RA-23-0008, Request for Exemption from Certain Requirements in 10 CFR 50.55a(h)(2) Using Risk-Informed Process for Evaluations

From kanterella
(Redirected from ML24037A284)
Jump to navigation Jump to search

Request for Exemption from Certain Requirements in 10 CFR 50.55a(h)(2) Using Risk-Informed Process for Evaluations
ML24037A284
Person / Time
Site: Harris Duke Energy icon.png
Issue date: 02/06/2024
From: Kidd C
Duke Energy Progress
To:
Office of Nuclear Reactor Regulation, Document Control Desk
References
RA-23-0008
Download: ML24037A284 (1)
v  d  e


Text

Chad Kidd General Manager - Nuclear Engineering Harris Nuclear Plant 5413 Shearon Harris Rd New Hill, NC 27562-9300 984.229.3140 10 CFR 50.12 February 6, 2024 Serial: RA-23-0008 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 Shearon Harris Nuclear Power Plant, Unit 1 Docket No. 50-400 Renewed License No. NPF-63

Subject:

Request for Exemption from Certain Requirements in 10 CFR 50.55a(h)(2) using Risk-Informed Process for Evaluations Ladies and Gentlemen:

In accordance with the provisions of 10 CFR 50.12, Specific Exemptions, Duke Energy Progress, LLC (Duke Energy), is submitting a request for a limited exemption from the requirements of 10 CFR 50.55a(h)(2), Protection systems, requiring protection systems meet the requirements of IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, for the Shearon Harris Nuclear Power Plant, Unit 1 (HNP). Specifically, the exemption request would remove the requirement for the Reactor Protection System (RPS) cables that terminate within the Turbine Control System (TCS) Cabinet G (1TCS-CAB-G) meet the IEEE 279-1971 Section 4.6, Channel Independence, requirement that the cables be independent and physically separated. Application of the regulation in this circumstance would not serve the underlying purpose of the rule and is not necessary to achieve the underlying purpose of the rule. This exemption request is addressing a green finding and associated non-cited violation of 10 CFR 50 Appendix B, Criterion III, "Design Control" for "Treatment of Class 1E Interfaces and Interlocks with the Turbine Trip System (TTS) Design," documented in the Nuclear Regulatory Commissions (NRCs) Integrated Inspection Report dated November 10, 2022 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML22314A074).

HNP meets the criteria to utilize the Risk-Informed Process for Evaluations (RIPE) given the use of a technically acceptable Probabilistic Risk Assessment (PRA) model, as demonstrated by having an approved and implemented license amendment for Technical Specifications Task Force (TSTF) Traveler TSTF-505, Provide Risk-Informed Extended Completion Times -

RITSTF [Risk-Informed TSTF] Initiative 4b (ADAMS Accession No. ML21047A314) and a robust integrated decision-making panel (IDP), as demonstrated by implementation of an approved 10 CFR 50.69, Risk-informed categorization and treatment of structures, systems and components for nuclear power plants, license amendment (ADAMS Accession Numbers ML19192A012 and ML21316A248) and having completed all license conditions and implementation items associated with the amendment. HNP has also implemented an approved TSTF-425, Relocate Surveillance Frequencies to Licensee Control - RITSTF Initiative 5b,

U.S. Nuclear Regulatory Commission Serial: RA-23-0008 Page 2 of 2 program per Amendment 154 to the Renewed Facility Operating License (ADAMS Accession Number ML16200A285).

The enclosure to this letter provides a description and assessment of the proposed exemption utilizing RIPE, including the IDP final screening impact results and final risk evaluation for the proposed exemption.

The exemption request is permissible under 10 CFR 50.12 because it is authorized by law, will not present an undue risk to the public health and safety, is consistent with the common defense and security, and presents special circumstances.

In accordance with 10 CFR 50.91, a copy of this letter, with enclosure, is being provided to the designated North Carolina State Official.

This letter contains no regulatory commitments.

Please refer any questions regarding this submittal to Ryan Treadway, Director - Nuclear Fleet Licensing, at 980-373-5873.

Sincerely, Chad Kidd General Manager - Nuclear Engineering Harris Nuclear Plant

Enclosure:

Request for Exemption from Certain Requirements in 10 CFR 50.55a(h)(2) using the Risk-Informed Process for Evaluations cc:

P. Boguszewski, Senior NRG Resident Inspector, HNP L. Brayboy, Radioactive Materials Branch Manager, NC DHHS M. Mahoney, NRC Project Manager, HNP L. Dudes, NRC Regional Administrator, Region II

U.S. Nuclear Regulatory Commission Serial: RA-23-0008 Enclosure ENCLOSURE REQUEST FOR EXEMPTION FROM CERTAIN REQUIREMENTS IN 10 CFR 50.55A(H)(2)

USING THE RISK-INFORMED PROCESS FOR EVALUATIONS SHEARON HARRIS NUCLEAR POWER PLANT, UNIT 1 DOCKET NO. 50-400 RENEWED LICENSE NUMBER NPF-63 25 PAGES PLUS THE COVER

U.S. Nuclear Regulatory Commission Page 1 of 25 Serial: RA-23-0008 Enclosure

Subject:

Request for Exemption from Certain Requirements in 10 CFR 50.55a(h)(2) using the Risk-Informed Process for Evaluations 1.0

SUMMARY

DESCRIPTION In accordance with the provisions of 10 CFR 50.12, Specific Exemptions, Duke Energy Progress, LLC (Duke Energy), is submitting a request for a limited exemption from the requirements of 10 CFR 50.55a(h)(2), Protection systems, requiring protection systems meet the requirements of IEEE 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, for the Shearon Harris Nuclear Power Plant, Unit 1 (HNP). Specifically, the exemption request would remove the requirement for the Reactor Protection System (RPS) cables that terminate within the Turbine Control System (TCS) Cabinet G (1TCS-CAB-G) meet the IEEE 279-1971 Section 4.6, Channel Independence, requirement that the cables be independent and physically separated. Application of the regulation in this circumstance would not serve the underlying purpose of the rule and is not necessary to achieve the underlying purpose of the rule.

2.0 BACKGROUND

2.1 10 CFR 50.55a(h)(2) Requirements As provided in 10 CFR 50.55a(h)(2), protection systems of nuclear power reactors must meet the following requirements:

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements in IEEE Std 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," or the requirements in IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," or the requirements in IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or may meet the requirements of IEEE Std. 603-1991 and the correction sheet dated January 30, 1995.

