice a decrease in the volume control tank level and possibly an increase in the observed wide range steam generator water level (should the feedwater controller not respond to the decreased demand) which would also result in event indicators.

The RCS charging system will attempt to maintain Pressurizer level, accompanied'by Pressurizer low pressure and low-level alarms. The operator's first indication of an SGTRek'ent will be the steam line, steam jet air ejector off-gas and/or steam generator blowdown radiation monitors.

These radiation monitoring systems are diverse, with independent monitors and annunciators and would provide multiple indications of.the event. 'Upon annunciation' of anry of these signals, existing Diablo- Canyon operating procedures will provide the operator with the guidance necessary to effectively mitigate the SGTR event.'With respect to the sensitivity of these monitors, a leak rate of greater than 1 gallon per day at DCPP will result in steam jet and air ejector off-gas indications.

3-10; PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement-.

Diversity and Defense in Depth Assessment Ka 3.2 Diverse Mitigating Functions for DCPP FSARU Chapter 15 Accident Analyses This section evaluates, using engineering judgment, the impact on the DCPP FSARU Update Chapter 15 initiating events, listed in Table 3-1 of replacing the existing Westinghouse Eagle 21 PPS with the proposed replacement PPS. ]LI.Table 3-6 lists each FSARU Chapter 15 event, and describes the automatic mitigation functions, indications and manual controls that are not subject to software CCF that degrades the primary safety function.The evaluation considered that the plant .response to the postulated .initiating events (PIE) 'dcndrireht With a postulated CCF can be addressed by one of the following approaches., 1. Iflthe plant, reaches' a new steady-state condition.

without exceeding a safety limit, no protective function or immediate manual operation is required: 2.r The PIE is mitigated by an automatic protective function that is not degraded by.the postulated CCF.3.3 Manual Actuation and Control of Plant Critical Safety Functions The Diablo Canyon protection system design includes displays and controls in the main control room for manual actuation and management of plant critical safety functions.

Where necessary and practical, the indications will be derived from the raw sensor signal and the indications will not be processed by any digital system. The available displays and controls are listed in Table 3-5 and Table 3-6 and include but are not limited to the following:

1. Reactivity Control Reactor trip may be initiated at any time by controls that are entirely independent of the PPS [Figure 2-3]. Independent indication of rod position is provided as well. The Nuclear Instrumentation System provides diverse Class IE indication'of neutron flux.2. Reactor Core Cooling and Heat Removal 3-111ý PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment The diverse AMSAC provides secondary plant heat removal should the reactor fail to trip. Auxiliary Feedwater may be initiated manually and monitored by controls that are independent of the PPS.3. Reactor Coolant SystemI ntegrity Safety Injection may be initiated manually and monitored by controls that are independent of the PPS [Figure 2-4].4. Containment Isolation and Integrity Containment Spray, Containment Isolation and Containment Ventilation Isolation may be initiated manually and monitored by controls that are independent of the PPS.'3.4 Conclusions The Diablo Canyon Units I and 2 licensing basis accident analyses were reviewed to determine which events required the Process Protection System for primary or backup protection.

Those events identified as requiring the PPS for primary protection system response were reviewed to determine if a timely diverse means of automatically mitigating the transient was available or annunciators and indicators were available to allow the operator to diagnose the event and bring the plant to a safe shutdown condition in a timely manner.For most events, no operator action is required since sufficient non-PPS based automatic functions exist; i.e., the Nuclear Instrumentation System (NIS), Solid State Protection System (SSPS) and the AMSAC. For several events, however, some operator action was credited in the NRC Eagle 21 Safety Evaluation Report [13]. In these cases,' backup protection system functions, alarms, and indicators processed independent of the PPS, along with existing Diablo Canyon operating procedures and Emergency Operating Procedures, were credited to bring the plant to a safe shutdown condition.

Depending upon the event, operator action was required in ten minutes or less.F 3412 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity.

and Defense in Depth Assessment a J: 3-43 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment This page left blank by intent 3-14 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-1 DCPP FSARU Chapter 15 Safety Anal ysis Events and Mitigating Functions Event FSARU Primary Mitigating Function Backup Mitigating Function-Section Condition II -Faults of Moderate 15.2 Frequency Uncontrolled Rod Cluster Control 15.2.1 Power-Range High-Flux (Low Setting) RT a Source-Range High-Flux RT Assembly Bank Withdrawal from

Intermediate-Range High-Flux RT Subcritical Condition

Power-Range High-Flux (High Setting) RT* Power-Range Flux Positive Rate RT Uncontrolled Rod Cluster Control 15.2.2

Power-Range High-Flux (High Setting) RT

Power-Range Flux High Positive Rate RT Assembly Bank Withdrawal at Power

OTDT RT

OPDT RT* Pressurizer High-Pressure RT* Pressurizer High-Level RT Rod Cluster Control Assembly 15.2.3 As Currently Licensed, Operators Rely on NA Misoperation Indications Outside PPS to Mitigate This Event.Uncontrolled Boron Dilution (During 15.2.4 Operator action -terminate dilution NA Refueling)

Uncontrolled Boron Dilution (During 15.2.4 Source-Range High-Flux RT

Intermediate-Range High-Flux RT Startup)

Power-Range High Flux (Low Setting) RT Uncontrolled Boron Dilution (At Power) 15.2.4 Operator Action -Terminate Dilution NA Reactor Manual o Low Rod Insertion Alarm* Low-Low Rod Insertion Alarm Uncontrolled Boron Dilution (At Power) 15.2.4 o Power-range high flux (high setting) RT

