ML22046A074

From kanterella
Jump to navigation Jump to search

Review of Limerick Generating Station Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-P, Rev 1. Without Attachment 3 Enclosure
ML22046A074
Person / Time
Site: Limerick  
Issue date: 02/14/2022
From: David Helker
Constellation Energy Generation
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package
ML22046A053 List:
References
CAW-22-008
Download: ML22046A074 (158)
v  d  e


Text

200 Exelon Way Kennett Square, PA 19348 www.constellation.com ATTACHMENT 3 HEREWITH CONTAINS PROPRIETARY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390.

When separated from Attachment 3 this cover letter is decontrolled.

ATTACHMENT 3 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 February 14, 2022 U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 ATTN: Document Control Desk Limerick Generating Station, Units 1 and 2 Renewed Facility Operating License Nos. NPF-39 and NPF-85 NRC Docket Nos. 50-352 and 50-353

Subject:

Review of Limerick Generating Station Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-P, Rev 1, February 2022

References:

1. CEG Slides for Pre-submittal Meeting, Limerick Generating Station Digital Modernization Project LAR Technical Specifications Changes, dated January 11, 2022 (ADAMS Accession No. ML22010A069).
2. NRC Standard Review Plan Branch Technical Position 7-19, Guidance for Evaluation of Defense-in-Depth and Diversity to Address Common Cause Failure due to Latent Design Defects in Digital Safety Systems, Revision 8, dated January 2021 In Reference 1, during final discussion of next steps in an NRC Pre-submittal Meeting conducted on January 11, 2022, Constellation Energy Generation, LLC (CEG) (previously Exelon Generation Company, LLC) informed the NRC of the intent to submit a Defense in Depth and Diversity (D3) Coping Analysis prior to the submittal of its associated License Amendment Request (LAR) for the Limerick Generating Station, Units 1 and 2 (LGS) Digital Modernization Project. The purpose was to facilitate future pre-submittal discussions and to improve NRC staff technical review time post LAR submittal.

Pursuant to Reference 2, CEG requests approval of the attached LGS Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-P, Rev 1, February 2022 Report (D3 Coping Analysis) by August 14, 2022.

CEG is currently planning to submit the LGS Digital Modernization Project LAR in the late August 2022 timeframe. The LAR will contain the D3 Coping Analysis submitted with this request letter.

Review of LGS D3 Coping Analysis LGS Digital Modernization Project Docket Nos. 50-352 and 50-353 February 14, 2022 Page 2 ATTACHMENT 3 HEREWITH CONTAINS PROPRIETARY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390.

When separated from Attachment 3 this cover letter is decontrolled.

ATTACHMENT 3 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 As stated in NRC Standard Review Plan Branch Technical Position 7-19 (Reference 2), the NRC staff requires that the licensee perform a D3 assessment of the proposed safety-related digital I&C system to demonstrate that vulnerabilities to common-cause failures have been adequately addressed. In this assessment, the licensee should analyze design basis events (as identified in the Updated Final Safety Analysis Report). The attached document contains the D3 Coping Analysis assessment of the new proposed digital I&C Plant Protection System.

contains the Westinghouse Electric Company (WEC) affidavit, which establishes the basis upon which the information contained in the D3 Coping Analysis may be withheld from public disclosure. Attachment 2 contains the non-proprietary version of the D3 Coping Analysis. Attachment 3 contains the proprietary version of the D3 Coping Analysis.

The D3 Coping Analysis provided in Attachment 3 contains information proprietary to WEC.

Accordingly, Attachment 1 includes an affidavit signed by WEC, the owner of the proprietary information. The affidavit sets forth the basis upon which the information may be withheld from public disclosure by the NRC, and it addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390 of the NRCs regulations. WEC requests that the WEC proprietary information in Attachment 3 be withheld from public disclosure in accordance with 10 CFR 2.390. Future correspondence with respect to the proprietary aspects of the application for withholding related to the WEC proprietary information or the WEC affidavit provided in Attachments 1 and 3 should reference this request letter.

There are no regulatory commitments contained in this review request.

If you have any questions regarding this submittal, please contact Frank Mascitelli at 610-765-5512.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 14th day of February 2022.

Respectfully, David P. Helker Sr. Manager - Licensing and Regulatory Affairs Constellation Energy Generation, LLC

Affidavit CAW-22-008

Review of LGS D3 Coping Analysis LGS Digital Modernization Project Docket Nos. 50-352 and 50-353 February 14, 2022 Page 3 ATTACHMENT 3 HEREWITH CONTAINS PROPRIETARY-RELATED INFORMATION - WITHHOLD UNDER 10 CFR 2.390.

When separated from Attachment 3 this cover letter is decontrolled.

ATTACHMENT 3 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390

Limerick Generating Station Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-NP, Rev 1 : Limerick Generating Station Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-P, Rev 1 cc:

Regional Administrator - NRC Region I w/ attachments 1 & 2 NRC Senior Resident Inspector - Limerick Generating Station Director, Bureau of Radiation Protection - Pennsylvania Department of Environmental Protection NRC Project Manager, NRR - Limerick Generating Station w/ attachments 1, 2 & 3

ATTACHMENT 1 Limerick Generating Station, Units 1 and 2 NRC Docket Nos. 50-352 and 50-353 Affidavit CAW-22-008

      • This record was final approved on 2/10/2022, 5:10:18 PM. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-22-008 Page 1 of 3 Commonwealth of Pennsylvania:

County of Butler:

(1)

I, Zachary Harper, Manager, Licensing Engineering, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2)

I am requesting the proprietary portions of WNA-AR-01074-GLIM-P, Revision 1 be withheld from public disclosure under 10 CFR 2.390.

(3)

I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4)

Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i)

The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii)

The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouses knowledge, is not available in public sources.

(iii)

Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a document should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

      • This record was final approved on 2/10/2022, 5:10:18 PM. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-22-008 Page 2 of 3 (5)

Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a)

The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b)

It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c)

Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d)

It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e)

It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f)

It contains patentable ideas, for which patent protection may be desirable.

(6)

The attached documents are bracketed and marked to indicate the bases for withholding. The justification for withholding is indicated in both versions by means of lower-case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower-case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (5)(a) through (f) of this Affidavit.

      • This record was final approved on 2/10/2022, 5:10:18 PM. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-22-008 Page 3 of 3 I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief. I declare under penalty of perjury that the foregoing is true and correct.

Executed on: 2/10/2022 Signed electronically by Zachary Harper

      • This record was final approved on 2/10/2022, 5:10:18 PM. (This statement was added by the PRIME system upon its validation)

CAW-22-008 Revision 0 Non-Proprietary Class 3

    • This page was added to the quality record by the PRIME system upon its validation and shall not be considered in the page numbering of this document.**

Approval Information Manager Approval Harper Zachary S Feb-10-2022 17:10:18 Files approved on Feb-10-2022

Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353 Limerick Generating Station Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-NP, Rev 1

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

© 2022 Westinghouse Electric Company LLC All Rights Reserved Westinghouse Non-Proprietary Class 3 Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 Nuclear Safety Related February 2022 APPROVALS Function Name and Signature Author Calvin K. Tang*

Technical Advisor, Plant Control Systems Reviewers Thomas Pietryka*

Limerick Program Manager, Major Projects I&C Terrence C. Tuite*

Principal Engineer, Safety I&C Verifiers Matthew Solmos*

Principal Engineer, New Components and BWR Warren R. Odess-Gillett*

Fellow Engineer, I&C Licensing Approver William G. Pantis*

Manager, Plant Control Systems

  • Electronically approved records are authenticated in the electronic document management system.
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 i

Westinghouse Non-Proprietary Class 3 Template Version 2.8 Template Version 2.8 LIST OF CONTRIBUTORS Revision Name and Title A, 0 Paul Krueger, Limerick Operations Support - Senior Operations Specialist, Exelon Nuclear A, 0 Cynthia L. Olesky, Production Control Coordinator, Major Projects I&C

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 ii Westinghouse Non-Proprietary Class 3 REVISION HISTORY RECORD OF CHANGES Revision Author Description Completed A

Calvin K. Tang Initial release for review 10/26/2021 0

Calvin K. Tang Incorporation of review and verification comments 01/20/2022 1

Calvin K. Tang Incorporation of Exelon Owners Acceptance Review comments on Rev. 0.

Proprietary brackets were added. As such, the Proprietary version is now WNA-AR-01074-GLIM-P and the Non-Proprietary version is WNA-AR-01074-GLIM-NP.

See PRIME DOCUMENT TRACEABILITY & COMPLIANCE Created to Support the Following Document(s)

Document Number Revision OPEN ITEMS Item Description Status None

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 iii Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS Section Title Page LIST OF CONTRIBUTORS.......................................................................................i REVISION HISTORY................................................................................................ii TABLE OF CONTENTS.............................................................................................iii LIST OF TABLES.......................................................................................................xiv LIST OF FIGURES.....................................................................................................xiv ACRONYMS AND TRADEMARKS.........................................................................xv GLOSSARY OF TERMS............................................................................................xviii REFERENCES............................................................................................................xix SECTION 1 INTRODUCTION.......................................................................................................1-1 1.1 PURPOSE....................................................................................................................1-1 1.2 SCOPE.........................................................................................................................1-1 SECTION 2 PLANT PROTECTION SYSTEM ARCHITECTURE...............................................2-1 2.1 PPS ARCHITECTURE...............................................................................................2-1 2.2 PPS ARCHITECTURE CCF VULNERABILITIES...................................................2-4 2.2.1

[

]a,c......................................................................................................2-4 2.2.2 CIM Extensive Testing................................................................................................2-10 2.2.3 PPS Diversity...............................................................................................................2-14 2.2.4

[

]a,c............................................................................................2-14 SECTION 3 D3 CCF COPING ANALYSIS...................................................................................3-1

3.1 EVENT

15.1.1 LOSS OF FEEDWATER HEATING................................................3-3 3.1.1 Sequence of Events (UFSAR Table 15.1-2)................................................................3-3 3.1.2

[

]a,c.................................................................................................................3-3 3.1.3 EOP Entry Conditions.................................................................................................3-3 3.1.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-4 3.1.5 Summary of Diverse Features from PPS.....................................................................3-4 3.1.6 Conclusion...................................................................................................................3-4

3.2 EVENT

15.1.2 FEEDWATER CONTROL FAILURE - MAXIMUM DEMAND (WITHOUT TURBINE BYPASS)...........................................................3-4 3.2.1 Sequence of Events (UFSAR Table 15.1-3)................................................................3-4 3.2.2

[

]a,c.................................................................................................................3-5 3.2.3 EOP Entry Conditions.................................................................................................3-5 3.2.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-5 3.2.5 Summary of Diverse Features from PPS.....................................................................3-6 3.2.6 Conclusion...................................................................................................................3-6

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 iv Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.3 EVENT

15.1.2 FEEDWATER CONTROL FAILURE - MAXIMUM DEMAND (WITH BYPASS)......................................................................................3-6 3.3.1 Sequence of Events (UFSAR Table 15.1-3):...............................................................3-6 3.3.2

[

]a,c.................................................................................................................3-7 3.3.3 EOP Entry Conditions.................................................................................................3-7 3.3.4 Operator Actions per RPV Control EOPs with postulated PPS CCF..........................3-7 3.3.5 Summary of Diverse Features from PPS.....................................................................3-7 3.3.6 Conclusion...................................................................................................................3-8

3.4 EVENT

15.1.3 PRESSURE REGULATOR FAILURE-OPEN.................................3-8 3.4.1 Sequence of Events (UFSAR Table 15.1-4)................................................................3-8 3.4.2

[

]a,c.................................................................................................................3-9 3.4.3 EOP Entry Conditions.................................................................................................3-9 3.4.4 Operator Actions per RPV Control EOPs with postulated PPS CCF..........................3-9 3.4.5 Summary of Diverse Features from PPS.....................................................................3-10 3.4.6 Conclusion...................................................................................................................3-10

3.5 EVENT

15.1.4 INADVERTENT MAIN STEAM RELIEF VALVE OPENING....................................................................................................................3-10 3.5.1 Sequence of Events (UFSAR Table 15.1-5)................................................................3-10 3.5.2

[

]a,c.................................................................................................................3-11 3.5.3 EOP Entry Conditions.................................................................................................3-11 3.5.4 Operator Actions per EOPs with postulated PPS CCF................................................3-11 3.5.5 Summary of Diverse Features from PPS.....................................................................3-12 3.5.6 Conclusion...................................................................................................................3-12

3.6 EVENT

15.1.6 INADVERTENT RHR SHUTDOWN COOLING OPERATION...............................................................................................................3-12 3.6.1 Sequence of Events (UFSAR Table 15.1-1)................................................................3-12 3.6.2

[

]a,c.................................................................................................................3-13 3.6.3 EOP Entry Conditions.................................................................................................3-13 3.6.4 Operator Actions..........................................................................................................3-13 3.6.5 Summary of Diverse Features from PPS.....................................................................3-13 3.6.6 Conclusion...................................................................................................................3-13

3.7 EVENT

15.2.1 PRESSURE REGULATOR FAILURE - CLOSED.........................3-13 3.7.1 Sequence of Events......................................................................................................3-14 3.7.2

[

]a,c.................................................................................................................3-14 3.7.3 EOP Entry Conditions.................................................................................................3-14 3.7.4 Operator Actions..........................................................................................................3-14 3.7.5 Summary of Diverse Features from PPS.....................................................................3-14 3.7.6 Conclusion...................................................................................................................3-14

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 v

Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.8 EVENT

15.2.2 GENERATOR LOAD REJECTION WITH BYPASS FAILURE.....................................................................................................................3-15 3.8.1 Sequence of Events (UFSAR Table 15.2-2)................................................................3-15 3.8.2

[

]a,c.................................................................................................................3-15 3.8.3 EOP Entry Conditions.................................................................................................3-15 3.8.4 Operator Actions per RPV Control / Primary Containment Control EOP with postulated PPS CCF.....................................................................................................3-15 3.8.5 Summary of Diverse Features from PPS.....................................................................3-16 3.8.6 Conclusion...................................................................................................................3-16

3.9 EVENT

15.2.2 GENERATOR LOAD REJECTION WITH BYPASS.....................3-16 3.9.1 Sequence of Events (UFSAR Table 15.2-1)................................................................3-16 3.9.2

[

]a,c.................................................................................................................3-17 3.9.3 EOP Entry Conditions.................................................................................................3-17 3.9.4 Operator Actions per RPV Control / Primary Containment Control EOP with postulated PPS CCF.....................................................................................................3-17 3.9.5 Summary of Diverse Features from PPS.....................................................................3-18 3.9.6 Conclusion...................................................................................................................3-18 3.10 EVENT: 15.2.3 TURBINE TRIP WITHOUT BYPASS.............................................3-18 3.10.1 Sequence of Events (UFSAR Table 15.2-4)................................................................3-18 3.10.2

[

]a,c.................................................................................................................3-19 3.10.3 EOP Entry Conditions.................................................................................................3-19 3.10.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-19 3.10.5 Summary of Diverse Features from PPS.....................................................................3-19 3.10.6 Conclusion...................................................................................................................3-20 3.11 EVENT: 15.2.3 TURBINE TRIP WITH BYPASS.....................................................3-20 3.11.1 Sequence of Events (UFSAR Table 15.2-3)................................................................3-20 3.11.2