The HNP Updated Final Safety Analysis Report (UFSAR, Agencywide Documents Access and Management System (ADAMS) Accession No. ML23118A141) reflects HNPs requirements to meet the IEEE 279-1971 edition of the standard.

2.2 IEEE 279-1971 The criteria provided in IEEE 279-1971 establish the minimum requirements for the safety-related functional performance and reliability of protection systems for nuclear power generating stations. Specifically, Section 4.6 regarding channel independence states:

Channels that provide signals for the same protective function shall be independent and physically separated to accomplish decoupling of the effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis, and to reduce the likelihood of interactions between channels during maintenance operations or in the event of channel malfunction.

U.S. Nuclear Regulatory Commission Page 2 of 25 Serial: RA-23-0008 Enclosure 2.3 Protection System Protection systems, as defined in IEEE 279-1971, include the electrical and mechanical devices and circuity (from sensors to actuation device input terminals) involved in generating the signals associated with the two protective functions defined below.

The Solid-State Protection System (SSPS) consists of:

a) Reactor Protection System (RPS) - The RPS generates signals that actuate reactor trip.

This system is part of the Reactor Trip System (RTS).

b) Engineered Safety Features Actuation System (ESFAS) - The ESFAS generates signals that actuate engineered safety features. This system is part of the Engineered Safety Features (ESF) System.

The Reactor Trip System acts to limit the consequences of American Nuclear Society (ANS)

Condition II events (faults of moderate frequency such as loss of feedwater flow) by, at most, a shutdown of the reactor and turbine. The plant is capable of returning to operation after corrective action is taken. The RTS limits plant operation to ensure that the reactor safety limits are not exceeded during ANS Condition II events and that these events can be accommodated without developing into more severe conditions.

The ESFAS acts to limit the consequences of ANS Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the Safety Injection System). It also acts to mitigate ANS Condition IV events (limiting faults which include the potential for significant release of radioactive material).

The original design of the HNP Turbine Control/Turbine Trip system design included the use of Class 1E cables routed in separate conduits to ensure separation per IEEE standards between SSPS/Reactor Trip Switchgear and the front standard of the main turbine. The cable termination box on the front standard of the main turbine (i.e., Terminal Box B) was the transition from Class 1E to non-Class 1E. The termination box and everything downstream were designed as non-safety and non-seismic. This design is consistent with standard industry practice and was accepted during original licensing actions across the industry. Westinghouse has maintained that these circuits are part of the RPS and are thus Class 1E even though they terminate at unqualified equipment and/or in non-seismic locations, such as in this case, the main turbine-generator set. Also, the turbine trip system power supply is non-Class 1E.

This original Westinghouse design standard was transmitted to Ebasco during HNP design and construction under letter CQL-8627 (Reference 9). In this letter, Westinghouse states that the installation of these Class 1E circuits should meet all of the criteria for Class 1E circuits that it is possible to meet and accept as fact that they are terminated in a non-seismic non-environmentally qualified and non-class 1E device. This position has been accepted by the NRC on other Westinghouse projects and will be defended by Westinghouse for Shearon Harris.

As a result of this letter, the circuit cables from the RPS to the turbine-generator set are treated/routed as train separated Class 1E circuit cables until they terminate at the non-Class 1E actuating device, which in this design is a termination box that connects the turbine-generator set to interfacing systems. Letter CQL-8627 was translated into the HNP UFSAR in

U.S. Nuclear Regulatory Commission Page 3 of 25 Serial: RA-23-0008 Enclosure section 8.3.1.2.30, which states [emphasis added]: Cables and conduits routed in non-Category I structures associated with safety related functions or anticipatory trips (i.e., turbine trip on reactor trip, reactor trip on turbine trip, loss of feedwater) are designed to meet IEEE Standard 279-1971 including redundancy, separation, and single failure criteria (see detailed description in Section 7.2.1.1.2). These circuits are designated as safety related and identified similar to the reactor protection system channels as described in Section 8.3.1.3. Separation of these circuits is maintained from other reactor trip circuits by routing each of these circuits independently in a separate conduit from the actuating device to the Reactor Protection System cabinet.

The initial turbine controls trip system was a series of contacts that directly fed the Auto Stop Trip (AST) solenoids that would depressurize the Digital Electro-Hydraulic (DEH) header and trip the turbine. These circuits were wired directly to the AST solenoid coils. These contacts included the turbine trip and all external trips wired in series and tied directly to the AST trip valves. Even though the entire turbine controls system was replaced, the circuits in question are related to the turbine trip system and therefore this discussion focuses only on the turbine trip system.

In 2017, a turbine controls modification installed a quadvoter system, which splits the trip circuit into three separate functions: ETT Trip (External Trip), SOPS Trip (Secondary Overspeed Trip),

and TVCS Trip (Turbine Valve Control System Trip). The ETT functions include Reactor Trips, Steam Generator Hi-Hi Level, Safety Injection actuation, and activation of the Anticipated Transient Without Scram (ATWS) Mitigating System Actuation Circuitry (AMSAC). The interconnection between these systems was not impacted by the modification. All cabling between these systems is original plant design.

New trip relays were installed to provide the trip function. This replaced the direct connection to the AST valves that previously existed. The new relays act as an interposing relay for the external trip circuits into the new quadvoter system and the contacts from the ETT circuit are wired in series with the TVCS and SOPS to provide the trip function. This configuration allowed all the existing cabling and interfaces for the reactor trip circuits to remain unchanged from the original configuration. The only difference is the trip function is now provided through an interposing relay. Splitting of this system into the three trip functions allowed the existing reactor trip functions to remain as originally designed and remove single point vulnerabilities in the anticipatory turbine trip.

2.4 Risk-Informed Process for Evaluations (RIPE)

The Nuclear Regulatory Commissions (NRCs) "Guidelines for Characterizing the Safety Impact of Issues," Revision 2 (Reference 2) describes the Risk-Informed Process for Evaluations (RIPE) as establishing a streamlined NRC review process for risk-informed exemption and amendment requests that have a minimal safety significance. These guidelines provide general guidance addressing how to characterize that the safety impact of proposed changes in plant design and operation have a minimal impact on safety. In electing to use RIPE, the risk associated with the proposed exemption or amendment request must be characterized in accordance with the NRC guidance document. These requests would be reviewed by the NRC staff using the streamlined process outlined in Temporary Staff Guidance (TSG) TSG-2021-01, Revision 3, "Risk-Informed Process for Evaluations" (Reference 3).