OPDT RT Reactor Auto

OTDT RT

Pressurizer High-Pressure RT* Pressurizer High-Level RT 3-15 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and. Defense in Depth Assessment Table 3-1 DCPP FSARU Chapter 15 Safety Anaysis Events and Mitigating Functions, Continued Event FSARU Primary Mitigating Function Backup Mitigating Function Section Partial Loss of Forced Reactor 15.2.5 e 2/3 RCS Flow-Low In Any Loop RT Above

None credited for single loop loss of flow Coolant Flow Permissive 8 (35% NI)2

2/4 RCP Breaker Open Position above (No automatic protection below e 2/3 RCS Flow-Low In 2/4 Loops RT Above Permissive 7 provides backup for loss of flow Permissive

7) Permissive 7 (10% NI) in more than one loop 3 Startup of an Inactive Reactor 15.2.6 Event Precluded By Technical Specifications Not Applicable Coolant Loop Loss of External Electrical Load 15.2.7

Pressurizer High-Pressure RT .. .Pressurizer High Level RT and/or Turbine Trip

OTDT RT

OPDT* RT on TT (turbine trip only)Loss of Normal Feedwater Flow 15.2.8 .SG Low-Low Level RT and-AFW Actuation

Pressurizer High Pressure RT _...-Pressurizer Level.High

OTDT Loss of Non-Emergency AC Power 15.2.9

RT on TT

Pressurizer High Pressure RT to the Station Auxiliaries

SG Actuation

.Pressurizer High Level RT* OTDT RT* Reactor'Coolant Pump UV RT* 2/4 RCP Breaker Open Position RT above..Permissive'7 Excessive Heat Removal Due to 15.2.10

SG High-High Level TT and FWI

Power-Range High-Flux (High or Low Feedwater System Malfunctions

RTon TT (not required for core protection)

.-Setting) RT* OTDT'RT* OPDT RT Table 3-1 DCPP FSARU Chapter 15 Safety Analysis Events and Mitigating Functions, Continued 2 The Reactor Coolant Flow-Low Reactor Trip function provides primary protection'for'the Partial Loss of Forced Reactor Coolant Flow event (Section 15.2.5). Although available, the diverse Reactor Coolant circuit breaker open reactor trip functions do not provide automatic protection for single loop RCS low flow events.3 Reactor trip on reactor coolant pump breaker position open provides backup protection for 2 or 3 out of 4 loop Partial Lossof Reactor Coolant Flow events. Since this reactor trip logic requires signals from at, least 2 out of 4 reactor coolant pumps, it does not provide an automatic reactor trip for a 1 out 4 loop loss of flow."3-16. -

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Event FSARU Primary Mitigating Function Backup Mitigating Function Section_......Sectio Sudden Feedwater Temperature 15.2.11 None Required -EVent precluded by None-Required-Reductions elimination of Load Transient Bypass (LTB)function.Excessive Load Increase Incident 15.2.12 None Required 4 OTDT RT* OPDT RT Power-Range High-Flux RT (High or Low Setting),.:

Accidental Depressurization of the 15.2.13 OTDT RT -Pressurizer Low-Pressure RT Reactor Coolant System Accidental Depressurization of the 15.2.14 Pressurizer Low Pressure SI

Steam. Line Low Pressure SI Main Steam System *OPDT Power Range High Flux RT (High or Low Setting)..

Spurious Operation of the Safety 15.2.15.1 Operator Action -Terminate'SI Pressurizer Low-Pressure*RT Injection System Condition III -Infrequent Faults 15.3 Loss of Reactor Coolant from Small 15.3.1

Pressurizer Low-Pressure RT Containment Pressure High Sl/RT Ruptured Pipes or from Cracks in *Pressurizer Low Pressure SI/RT Large Pipes that Actuate Emergency Core Cooling Systems Minor Secondary System Pipe Breaks 15.3.2 Bounded by Main Steam Line Rupture NA .analysis (Section 15.4.2.1);:

explicit analysis not performed Reactor trip does not occur for any of the cases analyzed.

The, plant reaches a-new equilibrium condition at a higher power level corresponding to the increase in steam flow.-3-17--"

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-1 DCPP FSARU Chapter 15 Safety Analysis Events and Mitigating Functions, Continued Event FSARU Primary Mitigating Function Backup Mitigating Function Section Inadvertent Loading and Operation of 15.3.3 None required Core loading administrative procedures a Fuel Assembly in an Improper contain controls to prevent fuel assembly Position loading errors. Errors will be detected by the Moveable Incore Detector System (MIDS); or will cause a sufficiently small perturbation to be;acceptable within the uncertainties allowed between nominal and design power shapes.Complete Loss of Forced Reactor 15.3.4 Above Permissive 7 (10% NI)

2/4 RCPBreaker.

