ML12073A393
ML12073A393 | |
Person / Time | |
---|---|
Site: | Watts Bar |
Issue date: | 03/08/2012 |
From: | Michael Clark Tennessee Valley Authority |
To: | Office of Nuclear Reactor Regulation |
References | |
TAC ME0853 | |
Text
Attachment 4 TVA white paper "Common Q PAMS Design Basis Conformance to the Requirements of IEEE 603-1991," dated March 8, 2012 (Letter Items 1 and 3, SSER 23 Appendix HH Item Numbers 94 and 105)
White Paper
Common Q PAMS Design Basis Conformance to the Requirements of IEEE 603-1991
Revision 0
Page 1 of 41
March 8, 2012
Prepared by: M. S. Clark
Reviewed by: J. T. Kepler
Reviewed by: R. H. Bryan
Approved by: S. A. Hilmes
Acronyms and Abbreviations
The following acronyms/abbreviations are used in this document:
AIR: Auxiliary Instrument Room
ANS: American Nuclear Society
ANSI¹: American National Standards Institute
AOI: Abnormal Operating Instruction
ASME™²: American Society of Mechanical Engineers
CET: Core Exit Thermocouple
CO2: Carbon dioxide
Common Q: Common Qualified Platform
CRDR: Control Room Design Review
DBE: Design Basis Earthquake
ECCS: Emergency Core Cooling System
EDCR: Engineering Document Change Request
EMC: Electro-Magnetic Compatibility
EMI: Electro-Magnetic Interference
EOI: Emergency Operating Instruction
EPRI³: Electric Power Research Institute
EQ: Environmental Qualification
ESD: Electrostatic Discharge
FE: Function Enable
FMEA: Failure Modes and Effects Analysis
FPDS: Flat Panel Display System
FSAR: Final Safety Analysis Report
GHz: Gigahertz
Hz: Hertz (frequency in cycles per second)
ICCM: Inadequate Core Cooling Monitor
ICS: Integrated Computer System
IEEE™⁴: Institute of Electrical and Electronics Engineers
INPO⁵: Institute of Nuclear Power Operators
ISA⁶: International Society of Automation
kHz: Kilohertz
MHz: Megahertz
LOCA: Loss of Coolant Accident
MCR: Main Control Room
MTBF: Mean Time Between Failures
MTP: Maintenance and Test Panel
MTTR: Mean Time to Repair
NRC: Nuclear Regulatory Commission
NSSS: Nuclear Steam Supply System
OBE: Operating Bases Earthquake
OM: Operator's Module
PAMS: Post-Accident Monitoring System
PC: Personal Computer
RCP: Reactor Coolant Pump
RCS: Reactor Coolant System
RG: Regulatory Guide
rms: root mean square
RTD: Resistance Temperature Detector
RVLIS: Reactor Vessel Level Indicating System
SGTR: Steam Generator Tube Rupture
SI: Safety Injection
SLE: Software Load Enable
SMM: Saturation Margin Monitor
SRS: Software Requirements Specification
SSC: Structure/System or Component
SSER: Supplemental Safety Evaluation Report
SSPS: Solid State Protection System
SysRS: System Requirements Specification
TID: Total Integrated Dose
TVA: Tennessee Valley Authority
UPS: Uninterruptible Power Supply
Vac: Volts alternating current
WBN: Watts Bar Nuclear Plant
¹ ANSI is a registered trademark of the American National Standards Institute.
² ASME is a registered trademark of the American Society of Mechanical Engineers.
³ EPRI is a registered trademark of the Electric Power Research Institute Inc.
⁴ IEEE is a registered trademark of the Institute of Electrical and Electronics Engineers Inc.
⁵ INPO is a registered trademark of the Institute of Nuclear Power Operations.
⁶ ISA is a registered trademark of the International Society of Automation.
Notes:
- 1. Italicized text is quoted from IEEE 603™-1991⁷, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
- 2. Following each IEEE 603-1991 requirement is a discussion of the Watts Bar Nuclear Plant Unit 2 (WBN Unit 2) Common Q Post-Accident Monitoring System (PAMS) licensing basis.
- 3. In the following discussion it is acknowledged that a Post Accident Monitoring System (PAMS) variable may meet more than one type and category classification. For simplification, the discussion uses the highest classification with the most stringent requirements.
- 4. The WBN Unit 2 design basis is contained in multiple documents. The design basis documents used in the preparation of this report are listed in the References section at the end of the report.
- 5. Core Exit Thermocouples (CETs) are referred to as "Incore Thermocouples" in the WBN Unit 2 Abnormal Operating Instructions (AOIs) and Emergency Operating Instructions (EOIs).
- 6. The Saturation Margin Monitor (SMM) is also referred to as the "Subcooling Margin Monitor" in WBN Unit 2 AOIs and EOIs.
⁷ IEEE 603 is a registered trademark of the Institute of Electrical and Electronics Engineers Inc.
Purpose
This document summarizes the Common Q PAMS conformance to IEEE-603-1991. The document provides the basis for the selection of applicable requirements from the IEEE standard. This paper provided the response to NRC SSER 23, 24 and 25 Appendix HH items 94 and 105 and follow-up NRC requests.
Summary
The following evaluations show that the Common Q PAMS meets the design basis needs and requirements for Watts Bar Unit 2. The design utilized the specifications for the Unit 1 Inadequate Core Cooling Monitor (ICCM-86). The variables selected for display were based on the requirements of Regulatory Guide 1.97 Revision 2 (Reference 2). The placement of displays and associated controls for Unit 2 was subjected to a Human Factors Engineering review during the design process for EDCR 52351, Common Q PAMS and the Control Room Design Review (CRDR).
Background/Methodology
The Common Q PAMS for WBN U2 supplies the Reactor Vessel Level Indication System (RVLIS), Core Exit Thermocouples (CET) and Saturation Margin Monitor (SMM). The PAMS provides information to the operators and other emergency response personnel in understanding and managing potential accident and transient events at WBN.
There are twenty-seven Final Safety Analysis Report (FSAR) Chapter 15 events addressed by fifty-seven abnormal and emergency operating instructions. The Chapter 15 events are defined in a variety of regulatory documents such as Regulatory Guides, NUREGs, and NRC endorsed industry standards. The emergency operating instructions and to a lesser degree the abnormal operating procedures are symptom based as opposed to event based procedures. They are also set up to allow management of plant conditions if they, in an unlikely event, degrade beyond the design basis accident and transients described in FSAR Chapter 15. As a consequence, a direct correlation between the emergency procedures and the Chapter 15 events does not exist. Thus, a single instruction may and frequently does contain direction on responding to multiple events.
Determining the applicability of the guidance in IEEE-603 is dependent on the use of the PAM variables by the operators in managing the Chapter 15 Design Basis Events. The WBN Unit 2 event termination criteria (stabilized plant conditions) is defined as reaching "hot standby" (Mode 3) for most events. For a LOCA or SGTR, event termination occurs when the Reactor Coolant System (RCS) is below 200°F and depressurized.
A review of the WBN Unit 1 AOIs and EOIs was performed to identify uses of the Common Q PAMS variables of RVLIS, CET, and SMM. The EOIs and AOIs were then mapped to the FSAR Chapter 15 events. The review is documented in Appendix 1. AOIs not associated with Chapter 15 events (fire, earthquake, etc.) did not need to be evaluated and were not. This mapping is shown in Appendix 2.
In the evaluations, the SMM, CET and RVLIS columns identify if the Common Q PAMS variable is used in the instruction. If a variable is used, then the notes column in the evaluation (Appendix 1) describes how the Common Q PAMS variable is used.
Regulatory Guide (RG) 1.97 defines type A variables as:
"those variables to be monitored that provide the primary information required to permit the control room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design basis accident events. Primary information is information that is essential for the direct accomplishment of the specified safety functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures."
The EOI/AOI review determined that RVLIS, SMM, and CET meet the definition of a Type "A" variable. The SMM and CET functions had been classified as Type "A" variables but RVLIS had not. As a result, the following commitments are made:
- 1. RVLIS will be included as a type A variable in the next revision of TVA calculation WBNOSG4047, "PAM Type "A" Variables Determination."
- 2. WBN Unit 2 FSAR, Table 7.5-2, "Regulatory Guide 1.97 Post Accident Monitoring Variables Lists," will be updated to show RVLIS as a Type "A" variable in a future amendment.
- 3. TVA Design Criteria Document WB-DC-30-7, Revision 24, "Post Accident Monitoring Instrumentation," will be updated to show RVLIS as a Type "A" variable in a future revision.
- 4. WBN Unit 2 Technical Specifications Table 3.3.3-1 Line item 6 Reactor Vessel Water Level will be revised to remove the reference to note (g).
- 5. WBN Unit 2 Technical Specification Bases will be revised to identify RVLIS as a Type "A" variable.
NOTE: By definition, Type "A" variables are "key variables" and must meet Category 1 design and qualification criteria, as defined in RG 1.97, Section 1.3.1. RVLIS is currently defined as a Category 1 Variable (B1 and C1). Therefore, categorizing it as a Type "A" variable has no impact on equipment qualification, design or installation.
IEEE-603 Requirements Review Results
The results of a review of the Common Q PAMS design against the requirements in each Clause of IEEE-603, 1991 are provided below.
Clause 4 "Safety system design basis"
- 4. A specific basis shall be established for the design of each safety system of the nuclear power generating station. The design basis shall also be available as needed to facilitate the determination of the adequacy of the safety system, including design changes. The design basis shall be consistent with the requirements of ANSI/ANS 51.1-1983 or ANSI/ANS 52.1-1983 and shall document as a minimum:
4.1. The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event.
WBN Unit 2 Analysis:
The design basis events, their applicable mode(s) of operation, initial conditions and allowable limits are described in WBN Unit 2 FSAR, Chapter 15, "Accident Analysis."
Additional details are contained in TVA Design Criteria Document WB-DC-40-64, Revision 12, "Design Basis Events Design Criteria."
As part of the EOI and AOI review, a cross reference between the EOIs and AOIs to the Chapter 15 events was developed. The cross reference is provided in Appendix 2.
As shown in the cross reference, it is not possible to assign a specific procedure to each event, and some events have multiple procedures. This shows a disconnect between the regulatory requirements and guidance documents. The regulatory documents seek a one to one correspondence while the EOIs and AOIs are developed based on responding to the plant conditions that can occur during an accident with a focus on reaching stabilized plant conditions (event termination).
The EOI/AOI review also focused on the setpoints required by the procedures. This review was performed to verify the Common Q PAMS met the design basis requirements of the procedures. Table 1 below provides the results of the EOI/AOI setpoint review. The following summarizes the required ranges:
- Saturation Margin Monitor required range: 44 to 213°F (subcooled)
- Core Exit Thermocouples required range: < 200 to 1200°F
- Reactor Vessel Level required range: 33 to 95%
As documented in WNA-DS-01617-WBT-P, Revision 4, "Post Accident Monitoring System - System Requirements Specification," Table 2.6-4, the Common Q PAM variable ranges envelope the ranges shown above. This demonstrates that the Common Q PAMS meets the requirements of the AOIs and EOIs. Westinghouse considers the values in WNA-DS-01617-WBT-P, Table 2.6-4, as proprietary; therefore they are not repeated here.
The mapping of the TVA system design requirements to the associated WEC design criteria is provided in WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," Section 12, "Contract Compliance Matrix."
Table 1 - Common Q PAMS Required Setpoints
Procedure # | Incore T/C setpoint(s) | SMM* setpoint(s) | RVLIS setpoint(s) |
---|---|---|---|
AOI-2 | None | NA | NA |
AOI-33 | Various between 433 and 491°F | 65°F and 75°F | NA |
E-0 | NA | 65°F | NA |
E-1 | NA | 65°F and 85°F | 95% |
E-2 | None | 65°F and 85°F | NA |
E-3 | Various between 433 and 491°F | Various between 65 and 121°F | 95% |
ECA-0.0 | 1200°F | 65°F and 85°F | NA |
ECA-0.1 | None | 65°F and 85°F | NA |
ECA-2.1 | None | Various between 65 and 115°F | 95% |
ECA-3.1 | None | Various between 65 and 213°F | 95% |
ECA-3.2 | Various between 211 and 600°F | Various between 59 and 126°F | 63, 76 and 95% |
ECA-3.3 | NA | NA | 60, 63 and 76% |
ES-0.1 | None | 65°F | NA |
ES-0.2 | 200°F | Various between 65 and 165°F | 95% |
ES-0.3 | 200°F | 65, 85 and 101°F | 69 and 95% |
ES-0.4 | 200°F | 65 and 101°F | NA |
ES-1.1 | None | Various between 65 and 115°F | 95% |
ES-1.2 | None | Various between 57 and 213°F | 95% |
ES-3.1 | None | Various between 65 and 115°F | 95% |
ES-3.2 | None | Various between 65 and 115°F | 95% |
ES-3.3 | None | Various between 65 and 115°F | 95% |
FR-0 | 727 and 1200°F | 65 and 85°F | 33, 44 and 95% |
FR-C.1 | 727 and 1200°F | 65 and 85°F | 33 and 60% |
FR-C.2 | 727°F | 65 and 85°F | 33, 44 and 60% |
FR-C.3 | 727°F | 65 and 85°F | 33 and 44% |
FR-H.1 | None | Various between 44 and 65°F | 60% |
FR-1.3 | None | Various between 65 and 135°F | 95% |
FR-P.1 | NA | Various between 65 and 135°F | 60 and 63% |
FR-S.1 | 1200°F | NA | NA |
* All SMM setpoints are subcooled values
4.2. The safety functions and corresponding protective actions of the execute features for each design basis event.
WBN Unit 2 Analysis:
The Common Q PAMS has no automatic execute features. Manual safety-related actions are based on the Common Q PAMS indications of CETs, RVLIS and SMM.
The use of these variables in the AOIs and EOIs is documented in Appendix 1. A cross reference to the FSAR Chapter 15 events is provided in Appendix 2.
4.3. The permissive conditions for each operating bypass capability that is to be provided.
WBN Unit 2 Analysis:
Not applicable. The PAMS has no automatic execute features to bypass.
4.4. The variables or combinations of variables, or both, that are to be monitored manually or automatically, or both, to control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.
WBN Unit 2 Analysis:
There is no automatic protection associated with the PAMS. The variables that are monitored manually for protective actions are the CETs, RVLIS and SMM.
The required ranges are established in Chapter 22 of the Westinghouse Functional Requirements Specification. The response to SSER 24 Appendix HH, Item 105 which is in item 4.1 above demonstrates that the PAMS variables have sufficient range to meet the requirements of the AOIs and EOIs.
4.5. The following minimum criteria for each action identified in 4.2 whose operation may be controlled by manual means initially or subsequent to initiation. See IEEE Std 494-1974 (R1990).
4.5.1. The points in time and the plant conditions during which manual control is allowed.
WBN Unit 2 Analysis:
The points in time and plant conditions during which manual control is allowed are identified in the EOIs and AOIs listed in Appendix 1. The use of a procedure based approach is in agreement with RG 1.97 Revision 4. The results of the EOI and AOI review identify how the Common Q PAMS variables are used.
4.5.2. The justification for permitting initiation or control subsequent to initiation solely by manual means.
WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS indications are used for manual actions for which no automatic action is available.
4.5.3. The range of environmental conditions imposed upon the operator during normal, abnormal, and accident circumstances throughout which the manual operations shall be performed.
WBN Unit 2 Analysis:
The range of conditions are those experienced by the operator in either the Main Control Room (MCR) or Auxiliary Instrument Room (AIR) during normal and accident conditions. The table below summarizes the conditions. Where the values are different, information is provided for both the MCR and the AIR.
Parameter | Normal | Abnormal | Accident |
---|---|---|---|
Temperature Range | MCR 75 to 80°F; AIR 64 to 90°F | 60 to 104°F | MCR 75 to 82°F; AIR 55 to 87°F |
Relative Humidity | MCR 40 to 60%; AIR 40 to 70% | 20 to 90% | NA |
Radiation Exposure | 40 year TID 350.4 Rad | NA | MCR 40 year TID 362.76 Rad; AIR 40 year TID 512.5 Rad |
Design Bases Earthquake (DBE) | NA | NA | 3.0g horizontal and 2.0g vertical |
4.5.4. The variables in 4.4 that shall be displayed for the operator to use in taking manual action. See IEEE Std 497-2002 for additional information.
WBN Unit 2 Analysis:
- Core Exit Thermocouple Temperature
- Reactor Coolant Saturation Margin
- Reactor Vessel Level
4.6. For those variables in 4.4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.
WBN Unit 2 Analysis:
The Core Exit Thermocouple variable has a spatial dependence. Technical Specifications require the minimum number and location of the CETs as two channels with a minimum of two thermocouples/channel in each core quadrant.
4.7. The range of transient and steady-state conditions of both motive and control power and the environment (for example voltage, frequency, radiation, temperature, humidity, pressure and vibration) during normal, abnormal, and accident circumstances throughout which the safety system shall perform.
WBN Unit 2 Analysis:
The Common Q PAMS hardware is located in either the MCR or the AIR. These areas are defined as mild environments. The table below summarizes the conditions.
Where the values are different, information is provided for both the MCR and the AIR.
Control power is provided by an uninterruptible power supply (UPS) in the 120 Vac vital distribution system.
Parameter | Normal | Abnormal | Accident |
---|---|---|---|
Control Power Voltage | + 2% of nominal output (120 Vac rms) | 120 Vac +/- 15% rms | 60 to 195 V peak |
Control Power Frequency | 60 +/- 0.5 Hz | + 0.2 Hz | NA |
Control Power Harmonic distortion | 5% maximum | NA | NA |
Temperature Range | MCR 75 to 80°F; AIR 64 to 90°F | 60 to 104°F | MCR 75 to 82°F; AIR 55 to 87°F |
Relative Humidity | MCR 40 to 60%; AIR 40 to 70% | 20 to 90% | NA |
Radiation Exposure | 40 year TID 350.4 Rad | NA | MCR 40 year TID 362.76 Rad; AIR 40 year TID 512.5 Rad |
Operating Bases Earthquake (OBE) | NA | 0.09g for horizontal motion and 0.06g for vertical motion | NA |
Design Bases Earthquake (DBE) | NA | NA | 3.0g horizontal and 2.0g vertical |
Electromagnetic susceptibility testing is performed as part of the Westinghouse qualification process as documented in WNA-00058-WBT, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," Section 4.4, "Plant Specific Action Item 6.4."
TVA has committed to perform installed EMI/RFI surveys.
4.8. The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).
WBN Unit 2 Analysis:
The PAMS equipment itself is located in a mild environment area and is not susceptible to missiles or pipe breaks. The ventilation system in the MCR and AIR is safety-related.
The Common Q PAMS equipment is qualified to remain operable under the worst case operating conditions in the preceding response to 4.7. Analysis (TVA calculations EPMMCP071689 and EPMLCP072489) has shown that a loss of temperature or humidity control in the MCR or Auxiliary Instrument Room (AIR) will not result in conditions that exceed the Common Q PAMS hardware qualification. The PAMS is designed and installed as a class 1E system and does not rely on any non-safety-related Structures, Systems and Components (SSCs) to remain operable.
The carbon dioxide (CO2) fire suppression piping, storage vessels, and other components are installed at elevations lower than the Main and Auxiliary Control Rooms to prevent rendering these rooms uninhabitable during any operating or accident condition.
The AIR is protected by the CO2 fire protection system. The CO2 system is designed (or plant equipment protected) to assure an initiating failure such as a pipe break or a single inadvertent actuation of the system will not damage nuclear safety-related systems to the degree that the failure will:
- Prevent the functioning of both trains of safety-related plant features needed for safe shutdown or cause the release of radioactivity.
- Prevent the habitability of the Main Control Room due to toxic levels or depletion of oxygen by any gases.
The PAMS does not have any automatic control functions that are susceptible to operator error. If the operator were to misinterpret or misread the PAMS display, it could result in misoperation of other plant equipment used in response to an accident. However, TVA Design Criteria Document WB-DC-40-64, Revision 12, "Design Basis Events Design Criteria," Appendix A "Generic Operator Action Criteria" A.2.2 states:
"Safety-related operator actions or sequences of actions may be performed by an operator only where a single operator error of one manipulation does not result in exceeding design requirements for design basis events."
Operator error is possible in the entry of constants, alarm setpoints etc. used by the PAMS functions. This type of error is minimized by the system design which requires a verification step for changing parameters. The CET and SMM functions have built in diagnostic programs for testing the functions.
In addition, A.2.3 states:
"The number of safety-related operator actions or sequences of actions shall be minimized to the extent that the operator(s) has sufficient time to monitor the results of actions on the plant status and to perform required and optional operator actions.
Preplanned safety-related operator actions required for mitigation of a design basis event are based on indications of post-accident monitoring (PAM) Type "A" variables.
Optional and contingency safety-related operator actions may be initiated based on indications of PAM Type "B" and "C" variables. Definitions and identification of PAM variables are provided in the PAM design criteria WB-DC-30-7 (Reference A.5.1)."
As part of the design process, the Common Q PAMS displays (software and display locations) were subjected to Human Factors Reviews. The WBN Unit 2 AOIs and EOIs will be developed using the WBN Unit 1 procedures as a basis. The Unit 1 AOIs and EOIs were developed in accordance with the Westinghouse Standard Emergency Response Guidelines. In addition, the AOIs and EOIs are verified as part of ongoing control room operator training.
Based on the above requirements, the impact of operator error due to misinterpreting or misreading a PAMS indication is minimized and sufficient time is planned to allow the operator to identify the error and take corrective action.
4.9. The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.
WBN Unit 2 Analysis:
Reliability goals for the PAMS were established as part of the procurement contract for the system and are included in the Contract Compliance Matrix (Section 12) in Westinghouse document WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report." The specific items are:
178. "The proposed system shall have a Mean Time Between Failure (MTBF) of greater than 40 years. A failure for this case is considered the loss of system ability to Monitor/Display. The Offerer shall provide MTBF data for the proposed system and the rationale behind it."
179. "The proposed system shall have a Mean Time To Repair (MTTR) of less than 2 hours. The Offerer shall provide MTTR data for the proposed system and the rationale behind it."
A reliability analysis of the PAMS was performed (WNA-AR-00189-WBT, Revision 0, "Post Accident Monitoring System Reliability Analysis") and approved by engineering.
The Westinghouse analysis showed that the requested MTTR was not achievable.
The Westinghouse calculated MTTR of 7.2 hours is acceptable.
Westinghouse calculated a system availability of 0.99639776. Assuming a probability of detection of 0.95 and surveillance interval of 17520 hours, this results in an estimated System MTBF of 14 years. This MTBF is acceptable.
Westinghouse performed a Failure Modes and Effects Analysis of the PAMS. This analysis is documented in WNA-AR-00180-WBT, Revision 0, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System," which was found to be acceptable and approved by engineering.
4.10. The critical points in time or the plant conditions, after the onset of a design basis event, including:
4.10.1. The point in time or plant conditions for which the protective actions of the safety system shall be initiated.
WBN Unit 2 Analysis:
The PAMS has no automatic protective or control functions. Safety related operator actions based on PAMS variables, are specified in the AOIs and EOIs.
4.10.2. The point in time or plant conditions that define the proper completion of the safety function.
WBN Unit 2 Analysis:
The PAMS performs no automatic safety functions. Completion of manual safety functions is specified in the AOIs and EOIs.
4.10.3. The point in time or the plant conditions that require automatic control of protective actions.
WBN Unit 2 Analysis:
Not Applicable. The PAMS performs no automatic protective actions.
4.10.4. The point in time or the plant conditions that allow returning a safety system to normal.
WBN Unit 2 Analysis:
Not Applicable. The PAMS has no execute or control functions to be returned to normal.
4.11. The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.
WBN Unit 2 Analysis:
Not Applicable. The PAMS safety function is not dependent on the availability of external protective equipment.
4.12. Any other special design basis that may be imposed on the system design (example, diversity, interlocks, regulatory agency criteria).
WBN Unit 2 Analysis:
Additional regulatory and industry standard criteria that the PAMS is required to meet and compliance with those criteria is included in the WBN Unit 2 FSAR, Table 7.1-1, "Watts Bar Nuclear Plant NRC Regulatory Guide Conformance."
Clause 5 "Safety System Criteria"
- 5. Safety System Criteria. The safety systems shall, with precision and reliability, maintain plant parameters within acceptable limits established for each design basis event. The power, instrumentation, and control portions of each safety system shall be comprised of more than one safety group of which any one safety group can accomplish the safety function. (See Appendix A for an illustrative example.)
WBN Unit 2 Analysis:
The PAMS does not perform any automatic functions. Therefore, the first part of this requirement is not applicable. The PAMS complies with the requirements for more than one safety group. The PAMS consists of two fully independent and redundant trains either of which provides the necessary information for the operators to accomplish the required manual safety-related actions specified in the EOIs and AOIs.
5.1 Single-Failure Criterion. The safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. IEEE Std 379-1988 provides guidance on the application of the single-failure criterion.
This criterion does not invoke coincidence (or multiple-channel) logic within a safety group; however, the application of coincidence logic may evolve from other criteria or considerations to maximize plant availability or reliability. An evaluation has been performed and documented in other standards to show that certain fluid system failures need not be considered in the application of this criterion. The performance of a probable assessment of the safety systems may be used to demonstrate that certain postulated failures need not be considered in the application of the criterion.
A probable assessment is intended to eliminate consideration of events and failures that are not credible; it shall not be used in lieu of the single-failure criterion. IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.
Where reasonable indication exists that a design that meets the single-failure criterion may not satisfy all the reliability requirements specified in 4.9 of the design basis, a probable assessment of the safety system shall be performed. The assessment shall not be limited to single failures. If the assessment shows that the design basis requirements are not met, design features shall be provided or corrective modifications shall be made to ensure that the system meets the specified reliability requirements.
WBN Unit 2 Analysis:
The Common Q PAMS meets the single failure criterion as described in WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," sections:
- 4.10, "Plant Specific Action 6.10"
- 5.3, "Response to Individual Criteria in DI&C-ISG-04," Criterion 12
- 12, "TVA Contract Compliance Matrix," items 58, 223, 303 and 505.
5.2 Completion of Protective Action. The safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. This requirement shall not preclude the use of equipment protective devices identified in 4.11 of the design basis or the provision for deliberate operator interventions. Seal-in of individual channels is not required.
WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS performs no automatic safety or protective functions.
5.3 Quality. Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program (ANSI/ASME NQA1-1989).
WBN Unit 2 Analysis:
The Common Q PAMS was designed, manufactured and tested in accordance with the approved Westinghouse Electric Company LLC, Quality Assurance Program as documented in WNA-PQ-00220-WBT, Revision 1, "Watts Bar Unit 2 NSSS Completion I&C Projects Project Quality Plan."
5.4 Equipment Qualification. Safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 and IEEE Std 627-1980.
WBN Unit 2 Analysis:
The Common Q PAMS MTP and OM qualification is documented in:
- EQ-QR-68-WBT-P, Revision 0, "Qualification Summary Report for Post-Accident Monitoring System (PAMS)"
- CN-EQT-10-44-P, Revision 1, "Dynamic Similarity Analysis for the Watts Bar Unit 2 Post Accident Monitoring System (PAMS)"
- EQ-EV-62-WBT-P, Revision 1, "Comparison of Tested Conditions for the AI687 and AI688 Common Q Modules to the Watts Bar Unit 2 (WBT) Requirements"
- EQRL-171-P, Revision 1, Environmental and Seismic Test Report Analog Input (AI)687 and AI688 Modules and Supporting Components for use in Common Qualified (Common Q) Post Accident Monitoring System (PAMS)
- EQ-QR-64-GEN-P, Revision 0, "AI687 and AI688 for use in Common Q PAMS EMC Test Report and Installation Limitations"
5.5 System Integrity. The safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis.
WBN Unit 2 Analysis:
The Common Q PAMS is qualified, as documented in the response to 5.4, to the full range of applicable conditions identified in 4.5.3 and 4.7.
5.6 Independence
5.6.1 Between Redundant Portions of a Safety System. Redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish safety function during and following any design basis event requiring that safety function.
WBN Unit 2 Analysis:
As shown in WNA-LI-00058-WBT, Revision 3, "Post Accident Monitoring System (PAMS) Licensing Technical Report," Figure 2.2-1, "Watts Bar Unit 2 PAMS Hardware Architecture," there is no interconnection between the two trains of the Common Q PAMS.
5.6.2 Between Safety Systems and Effects of Design Basis Event. Safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability to meet the requirements of this standard. Equipment qualification in accordance with 5.4 is one method that can be used to meet this requirement.
WBN Unit 2 Analysis:
The Common Q PAMS MTP and OM equipment is located in a mild environment and qualified as stated in 5.4 to perform its safety function over the full range of accident conditions to which it is expected to operate as identified in 4.5.3 and 4.7.
5.6.3 Between Safety Systems and Other Systems. Safety system design shall be such that credible failures in and consequential actions by other systems, as documented in 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard.
5.6.3.1 Interconnected Equipment
(1) Classification: Equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems.
Isolation devices used to effect a safety system boundary shall be classified as part of the safety system.
WBN Unit 2 Analysis:
The interface between the safety-related Common Q PAMS and the non-safety-related Integrated Computer System (ICS) is the PC Node Box in the Maintenance and Test Panel. This equipment is part of the safety-related Common Q PAMS. The interface to the plant annunciator system is via an isolation relay in the MTP which is part of the safety-related Common Q PAMS.
(2) Isolation: No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system.
WBN Unit 2 Analysis:
The PC Node Box in the Maintenance and Test Panel is the qualified isolation device between the Common Q PAMS and the Integrated Computer System. The isolation function was tested during the Factory Acceptance Test as documented in WNA-TR-02426-WBT, Revision 1, "Post-Accident Monitoring System Data Storm Test Report." A failure of the isolation relay interface to the plant annunciator does not impact operation of the Common Q PAMS.
5.6.3.2 Equipment in Proximity
(1) Separation: Equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems' capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1981.
WBN Unit 2 Analysis:
The Common Q PAMS equipment in the AIR is mounted in dedicated locked cabinets that provide physical separation. The installation of the Operators Modules in the main control boards meets the separation requirements of IEEE 384-1981. WBN Unit 2 conformance to IEEE 384 is limited to the internal panel equipment and wiring. WBN Unit 2 separation criteria for external cabling are in accordance with FSAR Sections 8.1.5.3, 8.3.1.4, 8.3.2.4 and 8.3.2.5.
(2) Barriers: Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4 and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.
WBN Unit 2 Analysis:
The physical barrier is the Common Q PAMS Maintenance and Test Panel (MTP) cabinet, which is qualified to the requirements of 5.3, 5.4 and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.
5.6.3.3 Effects of a Single Random Failure. Where a single random failure in a non-safety system can (1) result in a design basis event, and (2) also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. See IEEE Std 379-1988 for the application of this requirement.
WBN Unit 2 Analysis:
The Common Q PAMS non-safety-related interfaces are with the ICS and plant annunciator. The ICS interface is protected by a non-safety-related data diode and the safety-related PAMS PC Node Box in the MTP. The safety related isolation function of the Common Q PAMS MTP PC Node Box was tested during the Factory Acceptance Test as documented in WNA-TR-02426-WBT, Revision 1, "Post-Accident Monitoring System Data Storm Test Report."
As previously described the plant annunciator interface is via a safety-related isolation relay and failure of the relay does not impact operation of the Common Q PAMS.
5.6.4 Detailed Criteria. IEEE Std 384-1981 provides detailed criteria for the independence of Class 1E equipment and circuits.
WBN Unit 2 Analysis:
WBN Unit 2 conformance to IEEE 384 is limited to the internal panel equipment and wiring. WBN Unit 2 separation criteria for external cabling are in accordance with FSAR Sections 8.1.5.3, 8.3.1.4, 8.3.2.4 and 8.3.2.5.
5.7 Capability for Test and Calibration. Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:
(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),
(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and
(3) the capability shall be provided while the generating station is shut down.
WBN Unit 2 Analysis:
Testing of the CET and SMM functions of the Common Q PAMS is provided by built in test programs. Testing of the RVLIS functions is performed by loop calibration. To allow testing during operation, the RVLIS transmitters are mounted in normally accessible locations outside primary containment.
5.8 Information Displays
5.8.1 Displays for Manually Controlled Actions. The display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems and shall meet the requirements of IEEE Std 497-1981. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.
WBN Unit 2 Analysis:
The safety-related PAMS displays are the Operator's Modules in the Main Control Room. Human Factors reviews of the displays (hardware location and software) were performed to ensure unambiguous indications to the operator.
5.8.2 System Status Indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.
The display instrumentation provided for safety system status indication need not be part of the safety systems.
WBN Unit 2 Analysis:
Common Q PAMS system status information is part of the Flat Panel Display System (FPDS) software. The system status displays are defined in WNA-SD-00239-WBT-P, Revision 4, "Software Requirements Specification for the Post Accident Monitoring System," sections 7.2.14 through 7.2.27. The FPDS software was subjected to a Human Factors review during display development to avoid the possibility of ambiguous indications that could confuse the operator.
5.8.3 Indication of Bypasses. If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.
5.8.3.1 This display instrumentation need not be part of the safety systems.
5.8.3.2 This indication shall be automatically actuated if the bypass or inoperative condition (a) is expected to occur more frequently than once a year, and (b) is expected to occur when the affected system is required to be operable.
5.8.3.3 The capability shall exist in the control room to manually activate this display indication.
WBN Unit 2 Analysis:
5.8.3 and all sub-clauses are not applicable. Common Q PAMS is an indication only system and does not perform any protective actions.
5.8.4 Location. Information displays shall be located accessible to the operator.
Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions.
WBN Unit 2 Analysis:
The Common Q PAMS displays are the Operator's Modules in the Main Control Room. The displays are part of the PAMS safety system. A Human Factors review of the display locations was performed as part of the Control Room Design Review (CRDR) to ensure the displays were properly located in relation to the controls associated with the manually controlled protective actions.
Operator training and staffing is tailored to ensure that actions based on PAMS indications are accomplished in the required response time.
5.9 Control of Access. The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof.
WBN Unit 2 Analysis:
The Common Q PAMS equipment is located within the WBN Unit 2 protected area. In addition, the MTP in the AIR is a locked cabinet. The keys to the MTP are controlled in accordance with WBN key control procedures.
To modify the software or to change constants etc. one of two keylock switches must be actuated. The Function Enable (FE) allows modification of constants, printing and other routine maintenance activities. The Software Load Enable (SLE) keyswitch allows modification or reloading of the system software. The MTP has both a FE and SLE keyswitch located behind the locked front panel. The keys to the FE and SLE keyswitches are different and are controlled in accordance with WBN key control procedures.
The Operator's Module (OM) does not have a SLE function. The OM FE keyswitch is not permanently installed. If the OM is required for maintenance, then the FE keyswitch can be installed on the PC Node Box via a pigtail to a port on the back of the box. Both the OM FE keyswitch and the key for the keyswitch are controlled in accordance with WBN key control procedures.
5.10 Repair. The safety systems shall be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.
WBN Unit 2 Analysis:
Faults in the Common Q PAMS actuate the system trouble alarm in the MCR.
Adequate displays are included to allow timely recognition of a fault. The mean time to repair the Common Q PAMS is 7.2 hours as documented in WNA-AR-00189-WBT.
5.11 Identification. In order to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met:
(1) Safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982.
WBN Unit 2 Analysis:
Plant equipment is labeled in accordance with TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling." These procedures are based on the guidance of EPRI NP-6209, "Effective Plant Labeling," dated December 1988 and INPO Good Practice OP-208 (INPO 88-009), "System and Plant Labeling," dated June 1991. These procedures are in compliance with the requirements of IEEE 420-1982, Clause 4.9, "Identification" and IEEE 384-1981, Clause 6.1.2, "Identification."
Labeling of cables is in accordance with TVA General Specification G-38, Revision 20, "Installation, Modification and Maintenance of Insulated Cables Rated up to 15,000 Volts," section 13, "Identification." Color coding of cables, terminations and terminal strips is in accordance with TVA Standard Drawing SD-E 15.3.4, Revision 4, "Raceways CA & W IDENT Tags (Sequoyah NUC PLT & All Subsequent NUC Projects)" and TVA Procedure TI-209, Revision 2, "Plant Labeling." These practices are in accordance with the requirements of IEEE 420-1982, Clause 4.9, "Identification" and IEEE 384-1981, Clause 6.1.2, "Identification."
(2) Components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification.
WBN Unit 2 Analysis:
This requirement is applicable to the Common Q PAMS MTPs. However, labeling is still required and performed in accordance with TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling."
(3) Identification of safety system equipment shall be distinguishable from any identifying markings placed on equipment for other purposes (for example, identification of fire protection equipment, phase identification of power cables).
WBN Unit 2 Analysis:
This requirement is addressed in TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling" which provide unique labeling requirements for plant that distinguishes safety-related from other specific hardware labeling requirements (i.e. fire protection, EOP, SBO, PAM etc.).
(4) Identification of safety system equipment and its divisional assignment shall not require frequent use of reference material.
WBN Unit 2 Analysis:
TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling" require color coding and train designation be included on safety related equipment labels.
(5) The associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974 (R1990) [8].
WBN Unit 2 Analysis:
Not required, IEEE Std 494-1974 (R1990) has been withdrawn. TVA procedure NEDP-3, Revision 15, "Drawing Control" does not require the safety classification on the drawing.
5.12 Auxiliary Features
5.12.1 Auxiliary supporting features shall meet all requirements of this standard.
WBN Unit 2 Analysis:
The Common Q PAMS receives information from the Eagle 21 and Solid State Protection system. It sends information to the ICS and plant annunciator system.
The Eagle 21 and Solid State Protection systems meet the requirements of IEEE 603-1991 and are necessary for the SMM and RVLIS functions. The ICS and plant annunciator system are not required for Common Q PAMS to perform its design function and do not meet the requirements of IEEE 603-1991.
5.12.2 Other auxiliary features that (1) may function that is not required for the safety systems to accomplish their safety function and (2) are part of the safety systems by association (that is, not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. Examples of these other auxiliary features shown in Fig 3 and an illustration of the application of this criteria is contained in Appendix A.
WBN Unit 2 Analysis:
No other auxiliary features besides those identified in 5.12.1 are required for the Common Q PAMS to perform its design function.
5.13 Multi-Unit Stations. The sharing of structures, systems, and components between units at multi-unit generating stations is permissible provided that the ability to simultaneously perform required safety functions in all units is not impaired. Guidance on the sharing of electrical power systems between units is contained in IEEE Std 308-1980. Guidance on the application of the single failure criterion to shared systems is contained in IEEE Std 379-1988.
WBN Unit 2 Analysis:
The Common Q PAMS hardware is located in the shared WBN MCR and the shared AIR structures. As part of this design, the Common Q PAMS MCR displays are located on Unit 2 specific control boards such that there is no interference between the units. The Common Q PAMS display in the AIR is part of the qualified isolation device and as such performs no safety function. There is no sharing of components between the Unit 1 ICCM-86 system and the Common Q PAMS. Safety related power distribution is in accordance with the WBN design basis.
5.14 Human Factors Considerations. Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals in accordance with IEEE Std 1023-1988.
WBN Unit 2 Analysis:
Both the Common Q PAMS displays and controls as well as the location of the control room displays in relation to the equipment being controlled were subjected to Human Factors reviews as part of the design change process associated with the Common Q PAMS modification [Engineering Design Change Request (EDCR) 52351] and the WBN Unit 2 Control Room Design Review.
5.15 Reliability. For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.
WBN Unit 2 Analysis:
A reliability analysis of the PAMS was performed (WNA-AR-00189-WBT, Revision 0, "Post Accident Monitoring System Reliability Analysis") and approved by engineering.
The Westinghouse analysis showed that the requested MTTR was not achievable.
The Westinghouse calculated MTTR of 7.2 hours is acceptable.
Westinghouse calculated a system availability of 0.99639776. Assuming a probability of detection of 0.95 and surveillance interval of 17520 hours, this results in an estimated System MTBF of 14 years. This MTBF is acceptable.
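The availability, probability of detection, surveillance interval and MTTR quoted above can be related by a common approximation for a repairable system in which detected faults are repaired within the MTTR and undetected faults persist, on average, for half a surveillance interval. This is an added illustration, not the calculation in WNA-AR-00189-WBT; the formula and the symbols U, A, λ, P_d and T are assumptions introduced here.

$$U = 1 - A \approx \lambda\left[\mathrm{MTTR} + (1 - P_d)\,\frac{T}{2}\right]$$

With A = 0.99639776, P_d = 0.95, T = 17520 hours and MTTR = 7.2 hours:

$$\mathrm{MTBF} = \frac{1}{\lambda} \approx \frac{7.2 + 0.05 \times 8760}{1 - 0.99639776} = \frac{445.2}{0.00360224} \approx 1.236 \times 10^{5}\ \text{hours} \approx 14.1\ \text{years}$$

Under this assumed model the result is consistent with the stated System MTBF of 14 years, and the undetected-fault term (438 hours) dominates the repair term (7.2 hours).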
Clause 6 "Sense and Command Features-Functional and Design Requirements"
- 6. Sense and Command Features-Functional and Design Requirements
In addition to the functional and design requirements in Section 5, the following requirements shall apply to the sense and command features:
6.1 Automatic Control. Means shall be provided to automatically initiate and control all protective actions except as justified in 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5.
WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS performs no automatic protective actions.
6.2 Manual Control
6.2.1 Means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.
WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS is an indication only system and performs no automatic actions.
6.2.2 Means shall be provided in the control room to implement manual initiation and control of the protective actions identified in 4.5 that have not been selected for automatic control under 6.1. The displays provided for these actions shall meet the requirements of 5.8.1.
WBN Unit 2 Analysis:
The PAMS displays are part of the Operator's Modules in the MCR. The displays are part of the Common Q PAMS safety system. A Human Factors review of the screens was performed as part of EDCR 52351 to minimize the possibility of ambiguous indications that could be confusing to the operator. Controls to perform the manual protective actions based on the PAMS displays are provided in the control room. A human factors review of the PAMS display locations and the system controls was performed as part of the Control Room Design Review process.
Operator training and staffing is tailored to ensure that actions based on PAMS indications are accomplished in the required response time.
6.2.3 Means shall be provided to implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in 4.10.
The information provided to the operators, the actions required of these operators, and the quantity and location of associated displays and controls shall be appropriate for the time period within which the actions shall be accomplished and the number of available qualified operators. Such displays and controls shall be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action.
WBN Unit 2 Analysis:
The Common Q PAMS performs no automatic protective action. Manual actions are taken based on the Common Q PAMS displays for CETS, SMM and RVLIS.
The Common Q PAMS screens and location of the Common Q PAMS displays in the MCR were subjected to Human Factors Reviews as part of EDCR 52351 and CRDR. The information provided to the operators, the actions required of these operators, response time, and the quantity and location of associated displays and controls were analyzed as part of the Westinghouse Standard Emergency Response Guidelines.
6.3 Interaction Between the Sense and Command Features and Other Systems
6.3.1 Where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, one of the following requirements shall be met:
(1) Alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis. Alternate channels shall be selected from the following:
(a) Channels that sense a set of variables different from the principal channels.
(b) Channels that use equipment different from that of the principal channels to sense the same variable.
(c) Channels that sense a set of variables different from those of the principal channels using equipment different from that of the principal channels.
Both the principal and alternate channels shall be part of the sense and command features.
(2) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases. Such equipment is considered a part of the safety system.
See Fig 5 for a decision chart for applying the requirements of this section.
WBN Unit 2 Analysis:
The Common Q PAMS meets criterion 2. The PC Node Box in the MTP is part of the Common Q PAMS system and is the qualified isolation device between the Common Q PAMS and the ICS. The safety related isolation function of the Common Q PAMS MTP PC Node Box was tested during the Factory Acceptance Test as documented in WNA-TR-02426-WBT, Revision 1, "Post-Accident Monitoring System Data Storm Test Report."
6.3.2 Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass.
These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.
WBN Unit 2 Analysis:
Each train has its own PC Node Box in the MTP that provides isolation of the train from the non-safety-related ICS. Each MTP PC Node Box provides the necessary isolation for the entire train.
6.4 Derivation of System Inputs. To the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.
WBN Unit 2 Analysis:
For RVLIS, Reactor Coolant Pump (RCP) status is obtained from a contact in the Solid State Protection System (SSPS). Other sense requirements are obtained directly from hardware specific to the RVLIS function.
For CETs, the sense feature is direct from the thermocouple to the Common Q PAMS MTP.
For SMM, Reactor Coolant temperature and pressure are obtained via analog outputs from the Eagle 21 system and CET temperature is obtained directly from the CETs.
The Common Q PAMS has no command features.
6.5 Capability for Testing and Calibration
6.5.1 Means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. This may be accomplished in various ways; for example:
(1) by perturbing the monitored variable,
(2) within the constraints of 6.6, by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable, or
(3) by cross-checking between channels that bear a known relationship to each other and that have readouts available.
WBN Unit 2 Analysis:
SMM - Channel cross checking is available by monitoring RCS pressure and temperature from the Eagle 21 channels and performing manual calculations and by comparing the SMM output value between the two PAMS trains. The internal PAMS SMM function can be checked using the built in test function. The SMM function can be checked against the ICS SMM function.
CETs - The 58 CETs (29 per PAMS train) outputs can be compared by comparing the individual channels against adjacent locations. The internal PAMS CET function can be checked using the built in test function.
RVLIS - The RVLIS transmitters are outside primary containment in accessible locations which allows loop testing of the individual RVLIS loops during reactor operation. The RVLIS function can be checked against the other PAMS train.
6.5.2 One of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period:
(1) Checking the operational availability of sensors by use of the methods described in 6.5.1.
(2) Specifying equipment that is stable and retains its calibration during the post-accident time period.
WBN Unit 2 Analysis:
The RVLIS sensors, Eagle 21 sensors and hardware, and the CETs are all procured safety related and qualified to perform and retain their calibration in the post-accident environments in which they are installed. The PAMS hardware is installed in the MCR and AIR and is qualified to remain operational in the post-accident environments expected in the installed locations.
6.6 Operating Bypasses. Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions:
(1) Remove the appropriate active operating bypass(es).
(2) Restore plant conditions so that permissive conditions once again exist.
(3) Initiate the appropriate safety function(s).
WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS does not have automatic safety functions to bypass.
6.7 Maintenance Bypass. Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of 5.1 and 6.3.
EXCEPTION One-out-of-two portions of the sense and command features are not required to meet 5.1 and 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability).
WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS does not have automatic safety functions to bypass.
6.8 Setpoints
6.8.1 The allowance for uncertainties between the process analytical limit documented in Section 4.4 and the device setpoint shall be determined using a documented methodology. Refer to ISA S67.040-1987.
WBN Unit 2 Analysis:
The Common Q PAMS is an indication-only system and performs no automatic actions; therefore, there are no setpoints associated with the PAMS hardware.
Setpoints for manual actions are documented in TVA calculations that are performed in accordance with the approved TVA setpoint methodology, which includes allowances for uncertainties.
6.8.2 Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required. The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features.
WBN Unit 2 Analysis:
The Common Q PAMS is an indication-only system and performs no automatic actions; therefore, there are no devices used to prevent improper use of less restrictive setpoints. If multiple setpoints for manual actions are required, they are documented in the EOI or AOI at the applicable point. Since these are "Continuous Use" procedures, including the appropriate setpoint in the procedure step is the method used to prevent improper use of less restrictive setpoints.
IEEE 603 Clauses 7 and 8
WBN Unit 2 Analysis:
Not applicable per NRC reviewer's comments to SSER item 94.
References:
- 1. IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations"
- 2. Regulatory Guide 1.97, Revision 2, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident"
- 6. Watts Bar Unit 2 FSAR, Chapter 15
- 8. TVA Calculation EPMMCP071689, Revision 21, "Cooling/Heating Load & Equipment/Component Performance Analysis for the Control Building Electrical Board Room Areas (EL. 692.0 & 708.0)"
- 9. TVA Calculation EPMLCP072489, Revision 15, "Cooling and Heating Load Analysis, Main Control Room HVAC"
- 11. TVA Calculation WBNAPS4004, Revision 27, "Summary of Mild Environment Conditions for Watts Bar Nuclear Plant"
- 12. TVA Design Criteria Document WB-DC-30-7, Revision 24, "Post Accident Monitoring Instrumentation"
- 13. TVA Design Criteria Document WB-DC-30-20, Revision 4, "Control Panels"
- 14. TVA Design Criteria Document WB-DC-30-23, Revision 2, "Human Factors"
- 15. TVA Design Criteria Document WB-DC-30-27, Revision 33, "AC and DC Control Power Systems - (Unit 1 / Unit 2)"
- 16. TVA Design Criteria Document WB-DC-30-32, Revision 3, "Design Criteria for Grounding"
- 17. TVA Design Criteria Document WB-DC-30-4, Revision 23, "Separation / Isolation"
- 18. TVA Design Criteria Document WB-DC-40-31.2, Revision 13, "Seismic Qualification of Category I Fluid System Components and Electrical or Mechanical Equipment"
- 19. TVA Design Criteria Document WB-DC-40-42, Revision 7, "Environmental Design"
- 20. TVA Design Criteria Document WB-DC-40-64, Revision 12, "Design Basis Events Design Criteria"
- 21. TVA System Description N3-30CB-4002, Revision 16, "Control Building Heating, Ventilating, Air Conditioning, and Air Cleanup System"
- 22. TVA System Description N3-39-4002, Revision 10, "CO2 Storage, Fire Protection, And Purging"
- 23. TVA Drawing 2-47E235-16, Revision 0, "Environmental Data Environment - Mild EL 755.0"
- 24. TVA Drawing 2-47E235-17, Revision 0, "Environmental Data Environment - Mild EL 708.0"
- 25. Westinghouse document WNA-AR-00189-WBT-P, Revision 0, "Post Accident Monitoring System Reliability Analysis"
- 26. Westinghouse document WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report"
- 27. Westinghouse document WNA-AR-00180-WBT-P, Revision 0, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System"
- 28. Westinghouse document WNA-DS-01617-WBT-P, Revision 4, "Post Accident Monitoring System - System Requirements Specification"
- 29. TVA Procedure AOI-2, Revision 38, "Malfunction of Reactor Control System"
- 30. TVA Procedure AOI-3, Revision 29, "Malfunction of Reactor Makeup Control"
- 31. TVA Procedure AOI-6, Revision 34, "Small Reactor Coolant System Leak"
- 33. TVA Procedure AOI-17, Revision 49, "Turbine Trip"
- 34. TVA Procedure AOI-18, Revision 23, "Malfunction of Pressurizer Pressure Control System"
- 35. TVA Procedure AOI-20, Revision 32, "Malfunction of Pressurizer Level Control System"
- 37. TVA Procedure AOI-29, Revision 21, "Dropped or Damaged Fuel or Refueling Cavity Seal Failure"
- 38. TVA Procedure AOI-31, Revision 23, "Abnormal Release of Radioactive Material"
- 39. TVA Procedure AOI-33, Revision 34, "Steam Generator Tube Leak"
- 40. TVA Procedure E-0, Revision 32, "Reactor Trip or Safety Injection"
- 41. TVA Procedure E-1, Revision 16, "Loss of Reactor or Secondary Coolant"
- 42. TVA Procedure E-2, Revision 12, "Faulted Steam Generator Isolation"
- 43. TVA Procedure E-3, Revision 23, "Steam Generator Tube Rupture"
- 44. TVA Procedure ECA-0.0, Revision 22, "Loss of Shutdown Power"
- 49. TVA Procedure ECA-2.1, Revision 12, "Uncontrolled Depressurization of All Steam Generators"
- 54. TVA Procedure ES-0.1, Revision 24, "Reactor Trip Response"
- 56. TVA Procedure ES-0.3, Revision 11, "Natural Circulation Cooldown With Steam Void In Vessel (With RVLIS)"
- 57. TVA Procedure ES-0.4, Revision 7, "Natural Circulation Cooldown With Steam Void In Vessel (Without RVLIS)"
- 65. TVA Procedure FR-0, Revision 14, "Status Trees"
- 66. TVA Procedure FR-C.1, Revision 16, "Inadequate Core Cooling"
- 67. TVA Procedure FR-C.2, Revision 12, "Degraded Core Cooling"
- 68. TVA Procedure FR-C.3, Revision 9, "Saturated Core Cooling"
- 69. TVA Procedure FR-H.1, Revision 18, "Loss of Secondary Heat Sink"
- 70. TVA Procedure FR-H.2, Revision 6, "Steam Generator Overpressure"
- 71. TVA Procedure FR-H.3, Revision 7, "Steam Generator High Level"
- 72. TVA Procedure FR-H.4, Revision 7, "Loss of Normal Steam Release Capabilities"
- 73. TVA Procedure FR-H.5, Revision 5, "Steam Generator Low Level"
- 74. TVA Procedure FR-I.1, Revision 11, "High Pressurizer Level"
- 75. TVA Procedure FR-I.2, Revision 10, "Low Pressurizer Level"
- 76. TVA Procedure FR-I.3, Revision 22, "Voids In Reactor Vessel"
- 77. TVA Procedure FR-P.1, Revision 15, "Pressurized Thermal Shock"
- 78. TVA Procedure FR-P.2, Revision 6, "Cold Overpressure Condition"
- 79. TVA Procedure FR-S.1, Revision 20, "Nuclear Power Generation/ATWS"
- 80. TVA Procedure FR-S.2, Revision 7, "Loss of Core Shutdown"
- 81. TVA Procedure FR-Z.1, Revision 11, "High Containment Pressure"
- 82. TVA Procedure FR-Z.2, Revision 7, "Containment Flooding"
- 83. TVA Procedure FR-Z.3, Revision 7, "High Containment Radiation"
Appendices
- 1. EOI/AOI Evaluation
- 2. FSAR Chapter 15 Event to EOI/AOI Cross Reference
Appendix 1 EOI and AOI Common Q PAMS Variable Review
February 7, 2012

| Procedure# | Title | Chapter 15 | Incore T/C | SMM | RVLIS | Notes |
|---|---|---|---|---|---|---|
| AOI-2 | Malfunction of Reactor Control System | 15.2.1 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From A Subcritical Condition; 15.2.2 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal At Power; 15.2.3 Rod Cluster Control Assembly Misalignment; 15.3.6 Single Rod Cluster Control Assembly Withdrawal At Full Power | Y | N | N | Incore - Used to monitor power distribution, no direct operator action. |
| AOI-3 | Malfunction of Reactor Makeup Control | 15.2.4 Uncontrolled Boron Dilution | N | N | N | |
| AOI-6 | Small Reactor Coolant System Leak | 15.3.1 Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks In Large Pipes Which Actuate the Emergency Core Cooling System | N | N | N | |
| AOI-16 | Loss of Normal Feedwater | 15.2.8 Loss of Normal Feedwater | N | N | N | |
| AOI-17 | Turbine Trip | 15.2.7 Loss of External Electrical Load and/or Turbine Trip | N | N | N | |
| AOI-18 | Malfunction of Pressurizer Pressure Control System | 15.2.12 Accidental Depressurization of the Reactor Coolant System | N | N | N | |
| AOI-20 | Malfunction of Pressurizer Level Control System | 15.2.15 Chemical and Volume Control System Malfunction During Power Operation | N | N | N | |
| AOI-24 | RCP Malfunctions During Pump Operation | 15.2.5 Partial Loss of Forced Reactor Coolant Flow; 15.4.4 Single Reactor Coolant Pump Locked Rotor | | | | |
| AOI-29 | Dropped or Damaged Fuel or Refueling Cavity Seal Failure | 15.4.5 Fuel Handling Accident | N | N | N | |
| AOI-31 | Abnormal Release of Radioactive Material | 15.3.5 Waste Gas Decay Tank Rupture | N | N | N | |
| AOI-33 | Steam Generator Tube Leak | 15.4.3 Steam Generator Tube Rupture | Y | Y | N | Incore - Used to determine cooldown temperature to stabilize plant conditions and monitored to control cooldown and maintain plant temperature. Control depressurization to maintain subcooling; Subcooling - control depressurization |
| AOI-35 | Loss of Offsite Power | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | N | N | N | |
| AOI-38 | Main Steam or Feedwater Line Leak | 15.3.2 Minor Secondary System Pipe Breaks | N | N | N | |
| E-0 | Reactor Trip or Safety Injection | | N | Y | N | Subcooling - Monitor plant conditions |
| E-1 | Loss of Reactor or Secondary Coolant | 15.3.1 Loss of Reactor Coolant From Small Ruptured Pipes Or From Cracks In Large Pipes Which Actuate The Emergency Core Cooling System; 15.3.2 Minor Secondary System Pipe Breaks; 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident); 15.4.2 Major Secondary System Pipe Rupture; 15.4.6 Rupture of A Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) | N | Y | Y | Subcooling - Check Safety Injection (SI) Reset Criteria, SI re-initiation criteria; RVLIS - Consult TSC for guidance |
| E-2 | Faulted Steam Generator Isolation | 15.4.3 Steam Generator Tube Rupture | Y | Y | N | Subcooling & Incore - Event Identification & Transition to other procedure |
| E-3 | Steam Generator Tube Rupture | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Event Identification & Transition to other procedure, Maintain >65°F during depressurization, Stop depressurization if <65°F, SI Termination criteria transition to ECA-3.1, Manual restart of Emergency Core Cooling System (ECCS) pumps following SI termination if <65°F due to loss of coolant condition and transition to ECA-3.1, CLA isolation criteria <65°F transition to ECA-3.1, Control RCS pressure maintain >65°F, Maintain >101°F prior to starting RCPs, Monitor natural circulation, dump steam to maintain cooldown; Incore - Stop RCS Cooldown, Maintain target temperature, Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs. |
| ECA-0.0 | Loss of Shutdown Power | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | Y | Y | N | Subcooling - Determine recovery instruction; Incore - Transition to SAMG |
| ECA-0.1 | Recovery From Loss of Shutdown Power Without SI Required | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | Y | Y | N | Subcooling - transition to recovery procedure, control PZR heaters based on indication, monitor natural circulation increase steam dump to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown |
| ECA-0.2 | Recovery From Loss of Shutdown Power With SI Required | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | N | N | N | |
| ECA-1.1 | Loss of RHR Sump Recirculation | NA | NA | NA | NA | Beyond design basis event recovery |
| ECA-1.2 | LOCA Outside Containment | NA | NA | NA | NA | Excluded by FSAR Chapter 15 DBE scope |
| ECA-2.1 | Uncontrolled Depressurization of All Steam Generators | | Y | Y | Y | Subcooling - SI Actuation Criteria, Natural Circulation cooling control, Align BIT injection path, initiate boration, SI re-initiation criteria; Incore - Natural Circulation cooling control; RVLIS - Control PZR Level |
| ECA-3.1 | SGTR and LOCA - Subcooled Recovery | 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident); 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Start RHR Pump, Natural Circulation cooling control, Start RHR pump, stop RCS depressurization, Close CLA isolation valves, SI re-initiation criteria; Incore - Natural Circulation Criteria; RVLIS - Control PZR Level |
| ECA-3.2 | SGTR and LOCA - Saturated Recovery | 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident); 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Start RHR Pump, Natural Circulation cooling control, Close CLA isolation valves; Incore - Natural Circulation cooling control, dump steam control, start ECCS pumps; RVLIS - SI re-initiation criteria, Control PZR Level, manually start ECCS pumps |
| ECA-3.3 | SGTR Without PZR Pressure Control | 15.4.3 Steam Generator Tube Rupture | N | N | Y | RVLIS - Branch to ECA-3.1, Manually start ECCS pumps as necessary (after manual stop), Close CLA isolation valves, Determine if RHR should be placed in service, SI re-initiation criteria |
| ES-0.0 | Rediagnosis | | N | N | N | |
| ES-0.1 | Reactor Trip Response | | Y | Y | N | Subcooling - SI Actuation Criteria, Natural Circulation Criteria; Incore - Natural Circulation Criteria |
| ES-0.2 | Natural Circulation Cooldown | | Y | Y | Y | Subcooling - Control RCS depressurization, SI re-initiation criteria; Incore - RCS depressurization; RVLIS - RCS pressure control |
| ES-0.3 | Natural Circulation Cooldown With Steam Void In Vessel (With RVLIS) | | Y | Y | Y | Subcooling - Steam dump control, Control RCS depressurization, SI re-initiation criteria; Incore - RCS depressurization; RVLIS - PZR level control, RCS pressure control |
| ES-0.4 | Natural Circulation Cooldown With Steam Void In Vessel (Without RVLIS) | | Y | Y | N | Subcooling - Steam dump control, SI re-initiation criteria; Incore - RCS depressurization |
| ES-1.1 | SI Termination | | Y | Y | Y | Subcooling - Manual restart of ECCS pumps following SI termination if <65°F due to loss of coolant condition and transition to ECA-3.1, Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-1.2 | Post LOCA Cooldown And Depressurization | 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident) | Y | Y | Y | Subcooling - RCS pressure control, Start of RHR pump, RCS depressurization control, Manual restart of charging pump or SI pumps, Monitor natural circulation, dump steam to maintain cooldown, SI re-initiation criteria; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-1.3 | Transfer To Containment Sump | | N | N | N | |
| ES-1.4 | Transfer To Hot Leg Recirculation | | N | N | N | |
| ES-3.1 | Post-SGTR Cooldown Using Backfill | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-3.2 | Post-SGTR Cooldown Using Blowdown | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-3.3 | Post-SGTR Cooldown Using Steam Dump | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| FR-0 | Status Trees | | Y | Y | Y | All - Core Cooling Status Tree FR-C, Attachment 1, page 2 of 8 directs to appropriate recovery instruction; RVLIS - Inventory Status Tree FR-I, Attachment 1, page 8 of 8 directs to appropriate recovery instruction. |
| FR-C.1 | Inadequate Core Cooling | | Y | Y | Y | All - Section 2.1 Symptoms and Entry Conditions; Incore - Determine if H2 recombiners should be placed in service, Depressurize S/Gs, Determine if RCPs should be started, Branch to SACRG-1, Severe Accident Control Room Guideline Initial Response; RVLIS - Monitor RWST Level, Depressurize S/Gs |
| FR-C.2 | Degraded Core Cooling | | Y | Y | Y | All - Section 2.1 Symptoms and Entry Conditions; Incore - Monitor RWST Level, If CLAs not injected, then inject; RVLIS - Monitor RWST Level, Determine if RCP should be stopped, If CLAs not injected, then inject, Depressurize S/Gs |
| FR-C.3 | Saturated Core Cooling | | Y | Y | Y | All - Section 2.1 Symptoms and Entry Conditions |
| FR-H.1 | Loss of Secondary Heat Sink | | Y | Y | Y | Subcooling - Transition to LOCA procedure; Incore - Establish condensate flow to a S/G, Establish RCS bleed and feed; RVLIS - Transition to LOCA procedure |
| FR-H.2 | Steam Generator Overpressure | | N | N | N | |
| FR-H.3 | Steam Generator High Level | | N | N | N | |
| FR-H.4 | Loss of Normal Steam Release Capabilities | | N | N | N | |
| FR-H.5 | Steam Generator Low Level | | N | N | N | |
| FR-I.1 | High Pressurizer Level | | N | N | N | |
| FR-I.2 | Low Pressurizer Level | | N | N | N | |
| FR-I.3 | Voids In Reactor Vessel | | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown, control steam flow to maintain stable RCS conditions, RX vessel vent termination criteria; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Start of CRDM, upper and lower containment cooler fans, Align CRDM dampers to the shroud, RX vessel vent termination criteria, Increase RCS pressure |
| FR-P.1 | Pressurized Thermal Shock | | N | Y | Y | Subcooling - Manual restart of RCPs, SI Reset, Manual restart of ECCS pumps following SI termination if <65°F, RCS depressurization control, Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Manual restart of RCPs, SI Reset |
| FR-P.2 | Cold Overpressure Condition | | N | N | N | |
| FR-S.1 | Nuclear Power Generation/ATWS | | Y | N | N | Incore - Transition to SAMG |
| FR-S.2 | Loss of Core Shutdown | | N | N | N | |
| FR-Z.1 | High Containment Pressure | | N | N | N | |
| FR-Z.2 | Containment Flooding | | N | N | N | |
| FR-Z.3 | High Containment Radiation | | N | N | N | |
Appendix 2 Chapter 15 Cross Reference to Abnormal and Emergency Operating Instructions
February 7, 2012

| Section | Title | Procedure | Title |
|---|---|---|---|
| 15.2.1 | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From A Subcritical Condition | AOI-2 | Malfunction of Reactor Control System |
| 15.2.2 | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal At Power | AOI-2 | Malfunction of Reactor Control System |
| 15.2.3 | Rod Cluster Control Assembly Misalignment | AOI-2 | Malfunction of Reactor Control System |
| 15.2.4 | Uncontrolled Boron Dilution | AOI-3 | Malfunction of Reactor Makeup Control |
| 15.2.5 | Partial Loss of Forced Reactor Coolant Flow | AOI-24 | RCP Malfunctions During Pump Operation |
| 15.2.6 | Startup of An Inactive Reactor Coolant Loop | | |
| 15.2.7 | Loss of External Electrical Load and/or Turbine Trip | AOI-17 | Turbine Trip |
| 15.2.8 | Loss of Normal Feedwater | AOI-16 | Loss of Normal Feedwater |
| 15.2.9 | Coincident Loss of Onsite and External (Offsite) AC Power To The Station - Loss of Offsite Power To The Station Auxiliaries | AOI-35 | Loss of Offsite Power |
| | | ECA-0.0 | Loss of Shutdown Power |
| | | ECA-0.1 | Recovery From Loss of Shutdown Power Without SI Required |
| | | ECA-0.2 | Recovery From Loss of Shutdown Power With SI Required |
| 15.2.10 | Excessive Heat Removal Due To Feedwater System Malfunctions | | |
| 15.2.11 | Excessive Load Increase Incident | | |
| 15.2.12 | Accidental Depressurization of The Reactor Coolant System | AOI-18 | Malfunction of Pressurizer Pressure Control System |
| 15.2.13 | Accidental Depressurization of The Main Steam System | | |
| 15.2.14 | Inadvertent Operation of Emergency Core Cooling System | | |
| 15.2.15 | Chemical And Volume Control System Malfunction During Power Operation | AOI-20 | Malfunction of Pressurizer Level Control System |
| 15.3.1 | Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks In Large Pipes Which Actuate The Emergency Core Cooling System | AOI-6 | Small Reactor Coolant System Leak |
| | | E-1 | Loss of Reactor or Secondary Coolant |
| 15.3.2 | Minor Secondary System Pipe Breaks | E-1 | Loss of Reactor or Secondary Coolant |
| 15.3.3 | Inadvertent Loading of A Fuel Assembly Into An Improper Position | | |
| 15.3.4 | Complete Loss of Forced Reactor Coolant Flow | | |
| 15.3.5 | Waste Gas Decay Tank Rupture | AOI-31 | Abnormal Release of Radioactive Material |
| 15.3.6 | Single Rod Cluster Control Assembly Withdrawal At Full Power | AOI-2 | Malfunction of Reactor Control System |
| 15.4.1 | Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident) | E-1 | Loss of Reactor or Secondary Coolant |
| | | ECA-3.1 | SGTR and LOCA - Subcooled Recovery |
| | | ECA-3.2 | SGTR and LOCA - Saturated Recovery |
| | | ES-1.2 | Post LOCA Cooldown And Depressurization |
| 15.4.2 | Major Secondary System Pipe Rupture | E-1 | Loss of Reactor or Secondary Coolant |
| 15.4.3 | Steam Generator Tube Rupture | AOI-33 | Steam Generator Tube Leak |
| | | E-2 | Faulted Steam Generator Isolation |
| | | E-3 | Steam Generator Tube Rupture |
| | | ECA-3.1 | SGTR and LOCA - Subcooled Recovery |
| | | ECA-3.2 | SGTR and LOCA - Saturated Recovery |
| | | ECA-3.3 | SGTR Without PZR Pressure Control |
| | | ES-3.1 | Post-SGTR Cooldown Using Backfill |
| | | ES-3.2 | Post-SGTR Cooldown Using Blowdown |
| | | ES-3.3 | Post-SGTR Cooldown Using Steam Dump |
| 15.4.4 | Single Reactor Coolant Pump Locked Rotor | AOI-24 | RCP Malfunctions During Pump Operation |
| 15.4.5 | Fuel Handling Accident | AOI-29 | Dropped or Damaged Fuel or Refueling Cavity Seal Failure |
| 15.4.6 | Rupture of A Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) | E-1 | Loss of Reactor or Secondary Coolant |