U.S. Nuclear Regulatory Commission Page 4 of 25 Serial: RA-23-0008 Enclosure RIPE is an approach that is acceptable to the NRC for developing a risk-informed application for an exemption request or license amendment request that applies risk insights, consistent with the guidance in Regulatory Guide (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 3 (Reference 10) and as applicable RG 1.177, Plant-Specific, Risk-Informed Decision-making: Technical Specifications, Revision 2 (Reference 11). It is intended to build on the expanded use of Probabilistic Risk Assessment (PRA) models for risk-informed initiatives and to benefit from the use of Integrated Decision-Making Panels (IDPs) that were developed as part of the implementation of 10 CFR 50.69, Risk-informed categorization and treatment of structures, systems and components for nuclear power plants.

The quantitative criteria outlined in Reference 2 for delineating if an issue is considered to have a minimal impact on safety, thus permitting use of RIPE, is provided below:

The issue contributes less than 1 x 10-7/year to core damage frequency (CDF).

The issue contributes less than 1 x 10-8/year to large early release frequency (LERF).

Cumulative risk is acceptable. Per Reference 2, cumulative risk is acceptable for the purposes of the RIPE guidance if baseline risk remains less than 1 x 10-4/year for CDF and less than 1 x 10-5/year for LERF once the impact of the proposed change is incorporated into baseline risk.

3.0 DETAILED DESCRIPTION 3.1 Reason for Proposed Exemption The NRC Integrated Inspection report for HNP from November 10, 2022 (Reference 1) includes documentation of a green finding and associated non-cited violation of Title 10 of the Code of Federal Regulations (10 CFR) Section 50 Appendix B, Criterion III, "Design Control" for "Treatment of Class 1E Interfaces and Interlocks with the Turbine Trip System (TTS) Design."

This violation is associated with the Mitigating Systems cornerstone and details a "failure to ensure independence between turbine control systems circuits and the trains of reactor protection (RPS) circuits."

As mentioned above, HNP modified the TTS in 2017. The November 2022 NRC inspection report notes that the modification treated the TTS functions and redundant circuits as non-class 1E (non-safety related electrical devices). Per the reviewed design, drawings, and walkdowns, the NRC determined the condition demonstrated the licensee did not maintain RPS independence from the TTS as specified by IEEE 384-1974, IEEE Trial-Use Standard Criteria for Separation of Class 1E Equipment and Circuits, as committed to by HNP in UFSAR Section 7.1.2.1.6, "Equipment protection." This resulted in the performance deficiency being:

The failure to ensure independence between turbine control system circuits and the trains of reactor protection system circuits in accordance with IEEE 279-1971, Section 4.6 "Independence" and the UFSAR Section 7.0, "Instrumentation and Controls.

By not meeting RPS independence, the licensee compromised the requirements for single failure and interactions between control and protection systems affecting the reliability of the RPS. As communicated by Atomic Energy Commission, where cables

U.S. Nuclear Regulatory Commission Page 5 of 25 Serial: RA-23-0008 Enclosure carrying electrically isolated control (non-protection) signals from redundant protection cabinets come together, electrically, and physically, at common points in the plant, an abnormal occurrence at a common point could produce adverse fault potentials or electrical interference on electrical cables. Thus, electromagnetic interference (high voltage or noise) could be transmitted back to the originating circuits in all redundant protection cabinets. In this event, despite electrical barriers, faults might bypass the barriers and be coupled into protection circuits because of their proximity to the fault-carrying non-protection (control) wiring.

Based on the violation received, Duke Energy is proposing a limited exemption in accordance with 10 CFR 50.12 from the requirements of 10 CFR 50.55a(h)(2) requiring protection systems meet the requirements of IEEE 279-1971 for HNP. Specifically, the exemption request would remove the requirement for the RPS cables that terminate within TCS cabinet 1TCS-CAB-G meet the IEEE 279-1971 Section 4.6 requirement that they be independent and physically separated, allowing HNP to maintain its current plant configuration. The safety-related protection trains remain fully capable of performing their intended design functions per IEEE 279-1971. Therefore, application of the regulation in this circumstance would not serve the underlying purpose of the rule and is not necessary to achieve the underlying purpose of the rule, which would be to decouple the effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis. This aligns with the special circumstance for specific exemptions afforded in 10 CFR 50.12(a)(2)(ii), allowing for the consideration of the HNP exemption by the NRC.

4.0 TECHNICAL EVALUATION

4.1 Supporting Qualitative Analysis The turbine trip logic has four control relays which provide the turbine trip interface. The SSPS system and RPS system are connected through these relays with closed isolated contacts. The RPS system uses redundant contacts (52a) from the reactor trip breaker. The cables and conduits for each of these circuits follow the separation criteria for all cable and conduit routes with the exception of Terminal Box B and TCS cabinet 1TCS-CAB-G. These boxes/cabinets are non-safety related based on original system design. In Terminal Box B, each of the four circuits are landed on separate terminals and are not electrically tied together. Once each of these four independent circuits reach 1TCS-CAB-G, one A train and one B train trip circuit are tied to a common power supply terminal in turbine trip channel 1 or channel 2. This is a non-safety box and a non-safety power supply. The isolation between the RPS and SSPS trains is a function of having isolated contacts in each of these systems. Although they are connected together at a common point in the TCS cabinet, the electrical isolation is provided at the RPS and SSPS cabinet. A failure of the power supply or associated cabling will not impact the SSPS or RPS system due to these isolated functions. A short circuit would result in the tripping of the non-safety power supply and a half trip of both the upper and lower quadvoters. The ability to trip the turbine would not be lost. RPS would still trip the turbine on a reactor trip. There is no plausible failure mode that would prevent tripping the turbine on a reactor trip. The worst case is a half trip if one channel is affected and turbine trip if both channels are affected. The main control board trip and local trip buttons are not within this circuit and are not affected. Therefore, this condition will have no adverse impact on SSPS, RPS, or the ability for RPS to trip the turbine on a reactor trip.

U.S. Nuclear Regulatory Commission Page 6 of 25 Serial: RA-23-0008 Enclosure 4.1.1 Electrical Anomaly Evaluation An evaluation was performed that focused on the potential for an electrical anomaly to occur at a common point within the TCS cabinet G and cause both trains of SSPS to become inoperable.