[

]a,c.................................................................................................................3-20 3.11.3 EOP Entry Conditions.................................................................................................3-21 3.11.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-21 3.11.5 Summary of Diverse Features from PPS.....................................................................3-21 3.11.6 Conclusion...................................................................................................................3-21 3.12 EVENT: 15.2.4 MSIV CLOSURE..............................................................................3-22 3.12.1 Sequence of Events (UFSAR Table 15.2-5)................................................................3-22 3.12.2

[

]a,c.................................................................................................................3-22 3.12.3 EOP Entry Conditions.................................................................................................3-22 3.12.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-23 3.12.5 Summary of Diverse Features from PPS.....................................................................3-23 3.12.6 Conclusion...................................................................................................................3-23 3.13 EVENT: 15.2.5 LOSS OF CONDENSER VACUUM................................................3-23

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 vi Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.13.1 Sequence of Events (UFSAR Table 15.2-7)................................................................3-23 3.13.2

[

]a,c.................................................................................................................3-24 3.13.3 EOP Entry Conditions.................................................................................................3-24 3.13.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-25 3.13.5 Summary of Diverse Features from PPS.....................................................................3-25 3.13.6 Conclusion...................................................................................................................3-25 3.14 EVENT: 15.2.6 LOSS OF ALL GRID CONNECTIONS...........................................3-25 3.14.1 Sequence of Events (UFSAR Table 15.2-10)..............................................................3-26 3.14.2

[

]a,c.................................................................................................................3-26 3.14.3 EOP Entry Conditions.................................................................................................3-27 3.14.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-27 3.14.5 Summary of Diverse Features from PPS.....................................................................3-27 3.14.6 Conclusion...................................................................................................................3-28 3.15 EVENT: 15.2.7 LOSS OF FEEDWATER..................................................................3-28 3.15.1 Sequence of Events (UFSAR Table 15.2-11)..............................................................3-28 3.15.2

[

]a,c.................................................................................................................3-28 3.15.3 EOP Entry Conditions.................................................................................................3-29 3.15.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-29 3.15.5 Summary of Diverse Features from PPS.....................................................................3-29 3.15.6 Conclusion...................................................................................................................3-30 3.16 EVENT: 15.2.9 LOSS OF SHUTDOWN COOLING.................................................3-30 3.16.1 Sequence of Events (UFSAR Table 15.2-12)..............................................................3-30 3.16.2

[

]a,c.................................................................................................................3-30 3.16.3 EOP Entry Conditions.................................................................................................3-31 3.16.4 Operator Actions..........................................................................................................3-31 3.16.5 Summary of Diverse Features from PPS.....................................................................3-31 3.16.6 Conclusion...................................................................................................................3-31 3.17 EVENT: 15.2.10 LOSS OF STATOR COOLING......................................................3-31 3.17.1 Sequence of Events (UFSAR Table 15.2-15)..............................................................3-31 3.17.2

[

]a,c.................................................................................................................3-32 3.17.3 EOP Entry Conditions.................................................................................................3-32 3.17.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-32 3.17.5 Summary of Diverse Features from PPS.....................................................................3-33 3.17.6 Conclusion...................................................................................................................3-33 3.18 EVENT: 15.3.1 TRIP OF ONE RECIRCULATION PUMP MOTOR.......................3-33 3.18.1 Sequence of Events (UFSAR Table 15.3-1)................................................................3-33 3.18.2

[

]a,c.................................................................................................................3-33 3.18.3 EOP Entry Conditions.................................................................................................3-34

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 vii Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.18.4 Operator Actions per EOPs with postulated PPS CCF................................................3-34 3.18.5 Summary of Diverse Features from PPS.....................................................................3-34 3.18.6 Conclusion...................................................................................................................3-34 3.19 EVENT: 15.3.1 TRIP OF TWO RECIRCULATION PUMPS...................................3-34 3.19.1 Sequence of Events (UFSAR Table 15.3-2)................................................................3-34 3.19.2

[

]a,c.................................................................................................................3-35 3.19.3 EOP Entry Conditions.................................................................................................3-35 3.19.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-35 3.19.5 Summary of Diverse Features from PPS.....................................................................3-35 3.19.6 Conclusion...................................................................................................................3-36 3.20 EVENT: 15.3.2 RECIRCULATION FLOW CONTROL FAILURE-DECREASING FLOW................................................................................................3-36 3.21 EVENT: 15.3.3 RECIRCULATION PUMP SEIZURE..............................................3-36 3.21.1 Sequence of Events (UFSAR Table 15.3-3)................................................................3-36 3.21.2

[

]a,c.................................................................................................................3-37 3.21.3 EOP Entry Conditions.................................................................................................3-37 3.21.4 Operator Actions per RPV Control EOPs with postulated PPS CCF..........................3-37 3.21.5 Summary of Diverse Features from PPS.....................................................................3-37 3.21.6 Conclusion...................................................................................................................3-37 3.22 EVENT: 15.3.4 RECIRCULATION PUMP SHAFT BREAK...................................3-37 3.22.1 Sequence of Events......................................................................................................3-38 3.22.2

[

]a,c.................................................................................................................3-38 3.22.3 EOP Entry Conditions.................................................................................................3-38 3.22.4 Operator Actions..........................................................................................................3-38 3.22.5 Summary of Diverse Features from PPS.....................................................................3-38 3.22.6 Conclusion...................................................................................................................3-38 3.23 EVENT: 15.4.1 ROD WITHDRAWAL ERROR - LOW POWER............................3-38 3.23.1 Sequence of Events......................................................................................................3-39 3.23.2

[

]a,c.................................................................................................................3-39 3.23.3 EOP Entry Conditions.................................................................................................3-39 3.23.4 Operator Actions..........................................................................................................3-39 3.23.5 Summary of Diverse Features from PPS.....................................................................3-40 3.23.6 Conclusion...................................................................................................................3-40 3.24 EVENT: 15.4.2 ROD WITHDRAWAL ERROR - AT POWER...............................3-40 3.24.1 Sequence of Events (UFSAR Table 15.4-1)................................................................3-40 3.24.2

[

]a,c.................................................................................................................3-40 3.24.3 EOP Entry Conditions.................................................................................................3-40 3.24.4 Operator Actions..........................................................................................................3-40 3.24.5 Summary of Diverse Features from PPS.....................................................................3-41

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 viii Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.24.6 Conclusion...................................................................................................................3-41 3.25 EVENT: 15.4.3 CONTROL ROD MALOPERATION (SYSTEM MALFUNCTION OR OPERATOR ERROR)............................................................3-41 3.26 EVENT: 15.4.4 ABNORMAL STARTUP OF IDLE RECIRCULATION PUMP..........................................................................................................................3-41 3.26.1 Sequence of Events (UFSAR Table 15.4-3)................................................................3-41 3.26.2

[

]a,c.................................................................................................................3-41 3.26.3 EOP Entry Conditions.................................................................................................3-41 3.26.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-42 3.26.5 Summary of Diverse Features from PPS.....................................................................3-42 3.26.6 Conclusion...................................................................................................................3-42 3.27 EVENT: 15.4.5 RECIRCULATION FLOW CONTROL FAILURE WITH INCREASING FLOW.................................................................................................3-43 3.27.1 Sequence of Events (UFSAR Table 15.4-4)................................................................3-43 3.27.2

[

]a,c.................................................................................................................3-43 3.27.3 EOP Entry Conditions.................................................................................................3-43 3.27.4 Operator Actions per RPV Control EOP with postulated PPS CCF............................3-43 3.27.5 Summary of Diverse Features from PPS.....................................................................3-44 3.27.6 Conclusion...................................................................................................................3-44 3.28 EVENT: 15.4.7 MISPLACED BUNDLE ACCIDENT..............................................3-44 3.28.1 Sequence of Events (UFSAR Table 15.4-5)................................................................3-44 3.28.2

[

]a,c.................................................................................................................3-45 3.28.3 EOP Entry Conditions.................................................................................................3-45 3.28.4 Operator Actions..........................................................................................................3-45 3.28.5 Summary of Diverse Features from PPS.....................................................................3-45 3.28.6 Conclusion...................................................................................................................3-45 3.29 EVENT: 15.4.9 CONTROL ROD DROP ACCIDENT..............................................3-46 3.29.1 Sequence of Events (GESTAR II, NEDO-24011-A-16-US (Reference 8),

Table S.2.2.3.1.1).........................................................................................................3-46 3.29.2

[

]a,c.................................................................................................................3-46 3.29.3 EOP Entry Conditions.................................................................................................3-47 3.29.4 Operator Actions..........................................................................................................3-47 3.29.5 Summary of Diverse Features from PPS.....................................................................3-47 3.29.6 Conclusion...................................................................................................................3-47 3.30 EVENT: 15.5.1 INADVERTENT HPCI START.......................................................3-47 3.31 EVENT: 15.6.2 INSTRUMENT LINE BREAK.........................................................3-48 3.31.1 Sequence of Events (UFSAR Table 15.6-1)................................................................3-48 3.31.2

[

]a,c.................................................................................................................3-48 3.31.3 EOP Entry Conditions.................................................................................................3-48

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 ix Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.31.4 Operator Actions with postulated PPS CCF................................................................3-48 3.31.5 Summary of Diverse Features from PPS.....................................................................3-48 3.31.6 Conclusion...................................................................................................................3-49 3.32 EVENT: 15.6.4 STEAM SYSTEM PIPE BREAK OUTSIDE PRIMARY CONTAINMENT........................................................................................................3-49 3.32.1 Sequence of Events (UFSAR Table 15.6-8)................................................................3-49 3.32.2

[

]a,c.................................................................................................................3-50 3.32.3 EOP Entry Conditions.................................................................................................3-50 3.32.4 Summary of Relevant Operator Actions per EOPs with postulated PPS CCF............3-50 3.32.5 Summary of Diverse Features from PPS.....................................................................3-51 3.32.6 Conclusion...................................................................................................................3-52 3.33 EVENT: 15.6.5 LOCA INSIDE CONTAINMENT....................................................3-52 3.33.1 Sequence of Events (UFSAR Table 6.3-2)..................................................................3-52 3.33.2

[

]a,c.................................................................................................................3-53 3.33.3 EOP Entry Conditions.................................................................................................3-53 3.33.4 Summary of Relevant Operator Actions per RPV Control and Primary Containment Control EOPs with postulated PPS CCF................................................3-54 3.33.5 Summary of Diverse Features from PPS.....................................................................3-54 3.33.6 Conclusion...................................................................................................................3-55 3.34 EVENT: 15.6.5 LOCA INSIDE CONTAINMENT-MAIN STEAM LINE BREAK........................................................................................................................3-56 3.34.1 Sequence of Events (UFSAR Table 6.2-16)................................................................3-56 3.34.2

[

]a,c.................................................................................................................3-56 3.34.3 EOP Entry Conditions.................................................................................................3-57 3.34.4 Summary of Relevant Operator Actions per RPV Control and Primary Containment Control EOPs with postulated PPS CCF................................................3-57 3.34.5 Summary of Diverse Features from PPS.....................................................................3-58 3.34.6 Conclusion...................................................................................................................3-58 3.35 EVENT: 15.6.6 FEEDWATER LINE BREAK OUTSIDE PRIMARY CONTAINMENT........................................................................................................3-59 3.35.1 Sequence of Events (UFSAR Table 15.6-23)..............................................................3-59 3.35.2

[

]a,c.................................................................................................................3-59 3.35.3 EOP Entry Conditions.................................................................................................3-60 3.35.4 Summary of Relevant Operator Actions per RPV Control and Secondary Containment Control EOPs with postulated PPS CCF................................................3-60 3.35.5 Summary of Diverse Features from PPS.....................................................................3-61 3.35.6 Conclusion...................................................................................................................3-61 3.36 EVENT: 15.7.1.1 MAIN CONDENSER OFFGAS TREATMENT SYSTEM FAILURE.....................................................................................................................3-61 3.36.1 Sequence of Events (UFSAR Table 15.7-1)................................................................3-61

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 x

Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

3.36.2

[

]a,c.................................................................................................................3-62 3.36.3 EOP Entry Conditions.................................................................................................3-62 3.36.4 Operator Actions per RPV Control EOPs with postulated PPS CCF..........................3-62 3.36.5 Summary of Diverse Features from PPS.....................................................................3-62 3.36.6 Conclusion...................................................................................................................3-62 3.37 EVENT: 15.7.1.2 MALFUNCTION OF MAIN TURBINE GLAND SEALING SYSTEM......................................................................................................................3-63 3.37.1 Sequence of Events......................................................................................................3-63 3.37.2

[

]a,c.................................................................................................................3-63 3.37.3 EOP Entry Conditions.................................................................................................3-63 3.37.4 Operator Actions..........................................................................................................3-63 3.37.5 Summary of Diverse Features from PPS.....................................................................3-63 3.37.6 Conclusion...................................................................................................................3-63 3.38 EVENT: 15.7.1.3 FAILURE OF STEAM JET AIR EJECTOR LINES.....................3-64 3.38.1 Sequence of Events......................................................................................................3-64 3.38.2

[

]a,c.................................................................................................................3-64 3.38.3 EOP Entry Conditions.................................................................................................3-64 3.38.4 Operator Actions..........................................................................................................3-64 3.38.5 Summary of Diverse Features from PPS.....................................................................3-64 3.38.6 Conclusion...................................................................................................................3-64 3.39 EVENT: 15.7.2 LIQUID RADIOACTIVE WASTE SYSTEM FAILURE................3-64 3.40 EVENT: 15.7.3 POSTULATED RADIOACTIVE RELEASES DUE TO LIQUID RADWASTE TANK FAILURE...................................................................3-65 3.41 EVENT: 15.7.4 FUEL HANDLING ACCIDENT......................................................3-65 3.41.1 Sequence of Events (UFSAR Table 15.7-15)..............................................................3-65 3.41.2

[

]a,c.................................................................................................................3-65 3.41.3 EOP Entry Conditions.................................................................................................3-65 3.41.4 Operator Actions..........................................................................................................3-66 3.41.5 Summary of Diverse Features from PPS.....................................................................3-66 3.41.6 Conclusion...................................................................................................................3-66 3.42 EVENT: 15.7.5 SPENT FUEL CASK-DROP ACCIDENT.......................................3-66 3.43 EVENT: 15.7.6 MOVEMENT OF LOADS WITHOUT SECONDARY CONTAINMENT........................................................................................................3-66 3.44 EVENT: 15.7.8 ANTICIPATED TRANSIENTS WITHOUT SCRAM.....................3-67 3.45

SUMMARY

OF REQUIRED DPS CONTROLS.......................................................3-67 3.46

SUMMARY

OF DIVERSE INDICATIONS WITH PLANT IDENTIFIERS............3-71 SECTION 4 BTP 7-19 POSITION 4 DISPLAYS AND CONTROLS............................................4-1 4.1 REACTIVITY CONTROL..........................................................................................4-1

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xi Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

4.1.1 Position 4 Controls.......................................................................................................4-1 4.1.2 Position 4 Displays......................................................................................................4-2 4.2 CORE HEAT REMOVAL..........................................................................................4-2 4.2.1 Position 4 Controls.......................................................................................................4-2 4.2.2 Position 4 Displays......................................................................................................4-3 4.3 REACTOR COOLANT INVENTORY......................................................................4-3 4.3.1 Position 4 Controls.......................................................................................................4-4 4.3.2 Position 4 Displays......................................................................................................4-4 4.4 CONTAINMENT ISOLATION..................................................................................4-4 4.4.1 Position 4 Controls - Primary Containment................................................................4-4 4.4.2 Position 4 Controls - Secondary Containment (Reactor Enclosure)...........................4-5 4.4.3 Position 4 Displays......................................................................................................4-5 4.5 CONTAINMENT INTEGRITY..................................................................................4-5 4.5.1 Position 4 Controls.......................................................................................................4-6 4.5.2 Position 4 Displays......................................................................................................4-6 4.6

