ML19297D159


Publicly Available - Vogtle Electric Generating Plant Units 3 and 4 Safety Evaluation (LAR 19-001)
ML19297D159
Person / Time
Site: Vogtle  
Issue date: 11/21/2019
From: Jennivine Rankin
NRC/NRR/VPOB
To:
References
EPID L-2019-LLA-0064, LAR 19-001


Text

OFFICIAL USE ONLY - PROPRIETARY INFORMATION

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NOS. 168 and 166 TO THE COMBINED LICENSE NOS. NPF-91 AND NPF-92, RESPECTIVELY

SOUTHERN NUCLEAR OPERATING COMPANY, INC.
GEORGIA POWER COMPANY
OGLETHORPE POWER CORPORATION
MEAG POWER SPVM, LLC
MEAG POWER SPVJ, LLC
MEAG POWER SPVP, LLC
CITY OF DALTON, GEORGIA

VOGTLE ELECTRIC GENERATING PLANT UNITS 3 AND 4

DOCKET NOS. 52-025 AND 52-026

1.0 INTRODUCTION

By letter dated March 25, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19084A309), and supplemented by letter dated October 7, 2019 (ADAMS Accession No. ML19280E414), the Southern Nuclear Operating Company (SNC or the licensee) submitted License Amendment Request (LAR) 19-001 requesting that the U.S. Nuclear Regulatory Commission (NRC or Commission) amend Vogtle Electric Generating Plant (VEGP) Units 3 and 4, Combined License (COL) Numbers NPF-91 and NPF-92, respectively. The licensee proposed changing COL Appendix A, which contains the plant-specific technical specifications (TS), and related information in the Updated Final Safety Analysis Report (UFSAR). The licensee proposed removing from TS certain manual surveillance requirements (SRs) to be performed on Protection and Safety Monitoring System (PMS) components. These are SRs requiring manual Channel Checks, Channel Operational Tests (COTs), Actuation Logic Tests (ALTs) and Actuation Logic Output Tests (ALOTs).

Additionally, the licensee requested a change to the approach for satisfying the SRs that verify the Reactor Trip System (RTS) and Engineered Safety Features (ESF) Response Times are within specified limits. Specifically, SNC requested NRC approval of a method described in the LAR for choosing assumed time intervals for the digital time response (allocated response times) of PMS equipment to process sensor input signals using digital logic and generate an actuation signal to the actuated device. These allocated time intervals would conservatively bound the time intervals measured during past manual testing of PMS equipment. The licensee would use these allocated response times instead of measured response times as part of determining the RTS and ESF Response Times, which include the measured response time of the instrument sensor channel to provide an input signal to the PMS digital logic and the measured response time for the actuated device to reposition to its safety position (e.g., the closing of a valve, the opening of a breaker), as well as the PMS digital time response. The licensee has not proposed any change to the approved PMS design.

The supplement dated October 7, 2019, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the NRC staff's original proposed no significant hazards consideration determination as published in the Federal Register on May 7, 2019 (84 FR 19972).

2.0 REGULATORY EVALUATION

The staff considered the following regulatory requirements and guidance in reviewing the plant-specific TS and UFSAR changes proposed by SNC in LAR 19-001, as supplemented:

Title 10 of the Code of Federal Regulations (10 CFR) Part 52, Appendix D, Section VIII.B.5.a allows a licensee who references this appendix to depart from Tier 2 information, without prior NRC approval, unless the proposed departure involves a change to or departure from Tier 1 information, Tier 2* information, or the TS, or requires a license amendment under paragraphs B.5.b or B.5.c of the section.

10 CFR Part 52, Appendix D, Section VIII.C.6 states that after issuance of a license, "Changes to the plant-specific TS will be treated as license amendments under 10 CFR 50.90." 10 CFR 50.90 addresses the application for amendment of license, construction permit, or early site permit. Since the licensee wants to depart from Tier 2 information that involves changes in the plant-specific TS, it must submit a LAR for NRC approval of the desired changes to TS and departures from the associated Tier 2 information in the UFSAR.

10 CFR 50.36, TS impose limits, operating conditions, and other requirements upon reactor facility operation for the public health and safety. The TS are derived from the analyses and evaluations in the safety analysis report. Section 50.36(c) provides, in part, that TS include limiting conditions for operation, SRs, and administrative controls.

Section 50.36(c)(2) states that "[l]imiting conditions for operation are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When a limiting condition for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the technical specifications until the condition can be met." Section 50.36(c)(3) states that "[s]urveillance requirements are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met."

10 CFR 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants requires that licensees apply a quality assurance (QA) program to the design, fabrication, construction, and testing of structures, systems, and components.

The following are the specific NRC technical requirements applicable to LAR 19-001:

  • General Design Criteria (GDC) 21, Protection System Reliability and Testability, requires, in part, that the protection system be designed to permit its periodic testing during reactor operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

10 CFR 50.55a(h), Protection and Safety Systems, states, in part, that, protection systems must meet the requirements in IEEE [Institute of Electrical and Electronics Engineers] Standard 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. Specifically, Clause 5.7, Capability for Test and Calibration of IEEE Std 603-1991 relevant to this LAR states, in part, that capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Clause 6.5, Capability for Testing and Calibration, which is also relevant to this LAR, states, in part, that means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. Clause 4.10.2, in part, requires that the critical points in time after the onset of a design basis event are defined for completion of the safety function.

10 CFR 50.120, Training and qualification of nuclear power plant personnel, states that the training program must incorporate the instructional requirements necessary to provide qualified personnel to operate and maintain the facility in a safe manner in all modes of operation.

The following are the specific NRC guidance documents applicable to LAR 19-001:

NUREG-0800, Standard Review Plan (SRP), Branch Technical Position (BTP) 7-17, Guidance on Self-Test and Surveillance Test Provisions. Though not a part of the VEGP Units 3 and 4 licensing basis, the LAR addresses the acceptance criteria in BTP 7-17, which in part states that self-test functions should be verified during periodic functional tests.

NUREG-0800, SRP Chapter 13 addresses, Conduct of Operation; specific sub-chapters considered in this review were Chapters 13.2.1, Reactor Operator Requalification Program; Reactor Operator Training, Revision 3, and 13.5.2.1, Operating and Emergency Operating Procedures, Revision 2. Chapter 18, Revision 2, provides review guidance for Human Factors Engineering.

In the LAR, SNC proposed the following changes to the plant-specific TS related to SRs for PMS equipment that implements instrumentation and actuation logic functions of the RTS and the ESF Actuation System (ESFAS), and post accident monitoring (PAM) instrumentation:

Most SRs requiring a manual Channel Check to be performed on PMS components are proposed to be removed from the TS. This involves removing SR 3.3.1.1, SR 3.3.10.1, SR 3.3.11.1, SR 3.3.13.1, SR 3.3.14.1, and SR 3.3.20.1; removing the Mode 1 applicability of SR 3.3.3.1 and SR 3.3.17.1 to RTS intermediate range neutron flux channels; removing the applicability of SR 3.3.8.1 for most ESFAS Functions listed in Table 3.3.8-1; removing the applicability of SR 3.3.17.1 for most PAM Functions listed in Table 3.3.17-1; and appropriate relabeling of remaining subsequent SRs and references to them in Table 3.3.1-1, Table 3.3.20-1, and Limiting Condition for Operation (LCO) 3.2.3 Note 4.

SRs requiring a manual COT to be performed on PMS components are proposed to be removed from the TS. This involves removing SR 3.1.8.1, SR 3.3.1.6, SR 3.3.1.7, SR 3.3.2.2, SR 3.3.3.2, SR 3.3.8.2, SR 3.3.10.2, SR 3.3.11.2, SR 3.3.13.2, SR 3.3.14.2, and SR 3.3.20.3; and appropriate relabeling of remaining subsequent SRs and references to them in Table 3.3.1-1 and Table 3.3.20-1. In addition, TS Subsection 5.5.14, Setpoint Program (SP), was modified to delete the reference to the COT.

Most SRs requiring a manual ALT to be performed on PMS components (excluding the Automatic Depressurization System (ADS) and In-containment Refueling Water Storage Tank (IRWST) Injection Blocking Device) are proposed to be removed from the TS. This involves removing SR 3.3.4.1; clarifying the Subsection 3.3.4 Surveillance Requirements Table Note; removing SR 3.3.6.1, SR 3.3.15.1, and SR 3.3.16.1; appropriate relabeling of remaining subsequent SRs and references to them in Table 3.3.4-1; removal of Subsection 3.3.19 Required Action C.1, which references the ALT of removed SR 3.3.15.1, and relabeling Required Action C.2 as C.1.

All SRs requiring a manual ALOT to be performed on PMS components are proposed to be removed from the TS. This involves removing the ALOT defined term and definition in TS Section 1.1; removing SR 3.3.15.2, and SR 3.3.16.2, and appropriate relabeling of remaining subsequent SRs.

A change is proposed in the licensing basis approach for satisfying the SRs that verify the RTS and ESF Response Times, which are terms defined in TS Section 1.1, are within specified limits. Specifically, SNC requested NRC approval of a method described in the LAR for choosing allocated response times for the PMS equipment.

The licensee proposed to use these allocated time intervals in determining the RTS and ESF Response Times in lieu of time intervals measured during manual testing of PMS equipment. Except for relabeling, response time SRs are not changed. As relabeled, these are SR 3.3.1.8, SR 3.3.2.3, SR 3.3.3.3, SR 3.3.4.1, SR 3.3.8.3, SR 3.3.10.2, SR 3.3.11.2, SR 3.3.13.2, and SR 3.3.14.2.

In the LAR, the licensee also proposed changes to the UFSAR (and clarifying additions to the TS Bases, which were only provided for information to facilitate the staff's review) to document the licensing basis criteria for establishing reasonable assurance of operability of PMS equipment that relies on the credited built-in and application-specific self-diagnostic capabilities of the PMS, in lieu of the manual SRs being removed, to meet the intent of 10 CFR 50.36(c)(3).

A comprehensive list of proposed technical and administrative changes in the plant-specific TS, and key clarifications to TS Bases, is provided in Table 1 in Appendix A of this safety evaluation (SE).

3.0 TECHNICAL EVALUATION

3.1 Overview of the PMS Design

The PMS digital equipment and application software implements instrumentation and actuation logic functions for the RTS and the ESFAS.

The Background sections of plant-specific TS Bases Subsections B 3.3.1 and B 3.3.8 together describe each of the four divisions of PMS reactor trip (RT) and ESF functions as consisting of:

(1) RT and ESF Instrumentation Functions

  • Field Transmitters and Sensors (non-redundant within a division)

  • Nuclear Instrumentation System (NIS) - one per division (non-redundant)

  • Bistable Processor Logic (BPL) System - two BPL subsystems per division (redundant)

Each division's BPL subsystem receives monitored parameter sensor signal inputs for the ESF and RT Functions it implements. Each BPL subsystem takes the divisional sensor analog signal input, converts it to a digital signal, and compares it to the actuation or trip setpoint value in the BPL subsystem's memory. If the digital signal for a monitored variable exceeds the setpoint, the BPL subsystem sends a partial trip signal to the two redundant Local Coincidence Logic (LCL) subsystems in each of the four PMS divisions.

A channel of an RT or ESF instrumentation function in a PMS division includes just one redundant BPL subsystem; that is, a channel is synonymous with a BPL subsystem.

Each of the four PMS divisions requires just one of the two redundant processors (or subsystems) to function. Therefore, LCO 3.3.1 and LCO 3.3.8, which typically require four channels of each instrumentation Function to be operable, are satisfied even if one of the redundant BPL subsystems in each PMS division is out of service.

An RT or ESF instrumentation channel extends from the process sensor to the output of the associated BPL subsystem and includes the sensor (or sensors), the signal conditioning, the BPL subsystem, and associated datalinks to the eight LCL subsystems.

For RT channels containing nuclear instrumentation, the RT channel also includes the signal processing and power supplies for the neutron flux detectors provided by the NIS.

Some LCL inputs are valve and breaker position status signals.

(2) RT Actuation Logic Functions (The PMS boundary ends at the interposing relay contact inputs (only used by the manual trip switches) to the Reactor Trip Matrices (RTMs))

  • LCL System - (( ))

  • Reactor Trip Initiation Logic - (( )). Each RTM acts as an interface between the LCL subsystems and the Reactor Trip Breakers (RTBs). The RTM receives contact inputs from the LCL subsystems and performs the logic to determine if a division will issue a reactor trip command. (( )).

  • RTBs - 2 per division (non-redundant)

The LCO section of plant-specific TS Bases Subsection 3.3.4, RTS ESFAS Instrumentation, states, "[t]his LCO provides requirements for the automatic inputs from the Engineered Safety Feature Actuation System (ESFAS) to the RTS." (( ))

1. Safeguards Actuation Input from ESFAS - Automatic
2. ADS Stages 1, 2 and 3 Actuation Input from ESFAS - Automatic
3. Core Makeup Tank (CMT) Actuation Input from ESFAS - Automatic

These ESF LCL output actuation signals serve as partial trip signals to the two LCL subsystems in each RTS Automatic Trip Logic division.

The LCO section of plant-specific TS Bases Subsection B 3.3.6, RTS Automatic Trip Logic, states, "[t]he automatic trip logic includes the Engineered Safety Features (ESF) coincidence logic and the voting logic." It also states, "[t]he LCO requires four divisions of RTS Automatic Trip Logic to be OPERABLE. Four OPERABLE divisions are provided to ensure that a random failure of a single logic channel will not prevent reactor trip."

(3) ESF Actuation Logic Functions (The PMS boundary ends at the output terminals of the CIMs)

  • LCL System - (( )).

  • ESF Actuation Subsystem Logic (Integrated Logic Cabinet (ILC)) with ILP System - (( ))

The LAR proposed to remove TS manual SRs specified for the PMS instrumentation and actuation logic functions by crediting the PMS continuous self-diagnostic functions and the PMS application software. Also included are the self-diagnostic features of the ILC field programmable gate array (FPGA) platform, which is used for the SRNCs and the CIMs. (( )).

3.2 Summary of PMS operability and SRs

For each PMS-related LCO for RTS and ESFAS automatic Functions, TS Section 3.3 provides a TS subsection that requires the operability of four PMS divisions, with exceptions where fewer divisions are required; for example, the IRWST and Spent Fuel Pool Level Instrumentation, which supports the Spent Fuel Pool Cooling System Containment Isolation Valves, are required to be operable for automatic closure by both LCO 3.6.3 (in Modes 1, 2, 3, and 4) and LCO 3.7.13 (in Mode 6 with refueling cavity and spent fuel pool volumes in communication). In addition, LCO 3.3.17 only requires two divisions of accident monitoring instrumentation to be operable.

(( )).

So, the expected PMS configuration is to maintain operability of all processor redundancies in each division. This means ensuring that applicable SRs will continue to be met for both subsystems in each BCC and ILC in each PMS division. Consistent with this expectation, the PMS self-diagnostic functions automatically and continuously monitor the proper operation of the PMS digital components, including each redundant subsystem, and provide adequate assurance of PMS operability. The SRs currently specified for the PMS RT and ESF instrumentation, logic, and actuation functions implement the following TS Section 1.1 defined tests for the listed PMS subsystems, for which the licensee proposes crediting self-diagnostics for assuring PMS operability:

CHANNEL CHECK - manually perform inter-divisional comparison of each RT and ESFAS function monitored parameters sensor digital input value (following analog to digital (A/D) conversion) as indicated in the 8 BPL modules.

CHANNEL OPERATIONAL TEST (COT) - for each RT or ESF instrumentation function, manually verify RT or ESFAS setpoint value in BPL digital memory in each division, and exercise the BPL bistable (or comparison) logic and the resulting interdivisional communication of partial trip signals to the RT or ESF coincidence logic (LCL inputs) in all divisions.

ACTUATION LOGIC TEST (ALT) - for each RT or ESF instrumentation Function, manually exercise all RT or ESF coincidence logic paths in the 8 LCL modules for each RT or ESF actuation Function, including BPL partial trip signal inputs and LCL (voting logic result) trip output signals to RT initiation logic, the RTMs. Each LCL subsystem contains two contact outputs to the UV RTM and two contact outputs to the ST RTM.

For ESF actuation signals, manually exercise the resulting communication of the LCL output to the two ILP inputs in the associated ILC. For RT actuation signals, manually exercise the resulting communication of the LCL output to the two RTMs for each of the two divisional RTBs.

ACTUATION LOGIC OUTPUT TEST (ALOT) - for each ESF actuation device (valve actuator circuit, reactor coolant pump circuit breaker trip mechanism, or pressurizer heater circuit breaker trip mechanism) of each automatic ESF component, manually exercise the ILP and SRNC logic and the CIM logic, including the ESF actuation signal input to the ILP, the resulting communication between the ILP and SRNC, between the SRNC and the CIM, and between the CIM and the ESF component, including the CIM output command signal.

The other SRs currently specified for the PMS RT and ESF instrumentation, logic, and actuation functions implement the following TS Section 1.1 defined tests for the listed RT and ESF subsystems, for which self-diagnostics are not provided, or cannot be effectively used:

CHANNEL CALIBRATION - for each PMS instrumentation Function, manually verify the process sensor and transmitter output signal to the BPL, and the BPL A/D convertor output signal, are adjusted to ensure the digital signal input to the BPL trip bistable processor is within the calibration tolerance specified by the SP, and that the nominal trip setpoint (NTSP) value in the BPL memory matches the value specified in the SP.

TRIP ACTUATING DEVICE OPERATIONAL TEST (TADOT) - for each automatic RTS and ESF component, manually exercise (or operate) the actuation device. A TADOT is also usually specified for verifying the functioning of manual switches for initiating the opening of RTBs and actuation of ESF components and end devices, including diverse actuation system (DAS) manual controls.

TS Subsection 3.3.1, Table 3.3.1-1, RTS Instrumentation Function 12, Passive Residual Heat Removal (PRHR) Actuation, requires four channels of valve position indication for each of the two PRHR heat exchanger (HX) discharge isolation valves to be operable in Modes 1 and 2. These valves are used to actuate the PRHR system. Two of four channels indicating open on either valve results in an LCL reactor trip output signal in each PMS division, causing the RTBs to open. Instead of a COT to exercise the valve position indicator contacts that initiate input signals to each RT LCL module, a TADOT is specified (SR 3.1.1.10), which is appropriate because there are no setpoints associated with valve position indication contacts. This SR is retained because no PMS self-diagnostic functions are provided that verify the functioning of the PRHR HX discharge isolation valve position indication contacts. Similarly, a TADOT is specified for RTB open-position contacts (P-4 interlock).

RTS RESPONSE TIME - the definition states, in part, that time interval from when the monitored parameter exceeds its RTS trip setpoint at the channel sensor until loss of gripper coils voltage. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured.

ESF RESPONSE TIME - the definition states, in part, that time interval from when the monitored parameter exceeds its actuation setpoint at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions). The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured.

The PMS-related LCO operability requirements are unchanged by this LAR; but the LAR presents a case for removing certain PMS SRs currently specified to assure the LCOs are met, for which equal or greater assurance can be provided by the PMS self-diagnostic functions alone.

3.3 Technical Evaluation of the PMS Self-Diagnostic Functions, Quality Assurance and Human Factors Considerations

3.3.1 Evaluation of the PMS Self-Diagnostic Functions

The primary objective of periodically conducting SRs on the PMS components is to assure their operability. The NRC staff's evaluation of the proposed TS changes is to verify that: 1) the PMS self-diagnostic functions being credited can adequately demonstrate operability of all the components covered by the SRs; 2) the PMS self-diagnostic functions execute deterministically and alarm all detected faults; and 3) the quality of the built-in PMS self-diagnostic functions meets 10 CFR Part 50, Appendix B requirements on QA. Acceptability of the proposed methodology for using allocated response times for the PMS racks to meet the SRs for the overall response time tests (RTTs) is evaluated below.

3.3.1.1 Evaluation of PMS Self-Diagnostic Functions - Capabilities

For the Common-Q based subsystem of the PMS, there are a variety of self-diagnostic and supervisory functions. These self-diagnostic functions are performed by the PMS Common-Q processor, input-output (I/O), and communication modules, which continuously monitor logic operability and alert the operator of any PMS equipment failure. Each of the PMS Common-Q modules has built-in self-diagnostic functions. The Common-Q platform self-diagnostic functions continuously monitor the fidelity of the read-only memory (ROM), which holds the application software that implements the PMS functional logic and the condition of all Common-Q digital components.

The PMS Common-Q processor module monitors the complete system by collecting all the diagnostic information from other modules and checking the consistency of the hardware configuration with the application software installed. The functions of the processors are monitored both during power-up and during normal operations. The self-diagnostic functions continue checking operation without delaying or influencing the execution of the processor safety functions. (( )).

The Common-Q platform has diverse means to detect and report the system faults, which include (( )). Faults, which are detected by the PMS Common-Q platform self-diagnostic functions, are annunciated to the operator in the main control room (MCR).

Operability of the Common-Q self-diagnostic functions is also confirmed by the CRC checks of the PMS system software, which is monitored and verified for its completion within the allotted cycle time. Functionality of some Common-Q hardware-based internal self-diagnostic functions is confirmed by the external, supervisory tests. Hardware diagnostics, such as RAM check, etc., within the PMS processors without the supervisory tests are diverse to other diagnostics detecting the same failures. Therefore, there is a confirmatory mechanism in the Common-Q platform to verify that its own self-diagnostic functions operate as designed.

The Common-Q processor's memory contents are continuously confirmed by the PMS self-diagnostic functions. This assures the integrity of the system software, application software, and data stored in memory. (( )).

In addition to the above platform or system level self-diagnostic functions, the PMS for VEGP is also designed with application-specific self-diagnostic functions. The applicable application-specific self-diagnostic functions credited in support of this LAR include automatic continuous inter-divisional (( )). The inter-channel check is designed to compare the sensor input signals for each of the four redundant PMS divisions to be (( )). The application-specific alarms and annunciation are designed to periodically transmit the self-diagnostic information for the PMS components and application software to the ITP first and then to the MTP by AF100 network in the MCR. The MTP can also transmit the self-diagnostic information to the non-safety display system.

The FPGA-based CIM and SRNC subsystem uses a series of self-diagnostic functions to detect any faults within the subsystem of the PMS. These self-diagnostic functions include a self-diagnostic logic test, a built-in self-test (BIST), an output continuity test, and redundant core checking. The CIM in the AP1000 design also receives commands from the non-safety-related process control system; therefore, self-diagnostic of this non-safety signal path is also provided.

(( )).

The built-in self-diagnostic functions of the PMS are designed to the same standards as the safety-related parts of the PMS; however, the self-diagnostic functions do not perform any safety functions. The PMS architecture contains four redundant, independent divisions designed to perform the safety functions. Additional redundancy is provided within each division of the PMS. Each of the four PMS divisions performs independent self-diagnostic functions. In addition, execution of safety functions has higher priority than the self-diagnostic functions.

Under highly unlikely circumstances, if one PMS division fails because of a failure in its self-diagnostic features, the other three PMS divisions are still available to perform the safety functions. Because the DAS implemented in VEGP Units 3 and 4 provides a diverse backup to the PMS, the impact of common-cause failure in the PMS is mitigated. This extends to failure of the self-diagnostic functions of the PMS. Moreover, failure of a self-diagnostic function is unlikely to impair the safety function of the affected division. Therefore, the NRC staff finds that there is reasonable assurance that failure of a credited PMS self-diagnostic function will not prevent the PMS from performing its safety functions.

The PMS was originally designed with self-diagnostic functions, which are built into the PMS and its components. As stated above, the PMS self-diagnostic functions consist of many automatic, continuous self-checks to demonstrate operability of the PMS hardware and software. These self-diagnostic functions also detect most credible faults in the PMS and produce alarms accordingly. For faults which are not detected by the self-diagnostics, the SRs are retained. Any failure of a self-diagnostic feature will also be detected and alarmed. All faults and errors are logged in the PMS processor memory, which can be retrieved and evaluated according to the plant operating procedures. Such records and their evaluations can also be used to identify and assess adverse trends in the condition of the PMS and alert plant staff to take corrective action before a fault occurs. Therefore, the NRC staff finds that the PMS self-diagnostic functions continuously monitor operability of the PMS components covered by the referenced manual PMS-related SRs and alert the operator of any failures.

3.3.1.2 Evaluation of PMS Self-Diagnostic Functions - Deterministic Performance

During both the LAR safety review and the audit, the NRC staff focused on determining if the self-diagnostic functions of the Common-Q based PMS subsystem execute deterministically.

The current manual TS SRs for the PMS components are performed for channel check, COT, ALT, and ALOT. The current manual SRs require the PMS division under test to be in bypass mode, resulting in less than full redundancy. By contrast, the PMS self-diagnostic functions execute continuously and do not require the PMS channel under test to be bypassed. In addition, automatic self-diagnostic minimizes risks associated with potential human errors in performing manual surveillance tests. Considering these factors, the NRC staff concludes that the removal of manual SRs for the channel check, COT, ALT, and ALOT could potentially reduce the risk associated with the PMS manual surveillance testing.

Based on the supplemented LAR, which states, in part, (( )).

Based on the above evaluation of the self-diagnostics testing performance, and the PMS CPU being limited to 70% loading, the NRC staff determines that the Common-Q self-diagnostic functions execute deterministically and generate appropriate system response, should a self-diagnostic function fail to execute or complete satisfactorily.

3.3.1.3 Evaluation of PMS Self-Diagnostic Functions - Quality

Quality of the PMS was evaluated by the NRC staff as a part of the AP1000 design certification, which incorporates by reference the Common-Q platform Topical Report WCAP-16097-P-A, Revision 3. WCAP-15927 describes the design processes used in implementing the Common-Q portion of the AP1000 PMS. The certified AP1000 design does not take credit for the PMS self-diagnostic functions for meeting TS SRs. Therefore, during the AP1000 design certification application review, the NRC staff did not specifically evaluate the quality of the PMS self-diagnostic functions. As a part of this LAR review, the NRC staff evaluated quality of the built-in PMS self-diagnostic function. Further evaluation of QA on the built-in PMS self-diagnostic functions is provided in Section 3.3.3 of this SE.

During the LAR audit, the NRC staff reviewed documents, obtained from Westinghouse Electric Company LLC (WEC) Germany (WEG), related to qualification of the Common-Q based safety system for the Oskarshamn 1 Project. The Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Final Quality Assessment and Justification (FQAJ) Report describes shortcomings of an earlier version of the Advant controller (a predecessor to AC160 controller used in the PMS). This FQAJ report describes an issue related to self-diagnostic function that was discovered during testing. ((

)). The NRC staff also reviewed a sample of the test cases described in the FQAJ report utilized during the Oskarshamn qualification and concluded that the self-diagnostic functions operate as designed.

Results of the overall testing program for the AC160 microprocessor, including built-in self-diagnostic functions, are summarized in the FQAJ report. This report concludes that the Product Software Qualification of the AC160 product is suitable for use in the O1 MOD project for Category A Instrumentation and Control (I&C). While the NRC regulations do not consider the International Atomic Energy Agency/International Electrotechnical Commission Category A safety classification, it is comparable to the NRC's safety-related classification. The NRC staff's review of the FQAJ report enabled the NRC staff to better understand design and testing of the Common-Q platform self-diagnostic functions. Therefore, because of the equivalence of the two safety classifications, the NRC finds there is reasonable assurance that the self-diagnostic functions of the Common-Q based PMS subsystem will perform as designed.

The AC160 controllers in the PMS use a real-time operating system ((

)). The

((

)) operating system executes the control units of the application program, self-diagnostic functions, and communication interfaces. During the LAR audit, the NRC staff determined that the anomalies identified in the ((

)) operating system during the qualification process of the Common-Q platform were adequately addressed and resolved.

During the LAR audit, the NRC staff reviewed document 6105-00021, CIM SRNC IV&V Simulation Environment Specification, and verified that there are independent validation and verification testing requirements specified for the CIM-SRNC self-diagnostic functions, ((

)). The NRC staff also reviewed documents WNA-TP-04019-GEN, Revision 2, CIM SRNC Subsystem Test Procedure, 6105-20010, Revision 20, CIM Requirement Traceability Matrix, 6105-10010, Revision 17, SRNC Requirement Traceability Matrix, WNA-DS-01271-GEN, Revision 10, CIM Hardware Requirements Specification, and WNA-DS-01272-GEN, Revision 9, SRNC Requirements Specification. From reviewing these documents during the audit, the NRC staff confirmed that the CIM-SRNC requirements specification includes specific and adequate testing requirements for the self-diagnostic functions. Therefore, the NRC staff finds there is reasonable assurance that the CIM-SRNC self-diagnostic functions will perform as designed.

3.3.1.4 Evaluation of Regulatory Compliance

10 CFR 50.36(c)(3) states that "[s]urveillance requirements are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met." Since this LAR is proposing to remove SRs for the PMS components from the TS, the licensee is proposing changes to the UFSAR that demonstrate operability of these PMS components in accordance with 10 CFR 50.36(c)(3) regulatory requirements.

Specifically, SNC is proposing changes to UFSAR Appendix 1A, Subsections 7.1.2.11 and 7.3.2.2.6, Appendix 7A.5 (WCAP-15776), and Appendix 7A.8 (WCAP-16675-P). In general, these UFSAR changes state that the self-diagnostics included within the PMS are used to verify that the safety system can perform its designed safety function in lieu of manual testing as part of the surveillance program. The NRC staff evaluated the proposed changes to the UFSAR and found them to be consistent with the proposed changes to the TS SRs. The NRC staff also determined that all the proposed changes to the UFSAR and the TS do not impact the VEGP Units 3 and 4 PMS and other I&C system design. Since this LAR is proposing no changes to the PMS design, the NRC staff finds that the proposed changes to the UFSAR do not affect the PMS compliance with GDC 21 and 10 CFR 50.55a(h) regulatory requirements related to its testability and reliability, including the capability to test channels independently to determine operability.

Though not a part of the VEGP Units 3 and 4 licensing bases, the LAR addresses the acceptance criteria in BTP 7-17, which in part states that self-test functions should be verified during periodic functional tests. SNC stated that it is not possible to verify self-diagnostic functions as part of surveillance testing during operation because it would require creating destructive faults within the I&C system. Instead, the LAR addresses these acceptance criteria as follows:

For the Common-Q based PMS subsystem, SNC states that the CRC, hardware-based diagnostics, and supervisory tests (e.g., window watchdog timer, mirrored RAM checks) are used to verify the operation of the self-diagnostic functions.

The software-based Common-Q self-diagnostic functions can be confirmed to be functional by CRC checks of the PMS system software, which is monitored and verified for its completion within the allotted cycle time. Some hardware-based internal diagnostics in the PMS can be confirmed to be functional by the supervisory tests, which are external to the processor. Furthermore, hardware diagnostics, such as RAM check, etc. within the PMS processors without the supervisory tests are diverse to other diagnostics detecting the same failures.
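The supervisory checks named above (a CRC over the system software, completion within the allotted cycle time, a window watchdog, and a mirrored RAM check) can be illustrated with the following added example. It is not Common-Q or PMS code; every name, the tick units, the window limits and the sample image are assumptions constructed for illustration.

```c
/* Added illustration, not Common-Q or PMS code. Names, tick units, window
 * limits and the sample image are assumptions constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DIAG_OK = 0, DIAG_CRC_FAULT = 1, DIAG_RAM_FAULT = 2,
       DIAG_OVERRUN = 4, DIAG_WDT_FAULT = 8 };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over a software image. */
uint32_t crc32_image(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Mirrored RAM cell: the value is stored together with its bitwise complement,
 * so a stuck or flipped bit in either copy breaks the pairing. */
typedef struct { uint32_t value; uint32_t mirror; } mirrored_u32;

void mirrored_store(mirrored_u32 *m, uint32_t v) { m->value = v; m->mirror = ~v; }
int mirrored_ok(const mirrored_u32 *m) { return (m->value ^ m->mirror) == 0xFFFFFFFFu; }

/* Window watchdog: a service request is accepted only if it arrives between
 * `open` and `close` ticks after the previous one. Too early means the
 * software skipped work, too late means it stalled. The trip is latched. */
typedef struct { uint32_t open, close, last; int tripped; } wwdt;

void wwdt_start(wwdt *w, uint32_t open, uint32_t close, uint32_t now)
{
    w->open = open; w->close = close; w->last = now; w->tripped = 0;
}

int wwdt_kick(wwdt *w, uint32_t now)
{
    uint32_t dt = now - w->last;
    if (w->tripped || dt < w->open || dt > w->close) { w->tripped = 1; return 0; }
    w->last = now;
    return 1;
}

/* Timer side of the watchdog: trips on its own once the window has closed,
 * independently of whether the processor is still running. */
int wwdt_expired(wwdt *w, uint32_t now)
{
    if (now - w->last > w->close) w->tripped = 1;
    return w->tripped;
}

/* One diagnostic cycle. The watchdog is serviced only when every check has
 * passed and the cycle finished within its time budget, so a diagnostic that
 * fails, hangs, or is skipped ends in a watchdog trip. */
unsigned diag_cycle(const uint8_t *image, size_t n, uint32_t ref_crc,
                    const mirrored_u32 *cell, uint32_t t_start, uint32_t t_end,
                    uint32_t budget, wwdt *w)
{
    unsigned faults = DIAG_OK;
    if (crc32_image(image, n) != ref_crc) faults |= DIAG_CRC_FAULT;
    if (!mirrored_ok(cell))               faults |= DIAG_RAM_FAULT;
    if (t_end - t_start > budget)         faults |= DIAG_OVERRUN;
    if (faults == DIAG_OK && !wwdt_kick(w, t_end)) faults |= DIAG_WDT_FAULT;
    return faults;
}

int main(void)
{
    uint8_t image[32];                      /* constructed "software image" */
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 7u + 1u);
    uint32_t ref = crc32_image(image, sizeof image);
    mirrored_u32 cell;
    mirrored_store(&cell, 0x1234u);
    wwdt w;
    wwdt_start(&w, 8, 12, 0);               /* window: 8..12 ticks */

    printf("healthy cycle:   0x%x\n",
           diag_cycle(image, sizeof image, ref, &cell, 0, 10, 10, &w));
    image[5] ^= 0x01;                       /* single-bit corruption */
    printf("after bit flip:  0x%x\n",
           diag_cycle(image, sizeof image, ref, &cell, 10, 20, 10, &w));
    printf("watchdog at t=23: %d\n", wwdt_expired(&w, 23));
    return 0;
}
```
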

((

)).

Therefore, based on the above evaluations of both Common-Q based and FPGA-based subsystems, the NRC staff determined that the approaches described in the supplemented LAR meet the intent of the acceptance criteria in BTP 7-17 for checking and monitoring the PMS self-diagnostic functions during operation.

In summary, the NRC staff finds that the proposed changes to the TS SRs in this LAR do not affect the existing compliance with regulatory requirements of GDC 21 and 10 CFR 50.55a(h) applicable to reliability and testability of the PMS. The NRC staff also determines that the PMS automatic self-diagnostic functions continuously monitor logic operability and alert the operator of any failures. The combined PMS system and application-level automatic self-diagnostic functions provide adequate testing coverage comparable to the manual PMS surveillance testing being removed by the TS. Therefore, the NRC staff finds that for VEGP Units 3 and 4, the PMS automatic self-diagnostic functions can be used to verify the safety system's capability to perform its safety functions. These self-diagnostic functions may therefore be credited in lieu of certain manual testing. The staff's finding is predicated, in part, on the risk profile of the design of VEGP Units 3 and 4 and its DAS. Together, these support the finding by the staff of reasonable assurance of adequate defense in depth for the plant.

3.3.2 Evaluation of PMS Self-Diagnostic Capabilities for the Proposed Changes

The following sections describe the staff's evaluation of the fault detection capabilities of the PMS self-diagnostic functions as sufficient to justify removal of the referenced Channel Check, COT, ALT, and ALOT SRs.

3.3.2.1 Evaluation of Removing Channel Check SR for PMS Components

The LAR proposed removing from the TS certain Channel Check SRs for the PMS and taking credit for the automatic PMS self-diagnostics functions for performing these channel checks.

The current Channel Check SRs for the PMS require manually comparing PMS instrumentation function channels in the four PMS divisions (inter-channel check) to ensure that gross failure of instrumentation has not occurred. Manual inter-channel comparison is performed to determine if there is a significant deviation that may indicate an instrument failure.

The PMS application-level self-diagnostic functions, which are proposed for being credited, include the automatic continuously performed inter-channel comparison across all four PMS divisions. ((

)). One ITP is provided in each of the four independent divisions of the PMS. Any alarm produced in the ITP is transmitted through the AF100 communication bus to the MTP, which is also outside of the PMS processor system.

((

)). Therefore, failure of a ((

)) in one division does not adversely impact the PMS safety functions or the self-diagnostic functions in the other three divisions.

Based on the above, the NRC staff determines that the PMS application-specific inter-channel check verifies the same information as the manual Channel Check performed in accordance with the current TS SRs. Hence, the NRC staff finds that the automatic PMS inter-channel check performed continuously is comparable to the manual Channel Check.
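An inter-channel comparison of the kind described above can be sketched as follows. This is an added example, not the PMS algorithm (the details of which are withheld on this page): the median reference, the tolerance, the validity flag and all names are assumptions.

```c
/* Added illustration, not PMS code. The median reference, tolerance and
 * validity flag are assumptions; sample readings are constructed. */
#include <stdio.h>

#define N_DIV 4                 /* four PMS divisions */
#define ICC_INSUFFICIENT 0x80u  /* fewer than two usable channels to compare */

typedef struct {
    double value;   /* same process parameter as measured by this division */
    int    valid;   /* 0 if the channel is bypassed or flagged bad upstream */
} channel;

/* A reading is usable if it is flagged valid and is not NaN. */
static int usable(const channel *c) { return c->valid && c->value == c->value; }

/* Compare every usable channel against the median of the usable channels.
 * Returns a bitmask with bit i set when division i deviates by more than
 * `tol`, or ICC_INSUFFICIENT when no comparison is possible. With only two
 * usable channels the reference is their mean, so a disagreement flags both:
 * the check cannot tell which one is wrong. */
unsigned interchannel_check(const channel ch[N_DIV], double tol)
{
    double v[N_DIV];
    int n = 0;

    for (int i = 0; i < N_DIV; i++)
        if (usable(&ch[i])) v[n++] = ch[i].value;
    if (n < 2) return ICC_INSUFFICIENT;

    /* Insertion sort; n is at most 4. */
    for (int i = 1; i < n; i++) {
        double key = v[i];
        int j = i - 1;
        while (j >= 0 && v[j] > key) { v[j + 1] = v[j]; j--; }
        v[j + 1] = key;
    }

    /* The median is insensitive to a single grossly failed instrument,
     * unlike the mean, which the failed reading would drag toward itself. */
    double ref = (n % 2) ? v[n / 2] : 0.5 * (v[n / 2 - 1] + v[n / 2]);

    unsigned mask = 0;
    for (int i = 0; i < N_DIV; i++) {
        if (!usable(&ch[i])) continue;
        double d = ch[i].value - ref;
        if (d < 0) d = -d;
        if (d > tol) mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    /* Constructed readings: division index 3 has drifted high. */
    channel ch[N_DIV] = { {100.2, 1}, {99.8, 1}, {100.1, 1}, {112.0, 1} };
    printf("deviation mask: 0x%x\n", interchannel_check(ch, 2.0));

    ch[2].valid = 0;            /* one division bypassed for maintenance */
    printf("with one bypass: 0x%x\n", interchannel_check(ch, 2.0));
    return 0;
}
```
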

3.3.2.2 Evaluation of Removing Manual COT SR for PMS Components

This LAR proposed removing from the TS manual COT SRs for the PMS conducted every 92 days to verify operability of the PMS components. The COT also includes verification of the required alarm, interlock, and trip setpoints, such that the setpoints are within the required tolerance. The PMS components covered by the COT SR include Common-Q platform PM646A (processor modules), CI631 (communication interface modules), BIOB, and high speed link (HSL) in the BPL.

For the PMS components, there is a primary self-diagnostic function that can detect each fault, and alternate self-diagnostic functions, which can detect the same fault due to the sequential processing of digital functions in the PMS. This characteristic of the PMS digital system provides multiple lines of fault detection for postulated faults defined in the AP1000 Failure Mode and Effects Analysis (FMEA) Report, WCAP-16438, which was reviewed and approved by the NRC as part of the AP1000 design certification and VEGP Units 3 and 4 licensing applications. In addition, there is a level of diversity between the primary self-diagnostic function and the alternate self-diagnostic functions for detecting the same faults. Alternate diagnostic functions are typically performed by different hardware and firmware in the PMS.

Faults detected by the PMS diagnostic functions generate the necessary visual and audible annunciation in the MCR to alert the operator.

Other application-level self-diagnostic functions, which can also be credited to demonstrate channel operability include ((

)).

The COT SRs for the ADS and IRWST injection blocking devices only require testing their safety logics, which are fully covered within the scope of their associated ALT SR. The ALT SRs for the ADS and IRWST injection blocking devices are being retained in the TS because the PMS self-diagnostic functions are not provided for this analog logic function.

Therefore, the NRC staff determines that there are comprehensive, multiple platform-level and application-level self-diagnostic functions that detect faults associated with each postulated failure mode identified in the FMEA for the VEGP Units 3 and 4. The PMS self-diagnostic functions, at a minimum, detect all faults that could be detected by performing manual COT.

The NRC staff also finds that the verification of operability of all the PMS components is achieved by the combination of the PMS Common-Q based platform level and the PMS application-level self-diagnostic functions. The NRC staff also finds that the ALT SRs being retained for the ADS and IRWST injection blocking devices are redundant to their COT SRs.

3.3.2.3 Evaluation of Removing Manual ALT SR for PMS Components

In the LAR, SNC proposes to credit the PMS self-diagnostic functions and accordingly remove the ALT SR for the PMS components, except the ALT for the ADS and IRWST injection blocking devices, digital output modules (DO630), and the reactor trip matrix termination units. The current ALT surveillance tests include the application of various simulated or actual input combinations in conjunction with each possible interlock logic state required for operability of a logic circuit and the verification of the required logic output. For the RTS logic ALT, the injected signal goes from the LCL to the reactor trip matrix logic. For the ESF system logic ALT, the injected signal goes from the BPL inputs to the LCL outputs to the ILP (via the HSLs).

Specifically, the ALT is conducted to verify the operability of the coincidence logic in each LCL to the associated RT matrix or ILC voter.

The PMS components covered by the ALT SRs include Common-Q platform PM646A (processor modules), CI631 (communication interface modules), BIOB, HSL, DO630, and RTM terminal units in the LCL.

The Common-Q components PM646A, CI631, BIOB, and HSL are the same PMS components evaluated above for the removal of COT SRs. The evaluation above shows that the self-diagnostic test functions of those PMS components could be credited and used to adequately verify the operability of the same PMS components, which would be manually tested under ALTs. In addition, internal faults detected by the PMS self-diagnostic functions produce the necessary visual and audible annunciation in the MCR, so that the operators can take the appropriate actions according to the VEGP Units 3 and 4 operating procedures.

The scope of the PMS RTS components for the ALT also includes PMS components DO630 digital output modules and the reactor trip matrix termination units. The ALT SRs for these two types of PMS components are not fully covered by the PMS self-diagnostic functions. However, these two types of PMS components are included as part of the TADOT, SR 3.3.7.1, which is required to be performed every 92 days on a Staggered Test Basis (each division is tested once per year). Removing the ALT SR results in a reduction in frequency for testing the RTM and DO630 components from every 92 days to approximately once a year. This reduction is acceptable for the RTM because of the redundancy and diversity in the RTM design as documented in Reference 1 of this SE. The reduction in test frequency for the DO630 is acceptable because of the long operational life of this module as described in LAR Enclosure 1 in the discussion of response time testing.

Because the TADOT SR continues to be included as a manual surveillance requirement within the TS, any failure that would be detected in these components by their corresponding ALT will also be detected by the TADOT. So, the removal of the ALT for DO630 and the reactor trip matrix termination units is acceptable. As for the ALT for ADS and IRWST injection blocking devices, their corresponding ALT SR is retained in TS.

Therefore, the staff finds that the self-diagnostic functions credited for the PMS components, the existing TADOT for RTS RTBs, which includes exercising the RTS LCL digital outputs to the UV and ST RTMs and the RTMs themselves, and the retained ALT SR for ADS and IRWST injection blocking devices together provide complete coverage of the PMS components which would be tested under the current ALT SRs.

3.3.2.4 Evaluation of Removing Manual ALOT SR for PMS Components

In the LAR, SNC proposes to credit the PMS self-diagnostic functions and accordingly remove from the TS all of the ALOT SRs for the PMS components. An ALOT for PMS ESF actuated components includes manual application of simulated or actual input signals for verification of the associated output actuation signals up to, but not including, the actuated component. The ALOT SRs are required to be performed every 24 months.

The PMS components covered by the ALOT include the Common-Q platform components PM646A, CI631, BIOB, and HSL used in the ILP, and the FPGA-based CIM, SRNC, double width transition panel (DWTP), single width transition panel (SWTP), and squib valve termination units.

The Common-Q components PM646A, CI631, BIOB, and HSL are the same PMS components evaluated above for the removal of COT and ALT SRs. The evaluation above shows that the PMS self-diagnostic functions can adequately verify operability of the PMS components required to be manually tested under ALOT SRs. Additionally, the faults detected by the PMS self-diagnostic functions are annunciated in the MCR to alert the operator of a failure.

For the FPGA-based CIM-SRNC components, there are a series of self-diagnostic functions that include self-diagnostic logic testing, BIST features, output continuity testing, and redundant core checking. As evaluated above, those self-diagnostic functions provide test coverage comparable to the manual testing required by the ALOT SRs. The DWTP and SWTP components are located between the SRNC and CIM and are used to simply pass communication signals between the SRNC, CIM, and the non-safety-related plant control system. Faults in the DWTP and SWTP are detected by the self-diagnostic functions in either the upstream SRNC or the downstream CIM.

((

)). Faults detected by the PMS self-diagnostic functions are annunciated in the MCR to alert the operator of a failure.

The NRC staff finds that the Common-Q components and FPGA-based components adequately demonstrate their operability via corresponding continuous system self-diagnostic functions. In addition, the NRC staff finds that the output of the CIMs up to, but not including the actuated components, are demonstrated to be operable via a combination of continuous self-diagnostic functions and the manual SRs being retained in the TS.

3.3.3 Quality Assurance Review of Common-Q and PMS Application Diagnostics

The NRC staff conducted an audit on the development and deployment of the Common-Q and PMS system diagnostics credited in the SNC LAR at the WEC facility from June 24-25, 2019.

The focus of the audit was to determine if there is reasonable assurance that QA principles consistent with the requirements of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities," were applied to the Common-Q platform level, PMS application level, and CIM/SRNC subsystem level diagnostic functions credited in the SNC LAR and to verify those diagnostic functions were developed, implemented, and tested under a suitable QA program or were adequately commercially dedicated. In addition, the NRC staff reviewed the processes for maintaining design configuration, implementing design changes to the PMS and Common-Q diagnostic functions, confirmed suitable testing was conducted on the credited diagnostics, and evaluated operational anomalies associated with the PMS and Common-Q diagnostic functions to assure they are being adequately addressed.

3.3.3.1 Method of Review

In addition to the audit activities described above, the NRC staff considered the results of prior NRC staff safety evaluations of the Common-Q platform as well as the results of prior NRC vendor inspections conducted on the PMS system and CIM/SRNC subsystem during the conduct of this review.

The staff focused on the implementation of the QA processes necessary to assure the Common-Q platform, PMS system, and CIM/SRNC subsystem diagnostic functions were adequately designed, implemented, and tested to establish suitability of their application as described in the SNC LAR. The staff focused on the vendor's hardware and software life cycle processes to confirm the following:

Well-defined system hardware and software requirements;
Comprehensive hardware and software development methodologies;
Comprehensive test procedures;
Strict configuration management and maintenance procedures; and
Complete and comprehensive documentation.

As noted in the NRC staff's SE related to the Common-Q platform Software Program Manual (SPM) (ADAMS Accession Nos. ML13022A008 (package), ML18270A029), the acceptance process for most commercial-grade digital components can be expected to comprise a variety of complicated technical activities. Guidance on these activities is given in Electric Power Research Institute (EPRI) TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications." In April 1997, the NRC staff issued a safety evaluation report (SER) on TR-106439 (ADAMS Accession No. ML12205A284). The NRC staff determined that TR-106439 contains an acceptable method for dedicating commercial-grade digital equipment for nuclear power plant safety applications. EPRI TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Application in Nuclear Power Plants," provides a specification in the form of a set of requirements for generically qualifying programmable logic controllers (PLCs) for safety-related I&C systems in nuclear power plants. EPRI TR-107330 was approved by the NRC staff on July 30, 1998 (ADAMS Legacy Accession No. 9808120281). The NRC staff applied the guidance in EPRI TR-106439 and TR-107330 in reviewing the WEC program for the qualification of the Common-Q hardware and software.

Specifically, with respect to the evaluation of the commercial-grade dedication of the Common-Q platform, the staff reviewed the reports of the dedication of commercial-grade AC160 hardware and software for use in nuclear safety systems and concluded that the AC160 PLC system meets the requirements set forth in BTP 7-14, Revision 5 (ADAMS Accession No. ML070670183) and follows the guidance in EPRI TR-106439 and was, therefore, acceptable for use in nuclear power plants.

The NRC staff also has significant vendor inspection experience with the PMS system and CIM/SRNC subsystem. During the period from January 2014 through August 2018, the NRC inspection staff conducted a series of vendor inspections on the PMS system and CIM/SRNC subsystem development lifecycle activities including planning, requirements development, design, implementation, and testing. A listing of these inspection reports is included in the references section of this SE. These inspections addressed aspects of the system software and hardware development activities including significant in-depth evaluation of technical and quality plans and procedures, observation of in-process design activities, fabrication, factory acceptance testing, and review of documented design reviews and test records, and integrated lifecycle phase summary reports. Processes for system configuration management, design and software baseline changes, nonconformance and corrective actions, and independent verification and validation (IV&V) were also evaluated. The results of these inspections established an inspection record to support the staff's evaluation of the adequate completion of inspection, tests, analysis, and acceptance criteria (ITAAC) by SNC in accordance with the VEGP Units 3 and 4 COLs and confirmed that WEC developed the PMS system including the CIM/SRNC subsystem in accordance with their 10 CFR Part 50, Appendix B program.

3.3.3.2 Technical Evaluation

3.3.3.2.1 Common-Q Diagnostic Functions Review

The SNC LAR submittal contained information related to the previous qualification of the Common-Q platform and specifically noted that the AC160 diagnostic functions were commercially dedicated to the same standards as the rest of the AC160 system software.

Additionally, the SNC LAR submittal stated that the software design and lifecycle evaluation applied to the system software was also used for the Common-Q diagnostic functions and consisted of a rigorous process that was previously accepted by the NRC.

As noted in Section 3.3.3.1 of this SE, the NRC staff previously reviewed and concluded that the commercial dedication activities performed by WEC to qualify the Common-Q platform met the criteria set forth in BTP 7-14 and follows the guidance in EPRI TR-106439 and was, therefore, acceptable for use in nuclear power plants. Therefore, the NRC staff performed the following activities related to the on-going and future maintenance of the Common-Q platform including:

reviewing platform modification processes and controls, and
evaluating operational history of Common-Q based systems that might impact the functionality of the Common-Q platform.

This supplemented the previous NRC staff evaluation to confirm that the Common-Q diagnostic functions credited in the SNC LAR were suitably developed and tested and will be adequately maintained during the operational phase of the development lifecycle.

Specifically, the NRC staff reviewed the following diagnostic functions: CPU self-diagnostic (diagnostic code PS-1) and RAM check memory integrity (diagnostic code PS-3), along with the associated platform qualification documentation developed by Asea Brown Boveri (ABB) and WEC to support the use of the Common-Q platform for safety-related applications. These documents were created from the initial evaluation work performed by WEG, Technischer Überwachungsverein (TUV), and ABB and the subsequent WEG activities related to the Oskarshamn 1 - Project O1 Modification Project (MOD-97-7771, MOD 97-3184, MOD 97-7766, MOD-00-3571, MOD-00-3572, and GKWF310281, GBRA095801). The NRC staff verified that the qualification and test records specifically addressed design review and code verification through testing to confirm that the Common-Q diagnostics credited in the SNC LAR were adequately developed and functioned satisfactorily.

The SNC LAR supplement contained information related to the AC160 modification process description for configuration management control which specifically addressed the application of the ABB Tracker system to identify, document, evaluate, and disposition every error reported to ABB for AC160 Nuclear and AC160 Industrial products. The process involves a formal agreement between WEC and ABB and provides for ABB to develop Common-Q code changes and for WEG to provide the verification and validation (V&V) for the project. This V&V will verify that the full traceability of the modifications exists. This includes traceability from requirements to modification, to test and documenting the results.

The NRC staff also reviewed the code modification process and discussed the implementation of the process with cognizant WEC staff to confirm code revisions are adequately controlled, documented, verified, and approved using defined quality practices. The NRC staff reviewed the ABB Revision Control System management procedures and Configuration Management Plan for the AC160*1.3 controller (3BDS 005 654) that govern revisions to the Common-Q platform. In addition, the staff discussed controls applied to maintain configuration of the Common-Q platform including work performed by WEG tasked with performing the V&V for the platform. WEC used the input from WEG's V&V report along with the release documentation to perform a supplemental Commercial Dedication Record of the software (W2-8.6-105, W2-9.5-102). The NRC staff noted that all proposed changes are also evaluated by the platform CCB governed by the WEC QA Level 3 procedure (NA 4.54). This procedure requires a Safety System Platform Change Evaluation (SSPCE) to be completed. The SSPCE has a checklist of items that requires evaluation for impact. The staff reviewed a sample of SSPCE checklists associated with Common-Q diagnostics to confirm adequate implementation of the platform change process.

The NRC staff reviewed testing error logs and operational data compiled for commercial nuclear power applications using the Common-Q platform to verify that code performance issues were being formally identified, documented, and evaluated for potential impact on the PMS system.

The staff discussed the ABB Tracker program used to document operation experience issues with Common-Q platform deployments with the cognizant WEC staff and reviewed all Tracker issues related to Common-Q diagnostic functions, to verify that issues identified were adequately evaluated for impact on the Common-Q diagnostics being credited in the SNC LAR.

The staff confirmed that the Tracker process included routine periodic reviews of issues by ABB and WEC, prioritization of issues based on significance, and any issues requiring a potential design change were formally documented through purchase orders between ABB and WEC.

The NRC staff reviewed a sample of the activities performed by ABB and WEC to establish suitability and reliability of the Common-Q platform for use in safety-related applications. These activities included: (1) the development of a Failure Modes, Effects, and Diagnostics Analysis on each of the AC160 modules by ABB, the results of which were used in the WEC PMS reliability analysis (APP-PMS-AR-001); (2) the performance of commercial surveys and operating experience evaluations of ABB by WEC (MOD 97-7771, MOD 97-7766); and (3) review of SSPCE checklists which contain an item requiring evaluation of changes on the reliability and performance of the AC160 modules. The NRC staff reviewed these activities to determine if they supported establishing an adequate basis for use of the Common-Q platform.

On the basis of the NRC staff SERs for the Software Program Manual (ADAMS Accession No. ML13022A008 (package), ML18270A029) and the supplemental audit and review activities described herein, the staff finds that the Common-Q diagnostic functions credited in the SNC LAR were developed, tested, qualified, and will be maintained using rigorous processes in accordance with Appendix B requirements, and provide reasonable assurance for the detection of platform-level faults for the Common-Q based PMS.

3.3.3.2.2 PMS Application and CIM/SRNC Diagnostic Functions Review

The SNC LAR submittal contained information related to the development of the PMS system and associated PMS application software, including PMS diagnostic functions, that were developed under a formal lifecycle process per the VEGP Units 3 and 4 COLs Appendix C ITAAC Table 2.5.2-8, Inspection, Tests, Analyses, and Acceptance Criteria, ITAAC Nos. 2.5.02.11, 2.5.02.12, and 2.5.02.14.

As noted in Section 3.3.3.1 of this SE, the NRC staff performed numerous inspections of the PMS system and CIM/SRNC subsystem during design, fabrication, and testing and concluded that the PMS system and CIM/SRNC subsystem lifecycle development processes, as implemented, met the requirements of Appendix B to 10 CFR Part 50, and were, therefore, acceptable for use in nuclear power plants. Therefore, consistent with the previous NRC inspections of the PMS system and CIM/SRNC subsystem, the staff performed the following activities: requirements development and traceability review; verification and validation process review; and test development and test results review, to confirm that the PMS and CIM/SRNC diagnostic functions credited in the SNC LAR were suitably developed and tested and will be adequately maintained during the operational phase of the development lifecycle.

Specifically, the staff reviewed the following PMS application diagnostic functions, ITP inter-channel comparison, ((

)), and RT Matrix Monitoring and associated PMS system lifecycle documentation to support the development and testing of the PMS system. The staff reviewed (APP-PMS-J4-020, APP-PMS-J4-102, APP-PMS-J1-001) to confirm that it adequately described the requirement specification associated with ((

)) inter-channel comparator and RT Matrix, and confirmed that those requirements were adequately translated into test plans and procedures (APP-PMS-T5-001, APP-PMS-T1P-014 and APP-PMS-T1P-019). The NRC staff also reviewed the requirements traceability matrix table (Appendix F.1 of APP-PMS-J4-020) and confirmed the requirements associated with the PMS application diagnostics were documented and relevant source system design requirements documentation was identified.

The NRC staff reviewed the following Component Interface Module (CIM) / SRNC diagnostic functions, ((

)). The staff reviewed (WNA-DS-01271-GEN, WNA-DS-01272-GEN) to confirm that it adequately described the requirement specification associated with the selected CIM/SRNC diagnostics and confirmed that those requirements were adequately translated into test plans and procedures (WNA-TP-04019-GEN, 6105-00021). The NRC staff also reviewed the requirements traceability matrix tables (6105-10010 and 6105-20010) and confirmed the requirements associated with the CIM/SRNC subsystem diagnostics were documented and relevant source system design requirements documentation was identified.

The NRC staff verified that the test procedures and test records specifically addressed the PMS application diagnostic functions to confirm that the PMS application diagnostics were adequately developed and performed satisfactorily. The staff reviewed system integration testing of the sampled diagnostic functions described in test procedures (APP-PMS-T1P-014 and APP-PMS-T1P-019), and associated test data sheets, and confirmed that all test cases (Nos. 362, 363, 364, and 365) associated with inter-channel and test cases (Nos. 358-361) associated with intra-channel comparison were completed satisfactorily. These tests were performed in accordance with WEC V&V process plans (WNA-PV-00009-GEN and WNA-PV-00054-WAPP) and the PMS testing process administrative controls (APP-PMS-T5-001).

The NRC staff verified that the test procedures and test records specifically addressed the CIM/SRNC subsystem diagnostic functions to confirm that the CIM/SRNC subsystem diagnostics were adequately developed and performed satisfactorily. The staff reviewed subsystem testing of the sampled diagnostic functions described in test procedure (WNA-TP-04019-GEN) and confirmed that testing associated with the CIM/SRNC subsystem diagnostic functions was completed satisfactorily. These tests were performed in accordance with WEC V&V process and test plans (6105-00013 and 6105-00005).

The staff reviewed test data sheets and the associated Automation Issue Tracking System (RITs) data records for the PMS diagnostic functions sampled to verify that PMS software performance issues were being formally identified, documented and evaluated for potential impact on the PMS system. The NRC staff confirmed that there were no current RITs issues that have any significant impact on the diagnostics credited in the SNC LAR. The NRC staff reviewed the system integration testing report and IV&V test summary report (SV3-PMS-T2R-012 and SV0-IVV-JQR-021) and confirmed these summary reports did not contain any outstanding issues associated with the PMS or Common-Q diagnostic functions being credited in the SNC LAR.

The NRC staff reviewed the PMS application code modification process and discussed the implementation of the process with cognizant WEC staff to confirm that code revisions are adequately controlled, documented, verified, and approved using defined quality practices. The NRC staff reviewed the PMS Software Verification and Validation Plan and Regression Testing Work Instruction (WNA-PV-00054-WAPP, WNA-WI-00452-GEN) governing regression analysis considerations applied to revisions to the PMS system, and the engineering design modification process procedure (APP-GW-GAP-420) which provides guidance for the evaluation of changes to the systems. The staff confirmed that the documents included appropriate controls for maintaining system design requirements and configuration and provided adequate guidance for evaluating system modifications to determine any testing or analysis requirements needed for such modifications.

On the basis of the results of prior NRC inspections of the PMS system and CIM/SRNC subsystem lifecycle development processes and the supplemental audit and review activities described herein, the NRC staff finds that the PMS and CIM/SRNC diagnostic functions credited in the SNC LAR were developed, tested, qualified, and will be maintained using rigorous processes in accordance with Appendix B requirements, and provide reasonable assurance for the detection of application-level faults of the PMS system and CIM/SRNC subsystem.

3.3.3.2.3 On-going Verification of Diagnostic Functionality

The SNC LAR supplement contained information related to the PMS system alarm functionality and plant administrative controls that will be implemented to assure continued monitoring of the PMS system to assure adequate operation of the system diagnostic functions. The SNC LAR supplement stated that self-diagnostics will produce a division alarm, as required, and if self-diagnostics fail, then this produces a system alarm. In both cases, an evaluation of the division or system alarm condition will be performed by SNC Vogtle plant operations and maintenance staff. In the absence of either divisional or system alarms, there will also be operator rounds and system engineer's monthly reports that evaluate and document the health, errors, and faults of the system.

During the audit activities, the staff discussed the system features, including system alarm functions, and additional administrative controls planned to be implemented to ensure the continued adequate functionality of the PMS system diagnostic functions during operations with the cognizant SNC and WEC staff. Based on those discussions, the licensee provided a supplement to the LAR to document the system features and administrative controls, as described herein, to address continued functionality of the credited PMS diagnostic functions.

The system diagnostic functions are automatically executed on a continuous basis and provide operator notification in the event of a failure. ((

)).

These diagnostic tests are designed to report system failures to the operator immediately upon detection without needing to wait for periodic functional tests. These diagnostic failures can be seen on the System Health Event Log Display and as a division fault on the System Health Summary Alerts Display.

Additionally, as part of normal control room operator rounds, additional observations are taken and are recorded via the Unit Control Log. These include: checking for proper PMS node heartbeats for each division; checking the safety visual displays for each division for health status; and unit control log entry of conditions such as control panel walkdowns, unexpected alarms, entry into abnormal or emergency operating procedures, and recording reactor trip or ESF actuations and protective relay actuations.

The Plant Control System and Nuclear Application System will also display the overall health for equipment related to both safety-related functions and TS LCOs, including the PMS.

The NRC staff further noted that monthly PMS system health reports will be prepared by the PMS system engineer using data from the various internal PMS event logs including system operation and error tracking. If results from these reports indicate issues with any self-diagnostic functions, they will be further evaluated and dispositioned in accordance with the licensee's design control and corrective action programs. In cases where such issues affect the Common-Q diagnostic functions, these will be recorded for inclusion in the ABB Tracker system.

The NRC staff reviewed the SNC LAR supplement which provided a description of the on-going SNC Vogtle plant operations and maintenance personnel verification activities for the PMS system diagnostics and confirmed the SNC LAR supplement adequately incorporated the system self-check features and plant administrative activities necessary to assure adequate operation of the PMS Common-Q subsystem, and the PMS CIM/SRNC subsystem diagnostic functions credited in the SNC LAR.

On the basis of the NRC staff audit activities and supplemental information provided in the SNC LAR supplement associated with incorporation of PMS self-diagnostic functions and plant administrative activities necessary to assure adequate operation of the PMS Common-Q subsystem, and the PMS CIM/SRNC subsystem self-diagnostic functions credited in the SNC LAR, the staff finds that these diagnostic functions credited in the SNC LAR will be adequately evaluated using rigorous processes in accordance with Appendix B requirements, and provide reasonable assurance of continuous on-going detection of faults in the diagnostic functions of the PMS Common-Q subsystem and the CIM/SRNC subsystem.

3.3.4 Procedure Design and Operator Training

The elimination of manual surveillances reduces overall operator tasks and workload during normal operations, plant startup, shutdown, and outages. There are minor impacts on plant operating procedures that will require their future revision (after approval of the LAR) in conformance with the NRC approved changes in this LAR.

The operator response to self-diagnostic alarms does not change operator workload because there is no proposed change to any alarms or Human System Interfaces (HSI). No new alarms are proposed. The existing validated operating procedures and training include the response to the PMS fault alarms.

The impacts to the operating procedures, training, and previously completed human factors engineering (HFE) V&V activities (i.e., Design Verification, Task Analysis, Integrated System Validation, and Human Engineering Discrepancy Resolution) will be evaluated per COL Appendix C, ITAAC No. 3.2.00.01e. This ITAAC requires an evaluation of the implementation of the plant HFE/HSI (as designed at the time of plant startup) to be performed in accordance with APP-OCS-GEH-520, Plant Startup Human Factors Engineering Design Verification Plan, which is a Tier 2* document that is incorporated by reference into the plant-specific Design Control Document, which is incorporated by reference in the UFSAR.

The staff reviewed draft alarm response procedures during the LAR audit and has determined that there is reasonable assurance the operators will respond appropriately to any alarms through the written procedures and the associated training. The licensee's training program has been previously approved by the NRC in accordance with 10 CFR 50.120, which describes the requirements for the training and qualification program. In addition, the impacts of the LAR changes on the operating procedures, training, and previously completed HFE V&V activities will be evaluated per ITAAC 3.200.01e.

Therefore, the staff concluded that the operators would be able to detect a critical system failure of the PMS and respond with appropriate manual actions.

3.3.5 PMS Common-Q Self-Diagnostic Functions Executed at Start-Up

According to SV0-PMS-AR-001 (Reference 1), Appendix E, COT Simplification, Section E.4.3.3, Platform Self-Diagnostics, the PMS Common-Q platform self-diagnostic functions, which are identified in the following tables of Appendix A, Self-Diagnostics: AC160 Platform, are those that are applicable to the AP1000 PMS configuration during online operation:

Table A PM646A Processing Section (PS)

Table A PM646A Communication Section (CS)

Table A CI631 Communications Module

Table A Backplane Input-Output Bus (BIOB)

Section E.4.3.3 goes on to say (emphasis added):

There are additional self-diagnostics that are performed when an AC160 sub-rack is initially started that ensure the equipment in the sub-rack is configured correctly and ensure the modules in the sub-rack are correctly initialized. These diagnostics have been omitted to simplify the evaluation of the diagnostic coverage since the COT is performed on AP1000 PMS equipment that has already been confirmed to be correctly configured and initialized.

The staff has determined that the AC160 sub-rack automatic self-diagnostics conducted during module start-up provide assurance that the AC160 sub-rack is operating properly and the modules in the sub-rack are correctly initialized. Following repair or other maintenance requiring startup of an AC160 sub-rack (going from a de-energized shutdown state to a powered up state), the automatic start-up and run-time diagnostics will execute and provide indication on the module's display revealing whether or not the diagnostics completed satisfactorily and the module is operating properly. In addition to this action, the governing plant procedures related to system post-maintenance testing will require verifying that these diagnostics have executed completely with no faults detected before returning the sub-rack to service. If the plant operators determine that the online self-diagnostics indicate no faults have been detected and the sub-rack is operating within normal parameters, the affected PMS division may then be declared operable. By the PMS design, the AC160 start-up self-diagnostics are integral to completing any maintenance requiring shutdown of an AC160 sub-rack, as they include tests that are not a part of the PMS BPL, LCL, and ILP online self-diagnostics, which are within the scope of testing included by the COT, ALT, and ALOT, respectively.

The detailed design information provided by the licensee in the LAR demonstrated why certain on-line self-diagnostics could be credited for assuring PMS operability without crediting certain existing manual surveillances. However, the LAR discussion about those credited self-diagnostics did not include information specific to the start-up self-diagnostics for the AC160 modules that would serve as a basis for a safety determination. So, further consideration of the start-up self-diagnostics is not necessary for assessing the safety case of this LAR because the AC160 start-up self-diagnostics are outside the scope of the changes proposed in LAR 19-001 involving removal of applicable SRs for a COT (BPL), ALT (LCL), or ALOT (ILP). Because the PMS must have successfully completed the start-up self-diagnostic functions to be considered operable before placing it in service, and the fault detection capability of the on-line self-diagnostics to provide reasonable assurance of PMS operability, the staff concludes that including an evaluation of the PMS start-up self-diagnostics in the LAR is not required for making a safety finding about relying on the on-line self-diagnostic functions to assure PMS operability.

3.4 Changes to Plant-specific Technical Specifications

Table 1 in Appendix A of this SE describes the specific changes to existing SRs proposed by the licensee in the LAR for each affected TS subsection.

3.4.1 Removal of CHANNEL CHECK Surveillances

The PMS application software provides a self-diagnostic function that ((

)). Section 3.3 of this SE describes the staff's conclusion that the ((

)) is an acceptable means of monitoring process sensor inputs between TS-required Channel Calibrations performed during refueling outages, and providing assurance that PMS instrumentation functions are operable and applicable LCOs described in SE Appendix A, Table 1 are met. For PMS instrumentation not covered by ((

)), the manual Channel Check SR is retained in TS, as described in SE Appendix A, Table 1. The staff finds that the proposed removal and changes in scope of existing manual Channel Check SRs are acceptable because of the staff's conclusion that ((

)), and other PMS self-diagnostics implemented in the BCC equipment and software, provide reasonable assurance, consistent with 10 CFR 50.36(c)(2), that the LCOs for PMS RTS and ESFAS instrumentation Function channels will be met.

3.4.2 Removal of CHANNEL OPERATIONAL TEST (COT) Surveillances

The licensee justifies the removal of the once per 92-day Frequency manual COT SRs for each of the four divisions of PMS RTS and ESFAS instrumentation Functions by asserting that this testing (1) degrades PMS system reliability because of the excessive number of man-hours needed to remove each division from service to manually check the logic signal paths from the BPL subsystem's A/D converter output to the BPL subsystem's partial trip status output signal to each PMS division's LCL subsystem; (2) does not measurably improve the likelihood of detecting a PMS fault over that provided by the fault detection capability of the Common-Q platform's built-in hardware automatic self-diagnostic functions and the credited automatic self-diagnostic functions of the PMS application software; and (3) does not detect faults that are not detectable by the PMS self-diagnostics. The licensee therefore concludes that the manual COT SRs for the PMS RTS and ESFAS instrumentation Functions are not necessary to adequately assure PMS operability, except for the COT on RCS leakage detection instrumentation in LCO 3.4.9, which has no self-diagnostic features.

As described in SE Section 3.3, the staff concludes that the self-diagnostic functions are able to detect most PMS hardware faults, and are designed to initiate a division fault alarm to alert the operator to respond as directed by the alarm response procedure. The self-diagnostics continuously assess the health of all digital processor and communication components and are therefore substantially more effective in detecting hardware faults than are the PMS manual surveillances currently specified for detecting hardware faults by exercising each safety logic pathway. The LAR indicates that this manual exercising of PMS actuation logic for the logic pathways for each RTS and ESFAS Function is labor intensive because of the PMS design that has redundant processor and communication stations at each stage of logic processing in each division.

The PMS self-diagnostics do not emulate a COT, which uses the MTP to manually insert a simulated process variable digital input signal into one of the two BPL subsystems in a division and verifies that the BPL subsystem partial trip output signal to each of the two LCL subsystems in each of the four PMS divisions is as expected. For each process variable monitored by the PMS and for each associated RT and ESF actuation Function, the COT is repeated until the functionality of each of the eight BPL subsystems, and the logic paths between the BPL subsystem and the LCL subsystems in each of the four PMS divisions is confirmed to be correct. ((

)).

Removal of COT SR for Analog Function that Automatically Unblocks the Opening of ADS Stage 1, 2, and 3 Motor Operated Valves, ADS Stage 4 Squib Valves, and IRWST RCS Injection Motor Operated Valves and Squib Valves on an ESFAS Signal

The analog hardware-based ADS and IRWST Injection Blocking Device, LCO 3.3.20.1, Core Makeup Tank Level for Automatic Unblocking, automatically removes the block of the ESF actuation signal path to each valve's actuating device to permit the automatic opening of ADS motor-operated valves (MOVs) and squib valves and IRWST RCS injection MOVs and squib valves. The purpose of the blocking device is prevention of a spurious initiation of ADS or IRWST injection. In VEGP Units 3 and 4 COL Amendment Nos. 91 and 90, respectively (ADAMS Accession No. ML17268A075), the NRC approved establishing Subsection 3.3.20, Automatic Depressurization System (ADS) and In-containment Refueling Water Storage Tank (IRWST) Injection Blocking Device, which includes operability and test requirements for CMT level instrumentation (one upper narrow range level transmitter on each of the two CMTs per PMS division, with the unblock setpoint above the CMT Level - Low 3 setpoint for actuation of CMTs and ADS Stages 1, 2, and 3), analog bistable logic, and analog actuation logic. When CMT level indication falls below the unblock setpoint in at least one CMT, this device automatically unblocks the CIM output to the valve actuation device, so that a signal generated by the software-based PMS logic can open the IRWST injection valve or ADS valve in the associated ESF division. Removal of the block from the PMS actuation signal path is an anticipatory measure to ensure an ESF actuation output signal from each CIM will cause the associated ADS Stages 1, 2, 3, or 4 valve and IRWST injection valve to open.

In the LAR, the licensee described how the components that implement this unblocking function are fully tested by an ALT on a 24 month Frequency, while a subset of these components is tested by a COT on a 92 day Frequency. The LAR did not propose eliminating the manual ALT for the blocking device (existing SR 3.3.20.5) because the analog components of the module have no self-diagnostic capability. Since the analog blocking device itself does not generate its own ESFAS signal, but just permits a PMS generated signal to actuate an ESF component, existing Subsection 3.3.20 does not specify an ALOT SR for the analog blocking device. This also explains why the SRs for an ALT on the ESF LCL and ALOT on the ESF actuation, which are specified in existing Subsections 3.3.15 and 3.3.16, do not apply to the blocking device.

The licensee considered how removing the COT (existing SR 3.3.20.3) from the blocking device surveillance schedule would affect the device's reliability. In the LAR supplement, Enclosure 8, Supplemental Information Regarding LAR-19-001 and NRC Audit Open Items, which is supported by SV0-PMS-AR-001, Section 4.2 and Appendix F, the licensee states that during its evaluation of the COT for the ADS and IRWST Injection Blocking Device it was determined that there is an insignificant drop in reliability between partially testing the device every 92 days versus full testing at 24 months, as is done with the ALT. In conclusion, the ALT for the ADS and IRWST Injection Blocking Device at 24 months is a sufficient duration to perform all functional unblock/block testing associated with this module, therefore the COT [at 92 days] can be eliminated. The staff considers the information about the small impact on blocking device reliability provided in the LAR, as supplemented, sufficient to conclude that elimination of the COT SR will not unduly increase the failure probability of any one blocking device and the associated automatic actuation failure probability of the associated ADS valve or IRWST injection valve. However, even if one of these valves fails to open on a valid ESFAS signal, the safety analysis assumed performance of the ADS and IRWST injection safety functions are still assured. This is explained in the Background section of Subsection B 3.3.20, which describes how a failure of one ADS blocking device in one PMS division affects ADS Stages 1, 2, and 3 MOVs. At most such a failure would prevent opening either (1) two ADS paths, one redundant ADS Stage 1 path and one redundant ADS Stage 3 path, or (2) one redundant Stage 2 path. In either case, the redundant capacity of each remaining flow path to the IRWST will ensure the capability of ADS Stages 1, 2, and 3 to perform their intended safety function in response to an ESFAS signal to initiate actuation of ADS Stages 1, 2, and 3 on CMT Level - Low 3. The Background section also describes the effect of a failure of one blocking device in one division on ADS Stage 4 and IRWST injection. Since each ADS Stage 4 path (valve) is operated by two PMS divisions, failure of a single blocking device will not defeat any Stage 4 path. Each IRWST injection path (valve) is also operated by two divisions, and therefore, the failure of a single blocking device will not defeat any injection path.

The staff evaluated the information provided by the licensee in the LAR, as supplemented.

From its review of non-docketed PMS design, analysis, and test documents, and through discussions with the licensee and WEC during the LAR audit (ADAMS Accession No. ML19283C511), and review of the information in the LAR supplement, the staff determined there is sufficient documentation of appropriate quality to reasonably conclude that the PMS self-diagnostic functions are capable of detecting all equipment failure modes that are detectable by a manually performed COT, and are of sufficient quality to be relied upon for monitoring PMS performance and the timely detection and annunciation of digital component and system faults. As described in SE Section 3.3, the staff concludes that for most PMS instrumentation Functions the PMS self-diagnostic functions will adequately demonstrate, on a nearly continuous basis, the operability of PMS digital components and software related to the BPLs in each BCC.

In the LAR, as supplemented, the licensee proposed improvements in the licensing basis documents, in particular UFSAR Chapter 7, to clearly explain how reliance on PMS self-diagnostic functions will assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met. The staff reviewed these changes and found they clearly describe the safety case for reliance on PMS self-diagnostic functions for establishing and assuring PMS operability without performance of manual logic verification testing of BPLs, LCL, ILPs, SRNCs, and CIMs, and the HSL and BIOB communication connections between processor modules.

Also, since the TS Section 1.1 COT definition includes instrumentation setpoint verification, but the Channel Calibration definition does not, the licensee added the following clarification to the PMS RTS test descriptions in the Background section of Subsection B 3.3.1 and the PMS ESFAS test descriptions in the Background section of Subsection B 3.3.8 (The phrases self-checking features and self-diagnostic functions are synonymous.):

Trip setpoints are continuously and automatically verified by PMS self-checking features between performances of CHANNEL CALIBRATIONS. Before unit startup, the CHANNEL CALIBRATION verifies that the trip setpoint values in the Maintenance and Test Panel (MTP) match the [Setpoint Program] SP specified values.

Accordingly, the staff finds that the PMS self-diagnostic functions will provide reasonable assurance that PMS RTS LCOs 3.3.1, 3.3.2, 3.3.3, and PMS ESFAS LCOs 3.3.8, 3.3.10, 3.3.11, 3.3.13, and 3.3.14 will be met, and that these TS subsections therefore meet the regulatory requirements of 10 CFR 50.36(c)(2). Therefore, removal of the existing COT SRs, as listed in SE Appendix A, Table 1, is acceptable.

3.4.3 Removal of ALT of RT and ESF Coincidence Logic

The ALT verifies the operability of the coincidence logic and voting logic in each LCL and the digital output to the associated RT matrix or ESFAS ILC.

Partial Trip Signal Generation

Each of the four channels of an RT or ESF Function generates a digital partial trip signal if the measured digital value of the associated monitored process variable reaches the Function's digital trip setpoint. Typically, a PMS channel's BPL converts the process sensor transmitter's analog signal to a digital signal and, using PMS application software, compares the digital value of the monitored variable to the digital trip setpoint and generates a partial trip digital output signal when the monitored variable's digital value reaches the Function's digital trip setpoint.

((

)).

While continuously receiving the digital signal of the monitored variable, a BPL continuously compares the monitored variable's digital value with the Function's setpoint in two separate redundant BPL processor modules. ((

)).

RT Coincidence Logic

((

)). Each LCL subsystem provides four contact outputs to the Reactor Trip Initiation logic, two for the UV RTM and two for the ST RTM. ((

)).

As described in Table 1 of Appendix A of this SE, the TADOT of SR 3.3.7.1 includes manually exercising the UV and ST RTMs from the LCL reactor trip output signal to each trip initiation logic matrix contacts, the RT manual switch interposing relays and RTB UV and ST coils.

ESFAS Coincidence Logic

((

)).

As described in SE Section 3.3, the staff has concluded that the PMS BCC self-diagnostic functions provide reasonable assurance that PMS RTS LCO 3.3.6, and PMS ESFAS LCOs 3.3.15, 3.3.16, and 3.3.20 will be met, and therefore, that these TS subsections meet the regulatory requirements of 10 CFR 50.36(c)(2). Therefore, the staff finds that removal of the existing ALT SRs, as listed in SE Appendix A, Table 1, is acceptable.

3.4.4 Deletion of ACTUATION LOGIC OUTPUT TEST (ALOT) Surveillances

In the LAR, the licensee proposed to remove the ALOT SRs from the plant-specific TS for all ESF automatically actuated components, because the Common-Q platform self-diagnostics for the ILPs and the FPGA platform self-diagnostics for the SRNCs and CIMs ((

)) provide adequate hardware monitoring to detect faults in system components; these faults are reported to the operators as a division fault alarm by sending a fault signal from the CIM through the SRNC through the ILP, and then through the AF100 bus to the ITP which sends it to the MTP which sends it to the alarm system.

The staff understands from the LAR that the 24-month Frequency ALOT is normally performed by injecting a test actuation signal from the MTP to the ILP input and verifying that the CIM output is as expected. The 24-month Frequency SR to verify actuation of an ESF component on an actual or simulated actuation signal and the 24-month Frequency SR to verify the component stroke time is within the ESF Response Time limit are performed the same way.

As described in SE Section 3.3, the staff has concluded that the self-diagnostic functions of the ILPs, SRNCs, and CIMs in combination with the end device actuation test SRs provide reasonable assurance of proper operation of the ILPs, SRNCs, and CIMs without reliance on the 24 month ALOT SR. In SV0-PMS-AR-001, the licensee describes how end device actuation tests are assumed to be normally performed (emphasis added):

the PMS self-diagnostic tests, along with the [component actuation] SRs identified above, provide complete overlap coverage of the ALOT surveillance requirements and are suitable to replace the manually conducted ALOT used to meet the current TS SRs. In addition, component testing will be conducted on every component (e.g. valves, breakers, etc.) through the use of the CIM. This component testing will provide additional overlap testing with the CIM output test diagnostics, thus assuring complete coverage of the CIM outputs.

((

)) and the current SRs listed in SE Appendix A, Table 1, for exercising the ESF components both verify the operability of the actuation device circuit from the CIM output to the associated ESF actuated component (valve or circuit breaker). Since the scope of the ALOT surveillance does not include the actuated device circuit, but extends only to the CIM command output, the staff concludes that the ESF component SRs that verify component actuation on a simulated or actual ESFAS signal, together with the CIM self-diagnostics, provide complete overlap coverage of the ALOT SRs and are suitable to replace the manually conducted ALOT.

Other existing SRs are provided to ensure detection of CIM output-related faults, which are not detectable by CIM self-diagnostic functions. These SRs, which are listed in SE Appendix A, Table 1 (for example, SR 3.4.11.5, which verifies continuity of the circuit from the Protection Logic Cabinets to each Stage 4 ADS valve as a part of verifying that the ADS squib valve will actuate to the open position on an actual or simulated actuation signal), are retained in TS.

As described in SE Section 3.3, the staff has concluded that the PMS ILC self-diagnostic functions provide reasonable assurance that PMS ESFAS LCOs 3.3.15 and 3.3.16 will be met, and therefore, that these TS subsections meet the regulatory requirements of 10 CFR 50.36(c)(2). In addition, the UFSAR states the technical justification for relying on self-diagnostics, and other routinely performed verifications by control room operators and other plant staff, to assure PMS operability. Therefore, the staff finds that removal of the existing ALOT SRs, as listed in SE Appendix A, Table 1, is acceptable.

3.4.5 Use of Allocated Time Intervals for PMS Equipment to Verify RTS and ESF Response Times

In the LAR, the licensee proposed using time interval allocations in lieu of measurements for PMS digital components in RTS Response Time and ESF Response Time verification SRs.

The staff reviewed the methodology embodied in the LAR's PMS response time analysis to determine whether it adequately justifies the proposed use of allocated time intervals for PMS digital components. This change entails no textual changes to existing response time SRs, but requires NRC approval as required by the TS definitions of RTS Response Time and ESF Response Time and the use of these defined terms in the SRs listed in Appendix A, Table 1 of this SE.

The overall RTT SRs for verifying the reactor trip and ESFAS actuation response times include response times of sensors, PMS racks, and the actuating devices. The reactor trip and ESFAS protective functions must be accomplished within the times allocated in the accident analysis.

Response time for each division of the PMS rack is verified every fourth refueling outage as a part of the current TS surveillance program.

This LAR is proposing to modify the approach for satisfying the PMS racks RTT SRs.

Specifically, the LAR is proposing to use allocated response times for the PMS racks, in lieu of performing manual tests in support of the overall RTTs required by the TS SRs. The scope of the proposed change in this LAR does not include the sensors and actuating devices RTTs.

The current definition for the RTT in the TS states, in part, that, in lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC.

Accordingly, SNC is proposing a methodology for using the allocated response times for the PMS racks for verifying the overall response times. The NRC staff has previously approved a similar methodology for elimination of periodic protection channel RTTs for WEC 7100, 7300, Eagle 21, and solid state protection system platforms.

Allocated response times for the PMS racks for each of the RT and ESFAS protective functions are obtained from the PMS functional requirements. The PMS RT and ESFAS safety functional paths are currently required to be tested under other TS SRs still retained. The PMS RTTs are also verified as a part of ITAAC Items 2.5.02.10 and 2.5.02.11 for the PMS of the VEGP Units 3 and 4 COLs. Once established, the response time for each component in the PMS racks normally does not change unless a credible failure occurs in one of the PMS components that impacts its response time. The LAR proposed the following methodology that shows how the RTTs for the PMS components in the PMS RT and ESFAS safety functional signal paths could be replaced with allocated response times.

((

)). Therefore, the NRC staff finds the methodology presented in the LAR for use of PMS racks allocated times acceptable because it satisfies the applicable requirements of 10 CFR 50.55a(h). The PMS components or racks allocated response times can be used in satisfying the overall RTT SRs. Allocated response times for the PMS racks and components are presented in the PMS Technical Specification Surveillance Requirement Elimination Report (Reference 1).

3.5 Technical Conclusion for the Proposed Changes

Based on the above, the staff determined that the changes described in Section 2 of this SE and further detailed in Table 1 of Appendix A are acceptable. Specifically, the staff determined that the PMS self-diagnostic functions may be credited to provide reasonable assurance that PMS-related LCOs are met, without reliance on performance of the referenced Channel Check, COT, ALT, and ALOT manual SRs on PMS components. As detailed in Section 3.3 of this SE, this determination is based on the staff finding that the PMS self-diagnostic functions (1) are more effective and timelier than these manual SRs at detecting PMS equipment faults, (2) satisfy all QA regulatory requirements for their development, testing, installation, maintenance, and operation, and (3) satisfy regulatory requirements for human factor considerations. As detailed in Section 3.4 of this SE, the staff concluded that reliance on the PMS self-diagnostic functions to provide assurance of meeting the applicable PMS-related LCOs is acceptable under 10 CFR 50.36(c)(2). The staff also found that the UFSAR changes adequately describe the licensing basis criteria for establishing operability of PMS components. Therefore, the staff concludes that removing from the plant-specific TS the referenced manual SRs on PMS equipment, for which credited self-diagnostic functions are provided, and the associated editorial and other administrative changes to TS and the UFSAR, are acceptable.

In addition, the staff finds the methodology for allocating response times for PMS equipment acceptable because the overall effect of any degradation in the PMS components either would not have an adverse impact on the response time or would be compensated with a conservative allotted response time. Therefore, the staff concluded the requirements of 10 CFR 50.55a(h) and 10 CFR 50.36(c) are met.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Georgia State official was notified of the proposed issuance of the amendment on October 21, 2019. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

The amendment changes a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and SRs. The staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding as published in the Federal Register on May 7, 2019 (84 FR 19972). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 CONCLUSION

The staff has concluded, based on the considerations discussed in Section 3.0, that there is reasonable assurance that: (1) the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. Therefore, the staff finds the changes proposed in this license amendment acceptable.

7.0 REFERENCES

1. SV0-PMS-AR-001, Protection and Safety Monitoring System Technical Specification Surveillance Requirement Elimination, Revision 1
2. APP-PMS-J4-020, AP1000 System Design Specification for the Protection and Safety Monitoring System, Revision 18
3. APP-PMS-T5-001, Protection and Safety Monitoring System Test Plan, Revision 5
4. APP-PMS-T1P-014, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Procedure, Revision 8
5. APP-PMS-T1P-019, AP1000 Protection and Safety Monitoring System Cabinet Indications and Status Channel Integration Test Procedure, Revision 8
6. APP-PMS-T1D-014, Rev. 10, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Data Sheets, Revision 10
7. APP-PMS-T1D-019, Rev. 7, AP1000 Protection and Safety Monitoring System Cabinet Indications and Status Channel Integration Test Data Sheets, Revision 7
8. APP-PMS-T2R-014, Rev. 0, AP1000 Protection and Safety Monitoring System - System Integration Test Abnormal Conditions Test Report, Revision 0
9. SV4-PMS-T2R-019, Vogtle Unit 4 AP1000 Protection and Safety Monitoring System Cabinet Indications and Status Channel Integration Test Report, Revision 0
10. GKWF310281 (Req. Spec for AC166 BPS - SW Requirements for PM646) documented in 970170651 (Advant Power BPS Testabdeckung Systemtest/FMEA Softwaretest)
11. GBRA095801, WEG Intern AC160 Maintenance AC160 Product Specification for AP1000 PMS Analyse, Revision E
12. MOD 00-3571, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Test Description AC160*1.3 Controller Partition 4.1 Error Handler, Revision 1
13. MOD 00-3572, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Test Description AC160*1.3 Controller Partition 4.1 Error Handler, Revision 1
14. MOD 97-3184, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Self supervision and test functions FMEA, Revision 3
15. MOD 97-7766, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Design and Life Cycle Evaluation Report on Previously Developed Software in ABB AC160, I/O Modules and Tools, Revision 1
16. MOD 97-7771, Oskarshamn 1 - Project O1 Mod Qualification of Category A I&C Final Quality Assessment and Justification Report, Revision 6
17. NA 4.54, I&C Standard Safety System Platform Configuration Control Process, Revision 1
18. WNA-PC-00005-WAPP, AP1000 I&C Projects Configuration Management Plan, Revision 6, October 2016
19. W2-8.6-105, External Computer Software, Revision 1
20. W2-9.5-102, Commercial Dedication Process, Revision 1
21. WNA-PV-00009-GEN, V&V Process for the Common Q Safety System, Revision 9
22. WNA-PV-00054-WAPP, AP1000 Protection and Safety Monitoring System Software Verification and Validation Plan, Revision 8
23. SV3-PMS-T2R-012, Vogtle Unit 3 AP1000 Protection and Safety Monitoring System - System Interfaces and Response Time - System Integration Test Report, Revision 1
24. SV0-IVV-JQR-021, Vogtle AP1000 Protection and Safety Monitoring System Independent Verification and Validation Summary Report, Revision 4
25. WNA-WI-00452-GEN, Regression Testing Work Instruction, Revision 0
26. WNA-DS-02122-GEN, Standard Reusable Software Element Document for Channel Check Custom PC Element, Revision 6
27. APP-PMS-J4-102, AP1000 Protection and Safety Monitoring System Software Requirements Specification, Revision 21
28. APP-PMS-J1-001, AP1000 Protection and Safety Monitoring System Functional Requirements, Revision 14
29. 6105-00013, CIM-SRNC IV&V Plan, Revision 10
30. 6105-00005, CIM-SRNC Test Plan, Revision 8
31. 6105-20010, Component Interface Module Requirement Traceability Matrix, Revision 20
32. 6105-10010, Safety System Remote Node Controller Requirement Traceability Matrix, Revision 17
33. WNA-DS-01271-GEN, Component Interface Module Hardware Requirements Specification, Revision 10
34. WNA-DS-01272-GEN, Safety System Remote Node Controller Requirements Specification, Revision 9
35. WNA-TP-04019-GEN, CIM SRNC Subsystem Test Procedure, Revision 2
36. WNA-TR-02718-GEN, CIM SRNC Subsystem Test Report, Revision 4
37. 6105-00021, CIM SRNC IV&V Simulation Environment Specification, Revision 5
38. Final Safety Evaluation for WCAP-16096-P/NP, Revision 5, Software Program Manual for Common Q Systems (ADAMS Accession No. ML18270A029)
39. Safety Evaluation by the Office of Nuclear Reactor Regulation Westinghouse Topical Report WCAP-16097-P, Revision 3 Common Qualified Platform TAC. NO. ME5157 (ADAMS Accession No. ML13022A008 (package))
40. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2014-201 and Notice of Nonconformance, dated March 25, 2014 (ADAMS Accession No. ML14058A995)
41. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2014-202, dated April 25, 2014 (ADAMS Accession No. ML14112A168)
42. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report Number 99900404/2014-203, dated October 8, 2014 (ADAMS Accession No. ML14262A351)
43. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2015-204, dated May 11, 2015 (ADAMS Accession No. ML15113B277)
44. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2015-207, dated August 31, 2015 (ADAMS Accession No. ML15231A229)
45. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2016-201, dated January 5, 2016 (ADAMS Accession No. ML15363A360)
46. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2016-202, dated August 30, 2016 (ADAMS Accession No. ML16237A320)
47. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2015-209, dated May 12, 2017 (ADAMS Accession No. ML17123A085)
48. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2017-201, dated January 22, 2018 (ADAMS Accession No. ML18018A989)
49. Nuclear Regulatory Commission Inspection of Westinghouse Electric Company Report No. 99900404/2018-202, dated September 13, 2018 (ADAMS Accession No. ML18253A137)
50. Electric Power Research Institute (EPRI) TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, dated October 1996
51. EPRI TR-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Application in Nuclear Power Plants, dated December 1996
52. Review of EPRI Topical Report TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications (TAC No. M94127), dated July 17, 1997 (ADAMS Accession No. ML12205A284)

APPENDIX A

Detailed List of Changes to Technical Specifications and Key Bases Clarifications

The Technical Specifications (TS) changes proposed in Licensing Amendment Report (LAR)19-001 removed the defined term and definition used in the manual Surveillance Requirements (SRs) for Protection and Safety Monitoring System (PMS) Engineered Safety Features Actuation System (ESFAS) actuation logic Functions, the Actuation Logic Output Test (ALOT), and reduced the scope of applicability of the defined terms used in the manual SRs for PMS instrumentation Functions, the Channel Operational Tests (COT). The changes proposed in this LAR also reduced the scope of applicability of the defined terms used in the manual SRs for exercising the coincidence logic for Reactor Trip System (RTS) and ESFAS actuation logic Functions, by removing most SRs for the Actuation Logic Test (ALT). Lastly, the changes proposed in this LAR revised the licensing basis components and method for performing the SRs for verifying that the RTS and ESF Response Times are within limits. These changes are summarized in Table 1. This table also describes key Bases changes intended to clarify the role of PMS self-diagnostic functions (also referred to as self-checks and self-tests) and the use of allocated values for PMS digital time response for assuring PMS operability.

Table 1 Changes to Specifications and Key Bases Clarifications

Section / Subsection | Change

1.1, Definitions

Removed defined term and definition of ALOT.

3.1.8, Physics Test Exceptions - Mode 2

Removed SR 3.1.8.1 for COT prior to initiation of Physics Tests for power range neutron flux and intermediate range neutron flux channels per existing SR 3.3.1.6, SR 3.3.1.7, and SR 3.3.3.2 for COT.

Relabeled SRs as follows:

Existing | New
SR 3.1.8.1 | -
SR 3.1.8.2 | SR 3.1.8.1
SR 3.1.8.3 | SR 3.1.8.2
SR 3.1.8.4 | SR 3.1.8.3

3.1.9, Chemical and Volume Control System (CVS) Demineralized Water Isolation Valves and Makeup Line Isolation Valves

No change to requirements for CVS demineralized water isolation valves and makeup line isolation valves.

Clarified the SRs section of Subsection B 3.1.9 by removing the reference to the ALOT providing overlap with SR 3.1.9.2, which verifies makeup line isolation valve closure time is within limits; and SR 3.1.9.3, which verifies CVS demineralized water isolation valves close upon receipt of an actual or simulated actuation signal.

Clarified the SRs section of Subsection B 3.1.9, with the following added information in the discussion of SR 3.1.9.3 to verify that the CVS demineralized water isolation valves automatically actuate to the correct position on an actual or simulated actuation signal:

The actual or simulated actuation signal is processed through the component interface module to verify the continuity between the output of component interface module and the valve.

3.2.3, Axial Flux Difference (AFD)

Revised LCO 3.2.3 Note 4 by relabeling reference to existing SR 3.3.1.5 to SR 3.3.1.4 because of relabeling of SRs in Subsection 3.3.1; this SR requires calibration of power range neutron flux excore channels to agree with incore neutron flux detector measurements every 92 effective full power days (EFPD).

3.3.1, Reactor Trip System (RTS) instrumentation

Removed SR 3.3.1.1 for Channel Check for LCO 3.3.1 instrumentation channels for applicable Functions of 14 Functions listed in Table 3.3.1-1: 1a, 1b, 3, 4, 5a, 5b, 6, 7, 8, 9, 10, 11

Removed SR 3.3.1.6 for COT for LCO 3.3.1 instrumentation channels for applicable Functions of the 14 Functions listed in Table 3.3.1-1: 1a, 2, 3, 4, 5a, 5b, 6, 7, 8, 9, 10, 11

Removed SR 3.3.1.7 for COT for LCO 3.3.1 instrumentation channels for applicable Function of the 14 Functions listed in Table 3.3.1-1: 1b

Relabeled SRs as follows:

Existing | New | Applicable RTS Functions | SR description
SR 3.3.1.1 | - | - | -
SR 3.3.1.2 | SR 3.3.1.1 | 1a | daily excore NI vs calorimetric
SR 3.3.1.3 | SR 3.3.1.2 | 3, 4, 7 | daily calorimetric vs ΔT power calc.
SR 3.3.1.4 | SR 3.3.1.3 | 3, 4 | 31 EFPD AFD vs incore detectors
SR 3.3.1.5 | SR 3.3.1.4 | 3, 4 | 92 EFPD excore NI vs incore detectors
SR 3.3.1.6 | - | - | -
SR 3.3.1.7 | - | - | -
SR 3.3.1.8 | SR 3.3.1.5 | 3, 4, 5a, 5b, 6, 7, 8, 9, 10, 11 | Channel Calibration
SR 3.3.1.9 | SR 3.3.1.6 | 1a, 1b, 2 | Channel Calibration
SR 3.3.1.10 | SR 3.3.1.7 | 12 | TADOT
SR 3.3.1.11 | SR 3.3.1.8 | 1a, 1b, 2, 3, 4, 5a, 5b, 6, 7, 8, 9, 10, 11, 12 | RTS Response Time

Revised SR 3.3.1.8 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that RTS RESPONSE TIME is within limits. Note that this change in the licensing basis method for verifying RTS RESPONSE TIME is being documented in Subsection B 3.3.1 and UFSAR Chapter 7. The Section 1.1 definition of RTS RESPONSE TIME includes the statement, "In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC." Therefore, no textual change to SR 3.3.1.8 (as relabeled) is needed. This SE contains the staff's assessment and approval of the licensee's proposed components and methodology for response time verification using allocations for PMS digital components.

Clarified the Background section of Subsection B 3.3.1 with the following added information:

In combination with manual tests required by Surveillance Requirements, the BPLs [and LCLs] are tested via continuous system self-checking features.

Trip setpoints are continuously and automatically verified by PMS self-checking features between performances of CHANNEL CALIBRATIONS. Before unit startup, the CHANNEL CALIBRATION verifies that the trip setpoint values in the Maintenance and Test Panel (MTP) match the SP specified values.

Clarified the SRs section of Subsection B 3.3.1, with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

3.3.2, RTS Source Range Instrumentation

Removed SR 3.3.2.2 for COT for LCO 3.3.2 source range neutron flux instrumentation channels.

Relabeled SRs as follows:

Existing | New | SR description
SR 3.3.2.1 | SR 3.3.2.1 | Channel Check
SR 3.3.2.2 | - | -
SR 3.3.2.3 | SR 3.3.2.2 | Channel Calibration
SR 3.3.2.4 | SR 3.3.2.3 | RTS Response Time

Revised SR 3.3.2.3 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that RTS RESPONSE TIME is within limits. The above discussion of response time change for SR 3.3.1.8 (as relabeled) applies to SR 3.3.2.3 (as relabeled).

Clarified the SRs section of Subsection B 3.3.2, with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

3.3.3, RTS Intermediate Range Instrumentation

Added surveillance column Note to SR 3.3.3.1, that says Channel Check for LCO 3.3.3 intermediate range neutron flux instrumentation channels is not required in Mode 1.

Removed SR 3.3.3.2 for COT for LCO 3.3.3 intermediate range neutron flux instrumentation channels.

Relabeled SRs as follows:

Existing | New | SR description
SR 3.3.3.1 | SR 3.3.3.1 | Channel Check
SR 3.3.3.2 | - | -
SR 3.3.3.3 | SR 3.3.3.2 | Channel Calibration
SR 3.3.3.4 | SR 3.3.3.3 | RTS Response Time

Revised SR 3.3.3.3 (as relabeled) by adding allowance to use allocated time interval for PMS digital time response in the verification that RTS RESPONSE TIME is within limits. See discussion of response time change for SR 3.3.1.8 (as relabeled).

Clarified the SRs section of Subsection B 3.3.3, with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

3.3.4, RTS Engineered Safety Features Actuation System (ESFAS) Instrumentation

Revised Surveillance Requirements table Note as shown to state: Refer to Table 3.3.4-1 to determine to which RTS ESFAS Function the SR applies.

SRs apply for each RTS ESFAS Function.

Removed SR 3.3.4.1 for ALT for LCO 3.3.4 RTS ESFAS (coincidence logic digital output) instrumentation (input to RTS coincidence logic for RTS Functions 1, 2, and 3 listed in Table 3.3.4-1. Replaced removed SR 3.3.4.1 with None in Table 3.3.4-1 for Function 2, ADS Stages 1, 2, and 3 Actuation from ESFAS - Automatic, and Function 3, Core Makeup Tank (CMT) Actuation from ESFAS - Automatic.

Relabeled SRs as follows:

Existing | New | SR description
SR 3.3.4.1 | - | -
SR 3.3.4.2 | SR 3.3.4.1 | RTS Response Time

Revised SR 3.3.4.1 (as relabeled) by adding allowance to use allocated time interval for PMS digital time response in the verification that RTS RESPONSE TIME is within limits. See discussions of response time change for SR 3.3.1.8 (as relabeled) and SR 3.3.8.3 (as relabeled).

Clarified the SRs section of Subsection B 3.3.4, with the following added information:

Function 2 and Function 3 do not require surveillance requirements because self-checking features continuously monitor logic OPERABILITY and alert the operator to any failures.

Changed the SRs and References sections of Subsection B 3.3.4. Along with removal of the discussion of SR 3.3.4.1, which included a reference to a document supporting the 92 day ALT Frequency, the reference was removed from the References section of Subsection B 3.3.4.

3.3.5, RTS Manual Actuation

No changes to requirements for RTS manual actuation switch channels listed in Table 3.3.5-1, for the four RTS Manual Actuation Functions. The manually performed TADOT of SR 3.3.5.1 exercises these manual actuation switch channels on a 24 month Frequency.

3.3.6, RTS Automatic Trip Logic

Removed SR 3.3.6.1 for ALT, which exercises the LCO 3.3.6 RTS local coincidence logic (LCL) and its digital outputs to the undervoltage reactor trip matrix (RTM) and the shunt trip RTM termination units once per 92 days for all four divisions. Note that the Trip Actuating Device Operational Test (TADOT) of SR 3.3.7.1 also exercises the LCL digital outputs as a part of exercising the RTM termination units and the two reactor trip breakers of each of four divisions every 92 days on a staggered test basis.

Removed Subsection 3.3.6 Surveillance Requirements table because SR 3.3.6.1, which is the only SR, is removed. In its place, inserted the word None below the title SURVEILLANCE REQUIREMENTS.

In the SR section of Subsection B 3.3.6, replaced discussion of removed SR 3.3.6.1 with the following passage: None are required due to self-checking features that continuously monitor logic OPERABILITY and alert the operator to any failures. The OPERABILITY of the [LCL] Reactor Trip Digital Outputs and the Reactor Trip Matrix Termination Units are verified by the TADOT performed in SR 3.3.7.1. Along with removal of the discussion of SR 3.3.6.1, which included a reference to a document supporting the 92 day ALT Frequency, the reference was removed from the References section of Subsection B 3.3.6. In its place, inserted the word None.

3.3.7, RTS Trip Actuation Devices

No changes to Subsection 3.3.7 requirements for RTS trip actuation device divisions for Function 3.3.7.a, Reactor Trip Breakers (RTBs); and Function 3.3.7.b, Undervoltage and Shunt Trip Mechanisms on in-service RTBs. The manually performed TADOT of SR 3.3.7.1 exercises these RTS trip actuation devices in each division on a Frequency of 92 days on a Staggered Test Basis.

Clarified the SRs section of Subsection B 3.3.7, as indicated by markup:

SR 3.3.7.1 is the performance of a TADOT on the Reactor Trip Digital Outputs, the Reactor Trip Matrix Termination Units, and on both reactor trip breakers associated with a single division every 92 days on a STAGGERED TEST BASIS for four divisions. This test shall verify OPERABILITY by actuation of the end devices.

3.3.8, ESFAS Instrumentation

Added Surveillance column Note to SR 3.3.8.1 for Channel Check that says SR 3.3.8.1 is only required for LCO 3.3.8 instrumentation channels for Function 2, Source Range Neutron Flux Doubling.

Removed SR 3.3.8.1 for Channel Check for LCO 3.3.8 instrumentation channels for the 26 Functions listed in Table 3.3.8-1, except for Function 2: 1a, 1b, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25

Removed SR 3.3.8.2 for COT for LCO 3.3.8 instrumentation channels for the 26 Functions listed in Table 3.3.8-1: 1a, 1b, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25

Relabeled SRs as follows:

Existing | New | SR description
SR 3.3.8.1 | SR 3.3.8.1 | Channel Check (Function 2 only)
SR 3.3.8.2 | - | -
SR 3.3.8.3 | SR 3.3.8.2 | Channel Calibration
SR 3.3.8.4 | SR 3.3.8.3 | ESF Response Time

Revised SR 3.3.8.3 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that ESF RESPONSE TIME is within limits. Note that this change in the licensing basis method for verifying ESF RESPONSE TIME is being documented in Subsections B 3.3.8, B 3.3.10, B 3.3.11, B 3.3.13, B 3.3.14 and UFSAR Chapter 7. The Section 1.1 definition of ESF RESPONSE TIME includes the statement, "In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC." Therefore, no textual change to SR 3.3.8.3 (as relabeled) is needed. This SE contains the staff's assessment and approval of the licensee's proposed components and methodology for response time verification using allocations for PMS digital components.

Clarified the Background section of Subsection B 3.3.8 with the following added information:

In combination with manual tests required by Surveillance Requirements, the BPLs [and LCLs] are tested via continuous system self-checking features.

Trip setpoints are continuously and automatically verified by PMS self-checking features between performances of CHANNEL CALIBRATIONS. Before unit startup, the CHANNEL CALIBRATION verifies that the trip setpoint values in the Maintenance and Test Panel (MTP) match the SP specified values.

In lieu of manual tests required by a surveillance requirement, the ILPs and CIMs are tested via continuous system self-checking features. The output of the CIMs up to, but not including the component, are tested via a combination of manual surveillance tests and continuous self-checking features.

Manual tests are included for those parts of the system which are not tested with self-checking features. This includes manual functional checks, calibration verification, response time testing, and component testing.

Clarified the SRs section of Subsection B 3.3.8 with the following added information:

[SR 3.3.8.1] is modified by a Note. The Note states that this SR is only required for Source Range Neutron Flux Doubling. The OPERABILITY for the other Functions is verified by self-checking features in lieu of performing a CHANNEL CHECK.

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

3.3.9, ESFAS Manual Initiation

No changes to requirements for ESFAS manual initiation switch channels listed in Table 3.3.9-1, for the 15 Manual Initiation Functions. The manually performed TADOT of SR 3.3.9.1 exercises these manual initiation switch channels on a 24 month Frequency.

3.3.10, ESFAS Reactor Coolant System (RCS) Hot Leg Level Instrumentation

Removed SR 3.3.10.1 for Channel Check for LCO 3.3.10 instrumentation channels for Functions listed in Table 3.3.10-1 for RCS hot leg level during reduced water inventory operations in Modes 5 and 6: Function 1, Hot Leg Level - Low 4; and Function 2, Hot Leg Level - Low 2.

Removed SR 3.3.10.2 for COT for LCO 3.3.10 instrumentation channels for Functions listed in Table 3.3.10-1 for RCS hot leg level during reduced water inventory operations in Modes 5 and 6.

Relabeled SRs as follows:

Existing       New
SR 3.3.10.1    (removed)
SR 3.3.10.2    (removed)
SR 3.3.10.3    SR 3.3.10.1    Channel Calibration
SR 3.3.10.4    SR 3.3.10.2    ESF Response Time

Revised SR 3.3.10.2 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that ESF RESPONSE TIME is within limits. See discussion of response time change for SR 3.3.8.3 (as relabeled).

Clarified the SRs section of Subsection B 3.3.10 with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

3.3.11, ESFAS Startup Feedwater Flow Instrumentation

Removed SR 3.3.11.1 for Channel Check for LCO 3.3.11 instrumentation channels for Startup Feedwater Flow - Low 2 (two channels per startup feedwater line).

Removed SR 3.3.11.2 for COT for LCO 3.3.11 instrumentation channels for Startup Feedwater Flow - Low 2. The passive residual heat removal (PRHR) heat exchanger system is actuated on a Steam Generator Narrow Range Level - Low 2 signal coincident with a Startup Feedwater Flow - Low 2 signal in either startup feedwater line.

Relabeled SRs as follows:

Existing       New
SR 3.3.11.1    (removed)
SR 3.3.11.2    (removed)
SR 3.3.11.3    SR 3.3.11.1    Channel Calibration
SR 3.3.11.4    SR 3.3.11.2    ESF Response Time

Revised SR 3.3.11.2 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that ESF RESPONSE TIME is within limits. See discussion of response time change for SR 3.3.8.3 (as relabeled).

Clarified the SRs section of Subsection B 3.3.11 with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

3.3.12, ESFAS Reactor Trip Initiation

No changes to requirements for ESFAS reactor trip initiation Function divisions based on status of P-4 interlock, which is enabled on any automatic reactor trip actuation signal or when the reactor trip breakers in two of four PMS divisions are open. Credited actuations on the P-4 signal are main turbine trip, boron dilution block, and isolation of startup feedwater lines and chemical and volume control system (CVS) makeup line with coincident high narrow range level in either steam generator. The manually performed TADOT of SR 3.3.12.1 exercises these actuations on a 24 month Frequency.

Note that LCO 3.3.12 requires only three of the four P-4 divisions to be operable.

3.3.13, ESFAS Main Control Room Isolation, Air Supply Initiation, and Electrical Load De-energization

Removed SR 3.3.13.1 for Channel Check for LCO 3.3.13 instrumentation channels for Function 3.3.13.a, Main Control Room (MCR) Isolation and Air Supply Actuation on Iodine or Particulate Radiation - High 2, and Function 3.3.13.a, MCR Isolation on MCR Differential Pressure - Low. (Two channels are required for each Function.)

Removed SR 3.3.13.2 for COT for LCO 3.3.13 instrumentation channels for Functions 3.3.13.a and 3.3.13.b.

Relabeled SRs as follows:

Existing       New
SR 3.3.13.1    (removed)
SR 3.3.13.2    (removed)
SR 3.3.13.3    SR 3.3.13.1    Channel Calibration
SR 3.3.13.4    SR 3.3.13.2    ESF Response Time

Revised SR 3.3.13.2 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that ESF RESPONSE TIME is within limits. See discussion of response time change for SR 3.3.8.3 (as relabeled).

Clarified the SRs section of Subsection B 3.3.13 with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

3.3.14, ESFAS In-containment Refueling Water Storage Tank (IRWST) and Spent Fuel Pool Level Instrumentation

Removed SR 3.3.14.1 for Channel Check for LCO 3.3.14 instrumentation channels for Functions listed in Table 3.3.14-1: Function 1, Spent Fuel Pool Level - Low 2 (three channels), and Function 2, IRWST Wide Range Level - Low (2 channels). These Functions cause isolation of spent fuel pool cooling system (SFS) from the refueling cavity and the IRWST by closing the SFS containment isolation valves.

Removed SR 3.3.14.2 for COT for LCO 3.3.14 instrumentation channels for Functions listed in Table 3.3.14-1.

Relabeled SRs as follows:

Existing       New
SR 3.3.14.1    (removed)
SR 3.3.14.2    (removed)
SR 3.3.14.3    SR 3.3.14.1    Channel Calibration
SR 3.3.14.4    SR 3.3.14.2    ESF Response Time

Revised SR 3.3.14.2 (as relabeled) by adding allowance to use an allocated time interval for PMS digital time response in the verification that ESF RESPONSE TIME is within limits. See discussion of response time change for SR 3.3.8.3 (as relabeled).

Clarified the SRs section of Subsection B 3.3.14 with the following added information:

In lieu of measurement, the response time for the protection and safety monitoring system equipment is based on allocated values. The overall response time may be determined by a series of overlapping tests and allocated values such that the entire response time is measured...

Allocations for signal processing and actuation logic response times may be obtained from the Protection and Safety Monitoring System Functional Requirements document.

3.3.15, ESFAS Actuation Logic - Operating

Removed SR 3.3.15.1 for Actuation Logic Test on ESF Coincidence Logic for ESF Functions, which are described in Subsection B 3.3.8, that are required to be operable by LCO 3.3.15.a.

Removed SR 3.3.15.2 for Actuation Logic Output Test on ESF Actuation [logic] for ESF Functions, which are described in Subsection B 3.3.8, that are required to be operable by LCO 3.3.15.b.

Relabeled SRs as follows:

Existing       New
SR 3.3.15.1    (removed)
SR 3.3.15.2    (removed)
SR 3.3.15.3    SR 3.3.15.1    Pressurizer heaters automatic trip
SR 3.3.15.4    SR 3.3.15.2    Reactor coolant pumps automatic trip
SR 3.3.15.5    SR 3.3.15.3    Feedwater pumps automatic trip
SR 3.3.15.6    SR 3.3.15.4    Auxiliary spray and purification line isolation valves automatic closure

Clarified the SRs section of Subsection B 3.3.15 by removing the reference to the ALOT providing overlap with the above listed SRs (as relabeled).

Revised the discussion of SR 3.3.15.1 (as relabeled) by removing the following passages that reference the ALT as also verifying:

that within the Plant Control System, signals from each division of the protection and safety monitoring system are voted two-out-of-four and the result is used to open the pressurizer heater circuits.

OPERABILITY of the pressurizer heater load center circuit breakers located between the load centers and the motor control centers for each of the five pressurizer heater groups. This is demonstrated by testing from the Division A CIM outputs to ensure the load center breakers open.

These passages provide design and procedural detail, apparently intended to elaborate on the retained statement, "The OPERABILITY of the motor control center breakers is checked by opening these breakers using the Plant Control System." The staff does not object to removing this information because it references the ESF Coincidence Logic ALT SR, which is being removed, and because it is based on information included in UFSAR Chapter 7.

3.3.16, ESFAS Actuation Logic - Shutdown

Removed SR 3.3.16.1 for Actuation Logic Test on ESF Coincidence Logic for ESF Functions, which are described in Subsection B 3.3.8, that are required to be operable by LCO 3.3.16.a.

Removed SR 3.3.16.2 for Actuation Logic Output Test on ESF Actuation [logic] for ESF Functions, which are described in Subsection B 3.3.8, that are required to be operable by LCO 3.3.16.b.

Relabeled SRs as follows:

Existing       New
SR 3.3.16.1    (removed)
SR 3.3.16.2    (removed)
SR 3.3.16.3    SR 3.3.16.1    Reactor coolant pumps automatic trip
SR 3.3.16.4    SR 3.3.16.2    CVS letdown isolation valves automatic closure

Clarified the SRs section of Subsection B 3.3.16 by removing the reference to the ALOT providing overlap with the above listed SRs (as relabeled).

3.3.17, Post Accident Monitoring (PAM) Instrumentation [Qualified Data Processing System (QDPS) functions.]

Removed SR 3.3.17.1 for Channel Check for LCO 3.3.17, PAM instrumentation channels for Functions listed in Table 3.3.17-1:

Functions 1 through 20, except for Functions:

1. Neutron Flux (Intermediate Range) (Only applies in Modes 2 and 3);
12. Passive Residual Heat Removal (PRHR) [System] Heat Removal;
17. Passive Containment Cooling System (PCS) Heat Removal;
18. Penetration Flow Path Remotely Operated Containment Isolation Valve Position; and
19. IRWST to Normal Residual Heat Removal System (RNS) Suction Valve Status.

Added surveillance column Note to SR 3.3.17.1, that says Channel Check is not required for PAM Function 1 in Mode 1.

Revised Surveillance Requirements table Note from stating that both SRs apply to every PAM Function to stating, "Refer to Table 3.3.17-1 to determine which SRs apply for each PAM Function."

Added Surveillance Requirements column to Table 3.3.17-1 to list applicable SRs for each PAM Function. Note that SR 3.3.17.2 is a Channel Calibration.

Clarified the SRs section of Subsection B 3.3.17 with the following added information:

[SR 3.3.17.1] is modified by a Note. The Note states that this SR is not required for Neutron Flux (Intermediate Range) in MODE 1. In MODE 1, the OPERABILITY of the Intermediate Range Neutron Instrumentation is verified by self-checking features in lieu of performing a CHANNEL CHECK.

3.3.18, Remote Shutdown Workstation (RSW)

No changes to requirements for the RSW.

3.3.19, Diverse Actuation System (DAS) Manual Controls

Removed Required Action C.1, which requires performing the ALT on ESFAS coincidence logic more frequently, once per 31 days instead of 92 days, because of the removal of the ALT SR from Subsection 3.3.15 and Subsection 3.3.16.

Relabeled Required Action C.2 as C.1.

3.3.20, Automatic Depressurization System (ADS) and In-containment Refueling Water Storage Tank (IRWST) Injection Blocking Device

Removed SR 3.3.20.1 for Channel Check for LCO 3.3.20 instrumentation channels for Function 1 listed in Table 3.3.20-1: Function 1, Core Makeup Tank (CMT) Level for Automatic Unblocking.

Removed SR 3.3.20.3 for COT for LCO 3.3.20 instrumentation channels for Function 1 listed in Table 3.3.20-1: Function 1, CMT Level for Automatic Unblocking.

Relabeled SRs as follows:

Existing       New
SR 3.3.20.1    (removed)
SR 3.3.20.2    SR 3.3.20.1    Verify manual block switch (Function 2, ADS and IRWST Injection Block Switches for Manual Unblocking) in unblock position in Mode 4 with RCS cooled by RNS, and in Modes 5 and 6
SR 3.3.20.3    (removed)
SR 3.3.20.4    SR 3.3.20.2    Channel Calibration (Function 1)
SR 3.3.20.5    SR 3.3.20.3    ALT (Functions 1 and 2)
SR 3.3.20.6    SR 3.3.20.4    TADOT of manual switches (Function 2)
SR 3.3.20.7    SR 3.3.20.5    Perform SR 3.5.2.3, SR 3.5.2.6, and SR 3.5.2.7 to verify CMT operability (Function 1)

Clarified the SRs section of Subsection B 3.3.20 with the following revised basis for SR 3.3.20.3 (as relabeled): This SR is the performance of an ACTUATION LOGIC TEST for unblocking. This test overlaps the ADS and IRWST injection functional tests (i.e., SR 3.4.11.4, SR 3.4.11.5, and SR 3.5.6.9) that verify actuation on an actual or simulated actuation signal.

3.4.11, ADS - Operating
3.4.12, ADS - Shutdown, RCS Intact
3.4.13, ADS - Shutdown, RCS Open

No changes to requirements for the ADS in Modes 1, 2, 3, 4, 5, and 6.

Clarified the SRs section of Subsection B 3.4.11 by removing the reference to the ALOT providing overlap with SR 3.4.11.4, which verifies that each Stage 1, 2, and 3 ADS valve actuates to the open position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16. The ALT SR for the ADS and IRWST blocking device, SR 3.3.20.3, still provides overlap with SR 3.4.11.4.

Clarified the SRs section of Subsection B 3.4.11 by removing the reference to the ALOT providing overlap with SR 3.4.11.5, which verifies continuity of the circuit from the Protection Logic Cabinets to each Stage 4 ADS valve as a part of verifying that the ADS squib valve will actuate to the open position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16.

3.5.2, CMTs - Operating
3.5.3, CMTs - Shutdown, RCS Intact

No changes to requirements for the CMTs in Modes 1, 2, 3, 4, and in Mode 5 with the RCS not VENTED.

Clarified the SRs section of Subsection B 3.5.2 by removing the reference to the ALOT providing overlap with SR 3.5.2.7, which verifies that each CMT outlet isolation valve actuates to the open position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16.

3.5.4, PRHR HX - Operating
3.5.5, PRHR HX - Shutdown, RCS Intact

No changes to requirements for the PRHR system in Modes 1, 2, 3, 4, and in Mode 5 with the RCS pressure boundary intact and pressurizer level 20%.

Clarified the SRs section of Subsection B 3.5.4 by removing the reference to the ALOT providing overlap with SR 3.5.4.8, which verifies that both PRHR HX air operated outlet isolation valves and both IRWST gutter isolation valves actuate to the isolation position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16.

3.5.6, IRWST - Operating
3.5.7, IRWST - Shutdown, Mode 5
3.5.8, IRWST - Shutdown, Mode 6

No changes to requirements for the IRWST in Modes 1, 2, 3, 4, 5, and 6.

Clarified the SRs section of Subsection B 3.5.6 by removing the reference to the ALOT providing overlap with SR 3.5.6.9, which verifies continuity of the circuit from the Protection Logic Cabinets to each IRWST injection squib valve and containment recirculation squib valve as a part of verifying that the squib valve can actuate to the correct position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16. The ALT SR for the ADS and IRWST blocking device, SR 3.3.20.3, still provides overlap with SR 3.5.6.9.

3.6.3, Containment Isolation Valves (CIVs)

No changes to requirements for the CIVs in Modes 1, 2, 3, and 4.

Clarified the SRs section of Subsection B 3.6.3 by removing the reference to the ALOT providing overlap with SR 3.6.3.5, which verifies that each automatic CIV actuates to the isolation position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15.

Clarified the SRs section of Subsection B 3.6.3 with the following added information in the basis for SR 3.6.3.5:

The actual or simulated actuation signal is processed through the component interface module to verify the continuity between the output of the component interface module and the valve.

3.6.6, Passive Containment Cooling System (PCS)

No changes to requirements for the PCS in Modes 1, 2, 3, 4, and in Modes 5 and 6 with the reactor decay heat > 7.0 MWt.

Clarified the SRs section of Subsection B 3.6.6 by removing the reference to the ALOT providing overlap with SR 3.6.6.4, which verifies that each PCS automatic valve in each flow path actuates to the correct position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16.

3.6.9, Vacuum Relief Valves

No changes to requirements for the containment vacuum relief valves in Modes 1, 2, 3, 4, and in Modes 5 and 6 without an open containment air flow path 6 inches in diameter.

Clarified the SRs section of Subsection B 3.6.9 by removing the reference to the ALOT providing overlap with SR 3.6.9.3, which verifies that each vacuum relief valve actuates to relieve vacuum on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16.

3.7.2, Main Steam Line Flow Path Isolation Valves

No changes to requirements for the main steam line flow path isolation valves in Modes 1, 2, 3, and 4.

Clarified the SRs section of Subsection B 3.7.2 by removing the reference to the ALOT providing overlap with SR 3.7.2.4, which verifies that each main steam line flow path isolation valve actuates to the isolation position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15.

3.7.3, Main Feedwater Isolation Valves (MFIVs) and Main Feedwater Control Valves (MFCVs)

No changes to requirements for MFIVs and MFCVs in Modes 1, 2, 3, and 4.

Clarified the SRs section of Subsection B 3.7.3 by removing the reference to the ALOT providing overlap with SR 3.7.3.1, which verifies the closure time of each MFIV and MFCV is within limits on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15.

3.7.6, Main Control Room (MCR) Emergency Habitability System (VES)

No changes to requirements for the VES in Modes 1, 2, 3, and 4, and during movement of irradiated fuel assemblies.

Clarified the SRs section of Subsection B 3.7.6 by removing the reference to the ALOT providing overlap with SR 3.7.6.6 to verify that all MCR envelope isolation valves are operable and will close upon receipt of an actual or simulated actuation signal; SR 3.7.6.12 to verify the MCR [heat source electrical] load shed function actuates upon receipt of an actual or simulated actuation signal; and SR 3.7.6.13 to verify that each VES main air delivery isolation valve actuates to the correct position upon receipt of an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15 and Subsection 3.3.16.

3.7.7, Startup Feedwater Isolation and Control Valves

No changes to requirements for the startup feedwater isolation and control valves in Modes 1, 2, 3, and 4.

Clarified the SRs section of Subsection B 3.7.7 by removing the reference to the ALOT providing overlap with SR 3.7.7.2, which verifies each startup feedwater isolation and control valve actuates to the isolation position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15.

3.7.10, Steam Generator (SG) Isolation Valves

No changes to requirements for SG isolation valves in Modes 1, 2, 3, and 4.

Clarified the SRs section of Subsection B 3.7.10 by removing the reference to the ALOT providing overlap with SR 3.7.10.3, which verifies each SG power operated relief valve (PORV), PORV block valve, and SG blowdown isolation valve actuates to the isolation position on an actual or simulated actuation signal, because of the removal of the ALOT SR from Subsection 3.3.15.

5.5.14, Setpoint Program (SP)

Removed the phrase "or CHANNEL OPERATIONAL TEST (COT)" from Specification 5.5.14.c because the only remaining SR that requires performance of a COT is SR 3.4.9.2, in Subsection 3.4.9, RCS Leakage Detection Instrumentation, for Function 3.4.9.b, containment atmosphere F18 particulate monitor. This COT is for an RCS leakage detection function that has no automatic actuation setpoint that meets the definition of a limiting safety system setting (LSSS) in 10 CFR 50.36(c)(1)(ii)(A); it only initiates an alarm in the main control room to alert operators to take action.

An instrumentation function must have an LSSS for the SP to be applicable.

Likewise, there is no LSSS for Function 3.4.9.b, the containment sump water level channels; therefore, the Channel Calibration of SR 3.4.9.2 does not require being performed in accordance with the SP.