It was postulated that the electrical anomaly could couple to other cables and impact other circuits by either Electromagnetic Interference (EMI), electrical noise which causes a disturbance or undesired response in electrical circuits, equipment, or systems, or radio frequency interference (RFI), which occurs from electrical disturbance within the radio frequency spectrum. EMI and RFI affect electrical components by induction, coupling or conduction.

Any electrical, electromechanical or electronic devices are potential sources of EMI. In general, EMI sources can be classified either as transmitters (i.e., equipment whose primary function is to intentionally generate or radiate electromagnetic signals) or incidental sources (i.e.,

equipment that generate electric magnetic energy as an unintended byproduct in the process of performing their primary function).

Common EMI sources within a power plant are high energy power equipment (motors, generators, transformers, circuit breakers), inverters, rectifiers, switch-mode power supplies, relays, solenoids, and inductive loads. Other EMI sources typical to a plant environment are wireless communication devices, computer and data equipment, electrical arcs, electrostatic discharge (ESD), power line transients and spikes.

Cabinet Design TCS cabinet 1TCS-CAB-G is a metallic cabinet that has an EMI/RFI protection seal. Metal cabinets can help reduce magnetic interference on cables carrying low-level signals by providing electromagnetic shielding. This shielding, also known as a Faraday cage, works to block external magnetic fields from penetrating the cabinet and affecting the cables and sensitive equipment inside. When a metal cabinet is properly grounded, it creates a conductive path for EMI or magnetic fields to follow.

When an external magnetic field approaches the metal cabinet, it induces eddy currents within the metal surfaces. These currents circulate within the metal, creating their own magnetic fields.

These induced magnetic fields are equal in strength but opposite in direction to the external field, effectively canceling it out inside the cabinet. As the eddy currents generate their opposing magnetic fields, they create a magnetic barrier that prevents the external magnetic fields from penetrating the interior of the cabinet. This magnetic shielding effect effectively isolates the contents of the cabinet from the magnetic interference outside.

The internal cabinet equipment near the common connection point is the low power control equipment and terminal blocks.

Cabinet Location The common connection point is located in 1TCS-CAB-G. This cabinet is located in the Control System Computer Room (CSCR) which is located in the Reactor Auxiliary Building (RAB) 286-foot elevation.

The CSCR is an environmentally controlled and secure location in the RAB. The CSCR houses the seven (7) TCS cabinets, the four (4) Distributed Instrumentation and Control System

U.S. Nuclear Regulatory Commission Page 7 of 25 Serial: RA-23-0008 Enclosure Platform (DICSP) cabinets, and distribution panels that are required to provide power. The Uninterruptible Power Supply (UPS) distribution systems that are required to provide power require an environmentally controlled area in the RAB that allows for physical separation of the UPSs and their associated batteries.

The CSCR does not contain high energy power equipment such as motors or transformers. The cabinets are located away from sources of strong magnetic fields and switching transients, such as rotating machinery or large power cables. There are no oscillatory magnetic sources such as high voltage bus bar switching. Likewise, the TCS cabinet is not exposed to these influences.

Grounding Grounding is an important safety and protective measure that can help mitigate electrical interference, including lightning interference, on nearby cables and equipment. Proper grounding provides a low-resistance path for energy to safely dissipate into the ground. This prevents the lightning energy from traveling through cables and equipment, reducing the risk of damage. Grounding also helps maintain an equal voltage potential between various components and structures within an electrical system. When all components are at the same potential, there is less risk of voltage differences that can lead to electrical discharge or arcing between them. Grounding can help to provide a shield against EMI and RFI caused by lightning.

Proper grounding can reduce the susceptibility of nearby cables to induced voltages from lightning strikes.

To mitigate the potential impact of EMI anomalies and for personnel safety, the CSCR was constructed with grounding methods per HNP design basis documents and industry standards.

Equipment within the CSCR was installed and grounded accordingly. Equipment grounding consisted of the equipment being connected through a copper cable to the existing plant ground system. Ground cables were sized per the requirements.

In support of the TCS and DICSP cabinet installations, an insulated ground bus was installed to meet the requirements of IEEE 1050, IEEE Guide for Instrumentation and Control [I&C]

Equipment Grounding in Generating Stations, for I&C cabinets in close proximity to each other.

Power Source Poor power quality caused by electrical faults, lightning, equipment failure or degradation can cause power source issues that impact electrical equipment. Electrical quality issues such as harmonics, frequency variations, or waveform distortions, can impact the performance and reliability of electrical circuits. Additionally, voltage sags (dips) or surges (spikes) in the electrical supply can cause EMI or RFI signals to couple into signal lines, causing false signals and unintended activations in circuits.

To protect circuits from electrical faults, it is crucial to implement a proper electrical system design, including surge protection, isolation, and filtering.

The power source to the TCS is from UPP-4A and UPP-4B. These power panels are fed from 80 kVA UPS 1EE-578 and 1EE-579, respectively. These UPSs are a double-conversion UPS that provides filtered power to the TCS.

U.S. Nuclear Regulatory Commission Page 8 of 25 Serial: RA-23-0008 Enclosure A double-conversion UPS is highly effective at filtering transient voltage spikes and providing clean, stable power to connected equipment. It accomplishes this by:

1. Constant Conversion to DC: In a double-conversion online UPS, incoming AC power is first converted to DC power. This DC power serves as the primary source of energy for the UPS, and it remains constant regardless of the quality of the incoming AC power. This constant conversion to DC isolates connected equipment from fluctuations and disturbances in the utility power.
2. Battery as the Primary Power Source: In normal operation, the connected equipment is powered by the DC source from the UPS's battery. The battery voltage is carefully regulated, providing a stable and clean power source, free from voltage transients and spikes. As a result, any transient voltage spikes or disturbances in the utility power do not directly affect the equipment connected to the UPS.
3. Output Inverter: The UPS also includes an output inverter that converts the DC power from the battery back into clean, stable AC power. This inverter operates continuously, ensuring that the output voltage and frequency remain within specified tolerances. It filters out any noise or transients present in the DC power to provide a quality AC waveform to the connected equipment.
4. Isolation: The double-conversion process inherently provides isolation between the input power and the output power. The input power is completely decoupled from the output, which means that any disturbances or spikes in the utility power are not directly transmitted to the equipment on the output side.