Open Position RT Coolant Flow .RCP undervoltage RT (both buses) ...above Permissive 7 (No automatic trip below Permissive

.. RCP underfrequency RT (either bus)

2/3 RCS Flow-Low in 2/4 Loops RT 7) -,-. -..,. above Permissive 75 a '2/3.RCS Flow-Low in Any Loop RT above Permissive 8 (35% NI)4 Single Rod.-Cluster Control Assembly, 15.3.5 OTDT RT .Power-Range High Flux (High Setting)Withdrawal at Full Power RT Power-Range Flux Positive Rate RT Condition IV -Limiting Faults 15.4 Major Reactor Coolant System Pipe 15.4.1

Pressurizer Low Pressure RT Contain.ment Pressure High ESF (SI/RT)Rupture (LBLOCA)

Pressurizer Low Pressure SI Major Secondary System Pipe 15.4.2.1

Steam Line Low Pressure SI

Pressurizer Low Pressure SI Rupture -Rupture of a Main Steam

Containment High Pressure Sl'- .High Negative Steam Line Pressure Line at Hot Shutdown Rate (SLI)5 The Reactor Coolant Flow-Low Reactor Trip function provides primary protection for the single reactor coolant pump locked rotor event (Section 15.4.4). It provides backup protection to the UV/UF and RCP circuit breaker open reactor trip functions for the complete loss of forced reactor coolant flow event.3-18 PG&E NON-PROPRIETARY INFORMATION..

Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-1 DCPP FSARU Chapter 15 Safety Analysis Events and Mitigating Functions, Continued Event FSARU Primary Mitigating Function Backup Mitigating Function Section Major Secondary Pipe Rupture -Major 15.4.2.2

Steam Generator Level Low-Low RT and AFW

Pressurizer High-Pressure RT Rupture of a Main Feedwater Pipe actuation e OTDT RT* SI/RT on: o Steam Line Low-Pressure ,o High Containment Pressure Major Secondary System Pipe Rupture 15.4.2.3

Steam Line Low Pressure SI/RT e 4 0Pressurizer Low Pressure SI-Rupture of a Main Steam Line at Full ° OPDT RT Power Steam Generator Tube Rupture 15.4.3

OTDT RT ., .-Pressurizer Low-Pressure RT.Steam GeneratorHigh Level... ...-Permissive.

14 TT/RT P*. Pressurizer Low-P'ressure SI/RT Single Reactor Coolant Pump Locked 15.4.4

2/3 RCS Flow-Low in any Loop RT above .Pressurizer High Pressure RT Rotor Permissive 8 (35% NI)Fuel Handling Accident 15.4.5

None required .Not Applicable Rupture of a Control Rod Drive 15.4.6

Power-Range High Flux (High or Low Setting) RT

Source-Range High-Flux RT Mechanism Housing (Rod. Cluster ..- Intermediate-Range High-Flux RT Control Assembly Ejection Power-Range Flux Positive Rate RT Rupture of a Waste Gas Tank -15.4.7 ' None required .Not Applicable Rupture of a Liquid Holdup Tank 15.4.8 " None required " Not Applicable' Rupture of Volume Control Tank 15.4.9

None required

Not Applicable.'

Steam Line Break Inside Containment 6.2.2

Steamline Low Pressure -Containment High-High Pressure (Containment Heat Removal)

Pressurizer Low Pressure a Containment High Pressure 3-19 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-2 'Safety Analysis Events That Do Not Require PPS for Primary or Backup Protection (Category 1 Events)Event FSARU Primary Mitigating Function Backup Mitigating Function Section Condition II -Faults of Moderate 15.2 Frequency Uncontrolled Rod Cluster Control 15.2.1 Power-Range High-Flux (Low Setting) RT NIS trips are not subject to software Assembly Bank Withdrawal from CCF and are available(2):

Subcritical Condition a Source-Range High-Flux RT e Intermediate-Range High-Flux RT* Power-Range High-Flux (High Setting) RT* Power-Range Flux Positive Rate RT Rod Cluster Control Assembly 15.2.3 Power Range Neutron Flux None required per FSARU. Plant Misoperation reaches a new steady-state condition without exceeding a safety setpoint.-Uncontrolled Boron Dilution (During 15.2.4 Operator Action.- TerminateDilution.

NoneRequired.

Per FSARU Refueling)

Uncontrolled Boron Dilution (During 15.2.4 Source-Range High-Flux RT NIS trips are not subject to software Startup) CCF and are available 6.o Intermediate-Range High-Flux RT* Power-Range High Flux (Low* '. .'S setting) RT Uncontrolled Boron Dilution (At Power) 15.2.4 Operator Action -Terminate Dilution; Notified by: None Required Per FSARU Reactor Manual

Low Rod Insertion Alarm....* Low-Low Rod Insertion Alarm Startup of an Inactive Reactor Coolant 15.2.6 Event isprecluded by Tech'Spec requirements None required.Loop Sudden Feedwater Temperature 15.2.11 None Required -Load Transient Bypass (LTB) None Required Per FSARU Reductions

-function has been eliminated.

Bounded.by

-.Excessive Load Increase (FSARU 15.2.12)

_ .. ..6 The FSARU Section 15.2.12 analysis demonstrates that normal reactor control systems and engineered safety systems are not required to function.

The reactor protection system is assumed to be operable; however, reactor-trip is not, encountered for most cases due to the error allowances assumed in the setpoints.

In the event of software-related CCF, the OPDT and OTDT reactor trips may not be available.

3-20 -,

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth.Assessment, Table 3-2 Safety Analysis Events That Do Not Require PPS for Primary or Backup Protection (Category 1 Events), Continued Event FSARU Primary Mitigating Function Backup Mitigating Function Section Excessive Load Increase Incident 7 15.2.12 For all cases, the plant rapidly reaches a-stabilied

Power-Range High-Flux RT (High condition at the higher power level-.. Normal p!ant .,.pr Low Setting)operating procedures would then-be followed to

OTDT RT reduce power.....

..OPDT RT Reactor trip does not occur for any-of the cases -analyzed ____________________"_

Condition III -Infrequent Faults 15.3 Inadvertent Loading and Operation of a 15.3.3

None required.