SUMMARY

OF POSITION 4 DIVERSE CONTROLS.............................................4-6 4.7

SUMMARY

OF DIVERSE POSITION 4 DISPLAYS...............................................4-7

4.8 CONCLUSION

............................................................................................................4-8 SECTION 5 CCF SPURIOUS ACTUATION ANALYSIS.............................................................5-1 5.1

[

]a,c...............5-3 5.1.1

[

]a,c.....................................................................................................5-3 5.1.2

[

]a,c.....................5-3 5.1.3

[

]a,c..........................................................................................5-3 5.1.4

[

]a,c........................................5-3 5.1.5

[

]a,c..............................................................5-4 5.1.6

[

]a,c............................................................................................................5-4 5.2

[

]a,c...........................................................................................................5-4 5.2.1

[

]a,c.....................................................................................................5-4 5.2.2

[

]a,c..................................................................................5-4 5.2.3

[

]a,c..........................................................................................5-4 5.2.4

[

]a,c........................................5-5 5.2.5

[

]a,c..............................................................5-5 5.2.6

[

]a,c............................................................................................................5-5 5.3

[

]a,c..........................5-5 5.3.1

[

]a,c.....................................................................................................5-5 5.3.2

[

]a,c..................................................................................5-5 5.3.3

[

]a,c..........................................................................................5-6 5.3.4

[

]a,c........................................5-6 5.3.5

[

]a,c..............................................................................5-7 5.3.6

[

]a,c............................................................................................................5-7

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xii Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

5.4

[

]a,c..........................................................5-7 5.4.1

[

]a,c.....................................................................................................5-7 5.4.2

[

]a,c..................................................................................5-7 5.4.3

[

]a,c..........................................................................................5-8 5.4.4

[

]a,c........................................5-8 5.4.5

[

]a,c..............................................................5-8 5.4.6

[

]a,c............................................................................................................5-8 5.5

[

]a,c.........................5-9 5.5.1

[

]a,c.....................................................................................................5-9 5.5.2

[

]a,c..................................................................................5-9 5.5.3

[

]a,c..........................................................................................5-9 5.5.4

[

]a,c........................................5-9 5.5.5

[

]a,c..............................................................5-10 5.5.6

[

]a,c............................................................................................................5-10 5.6

[

]a,c.........................................................5-11 5.6.1

[

]a,c.....................................................................................................5-11 5.6.2

[

]a,c..................................................................................5-11 5.6.3

[

]a,c..........................................................................................5-11 5.6.4

[

]a,c........................................5-12 5.6.5

[

]a,c..............................................................5-12 5.6.6

[

]a,c............................................................................................................5-13 5.7

[

]a,c.................................................................................................................................5-13 5.7.1

[

]a,c.....................................................................................................5-13 5.7.2

[

]a,c..................................................................................5-13 5.7.3

[

]a,c..........................................................................................5-14 5.7.4

[

]a,c........................................5-14 5.7.5

[

]a,c..............................................................5-14 5.7.6

[

]a,c............................................................................................................5-15 5.8

[

]a,c.........................................................5-15 5.8.1

[

]a,c.....................................................................................................5-15 5.8.2

[

]a,c..................................................................................5-15 5.8.3

[

]a,c..........................................................................................5-15 5.8.4

[

]a,c........................................5-16 5.8.5

[

]a,c..............................................................5-16 5.8.6

[

]a,c............................................................................................................5-16 5.9

[

]a,c...........................................................5-16 5.9.1

[

]a,c.....................................................................................................5-16 5.9.2

[

]a,c..................................................................................5-16 5.9.3

[

]a,c..........................................................................................5-17 5.9.4

[

]a,c........................................5-17 5.9.5

[

]a,c..............................................................5-17 5.9.6

[

]a,c............................................................................................................5-17 5.10

[

]a,c........................................................5-18

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xiii Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (CONT.)

5.10.1

[

]a,c.....................................................................................................5-18 5.10.2

[

]a,c..................................................................................5-18 5.10.3

[

]a,c..........................................................................................5-18 5.10.4

[

]a,c.......5-18 5.10.5

[

]a,c..............................................................5-19 5.10.6

[

]a,c............................................................................................................5-19 5.11

[

]a,c................................................5-19 5.12

[

]a,c.................................5-19 SECTION 6 DIVERSITY ATTRIBUTES BETWEEN PPS AND DCS.........................................6-1 6.1 HUMAN DIVERSITY................................................................................................6-1 6.2 DESIGN DIVERSITY.................................................................................................6-2 6.3 SOFTWARE DIVERSITY..........................................................................................6-4 6.4 FUNCTIONAL DIVERSITY......................................................................................6-4 6.5 SIGNAL DIVERSITY.................................................................................................6-4 6.6 EQUIPMENT DIVERSITY........................................................................................6-4

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xiv Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS (cont.)

LIST OF TABLES Table Title Page Table 2-1. [

]a,c......................................................................2-9 Table 2-2. Comparison of BTP 7-19 Test Criteria to CIM Testing......................................................2-12 Table 3-1. Summary of Required DPS Controls...................................................................................3-68 Table 3-2. Diverse Indications Summary.............................................................................................3-71 LIST OF FIGURES Figure Title Page Figure 2-1. PPS Architecture................................................................................................................2-3 Figure 2-2. CIM-SRNC Subsystem......................................................................................................2-6 Figure 2-3. CIM Safety Path Testing....................................................................................................2-11 Figure 5-1. [

]a,c......................................................................................................5-2 Figure 6-1. PPS and DCS Architectures...............................................................................................6-3

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xv Westinghouse Non-Proprietary Class 3 ACRONYMS AND TRADEMARKS Acronyms used in the document are defined in WNA-PS-00016-GEN, Standard Acronyms and Definitions (Reference 40), or included below to ensure unambiguous understanding of their use within this document.

Acronym Definition ABB Asea Brown Boveri ADS Automatic Depressurization System AOO Anticipated Operational Occurrence APRM Average Power Range Monitor ARI Alternate Rod Insertion ASD Adjustable Speed Drive ATWS Anticipated Transient Without Scram BPL Bistable Processing Logic BPWS Banked Position Withdrawal Sequence CCF Common Cause Failure CIM Component Interface Module CRD Control Rod Drive CRDA Control Rod Drop Accident CREFAS Control Room Emergency Fresh Air Supply System CS Core Spray CST Condensate Storage Tank DBA Design Basis Accident DCS Distributed Control System DEHC Digital Electro-Hydraulic Control System DFWLCS Digital Feedwater and Level Control System DWCW Drywell Chilled Water System DPS Diverse Protection System EAB Exclusion Area Boundary ECCS Emergency Core Cooling System EOP Emergency Operating Procedure FPGA Field Programmable Gate Array FZ Fuel Zone HMI Human Machine Interface HPCI High Pressure Coolant Injection (system)

HSL High Speed Link HVAC Heating, Ventilation, and Air Conditioning ILP Integrated Logic Processor IRM Intermediate Range Monitor ITP Interface and Test Processor IV&V Independent Verification and Validation LCL Local Coincidence Logic LGS Limerick Generating Station LOCA Loss of Coolant Accident

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xvi Westinghouse Non-Proprietary Class 3 Acronym Definition LOOP Loss of Offsite Power LPCI Low Pressure Core Injection (system)

LPZ Low Population Zone MCR Main Control Room MSCRWL Minimal Steam Cooling Reactor Water Level MSIV Main Steam Isolation Valve MSRV Main Steam Relief Valve MTP Maintenance and Test Panel NMS Neutron Monitoring System NR Narrow Range NSSSS Nuclear Steam Supply Shutoff System PA Postulated Accident PPS Plant Protection System PRS Plant Reference Simulator PSP Pressure Suppression Pressure PSTG Plant Specific Technical Guidelines RCIC Reactor Core Isolation Cooling (system)

RCPB Reactor Coolant Pressure Boundary RAW Risk Achievement Worth RBM Rod Block Monitor RECW Reactor Enclosure Cooling Water System RERS Reactor Enclosure Recirculation System RHR Residual Heat Removal RHRSW RHR Service Water RMCS Reactor Manual Control System RNI Remote Node Interface RPS Reactor Protection System RPT Recirculation Pump Trip RPV Reactor Pressure Vessel RRCS Redundant Reactivity Control System RSP Remote Shutdown Panel RTL Register-Transfer Level RWM Rod Worth Minimizer SD Safety Display SDC Shutdown Cooling SGTS Standby Gas Treatment System SRNC Safety Remote Node Controller SRV Safety Relief Valve TAF Top of Active Fuel TEDE Total Effective Dose Equivalent TU Termination Unit UFSAR Updated Final Safety Analysis Report WR Wide Range

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xvii Westinghouse Non-Proprietary Class 3 All other product and corporate names used in this document may be trademarks or registered trademarks of other companies, and are used only for explanation and to the owners benefit, without intent to infringe.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xviii Westinghouse Non-Proprietary Class 3 GLOSSARY OF TERMS Standard terms used in the document are defined in WNA-PS-00016-GEN, Standard Acronyms and Definitions (Reference 40), or included below to ensure unambiguous understanding of their use within this document.

Term Definition N/A

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xix Westinghouse Non-Proprietary Class 3 REFERENCES Following is a list of references used throughout this document.

1.

WCAP-16097-P-A, Revision 5, Common Qualified Platform Topical Report, Westinghouse Electric Company LLC

2.

ML20339A647, Revision 8, Branch Technical Position 7-19, Guidance For Evaluation Of Defense In Depth And Diversity To Address Common-Cause Failure Due To Latent Design Defects In Digital Safety Systems, U.S. Nuclear Regulatory Commission

3.

ML083310185, Revision 1, DI&C-ISG-04, Digital Instrumentation and Controls Highly-Integrated Control Rooms - Communication Issues (HICRc), U.S. Nuclear Regulatory Commission

4.

WNA-LI-00096-GEN, Revision 0, Evaluation of Common Cause Failure Susceptibility of Component Interface Module, Westinghouse Electric Company LLC

5.

[

]a,c

6.

ML0906103170, Wolf Creek Generating Station -Issuance Of Amendment Re: Modification of the Main Steam And Feedwater Isolation System Controls (TAC NO. MD4839)

7.

Limerick Generating Station Updated Final Safety Analysis Report (UFSAR), Revision 19

8.

NEDO-24011-A-16-US, Revision 16, Supplement to General Electric Standard Application for Reactor Fuel, GESTAR II, Base Document NEDO-24011-P-A, General Electric July 2006

9.

OT-101, Revisions 39, LGS High Drywell Pressure Operating Procedure Attachment 3 Loss of Drywell Cooling

10.

OT-104, Revision 58, LGS Unexpected/Unexplained Positive or Negative Reactivity Insertion Operating Procedure

11.

OT-110, Revision 24, LGS Reactor High Level Operating Procedure

12.

OT-117, Revision 12, LGS RPS Failures Operating Procedure

13.

ON-113, Revision 28, LGS Loss of RECW Operation Procedure

14.

T-101, Revision 28, LGS RPV Control EOP

15.

T-102, Revision 28, LGS Primary Containment Control EOP

16.

T-103, Revision 25, LGS Secondary Containment Control EOP

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xx Westinghouse Non-Proprietary Class 3

17.

T-121, Revision 0, LGS RPV Control - OPCON 4 EOP

18.

T-131, Revision 0, LGS Decay Heat Control - OPCON 5 EOP

19.

NUREG-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, U.S. Nuclear Regulatory Commission

20.

Wolf Creek Nuclear Operating Corporation Wolf Creek Generating Station Docket No. 50-482 Amendment to Renewed Facility Operating License, March 31, 2009, US Nuclear Regulatory Commission (ML090610317)

21.

6002-00031, Revision 0, ALS Diversity Analysis, CS Innovations, LLC

22.

Deleted

23.

WCAP-17179, Revision 6, AP1000 Component Interface Module Technical Report, Westinghouse Electric Company LLC

24.

Southern Nuclear Operating Company Vogtle Electric Generating Plant Unit 4, Resubmittal of ITAAC Closure Notification on Completion of ITAAC 2.5.02.14 [Index Number 553],

ND-17-0824, 22 May 2017 (ML17143A244), Southern Company

25.

ITAAC 2.5.01.14 Closure Verification Evaluation Form, September 22, 2017 (ML17268A064)

U.S. Nuclear Regulatory Commission

26.

Deleted

27.

6105-00021, Revision 5, CIM SRNC ISE Specification, Westinghouse Electric Company LLC

28.

WNA-TP-04019-GEN, Revision 2, CIM SRNC Subsystem Test Procedure, Westinghouse Electric Company LLC

29.

APP-PMS-T1P-080, Revision 0, AP1000 PMS System Integration Test CIM Priority Test Procedure, Westinghouse Electric Company LLC

30.

6105-60136, Revision 1, CIM-SRNC ISE Test Task Report, Westinghouse Electric Company LLC

31.

WNA-TR-02718-GEN, Revision 4, CIM SRNC Subsystem Test Report, Westinghouse Electric Company LLC

32.

APP-PMS-T2R-080, Revision 1, AP1000 Protection and Safety Monitoring System - System Integration Test CIM Priority Test Report, Westinghouse Electric Company LLC

33.

WNA-DS-02904-GEN, Revision 0, CIM-SRNC Test Tool Design Specification, Westinghouse Electric Company LLC

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 xxi Westinghouse Non-Proprietary Class 3

33.

WNA-DS-02904-GEN, Revision 0, CIM-SRNC Test Tool Design Specification, Westinghouse Electric Company LLC

34.

WNA-RL-03374-VS3, Revision 2, V.C. Summer Unit 3 AP1000 Protection and Safety Monitoring System Hardware Configuration Management Release Report, Westinghouse Electric Company LLC

35.

LG-MISC-041, Limerick Generating Station - Primary Containment Isolation Valve Risk Ranking, Revision 0, Exelon

36.

NEDO-2422, Assessment of BWR Mitigation of ATWS, Volume II (NUREG 0460 Alternate No. 3, Non-Proprietary version, General Electric, February 1981

37.

Generic Letter 89-19, Request for Action Related to Resolution of Unresolved Safety Issue A-47 Safety Implication of Control Systems in LWR Nuclear Power Plants, Pursuant to 10 CFR 50.54(f), Nuclear Regulatory Agency, September 20, 1989

38.

SE-10, Revision 65, LGS Special Event Procedure

39.

LM-0642, Suppression Pool pH Calculation for Alternate Source Terms, Exelon

40.

WNA-PS-00016-GEN, Revision 8, Standard Acronyms and Definitions, Westinghouse Electric Company LLC

41.

TP18-1-008, Revision 4, Emergency Procedures Committee EPG/SAG Rev 4 and the TSG Rev 1, BWROG, June 1, 2018

42.

TP18-1-008, Revision 4, BWROG Emergency Procedure and Severe Accident Guidelines Appendix B Technical Basis, Volume I: Introduction and References, June 1, 2018

43.