In summary, a double-conversion online UPS excels at filtering transient voltage spikes and disturbances by continuously converting incoming AC power to DC power, providing stable power from the battery, and then inverting it back to clean AC power. This process effectively isolates connected equipment from the anomalies of the utility power supply, ensuring that sensitive electronics receive a reliable and spike-free power source.

Signal Attenuation The cables travel from 1TCS-CAB-G to the Terminal Box B (585 feet) and then from Terminal Box B to the 7300 Process Control System (min. 386 feet).

This amount of cable length will reduce the magnitude of a voltage signal that may be coupled onto a cable via an electrical anomaly. The distance of a cable helps mitigate transient effects, such as voltage spikes and surges, through the inherent electrical resistance and impedance of the cable itself. All cables have electrical resistance and impedance, which are inherent properties of the cable material and construction. Resistance opposes the flow of electrical current, while impedance is a complex measure of resistance and reactance. As a transient voltage travels along a cable, it encounters resistance and impedance. The magnitude of the transient voltage diminishes as it travels, and this reduction is proportional to the cable's resistance and impedance. The longer the cable, the greater the resistance and impedance it presents to the transient voltage. Consequently, the transient's impact decreases with distance.

Additionally, over the length of a cable, some of the transient's energy is absorbed by the cable's dielectric material and conductors. This absorption process further attenuates the transient voltage as it propagates.

U.S. Nuclear Regulatory Commission Page 9 of 25 Serial: RA-23-0008 Enclosure Equipment Qualification Electric Power Research Institute (EPRI) Technical Report (TR)-102323, Revision 4, Guidelines for Electromagnetic Compatibility Testing of Power Plant Equipment, (Reference

15) is a guide that defines recommended generic EMI susceptibility and emissions test levels for use in establishing equipment electromagnetic compatibility (EMC) for nuclear power plant applications. The basic approach of this guideline is to establish bounding emission limits based on plant measurements and use these bounds to establish susceptibility test limits that can be applied to new equipment in a laboratory environment to demonstrate adequate margin of safety. This guide is required to be used by Duke Energy procedures for digital equipment installations.

The TCS was purchased to meet required EMI/RFI qualification and/or evaluation to EPRI TR-102323. All equipment installed in the CSCR was evaluated for EMI/RFI per EPRI TR-102323, providing assurance that equipment within the CSCR or equipment that powers components within the CSCR will not radiate or conduct interference to unacceptable levels and cause degradation of performance of any systems at HNP.

Cable Routing The TCS cables are run in dedicated conduits external to the SSPS Cabinets and Safeguards Test Cabinets (STC). Therefore, the only cables in question are cables that are run in trays which could be shared by RPS and SSPS cabling.

These trays are control trays that contain cables used for control and do not contain low-level cables used as inputs to the SSPS logic.

Per the design basis for the plant to prevent the effects of electrical anomalies, cables that require separation by function and voltage class are routed in separate tray systems as follows:

1) 6900-V power circuits
2) 480-V power circuits and larger-sized 120/208-V AC and 125-V DC power circuits*
3) 120/208-V AC, and 125-V DC* power and control circuits
4) Low-level signal circuits Control tray is used for small conductors with a light load. Power tray is used when cables are heavily loaded or for large diameter cables (generally, #2 AWG [American Wire Gauge] or larger).

The control trays do not mix with other trays and are at different elevations.

Plant applications that may be near the affected cables are utilized in control circuits to perform functions such as energizing relays, contactors, or indicating lights. As such, the cables routed in the tray are already near other cables carrying loads similar to the turbine trip relays. The turbine trip relays only draw 25 milliamps (mA), which is smaller than the typical contactor or solenoid. These are not significant inductive loads to cause any EMI issues.

The cables that provide the input to SSPS are routed in low-level signal trays. Therefore, the electrical anomaly that could occur on a control cable as identified in the inspection finding could not impact low-level signal wiring that would impact logic functions of the SSPS.

U.S. Nuclear Regulatory Commission Page 10 of 25 Serial: RA-23-0008 Enclosure Previous Testing In 1977, Westinghouse conducted a process system noise test to validate installations of the process control system like at HNP. The report, WCAP-8892-A, Westinghouse 7300 Series Process Control System Noise Tests, states the following:

The staff stated its acceptance of the "Westinghouse Protection System Noise Test" in a letter from R. Heineman to C. Eicheldinger dated December 11, 1975. These tests applied to plants where the aggregate system line-up included the Nuclear Instrumentation System (NIS), the Solid-State Protection System (SSPS), and the 7100 Process Control System (PCS). This test program is intended to cover the "Process Control System" portion of the aggregate line-up for all plants where the 7300 Series replaces the 7100 Series.

These tests were on the low-level instrument wiring, not on the control cable wiring. However, it is mentioned here because it shows that the PCS portion has immunity to electrical anomalies, and the WCAP-8892-A test was on low-level instrumentation which is much more susceptible to electrical anomalies.

For example, a magnetic noise test was conducted to check that the non-safety isolator output wires (control side) do not impact the safety-related protection side. It verified that one amp applied on the control side wiring did not cause any degradation of protection wiring as a result of wire-to-wire cross talk due to close proximity.

Operating Experience The cables in question have not been moved since original plant construction. Prior to the TCS upgrade in 2018, the cables were used to energize the AST solenoids. After the TCS upgrade in 2018, the cables are used to energize control relays that interface with the AST quadvoter.

The previous design energized the solenoids continuously so that loss of power would result in a turbine trip. The current design energizes the control relays continuously so that loss of power would result in a turbine trip.

The previous design also periodically tested the trip circuit during quarterly testing. The current design cycles the control relays weekly and this test has been performed once a week for over 5 years.

There have been no instances at HNP of spurious control circuit anomalies attributed to the TCS trip relays cycling on and off.

IEEE 384-1974 Analysis IEEE 384 section 4.6.1 requires non-class 1E circuits to be separated from class 1E circuits by the minimum separation requirements of sections 5.1.3, 5.1.4, or 5.6. The circuits where the separation concern is located would be considered general plant areas falling under the guidance of IEEE 384 section 5.1.4. Section 5.1.4 allows for the separation distance to be determined by Section 5.1.1.2. Section 5.1.1.2 allows for analysis since the damage potential is limited to failures or faults internal to the electrical equipment or circuits. All the cabling is qualified to IEEE 383-1974, IEEE Standard for Type Test of Class 1E Electric Cables, Field Splices, and Connections for Nuclear Power Generating Stations, which meets the analysis from a flame-retardant perspective. The cable tray arrangements from Terminal Box B to TCS do not require evaluation since they are non-safety related. The cabling between Terminal Box

U.S. Nuclear Regulatory Commission Page 11 of 25 Serial: RA-23-0008 Enclosure B and the TCS system is non-safety related and does not require the additional protection requirements of class 1E cabling.

