ML110480845


Safety Evaluation for Topical Report on Diversity and Defense-in-Depth of New Process Protection System Replacement
Person / Time
Site: Diablo Canyon (Pacific Gas & Electric)
Issue date: 04/19/2011
From: Markley M, Plant Licensing Branch IV
To: Conway J, Pacific Gas & Electric Co
Contact: Wang, A B, NRR/DORL/LPLIV, 415-1445
References: TAC ME4094, TAC ME4095


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

April 19, 2011

Mr. John T. Conway
Senior Vice President-Energy Supply and Chief Nuclear Officer
Pacific Gas and Electric Company
Diablo Canyon Power Plant
77 Beale Street, Mail Code B32
San Francisco, CA 94105

SUBJECT:

DIABLO CANYON POWER PLANT, UNIT NOS. 1 AND 2 - SAFETY EVALUATION FOR TOPICAL REPORT, "PROCESS PROTECTION SYSTEM REPLACEMENT DIVERSITY & DEFENSE-IN-DEPTH ASSESSMENT" (TAC NOS. ME4094 AND ME4095)

Dear Mr. Conway:

By letter dated April 9, 2010, as supplemented by letters dated August 12 and September 9, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML101100646, ML102280367, and ML102580726, respectively), Pacific Gas and Electric Company (PG&E, the licensee) submitted a request for approval of a topical report in support of its planned upgrade to the Diablo Canyon Power Plant, Unit Nos. 1 and 2 (DCPP) digital Process Protection System (PPS). Specifically, the licensee requested approval of Topical Report, "Process Protection System Replacement Diversity & Defense-in-Depth Assessment," Revision 0, dated March 2010, and Revision 1, dated August 2010 (ADAMS Accession Nos. ML101100647 and ML102580725, respectively), for use at DCPP. Revision 1 of this topical report reflects changes resulting from the U.S. Nuclear Regulatory Commission (NRC) staff's request for additional information dated July 12, 2010 (ADAMS Accession No. ML101930498).

The NRC staff's evaluation of the DCPP diversity and defense-in-depth (D3) assessment was performed in accordance with the guidance of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition," (SRP) Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems," Revision 5, March 2007 (ADAMS Accession No. ML070550072), as well as the supplemental guidance provided by Digital Instrumentation and Controls, DI&C-ISG-02, "Task Working Group #2: Diversity and Defense-in-Depth Issues, Interim Staff Guidance," Revision 2, dated June 5, 2009 (ADAMS Accession No. ML091590268). The DCPP D3 assessment was performed with the assumption that a software common-cause failure (SWCCF) would result in a failure of the Tricon portion of the digital PPS. The NRC staff concludes that the changes that are being made to the digital PPS will not adversely impact the safety determination that was made for the Eagle 21 digital PPS system. Therefore, there is adequate diversity and defense-in-depth within the revised plant design such that the plant responses to the design basis events concurrent with potential SWCCF meet the acceptance criteria specified in BTP 7-19.

The NRC staff's safety evaluation (SE) is enclosed. Please note that this SE identifies some additional areas that PG&E should address in its related license amendment request to support the digital upgrade of the DCPP PPS. If you have any questions, please contact Alan B. Wang at (301) 415-1445 or alan.wang@nrc.gov.

Sincerely,

Michael T. Markley, Chief
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosure:
Safety Evaluation

cc w/encl: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION REGARDING DIABLO CANYON POWER PLANT, UNITS 1 AND 2, TOPICAL REPORT "PROCESS PROTECTION SYSTEM REPLACEMENT DIVERSITY & DEFENSE-IN-DEPTH ASSESSMENT"

DOCKET NOS. 50-275 AND 50-323

1.0 INTRODUCTION

By letter dated April 9, 2010, as supplemented by letters dated August 12 and September 9, 2010 (References 1, 2, and 3, respectively), Pacific Gas and Electric Company (PG&E, the licensee) submitted a request for approval of a topical report in support of its planned upgrade to the Diablo Canyon Power Plant, Unit Nos. 1 and 2 (DCPP) digital Process Protection System (PPS). Specifically, the licensee requested approval of Topical Report, "Process Protection System Replacement Diversity & Defense-in-Depth Assessment," Revision 0, dated March 2010, and Revision 1, dated August 2010 (References 4 and 5, respectively), for use at DCPP. Revision 1 of this topical report reflects changes resulting from the U.S. Nuclear Regulatory Commission (NRC) staff's request for additional information dated July 12, 2010 (Reference 6).

The current DCPP Eagle 21 PPS is a digital system which was installed to replace the original Westinghouse analog model 7100 PPS. The licensee plans to replace the Eagle 21 digital PPS system with replacement digital systems composed of a Field Programmable Gate Array (FPGA) based Advanced Logic Systems (ALS) platform and a Tricon Programmable Logic Controller (PLC) based platform. Like the Eagle 21 system, the replacement digital PPS uses the same software and hardware for all four safety channels. The diversity and defense-in-depth (D3) analysis and its associated impact analysis are intended to address vulnerabilities to the new digital PPS that may result from potential software common-cause failures (SWCCF) with digital computer-based instrumentation and control (I&C) systems that would defeat the redundancy achieved by the hardware architecture. The analyses are performed in accordance with NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition," (SRP) Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems," Revision 5, March 2007 (Reference 7). The D3 analysis assumes complete failure of the portion of the digital system which is considered to be susceptible to an SWCCF and assesses the response of the plant to design basis accident conditions given such a failure. For the DCPP digital PPS system upgrade project, an SWCCF is assumed to result in a failure of the computer based digital systems to provide the necessary inputs to the existing analog Solid State Protection System (SSPS) in order for the SSPS to complete its safety functions. The SSPS is not being modified for the PPS replacement project.

2.0 REGULATORY EVALUATION

The regulatory requirements and guidance which the NRC staff considered in its review of the applications are as follows:

  • Title 10 of the Code of Federal Regulations (10 CFR) paragraph 50.55a(h), "Protection and safety systems," requires compliance with Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, the applicant/licensee may elect to comply instead with their plant-specific licensing basis. For nuclear power plants with construction permits issued between January 1, 1971, and May 13, 1999, the applicant/licensee may elect to comply instead with the requirements stated in IEEE Std. 279-1971, "IEEE Standard: Criteria for Protection Systems for Nuclear Power Generating Stations." IEEE Std. 603-1991, Clause 5.1, "Single-Failure Criterion," requires, in part, that "The safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures ..."

IEEE Std. 279-1971, Clause 4.2, "Single Failure Criterion," requires, in part, that "Any single failure within the protection system shall not prevent proper protective action at the system level when required."

  • Paragraph 50.62, "Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants," of 10 CFR requires, in part, various diverse methods of responding to ATWS.
  • Part 50, "Domestic Licensing of Production and Utilization Facilities," of 10 CFR establishes the fundamental regulatory requirements with respect to the domestic licensing of nuclear production and utilization facilities. Specifically, Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50 provides, in part, the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety.

  • ... as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

  • GDC 20, "Protective system functions," of Appendix A to 10 CFR Part 50 requires that The protection system be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.
  • GDC 21, "Protection system reliability and testability," of Appendix A to 10 CFR Part 50 requires that The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.
  • GDC 22, "Protection system independence," of Appendix A to 10 CFR Part 50 requires, in part, that Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.
  • GDC 23, "Protection system failure modes," of Appendix A to 10 CFR Part 50 requires that The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

  • GDC 24, "Separation of protection and control systems," of Appendix A to 10 CFR Part 50 requires that The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.
  • NRC Regulatory Guide (RG) 1.53, "Application of the Single-Failure Criterion to Safety Systems," Revision 2, November 2003 (Reference 8), clarifies the application of the single-failure criterion (GDC 21) and endorses IEEE Std. 379-2000, "IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems." Clause 5.5, "Common cause failures," of IEEE Std. 379-2000, identifies D3 as a technique for addressing common-cause failures, and Clause 6.1, "Procedure," identifies logic failures as a type of failure to be considered when applying the single-failure criterion.
  • BTP 7-19 (Reference 7) provides the NRC staff's position and guidance for the D3 evaluation to address the concern regarding common-cause failure (CCF) vulnerabilities with regard to the use of digital computer-based I&C systems.

For operating reactors, BTP 7-19 provides the following four-point position on D3 for digital system modifications:

Point 1 The applicant/licensee should assess the D3 of the proposed I&C system to demonstrate that vulnerabilities to common-cause failures have been adequately addressed.

Point 2 In performing the assessment, the vendor or applicant/licensee should analyze each postulated common-cause failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best-estimate or SAR Chapter 15 analysis methods. The vendor or applicant/licensee should demonstrate adequate diversity within the design for each of these events.

Point 3 If a postulated common-cause failure could disable a safety function, a diverse means, with a documented basis that the diverse means is unlikely to be subject to the same common cause failure, should be required to perform either the same function as the safety system function that is vulnerable to common-cause failure or a different function that provides adequate protection. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform the necessary function under the associated event conditions.

Point 4 A set of displays and controls located in the main control room should be provided for manual system-level actuation of critical safety functions and for monitoring of parameters that support safety functions. The displays and controls should be independent and diverse from the computer-based safety systems identified in Points 1 and 3.

If a postulated CCF could disable a safety system, then a diverse means that may be a non-safety system of sufficient quality but is unlikely to be subject to the same CCF should be required to perform either the same function or a different function. Section 3, "Acceptance Criteria," of BTP 7-19 also specifies the acceptance criteria regarding the radiological consequences and the integrity of the reactor coolant pressure boundary (RCPB) and containment for the best estimate (BE) analysis of plant response of the design basis events occurring in conjunction with each single postulated CCF. If a CCF results in a plant response that requires reactor trip and/or engineered safety feature (ESF) actuation, then a diverse means that is not subject to or failed by the postulated failure should be provided to perform the reactor trip and/or ESF function.

  • The NRC Staff Requirements Memorandum on SECY 93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated July 21, 1993 (Reference 9), describes the position of NRC regarding D3. Guidance on the evaluation of D3 is provided in BTP 7-19. In addition, NUREG/CR-6303, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," dated December 1994 (Reference 10), summarizes several D3 analyses performed after 1990 and presents a method for performing such analyses. Additional guidance on the evaluation of the need for D3, and acceptable methods for implementing the required D3 in digital I&C system designs, is contained in Digital Instrumentation and Controls, DI&C-ISG-02, "Task Working Group #2: Diversity and Defense-in-Depth Issues, Interim Staff Guidance," Revision 2, dated June 5, 2009 (ISG DI&C-ISG-02) (Reference 11).

3.0 TECHNICAL EVALUATION

The DCPP D3 assessment for the replacement digital PPS provides:

  • A description of the DCPP integrated digital PPS system design,
  • A description of the technique employed for maximizing PPS system dependability to aid in reducing the occurrence of an SWCCF,
  • A description of the diversity between the PPS software and the plant control systems, indications, alarms and readouts, and manual circuitry, and
  • An analysis of the design-basis transients and accidents with the assumed SWCCF to demonstrate that plant responses to these transients and accidents can successfully comply with the acceptance criteria with the aid of the diverse systems and/or operator actions.

The fundamental assumption in the DCPP D3 assessment is that a worst-case SWCCF results in a total failure of the Tricon portion of the PPS system. The ALS portion of the PPS system will be designed with sufficient built-in diversity features such that the functions performed by this subsystem will not be adversely affected by an SWCCF. The ALS platform uses FPGA technology. A description of the methods that ALS is using to establish the system's built-in diversity was provided to the NRC in the licensee's letter dated August 12, 2010, in response to the NRC staff's request for additional information (RAI) question 6 (Reference 2). The details of this discussion are proprietary and thus will not be discussed in this safety evaluation (SE); however, the NRC staff determined that the design approaches being proposed to establish the ALS system's diversity characteristics, which include independent and diverse execution paths across redundant hardware components, are consistent with guidance provided by ISG DI&C-ISG-02 (Reference 11) and are therefore adequate. Westinghouse is expected to provide the detailed information necessary for the NRC to determine that the ALS possesses adequate design diversity in the ALS Topical Report.

The NRC staff performed an evaluation of the DCPP D3 assessment in accordance with the BTP 7-19 guidance as well as the supplemental guidance provided by ISG DI&C-ISG-02. The methodology used in the applicant's D3 assessment, assuming a worst-case SWCCF, is an analysis of the design-basis transients and accidents with no automatic protective actions which are reliant on the Tricon portion of the PPS. These protective actions are normally initiated via the SSPS. The objective of the licensee's analysis was to demonstrate that DCPP can remain within its licensing design bases without automatic actuation of those protective features that rely on input from the PLC computer-based Tricon portion of the PPS. It should be noted that, in the analysis, the licensee takes credit for other automatic systems that are not affected by the PPS Tricon SWCCF. These other systems are therefore assumed to respond as designed.

The analysis credits operator manual actions to initiate protection functions within assumed operator action times. The built-in diversity of the ALS portion of the PPS is also credited and it is assumed that the functions performed by the ALS subsystem will not be adversely affected by any single SWCCF.

3.1 Acceptance Criteria

For the D3 analysis, BTP 7-19 specifies the following acceptance criteria for BE analyses of the plant response of the design-basis transients and accidents in conjunction with each SWCCF:

1. For anticipated operational occurrences, the BE analyses should not result in the radiation release exceeding 10 percent of the 10 CFR 100 guideline value, or violation of the integrity of the RCPB.
2. For postulated accidents, the BE analyses should not result in the radiation release exceeding the 10 CFR 100 guideline value, or violation of the integrity of the RCPB or violation of the integrity of the containment.
3. No failure of monitoring or display systems should influence the functioning of the reactor trip system (RTS) or engineered safety feature actuation system (ESFAS). If plant monitoring system failure induces operators to attempt to operate the plant outside safety limits or in violation of the limiting conditions of operation, the analysis should demonstrate that such operator-induced transients will be compensated for by protection system function.

In addition, BTP 7-19 states that the licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.

A defense-in-depth SE for the Eagle 21 digital PPS system was performed by the NRC staff as part of the license amendment issued to support the replacement of the 7100 PPS system in 1993 (Reference 12). As stated in the NRC staff's SE dated October 7, 1993, Section 3.1, "Eagle 21 Defense-in-Depth":

The licensee divided the licensing basis accidents and events into four categories as follows:

1. Events that do not require Eagle 21 for primary or backup protection
2. Events that do not require Eagle 21 for primary protection but assume Eagle 21 protection system signals for backup
3. Events that require Eagle 21 for primary protection signals but will receive automatic backup protection from systems other than Eagle 21
4. Events that assume Eagle 21 for primary and backup protection signals for some aspect of automatic protection.

In the Eagle 21 SE, the NRC staff evaluated the diverse backup actuations and indications available in the control room, as referenced by the licensee for the four event categories to cope with a potential CCF of the Eagle 21 PPS concurrent with a Final Safety Analysis Report Update (FSARU) Chapter 15 licensing design basis event. Based on the licensee's evaluation, the NRC staff determined that the licensee's D3 assessment provided reasonable assurance that should a CCF of the Eagle 21 system occur, there exists appropriate diverse means via ATWS Mitigation System Actuation Circuitry (AMSAC) and other diverse systems to mitigate the events.

In the licensee's PPS replacement systems D3 assessment, an analysis of the same licensing basis accidents and events was performed and similar event categories were applied to the replacement PPS system. Tables 3-2 through 3-5 in the Topical Report list the safety analysis events in the following categories which correspond to the four Eagle 21 categories used in the Eagle 21 defense-in-depth evaluation.

1. Table 3-2, Safety Analysis Events That Do Not Require PPS for Primary or Backup Protection (Category 1 Events).
2. Table 3-3, Safety Analysis Events With Diverse Automatic Primary Safety Function Actuation That Require PPS for Backup Protection (Category 2 Events).
3. Table 3-4, Safety Analysis Events That Require Process Protection System Channels For Primary Safety Function Actuation But Have Available Diverse Automatic Backup (Category 3 Events).
4. Table 3-5, Safety Analysis Events That Use Process Protection System Channels For Both Primary And Backup Safety Function Actuation (Category 4 Events).

Table 3-6, "Diverse Automatic Mitigating Functions, Indications, and Manual Controls for Chapter 15 Events Following a Postulated CCF," provides a list of diverse protection, indications, alarms, and controls which includes non-PPS functions. These displays and controls address Point 4 of BTP 7-19 because they are located in the main control room and they provide for manual system-level actuation of critical safety functions. They also provide for monitoring of parameters that support safety functions. The displays and controls used at DCPP should be independent and diverse from the computer-based PPS system.

The categorization of events does not distinguish between the Tricon (susceptible to SWCCF) and the ALS (additional diversity proposed to address SWCCF) portions of the PPS. The safety functions that are performed by the ALS portion of the PPS are still considered to be functions of the PPS. As such, the Category 4 Events that were classified during the Eagle 21 D3 assessment remain Category 4.

For events where the Eagle 21 SE had credited manual action for mitigation of events that occurred concurrently with the Eagle 21 SWCCF, automatic protection functions will be performed by the ALS portion of the PPS even though the capability to perform these manual action functions will be retained. The applicant has proposed that the functions performed by the ALS portion of the PPS should have sufficient built-in diversity to address SWCCFs.

3.2 Credit for Other Automatic Actuation Systems

In addition to the PPS, DCPP has other systems that are used for normal operational control or are credited for meeting regulatory requirements. These systems are independent of the digital PPS and are not affected by an SWCCF of the PPS, and are, therefore, credited in the D3 assessment. These systems are:

  • The ALS Portion of the PPS
  • Neutron Flux Measurement Instrumentation
  • Solid State Protection System (SSPS)
  • ATWS Mitigation System Actuation Circuitry (AMSAC)
  • RCP Circuit Breaker Open Reactor Trip

The DCPP PPS monitors plant parameters, compares them against setpoints, and provides trip signals to the SSPS if setpoints are exceeded. The SSPS evaluates the signals through coincident logic and performs RTS and ESFAS command functions to mitigate an event.
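The paragraph above describes the PPS-to-SSPS path: per-channel setpoint comparisons feed a coincidence vote. The model below, added here as an illustration and not the DCPP design or any vendor's code, shows why that architecture tolerates a single random channel failure but not a software common-cause failure: the same comparison software runs in all four channels, so a shared defect removes every input to the vote at once. The channel names, the 2-out-of-4 voting threshold, the process value, and the setpoint are all constructed for the example.

```python
"""Added illustration (not the DCPP design or any vendor's code): four
redundant protection channels feeding a coincidence vote, used to show
why a software common-cause failure (SWCCF) defeats the redundancy that
covers a single random failure. All values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Comparator = Callable[[float, float], bool]


def healthy_compare(value: float, setpoint: float) -> bool:
    """Correct bistable: assert a partial trip when the parameter exceeds the setpoint."""
    return value > setpoint


def swccf_compare(value: float, setpoint: float) -> bool:
    """Constructed worst-case software defect: the comparison never asserts.
    Loading it into every channel models the SWCCF the assessment postulates,
    because the same software is installed in all four safety channels."""
    return False


@dataclass
class Channel:
    name: str
    measured: float              # constructed process value seen by this channel
    compare: Comparator          # software performing the setpoint comparison
    hardware_failed: bool = False  # one random hardware failure, if any

    def partial_trip(self, setpoint: float) -> bool:
        if self.hardware_failed:
            return False         # conservative: a failed channel contributes no trip
        return self.compare(self.measured, setpoint)


def coincidence_trip(channels: List[Channel], setpoint: float, needed: int = 2) -> bool:
    """Voting stage standing in for the SSPS: trip when at least `needed`
    channels (2-out-of-4 here) assert a partial trip."""
    return sum(ch.partial_trip(setpoint) for ch in channels) >= needed


def build_channels(compare: Comparator, failed: str = "") -> List[Channel]:
    # Constructed: all four channels see the same out-of-range value.
    return [Channel(n, measured=2400.0, compare=compare, hardware_failed=(n == failed))
            for n in ("I", "II", "III", "IV")]


def scenarios(setpoint: float = 2385.0) -> Dict[str, bool]:
    """Whether the automatic protective action is generated in each case."""
    return {
        "all channels healthy":
            coincidence_trip(build_channels(healthy_compare), setpoint),
        # Single-failure criterion: one channel lost, three still vote, so it trips.
        "one channel hardware failure":
            coincidence_trip(build_channels(healthy_compare, failed="II"), setpoint),
        # SWCCF: identical software fails identically in all four channels,
        # so hardware redundancy is defeated and no automatic trip is produced.
        "software common-cause failure":
            coincidence_trip(build_channels(swccf_compare), setpoint),
    }


def diverse_means_required(results: Dict[str, bool]) -> List[str]:
    """Cases where the credited trip is lost and a diverse means (AMSAC, the
    ALS portion of the PPS, or manual operator action) must carry the function."""
    return [case for case, tripped in results.items() if not tripped]


if __name__ == "__main__":
    for case, tripped in scenarios().items():
        print(f"{case:32s} trip={'yes' if tripped else 'NO'}")
    print("diverse means required for:", diverse_means_required(scenarios()))
```

The two healthy cases trip because the vote sees at least two asserted partials; the SWCCF case produces none, which is exactly the condition under which the assessment must show a diverse means outside the Tricon software.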

The AMSAC system was installed in compliance with 10 CFR 50.62 requirements to improve the capability to mitigate an ATWS event. Diversity between the AMSAC and the Eagle 21 PPS was based on differences in complexity between the Eagle 21 PPS system and the AMSAC system. An evaluation of the safety significance of common-mode failure mechanisms in the Eagle 21/AMSAC systems by the inclusion of identical/similar hardware and software in both systems was also performed. The NRC staff determined that the postulated Eagle 21/AMSAC systems common-mode failure susceptibility was adequately compensated for by sufficient quality, reliability, and diversity. The replacement ALS/Tricon-based PPS system maintains the quality and reliability aspects established for the Eagle 21 system and provides an additional level of diversity because the PPS is provided by a different manufacturer and uses different isolation devices and components from the AMSAC system. A high level of diversity is being maintained between the AMSAC system and the replacement PPS. The SSPS and AMSAC are existing systems that are not affected by the replacement PPS project.

3.3 Credit for Manual Operator Actions

The assumed failure of the Tricon portion of the PPS would be responded to by automatic diverse actuation systems, if available, such as AMSAC, and/or by the operating crew utilizing procedures to initiate manual operator actions (MOAs). For the D3 assessment, any credit for MOAs in the analyses needs to be identified and justified. The DCPP PPS digital upgrade credits no MOAs for event mitigation in the analyses.

The Eagle 21 PPS D3 SE dated October 7, 1993 (Reference 12), determined that the events listed in Table 3-5 would require the PPS for both primary and backup protection for some aspect of the event. Of these events, the following would require MOA for mitigation if the event occurred concurrently with the postulated PPS SWCCF:

  • Accidental RCS depressurization, including steam generator tube rupture (SGTR), steam line break (SLB), and loss-of-coolant accident (LOCA) indicated by low pressurizer pressure,
  • Large-break LOCA and SLB indicated by high containment pressure.

To mitigate these events, plant indications (annunciators or indications) were provided and made available with sufficient procedural guidance to diagnose the event in a timely manner and bring the plant to a safe shutdown condition.

The replacement PPS implements automatic protective functions in a logic-based Class 1E CS Innovations, LLC ALS that is proposed to provide sufficient built-in diversity to address SWCCF.

The functions that are needed to mitigate the events listed above which previously relied on MOAs will be relegated to the ALS portion of the replacement PPS. These functions are:

  • Safety Injection initiation on Low Pressurizer Pressure
  • Pressurizer Pressure Input to OTΔT [overtemperature delta temperature] Reactor Trip
  • Safety Injection initiation on High Containment Pressure
  • Phase A Containment Isolation initiation on High Containment Pressure
  • Phase B Containment Isolation initiation on High Containment Pressure
  • Reactor Trip on RCS Low Flow

Because of the built-in diversity features of the ALS system that are credited in the analysis, the above automatic functions will remain operable during a postulated PPS SWCCF of either the Tricon or the ALS portion of the PPS and, therefore, the MOAs that were previously required for these events, though still available, will no longer be required for the purpose of mitigation following an SWCCF after the new PPS system is operational. Nonetheless, the DCPP D3 assessment still provides diverse displays and controls that would be needed if manual actions were invoked to address an event.

3.4 Diversity and Defense-in-Depth Analysis

The DCPP D3 assessment consists of four basic tasks: (1) identification of the set of transients and accidents to be considered in combination with the assumed failure of the Tricon portion of the digital PPS; (2) an evaluation of these transients and accidents to identify which could challenge the acceptance criteria given a failure of the Tricon portion of the PPS; (3) determination of events that fail to meet the acceptance criteria of BTP 7-19; and (4) determination of plant modifications or other resolution necessary to address the events that the study showed the plant design incapable of withstanding the SWCCF. An SWCCF failure of the ALS portion of the PPS will not result in any loss of PPS functionality due to the built-in diversity features of the ALS system.

3.4.1 Identification of Challenging Transients and Accidents

The first two tasks of the D3 assessment are to identify the spectrum of the design basis events from the FSARU to be considered, and to screen for those events that could challenge the acceptance criteria for further analyses assuming the failure of the PPS due to an SWCCF.

Based on existing FSARU analysis results, each design basis event with the assumption of the PPS system failure is screened for one of the following four categories:

Category 1 - Events that do not require the PPS for primary or backup operation
Category 2 - Events that do not require the PPS for primary but require the PPS for backup protection
Category 3 - Events that require the PPS for primary protection signals but will receive automatic backup protection from systems other than the PPS
Category 4 - Events that assume the PPS for primary and backup protection signals for some aspect of the automatic protection

The events of the first three categories require no further analysis. The remaining Category 4 events are challenging events that require further analyses.
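The screening rule above is mechanical once each event's credited primary and backup actuation sources are known, and the evaluation adds two refinements: functions performed by the ALS portion still count as PPS functions for categorization (so such events remain Category 4), while only the Tricon portion is assumed lost in the SWCCF. The following example, added here with constructed event data and not taken from the Topical Report's Tables 3-2 through 3-5, implements both rules. The event names and their source assignments are illustrative; the system names are the ones the evaluation credits in Section 3.2.

```python
"""Added example of the four-category screening described in Section 3.4.1,
with constructed event data. The source assignments are illustrative and
are not the Topical Report's tables; the systems named are the ones the
evaluation credits as unaffected by a Tricon SWCCF."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Automatic actuation sources. The PPS is split into the Tricon portion,
# assumed totally lost in the worst-case SWCCF, and the ALS portion,
# whose functions are credited as surviving because of built-in diversity.
TRICON = "PPS (Tricon)"
ALS = "PPS (ALS)"
AMSAC = "AMSAC"
NIS = "neutron flux instrumentation"
RCP_BKR = "RCP breaker open reactor trip"
PPS = {TRICON, ALS}
LOST_IN_SWCCF = {TRICON}


@dataclass(frozen=True)
class Event:
    name: str
    primary: Optional[str]   # system credited for primary automatic protection
    backup: Optional[str]    # automatic backup credited, None if there is none


def category(ev: Event) -> int:
    """Place an event in Categories 1-4 as the evaluation defines them.
    ALS-performed functions still count as PPS functions, so an event
    protected only by the two PPS portions remains Category 4."""
    p_pps = ev.primary in PPS
    b_pps = ev.backup in PPS
    if not p_pps and not b_pps:
        return 1   # PPS needed for neither primary nor backup protection
    if not p_pps:
        return 2   # diverse automatic primary; PPS only as backup
    if ev.backup is not None and not b_pps:
        return 3   # PPS primary, automatic backup from a non-PPS system
    return 4       # PPS for both primary and backup (or no other backup)


def disposition(ev: Event) -> str:
    """Categories 1-3 need no further analysis. For Category 4, report whether
    an automatic function survives the Tricon SWCCF (because the ALS portion
    performs it) or further analysis must show the acceptance limits are met."""
    if category(ev) != 4:
        return "no further analysis"
    survivors = [s for s in (ev.primary, ev.backup) if s and s not in LOST_IN_SWCCF]
    if survivors:
        return "automatic actuation retained via " + ", ".join(sorted(set(survivors)))
    return "further analysis required"


def screen(events: List[Event]) -> Dict[str, Tuple[int, str]]:
    return {ev.name: (category(ev), disposition(ev)) for ev in events}


def count_by_category(events: List[Event]) -> Dict[int, int]:
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for ev in events:
        counts[category(ev)] += 1
    return counts


# Constructed sample set; names are generic and assignments are illustrative.
SAMPLE_EVENTS = [
    Event("event A: mitigated entirely outside the PPS", AMSAC, None),
    Event("event B: diverse primary, PPS backup", NIS, TRICON),
    Event("event C: PPS primary, non-PPS automatic backup", TRICON, RCP_BKR),
    Event("event D: ALS primary, Tricon backup", ALS, TRICON),
    Event("event E: Tricon primary and backup", TRICON, TRICON),
]

if __name__ == "__main__":
    for name, (cat, note) in screen(SAMPLE_EVENTS).items():
        print(f"Category {cat}  {name:48s} {note}")
```

Event D is the case the evaluation singles out: it stays Category 4 because both its sources are PPS portions, yet its automatic actuation is retained through the ALS portion, which is why the manual actions previously credited for such events are no longer required for mitigation.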

Section 3.1 of the DCPP D3 assessment report presents the screening results from the list of the design basis events from the FSARU. Many of these events were determined to be Categories 1, 2, or 3, and therefore required no further analyses.

Table 3-2 of the DCPP D3 assessment report lists design basis events that are Category 1, because the FSARU analysis does not rely on the PPS for either primary or backup mitigating functions and, therefore, the assumed SWCCF of the digital PPS has no impact on the plant transient response.

Table 3-3 of the DCPP D3 assessment report lists design basis events that are Category 2 events because, in the event of an SWCCF that disables the PPS, these events will be successfully mitigated by the primary mitigating function which is performed independently from the PPS and no significant adverse consequence will result.

Table 3-4 of the DCPP D3 assessment report lists design basis events that are Category 3 events because, in the event of an SWCCF that disables the PPS, these events will be successfully mitigated by the backup mitigating function which is performed independently from the PPS and no significant adverse consequence will result.

Table 3-5 of the DCPP D3 assessment report lists a total of 13 design basis events that are Category 4 events. Of those 13 events, the following events were identified as Category 4 events that require analyses to show that the acceptance limits are met:

  • Loss of Coolant Accidents (Small and Large Break LOCA)
    - Loss of Reactor Coolant from Small Rupture Pipes or from Cracks in Large Pipes that Actuate Emergency Core Cooling System (Small Break LOCA)
    - Major Reactor Coolant System Pipe Ruptures (Large Break LOCA)
  • Steam Line Break (SLB)
    - Accidental Depressurization of the Main Steam System
    - Rupture of a Main Steam Line at Hot Shutdown
    - Rupture of a Main Steam Line at Full Power

The corresponding analyses for these events are provided in Section 3.1.5, "Additional Discussion of Category 4 Events (PPS Primary/PPS Backup)," of the DCPP D3 assessment. All remaining events listed in Table 3-5 refer to means outside of the digital PPS system for mitigation of accidents concurrent with a CCF of the PPS. These alternate means of mitigation were not evaluated because they are not impacted by the proposed upgrade of the digital PPS system. During an application-specific review, the NRC staff will have to assess all equipment used for these alternate means of mitigation to validate that they are diverse from the PPS.

3.4.2 Analysis Methodologies

For the Category 4 events that can potentially challenge the acceptance criteria, BE analyses of the plant response were performed with the postulated failure of the PPS functions allocated to the Tricon portion of the system due to an SWCCF. This was done to show that diverse means, not subject to the same failure, exist such that the acceptance criteria of BTP 7-19 are met. An SWCCF of the ALS portion of the PPS will not result in any loss of PPS functionality due to the built-in diversity features of the ALS system.

3.4.2.2 Best Estimate Analyses and Results

An SWCCF of the combined Tricon/ALS PPS system will not result in a loss of safety system functionality that requires compensation via MOAs, as was the case for the Eagle 21 PPS system; therefore, no additional thermal hydraulic BE analyses were required for the replacement system. Section 3.1.5 of the DCPP D3 assessment report presents additional analysis results for Category 4 events. The analysis results, which include a description of the effects that the replacement PPS system has on plant response for each of these events, are summarized below:

3.4.2.2.1 Single Loop Loss of Forced Reactor Coolant Flow Events

Partial Loss of Reactor Coolant Flow

Protection against a partial loss of coolant flow accident is provided by the low primary coolant flow reactor trip that is actuated by two-out-of-three low flow signals in any reactor coolant loop.

The low flow signals are generated in the PPS. Above approximately 35 percent power (Permissive 8), low flow in any loop will actuate a reactor trip. Between the power levels corresponding to Permissive 8 and approximately 10 percent power (Permissive 7), low flow in any two loops will actuate a reactor trip. The DCPP Technical Specifications do not require automatic reactor trip at power levels below Permissive 7. In accordance with the guidance in ISG DI&C-ISG-02 (Reference 11), the licensee proposes to provide automatic actuation not affected adversely by the PPS SWCCF (as opposed to operator action) to mitigate this event.

Therefore, the RCS Flow-Low reactor trip (2/3 Flow-Low in 2/4 loops > Permissive 7; 2/3 Flow-Low in any loop > Permissive 8) will be generated in the independent, inherently diverse Class 1E ALS portion of the proposed replacement PPS.
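The coincidence logic just described, modelled as an added example (not code from the SE, the licensee, or the ALS platform): two-out-of-three voting within each loop, then a loop-coincidence rule that depends on the power level relative to Permissive 7 and Permissive 8. The P7/P8 values are the approximate 10 and 35 percent power figures quoted above, and the helper names are assumptions.

```python
"""RCS Flow-Low reactor trip coincidence logic (illustrative model).

Added example; not the NRC's, PG&E's, or the ALS vendor's code.
Permissive thresholds are the approximate values quoted in the SE text.
Comparisons use strict "greater than", matching the "> Permissive" wording.
"""
from dataclasses import dataclass
from typing import Sequence

P7_PERCENT_POWER = 10.0  # approximate, per the SE text
P8_PERCENT_POWER = 35.0  # approximate, per the SE text
NUM_LOOPS = 4            # DCPP is a four-loop plant (2/4 loop rule in the SE)


@dataclass(frozen=True)
class LoopFlow:
    """Three flow channels for one RCS loop; True means the channel reads Flow-Low."""
    channels: tuple[bool, bool, bool]


def loop(a: bool, b: bool, c: bool) -> LoopFlow:
    """Convenience constructor for a loop's three channel states (assumed helper)."""
    return LoopFlow((a, b, c))


def loop_flow_low(lf: LoopFlow) -> bool:
    """Two-out-of-three voting within a loop.

    A single channel reading low (e.g. one failed transmitter) neither trips
    nor, if it reads high, blocks the trip when the other two read low.
    """
    return sum(lf.channels) >= 2


def rcs_flow_low_trip(power_percent: float, loops: Sequence[LoopFlow]) -> bool:
    """Return True when the Flow-Low reactor trip should actuate.

    Above P8: any one loop voting Flow-Low trips the reactor.
    Between P7 and P8: two or more loops must vote Flow-Low.
    At or below P7: no automatic trip is required by Technical Specifications.
    """
    if len(loops) != NUM_LOOPS:
        raise ValueError(f"expected {NUM_LOOPS} loops, got {len(loops)}")
    low_loops = sum(loop_flow_low(lf) for lf in loops)
    if power_percent > P8_PERCENT_POWER:
        return low_loops >= 1
    if power_percent > P7_PERCENT_POWER:
        return low_loops >= 2
    return False


# Constructed sample states for a stand-alone run.
NORMAL = loop(False, False, False)
LOW = loop(True, True, False)        # 2/3 channels low: loop votes Flow-Low
ONE_CHANNEL = loop(True, False, False)  # single low channel: no loop vote

if __name__ == "__main__":
    print("full power, one loop low :", rcs_flow_low_trip(100.0, [LOW, NORMAL, NORMAL, NORMAL]))
    print("20% power, one loop low  :", rcs_flow_low_trip(20.0, [LOW, NORMAL, NORMAL, NORMAL]))
    print("20% power, two loops low :", rcs_flow_low_trip(20.0, [LOW, LOW, NORMAL, NORMAL]))
    print("5% power, all loops low  :", rcs_flow_low_trip(5.0, [LOW, LOW, LOW, LOW]))
    print("full power, 1/3 channel  :", rcs_flow_low_trip(100.0, [ONE_CHANNEL] * 4))
```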

Single Reactor Coolant Pump Locked Rotor

Automatic reactor trip functions and indications of a Locked Rotor event would be similar to the one-out-of-four Partial Loss of Flow event described above. However, since the reactor coolant pumps have high inertia flywheels, the length of time for the flow to decrease would be significantly longer for a one-loop Partial Loss of Flow event than it would be for a Locked Rotor event.

Indications of a one-loop Partial Loss of Flow and Locked Rotor event include reactor coolant pump breaker position open (alarm and indicator light), reactor coolant pump over current trip, and abnormal pump seal flow indications. Other event indications, not directly related to the failed pump, are: (1) pressurizer safety relief valve (PSRV) indication system alarms when the pressurizer power operated relief and safety valves open; (2) core exit thermocouples reading high; and (3) wide-range steam generator water level indication low.

The following functions will be generated in the ALS portion of the proposed replacement PPS.

These functions will not be affected by an SWCCF of the PPS provided that the proposed built-in diversity of the ALS subsystem is found to be acceptable. The trip setpoints and time response requirements for these trip functions will be the same as those used for the existing Eagle 21 PPS system. Each of the diverse components of the ALS system will be designed to independently meet the same requirements. Therefore, the digital PPS upgrade will have no adverse impact on the trip system response or performance requirements which are credited in the FSARU accident analyses.

These automatic mitigative functions occur no later than the time required to perform manual actions following a common-mode failure of the PPS. In addition, these automatic mitigative functions are designed to occur within the time periods assumed in the existing FSARU Chapter 15 accident analyses. Therefore, the plant response is bounded by the BTP 7-19 (Reference 7) recommended acceptance criteria.

3.4.2.2.2 Accidental Depressurization of the Reactor Coolant System

An accidental depressurization of the RCS could occur as the result of an inadvertent opening of a pressurizer relief or safety valve. Primary protection is provided by a reactor trip on a low pressurizer pressure or overtemperature delta temperature (OTDT) signal. Both of these reactor trips are processed by the existing PPS. If the PPS fails, an automatic reactor trip may not occur for this event.

Signals processed outside the PPS that would provide the operator with indication of an event are wide-range containment pressure indicators, pressurizer safety or relief valve position indication, high pressurizer and safety valve discharge temperature (high reading), PSRV position indication system alarms, pressurizer relief tank level, and PSRV acoustic monitor.

The Pressurizer Pressure-Low reactor trip function will be generated in the Class 1E ALS portion of the proposed replacement PPS. This function will not be affected by an SWCCF of the PPS provided that the proposed built-in diversity of the ALS subsystem is found to be acceptable.

This automatic mitigative function occurs no later than the time required to perform manual actions following a common-mode failure of the PPS. In addition, these automatic mitigative functions are designed to occur within the time periods assumed in the existing FSARU Chapter 15 accident analyses. Therefore, the plant response is bounded by the BTP 7-19 (Reference 7) recommended acceptance criteria.

3.4.2.2.3 Loss of Coolant Accidents (Small and Large Break LOCA)

A LOCA is defined as a rupture of the RCS piping or of any line connected to the system.

Ruptures of small cross section piping (small break LOCA - SBLOCA) cause expulsion of the coolant at a rate that can be accommodated by the charging pumps that would maintain an operational water level in the pressurizer permitting the operator to execute an orderly shutdown.

Should a larger break occur (large break LOCA - LBLOCA), depressurization of the RCS causes fluid to flow to the RCS from the pressurizer resulting in a pressure and level decrease in the pressurizer. Reactor trip occurs when the Pressurizer Pressure-Low trip setpoint is reached. The safety injection (SI) system is actuated when the appropriate Pressurizer Pressure-Low setpoint is reached. Reactor trip and SI system actuation are also initiated by a high containment pressure signal.

The following functions will be generated automatically in the Class 1E ALS portion of the proposed replacement PPS.

  • Pressurizer Pressure-Low-Low (ESFAS - Safety Injection)
  • Containment Pressure-High (ESFAS - Safety Injection, Phase A Containment Isolation)
  • Containment Pressure High-High Safeguards Actuation (ESFAS - Phase B Containment Isolation, Containment Spray in conjunction with Safety Injection)

These functions will not be affected by an SWCCF of the PPS provided that the proposed built-in diversity of the ALS subsystem is found to be acceptable. These automatic mitigative functions occur no later than the time required to perform manual actions following a common mode failure of the PPS. In addition, these automatic mitigative functions are designed to occur within the time periods assumed in the existing FSARU Chapter 15 accident analyses.

Therefore, the plant response is bounded by the BTP 7-19 (Reference 7) recommended acceptance criteria.

3.4.2.2.4 Steam Line Break Events Reactor trip (at-power cases), safety injection, and feedwater isolation are required to mitigate SLB events.

Sufficient reactor trip signals from systems other than the replacement PPS are available as backup: high neutron flux (all ranges, depending on initial power level) and high positive neutron flux rate. Borated coolant will be automatically provided by the accumulators if the RCS pressure drops below the accumulator injection pressure. Additionally, DCPP, Units 1 and 2, have steam line check valves that prevent reverse flow from the un-faulted steam generators, limiting the magnitude of the blowdown to the faulted steam generator.

The following functions will be generated in the Class 1E ALS portion of the proposed replacement PPS.

  • Pressurizer Pressure-Low-Low (ESFAS - Safety Injection)
  • Containment Pressure-High (ESFAS - Safety Injection, Phase A Containment Isolation)
  • Containment Pressure High-High (ESFAS - Phase B Containment Isolation, Containment Spray coincident with Safety Injection)

These functions will not be affected by an SWCCF of the PPS provided that the proposed built-in diversity of the ALS subsystem is found to be acceptable. These automatic mitigative functions occur no later than the time required to perform manual actions following a common-mode failure of the PPS. In addition, these automatic mitigative functions are designed to occur within the time periods assumed in the existing FSARU Chapter 15 accident analyses.

Therefore, the plant response is bounded by the BTP 7-19 (Reference 7) recommended acceptance criteria.

3.4.2.2.5 Major Rupture of a Main Feedwater Pipe

A major feedwater line rupture is defined as a break in a feedwater pipe large enough to prevent the addition of sufficient feedwater to the steam generators to maintain shell-side fluid inventory in the steam generators. Depending on the size of the break and the plant operating conditions at the time of the break, the break could cause either an RCS cooldown (by excessive energy discharge through the break), or an RCS heatup. Potential RCS cooldown resulting from a major feedwater line rupture is evaluated in Section 3.4.2.2.4 of this SE. For RCS heatup effects, a feed line rupture reduces the ability to remove heat generated by the core from the RCS. The following functions provide the necessary protection against a main feedwater line rupture:

  • Pressurizer Pressure-High
  • OTDT
  • Steam generator low-low water level in any steam generator
  • Safety Injection Signals from any of the following:
    - Steam line Pressure-Low
    - Containment Pressure-High

The following functions will be generated in the ALS portion of the proposed replacement PPS.

  • Containment Pressure-High (ESFAS - Safety Injection, Phase A Containment Isolation)

These functions will not be affected by an SWCCF of the PPS provided that the proposed built-in diversity of the ALS subsystem is found to be acceptable. These automatic mitigative functions occur no later than the time required to perform manual actions following a common mode failure of the PPS. In addition, these automatic mitigative functions are designed to occur within the time periods assumed in the existing FSARU Chapter 15 accident analyses.

Therefore, the plant response is bounded by the BTP 7-19 (Reference 7) recommended acceptance criteria.

3.4.2.2.6 Steam Generator Tube Rupture (SGTR)

Primary reactor protection for this event is provided by a reactor trip on OTDT.

Backup reactor trip signals are generated by the pressurizer low pressure, Turbine Trip on High Steam Generator Level Permissive 14 or pressurizer low pressure SI signals. All of these protection signals are generated by the PPS.

The RCS charging system will attempt to maintain pressurizer level, accompanied by pressurizer low pressure and low-level alarms. The operator's first indication of an SGTR event will be the steam line, steam jet air ejector off-gas, and/or steam generator blowdown radiation monitors. Upon annunciation of any of these signals, existing DCPP operating procedures will provide the operator with the guidance necessary to effectively mitigate the SGTR event. Existing DCPP procedures direct the operator in mitigation and recovery from this event. In the proposed replacement PPS, the OTDT reactor trip is generated in the Tricon portion of the PPS and will therefore remain susceptible to an SWCCF. The following functions will be generated in the ALS portion of the proposed replacement PPS.

  • Pressurizer Pressure-Low-Low (ESFAS - Safety Injection)

These functions will not be affected by an SWCCF of the PPS and will provide automatic event mitigation to assist the operator provided that the proposed built-in diversity of the ALS subsystem is found to be acceptable.

These automatic mitigative functions occur no later than the time required to perform manual actions following a common-mode failure of the PPS. In addition, these automatic mitigative functions are designed to occur within the time periods assumed in the existing FSARU Chapter 15 accident analyses. Therefore, the plant response is bounded by the BTP 7-19 (Reference 7) recommended acceptance criteria.

3.4.2.2.7 Summary of Analysis Results

Table 3.4-1 shows how the PPS functions that are performed by the ALS subsystem will be credited for the elimination of MOAs that would otherwise be required to mitigate events in the presence of a PPS SWCCF when the replacement PPS system is operational. Each of the Category 4 events that required MOAs for accident mitigation in the presence of an SWCCF for the Eagle 21 PPS is listed in the left-hand column of the table. The "x" marks in the associated PPS function column identify which of these ALS functions should remain operational in the presence of an SWCCF due to the built-in diversity characteristics of the ALS system.

Table 3.4-1 DCPP Primary Protection System Functions Performed by ALS Subsystem

Columns (ALS functions): Low PZR Pressure SI (Note 1); Low PZR Pressure RT; High PZR Pressure RT; High CP SI (Note 1); Cont. Isolation A; Cont. Isolation B; High CP Containment Spray; Low RCS Flow RT.

Rows (DCPP FSARU Section - Topical Report Category 4 Event: number of ALS functions marked "x"):
15.2.5, 15.4.4 - Loss of Forced RCS Flow: 1
15.2.13, 15.2.12 - RCS Depressurization: 1
15.2.14 - Main Steam Depressurization: 1
15.3.1, 15.4.1 - SBLOCA / LBLOCA: 6
15.4.2.1, 15.4.2.3 - Steam Line Break: 4
15.4.2.2 - Main Feed Pipe Rupture: 3
15.4.3 - SG Tube Rupture: 2

Note 1: Automatic reactor trip occurs on safety injection due to low pressurizer pressure or high containment pressure.

Under the current Eagle 21 diversity scheme, each of these eight functions, which are derived from Table 3-5, would be rendered inoperable due to the effects of a postulated SWCCF. As a result, the Eagle 21 D3 analysis SE (Reference 12) includes a provision for the availability of "sufficient procedural guidance for an operator to diagnose the event in a timely manner and bring the plant to a safe shutdown condition". The NRC staff has determined that the proposed digital PPS upgrade design, which incorporates the safety-related ALS subsystem that provides built-in system diversity, will ensure that these functions will be performed automatically without adverse impact to the operator's ability to diagnose or perform previously credited manual actuation activities. Based on the above, the NRC staff has determined that the licensee's revised D3 assessment provides reasonable assurance that should an SWCCF of either the Tricon portion or the ALS portion of the PPS system occur, there exist appropriate diverse means of actuation to mitigate the events. These means of actuation may be accomplished via either diversity features that are internal to the PPS or via external systems.

3.5 Interim Staff Guidance (ISG) DI&C-ISG-02, Diversity and Defense-in-Depth (D3) Issues

3.5.1 Staff Position 1, Adequate Diversity

NRC Staff Position 1, "Adequate Diversity," in ISG DI&C-ISG-02 (Reference 11) states, in part, that

"While the NRC considers common cause failures (CCFs) in digital systems to be beyond design basis, the digital RPS [reactor protection system] should be protected against CCFs. The licensee or applicant should perform a D3 analysis to demonstrate that vulnerabilities to CCFs are adequately addressed."

The DCPP D3 assessment was performed with the assumption that all safety functions performed by the Tricon portion of the PPS could become subject to an SWCCF. The licensee used realistic assumptions to perform BE analyses of licensing basis plant responses. The licensee identified necessary back-up systems as well as MOAs necessary for accomplishing the required safety functions. Based on the above, the NRC staff concludes that the proposed modification to the digital PPS system complies with NRC Staff Position 1 and is, therefore, acceptable.

3.5.2 Staff Position 2, Manual Operator Actions

NRC Staff Position 2, "Manual Operator Actions," in ISG DI&C-ISG-02 states, in part, that

[T]he licensee or applicant should provide sufficient information and controls (safety- or non-safety) in the main control room that are independent and diverse from the RPS (i.e., not subject to the SWCCF).

The digital PPS upgrade described in the D3 assessment will not change the existing functionality of control panel displays or controls. Manual system level actuation functions are not performed within the PPS system. These functions will remain independent and diverse from the PPS. Based on the above, the NRC staff concludes that the proposed modification to the digital PPS system complies with NRC Staff Position 2 and is, therefore, acceptable.

3.5.3 Staff Position 3, BTP 7-19 Position 4 Challenges

NRC Staff Position 3, "BTP 7-19 Position 4 Challenges," in ISG DI&C-ISG-02 states, in part, that BTP 7-19, Position 4, should be re-written to state:

In addition to the above, a set of displays and controls (safety or non-safety) should be provided in the main control room for manual system level actuation and control of safety equipment to manage plant critical safety functions, including reactivity control, reactor core cooling and heat removal from the primary system, reactor coolant system integrity, and containment isolation and integrity. The displays and controls should be independent and diverse from the RPS discussed above. However, these displays and controls could be those used for manual operator action as described above. Where they serve as backup capabilities, the displays and controls should also be able to function downstream of the lowest-level software-based components subject to the same common cause failure (CCF) that necessitated the diverse backup system; one example would be the use of hard-wired connections.

Table 3-6, "Diverse Automatic Mitigating Functions, Indications, and Manual Controls for Chapter 15 Events Following a Postulated CCF," provides a list of diverse protection, indications, alarms, and controls which includes non-PPS functions. These displays and controls are located in the main control room and they provide for manual system-level actuation of critical safety functions. They also provide for monitoring of parameters that support safety functions.

The digital PPS upgrade described in the D3 assessment will not change the existing functionality of control panel displays or controls. Manual system level actuation functions are not performed within the PPS system. These functions will remain independent and diverse from the PPS. These functions are also downstream of the lowest-level software-based Tricon components as well as the ALS subsystem components within the PPS. Based on the above, the NRC staff concludes that the proposed modification to the digital PPS system complies with NRC Staff Position 3 and is, therefore, acceptable.

3.5.4 Staff Position 4, Effects of Common Cause Failure (CCF)

NRC Staff Position 4, "Effects of Common Cause Failure (CCF)," in ISG DI&C-ISG-02 states, in part, that

Many possible types of protection system failures may occur as a result of failure to actuate. Among these, a simple failure of the total system might not be the worst-case failure, particularly when analyzing the time required for identifying and responding to the condition .... For this reason, the evaluation of failure modes as a result of software CCF should include the possibility of partial actuation and failure to actuate with false indications, as well as a total failure to actuate.

This position is partially addressed by the DCPP D3 assessment Topical Report. Complete loss of the Tricon portion of the PPS is evaluated, and the NRC staff concludes its failure to be adequately mitigated by the diverse safety-related ALS platform. However, partial losses of the Tricon and the ALS portions of the PPS due to SWCCF have not been addressed; therefore, the licensee will be required to develop and submit a Failure Modes and Effects Analysis to address this issue in conjunction with the license amendment request required for installation of the new digital PPS system. The resulting safety evaluation will need to assess compliance with this position.

3.5.5 Staff Position 5, Common Cause Failure (CCF) Applicability

NRC Staff Position 5, "Common Cause Failure (CCF) Applicability," in ISG DI&C-ISG-02 states, in part, that there are two design attributes that are sufficient to eliminate consideration of CCF:

(1) Diversity - [s]ufficient diversity exists in the protection system such that CCFs within the channels can be considered to be fully addressed without further action.

(2) Testability - A system is sufficiently simple such that every possible combination of inputs, internal and external initial states, and every signal path can be tested; that is, the system is fully tested and found to produce only correct responses.

The NRC staff determined that the Tricon portion of the DCPP replacement PPS system does not contain a sufficient amount of diversity to meet criterion (1) above. However, the D3 assessment shows that adequate alternate means of completing the required safety functions do exist. It is also assumed that the built-in diversity characteristics of the proposed ALS system will meet criterion (1) above. Therefore, the DCPP combined ALS/Tricon PPS does provide trips and actuations to respond to the Category 4 events that rely on the PPS for mitigation, and the combined system does meet criterion (1) above.

The NRC staff determined that the DCPP system complexity is such that criterion (2) above cannot be satisfied for either the Tricon or the ALS portions of the PPS.

As a result of these determinations, the consideration of SWCCFs could not be eliminated for the proposed digital PPS system. These considerations are documented in the D3 assessment.

Based on the above, the NRC staff concludes that the proposed modification to the DCPP PPS system complies with NRC Staff Position 5 and is, therefore, acceptable.

3.5.6 Staff Position 6, Echelons of Defense

NRC Staff Position 6, "Echelons of Defense," in ISG DI&C-ISG-02 states, in part, that "The RTS and ESFAS functions may be combined into a single digital platform."

The NRC staff has established acceptance guidelines for D3 assessments and has identified four echelons of defense against CCFs, which are:

  • Control System - The control system echelon consists of non-safety equipment which routinely prevents reactor excursions toward unsafe regimes of operation, and is used for normal operation of the reactor.
  • Reactor Trip System - The reactor trip echelon consists of safety equipment designed to reduce reactivity rapidly in response to an uncontrolled excursion.
  • Engineered Safety Features Actuation System - The ESFAS echelon consists of safety equipment which removes heat or otherwise assists in maintaining the integrity of the three physical barriers to radioactive release (cladding, vessel, and containment).
  • Monitoring and Indication - The monitoring and indication echelon consists of sensors, displays, data communication systems, and manual controls required for operators to respond to reactor events.

For the DCPP design, the functions of Reactor Trip and Engineered Safety Features were previously combined into the digital PPS platform. This PPS system upgrade does not alter this configuration. The NRC staff evaluated the effects of an SWCCF with the understanding that both of these layers of defense could be compromised during an SWCCF event. The combination of the two layers and diverse platforms was found to adequately cope with the effects of an SWCCF. The ISG DI&C-ISG-02 provides further guidance that the RTS and ESFAS functions may be combined into a single digital platform as long as NRC Staff Positions 1 and 2 are addressed. Both NRC Staff Positions 1 and 2 have been addressed for the digital PPS design as described in Sections 3.5.1 and 3.5.2 of this SE. Based on the above, the NRC staff concludes that the proposed modification to the digital PPS system complies with NRC Staff Position 6 and is, therefore, acceptable.

3.5.7 Staff Position 7, Single Failure

NRC Staff Position 7, "Single Failure," in ISG DI&C-ISG-02 states, in part, that

[I]f a postulated digital system CCF could disable a safety function, then a diverse means, with a documented basis that the diverse means is not subject to the same CCF, should be included in the overall system design. This diverse means should perform either the same function or a different function that will mitigate accidents or events that require the safety function assumed failed by the postulated CCF. The diverse or different function may be performed by a non-safety system if the system is of sufficient quality to perform under the associated event conditions.

Because the PPS system design is not complete, it is not possible for the NRC staff to confirm that the documented basis for diversity is included in the overall system design. Conformance to this point will need to be confirmed prior to installation of the PPS during the license amendment SE effort. Also see Section 3.1 of this SE. The displays and controls used at DCPP should be independent and diverse from the computer-based PPS system.

4.0 CONCLUSION

The NRC staff has reviewed the DCPP D3 assessment for the proposed digital Plant Protection System upgrade. The NRC staff's evaluation of the D3 assessment was performed in accordance with the guidance of BTP 7-19 as well as the supplemental guidance provided by Interim Staff Guidance (ISG) DI&C-ISG-02. This D3 assessment was performed with the assumption that an SWCCF would result in a failure of the Tricon portion of the PPS, but not affect the ALS portion of the PPS. The designed-in diversity of the ALS portion of the proposed replacement PPS ensures that all accidents and events credited with automatic PPS mitigation in the DCPP FSARU Chapter 15 analyses continue to be mitigated automatically with a concurrent SWCCF without reliance on other systems or MOAs. The NRC staff concludes that the changes that are being made to the digital PPS will not adversely impact the safety determination that was made for the Eagle 21 digital PPS system. Based on the above, the NRC staff concludes there is adequate diversity and defense-in-depth within the proposed replacement PPS such that the plant responses to the design basis events concurrent with a potential SWCCF meet the acceptance criteria specified in BTP 7-19.

5.0 REFERENCES

1. Becker, J. R., Pacific Gas and Electric Company, letter to U.S. Nuclear Regulatory Commission, "Review of Diablo Canyon Power Plant Topical Report, Process Protection System Replacement Diversity & Defense-in-Depth Assessment," dated April 9, 2010 (ADAMS Accession No. ML101100646).
2. Becker, J. R., Pacific Gas and Electric Company, letter to U.S. Nuclear Regulatory Commission, "Response to NRC Request for Additional Information Regarding Diablo Canyon Topical Report, 'Process Protection System Replacement Diversity & Defense-in-Depth Assessment,'" dated August 12, 2010 (Proprietary version withheld from public disclosure; publicly available version at ADAMS Accession No. ML102280367).
3. Becker, J. R., Pacific Gas and Electric Company, letter to U.S. Nuclear Regulatory Commission, "Submittal of Diablo Canyon Power Plant Topical Report, Process Protection System Replacement Diversity & Defense-in-Depth Assessment, Revision 1," dated September 9, 2010 (ADAMS Accession No. ML102580726).

4. Pacific Gas and Electric Company, "Topical Report: Process Protection System Replacement Diversity & Defense-in-Depth Assessment," Revision 0, March 2010 (Proprietary version withheld from public disclosure; publicly available version at ADAMS Accession No. ML101100647).
5. Pacific Gas and Electric Company, "Topical Report: Process Protection System Replacement Diversity & Defense-in-Depth Assessment," Revision 1. August 2010 (Proprietary version withheld from public disclosure; publicly available version at ADAMS Accession No. ML102580725).
6. Wang, A. B., U.S. Nuclear Regulatory Commission, e-mail to K. Schrader, T. Baldwin, and L. Parker, Pacific Gas and Electric Company, "Request for Additional Information Regarding Diversity and Defense in Depth Topical Report (ME3732, ME3733)," dated July 12, 2010 (ADAMS Accession No. ML101930498).
7. U.S. Nuclear Regulatory Commission, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition," (SRP) Branch Technical Position (BTP) 7-19, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer Based Instrumentation and Control Systems," Revision 5, March 2007 (ADAMS Accession No. ML070550072).

8. U.S. Nuclear Regulatory Commission, "Application of the Single-Failure Criterion to Safety Systems," Regulatory Guide 1.53, Revision 2, November 2003 (ADAMS Accession No. ML033220006).
9. Chilk, S. J., U.S. Nuclear Regulatory Commission, Staff Requirements Memorandum, "SECY-93-087 - Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated July 21, 1993 (ADAMS Accession No. ML003708056).
10. Lawrence Livermore National Laboratory, "Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems," NUREG/CR-6303, December 1994 (ADAMS Accession No. ML071790509).
11. U.S. Nuclear Regulatory Commission, Digital Instrumentation and Controls, DI&C-ISG-02, "Task Working Group #2: Diversity and Defense-in-Depth Issues, Interim Staff Guidance," Revision 2, dated June 5, 2009 (ADAMS Accession No. ML091590268).
12. Peterson, S. R., U.S. Nuclear Regulatory Commission, letter to Gregory M. Fueger, Pacific Gas and Electric Company, "Issuance of Amendments for Diablo Canyon Nuclear Power Plant, Unit No. 1 (TAC No. M84580) and Unit No. 2 (TAC No. M84581)," dated October 7, 1993 (ADAMS Accession No. ML022350074).

Principal Contributor: R. Stattel

Date: April 19, 2011

The NRC staff's safety evaluation (SE) is enclosed. Please note that this identifies some additional areas that PG&E should address in its related license amendment request to support the digital upgrade of the DCPP PPS. If you have any questions, please contact Alan B. Wang at (301) 415-1445 or alan.wang@nrc.gov.

Sincerely,

/RA by James R. Hall for/

Michael T. Markley, Chief
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket Nos. 50-275 and 50-323

Enclosure:

Safety Evaluation

cc w/encl: Distribution via Listserv

DISTRIBUTION:
PUBLIC
LPLIV R/F
RidsAcrsAcnw_MailCTR Resource
RidsNrrDeEicb Resource
RidsNrrDorlLpl4 Resource
RidsNrrDprPgcb Resource
RidsNrrLAJBurkhardt Resource
RidsNrrPMDiabloCanyon Resource
RidsOgcRp Resource
RidsRgn4MailCenter Resource
BKemper, NRR/DE/EICB
RStattel, NRR/DE/EICB

ADAMS Accession No.: ML110480845 (*SE Memo)
OFFICE: NRR/LPL4/LA, NRR/EICB/DE/BC, NRR/DPR/PLPB/BC, NRR/LPL4/BC
NAME: JBurkhardt, JJolicoeur, MMarkley (JRHall for)
DATE: 3/24/11, 4/19/11