WCAP-18461-P-A, Revision 1, Common Qualified Platform and Component Interface Module System, Elimination of Technical Specification Surveillance Requirements, Westinghouse Electric Company LLC (Last Page of Front Matter)

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 1-1 Westinghouse Non-Proprietary Class 3 SECTION 1 INTRODUCTION 1.1 PURPOSE The purpose of this document is to perform three analyses relative to the Limerick Generating Station (LGS) Plant Protection System (PPS) being implemented as part of the LGS Digital Modernization Project. The PPS will be implemented using the Common Qualified (Common Q) Platform, which is a digital platform that has been reviewed and approved by the NRC for use for safety-related systems (see Reference 1). The three analyses are:

1. CCF Coping Analysis that evaluates, for each LGS UFSAR Chapter 15 event, the plant coping ability with the assumption that the Common Q portion of the PPS is not available due to a CCF.

[

]a,c

2. CCF Spurious Actuation Analysis [

]a,c

3. An analysis defining the set of displays and controls located in the main control room for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls will be independent and diverse from the PPS Common Q system. Refer to Section 5 for this analysis.

These analyses will identify required functionality of the DPS. Following these analyses, this document will compare the diversity attributes between the Common Q digital platform and the Emerson Ovation platform that will implement the DPS functions.

1.2 SCOPE This document addresses the expected analyses from the NRC Standard Review Plan (SRP),

NUREG-0800, Chapter 7, Branch Technical Position (BTP) 7-19 (Reference 2). The scope of the analysis is the PPS.

(Last Page of Section 1)

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-1 Westinghouse Non-Proprietary Class 3 SECTION 2 PLANT PROTECTION SYSTEM ARCHITECTURE 2.1 PPS ARCHITECTURE For the purposes of this analysis, Figure 2-1 is used to analyze the potential vulnerabilities to CCF in the PPS architecture. The architecture is made up of four channels labeled A - D, and four divisions labeled 1-4. Each channel shares power and an AF100 bus with a division:

Channel A shares power and an AF100 bus with Division 1 Channel B shares power and an AF100 bus with Division 2 Channel C shares power and an AF100 bus with Division 3 Channel D shares power and an AF100 bus with Division 4 For each Channel/Division pair, there are three levels to the PPS architecture:

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-2 Westinghouse Non-Proprietary Class 3

[

]a,c There are also two Safety Displays (SDs), one Maintenance and Test Panel (MTP), and one Interface and Test Processor (ITP) per Channel/Division. The MTP and ITP support maintenance and test activities for the PPS. The MTP is a Common Q Flat Panel Display System as described in the Common Q topical Report (Reference 1). The ITP utilizes the Common Q AC160 digital platform. The MTP and ITP do not perform any protective functions in the PPS. The SDs are located in the control room and allow the operator to observe PPS status. The three safety-related functions the SD performs are:

1. Displays Post Accident Monitoring variables.
2. Allows the operator to manually initiate NSSSS and ECCS system level actuation functions [

]a,c

3. Allows the operator to manually control individual PPS actuating components [

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-3 Westinghouse Non-Proprietary Class 3 Figure 2-1. PPS Architecture a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-4 Westinghouse Non-Proprietary Class 3 2.2 PPS ARCHITECTURE CCF VULNERABILITIES

[

]a,c 2.2.1

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-5 Westinghouse Non-Proprietary Class 3

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-6 Westinghouse Non-Proprietary Class 3 Figure 2-2. CIM-SRNC Subsystem

[

]a,c a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-7 Westinghouse Non-Proprietary Class 3

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-8 Westinghouse Non-Proprietary Class 3

[

]a,c As stated in MSFIS SER (Reference 20),

The NRC staff also took into consideration the low level of complexity of the MSFIS. The MSFIS is not a full trip or actuation system, but receives the trip signal from the SSPS, and upon receipt of that signal, provides opening signals to the individual valves. In addition, the MSFIS receives valve control signals from the operator control panel, and provides open or close signals to the individual valves. The received signals are binary (on/off) and not complex digital data.

The NRC then concluded:

The NRC staff has determined that due to the MSFIS use of two diverse cores in each FPGA and the ability to examine the resultant circuitry to determine the actual diversity, there is reasonable assurance the programmable nature of FPGAs as used in the MSFIS does not add any additional vulnerability over that found in non-programmable systems.

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-9 Westinghouse Non-Proprietary Class 3

[

]a,c Table 2-1. [

]a,c

[

]a,c a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-10 Westinghouse Non-Proprietary Class 3 2.2.2 CIM Extensive Testing

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-11 Westinghouse Non-Proprietary Class 3 Figure 2-3. CIM Safety Path Testing a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-12 Westinghouse Non-Proprietary Class 3 The Reference 4 document summarizes the evaluation to the BTP 7-19 criteria as follows:

Table 2-2. Comparison of BTP 7-19 Test Criteria to CIM Testing a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-13 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 2-14 Westinghouse Non-Proprietary Class 3 2.2.3 PPS Diversity The manual scram inputs, indicated in Figure 2-1, are provided by the hardware scram push buttons located at the operator control console (Panel tag number 10-C603 for Unit 1 and 20-C603 for Unit 2) and are directly hardwired to the RPS TU, bypassing all PPS software. These push buttons provide a diverse means of initiating a reactor scram.

2.2.4

[

]a,c

[

]a,c (Last Page of Section 2) a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-1 Westinghouse Non-Proprietary Class 3 SECTION 3 D3 CCF COPING ANALYSIS As described in Section 1, this is the first of three analyses to assess the adequacy of the LGS plant defense in depth and diversity to cope with a PPS CCF. This first analysis takes each event in Chapter 15 of the LGS UFSAR and with best-estimate techniques, determines:

1. Is there sufficient LGS plant diversity to cope with the Chapter 15 event assuming the PPS (excluding the CIM) is not available to protect the plant.
2. Any functions necessary to be included in the DPS to adequately cope with the event when the PPS is not available to protect the plant.

The format for the coping analysis for each event is as follows:

1. The event time sequence with ** ** indicates a sequence that is inoperable due to a PPS CCF.

[

]a,c

5. Summary of diverse indications and controls available in the current plant design. [

]a,c

6. Scenario summary The LGS design basis assumes manual actuations are not required for 10 minutes after a postulated accident (PA) commences (e.g., LGS UFSAR Chapter 7.5.2.4.1, Initial Accident Event). [

]a,c For analyses where RPS is assumed to fail due to a PPS CCF, the Redundant Reactivity Control System (RRCS, Section 6.2) will automatically initiate the following functions upon Reactor Pressure Vessel (RPV) Pressure-High or RPV Water Level-Low (with 9-second time for RPT actuation) conditions:

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-2 Westinghouse Non-Proprietary Class 3 Alternate Rod Insertion (ARI), Standby Liquid Control (SLC) Actuation, and Recirculation Pump Trip (RPT). NEDO-2422, Assessment of BWR Mitigation of Anticipated Transients Without Scram (Reference 36), analyzed the ATWS transients assuming RPS failure and operability of ARI and RPT, and concluded that the results satisfied all applicable criteria for reactor coolant pressure boundary (RCPB), containment integrity, adequate core cooling, and allowable radioactivity release limits.

[

]a,c BTP 7-19, Section B, Branch Technical Position, Section 3.3 states that the consequences of a Common-Cause Failure may be acceptable if the following acceptance criteria are met:

b. For each AOO in the design basis that occurs concurrently with the CCF, the plant response, calculated using realistic or conservative assumptions, does not result in radiation release exceeding 10 percent of the applicable siting dose guideline values, or in violation of the integrity of the primary coolant pressure boundary.
c. For each PA in the design basis that occurs concurrently with each single postulated CCF, the plant response, calculated using realistic or conservative assumptions, does not result in radiation release exceeding the applicable siting dose guideline values, in violation of the integrity of the primary coolant pressure boundary, or in violation of the integrity of the containment.

In Limerick UFSAR, Chapter 15, Section 15.0.3.1, an analyzed event is classified according to the following:

a. Incidents of moderate frequency - These are accidents that may occur from once during a calendar year to once per 20 years for a particular plant. These events are referred to as "anticipated (expected) operational transients."
b. Infrequent incidents - These are accidents that may occur occasionally during the life of a particular plant, ranging in time from once in 20 years to once in 100 years. These events are referred to as "abnormal (unexpected) operational transients."
c. Limiting faults - These are accidents that are not expected to happen, but are postulated because they may result in the release of significant amounts of radioactive material. These events are referred to as "design basis (postulated) accidents."

Thus, BTP 7-19 reference to an anticipated operational occurrence (AOO), is an anticipated (expected) operational transient classified as an incident of moderate frequency, or an abnormal (unexpected) operational transient classified as an infrequent incident. A postulated accident (PA) is a referred to as a Limiting Fault. The frequency classification for each transient or accident is indicated for coping analysis.

Furthermore, in the Conclusion section of each event, qualitative statements are made regarding the satisfaction of applicable acceptance criteria in BTP 7-19. When the use of the term, adequate cooling, or the core is adequately cooled is included in the Conclusion statements, these statements are to mean that heat removal from the reactor is sufficient to prevent rupturing the fuel cladding. This conclusion is based upon consideration of the three viable mechanisms for establishing adequate core cooling: core submergence, spray cooling, and steam cooling (Reference 42):

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-3 Westinghouse Non-Proprietary Class 3

a. Submergence is the preferred method for cooling the core. The core is adequately cooled by submergence when it can be determined that RPV water level is at or above the top of the active fuel (TAF, -161). All fuel nodes are then assumed to be covered with water and heat is removed by boiling heat transfer.
b. Adequate spray cooling is provided, assuming a bounding axial power shape, when design spray flow requirements (one CS loop flow of 6250 gpm) are satisfied and RPV water level is at or above the elevation of the jet pump suctions. The covered portion of the core is then cooled by submergence while the uncovered portion is cooled by the spray flow.
c. Steam cooling is relied upon only if RPV water level cannot be restored and maintained above the top of the active fuel, cannot be determined, or must be intentionally lowered below the top of the active fuel. The core is adequately cooled by steam if the steam flow across the uncovered length of each fuel bundle is sufficient to maintain the hottest peak clad temperature below the appropriate limits. The covered portion of the core remains cooled by boiling heat transfer and generates the steam which cools the uncovered portion.

3.1 EVENT

15.1.1 LOSS OF FEEDWATER HEATING Feedwater heating is assumed to be lost, resulting in a maximum reactor inlet feedwater temperature decrease of 100°F. This event is classified as an incident of moderate frequency.

3.1.1 Sequence of Events (UFSAR Table 15.1-2)

TIME (sec)

EVENT 0

Initiate a 100°F temperature reduction into the feedwater system.

25 (approx.)

Initial effect of unheated feedwater to raise core power level and steam flow.

65 (approx.)

Bypass valves open to accommodate the increasing steam flow.

120.0 (approx.)

New higher power, steady-state conditions reached.

3.1.2

[

]a,c

[

]a,c 3.1.3 EOP Entry Conditions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-4 Westinghouse Non-Proprietary Class 3 3.1.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.1.5 Summary of Diverse Features from PPS

[

]a,c 3.1.6 Conclusion

[

]a,c

3.2 EVENT

15.1.2 FEEDWATER CONTROL FAILURE - MAXIMUM DEMAND (WITHOUT TURBINE BYPASS)

Feedwater controller demand (DFWLCS) is postulated to fail upscale that results in maximum feedwater injection into the Reactor Pressure Vessel (RPV), resulting in a rapid water level rise and a trip of the main turbine and the turbine-driven feedwater pump turbines when water level reaches the Level 8 trip setpoint. It is further assumed that the turbine bypass valves failed upon a turbine trip. This event is considered to be an incident of moderate frequency.

3.2.1 Sequence of Events (UFSAR Table 15.1-3)

TIME (sec)

EVENT (2) (WITHOUT TURBINE BYPASS) 0 Initiate simulated failure of feedwater controller to upper limit on feedwater flow.

8.3 Level 8 vessel level setpoint trips main turbine and feedwater pumps.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-5 Westinghouse Non-Proprietary Class 3 TIME (sec)

EVENT (2) (WITHOUT TURBINE BYPASS) 8.3(est)

8.3

    • Recirculation Pump Trip (RPT) actuated by stop valve position switches.**

8.5 Turbine bypass valves fail to open.

8.5 Main turbine stop valves closed.

8.6

    • Recirculation pump motor circuit breakers open causing recirculation drive flow to coast-down.**

10.5 First groups 1 to 3 actuated due to high pressure.

3.2.2

[

]a,c

[

]a,c 3.2.3 EOP Entry Conditions

[

]a,c 3.2.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-6 Westinghouse Non-Proprietary Class 3 3.2.5 Summary of Diverse Features from PPS

[

]a,c 3.2.6 Conclusion

[

]a,c

3.3 EVENT

15.1.2 FEEDWATER CONTROL FAILURE - MAXIMUM DEMAND (WITH BYPASS)

Feedwater controller demand is postulated to fail upscale that results in maximum feedwater injection into the RPV, resulting in a rapid water level rise and a trip of the main turbine and the turbine-driven feedpump turbines when water level reaches the Level 8 trip setpoint. This event is considered to be an incident of moderate frequency.

3.3.1 Sequence of Events (UFSAR Table 15.1-3):

TIME (sec)

EVENT (1) (WITH TURBINE BYPASS) 0 Initiate simulated failure of feedwater controller to upper limit on feedwater flow.

8.4 Level 8 vessel level setpoint trips main turbine and feedwater pumps.

8.4

8.4

    • RPT actuated by stop valve position switches.**
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-7 Westinghouse Non-Proprietary Class 3 TIME (sec)

EVENT (1) (WITH TURBINE BYPASS) 8.6 Main turbine stop valves closed and turbine bypass valves start to open.

8.6

    • Recirculation pump motor circuit breakers open causing recirculation drive flow to start to coast down.**

11.2 First group of SRVs open due to high pressure.

3.3.2

[

]a,c

[

]a,c 3.3.3 EOP Entry Conditions

[

]a,c 3.3.4 Operator Actions per RPV Control EOPs with postulated PPS CCF

[

]a,c 3.3.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-8 Westinghouse Non-Proprietary Class 3

[

]a,c 3.3.6 Conclusion

[

]a,c

3.4 EVENT

15.1.3 PRESSURE REGULATOR FAILURE-OPEN If the controlling regulator fails, the backup controller will take over control with a bumpless switchover. If both controllers fail to the open position, the turbine control valves can be fully opened, and the turbine bypass valves can be partially or fully opened until the maximum steam flow is established. This event is categorized as an incident of moderate frequency.

3.4.1 Sequence of Events (UFSAR Table 15.1-4)

TIME (sec)

EVENT 0.0 Simulate maximum limit flow to main turbine.

0.4 Main turbine bypass valves open.

4.7 Vessel water level (Level 8) trip initiates main turbine and feedwater turbine trips.

4.7

    • Main turbine stop valve position initiates reactor scram and RPT.**

4.8 Turbine stop valves closed.

4.9

    • Recirculation pump motor circuit breakers open causing decrease in core flow to natural circulation.**
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-9 Westinghouse Non-Proprietary Class 3 TIME (sec)

EVENT 46.8

    • Main steam line isolation on low turbine inlet pressure.**

51.8

    • MSIVs closed**. Bypass valves remain open, exhausting steam in steam lines downstream of isolation valves.

52.0

    • RCIC and HPCI systems initiation on low level (Level 2).**

>100.0 Group 1 Main Steam Relief Valves (MSRVs) actuate and cycle.

