ML21286A030


Staffs Questions Pertaining to Limerick Generating Station Digital Modernization Project LAR Pre-submittal Meeting Slides October 20, 2021
Person / Time
Site: Limerick
Issue date: 10/13/2021
From: Bhagwat Jain
Plant Licensing Branch 1
To: Mascitelli F
Exelon Nuclear, Exelon Generation Co
Jain, BP, NRR/DORL/LPLI, 415-6303
References
EPID L-2020-LRM-0041
Text

From: Jain, Bhagwat To: "Mascitelli, Francis J:(Exelon Nuclear)"

Cc: Pareez Golub; Marshall, Michael

Subject:

Limerick Digital Modernization Pre-Submittal Meeting October 20, 2021 - Staff's Questions Date: Wednesday, October 13, 2021 7:13:35 AM

Frank Mascitelli Senior Licensing Engineer Exelon Nuclear Licensing and Regulatory Affairs 200 Exelon Way Kennett Square, PA, 19348

Hello Frank,

In order to develop a better understanding and clarity of the regulatory issues associated with the planned digital instrumentation and controls (I&C) license amendment request, the U.S. Nuclear Regulatory Commission (NRC) staff has identified the following questions and requests that the licensee address these issues in more detail and provide clarity during the October 20, 2021 partially closed public meeting with Exelon Generating Company, LLC (Exelon, the licensee). The notice and agenda for the meeting are available in the Agencywide Documents Access and Management System (ADAMS) at Accession No. ML21256A195.

Consolidation of Systems to a New Plant Protection System

The reactor protection system, emergency core cooling system (ECCS), and nuclear steam supply shutoff system are generally independent systems with sufficient defense-in-depth to assure appropriate protection against accident events in Chapter 15 of the Limerick Updated Final Safety Analysis Report (UFSAR) (ADAMS Accession No. ML21133A134).

The systems are being combined into a plant protection system (PPS) based on a single digital platform technology, with perhaps new physical separation changes (e.g., cabinet configurations) and increased use of shared equipment. The staff would like to understand how this new configuration would change the current independence and defense-in-depth and diversity associated with the current safety systems and licensing basis for Limerick.

According to General Design Criterion (GDC) 21 of Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Appendix A, the protection system shall be designed for a high functional reliability commensurate with the safety functions to be performed.

According to GDC 22 of 10 CFR 50, Appendix A, design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function. According to GDC 23 of 10 CFR 50, Appendix A, the failure or removal of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. The staff in part is focused on how independence is being preserved among three of the four levels (echelons) of defense:

Normal plant and reactivity system controls - not part of the plant modification, and not part of the new safety platform (but part of the new Ovation architecture)

Reactor trip function - part of the same safety platform as the engineered safety feature actuation system (ESFAS) functions and some manual emergency operating controls and indications

ESFAS functions - part of the same safety platform as reactor trip function and some manual emergency operating controls and indications

Manual emergency controls and indications - part of the same safety platform as reactor trip and ESFAS functions

At a recent pre-submittal meeting it was also shown that manual initiation functions rely on confirmatory controls that pass through the safety platform. This may not be consistent with previous revisions of the Branch Technical Position 7-19 and Position 3 of SRM/SECY 93-087.

1. Describe how the proposed PPS design has sufficient overall independence, reliability, and defense-in-depth to facilitate all needed design-basis functions required to be available (or to support guidance for addressing any severe accident/beyond design-basis functions), as appropriate. Describe how applicable GDCs and IEEE-279/603 criteria would continue to be achieved.
2. How would a common cause failure occurring within the power supply/inverter systems feeding the plant protection system cabinets affect the ability to perform all reactor trip, ECCS, containment isolation, or post-accident monitoring functions, when needed to address normal operating conditions, postulated transient events, or design-basis events?
3. Would there remain sufficient displays and manual controls that are independent of the plant protection system to enable plant operators to take manual preplanned actions to address design-basis events?
4. How would each of the major subsystem functions respond to a momentary common cause interruption of power to such systems?
5. Would there be a need for plant operators to have to respond to multiple concurrent spurious operations?
6. The high-level architecture diagram is beneficial and is clear on how safety-to-non-safety interfaces are used and on how separation is established between divisions. It does not show how separation between systems and subsystems within safety divisions is being implemented (NRC recognizes this would not be expected for this type of diagram).

Further explanation would be beneficial.

Reduction in Sensors

The core spray system, high pressure core injection, and low pressure core injection systems, for example, are relied upon to mitigate accidents described in Chapter 15 of Limerick UFSAR. These systems rely upon a current configuration of sensors in the plant to monitor associated process parameters. The staff would like to understand how the proposed reduction and future configuration of sensors would change the current reliability and independence of these systems.

1. According to GDC 21 of 10 CFR 50, Appendix A, the protection system shall be designed for a high functional reliability commensurate with the safety functions to be performed.

Based on the discussions to date, it is unclear how the application will demonstrate that a high functional reliability of the protection system is maintained with the planned reduction of sensors, such that:

a. no single failure results in loss of the protection function and
b. removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated.

Describe how this design criterion will continue to be met if the number of sensors is reduced as described in past pre-submittal meetings.

2. The reduction in sensors may reduce the independence of the protection system.

According to GDC 22 of 10 CFR 50, Appendix A, design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function. Based on the discussion to date, it is unclear how the licensee plans to demonstrate that protection system independence will be preserved with the proposed reduction in sensors.

Describe how this design criterion will continue to be met if the number of sensors is reduced as described in past pre-submittal meetings.

3. The reduction in sensors may reduce the physical separation of sensors that support the protection system. The Limerick UFSAR states that the licensing design basis for sensors associated with initiating the high pressure core injection (HPCI) function and the automatic depressurization system (ADS) functions (among others) is that they are separate from one another. Examples from UFSAR Section 7.3.1.1.1.1.3 for the HPCI initiating circuits state:

For the reactor water level sensors:

The sensors are physically separated from the ADS sensors and tap off the reactor vessel at points widely separated from the ADS sensors.

These same lines are also used for pressure and water level instruments for other systems. A similar arrangement of the ADS instrumentation initiates the ADS system. The arrangement ensures that no single event can prevent reactor vessel low water level from initiating both the HPCI system and the ADS.

For the primary containment pressure sensors:

The sensors are physically separated from the ADS pressure sensors and tap off the containment at points widely separated from the ADS pressure sensors.

Similar wording appears for the ADS function initiation in Section 7.3.1.1.1.2.2 (ADS initiating circuits) of the UFSAR, as follows:

The pressure and level sensors used to initiate ADS are separated from those used to initiate the HPCI system.

Describe whether the physical separation, or the amount of physical separation, currently described in Section 7 of the Limerick UFSAR will be maintained with the planned reduction of sensors.
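The two criteria quoted under item 1 (no single failure defeats the function; removal of any one channel from service preserves the required minimum redundancy) and the UFSAR separation statement under item 3 (no single event prevents a parameter from initiating both HPCI and ADS) can each be expressed as a mechanical check over a sensor-channel arrangement. The following is an added illustration written for this page; it is not the licensee's, the vendor's or the NRC's model, and every channel name, tap name and voting logic in it is constructed for the example and does not describe the Limerick design. It also goes beyond the items above by showing the common engineering case where a bypassed channel is placed in the tripped state, which is one way "acceptable reliability" can be "otherwise demonstrated" for a 2-out-of-3 arrangement.

```python
"""Constructed illustration of single-failure, removal-from-service and
single-event (shared sensing line) checks on M-out-of-N initiating logic.
Nothing here is the Limerick design; all channels, taps and vote logics are
made up for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Channel:
    name: str
    tap: str  # sensing line / vessel tap this channel's sensor draws from


@dataclass
class VotingFunction:
    """An initiating function that actuates when at least m channels vote 'trip'."""
    name: str
    channels: List[Channel]
    m: int
    bypass_trips_channel: bool = False  # bypassed channel placed in the tripped state

    def actuates(self, failed: Set[str], bypassed: Set[str]) -> bool:
        # The process parameter is genuinely beyond the setpoint. Failed channels
        # are assumed to fail in the non-trip direction, the conservative case
        # for loss of the protection function.
        votes = 0
        for ch in self.channels:
            if ch.name in failed:
                continue
            if ch.name in bypassed:
                votes += 1 if self.bypass_trips_channel else 0
            else:
                votes += 1
        return votes >= self.m

    def tolerates_single_failure(self, bypassed: FrozenSet[str] = frozenset()) -> bool:
        """Item 1(a): no single in-service channel failure prevents actuation."""
        in_service = [c.name for c in self.channels if c.name not in bypassed]
        return all(self.actuates({f}, set(bypassed)) for f in in_service)

    def tolerates_removal(self) -> bool:
        """Item 1(b): with any one channel removed from service, (a) still holds."""
        return all(self.tolerates_single_failure(frozenset({c.name})) for c in self.channels)


def single_event_defeats(functions: Iterable[VotingFunction]) -> Dict[str, List[str]]:
    """Item 3 separation check: for each tap, list the functions that would fail
    to actuate if every channel on that tap were lost at once (e.g. a blocked or
    broken sensing line). An empty list for every tap means no single such event
    defeats any function."""
    functions = list(functions)
    taps = sorted({c.tap for f in functions for c in f.channels})
    out: Dict[str, List[str]] = {}
    for tap in taps:
        failed = {c.name for f in functions for c in f.channels if c.tap == tap}
        out[tap] = [f.name for f in functions if not f.actuates(failed, set())]
    return out


def build_cases():
    """Constructed arrangements used by the demonstration below."""
    two_of_four = VotingFunction("2oo4", [Channel(f"C{i}", f"T{i}") for i in range(1, 5)], m=2)
    two_of_three = VotingFunction("2oo3", [Channel(f"C{i}", f"T{i}") for i in range(1, 4)], m=2)
    two_of_three_trip = VotingFunction("2oo3-trip-on-bypass", two_of_three.channels, m=2,
                                       bypass_trips_channel=True)
    # Separated arrangement: each function has its own sensors on its own taps.
    hpci = VotingFunction("HPCI", [Channel(f"H{i}", f"HT{i}") for i in range(1, 4)], m=2)
    ads = VotingFunction("ADS", [Channel(f"A{i}", f"AT{i}") for i in range(1, 4)], m=2)
    # Constructed reduced arrangement: both functions share three channels, two of
    # which draw from the same sensing line L1.
    shared = [Channel("S1", "L1"), Channel("S2", "L1"), Channel("S3", "L2")]
    hpci_r = VotingFunction("HPCI", shared, m=2)
    ads_r = VotingFunction("ADS", shared, m=2)
    return two_of_four, two_of_three, two_of_three_trip, (hpci, ads), (hpci_r, ads_r)


if __name__ == "__main__":
    two_of_four, two_of_three, two_of_three_trip, separated, reduced = build_cases()
    for fn in (two_of_four, two_of_three, two_of_three_trip):
        print(f"{fn.name}: single failure ok={fn.tolerates_single_failure()}, "
              f"removal ok={fn.tolerates_removal()}")
    print("separated taps:", single_event_defeats(separated))
    print("reduced taps:  ", single_event_defeats(reduced))
```

Running it shows the pattern the staff's questions probe: 2-out-of-4 satisfies both item 1 criteria outright; plain 2-out-of-3 satisfies (a) but not (b), because with one channel bypassed a second failure leaves a single vote; 2-out-of-3 with trip-on-bypass recovers (b). For item 3, the separated arrangement survives the loss of any one tap, while the constructed reduced arrangement loses both HPCI and ADS when line L1 is lost, which is exactly the "single event" the UFSAR wording is meant to exclude.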

4. The following information would be helpful in providing the NRC staff an understanding of the planned reduction in sensors and how the reduction may or may not continue to meet regulatory requirements:

Logic diagrams for both the existing systems and the proposed system that illustrate the reduction in sensors.

A piping and instrumentation diagram similar to (or a markup of) Drawing 8031-M-42 that reflects the proposed reduction in sensors.

A crosswalk (or mapping) between the tables on slides 26 and 27 of Exelon's June 29, 2021 proprietary presentation.

Identification of systems, if any, that are independent before the proposed change that will no longer be independent after the proposed reduction in sensors.

Probabilistic Risk Assessments

1. The NRC staff notes that there is a lack of consensus industry guidance for, and known challenges with, modeling digital I&C systems in plant probabilistic risk assessments (PRAs).

Examples of such challenges include the lack of industry data for digital I&C components, the difference between digital and analog system failure modes, and the complexities associated with modeling software failures, including common cause software failures. Although reliability data from vendor tests may be available, this source of data does not appear to compensate for in-the-field operational data.

Please discuss the licensee's approach to address the challenges with modeling digital I&C systems during the proposed update of its PRA models to reflect the as-built and as-operated plant.

2. The NRC staff notes that PRAs contain key assumptions and sources of uncertainty in their development. These are identified and dispositioned in the context of different risk-informed applications and/or decisions. The disposition often involves sensitivity studies to demonstrate negligible or no impact on the application and/or decision. As an example, sensitivity studies are employed to determine the impact of assumptions and uncertainties in digital I&C failure probabilities. The NRC staff further notes that the licensee has approved risk-informed programs in place, such as risk-informed completion times and risk-informed categorization of structures, systems, and components. These programs include identification and disposition of the key assumptions and sources of uncertainty in PRA models supporting the programs.

Please discuss:

a) Whether or not the licensee intends to identify aspects of PRA modeling of digital I&C systems, especially the failure probabilities, including software failure probabilities, as key assumptions, and sources of uncertainty for its PRAs.

b) How does the licensee intend to disposition these items in the context of its approved risk-informed programs? Note that the NRC staff is not attempting to review previously approved programs. Instead, the staff is interested in understanding how uncertainties related to digital I&C modeling resulting from this proposed request will be addressed and propagated in the proposed PRA update.

3. Please discuss the licensee's plans to consider potential impacts of the design on plant risk from external hazards (e.g., seismic events, high-wind events) as part of the update process, recognizing that the licensee may not use a PRA for such considerations.

Best Regards,

BP Jain Senior Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission 301-415-6303; bpj@nrc.gov