ML21131A243
| ML21131A243 | |
|---|---|
| Site: | Waterford |
| Issue date: | 08/24/2021 |
| From: | Audrey Klett NRC/NRR/DORL/LPL4 |
| To: | Entergy Operations |
| Shared Package: | ML21131A240 |
| References: | EPID L-2020-LLA-0164 |
OFFICIAL USE ONLY - PROPRIETARY INFORMATION
The NRC staff also audited documents and interviewed the licensee and its contract support staff to support its licensing review. The enclosed safety evaluation contains the references to the NRC staff's audit plan and summary report.
The NRC staff has determined that the related safety evaluation contains proprietary information pursuant to Title 10 of the Code of Federal Regulations Section 2.390, "Public inspections, exemptions, request for withholding." The proprietary information is indicated by bold text enclosed with ((double brackets)). The proprietary version of the safety evaluation is provided as Enclosure 2. Accordingly, the NRC staff has also prepared a nonproprietary version of the safety evaluation, which is provided as Enclosure 3.
The Notice of Issuance will be included in the Commission's monthly Federal Register notice.
Sincerely,
/RA - A. Klett for/
Jason J. Drake, Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
Docket No. 50-382
Enclosures:
1. Amendment No. 260 to NPF-38
2. Proprietary Safety Evaluation
3. Nonproprietary Safety Evaluation
cc without Enclosure 2: Listserv

ENTERGY OPERATIONS, INC.
DOCKET NO. 50-382
WATERFORD STEAM ELECTRIC STATION, UNIT 3
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE
Amendment No. 260
Renewed License No. NPF-38
1. The Nuclear Regulatory Commission (the Commission) has found that:
A. The application for amendment by Entergy Operations, Inc. (EOI) dated July 23, 2020, as supplemented by letters dated January 22, January 29, March 5, March 19, May 21, June 2, June 21, July 19, and July 29, 2021, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;
B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;
C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;
D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and
E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.
2. Accordingly, the license is amended by changes to the Renewed Facility Operating License and Technical Specifications as indicated in the attachment to this license amendment, and paragraph 2.C.2 of Renewed Facility Operating License No. NPF-38 is hereby amended to read as follows:
2. Technical Specifications and Environmental Protection Plan
The Technical Specifications contained in Appendix A, as revised through Amendment No. 260, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the renewed license. EOI shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.
3. This license amendment is effective as of its date of issuance and shall be implemented prior to the Waterford Steam Electric Station, Unit 3 start-up from its 24th refueling outage (i.e., RF24).
FOR THE NUCLEAR REGULATORY COMMISSION
/RA/
Jennifer L. Dixon-Herrity, Chief
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation
Attachment: Changes to Renewed Facility Operating License No. NPF-38 and the Technical Specifications
Date of Issuance: August 24, 2021

ATTACHMENT TO LICENSE AMENDMENT NO. 260
RENEWED FACILITY OPERATING LICENSE NO. NPF-38
WATERFORD STEAM ELECTRIC STATION, UNIT 3
DOCKET NO. 50-382
Replace the following pages of Renewed Facility Operating License No. NPF-38 and the Appendix A Technical Specifications with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.
Renewed Facility Operating License No. NPF-38
Remove Page / Insert Page
Technical Specifications
Remove Page / Insert Page
2-3 / 2-3
3/4 1-20 / 3/4 1-20
3/4 2-6 / 3/4 2-6
3/4 3-1 / 3/4 3-1
3/4 3-2 / 3/4 3-2
3/4 3-3 / 3/4 3-3
3/4 3-4 / 3/4 3-4
3/4 3-6 / 3/4 3-6
3/4 3-7 / 3/4 3-7
3/4 3-7a
3/4 3-10 / 3/4 3-10
3/4 3-11 / 3/4 3-11
3/4 3-12a / 3/4 3-12a
3/4 10-2 / 3/4 10-2
6-14 / 6-14
6-20 / 6-20
6-20a / 6-20a

the NRC of any action by equity investors or successors in interest to Entergy Louisiana, LLC that may have an effect on the operation of the facility.
C. This renewed license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:
1. Maximum Power Level
EOI is authorized to operate the facility at reactor core power levels not in excess of 3716 megawatts thermal (100% power) in accordance with the conditions specified herein.
2. Technical Specifications and Environmental Protection Plan
The Technical Specifications contained in Appendix A, as revised through Amendment No. 260, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the renewed license. EOI shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.
3. Antitrust Conditions
(a) Entergy Louisiana, LLC shall comply with the antitrust license conditions in Appendix C to this renewed license.
(b) Entergy Louisiana, LLC is responsible and accountable for the actions of its agents to the extent said agent's actions contravene the antitrust license conditions in Appendix C to this renewed license.
AMENDMENT NO. 260
TABLE
REACTOR PROTECTIVE INSTRUMENTATION TRIP SETPOINT LIMITS
Columns: FUNCTIONAL UNIT, TRIP SETPOINT, ALLOWABLE VALUES
Functional units listed (the setpoint and allowable-value entries, which include "Not Applicable", "% of RATED THERMAL POWER" and "psia" limits, are not legible in this copy):
- Manual Reactor Trip
- Linear Power Level - High
  - Four Reactor Coolant Pumps Operating
- Logarithmic Power Level - High
- Pressurizer Pressure - High
- Pressurizer Pressure - Low
- Containment Pressure - High
- Steam Generator Pressure - Low
- Steam Generator Level - Low
- Core Protection Calculators
  - a. Local Power Density - High
  - b. DNBR - Low
- DELETED
- DELETED
- Reactor Protection System Logic
- Reactor Trip Breakers
- DELETED
- DELETED
- Reactor Coolant Flow - Low

The position of each CEA shall be determined to be within inches (indicated position) of all other CEAs in its group in accordance with the Surveillance Frequency Control Program.
Each CEA not fully inserted in the core shall be determined to be OPERABLE by movement of at least inches in any one direction in accordance with the Surveillance Frequency Control Program.
POWER DISTRIBUTION LIMITS
DNBR MARGIN
LIMITING CONDITION FOR OPERATION
The DNBR margin shall be maintained by one of the following methods:
a. Core Operating Limit Supervisory System (COLSS) in Service:
Maintaining COLSS calculated core power less than or equal to COLSS calculated core power operating limit based on DNBR when at least one Control Element Assembly Calculator (CEAC) is OPERABLE in each OPERABLE Core Protection Calculator (CPC) channel; or
Maintaining COLSS calculated core power less than or equal to COLSS calculated core power operating limit based on DNBR decreased by the amount specified in the COLR when the CEAC requirements of LCO a are not met.
b. COLSS Out of Service:
Operating within the region of acceptable operation specified in the COLR using any OPERABLE Core Protection Calculator (CPC) channel when at least one Control Element Assembly Calculator (CEAC) is OPERABLE in each OPERABLE CPC channel; or
Operating within the region of acceptable operation specified in the COLR using any OPERABLE Core Protection Calculator (CPC) channel with both CEACs inoperable when the CEAC requirements of LCO b are not met.
APPLICABILITY
MODE above of RATED THERMAL POWER
ACTION
a. With the DNBR limit not being maintained as indicated by COLSS calculated core power exceeding the COLSS calculated core power operating limit based on DNBR, within minutes initiate corrective action to reduce the DNBR to within the limits and either:
Restore the DNBR to within its limits within hour, or
Reduce THERMAL POWER to less than or equal to of RATED THERMAL POWER within the next hours.
b. With the DNBR limit not being maintained as indicated by operation outside the region of acceptable operation specified in the COLR with COLSS out of service, either:
Restore COLSS to service within hours, or
Restore the DNBR to within its limits within the next hours, or
Reduce THERMAL POWER to less than or equal to of RATED THERMAL POWER within the next hours.
INSTRUMENTATION
REACTOR PROTECTIVE INSTRUMENTATION
LIMITING CONDITION FOR OPERATION
As a minimum, the reactor protective instrumentation channels and bypasses of Table shall be OPERABLE.
APPLICABILITY
As shown in Table
ACTION
As shown in Table
SURVEILLANCE REQUIREMENTS
Each reactor protective instrumentation channel shall be demonstrated OPERABLE by the performance of the CHANNEL CHECK, CHANNEL CALIBRATION and CHANNEL FUNCTIONAL TEST operations for the MODES and at the frequencies shown in Table
The logic for the bypasses shall be demonstrated OPERABLE prior to each reactor startup unless performed during the preceding days.
The total bypass function shall be demonstrated OPERABLE in accordance with the Surveillance Frequency Control Program during CHANNEL CALIBRATION testing of each channel affected by bypass operation.
The REACTOR TRIP SYSTEM RESPONSE TIME of each reactor trip function shall be demonstrated to be within its limit in accordance with the Surveillance Frequency Control Program.
Neutron detectors, Core Protection Calculators and CEACs are exempt from response time testing.
Each test shall include at least one channel per function such that all channels are tested as shown in the Total No. of Channels column of Table
DELETED
DELETED
DELETED
Perform a test on the CPC DNBR/LPD trip output through the contact interface to the PPS in accordance with the Surveillance Frequency Control Program.
TABLE
REACTOR PROTECTIVE INSTRUMENTATION
Columns: FUNCTIONAL UNIT, TOTAL NO. OF CHANNELS, CHANNELS TO TRIP, MINIMUM CHANNELS OPERABLE, APPLICABLE MODES, ACTION
Functional units listed (the channel counts, applicable modes and action entries are not legible in this copy):
- Manual Reactor Trip
- Linear Power Level - High
- Logarithmic Power Level - High
  - a. Startup and Operating
  - b. Shutdown
- Pressurizer Pressure - High
- Pressurizer Pressure - Low
- Containment Pressure - High
- Steam Generator Pressure - Low
- Steam Generator Level - Low
- Core Protection Calculators
  - a. Local Power Density - High
  - b. DNBR - Low
  - c. CEA Calculators
- DELETED
- DELETED
- Reactor Protection System Logic
- Reactor Trip Breakers
- DELETED
- DELETED
- Reactor Coolant Flow - Low
TABLE (Continued)
TABLE NOTATION
With the protective system trip breakers in the closed position, the CEA drive system capable of CEA withdrawal, and fuel in the reactor vessel.
The provisions of Specification are not applicable.
Not applicable above a logarithmic power of RATED THERMAL POWER.
a. The operating bypass may be enabled above the bistable setpoint and shall be capable of automatic removal whenever the operating bypass is enabled and logarithmic power is below the bistable setpoint. Trip may be manually bypassed during physics testing pursuant to Special Test Exception
b. Trip may be manually bypassed below psia; bypass shall be automatically removed whenever pressurizer pressure is greater than or equal to psia.
c. The operating bypass may be enabled below the bistable setpoint and shall be capable of automatic removal whenever the operating bypass is enabled and logarithmic power is above the bistable setpoint. During testing pursuant to Special Test Exception, trip may be manually bypassed below of RATED THERMAL POWER; the bistable setpoint may be changed to less than or equal RATED THERMAL POWER to perform the automatic removal function.
d. Trip may be bypassed during testing pursuant to Special Test Exception
e. See Special Test Exception
f. Each channel shall be comprised of two trip breakers; actual trip logic shall be one-out-of-two taken twice.
g. There are two CEACs in each CPC channel.
h. Both Local Power Density - High and DNBR - Low must be OPERABLE for a CPC channel to be OPERABLE.
i. Both CEACs in an inoperable CPC channel are also inoperable.
TABLE (Continued)
ACTION STATEMENTS
Pressurizer Pressure
Pressurizer Pressure High
High
Local Power Density High
DNBR Low
Containment Pressure
Containment Pressure High
(RPS) High
Containment Pressure High (ESF)
Steam Generator Steam Generator Pressure Low Pressure Low Steam Generator P and
(EFAS and)
Steam Generator Level Steam Generator Level Low Steam Generator P (EFAS)
Core Protection
Local Power Density High
Calculator
DNBR Low
Logarithmic Power
Logarithmic Power Level High
Local Power Density High
DNBR Low
Reactor Coolant Flow Low
STARTUP and/or POWER OPERATION may continue until the performance of the next required CHANNEL FUNCTIONAL TEST.
Subsequent STARTUP and/or POWER OPERATION may continue if one channel is restored to OPERABLE status and the provisions of ACTION are satisfied.
ACTION: With the number of channels OPERABLE one less than required by the Minimum Channels OPERABLE requirement, suspend all operations involving positive reactivity changes.
ACTION: With the number of channels OPERABLE one less those required by the Minimum Channels OPERABLE requirement, STARTUP and/or POWER OPERATION may continue provided the reactor trip breakers of the inoperable channel are placed in the tripped condition within hour, otherwise, be in at least HOT STANDBY within hours; however, one channel may be bypassed for up to hour for surveillance testing per Specification
__________
Limited plant cooldown or boron dilution is allowed provided the change is accounted for in the calculated SHUTDOWN MARGIN.
With the operating bypass enabled.
TABLE (Continued)
ACTION STATEMENTS
ACTION
Separate Actions may be entered for each CPC channel.
a. With one CEAC inoperable in or CPC channels, either declare the associated CPC channels inoperable or set the "RSPT/CEAC Inoperable" addressable constant to the inoperable status within hours.
b. With one CEAC inoperable in or CPC channels, either declare the associated CPC channels inoperable or operation may continue provided that:
Within hours the "RSPT/CEAC Inoperable" addressable constants is set to the inoperable status.
Operation may continue for up to days provided that the position of each CEA is verified to be aligned with all other CEAs in its group by performing surveillance requirement at least once per hours.
Operation may continue after days provided that Actions c, c and c are met.
c. With both CEACS inoperable in any CPC channel, either declare the associated CPC channels inoperable or operation may continue provided that:
Within hours the DNBR margin required by Specification a (COLSS in service) or b (COLSS out of service) is satisfied and the Reactor Power Cutback System is disabled, and
Within hours:
a. All CEA groups are withdrawn to and subsequently maintained at the Full Out position, except during surveillance testing pursuant to the requirements of Specification or for control when CEA group may be inserted no further than inches withdrawn.
b. The RSPT/CEAC Inoperable addressable constant in the CPCs is set to the inoperable status.
c. The Control Element Drive Mechanism Control System (CEDMCS) is placed in and subsequently maintained in the Off mode except during CEA motion permitted by a above, when the CEDMCS may be operated in either the Manual Group or Manual Individual mode.
At least once per hours, all CEAs are verified fully withdrawn except during surveillance testing pursuant to Specification or during insertion of CEA group as permitted by a above, then perform surveillance requirement at least once per hours.
ACTION
DELETED
ACTION: With the number of OPERABLE channels one less than the Minimum Channels OPERABLE requirement, restore the inoperable channel to OPERABLE status within hours or open the reactor trip breakers within the next hour.
TABLE 4.3-1
REACTOR PROTECTIVE INSTRUMENTATION SURVEILLANCE REQUIREMENTS
Columns: FUNCTIONAL UNIT, CHANNEL CHECK, CHANNEL CALIBRATION, CHANNEL FUNCTIONAL TEST, MODES FOR WHICH SURVEILLANCE IS REQUIRED
Functional units listed (the per-unit frequency entries, mostly "SFCP" and "N.A.", and the mode entries are not legible in this copy):
1. Manual Reactor Trip
2. Linear Power Level High
3. Logarithmic Power Level High
4. Pressurizer Pressure High
5. Pressurizer Pressure Low
6. Containment Pressure High
7. Steam Generator Pressure Low
8. Steam Generator Level Low
9. Core Protection Calculators
   a. Local Power Density High
   b. DNBR Low
   c. CEA Calculators
10. DELETED
11. DELETED
12. Reactor Protection System Logic
AMENDMENT NO. 40, 69, 153, 225, 249, 260

TABLE (Continued)
REACTOR PROTECTIVE INSTRUMENTATION SURVEILLANCE REQUIREMENTS
- Reactor Trip Breakers
- DELETED
- DELETED
- Reactor Coolant Flow Low
WATERFORD - UNIT 3 3/4 3-12 TABLE 4.3-1 (Continued)
TABLE NOTATIONS (Continued)
Above 15% of RATED THERMAL POWER, verify that the linear power subchannel gains of the excore detectors are consistent with the values used to establish the shape annealing matrix elements in the Core Protection Calculators.
Neutron detectors may be excluded from CHANNEL CALIBRATION.
After each fuel loading and prior to exceeding 70% of RATED THERMAL POWER, the incore detectors shall be used to determine or verify acceptable values for the shape annealing matrix elements used in the Core Protection Calculators.
DELETED
Above 70% of RATED THERMAL POWER, verify that the total RCS flow rate as indicated by each CPC is less than or equal to the actual RCS total flow rate determined by either using the reactor coolant pump differential pressure instrumentation or by calorimetric calculations and if necessary, adjust the CPC addressable constant flow coefficients such that each CPC indicated flow is less than or equal to the actual flow rate. The flow measurement uncertainty is included in the BERR1 term in the CPC and is equal to or greater than 4%.
Above 70% of RATED THERMAL POWER, verify that the total RCS flow rate as indicated by each CPC is less than or equal to the actual RCS total flow rate determined by calorimetric calculations.
DELETED
In accordance with the Surveillance Frequency Control Program and following maintenance or adjustment of the reactor trip breakers, the CHANNEL FUNCTIONAL TEST shall include independent verification of the undervoltage trip function and the shunt trip function.
The CHANNEL FUNCTIONAL TEST shall be scheduled and performed such that the Reactor Trip Breakers (RTBs) are tested at least every 6 weeks to accommodate the appropriate vendor recommended interval for cycling of each RTB a
Corrected by letter dated
ENCLOSURE 3 (NONPROPRIETARY)
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION FOR AMENDMENT NO. 260 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-38
ENTERGY LOUISIANA, LLC
ENTERGY OPERATIONS, INC.
WATERFORD STEAM ELECTRIC STATION, UNIT 3
DOCKET NO. 50-382
Proprietary information pursuant to Section 2.390 of Title 10 of the Code of Federal Regulations has been redacted from this document.
Redacted information is identified by blank space enclosed within (( double brackets )).
Application and Supplements*
July 23, 2020, WF31-2020-0038 (Reference 1)
January 22, 2021, W3F1-2021-0002 (Reference 2)
January 29, 2021, W3F1-2021-0015 (Reference 3)
March 5, 2021, W3F1-2021-0025 (Reference 4)
March 19, 2021, W3F1-2021-0026 (Reference 5)
May 21, 2021, W3F1-2021-0032 (Reference 6)
June 2, 2021, W3F1-2021-0041 (Reference 7)
June 21, 2021, W3F1-2021-0047 (Reference 8)
July 19, 2021, W3F1-2021-0051 (Reference 9)
July 29, 2021, W3F1-2021-0054 (Reference 10)
Safety Evaluation Date
August 24, 2021
Principal Contributors to Safety Evaluation
Summer Sun, NRR
* The supplements dated January 22, January 29, March 5, March 19, May 21, June 2, June 21, July 19, and July 29, 2021, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC or the Commission) staff's original proposed no significant hazards consideration determination as published in the Federal Register (FR) on December 1, 2020 (85 FR 77264).
Contents
1.0 PROPOSED CHANGE
1.1 Introduction
1.2 Description of the CPCS and Current TS Requirements
1.3 Proposed Changes
2.0 REGULATORY EVALUATION
2.1 Regulations
2.2 Licensing and Design Bases
2.3 Guidance
3.0 TECHNICAL EVALUATION
3.1 TS Changes
3.1.1 TS 2.2.1, Table 2.2-1
3.1.2 TS 3/4.1.3.1 (SR 4.1.3.1.1)
3.1.3 TS 3/4.2.4
3.1.4 TS 3/4.3.1, Table 3.3-1 Notations
3.1.5 TS 3/4.3.1, Table 3.3-1 Action 6
3.1.6 TS 3/4.3.1, Table 3.3-1 Action 7
3.1.7 TS 3/4.3.1, SR 4.3.1.3
3.1.8 TS 3/4.3.1, SR 4.3.1.4
3.1.9 TS 3/4.3.1, SR 4.3.1.5
3.1.10 TS 3/4.3.1, SR 4.3.1.6
3.1.11 TS 3/4.3.1, SR 4.3.1.7
3.1.12 TS 3/4.3.1, Table 4.3-1
3.1.13 TS 3/4.10.2
3.1.14 TS 6.8.1
3.1.15 TS 6.9
3.1.16 Changes to TS SRs
3.2 UFSAR Chapter 15 Analysis
3.3 System Architecture
3.3.1 Existing System Architecture
3.3.2 New System Architecture
3.3.2.1 Common Q CPCS Hardware
3.3.2.2 Common Q CPCS Software
3.3.2.3 Setpoints and Channel Uncertainty
3.3.3 Functional Allocation and New System Functions
3.3.4 System Requirements Documentation
3.3.5 System Interfaces
3.3.5.1 Intrachannel Communication between Safety Components
3.3.5.2 Interchannel Communication Between CPCS Channels
3.3.5.3 Communication Between CPCS Safety Components and Nonsafety Equipment
3.3.5.4 Interfaces with Power Sources
3.3.6 Fundamental Design Principles
3.3.6.1 Redundancy
3.3.6.2 Independence
3.3.6.3 Deterministic Behavior
3.3.6.4 Defense-in-Depth and Diversity
3.4 Equipment Qualification
3.5 DI&C System Development Processes
3.5.1 System and Software Development Activities
3.5.1.1 Plant and I&C System Safety Analysis
3.5.1.2 I&C System Requirements
3.5.1.3 I&C System Architecture
3.5.1.4 I&C System Design
3.5.1.5 Software Requirements
3.5.1.6 Software Design
3.5.1.7 Software Implementation
3.5.1.8 Software Integration
3.5.1.9 I&C System Testing
3.5.1.10 Common Q SPM PSAIs
3.5.2 Project Management Processes
3.5.3 Software QA Processes
3.5.4 Software V&V Processes
3.5.5 Configuration Management Processes
3.5.6 Vendor Oversight Plan Summary
3.6 Applying a Referenced Topical Report Safety Evaluation
3.6.1 Addressing Platform Changes After Approval of a TR
3.6.2 Resolution of Topical Report Generic Open Items and PSAIs
3.6.2.1 Generic Open Items
3.6.2.2 PSAIs
3.7 IEEE Std 603-1991 Compliance and IEEE Std 7-4.3.2-2003 Conformance
3.8 SDOE
3.9 Human Factors Considerations
3.9.1 Introduction
3.9.2 Summary of the Modification and Impact to Operator Actions
3.9.3 Operating Experience Review
3.9.4 HSI Design
3.9.5 Training
3.9.6 Human Factors V&V
3.9.7 Design Implementation
3.9.8 Conclusion..................................................................................................................
3.10 Consistency with Risk-Informed Decisionmaking.......................................................
3.11 Technical Evaluation Conclusion................................................................................
4.0 REGULATORY COMMITMENTS...............................................................................
5.0 STATE CONSULTATION
6.0 ENVIRONMENTAL CONSIDERATION
7.0 CONCLUSION
.......................................................................................................... - 100 -
8.0 REFERENCES
.......................................................................................................... - 100 -
9.0 ACRONYMS/ABBREVIATIONS............................................................................... - 110 -
1.0 PROPOSED CHANGE
1.1 Introduction

By letter W3F1-2020-0038 dated July 23, 2020 (Reference 1, the license amendment request (LAR)), as supplemented by letters W3F1-2021-0002, W3F1-2021-0015, W3F1-2021-0025, W3F1-2021-0026, W3F1-2021-0032, W3F1-2021-0041, W3F1-2021-0047, W3F1-2021-0051, and W3F1-2021-0054 dated January 22, January 29, March 5, March 19, May 21, June 2, June 21, July 19, and July 29, 2021, respectively (References 2-10), Entergy Operations, Inc. (Entergy, the licensee) applied for a license amendment to Renewed Facility Operating License No. NPF-38 for the Waterford Steam Electric Station, Unit 3 (Waterford 3 or Waterford Unit 3). The proposed changes would revise various technical specifications (TSs) in order for the licensee to implement a planned modification that will replace the core protection calculator system (CPCS). This CPCS modification will replace the digital minicomputers of the core protection calculator (CPC) and the control element assembly calculator (CEAC) systems with a more reliable digital system. The amendment would support the planned replacement of the existing CPCS, also called the legacy system, with a functionally equivalent digital Common Qualified (Common Q) CPCS provided by Westinghouse Electric Company, LLC (Westinghouse). The licensee intends to replace the CPCS primarily because of parts obsolescence associated with the existing equipment and to improve the system's reliability.
The NRC staff audited various licensee documents and interviewed licensee (and its contract support) staff to support its licensing review. The NRC staff's audit plan is dated October 1, 2020, and was supplemented by e-mail dated March 22, 2021; the audit summary report is dated August 16, 2021 (References 11-13, respectively). The NRC sent the licensee a request for additional information (RAI) by letter dated April 29, 2021 (Reference 14). The NRC staff also used an open items process, described in Enclosure 3 of the Waterford Unit 3 September 22, 2020 meeting summary (Reference 15), to support the licensing review and identify potential RAIs.
The staff and the licensee discussed open items during partially closed meetings held throughout the staff's review. The staff's completed nonproprietary open items list is enclosed with the audit summary report. This report also references the partially closed meeting dates and meeting summaries.
1.2 Description of the CPCS and Current TS Requirements
System Description
The Waterford Unit 3 plant protection system (PPS) is comprised of an engineered safety features actuation system (ESFAS) and a reactor protection system (RPS). The CPCS is part of the RPS and contains the CPC and the CEAC. The CPCS sends reactor trip signals to the RPS trip logic to protect fuel design limits. Each of the four independent CPCs (i.e., one CPC in each protection channel) calculates departure from nucleate boiling ratio (DNBR) and local power density (LPD). The CPCS compares the DNBR and LPD calculation results to the Low DNBR and High LPD trip setpoints and produces Low DNBR trip and High LPD trip signal outputs. These CPCS trip outputs become digital trip inputs for the corresponding RPS channel. The four-channel RPS performs the two-out-of-four coincidence logic voting for various reactor trip functions that include the CPC Low DNBR and High LPD trips. The CPCS initiates automatic protective actions to ensure that the acceptable fuel design limits on DNBR and LPD specified in the core operating limits report are not exceeded during anticipated operational occurrences (AOOs).
The High LPD trip is designed to prevent the linear heat rate of the reactor core's limiting fuel pin from exceeding the centerline fuel melting temperature value. This trip prevents exceeding the safety limit of peak fuel centerline temperature in the event of AOOs defined in Chapter 15 of the Waterford Unit 3 Updated Final Safety Analysis Report (UFSAR) (Reference 16).
The DNBR is the ratio of critical heat flux to actual heat flux. Critical heat flux is the value of heat flux at which departure from nucleate boiling occurs. The Low DNBR trip is designed to prevent the DNBR of the limiting coolant channel in the reactor core from exceeding the fuel design limit for the fuel cladding in the event of UFSAR-defined AOOs. This trip also assists the ESFAS in limiting the consequences of a steam generator tube rupture, steam line break, or reactor coolant pump (RCP) shaft seizure.
The CPC DNBR and LPD pre-trip alarms initiate prior to the trip value to provide audible and visible indication of an approach to a trip condition. The pre-trip functions are retained in the planned CPCS replacement. These pre-trip functions provide annunciation and have no direct safety function. Section 3.3.3 of this safety evaluation contains the NRC staff's review of these pre-trip functions.
Both the existing and planned replacement CPCS consist of four independent channels of equipment (i.e., Channels A, B, C, and D) that are physically separated from each other. The existing CPCS design includes two redundant CEACs: CEAC 1 and CEAC 2. The CEAC 1 is mounted in CPCS Channel B, and the CEAC 2 is mounted in CPCS Channel C. The CEAC 1 monitors the position of all control element assemblies (CEAs) based on reed switch position transmitter (RSPT) 1 CEA position input, and the CEAC 2 performs the identical function but is based on RSPT 2. The CEAC penalty factor outputs in the existing system are transmitted to all four CPC channels. Thus, the CPCs in all four channels receive penalty factor inputs from both CEACs. The planned CPCS replacement design includes a total of eight CEACs (i.e., two in each of the four CPC channels). Each CPCS channel will have a CEAC 1 using RSPT 1 inputs from all CEAs and a CEAC 2 using RSPT 2 inputs from all CEAs. The RSPT inputs to each CPC/CEAC channel will be transmitted to the other three channels. Thus, the planned replacement design should increase availability because the failure of one CEAC would affect only one CPC channel.
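The availability argument above can be checked with a small fault-injection model of the two CEAC arrangements. This is an added example, not part of the NRC safety evaluation or the licensee's design documents; the topology dictionaries and function names are assumptions built only from the CEAC-to-CPC feeds described in this section, and RSPT inputs, inter-channel data links, and TS action statements are not modeled.

```python
"""Simplified model of CEAC-to-CPC penalty-factor feeds (constructed illustration)."""
from itertools import combinations

CHANNELS = ("A", "B", "C", "D")


def legacy_topology():
    """Existing design: two CEACs, each feeding the CPCs in all four channels.

    Keys are (host channel, CEAC name); values are the CPC channels fed.
    """
    return {
        ("B", "CEAC 1"): set(CHANNELS),  # mounted in Channel B, based on RSPT 1
        ("C", "CEAC 2"): set(CHANNELS),  # mounted in Channel C, based on RSPT 2
    }


def replacement_topology():
    """Planned design: eight CEACs, two per channel, each feeding only its own CPC."""
    return {(ch, name): {ch} for ch in CHANNELS for name in ("CEAC 1", "CEAC 2")}


def degraded_channels(topology, failed):
    """CPC channels that lose at least one CEAC input when `failed` CEACs are down."""
    hit = set()
    for ceac in failed:
        hit |= topology[ceac]
    return hit


def channels_without_ceac(topology, failed):
    """CPC channels left with no healthy CEAC input at all."""
    remaining = {ch: 0 for ch in CHANNELS}
    for ceac, consumers in topology.items():
        if ceac not in failed:
            for ch in consumers:
                remaining[ch] += 1
    return {ch for ch, count in remaining.items() if count == 0}


def worst_case(topology, n_failures):
    """Return (max degraded channels, max channels with no CEAC input).

    Both maxima are taken over every combination of `n_failures` failed CEACs,
    so the two numbers may come from different failure combinations.
    """
    worst_degraded = worst_lost = 0
    for failed in combinations(topology, n_failures):
        worst_degraded = max(worst_degraded, len(degraded_channels(topology, failed)))
        worst_lost = max(worst_lost, len(channels_without_ceac(topology, failed)))
    return worst_degraded, worst_lost


if __name__ == "__main__":
    designs = (("legacy (2 CEACs)", legacy_topology()),
               ("replacement (8 CEACs)", replacement_topology()))
    for label, topology in designs:
        for n in (1, 2):
            degraded, lost = worst_case(topology, n)
            print(f"{label}: {n} CEAC failure(s) -> "
                  f"up to {degraded} CPC channel(s) degraded, "
                  f"up to {lost} with no CEAC input")
```

In this model a single CEAC failure touches all four CPC channels in the legacy arrangement and one channel in the replacement, and two CEAC failures can leave at most one replacement channel without any CEAC input.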
As described in Section 7.2.1.1.1.4 of the Waterford Unit 3 UFSAR, the CPC will also initiate the DNBR and LPD trip outputs (i.e., auxiliary trips) under the following conditions:
- any input parameter outside of CPC operating space
- asymmetrical steam generator trip (ASGT)
- variable overpower trip (VOPT)
- hot leg temperature (Thot) at saturation
- CPC failure
- less than two RCPs running

The following calculations are performed in the CPC or CEAC:

- CEA deviations and corresponding penalty factors:
  o single CEA deviation in a subgroup calculated by the CEACs
  o subgroup deviations in a group calculated by the CPCs
  o groups out of sequence calculated by the CPCs
- correction of excore flux power for shape annealing and CEA shadowing
- normalized reactor coolant flowrate from RCP speed
- core average power from reactor coolant temperature and flow information
- core average power from corrected excore flux power signals
- axial power distribution from the corrected excore flux power signals
- fuel rod and coolant channel planar radial peaking factors, selection of predetermined coefficients based on CEA positions
- DNBR
- comparison of DNBR with a fixed trip setpoint
- LPD compensated for thermal capacity of fuel
- comparison of compensated LPD to fixed LPD setpoint
- CEA deviation alarm (CEAC)

The CPCS performs calculations using the following input signals:

- Thot and cold leg temperature (Tcold)
- pressurizer pressure (PPZR)
- RCP speed
- excore nuclear instrumentation flux power (each subchannel from the safety channel)
- selected (target) CEA position
- CEA subgroup deviation from the CEACs

Current TS Requirements

The current Waterford Unit 3 TSs reflect the use of the existing CPCS and the existing number of CEACs. The following TSs would be affected by the proposed amendment.
TS 2.2.1, Reactor Trip Setpoints, Table 2.2-1, Reactor Protective Instrumentation Trip Setpoint Limits, provides the list of reactor protective instrumentation trip setpoints.
TS 3/4.1.3.1, Movable Control Assemblies, provides the operability and alignment requirements for the CEA groups. Surveillance Requirement (SR) 4.1.3.1.1 specifies when the alignment checks are performed depending on CEAC operability status.
TS 3/4.2.4, DNBR Margin, provides requirements for monitoring DNBR Margin depending on the status of core operating limits supervisory system (COLSS) and CEACs.
TS 3/4.3.1, Reactor Protective Instrumentation, provides minimum operability requirements for the reactor protective instrumentation, which includes CPCs and CEACs.
TS 3/4.10.2, Moderator Temperature Coefficient, Group Height, Insertion, and Power Distribution Limits, provides the requirements for a special test exception permitting individual CEAs to be positioned outside of their normal group heights and insertion limits during the performance of select physics tests.
TS 6.8.1, Procedures and Programs, provides requirements related to CPCS software modifications.
TS 6.9, Reporting Requirements, provides reporting requirements.
1.3 Proposed Changes

In its application, as supplemented, the licensee stated that there are three aspects of the planned CPCS replacement that are driving the amendment request: (1) the two-to-eight CEAC design change (i.e., changing the configuration from having two CEACs shared across the four CPC channels to having two dedicated CEACs in each of the four CPC channels); (2) Common Q design (i.e., CPC features that are currently part of the Waterford Unit 3 TSs are no longer applicable); and (3) crediting self-diagnostics for TS SR elimination.
The licensee proposed the following changes to the Waterford Unit 3 TSs (detailed descriptions are in the licensee's supplemental letters dated May 21 and July 19, 2021):
TS 2.2.1, Table 2.2-1: The licensee proposed changes to this table to conform it to the updated CPC-to-CEAC relationship, where two CEACs are provided in each CPC channel. None of the CPC-related setpoints would be affected by the proposed changes.
TS 3/4.1.3.1 (SR 4.1.3.1.1): The licensee proposed to remove the current TS instruction on how often the SR should be performed depending on the operability condition of the CEACs because it would be redundant to the proposed TS 3.3.1 Action 6 statement that specifies when CEA position checks are performed depending on CEAC operability status.
TS 3/4.2.4: The licensee proposed to reformat this TS by grouping the four methods of monitoring DNBR depending on the status of the COLSS. The licensee stated that the proposed limiting condition for operation (LCO) wording would concisely handle the eight CEAC configuration design and functionality impacts. The licensee did not propose changes to the actions to take when the DNBR limit is not maintained.
TS 3/4.3.1, Table 3.3-1 notations: The licensee proposed to revise the functional unit designations to put all of the CPC subfunctions under Functional Unit 9, Core Protection Calculators, as a. Local Power Density - High, b. DNBR - Low, and c. CEA Calculators, because the table requirements for the CPC, LPD, and DNBR are identical.
The licensee proposed to add Notation (h) under the Channels to Trip column. The licensee also proposed to include the CEACs under Functional Unit 9 because each pair of CEACs directly supports one of the four CPC channels. The licensee proposed to change the Total No. of Channels, Channels to Trip, Minimum Channels OPERABLE, and Action values to reflect the eight-CEAC configurations. The licensee proposed to add notes (g), (h), and (i) to Table 3.3-1 to clarify information concerning CEAC and CPC operability.
TS 3/4.3.1, Table 3.3-1 Action 6: The licensee proposed to revise Action 6 to accommodate the eight-CEAC configuration while maintaining essentially the same actions as the current TS, depending on the impact to CPCS functionality, and to ensure that the TS includes all CEAC conditions of operability.
TS 3/4.3.1, Table 3.3-1 Action 7: The licensee proposed to delete Action 7 because it is associated with automatic restarts of the CEAC, which are not functions of the planned upgraded system.
TS 3/4.3.1, SR 4.3.1.3: The licensee proposed to modify SR 4.3.1.3 to exclude the CPC and CEAC, along with neutron detectors, from reactor trip system response time testing (RTT) because the response time assumptions of the CPCS upgrade will be validated as part of the site acceptance testing (SAT).
TS 3/4.3.1, SR 4.3.1.4: The licensee proposed to replace the text of this SR with DELETED, because the isolation amplifiers and optical isolators would be replaced with fiber optic cabling and, therefore, the SR would no longer be needed.
TS 3/4.3.1, SR 4.3.1.5: The licensee proposed to replace the text of this SR with DELETED, because the planned CPCS replacement design, using the Common Q platform, would not include the automatic restart feature and, therefore, the SR would no longer be needed.
TS 3/4.3.1, SR 4.3.1.6: The licensee proposed to delete SR 4.3.1.6 for performing a CHANNEL FUNCTIONAL TEST within 12 hours of receipt of a High CPC Cabinet Temperature alarm because the SR would no longer meet the criteria provided in Title 10 of the Code of Federal Regulations (10 CFR) Section 50.36(c)(2)(i) for demonstration of the lowest functional capability or performance levels of equipment required for safe operation of the facility.
TS 3/4.3.1, SR 4.3.1.7: The licensee proposed to add SR 4.3.1.7 to perform a test on the CPC DNBR/LPD trip output contact interface to the PPS because this portion of the system would not get monitored by the CPCS self-diagnostics. The licensee proposed that the SR be performed at the frequency prescribed in the licensee's surveillance frequency control program.
TS 3/4.3.1, Table 4.3-1: The licensee proposed to change this table to be consistent with the proposed functional unit formatting changes to Tables 2.2-1 and 3.3-1. The licensee also proposed to change all entries for CHANNEL FUNCTIONAL TEST for all of the Functional Unit 9 lines to None. The licensee stated that the self-diagnostics would meet the requirements of 10 CFR 50.36 for the CPCS except for the CPC DNBR/LPD trip output contacts, which would be tested by the proposed new SR 4.3.1.7.
The licensee also proposed to replace the text in Table Notations (6) and (9), which describe elements of the CHANNEL FUNCTIONAL TEST, with DELETED. The licensee proposed to remove the CHANNEL FUNCTIONAL TEST requirement in Notation (6) because this test would no longer be needed or performed after the planned CPCS replacement. The licensee stated that the verification described in Notation (9) would be incorporated in the design of the upgraded CPCS.
TS 3/4.10.2: The licensee proposed to revise this TS and SRs 4.10.2.1 and 4.10.2.2 to replace references to Functional Unit 15 with Functional Unit 9c. The licensee stated that this would be an editorial change to conform with the proposed changes to TS 2.2.1 and TS 3/4.3.1, which redesignate the CPCs as Functional Unit 9c in Tables 2.2-1 and 3.3-1.
TS 6.8.1: The licensee proposed to revise this TS to conform it to Standard Technical Specification (STS) 5.4.1.f of NUREG-1432, Revision 4, Standard Technical Specifications - Combustion Engineering Plants (Reference 17). This change would replace the governing source document for modifications to the CPC software with the appropriate Common Q Software Program Manual (SPM, Reference 48) and would provide more substantive guidance for the control of CPC Type 1 addressable constants than the current site-specific guidance.
TS 6.9: The licensee proposed to revise TS 6.9.1.11.1 to conform it to the other proposed TS changes.
2.0 REGULATORY EVALUATION
The NRC staff considered the following regulations, licensing and design bases, and guidance during its review of the proposed changes.
2.1 Regulations

The NRC staff considered the following regulatory requirements during its review of the application:
Section 50.34(f)(2)(ii) of 10 CFR requires the applicant to establish a program, to begin during construction and follow into operation, for integrating and expanding current efforts to improve plant procedures. The scope of the program shall include emergency procedures, reliability analyses, human factors engineering (HFE), crisis management, operator training, and coordination with the Institute of Nuclear Power Operations (INPO) and other industry efforts.
Section 50.34(f)(2)(iii) of 10 CFR requires the applicant to provide, for Commission review, a control room design that reflects state-of-the-art human factor principles prior to committing to the fabrication or revision of fabricated control room panels and layouts.
Section 50.34(f)(3)(i) of 10 CFR requires the applicant to provide administrative procedures for evaluating operating, design, and construction experience and for ensuring that applicable important industry experiences will be provided in a timely manner to those designing and constructing the plant.
Section 50.36(a)(1) of 10 CFR requires each applicant for a license authorizing operation of a utilization facility to include in its application proposed TSs in accordance with the requirements of that section.
Section 50.36(c)(1)(ii)(A) of 10 CFR requires, in part, that where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. If, during operation, it is determined that the automatic safety system does not function as required, then the licensee shall take appropriate action, which may include shutting down the reactor.
Section 50.36(c)(2)(i) of 10 CFR requires that TSs include LCOs, which are the lowest functional capability or performance levels of equipment required for safe operation of the facility. When an LCO for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the TSs until the condition can be met.
Section 50.36(c)(2)(ii) of 10 CFR provides four criteria to be used in determining whether an LCO is required to be included in the TSs.
Section 50.36(c)(3) of 10 CFR states that SRs are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the LCOs will be met.
Section 50.54(jj) of 10 CFR states that structures, systems, and components (SSCs) subject to the codes and standards in 10 CFR 50.55a must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
Section 50.55a(h) of 10 CFR states that the protection systems of nuclear power reactors must meet the requirements in Institute of Electrical and Electronics Engineers (IEEE) Std 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, or IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995.
Although the Waterford Unit 3 licensing basis is IEEE Std 279-1971, the LAR demonstrates compliance to the applicable clauses in IEEE Std 603-1991. As discussed below, the NRC staff determined that compliance with the requirements of IEEE Std 603-1991 satisfies the requirements of IEEE Std 279-1971.
Section 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants, of 10 CFR requires each pressurized water reactor manufactured by Combustion Engineering to have a diverse scram system from the sensor output to interruption of power to the control rods.
This scram system must be designed to perform its function in a reliable manner and be independent from the existing reactor trip system.
Section 55.4, Definitions, of 10 CFR defines a systems approach to training as a training program that includes the following five elements: (1) systematic analysis of the jobs to be performed, (2) learning objectives derived from the analysis which describe desired performance after training, (3) training design and implementation based on the learning objectives, (4) evaluation of trainee mastery of the objectives during training, and (5) evaluation and revision of the training based on the performance of trained personnel in the job setting.
The NRC staff determined that the following general design criteria (GDCs) in Appendix A, General Design Criteria for Nuclear Power Plants, to 10 CFR Part 50 apply to this review:
o GDC 1, Quality standards and records, states, in part, that SSCs important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
o GDC 2, Design bases for protection against natural phenomena, states, in part, that SSCs important to safety shall be designed to withstand the effects of natural phenomena.
o GDC 4, Environmental and dynamic effects design bases, states, in part, that SSCs important to safety shall be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents (LOCAs).
o GDC 10, Reactor design, states that the reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of AOOs.
o GDC 13, Instrumentation and control, states that instrumentation shall be provided to monitor variables over their anticipated ranges for normal operation, for AOOs, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.
o GDC 19, Control room, states, in part, that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including LOCAs. Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls (I&C) to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.
o GDC 20, Protection system functions, states, in part, that the protection system shall be designed to sense accident conditions and to initiate the operation of systems and components important to safety.
o GDC 21, Protection system reliability and testability, states, in part, that the protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that no single failure results in loss of the protection function. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.
o GDC 22, Protection system independence, states, in part, that the protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis.
o GDC 23, Protection system failure modes, states, in part, that the protection system shall be designed to fail into a safe state.
o GDC 24, Separation of protection and control systems, states, in part, that the protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.
o GDC 25, Protection system requirements for reactivity control malfunctions, states that the protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems such as accidental withdrawal of control rods.
o GDC 29, Protection against anticipated operational occurrences, states that the protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of AOOs.
The NRC staff determined that the following criteria in Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants to 10 CFR Part 50 apply to this review:
o Criterion III, Design Control, states, in part, that measures shall be established to assure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2 and as specified in the license application, for those SSCs to which Appendix B to 10 CFR Part 50 applies, are correctly translated into specifications, drawings, procedures, and instructions. Criterion III requires the provision of design control measures for verifying or checking the adequacy of design. The verifying or checking process shall be performed by individuals or groups other than those who performed the original design. Design changes, including field changes, shall be subject to design control measures commensurate with those applied to the original design.
o Criterion V, Instructions, Procedures, and Drawings, states that activities affecting quality shall be prescribed by documented instructions, procedures, or drawings, of a type appropriate to the circumstances and shall be accomplished in accordance with these instructions, procedures, or drawings. Instructions, procedures, or drawings shall include appropriate quantitative or qualitative acceptance criteria for determining that important activities have been satisfactorily accomplished.
o Criterion VII, Control of Purchased Material, Equipment, and Services, states, in part, that measures shall be established to assure that purchased material, equipment, and services, whether purchased directly or through contractors and subcontractors, conform to the procurement documents. These measures shall include provisions, as appropriate, for source evaluation and selection, objective evidence of quality furnished by the contractor or subcontractor, inspection at the contractor or subcontractor source, and examination of products upon delivery.
Documentary evidence that material and equipment conform to the procurement requirements shall be available at the nuclear power plant site prior to installation or use of such material and equipment.
o Criterion XVI, Corrective Action, states that measures shall be established to assure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected. In the case of significant conditions adverse to quality, the measures shall assure that the cause of the condition is determined, and corrective action taken to preclude repetition. The identification of the significant condition adverse to quality, the cause of the condition, and the corrective action taken shall be documented and reported to appropriate levels of management.
2.2 Licensing and Design Bases
The NRC staff considered the following licensing basis and design basis information during its review:
NUREG-0787, Safety Evaluation Report related to the Operation of Waterford Steam Electric Station, Unit No. 3, dated July 1981 (Reference 18). Section 7.2.3 describes the acceptability of the CPC design.
NUREG-0787, Supplement 5, dated June 1983 (Reference 19). Section 4.4.2 describes the NRC staff review of the CPC and CEAC.
UFSAR, dated September 11, 2019. Section 7.2.1.1.2.5 describes the Waterford Unit 3 CPCs.
2.3 Guidance
The NRC staff considered the following guidance during its review:
Digital Instrumentation and Control (DI&C)-Interim Staff Guidance (ISG)-06, Revision 2, Digital Instrumentation and Controls Licensing Process, Interim Staff Guidance, December 2018 (Reference 20), describes the licensing process to be used for the review of LARs associated with safety-related DI&C equipment modifications. The licensee's LAR is based on the alternate review process (ARP) described in this ISG.
DI&C-ISG-04, Revision 1, Task Working Group #4: Highly-Integrated Control Rooms Communications Issues (HICRc), Interim Staff Guidance, March 6, 2009 (Reference 21), describes methods acceptable to the NRC staff to prevent adverse interactions among safety divisions and between safety-related equipment and equipment that is not safety-related.
NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition, Chapter 7, Revision 7, Instrumentation and Controls, dated August 2016 (Reference 22), discusses the NRC's review acceptance criteria and the requirements for I&C systems in light-water nuclear power plants.
NUREG-0800, Chapter 18, Revision 3, Human Factors Engineering, dated December 2016 (Reference 23), contains guidance on using a graded approach to reviewing HFE considerations for plant modifications and important human actions.
NUREG-0700, Human-System Interface Design Review Guidelines, Revision 3, dated July 2020 (Reference 24), contains detailed acceptance criteria for the physical and functional characteristics of human-system interfaces (HSIs) that are affected for plant modifications.
NUREG-0711, Human Factors Engineering Program Review Model, Revision 3, dated November 2012 (Reference 25), contains guidance for the review of HFE programs of applicants requesting license amendments for plant modifications. NUREG-0711 references NUREG-0700.
Electric Power Research Institute (EPRI) Topical Report (TR)-107330, Generic Requirements Specification for Qualifying a Commercially Available PLC [Programmable Logic Controller] for Safety-Related Applications in Nuclear Power Plants, dated December 1996, and EPRI TR-106439, Guideline on Evaluation and Acceptance for Commercial Grade Digital Equipment for Nuclear Safety Applications, dated October 1996, provide guidance on the qualification and commercial grade dedication of digital systems. The NRC staff's reviews of these TRs are documented in its safety evaluations dated July 30, 1998 (Reference 26), and July 17, 1997 (Reference 27), respectively.
The following NRC Regulatory Guides (RGs) describe acceptable means for meeting applicable requirements:
o RG 1.53, Application of the Single-Failure Criterion to Safety Systems, Revision 2, dated November 2003 (Reference 28), endorses IEEE Std 379-2000, Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems.
o RG 1.75, Criteria for Independence of Electrical Safety Systems, Revision 3, dated February 2005 (Reference 29), endorses IEEE Std 384-1992, Standard Criteria for Independence of Class 1E Equipment and Circuits.
o RG 1.89, Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants, Revision 1, dated June 1984 (Reference 30), endorses IEEE Std 323-1974, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations.
o RG 1.100, Seismic Qualification of Electrical and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants, Revision 3, dated September 2009 (Reference 31), endorses IEEE Std 344-2004, IEEE Recommended Practice for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations.
o RG 1.105, Setpoints for Safety-Related Instrumentation, Revision 4, dated February 2021 (Reference 32), endorses Part I of American National Standards Institute (ANSI) / International Society of Automation (ISA) 67.04.01-2018, Setpoints for Nuclear Safety-Related Instrumentation.
o RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Revision 3, dated July 2011 (Reference 33), endorses IEEE Std 7-4.3.2-2003, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations.
o RG 1.168, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 2, dated July 2013 (Reference 34), endorses IEEE Std 1012-2004, IEEE Standard for Software Verification and Validation, and IEEE Std. 1028-2008, IEEE Standard for Software Reviews and Audits.
o RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, dated July 2013 (Reference 35), endorses IEEE Std 828-2005, IEEE Standard for Software Configuration Management Plans.
o RG 1.170, Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, dated July 2013 (Reference 36), endorses IEEE Std 829-2008, IEEE Standard for Software and System Test Documentation.
o RG 1.171, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, dated July 2013 (Reference 37), endorses ANSI/IEEE Std 1008-1987, IEEE Standard for Software Unit Testing.
o RG 1.172, Software Requirement Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants, Revision 1, dated July 2013 (Reference 38), endorses IEEE Std 830-1998, IEEE Recommended Practice for Software Requirements Specifications.
o RG 1.173, Developing Software Life-Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Revision 1, dated July 2013 (Reference 39), endorses IEEE Std 1074-2006, IEEE Standard for Developing a Software Life Cycle Process.
o RG 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3, dated January 2018 (Reference 40), describes an approach that is acceptable to the NRC for developing risk-informed applications for a licensing basis change that considers engineering issues and applies risk insights. It provides general guidance concerning analysis of the risk associated with proposed changes in plant design and operation.
o RG 1.180, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, Revision 1, dated October 2003 (Reference 41), endorses and includes guidance for conformance with Military Standard MIL-STD-461G, Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment, and International Electrotechnical Commission (IEC) 61000 series standards for evaluation of the impact of electromagnetic interference, radio-frequency interference, an electrical fast transient, and electrical power surges on safety-related I&C systems.
o RG 1.209, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants, dated March 2007 (Reference 42), endorses IEEE Std 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, with enhancements and exceptions.
In accordance with the review guidance established in NUREG-0800, Chapter 7 and DI&C-ISG-06, the NRC staff considered applicable portions of the following Standard Review Plan branch technical positions (BTPs):
BTP 7-14, Revision 6, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems, dated August 2016 (Reference 43)
BTP 7-17, Revision 6, Guidance on Self-Test and Surveillance Test Provisions, dated August 2016 (Reference 44)
BTP 7-19, Revision 7, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, dated August 2016 (Reference 45)
BTP 7-21, Revision 6, Guidance on Digital Computer Real-Time Performance, dated August 2016 (Reference 46)
3.0 TECHNICAL EVALUATION
In determining whether an amendment to a license will be issued, the NRC is guided by the considerations that govern the issuance of initial licenses to the extent applicable and appropriate. The NRC staff evaluated the licensee's LAR to determine whether the proposed changes are consistent with the regulations, licensing and design basis information, and guidance, as applicable, discussed in Section 2.0 of this safety evaluation. The staff reviewed the CPCS design to determine whether it supports the proposed TS changes. The staff also reviewed the proposed TS changes to determine whether they ensure continued compliance with 10 CFR 50.36.
3.1 TS Changes
3.1.1 TS 2.2.1, Table 2.2-1
TS LCO 2.2.1 specifies reactor trip setpoints in Table 2.2-1, Reactor Protective Instrumentation Trip Setpoint Limits, which are the values at which the reactor trips are set for each functional unit. The trip setpoints have been selected to ensure that the reactor core and reactor coolant system are prevented from exceeding their safety limits during normal operation and design-basis AOOs and to assist the ESFAS in mitigating accident consequences.
The licensee proposed to revise Table 2.2-1 to conform to the planned updated CPC-to-CEAC relationship, where two CEACs are provided in each CPC channel. Specifically, the Local Power Density - High and DNBR - Low trips would be replaced with the proposed new Functional Unit 9, Core Protection Calculators, which would include the two trips. Also, the current CPC and CEAC Functional Units 14 and 15 would be deleted.
The CPCs are the primary functional unit and calculate the trip variables (i.e., LPD and DNBR).
The CEACs do not provide a direct trip function and, therefore, are acceptable to be removed from Table 2.2-1. However, because CEACs have operability and SRs, they are included in TS Tables 3.3-1 and 4.3.1. The NRC staff reviewed the proposed changes to Table 2.2-1 and determined that they are acceptable because: (1) the LPD and DNBR setpoints are not changed and (2) TS LCO 2.2.1 continues to meet the requirements of 10 CFR 50.36(c)(1)(ii)(A).
3.1.2 TS 3/4.1.3.1 (SR 4.1.3.1.1)
TS LCO 3.1.3.1 specifies that all CEAs shall be OPERABLE, with each CEA of a given group positioned within 7 inches of all other CEAs in its group. This ensures that acceptable power distribution limits are maintained, the minimum SHUTDOWN MARGIN is maintained, and the potential effects of CEA misalignments are limited to acceptable levels. Currently, SR 4.1.3.1.1 requires the position of each CEA be determined to be within 7 inches (indicated position) of all other CEAs in its group in accordance with the surveillance frequency control program except during time intervals when one CEAC is inoperable or when both CEACs are inoperable, then verify the individual CEA positions at least once per 4 hours.
The licensee proposed to delete the portion of SR 4.1.3.1.1 that provides TS guidance on how often the SR should be performed depending on the operability condition of the CEACs.
Specifically, the licensee proposed to delete the statement, "except during time intervals when one CEAC is inoperable or when both CEACs are inoperable, then verify the individual CEA positions at least once per 4 hours," from SR 4.1.3.1.1.
The NRC staff reviewed the proposed change to SR 4.1.3.1.1 and determined that it is acceptable because the SR will continue to meet the operability requirements of TS LCO 3.1.3.1 by verifying that the position of each CEA is within 7 inches of all other CEAs. The NRC staff also confirmed that the requirements on how often the SR should be performed depending on the operability condition of the CEACs are redundant to the proposed TS 3/4.3.1 Action 6.b.2, which states, "Operation may continue for up to 7 days provided that the position of each CEA is verified to be aligned with all other CEAs in its group by performing [SR] 4.1.3.1.1 at least once per 4 hours." This proposed new action will continue to meet the requirement to determine when CEA position checks are performed depending on CEAC operability status.
3.1.3 TS 3/4.2.4
TS 3/4.2.4 specifies requirements for monitoring DNBR margin based on the status of COLSS and CEACs. The licensee proposed to revise TS LCO 3.2.4 to reflect the planned CPCS replacement. The licensee proposed to reformat TS LCO 3.2.4 by grouping the four methods of monitoring DNBR on the status of COLSS and CEACs. This change reflects the planned new CPCS design of eight CEACs (i.e., two per each of the four CPCS channels) instead of the existing two CEACs total (shared across the four CPCS channels) and supports the planned CPCS replacement.
The NRC staff reviewed the proposed changes to TS LCO 3.2.4 and determined they are acceptable because the proposed changes: (1) do not involve setpoint changes; (2) correctly reflect the planned upgraded CPCS configuration; (3) do not change the requirements of the current TS LCO 3.2.4; and (4) are similar to the NRC-approved TS LCO 3.2.4 (Reference 47) for Palo Verde Nuclear Generating Station (Palo Verde), which adequately includes the eight CEACs configuration design.
3.1.4 TS 3/4.3.1, Table 3.3-1 Notations
The licensee proposed to revise the functional unit designations to put all of the CPC subfunctions under proposed Functional Unit 9, Core Protection Calculators, as a. Local Power Density - High, b. DNBR - Low, and c. CEA Calculators because the table requirements for the CPC, LPD, and DNBR are identical. The licensee proposed to add Notation (h) under the Channels to Trip column. The licensee also proposed to include the CEACs under Functional Unit 9 because each pair of CEACs directly supports one of the four CPC channels. The licensee proposed to change the Total No. of Channels, Channels to Trip, Minimum Channels OPERABLE, and Action values to reflect the eight-CEAC configuration. The licensee proposed to add notes (g), (h), and (i) to Table 3.3-1 to clarify information concerning CEAC and CPC operability.
As discussed in Section 3.3.2.1 of this safety evaluation, there would be eight CEACs (two for each of the four CPC channels). The Total No. of Channels column of Table 3.3-1 would be revised to state four channels for the CEACs to reflect the planned new system design. A CEAC causes a trip by transmitting a high penalty factor to its associated CPC channel. Two CPC channels must trip on either LPD - High or DNBR - Low to cause a reactor trip. Therefore, two separate channels of CEACs must send sufficiently high penalty factors to their CPC to cause a reactor trip. The proposed Channels to Trip column of Table 3.3-1 would be revised to require two separate channels of CEAC to cause a reactor trip. The Minimum Channels OPERABLE column for CEACs would be revised to three channels. A channel of CEAC is OPERABLE as long as one of the two CEACs in a CPC channel is OPERABLE. Therefore, requiring three channels as a minimum to be OPERABLE matches the CPC requirements and ensures that the single-failure criterion is maintained or that ACTIONS are taken.
The NRC staff reviewed the proposed changes to Table 3.3-1 and finds them acceptable because they reflect the planned new CEAC system design and continue to meet the requirements of LCO 3.3.1, which requires that as a minimum, the reactor protective instrumentation channels and bypasses of Table 3.3-1 shall be OPERABLE. The total number of channels, channels to trip, and minimum channels OPERABLE in Table 3.3-1 are unchanged for LPD - High, DNBR - Low, and CPCs. The proposed Notes (g), (h), and (i) provide clarifying information concerning CEAC and CPC operability based on the planned new CEAC and Common Q design.
3.1.5 TS 3/4.3.1, Table 3.3-1 Action 6
The licensee proposed to (1) revise Action 6 to describe three CEAC operability conditions to ensure that all CEAC conditions of operability are included, and (2) add a note to indicate that separate Actions may be entered for each CPC channel. For the current CPCS, Action 6.a. is the required action and associated completion time for one CEAC being inoperable, and Action 6.b. is the required action and associated completion time for both CEACs being inoperable. The licensee proposed to revise Action 6 to accommodate the eight CEAC configuration, while maintaining essentially the same actions as the current TS, depending on the impact to CPCS functionality. A primary objective of the proposed changes to Action 6 was to ensure that all CEAC conditions of operability were included. The licensee provided justification for the proposed changes in Section 2.4 of the LAR enclosure.
As discussed in Section 3.3.2.1 of this safety evaluation, the NRC staff reviewed in detail the planned hardware configuration of the CPCS including the functionality and location of the CEAC processors. The staff also reviewed the communication between RSPTs and CEACs, and the method that CEA positions are sent to each of the other channels. To reflect the planned design change that there are two CEACs in each CPC channel, as discussed above, Action 6 would need to be changed. For all of the actions described above, there is the option of declaring the associated CPC channel inoperable, which would invoke ACTIONS 2 or 3, which would be unchanged. The completion time of 4 hours, as defined in the TSs, to declare the affected CPC channel(s) inoperable is consistent with similar required actions in the TSs.
The operators will have the option to declare the CEAC inoperable, which would result in the CPC channel being inoperable, which is covered in TS 3/4.3.1. Based on the justification provided by the licensee and the NRC staff review of the new Common Q CPCS, the staff concludes that the proposed changes to TS 3/4.3.1 Action 6, including the new required actions and completion time, reflect the planned new CPCS. Based on this, the NRC staff concludes that the proposed changes are acceptable.
3.1.6 TS 3/4.3.1, Table 3.3-1 Action 7
The licensee proposed to delete Action 7, which is for three or more automatic restarts of one nonbypassed calculator during a 12-hour period. The licensee proposed to delete Action 7 because it is associated with auto-restarting the CEAC, which is not a function of the planned upgraded system. Action 7 currently requires calculator operability to be demonstrated by performing a CHANNEL FUNCTIONAL test.
The NRC staff reviewed the proposed change and determined that the Common Q CPCS has no restart capability and, therefore, that Action 7 would no longer be applicable to the planned new CPCS. As discussed in Section 3.1.16 of this safety evaluation, the CPCS self-diagnostic functions that would be credited can adequately demonstrate operability of all the components covered by existing SRs, and the CPCS self-diagnostic functions execute deterministically and actuate alarms for all detected faults. The staff also determined that automatic functions that monitor performance of self-diagnostic features, and administrative actions taken by the licensee to assure that self-diagnostic functions are operating, are acceptable. Based on this, the staff concludes that the proposed changes are acceptable.
3.1.7 TS 3/4.3.1, SR 4.3.1.3
The licensee proposed to modify the approach for satisfying the CPC and CEAC REACTOR TRIP SYSTEM RESPONSE TIME testing SR. Specifically, the licensee proposed to use allocated response times for the CPCS, in lieu of performing manual tests, in support of the overall RTT required by the TS SRs. The licensee stated that the response time assumptions of the planned CPCS upgrade would be validated as part of the SAT. The measurement of response time at the specified frequencies provides assurance that the protective and engineered safety feature (ESF) functions associated with each channel are completed within the time limit assumed in the safety analyses.
SR 4.3.1.3 currently states, in part, that the reactor trip system response time of each reactor trip function shall be demonstrated to be within its limit in accordance with the surveillance frequency control program. The current definition for the engineered safety features response time states, in part: [i]n lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC. Accordingly, the licensee proposed a methodology for using the allocated response times for the CPCS digital equipment for verifying the overall response times.
WCAP-18484-P, Licensing Technical Report [LTR]1 for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System (Reference 9, Enclosure 1), Appendix B, Elimination of Specific CPCS Technical Specification Surveillance Requirements, provides the basis and methodology for using allocated CPCS digital equipment response times in the overall verification of the channel response time for the CPCS.
The LTR states that the foundation for the RTT SR elimination analysis consists of the following two factors: (1) the system and application diagnostics that are being credited in the LTR to eliminate other SRs in Appendix B would still capture failures of the CPCS that would result in slower response times, and (2) portions of the CPCS actuation paths are tested under other SRs not eliminated within this LAR. The LTR states that based on these factors, only failures that cause a response time delay, but have no functional effect on the component, will be considered. These failures are those that will either affect the control module cycles in the processor modules or hardware failures that result in response time delays. Therefore, to eliminate RTT SRs, it must be demonstrated that both the control module cycle time and hardware are covered by diagnostics.
The licensee proposed the following methodology to be used to eliminate RTT:
- 1. Determine all RTT paths tested under Waterford Unit 3 TS SR 4.3.1.3 related to the CPCS:
- a. Table 4.3-1, Functional Unit 9, Low Power Density - High
- b. Table 4.3-1, Functional Unit 10, DNBR - Low
- c. Table 4.3-1, Functional Unit 14, Core Protection Calculators
- d. Table 4.3-1, Functional Unit 15, CEA Calculators

Once all paths are determined, the scope of the components that make up the functional paths for RTT can be determined.

1 The acronym LTR is used throughout this safety evaluation when referring to the licensing technical report, WCAP-18484, except when referring to the following four Westinghouse letters: LTR-GIC-20-003, LTR-TA-19-154, LTR-TA-20-4, and LTR-TA-21-17. In such cases, LTR is an abbreviation for letter.
- 2. Analyze the components identified in Step 1 for potential failures that could generate delays in response time. For identified failures, diagnostics will be discussed, which will be credited to ensure that the response time will not continue to degrade to a point that would be qualitatively worse than the current frequency of checking the response time of the system (any given division is only response time tested every fourth refueling outage). This will be done by analyzing the components in three groups:
- a. Input Modules
- b. Processing and Communication Components
- c. Output Modules

The table below provides a list of components analyzed per the identified paths and detailed architecture described in the Waterford Unit 3 CPCS replacement system requirements specification (SyRS), WNA-DS-04517-CWTR3, System Requirements Specification for the Core Protection Calculator System (Reference 2, Enclosure 1):

| Type of Component | CPCS Rack Components Within SR Paths |
|---|---|
| Input Modules | AI688, DP620 |
| Processing/Communication | PM646, BIOB, CI631, high speed link (HSL) |
| Output Modules | D0625, interposing relay panel (IRP) |
The NRC staff reviewed the methodology and analysis in the LTR and determined that the methodology presented for the use of CPCS allocated response times satisfies the applicable requirements of 10 CFR 50.55a(h). Therefore, the staff agrees that it is acceptable to eliminate the CPCS portion of RTT in SR 4.3.1.3. Response time verification for other equipment within the CPCS channel must be demonstrated by test as identified in the TSs. The NRC staff reviewed the CPCS response time calculations in Section 3.3.6.3 of this safety evaluation. In response to RAI-07.d (Reference 7, Enclosure 2), the licensee stated that the response time values specified in Table 2.4.1.3-1 of the Waterford Unit 3 CPCS SyRS are the acceptance criteria for RTT performed during the CPCS factory acceptance testing (FAT). Based on the calculated Waterford Unit 3 Common Q CPCS response time performance and plans to perform RTT during FAT, the NRC staff finds that the Waterford Unit 3 CPCS meets the Waterford Unit 3 response time requirements and that these response time requirements satisfy the Waterford Unit 3 CPCS safety analysis. Based on this, the NRC staff concludes that the proposed changes are acceptable.
3.1.8 TS 3/4.3.1, SR 4.3.1.4
The licensee proposed to replace the text of SR 4.3.1.4 with DELETED, because the isolation amplifiers and optical isolators would be replaced with fiber optic cabling and, therefore, the SR would no longer be needed. Because the Common Q CPCS, as described in Section 3.3.2 of this safety evaluation, does not have these isolation amplifiers and optical isolators, the NRC staff concludes that SR 4.3.1.4 is unnecessary. Based on this, the NRC staff finds that removing this requirement is acceptable.
3.1.9 TS 3/4.3.1, SR 4.3.1.5
The licensee proposed to replace the text of SR 4.3.1.5 with DELETED, because the planned upgraded CPCS design, using the Common Q platform, would not include the automatic restart feature and, therefore, the SR would no longer be needed. The NRC staff reviewed the proposed deletion of Action 7, associated with automatic restarts of the CEAC, above in this section and in Section 3.1.16 of this safety evaluation. Because the Common Q CPCS has no restart capability, the NRC concludes that an SR to check the CEAC automatic restart count is unnecessary. Therefore, the NRC staff concludes that the proposed revision of SR 4.3.1.5 to state DELETED is acceptable.
3.1.10 TS 3/4.3.1, SR 4.3.1.6
The licensee proposed to delete SR 4.3.1.6 for performing a CHANNEL FUNCTIONAL TEST within 12 hours of receipt of a High CPC Cabinet Temperature alarm because the SR would no longer meet the criteria provided in 10 CFR 50.36(c)(2)(i) for demonstrating the lowest functional capability or performance levels of equipment required for safe operation of the facility. The licensee justified this in its LAR (Reference 1, Enclosure) by stating, in part, that:
This is based on:
a. A high CPC cabinet temperature alarm does not indicate the lowest functional capability or performance level of a CPC or CEAC.
b. The existing SR requirement has no follow up requirements for continuous monitoring after the initial test to determine if functionality may be affected in the future with an existing high temperature condition.
c. Lastly, the existence of a high CPC cabinet temperature alarm does not directly relate to when the CPCS becomes inoperable.
The NRC staff reviewed the hardware temperature qualification of the Common Q discussed in Section 3.4 of this safety evaluation, which shows the temperature to which the Common Q was tested. The NRC staff also reviewed the criteria of 10 CFR 50.36(c)(2)(i). Because the high CPC cabinet temperature alarm does not relate to when the CPCS becomes inoperable, the NRC staff finds that SR 4.3.1.6 does not meet the criteria of 10 CFR 50.36(c)(2)(i) to be in the TSs and, thus, the licensee has provided sufficient justification for removing SR 4.3.1.6 from the TSs. Therefore, the NRC staff concludes that the revision of SR 4.3.1.6 to state DELETED is acceptable.
3.1.11 TS 3/4.3.1, SR 4.3.1.7
The licensee proposed to add SR 4.3.1.7 to perform a test on the CPC DNBR/LPD trip output through the contact interface to the PPS because this portion of the system does not get monitored by the CPCS self-diagnostics. The licensee proposed that the SR be performed at the frequency prescribed in the licensee's surveillance frequency control program.
The NRC staff reviewed Appendix B to the LTR, which details the portions of the CPCS that are monitored by the CPCS self-diagnostics. The NRC staff confirmed that the CPC DNBR/LPD trip output through the contact interface to the PPS is not monitored by the self-diagnostics.
Proposed new SR 4.3.1.7 would require that a test be performed on the CPC DNBR/LPD trip output through the contact interface to the PPS in accordance with the surveillance frequency control program. The NRC staff determined that this SR would provide an acceptable means of verifying safety functionality for output components that are not covered by self-diagnostics.
Based on this, the NRC staff finds that adding this requirement is acceptable.
3.1.12 TS 3/4.3.1, Table 4.3-1
The licensee proposed to change Table 4.3-1 to be consistent with the proposed functional unit formatting changes to Tables 2.2-1 and 3.3-1. The licensee also proposed to change all entries for CHANNEL FUNCTIONAL TEST for all of the Functional Unit 9 lines to None. The licensee stated that the self-diagnostics would meet the requirements of 10 CFR 50.36 for the CPCS except for the CPC DNBR/LPD trip output contacts, which would be tested by the proposed new SR 4.3.1.7. The licensee also proposed to replace the text in Table Notations (6) and (9), which describe elements of the CHANNEL FUNCTIONAL TEST, with DELETED. The licensee proposed to remove the CHANNEL FUNCTIONAL TEST requirement in Notation (6) because this test would no longer be needed or performed after the planned CPCS replacement. The licensee stated that the verification described in Notation (9) would be incorporated in the design of the planned upgraded CPCS.
The NRC staff reviewed the proposed changes to Table 4.3-1 that would make it consistent with the proposed functional unit formatting changes for Tables 2.2-1 and 3.3-1, which are reviewed above in this section of the safety evaluation. Like the changes proposed for Tables 2.2-1 and 3.3-1, the proposed changes to Table 4.3-1 would designate a Functional Unit 9, with Local Power Density - High, DNBR - Low, and CEA Calculators, as sub-functional units.
The NRC staff finds the proposed changes to be acceptable because the SRs for channel check, channel calibration, and modes would remain unchanged, and the formatting changes would make Table 4.3-1 consistent with the proposed changes to Tables 2.2-1 and 3.3-1. Also, Table 4.3-1, as changed, would continue to meet the requirements of 10 CFR 50.36(c)(3).
The second proposed change to Table 4.3-1 would change all entries for CHANNEL FUNCTIONAL TEST for all the proposed Functional Unit 9 lines to "None." The licensee provided justification that demonstrates that the self-diagnostics would meet the requirements of 10 CFR 50.36 for the CPCS. The NRC staff's review of this justification is discussed in Section 3.1.16 of this safety evaluation. The NRC staff determined that Common Q platform and CPCS application-specific self-diagnostic functions would provide an adequate means of providing continuous confirmation of CPCS system operability and that the licensee will periodically verify the functionality of the CPCS diagnostic functions. Therefore, the licensee can credit Common Q self-diagnostics functions as an acceptable alternative to performing periodic manual SRs. The NRC staff accordingly finds these proposed changes to Table 4.3-1 acceptable because they would make the Channel Functional Test column of the table consistent with the proposed removal of the SRs for the components of the CPCS that will rely on the self-diagnostic functions of the Common Q platform.
The licensee also proposed to remove Table Notations (6) and (9). Currently, Table Notation (6) states, "This CHANNEL FUNCTIONAL TEST shall include the injection of simulated process signals into the channel as close to sensors as practicable to verify OPERABILITY including alarm and/or trip functions." Table Notation (9) states, "The CHANNEL FUNCTIONAL TEST shall include verification that the correct values of addressable constants are installed in each OPERABLE CPC."
The NRC staff finds the removal of Notation (6) acceptable because the CHANNEL FUNCTIONAL TEST requirement is proposed to be removed; therefore, the notation would no longer be needed.
The NRC staff reviewed the justification provided for the removal of Notation (9). The licensee stated that, during normal operation, the operator module (OM) sends addressable constants to the appropriate processor modules via the intradivisional Advant Fieldbus 100 (AF100) highway. This data consists of tuning coefficients and setpoints. Upon receipt of this data, the receiving processor module will transmit the setpoint information (addressable constants and reload data block values) back to the respective OM. The OM will then verify that the data sent to the target processor module is the same as what was transmitted back to ensure that there is no data corruption. If a data mismatch is detected by the OM, a fault alert (CPC Fail or CEAC Fail) is generated if the mismatch condition persists beyond a configurable amount of time. The NRC staff finds the proposed removal of Notation (9) acceptable based on this justification provided by the licensee.
The verification described in Notation (9) will continue to be met by the planned upgraded CPCS, as described above.
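The send, echo and compare check described above, with its persistence time, can be sketched as follows. This is an added illustration, not code from the licensee, Westinghouse or the Common Q platform; the type and function names, the 100 ms cycle, the 500 ms persistence time and the choice to clear the alert once the data agree again are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_CONST 3  /* constructed: size of the addressable-constant set */

/* Illustrative monitor for the send / echo / compare check. All names and the
 * clear-on-agreement behaviour are assumptions made for this example. */
typedef struct {
    uint32_t persist_ms;      /* configurable time a mismatch must persist   */
    uint32_t mismatch_since;  /* when the current mismatch was first seen     */
    bool     mismatch;        /* a mismatch is present right now              */
    bool     fail_alert;      /* stands in for the CPC Fail / CEAC Fail alert */
} readback_mon_t;

static void readback_init(readback_mon_t *m, uint32_t persist_ms)
{
    m->persist_ms = persist_ms;
    m->mismatch_since = 0u;
    m->mismatch = false;
    m->fail_alert = false;
}

/* Compare bit patterns, not float values: every flipped bit counts, and
 * NaN != NaN or +0.0 == -0.0 cannot fake or hide a mismatch. */
static bool sets_identical(const float *sent, const float *echoed)
{
    return memcmp(sent, echoed, N_CONST * sizeof(float)) == 0;
}

/* Run once per cycle with what was sent and what came back. */
static bool readback_check(readback_mon_t *m, const float *sent,
                           const float *echoed, uint32_t now_ms)
{
    if (sets_identical(sent, echoed)) {
        m->mismatch = false;         /* agreement restarts the persistence timer */
        m->fail_alert = false;
        return false;
    }
    if (!m->mismatch) {
        m->mismatch = true;
        m->mismatch_since = now_ms;
    } else if ((uint32_t)(now_ms - m->mismatch_since) > m->persist_ms) {
        m->fail_alert = true;        /* mismatch outlived the configured time */
    }
    return m->fail_alert;
}

/* Replay a constructed schedule: corrupt[i] says whether the echo in cycle i
 * (at i * 100 ms) has one bit flipped. Returns the time of the first alert,
 * or -1 if the alert never asserts. */
static int32_t first_alert_ms(const bool *corrupt, int n, uint32_t persist_ms)
{
    const float sent[N_CONST] = { 1.25f, 0.98f, 21.0f };  /* constructed values */
    readback_mon_t m;

    readback_init(&m, persist_ms);
    for (int i = 0; i < n; i++) {
        float echoed[N_CONST];
        uint32_t bits;

        memcpy(echoed, sent, sizeof echoed);
        if (corrupt[i]) {            /* flip the lowest bit of one constant */
            memcpy(&bits, &echoed[1], sizeof bits);
            bits ^= 1u;
            memcpy(&echoed[1], &bits, sizeof bits);
        }
        if (readback_check(&m, sent, echoed, (uint32_t)i * 100u))
            return (int32_t)(i * 100);
    }
    return -1;
}

/* Constructed schedules, one entry per 100 ms cycle. */
static const bool TRANSIENT[14]   = { 0,0,1,1,0,0,0,0,0,0,0,0,0,0 };
static const bool PERSISTENT[14]  = { 0,0,1,1,1,1,1,1,1,1,1,1,1,1 };
static const bool INTERRUPTED[14] = { 0,0,1,1,1,0,1,1,1,1,1,1,1,1 };

static int32_t demo_transient(void)   { return first_alert_ms(TRANSIENT, 14, 500u); }
static int32_t demo_persistent(void)  { return first_alert_ms(PERSISTENT, 14, 500u); }
static int32_t demo_interrupted(void) { return first_alert_ms(INTERRUPTED, 14, 500u); }

int main(void)
{
    printf("transient mismatch:   first alert at %d ms\n", (int)demo_transient());
    printf("persistent mismatch:  first alert at %d ms\n", (int)demo_persistent());
    printf("interrupted mismatch: first alert at %d ms\n", (int)demo_interrupted());
    return 0;
}
```

In this model one clean echo restarts the persistence timer, so the interrupted schedule alerts later than the persistent one even though the corruption began at the same time.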
3.1.13 TS 3/4.10.2
The licensee proposed to revise TS 3/4.10.2 and SRs 4.10.2.1 and 4.10.2.2 in four places to replace "Functional Unit 15" with "Functional Unit 9c." The licensee stated that this was purely editorial as a result of the proposed changes to TS 2.2.1 and 3/4.3.1 described above, which would redesignate the CPCs as Functional Unit 9c in Tables 2.2-1 and 3.3-1. The NRC staff reviewed these proposed changes and determined that they are acceptable because Functional Unit 15 was proposed to be deleted to put all CPC subfunctions (LPD - High, DNBR - Low, and CEACs) under Functional Unit 9. Therefore, the proposed changes to TS 3/4.10.2 and SRs 4.10.2.1 and 4.10.2.2 are necessary to maintain consistency with the functional unit formatting changes proposed for Tables 2.2-1 and 3.3-1. Based on this, the NRC staff concludes that the proposed changes are acceptable.
3.1.14 TS 6.8.1
The licensee proposed to conform TS 6.8.1 to STS 5.4.1.f of NUREG-1432, Revision 4. This change would also replace the governing source document for modifications to the CPC software with WCAP-16096-P-A, "Software Program Manual for Common Q Systems" (Reference 48), and would provide more substantive guidance for the control of CPC Type 1 addressable constants than the current site-specific guidance.
The licensee's proposed change to TS 6.8.1 would change the procedure used to make modifications to CPC software. The licensee proposed that WCAP-16096-P-A be used instead of CEN-39(A)-P, "CPC Protection Algorithm Software Change Procedure," which is the licensee's procedure for the existing CPCS. The SPM was developed by Westinghouse for modifying the Common Q CPCS software, as discussed in Section 3.5 of this safety evaluation, and, therefore, should be the required document listed in TS 6.8.1 for such modifications.
Because the SPM is the document to control modifications of the Common Q CPCS software, the NRC staff concludes that the proposed change to TS 6.8.1 is acceptable.
3.1.15 TS 6.9
The licensee proposed to revise TS 6.9.1.11.1 to conform it to the other proposed TS changes.
The proposed changes would replace references to TS 3.2.4.b with 3.2.4.a.2, references to TS 3.2.4.c with 3.2.4.b.1, and references to TS 3.2.4.d with 3.2.4.b.2. The NRC staff reviewed the proposed changes and determined that they reflect the proposed new numbering of LCO 3.2.4, which was reviewed above in this section of the safety evaluation. Therefore, the NRC staff finds that the proposed changes to TS 6.9.1.11.1 are acceptable.
3.1.16 Changes to TS SRs
The NRC staff reviewed the replacement CPCS against the following clauses of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003:
- Clause 5.5, System Integrity
- Clause 5.7, Capability for Testing and Calibration
- Clause 6.5, Capability for Testing and Calibration
The primary objective of conducting SRs on CPCS components is to assure their operability.
The NRC staff evaluated the proposed SR elimination to determine whether: (1) the CPCS self-diagnostic functions can adequately demonstrate operability of all the components covered by the existing SRs; (2) the CPCS self-diagnostic functions execute in a deterministic manner in accordance with Standard Review Plan, BTP 7-21 and actuate alarms for all detected faults; and (3) the quality of the built-in CPCS self-diagnostic functions meets 10 CFR Part 50, Appendix B requirements for quality assurance (QA).
There are several self-diagnostic functions included in the Common Q Platform design.
Because the Waterford replacement CPCS design uses Common Q Platform equipment, the system inherits these functions. The NRC staff determined that CPCS/CEAC self-diagnostics are incorporated into the system requirements and that these functions have been subjected to the same verification and validation (V&V) processes as the safety system functions. These self-diagnostic functions are listed and described below.
Watchdog Timer Functions
A Common Q processor module is composed of two internal sections: a processing section and a communications section. Each of these sections contains a microprocessor, and both microprocessors have an associated window watchdog timer (WWDT). Each WWDT is a precision timing device that must be triggered within a defined window of time. If the WWDT is triggered earlier or later than this time window, then the timer output changes state. When a change of state occurs on either of the WWDTs, the WWDT Relay, whose contacts are accessible from the processor front panel, changes state.
For the CPCS application, the WWDT Relay is used to actuate a divisional CPCS trip signal. Additional WWDTs, known as stall timers, are associated with the processing section of the Common Q processor module (PM646A).
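The window behaviour described above (a trigger that arrives too early is as much a fault as one that arrives too late, and either section's timer drives the one relay) can be modelled as follows. This is an added illustration, not Common Q code; the names, the 8 ms to 12 ms window and the latching of the tripped state are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of a window watchdog timer (WWDT). Names, the 8-12 ms
 * window and the latching output are assumptions made for this example. */
typedef struct {
    uint32_t open_us;   /* earliest allowed trigger, measured from the last one */
    uint32_t close_us;  /* latest allowed trigger, measured from the last one   */
    uint32_t last_us;   /* time of the last accepted trigger                    */
    bool     tripped;   /* output has changed state (latched in this model)     */
} wwdt_t;

static void wwdt_init(wwdt_t *w, uint32_t open_us, uint32_t close_us, uint32_t now_us)
{
    w->open_us = open_us;
    w->close_us = close_us;
    w->last_us = now_us;
    w->tripped = false;
}

/* Called when software services the timer. Unsigned subtraction keeps the
 * elapsed time correct when the 32-bit microsecond counter wraps. */
static void wwdt_trigger(wwdt_t *w, uint32_t now_us)
{
    uint32_t elapsed = now_us - w->last_us;

    if (w->tripped)
        return;                      /* a tripped timer ignores later triggers */
    if (elapsed < w->open_us || elapsed > w->close_us) {
        w->tripped = true;           /* too early (runaway) or too late (hang) */
        return;
    }
    w->last_us = now_us;
}

/* Timer-side check: if no trigger arrives at all, the window still closes. */
static void wwdt_poll(wwdt_t *w, uint32_t now_us)
{
    if (!w->tripped && (uint32_t)(now_us - w->last_us) > w->close_us)
        w->tripped = true;
}

/* The relay changes state when either section's WWDT has tripped. */
static bool wwdt_relay_tripped(const wwdt_t *processing, const wwdt_t *comms)
{
    return processing->tripped || comms->tripped;
}

/* Drive one WWDT with triggers at start_us + offsets[i], then poll once. */
static bool run_section(wwdt_t *w, uint32_t start_us, const uint32_t *offsets,
                        int n, uint32_t final_poll_offset)
{
    wwdt_init(w, 8000u, 12000u, start_us);
    for (int i = 0; i < n; i++)
        wwdt_trigger(w, start_us + offsets[i]);
    wwdt_poll(w, start_us + final_poll_offset);
    return w->tripped;
}

/* Constructed trigger schedules (microsecond offsets from the start time). */
static const uint32_t ON_TIME[]       = { 10000u, 20000u, 30000u };
static const uint32_t EARLY[]         = { 10000u, 13000u };
static const uint32_t ONE_THEN_HANG[] = { 10000u };

static bool demo_on_time(void) { wwdt_t w; return run_section(&w, 0u, ON_TIME, 3, 35000u); }
static bool demo_early(void)   { wwdt_t w; return run_section(&w, 0u, EARLY, 2, 15000u); }
static bool demo_late(void)    { wwdt_t w; return run_section(&w, 0u, ONE_THEN_HANG, 1, 22001u); }
static bool demo_wrap(void)    { wwdt_t w; return run_section(&w, 0xFFFFE000u, ON_TIME, 3, 35000u); }

/* Processing section healthy, communications section triggers early. */
static bool demo_relay(void)
{
    wwdt_t processing, comms;

    run_section(&processing, 0u, ON_TIME, 3, 35000u);
    run_section(&comms, 0u, EARLY, 2, 15000u);
    return wwdt_relay_tripped(&processing, &comms);
}

int main(void)
{
    printf("on-time triggers trip:        %d\n", demo_on_time());
    printf("early trigger trips:          %d\n", demo_early());
    printf("missing trigger trips:        %d\n", demo_late());
    printf("counter wrap causes trip:     %d\n", demo_wrap());
    printf("relay trips on comms section: %d\n", demo_relay());
    return 0;
}
```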
Memory Checking Functions
Memory check functions are performed both during system startup and continuously during operation. Once the system is running, the following memory check functions are continuously performed:
  o Domain cyclic redundancy check (CRC). The CRC checksums of all read-only domains in random access memory (RAM) are verified.
  o Test of system and user flash programmable read-only memory (FPROM). This test checks the CRC checksum of the system software in the system FPROM and the application in the user FPROM.
HSL Self-Diagnostics
HSL self-diagnostics are executed to detect physical layer failures and failures of the communication link to another PM646A processor module. The physical layer of the high-level data link control protocol is secured through a CRC. All detected errors are reported to the CPCS application program.
AF100 Bus Self-Diagnostics
The AF100 uses bus mastership to continuously monitor the status of the nodes on the bus. The AF100 communication interface, CI631, monitors the validity of received data sets. If no data has been received for four cycles or if the communication interface has failed, the database element for the data set will be flagged as failed. The control module programming monitors the database element flag and performs error processing.
Input/Output (I/O) Module and Communications Interface Module Self-Diagnostics
Self-diagnostics of the I/O and communication interface modules are executed by interrogating all modules for errors. The I/O module diagnostics are reported to the processor module base software diagnostics routine via a device status word.
CPCS Application-Specific Self-Diagnostics
The CPCS includes self-diagnostic capabilities in the CPCS application programs. These are described in Section 3.2.7 of the LTR. The application-specific alarms and annunciation are designed to periodically transmit the self-diagnostic information for the CPCS components and application software to the Maintenance and Test Panel (MTP) by AF100.
Waterford CPCS Self-Diagnostic Supervisory Functions
The Common Q platform includes means of detecting and reporting system faults that affect the self-diagnostic capabilities of the system. The licensee is implementing two types of self-diagnostic supervisory functions: (1) automatic functions that monitor performance of self-diagnostic features and (2) administrative actions taken by the licensee to ensure that self-diagnostic functions are operating.
The automatic self-diagnostic supervisory functions are confirmatory mechanisms in the Common Q platform that verify self-diagnostic functions operate as designed. Administrative actions to confirm operation of the CPCS self-diagnostic functions are described in Section 3 of the Enclosure to Reference 6. The licensee will perform operator rounds and system engineer activities to provide additional assurance that diagnostic faults are detected. When a system alarm is received, a procedure will direct the operator to dispatch a maintenance technician to determine the source of the alarm as needed. Walkdowns and operator rounds will be conducted to perform the following tasks:
- Checking the OMs for health status, alarms, and faults
- Checking the OM CPCS channel system event log
- Checking the OMs for failed sensor stack
- Checking main control room (MCR) annunciators
In addition, site engineers will perform periodic system health monitoring and generate system health reports per licensee procedures. The CPCS checks to be performed during these engineering activities are:
- Failure trending of subcomponents on CPC and CEAC circuit boards
- CPC system performance indicator trends
- Review of trend data for CEAs including RSPTs and RSPT power supplies
- Walkdowns of the CPC system
Documentation of these activities will be maintained in system notebooks.
In addition to actuating the division fault alarm, detected faults and system errors are logged in the CPCS processor memory and will be retrieved and evaluated according to the plant operating procedures. These records and their evaluations will also be used to identify and assess functionality of the self-diagnostics, detect adverse trends in the condition of the CPCS, and alert plant staff to take corrective actions when needed. The NRC staff determined that the CPCS self-diagnostic functions can be used to continuously monitor operability of CPCS components and alert the operator of detected failures. The NRC staff determined that these supervisory functions provide an adequate means of confirming the execution of the automatic tests during plant operation.
Evaluation of CPCS Self-Diagnostic Functions - Deterministic Performance
The NRC staff reviewed the self-diagnostic functions of the Common Q-based CPCS to determine if these functions execute in a deterministic manner. CPCS self-diagnostics are executed by the same Common Q components that perform the CPCS safety functions.
Therefore, deterministic performance of self-diagnostics is based on the same principles that are used to ensure deterministic performance of the CPCS safety functions. Section 3.3.6.3 of this safety evaluation provides the NRC's evaluation of CPCS deterministic behavior.
Keeping the central processing unit (CPU) load of the Common Q processors below its specified maximum levels provides assurance that the self-diagnostic functions will execute periodically at an acceptable frequency. If any of the CPCS self-diagnostic functions do not complete on time, then the CPCS application program will initiate a CPCS channel trouble alarm that is annunciated in the control room.
The NRC staff determined that the CPCS Common Q self-diagnostic functions execute deterministically and generate appropriate system responses to conditions resulting from a self-diagnostic function failing to execute or complete satisfactorily. The NRC staff also determined that self-diagnostic functions do not adversely affect the ability of the CPCS/CEAC system to perform its safety function, and they will not cause spurious actuations of the safety function.
Evaluation of Waterford TS SR Changes
Section B.7 of the LTR describes a method for determining if selected TS SRs can be eliminated. This method involves: (1) identifying system components that are tested by the manual SR tests, (2) identifying failure modes for those components, (3) mapping diagnostic functions to the failure modes identified, and (4) evaluating if system self-diagnostic functions provide an adequate means of identifying and responding to postulated component failures.
This method provides a means of establishing failure mode coverage by self-diagnostics that is equal to or greater than the failure mode coverage provided by performing manual surveillance testing.
A CPCS failure analysis was performed and a description of the results of this analysis was provided in Section 3.2.17 of the LTR. In addition, a failure modes, effects, and diagnostics analysis (FMEDA) was performed to demonstrate diagnostic coverage for postulated CPCS failure modes. The CPCS FMEDA is in Section B.6 of the LTR.
The NRC staff reviewed the FMEDA to confirm how self-diagnostic functions will respond to system failures and that identified self-diagnostic functions provide adequate coverage of postulated CPCS failure modes to support the elimination of selected SRs, as described in Section B.7.1 of the LTR. The FMEDA tables showed that not all CPCS components have diagnostic coverage. However, the NRC staff concluded that CPCS self-diagnostic functions were sufficient to address the components of the CPCS for which SRs are being eliminated.
Furthermore, for CPCS components that do not have self-diagnostic coverage, the NRC staff confirmed that SRs would be maintained.
The licensee proposed that the following SRs be eliminated for the planned CPCS replacement:
- the CHANNEL FUNCTIONAL TEST of the CPCS portion of SR 4.3.1.1
- 4.3.1.3 (the current time response SR exemption for neutron detectors would be expanded to include the CPCS and CEACs)
- 4.3.1.4 (CEA isolation amplifier isolation characteristic verification)
- 4.3.1.5 (CPCS and CEACS operability test)
- 4.3.1.6 (CPCS CHANNEL FUNCTIONAL TEST)
The licensee proposed that the following SRs be retained:
- 4.3.1.2 (logic bypass function CHANNEL CALIBRATION)
- 4.3.1.3 (reactor trip system response time test)
The following SR would be added to provide surveillance coverage for output components of the CPCS that CPCS self-diagnostics do not test. The NRC staff determined that this proposed new SR provides an acceptable means of verifying safety functionality for output components that are not covered by self-diagnostics:
- 4.3.1.7 (perform a test on the CPC DNBR/LPD trip output through the contact interface to the PPS)
Safety Conclusion for SR Changes
The NRC staff reviewed the licensee's analysis of system failure modes to confirm that system-specific self-diagnostics failure detection capabilities of the CPCS provide adequate coverage for failures that would otherwise be detected by SRs proposed to be eliminated. The NRC staff determined that Common Q platform and CPCS application-specific self-diagnostic functions provide an adequate means of providing continuous confirmation of CPCS system operability.
Therefore, the licensee can credit Common Q self-diagnostics functions as an acceptable alternative to performing periodic SRs 4.3.1.1 (i.e., the CHANNEL FUNCTIONAL TEST of the CPCS portion of the SR), 4.3.1.3 (i.e., the current time response SR exemption for neutron detectors would be expanded to include the CPCS and CEACs), 4.3.1.4, 4.3.1.5, and 4.3.1.6.
The NRC staff also determined that automatic functions that monitor performance of self-diagnostic features, and administrative actions taken by the licensee to ensure that self-diagnostic functions are operating, meet the criteria of BTP 7-17 for checking and monitoring the CPCS self-diagnostic functions during operation. Therefore, the NRC staff determined that the proposed changes meet Clauses 5.5, 5.7, and 6.5 of IEEE Std 603-1991, and that the associated guidance of IEEE Std 7-4.3.2-2003 is met.
3.2 UFSAR Chapter 15 Analysis
This section discusses the NRC staff's review of the adequacy of the impact estimate of the planned upgraded CPCS on the analysis of the UFSAR Chapter 15 events.
3.2.1 Impact of CPCS Trip Response Times on UFSAR Chapter 15 Events
The CPCS is part of the RPS and generates a reactor trip signal when the DNBR or the LPD approaches its specified limiting safety system settings. Certain UFSAR Chapter 15 events credit these trip signals to ensure that the safety limits for maintaining fuel integrity are not exceeded during AOOs. The planned CPCS upgrade would change the values of the CPCS trip response times, which could, in turn, affect the thermal margins to the safety limits of the DNBR and LPD. To determine the impact of the CPCS trip response time changes on the Chapter 15 analysis, the licensee calculated the trip response times of the updated CPCS for all the Chapter 15 events that credited CPCS trips in the Chapter 15 analysis. The licensee identified 11 events that would involve an increase in the values of the calculated response times that would result in a reduction in the thermal margins. For those 11 events, the licensee performed an impact estimate and presented the results in Table 3.2.6-1 of the LTR. The results show that for the applicable affected events, the corresponding transients would not violate the thermal safety limits, thus ensuring that the analysis for Chapter 15 events would continue to meet GDCs 10, 20, and 25.
The licensee discussed its impact estimate in Section 3.2.6 of the LTR and the response to RAI-07 (Reference 7, Enclosure 2). The impact estimate is based on the CEA rod drop time LAR approved in 2015 (Reference 49) that increased CEA rod drop time in the Chapter 15 analysis by an additional 200 milliseconds (ms) to account for a hold coil delay. The method used for estimating the impact on the thermal margin results takes the thermal margin reduction of the CEA rod drop 200-ms delay and then extrapolates it for the increase in CPCS response times. To support its impact estimate, the licensee provided the following two Westinghouse letters (proprietary) for the NRC staff to review:
- LTR-GIC-20-003, Revision 1, "Waterford 3 CPCS Response Time Information for FSAR [Final Safety Analysis Report] and Technical Specification," Westinghouse Electric Company LLC (Reference 4, Enclosure 1)
- LTR-TA-20-4, Revision 0, "Waterford Unit 3 Common Q Implementation - Non-LOCA Evaluation of Updated CPCS Response Times," Westinghouse Electric Company LLC (Reference 4, Enclosure 2)
LTR-GIC-20-003 documents the identification and justification for the CPCS response time values used in the thermal margin estimate for applicable UFSAR Chapter 15 events and LTR-TA-20-4 documents the thermal margin estimate.
As part of the normal fuel reload process, the licensee stated that it would perform the fuel reload safety analysis with the new calculated CPCS response times for Waterford Unit 3 and validate that the thermal acceptance criteria are met for the applicable events.
3.2.2 Conclusion for Impact of CPCS Trip Response Times on UFSAR Chapter 15 Events
The NRC staff has reviewed the reports referred to in Section 3.2.1 above and determined that:
(1) the UFSAR Chapter 15 events that would be affected by the trip response times of the planned updated CPCS were correctly identified; (2) the applicable increased values of the CPCS trip response times were used in the impact estimate; (3) a decrease in the thermal margins based on the increased values of the CPCS trip response times is small; and (4) the results meet the applicable acceptance criteria used in the existing Chapter 15 analysis.
Therefore, the NRC staff concludes that the impact estimate, in combination with the fuel reload safety analysis using the calculated CPCS response times during the normal fuel reload process, provides reasonable assurance that the applicable Chapter 15 events would continue to meet GDCs 10, 20, and 25 (insofar as they are related to the required limits for maintaining fuel integrity) and, therefore, it is acceptable.
3.3 System Architecture
3.3.1 Existing System Architecture
The existing CPCS is a four-channel system composed of four CPCs, one in each protection channel (i.e., channels A, B, C, and D), and two CEACs: CEAC 1 is mounted in channel B and CEAC 2 is mounted in channel C. The four CPCS channels are installed in the auxiliary protective cabinet (APC) located in the MCR and are physically separated and isolated from each other.
Each CEA position is measured by two redundant and independent RSPTs, RSPT 1 and RSPT 2. CEAC 1 reads RSPT 1 and CEAC 2 reads RSPT 2. Penalty factor outputs from each of these two CEAC channels are provided to all four CPC channels via one-way isolated data links. The existing CPCS architecture is depicted in Figure 3.1-1, "Existing CPC/CEAC Architecture Block Diagram," of the LTR.
The existing CPCS includes four safety-related OMs, one per CPC/CEAC channel, located in the MCR. The OM allows the operator to monitor all calculators and to change addressable constants for the CPC in that channel.
A CPCS channel is associated with each RPS channel and provides Low DNBR and LPD trip and pretrip signals and CEA withdrawal prohibit (CWP) outputs to its associated RPS channel.
The four redundant channels are designed to satisfy the single failure criterion. Each channel of the CPCS receives process analog signals from Thot and Tcold temperature, PPZR, excore neutron flux, and RCP speed. These parameters are used in the safety-related application software algorithms performed by the CPCS processors.
During CHANNEL FUNCTIONAL testing, the CPC channel trip outputs are bypassed at the PPS.
3.3.2 New System Architecture
The NRC staff reviewed the planned replacement CPCS architecture against the following clauses of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003:
- Clause 4, Safety System Designation, and its applicable subclauses
- Clause 5.3, Quality
- Clause 5.5, System Integrity
- Clause 5.8, Information Displays, and its applicable subclauses
- Clause 5.10, Repair
- Clause 5.11, Identification
- Clause 5.12, Auxiliary Features
- Clause 6.4, Derivation of System Inputs
- Clause 6.6, Operating Bypasses
- Clause 6.7, Maintenance Bypass
- Clause 6.8, Setpoints
The planned CPCS platform is the Common Q platform described in WCAP-16097-P-A, Revision 4, "Common Qualified Platform Topical Report" (Reference 50). Revision 4 of WCAP-16097-P-A was reviewed and approved by the NRC, as discussed in its letter dated February 28, 2020 (Reference 51). Combustion Engineering Nuclear Power (CENP), which Westinghouse later acquired, dedicated the Common Q platform (i.e., a commercial grade item) for use in accordance with its quality assurance program description topical report, CENPD-210-A, "Quality Assurance Program," Revision 7 (Reference 52). Section III.7, "Control of Purchased Items and Services," of CENPD-210-A, Revision 7, describes CENP's processes for dedicating commercial grade items. The NRC staff reviewed and approved CENPD-210-A, Revision 7, as discussed in Volume 2 of NUREG-1462, "Final Safety Evaluation Report Related to the Certification of the System 80+ Design" (Reference 53). The NRC staff also reviewed and approved CENPD-396, "Common Qualified Platform Topical Report," Revision 0 (Reference 54), as discussed in its letter dated August 11, 2000 (Reference 55). Section 11, "Commercial Grade Dedication," of CENPD-396 states that CENP used EPRI TR-106439 for the commercial grade dedication of the Common Q platform. The NRC staff reviewed and approved EPRI TR-106439 as an acceptable method for dedicating commercial grade digital equipment for use in nuclear power plant safety applications.
Like the existing CPCS, each replacement CPCS channel is associated with each RPS channel and provides Low DNBR and LPD trip and pretrip signals and CWP outputs to its associated RPS channel. The four redundant channels are designed to satisfy the single failure criterion.
Each channel of the replacement CPCS receives process analog signals from Thot and Tcold temperature, PPZR, excore neutron flux, and RCP speed. These parameters are used in the safety-related application software algorithms performed by the CPCS processors.
Like the existing CPCS, the replacement CPCS is comprised of four redundant channels (i.e., channels A, B, C, and D) that perform the necessary calculation, bistable, and maintenance functions. The system includes four redundant OMs, one per channel, located in the MCR. All four CPCS channels are located in the APC, as in the present design, where the channels are separated and electrically isolated from one another. The replacement CPCS differs from the existing design in that each channel within the APC also contains an MTP for routine testing.
As opposed to the existing CPCS, which contains a total of two CEACs, the replacement CPCS contains eight CEACs: CEAC 1 and 2 in each of the four CPC channels. Additionally, channel A and D isolation amplifiers are no longer needed and, thus, are not part of the new system. Nevertheless, the CEAC remains functionally the same. The new CPC and CEA instrumentation racks and the IRP will be physically located in the existing APC cabinet. Each CEAC receives the same CEA inputs as in the present design. However, penalty factor outputs from the CEACs are used only in the associated CPC channel. In the replacement system, the CEA position inputs will undergo analog-to-digital conversion in the channel of origin by means of redundant CEA position processors (CPPs), CPP 1 and CPP 2, in each CPC channel. The converted CEA position is then transmitted to the associated CEAC 1 and CEAC 2 processors in each CPC channel, which perform CEA deviation penalty factor calculations.
The implementation of the planned CPCS Common Q system is depicted in Figure 3.2-1, Common Q CPC/CEAC Architecture Block Diagram, of the LTR.
3.3.2.1 Common Q CPCS Hardware
The Common Q platform is a computer system consisting of a set of commercial grade hardware and previously developed software components dedicated and qualified for use in nuclear power plants. The Common Q platform was developed from the standard Advant Control (AC) 160 computer system developed by Asea Brown Boveri (ABB) Automation Products, GmbH of Europe. A significant portion of the planned CPCS hardware was approved by the Common Q platform topical report.
A. Each CPCS channel includes the following hardware:
- CPC Advant Controller 160 (AC160) controller chassis
- CEAC 1 AC160 controller chassis
- CEAC 2 AC160 controller chassis
- redundant AF100 intrachannel buses connecting the three AC160 controllers, the OM, and the MTP
- one-way HSLs
- IRP
- an MTP that houses a flat panel display (FPD)
- an OM that houses an FPD
- power supply assembly
B. The CPC AC160 controller chassis contains the following hardware modules:
- One PM646A primary CPC processor module. (( ))
- One PM646A CPC auxiliary processor (AUX CPC) module. The AUX CPC processor performs nonessential CPC functions, such as storing trip buffer reports and failed sensor stacks. This allows the primary CPC processor to perform its safety-related trip functions more efficiently. The AUX CPC processor is located in the AC160 controller slot adjacent to the CPC primary controller.
- One CI631 communications module. (( ))
- Two AI688 analog input (AI) modules. The two AI modules redundantly provide the AIs used by the CPC primary processor, except for target CEA positions, which are received over HSL from the CEAC AC160 controllers in the channel. Each of the redundant AI modules is capable of monitoring up to 16 inputs over the range of 0-10 volts direct current (Vdc). CPC AIs to each card include:
  o Thot 1 temperature (1-5 Vdc) - one input
  o Thot 2 temperature (1-5 Vdc) - one input
  o Tcold 1 temperature (1-5 Vdc) - one input
  o Tcold 2 temperature (1-5 Vdc) - one input
  o PPZR (1-5 Vdc) - one input
  o upper subchannel excore nuclear instrumentation input (0-10 Vdc) - one input
  o middle subchannel excore nuclear instrumentation input (0-10 Vdc) - one input
  o lower subchannel excore nuclear instrumentation input (0-10 Vdc) - one input
  o APC temperature - one input per AI module, not redundant. There are two separate temperature sensors monitoring APC temperature. Each of the AI cards in the CPC AC160 controller reads a separate sensor.
- One DI620 digital input (DI) module. The DI module provides the following DIs used by the CPC primary processor:
  o DNBR and LPD trip channel bypass status to the CPC channel from the PPS to enable CHANNEL FUNCTIONAL tests
  o bypass permissive status used to enable DNBR/LPD operating bypass
  o operating bypass inserted status (( ))
  o software load enable (SLE) switch status
  o power supply trouble in case of power supply failure (one per module) or power supply fan failure
- One DP620 pulse to frequency converter module, (( ))
One AO650 analog output (AO) module. The AO module provides the 0-10 Vdc AOs for the following:
o DNBR margin indication on the main control boards (MCBs) (DNBR MARGIN), scaled for 0 to 2 DNBR units
o kW/ft margin indication on the MCB (main control board) (LPD MARGIN), scaled for 0 to 25 kW/ft
o calibrated nuclear power indicator/recorder on the MCB (PHICAL), scaled for 0 to 200 percent rated thermal power
o core total flow - no indicator, used for startup testing (MASS FLOW), scaled for 0 to 2.0 fraction of rated flow
One DO625 digital output (DO) module. The DO module is used to provide trip and annunciator output contacts for the following:
o low DNBR trip
o low DNBR pretrip
o high LPD trip
o high LPD pretrip
o auxiliary pretrip alarm
o CWP
o CPC trouble
o CPC fail
o AUX CPC trouble
o CPC test
o CPC sensor fail
o CEAC 1 inoperable
o CEAC 2 inoperable
o high cabinet temperature
o operating bypass
The DOs operate interposing relays mounted on an IRP, which provides electrical isolation between the DO modules and the output signals. Section 3.3.5 of this safety evaluation discusses the IRP.
C.
The CEAC AC160 controller chassis contains the following hardware modules (for CEAC 1 and CEAC 2):
One PM646A CEAC processor module per CEAC. The CEAC processor module executes the CEAC algorithm and generates DNBR and LPD penalty factors in the event of detection of CEA deviations in a CEA subgroup. These penalty factors are transmitted over HSL to the CPC processor in the same channel. As in the existing implementation, the CPC application selects the higher penalty factor from CEAC 1 or CEAC 2.
((
))
One PM646A CPP module. The CPP reads the RSPT channel hardwired inputs, converts the voltage inputs into CEA position values, detects input channel failures, and transmits the CEA position values over the HSL to a PM646A module in a CEAC AC160 controller chassis in all four CPCS channels.
((
))
One CI631 communications module. ((
))
AI688 AI modules - two (channels A and D) or five (channels B or C).
The CPCS design allows for up to 24 CEA positions (5-10 Vdc) to be monitored in channels A and D, and up to 73 CEA position inputs (5-10 Vdc) to be monitored in channels B and C. Because of this, the CEAC 1 and CEAC 2 in channels A and D contain two AI modules, and the CEAC 1 and CEAC 2 in channels B and C contain five AI modules.
One DO module. The DO module provides the CEAC 1 and CEAC 2 trip and annunciator output contacts for the following alarm and annunciation (CEAC 1 shown):
o CEA deviation CEAC 1
o CEAC 1 fail
o CEAC 1 sensor fail
o CPP 1 trouble
o CEAC 1 trouble
o CEAC 1 test
The DOs operate interposing relays mounted on an IRP, which provides electrical isolation between the DO modules and the output signals.
D.
Each channel contains a power supply assembly.
A power supply assembly in each CPCS channel contains dual auctioneered processor power supplies for the AC160 processor equipment, dual auctioneered auxiliary power supplies for output relays, dual auctioneered RSPT power supplies for CEA position input information, and dual auctioneered power supplies for the HSL modems. This redundancy in the power supply modules provides bumpless transfer upon module failure.
These eight power supply modules receive alternating current (AC) power from the associated channel vital AC input power and contain features such as overvoltage, overcurrent, undervoltage, and overtemperature. A contact output monitored by the AC160 indicates a problem with the power supply. There is also a power supply cooling fan assembly that provides a contact opening on power supply fan failure. The power supply provides the following alarm inputs to the DI module: power supply fan failure and power supply failure (one per module).
E.
APC Multiplexer (APC MUX)
Each channel in the existing APC has two redundant APC MUX, which transmit the nonsafety-related fixed incore detector amplifier system signals to the plant computer.
The licensee is replacing the APC MUX, separate from the CPCS replacement project.
Because the APC MUX equipment resides in the safety-related APC, it needs to meet the requirements of RG 1.75. The NRC staff's evaluation of the environmental qualification of the CPCS equipment and the APC MUX is in Section 3.4 of this safety evaluation.
The NRC staff reviewed the planned CPCS replacement hardware and determined that it meets Clauses 4 (and its applicable subclauses), 5.3, 5.5, 5.8 (and its applicable subclauses), 5.10, 5.11, 5.12, 6.4, 6.6, and 6.7 of IEEE Std 603-1991, and the associated guidance of IEEE Std 7-4.3.2-2003.
3.3.2.2 Common Q CPCS Software
The Common Q system software consists of a real-time operating system, a task scheduler, diagnostic functions, communication interfaces, and user application programs, all of which reside on FPROM in the PM646A processor module. The application program and its control modules coexist with the system software programs such as the task scheduler, diagnostic routines, and communication interfaces in the processor module. The task scheduler schedules the execution of the application programs and periodic system software tasks based on predefined priorities. The processing section of the PM646 executes the safety-related application program and the communication section handles the serial communication with other safety channels.
The processing section of the PM646 module executes the safety algorithms. It has one process control program, which consists of several executable units called control modules.
Each control module has its own cycle time and execution conditions and is an operating system task. Based on predefined priorities, the processing section schedules all the tasks using the task scheduler in the system software and executes the tasks accordingly. The basic software components of the processing section are the following:
Task scheduler. The task scheduler schedules the application programs and periodic system tasks. It also performs diagnostic functions.
Application programs. The application programs are created by the application engineer for the application-specific implementation of the CPCS.
Service data program. The service data program services all communications on the AC160 subrack backplane. Examples of such communications are I/O module configuration and initialization, communication with the I/O modules, and communication with the AF100 bus (i.e., the communication link that connects the processor modules with the OM and MTP).
System diagnostics. The system diagnostics perform the following:
o check proper operation of the WWDT
o validate the RAM diagnostics
o monitor the status of the serial communications section
Background task. The background task is the last in the task sequence. It accomplishes the following diagnostics:
o performs a CRC of the system firmware in the FPROMs
o performs a CRC of all static domains in RAM
o performs a CRC of the user programs in FPROM
o checks parameter set of I/O modules
o configures I/O modules after they are replaced
Application Software
Creation of the application program uses the ABB master programming language control configuration software development environment which includes a function block library of process control elements. The application program consists of a process control part and a database part. The executable code for the standard set of logic blocks (i.e., process control elements) is part of the base software. In addition, custom process control elements can be created as an extension to the base software. The programmer references the process control element library to create the specific logic for the application.
The process control part of a user application program describes the control algorithm and the control strategy. It contains the process control elements, their interconnections, and connections to the database elements. A process control program can be divided into several executable units called control modules, each consisting of process control elements. Each executable unit can be given its own cycle time and its own execution conditions. Process control elements are the smallest building blocks in a process control program. The control module is made up of function calls to the process control element library which is stored on system FPROM.
Each processor has one process control program under which are executable control modules.
When this process control program is compiled into target code, each of its control modules becomes a task to be executed under the control of the operating system.
The I/O modules continuously scan and store values independent of control module execution.
When the control module executes, its first operation is to get the process input values over the backplane I/O bus from the I/O modules.
On processor initialization or restart, the application programs are reloaded from FPROM into RAM and then started. The application software consists of the CPCS safety-related algorithms and other application specific routines that run the Common Q system as a CPC.
Safety-Related Algorithms
The reference design SyRS, 00000-ICE-30158, Revision 14, System Requirements Specification for the Common Q Core Protection Calculator System (Reference 1, Enclosure, ), describes requirements for the major software components, design structure, information flow, processing steps and other aspects required to be implemented in order to satisfy the CPCS functional requirements that must be met for software development and V&V.
The safety-related algorithms are identical in functionality to the existing system and will be implemented using the C programming language. However, there will be significant enhancements to the human-machine interface and error detection and handling in the planned system. Implementation of the CPCS application software on the PLC-based Advant system entails overlaying the CPC application software on the Advant operating system software. The operating system will perform real-time operations to handle multiple events such as scheduling application programs, reading and writing files from and to the disk, and sending data across a network within fixed time constraints.
The safety-related application software for the CPCS consists of six programs, which work together to accomplish CPCS functionality:
((
))
Conclusion
The NRC staff reviewed the planned CPCS replacement software and determined that it meets Clauses 4 (and its applicable subclauses), 5.3, 5.5, 5.8 (and its applicable subclauses), 5.10, 5.11, 5.12, 6.4, 6.6, and 6.7 of IEEE Std 603-1991, and the associated guidance of IEEE Std 7-4.3.2-2003.
3.3.2.3 Setpoints and Channel Uncertainty
The NRC staff also reviewed the planned replacement CPCS against Clause 6.8, Setpoints, of IEEE Std 603-1991. The NRC staff considered the criteria of RG 1.105 in this evaluation.
There are no setpoint changes associated with the LAR. Although TS Section 2.2.1, Reactor Trip Setpoints, is affected by this change, the LAR states that none of the CPC-related setpoints are affected by the proposed changes.
The NRC staff noted that while existing analog sensors and transmitters will be retained, the planned modification will replace components of the existing CPCS that may affect the overall accuracy of the system.
The NRC staff observed that the AI card that performs the analog-to-digital conversion function could impact CPCS accuracy. The planned CPCS replacement will use the AI688 AI modules, which have been approved by the NRC as part of the Common Q platform (Reference 50). The NRC staff verified that AI688 AI cards are more accurate than the previous CPCS analog cards.
Therefore, the NRC staff determined that the CPCS setpoints would not be adversely impacted by the planned CPCS replacement. Additionally, the setpoints for the CPCS are not mode dependent. Thus, the NRC staff concludes that Clause 6.8 of IEEE Std 603-1991 remains satisfied for the planned CPCS replacement.
The licensee analyzed the uncertainty of the CPCS to be within the accuracy requirements of the CPCS SyRS. The processing uncertainties of the replacement CPCS would continue to be bounded (as was the case with the existing CPCS) by those used in the safety analysis. The TS Bases state, RPS/ESFAS Trip Setpoints values are determined by means of an explicit setpoint calculation analysis. A Total Loop Uncertainty is calculated for each RPS/ESFAS instrument channel.
In addressing channel uncertainty, the NRC staff reviewed the Waterford Unit 3-specific SyRS (Reference 2, Enclosure 1) for the CPCS and the uncertainty calculation as part of the regulatory audit (Reference 13). The uncertainties associated with the replacement CPCS are, therefore, incorporated into the TLU calculations for each of the process variable loops used in the system.
The NRC staff determined that because no setpoint changes were made, the CPCS will remain consistent with the criteria of RG 1.105. The NRC staff also determined that the licensee and Westinghouse have used an approved uncertainty methodology that confirms that the Common Q system processing uncertainty is within the limits of those provided in the UFSAR and, therefore, Clause 6.8 of IEEE Std 603-1991 is met.
3.3.3 Functional Allocation and New System Functions
The NRC staff reviewed the replacement CPCS design against Clause 5.2, Completion of Protective Action, of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003.
The design basis functions of the planned CPCS replacement would be the same as those in the existing system, except for adding new pretrip alarms for the auxiliary trips. The design basis functions and auxiliary trips are listed in UFSAR Section 7.2.1.1.1.4. CPC DNBR and LPD pretrip alarms initiate prior to the trip value to provide audible and visible indication of an approach to a trip condition.
The service and test functions would be different in the replacement system to accommodate the difference in hardware. These functions are described in Section 3.2.7 of the LTR.
The system response times account for the CPCS software, hardware, and interfaces, which are described in Section 3.3.2 of this safety evaluation. The NRC staff's evaluation of the CPCS trip response times' impact on the UFSAR Chapter 15 events is in Section 3.2 of this safety evaluation. The NRC staff's evaluation of the CPCS response times with regard to the system's deterministic performance is described in Section 3.3.6.3 of this safety evaluation.
The NRC staff's evaluation of the CPCS interfaces is in Section 3.3.5 of this safety evaluation.
A new CEA rate of change reset function would be added to correct an existing deficiency in the code. When monitoring CEA positions, the CEAC program performs a range check to verify the CEA position is within the CEA operating band and a rate of change check to verify CEA movement is reasonable. In the existing system, if the CEA position is detected outside the failed sensor setpoints, the CEA is considered failed, and its position is locked in place.
The failure may require a computer reboot to restore normal CEAC operation.
The replacement CPCS would correct this by allowing the operators to manually reset the CEA position in the CEAC to the current good position (as validated by redundant position RSPT/pulse counter indication) without rebooting the system processors. This function has no impact on the CPCS's ability to send DNBR and LPD trip signals to the PPS.
The NRC staff concludes that the licensee has adequately identified the functional allocation and the new system functions for the planned CPCS replacement and that these functions meet Clause 5.2 of IEEE Std 603-1991.
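The following C sketch is an added illustration of the range check, rate of change check, latched failure, and validated manual reset described above; it is not code from the licensee, Westinghouse, or the NRC. All names, units, setpoint values, and the agreement tolerance are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed limits for illustration only; the page gives no setpoint values. */
#define CEA_LO_FAIL_IN   0.0    /* assumed low failed-sensor setpoint (inches) */
#define CEA_HI_FAIL_IN   150.0  /* assumed high failed-sensor setpoint (inches) */
#define CEA_MAX_STEP_IN  2.0    /* assumed largest credible move per scan cycle */
#define CEA_RESET_TOL_IN 1.5    /* assumed agreement band required for a reset */

typedef enum { CEA_OK, CEA_FAIL_RANGE, CEA_FAIL_RATE, CEA_LOCKED } cea_status_t;

typedef struct {
    double position_in; /* last validated position, used by the calculation */
    bool   failed;      /* latched sensor-failed flag */
} cea_input_t;

static bool cea_in_range(double p)
{
    /* NaN compares false on both sides, so it is rejected as well. */
    return p >= CEA_LO_FAIL_IN && p <= CEA_HI_FAIL_IN;
}

static double cea_abs_diff(double a, double b)
{
    return a > b ? a - b : b - a;
}

/* One scan cycle: validate the raw reading and latch on the first failed check.
 * While latched, the position stays locked at the last good value. */
cea_status_t cea_update(cea_input_t *in, double raw_in)
{
    if (in->failed)
        return CEA_LOCKED;
    if (!cea_in_range(raw_in)) {
        in->failed = true;
        return CEA_FAIL_RANGE;
    }
    if (cea_abs_diff(raw_in, in->position_in) > CEA_MAX_STEP_IN) {
        in->failed = true;
        return CEA_FAIL_RATE;
    }
    in->position_in = raw_in;
    return CEA_OK;
}

/* Operator reset without a reboot: accepted only when the channel is latched,
 * both readings are in range, and the live reading agrees with the redundant
 * indication (assumed here to be a second position value in inches). */
bool cea_operator_reset(cea_input_t *in, double raw_in, double redundant_in)
{
    if (!in->failed)
        return false;
    if (!cea_in_range(raw_in) || !cea_in_range(redundant_in))
        return false;
    if (cea_abs_diff(raw_in, redundant_in) > CEA_RESET_TOL_IN)
        return false;
    in->position_in = raw_in;
    in->failed = false;
    return true;
}

typedef struct {
    cea_status_t first;        /* normal small move */
    cea_status_t jump;         /* implausible jump */
    cea_status_t while_locked; /* good sample arriving while latched */
    bool reset_mismatch;       /* reset attempt, indications disagree */
    bool reset_agree;          /* reset attempt, indications agree */
    cea_status_t after_reset;  /* first sample after a successful reset */
    double final_in;           /* position used downstream at the end */
} cea_demo_t;

/* Constructed sample sequence exercising every path. */
cea_demo_t cea_demo(void)
{
    cea_input_t in = { 100.0, false };
    cea_demo_t r;
    r.first          = cea_update(&in, 100.5);
    r.jump           = cea_update(&in, 120.0);  /* 19.5 in. in one cycle */
    r.while_locked   = cea_update(&in, 101.0);
    r.reset_mismatch = cea_operator_reset(&in, 101.0, 110.0);
    r.reset_agree    = cea_operator_reset(&in, 101.0, 101.4);
    r.after_reset    = cea_update(&in, 101.5);
    r.final_in       = in.position_in;
    return r;
}

int main(void)
{
    cea_demo_t r = cea_demo();
    printf("first=%d jump=%d locked=%d mismatch=%d agree=%d after=%d final=%.1f\n",
           r.first, r.jump, r.while_locked, r.reset_mismatch, r.reset_agree,
           r.after_reset, r.final_in);
    return 0;
}
```

The reset path re-applies the range check and requires agreement with the second indication, so a reset cannot be used to load an unvalidated position into the calculation.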
3.3.4 System Requirements Documentation
The licensee provided two CPCS SyRS documents: 00000-ICE-30158, which is the reference CPCS design SyRS; and WNA-DS-04517-CWTR3, which is the Waterford Unit 3 CPCS replacement SyRS. The reference CPCS design SyRS served as input to the Waterford Unit 3-specific CPCS SyRS. The Waterford Unit 3 CPCS replacement SyRS defines the differences in the system design from the Palo Verde CPCS replacement. For those requirements from 00000-ICE-30158 that are applicable to the Waterford Unit 3 CPCS without modification, WNA-DS-04517-CWTR3 states that these requirements shall be met without modification. For requirements that are modified, WNA-DS-04517-CWTR3 identifies the requirement within the corresponding section of 00000-ICE-30158 and the changes to the requirement. A unique identification number is also provided for each requirement that is modified.
Together, the two SyRS documents describe the hardware and software components, design structure, information flow, processing steps, and other aspects required to be implemented, and identify the system physical configuration on which the Waterford Unit 3 CPC and CEAC software will run. The SyRS documents also contain references to NRC regulations and industry standards that apply to the CPCS requirements and design.
Section D.2.3.3.1 of DI&C-ISG-06, Revision 2 describes the information that should be specified in a SyRS. The licensee provided a mapping in LTR Table 3.3.3-1 showing how the system requirements information identified in DI&C-ISG-06 is specified in 00000-ICE-30158 and WNA-DS-04517-CWTR3.
Based on its review of the Waterford Unit 3 CPCS replacement SyRS documents, the NRC staff finds that these documents adequately address the necessary system requirements information identified in DI&C-ISG-06. The NRC staff also finds that the Waterford Unit 3 CPCS replacement SyRS documents demonstrate how the CPCS design and architecture comply with the applicable clauses of IEEE Std 603-1991, as described in Section 3.7 of this safety evaluation.
3.3.5 System Interfaces
The NRC staff reviewed the planned CPCS replacement communication features against the following clauses of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003:
Clause 5.6, Independence
Clause 5.6.1, Between Redundant Portions of a Safety System
Clause 5.6.2, Between Safety Systems and Effects of Design Basis Event
Clause 5.6.3, Between Safety Systems and Other Systems
Clause 5.6.4, Detailed Criteria
Clause 8.1, Electrical Power Sources
Clause 8.3, Maintenance Bypass
The NRC staff's evaluation of the Common Q platform topical report (Reference 50) identified plant-specific action items (PSAIs) related to communication that must be addressed by an applicant when requesting NRC approval for installation of a safety-related system based on the Common Q platform. The NRC staff's evaluation of the PSAIs is in Section 3.6.2.2 of this safety evaluation.
The NRC staff also evaluated the CPCS communication interfaces against the data independence criteria of DI&C-ISG-04. The licensee provided a DI&C-ISG-04 compliance table in Section 3.2.16 of the LTR. Section 4.1.3.4 of the Common Q platform topical report safety evaluation contains the NRC staff's evaluation of the generic Common Q platform against the DI&C-ISG-04 criteria and concludes that the platform meets DI&C-ISG-04 Staff Position 1, Points 2, 4, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, and 18. Accordingly, the NRC staff concludes that the planned CPCS replacement also meets these points.
DI&C-ISG-04, Staff Position 1, Points 1, 3, and 10 are evaluated generically in Section 4.1.3.4 of the Common Q platform topical report safety evaluation and require an application-specific review. The NRC staff's evaluation of the LAR against DI&C-ISG-04, Staff Position 1, Points 1 and 3 is described in Sections 3.3.5.2 and 3.3.5.3 of this safety evaluation. The NRC staff's evaluation of the LAR against DI&C-ISG-04, Staff Position 1, Point 10 is described in Section 3.3.5.1 of this safety evaluation. Based on the evaluation in Sections 3.3.5.1, 3.3.5.2, and 3.3.5.3 of this safety evaluation, the NRC staff concludes that the planned CPCS replacement meets DI&C-ISG-04, Staff Position 1, Points 1, 3, and 10.
DI&C-ISG-04, Staff Position 1, Points 5, 19, and 20 address the system's ability to perform deterministically. These points are evaluated generically in Section 4.1.3.4 of the Common Q platform topical report safety evaluation and require an application-specific review of the system's deterministic performance. The NRC staff's evaluation of the planned CPCS replacement's deterministic performance as it relates to CPU loading and response times is described in Section 3.3.6.3 of this safety evaluation. Based on the evaluation in Section 3.3.6.3 of this safety evaluation, the NRC staff concludes that the planned CPCS replacement meets DI&C-ISG-04, Staff Position 1, Points 5, 19, and 20.
The NRC staff's evaluation of DI&C-ISG-04, Staff Position 1, Point 17 is in Section 4.1.3.4 of the Common Q platform topical report safety evaluation, and the staff determined that the qualification of the Common Q platform does not include the fiber optic cables used to connect the HSL fiber optic modems. This point is addressed in PSAI 20. The NRC staff's evaluation of PSAI 20 is in Section 3.6.2.2 of this safety evaluation, and the staff determined that the licensee has taken adequate actions to ensure that all plant-specific environmental qualification requirements for fiber optic cabling to be used in the CPCS are met. The NRC staff's evaluation of the environmental qualification of the CPCS equipment is described in Section 3.4 of this safety evaluation. Based on these evaluations, the NRC staff concludes that the planned CPCS replacement meets DI&C-ISG-04, Staff Position 1, Point 17 and complies with Clause 5.6.2 of IEEE Std 603-1991.
The NRC staff's evaluation of the CPCS physical and electrical independence characteristics is described in Section 3.3.6.2 of this safety evaluation. The planned CPCS replacement provides the following data communication interfaces:
Intrachannel communication between safety components
o HSL communication of penalty factors from each CEAC processor to the CPC processor module
o AF100 bus communication connecting the MTP, OM, and the CPC and CEACs to share data
o hardwired communication between each CPC and the PPS using interposing relays
Interchannel communication between CPCS channels
o HSL communication of CEA positions from each CPP to the CPPs in the other three channels
Communication between CPCS safety components and nonsafety equipment
o unidirectional communication from the MTP and OM to the plant monitoring computer, the CEA position display system (CEAPDS), and a printer
o hardwired communication between the CPC and the annunciator panel using interposing relays
o fiber optic time synchronization input to the MTP in each channel
3.3.5.1 Intrachannel Communication between Safety Components
A.
HSL Communication of Penalty Factors from Each CEAC Processor to the CPC Processor Module
In the planned CPCS replacement, the HSL serial communication is used to make a connection between the CPC processor module (PM646A) in a channel with the two CEAC processors (PM646A) in the same channel. This connection allows the CEAC processors to transmit the penalty factors for CEA deviations to the CPC processor module. An HSL connection is also used to transmit nonessential information from the CPC primary PM646A to the CPC auxiliary PM646A in the same controller chassis. The NRC staff's evaluation of the HSL serial communication is in Section 4.1.3.2 of the Common Q platform topical report safety evaluation, which found it to be acceptable.
B.
AF100 Bus Communication Connecting the MTP, OM, and the CPC and CEACs to Share Data
Each CPCS channel has a redundant AF100 bus that provides intrachannel communication among the CPC and CEAC processors and the MTP and OM HSIs. The MTPs (one per channel) are primarily used for the service and test functions and are located in the APC along with the AC160 controllers. The OMs (one per channel) are the primary HSI for the control room operator and replicate many of the functions of the existing CPCS OM. Within each channel, a fiber optic interface is used to connect the OM, which is located outside of the APC, to the AF100 bus. Section 3.2.10 of the LTR further describes the connections to HSIs.
The four CPC OMs and MTPs are based on the flat panel display system (FPDS), which consists of a liquid crystal display and a single board computer. The single board computer components include an embedded computer, I/O interface, and an Ethernet output. The MTP can replicate OM functionality but will primarily be used as a service data link to the plant computer, allow technicians to assess CPCS status to aid in corrective maintenance, perform surveillance testing, and allow the download of software. The OMs and MTPs are designed as safety-related equipment. The system is designed such that loss, failure, or other events originating from the OMs or MTPs will not adversely affect the safety functions of the CPCS.
The MTP uses an SLE switch to permit the download of software. ((
)) The MTPs and OMs also have a function enable switch that allows operators to change addressable constants.
The NRC staff's evaluation of the AF100 bus for intradivision communications within multidivision systems is described in Section 4.1.3.1 of the Common Q platform topical report safety evaluation. The Common Q platform topical report safety evaluation concluded that, because the AF100 bus does not possess the capability to interfere with the performance of the system's safety function by the AC160 safety processor, the AF100 communication system satisfies Section 5.6, Independence, of IEEE Std 7-4.3.2-2003.
DI&C-ISG-04, Position 1, Point 10 states that safety division software should be protected from alteration while the safety division is in operation. In addition, PSAI 18 requires administrative controls to ensure that changes to setpoints are only performed while the system is not being relied upon to perform its safety functions, and PSAI 19 requires a physical means to be provided for disconnecting the serial communications link between the MTP and the PM646A.
Section 6.2.2.18 of the LTR addresses PSAIs 18 and 19. The NRC staff's evaluation of PSAIs 18 and 19 is provided in Section 3.6.2.2 of this safety evaluation. In its evaluation of PSAI 18, the NRC staff finds that the administrative controls will adequately ensure that changes to CPCS setpoints can only be performed while the system is not being relied upon to perform its safety functions. In its evaluation of PSAI 19, the NRC staff finds that the licensee's alternate method of disconnecting the serial link to the AC160 controllers using the processor select switch in conjunction with the SLE switch is an acceptable means of ensuring that the programming communication link between the MTP and the CPCS processor modules is disabled during system operation. Therefore, the NRC staff concludes that the planned CPCS replacement design meets DI&C-ISG-04, Staff Position 1, Point 10.
C.
Hardwired Communication Between Each CPC and the PPS Using Interposing Relays
As described in Sections 3.2.11 and 3.5.2 of the LTR, the only external connection between the CPCS and other safety-related systems is to the PPS. Each CPC channel interfaces with the PPS through an IRP, which contains interposing relays. The IRPs are located in the APC. As described in Section 3.2.8.1 of the LTR, the interposing relays provide the electrical interface between the CPCS channel and the PPS. All DO contact signals are routed through the interposing relays to provide Low DNBR and High LPD trip outputs. Based on this, the NRC staff finds that the intrachannel communications between the CPCS safety components and between the CPCS and the PPS are acceptable.
3.3.5.2 Interchannel Communication Between CPCS Channels
HSL Communication of CEA Positions from Each CPP to the CPPs in the Other Three Channels
DI&C-ISG-04 states that digital instrumentation communication interfaces between independent safety channels should meet the same criteria as established for communication interfaces between nonsafety and safety equipment. DI&C-ISG-04, Staff Position 1, Point 1 states that a safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. DI&C-ISG-04, Staff Position 1, Point 3 states that a safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function.
The only communication that exists between channels in the new system is the one-way fiber optically connected HSL links that transmit CEA positions from the CPPs to the CEACs in the other channels. As described in Section 3.3.2 of this safety evaluation, the replacement CPCS configuration is composed of four CPCs (one per CPCS channel) and two CEACs per channel (CEAC 1 and CEAC 2), for a total of eight CEACs. CEAC 1 in each CPCS channel calculates the CEA position penalty factor using the RSPT 1 signals, and CEAC 2 in each CPCS channel calculates the CEA position penalty factor using the RSPT 2 signals. The planned CPCS replacement transmits CEA position data from each channel's CPP 1 and CPP 2 via HSL across channels to the other three channels of the CPCS.
Section 3.2.16 of the LTR states that although the CEAC is using data from other divisions to perform a calculation, the CPC is not dependent on that data to complete the CPC safety function to calculate the Low DNBR and High LPD trips. The processing section of the PM646A executes the safety application, whereas the separate communication section of the PM646A handles the exchange of data with other divisions. The processing section does not wait for the communication section to accomplish its communication function. The CEA position data coming in from other CPCS channels only supports the receiving CPCS channel's safety function by performing the DNBR and LPD calculations in a more conservative direction should there be CEA position deviations. Based on this, the NRC staff finds that the planned CPCS replacement design meets DI&C-ISG-04, Staff Position 1, Points 1 and 3.
The NRC staff's evaluation of the HSL serial communication is described in Section 4.1.3.2 of the Common Q platform topical report safety evaluation. The NRC staff concluded that the HSL communications meet Section 5.6 of IEEE Std 7-4.3.2-2003 for communication independence, because: (1) the HSL is configured such that it sends and receives only unidirectional time-based data across multiple divisions of a system; (2) the transmitted data is optically isolated (and, therefore, electrically isolated) before being transmitted to other channels; and (3) the HSL transmits both the true and a binary inverse signal to its receiver, thus allowing the verification of the originating signal from the initiating HSL.
Based on the above, the NRC staff concludes that the planned CPCS replacement meets Clause 5.6.1 of IEEE Std 603-1991 for independence between redundant portions of a safety system.
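As an added illustration (not the HSL implementation and not code from the Common Q platform), the following C sketch shows how a receiver can verify data sent as a true copy plus its binary inverse, and which faults that comparison does and does not catch. The frame layout, payload length, and all names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HSL_PAYLOAD_LEN 4 /* assumed; the real HSL frame layout is not on the page */

typedef struct {
    uint8_t true_copy[HSL_PAYLOAD_LEN];
    uint8_t inverse_copy[HSL_PAYLOAD_LEN];
} hsl_frame_t;

typedef enum { HSL_REJECTED, HSL_ACCEPTED_INTACT, HSL_ACCEPTED_CORRUPT } hsl_result_t;

/* Sender: transmit the data and its bitwise complement. */
void hsl_encode(const uint8_t payload[HSL_PAYLOAD_LEN], hsl_frame_t *f)
{
    for (size_t i = 0; i < HSL_PAYLOAD_LEN; i++) {
        f->true_copy[i] = payload[i];
        f->inverse_copy[i] = (uint8_t)~payload[i];
    }
}

/* Receiver: every bit of the true copy must differ from the inverse copy.
 * The payload is written out only when the whole frame verifies. */
bool hsl_decode(const hsl_frame_t *f, uint8_t payload_out[HSL_PAYLOAD_LEN])
{
    for (size_t i = 0; i < HSL_PAYLOAD_LEN; i++) {
        if ((uint8_t)(f->true_copy[i] ^ f->inverse_copy[i]) != 0xFF)
            return false;
    }
    memcpy(payload_out, f->true_copy, HSL_PAYLOAD_LEN);
    return true;
}

/* Constructed sample payload. */
static const uint8_t HSL_SAMPLE[HSL_PAYLOAD_LEN] = { 0x12, 0x34, 0xA5, 0x00 };

/* Encode the sample, XOR a fault mask into byte 0 of each copy to simulate
 * bit upsets in transit, then decode and classify the outcome. */
hsl_result_t hsl_receive_with_fault(uint8_t true_mask, uint8_t inverse_mask)
{
    hsl_frame_t f;
    uint8_t out[HSL_PAYLOAD_LEN];

    hsl_encode(HSL_SAMPLE, &f);
    f.true_copy[0] ^= true_mask;
    f.inverse_copy[0] ^= inverse_mask;

    if (!hsl_decode(&f, out))
        return HSL_REJECTED;
    return memcmp(out, HSL_SAMPLE, HSL_PAYLOAD_LEN) == 0
               ? HSL_ACCEPTED_INTACT
               : HSL_ACCEPTED_CORRUPT;
}

/* A dead or stuck link that reads the same level on both copies. */
bool hsl_accepts_constant_line(uint8_t level)
{
    hsl_frame_t f;
    uint8_t out[HSL_PAYLOAD_LEN];

    memset(&f, level, sizeof f);
    return hsl_decode(&f, out);
}

int main(void)
{
    printf("clean frame:            %d\n", hsl_receive_with_fault(0x00, 0x00));
    printf("bit flip, true copy:    %d\n", hsl_receive_with_fault(0x04, 0x00));
    printf("bit flip, inverse copy: %d\n", hsl_receive_with_fault(0x00, 0x80));
    /* Same bit upset in both copies: a limit of any true/complement comparison. */
    printf("identical upset, both:  %d\n", hsl_receive_with_fault(0x04, 0x04));
    printf("stuck low accepted:     %d\n", hsl_accepts_constant_line(0x00));
    printf("stuck high accepted:    %d\n", hsl_accepts_constant_line(0xFF));
    return 0;
}
```

The comparison catches independent bit errors and stuck lines; an identical upset in both copies passes it, so the check addresses random transmission faults rather than common-mode ones.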
3.3.5.3 Communication Between CPCS Safety Components and Nonsafety Equipment
A.
Unidirectional Communication from the MTP and OM to the Plant Monitoring Computer, the CEAPDS, and a Printer
Sections 3.2.8 and 3.2.12 of the LTR describe the CPCS interfaces to the nonsafety-related plant monitoring computer, CEAPDS, and a printer to support the print screen function. The OM and MTP provide the safety to nonsafety communication via a unidirectional fiber optically isolated Ethernet data link out of the CPCS channel. The unidirectional fiber optic communication provides electrical isolation and prevents any data transmission from being received by the CPCS channel.
The CEAPDS is located in the control room and provides essentially the same information as the existing system but has enhanced human-machine interface and functionality. The CEAPDS uses similar FPD technology as the OMs and MTPs and receives CEA position information from the CPCS through an Ethernet connection. The print screen function allows the operator or technician to capture any screen displayed on the OM or MTP for printing external to the CPCS.
The NRC staff concludes that these unidirectional communication interfaces to nonsafety equipment do not prevent the CPCS from performing its safety function and, therefore, are acceptable.
B. Hardwired Communication Between the CPC and the Annunciator Panel Using Interposing Relays
The CPCS also provides hardwired outputs to the plant annunciator system using interposing relays. As described in Section 3.2.8.1 of the LTR, the IRP relay provides electrical isolation to the nonsafety annunciator system. Therefore, the NRC staff concludes that this is acceptable.
C. Fiber Optic Time Synchronization Input to the MTP in Each Channel
The only external communication coming into the CPCS is the inter-range instrumentation group (IRIG) time synchronization input to the MTP in each channel.
DI&C-ISG-04, Staff Position 1, Point 1 states that a safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. As described in Sections 3.2.16 and 3.5.7 of the LTR, the purpose of IRIG time synchronization input is to align the real-time clock (RTC) in each of the four MTPs for such functions as the print screen function, trip buffer report, and failed sensor stack. Each MTP has an IRIG-B card which receives this time synchronization input ((
)) The AC160 processors do not use the RTC for scheduling the programs that perform the CPC safety functions. Therefore, an error in the RTC or a failure of the IRIG-B card does not adversely impact the safety functions operating in the CPCs or CEACs. Based on this, the NRC staff concludes that the planned CPCS replacement design meets DI&C-ISG-04, Staff Position 1, Point 1.
DI&C-ISG-04, Staff Position 1, Point 3 states that a safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Point 3 notes that receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Although the time synchronization input to the MTP does not support or enhance the safety function, it does not affect the CPCS's ability to perform its safety function. Based on this, although the planned CPCS replacement design does not meet the guidance criterion of DI&C-ISG-04, Staff Position 1, Point 3, the NRC staff concludes that the regulatory requirements for independence of the safety system are met and, therefore, that the time synchronization function design is acceptable.
The NRC staff determined that communication interfaces between the CPCS channel and nonsafety-related equipment do not adversely affect the ability of the Waterford Unit 3 CPCS to perform required safety functions. Therefore, the NRC staff concludes that the planned CPCS replacement meets Clause 5.6.3 of IEEE Std 603-1991.
3.3.5.4 Interfaces with Power Sources
Section 3.5.8 of the LTR describes the planned CPCS replacement's interfaces with power sources. The planned CPCS replacement will continue to use the vital electric power sources used by the existing CPCS. Therefore, the NRC staff concludes that the planned CPCS replacement meets Clauses 8.1 and 8.3 of IEEE Std 603-1991.
3.3.6 Fundamental Design Principles
3.3.6.1 Redundancy
The NRC staff reviewed the replacement CPCS architecture against Clause 5.1, "Single-Failure Criterion," and Clause 5.15, "Reliability," of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003. For the single failure criterion, the NRC staff evaluated whether the use and application of redundancy in the new architecture conforms to the guidance in RG 1.53, which endorses IEEE Std 379-2000. The NRC staff also evaluated whether the use and application of redundancy in the replacement CPCS architecture meets GDCs 21 and 24.
The replacement CPCS maintains the existing CPCS redundancy by providing four independent CPC channels that calculate and initiate trips for Low DNBR and High LPD. Each CEA position is measured by two redundant and independent RSPTs associated with each CEA. The planned CPCS replacement increases the redundancy of the CEACs by incorporating two CEACs in each channel instead of the existing two CEACs for the entire CPCS. Each CPCS channel contains a CEAC 1 using RSPT 1 inputs from all CEAs and a CEAC 2 using RSPT 2 inputs from all CEAs. Additionally, each channel contains redundant AF100 bus communications, and each CPC contains redundant AI modules to read process inputs (except for the RCP speed, which is read by the DP620 module, and the target CEA positions, which are read by the CEAC AI modules). These changes to the planned CPCS replacement design improve the availability of the system and ensure that a single failure in any one channel will not prevent the protective action of the other channels or inhibit the operation of the PPS. Each channel in the APC also includes two redundant APC MUX, which transmit the nonsafety-related fixed incore detector amplifier system's signals to the plant computer.
The licensee provided a failure modes and effects analysis (FMEA) as an attachment to the LAR. The FMEA only considers hardware equipment failures and assumes that one of the four CPCS channels is permanently bypassed, resulting in a two-out-of-three PPS logic. The CPCS software hazards analysis (SHA) identifies the software hazards and their mitigation or elimination. The NRC staff audited the SHA (Reference 13) and found that the software failures have been adequately identified and addressed. The CPC Replacement Project Vendor Oversight Plan (VOP) Summary, Revision 2 (hereafter referred to as the VOP Summary) (Reference 7, Attachment 2 to Enclosure 1), states that the licensee will verify that documentation exists to show that no new hazards have been introduced; that the software or logic requirements, design elements, and code elements that can affect safety have been identified; and that all other software or logic requirements, design, and code elements will not adversely affect safety. The NRC staff's evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation.
The CPCS is designed for fail-safe operation under component failure or loss of electrical power. A loss of 120 volts alternating current (Vac) power to a CPCS channel will cause the channel safety outputs to assume their trip or initiation state (i.e., all DO contacts shall open, de-energizing the interposing relays). A CPC processor stall or processor halt will result in loss of its heartbeat signal output to a watchdog timer which will force the CPC trip signals to their fail-safe (trip) states. Failure of the CEAC processor or associated CEAC-to-CPC HSL is transmitted to the CPC processor as a failed CEAC.
Based on the above, the NRC staff finds that no single failure associated with the planned CPCS replacement will defeat more than one of the four protective channels, and that the planned system upgrade will respond to input failures in a manner similar to the existing CPCS that the licensee plans to replace. Furthermore, the review of the CPCS FMEA confirms that a single component level failure in the Common Q system does not prevent the CPCS from performing its safety function. Therefore, the NRC staff concludes that the planned CPCS replacement meets Clauses 5.1 and 5.15 of IEEE Std 603-1991, the associated guidance of IEEE Std 7-4.3.2-2003, and GDCs 21 and 24.
3.3.6.2 Independence
The NRC staff reviewed the replacement CPCS design independence against Clauses 5.6, "Independence," 5.11, "Identification," and 6.3, "Interaction between the Sense and Command Features and Other Systems," of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003. The NRC staff also evaluated whether the independence in the replacement CPCS design meets GDCs 13, 21, 22, 23, and 24.
Section 3.6.2 of the LTR describes the independence characteristics of the planned CPCS replacement. Each CPCS channel maintains physical, electrical, functional, and data communication independence from the other CPCS channels.
The planned CPCS replacement would perform the same safety functions as the existing CPCS (i.e., calculate and send trip signals to the PPS for Low DNBR and High LPD). Section 3.3.6.4 of this safety evaluation describes the functional diversity of the PPS for the UFSAR Chapter 15 events that credit the CPCS safety functions.
The planned CPCS replacement would maintain the same physical and electrical isolation from plant control systems as the existing CPCS. As described in Section 3.4 of this safety evaluation, the planned CPCS replacement components have been qualified to demonstrate that they will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. The CPCS components that perform the safety function are located inside the APC. The only nonsafety-related equipment inside the APC is the APC MUX.
As described in Section 3.4 of this safety evaluation, the APC MUX was qualified to ensure that it does not affect the safety-related CPCS.
The NRC staff concluded in Section 5 of the Common Q platform topical report safety evaluation that the Common Q system conforms to the guidelines in RG 1.75 for protection system independence for Common Q installed items, and that implementing the Common Q will not adversely affect a plant's existing compliance with RG 1.75.
Section 3.3.5 of this safety evaluation describes data communication independence.
Communication between channels is implemented using one-way fiber optically connected HSL links that transmit CEA positions from the CPPs to the CEACs in the other channels. The fiber-optic cables provide electrical isolation and independence. The only external communication coming to the CPCS is from the fiber-optically isolated nonsafety-related IRIG time synchronization data link. The CPC's ability to perform the safety function is not dependent on or affected by this time synchronization input and, therefore, is functionally and electrically independent.
Based on the above, the NRC staff concludes that the planned CPCS replacement meets Clauses 5.6, 5.11, and 6.3 of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003, with regard to physical, electrical, functional, and data communications independence, and meets the requirements of GDCs 13, 21, 22, 23, and 24.
3.3.6.3 Deterministic Behavior
The NRC staff reviewed the replacement CPCS design against Clauses 5.2, "Completion of Protective Action," 5.5, "System Integrity," and 6.1, "Automatic Control," of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003. The NRC staff also evaluated whether the use and application of deterministic behavior in the replacement CPCS design meets GDCs 13, 21, 23, and 29.
The deterministic performance of the Common Q platform is described in Section 5.3.1 of the Common Q platform topical report. The NRC staff's evaluation of the Common Q platform's deterministic performance is found in Section 4.1.1.6 of the NRC's safety evaluation for Revision 4 of the Common Q platform topical report. In that safety evaluation, the NRC staff concluded that the design features, the operation of the AC160 PLC system, and Westinghouse's commitments[2] to perform timing analyses and tests provide sufficient confidence that the AC160 will operate deterministically to meet the recommendations in BTP 7-21 and, therefore, that it is acceptable in that regard.
The NRC staff evaluated whether the following planned CPCS replacement design features ensure the deterministic behavior of the replacement system:
- CPU load limit
- response time
- watchdog timer
- self-diagnostics
- communication outputs
A. CPU Load Limit
The Common Q platform topical report specifies the maximum CPU load required for the application program to execute deterministically and preserve the application program response time. For the planned CPCS replacement CPUs, the licensee specified, in Section 3.2.7.2.7 of the LTR, a maximum CPU load limit when specific conditions are met and described the CPU load limit tests that the manufacturer (ABB) performed.
The NRC staff audited the SyRS Reference 1.4.2.12, AN03007SP, AC160 CPU Loading Restrictions, dated March 26, 2003, which describes the basis, loading criteria, analysis, and tests to demonstrate predictable and repeatable operation of CPCS when the CPU loading differs from the Common Q platform topical report maximum CPU load limit but does not exceed the maximum CPU load limit specified in Section 3.2.7.2.7 of the LTR. The manufacturer (ABB) identified design restrictions to ensure the deterministic behavior of the system at the maximum CPU load limit specified in Section 3.2.7.2.7 of the LTR. The licensee addressed these restrictions in Section 3.2.7.2.7 of the LTR. The NRC staff's review determined that the licensee has addressed each of the design restrictions and that the CPCS design meets such restrictions.
The PM646A CPU load is monitored by the self-diagnostics, and a trouble alarm will annunciate if the load exceeds the maximum CPU load limit specified in Section 3.2.7.2.7 of the LTR.
The NRC staff's review determined that Section 2.5.4 of the reference design SyRS (Reference 1, Enclosure, Attachment 7) describes the requirements for the maximum CPU load limit specified in Section 3.2.7.2.7 of the LTR, including meeting the manufacturer restrictions, and performing verification tests.
[2] This use of the term "commitments" is not the same as that for a regulatory commitment as discussed in NRC's Office Instruction LIC-105, Revision 7, Managing Regulatory Commitments Made by Licensees to the NRC, August 22, 2016 (Reference 56).
Section 2.2.1.5.2.2 of the reference design SyRS describes the system load limit alarm requirements. The VOP Summary identifies that the licensee will confirm that the CPU maximum load restrictions are implemented and meet the SyRS. Section 3 of the VOP Summary describes the licensee's oversight activities related to requirements traceability. The NRC staff audited the VOP and confirmed that requirements traceability is part of the software V&V acceptance criteria. The NRC staff's review of the VOP Summary is in Section 3.5.6 of this safety evaluation.
The NRC staff concludes that, because the planned CPCS replacement requirements address the manufacturer's design restrictions, and the licensee will audit the requirements traceability matrix (RTM) to verify that the restrictions have been implemented and the required tests have been performed, the system's deterministic behavior is maintained for the maximum CPU load limit specified in Section 3.2.7.2.7 of the LTR.
B. Response Time
The licensee submitted WNA-CN-00572-CWTR3, Core Protection Calculator System Response Time Calculation (Reference 4, Enclosure 3), which provides the response time calculation for the CPCS. Section 3.2.2 of this safety evaluation discusses the impact of the CPCS trip response times on the UFSAR Chapter 15 events.
The licensee submitted LTR-GIC-20-003, Waterford 3 CPCS Response Time Information for FSAR and Technical Specification (Reference 4, Enclosure 1), which describes the adequacy of the new response time requirements. LTR-GIC-20-003 identifies the response times for the planned CPCS replacement (excluding the sensor, PPS, and reactor trip switchgear response times), and the total calculated response times for the CPCS (including the sensor, PPS, and reactor trip switchgear response times).
The response time values that will be used in the Waterford Unit 3 safety analysis criteria are identified in LTR-GIC-20-003. These response time values are the higher value between the total calculated response times for the planned CPCS replacement, and the safety analysis response times for the existing CPCS. Therefore, the NRC staff determined that the calculated planned CPCS replacement response times are bounded by the response time values used for the safety analysis.
The CPCS response time requirements are captured in Table 2.4.1.3-1, CPCS Response Times, of the Waterford Unit 3 CPCS SyRS (Reference 2, Enclosure 1). In response to RAI-07.d (Reference 7, Enclosure 2), the licensee stated that the response time values specified in Table 2.4.1.3-1 are the acceptance criteria for RTT performed during the CPCS FAT. Section 7, Software Test Plan, of the Common Q SPM (Reference 48), describes the methodology for RTT. The VOP Summary states that the licensee will confirm that the response time and throughput for the system meet the SyRSs. The NRC staff audited the VOP and confirmed that requirements traceability is part of the software V&V acceptance criteria.
The NRC staff's review of the VOP Summary is in Section 3.5.6 of this safety evaluation.
Based on the calculated planned CPCS replacement response time performance and plans to perform RTT during FAT, the NRC staff concludes that the planned CPCS replacement meets the response time requirements and that these response time requirements satisfy the CPCS safety analysis.
C. Watchdog Timer and Self-Diagnostics
The AC160 watchdog timer is described in Sections 5.2.1.3 and 5.4.5 of the Common Q platform topical report. The Common Q self-testing features are described in Section 5.2.1 of the Common Q platform topical report. The NRC staff's description of the planned CPCS replacement AC160 watchdog timers and the deterministic behavior of the planned CPCS replacement self-testing features are described in Section 3.1.16 of this safety evaluation.
Based on this, the NRC staff determined that the CPCS Common Q self-diagnostic functions execute deterministically and generate appropriate system responses to conditions resulting from a self-diagnostic function failing to execute or complete satisfactorily.
D. Communication Outputs
The NRC staff's evaluation of the planned CPCS replacement communication interfaces is described in Section 3.3.5 of this safety evaluation and concludes that the CPCS interfaces between channels, and with nonsafety-related equipment, do not adversely affect the system's ability to perform required safety functions.
E. Conclusion
The NRC staff reviewed the design features of the planned CPCS replacement that ensure deterministic performance of the system and determined that they meet Clauses 5.2, 5.5, and 6.1 of IEEE Std 603-1991, the associated guidance of IEEE Std 7-4.3.2-2003, and GDCs 13, 21, 23, and 29. Therefore, the NRC staff concludes that the planned CPCS replacement meets the criteria for deterministic behavior and predictable performance and, thus, is acceptable.
3.3.6.4 Defense-in-Depth and Diversity
The NRC staff reviewed the replacement CPCS design against GDCs 13, 22, and 24.
The NRC staff considered failure of the CPCS to perform its normal function. Backup trips and normal shutdown mechanisms were reviewed to assess the depth of protection provided. The NRC staff also evaluated whether the use and application of defense-in-depth and diversity in the replacement CPCS architecture conforms to the guidance in BTP 7-19 and whether it meets the requirements of 10 CFR 50.62.
The CPCS provides the reactor trip signals to the PPS on Low DNBR and High LPD. Both the existing CPCS and the planned CPCS replacement are based on a four-channel digital system.
Therefore, the planned CPCS replacement is a digital-to-digital upgrade. As described in Section 3.3.3 of this safety evaluation, the planned CPCS replacement performs the same safety functions as the existing system.
In response to RAI-01 (Reference 7, Enclosure 2), the licensee stated that the events listed in LTR-TA-19-154, Waterford 3 Core Protection Calculator System Safety Function Table, are those UFSAR Chapter 15 events that credit the CPCS trips. To support the evaluation of how the planned CPCS replacement meets the defense-in-depth and diversity criteria, the licensee provided LTR-TA-21-17, Waterford 3 CPCS Safety Function Table - PPS Backup Trips (Reference 5, Enclosure). LTR-TA-21-17 identifies the backup safety-related analog trips for each of the Chapter 15 events that credit the CPCS. The existing PPS is an analog system and, therefore, diverse from the digital Common Q CPCS. The NRC staff audited LTR-TA-19-154 and reviewed LTR-TA-21-17 and confirmed that the Chapter 15 events that credit the CPC trip signals have a backup safety-related analog trip. The PPS backup safety-related analog trips are not affected by the planned CPCS replacement modification, and they remain diverse from the replacement digital system.
The NRC staff's evaluation of the planned CPCS replacement against the BTP 7-19 acceptance criteria is summarized below:
- The diverse safety-related analog backup trips identified in LTR-TA-21-17 for each of the events that credit the CPCS sufficiently address the performance measures specified in Criteria 1 and 2 and preclude the need for further analytical assessment.
- Criteria 3 and 4 are not applicable because the CPCS is not used for plant automatic control and cannot cause a plant condition that requires an ESF actuation. Furthermore, neither the existing CPCS nor the replacement CPCS perform ESF functions or interface with the ESFAS.
- Criterion 5 is met because a failure in the monitoring or display system will not affect the CPCS's ability to perform its safety function.
- Criterion 6 is met because the existing automatic initiation of RPS and ESFAS, as well as means of independent manual actuation of RPS and ESFAS, are maintained.
- Criteria 7, 8, and 9 are met because the CPCS only provides trip signal inputs to the RPS and does not have interfaces to ESFAS. The RPS and ESFAS systems are not affected by the revised design of the CPCS, and these systems are not vulnerable to CPCS common cause failure.
The licensee also referred to the UFSAR Chapter 7.8 description of the diverse nonsafety-related ATWS mitigation system to mitigate the consequences of AOOs coupled with a failure of the RPS to trip the reactor.
Based on the above, the NRC staff determined that the replacement of the existing four-channel CPCS with a Common Q system presents a digital-to-digital upgrade of the CPCS, that backup safety-related analog trips exist for each of the events that credit the CPCS, and that a diverse ATWS mitigation system exists to mitigate the consequences of AOOs coupled with a failure of the RPS to trip the reactor. Therefore, the NRC staff concludes that the replacement CPCS meets GDCs 13, 22, and 24 and the applicable BTP 7-19 acceptance criteria, and that adequate diversity is maintained to satisfactorily address a common cause failure of all four CPCS channels.
3.4 Equipment Qualification
The NRC staff reviewed the planned CPCS replacement equipment qualification against Clause 4, "Safety System Designation," Subclauses 4.7 and 4.8, and Clause 5.4, "Equipment Qualification," of IEEE Std 603-1991 and the associated guidance of IEEE Std 7-4.3.2-2003.
The NRC staff also evaluated whether the replacement CPCS equipment qualification meets GDCs 2 and 4.
The planned CPCS replacement is safety-related and has four independent safety channels, each consisting of a CPC, CEACs, and I/O equipment. Each CPC/CEAC channel communicates with an OM located in the MCR.
The basic objectives of equipment qualification for safety-related equipment are to reduce the potential for common mode failure due to environmental effects and also to demonstrate that the safety-related equipment is capable of performing its designated safety function during and after a design basis event. The planned CPCS replacement equipment would be installed within the existing APC and MCB, which are located in a mild environment; therefore, the planned CPCS replacement equipment would not be subject to a design basis accident.
The replacement CPCS system is based on the Westinghouse Common Q platform, which has been approved by the NRC. Section 7 of the Common Q platform topical report describes the equipment qualification methodology for the generic qualification of the Common Q platform components. The generic qualification of the Common Q platform was performed by type test or analysis and was reviewed and approved by the NRC using the criteria in Revision 3 of RG 1.100, Revision 1 of RG 1.89, Revision 1 of RG 1.180, RG 1.209, and EPRI TR-107330.
From an equipment qualification perspective, the planned CPCS replacement consists of two groups of equipment: primary digital components and project lower-level components. The primary digital components were reviewed by the NRC for qualification for generic application conditions as part of the approved Common Q platform. There are some project lower-level components that are used for the safety-related planned CPCS replacement but were not previously qualified. Those lower-level components were also tested for their qualification for the Waterford Unit 3 application environmental conditions. For the equipment qualification for the planned CPCS replacement, the Common Q components will be mounted in a test rack in the same manner as they will be mounted in an actual cabinet. The licensee submitted an equipment qualification summary report (Reference 1, Enclosure, Attachment 11, and Reference 7, Enclosure 1, Attachment 1) for each of these two equipment groups and their associated qualification evaluation documents (Reference 8, Enclosures 1 and 2). The evaluation of the equipment qualification for these two equipment groups for the planned CPCS replacement is provided below.
A. Primary Digital Components for Planned CPCS Replacement
The primary digital components for the Common Q based planned CPCS replacement, which are used to support performance of the CPCS safety functions, are shown in the following table:
| Component Description | Part Number |
|---|---|
| CPC/CEAC Racks | 2B10755G01-G05 |
| RB-601 Dummy Module | 2C48361G20 |
| CI631-AF100 Interface Kit Module | 2C48361G06 |
| PM646A-Processor Module | 2C48361G01 |
| AI688 AI Module | 2C48361G36 |
| DI620 DI Module | 2C48361G08 |
| DO625 DO Module | 2C48361G10 |
| AO650 AO Module | 2C48361G05 |
| DP620 High Speed Pulse Counter Module | 2C48361G09 |
| OPTO Modem AF100 TC514V2 | 2C48361G14 |
| MCR OM Node Box | 3D91880G07 |
| MCR OM, 12-inch FPD | 3D91659G02 |
| MCR CEAPDS, 19-inch FPD | 3D91659G06 |
| Maintenance Test Panel, 15-inch FPD | 3D91659G05 |
The NRC staff determined that the primary digital components were addressed as part of the approved Common Q platform. Although the primary digital components were qualified for generic conditions as part of the approved Common Q platform, the licensee conducted an assessment to ensure that the environmental, seismic, and electromagnetic compatibility (EMC) requirements specified for the planned Waterford Unit 3 CPCS replacement are enveloped by the generic conditions used for the qualification of those primary digital components in the approved Common Q platform.
For the environmental qualification, the applicable environmental parameters and requirements for the planned CPCS replacement are listed in the CPCS primary digital components qualification summary report (Reference 1, Enclosure, Attachment 11), which includes an IEEE Std 323-1974 compliance assessment. The NRC staff determined that the generic conditions used in the approved Common Q platform to qualify the primary digital components envelop the applicable environmental qualification requirements for the planned Waterford Unit 3 CPCS replacement. Therefore, the generic environmental qualification used for the approved Common Q platform is adequate to meet the applicable environmental qualification requirements for the primary digital components to be supplied for the planned Waterford Unit 3 CPCS replacement.
For the EMC qualification, the specific EMC requirements for the planned Waterford Unit 3 CPCS replacement are listed in the CPCS primary digital components qualification summary report and include the test standards and test levels applied during EMC qualification testing for the emissions, susceptibility, surge withstand capability, and electrostatic discharge tests. The NRC staff determined that the EMC requirements for the planned CPCS replacement are consistent with Revision 1 of RG 1.180 and its endorsement of Revision 1 of EPRI TR-102323, which are also used as the EMC qualification requirements in the approved Common Q platform. Thus, the NRC staff concludes that the existing EMC qualification used for the approved Common Q platform is adequate for the CPCS primary digital components to meet the Waterford Unit 3 EMC requirements.
For the seismic qualification, the applicable seismic qualification requirements for the planned Waterford Unit 3 CPCS replacement are shown in the CPCS primary digital components qualification summary report. This report includes, for example, criteria that safety-related CPCS equipment must be capable of withstanding the effects of five operating basis earthquake (OBE) events and one safe shutdown earthquake (SSE) event without losing functionality or physical integrity. The summary report also states that the required response spectra shall include in-structure amplification applicable to the mounting locations of the CPCS equipment within the APC and on the MCB. In addition, the summary report includes the OBE and SSE in-equipment response spectra developed for the CPCS equipment.
The CPCS primary digital components qualification summary report shows that the Common Q qualified generic seismic level envelops the Waterford Unit 3 seismic requirements.
Additionally, the licensee compared the Waterford Unit 3 seismic level to that for the reference CPCS replacement at Palo Verde, which involved similar Common Q equipment to the planned Waterford Unit 3 CPCS replacement. The approved seismic qualification of similar CPCS equipment with only minor structural modifications to the APC for Palo Verde provides further evidence to justify that the Waterford Unit 3 CPCS equipment is seismically qualified without significant structural modification to the existing APC.
Based on the above, the NRC staff concludes that the existing Common Q generic seismic qualification is acceptable to meet the specific seismic requirements for the planned Waterford Unit 3 CPCS replacement.
B. Project Lower-level Components for Planned CPCS Replacement
Some lower-level components, which are a subset of the planned CPCS replacement, were not previously qualified as part of the approved Common Q platform. These lower-level components must also be capable of proper operation without loss of function when subjected to the site qualification requirements and, therefore, need to be qualified accordingly. The NRC staff's evaluation of the qualification of those lower-level components is discussed below.
Environmental Qualification
The planned CPCS replacement equipment must be capable of proper operation without loss of function when subjected to the applicable Waterford Unit 3 environmental requirements. The following lower-level components were tested for their environmental qualification:
| Component Description | Part Number |
|---|---|
| Fiber Optic Modem Module | 2A10425G02 |
| CPC Power Supply Assemblies | 10167D07G02 |
| AC Power Distribution Panel Assembly | 2E10711G01 |
| APC MUX Assembly | 2E10726G01 |
| Blower Assembly | 2E10734G01 |
| PC Node Box Assembly | 3D91880GXX |
| Serial to Fiber Media Converter | PS21076H10 |
The environmental qualification requirements are included in the CPCS upgrade project equipment qualification summary report (Reference 7, Enclosure 1, Attachment 1), which includes the applicable environmental parameters and RG 1.209 and IEEE Std 323-1974 compliance assessments. The environmental qualification testing was conducted at the Westinghouse test facility in New Stanton, Pennsylvania in July 2020 in accordance with the Westinghouse environmental test plan, the procedure for the planned CPCS replacement, and IEEE Std 323-1974. Additional environmental qualification testing on the APC MUX for use in the planned CPCS replacement was conducted in September and October 2020 because an anomaly was observed for the APC MUX during the initial qualification testing. Functional tests were performed prior to the beginning of both environmental tests and after completion of the tests with intermediate functional tests conducted at the beginning and end of each temperature and humidity cycle.
The NRC staff reviewed the environmental qualification requirements for the planned CPCS replacement and determined that they are consistent with applicable guidance in RG 1.209 and EPRI TR-107330. The staff reviewed the results for both environmental qualification tests and found that all of the CPCS upgrade equipment demonstrated acceptable performance during the testing.
EMC Qualification
To meet IEEE Std 603-1991 and the guidance in RG 1.180, the planned CPCS replacement equipment cannot emit signals that interfere with other plant equipment. The following lower-level components were tested for their EMC qualification:
| Component Description | Part Number |
|---|---|
| AC Power Distribution Panel Assembly, with Removal of Line Filter and Surge Suppressor | 2E10711G01 |
| Line Filter | PS13000H16 |
| Surge Suppressor (120 Vac) | PS13011H18 |
| CPCS Power Supply Assembly, Steel Construction | 10167D07G01 |
| APC MUX Assembly | 2E10726G01 |
| Blower Assembly 525 CFM with Airflow Switch | 2E10734G01 |
| Relay, Solid State | 10167D72G01 |
| Surge Protection Device | PS20559H17 |
| Fiber Optic Modem Module | 2A10425G02 |
| Single Board Computer | PS21504H02 |
| PCI Time and Frequency Processor | PS20190H02 |
| Serial to Fiber Media Converter | PS21076H10 |
| CPCS Power Supply Assembly, Aluminum Construction | 10167D07G02 |
The test standards and test levels applied during EMC qualification testing for the emissions, susceptibility, surge withstand capability, and electrostatic discharge tests are listed as the EMC qualification requirements in the qualification summary report. The NRC staff reviewed the EMC qualification requirements for the planned CPCS replacement and determined that they are consistent with Revision 1 of RG 1.180 and its endorsement of Revision 1 of EPRI TR-102323.
The EMC qualification testing was performed at the Westinghouse test facility in New Stanton, Pennsylvania in accordance with the Westinghouse EMC test plan and procedure and RG 1.180. The EMC testing, functional testing, and performance monitoring were conducted in June and August 2020. Previous testing performed for the generic Common Q platform equipment demonstrated compliance with the EMC qualification requirements in RG 1.180 and its endorsement of Revision 1 of EPRI TR-102323. However, because of the variations in signal cable shield grounding for the AI688 and AO650 cards, and a revision of the 24-Vdc/10-ampere (A) power supplies for the planned Waterford Unit 3 CPCS replacement, additional EMC testing was performed at the same test facility in January, February, and March 2021 to address these application-specific conditions. With specific installation limitations stated in the CPCS upgrade project equipment qualification summary report, the testing results for both initial and supplemental tests show that the CPCS components subject to the EMC testing met all performance requirements when subjected to each EMC susceptibility test and demonstrated compliant emissions levels.
Seismic Qualification
The following lower-level components were tested for their seismic qualification:
| Component Description | Part Number |
|---|---|
| MOXA Single Board Computer | PS21504H02 |
| Fiber Optic Modem Module | 2A10425G02 |
| AC Power Distribution Panel Assembly | 2E10711G01 |
| CPC Power Supply Assemblies | 10167D07G02/10167D07G01 |
| APC MUX Assembly | 2E10726G01 |
| Blower Assembly | 2E10734G01 |
| End Brackets | PS20518H14/PS20518H10 |
| Key switches | PS11940H07/PS11940H08/PS11940H09 |
| PC Node Box Assembly | 3D91880GXX |
| Serial to Fiber Media Converter | PS21076H10 |
| Node Box Shelf | 2E10732G01 |
| Line Filter Panel | 2E10747G01 |
In the qualification summary report, the licensee listed the seismic qualification requirements for the planned CPCS replacement. Specifically, lower-level components must be tested and capable of withstanding the effects of five OBE and one SSE events without loss of functional or physical integrity, in accordance with IEEE Std 344-1975. In addition, the required response spectra must include in-structure amplification applicable to the mounting locations of the CPCS equipment within the APC and on the MCB and the OBE and SSE in-equipment response spectra are developed for the CPCS equipment.
The seismic qualification testing was conducted at the Westinghouse test facility in New Stanton, Pennsylvania on an independent triaxial test table using random multifrequency acceleration time history inputs. The seismic testing was performed in August 2020 in accordance with the seismic qualification requirements for the planned CPCS replacement. The test results show that all of the planned CPCS replacement equipment, except the APC MUX, demonstrated acceptable performance during the seismic test runs to either Common Q generic seismic levels or Waterford Unit 3-specific levels. The testing results show that the APC MUX was qualified to the Waterford Unit 3-specific seismic level only after eight 10-32 bolts with lock washers, instead of four bolts, were used to secure the APC MUX to the test fixture. The NRC staff reviewed the testing results and determined that the seismic qualification requirements for the planned CPCS replacement are consistent with the applicable regulatory guidance in RG 1.100 and EPRI TR-107330.
The APC MUX is a nonsafety-related device that will reside in the safety-related APC. Therefore, this APC MUX is considered an associated circuit and should also be qualified according to RG 1.75. As discussed above, the APC MUX was tested for the environmental, seismic, and EMC qualifications for safety-related equipment. The APC MUX demonstrated acceptable performance during its environmental qualification testing. The seismic and EMC qualification testing results show that the APC MUX met seismic requirements for the APC structural integrity and EMC requirements preventing electromagnetic interference issues with safety-related equipment mounted in the APC. The NRC staff reviewed the test results and determined that the APC MUX did not adversely impact the safety-related components in the APC. Therefore, the staff concludes that as an associated circuit, the APC MUX meets the requirements in RG 1.75.
Based on the evaluation and equipment qualification test results provided by the licensee, the NRC staff determined that the licensee adequately addressed PSAI 4, as described in Section 3.6.2.2 of this safety evaluation, and the staff concludes that the existing Common Q generic qualification for the primary digital components and additional qualification testing conducted for some lower-level components for the planned CPCS replacement are adequate to meet Clauses 4.7, 4.8, and 5.4 of IEEE Std 603-1991, the associated guidance of IEEE Std 7-4.3.2-2003, and GDCs 2 and 4.
3.5 DI&C System Development Processes
The NRC staff reviewed the system and software development processes for the planned CPCS replacement against Clause 5.3, Quality, of IEEE Std 603-1991, the associated guidance of IEEE Std 7-4.3.2-2003, GDC 1, and Appendix B to 10 CFR Part 50. The NRC staff also considered the guidance in BTP 7-14.
Section 5 of the LTR states that Westinghouse will be using the NRC-approved Common Q SPM, Revision 5 (Reference 48) as the framework for the design and development of the planned CPCS replacement. The SPM specifies the life cycle planning process for Common Q application software and the procedures and controls for the complete software development process for software to be developed for use with the Common Q platform in nuclear safety applications.
The NRC staff reviewed Revision 5 of the Common Q SPM in accordance with BTP 7-14 and determined that the SPM specifies plans that provide a quality software life cycle process, and that these plans commit to documentation of life cycle activities that will permit the NRC staff or others to evaluate the quality of the design features upon which the safety determination will be based. The NRC staff also determined that the SPM, as applied to Common Q safety-related systems, meets the guidance of RG 1.152 and that the special characteristics of computer systems have been adequately addressed. Therefore, the NRC staff concludes that the Common Q safety system software development processes, when properly implemented, are capable of producing software that will satisfy GDC 1 and the applicable provisions of Appendix B to 10 CFR Part 50. The NRC staff's evaluation of the Common Q SPM identified PSAIs that must be addressed by an applicant when requesting NRC approval for installation of a safety-related system based on the Common Q platform.
Because the CPCS replacement project is based on the NRC-approved Common Q SPM, the NRC staff's review of the CPCS replacement development processes is focused on the PSAIs and those development plans and activities created specifically for the CPCS replacement project that supplement or replace the Common Q SPM plans and activities. The NRC staff reviewed the replacement CPCS development processes against Clause 5.3 of IEEE Std 603-1991, the associated guidance of IEEE Std 7-4.3.2-2003, and RGs 1.152, 1.168, 1.169, 1.170, 1.171, 1.172, and 1.173.
The licensee's vendor oversight process, as described in the licensee's VOP Summary, contains criteria to verify that Westinghouse performs the CPCS replacement life cycle activities in accordance with the SPM.
3.5.1 System and Software Development Activities
The licensee stated in Section 3.2.2 of the LTR that the tasks and responsibilities for each life cycle phase, as described in Section 4.3.2 of the SPM, are applicable to the CPCS replacement project and will be followed. The licensee also identified that the detailed description of analyses, reviews, and test activities for each life cycle phase are described in the following sections of the SPM: Section 3 for the Software Safety Plan (SSP), Section 4 for the Software Quality Assurance Plan (SQAP), Section 5 for the Software Verification and Validation Plan (SVVP), Section 6 for the Software Configuration Management Plan (SCMP), Section 7 for the Software Test Plan (STP), and Section 12 for the Secure Development and Operational Environment (SDOE) Plan.
The NRC staff's evaluation of the SPM in regard to software development planning is found in Section 3.2.2 of the Common Q SPM safety evaluation and concluded that the SPM adequately describes acceptable methods of organizing the software life cycle, addresses the software development planning activities of BTP 7-14, and conforms with the criteria provided by IEEE Std 1074-2006, as endorsed by RG 1.173 and, therefore, is acceptable.
The CPCS replacement software development plan, WNA-PD-00594-CWTR3, Software Development Plan for the Core Protection Calculator System Upgrade, was derived from the SPM. The NRC staff audited WNA-PD-00594-CWTR3 and observed that it addresses the CPCS replacement project organization, development tools and techniques, plans to be used throughout the system development, training requirements, and documents to be generated.
The NRC staff concludes that because the development planning aspects of the planned CPCS replacement are based on the NRC-approved Common Q SPM and the Waterford Unit 3-specific software development plan, the licensee has satisfied the criteria provided by IEEE Std 1074-2006, Criterion III, Design Control, of Appendix B to 10 CFR Part 50, Clause 5.3 of IEEE Std 603-1991, and the additional criteria of IEEE Std 7-4.3.2-2003, Clauses 5.3.1, Software Development, and 5.3.2, Software Tools.
3.5.1.1 Plant and I&C System Safety Analysis
The CPCS provides the reactor trip signals to the PPS on Low DNBR and High LPD. Both the existing CPCS and the planned CPCS replacement are based on a four-channel digital system. Therefore, the planned CPCS replacement is a digital-to-digital upgrade. As described in Section 3.3.2 of this safety evaluation, the planned CPCS replacement performs the same safety functions as the existing system and, therefore, there are no changes to the plant safety analysis associated with the planned CPCS replacement.
The SSP for Common Q system software is described in Section 3 of the Common Q SPM. The Common Q SSP describes the organizational structure and responsibilities, resources, methods of accomplishment, and integration of system safety with other program engineering and management activities. The NRC staff's review of the SSP is described in Section 3.2.9 of the Common Q SPM safety evaluation and concludes that the software safety activities defined in the SSP will adequately identify and resolve safety issues associated with the Common Q software.
The licensee states in Section 5.2.1 of the LTR that the CPCS replacement software follows the Common Q SPM safety classification. Section 1.2.1 of the SPM defines the following software classes used for Common Q software: Protection, Important-to-Safety, Important-to-Availability, and General Purpose. The NRC staff concluded in Section 3.2.2 of the SPM safety evaluation that the Common Q SPM safety classification conforms to the guidance in IEEE Std 1012-2004, as endorsed by RG 1.168. The licensee states in Section 5.2.1 of the LTR that independent V&V will be performed in accordance with the SPM. The AC160 controller software is classified as Protection class software, and the OM and MTP software is classified as Important-to-Safety class software. In Section 3.2.2 of the SPM safety evaluation, the NRC staff concluded that it is acceptable for Important-to-Safety software that does not directly perform RPS or ESFAS safety functions to be developed using V&V activities that are not equivalent to software integrity level 4 activities as defined in IEEE Std 1012-2004.
Based on the above, the NRC staff concludes that the planned CPCS replacement software has been adequately classified consistent with the NRC-approved Common Q SPM and meets IEEE Std 1012-2004 and Clause 5.3 of IEEE Std 603-1991.
3.5.1.2 I&C System Requirements
The reference CPCS design SyRS is based on the Palo Verde CPCS design and served as input to the Waterford Unit 3-specific CPCS SyRS. The Waterford Unit 3 CPCS replacement SyRS defines the differences in the system design from the Palo Verde CPCS replacement.
For those requirements from 00000-ICE-30158 that are applicable, without modification, to the Waterford Unit 3 CPCS, WNA-DS-04517-CWTR3 states that these requirements shall be met without modification. For requirements that are modified, WNA-DS-04517-CWTR3 identifies the requirement within the corresponding section of 00000-ICE-30158 and the changes to the requirement. A unique identification number is also provided for each requirement that is modified.
Together, the two SyRS documents describe the software components, design structure, information flow, processing steps, and other aspects required to be implemented, and identify the system physical configuration on which the CPC and CEAC software will run. The SyRS documents also contain references to NRC regulations and industry standards that apply to the CPCS requirements and design.
Section 5.2.2 of the LTR states that the CPCS replacement SyRS is independently reviewed, traced to input documents identified in the configuration baseline, and approved. Westinghouse created an RTM to trace the CPCS replacement system requirements to hardware and software design, implementation, and testing. Westinghouse's independent V&V process performs a requirements traceability analysis in accordance with Section 5.4.5.3 of the Common Q SPM. Westinghouse's configuration management process ensures that the system requirements and the RTM are baselined and under configuration control.
The licensee's vendor oversight process, as described in the VOP Summary, validates that the reference design system requirements (00000-ICE-30158) are either applicable to the CPCS replacement design or are modified in the Waterford Unit 3-specific SyRS (WNA-DS-04517-CWTR3). The vendor oversight process also confirms that each requirement has been adequately implemented during the development life cycle. The licensee's vendor oversight process ensures that the Waterford Unit 3-specific system requirements are analyzed, reviewed, and approved. The NRC staff's evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation.
Based on the above, the NRC staff concludes that the licensee and vendor activities ensure that system requirements for the planned CPCS replacement are developed, reviewed, maintained, and traced in a manner consistent with the NRC-approved Common Q SPM and meet Clause 5.3 of IEEE Std 603-1991.
3.5.1.3 I&C System Architecture
The architecture for the planned CPCS replacement is based on the NRC-approved Palo Verde Common Q-based CPCS design architecture, as defined in the reference design SyRS (00000-ICE-30158) and the Waterford Unit 3-specific system requirements, as defined in WNA-DS-04517-CWTR3. These two system requirements documents are described in Section 3.5.1.2 of this safety evaluation. A description of the CPCS design replacement architecture and the NRC staff's evaluation for compliance with the regulatory criteria is found in Section 3.3 of this safety evaluation.
3.5.1.4 I&C System Design
Section 5.2.4 of the LTR states that both the CPCS reference design SyRS (00000-ICE-30158) and the Waterford Unit 3-specific SyRS (WNA-DS-04517-CWTR3) fulfill the role of the system design specification. As described in Section 3.5.1.2 of this safety evaluation, the reference CPCS design SyRS is based on the NRC-approved Palo Verde CPCS design and serves as input to the Waterford Unit 3-specific CPCS SyRS. The Waterford Unit 3 CPCS replacement SyRS defines the differences in the system design from the Palo Verde CPCS replacement.
The Waterford Unit 3 CPCS FMEA (Reference 1, Enclosure Attachment 10) identifies the hardware and HSI hazards and their mitigation or elimination. The NRC staff's evaluation of the FMEA is described under PSAI 10 in Section 3.6.2.2 of this safety evaluation. The CPCS SHA identifies the software hazards and their mitigation or elimination. The NRC staff audited the SHA (Reference 13) and found that the software failures have been adequately identified and addressed.
As described in Section 5.2.2 of the LTR, the CPCS replacement SyRS is independently reviewed, approved, and baselined as an input to the ongoing life cycle activities.
Based on the above, the NRC staff concludes that the licensee and vendor activities ensure that system requirements for the planned CPCS replacement are developed, reviewed, maintained, and traced in a manner consistent with the NRC-approved Common Q SPM and meet Clause 5.3 of IEEE Std 603-1991.
3.5.1.5 Software Requirements
Section 5.2.5 of the LTR states that the CPCS replacement software requirements specification (SRS) will be developed in accordance with the SPM. Section 10.2.2 of the SPM describes the SRS process.
As part of the NRC-approved Palo Verde CPCS replacement, the system requirements for the reference CPCS design (00000-ICE-30158) have already been allocated to software requirements. The system requirements that have changed from the reference design are allocated to software in accordance with WNA-RM-00015-CWTR3, Requirements Management Plan for the Core Protection Calculator System Upgrade Project. The NRC staff audited WNA-RM-00015-CWTR3 and found that it addresses the requirements definition and traceability for the Waterford Unit 3 CPCS replacement SRS.
Section 5.2.5 of the LTR states that the SRS produced using WNA-RM-00015-CWTR3 meets the content but not the format of IEEE Std 830-1998, as endorsed by RG 1.172. The NRC staff finds that this is consistent with Section 10.2.2 of the SPM.
Section 5.2.5 of the LTR also identifies the software requirements information described in the SRS, including the software functionality, performance, and attributes.
The VOP Summary contains an acceptance criterion for ensuring that software requirements are examined, understandable, unambiguous, and traceable. During the NRC's VOP audit (Reference 13), the NRC staff observed that the licensee reviewed the CPCS replacement SRS for acceptance. The SRS RTM traces the SRS requirements back to the SyRS and to either test or inspection documents for requirements validation.
Based on the above, the NRC staff concludes that the licensee and vendor activities ensure that software requirements for the planned CPCS replacement are developed, reviewed, maintained, and traced in a manner consistent with the NRC-approved Common Q SPM and meet Clause 5.3 of IEEE Std 603-1991, and the criteria in IEEE Std 830-1998.
3.5.1.6 Software Design
The software design description (SDD), as described in Section 10.3 of the SPM, is a detailed description of the software to be coded. The NRC staff's evaluation of Section 10.3 of the SPM is described in Section 3.2.13.3 of the Common Q SPM safety evaluation. The NRC staff identified that the Common Q application software development process has provisions for the creation of an SDD that includes descriptions of the software design elements that are used to satisfy software safety and security requirements. Section 5.5.4 of the SPM describes the independent V&V activities for the software design phase.
Separate SDDs are created for each CPCS processor module type. These SDDs are based on the Palo Verde CPCS replacement SDDs and the Waterford Unit 3-specific SyRS and SRS.
Section 5.2.6 of the LTR states that the SDDs decompose the software requirements to document the design and implementation of software components, modules, and units used to implement the planned Waterford Unit 3 CPCS replacement system. The SDDs describe the lower level software modules, referred to as reusable software elements, and document their use in the application.
The VOP Summary identifies oversight activities that verify the technical adequacy of the design; ensure internal completeness, consistency, clarity, and correctness of the software design; and review the software or logic design specification to determine that it is understandable and traceable to the software requirements. The VOP Summary also describes that the licensee will perform reviews of V&V for each applicable life cycle phase for each plan through the Test phase. The NRC staff's review of the VOP Summary is described in Section 3.5.6 of this safety evaluation. The RTM traces the SDDs back to the SRS requirements to ensure proper traceability of requirements.
Based on the above, the NRC staff concludes that the licensee and vendor activities ensure that software design for the planned CPCS replacement is developed, reviewed, maintained, and traced in a manner consistent with the NRC-approved Common Q SPM and meet Clause 5.3 of IEEE Std 603-1991.
3.5.1.7 Software Implementation
Sections 4.3.2.4 and 5.5.5 of the SPM describe the software implementation phase and the independent V&V activities for the implementation phase, respectively. Section 4.6.2 of the SPM describes the minimum software reviews and audits to be performed for Common Q software. Section 4.6.2.3 of the SPM describes the independent V&V activities for code verification. Section 3.2.10 of the SPM safety evaluation describes the NRC staff's review of the SVVP regarding software module testing and concluded that the procedures used for performance of software module testing satisfy the software V&V program requirements of IEEE Std 7-4.3.2-2003, and are thus acceptable.
Section 5.2.7 of the LTR states that the generation of the CPCS replacement application software and revised reusable software elements is governed by the requirements in the SPM, Westinghouse work instructions, the Common Q coding standards, and the Common Q design restrictions. Section 5 of the LTR states that the RTM documents the implementation of the system requirements into hardware and software functions in accordance with the SPM.
The VOP Summary identifies oversight activities to verify that Westinghouse plans and performs application software life cycle activities in a traceable and orderly manner in accordance with the SPM. The VOP Summary also describes that the licensee will perform reviews of V&V for each applicable life cycle phase for each plan through the Test phase. The NRC staff's review of the VOP Summary is described in Section 3.5.6 of this safety evaluation. The RTM traces the SDDs back to the SRS requirements to ensure proper traceability of requirements.
Based on the above, the NRC staff finds that the CPCS software implementation activities are based on the NRC-approved Common Q SPM. The NRC staff also finds that the licensee and vendor activities ensure that software implementation for the planned CPCS replacement is developed, reviewed, maintained, and traced in a manner consistent with the NRC-approved Common Q SPM. Therefore, the NRC staff concludes that the CPCS software implementation activities and licensee and vendor activities meet Clause 5.3 of IEEE Std 603-1991.
3.5.1.8 Software Integration
The planned CPCS replacement software integration activities encompass integration of software modules into units, as described in Section 4.3.2.4 of the SPM, and performance of integration tests. Section 5.2.8 of the LTR states that Section 7 of the SPM outlines the sequence of tests that define the integration process for the planned CPCS replacement.
The NRC staff's evaluation of Section 7 of the SPM is described in Section 3.2.4 of the SPM safety evaluation and identifies that the allocation of integration activities is defined within various sections within the SPM. The NRC staff's review of the SPM concludes that the plans for software integration exhibit the management, implementation, and resource characteristics outlined in BTP 7-14 and, therefore, are acceptable.
The VOP Summary identifies oversight activities to verify that Westinghouse plans and performs application software life cycle activities in a traceable and orderly manner in accordance with the SPM. The VOP Summary also describes that the licensee will perform reviews of V&V for each applicable life cycle phase for each plan through the Test phase. The NRC staff's review of the VOP Summary is described in Section 3.5.6 of this safety evaluation. The RTM traces the SDDs back to the SRS requirements to ensure proper traceability of requirements.
Based on the above, the NRC staff finds that the CPCS software integration activities are based on the NRC-approved Common Q SPM. The NRC staff also finds that the licensee and vendor activities ensure that software integration for the planned CPCS replacement is developed, reviewed, maintained, and traced in a manner consistent with the NRC-approved Common Q SPM. Therefore, the NRC staff concludes that the CPCS software integration activities and licensee and vendor activities meet Clause 5.3 of IEEE Std 603-1991.
3.5.1.9 I&C System Testing
Section 5.2.9 of the LTR states that the CPCS replacement testing will be conducted in accordance with the STP described in Section 7 of the Common Q SPM. The Common Q STP prescribes the scope, approach, resources, and schedule of the testing activities and identifies the items and features to be tested. The STP includes module testing, unit testing, integration testing, system validation testing, and FAT. The NRC staff's evaluation of the STP is in Section 3.2.12 of the Common Q SPM safety evaluation, and it concludes that the STP adequately addresses the test planning guidance of BTP 7-14, and identifies Westinghouse's commitment³ to conform with IEEE Std 829-1998 and IEEE Std 1008-1987.
Section 7.1.3 of the SPM states that project-specific testing requirements shall be included in a project-specific test plan. In response to RAI-09 (Reference 7, Enclosure 2), the licensee explained that WNA-PT-00303-CWTR3, Test Plan for the Common Q Core Protection Calculator System, is the implementation test plan for the CPCS replacement project that must meet the criteria in Section 7 of the SPM. The licensee explained that WNA-PT-00303-CWTR3 addresses the integration test, system validation test, and FAT portions of the Common Q testing sequence by reperforming the same set of tests that were conducted for the reference CPCS design. The NRC staff audited WNA-PT-00303-CWTR3 and found that it describes the Waterford Unit 3 CPCS replacement testing requirements.
Section 5.2.9 of the LTR states that the RTM traces the test cases to the Waterford Unit 3 SyRS, and that multiple runs of the DNBR and LPD trip functions will be conducted to demonstrate that the system meets the response time requirements.
To address SPM PSAI 5, the licensee provided a regulatory commitment in the LAR to evaluate the CPCS replacement project SAT and installation test plans using the software process testing characteristics described in Section B.3.2.4 of BTP 7-14. The NRC staffs evaluation of the licensees response to SPM PSAI 5 is in Section 3.5.1.10 of this safety evaluation.
The VOP Summary states that the licensee will perform V&V reviews for each applicable life cycle phase for each plan through the Test phase. The VOP Summary states that critical characteristics of the planned CPCS replacement will be verified during factory testing and V&V activities, which will bound the design requirements. The NRC staffs evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation.
Based on the above, the NRC staff concludes that because the CPCS replacement test activities are based on the NRC-approved Common Q SPM STP and the implementation of the test activities will be verified by the licensee's vendor oversight process, as described in the VOP Summary, the test activities for the CPCS replacement project meet the criteria of BTP 7-14; IEEE Std 829-1998, as endorsed by RG 1.170; IEEE Std 1008-1987, as endorsed by RG 1.171; and Clause 5.3 of IEEE Std 603-1991.
³ This use of the term "commitment" is not the same as that for a regulatory commitment as discussed in NRC's Office Instruction LIC-105, Revision 7.
3.5.1.10 Common Q SPM PSAIs
The Common Q SPM safety evaluation contains seven PSAIs. The licensee addressed these PSAIs in Section 5.1 of the LTR.
SPM PSAI 1
In Section 5.1.1 of the LTR, the licensee's response to SPM PSAI 1 describes the alternatives taken to the Common Q SPM, as documented in the Waterford Unit 3 CPCS Software Development Plan. Specifically, Section 5.6.1 of the SPM describes independent V&V phase summary reports, including the information that these reports will contain and specifying the completion of these reports at the end of each life cycle phase. As an alternative for the CPCS replacement project, the independent V&V activities will be performed at their respective phases per the SVVP; however, the independent V&V team will not issue phase summary reports after each life cycle phase. The results of individual tasks are documented, and anomalies are reported in the global I&C issue tracking system (RITS) for their resolution. A final independent V&V report will be issued encompassing all software development phases. The justification for taking this alternative is attributed to the limited scope of the project, which is based on a previously completed reference design. Therefore, the Concept, Requirements, Design, and Implementation phases are impacted concurrently and iterated frequently. The Phase Summary Report will be produced only once for this project and will report on all activities to serve as the final independent V&V report. The licensee concluded that this is an acceptable alternative to Section 5.6.1 of the SPM because the feedback to the design team is provided timely based on formally issued anomalies and other underlying reports.
In addition, Section 6.3.2 of the SPM states that the project-specific software will be sent to the lead software engineer for approval or rejection, and the lead software engineer will determine the feasibility and appropriateness of project-specific software changes. As an alternative, the CPCS replacement project will document all software modifications with a software change request via RITS. All functional deviations will be documented with RITS. RITS does not include a method for the lead software engineer to approve a software change request; therefore, an alternative approach will be taken. The licensee concluded that this is an acceptable alternative to Section 6.3.2 of the SPM because the RITS initiator will perform a detailed evaluation, and if a function change is required as a result of the RITS, then these changes will need approval of the lead software engineer or the subsystem lead.
Based on the above descriptions of the differences between the Common Q SPM and the Waterford Unit 3 CPCS Software Development Plan, and the justifications for the alternatives, the NRC staff concludes that the licensee's response satisfies PSAI 1. Specifically, the NRC staff finds that although the vendor will only be developing a final independent V&V report in lieu of providing phase summary reports, issues identified during independent V&V of each development phase would be tracked via other means (e.g., RITS). The NRC staff notes that having a consolidated description of independent V&V findings and their resolution for each phase of the development life cycle is beneficial because the description would provide a more holistic view of issues identified and the associated effects on the project. This view would support identification of any interrelated issues, performance of regression analysis, and determination of the effectiveness of resolutions. However, the NRC staff finds that the potential for not properly identifying interrelated issues is minimal in this instance because a Final Independent V&V Summary Report will be generated that demonstrates how all issues identified by the independent V&V activities for each life cycle phase have been resolved. The NRC staff also concludes that the change control process for design changes resulting from a RITS would meet the intent of requiring the lead software engineer approval for a change.
Based on the information provided in the LTR for the alternatives to the SPM and the corresponding justifications, the NRC staff concludes that this PSAI response satisfies the design control, change control, and independent review requirements in Criterion III to Appendix B.
SPM PSAI 2
In Section 5.1.2 of the LTR, the licensee's response to SPM PSAI 2 identifies the Westinghouse Waterford Unit 3 CPCS documents in Table 5.1.2-1 of the LTR that correspond to the documents listed in Sections B.2.2 and B.2.3 of BTP 7-14. The licensee submitted the LAR in accordance with the ARP described in DI&C-ISG-06, Revision 2. Under the ARP, the NRC staff's review is based on system-level design, system architecture, and software development planning information and a VOP for software implementation and design outputs. The VOP Summary describes how the licensee will evaluate the CPCS software implementation and design outputs. The NRC staff's evaluation of the licensee's VOP Summary, as discussed in Section 3.5.6 of this safety evaluation, finds that the licensee has established an adequate oversight plan to evaluate the planned CPCS replacement software implementation and design outputs. Therefore, the NRC staff concludes that the licensee has satisfied SPM PSAI 2.
SPM PSAI 3
In Section 5.1.3 of the LTR, the licensee's response to SPM PSAI 3 states that the licensee has developed a VOP to verify that Westinghouse is performing its activities in accordance with their QA commitments.⁴ A summary of the VOP was submitted as Attachment 14 to the LAR. The VOP Summary describes how the licensee will perform vendor oversight for QA of the planned CPCS replacement. The NRC staff's evaluation of the licensee's VOP Summary, as discussed in Section 3.5.6 of this safety evaluation, finds that the licensee has established an adequate oversight plan to evaluate the quality of the CPCS replacement. Therefore, the NRC staff concludes that the licensee has satisfied SPM PSAI 3.
SPM PSAI 4
In Section 5.1.4 of the LTR, the licensee's response to SPM PSAI 4 states that Westinghouse will develop a technical manual that includes the elements of a Software Operations Plan and that the licensee will verify that the elements of BTP 7-14 for a Software Operations Plan are incorporated into the CPCS technical manual. The NRC staff reviewed the VOP Summary and audited the VOP, as discussed in Section 3.5.6 of this safety evaluation, and found that the licensee's oversight activities capture the review of the Westinghouse Technical Manual to verify that it satisfies the requirements for the Software Operations Plan. Therefore, the NRC staff concludes that the licensee has satisfied SPM PSAI 4.
⁴ This use of the term "commitments" is not the same as that for a regulatory commitment as discussed in NRC's Office Instruction LIC-105, Revision 7.
SPM PSAI 5
In Section 5.1.5 of the LTR, the licensee's response to SPM PSAI 5 describes the licensee's engineering change (EC) process and EC testing (ECT). The licensee stated that many of the tests for the CPC replacement, including the SAT, will be performed with an EC testing procedure because of the complexity of the testing.
Additionally, the licensee provided the following regulatory commitment in the LAR, as revised by letter W3F1-2021-0054 dated July 29, 2021 (Reference 10):
Entergy will evaluate Waterford CPCS Replacement Project Site Acceptance Test (SAT) and Installation Test Plans using the software process testing characteristics described in BTP 7-14 Section B.3.2.4. This is Plant-specific Action Item #5 per WCAP-16096, Software Program Manual for Common Q™ Systems.
Based on the above, the NRC staff concludes that the licensee has adequately addressed SPM PSAI 5.
SPM PSAI 6
The licensee responded to SPM PSAI 6 in Section 5.1.6 of the LTR and stated that there have been no changes to the SPM since its approval by the NRC. Because no changes were made to the SPM since its approval by the NRC, the NRC staff concludes that the licensee has satisfied SPM PSAI 6.
SPM PSAI 7
In Section 5.1.7 of the LTR, the licensee provided a response to SPM PSAI 7 regarding establishing and maintaining an SDOE. Section 3.8 of this safety evaluation describes how the CPCS design addresses the applicable criteria of Revision 3 of RG 1.152. The NRC staff determined that the licensee has implemented plans and activities to ensure that an SDOE is established for the planned CPCS replacement and meets the applicable criteria of Revision 3 of RG 1.152. Therefore, the NRC staff concludes that the licensee has satisfied SPM PSAI 7.
3.5.2 Project Management Processes
Section 4.3 of the Common Q SPM describes the management principles used for the development of Common Q application software for each phase of the software development life cycle. It includes a description of the software project planning organization, which includes a general overview of the organizational structure used by Westinghouse, and a discussion of organizational responsibilities. The NRC staff's evaluation of the SPM management processes is in Section 3.2.1 of the Common Q SPM safety evaluation and concluded that these processes meet the criteria for a software management plan, as outlined in IEEE Std 1074-2006, as endorsed by RG 1.173, and are acceptable because: the SPM establishes adequate organization and authority structure for the design, the procedures to be used, and the relationships between major activities; and the management structure in the Common Q SPM provides for adequate project oversight, control, reporting, review, and assessment and supports independence of V&V activities.
To manage the CPCS replacement project, Westinghouse created GPEP-PMP-2019-000020, "Project Management Plan for the Waterford 3 Core Protection Calculator Upgrade." The LTR explains that GPEP-PMP-2019-000020 describes the project management processes for the planned CPCS replacement. It also describes the controls for identifying the project scope, determination of deliverables, lines of communication, formal and informal reviews, and interfaces with other internal and external organizations. The LTR states that the Project Management Plan cites the Project Quality Plan that identifies Westinghouse's procedures for implementing Westinghouse's 10 CFR Part 50, Appendix B compliant QA program that will be used for the CPCS replacement project. The NRC staff audited GPEP-PMP-2019-000020 and determined that it addresses the CPCS replacement project scope, schedule, deliverables, risk management, and project requirements and refers to other project plans for quality, requirements management, configuration management, and software development.
The VOP Summary states that the CPCS replacement project risk ranking is one or high-high, which requires a challenge board composed of station and fleet personnel with expertise in the area. A risk assessment of the project and an independent third-party review for critical documents are also performed. The NRC staff's evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation. The NRC staff finds that the provisions for risk management meet the quality criteria of Clause 5.3 of IEEE Std 603-1991, and the additional guidance on software-related project risk activities in Clause 5.3.6, "Software Project Risk Management," of IEEE Std 7-4.3.2-2003.
The LTR refers to Section 4.5.2.4 of the NRC-approved Common Q SPM to address the establishment of quality metrics throughout the development life cycle. The NRC staff finds that this approach meets the criteria of Clause 5.3 of IEEE Std 603-1991 and Clause 5.3.1.1, "Software Quality Metrics," of IEEE Std 7-4.3.2-2003.
The Waterford Unit 3 CPCS Software Development Plan describes the use of the various tools used for the planned CPCS replacement. The LTR refers to the SCMP in Section 6 of the NRC-approved Common Q SPM to address the adequate control of software tools to support system development and software V&V processes. The NRC staff finds that this approach meets the quality criteria of Clause 5.3 of IEEE Std 603-1991 and Clause 5.3.2, "Software Tools," of IEEE Std 7-4.3.2-2003.
Based on the above, the NRC staff concludes that the CPCS replacement project management processes are based on the NRC-approved Common Q SPM and meet the quality criteria of IEEE Std 1074-2006, as endorsed by RG 1.173; Clause 5.3 of IEEE Std 603-1991, and the additional applicable guidance in IEEE Std 7-4.3.2-2003.
3.5.3 Software QA Processes
The licensee stated in Section 5.2.11 of the LTR that the CPCS replacement project will follow the SQAP for Common Q application software described in Section 4 of the Common Q SPM.
The SQAP describes the methodology used for managing Common Q software throughout the development life cycle. The NRC staff's evaluation of the SQAP is found in Section 3.2.3 of the Common Q SPM safety evaluation, and it concludes that the SQAP meets the guidance in BTP 7-14 with regard to software quality planning activities and software QA (SQA) reviews and audits.
A Waterford Unit 3 Project Quality Plan, WNA-PQ-00496-CWTR3, "Project Quality Plan for the CPCS Upgrade Project," was developed to identify the quality requirements for the CPCS replacement project. The NRC staff audited WNA-PQ-00496-CWTR3 and observed that it describes the process for developing the CPCS replacement software, standards to be followed, and any exceptions and clarifications that are needed.
The VOP Summary states that the licensee will ensure that Westinghouse complies with the requirements of Appendix B to 10 CFR Part 50 and 10 CFR Part 21 to control the quality of safety-related materials, equipment, and services and ensure that the SQA program, in accordance with the SPM, is effective in controlling the software development process to assure quality and meets the commitments⁵ described in the LAR for SQA. The NRC staff's evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation.
Based on the above, the NRC staff concludes that because the plans for SQA processes are based on the NRC-approved Common Q SPM and the implementation of the configuration management processes will be verified by the licensee's vendor oversight process, as described in the VOP Summary, the SQA activities for the CPCS replacement project conform to the criteria in IEEE Std 1028-2008, as endorsed by RG 1.168; the criteria in BTP 7-14; Clause 5.3, "Quality," of IEEE Std 603-1991; and the additional criteria in Clause 5.3.1.1 of IEEE Std 7-4.3.2-2003.
3.5.4 Software V&V Processes
The licensee stated in Section 5.2.12 of the LTR that the CPCS replacement project will follow the SVVP for the Common Q application software described in Section 5 of the Common Q SPM. The Common Q SVVP establishes the requirements for the independent V&V process to be applied to Common Q systems. It also defines when, how, and by whom specific independent V&V activities are to be performed. The NRC staff's evaluation of the SVVP is in Section 3.2.10 of the Common Q SPM safety evaluation, and it concludes that the Westinghouse approach on independent V&V for the Common Q platform is in accordance with the criteria of IEEE Std 7-4.3.2-2003 and is compatible with IEEE Std 1012-2004.
A CPCS replacement V&V Plan was developed to identify software independent V&V activities for the project to ensure that the CPCS software performs its intended functions. The NRC staff audited WNA-PV-00110-CWTR3, "Software Verification & Validation Plan for the Core Protection Calculator System Upgrade Project," Revision 0, and verified that the plan identifies the independent V&V organizational requirements, the independent V&V activities for each of the life cycle phases, the independent V&V methods and tools, and the reporting requirements.
The NRC staff also audited the Westinghouse organizational chart for the CPCS replacement project and verified that the independent V&V team and the design team report to two different directors in the organization.
The VOP Summary describes that the licensee will perform reviews of V&V activities for each applicable life cycle phase for each plan through the Test phase and will verify that Westinghouse follows the V&V requirements in the Common Q SPM. The NRC staff's evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation.
Based on the above, the NRC staff concludes that because the V&V plans are based on the NRC-approved Common Q SPM, and the V&V processes will be verified by the licensee's vendor oversight process, as described in the VOP Summary, the V&V program activities for the CPCS replacement project conform to the criteria identified in IEEE Std 1012-2004, the criteria in BTP 7-14, the criteria in Clause 5.3 of IEEE Std 603-1991, and the additional criteria in Clauses 5.3.3, "Verification and Validation," and 5.3.4, "Independent Verification and Validation Requirements," in IEEE Std 7-4.3.2-2003.
⁵ This use of the term "commitments" is not the same as that for a regulatory commitment as discussed in NRC's Office Instruction LIC-105, Revision 7.
3.5.5 Configuration Management Processes
Section 5.2.13 of the LTR states that the CPCS replacement project will follow the SCMP for Common Q application software described in Section 6 of the Common Q SPM. The SCMP applies to all Common Q software and software tools used in the development of Common Q software. The NRC staff's evaluation of the SCMP is in Section 3.2.11 of the Common Q SPM safety evaluation, and it concludes that the SCMP conforms to the criteria identified in IEEE Std 828-2005, as endorsed by RG 1.169, and meets the criteria in BTP 7-14.
Consistent with the SPM, a Waterford Unit 3 CPCS Configuration Management Plan was developed to provide project-specific details for configuration management. The NRC staff audited WNA-PC-00069-CWTR3, "Configuration Management Plan for the Core Protection Calculator System Upgrade Project," Revision 1, and verified that the plan identifies the configuration management responsibilities and activities, including identification of configuration items, configuration control, configuration status accounting, configuration audits and reviews, hardware and software interface control, and delivery of the product for the CPCS replacement project.
The VOP Summary describes that the licensee will verify the implementation of the configuration management process to ensure that it follows the Common Q SPM. The NRC staff's evaluation of the VOP Summary is in Section 3.5.6 of this safety evaluation.
Based on the above, the NRC staff concludes that because the plans for configuration management processes are based on the NRC-approved Common Q SPM and the Waterford Unit 3 CPCS project-specific configuration management requirements, and the implementation of the configuration management processes will be verified by the licensee's vendor oversight process, as described in the VOP Summary, the configuration management activities for the Waterford Unit 3 replacement project conform to the criteria identified in IEEE Std 828-2005, the criteria in BTP 7-14, Clause 5.3 of IEEE Std 603-1991, and the additional criteria in Clause 5.3.5, "Software Configuration Management," of IEEE Std 7-4.3.2-2003.
3.5.6 Vendor Oversight Plan Summary
The NRC staff evaluated whether the licensee's oversight activities, as described in the VOP Summary (Reference 7, Enclosure 1, Attachment 2), meet the following criteria to Appendix B of 10 CFR Part 50:
- Criterion III, "Design Control"
- Criterion V, "Instructions, Procedures, and Drawings"
- Criterion VII, "Control of Purchased Material, Equipment, and Services"
- Criterion XVI, "Corrective Action"
In addition, the NRC staff used the ARP criteria in Revision 2 of DI&C-ISG-06 to review the oversight activities described in the VOP Summary. Revision 2 of DI&C-ISG-06 defines the licensing process used to support the review of LARs associated with safety-related DI&C equipment modifications in operating plants. The ARP described in DI&C-ISG-06, Revision 2, allows the NRC staff to decide whether to approve an LAR after the system design is completed and evaluated but before the system has been built and FAT completed where acceptability of the application-specific DI&C platform system is partially based on the licensee's oversight and evaluation of the vendor's DI&C system development process activities, as described in the licensee's VOP and VOP Summary.
The VOP Summary identifies the sections of the VOP and summarizes how the VOP will ensure the licensee's oversight of its vendor's (Westinghouse) involvement (e.g., hardware, software, design documentation, and licensing documentation) in the CPCS replacement project. The NRC staff reviewed Revision 1 of the VOP Summary to verify that its described activities will ensure that all process and technical regulatory requirements will be met, and that there is reasonable assurance that the digital systems will be appropriately developed, implemented, and tested with appropriate vendor oversight by the licensee.
The licensee's execution of the VOP, as described in the LAR, as supplemented, provides reasonable assurance that the licensee will verify that its vendor executes the project consistent with the LAR, and provides reasonable assurance that the as-built and tested CPCS will continue to meet the design and quality regulatory requirements of 10 CFR 50.55a(h), via IEEE Stds 279-1971 or 603-1991, and applicable criteria in Appendix B to 10 CFR Part 50. The NRC staff audited VOP-WF3-2019-00236, "WF3 [Waterford 3] Core Protection Calculator System Replacement Project Vendor Oversight Plan," Revision 4, to identify details supporting the VOP Summary's description of vendor oversight activities and associated processes to perform these activities. The NRC staff documented its observations in the audit report (Reference 13).
The NRC staff's evaluation of the information within the VOP Summary and the supplement to the VOP Summary to the applicable criteria in Appendix B to 10 CFR Part 50 is provided below.
Criterion III, Design Control
Section 5, "Determine Performance Measures and Acceptance Criteria," of the VOP Summary identifies three categories of performance measures and associated vendor oversight activities that will be used to verify these performance measures. A description of each performance category and associated acceptance criteria is provided below:
- Critical characteristics: important design, material, and performance characteristics of a system that, once verified, will provide reasonable assurance that the system will perform its intended critical functions. These critical characteristics are divided into physical, performance, environmental, and cyber characteristics. The critical characteristics will be verified by a number of oversight activities such as conducting vendor audits and quality surveillances, reviewing Westinghouse design output documents, and participating in factory acceptance testing.
- Design artifacts: a set of design output documents described in the Westinghouse procurement documentation (e.g., SyRS, SRS, availability analysis, LTR). These design artifacts are verified by the licensee using the process documented in the licensee's procedure, EN-DC-149, "Acceptance Vendor Documents."
- Programmatic elements: the vendor's programs and processes relevant to the CPCS project, including elements of the system life cycle as described in the Westinghouse SPM. The licensee will perform reviews of V&V for each applicable life cycle phase for each plan through the Test phase. This includes verifying that Westinghouse has (1) planned and performed application software life cycle activities in a traceable and orderly manner in accordance with the SPM and (2) followed the V&V requirements in the NRC-approved Common Q SPM. The VOP specifies the oversight activities that will verify these programmatic elements and provides acceptance criteria related to QA, configuration management, software V&V, software safety, secure development environment, cyber security, software life cycle processes, hardware requirements, and PSAIs identified in topical reports discussed in the LTR.
The licensee submitted WNA-DS-04517-CWTR3, Revision 5, as part of the LAR for the Waterford Unit 3 CPCS upgrade project. This document identifies the system requirements of the planned Waterford Unit 3 CPCS. For each requirement that has been adopted without modification from Westinghouse Specification 00000-ICE-30158, WNA-DS-04517-CWTR3 states that this requirement applies to the planned Waterford Unit 3 CPCS without modification.
When there is a difference between the requirement in 00000-ICE-30158, Revision 14, and the planned Waterford Unit 3 CPCS functional requirements, WNA-DS-04517-CWTR3 identifies how the requirement in 00000-ICE-30158, Revision 14, was modified for the planned Waterford Unit 3 CPCS. The VOP Summary states that any requirements that are adopted without modification from 00000-ICE-31058 will be validated using Requirements phase independent V&V and Design phase independent V&V audits by comparing with the RTM, FAT, and SAT, including a system validation test. Based on the above, the NRC staff finds that the requirements tracing activities described in the VOP Summary to validate that Westinghouse has adequately implemented the system requirements in WNA-DS-04517-CWTR3 are adequate to meet the requirements of Criterion III to Appendix B of 10 CFR Part 50.
Section 5 of the VOP Summary describes critical characteristics as those important design, material, and performance characteristics of a system that, once verified, will provide reasonable assurance that the system will perform its intended critical functions. These critical characteristics are divided into four categories: physical, performance, environmental, and cyber security. This section of the VOP Summary also provides examples of critical characteristics included in these categories that will be validated as part of the oversight activities described in the VOP. Examples of performance characteristics that will be validated include confirmation that the response time and throughput for the system meets the SyRSs and that the CPU maximum load restrictions are implemented and meet the SyRSs. The NRC staff confirmed that these critical characteristics are consistent with the examples provided in the VOP. Based on the above, the NRC staff finds that the oversight activities described in the VOP Summary to validate that the critical characteristics of the CPCS have been met throughout the development life cycle are adequate to meet the requirements of Criterion III to Appendix B of 10 CFR Part 50.
In the response to RAI-15 (Reference 7, Enclosure 2), the licensee stated that the VOP and VOP Summary have been modified to clarify the terminology used regarding licensee oversight activities and to improve the organization of the VOP. These changes include updates to the description of independent V&V, clarifications to distinguish the traceability activities that will be performed by the licensee and the independent V&V activities performed by Westinghouse, addition of a software V&V section, and identification of the design artifacts that will be reviewed and accepted in accordance with the licensee's engineering approval procedure. The NRC staff audited these changes in the VOP and reviewed the conforming changes to the VOP Summary.
The NRC staff determined that the modifications to the VOP Summary to clarify the terminology regarding the oversight activities, including distinguishing the traceability activities performed by the licensee and the independent V&V activities performed by Westinghouse, and the organization changes to the VOP, including conforming changes to the VOP Summary, are acceptable. Therefore, the NRC staff finds that the oversight activities described in the VOP Summary on the independent V&V tasks performed by Westinghouse are adequate to meet the requirements of Criterion III to Appendix B of 10 CFR Part 50.
Section 2 of the VOP Summary describes the change control process that will govern any update or change to the VOP after the NRC issues the license amendment. This includes requiring the development and approval of an EC in accordance with EN-DC-115, "Engineering Change Process." The VOP Summary specifies that the approved NRC safety evaluation will be reviewed to ensure bases or requirements are not adversely impacted by changes to the VOP. The NRC staff audited Revision 4 of the VOP and confirmed that the change control process included in the VOP is consistent with the VOP Summary. Based on the inclusion of the note to specify that an EC is required when modifying the VOP and that as part of the process a review of the NRC safety evaluation is required, the NRC staff finds that the licensee's change control process for the VOP is adequate to meet the requirements of Criterion III to Appendix B of 10 CFR Part 50.
Based on the above findings, the NRC staff concludes that the oversight activities described in the VOP Summary are sufficient for the licensee to verify that there will be adequate design controls during the development of the CPCS to meet the requirements of Criterion III of Appendix B to 10 CFR Part 50.
Criterion V, Instructions, Procedures, and Drawings
Section 2 of the VOP Summary states, "The VOP is an umbrella document covering the range of activities in which Entergy is engaged in to perform effective oversight," and, "[T]he level of vendor oversight follows a procedure-driven graded approach, based on project and technical risk factors, which are described in VOP Section 6." Section 2 of the VOP Summary also states:
The Quality Assurance Program Manual (QAPM) provides a consolidated overview of the quality program controls which govern the operation and maintenance of Entergy's quality related items and activities. The QAPM implements 10 CFR [Part] 50, Appendix B, and the QAPM is implemented through the use of approved procedures... which provide written guidance for the control of quality related activities and provide for the development of documentation to provide objective evidence of compliance.
The VOP and VOP Summary refer to Revision 39 of the QAPM. The licensee submitted Revision 40 of the QAPM (Reference 57) to the NRC, which incorporates changes to Revision 39. The changes between the two versions do not affect the VOP Summary descriptions of the QAPM.
The VOP Summary identifies the main implementing procedures for the QAPM, as outlined in CPP-WF3-2019-002, CPCS Replacement Project Critical Procurement Plan, Revision 0, for the CPCS procurement process and maps these procedures to the QAPM. These procedures include:
- EN-MP-100, Critical Procurements, which provides guidance for the establishment of oversight activities to ensure that critical materials and related services are planned and executed such that all applicable requirements are met
- EN-QV-108, QA Surveillance Process [QAPM C.2]
- EN-LI-102, Corrective Action Program [QAPM A.1, A.6, A.7, B.13, B.15]
- EN-DC-149, Acceptance of Vendor Documents, which provides guidance for the review and approval of Westinghouse documents and drawings [QAPM B14.a, b - Document Control]
- EN-DC-115 [QAPM A.7, B.2, B.8, B.11, B.15]
Section 2 of the VOP Summary states, [T]he VOP works in coordination with existing Entergy Quality Assurance processes and procedures. The coordination with existing QA processes, procedures and staff ensures that all vendor documents, software and equipment meet all quality and design requirements. This VOP Summary section also identifies other licensee procedures that are used to conduct vendor oversight activities under the VOP, including:
- EN-DC-126, Engineering Calculation Process, which provides the process for governing the preparation, revision, review, approval, acceptance, and use of vendor produced calculations
- EN-DC-147, Engineering Reports, which provides the process for the overall engineering report process
- EN-HU-104, Technical Task Risk & Rigor, which provides direction for the risk assessment of technical work and independent third-party review
- EN-OM-132, Nuclear Risk Management Process, which provides the method for the licensee to evaluate and manage risks
- EN-FAP-PM-004, Project Implementation, which provides a process for project development, planning, and execution
- EN-PM-100, Conduct of Project Management, which establishes requirements and guidance to ensure a standard and predictable approach to project management throughout the life cycle of the project
Section 5 of the VOP Summary identifies design artifacts and critical characteristics for the CPCS project that will be generated by Westinghouse in accordance with the procurement documentation. The design artifacts will be reviewed and approved under the licensee's procedure EN-DC-149. In addition, design inputs and critical characteristics, cyber security, software QA, or other design requirements specific to the procurement of the CPCS are evaluated in the CPP. This includes critical characteristics to be verified during construction of the CPCS modification. Critical characteristics will also be verified during the FAT and V&V activities, which will bound the design requirements.
Based on the above, the NRC staff finds that the description of the implementing procedures and their interrelationship with the licensee's QAPM used to (1) develop the VOP and (2) implement the vendor oversight activities identified in the VOP demonstrate that the licensee will implement vendor oversight activities for the CPCS in accordance with documented instructions and procedures that are consistent with the licensee's QA program as described in the licensee's QAPM. Therefore, the NRC staff concludes that the VOP Summary meets the requirements of Criterion V of Appendix B to 10 CFR Part 50.
Criterion VII, Control of Purchased Material, Equipment, and Services
Section 2 of the VOP Summary identifies the oversight activities that the licensee will perform to ensure that Westinghouse executes the project consistent with the licensee's procurement documents, the Westinghouse SPM, Westinghouse platform-related documentation, and the project description consistent with the LAR.
Section 5 of the VOP Summary identifies the oversight activities that the licensee will perform to verify that design artifacts and programmatic elements identified in this section meet the requirements in the design basis, licensing documents, and procurement documents.
Oversight of critical characteristics uses the following vendor oversight activities:
- conducting vendor audits and quality surveillances
- reviewing Westinghouse design output documents
- participating in FAT
- conducting SAT
- observing or witnessing specific vendor activities
- capturing issues in the licensee's and vendor's corrective action programs
In addition to the above activities, the licensee is using the independent third-party review process for critical design artifacts (e.g., SyRS, SRS, LTR, etc.) for the CPCS project.
Section 5 of the VOP Summary identifies the following oversight activities that will be performed to verify that design artifacts meet the requirements specified in the LAR, the licensing basis documents, and the procurement document and to verify that elements of the CPCS system life cycle, as described in the Westinghouse SPM, meet the requirements for each life cycle phase:
- conducting vendor audits
- reviewing Westinghouse design output documents (e.g., specifications, drawings, analyses, RTMs, independent V&V task reports)
- providing input to and review and confirmation of specific vendor activities and related information items
- coordinating multidisciplined interactions between various stakeholders
- capturing issues in the licensee's and vendor's corrective action programs
In addition, Section 5 of the VOP Summary states that for programmatic elements, the licensee will observe or witness specific vendor activities.
Section 8 of the VOP Summary identifies the documentation that would be generated from the vendor oversight activities, which includes:
- formal audit plans and reports
- comments and feedback on design artifacts through the owner acceptance engineering process
- teleconference notes
- emails
- written correspondence between the licensee and the vendor
Based on the above, the NRC staff finds that the activities described in the VOP Summary adequately capture the oversight activities that will be performed to verify that Westinghouse's development of the CPCS replacement will meet the procurement specifications, design basis and licensing basis requirements, and the design requirements specified in the LAR. The NRC staff also finds that the surveillance and audit activities and the documentation requirements described in the VOP Summary will provide sufficient objective evidence of quality for the design outputs produced by Westinghouse for each phase of the CPCS development life cycle.
Therefore, the NRC staff concludes that the VOP Summary meets the requirements of Criterion VII of Appendix B to 10 CFR Part 50.
Criterion XVI, Corrective Action
Section 7, Perform Corrective Action, of the VOP Summary states that condition reports are generated for entry into the corrective action program for issues related to vendor performance or quality. The VOP Summary identifies the minimum conditions that will trigger a condition report. These include instances of when:
- Westinghouse does not comply with Westinghouse's quality program, software processes, or hardware processes
- nuclear safety may be adversely impacted if the digital item is installed and operated
- unit generation may be adversely impacted if the digital item is installed and operated
- digital item quality cannot be assured
- digital item quality cannot be assured without a significant project delay
- digital item quality is not assured, and identical or similar digital items are already installed in the facility, in other applications, and are considered operable or available
- the licensee awarded Westinghouse with other purchase orders or contracts to deliver other digital items, and performance measures indicate that the quality of the other items may not be assured
The VOP Summary states that if the Waterford Unit 3 CPCS project team identifies any performance issues, oversight of Westinghouse would be enhanced through periodic meetings to discuss and resolve issues, additional technical reviews or surveillances, management intervention, or stop work and implement the recovery plan.
Based on the above, the NRC staff finds that the minimum conditions that would trigger a condition report identified in the VOP Summary are adequate to ensure that potential conditions adverse to quality will be identified and corrected. The NRC staff also finds that the description of measures in the VOP Summary that would be taken to enhance the oversight of Westinghouse should performance issues arise will support resolution of performance issues, minimize risks associated with these performance deficiencies, and reduce the likelihood that conditions adverse to quality will occur. Therefore, the NRC staff concludes that the VOP Summary meets the requirements of Criterion XVI of Appendix B to 10 CFR Part 50.
3.6 Applying a Referenced Topical Report Safety Evaluation
The amendment supports the planned replacement of the existing Waterford Unit 3 CPCS with a functionally equivalent digital CPCS that is based on the Common Q platform, which has been evaluated by the NRC and approved for generic use in nuclear safety-related applications.
3.6.1 Addressing Platform Changes After Approval of a TR
Differences Between the Waterford CPC System and the Approved Common Q Platform
The LAR refers to the NRC Common Q platform safety evaluation (Reference 50). Section 6.1 of the LTR identifies Common Q platform changes that were applied to the Waterford Unit 3 CPCS project from Revision 4 of the Common Q platform topical report. The NRC staff evaluated these platform changes as follows.
Summary of Platform Changes
The following are the changes between the platform design reviewed for Revision 4 of the Common Q platform topical report and the Waterford Unit 3 CPCS/CEACS design:
- AI688 - S600 AI Module was changed from Revision A to Revision C
- AO650 - S600 AO Module was changed from Revision A to Revision B
- CI631 - Communications Interface Module was changed from Revision F to Revision H
- DI620 - S600 DI Module was changed from Revision A to Revision D
- DO625 - S600 DO Module was changed from Revision A to Revision B
- DP620 - S600 Pulse Counter Module was changed from Revision A to Revision B
- PM646A - AC160 Processor Module was changed from Revision T to Revision U
- AC160 Base Software - Base Software was changed from Revision 1.3/9 to Revision 1.3/11
Evaluation of Platform Changes
Westinghouse uses a change process that requires evaluation and documentation of changes made to the Common Q platform components and software. The process includes an evaluation of each change to the platform against the safety conclusions reached by the NRC in its safety evaluation of the platform. This process is described in WCAP-17266-P, Common Q Platform Generic Change Process (Reference 58).
Appendix 5 of the Common Q platform topical report (Reference 59) is the output document for the change process described in Reference 58. This document provides a summary of the changes, a detailed analysis, qualification documents, and a conclusion statement on the status of the changes relative to the NRC safety conclusions.
Section 6.2.2.16 of the LTR includes a response to PSAI 17 that states that the Common Q record of changes document assesses these later, qualified product revisions and the qualification references demonstrating that the product remains consistent with the safety conclusions in the NRC safety evaluation. The NRC staff audited the Common Q record of changes (Reference 13).
Based on the above, the NRC staff finds that the software changes have been adequately analyzed and tested and that there is reasonable assurance that the changes will not adversely impact the CPCS. Therefore, the NRC staff concludes that the licensee's use of the Common Q platform safety evaluation for the planned Waterford Unit 3 CPCS design is acceptable.
3.6.2 Resolution of Topical Report Generic Open Items and PSAIs
Revision 4 of the Common Q platform topical report (Reference 50) has 2 generic open items (GOIs) and 24 PSAIs. The NRC staff's evaluation regarding the licensee's disposition of each GOI and PSAI is provided in the following subsections.
3.6.2.1 Generic Open Items
Although the NRC staff's safety evaluation for the Common Q platform topical report lists 12 GOIs, all of these have been closed except for two. The licensee addressed the remaining two GOIs in Section 6.2.1 of the LTR. The NRC staff's evaluation is below.
GOI 8, Loop Controllers
The licensee provided a response to GOI 8 in Section 6.2.1.1 of the LTR that stated that the replacement CPCS does not include loop controllers or a priority module function. The NRC staff reviewed the SyRS provided as Attachment 7 to the LAR and confirmed that the planned Waterford Unit 3 CPCS design does not include loop controllers. Therefore, the criterion of this GOI does not apply to the planned Waterford Unit 3 CPCS design and, thus, the licensee has adequately addressed GOI 8.
GOI 12, Electromagnetic Compatibility Requirement
The licensee provided a response to GOI 12 in Section 6.2.1.2 of the LTR that stated that the planned replacement CPCS architecture does not use the equipment listed in the GOI. The NRC staff reviewed the SyRS provided as Attachment 7 to the LAR and confirmed that the planned Waterford Unit 3 CPCS design does not include the use of any of the Common Q components listed in GOI 12. Therefore, no additional equipment qualification testing of these components is required to support the planned Waterford Unit 3 CPCS implementation and, thus, the licensee has adequately addressed GOI 12.
3.6.2.2 PSAIs
There are 25 PSAIs for the Common Q platform topical report. PSAI 3 was resolved generically in the topical report and, therefore, does not need to be addressed by the licensee. The licensee addressed the remaining 24 PSAIs in Section 6.2.2 of the LTR. The NRC staff's evaluation is below.
PSAI 1 - Suitability of S600 I/O Modules
The licensee provided a response to PSAI 1 in Section 6.2.2.1 of the LTR that stated that the CPCS SyRS documents (Reference 1, Enclosure, Attachment 7 and Reference 2, Enclosure 1)
Sections 2.3.11 and 2.3.12 define the interface input and output requirements for the planned CPCS replacement. The NRC staff confirmed that the Waterford Unit 3 CPCS I/O requirements are consistent with the functional performance characteristics of the S600 I/O modules that are used in the design. Furthermore, the factory acceptance tests to be performed at Westinghouse
and SAT to be performed at the plant will demonstrate that all performance requirements are met prior to placing the system into service. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 1.
PSAI 2 - Alternatives to the FPDS
The licensee provided a response to PSAI 2 in Section 6.2.2.2 of the LTR that stated that the PSAI is not applicable to the planned Waterford Unit 3 CPCS replacement because it is not using an alternative to the FPDS described in the Common Q platform topical report. The NRC staff confirmed that the planned Waterford Unit 3 CPCS design includes the FPDS and not an alternative display system. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 2.
PSAI 4 - Equipment Environmental Qualification
The licensee provided a response to PSAI 4 in Section 6.2.2.3 of the LTR that stated that the Waterford Unit 3 CPCS equipment qualification summary report (Reference 1, Enclosure, 1) analyzes the equipment qualification of the components that make up the replacement CPCS and concludes that the testing and results encompass Waterford Unit 3 site requirements for the CPCS. The licensee also stated that the spare AC160 controller slots in Figure 3.2-1, Common Q CPC/CEAC Architecture Block Diagram, of the LTR will be filled by the AC160 dummy module.
The NRC staff evaluated the CPCS primary digital components qualification summary report.
The results of this evaluation are documented in Section 3.4 of this safety evaluation. The NRC staff verified that plant environmental data for the locations in which the Common Q equipment is to be installed are enveloped by the environment established in the equipment qualification summary report. The NRC staff also reviewed the CPCS architecture in Section 3.3 of this safety evaluation and verified that the Waterford Unit 3 plant-specific Common Q system configuration is consistent with the configuration used during platform qualification testing.
Based on (1) the NRC staff's equipment qualification evaluation, (2) the plant-specific design characteristics of the Waterford Unit 3 CPCS, and (3) the NRC staff's review of the CPCS architecture, the NRC staff concludes that the licensee has adequately addressed PSAI 4.
PSAI 5 - Software Life Cycle Process Implementation
The licensee provided a response to PSAI 5 in Section 6.2.2.4 of the LTR that identified the SPM software life cycle phases that correspond to the DI&C-ISG-06 review sections for software development under the ARP. The licensee also stated that the VOP describes how the licensee will verify Westinghouse's use of procedures and the acceptability of Westinghouse work products to the requirements of the Common Q SPM.
The NRC staff evaluated the Waterford Unit 3 CPCS system development processes, which include software development processes. Section 3.5.1 of this safety evaluation documents the results of this evaluation. In addition, the licensee's VOP Summary (Reference 7, Enclosure 1, ) includes provisions for the licensee to provide oversight of the Westinghouse application development activities. Therefore, the licensee will evaluate the quality of the design features for the CPCS as they are developed. The NRC staff confirmed that the licensee will review the implementation of the life cycle process and the software life cycle process design outputs for the Waterford Unit 3 CPCS application as directed by the VOP. During the regulatory audit, the NRC staff reviewed the VOP and verified that it includes activities to review and assess software implementation documentation. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 5.
PSAI 6 - System Timing Analysis and Validation Testing
The licensee provided a response to PSAI 6 in Section 6.2.2.5 of the LTR that referred to LTR Section 3.2.6 for the response time criteria and to LTR Section 3.3 for the accuracy requirements, and stated that these will be validated by test. The licensee also stated that the VOP describes how the licensee will verify that Westinghouse properly propagates these requirements through the design, implementation, and testing of the replacement CPCS.
The NRC staff reviewed Section 3.2.6, CPCS Design Function, of the LTR to evaluate the methods, including timing analysis and validation testing, used to ensure that CPCS calculated response times maintain the safety margin for the plant. The NRC staff's evaluations of the response time criteria and accuracy are in Sections 3.3.6.3 and 3.1.2 of this safety evaluation, respectively.
Section 3.5.1 of this safety evaluation evaluates processes for performing development activities, including those relating to system response time validation. The NRC staff found these processes to be acceptable for the development of nuclear safety systems.
The licensee's VOP Summary includes provisions for the licensee to perform oversight of the Westinghouse application development activities; therefore, the licensee will review the timing analysis and validation tests performed on the CPCS to verify that the system satisfies its plant-specific requirements for accuracy and response time in the UFSAR Chapter 15 accident analysis.
Based on this evaluation, the NRC staff concludes that the licensee has appropriately addressed PSAI 6 to the extent possible at the current stage of system development.
PSAI 7 - System Access Control
The licensee provided a response to PSAI 7 in Section 6.2.2.6 of the LTR that refers to a description of the OM and MTP displays in Section 3.2.7 of the LTR and a description of how control of access is addressed in Section 3.3.3.5 of the LTR.
The NRC staff reviewed the method for accessing and controlling the CPCS software, safety-related algorithms, and addressable constants. In accordance with the CPCS requirements specifications, software can be downloaded only through accessible APCs that can be locked. The MTP uses an SLE key switch to energize the hardware needed to download new software. The OM or MTP can be used to change addressable constants using keylock controls. Therefore, the NRC staff determined that the Common Q system maintains access control of the CPCS software media and hardware.
The secure operational environment (SOE) and human factors aspects of the review are addressed in Sections 3.8 and 3.9 of this safety evaluation. The NRC staff determined that the licensee has acceptably addressed the SOE and human factors aspects of the CPCS.
Based on the above, the NRC staff concludes that the licensee has adequately addressed PSAI 7.
PSAI 8 - Equivalent System Functionality
The licensee provided a response to PSAI 8 in Section 6.2.2.7 of the LTR that stated that the CPCS replacement SyRS documents define the functional and system requirements for the replacement CPCS to meet the same functionality of the existing CPCS. Section 3.2.6, CPCS Design Function, of the LTR states, "The CPCS design functions are unchanged as a result of the CPCS upgrade using the Common Q Platform." This section of the LTR also states that the same design basis algorithms are used in the replacement CPCS and acknowledges that the timing of some of the application programs were changed to accommodate the change in platform.
The NRC staff confirmed that the functional requirements of the existing system are the same as the Common Q-based CPCS replacement. To compare the new system functional design to the original CPCS design, the NRC staff reviewed Chapter 7.2, Reactor Protection System, of the UFSAR, the reference design SyRS (Reference 1, Enclosure, Attachment 7), and the Waterford Unit 3 CPCS replacement SyRS (Reference 2, Enclosure 1). The NRC staff determined that, with the exception of system time response performance, the Waterford Unit 3 system specification functional requirements were consistent with the UFSAR functional descriptions of the CPCS and with the existing CPCS. Section 3.3.3 of this safety evaluation contains the NRC staff's evaluation of the planned new system's functions.
The NRC staff reviewed the response time performance characteristics of the replacement CPCS to ensure consistency with the Waterford Unit 3 safety analysis and found the increased response time requirements to be acceptable. The NRC staff's evaluation of the response times is in Section 3.3.6.3 of this safety evaluation. The NRC staff concluded that the planned CPCS replacement is functionally equivalent to the existing CPCS.
Based on the above, the NRC staff concludes that the licensee has adequately addressed PSAI 8.
PSAI 9 - Plant Procedures and Technical Specifications
The licensee provided a response to PSAI 9 in Section 6.2.2.8 of the LTR. The NRC staff's evaluation of the licensee's proposed TS changes and associated justifications is in Section 3.1 of this safety evaluation. Modifications to plant procedures resulting from installing the Common Q CPCS are implementation activities that are not within the scope of this safety evaluation. The ARP requires a licensee to evaluate required plant procedures to meet the requirements of PSAI 9. The NRC staff determined that the licensee has an established methodology for the identification and modification of the plant procedures that are affected by the Common Q CPCS. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 9.
PSAI 10 - Failure Modes and Effects Analysis
The licensee provided a response to PSAI 10 in Section 6.2.2.9 of the LTR that stated that the plant-specific model for the planned CPCS replacement is defined in the two SyRS documents. The licensee also referred to Section 3.2.17 of the LTR, which describes the FMEA for the planned CPCS replacement. The NRC staff reviewed the plant-specific FMEA for the Common Q CPCS design (Reference 1, Enclosure, Attachment 10), which is summarized in Section 3.2.17 of the LTR. This FMEA focuses on component and field device failures but does not address software failures.
The Waterford Unit 3 CPCS SHA identifies software hazards and their mitigation or elimination. The NRC staff audited the SHA (Reference 13) and found that the software failures have been adequately identified and addressed. To address the effects of software failures in the CPCS, Westinghouse performs a software safety analysis. The licensee's VOP Summary includes provisions for the licensee to perform oversight of the Waterford Unit 3 SSP, which governs performance of software safety analysis activities, as a programmatic element of the VOP. Therefore, the licensee will review the SSP implementation for the CPCS to verify that system software does not include hazards that could jeopardize the health and safety of the public. The NRC staff also evaluated the Common Q SSP in Section 3 of the Common Q SPM (Reference 48). The results of this evaluation are in Section 3.5.1.1 of this safety evaluation.
The NRC staff determined that no single failure associated with the replacement CPCS will defeat more than one of the four protective channels and that the upgraded CPCS will respond to input failures in a manner similar to the existing system being replaced. Furthermore, the review of the CPCS FMEA confirms that a single component level failure in the Common Q system does not prevent the CPCS from performing its safety function. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 10.
PSAI 11 - Defense Against Common Mode Failures
In response to PSAI 11, the licensee provided a pointer to Section 3.2.18 of the LTR, which describes the licensee's approach to address common cause failures. The NRC staff evaluated the defense-in-depth and diversity aspects of the CPCS and determined that adequate diversity is maintained to satisfactorily address a common cause failure of all four CPCS channels. The results of this evaluation are in Section 3.3.6.4 of this safety evaluation. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 11.
PSAI 12 - Overall Response Time Testing
The licensee provided a response to PSAI 12 in Section 6.2.2.11 of the LTR that stated that, as part of the planned CPCS replacement LAR, the licensee is proposing to eliminate specific TS SRs, including those related to response times, by crediting AC160 self-diagnostics. The licensee referred to Appendix B, Elimination of Specific CPCS Technical Specification Surveillance Requirements, of the LTR.
The LAR presents a methodology for establishing and providing continuing assurance of system response time requirements. This method involves performing a timing analysis as well as validation and installation tests to verify that the system meets safety function response time requirements. Periodic response time SRs are not proposed for the replacement system because Common Q platform self-diagnostics are being credited to provide continuous assurance that system response time remains acceptable during operation. Section 3.1 of this safety evaluation contains the NRC staff's evaluation of CPCS self-diagnostic functions as an alternative method of ensuring system response time requirements are met after the system is placed into operation.
Based on the above, the NRC staff concludes that the licensee has adequately addressed PSAI 12.
PSAI 13 - Shared System Resources
The licensee provided a response to PSAI 13 in Section 6.2.2.12 of the LTR that stated that this PSAI is not applicable to the planned CPCS replacement because the licensee is only replacing the CPCS and not the PPS. Because the licensee is only proposing use of the Common Q CPCS and has no current plans to upgrade other safety systems to the Common Q platform, the NRC staff determined that there is no resource sharing among Common Q-based systems. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 13.
PSAI 14 - Three Mile Island Action Plan Items
Section 50.34(f)(2) of 10 CFR lists Three Mile Island-related requirements that certain applicants must address. Guidance for reviewing Three Mile Island action plan requirements for I&C systems is in Table 7-1 of NUREG-0800. The NRC staff evaluated the acceptability of the planned CPCS replacement as it applies to these regulatory requirements. In its response to PSAI 14, the licensee concluded that the implementation of the Common Q platform does not render invalid any previously accomplished Three Mile Island action plan items. Section 6.2.2.13 of the LTR states that the Waterford Unit 3 CPCS is a pre-Three Mile Island system that does not perform post-accident monitoring functions.
The NRC staff reviewed the CPCS SyRS documents and determined that the planned CPCS replacement system safety function requirements are equivalent to the requirements of the existing Waterford Unit 3 CPCS. The NRC staff also reviewed the method of bypassing CPCS channels, including its effect on RPS, and determined that CPCS channel bypasses are clearly indicated to plant personnel and only permitted by the RPS when reactor power is less than the permissive power level setpoint. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 14.
PSAI 15 - Automatic Self Testing Features
The licensee provided a response to PSAI 15 in Section 6.2.2.14 of the LTR that stated that the SyRS documents specify the plant-specific requirements for the system's automatic self-testing features that are needed to ensure proper function of the Common Q CPCS application during operation.
The NRC staff's evaluation of the automatic self-diagnostic functions of the planned CPCS replacement is in Section 3.1 of this safety evaluation. Plant-specific self-diagnostic functions needed to ensure proper functioning of the CPCS application during operation are specified in the reference design CPCS SyRS in Attachment 7 to the LAR and are augmented by the Waterford Unit 3 CPCS SyRS. The NRC staff reviewed these specifications and determined these self-test functions will provide adequate assurance of proper functioning of the Waterford Unit 3 CPCS application during system operation. Because these self-test functions are specified in the CPCS design, the NRC staff concludes that the licensee has adequately addressed PSAI 15.
PSAI 16 - Processor Module Limitation
The licensee provided a response to PSAI 16 in Section 6.2.2.15 of the LTR that stated that there are only two PM646A processor modules in a single AC160 controller. The NRC staff reviewed the SyRS and confirmed that only two PM646A processor modules are specified for each AC160 controller. The NRC staff also confirmed that the architectural block diagram in Figure 3.2-1 of the LTR includes two PM646A modules in each AC160 controller. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 16.
PSAI 17 - Qualified Hardware Components
The licensee provided a response to PSAI 17 in Section 6.2.2.16 of the LTR that listed the AC160 modules, including the product revision, that it will use for the Waterford Unit 3 CPCS. The licensee also stated that the Common Q record of changes document assesses the qualified product revisions and the qualification references demonstrating that the product remains consistent with the safety conclusions in the related NRC safety evaluation.
The NRC staff performed an evaluation of platform changes that have occurred since the Common Q platform was last reviewed. The results of this evaluation are in Section 3.6.1 of this safety evaluation. All components being used in the planned Waterford Unit 3 CPCS replacement are included in the list of approved components in the Common Q platform topical report; however, several of these components have been revised in accordance with Westinghouse design change processes. The NRC staff reviewed these changes and determined that the software changes have been adequately analyzed and tested and that there is reasonable assurance that the changes will not adversely impact the CPCS. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 17.
PSAI 18 - Administrative Controls for Setpoint Changes
The licensee provided a response to PSAI 18 in Section 6.2.2.17 of the LTR that stated that Table 3.2.16-1, DI&C-ISG-04-Compliance, Position 10, in the LTR describes the administrative controls for changing setpoints in the planned CPCS replacement. The NRC staff reviewed the administrative controls described in Table 3.2.16-1 and found them to be consistent with the controls described in the Common Q platform topical report. These controls will adequately ensure that changes to CPCS setpoints can only be made while the system is not being relied upon to perform its safety functions. Furthermore, the licensee will declare the affected division of the CPCS inoperable prior to changing setpoints. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 18.
PSAI 19 - Programming Cable Disconnect
The licensee provided a response to PSAI 19 in Section 6.2.2.18 of the LTR that stated that the serial communications link between the MTP and the PM646A is the programming cable that allows the MTP to load a new program into the PM646A. The licensee referred to Table 3.2.16-1 of the LTR, which addresses compliance with Staff Position 1, Point 10 in DI&C-ISG-04.
The licensee has implemented an alternative means of disconnecting the programming serial communication link using a processor select switch, which is described in Table 3.2.16-1 and in Section 3.2.7.1 of the LTR. The processor select switch design is also specified in the reference design SyRS. The NRC staff determined that the licensee's alternative method of disconnecting the serial link to the AC160 controllers using the processor select switch in conjunction with the SLE switch provides an acceptable means of ensuring that the programming communication link between the MTP and the CPCS processor modules is disabled during system operation. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 19.
PSAI 20 - Fiber Optic Cables
The licensee provided a response to PSAI 20 in Section 6.2.2.19 of the LTR that stated that the fiber optic cable will meet the Waterford Unit 3 site environmental qualification requirements.
During a regulatory audit, the NRC staff reviewed the fiber optic cable common-procurement specification (Reference 40 of the LTR) and confirmed that the licensee has taken adequate actions to ensure that all plant-specific environmental qualification requirements for fiber optic cabling to be used in the CPCS are met. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 20.
PSAI 21 - HSL Electromagnetic Emissions
The licensee provided a response to PSAI 21 in Section 6.2.2.20 of the LTR that stated that the Waterford Unit 3 equipment qualification summary report (Reference 1, Enclosure, 1) confirms that the electromagnetic emissions from the HSL do not adversely affect the operation of locally mounted equipment. The NRC staff evaluated the CPCS equipment qualification summary report, which includes electromagnetic emissions test results.
Section 3.4 of this safety evaluation documents the results of this evaluation. The NRC staff verified that the licensee performed a site-specific analysis, which determined that the impact of higher electromagnetic emissions associated with the HSL interface would have no adverse effects on operation of the CPCS. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 21.
PSAI 22 - Use of AI685 Module Metallic Barriers
The licensee provided a response to PSAI 22 in Section 6.2.2.21 of the LTR that stated that the PSAI is not applicable because the planned replacement CPCS uses the AI688 AI module in place of the AI685 AI module. The NRC staff confirmed that AI685 modules are not used in the planned replacement CPCS. Because the planned Waterford Unit 3 replacement CPCS does not include AI685 modules, this PSAI is not applicable to this design and, therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 22.
PSAI 23 - Platform Record of Changes Review
The licensee provided a response to PSAI 23 in Section 6.2.2.22 of the LTR that stated that the response to PSAI 17 addresses PSAI 23. The NRC staff reviewed the Common Q record of changes document (Reference 13 of the LTR) as part of the regulatory audit and found that revised modules in the Common Q platform design that are being used in the Waterford Unit 3 CPCS design have been evaluated for suitability by Westinghouse and have been determined to be acceptable for use in nuclear safety related applications.
The licensee's VOP Summary also includes activities to review the updated Westinghouse record of changes document. The NRC staff confirmed that the licensee will review the Common Q record of platform changes for the Waterford Unit 3 CPCS application as directed by the VOP to ensure that changes do not invalidate safety conclusions in the safety evaluation of the Common Q platform. During its regulatory audit, the NRC staff reviewed the VOP and verified that activities to review and assess platform changes are included. Therefore, the NRC staff concludes that the licensee has adequately addressed PSAI 23.
PSAI 24 - Use of the FPDS to Perform Critical Safety Functions
The licensee provided a response to PSAI 24 in Section 6.2.2.23 of the LTR that stated that the PSAI is not applicable to the planned CPCS replacement because the OM and MTP do not perform safety critical functions. The NRC staff confirmed that the FPDS portion of the Waterford CPCS is not configured to perform safety critical functions. Therefore, this PSAI does not apply to the Waterford CPC CEAC design and, thus, the NRC staff concludes that the licensee has adequately addressed PSAI 24.
PSAI 25 - Safety to Nonsafety Separation
The licensee provided a response to PSAI 25 in Section 6.2.2.24 of the LTR that stated that the AF100 bus resides within one channel of the CPCS architecture, and that only the unidirectional, fiber optically isolated HSL is used for CPCS interchannel communication.
The NRC staff confirmed that interface and test processors are not used in the Waterford Unit 3 CPCS design. The NRC staff also confirmed that each AF100 bus in the CPCS design is isolated to a single safety division. Therefore, neither the AF100 bus nor interface and test processors are relied upon to provide separation between safety and nonsafety-related signals.
The data communications independence of the CPCS is further evaluated in Section 3.3.5 of this safety evaluation. Based on the above, the NRC staff concludes that the licensee has adequately addressed PSAI 25.
3.7 IEEE Std 603-1991 Compliance and IEEE Std 7-4.3.2-2003 Conformance
The licensee submitted the LAR in accordance with DI&C-ISG-06, which refers to the criteria in IEEE Std 603-1991. Although the Waterford Unit 3 licensing basis is IEEE Std 279-1971, the licensee's LTR demonstrates compliance with the applicable clauses in IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003 for the new system architecture, as identified in DI&C-ISG-06. The NRC staff determined that compliance with the criteria of IEEE Std 603-1991 satisfies IEEE Std 279-1971.
The licensee provided Table 7-1, Compliance/Conformance Matrix for IEEE Std 603 and IEEE Std 7-4.3.2, of the LTR, which is based on Table D-1 of DI&C-ISG-06. The table provides a row for each clause in IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003. The licensee indicated in the table where the LTR addresses each clause and extended clause, and whether the LAR submittal complies with or does not apply to (i.e., N/A (not applicable)) each clause and extended clause.
The NRC staff developed Table 1 below based on Table D-1 of DI&C-ISG-06. The NRC staff populated Table 1 with the information provided by the licensee in Table 7-1 of the LTR. The last column of Table 1 references the section number of this safety evaluation that contains the NRC staff's evaluation of whether the planned CPCS replacement complies with IEEE Std 603-1991 and, therefore, IEEE Std 279-1971, and conforms to the guidance in IEEE Std 7-4.3.2-2003.
In this manner, the NRC staff confirmed the licensee's statements of compliance and found that the LAR submittal addresses all applicable IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003 clauses. Therefore, the NRC staff concludes that the planned CPCS replacement satisfies the criteria of IEEE Std 279-1971.
Table 1: IEEE Standards 603-1991 and 7-4.3.2-2003 Compliance/Conformance Table
| IEEE Std 603 Clause | IEEE Std 7-4.3.2 Clause | Title | LTR Section | Safety Evaluation Section |
|---|---|---|---|---|
| 4.1 | 4* | Safety System Design Basis | 3.3.2 Clause 4.1 | 3.3.2 |
| 4.2 | | | 3.3.2 Clause 4.2 | 3.3.2 |
| 4.3 | | | 3.3.2 Clause 4.3 | 3.3.2 |
| 4.4 | | | 3.3.2 Clause 4.4 | 3.3.2 |
| 4.5 | | | 3.3.2 Clause 4.5 | 3.3.2 |
| 4.6 | | | 3.3.2 Clause 4.6 | 3.3.2 |
| 4.7 | | | 3.3.2 Clause 4.7 | 3.3.2, 3.4 |
| 4.8 | | | 3.3.2 Clause 4.8 | 3.3.2, 3.4 |
| 4.9 | | | 3.3.2 Clause 4.9 | 3.3.2 |
| 4.10 | | | 3.3.2 Clause 4.10 | 3.3.2 |
| 4.11 | | | 3.3.2 Clause 4.11 | 3.3.2 |
| 4.12 | | | 3.3.2 Clause 4.12 | 3.3.2 |
| 5.1 | 5.1* | Single-Failure Criterion | 3.2.17, 3.2.19.1.1 | 3.3.6.1 |
| 5.2 | 5.2* | Completion of Protective Action | 3.3.3.1 | 3.3.3, 3.3.6.3 |
| 5.3 | 5.3 | Quality | 3.3.3.10, 5 | 3.3.2, 3.5 |
| | 5.3.1 | Software Development | 5.2 | 3.5.1 |
| | 5.3.1.1 | Software Quality Metrics | 5.2.10 | 3.5.2, 3.5.3 |
| | 5.3.2 | Software Tools | 5.2.10 | 3.5.1, 3.5.2 |
| | 5.3.3 | Verification and Validation | 5.2.12 | 3.5.4 |
| | 5.3.4 | Independent V&V Requirements | 5.2.12 | 3.5.4 |
| | 5.3.5 | Software Configuration Management | 5.2.13 | 3.5.5 |
| | 5.3.6 | Software Project Risk Management | 5.2.10 | 3.5.2 |
| 5.4 | 5.4 | Equipment Qualification | 4 | 3.4 |
| | 5.4.1 | Computer System Testing | 4 | 3.4 |
| | 5.4.2 | Qualification of Existing Commercial Computers | 3.3.3.10, 6.1 | 3.4 |
| 5.5 | 5.5 | System Integrity | 3.3.3.2 | 3.3.2, 3.3.6.3 |
| | 5.5.1 | Design for Computer Integrity | 3.6.3.1.2 | 3.3.6.3 |
| | 5.5.2 | Design for Test and Calibration | 3.2.19.2.1 | 3.1.16 |
| | 5.5.3 | Fault Detection and Self-Diagnostics | 3.2.19.2.2 | 3.1.16 |
| 5.6 | 5.6 | Independence | 3.5.10.5 | 3.3.5, 3.3.6.2 |
| 5.6.1 | | Between Redundant Portions of a Safety System | 3.5.10.1 | 3.3.5.2, 3.3.6.2 |
| 5.6.2 | | Between Safety Systems and Effects of Design-Basis Event | 3.5.10.2 | 3.3.5, 3.3.6.2 |
| 5.6.3 | | Between Safety Systems and Other Systems | 3.5.10.3 | 3.3.5.3, 3.3.6.2 |
| 5.6.4 | | Detailed Criteria | 3.5.10.4 | 3.3.5, 3.3.6.2 |
| 5.7 | 5.7* | Capability for Testing and Calibration | 3.2.19.1.2 | 3.1.16 |
| 5.8 | 5.8* | Information Displays | See subsection below | 3.3.2 |
| 5.8.1 | | Displays for Manually Controlled Actions | 3.2.19.1.3 | 3.3.2 |
| 5.8.2 | | System Status Indication | 3.2.19.1.4 | 3.3.2 |
| 5.8.3 | | Indication of Bypasses | 3.2.19.1.5 | 3.3.2 |
| 5.8.4 | | Location | 3.2.19.1.6 | 3.3.2 |
| 5.9 | 5.9* | Control of Access | 3.3.3.5 | 3.8 |
| 5.10 | 5.10* | Repair | 3.3.3.6 | 3.3.2 |
| 5.11 | 5.11 | Identification | 3.2.19.1.7, 3.6.2.1.2 | 3.3.6.2 |
| 5.12 | 5.12* | Auxiliary Features | 3.5.10.6.1, 3.5.10.6.2 | 3.3.2 |
| 5.13 | 5.13* | Multi-Unit Stations | N/A - The CPCS is not shared among multiple units | |
| 5.14 | 5.14* | Human Factors Considerations | 3.5.10.7 | 3.9 |
| 5.15 | 5.15 | Reliability | 3.6.1.1.2 | 3.3.6.1 |
| 6.1 | 6* | Automatic Control | 3.6.3.1.3 | 3.3.6.3 |
| 6.2 | | Manual Control | N/A - The CPCS is an automatic control system | |
| 6.3 | | Interaction between the Sense and Command Features and Other Systems | 3.6.2.1.3 | 3.3.6.2 |
| 6.4 | | Derivation of System Inputs | 3.6.5.1 | 3.3.2 |
| 6.5 | | Capability for Testing and Calibration | 3.3.3.3 | 3.1.16 |
| 6.6 | | Operating Bypasses | 3.3.3.7 | 3.3.2 |
| 6.7 | | Maintenance Bypass | 3.3.3.8 | 3.3.2 |
| 6.8 | | Setpoints | 3.3.3.9 | 3.1.2 |
| 7.1 | 7* | Automatic Control | N/A - The CPCS only performs sense and command features | |
| 7.2 | | Manual Control | | |
| 7.3 | | Completion of Protective Action | | |
| 7.4 | | Operating Bypass | | |
| 7.5 | | Maintenance Bypass | | |
| 8.1 | 8* | Electrical Power Sources | 3.5.8 | 3.3.5 |
| 8.2 | | Non-electrical Power Sources | N/A - CPCS does not use nonelectrical power sources | |
| 8.3 | | Maintenance Bypass | 3.5.8 | 3.3.5 |

\* The standard does not add anything beyond IEEE Std 603-1991.
3.8 SDOE
The NRC staff reviewed the SDOE Plan for the planned CPCS replacement against Clause 5.9, Control of Access, of IEEE Std 603-1991 and the guidance in Revision 3 to RG 1.152.
Section 12 of the Common Q SPM (Reference 48) addresses the SDOE planning aspects of the Common Q platform from the Concepts phase through the Test phase of the software development life cycle per the guidance provided in RG 1.152. The NRC staff's evaluation of the SDOE Plan is in Section 3.2.13 of the Common Q SPM safety evaluation. The NRC staff's review of the SPM SDOE Plan included a review of the vulnerability assessment performed by Westinghouse on the Common Q platform to ensure that an application is developed without undocumented code, unwanted functions or applications, and any other coding that could adversely affect the reliable operation of the digital system. The NRC staff's evaluation of the SDOE Plan concludes that it meets the regulatory positions of Revision 3 to RG 1.152.
The NRC staff's evaluation of the planned CPCS replacement SDOE focuses on those controls specific to the planned CPCS replacement that ensure an SDOE.
3.8.1 Secure Development Environment
Section 9.1 of the LTR (Reference 9, Enclosure 1) states that as part of vendor oversight activities, the licensee will verify that the Westinghouse secure development environment meets the criteria in Section 12 of the Common Q SPM. The VOP Summary states that secure development environment documentation exists for key attributes, including having a method for identifying the origin of critical components and ensuring that all critical asset components are compliant with the supplier's security requirements and free of counterfeits. The VOP Summary also describes a cyber security acceptance criterion to verify that all known cyber security vulnerabilities of the operating system, vendor's software, firmware, or hardware are remediated or there is a description of why the vulnerability is not a concern for the system.
The NRC staff audited the VOP (Reference 13) and determined that the licensee has adequate plans to verify that the replacement CPCS will be developed in a secure development environment. The licensee's vendor oversight is described in Section 3.5.6 of this safety evaluation.
Based on the above, the NRC staff concludes that the measures identified for the development of the planned CPCS replacement are adequate to prevent inadvertent, unintended, or unauthorized modifications to the system, are consistent with the NRC-approved Common Q SPM, and satisfy the regulatory positions of Revision 3 to RG 1.152.
3.8.2 Secure Operational Environment
The generic SOE features of the Common Q platform are described in Section 12 of the Common Q SPM. The planned Waterford Unit 3 CPCS replacement design implements administrative, logical, and physical control of access design features to prevent inadvertent, unintended, or unauthorized access or modifications to the safety system. These SOE features include locked cabinets, controlled cabinet keys, cabinet door alarms, and key switches to allow changes to addressable constants or changes to the CPCS AC160 controller software. These SOE features ensure that changes are only performed on a bypassed channel.
A vulnerability assessment of the planned CPCS replacement that identifies potential vulnerabilities associated with logical and physical connectivity to the CPCS interfaces was provided as Section 9.2.1 of the LTR. The assessment addresses the potential for inadvertent, unintended, or unauthorized access or modifications to the safety system, and the effects of undesirable behavior of connected systems that may degrade the reliable performance of the safety system. The assessment evaluates the associated logical and physical security controls to address the vulnerabilities and references the specific system requirements for the SOE controls. The LTR states that the SOE controls will be traced through the planned CPCS replacement development life cycle to ensure they are properly addressed in the design, implementation, and testing of the system. The NRC staff reviewed the Waterford Unit 3 CPCS SyRS documents (Reference 1, Enclosure, Attachment 7, and Reference 2, Enclosure 1) and determined that they capture the SOE requirements.
The NRC staff audited the VOP and determined that the licensee has adequate plans to verify that the SOE requirements identified in the SyRS documents are properly implemented and tested. Section 3.5.6 of this safety evaluation describes the licensee's vendor oversight process.
The NRC staff determined that the planned CPCS replacement implements the SOE design features identified in the NRC-approved Common Q SPM; that the design implements adequate control of access and SOE features to ensure protection against inadvertent, unintended, or unauthorized access or modifications to the safety system; and that connected systems will not degrade the reliable performance of the safety system. Therefore, the NRC staff concludes that Clause 5.9, Control of Access, of IEEE Std 603-1991 and the regulatory positions in Revision 3 of RG 1.152 are satisfied.
3.9 Human Factors Considerations
3.9.1 Introduction
The NRC staff conducted an HFE review to verify that the planned CPCS replacement design incorporates and implements accepted HFE practices and guidelines. Section B.1.4, Review Areas Outside the Scope of this Interim Staff Guidance, of DI&C-ISG-06 states that HFE should be considered for certain DI&C equipment modifications.
The licensee submitted an HFE evaluation in Attachment 13, Human Factors Engineering Analysis, to the LAR enclosure (hereafter referred to as Attachment 13) (Reference 1, Enclosure, Attachment 13).
3.9.2 Summary of the Modification and Impact to Operator Actions
According to the licensee's statements in Attachment 13, the design basis for the CPCS is limited to providing automatic reactor trip actuation signals to the PPS during events credited in the UFSAR. When CPCS trip outputs are actuated, the actuation also goes to the plant annunciator system to inform the MCR operators that the CPCS protective action (i.e., a reactor trip) has been initiated. The operators can then verify the automatic reactor trip. If the automatic trip fails to actuate, then the operators can initiate a manual reactor trip at the MCBs (i.e., not using the CPCS).
The planned CPCS replacement includes new HSIs, the OM for MCR operators, and the MTP for maintenance personnel. As stated in Section 8, Human-System Interface Design, of 3, the HSIs do not perform any automatic safety functions, and operator actions are primarily limited to bypassing channels, acknowledging alarms, and selecting displays. The functionalities of the HSIs have been retained from the existing CPCS. There are no new functions performed by operators for the planned CPCS replacement.
As stated in Section 2, HFE Program Management, and Section 3, Operating Experience Review, of Attachment 13, there are no important human actions performed by operators on the CPCS that were identified in the UFSAR, and the planned CPCS replacement does not result in any changes to existing risk-important or credited operator actions. The NRC staff reviewed the Waterford Unit 3 Standardized Plant Analysis Risk model with a focus on the RPS system modeling and did not identify any omitted operator actions or any significant operator actions that were impacted by the proposed amendment.
To support the use of the new HSIs by operators and maintenance personnel, the planned CPCS replacement requires changes to operating, abnormal, alarm response, maintenance, and surveillance procedures. As stated in Section 9, Procedure Development, of 3, the impact to integrated operating procedures involves updates to incorporate startup testing activities associated with the CPCS; the impact to operating and abnormal procedures is to reflect the increase in CEACs from two to eight and changes to OM HSIs; and there is no impact to emergency operating procedures. The licensee will update maintenance procedures with CPCS maintenance requirements specific to the new equipment and surveillance procedures with testing required by the TSs. All changes to procedures will be made in accordance with the licensee's existing procedure development program.
3.9.3 Operating Experience Review
The purpose of an operating experience review is to identify HFE-related safety issues and address them in the design of the plant. The operating experience review assesses information regarding predecessor design performance.
As stated in Section 3 of Attachment 13, the licensee used Palo Verde as the reference design because Palo Verde has a similar Westinghouse Common Q CPCS. The licensee's project team visited Palo Verde twice during the system requirements and design phase, during which the licensee's team solicited design, modification, installation, and operation-related operating experience.
The licensee's project team identified an issue specific to the OM that was incorporated into the new OM design. The operators noted in interviews that they had difficulty assessing the system status with the existing OM because it displayed only a single point ID (or identifier) at one time. The planned OM will display specific point IDs that operations personnel identified as useful. This will provide the operations personnel with the capability to choose from a number of different displays.
Additionally, the licensee described examples of operating experience that were related to the modification. These incidents considered challenges with the design of alarms of similar systems. Insights from these events were used to improve the use of color coding in the alarm system for the current modification.
The NRC staff determined that the licensee has adequately identified the plant's systems, HSIs, procedures, and training that will be modified and has documented the HFE-related safety issues. The licensee also benchmarked Palo Verde because it has a similar Westinghouse Common Q CPCS. Therefore, the NRC staff concludes that the licensee's treatment of the operating experience review meets 10 CFR 50.34(f)(3)(i).
3.9.4 HSI Design
This review element verifies that the licensee has consistently applied HFE principles and criteria to the planned CPCS replacement HSI design so that the personnel have a similar interface between the new and existing OMs and MTPs. This ensures consistency within the operators' existing strategies for gathering and processing information and executing actions identified in the task analysis.
The OMs consist of four FPDs that replace the HSIs for the four existing digital minicomputers of the existing CPCS in the MCR. The OMs are identical, and at each OM an operator can monitor all calculators, including specific inputs or calculated functions, and change addressable constants. The MTPs have been added as part of the planned CPCS replacement. In the existing CPCS design, maintenance and testing was performed at the MCR HSIs. The MTPs are located on the CPC cabinets, and there is one MTP per channel for a total of four MTPs.
The primary use of the MTP is for routine maintenance and maintenance testing by plant technicians. The MTP display performs all the functions of the OM plus surveillance related functions. These functionalities have been retained from the existing CPCS. Both the OMs and the MTPs will be on a Common Q FPDS to ensure that there is consistency in the HSIs.
The licensee stated in Section 3.5.1, System Human Factors, of the reference design SyRS (Reference 1, Enclosure, Attachment 7) that human factors requirements were used during the design of the equipment. For software changes made from the reference design screens, the licensee used WNA-IG-00871-GEN, Human Factors Engineering Guideline for the Common Q Display System, to ensure that NUREG-0700 was met. Additionally, the licensee will use the nuclear management model procedure, EN-DC-163, Human Factors Evaluation, to ensure that all human factors aspects of the modification are understood and meet NUREG-0700.
The NRC staff stated in Section 3.5.1.4 of this safety evaluation that the planned CPCS replacement FMEA (Reference 1, Enclosure, Attachment 10) identifies the hardware and HSI hazards and their mitigation or elimination. The NRC staff's evaluation and determination of acceptability of the FMEA is described under PSAI 10 in Section 3.6.2.2 of this safety evaluation.
The licensee stated in Section 3.3, New System Functions, of the LTR that the replacement CPCS is not adding or modifying CPCS design basis functions except for adding new pre-trip alarms for the auxiliary trips. Therefore, the licensee did not provide compensatory measures for personnel to manage degraded I&C and HSI conditions. Additional discussion of the pre-trip alarms by the licensee is in the planned CPCS replacement FMEA.
The NRC staff audited WNA-IG-0087-GEN and EN-DC-163 (Reference 13) and found that these documents address the changes to the OM and MTP and ensure that the applicable human factor design principles in NUREG-0700 are met. Because the planned CPCS replacement HSIs are designed consistent with design criteria in NUREG-0700, and tasks can be performed on the OM and MTP in a similar manner to how they are performed on the existing CPCS, the NRC staff determined this to be acceptable. This ensures that the design of the HSIs will be based on systematically applied HFE principles and criteria and that the licensee translated task requirements to the HSI design requirements for the planned CPCS replacement design so that it reduces the amount of learning needed to be proficient in using the planned CPCS replacement and, therefore, the potential for errors. Moreover, because the design basis functions of the replacement CPCS remain the same, there are no effects to personnel and plant performance for automation failures and degraded conditions. Therefore, the NRC staff concludes that the licensee's treatment of the human-interface design meets 10 CFR 50.34(f)(2)(iii) and GDC 19.
3.9.5 Training
The purpose of this review element is to ensure that for plants that modernize, the licensee's training program addresses all personnel tasks affected by the planned changes in plant systems and HSIs.
Section 10, Training Program Development, of Attachment 13 to the LAR states that the training will be conducted in accordance with the requirements of the licensee's QAPM and INPO-accredited training program, as described in the UFSAR and controlled by the licensee's training program procedures. The licensee will use a systematic approach to training in accordance with nuclear management model procedure EN-TQ-201, Systematic Approach to Training Process, to develop operations and maintenance training plans specific to the planned CPCS replacement. The training plan will address the changes required for training documentation, identify the personnel to be trained, identify what training is required and the objectives of that training, and include a schedule for both pre- and post-installation training.
The licensee will make the simulator available prior to the next refueling outage (i.e., No. RF24) so that operators can train on the new interface. Because the planned CPCS replacement does not involve temporary or interim configurations over multiple cycles, the operations and maintenance personnel do not have to be trained for temporary plant configurations and HSIs.
The licensee will also conduct a training needs analysis and provide training to address the results of this analysis within the six-month period leading to the outage.
The NRC staff audited EN-TQ-201 (Reference 13) and noted that the licensee has a training program in place that uses a systematic approach to training. This provides the NRC staff reasonable assurance that the licensee's training program addresses all personnel tasks affected by the proposed changes related to the replacement CPCS. Therefore, the NRC staff concludes that the licensee's treatment of the training program will meet 10 CFR 50.34(f)(2)(ii) and 10 CFR 55.4.
3.9.6 Human Factors V&V
The purpose of this review element is to verify that the HFE design conforms to HFE design principles and that it enables Waterford Unit 3 personnel to successfully perform their tasks to ensure plant safety and operational goals.
As stated in Sections 3, 4, Functional Requirements Analysis and Function Allocation, and 7, Treatment of Important Human Actions, of Attachment 13 to the LAR, there are no important human actions performed by operators on the CPCS that were identified in the UFSAR. The planned CPCS replacement does not result in any changes to existing risk-important or credited operator actions. As stated in Section 3.9.2 of this safety evaluation, the NRC staff did not identify any omitted operator actions or any significant operator actions that were impacted by the proposed amendment.
The NRC staff discusses in Sections 3.9.3 and 3.9.4 of this safety evaluation that the operator tasks for interacting with CPCS are performed at the OMs and are primarily limited to bypassing channels, acknowledging alarms, and selecting displays. The licensee evaluated five CPCS operator tasks (i.e., place a CPC channel in bypass, change addressable constants, display point IDs, remove a CEAC from service, and response to MCR annunciator) from the operations training program and found that they can be performed in a similar manner as with the existing HSIs.
Based on the above, the NRC staff determined that the planned CPCS replacement will not (1) change personnel tasks; (2) change task demands, such as the task's dynamics, complexity, or workload; or (3) interact with or affect HSIs and procedures in ways that may degrade performance. Therefore, the NRC staff concludes that the licensee's treatment of the V&V of the planned CPCS replacement is acceptable because the HSI is designed such that the replacement CPCS provides the same information as the existing system.
3.9.7 Design Implementation
The purpose of this review element is to verify the licensee's design implementation of the HSIs, procedures, and training for the planned CPCS replacement.
The licensee has planned for the installation to occur during the next refueling outage (i.e., No. RF24). During that refueling outage, the licensee will install and test the simulator to reflect the MCR design in parallel with the implementation of the control room. In Section 3.5.1.9 of this safety evaluation, the NRC staff states that the Common Q STP prescribes the scope, approach, resources, and schedule of the testing activities and identifies the items and features to be tested. The STP includes module testing, unit testing, integration testing, system validation testing, and FAT. The FAT is conducted to demonstrate that the complete system is integrated and functional. The NRC staff's acceptance of the STP is discussed in Section 3.2.12 of the Common Q SPM safety evaluation (Reference 48). The plant equipment's return-to-service will not occur until simulator installation, procedure changes, and training have been completed. The CPCS will be declared operable when all testing tasks have been completed satisfactorily in accordance with the test plan that is overseen by a qualified test engineer. The licensee described a high-level overview of the implementation in Section 12, Design Implementation, of Attachment 13 to the LAR.
The advantages of a modification during a single outage are that (1) there is no potential for negative effects on personnel performance of interim configurations because the changes are all made at once; (2) interim periods do not have to be analyzed; (3) procedures do not have to be temporarily modified; and (4) personnel do not have to be trained for temporary plant configurations and HSIs. Moreover, the planned changes to the HSIs are not significant such that they would greatly affect the way that personnel operate the plant. The licensee has also presented an adequate plan for procedure updates and training to ensure that its staff are aware of the changes. Because the licensee's treatment of the design implementation is consistent with NUREG-0711 and the planned CPCS replacement will occur during a single outage, the NRC staff concludes that the licensee's design implementation is acceptable.
3.9.8 Conclusion
The NRC staff reviewed the LAR to evaluate whether HFE considerations were integrated into the requirements, development, and design of the planned CPCS replacement. The NRC staff determined that the licensee's treatment of the HFE elements is acceptable because the CPCS modification has no impact to risk-important or credited human actions and a very minor impact on how operators interact with the information provided by the CPCS. The NRC staff also determined that the planned CPCS changes were developed in accordance with the applicable HFE guidance. This guidance provides reasonable assurance that Waterford Unit 3 can be safely operated and maintained; meets 10 CFR 50.34(f)(2)(ii), 10 CFR 50.34(f)(2)(iii), 10 CFR 50.34(f)(3)(i), and 10 CFR 55.4; and meets GDC 19. Therefore, the NRC staff concludes that the planned CPCS replacement meets Clause 5.14 of IEEE Std 603-1991.
3.10 Consistency with Risk-Informed Decisionmaking
The NRC staff's review of the proposed changes considered the five principles of risk-informed decisionmaking. These principles are compliance with existing regulations (or an explicit exemption request), consistency with the defense-in-depth philosophy, maintaining sufficient safety margin, acceptable change in risk, and monitoring the impact of changes through performance measurement strategies.
The planned CPCS replacement is designed to comply with the regulatory requirements of 10 CFR 50.55a(h) and the applicable GDCs (described in Section 2.1 of this safety evaluation) within the current licensing basis. The four-channel design preserves redundancy against single hardware failures and potentially other software errors in a single CPC or CEAC. As discussed in Sections 3.3 and 3.6.2 of this safety evaluation, the NRC staff reviewed and accepted the licensee's approach to address potential common cause failures from a latent software error or other defect not detected during development and testing. As described in Section 3.3.6.4 of this safety evaluation, the UFSAR Chapter 15 events that credit the CPC trip signals have a backup safety-related analog trip. As discussed in Section 1.2 of this safety evaluation, the CPCS is designed to protect fuel safety limits and maintain existing safety margins in the RPS licensing basis. Section 3.2 of this safety evaluation discusses the NRC staff's review of and positive finding on the planned CPCS replacement impact on the analysis of the UFSAR Chapter 15 events. Furthermore, safety analysis acceptance criteria in the licensee's current licensing basis would continue to be met. The CPCS has continuous self-diagnostic monitoring to detect potential failures during operation, which would actuate an alarm in the MCR to notify operators when a system diagnostic error occurs or if a portion of the system is placed in a test configuration. The licensee and CPCS vendor have established measures to ensure the quality of the system and, as described in Section 3.5 of this safety evaluation, the vendor's plans for development and testing of the planned CPCS replacement are in accordance with the NRC-approved Common Q SPM.
The licensee did not provide risk insights or information as part of its application. The NRC staff reviewed the NRC's Standardized Plant Analysis Risk model for Waterford Unit 3 to identify the dominant risk contributors and evaluate the risk insights for the proposed changes. Although the NRC staff did not use the numerical results for its decision, the staff confirmed that special circumstances, as discussed in NUREG-0800, Section 19.2, Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance, dated June 2007 (Reference 60), which would have necessitated additional risk information to be provided, did not exist for the proposed changes. The NRC staff's review identified that the risk significance of the CPCS appears to be low based on available information. The NRC staff's review increased its confidence that the proposed changes would be consistent with the intent of the Commission's policy statement on safety goals for the operations of nuclear power plants. Furthermore, the NRC staff's review determined that the available risk insights supported the deterministic review findings made in this safety evaluation.
In summary, the NRC staff's review determined that the proposed changes are consistent with the five principles of risk-informed decisionmaking.
3.11 Technical Evaluation Conclusion
Based on the preceding regulatory and technical evaluations, the NRC staff concludes that the licensee has adequately justified the proposed TS changes in its LAR, as supplemented.
Specifically, the NRC staff concludes that the planned CPCS replacement design meets the applicable GDCs and the applicable criteria of IEEE Std 603-1991 and, therefore, the applicable criteria of IEEE 279-1971. The NRC staff also concludes that the licensee's VOP Summary meets the applicable requirements of Appendix B to 10 CFR Part 50.
The NRC staff further concludes that the TSs, as amended by the proposed changes, will continue to provide an acceptable way to meet 10 CFR 50.36(c)(3) because the revised SRs will continue to provide assurance that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the LCOs will be met.
4.0 REGULATORY COMMITMENTS
In Attachment 15 of the LAR enclosure, as revised by letter W3F1-2021-0054 dated July 29, 2021 (Reference 10), the licensee made the following regulatory commitment to the NRC:
Entergy will evaluate Waterford CPCS Replacement Project Site Acceptance Test (SAT) and Installation Test Plans using the software process testing characteristics described in BTP 7-14 Section B.3.2.4. This is Plant-specific Action Item #5 per WCAP-16096, Software Program Manual for Common Q™ Systems.
Section C.2.2 of DI&C-ISG-06 explains that one of the prerequisites for using the ARP is for the LAR to include regulatory commitments to complete PSAIs and to complete life cycle activities under the licensee's QA program. The NRC staff evaluated the licensee's responses to the Common Q platform's PSAIs and the SPM's PSAIs, which are related to the system's architecture, vendor activities, and licensee activities that take place after approval of the license amendment.
For PSAIs related to the system's architecture, the licensee has adequately addressed these in the description of the planned CPCS replacement architecture, which the NRC staff has reviewed and documented in this safety evaluation. Therefore, for the planned Waterford Unit 3 CPCS replacement, regulatory commitments are not necessary for PSAIs related to the system's architecture.
For the PSAIs related to vendor activities, the licensee has described in the VOP Summary how it will perform oversight of these vendors' activities. Section 3 of the VOP Summary states that the licensee will ensure that PSAIs identified in the topical reports and further discussed in the LTR are addressed, as described in the LAR. Section 2 of the VOP Summary describes the change control process that will govern any update or change to the VOP after the NRC issues the license amendment. The VOP Summary specifies that the approved NRC safety evaluation will be reviewed to ensure bases or requirements are not adversely impacted by changes to the VOP. The NRC staff finds that the licensee's vendor oversight activities and VOP change controls, as described in the VOP Summary, ensure that the PSAIs related to vendor activities that take place after approval of the license amendment will be adequately addressed, and that the CPCS life cycle activities will be completed under the licensee's QA program. Therefore, for the planned Waterford Unit 3 CPCS replacement, regulatory commitments are not necessary for PSAIs related to vendor activities.
The only PSAI related to licensee activities that take place after approval of the license amendment is SPM PSAI 5, for which the licensee has included a regulatory commitment. The NRC staff reviewed the regulatory commitment and the licensee's response to SPM PSAI 5 and considered the principles of risk-informed decisionmaking described in Section 3.10 of this safety evaluation. The NRC staff concludes that the scope and actions described in the regulatory commitment establish an adequate means of ensuring that the SAT and installation test plans conform to the criteria of Section B.3.2.4 of BTP 7-14 and, therefore, are acceptable.
This regulatory commitment does not warrant the creation of regulatory requirements requiring prior NRC approval of subsequent changes.
5.0 STATE CONSULTATION
In accordance with the Commission's regulations, the NRC staff notified the State of Louisiana officials by telephone and e-mail on June 4, 2021 (Reference 61) of the proposed issuance of the amendment. The State officials had no comments.
6.0 ENVIRONMENTAL CONSIDERATION
The amendment changes requirements with respect to the installation or use of facility components located within the restricted area as defined in 10 CFR Part 20 and changes SRs.
The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding in the Federal Register on December 1, 2020 (85 FR 77264), that the amendment involves no significant hazards consideration, and there has been no public comment on such finding. Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9).
Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.
7.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
8.0 REFERENCES
- 1.
Gaston, R., Entergy Operations, Inc., letter W3F1-2020-0038 to U.S. Nuclear Regulatory Commission, License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated July 23, 2020 (Agencywide Documents Access and Management System (ADAMS) Accession Nos. ML20205L587 (not publicly available, proprietary information) and ML20205L588 (public)):
Enclosure, Attachment 1, Technical Specification Page Markups
Enclosure, Attachment 2, Clean Technical Specification Pages
Enclosure, Attachment 3, Technical Specification Bases Page Markups
Enclosure, Attachment 4, WCAP-18484-P, Revision 0, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Proprietary
Enclosure, Attachment 5, Westinghouse Letter CAW-20-5031, Affidavit, Proprietary Information Notice, and Copyright in support of WCAP-18484-P, (Attachment 4)
Enclosure, Attachment 6, WCAP-18484-NP, Revision 0, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Nonproprietary
Enclosure, Attachment 7, Westinghouse Specification 00000-ICE-30158, Revision 14, System Requirements Specification for the Common Q Core Protection Calculator System, Proprietary
Enclosure, Attachment 8, Westinghouse Specification WNA-DS-04517-CWTR3, Revision 2, System Requirements Specification for the Core Protection Calculator System, Proprietary
Enclosure, Attachment 9, Westinghouse Calculation WNA-CN-00572-CWTR3, Revision 0, Core Protection Calculator System Response Time Calculation, Proprietary
Enclosure, Attachment 10, Westinghouse Specification WNA-AR-00909-CWTR3, Revision 1, Failure Modes and Effects Analysis for the Core Protection Calculator System, Proprietary
Enclosure, Attachment 11, Westinghouse Specification EQ-QR-400-CWTR3, Revision 0, Core Protection Calculator System Primary Digital Components Qualification Summary Report for Waterford Unit 3
Enclosure, Attachment 12, Westinghouse Letter CAW-20-5064, Affidavit, Proprietary Information Notice, and Copyright in support of 00000-ICE-30158, WNA-DS-04517-CWTR3, WNA-CN-00572-CWTR3, WNA-AR-00909-CWTR3, and EQ-QR-400-CWTR3 (Attachments 7, 8, 9, 10, and 11)
Enclosure, Attachment 13, Human Factors Engineering Analysis
Enclosure, Attachment 14, CPC Replacement Project Vendor Oversight Plan (VOP) Summary
Enclosure, Attachment 15, List of Regulatory Commitments.
- 2.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0002 to U.S. Nuclear Regulatory Commission, Open Item Response - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated January 22, 2021 (ADAMS Accession Nos. ML21024A004 (not publicly available, proprietary information) and ML20204A005 (public)):
, Westinghouse Specification WNA-DS-04517-CWTR3, Revision 5, System Requirements Specification for the Core Protection Calculator System, Proprietary
, Westinghouse Specification EQ-QR-412-CWTR3, Revision 1, Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3, Proprietary
, Westinghouse Affidavit CAW-20-5117, Proprietary Information Notice, and Copyright in support of WNA-DS-04517-CWTR3, Revision 5 and EQ-QR-412-CWTR3, Revision 1 (Enclosures 1 and 2).
- 3.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0015 to U.S. Nuclear Regulatory Commission, Revised Vendor Oversight Plan Summary - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated January 29, 2021 (ADAMS Accession No. ML21029A156):
Enclosure, CPC Replacement Project Vendor Oversight Plan (VOP) Summary, Revision 1.
- 4.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0025 to U.S. Nuclear Regulatory Commission, Open Item Response - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated March 5, 2021 (ADAMS Accession Nos. ML21064A534 (not publicly available, proprietary information) and ML21064A535 (public)):
, Westinghouse Letter LTR-GIC-20-003, Revision 1, Waterford 3 CPCS Response Time Information for FSAR and Technical Specification, Proprietary
, Westinghouse Letter LTR-TA-20-4, Revision 0, Waterford Unit 3 Common Q Implementation - Non-LOCA Evaluation of Updated CPCS Response Times, Proprietary
, Westinghouse Report WNA-CN-00572-CWTR3, Revision 1, Core Protection Calculator System Response Time Calculation, Proprietary
, Westinghouse Affidavit CAW-21-5147, Revision 0, Proprietary Information Notice, and Copyright in support of LTR-GIC-20-003, Revision 1 and LTR-TA-20-4, Revision 0 (Enclosures 1 and 2)
, Westinghouse Affidavit CAW-21-5150, Proprietary Information Notice, and Copyright in support of WNA-CN-00572-CWTR3, Revision 1 (Enclosure 3).
- 5.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0026 to U.S. Nuclear Regulatory Commission, Open Item Response - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated March 19, 2021 (ADAMS Accession No. ML21082A393):
Enclosure, Westinghouse Letter LTR-TA-21-17, Revision 2, Waterford 3 CPCS Safety Function Table - PPS Backup Trips.
- 6.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0032 to U.S. Nuclear Regulatory Commission, Revised License Amendment Request - Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated May 21, 2021 (ADAMS Accession No. ML21141A000):
Enclosure, Evaluation of the Proposed Change, Revision 1
Enclosure, Attachment 1, Technical Specification Page Mark-ups, Revision 1
Enclosure, Attachment 2, Clean Technical Specification Pages, Revision 1.
- 7.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0041 to U.S. Nuclear Regulatory Commission, Response to U. S. Nuclear Regulatory Commission Request for Additional Information Regarding License Amendment Request for Digital Upgrade to the Core Protection Calculator and Control Element Assembly Calculator Systems, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated June 2, 2021 (ADAMS Accession Nos. ML21153A389 (not publicly available, proprietary information) and ML21153A390 (public)):
, Attachment 1, EQ-QR-412-CWTR3, Revision 2, Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3, Proprietary
, Attachment 2, CPC Replacement Project Vendor Oversight Plan (VOP) Summary, Revision 2
, Attachment 3, Westinghouse Letter CAW-21-5188, Affidavit, Proprietary Information Notice, and Copyright in support of Enclosure 1, Response to NRC Requests for Additional Information
, Attachment 4, Westinghouse Letter CAW-21-5183, Affidavit, Proprietary Information Notice, and Copyright in support of Attachment 2, EQ-QR-412-CWTR3, Revision 2
, Response to NRC Request for Additional Information, Nonproprietary.
- 8.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0047 to U.S. Nuclear Regulatory Commission, Open Item Response - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated June 21, 2021 (ADAMS Accession Nos. ML21172A298 (not publicly available, proprietary information) and ML21172A299 (public)):
, Westinghouse Specification CN-EQT-20-2, Revision 4, Qualification Evaluation of Core Protection Calculator System Equipment for Waterford Unit 3 Auxiliary Protection Cabinet, Proprietary
, Westinghouse Specification CN-EQT-20-5, Revision 2, Qualification Evaluation of Core Protection Calculator System Equipment for Waterford Unit 3 Main Control Room, Proprietary
, Westinghouse Affidavit CAW-20-5174, Proprietary Information Notice, and Copyright in support of CN-EQT-20-2, Revision 4 (Enclosure 1)
, Westinghouse Affidavit CAW-20-5153, Proprietary Information Notice, and Copyright in support of CN-EQT-20-5, Revision 2 (Enclosure 2).
- 9.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0051 to U.S. Nuclear Regulatory Commission, Revised Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated July 19, 2021 (ADAMS Accession Nos. ML21200A253 (not publicly available, proprietary information) and ML21200A254 (public)):
, WCAP-18484-P, Revision 1, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Proprietary
, WCAP-18484-NP, Revision 1, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Non-Proprietary
, Westinghouse Affidavit CAW-21-5197, Proprietary Information Notice, and Copyright in support of WCAP-18484-P, Revision 1, (Enclosure 1)
, Technical Specification Page Markup
, Clean Technical Specification Page.
- 10.
Gaston, R., Entergy Operations, Inc., letter W3F1-2021-0054 to U.S. Nuclear Regulatory Commission, Revised Commitment - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System, Waterford Steam Electric Station, Unit 3, NRC Docket No. 50-382, Renewed Facility Operating License No. NPF-38, dated July 29, 2021 (ADAMS Accession No. ML21210A283).
- 11.
Klett, A., U.S. Nuclear Regulatory Commission, letter to Site Vice President, Entergy Operations, Inc., Waterford Steam Electric Station, Unit 3, Waterford Steam Electric Station, Unit 3 - Regulatory Audit in Support of Review of Digital Upgrade License Amendment Request (EPID L-2020-LLA-0164), dated October 1, 2020 (ADAMS Accession No. ML20268B324).
- 12.
Klett, A., U.S. Nuclear Regulatory Commission, e-mail to Devoe, R., Entergy Operations, Inc., Waterford Steam Electric Station, Unit 3, Supplement to Audit Plan dated October 1, 2020, dated March 22, 2021 (ADAMS Accession No. ML21084A255).
- 13.
Drake, J., U.S. Nuclear Regulatory Commission, letter to Site Vice President, Entergy Operations, Inc., Waterford Steam Electric Station, Unit 3, Waterford Steam Electric Station, Unit 3 - Summary of Regulatory Audit in Support of Digital Upgrade License Amendment Request (EPID L-2020-LLA-0164), dated August 16, 2021 (ADAMS Accession Nos. ML21223A143 (not publicly available, proprietary information) and ML21160A057 (public)).
- 14.
Buckberg, P., U.S. Nuclear Regulatory Commission, letter to Site Vice President, Entergy Operations, Inc., Waterford Steam Electric Station, Unit 3, Waterford Steam Electric Station, Unit 3 - Request for Additional Information Re: Digital Upgrade to the Core Protection and Control Element Assembly Calculator System (EPID L-2020-LLA-0164), dated April 29, 2021 (ADAMS Accession Nos. ML21112A253 (not publicly available, proprietary information) and ML21112A254 (public))
- 15.
Klett, A., U.S. Nuclear Regulatory Commission, letter to Entergy Operations, Inc., Summary of September 22, 2020, Category 1 Public Meeting with Entergy Operations, Inc. Regarding License Amendment Request to Install Digital Upgrade in Accordance with Digital Instrumentation and Control Interim Staff Guidance No. 06, Revision 2, Licensing Processes (EPID L-2020-LLA-0164), dated October 22, 2020 (ADAMS Accession No. ML20289A267).
- 16.
Entergy Operations, Inc., Waterford Steam Electric Station, Unit 3 Updated Safety Analysis Report, Revision 311, dated September 2019 (ADAMS Accession No. ML19269C528).
- 17.
U.S. Nuclear Regulatory Commission, Standard Technical Specifications, Combustion Engineering Plants, NUREG-1432, Volume 1, Specifications, Revision 4.0, dated April 2012 (ADAMS Accession No. ML12102A165).
- 18.
U.S. Nuclear Regulatory Commission, Safety Evaluation Report related to the operation of Waterford Steam Electric Station, Unit No. 3, NUREG-0787, dated July 1981 (ADAMS Accession No. ML20009E071 (not publicly available) and ML21224A116 (public)).
- 19.
U.S. Nuclear Regulatory Commission, Safety Evaluation Report related to the operation of Waterford Steam Electric Station, Unit No. 3, NUREG-0787 Supplement No. 5, dated June 1983 (ADAMS Accession No. ML091310465 (not publicly available)).
- 20.
U.S. Nuclear Regulatory Commission, Digital Instrumentation and Controls Licensing Process Interim Staff Guidance, DI&C-ISG-06, Revision 2, dated December 2018 (ADAMS Accession No. ML18269A259).
- 21.
U.S. Nuclear Regulatory Commission, Task Working Group #4: Highly-Integrated Control Rooms - Communications Issues (HICRc), Interim Staff Guidance, DI&C-ISG-04, Revision 1, dated March 2009 (ADAMS Accession No. ML083310185).
- 22.
U.S. Nuclear Regulatory Commission, Instrumentation and Controls, NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Chapter 7, Revision 7, dated August 2016 (ADAMS Accession No. ML16020A049).
- 23.
U.S. Nuclear Regulatory Commission, Human Factors Engineering, NUREG-0800, Chapter 18, Revision 3, dated December 2016 (ADAMS Accession No. ML16125A114).
- 24.
U.S. Nuclear Regulatory Commission, Human-System Interface Design Review Guidelines, NUREG-0700, Revision 3, dated July 2020 (ADAMS Accession No. ML20162A214).
- 25.
U.S. Nuclear Regulatory Commission, Human Factors Engineering Program Review Model, NUREG-0711, Revision 3, dated November 2012 (ADAMS Accession No. ML12324A013).
- 26.
Essig, T., U.S. Nuclear Regulatory Commission, letter to Naser, J., Electric Power Research Institute, Safety Evaluation by the Office of Nuclear Reactor Regulation Electric Power Research Institute (EPRI) Topical Report, TR-107330, Final Report, Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety Related Applications in Nuclear Power Plants, dated July 30, 1998 (ADAMS Accession No. ML12205A265)
- 27.
Matthews, D. B., U.S. Nuclear Regulatory Commission, letter to Torok, R. C., Electric Power Research Institute, Review of EPRI Topical Report TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications (TAC No. M94127), dated July 17, 1997 (ADAMS Accession No. ML092190664).
- 28.
U.S. Nuclear Regulatory Commission, Application of the Single-Failure Criterion to Safety Systems, Regulatory Guide 1.53, Revision 2, dated November 2003 (ADAMS Accession No. ML033220006).
- 29.
U.S. Nuclear Regulatory Commission, Criteria for Independence of Electrical Safety Systems, Regulatory Guide 1.75, Revision 3, dated February 2005 (ADAMS Accession No. ML043630448).
- 30.
U.S. Nuclear Regulatory Commission, Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants, Regulatory Guide 1.89, Revision 1, dated June 1984 (ADAMS Accession No. ML003740271).
- 31.
U.S. Nuclear Regulatory Commission, Seismic Qualification of Electrical and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants, Regulatory Guide 1.100, Revision 3, dated September 2009 (ADAMS Accession No. ML091320468).
- 32.
U.S. Nuclear Regulatory Commission, Setpoints for Safety-Related Instrumentation, Regulatory Guide 1.105, Revision 4, dated February 2021 (ADAMS Accession No. ML20330A329).
- 33.
U.S. Nuclear Regulatory Commission, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.152, Revision 3, dated July 2011 (ADAMS Accession No. ML102870022).
- 34.
U.S. Nuclear Regulatory Commission, Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.168, Revision 2, dated July 2013 (ADAMS Accession No. ML13073A210).
- 35.
U.S. Nuclear Regulatory Commission, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.169, Revision 1, dated July 2013 (ADAMS Accession No. ML12355A642).
- 36.
U.S. Nuclear Regulatory Commission, Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.170, Revision 1, dated July 2013 (ADAMS Accession No. ML13003A216).
- 37.
U.S. Nuclear Regulatory Commission, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.171, Revision 1, dated July 2013 (ADAMS Accession No. ML13004A375).
- 38.
U.S. Nuclear Regulatory Commission, Software Requirement Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.172, Revision 1, dated July 2013 (ADAMS Accession No. ML13007A173).
- 39.
U.S. Nuclear Regulatory Commission, Developing Software Life-Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.173, Revision 1, dated July 2013 (ADAMS Accession No. ML13009A190).
- 40.
U.S. Nuclear Regulatory Commission, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Regulatory Guide 1.174, Revision 3, dated January 2018 (ADAMS Accession No. ML17317A256).
- 41.
U.S. Nuclear Regulatory Commission, Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems, Regulatory Guide 1.180, Revision 1, dated October 2003 (ADAMS Accession No. ML032740277).
- 42.
U.S. Nuclear Regulatory Commission, Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants, Regulatory Guide 1.209, dated March 2007 (ADAMS Accession No. ML070190294).
- 43.
U.S. Nuclear Regulatory Commission, Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems, NUREG-0800 Branch Technical Position 7-14, Revision 6, dated August 2016 (ADAMS Accession No. ML16019A308).
- 44. U.S. Nuclear Regulatory Commission, Guidance on Self-Test and Surveillance Test Provisions, NUREG-0800 Branch Technical Position 7-17, Revision 6, dated August 2016 (ADAMS Accession No. ML16019A316).
- 45. U.S. Nuclear Regulatory Commission, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, NUREG-0800 Branch Technical Position 7-19, Revision 7, dated August 2016 (ADAMS Accession No. ML16019A344).
- 46. U.S. Nuclear Regulatory Commission, Guidance on Digital Computer Real-Time Performance, NUREG-0800 Branch Technical Position 7-21, Revision 6, dated August 2016 (ADAMS Accession No. ML16020A036).
- 47. Donohew, J., U.S. Nuclear Regulatory Commission, letter to Overbeck, G. R., Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments on the Core Protection Calculator System Upgrade (TAC Nos. MB6726, MB6727, and MB6728), dated October 24, 2003 (ADAMS Accession No. ML033030363).
- 48. Russ, P., Westinghouse Electric Company, letter to U.S. Nuclear Regulatory Commission, Submittal of WCAP-16096-P-A/WCAP-16096-NP-A, Revision 5, Software Program Manual for Common Q Systems, dated December 3, 2018 (ADAMS Accession No. ML18337A335 (not publicly available, proprietary information)).
- 49. Pulvirenti, A. L., U.S. Nuclear Regulatory Commission, letter to Entergy Operations, Inc., Waterford Steam Electric Station, Unit 3 - Issuance of Amendment Re: Changes to Technical Specification 3.1.3.4 Regarding Control Element Assembly Drop Times (CAC No. MF6459), dated November 13, 2015 (ADAMS Accession No. ML15289A143).
- 50. Harper, Z., Westinghouse Electric Company, letter to U.S. Nuclear Regulatory Commission, Submittal of WCAP-16097-P-A/WCAP-16097-NP-A, Revision 4, Common Qualified Platform Topical Report, dated January 20, 2020 (ADAMS Accession No. ML20020A003).
- 51. Morey, D. C., U.S. Nuclear Regulatory Commission, letter to Harper, Z., Westinghouse Electric Company, U.S. Nuclear Regulatory Commission Verification Letter and Proprietary Determination for WCAP-16097-P-A/WCAP-16097-NP-A, Revision 4, Common Qualified Platform Topical Report (EPID L-2020-TOP-0006), dated February 28, 2020 (ADAMS Accession No. ML20021A004).
- 52. Brinkman, C., ABB Combustion Engineering, Inc., letter to Zech, G. G., U.S. Nuclear Regulatory Commission, Transmittal of Topical Report CENPD-210, Revision 7, dated March 12, 1992 (ADAMS Accession No. ML20090K480).
- 53. U.S. Nuclear Regulatory Commission, Final Safety Evaluation Report Related to the Certification of the System 80+ Design, NUREG-1462, Volume 2, dated August 1994 (ADAMS Accession No. ML100430017).
- 54. Rickard, I., Westinghouse Electric Company, letter to U.S. Nuclear Regulatory Commission, Submittal of Reviewed Common Qualified Platform Documentation (Topical Report, Topical Report Appendices, and Software Program Manual), dated June 5, 2000 (ADAMS Accession No. ML003721623).
- 55. Richards, S. A., U.S. Nuclear Regulatory Commission, letter to Richardson, P., Westinghouse Electric Company, Acceptance for Referencing of Topical Report CENPD-396-P, Rev. 01, Common Qualified Platform and Appendices 1, 2, 3, and 4, Rev. 01 (TAC No. MA1677), dated August 11, 2000 (ADAMS Accession No. ML003740165).
- 56. U.S. Nuclear Regulatory Commission, Managing Regulatory Commitments Made by Licensees to the NRC, Office of Nuclear Reactor Regulation Office Instruction LIC-105, Revision 7, dated August 22, 2016 (ADAMS Accession No. ML16190A013).
- 57. Hahn, D., Entergy Operations, Inc., letter CNRO2021-00011 to U.S. Nuclear Regulatory Commission, Annual Report for Entergy Quality Assurance Program Manual and Indian Point Energy Center Quality Assurance Program changes under 10 CFR 50.54(a)(3), 10 CFR 71.106, and 10 CFR 72.140(d) Notification of Application of Approved Appendix B to 10 CFR 72 subpart G, dated April 1, 2021 (ADAMS Accession No. ML21091A147).
- 58. Gresham, J., Westinghouse Electric Company, letter to U.S. Nuclear Regulatory Commission, Submittal of WCAP-17266-P, Revision 0 and WCAP-17266-NP, Revision 0, Common Q Platform Generic Change Process, dated August 12, 2010 (ADAMS Accession No. ML102290193).
- 59. Gresham, J., Westinghouse Electric Company, letter to U.S. Nuclear Regulatory Commission, Submittal of WCAP-16097-P and -NP, Appendix 5, Revision 1, Common Qualified Platform Record of Changes, dated April 19, 2012 (ADAMS Accession No. ML121150477).
- 60. U.S. Nuclear Regulatory Commission, Review of Risk Information Used to Support Permanent Plant-Specific Changes to the Licensing Basis: General Guidance, NUREG-0800, Section 19.2, dated June 2007 (ADAMS Accession No. ML071700658).
- 61. Schexnayder, B., State of Louisiana, e-mail to Buckberg, P., Lang, J., Wengert, T., and Klett, A., Re: NRC Notification to the State of Louisiana Regarding a Waterford Steam Electric Station, Unit 3 Amendment - Digital Upgrade I&C, dated June 4, 2021 (ADAMS Accession No. ML21160A085).
Standards
Institute of Electrical and Electronics Engineers (IEEE) Std 7-4.3.2-2003, Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, dated December 17, 2003.
IEEE Std 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, dated August 30, 1968.
IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, dated November 30, 1970.
IEEE Std 323-1974, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, dated September 22, 1974.
IEEE Std 323-2003, IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations, dated January 23, 2004.
IEEE Std 344-1975, IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations, dated January 31, 1975.
IEEE Std 379-2000, Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems, dated March 9, 2001.
IEEE Std 384-1992, Criteria for Independence of Class 1E Equipment and Circuits, dated December 1, 1992.
IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, dated December 31, 1991, and the correction sheet dated January 30, 1995.
IEEE Std 828-2005, IEEE Standard for Software Configuration Management Plans, dated August 12, 2005.
IEEE Std 829-2008, IEEE Standard for Software and System Test Documentation, dated July 18, 2008.
IEEE Std 830-1998, IEEE Recommended Practice for Software Requirements Specifications, dated October 20, 1998.
ANSI/IEEE Std 1008-1987, IEEE Standard for Software Unit Testing, dated November 30, 1986.
IEEE Std 1012-2004, IEEE Standard for Software Verification and Validation Plans, dated June 8, 2005.
IEEE Std 1028-2008, IEEE Standard for Software Reviews and Audits, dated August 15, 2008.
IEEE Std 1074-2006, IEEE Standard for Developing Software Life Cycle Processes, dated July 28, 2006.
ISA S67.04-2018, Setpoints for Nuclear Safety-Related Instrumentation, dated 2018.
Military Standard MIL-STD-461G, Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment, dated July 31, 1967.
9.0 ACRONYMS/ABBREVIATIONS
ABB: Asea Brown Boveri
AC: Alternating Current
AC160: Advant Controller 160
ADAMS: Agencywide Document Access and Management System
AF100: Advant Fieldbus 100
AI: Analog Input
ANSI: American National Standards Institute
AO: Analog Output
AOO(s): Anticipated Operational Occurrence(s)
APC: Auxiliary Protective Cabinet
ARP: Alternate Review Process
ASGT: Asymmetrical Steam Generator Trip
ATWS: Anticipated Transients Without Scram
BTP: Branch Technical Position
CEA: Control Element Assembly
CEAC: Control Element Assembly Calculator
CEAC PF: CEAC Penalty Factor Program
CEAPDS: CEA Position Display System
CENP: Combustion Engineering Nuclear Power
COLSS: Core Operating Limits Supervisory System
CPC: Core Protection Calculator
CPCS: Core Protection Calculator System - The scope of this abbreviation includes both the CPC and the CEAC subsystems for this safety evaluation
CPP: CEA Position Processor
CPU: Central Processing Unit
CRC: Cyclic Redundancy Check
CWP: CEA Withdrawal Prohibit
DI: Digital Input
DI&C: Digital Instrumentation and Control
DNBR: Departure from Nucleate Boiling Ratio
DO: Digital Output
EC: Engineering Change
ECT: Engineering Change Testing
EMC: Electromagnetic Compatibility
EPRI: Electric Power Research Institute
ESF: Engineered Safety Feature
ESFAS: Engineered Safety Feature Actuation System
FAT: Factory Acceptance Test
FMEA: Failure Modes and Effects Analysis
FMEDA: Failure Modes, Effects and Diagnostic Analysis
FPD: Flat Panel Display
FPDS: Flat Panel Display System
FPROM: Flash Programmable Read-only Memory
FSAR: Final Safety Analysis Report
GDC: General Design Criterion
GOI: Generic Open Items
HFE: Human Factors Engineering
HSI: Human-Systems Interface
HSL: High Speed Link
IEEE: Institute of Electrical and Electronics Engineers
I/O: Input/Output
ID: Identifier
IRIG: Interrange Instrumentation Group
IRP: Interposing Relay Panel
ISA: International Society of Automation
ISG: Interim Staff Guidance
I&C: Instrumentation and Control(s)
LAR: License Amendment Request
LCO: Limiting Condition for Operation
LLC: Limited Liability Company
LOCA: Loss-of-Coolant Accident
LPD: Local Power Density
LTR: Licensing Technical Report
MCB: Main Control Board
MCR: Main Control Room
MTP: Maintenance and Test Panel
MUX: Multiplexer
NRC: Nuclear Regulatory Commission or the Commission
OBE: Operating Basis Earthquake
OM: Operator Module
PPZR: Pressurizer Pressure
PLC: Programmable Logic Controller
PPS: Plant Protection System
PROM: Programmable Read-only Memory
PSAI: Plant-Specific Action Items
QA: Quality Assurance
RAM: Random Access Memory
RCP: Reactor Coolant Pump
RG: Regulatory Guide
RITS: Global I&C Tracking System
RPS: Reactor Protection System
RSPT: Reed Switch Position Transmitter
RTC: Real-time Clock
RTM: Requirements Traceability Matrix
RTT: Response Time Testing
SAT: Site Acceptance Test (or testing)
SCMP: Software Configuration Management Plan
SDD: Software Design Description
SDOE: Secure Development and Operational Environment
SHA: Software Hazards Analysis
SLE: Software Load Enable
SOE: Secure Operational Environment
SPM: Software Program Manual
SQA: Software Quality Assurance
SQAP: Software Quality Assurance Plan
SR: Surveillance Requirement
SRS: Software Requirements Specification
SSC: Structure, System, and Component
SSE: Safe Shutdown Earthquake
SSP: Software Safety Plan
STP: Software Test Plan
SVVP: Software Verification and Validation Plan
SyRS: System Requirements Specification
Tcold: Cold Leg Temperature
Thot: Hot Leg Temperature
TR: Topical Report
TS: Technical Specification
UFSAR: Updated Final Safety Analysis Report
V&V: Verification and Validation
Vac: Volts Alternating Current
Vdc: Volts Direct Current
VOP: Vendor Oversight Plan
VOPT: Variable Overpower Trip
WWDT: Window Watchdog Timer