3.4.2

[

]a,c

[

]a,c 3.4.3 EOP Entry Conditions

[

]a,c 3.4.4 Operator Actions per RPV Control EOPs with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-10 Westinghouse Non-Proprietary Class 3 3.4.5 Summary of Diverse Features from PPS

[

]a,c 3.4.6 Conclusion

[

]a,c

3.5 EVENT

15.1.4 INADVERTENT MAIN STEAM RELIEF VALVE OPENING Cause of inadvertent MSRV opening is attributed to malfunction of the valve or an operator initiated opening. Opening and closing circuitry at the individual valve level (as opposed to groups of valves) is subject to a single failure event. It is therefore simply postulated that a failure occurs, and the transient is analyzed accordingly. This event is categorized as an infrequent incident but is analyzed as an incident of moderate frequency.

3.5.1 Sequence of Events (UFSAR Table 15.1-5)

TIME (sec)

EVENT 0

Initiate opening of one MSRV.

0.5(est)

MSRV flow reaches full flow.

15.0(est)

System establishes new steady-state operation.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-11 Westinghouse Non-Proprietary Class 3 3.5.2

[

]a,c

[

]a,c 3.5.3 EOP Entry Conditions

[

]a,c 3.5.4 Operator Actions per EOPs with postulated PPS CCF

[

]a,c UFSAR Section 15.1.4.2.1 states: If it is assumed that the suppression pool is at its maximum operating temperature (95°F) and minimum operating volume with no pool cooling systems in operation when the valve first opens, the operator will have more than 6 minutes before the pool scram temperature of 110°F is reached. If the above worst case assumptions were relaxed, the time for operator action would increase.

Delaying the reactor scram to 10 minutes after the valve sticks full open would have no adverse effect on plant safety. Even though the suppression pool temperature would approach 120°F at the time of scram, the maximum allowable suppression pool temperature limits would not be exceeded.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-12 Westinghouse Non-Proprietary Class 3 3.5.5 Summary of Diverse Features from PPS

[

]a,c 3.5.6 Conclusion

[

]a,c

3.6 EVENT

15.1.6 INADVERTENT RHR SHUTDOWN COOLING OPERATION A shutdown cooling malfunction leading to a moderator temperature decrease could result from mis-operation of the cooling water controls for the RHR heat exchangers. The resulting temperature decrease would cause a slow insertion of positive reactivity into the core. If the operator did not act to control the power level, a high neutron flux reactor scram would terminate the transient without violating fuel thermal limits and without any measurable increase in nuclear system pressure. This event is categorized as a transient of moderate frequency.

3.6.1 Sequence of Events (UFSAR Table 15.1-1)

TIME (min)

EVENT 0

Reactor at low power and low pressure when RHR shutdown cooling inadvertently activated.

0 - 10 Slow rise in reactor power.

+10 Operator may take action to limit power rise. **Flux scram will occur if no action is taken.**

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-13 Westinghouse Non-Proprietary Class 3 3.6.2

[

]a,c

[

]a,c 3.6.3 EOP Entry Conditions

[

]a,c 3.6.4 Operator Actions

[

]a,c 3.6.5 Summary of Diverse Features from PPS

[

]a,c 3.6.6 Conclusion

[

]a,c

3.7 EVENT

15.2.1 PRESSURE REGULATOR FAILURE - CLOSED It is assumed, for the purposes of this transient analysis that a single failure occurs, erroneously causes the controlling regulator processor to close the main turbine control valves. Failure of the primary controlling regulator processor results in the automatic bumpless transfer between the primary and the backup

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-14 Westinghouse Non-Proprietary Class 3 regulator controllers, thereby preventing an increase in reactor pressure. This event is treated as a moderate frequency event.

3.7.1 Sequence of Events When a fault is detected with the controlling pressure regulator processor, as discussed in UFSAR Section 15.2.1.1.1, an automatic bumpless failover will occur to the back-up redundant regulator controller. The pressure increase will be small, if any. Both regulators receive the same setpoint value from the operator input via the Human Machine Interface (HMI), thus, pressure will be controlled at approximately the same value prior to the assumed failure.

3.7.2

[

]a,c

[

]a,c 3.7.3 EOP Entry Conditions

[

. ]a,c 3.7.4 Operator Actions

[

]a,c 3.7.5 Summary of Diverse Features from PPS

[

]a,c 3.7.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-15 Westinghouse Non-Proprietary Class 3

3.8 EVENT

15.2.2 GENERATOR LOAD REJECTION WITH BYPASS FAILURE A generator load rejection is assumed to occur with failure of the turbine steam bypass valves to open.

This event is categorized as an incident of moderate frequency.

3.8.1 Sequence of Events (UFSAR Table 15.2-2)

TIME (sec)

EVENT

-0.015 (approx.)

Turbine-generator detection of loss of electrical load.

0.0 Turbine-generator power load unbalance devices trip to initiate turbine control valve fast closure.

0.0 Turbine bypass valves fail to operate.

0.0

    • Fast control valve closure initiates scram trip.**

0.0

    • Turbine control valve closure initiates a recirculation pump trip (RPT).**

0.08 (approx.)

Turbine control valve closed.

0.175

    • Recirculation pump motor circuit breakers open causing the recirculation drive flow to begin to coast down.**

1.9 MSRV actuation initiated.

> 6 MSRV closed.

3.8.2

[

]a,c

[

]a,c 3.8.3 EOP Entry Conditions

[

]a,c 3.8.4 Operator Actions per RPV Control / Primary Containment Control EOP with postulated PPS CCF

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-16 Westinghouse Non-Proprietary Class 3

[

]a,c 3.8.5 Summary of Diverse Features from PPS

[

]a,c 3.8.6 Conclusion

[

]a,c

3.9 EVENT

15.2.2 GENERATOR LOAD REJECTION WITH BYPASS A generator load rejection is assumed to occur with normal operation of the turbine steam bypass valves to open. This event is categorized as an incident of moderate frequency.

3.9.1 Sequence of Events (UFSAR Table 15.2-1)

TIME (sec)

EVENT

-0.015 (approx.)

Turbine-generator detection of loss of electrical load.

0.0 Turbine-generator power load unbalance devices trip to initiate turbine control valve fast closure.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-17 Westinghouse Non-Proprietary Class 3 0.0 0.0 Turbine-generator power load unbalance trip initiates main turbine bypass system operation.

    • Fast turbine control valve closure initiates scram trip.**

0.0

    • Turbine control valve closure initiates an RPT.**

0.07 Turbine control valve closed.

0.14 Turbine bypass valves start to open.

0.175

    • Recirculation pump motor circuit breakers open causing the recirculation drive flow to begin to coast down.**

2.0 Group 1 MSRV actuated.

2.15 Group 2 MSRVs actuated.

2.40 Group 3 MSRVs actuated.

3.90 Group 1 MSRV close.

3.9.2

[

]a,c

[

]a,c 3.9.3 EOP Entry Conditions

[

]a,c 3.9.4 Operator Actions per RPV Control / Primary Containment Control EOP with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-18 Westinghouse Non-Proprietary Class 3

[

]a,c 3.9.5 Summary of Diverse Features from PPS

[

]a,c 3.9.6 Conclusion

[

]a,c 3.10 EVENT: 15.2.3 TURBINE TRIP WITHOUT BYPASS A main turbine trip is assumed to occur with failure of the turbine steam bypass valves to open. This event is categorized as an incident of moderate frequency.

3.10.1 Sequence of Events (UFSAR Table 15.2-4)

TIME (sec)

EVENT 0.0 Turbine trip initiates closure of main stop valves.

0.0 Turbine bypass valves fail to operate.

0.01

    • Main turbine stop valves reach 90% open position and initiate reactor scram trip.**

0.01

    • Main turbine stop valves reach 90% open position and initiate an RPT.**

0.1 Turbine stop valves closed.

0.175

    • Recirculation pump motor circuit breakers open causing the recirculation drive flows to coast down.**
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-19 Westinghouse Non-Proprietary Class 3

~ 1.8 MSRV actuation initiated.

> 6 MSRVs closed.

3.10.2

[

]a,c

[

]a,c 3.10.3 EOP Entry Conditions

[

]a,c 3.10.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.10.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-20 Westinghouse Non-Proprietary Class 3 3.10.6 Conclusion

[

]a,c 3.11 EVENT: 15.2.3 TURBINE TRIP WITH BYPASS A main turbine trip is assumed to occur with normal operation of the turbine steam bypass valves to open.

This event is categorized as an incident of moderate frequency.

3.11.1 Sequence of Events (UFSAR Table 15.2-3)

TIME (sec)

EVENT 0.0 Turbine trip initiates closure of main stop valves.

0.0 Turbine trip initiates bypass operation.

0.01

    • Main turbine stop valves reach 90% open position and initiates reactor scram trip.**

0.01

    • Main turbine stop valves reach 90% open position and initiates an RPT.**

0.1 Turbine stop valves closed.

0.17 Turbine bypass valves start to open to regulate pressure.

2.5 Group 1 MSRVs actuated.

2.7 Group 2 MSRVs actuated.

2.9 Group 3 MSRVs actuated.

8.3 All MSRVs closed.

3.11.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-21 Westinghouse Non-Proprietary Class 3 3.11.3 EOP Entry Conditions

[

]a,c 3.11.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.11.5 Summary of Diverse Features from PPS

[

]a,c 3.11.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-22 Westinghouse Non-Proprietary Class 3 3.12 EVENT: 15.2.4 MSIV CLOSURE An inadvertent closure of all MSIVs is assumed for this event. This event is categorized as an incident of moderate frequency. The closure of one MSIV is not quantitatively analyzed in UFSAR Section 15.2.4.

3.12.1 Sequence of Events (UFSAR Table 15.2-5)

TIME (sec)

EVENT 0.0 Initiate closure of all MSIVs.

0.3

    • MSIV position trip scram initiated.**

2.9

    • Recirculation pump drive motors are tripped.**

3.1 MSRVs open 3 groups due to pressure relief setpoint action.

14.6 All MSRVs closed.

26.0

    • Initiate HPCI and RCIC systems on low-low water level (Level 2).**

3.12.2

[

]a,c

[

]a,c 3.12.3 EOP Entry Conditions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-23 Westinghouse Non-Proprietary Class 3 3.12.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.12.5 Summary of Diverse Features from PPS

[

]a,c 3.12.6 Conclusion

[

]a,c 3.13 EVENT: 15.2.5 LOSS OF CONDENSER VACUUM Condenser vacuum is assumed to be lost at a rate of approximately 2 inches Hg per second. This event is categorized as an incident of moderate frequency.

3.13.1 Sequence of Events (UFSAR Table 15.2-7)

TIME (sec)

EVENT

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-24 Westinghouse Non-Proprietary Class 3

-3.0 Initiate simulated loss of condenser vacuum at 2 inches of Hg per second.

0.0 (est)

Low condenser vacuum main turbine trip actuated.

0.0 (est)

Low condenser vacuum feedwater trip actuated.

0.01

0.01

0.1 Turbine stop valves closed.

0.1 Bypass valves begin to open.

2.5 Group 1 MSRV setpoints actuated.

2.7 Group 2 MSRV setpoints actuated.

2.9 Group 3 MSRV setpoints actuated.

5.0

    • Low condenser vacuum initiates MSIV closure.**

5.0 Low condenser vacuum initiates bypass valve closure.

13.3 All MSRVs close.

16.9 MSRV cyclic actuation on pressure demand.

50.6

    • HPCI/RCIC system initiation on low level (Level 2)** (not included in simulation) 3.13.2

[

]a,c

[

]a,c 3.13.3 EOP Entry Conditions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-25 Westinghouse Non-Proprietary Class 3 3.13.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.13.5 Summary of Diverse Features from PPS

[

]a,c 3.13.6 Conclusion

[

]a,c 3.14 EVENT: 15.2.6 LOSS OF ALL GRID CONNECTIONS Loss of all grid connections can result from major shifts in electrical loads, seismic events, loss of loads, lightning, storms, wind, etc., that contribute to electrical grid instabilities. These instabilities cause equipment damage if unchecked. Protective relay schemes automatically disconnect electrical sources and loads to mitigate damage and regain electrical grid stability. The loss of all grid connections causes the loss of all auxiliary power. This transient consists of a generator load rejection and recirculation pump trip at time t=0. This event is categorized as an incident of moderate frequency.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-26 Westinghouse Non-Proprietary Class 3 3.14.1 Sequence of Events (UFSAR Table 15.2-10)

TIME (sec)

EVENT

-0.015 (approx.)

Loss of grid causes turbine-generator to detect a loss of electrical load.

0.0 Turbine control valve fast closure is initiated.

0.0 Turbine-generator power load unbalance trip initiates main turbine bypass system operation.

0.0 Recirculation system pump motors are tripped.

0.0

    • Turbine control valve fast closure initiates a reactor scram trip.**

0.07 Turbine control valves closed.

0.10 Turbine bypass valves begin to open.

2.0 Feedwater pumps trip on low suction pressure.

2.4 MSRVs open and cycle.

7.2 Initial SRVs closure.

49

    • Low water Level 2 setpoint reached, HPCI/RCIC initiated** (not simulated).

3.14.2

[

]a,c

[

]a,c

  • From 6.3.2.5 of UFSAR (Reference 7):

Certain technical specification LCO periods are justified based on NEDO-24708A which states that for postulated LOCAs, one low pressure ECCS (one LPCI loop or one CS loop) and ADS to depressurize is adequate to reflood the vessel and maintain core cooling sufficient to preclude fuel damage. NEDC-30936P-A, specifically applicable to LGS references NEDO-24708A and reaffirms this conclusion, with the advisory regarding the possible necessity of an alternate cooling path following 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of post large-break LOCA LPCI injection into the core shroud. [

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-27 Westinghouse Non-Proprietary Class 3 3.14.3 EOP Entry Conditions

[

]a,c 3.14.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.14.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-28 Westinghouse Non-Proprietary Class 3 3.14.6 Conclusion

[

]a,c 3.15 EVENT: 15.2.7 LOSS OF FEEDWATER A total loss of feedwater flow could occur due to pump failures, feedwater controller failures, operator errors, or reactor system variables such as a high vessel water level (Level 8) trip signal. This event is categorized as an incident of moderate frequency.

3.15.1 Sequence of Events (UFSAR Table 15.2-11)

TIME (sec)

EVENT 0.0 Trip of all feedwater pumps initiated.

~6

    • Vessel water level (Level 3) trip initiates scram trip.**

~19

    • Vessel water level (Level 2) trip initiates RCIC (and HPCI) operation.**

~19

    • Vessel water level (Level 2) trip initiates containment isolation.**

~19

    • Vessel water level (Level 2) trip initiates recirculation pump trip.**

~74

    • Rated RCIC flow is achieved.**

~800 Minimum Level is reached (444 inches above vessel zero), approx. 45.5 inches above Level 1 trip.

3.15.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-29 Westinghouse Non-Proprietary Class 3 3.15.3 EOP Entry Conditions

[

]a,c 3.15.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.15.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-30 Westinghouse Non-Proprietary Class 3 3.15.6 Conclusion

[

]a,c 3.16 EVENT: 15.2.9 LOSS OF SHUTDOWN COOLING For evaluation purposes, it is assumed that plant shutdown is initiated by a transient event (Loss of Offsite Power [LOOP]) that results in reactor isolation/scram and subsequent relief valve actuation and suppression pool heatup. After subsequent reactor trip and isolation, the reactor is depressurized to 75 psig at which pressure shutdown cooling can be initiated. The event is categorized as an incident of moderate frequency.

