ML19092A403
| Person / Time | |
|---|---|
| Issue date: | 04/04/2019 |
| From: | Jason Paige NRC/NRR/DLP/PLPB |
| To: | |
| Paige J, NRR/DLP/PLPB, 415-1474 | |
| Shared Package | |
| ML19092A39 | List: |
| References | |
April 4, 2019 - Public Meeting on BTP 7-19 Revision 1
SUMMARY OF PREVIOUS D3 ASSESSMENTS FOR DIGITAL SYSTEMS (as of March 2019)
Scope of D3 Assessment (i.e., Design functions included)
Analytical Approach (Type of analysis: Best estimate, bounding consequences, human factors)
What existing Diversity was Credited? (Use of Auto or Manual, DAS or MOAs)
Outcomes (i.e., Identified need for new or additional diverse methods)
D3 Assessment Submittal (D3 Analysis page count)
Scope of NRC Review (Safety Evaluation page count)
Oconee
All RPS and ESPS Functions (Included voting functions)
BTP 7-19 D3 methodology postulated complete failure of all functions performed by entire system. Events were simulated using computer codes.
Non-LOCA analyses used the same conservative considerations as the ONS UFSAR analysis.
LOCA analyses used realistic assumptions for boundary conditions.
Diverse Manual Controls to support MOAs
13 out of 17 functions did not require additional diverse actuation capability.
Analog DAS for only two protective functions:
- DHPIAS
- DLPIAS
ML030920676 (56 pages)
NRC performed a safety evaluation of the D3 analysis to verify adequate diversity for all analyzed events.
This was a separate submittal, which preceded the LAR.
The SE was updated in 2009 to include evaluation of the DHPIAS. 16 different events were analyzed using the methodology defined in the assessment.
Analysis results were placed into five categories.
The staff's evaluation included review of each transient and accident event analyzed in the Oconee UFSAR.
(ML060340449, Approved 2/3/2006)
(11 pages)
(ML090510384, Approved 2/23/2009) (13 pages)
Wolf Creek
MSFIS Functions
The licensee used ISG-02, Diversity and Defense-in-Depth Issues to evaluate that the internal diversity of the ALS platform is sufficient to address CCF.
The licensee evaluated transients and accidents that required the MSFIS controls for mitigation.
Internal diversity of the ALS platform.
No DAS needed. ALS portion of system credited for internal diversity.
ALS Diversity Analysis ML090270428 (37 pages)
MSFIS D3 Assessment ML090270825 (12 pages)
NRC reviewed the D3 analysis as part of the license amendment, so a separate SE was not prepared.
The staff's evaluation included review of the ALS diversity analysis.
(ML090610317, Approved 3/31/2009) (D3 Analysis - 3 pages).
Diablo Canyon
All functions performed by the existing Eagle 21 PPS. (Excluded SSPS voting functions).
The licensee used the D3 methodology described in BTP 7-19. It postulated hard failure of all functions performed by entire system.
Functions requiring DAS were allocated to ALS portion of the system.
No DAS needed. ALS portion of system credited for internal diversity.
ML101100648 (78 pages)
NRC performed a safety evaluation of the D3 analysis.
This was a separate submittal which preceded the LAR.
(ML110480845, Approved 4/19/2011) (27 pages).
Signals Requiring Diversity:
- PZR Pressure
- RC Flow
- Containment Pressure
Hope Creek
PRNMS Functions
Limited Scope D3 analysis performed in conjunction with LAR review.
MOA
No DAS Needed. MOA functions credited.
Appendix I of LAR.
ML15265A224 (20 pages)
NRC included an evaluation of the D3 analysis in its LAR safety evaluation.
Events that credited stability protection functions were analyzed using methodology defined in the assessment.
Complete loss of stability protection was postulated in the analysis.
The NRC staff's evaluation determined that indicators and control functions to be used for performing MOAs were independent and diverse from the digital PRNMS system. Licensee also demonstrated capability of operators to perform required MOAs within allotted time.
(4 pages, Section 3.4 of SE).
Browns Ferry
Core Stability Protection Function MELLLA-Plus
Limited Scope D3 analysis performed.
Postulated loss of core stability trip functions due to software CCF.
MOA
No DAS Needed. MOA functions credited.
Section 2.4.1.1 of the LAR ML18079B140 (3 pages)
NRC performed an evaluation of D3 analysis. This evaluation determined that indicators and control functions to be used for performing MOAs were independent and diverse from the digital PRNMS.
Licensee also demonstrated capability of operators to perform required MOAs within allotted time.
(3 pages, Section 3.2 of the SE. Amendment in progress).
Monticello
Core Stability Protection Function Extended Flow Window (EFW)
Limited Scope D3 analysis performed.
Postulated loss of EFW trip functions due to software CCF.