In assessing the impacted circuits, it was established that the reactor trip breaker auxiliary contacts that provide indication of reactor trip to the turbine trip system would not be adversely affected by noise, as previously evaluated in WCAP-8892-A. Furthermore, a reactor trip would not be prevented from occurring in the event of an open or short of the contacts utilized for the non-safety related portion of the turbine trip circuit. The auxiliary contacts in the RTS are not in the direct electrical path of the reactor trip breakers. Rather, the contacts are mechanically coupled to the trip breaker position that prevents an electrical fault from preventing a reactor trip should it be required.

The remaining concern would be from a short circuit (e.g., line to neutral or line to ground), a high impedance short, or a hot short (e.g., fire induced). A hot short in the safety-related circuits would be limited to a single train thus is bounded by existing analyses for single train failures. In order for them to have a potential impact on both trains, all three types of shorts would have to occur in Terminal Box B after the initiating contacts, which would have the shortest circuit length compared to in the TCS cabinets.

As such, a simplified evaluation was performed based upon the most limiting cable length. Any faults in other areas would be bounded by this number.

Assuming a short occurs in Terminal Box B after the RTS contacts, a review of the circuit diagrams and cable lengths shows that more than 1300 ft of #12 AWG wiring would be involved.

Utilizing the 2011 National Electrical Code (NEC) Chapter 9, Table 8 and a conservative temperature of 21.1 degrees C (70 degrees F), the resistance of the cable was determined to be 1.64 ohm/kilofoot. Since the circuit is greater than 1300 feet, the resistance would be 2.13 ohms. Based upon this information, the fault current from the 120 volts alternating current (VAC) source would be limited to 56.3 amps. The contact in the RTS are output contacts so would have no effect on the operation of the Reactor Trip Breakers. Extensive testing from a fault perspective was performed in WCAP 8892-A, so no concerns in the SSPS system would be found.

Furthermore, it was determined that more than 15 minutes would be required for cable damage to occur. This is more than adequate for the fault to clear and takes no credit for protection by the breaker. This shows that from a short circuit (e.g., fault) perspective, there are no concerns.

Conclusion The evaluation above established that no credible events would impact either train of safety-related equipment from fulfilling its design basis function. The key aspects of IEEE 279-1971 for single failure criterion and channel integrity are maintained.

4.2 Technical Adequacy of the Probabilistic Risk Assessment HNP meets the criteria to utilize RIPE given the use of a technically acceptable PRA model, as demonstrated by having an approved and implemented license amendment for Technical Specifications Task Force (TSTF) Traveler TSTF-505, Provide Risk-Informed Extended Completion Times - RITSTF [Risk-Informed TSTF] Initiative 4b (Reference 4), and a robust

U.S. Nuclear Regulatory Commission Page 12 of 25 Serial: RA-23-0008 Enclosure integrated decision-making panel (IDP), as demonstrated by implementation of an approved 10 CFR 50.69 license amendment (initially issued in Reference 5 and updated by Reference 6) and having completed all license conditions and implementation items associated with the amendment (as confirmed in Reference 6).

HNP has also implemented an approved TSTF-425, Relocate Surveillance Frequencies to Licensee Control - RITSTF Initiative 5b, program per Amendment 154 to the Renewed Facility Operating License (Reference 8). The additional information requirements specified in Reference 2 associated with the ability to credit a TSTF-425 Program are not included in this submittal given HNP is crediting the implementation of an approved TSTF-505 Program as demonstration of PRA acceptability.

The quantitative safety significance of the issue, as assessed by the change in CDF and LERF, may be achieved through the scope of the HNP PRA model along with the use of surrogate events within that model that are associated with the issue described in the violation (Reference 1). The HNP PRA model for the RICT Program does not quantitatively assess seismic, high winds, or external flooding hazards based on meeting screening criteria, as accepted by the NRC in Reference 4 for that application. The HNP one-top PRA working model (Reference 12),

utilized for the quantitative assessment in this calculation, does include a High Winds (HW) PRA model. As documented in HNP-F/PSA-0069, HNP - PSA Model Peer Review Resolution, (Reference 14) the original Peer Review of the HNP High Winds PRA model was conducted in 2016 and resulted in 4 open Finding level observations. Three findings were limited to documentation items. For the fourth finding a resolution was agreed upon by Duke Energy and the Peer Review team to improve the characterization of select assumptions. There has not been a closure review for these findings as complete resolution and implementation to the HNP HW PRA model and documentation is postponed for a future HW PRA update. These open findings are assessed to have no quantitative impact on the analysis performed in this calculation based on the nature of the findings and given that the inclusion of an additional hazard in the assessment would be a conservative approach. This strategy is utilized to support incorporation of the model changes identified in this calculation into the HNP PRA working model to reflect the as-built plant in future assessments, including the cumulative assessment of risk per the RIPE guidance (Reference 2). There are no specific concerns related to seismic, high winds, or external flooding hazards for the issue identified in the NRC's violation that this evaluation is attempting to assess through quantitative means. The HNP PRA model utilized for the RICT Program assesses internal events, internal flooding, and fire hazards. These hazards, in addition to high winds, establish the scope of the quantitative analysis for this evaluation based on using the HNP working model (Reference 12).

4.3 Plant-Specific Risk Assessment Results HNP-F/PSA-0141 (Reference 13) performs the PRA evaluation of the potential condition described in the HNP violation. The calculation captures the ability to utilize the HNP PRA to perform the assessment per the NRC's RIPE guidance (Reference 2), assumptions made in the performance of the evaluation, the model adjustments and surrogates used to account for the impact of the issue, and documents the impact of uncertainty and inclusion of conservatisms in the quantitative risk analysis approach. While the calculation contains the full documentation, the associated insights and conclusions from the PRA evaluation are included below.

U.S. Nuclear Regulatory Commission Page 13 of 25 Serial: RA-23-0008 Enclosure The evaluation focuses on considering the following impacts that could potentially result due to the issue identified in the violation and how that impact could be reflected in the HNP PRA model:

The ability of the turbine to trip upon a reactor trip.