3.16.1 Sequence of Events (UFSAR Table 15.2-12)

TIME (min)

EVENT 0

Reactor is operating at 3528 MWt when LOOP occurs initiating plant shutdown.

0 Concurrently, loss of one division of power occurs.

10 Controlled depressurization initiated (100%) using selected MSRVs.

15 Suppression pool cooling initiated to prevent overheating from MSRV actuation.

157 Blowdown to approximately 75.0 psig completed.

157 Personnel are sent in to open RHR shutdown cooling suction valve; this fails.

187

    • Actuate core spray into vessel and reopen ADS valves to establish alternate cooling path.**

3.16.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-31 Westinghouse Non-Proprietary Class 3

[

]a,c 3.16.3 EOP Entry Conditions

[

]a,c 3.16.4 Operator Actions

[

]a,c 3.16.5 Summary of Diverse Features from PPS

[

]a,c 3.16.6 Conclusion

[

]a,c 3.17 EVENT: 15.2.10 LOSS OF STATOR COOLING Loss of generator stator cooling is assumed to occur. This event is a moderate frequency event and classified as an AOO.

3.17.1 Sequence of Events (UFSAR Table 15.2-15)

TIME (sec)

EVENT

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-32 Westinghouse Non-Proprietary Class 3 0.0 Loss of Stator Cooling occurs.

0.0 Dual Recirculation Pump to 42% Speed is initiated.

0.0 Turbine-Generator Load Set Runback begins from 105% going to 20% over 140 seconds.

45 (approx.)

Turbine-Generator Load Set reaches Turbine Control Valve (TCV) position and starts causing the TCVs to close. Turbine Bypass Valves (TBV) begin to open in response to the TCV Closure.

75 (approx.)

TBVs open to their available capacity. Pressurization begins due to mismatch between steam flow coming from the vessel and the available TCV/TBV capacity.

95 (approx.)

    • Reactor scrams on high pressure or neutron flux.**

3.17.2

[

]a,c

[

]a,c 3.17.3 EOP Entry Conditions

[

]a,c 3.17.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-33 Westinghouse Non-Proprietary Class 3 3.17.5 Summary of Diverse Features from PPS

[

]a,c 3.17.6 Conclusion

[

]a,c 3.18 EVENT: 15.3.1 TRIP OF ONE RECIRCULATION PUMP MOTOR Trip of one recirculation pump motor is assumed. This event is categorized as an incident of moderate frequency.

3.18.1 Sequence of Events (UFSAR Table 15.3-1)

TIME (sec)

EVENT 0

Trip of one recirculation pump initiated.

2.7 Diffuser flow decreases significantly in the tripped loop.

20.0 Core flow stabilizes at new equilibrium conditions.

40.0 Power level stabilizes at new equilibrium conditions.

3.18.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-34 Westinghouse Non-Proprietary Class 3 3.18.3 EOP Entry Conditions

[

]a,c 3.18.4 Operator Actions per EOPs with postulated PPS CCF

[

]a,c 3.18.5 Summary of Diverse Features from PPS

[

]a,c 3.18.6 Conclusion

[

]a,c 3.19 EVENT: 15.3.1 TRIP OF TWO RECIRCULATION PUMPS Trip of two recirculation pump motors is assumed. The vessel water level swell due to rapid flow coast-down is expected to reach the high level trip, thereby shutting down the main turbine and feed pump turbines and scramming the reactor. This event is categorized as an incident of moderate frequency.

3.19.1 Sequence of Events (UFSAR Table 15.3-2)

TIME (sec)

EVENT 0.0 Trip of both recirculation pumps initiated.

5.2 Vessel water level (Level 8) trip initiates turbine trip and feedwater pumps trip.

5.2 Turbine trip initiates bypass operation.

5.2

    • Turbine trip initiates reactor scram trip.**
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-35 Westinghouse Non-Proprietary Class 3 TIME (sec)

EVENT 9.9 12.9 43.5 Group 1 MSRVs open.

Group 1 MSRVs close.

    • Level 2 vessel level setpoint initiates steam line isolation and HPCI/RCIC start.**

3.19.2

[

]a,c

[

]a,c 3.19.3 EOP Entry Conditions

[

]a,c 3.19.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.19.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-36 Westinghouse Non-Proprietary Class 3

[

]a,c 3.19.6 Conclusion

[

]a,c 3.20 EVENT: 15.3.2 RECIRCULATION FLOW CONTROL FAILURE-DECREASING FLOW Some causes of recirculation flow control failure are malfunction of the active Adjustable Speed Drive (ASD) controller (one of two redundant controllers), malfunction of the PLC supplying command signals to the controllers, or corruption to the communication between these devices (one of two redundant channels). These malfunctions can result in a rapid flow decrease in only one recirculation loop.

No analyses are provided for failure of one recirculation flow controller or failure of both controllers that result in decreasing recirculation flow. Failure of one recirculation flow controller is bounded by Event 15.3.1 Trip of One Recirculation Pump. Failure of both recirculation flow controller is bounded by analysis of Event 15.3.1 for Trip of Two Recirculation Pumps. Plant operating procedure requires a manual reactor scram to avoid operation in the core instability region of the power-flow map.

3.21 EVENT: 15.3.3 RECIRCULATION PUMP SEIZURE The case of recirculation pump seizure represents the extremely unlikely event of instantaneous stoppage of the pump motor shaft of one recirculation pump. This accident produces a very rapid decrease of core flow as the result of the large hydraulic resistance introduced by the stopped rotor. This event is categorized as a Design Basis Accident (DBA).

3.21.1 Sequence of Events (UFSAR Table 15.3-3)

TIME (sec)

EVENT 0.0 Single pump seizure was initiated.

0.7 Jet pump diffuser flow reverses in seized loop.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-37 Westinghouse Non-Proprietary Class 3 4.0 Core flow stabilizes at new equilibrium conditions.

40.0 Power stabilizes at new equilibrium conditions.

3.21.2

[

]a,c

[

]a,c 3.21.3 EOP Entry Conditions

[

. ]a,c 3.21.4 Operator Actions per RPV Control EOPs with postulated PPS CCF

[

]a,c 3.21.5 Summary of Diverse Features from PPS

[

]a,c 3.21.6 Conclusion

[

]a,c 3.22 EVENT: 15.3.4 RECIRCULATION PUMP SHAFT BREAK The case of recirculation pump shaft breaking represents the extremely unlikely event of instantaneous stoppage of the one recirculation pump motor and is considered as an accident. This accident produces a very rapid decrease of core flow as the result of the broken pump shaft. The event is bounded by the more limiting case of recirculation pump seizure in 15.3.3, and thus no quantitative results are presented. This event is considered to be a Limiting Fault.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-38 Westinghouse Non-Proprietary Class 3 3.22.1 Sequence of Events A postulated instantaneous break of the motor shaft of one recirculation pump will cause the core flow to decrease rapidly and result in water level swell in the reactor vessel but no scram. The core flow and then reactor power stabilize at lower values within less than a minute of the failure.

3.22.2

[

]a,c

[

]a,c 3.22.3 EOP Entry Conditions

[

]a,c 3.22.4 Operator Actions

[

]a,c 3.22.5 Summary of Diverse Features from PPS

[

]a,c 3.22.6 Conclusion

[

]a,c 3.23 EVENT: 15.4.1 ROD WITHDRAWAL ERROR - LOW POWER The transient considered is inadvertent criticality due to the complete withdrawal or removal of the highest worth control rod during refueling operations. It is classified as an infrequent incident.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-39 Westinghouse Non-Proprietary Class 3 3.23.1 Sequence of Events Five sequences of events are considered:

1. Initial Control Rod Removal or Withdrawal: During refueling operations system interlocks provide assurance that inadvertent criticality does not occur because two control rods have been removed or withdrawn together.
2. Fuel Insertion with Control Rod Withdrawn: To minimize the possibility of loading fuel into a cell containing no control rod, all control rods must be fully inserted when fuel is being loaded into the core. This requirement is backed up by refueling interlocks on rod withdrawal and movement of the refueling platform. When the mode switch is in the REFUEL position, the interlocks prevent the platform from being moved over the core if a control rod is withdrawn and fuel is on the hoist. Likewise, if the refueling platform is over the core and fuel is on the hoist, control rod motion is blocked by the interlocks.
3. Second Control Rod Removal or Withdrawal: When the platform is not over the core (or fuel is not on the hoist) and the mode switch is in the REFUEL position, only one control rod can be withdrawn. Any attempt to withdraw a second rod results in a rod block by the refueling interlocks. Since the core is designed to meet shutdown requirements with the highest worth rod withdrawn, the core remains subcritical even with one rod withdrawn.
4. Control Rod Removal Without Fuel Removal: The design of the control rod, incorporating the velocity limiter, does not physically permit the upward removal of the control rod without prior or simultaneous removal of the four adjacent fuel bundles.
5. Continuous Rod Withdrawal During Reactor Startup: Control rod withdrawal errors are not considered credible in the startup and low power ranges. The Rod Worth Minimizer (RWM) system prevents the operator from selecting and withdrawing an out-of-sequence control rod.

3.23.2

[

]a,c

[

]a,c 3.23.3 EOP Entry Conditions

[

]a,c 3.23.4 Operator Actions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-40 Westinghouse Non-Proprietary Class 3 3.23.5 Summary of Diverse Features from PPS

[

]a,c 3.23.6 Conclusion

[

]a,c 3.24 EVENT: 15.4.2 ROD WITHDRAWAL ERROR - AT POWER The operator is assumed to make a procedural error and continuously withdraws a high worth control rod until the Rod Block Monitor (RBM) system inhibits further withdrawal. This transient is classified as an incident of moderate frequency.

3.24.1 Sequence of Events (UFSAR Table 15.4-1)

1. Operator selects (the Rod Block Monitor (RBM) is automatically normalized) and withdraws high worth control rod.
2. The RBM system indicates excessive local peaking. Operator ignores the alarm and continues to withdraw control rod.
3. The RBM system initiates a rod block, inhibiting further withdrawal.
4. Operator verifies fuel thermal limits are satisfied before renormalizing RBM to further withdraw control rod.

3.24.2

[

]a,c

[

]a,c 3.24.3 EOP Entry Conditions

[

]a,c 3.24.4 Operator Actions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-41 Westinghouse Non-Proprietary Class 3

[

]a,c 3.24.5 Summary of Diverse Features from PPS

[

]a,c 3.24.6 Conclusion

[

]a,c 3.25 EVENT: 15.4.3 CONTROL ROD MALOPERATION (SYSTEM MALFUNCTION OR OPERATOR ERROR)

In accordance with UFSAR Section 15.4.3, this transient is covered by the evaluations in Sections 3.23 and 3.24.

3.26 EVENT: 15.4.4 ABNORMAL STARTUP OF IDLE RECIRCULATION PUMP This action results directly from the operators manual action to initiate pump operation. It assumes that the remaining loop is already operating. This event is categorized as an incident of moderate frequency.

3.26.1 Sequence of Events (UFSAR Table 15.4-3)

TIME (sec)

EVENT 0

Start pump motor.

9.0 Startup loop flow starts to increase significantly.

10.4

    • APRM neutron flux upscale scram initiated.**

>50.0 Vessel level returning to normal and will stabilize quickly.

3.26.2

[

]a,c

[

]a,c 3.26.3 EOP Entry Conditions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-42 Westinghouse Non-Proprietary Class 3

[

]a,c 3.26.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c 3.26.5 Summary of Diverse Features from PPS

[

]a,c 3.26.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-43 Westinghouse Non-Proprietary Class 3 3.27 EVENT: 15.4.5 RECIRCULATION FLOW CONTROL FAILURE WITH INCREASING FLOW Maximum change in recirculation pump ASD speed control occurs when both speed controllers failed such that ASD recirculation pumps increase to maximum speed. This event is categorized as an incident of moderate frequency.

3.27.1 Sequence of Events (UFSAR Table 15.4-4)

TIME (sec)

EVENT 0

Simulate failure of single-loop control.

1.7

    • APRM neutron flux upscale scram trip initiated.**

5.5 Turbine control valves start to close upon falling turbine pressure.

20.2 Feedwater decreases upon rising water level.

>100.0 Reactor variables settle into new steady-state.

3.27.2

[

]a,c

[

]a,c 3.27.3 EOP Entry Conditions

[

]a,c 3.27.4 Operator Actions per RPV Control EOP with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-44 Westinghouse Non-Proprietary Class 3

[

]a,c 3.27.5 Summary of Diverse Features from PPS

[

]a,c 3.27.6 Conclusion

[

]a,c 3.28 EVENT: 15.4.7 MISPLACED BUNDLE ACCIDENT The accident discussed in this section is the improper loading of a fuel bundle and subsequent operation of the core. Three errors must occur for this accident to take place in the initial core loading. First, a bundle must be loaded into a wrong location in the core. Second, the bundle which was supposed to be loaded where the mis-location occurred would have to be overlooked and also put in an incorrect location.

Third, the misplaced bundles would have to be overlooked during the core verification performed following initial core loading. This event is categorized as an infrequency incident.

3.28.1 Sequence of Events (UFSAR Table 15.4-5)

1. During core loading operation, bundle is placed in the wrong location.
2. Subsequently, the bundle intended for this location is placed in the location of the previous bundle.
3. During core verification procedure, error is not observed.
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-45 Westinghouse Non-Proprietary Class 3

4. Plant is brought to full power operation without detecting misplaced bundle.
5. Plant continues to operate.

3.28.2

[

]a,c

[

]a,c 3.28.3 EOP Entry Conditions

[

]a,c 3.28.4 Operator Actions

[

]a,c 3.28.5 Summary of Diverse Features from PPS

[

]a,c 3.28.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-46 Westinghouse Non-Proprietary Class 3 3.29 EVENT: 15.4.9 CONTROL ROD DROP ACCIDENT Causes of the control rod drop accident is described in the Sequence of Events table below. This event is classified as a Limiting Fault (DBA).

3.29.1 Sequence of Events (GESTAR II, NEDO-24011-A-16-US (Reference 8),

Table S.2.2.3.1.1)

Approximate Elapsed Time, seconds Event Reactor is at a control rod pattern corresponding to maximum increment rod worth.

Rod pattern control systems (Rod Worth Minimizer, Rod Sequence Control System, or Rod Pattern Controller) or operators are functioning within constraints of Banked Position Withdrawal Sequence (BPWS). The control rod that will result in the maximum incremental reactivity worth addition at any time in core life under any operating condition while employing the BPWS becomes decoupled from the control rod drive.

Operator selects and withdraws the drive of the decoupled rod - along with the other required control rods assigned to the Banked position group such that the proper core geometry for the maximum incremental rod worth exists.

Decoupled control rod sticks in the fully inserted position.