=None- required.Fuel Assembly an in Improper Position Adequate measurements are taken to detect the existence of an improperly loaded fuel assembly.

-Complete-Loss of Forced Reactor Coolant 15.3.4 AbovePermissive 7 (10% NI)

2/14 RCP Breaker Open Position-Flow

RCP undervoltage RT (both buses) -RT above Permissive 7 (No automatic trip below Permissive

7) *. RCP underfrequency RT (either bus) ° 2/3 RCS Flow-Low in 2/4 Loops.I-RT above. Permrissive 7.,2/3 RCS Flow-Low in Any Loop-____- __"______,__.__-_....

__.__. RTabove Permissive 8 (35% NI)8 7 The FSARU analysis of this event does not require a primary mitigating'function.

7The diverse-high flux trips and the PPS functions provide backup in the unlikely event that areactor trip is. required.

° ...8 The Reactor Coolant Flow-Low Reactor Trip function provides primary protection for the single reactor coolant pump locked rotor event (Section 15.4.4). It provides backup protection to theLUV/UF and RCP circuit breaker open reactor trip functions for the complete loss of forced reactor coolant flow event.3-21' PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement

.Diversity and Defense in Depth Assessment Table 3-2 Safety-Analysis Events That Do Not Require PPS for Primary or Backup Protection (Category 1 Events), Continued Event FSARU Primary Mitigating Function Backup Mitigating Function Section Condition IV -Limiting Faults 15.4 Fuel Handling Accident 15.4.5 Not applicable, radiological release calculation only.Rupture of a Control Rod Drive 15.4.6 NIS trips are not subject to software CCF and are 9 Wide Range Reactor Coolant Mechanism Housing (Rod Cluster available System Pressure Control Assembly Ejection 0 Power-Range High Flux (High or Low Setting)

Pressurizer Safety Valves* Source-Range High-Flux* Intermediate-Range High-Flux 0 Power-Range Flux Positive Rate Rupture of a Waste Gas Tank 15.4.7 Not applicable, radiological release calculation only.Rupture of a Liquid Holdup Tank 15.4.8 Not applicable, radiological release calculation only.Rupture of Volume Control Tank 15.4.9 Not applicable, radiological-release calculation only.3-22 ':.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-3 Safety Analysis Events with Diverse Automatic Primary Safety Function Actuation That Require PPS for Backup Protection (Category 2 Events)Postulated Initiating Event FSARU Primary Mitigating Function Backup Mitigating Function Section Uncontrolled Boron Dilution (At 15.2.4 9 Power-range high flux (high setting) RT

Power-Range Flux High Power)

OTDT RT Positive Rate RT Reactor Auto

OPDTRT* Pressurizer High-Pressure RT* Pressurizer High-Level RT Spurious Operation of the Safety 15.2.15.1 Operator Action -Terminate SI Pressurizer Low Pressure SI/RT Injection System 3-23 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-4 Safety Analysis Events That Require Process Protection System Channels forPrimary Safety Function Actuation But Have Available Diverse Automatic Backup (Catego 3 Events)Event' Primary Function Backup Function Safety Signal Safety Signal Uncontrolled Rod Cluster Control Assembly OTDT RT 1T _ High Neutron Flux -Power Range RT (RCCA) Bank Withdrawal at Power (FSARU 15.2.2)Loss of Non-Emergency AC Power to the

RT on TT11 RT e Reactor Coolant Pump UV RT Station Auxiliaries

SG Low-Low Level AFW

2/4 RCP-Breaker Open Position FSARU 15.2.9) Actuation RT above Permissive 7* Pressurizer-High Pressure e Pressurizer High Level'a OTDT Excessive Heat Removal-due-to Feedwater

' Steam Generator High- TT/RT/

OTDT -RT Malfunctions 1 2 .Level Permissive 14 FLI -OPDT .(FSARU 15.2.10) ' .:.. : FAU520a High Power-Range Neutron Flux Single RCCA Withdrawal at Full Power Operator Action Alerted by: Terminate NA NA (FSARU 15.3.5' 9 .RCCA Withdrawal Alarm Rod* Rod Deviation Alarm. Withdrawal

Urgent Rod*Control Failure A larm ..... -_ __-_ _...._ ,_, Primary protection signal depends on the reactivity insertion rate. In general for slower reactivity-insertion rates the primary reactor trip signal occurs on OTDT, while for faster reactivity insertion rates the primary-,reactor trip signal is, on HNF-Power Range.10 Depending on initial bank insertion and location of the withdrawn RCCA, automatic reactor trip may not occur sufficiently fast to prevent the minimum core DNBR from falling below the safety limit value. Evaluation ofthis case at thepower and coolant condition atwhich OTDT trip would be expected to trip the plant shows that an upper limit for the number of rods with a DNBR less than the safety limit value is 5 percent.-11 Below 50% power (Permissive

9) a reactor trip does not automatically occur-on a turbine-trip signal.12 Primary reactor trip signal depends on initial accident conditions.