MOA
No DAS Needed. MOA functions credited.
Provided as response to RAIs (4 pages)
NRC performed an evaluation of D3 analysis. This evaluation determined that indicators and control functions to be used for performing MOAs were independent and diverse from the digital PRNMS system. Licensee also demonstrated capability of operators to perform required MOAs within allotted time.
(7 pages).
New Reactors and Design Certifications
AP1000 DCA
Unknown what functions were analyzed.
PRA-based analysis for selecting DAS functions.
N/A (This column is not evaluated for new reactors because the plant design basis is being established, so no existing diversity is credited).
- Auto DAS provided (FPGA-based system).
Hardwired system-level manual actuation switches also provided on a separate panel.
AP1000 D3 Technical Report (39 pages)
The SER cited the WCAP-13793, AP600 System/Event matrix, which describes how multiple levels of defense exist for each type of analyzed event.
The DAS was credited as providing the reactor protection functions for every event analyzed in this technical report.
The SER stated that this report is applicable to the AP1000 and therefore the D3 analysis of the AP1000 is acceptable. See Section 7.1.6 of SER (4 pages).
Vogtle 3&4 COL
Same as AP1000 DCA
PRA-based analysis for selecting DAS functions (based on AP1000 DCA).
N/A
Same as AP1000
Same as AP1000 DCA
ITAAC closure needed for DAS development process activities and outputs and for DAS diversity attributes.
APR-1400 DC
All functions performed by the plant protection system (PPS), including all RT trip functions, SI actuation, containment isolation actuation, containment spray actuation, main steam isolation, and aux. feedwater actuation.
Both spurious actuation and loss of function were analyzed.
Full D3 analysis using best estimate methods.
N/A
- Automatic diverse protection system (DPS) (FPGA-based) provided as part of the DAS. The DAS includes hardwired system-level manual actuation switches.
- Diverse Indication System (FPGA-based) provided as part of the DAS.
- For the postulated spurious actuations analyzed, none resulted in a plant response or consequence that created conditions which were not bounded by the plant safety analysis.
A D3 Technical Report (78 pages) and a Coping Analysis Technical Report (119 pages) were submitted.
NRC performed an evaluation of the D3 analysis. The staff's evaluation included review of each event analyzed in the Coping Analysis Technical Report and the DAS design to verify adequate diversity. (The SE of the D3 analysis is approximately 30 pages.)
ESBWR DC
The D3 evaluation included all functions credited in the safety analysis. The evaluation also included potential for inadvertent (spurious) actuation and the design features to address them, including segmentation of the distributed control system.
Full D3 Analysis using Best Estimate Analysis
N/A
A triple-redundant Diverse Protection System is provided that includes both automatic and manual functions.
A D3 Licensing Topical Report was submitted, which includes a D3 analysis that follows the guidance of NUREG/CR 6303. This report is 87 pages.
NRC performed an evaluation of the D3 analysis. (The SE of the D3 analysis, including the potential for spurious is approximately 21 pages).
NuScale DCA (Review in Progress)
All functions performed by the Module Protection System (MPS) are analyzed. The MPS is the only safety-related digital I&C system.
Both spurious actuation and loss of function were analyzed.
Full D3 Analysis using Best Estimate Methods. The evaluation included the sensor block as well as the safety block.
N/A
No DAS Needed. MPS includes internal diversity.
All postulated digital CCFs of identical portions of the MPS (including sensors) concurrent with a DBE did not violate the primary coolant pressure boundary, or result in radiation release exceeding 10 CFR Part 100 limits.
For the postulated spurious actuations analyzed, none resulted in a plant response or consequence that created conditions which were not bounded by the plant safety analysis.
D3 Analysis (24 pages)
SER with Open Items, but it did not identify any open items for D3 assessment. The SER with open items evaluation on the D3 assessment, including the spurious actuation analysis (D3 portion is 21 pages).
TOPICAL REPORTS
SSPS Topical Report
Precluded CCF from further consideration by test and analysis showing that all applicable functions were thoroughly tested.
Westinghouse performed an analysis of all the circuits on the CPLD using the appropriate vendor supplied tool, with the intention of demonstrating that the testing that was already performed (See TR Section 5) met the testability criteria in BTP 7-19, Section 1.9(2), to eliminate consideration of CCF.
Existing functional diversity was maintained.
No DAS Needed
The analyses and testing were sufficiently rigorous and complete to allow the NRC staff to conclude that no further consideration of CCF.
Section 3.6 of the SE is less than one page long and evaluates the D3 assessment that was included in Section 6, 7, & 9.4 of the topical report.
Analysis demonstrated that not all possible sequences were tested. Further, it included additional information that shows the untested sequences did not need to be tested since they were functionally irrelevant.