0 Control rod becomes unstuck and drops at the maximum velocity determined from experimental data (3.11 fps).

1 Reactor goes on a positive period and initial power burst is <1 sec. terminated by the Doppler reactivity feedback.

5

    • Scram terminates accident.**

3.29.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-47 Westinghouse Non-Proprietary Class 3 3.29.3 EOP Entry Conditions

[

]a,c 3.29.4 Operator Actions

[

]a,c 3.29.5 Summary of Diverse Features from PPS

[

]a,c 3.29.6 Conclusion

[

]a,c 3.30 EVENT: 15.5.1 INADVERTENT HPCI START This transient is not possible with an assumed CCF of the PPS which initiates and controls HPCI. Refer to Section 0 for an analysis of spurious initiation of HPCI.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-48 Westinghouse Non-Proprietary Class 3 3.31 EVENT: 15.6.2 INSTRUMENT LINE BREAK This accident involves the postulation of a small steam or liquid line pipe break inside or outside primary containment but within a controlled release structure. In order to bound the accident, it is assumed that a small instrument line, instantaneously and circumferentially, breaks at a location where it may not be able to be isolated and where immediate detection is not automatic or apparent. This event is classified as a Limiting Fault (DBA).

3.31.1 Sequence of Events (UFSAR Table 15.6-1)

TIME EVENT 0

Instrument line fails 0-10 min Identification of break 10 min

    • Activate SBGTS** and initiate orderly shutdown 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> Reactor vessel depressurized and break flow terminated 3.31.2

[

]a,c

[

]a,c 3.31.3 EOP Entry Conditions

[

]a,c 3.31.4 Operator Actions with postulated PPS CCF

[

]a,c 3.31.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-49 Westinghouse Non-Proprietary Class 3

[

]a,c 3.31.6 Conclusion

[

]a,c 3.32 EVENT: 15.6.4 STEAM SYSTEM PIPE BREAK OUTSIDE PRIMARY CONTAINMENT This accident involves the postulation of a large steam line pipe break outside primary containment. It is assumed that the largest steam line instantaneously and circumferentially breaks at a location downstream of the outermost isolation valve. This event is classified as a Limiting Fault (DBA).

3.32.1 Sequence of Events (UFSAR Table 15.6-8)

TIME (sec)

EVENT 0

Guillotine break of one main steam line outside primary containment.

1.0 (approx)

    • High steam line flow signal initiates closure of MSIV.**

< 1.5

6.0

    • MSIVs fully closed.**

60.0 (approx)

    • Reactor Core Isolation Cooling (RCIC) and HPCI initiate on low water level (Level 2) (RCIC considered unavailable**, HPCI assumed single failure and therefore may not be available).

60.0 (approx)

SRVs open on high vessel pressure. The valves open and close to maintain vessel pressure at approximately 1170 psi.

1780 (approx)

Low water level (Level 1) reached. **Low pressure ECCS receives signal to start. ADS logic is initiated.**

1900 (approx)

    • High drywell pressure bypass timer and ADS timer "timed out". ADS starts.** Vessel depressurizes.
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-50 Westinghouse Non-Proprietary Class 3 TIME (sec)

EVENT 2100 (approx)

    • Low pressure ECCS begin injection.** Core partially uncovers.

2160 (approx)

Core effectively reflooded and clad temperature heatup terminated. No fuel rod failure.

3.32.2

[

]a,c

[

]a,c 3.32.3 EOP Entry Conditions

[

]a,c 3.32.4 Summary of Relevant Operator Actions per EOPs with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-51 Westinghouse Non-Proprietary Class 3

[

]a,c 3.32.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-52 Westinghouse Non-Proprietary Class 3 3.32.6 Conclusion

[

]a,c 3.33 EVENT: 15.6.5 LOCA INSIDE CONTAINMENT This accident involves the postulation of a spectrum of piping breaks inside containment varying in size, type, and location. The break type includes steam and/or liquid process system lines. The accident is analyzed quantitatively in LGS UFSAR Sections 6.3, 6.2, 7.3, 7.6, and 8.3. The most severe nuclear system effects and the greatest release of radioactive material to the containment result from a complete circumferential break of one of the two recirculation loops. This event is classified as a Limiting Fault (DBA).

3.33.1 Sequence of Events (UFSAR Table 6.3-2)

Note: Feedwater flow was assumed to be terminated at the beginning of this event.

TIME (sec)

EVENTS 0

Design basis Loss of Coolant Accident (LOCA) is assumed to start; normal auxiliary power is assumed to be lost.

<1

    • Drywell high pressure is reached. Scram initiated; HPCI is signaled to start, and containment isolates**, except for the MSIVs.

~1

    • Reactor Low Water Level (Level 3) is reached. The second scram initiation signal is received.**

~4

    • Reactor low-low water level (Level 2) is reached. HPCI receives the second signal to start.**

~ 5

    • The reactor low-low-low water level (Level 1) is reached; MSIVs are signaled to close; the signal to start LPCI and CS is given.**

~ 25

    • Reactor low pressure is reached. CS and LPCI receive the second signal to start. CS injection valve receives pressure permissive signal to open.**
      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-53 Westinghouse Non-Proprietary Class 3 TIME (sec)

EVENTS 54

    • The CS pumps are at rated flow and the CS injection valves are open, which completes the CS system startup.**

70

    • The LPCI pumps are at rated flow and the LPCI injection valves are open, which completes the LPCI system startup.**

~ 130 The core is effectively reflooded, assuming the worst single failure; heatup is terminated.

>10 min The operator shifts to containment cooling.

3.33.2

[

]a,c

[

]a,c 3.33.3 EOP Entry Conditions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-54 Westinghouse Non-Proprietary Class 3 3.33.4 Summary of Relevant Operator Actions per RPV Control and Primary Containment Control EOPs with postulated PPS CCF

[

]a,c 3.33.5 Summary of Diverse Features from PPS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-55 Westinghouse Non-Proprietary Class 3

[

]a,c

  • From 6.3.2.5 of UFSAR (Reference 7):

Certain technical specification LCO periods are justified based on NEDO-24708A which states that for postulated LOCAs, one low pressure ECCS (one LPCI loop or one CS loop) and ADS to depressurize is adequate to reflood the vessel and maintain core cooling sufficient to preclude fuel damage. NEDC-30936P-A, specifically applicable to LGS references NEDO-24708A and reaffirms this conclusion, with the advisory regarding the possible necessity of an alternate cooling path following 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of post large-break LOCA LPCI injection into the core shroud.

[

]a,c 3.33.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-56 Westinghouse Non-Proprietary Class 3

[

]a,c 3.34 EVENT: 15.6.5 LOCA INSIDE CONTAINMENT-MAIN STEAM LINE BREAK This accident involves the postulation of a main steam line break inside the primary containment, between the RPV nozzle to the main steam flow restrictor. This event is classified as a Limiting Fault (DBA).

3.34.1 Sequence of Events (UFSAR Table 6.2-16)

TIME (sec)

EVENTS 0

Break occurs.

0

    • Scram assumed to occur.**

0

    • Isolation signal.**

0.5

    • MSIVs start to close. **

1.0 Vessel water level reaches main steam line elevation.

5.5

    • MSIV fully closed.**

30

    • ECCS flow starts.**

59 End of blowdown.

430 Vessel refloods.

3.34.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-57 Westinghouse Non-Proprietary Class 3 3.34.3 EOP Entry Conditions

[

]a,c 3.34.4 Summary of Relevant Operator Actions per RPV Control and Primary Containment Control EOPs with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-58 Westinghouse Non-Proprietary Class 3 3.34.5 Summary of Diverse Features from PPS

[

]a,c

  • From 6.3.2.5 of UFSAR (Reference 7):

Certain technical specification LCO periods are justified based on NEDO-24708A which states that for postulated LOCAs, one low pressure ECCS (one LPCI loop or one CS loop) and ADS to depressurize is adequate to reflood the vessel and maintain core cooling sufficient to preclude fuel damage. NEDC-30936P-A, specifically applicable to LGS references NEDO-24708A and reaffirms this conclusion, with the advisory regarding the possible necessity of an alternate cooling path following 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of post large-break LOCA LPCI injection into the core shroud.

3.34.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-59 Westinghouse Non-Proprietary Class 3

[

]a,c 3.35 EVENT: 15.6.6 FEEDWATER LINE BREAK OUTSIDE PRIMARY CONTAINMENT The postulated break of the feedwater line, representing the largest liquid line outside primary containment, provides the envelope evaluation relative to this type of occurrence. The break is assumed to be instantaneous, circumferential, and upstream of the outermost isolation valve. This event is classified as a Limiting Fault (DBA).

3.35.1 Sequence of Events (UFSAR Table 15.6-23)

TIME (min)

EVENT 0

One feedwater line breaks.

0+

Feedwater line check valves isolate the reactor from the break.

< 0.5

    • At low water level (Level 3), reactor scram would initiate. At low-low water (Level 2), HPCI would initiate, RCIC would initiate, and recirculation pumps would trip. If low-low-low water level (Level 1) is reached, MSIV closure begins, and CS and LPCI receive initiation signals but will not inject due to high reactor pressure.**

2 (approx.)

The MSRVs would open and close and maintain the reactor vessel pressure at approximately 1170 psig.

60 - 120 Normal reactor cooldown procedure established.

3.35.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-60 Westinghouse Non-Proprietary Class 3 3.35.3 EOP Entry Conditions

[

]a,c 3.35.4 Summary of Relevant Operator Actions per RPV Control and Secondary Containment Control EOPs with postulated PPS CCF

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-61 Westinghouse Non-Proprietary Class 3 3.35.5 Summary of Diverse Features from PPS

[

]a,c 3.35.6 Conclusion

[

]a,c 3.36 EVENT: 15.7.1.1 MAIN CONDENSER OFFGAS TREATMENT SYSTEM FAILURE A failure of the main condenser Offgas Treatment System is postulated to occur. This event is categorized as a Limiting Fault.

3.36.1 Sequence of Events (UFSAR Table 15.7-1)

TIME (sec)

EVENT 0.0 Event begins - system fails.

0.0 Noble gases are released.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-62 Westinghouse Non-Proprietary Class 3

<60 Area radiation alarms alert plant personnel.

<60 Operator actions begin with:

a. Initiation of appropriate system isolations.
b. Manual scram actuation.
c. Assurance of reactor shutdown cooling.

3.36.2

[

]a,c

[

]a,c 3.36.3 EOP Entry Conditions

[

]a,c 3.36.4 Operator Actions per RPV Control EOPs with postulated PPS CCF

[

]a,c 3.36.5 Summary of Diverse Features from PPS

[

]a,c 3.36.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-63 Westinghouse Non-Proprietary Class 3 3.37 EVENT: 15.7.1.2 MALFUNCTION OF MAIN TURBINE GLAND SEALING SYSTEM It is assumed that the turbine gland seal system fails, resulting in activity release in the turbine building and a slow loss of main condenser vacuum due to air in-leakage. This event is categorized as a Limiting Fault.

3.37.1 Sequence of Events It is assumed that the system fails near the condenser. This results in activity normally processed by the Offgas treatment system being discharged directly to the turbine enclosure and subsequently through the ventilation system to the environment.

3.37.2

[

]a,c

[

]a,c 3.37.3 EOP Entry Conditions

[

]a,c 3.37.4 Operator Actions

[

]a,c 3.37.5 Summary of Diverse Features from PPS

[

]a,c 3.37.6 Conclusion

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-64 Westinghouse Non-Proprietary Class 3 3.38 EVENT: 15.7.1.3 FAILURE OF STEAM JET AIR EJECTOR LINES It is postulated that the line leading from the steam jet air ejector to the Offgas Treatment System fails.

This event is categorized as a Limiting Fault.

3.38.1 Sequence of Events This failure results in activity normally processed by the Offgas treatment system being discharged directly to the turbine enclosure and subsequently through the ventilation system to the environment.

3.38.2

[

]a,c

[

]a,c 3.38.3 EOP Entry Conditions

[

]a,c 3.38.4 Operator Actions

[

]a,c 3.38.5 Summary of Diverse Features from PPS

[

]a,c 3.38.6 Conclusion

[

]a,c 3.39 EVENT: 15.7.2 LIQUID RADIOACTIVE WASTE SYSTEM FAILURE This event requires no PPS monitoring and actuations and thus, requirement for diverse instrumentation and controls are not analyzed.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-65 Westinghouse Non-Proprietary Class 3 3.40 EVENT: 15.7.3 POSTULATED RADIOACTIVE RELEASES DUE TO LIQUID RADWASTE TANK FAILURE This event requires no PPS monitoring and actuations and thus, requirement for diverse instrumentation and controls are not analyzed.

3.41 EVENT: 15.7.4 FUEL HANDLING ACCIDENT The fuel handling accident is assumed to occur as a consequence of a failure of the fuel assembly lifting mechanism resulting in the dropping of a raised fuel assembly onto other fuel bundles. A variety of events that qualify for the class of accidents termed fuel handling accidents has been investigated. The accident that produces the largest number of failed spent fuel rods is the drop of a spent fuel bundle and the fuel grapple assembly of the refueling platform into the reactor core when the reactor vessel head is off. The fuel grapple assembly consists of a telescopic mast and head assembly. This event is classified as a Limiting Fault (DBA).

3.41.1 Sequence of Events (UFSAR Table 15.7-15)

TIME (minute)

EVENT 0.0 Fuel assembly is being handled by refueling equipment. The fuel assembly and fuel grapple assembly drop onto the top of the core.

0.0 Some of the fuel rods in both the dropped assembly and reactor core are damaged, resulting in the release of gaseous fission products to the reactor coolant and eventually to the refueling area atmosphere.

<1 The refueling area ventilation radiation monitoring system alarms to alert plant personnel.

<5 Operator actions begin.

3.41.2

[

]a,c

[

]a,c 3.41.3 EOP Entry Conditions

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-66 Westinghouse Non-Proprietary Class 3 3.41.4 Operator Actions

[

]a,c 3.41.5 Summary of Diverse Features from PPS

[

]a,c 3.41.6 Conclusion

[

]a,c 3.42 EVENT: 15.7.5 SPENT FUEL CASK-DROP ACCIDENT This event requires no PPS monitoring and actuations and thus, requirement for diverse instrumentation and controls are not analyzed.

3.43 EVENT: 15.7.6 MOVEMENT OF LOADS WITHOUT SECONDARY CONTAINMENT This event requires no PPS monitoring and actuations and thus, requirement for diverse instrumentation and controls are not analyzed.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-67 Westinghouse Non-Proprietary Class 3 3.44 EVENT: 15.7.8 ANTICIPATED TRANSIENTS WITHOUT SCRAM RRCS is the system for Anticipated Transient Without Scram (ATWS) mitigation and is completely independent, diverse, and separate from PPS, although some sensors are shared as permitted by 10 CFR 50.62. Specific sensor signals are hardwired into PPS and split to RRCS, prior to the PPS analog input modules. Thus, a postulated CCF in PPS will not affect the operability of RRCS.

3.45

SUMMARY

OF REQUIRED DPS CONTROLS The following Table 3-1 summarizes the required DPS controls needed to cope with the CCF scenarios analyzed in this section.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-68 Westinghouse Non-Proprietary Class 3 Table 3-1. Summary of Required DPS Controls a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-69 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-70 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-71 Westinghouse Non-Proprietary Class 3 3.46

SUMMARY

OF DIVERSE INDICATIONS WITH PLANT IDENTIFIERS The following table provides the summary list of diverse displays needed to cope with the CCF scenarios in this section along with the LGS identifier for the indication. The table cross references the LGS UFSAR Chapter 15 events calling out these diverse indications for coping with a PPS CCF. Bold, underlined, and italicized texts for in the Device Tag # column of the table indicates instruments that need to be shared from PPS.

The use of

  • indicates 1 for Limerick Unit 1 or 2 for Unit 2 tag numbers.