3-24 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-5 Safety Analysis Events That Use Process.Protection System Channels for Both Primary.,and Backup Safety Function.Actuation (Category 4 Events)Event Primary Function Backup Function Diverse (Non-PPS)

Protection, Indicators Safety Signal Safety Signal, and Alarms Partial Loss of Forced RCS Low Flow" RT None Credited (for NA Indication Reactor Coolant Flow (2/3 Flow-Low in single loop loss of

Reactor Coolant Pump Circuit Breaker (No automatic protection 2/4 loops > flow) Position below Permissive

7) Permissive 7; o Reactor Coolant Pump Overcurrent Trip (FSARU 15.2.5) 2/3 Flow-Low in 2/4 RCP Breaker 0 Wide Range Reactor Coolant System 1/4 loops > Open Position Pressure Permissive

8) above Permissive 7 a Pressurizer Safety Relief Valve Position provides backup for Pressurizer Relief & Safety Discharge loss of flow in more than one loop ..Temp.0 Core Exit Thermocouples (high)" Wide Range Steam Generator.

Level (low)Loss of External Electrical

Pressurizer RT -Pressurizer HiJh RT RT on TT (turbine trip only)14 Load and/or Turbine Trip High-Pressure Level RT (FSARU 15.2.7) RT -OTDT* OTDTRT Loss of Normal Feedwater

Steam RT/AFW .Pressurizer High RT .Protection (FSARU 15.2.8) Generator

..Pressure RT .AMSAC SNarrow Range Pressurizer Level Low-Low Level High Indication

OTDT *. Steam Generator Wide Range Level* Reactor Coolant System Wide Range Pressure Accidental Pressurizer Low RT. OTDT RT Indication Depressurization of the Pressure

Wide Range Containment Pressure Reactor coolant System ..* Pressurizer Relief & Safety Valve Pos.(FSARU 15.2.13)

Pressurizer Relief & Safety Discharge_ _. _ _Temp.13 The Reactor Coolant Flow-Low Reactor Trip function provides primary protection for the Partial Loss of Forced Reactor Coolant FIi6 event (Section 15.2.5). Although available, the diverse Reactor.Coolant circuit breaker open reactor trip functions do not provide automatic protection for single loop RCS low flow events.14 Below 50% power (Permissive

9) a reactor trip does not automatically occur on a turbine trip signal. AMSAC is not available below C-20 (40%RTP) per the AMSAC safety evaluation.

3-25 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3 -5 Safety Analysis Events That Use Process Protection System Channels for Both Primary and Backup Safety Function Actuation (Category 4 Events), Continued Events Primary Function Backup Function Diverse (Non-PPS)

Protection, Indicators Safety Signal Safety Signal and Alarms Accidental Pressurizer Low RT/ OPDT RT Protection Depressurization of the Pressure ESF Steam Line Low ESF 0 High Power Range Neutron Flux -RT Main Steam System.1 5 Pressure High Rate 0 Steam Line Low Pressure -ESF (FSARU 15.2.14) .RT on ESF RT Indication

Reactor Water Storage Tank Level Indicator and.Alarm* Steam Generator SafetyValve or Steam Dump Pos. Indication

Wide Range St eam Generator Level (low).Core Exit Thermocouples (low)Loss of Coolant Pressurizer Low ESF/ Containment High- ESF " Protection

.Accident 1 6 Pressure RT High.Pressure

.RCPOvercurrent Protection (FSARU 15.3.1) Containment High ESF (FSARU 15.4.1) Pressure RT Indication RT on ESF

Containment Radiation Monitors S.Reactor Water Storage Tank Level Indicator..and Alarm* Containment Sump Level" Core Exit Thermocouples (High)" Accumiulator Level and Pressure (Low)on Cotainment Temperature (High).* Voiume control Tank Level (low)u ýSbcooling Margin (Low, Low-Low)* Control Rod Drive Mechanism Fan Suction Temperature (High)15 An automatic reactor trip is not required for core protection..

Feedwater isolation is required to. prevent excessive moisture carryover to the turbine and water in the steam pipes (which could cause a steam line break event). Automatic actuation of feedwater'isolation is not available outside the PPS. Indications are available to the operator to alert this condition for manual control.16 Large Break LOCA analysis assumes that the rods do not drop.3-26 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3 -5 Safety Analysis Events That Use Process Protection System Channels for Both Primary and Backup Safety Function Actuation (Cateaorv 4 EventsV. Continued Event Primary Function Backup Function Diverse (Non-PPS)

Protection, Safety Signal Safety Signal Indicators and Alarms Minor Secondary System Bounded by Main Steam Line Rupture analysis (Section 15.4.2.1);

explicit analysis not performed Pipe Breaks (FSARU 15.3.2) -Major Secondary System

Steam Line Low SI

Pressurizer Low SI Indication*

.Pipe Rupture -Rupture Pressure Pressure

WideRange Steam Generator Level of a Main Steam Line at

Containment

High Negative SLI -Reactor Water Storage Tank Level Hot Shutdown High Pressure SI Steam Line l'indicator and Alarm (FSARU 15.4.2.1)

Pressure Rate Cor:eExit Thermocouples (Low)* Accumulator Level & Press. Indicators Major Rupture of a Main Steam Generator RT/AFW

Pressurizer High- RT .Protection Feedwater Pipe Narrow Range Low- Pressure

AMSAC (FSARU 15.4.2.2)

Low Level

OTDT .RT .RTonTT' Steam Line Low- Sl/RT'Pressure Indication

-High Containment SI/RT Wider Range Steam Generator Level Pressure .uc.(Low)

.SSubcoled Margin Monitor (Low)* Containment Sump Level (High)* Core Exit Thermocouples (High)* Pressurizer Relief Tank Level (High)Pressurizer Safety Relief Valve Position (Acoustic Monitors)_ Stem Leakoff Temperature (High)3-27 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3 -5 Safety Analysis Events That Use Process Protection System Channels for Both Primary and Backup Safety Function Actuation (Category 4 Events), Continued Event Primary Function Backup Function Diverse (Non-PPS)