The ability of the reactor to trip upon a valid RPS signal.

The ability of the ESFAS to actuate upon a valid actuation.

The strategy to capture the impact was to utilize a single basic event, created for the evaluation, to reflect a potential common cause event for the functions mentioned above that could be susceptible to the impacts of the deficiency. This was achieved by placing that basic event under an OR gate with events or logic that are identified within the calculation as locations in the HNP PRA model where this surrogate could be applied. An overview of those surrogates is outlined below:

Turbine Trip: Impacts ATWS scenario mitigation as a failure to trip the turbine results in steam generator water level drop, reactor coolant system heat-up and associated overpressure event. Note that AMSAC would remain credited to support this function consistent with its design per the US NRC ATWS rule. Evaluation of plant response also indicated the likelihood of a Safety Injection actuation occurring would result in unavailability of the Main Feedwater Pumps, therefore these pumps are also impacted by the basic event.

Reactor Trip: The issue potentially impacts the ability of RPS to automatically actuate a trip of the reactor and thus impacts one of three high-level basic events pertaining to RPS signal failures (the other two are associated with either an inability of the reactor trip breakers to open / control rods to insert or the process indications for RPS inputs being unavailable). The inclusion of the basic event was done for both the Surveillance Test Risk-Informed Documented Evaluation (STRIDE) and non-STRIDE basic events within the HNP PRA model for the RPS signal failure of interest.

ESFAS Actuations: The basic event was added for logical equivalence with ESFAS test and maintenance basic events within the model. Additionally, the spurious actuation of an Auxiliary Feedwater (AFW) Isolation is the only spurious actuation considered a system failure in the HNP PRA, therefore the basic event was added to impact the likelihood of this inadvertent actuation due to the issue.

To support the above approach, a point estimate was developed for the probability of the postulated plant impact which was captured as a basic event. This point estimate is informed using industry data on the occurrence of cable hot shorts during fire events, provided as a conditional probability. For this analysis, the conditional probability was applied to a summation of frequencies for a conservative selection of fires as informed by those fire events already modeled in the HNP Fire PRA that could impact either train of SSPS. Consistent with the Significance Determination Process (NRC Inspection Manual Chapter 0609) and the NRC Risk Assessment of Operational Events Handbook Volume 1, a maximum exposure time of one year was utilized to convert the frequency of the subject fires to a probability. Therefore, while data from industry fire events and fire PRA methodology is utilized to inform the approach to develop a point estimate for the new event, this event is applied globally in the primary analysis to assess the impact from any plant initiator.

U.S. Nuclear Regulatory Commission Page 14 of 25 Serial: RA-23-0008 Enclosure The adjustments discussed above and associated model changes to the HNP PRA working model allowed evaluation of the contribution to station risk due to the deficiency described in the HNP violation and is compared to the criteria for evaluating an issue as having minimal safety impact in the table below:

Table 1: Quantitative Risk Characterization of HNP Violation Metric Working Model Base (Reference

12)

With Assessed Adjustment Quantitative Risk Assessed to Violation NRC RIPE Criteria for Minimal Safety Impact (Reference

2)

CDF 4.1459E-5 4.1475E-5 1.6E-8

< 1.0E-7 LERF 3.5142E-6 3.5142E-6

<1E-10

< 1.0E-8 The PRA evaluation notes a review of industry operating experience related to the issue. The review did not identify any specific modifications necessary to assess and/or bound the impact of the issue on quantitative risk.

Through coordination with HNP Operations Training, the PRA team observed the response of the HNP Simulator to various conditions postulated within the PRA evaluation. In all cases there were no operator actions performed after the initiating trigger was inserted to focus the observation on the plant response. Consistent with review of other references, the observations assisted in informing or validating that plant impacts were being appropriately captured in the HNP PRA model adjustments evaluated in this calculation. It also exhibited plant responses that are not credited in the HNP PRA model and thus highlighted some conservatisms present in the evaluation.

Conservatisms noted in the PRA evaluation include:

The adjustment factor is evaluated using the frequency of any fire potentially impacting the 48VDC from SSPS (vice just those fires that would directly impact the vulnerable TCS cables).

No credit is given in the HNP PRA model for reactor shutdown from automatic rod insertion from power and/or temperature mismatch (although per system design and simulator observation this negative reactivity insertion will lessen the impact of an ATWS transient).

No credit is given in the HNP PRA model for actions outside of the control room to trip the reactor (locally tripping the reactor trip breakers or motor-generator set output breakers or motor-generator set motor breakers).

No credit is given in the analysis for the potential of the faulted condition (EMI or hot short) clearing within the mission time to de-energize the RPS, TCS to cause the associated automatic actuation to occur.

The HNP PRA model only gives credit for AFW actuation on a low-low steam generator level.

The adjustment factor is applied to all events concurrently (failure of reactor to trip, failure of ESFAS actuations, spurious AFW isolation), vice identifying and adjusting only specific cables in close proximity to the vulnerable cables. Furthermore, the potential that not all signals will be affected in the event is not considered (the adjustment is in effect applied as a common cause failure to all impacted items at the same time).

U.S. Nuclear Regulatory Commission Page 15 of 25 Serial: RA-23-0008 Enclosure Two unique sensitivity evaluations were developed to account for potential uncertainty in the evaluation methodology and associated results. One of the sensitivities considered the quantitative result of the impact of the deficiency occurring as a direct result (dependent on) the occurrence of fire initiating events impacting both trains of SSPS in the fire zones where the vulnerable TCS cables are routed. The second sensitivity was performed to consider the delta risk of the current plant configuration with the cited deficiency with a base model that negates the failure potential of mapped/impacted events (representing perfect reliability, basic events set to 0). The intent of this sensitivity was to preclude the potential for the impact of the deficiency to be masked by the reliability values used in the HNP PRA model. For both sensitivities, the delta risk remained within the criteria for minimal safety impact.

Based on the information evaluated, the quantitative risk impact of the deficiency described in the HNP violation for the failure to ensure independence between TCS circuits and RPS circuits constitutes a minimal safety impact. The analysis was performed per the NRC guidance on RIPE outlined in Reference 2 using the impact characterized directly in the violation and further informed by the responses to the preliminary screening questions. The HNP PRA model utilized for the assessment meets the requirements of Reference 2 as evidenced by HNP's implementation of a Risk-Informed Completion Time Program.