In Table 3-2, certain sensors are indicated as To be shared from PPS. These sensors are shared from the PPS, using 1E qualified isolators for electrical separation. They are analog sensors, so a CCF of the sensors is not considered. The sensor signals may be displayed on the DPS HMI screens, and thus their entries in the Instrument Tag # and Panel # Location columns are blanked.

Table 3-2. Diverse Indications Summary a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-72 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-73 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-74 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-75 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-76 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-77 Westinghouse Non-Proprietary Class 3 a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 3-78 Westinghouse Non-Proprietary Class 3 (Last Page of Section 3) a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-1 Westinghouse Non-Proprietary Class 3 SECTION 4 BTP 7-19 POSITION 4 DISPLAYS AND CONTROLS This is the 2nd analysis for D3 CCF described in Section 1. Position 4 of the NRCs position on D3 in SRM/SECY-93-087 and BTP 7-19 states that the applicant shall provide a set of displays and controls in the Main Control Room (MCR) for manual system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. This section defines the Position 4 diverse controls and displays for the critical safety functions.

BTP 7-19 Section 1.2, Position 4 states the following:

A set of displays and controls located in the main control room shall be provided for manual, system-level actuation of critical safety functions and monitoring of parameters that support the safety functions. The displays and controls shall be independent and diverse from the safety computer system identified in items 1 and 3 above.

SECY-93-0087 identified the following critical safety functions to be managed from the MCR in accordance with Position 4:

reactivity control core heat removal reactor coolant inventory containment isolation containment integrity Each of these critical safety functions are examined, and diverse controls to achieve each critical safety function and displays to monitor the performance of these functions from the main control room are defined. [

]a,c 4.1 REACTIVITY CONTROL The normal reactivity controls in the BWR are the reactor manual rod control system and the reactor recirculation system. Both systems are non-safety related systems that provide for reactivity control for plant startup, normal power operation, and plant shutdown. The Reactor Protection System (RPS) provides automatic shutdown of the reactor to rapidly insert all control rods, when one or more monitored parameters exceed their trip setpoints. The existing Neutron Monitoring System (NMS) is diverse from PPS and provides reactivity monitoring including core stability monitoring, and trip outputs to RPS, one of the functions of PPS.

4.1.1 Position 4 Controls

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-2 Westinghouse Non-Proprietary Class 3

[

]a,c 4.1.2 Position 4 Displays

[

]a,c 4.2 CORE HEAT REMOVAL In normal plant operation after a reactor shutdown, the core decay heat is removed by using the DEHC manual or automatic cool down function by manipulation of the turbine bypass valves discharging steam to the main condenser, when the reactor is at high pressure. If the reactor is isolated from the main condenser heatsink, depressurization and cool down may be performed by manual operation of the SRVs discharging steam to the suppression pool, with heat removal performed by RHR suppression pool cooling at the main control room. Cool down is performed by depressurizing the reactor to achieve a cool down rate less than 100°F/h. When reactor pressure decreases below 75 psig, the RHR Shutdown Cooling Mode can be placed into operation at the PPS. The DFWLCS operates automatically to maintain water level during this cool down process. If the feedwater system is not available, RCIC can be used for reactor coolant makeup during the cool down. When the RHR SDC interlock pressure is clear, the RHR can be used to maintain the reactor at hot shutdown condition or go to cold shutdown conditions.

In accordance with UFSAR 5.4.7.1.1.1, the reactor can be cooled down using the capacity of a single RHR heat exchanger and related RHR Service Water (RHRSW) system capability. Figure 5.4-12 of the UFSAR shows the minimum time required to reduce vessel coolant temperature to 212°F using one RHR heat exchanger in the shutdown cooling mode and allowing 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for flushing.

Note that diverse features outside of the main control room for decay heat removal exist at the Remote Shutdown Panel. These features include controls for shutdown cooling with one loop of RHR and associated RHR cooling water, control of three SRVs for reactor depressurization, and control of reactor inventory using RCIC.

4.2.1 Position 4 Controls

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-3 Westinghouse Non-Proprietary Class 3

[

]a,c 4.2.2 Position 4 Displays

[

]a,c 4.3 REACTOR COOLANT INVENTORY In normal reactor power operation, DFWLCS, through modulation of the feedpump turbine speed, provides reactor coolant inventory control when steam is available to drive the feedpump turbines. If the feedpump turbines are not available the condensate pumps are available to inject water into the reactor when reactor pressure is less than the shutoff head of these pumps, approximately 680 psig. If these systems are not available, HPCI and RCIC can provide makeup to the reactor at high pressure. With ADS, the reactor can be depressurized to allow operation of the condensate pumps at reactor pressure less than approximately 680 psig, and also to allow Core Spray and RHR LPCI mode to inject water into the reactor.

UFSAR 6.3.2.5 states the following:

Certain technical specification LCO periods are justified based on NEDO-24708A which states that for postulated LOCAs, one low pressure ECCS (one LPCI loop or one CS loop) and ADS to depressurize is adequate to reflood the vessel and maintain core cooling sufficient to preclude fuel damage.

NEDC-30936P-A, specifically applicable to LGS references NEDO-24708A and reaffirms this conclusion, with the advisory regarding the possible necessity of an alternate cooling path following 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of post large-break LOCA LPCI injection into the core shroud.

The capability to manually initiate one loop of CS, and manual opening of the five ADS SRVs as diverse features at the main control room, has been identified in the Chapter 15 coping analyses.

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-4 Westinghouse Non-Proprietary Class 3 4.3.1 Position 4 Controls

[

]a,c 4.3.2 Position 4 Displays

[

]a,c 4.4 CONTAINMENT ISOLATION There are numerous conditions that isolate the reactor and containment penetrations. UFSAR Table 6.2-17 provides a list of the isolation valves, automatic isolation conditions, valve tag numbers, etc.

The NSSSS automatically closes specific isolation valves upon specific conditions in the reactor or containment. The purposes of isolation are to limit coolant loss and to limit radioactivity release to the secondary containment (reactor enclosure) and to the environment. Upon secondary containment isolation, the safety-related Standby Gas Treatment System limits the release to an acceptable level.

4.4.1 Position 4 Controls - Primary Containment

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-5 Westinghouse Non-Proprietary Class 3

[

]a,c 4.4.2 Position 4 Controls - Secondary Containment (Reactor Enclosure)

[

]a,c 4.4.3 Position 4 Displays

[

]a,c 4.5 CONTAINMENT INTEGRITY USFAR 6.2.1.1.3.3.1.3 Assumptions for Long-Term Cooling, states that after the DBA blowdown period, flow from one RHR pump can be actuated for containment cooling, and that containment spray need not be actuated at all to keep the containment pressure below the containment design pressure. Analytically, no credit may be assumed for containment cooling earlier than 10 minutes after the accident and cooling

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-6 Westinghouse Non-Proprietary Class 3 is assumed to begin at 10 minutes. However, containment cooling will be initiated in accordance with plant emergency operating procedures based upon plant conditions.

4.5.1 Position 4 Controls

[

]a,c 4.5.2 Position 4 Displays

[

]a,c 4.6

SUMMARY

OF POSITION 4 DIVERSE CONTROLS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-7 Westinghouse Non-Proprietary Class 3

[

]a,c 4.7

SUMMARY

OF DIVERSE POSITION 4 DISPLAYS

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-8 Westinghouse Non-Proprietary Class 3

[

]a,c

4.8 CONCLUSION

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 4-9 Westinghouse Non-Proprietary Class 3

[

]a,c (Last Page of Section 4)

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-1 Westinghouse Non-Proprietary Class 3 SECTION 5 CCF SPURIOUS ACTUATION ANALYSIS As described in Section 1, this is the third of three analyses to assess the adequacy of the LGS plant defense in depth and diversity to cope with a PPS spurious actuation due to a CCF.

The LGS design basis assumes manual actuations are not required for 10 minutes after a postulated accident (PA) commences (e.g., LGS UFSAR Chapter 7.5.2.4.1, Initial Accident Event). [

]a,c BTP 7-19 introduces the concept of PPS spurious actuation due to a CCF. A PPS spurious actuation is considered an event initiator rather than a failure to respond to a FSAR Accident Analysis event. [

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-2 Westinghouse Non-Proprietary Class 3 Figure 5-1. [

]a,c

[

]a,c For spurious initiations of HPCI, or LPCI, or CS at low RPV pressure conditions, the RPV will overfill and flood the main steam lines. The acceptability of the overfill condition was evaluated under Generic Letter 89-19 and USI A-47 (Reference 37) from the NRC. For Limerick the evaluation results were captured in the UFSAR and the operation procedure OT-110 (Reference 11) which addressed reactor vessel overfill. The analysis was submitted to the NRC as part of the required response to Generic Letter 89-19 in 1990. For Limerick, evaluation of this issue was performed, and the results were used to revise the UFSAR and to develop the actions for the operation procedure OT-110 (Reference 11).

Similar to the format for the CCF coping analysis in Section 3, the follow legend is used:

1. Initiating event description.

[

]a,c

5. Summary of diverse indications available in the current plant design. [

]a,c a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-3 Westinghouse Non-Proprietary Class 3

6. Scenario summary.

The LGS design basis assumes manual actuations are not required for 10 minutes after a postulated accident (PA) commences (e.g., LGS UFSAR Chapter 7.5.2.4.1, Initial Accident Event).

5.1

[

]a,c

[

]a,c 5.1.1

[

]a,c

[

]a,c 5.1.2

[

]a,c

[

]a,c 5.1.3

[

]a,c

[

]a,c 5.1.4

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-4 Westinghouse Non-Proprietary Class 3 5.1.5

[

]a,c

[

]a,c 5.1.6

[

]a,c

[

]a,c 5.2

[

]a,c

[

]a,c 5.2.1

[

]a,c

[

]a,c 5.2.2

[

]a,c

[

]a,c 5.2.3

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-5 Westinghouse Non-Proprietary Class 3 5.2.4

[

]a,c

[

]a,c 5.2.5

[

]a,c

[

]a,c 5.2.6

[

]a,c

[

]a,c 5.3

[

]a,c

[

]a,c 5.3.1

[

]a,c

[

]a,c 5.3.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-6 Westinghouse Non-Proprietary Class 3

[

]a,c 5.3.3

[

]a,c

[

]a,c 5.3.4

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-7 Westinghouse Non-Proprietary Class 3 5.3.5

[

]a,c

[

]a,c 5.3.6

[

]a,c

[

]a,c 5.4

[

]a,c

[

]a,c 5.4.1

[

]a,c

[

]a,c 5.4.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-8 Westinghouse Non-Proprietary Class 3 5.4.3

[

]a,c

[

]a,c 5.4.4

[

]a,c

[

]a,c 5.4.5

[

]a,c

[

]a,c 5.4.6

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-9 Westinghouse Non-Proprietary Class 3

[

]a,c 5.5

[

]a,c

[

]a,c 5.5.1

[

]a,c

[

]a,c 5.5.2

[

]a,c

[

]a,c 5.5.3

[

]a,c

[

]a,c 5.5.4

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-10 Westinghouse Non-Proprietary Class 3

[

]a,c 5.5.5

[

]a,c

[

]a,c 5.5.6

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-11 Westinghouse Non-Proprietary Class 3 5.6

[

]a,c

[

]a,c 5.6.1

[

]a,c

[

]a,c 5.6.2

[

]a,c

[

]a,c 5.6.3

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-12 Westinghouse Non-Proprietary Class 3

[

]a,c 5.6.4

[

]a,c

[

]a,c 5.6.5

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-13 Westinghouse Non-Proprietary Class 3

[

]a,c 5.6.6

[

]a,c

[

]a,c 5.7

[

]a,c

[

]a,c 5.7.1

[

]a,c

[

]a,c 5.7.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-14 Westinghouse Non-Proprietary Class 3 5.7.3

[

]a,c

[

]a,c 5.7.4

[

]a,c

[

]a,c 5.7.5

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-15 Westinghouse Non-Proprietary Class 3

[

]a,c 5.7.6

[

]a,c

[

]a,c 5.8

[

]a,c

[

]a,c 5.8.1

[

]a,c

[

]a,c 5.8.2

[

]a,c

[

]a,c 5.8.3

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-16 Westinghouse Non-Proprietary Class 3 5.8.4

[

]a,c

[

]a,c 5.8.5

[

]a,c

[

]a,c 5.8.6

[

]a,c

[

]a,c 5.9

[

]a,c

[

]a,c 5.9.1

[

]a,c

[

]a,c 5.9.2

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-17 Westinghouse Non-Proprietary Class 3

[

]a,c 5.9.3

[

]a,c

[

]a,c 5.9.4

[

]a,c

[

]a,c 5.9.5

[

]a,c

[

]a,c 5.9.6

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-18 Westinghouse Non-Proprietary Class 3

[

]a,c 5.10

[

]a,c

[

]a,c 5.10.1

[

]a,c

[

]a,c 5.10.2

[

]a,c

[

]a,c 5.10.3

[

]a,c

[

]a,c 5.10.4

[

]a,c

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 5-19 Westinghouse Non-Proprietary Class 3 5.10.5

[

]a,c

[

]a,c 5.10.6

[

]a,c

[

]a,c 5.11

[

]a,c

[

]a,c 5.12

[

]a,c

[

]a,c (Last Page of Section 5)

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 6-1 Westinghouse Non-Proprietary Class 3 SECTION 6 DIVERSITY ATTRIBUTES BETWEEN PPS AND DCS This section describes the diversity attributes between the PPS and the DCS which are credited for diverse backup to required functions to cope with the CCF scenarios. DCS include the RRCS, DPS, and the Diverse Non-Safety System Interface indicated in Figure 6-1. The attribute categories are from NUREG-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems (Reference 19). The diversity attributes are:

Human Diversity Design Diversity Software Diversity Functional Diversity Signal Diversity Equipment Diversity 6.1 HUMAN DIVERSITY

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 6-2 Westinghouse Non-Proprietary Class 3

[

]a,c 6.2 DESIGN DIVERSITY

[

]a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 6-3 Westinghouse Non-Proprietary Class 3 Figure 6-1. PPS and DCS Architectures a,c

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis WNA-AR-01074-GLIM-NP, Rev. 1 6-4 Westinghouse Non-Proprietary Class 3 6.3 SOFTWARE DIVERSITY

[

]a,c 6.4 FUNCTIONAL DIVERSITY

[

]a,c 6.5 SIGNAL DIVERSITY

[

]a,c 6.6 EQUIPMENT DIVERSITY

[

]a,c (Last Page of Section 6)

      • This record was final approved on 2/10/2022, 4:01:40 PM. (This statement was added by the PRIME system upon its validation)

WNA-AR-01074-GLIM-NP Revision 1 Non-Proprietary Class 3

    • This page was added to the quality record by the PRIME system upon its validation and shall not be considered in the page numbering of this document.**

Approval Information Author Approval Tang Calvin K Feb-09-2022 16:24:21 Reviewer Approval Tuite Terrence Feb-09-2022 19:21:44 Reviewer Approval Pietryka Thomas S Feb-10-2022 08:43:01 Verifier Approval Odess Gillett Warren Feb-10-2022 10:08:13 Verifier Approval Solmos Matthew Feb-10-2022 14:48:49 Manager Approval Pantis William G Feb-10-2022 16:01:40 Files approved on Feb-10-2022

ATTACHMENT 3 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION -

WITHHOLD UNDER 10 CFR 2.390 Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353 Limerick Generating Station Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-P, Rev 1

Retrieved from "https://kanterella.com/w/index.php?title=ML22046A074&oldid=5454189"