Protection, Safety Signal Safety Signal Indicators and Alarms Major Secondary

Steam Line Low SI/RT e Containment High- SLI Indication System Pipe Rupture -Pressure High Pressure

Wide Range Steam Generator Level Rupture of a Main

OPDT RT RT

Pressurizer Low ESF a Reactor Water Storage Tank Level Steam Line at Full Pressure Indicator and Alarm Power

Containment High SI 0 Core Exit Thermocouples (Low)(FSARU 15.4.2.3)

Pressure

Accumulator Level & Press. Indicators Steam Generator Tube OTDT RT

Pressurizer Low RT Indication Rupture Pressure

Wide Range Reactor Coolant System (FSARU 15.4.3) .SteamGenerator-RT on TT Pressure High Level e Wide Range Steam Generator Level Permissive 14

Condenser air ejector radiation P Pressurizer Low ESF 0 Steam Generator blowdown steam line Pressure radiation Single Reactor Coolant Reactor Coolant RT

Pressurizer High RT Indication Pump Locked Rotor System Low Flow 1 7 Pressure

Reactor Coolant Pump Circuit Breaker (FSARU 15.4.4) Position Reactor coolant Pump Overcurrent Trip* Wide:Range Reactor Coolant System Pressure P pressurizer Relief & Safety Valve Pos.*2 _,Pressurizer Relief & Safety Discharge Temp..Core Exit Thermocouples (High).Wide Range Steam Generator Level*__ _ _ _ __ , ......_ _ .(low )17 The Reactor Coolant Flow-Low Reactor Trip function provides primary protection for the single reactor coolant pump locked rotor event (Section 15.4.4). Although available, the diverse Reactor Coolant circuit breaker open reactor trip functions do not provide automatic protection for single loop RCS low flow events.-3-28.

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in. DepthAssessment.

Table 3 -5 Safety Analysis Events That Use Process Protection System Channels for Both Primary and Backup Safety Function Actuation (Category 4 Events), Continued Event Primary Function Backup Function Diverse (Non-PPS)

Protection, Indicators Safety Signal Safety Signal and Alarms Steam Line Break Steamline Low ESF Containment High- SLI/CS Protection

.Inside Containment18, 19 Pressure High Pressure (coincident e High. PowerRange.

NeutronFlux (FSARU 6.2.2 -Pressurizer Low RT Containment High with SI) !

High Positive Neutron Flux Rate Containment Heat Pressure Pressure Removal) SI Indication

..Wide Range Steam Generator Level* RWST Level Indicator and Alarm* -Core-Exit Thermocouples (Low)e -Accumulator Level & Press. Indicators 18 Steam linebreak cases analyzed at power, without PPS functions, would receive high neutron flux reactor trip signals (Nuclear Instrumentation System).19 The FSARU analysis assumes Old Steam Line Break Protection, which is-conservative forplants such as DCPP with New Steam Line Break Protection Systems.3-29 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitiaatina Functions.

Indications and Manual Controls for Chaoter 15 Events Followina a Postulated CCF Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Section Function Available to Operator(=}

Available to Operator(3)Condition II -Faults of 15.2 Moderate Frequency Uncontrolled Rod 15.2.1 *Cluster Control Assembly Bank Withdrawal from a Subcritical Condition Uncontrolled Rod 15.2.2 Cluster Control Assembly Bank Withdrawal at Power Rod Cluster Control 15.2.3 Assembly Misoperation Uncontrolled Boron 15.2.4 Dilution (During Refueling) a 3-30 .

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Continued Manual Controls for Chapter 15 Events Following a Postulated CCF, Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Sectior -unction Available to Operator(2)

Available to Operator(3)

Uncontrolled Boron 15.2.4 Dilution (During Startup)Uncontrolled Boron 15.2.4 Dilution (At Power)Partial Loss of Forced 15.2.5 Reactor Coolant Flow Loss of External 15.2.7 *Electrical Load and/or Turbine Trip a... .3-31 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Initiating Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Section Function Available to Operator(2)

Available to Operator(3)

Loss of Normal 15.2.8 *Feedwater Flow Loss of Non-Emergency 15.2.9 *AC Power to the Station Auxiliaries Excessive Heat 15.2.10 *Removal Due to Feedwater System Malfunctions Sudden Feedwater 15.2.11 .Temperature Reduction I 3-32 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls____ ___ Section Function Available to Operator 2) Available to Operator 3)Excessive Load 15.2.12 -Increase Incident Accidental 15.2.13 .Depressurization of the Reactor Coolant System Accidental 15.2.14 *Depres surization of the Main Steam System a 3-33 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse.Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, I Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Section Function Available to Operator(2)

Available to Operator(3)

Spurious Operation of 15.2.15 *the Safety Injection System at Power a 3.34.-

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions', Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Update Function Available to Operator(2)

Available to Operator(3)Section Condition III -Faults of 15.3 Moderate Frequency Loss of Reactor Coolant 15.3.1 from Small Ruptured Pipes or from Cracks in Large Pipes that Actuate Emergency Core Coolant System Minor Secondary 15.3.2 System Pipe Breaks Inadvertent Loading and 15.3.3 Operation of a Fuel Assembly an in Improper Position a 3-35 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Update Function Available to Operator(2)

Available to Operator(3)

Section Complete Loss of 15.3.4 Forced Reactor Coolant Flow (No automatic protection below Permissive 7)Single Rod Cluster 15.3.5 Control Assembly Withdrawal at Full Power a 3-36 I PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Section Function Available to Operator(2 1 Available to Operator(3)

Condition IV -Limiting 15.4 Faults Major Reactor Coolant 15.4.1 System Pipe Ruptures (LOCA)aýý37 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Section Function Available to Operator 2) Available to Operator(3)

Major Secondary 15.4.2.1 System Pipe Rupture -Rupture of a Main Steam Line (zero power)Major Secondary 15.4.2.2 System PiperRupture

-Major Rupture of a Main Feedwater Pipe a 3-38 .

