ML11287A252

WNA-AR-00180-WBT-NP, Rev. 2, Nuclear Automation Watts Bar Unit 2 NSSS Completion Program I&C Projects, Failure Modes & Effects Analysis (FMEA) for the Post Accident Monitoring System.
ML11287A252
Person / Time
Site: Watts Bar, Tennessee Valley Authority
Issue date: 02/28/2011
From: Menard D
Westinghouse
To:
Office of Nuclear Reactor Regulation
References
WNA-AR-00180-WBT-NP, Rev 2


Text

Attachment 14 Westinghouse Electric Company WNA-AR-00180-WBT-NP, Revision 2, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System," (Non-Proprietary)

Westinghouse Non-Proprietary Class 3

Nuclear Automation
Watts Bar Unit 2 NSSS Completion Program I&C Projects
Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System

WNA-AR-00180-WBT-NP, Rev. 2
February 2011

APPROVALS

Function: Name and Signature

Author: Dennis N. Menard*, Principal Engineer, Operations Analysis

Reviewer: Stephanie L. Smith*, Project Manager, Common Q PAMS

Allen C. Denyer*, Principal Engineer, CE Fleet Safety System Support and Upgrades

Approver: Mesut B. Uzman*, Product Manager, New Plant Safety Support Systems

  • Electronically approved records are authenticated in the electronic document management system.

WESTINGHOUSE NON-PROPRIETARY CLASS 3

© 2011 Westinghouse Electric Company LLC All Rights Reserved

Nuclear Automation Failure Modes and Effects Analysis (FMEA)

Watts Bar Unit 2 NSSS Completion Program I&C Projects for the Post Accident Monitoring System

LIST OF CONTRIBUTORS

Template Version 2.2

REVISION HISTORY

RECORD OF CHANGES

Revision 0 (Author: Dennis Menard; Completed: 10/10)

Added brackets to WNA-AR-00180-WBT, Rev. 0, to indicate proprietary information.

Revision 1 (Author: Dennis Menard; Completed: 02/11)

Incorporated customer comments defined in letter WBT-TVA-1513. These include:

  • Cover page: changed revision, date, and reviewer titles.
  • Reference 3: changed revision to revision 4 and added -P suffix.
  • In Section 2.2, modified digital data outputs list heading and removed first note on Page 2-6.
  • Specified TMARCET is the sole analog output used on page 2-5 and 2-6.
  • In Section 2.3 corrected typo (AI to AO module) and changed Table 3-1, Items 2, 3, 4, 5, 7, 9, 26, 28, and 29.
  • Deleted Item 31 and replaced with RJT RTD entry.
  • Abbreviations: changed WB2 to WBT.
  • Reworded FE switch and SLE switch to FE keyswitch and SLE keyswitch in Section 2.2 and Table 3-1.
  • Replaced Figures 2.1-1 and 2.2-1 to reflect Reference 3 Revision 4.

Incorporated additional customer comments defined in letter WBT-TVA-1633. These include:

  • Page 2-6: specified no user selectable analog outputs are used.
  • Page 2-10: Tcrep replaced with TcRep.
  • Page 2-11: added bullets pertaining to OM/MTP printing.
  • Throughout: changed "PC" to plant computer, "channel" changed to "train."
  • Modified Table 3-1 items 1, 2, 3, 4, 5, 6, 7, 8, 9, 13, 15, 19, 20, 21, 22, 23, 25, 27, 31, 32.

Revision 2 (Author: Dennis Menard; Completed: See EDMS)

Incorporated customer comments on FMEA Rev 1. These include:

  • Page 2-10: replaced TcRep with TcRp.
  • Made changes to Table 3-1 items 7c, 8b, 15b, 23, 28.
  • Changed "subcooled" margin to "saturation" margin throughout to agree with other WBT documentation (e.g., Reference 3).

DOCUMENT TRACEABILITY & COMPLIANCE

Created to Support the Following Document(s) (Document Number, Revision): N/A

OPEN ITEMS

Item, Description, Status: None.

TABLE OF CONTENTS

LIST OF CONTRIBUTORS
REVISION HISTORY
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
ACRONYMS AND TRADEMARKS
GLOSSARY OF TERMS
REFERENCES
SECTION 1 INTRODUCTION
1.1 PURPOSE
1.2 SCOPE
SECTION 2 SYSTEM DESCRIPTION
2.1 SYSTEM ARCHITECTURE
2.2 SYSTEM DESCRIPTION
2.3 COMPARISON OF WBT PAMS TO COMMON Q
SECTION 3 FAILURE MODES AND EFFECTS ANALYSIS
SECTION 4 CONCLUSION

LIST OF TABLES

Table 3-1 WBT PAMS FMEA

LIST OF FIGURES

Figure 2.1-1 [ ]a,c
Figure 2.1-2 [ ]a,c
Figure 2.2-1 [ ]a,c

ACRONYMS AND TRADEMARKS

Acronyms used in the document are defined in WNA-PS-00016-GEN, "Standard Acronyms and Definitions" (Reference 6), or included below to ensure unambiguous understanding of their use within this document.

Acronym: Definition

AC 160: Advant Controller Series 160
AF100: Advant Fieldbus 100
CET: Core Exit Thermocouples
CETMS: Core Exit Thermocouple Monitoring System
Common Q: Common Qualified Platform
D/P: Differential Pressure
FE: Function Enable
FMEA: Failure Modes and Effects Analysis
FPD: Flat Panel Display
HJTC: Heated Junction Thermocouple
ICCMS: Inadequate Core Cooling Monitoring System
MCR: Main Control Room
MTP: Maintenance and Test Panel
OM: Operator's Module
PAMS: Post Accident Monitoring System
PPS: Plant Protection System
RVL: Reactor Vessel Level
RVLMS: Reactor Vessel Level Monitoring System
SLE: Software Load Enable
SMM: Saturation Margin Monitor
SPDS: Safety Parameter Display System
T/C: Thermocouple
TVA: Tennessee Valley Authority
WBT: Watts Bar Unit 2
WDT: Watchdog Timer, located on AC160 PM646A module

Advant is a registered trademark of ABB Process Automation Corporation.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.

All other product and corporate names used in this document may be trademarks or registered trademarks of other companies, and are used only for explanation and to the owners' benefit, without intent to infringe.

GLOSSARY OF TERMS

Standard terms used in the document are defined in WNA-PS-00016-GEN, "Standard Acronyms and Definitions" (Reference 6), or included below to ensure unambiguous understanding of their use within this document.

Term, Definition: None.

REFERENCES

Following is a list of references used throughout this document.

1. WCAP-16097-P-A, Rev. 0, "Common Qualified Platform Topical Report," Westinghouse Electric Company LLC.
2. WCAP-16097-P-A, Rev. 0, "Common Qualified Platform Topical Report Post Accident Monitoring Systems," Appendix 1, Westinghouse Electric Company LLC.
3. WNA-DS-01617-WBT-P, Rev. 4, "Post Accident Monitoring System - System Requirements Specification," Westinghouse Electric Company LLC.
4. ANSI/IEEE 352-1987, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Stations Safety Systems," American National Standards Institute/Institute of Electrical and Electronics Engineers, 1987.
5. 00000-ICE-30156, Rev. 08, "System Requirements Specification for the Common Q Post Accident Monitoring System," Westinghouse Electric Company LLC.
6. WNA-PS-00016-GEN, Rev. 5, "Standard Acronyms and Definitions," Westinghouse Electric Company LLC.

SECTION 1 INTRODUCTION

1.1 PURPOSE

WCAP-16097-P-A, "Common Qualified Platform Topical Report Post Accident Monitoring Systems," (Reference 1), includes several system-specific Appendices. One of these, designated Appendix 1, applies to the Post Accident Monitoring System (Reference 2). It provides a generic Failure Modes and Effects Analysis (FMEA) for the standard solution. In their Safety Evaluation Report (SER), the United States Nuclear Regulatory Commission (USNRC) stated that this generic FMEA is acceptable as a model for such analysis, but that the licensee must prepare its plant-specific model for the design to be implemented and perform the FMEA for that application. This document contains the plant-specific FMEA for the Watts Bar Unit 2 (WBT) Post Accident Monitoring System (PAMS).

1.2 SCOPE

This FMEA includes the equipment in the replacement PAMS and its supporting power supply. Sensors are included only to the extent of the effects of loss of their signals as inputs to the system.

This FMEA is done in accordance with the guidance provided in ANSI/IEEE Standard 352-1987, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Stations Safety Systems" (Reference 4).

SECTION 2 SYSTEM DESCRIPTION

2.1 SYSTEM ARCHITECTURE

The WBT PAMS is described in WNA-DS-01617-WBT, "Post Accident Monitoring System - System Requirements Specification" (Reference 3). PAMS is a Class 1E safety-related alarm and display system consisting of two independent trains of equipment (Trains A and B) which acquire and process two trains of inputs. The trains are physically separated and electrically isolated from each other. Each train of the WBT PAMS comprises two Advant Controller 160 (AC 160) racks located in one cabinet. Figure 2.1-1 shows the configuration of the PAMS.

For each train, the primary AC 160 rack contains a processor that processes all incoming core exit thermocouple (CET), saturation margin monitoring (SMM), and reactor vessel level (RVL) signals. The processor receives inputs from its input cards, four of which are mounted in the extension rack. The processor performs input processing and algorithms and sends the outputs to its output cards and over the Advant Fieldbus 100 (AF 100) to the operator's module (OM) in the main control room (MCR) and the maintenance and test panel (MTP) located in the associated PAMS cabinet. The MTP has an Ethernet port that provides the capability to send data to the plant computer.

The OM is used to provide various display pages to the operator. The OM uses the flat panel display system (FPDS), consisting of a PC node box with internal power supply, an FPD with touch screen capability, and a standard AF 100 communication interface for communication to the processor module.

The OM and MTP receive the signals to be displayed over the AF 100 from the PAMS processors.

The MTP doubles as a local operator display, and has additional capability for performing system maintenance. The WBT PAMS allows setpoint changes and signal bypasses from both the OM and MTP.

The WBT PAMS requirements have been built upon the generic system requirements for the Common Qualified platform (Common Q) Phase 3 PAMS specified in 00000-ICE-30156, "System Requirements Specification for the Common Q Post Accident Monitoring System" (Reference 5).

The general relationship of the individual systems for WBT PAMS is described as follows and shown in Figure 2.1-2.

  • The reactor vessel level monitoring system (RVLMS) monitors reactor vessel head differential pressure, lower range differential pressure, and dynamic range differential pressure to measure reactor coolant level in the vessel.

  • The core exit thermocouple monitoring system (CETMS) monitors CET temperatures to detect and alarm inadequate core cooling (ICC) conditions.

Each train of WBT PAMS provides the combined functions of the inadequate core cooling monitoring system (ICCMS) (i.e., SMM, CETMS, and RVLMS).

Figure 2.1-2 shows the functional relationship between the ICCMS components.

2.2 SYSTEM DESCRIPTION

[ ]a,c

The WBT PAMS, based on the application of the Class 1E Common Q platform, will replace the existing ICCMS (ICCM-86). This digital-to-digital replacement will calculate saturation margin and RVL, process core exit temperatures, and provide key data to the control room via the FPDS.

The WBT PAMS provides safety grade processing of instruments used to detect the approach to, the existence of, and the recovery from an ICC event and display such information to the operator in the control room. The WBT PAMS is based on the requirements in WCAP-16097-P-A, "Common Q Topical Report Post Accident Monitoring Systems," Appendix 1 (Reference 2) with one significant difference.

The WBT PAMS is deploying a different design for RVL monitoring (reactor vessel level indication system [RVLIS]) from that described in the Common Q Topical Report. The Common Q Topical Report describes a RVLMS using the heated junction thermocouple (HJTC) technology. The WBT PAMS will instead employ a RVL monitoring function based on the requirements and instrumentation used in Watts Bar Unit 1. The WBT PAMS will monitor three reactor vessel differential pressure inputs to measure reactor coolant level in the vessel: upper range differential pressure, lower range differential pressure, and dynamic range differential pressure.

Each PAMS train:

[ ]a,c

[ ]a,c

[ ]a,c

[ ]a,c

Note: Only the system trouble alarm contact output is used for WBT. All alarm digital outputs are sent to the plant computer over the digital datalink.

Figure 2.2-1 depicts the PAMS inputs and outputs in more detail.

Figure 2.1-1. [ ]a,c

Figure 2.1-2. [ ]a,c

Figure 2.2-1. [ ]a,c

2.3 COMPARISON OF WBT PAMS TO COMMON Q

The WBT PAMS performs the inadequate core coolant monitoring (ICCM) functions defined in the generic Common Q PAMS Topical Report Appendix (Reference 2). The WBT maintains the same failure responses defined in the Common Q PAMS implementation to the extent possible. The significant differences, from the FMEA standpoint, are:

  • The WBT PAMS includes the RVLIS as the vessel level monitoring system, rather than the HJTC described in Reference 5. This results in different Common Q power supply voltages as well as analog and digital inputs. The RVLIS uses three different differential pressure (D/P) inputs across the reactor vessel. These are:

[ ]a,c

  • The distribution of modules within the primary and extension racks differs in some cases. For example, the Common Q implementation has an analog output module in the primary subrack for meter outputs and a separate output module in the extension rack to provide a variable power supply output to the HJTC heater power supplies. The WBT implementation does not use variable HJTC power supplies, and has two analog output (AO) modules in the primary subrack, one of which is used for RCS SMM, CET SMM, representative CET TcRp, and RVL outputs. The second analog output (AO) module is used for user-selectable analog outputs.

  • In the WBT PAMS, the analog input modules in the primary subrack are redundant, so that loss of either an entire module or a channel within a module will not result in loss of the process input.

  • The uses of the four AI modules in the extension rack differ somewhat. In the Common Q implementation, all inputs are used for CETs. In the WBT implementation, the four extension rack AI modules are used for CETs, RVLIS capillary temperature, and cabinet temperature RTDs. CET inputs are dispositioned among the four AI modules such that loss of a single module will not result in less than the minimum CET complement for Train Operability.

  • The types of I/O modules differ from the Common Q implementation. The WBT AI modules are of the newer AI687 and AI688 variety. These were unavailable when the original (Common Q) PAMS was defined. These and other evolutionary changes are largely transparent in FMEA space.

  • The WBT PAMS does not have the OM FE keyswitch permanently installed. The switch is installed for maintenance only. Therefore failure of the OM FE keyswitch is not considered for the WBT PAMS.

  • The WBT PAMS utilizes a single analog control board indicator (CET saturation margin).

  • The WBT PAMS does not allow printing from either the OM or MTP unless the FE keyswitch is in the ENABLE position. OM print capability requires that a temporary printer be connected to the OM.

SECTION 3 FAILURE MODES AND EFFECTS ANALYSIS

The PAMS FMEA is a "Qualitative" evaluation, which identifies the various failure modes that contribute to a system's unreliability. It is not a "Quantitative" reliability/availability analysis which produces calculated numerical values. The FMEA identifies significant single failures and their effects or consequences on the system's ability to perform its functions. The analysis contents and format satisfy Reg. Guide 1.70 requirements for inclusion in the plant's FSAR.

The PAMS is designed so that any single failure, in either train, will not prevent proper monitoring, display and alarm action of the other PAMS train, or inhibit operation of any other system, including the plant protection system (PPS), at the system level. The FMEA for this system shows that no single failure will defeat more than one of the two redundant PAMS trains.

The FMEA addresses all credible failures of the PAMS computers (e.g., communications failures, stalls, etc.), but not all possible causes of the failure condition. At the hardware interface level, the FMEA bounds all cases by considering the worst case effects at the computer module outputs.

The WBT specific PAMS FMEA is provided in Table 3-1. This table is based on the one provided in the topical report Appendix (Reference 2).

As a general note, process signals are connected to the PAMS cabinets through input devices called termination modules. These devices are passive in nature and are not dealt with explicitly in the FMEA table. Rather, the effect of their failure would be the same as that of the analog input signal, which is included in the FMEA table.
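The single-failure criterion stated in this section can be checked mechanically once the architecture is written down as a dependency model. The sketch below is an added example, not part of the Westinghouse document or its Table 3-1: component names follow Section 2.1, while the dependency rules, the CET count per AI module and the minimum CET complement are constructed assumptions.

```python
"""Single-failure check over a constructed model of a two-train monitoring system.

Assumptions (not taken from the FMEA): each train needs its power supply,
processor module (PM) and AF 100 bus; it needs at least one display (OM or MTP);
and it needs a minimum number of CET inputs spread over four AI modules.
"""

TRAINS = ("A", "B")
AI_MODULES = ("AI1", "AI2", "AI3", "AI4")
CETS_PER_AI_MODULE = 6   # constructed value, not from the document
MIN_CETS_OPERABLE = 16   # constructed value, not from the document


def power_supply(train, shared_power):
    """Name of the power supply a train depends on."""
    return "PSU-shared" if shared_power else f"PSU-{train}"


def build_components(shared_power=False):
    """Return the set of component names in the model."""
    comps = set()
    for t in TRAINS:
        for name in ("PM", "AF100", "OM", "MTP") + AI_MODULES:
            comps.add(f"{name}-{t}")
        comps.add(power_supply(t, shared_power))
    return comps


def train_state(train, failed, shared_power=False):
    """Classify one train as 'ok', 'degraded' or 'lost' for a set of failed components."""
    def up(name):
        return name not in failed

    core = (up(power_supply(train, shared_power))
            and up(f"PM-{train}")
            and up(f"AF100-{train}"))
    cets = sum(CETS_PER_AI_MODULE for m in AI_MODULES if up(f"{m}-{train}"))
    displays = [up(f"OM-{train}"), up(f"MTP-{train}")]

    if not core or cets < MIN_CETS_OPERABLE or not any(displays):
        return "lost"
    full = all(displays) and cets == CETS_PER_AI_MODULE * len(AI_MODULES)
    return "ok" if full else "degraded"


def single_failure_table(shared_power=False):
    """One row per component: (failed component, state of train A, state of train B)."""
    rows = []
    for comp in sorted(build_components(shared_power)):
        states = [train_state(t, {comp}, shared_power) for t in TRAINS]
        rows.append((comp, states[0], states[1]))
    return rows


def violations(rows):
    """Components whose single failure defeats both trains."""
    return [comp for comp, a, b in rows if a == "lost" and b == "lost"]


if __name__ == "__main__":
    for label, shared in (("independent trains", False), ("shared power supply", True)):
        rows = single_failure_table(shared_power=shared)
        print(f"--- {label} ---")
        for comp, a, b in rows:
            print(f"{comp:12s} train A: {a:9s} train B: {b}")
        print("single-failure violations:", violations(rows) or "none")
```

The second run deliberately introduces a power supply common to both trains, which is the kind of shared dependency the criterion is meant to expose.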

Table 3-1. WBT PAMS FMEA

[ ]a,c

SECTION 4 CONCLUSION

The plant-specific WBT PAMS configuration provides substantially the same fault tolerance as compared to the standard Common Q solution described in Reference 2. Because the PAMS consists of two independent trains, no single failure will defeat the PAMS function. Furthermore, many failures will degrade the operation of one of the trains, but leave a subset of the functionality available to the operator.

Attachment 15 Westinghouse Electric Company CAW-11-3117 Application For Withholding Proprietary Information From Public Disclosure WNA-AR-00180-WBT-P, Rev. 2, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System" (Proprietary), dated February 25, 2011

Westinghouse Electric Company
Nuclear Services
1000 Westinghouse Drive
Cranberry Township, Pennsylvania 16066 USA

U.S. Nuclear Regulatory Commission
Document Control Desk
11555 Rockville Pike
Rockville, MD 20852

Direct tel: (412) 374-4643
Direct fax: (724) 720-0754
e-mail: greshaja@westinghouse.com
Proj letter: WBT-D-2956

CAW-11-3117
February 25, 2011

APPLICATION FOR WITHHOLDING PROPRIETARY INFORMATION FROM PUBLIC DISCLOSURE

Subject: WNA-AR-00180-WBT-P, Rev. 2, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System" (Proprietary)

The proprietary information for which withholding is being requested in the above-referenced report is further identified in Affidavit CAW-11-3117 signed by the owner of the proprietary information, Westinghouse Electric Company LLC. The affidavit, which accompanies this letter, sets forth the basis on which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR Section 2.390 of the Commission's regulations.

Accordingly, this letter authorizes the utilization of the accompanying affidavit by Tennessee Valley Authority.

Correspondence with respect to the proprietary aspects of the application for withholding or the Westinghouse affidavit should reference this letter, CAW-11-3117, and should be addressed to J. A. Gresham, Manager, Regulatory Compliance, Westinghouse Electric Company LLC, Suite 428, 1000 Westinghouse Drive, Cranberry Township, Pennsylvania 16066.

Very truly yours,

J. A. Gresham, Manager
Regulatory Compliance

Enclosures

CAW-11-3117

AFFIDAVIT

COMMONWEALTH OF PENNSYLVANIA:

ss

COUNTY OF BUTLER:

Before me, the undersigned authority, personally appeared B. F. Maurer, who, being by me duly sworn according to law, deposes and says that he is authorized to execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse), and that the averments of fact set forth in this Affidavit are true and correct to the best of his knowledge, information, and belief:

B. F. Maurer, Manager
ABWR Licensing

Sworn to and subscribed before me this 25th day of February 2011

Notary Public

COMMONWEALTH OF PENNSYLVANIA
Notarial Seal
Cynthia Olesky, Notary Public
Manor Boro, Westmoreland County
My Commission Expires July 16, 2014
Member, Pennsylvania Association of Notaries

2 CAW-1 1-3117 (1) I am Manager, ABWR Licensing, in Nuclear Services, Westinghouse Electric Company LLC (Westinghouse), and as such, I have been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in connection with nuclear power plant licensing and rule making proceedings, and am authorized to apply for its withholding on behalf of Westinghouse.

(2) I am making this Affidavit in conformance with the provisions of 10 CFR Section 2.390 of the Commission's regulations and in conjunction with the Westinghouse Application for Withholding Proprietary Information from Public Disclosure accompanying this Affidavit.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged or as confidential commercial or financial information.

(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.390 of the Commission's regulations, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse.

(ii) The information is of a type customarily held in confidence by Westinghouse and not customarily disclosed to the public. Westinghouse has a rational basis for determining the types of information customarily held in confidence by it and, in that connection, utilizes a system to determine when and whether to hold certain types of information in confidence. The application of that system and the substance of that system constitutes Westinghouse policy and provides the rational basis required.

Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage, e.g., by optimization or improved marketability.

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

There are sound policy reasons behind the Westinghouse system which include the following:

(a) The use of such information by Westinghouse gives Westinghouse a competitive advantage over its competitors. It is, therefore, withheld from disclosure to protect the Westinghouse competitive position.

(b) It is information that is marketable in many ways. The extent to which such information is available to competitors diminishes the Westinghouse ability to sell products and services involving the use of the information.

(c) Use by our competitor would put Westinghouse at a competitive disadvantage by reducing his expenditure of resources at our expense.

(d) Each component of proprietary information pertinent to a particular competitive advantage is potentially as valuable as the total competitive advantage. If competitors acquire components of proprietary information, any one component may be the key to the entire puzzle, thereby depriving Westinghouse of a competitive advantage.

(e) Unrestricted disclosure would jeopardize the position of prominence of Westinghouse in the world market, and thereby give a market advantage to the competition of those countries.

(f) The Westinghouse capacity to invest corporate assets in research and development depends upon the success in obtaining and maintaining a competitive advantage.

(iii) The information is being transmitted to the Commission in confidence and, under the provisions of 10 CFR Section 2.390; it is to be received in confidence by the Commission.

(iv) The information sought to be protected is not available in public sources or available information has not been previously employed in the same original manner or method to the best of our knowledge and belief.

(v) The proprietary information sought to be withheld in this submittal is that which is appropriately marked in WNA-AR-00180-WBT-P, Rev. 2, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System" (Proprietary), dated February 2011, for submittal to the Commission, being transmitted by Tennessee Valley Authority letter and Application for Withholding Proprietary Information from Public Disclosure, to the Document Control Desk. The proprietary information as submitted by Westinghouse is that associated with the Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System at Watts Bar Unit 2 and may be used only for that purpose.

This information is part of that which will enable Westinghouse to:

(a) Provide analysis services for Post Accident Monitoring Systems.

(b) Continue to develop products that help to ensure safe, reliable power generation.

Further this information has substantial commercial value as follows:

(a) Westinghouse plans to sell the use of similar information to its customers for the purpose of maintaining Westinghouse-designed Post Accident Monitoring Systems.

(b) Westinghouse can sell support and defense of analysis and licensing.

(c) The information requested to be withheld reveals the distinguishing aspects of a methodology which was developed by Westinghouse.

Public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar analysis and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

The development of the technology described in part by the information is the result of applying the results of many years of experience in an intensive Westinghouse effort and the expenditure of a considerable sum of money.

In order for competitors of Westinghouse to duplicate this information, similar technical programs would have to be performed and a significant manpower effort, having the requisite talent and experience, would have to be expended.

Further the deponent sayeth not.

PROPRIETARY INFORMATION NOTICE

Transmitted herewith are proprietary and/or non-proprietary versions of documents furnished to the NRC in connection with requests for generic and/or plant-specific review and approval.

In order to conform to the requirements of 10 CFR 2.390 of the Commission's regulations concerning the protection of proprietary information so submitted to the NRC, the information which is proprietary in the proprietary versions is contained within brackets, and where the proprietary information has been deleted in the non-proprietary versions, only the brackets remain (the information that was contained within the brackets in the proprietary versions having been deleted). The justification for claiming the information so designated as proprietary is indicated in both versions by means of lower case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (4)(ii)(a) through (4)(ii)(f) of the affidavit accompanying this transmittal pursuant to 10 CFR 2.390(b)(1).

COPYRIGHT NOTICE

The reports transmitted herewith each bear a Westinghouse copyright notice. The NRC is permitted to make the number of copies of the information contained in these reports which are necessary for its internal use in connection with generic and plant-specific reviews and approvals as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.390 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by Westinghouse, copyright protection notwithstanding. With respect to the non-proprietary versions of these reports, the NRC is permitted to make the number of copies beyond those necessary for its internal use which are necessary in order to have one copy available for public viewing in the appropriate docket files in the public document room in Washington, DC and in local public document rooms as may be required by NRC regulations if the number of copies submitted is insufficient for this purpose. Copies made by the NRC must include the copyright notice in all instances and the proprietary notice if the original was identified as proprietary.

Tennessee Valley Authority Letter for Transmittal to the NRC

The following paragraphs should be included in your letter to the NRC:

Enclosed are:

1. _ copies of WNA-AR-00180-WBT-P, Rev. 2, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System" (Proprietary)
2. _ copies of WNA-AR-00180-WBT-NP, Rev. 2, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System" (Non-Proprietary)

Also enclosed is the Westinghouse Application for Withholding Proprietary Information from Public Disclosure CAW-11-3117, accompanying Affidavit, Proprietary Information Notice, and Copyright Notice.

As Item 1 contains information proprietary to Westinghouse Electric Company LLC, it is supported by an affidavit signed by Westinghouse, the owner of the information. The affidavit sets forth the basis on which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4) of Section 2.390 of the Commission's regulations.

Accordingly, it is respectfully requested that the information which is proprietary to Westinghouse be withheld from public disclosure in accordance with 10 CFR Section 2.390 of the Commission's regulations.

Correspondence with respect to the copyright or proprietary aspects of the items listed above or the supporting Westinghouse affidavit should reference CAW-11-3117 and should be addressed to J. A. Gresham, Manager, Regulatory Compliance, Westinghouse Electric Company LLC, Suite 428, 1000 Westinghouse Drive, Cranberry Township, Pennsylvania 16066.

Attachment 16 GA-ESI Responses to NRC Comments on General Atomics Procedure OP-7.3-240

TVA to NRC Letter Dated September 30, 2011

GA-ESI reviewed the NRC Staff's comments, requests for further clarification, addition, or amplification on GA-ESI document OP-7.3-240 and provides the following responses:

1. Section 2, Applicable Documents Please add EPRI TR-102260 and IEEE 7-4.3.2 for digital components. Also add generic letter GL 91-05, Licensee Commercial-Grade Procurement and Dedication Program.

GA Response: Incorporated NRC recommendation

2. Section 3, Definitions, Approved Supplier List (ASL) How is Quality Assurance Program approved? Is a vendor survey performed? Please explain the basis for approving the Quality Assurance Plan.

GA Response: GA-ESI documented procedure QAP 4-04, Authorized Suppliers, defines the methods for qualifying suppliers and adding them to the ASL. Added this reference to OP-7.3-240.

3. Section 3. Definitions, Basic Components Incomplete definition. The definition for basic components must match the definition in 10CFR Part 21.

GA Response: Incorporated NRC recommendation

4. Section 3, Definitions, Components Please use or add the examples in the definitions which are relevant to General Atomics supplied equipment.

GA Response: Piping, valves, pumps are all relevant to GA supplied equipment. Added PCBA and detector chamber.

5. Section 3. Definitions, Critical Characteristics (CC) Incomplete definition. Use the definition in 10CFR Part 21.

GA Response: Incorporated definition out of 10CFR Part 21

6. Section 3, Definitions, Dedication Incomplete definition. Please use the definition in 10CFR Part 21. 10CFR Part 21 applies to components subject to 10CFR50, Appendix B and other facilities (other than nuclear power plants).

GA Response: Incorporated definition out of 10CFR Part 21

7. Section 3, Definitions, Identical Item Include same manufacturer and manufactured at the same time (Per Inspection Procedure 43004) along with same part, make and model number.

GA Response: Incorporated verbiage from NRC Inspection Manual 43004; however, 43004 does not define Identical Item, only Like-for-Like Commercial-Grade Item Replacements. GA's definition of Identical Item was developed to accommodate industry obsolescence situations where various manufacturers produce the same part, i.e. 74LS00 integrated circuit, and not all manufacturers are on the Approved Manufacturer's List (AML). If the manufacturers for a part that are on the AML obsolete the part, then GA adds one of the other manufacturers for the part not originally on the AML.

8. Section 3, Definitions, Like-for-Like This should be defined the same as identical item as noted in the comment above.

GA Response: Incorporated NRC Inspection Manual 43004 verbiage

9. Section 4. Selection of SR CGI Acceptance Methods In the introductory paragraph of this section please elaborate where guidance for technical evaluation can be found.

GA Response: The forms referenced here are the documented results of the technical evaluation.

10. Section 4. Method 1. Sub-item a Bullet No. 5 states the sample size to be taken but does not provide any guidance regarding the methodology for sample size selection. Please include the guidance for sample selection methodology that is based on a recognized industry statistical method (e.g. EPRI 7218).

GA Response: Incorporated NRC recommendation. GA's Receiving/Inspection work instruction used for all product lines refers to EPRI NP-7218 for use on SR CGI.

11. Section 4.a, Method 1 Bullet No. 6 describes tests and inspections but does not provide the parameters of acceptability.

GA Response: The Critical Characteristic Acceptance Plan specifies the parameters of acceptability.

12. Section 4.b, Method 2 In the second paragraph please modify the wording to clarify that a commercial grade survey can be used to accept critical characteristics of simple or complex parts.

GA Response: Incorporated NRC recommendation

13. Section 4.b. Method 2 Bullet No. 5 Suggest that the wording be changed to clarify that the critical characteristics cannot be verified easily.

GA Response: Revised the wording.

14. Section 4.b. Method 2 Paragraph following Bullet No. 5 Staff agrees that the approach is acceptable initially as long as receipt inspection is performed (Reference GL 89-02). Subsequently a design engineer must evaluate the performance based on a defined frequency.

GA Response: All parts do go through receiving inspection and Supplier Surveys and Audits are performed on a 3 year cycle.

15. Section 4.b, Method 2 Second paragraph following Bullet No. 5. After the first sentence add the sentence that engineering will determine the acceptability of critical characteristics.

GA Response: Incorporated NRC recommendation

16. Section 4.c. Method 3 - Source Verification Please add an opening sentence explaining that this method is used when a supplier does not have adequate programmatic controls in place.

GA Response: Incorporated NRC recommendation.

17. Section 4.e. Combination of two or more methods In the first paragraph please state that method 2 and method 4 alone are not sufficient per the guidance of GL 89-02.

GA Response: Incorporated NRC recommendation

18. Section 6.e. Part Changes Add the fact that the change should be based on equivalency evaluations.

GA Response: Incorporated NRC recommendation

19. Section 6.f. Previous Dedication Review In the first paragraph please make it clear that engineering should evaluate there have been no design changes.

GA Response: Incorporated NRC recommendation

20. Section 6.h. Technical Evaluation In the first paragraph (Item 1) there is a need to augment guidance for technical evaluation. Need to explain the comment further.

GA Response: Added verbiage referring back to section 4 where technical evaluation guidance was added in support of NRC comment # 9.

21. Section 6.h. Technical Evaluation In the fourth paragraph (Item 4) This paragraph does not match the definition of like-for-like replacement as noted by staff comments.

GA Response: Removed first sentence of this section to eliminate any conflict with Like-for-Like definition.

22. Section 6.i. Determination of Critical Characteristics It is not clear why the critical characteristics should be limited to environment. Please expand or justify the statement.

GA Response: Clarified statement

23. Section 9, 10CFR21 Please modify the requirements of reporting per the guidance of 10CFR21.21. These requirements apply to, "Each individual, corporation, partnership, dedicating entity, or other entity subject to the regulations in this part".

GA Response: Incorporated NRC recommendation

24. Section 10 Certifications Please change the last sentence to clarify that once the critical characteristics have been verified and the item dedicated it is no longer commercial grade. Present wording causes confusion.

GA Response: Incorporated NRC recommendation

25. General It is recommended that the order in which the procedure is organized be re-evaluated. Following the Definitions section, safety classification should be addressed first then followed by technical evaluation, and then the acceptance methods.

GA Response: Do not want to change the order and re-numbering of this document until we complete review of the changes against these NRC comments referencing the current numbering scheme.