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Continued Controls for Chapter 15 Event Following a Postulated CCF, Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls Section --Function Available to Operator(2) Available to Operator(3)

Major Secondary 15.4.2.3 System Pipe Rupture -Rupture of a Main Steam Line at Full Power Steam Generator Tube 15.4.3 Rupture (SGTR)a 3-39 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls.__ __S_ tion Function Available to Operator(2) Available to Operator(3)Single Reactor Coolant 15.4.4 Pump Locked Rotor Fuel Handling Accident 15.4.5 Rupture of a Control 15.4.6 Rod Drive Mechanism Housing (RodCluster Control Assembly Ejection)Rupture of a Waste Gas 15.4.7 Tank Rupture of a Liquid 15.4.8 Holdup Tank Rupture of Volume 15.4.9 Control Tank a PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment Table 3-6 Diverse Automatic Mitigating Functions, Indications and Manual Controls for Chapter 15 Events Following a Postulated CCF, Continued Event FSARU Diverse Automatic Mitigating Diverse MCR Indications Diverse MCR Controls-Section Function Available to Operator(2)

Available to Operator(3)Steam Line Break 6.2.2 , Inside Containment (Containment Heat Removal)Notes: 1 2 3 4 L Deleted " For all events, manual RCS boron concentration sampling capability is required to verify shutdown margin for plant recovery.For all events, the ability to maintain SG water level is required for plant recovery.

In addition, RCS long term shutdown margin maintenance (emergency boration) is required.Deleted II a 3-41:

PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment This page. leftblank by i4tent 3-42 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 4.0 Abbreviations and Acronyms 52HF15 4 KV Switchgear Bus "F" Breaker 15 (DCPP Unit 1 SI Pump 1)AFW Auxiliary Feedwater ALS Advanced Logic system AMSAC ATWS Mitigation System Actuation Circuitry ANS American Nuclear Society ATWS Anticipated Transient Without SCRAM BTP Branch Technical Position BYA Bypass Reactor Trip Breaker A BYB Bypass Reactor Trip Breaker B CC1 Main Control Room Control Console Section 1 (Reactor Control)CC2 Main Control Room Control Console Section 2 (Demin & Makeup Water)CCF Common Cause Failure CLI Current Loop Isolator CNAC Main Control Room Control Board Accumulator Service (VB2)CNSI Main Control Room Control Board Safety Injection (VB1)CNV Main Control Ro0ri Control Board Chemical & Volume Control System (VB2)CRDM Control Rod Drive.Mechanism CS Containment Spray CS Control Switch [Figure 2-3 and Figure 2-4]D3 Diversity and Defense-in-Depth DAC Digital-to-Analog Converter DAS Diverse Actuation System DCPP Diablo Canyon Power Plant DDC Digital-Digital Converter DFP Digital Filter Processor DFWCS Digital Feedwater Control System DI&C Digital Instrument

& Control DLH Data Link Handler DNBR Departure from Nucleate.Boiling Ratio DTTA Delta-T Taverage EAI Eagle Analog Input EAO Eagle Analog Output ECO Eagle Contact Output Eli Voltage to Current Converter EPRI Electric Power Research Institute EPT Eagle Partial Trip ERFDS Emergency Response Facility Data System ESF Engineered Safety Features ESFAS Engineered Safety Features Actuation System FLB Feedwater Line Break FPGA Field Programmable Gate Array FSARU Final Safety Analysis Report Update FW Feedwater FWI Feedwater Isolation FWM Feedwater Malfunction HFE Human Factors Engineering HNF High Neutron Flux HMI Human Machine Interface 4-1 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment I&C Instrument

& Control lIE Current to Voltage Converter IEEE Institute of Electrical and Electronic Engineers IR Intermediate Range ISG Interim Staff Guidance ISLN/ISOL Isolation LAR License Amendment Request LBLOCA Large Break LOCA LCP Loop Calculation Processor LLC Limited Liability Corporation LOCA Loss of Coolant Accident LOF Loss of Flow LOL Loss of Load LONF Loss of Normal Feedwater .v, LOOP Loss of Offsite Power LR Locked rotor LTB Load Transient Bypass LTOPS Low Temperature Overpressure Protection System, MAS Main Annunciator System MCB Main Control Board MCR Main Control Room MFW Main Feedwater M-G Motor Generator MIDS Moveable Incore Detector System MSFIS Main Steam and Feedwater Isolation System MSS Main Steam System NI Nuclear Instrumentation NIS Nuclear Instrumentation System NR Narrow Range NRC United States Nuclear Regulatory Commission NSSS Nuclear Steam Supply System OPDT Overpower Delta Temperature OTDT Overtemperature Delta !;Temperature PAM Post Accident Monitoring PG&E Pacific Gas & Electric Co.PIE Postulated Initiating Event PLC Programmable Logic Controller PLOF Partial Loss of Flow PORV Power Operated Relief Valve PPC Plant Process Computer PPS Process Protection System PR Power Range PSRV Pressurizer Safety Relief Valve PT Potential Transformer PWR Pressurized Water Reactor PZR Pressurizer RC Reactor Coolant RCCA Rod Cluster Control Assembly RCP Reactor Coolant Pump RCS Reactor Coolant System 4 PG&E NON-PROPRIETARY INFORMATION 1 Diablo Canyon Power Plant Process Protection System Replacement-Diversity and, Defense in Depth Assessment, RHR Reactor Heat Removal RMU Reactor Makeup RNARA Nuclear Auxiliary Relay Rack A DCPP Electric Equipment Code Designation RNARB Nuclear Auxiliary Relay Rack BDCPP Electric Equipment Code Designation RNSLA SSPS LogicRack A DCPP Electric Equipment Code Designation RNSLB SSPS Logic Rack B DCPP Electric Equipment Code Designation RPS Reactor Protection System RT Reactor Trip RTA Reactor Trip Circuit Breaker "A" RTB Reactor Trip Breaker RTD Resistance Temperature Detector RTP Reactor Thermal Power RTS Reactor Trip System RWAP Rod Withdrawal at Power RWST Reactor Water Storage Tank SBLOCA Small Break LOCA SER Safety Evaluation Report SG Steam Generator

.SGL Steam Generator Level SGTR Steam Generator Tube Rupture SHF15 4 KV Switchgear Bus "F" Cubicle 15 (DCPP Unit 1 Sl Pump 1)SI Safety Injection SIS Safety Injection Signal SL Steam Line SLB Steam Line Break SLI Steam Line Isolation SRP Standard Review Plan SR Source Range SSI Spurious Safety Injection SSPS Solid State Protection System Tavg Average Reactor Coolant Temperature Tc Cold Leg Reactor Coolant Temperature TC Circuit Breaker Trip Coil Th Hot Leg Reactor Coolant Temperature TMR Triple Modular Redundant TSP Test Sequence Processor TT Turbine Trip TWG Task Working Group UF Underfrequency UV Undervoltage UVXA Undervoltage Auxiliary Relay "A" VB1 Main Control Room Vertical Control Board Section 1 VB2 Main Control Room Vertical Control Board Section 2 VCT Volume Control Tank WCAP Westinghouse Commercial Atomic Power WCNOC Wolf Creek Nuclear Operating Company WR Wide Range 4-3, PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power PlantiProcess Protection System ReplaCement Diversity and Defense in Depth Assessment This page left blank by intent 4-4 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant Process Protection System Replacement Diversity and Defense in Depth Assessment 5.0 References

1. Diablo Canyon Power Plant Final Safety Analysis Report (FSARU)2. WCAP-7306, Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors, Westinghouse Electric Corporation, 1969 (Non-Proprietary Class 3).3. DI&C-ISG-02, NRC Digital I&C (DI&C) Task Working Group (TWG) #2, Diversity and Defense-in-Depth Issues, Interim. Staff Guidance (ISG) Revision 2, June 5, 2009 4. NUREG/CR-6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," October 1994 5. NUREG-0800, "Standard Review Plan," Chapter 7, Appendix 7-1C, Revision 5, March 2007 6. Triconex Corporation Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, '"Amendment 1 to Qualification Summary Report," Revision 1 published as EPRI TR-1000799, "Generic Qualification of the Triconex Corporation TRICON Triple Modular Redundant Programmable Logic Controller System for Safety-Related Applications in Nuclear Power Plants," November 2000 7. Letter from Stuart A. Richards (NRC) to Troy Martel (Triconex Corporation), "Review of Triconex Corporation Topical Reports 7286-545, "Qualification Summary Report" and 7286-546, "Amendment 1 to Qualification Summary Report," Revision 1" December 11, 2001 published as.EPRI TR-!00314 Accession Number ML013470433

8. Letter No. NRC-V10-09-01, J. Polcyn (Invensys) to NRC, "Nuclear Safety-Related Qualification of the Tricon TMR Programmable Logic Controller (PLC) -Update to Qualification Summary Report Submittal and "Application for withholding Proprietary Information from Public Disclosure," dated September 9, 2009 9. 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants" 10. IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations" 11. NRC, Safety Evaluation Report Wolf Creek Nuclear Operating Company (WCNOC)Main Steam and Feedwater Isolation System (MSFIS), Accession Number ML090610317

12. ALS Platform Overview, 6002-00026, CS Innovations, LLC, Rev 1, July, 2008 13. NRC, "Safety Evaluation Report Eagle 21 Reactor Protection System Modification With Bypass Manifold Elimination, PG&E, Diablo Canyon Power Plant, " (October 7, 1993)14. NUREG-0800, Standard Review Plan, BTP 7-19, "Guidance for Evaluation of Defense-in-Depth and Diversity in Digital Computer-Based Instrumentation and Control Systems," March 2007 5-1 PG&E NON-PROPRIETARY INFORMATION Diablo Canyon Power Plant'ýProcess Protection System Replacement Diversity and Defense in DepthAssessment Th'is page left blank by intent 5-2

v t e Letter Sequence Request
TAC:ME3722, Relocate Surveillance Frequencies to Licensee Control - RITSTF Initiative 5B (Approved, Closed) TAC:ME3732, (Open)
Initiation Request Acceptance Supplement Administration Questions 21 October 2010 Answers Results Approval Other:
MONTHYEAR2010-05-05 [Table View]

ML101100647

Text

Navigation menu

Search