The cumulative risk impact was evaluated based on plant-specific CDF and LERF. Cumulative risk is acceptable for the purposes of utilizing RIPE if baseline risk remains less than 1x10-4/year for CDF and less than 1x10-5/year for LERF once the impact of the proposed change is incorporated into baseline risk. The results are provided below with the cumulative risk criteria annotated to demonstrate acceptability.

Table 2: Cumulative Risk Characterization of HNP Violation Metric With Assessed Adjustment NRC RIPE Criteria for Acceptable Cumulative Risk (Reference 2)

CDF 4.1475E-5

< 1.0E-4 LERF 3.5142E-6

< 1.0E-5 4.4 Final Safety Impact Characterization HNP meets the criteria to utilize RIPE given the use of a technically acceptable model, as demonstrated by having an approved PRA and implemented license amendment for TSTF-505 and a robust IDP, as demonstrated by implementation of an approved 10 CFR 50.69 license amendment and having completed all license conditions and implementation items associated with the amendment.

The organization, qualifications, and method for risk-informed evaluation employed by the IDP for use in the 10 CFR 50.69 categorization process are specified in Duke Energy Fleet procedure AD-EG-ALL-1220, Implementation of 50.69 Risk-Informed Engineering Programs (Reference 7). The IDP Review of the RIPE content incorporates the guidance in Reference 2 for use in its review of the safety significance of the item being considered. The IDP membership was comprised of personnel from site Engineering, Operations, PRA, Safety Analysis, and Licensing.

Decision-making for the plant IDP utilized a process based on consensus, with screening determinations made based on the technical information supporting the issue. The basis for

U.S. Nuclear Regulatory Commission Page 16 of 25 Serial: RA-23-0008 Enclosure screening the issue used technical or engineering information that demonstrated that the issue has no adverse effect on functions or methods of performing or controlling functions. There were no differing opinions on the final decisions regarding the safety impact of the issue.

The IDP final assessment of the RIPE screening questions contained in Sections 4.1 and 4.2 of Reference 2 is provided below.

Reference 2 Section 4.1 Questions - Screening for No Impact

1. Does the issue result in an adverse impact on the frequency of occurrence of an accident initiator or result in a new accident initiator?

Response: No.

The cables identified as impacted by this issue are associated with the solid-state protection system (SSPS). The SSPS controls the logic for accident prevention and mitigation using inputs from plant process instrumentation cabinets (PIC), ex-core nuclear instrumentation, and the Main Control Board. The SSPS includes the Reactor Protection System (RPS) and the Engineered Safety Features (ESF) Actuation System.

The design function of the SSPS is to provide the coincidence logic to develop reactor trip and ESF actuation signals. As such, the SSPS provides a mitigation function and is not an accident initiator. Therefore, this issue does not result in any impact on the frequency of occurrence of an accident initiator or result in a new accident initiator.

2. Does the issue result in an adverse impact on the availability, reliability, or capability of SSCs [systems, structures, and components] or personnel relied upon to mitigate a transient, accident, or natural hazard?

Response: No.

Protection systems, as defined in IEEE 279-1971, include the electrical and mechanical devices and circuity (from sensors to actuation device input terminals) involved in generating the signals associated with the two protective functions defined below.

The Solid-State Protection System (SSPS) consists of:

a) Reactor Protection System (RPS) - The RPS generates signals that actuate reactor trip.

This system is part of the Reactor Trip System.

b) Engineered Safety Features Actuation System (ESFAS) - The ESFAS generates signals that actuate engineered safety features. This system is part of the Engineered Safety Features (ESF) System.

The Reactor Trip System acts to limit the consequences of ANS Condition II events (faults of moderate frequency such as loss of feedwater flow) by, at most, a shutdown of the reactor and turbine. The plant is capable of returning to operation after corrective action is taken. The Reactor Trip System limits plant operation to ensure that the reactor safety limits are not exceeded during ANS Condition II events and that these events can be accommodated without developing into more severe conditions.

U.S. Nuclear Regulatory Commission Page 17 of 25 Serial: RA-23-0008 Enclosure The Engineered Safety Features Actuation System acts to limit the consequences of ANS Condition III events (infrequent faults such as primary coolant spillage from a small rupture which exceeds normal charging system makeup and requires actuation of the Safety Injection System). It also acts to mitigate ANS Condition IV events (limiting faults which include the potential for significant release of radioactive material).

As provided in Reference 1, the violation details a failure to ensure independence between turbine control system circuits and the trains of reactor protection system (RPS) circuits. It also states:

By not meeting RPS independence, the licensee compromised the requirements for single failure and interactions between control and protection systems affecting the reliability of the RPS. As communicated by Atomic Energy Commission, where cables carrying electrically isolated control (non-protection) signals from redundant protection cabinets come together, electrically, and physically, at common points in the plant, an abnormal occurrence at a common point could produce adverse fault potentials or electrical interference on electrical cables. Thus, electromagnetic interference (high voltage or noise) could be transmitted back to the originating circuits in all redundant protection cabinets. In this event, despite electrical barriers, faults might bypass the barriers and be coupled into protection circuits because of their proximity to the fault-carrying non-protection (control) wiring.

The turbine trip logic has four control relays which provide the turbine trip interface. The SSPS system and RPS system are connected through these relays with closed isolated contacts. The RPS system uses redundant contacts (52a) from the reactor trip breaker. The cables and conduits for each of these circuits follow the separation criteria for all cable and conduit routes with the exception of Terminal Box B and the TCS cabinet G (1TCS-CAB-G). These boxes/cabinets are non-safety related based on original system design. In Terminal Box B, each of the four circuits are landed on separate terminals and are not electrically tied together. Once each of these four independent circuits reach the 1TCS-CAB-G, one A train and one B train trip circuit are tied to a common power supply terminal in turbine trip channel 1 or channel 2. This is a non-safety box and a non-safety power supply. The isolation between the RPS and SSPS trains is a function of having isolated contacts in each of these systems. Although they are connected together at a common point in the TCS cabinet, the electrical isolation is provided at the RPS and SSPS cabinet. A failure of the power supply or associated cabling will not impact the SSPS or RPS system due to these isolated functions. A short circuit would result in the tripping of the non-safety power supply and a half trip of both the upper and lower quadvoters.

The ability to trip the turbine would not be lost. RPS would still trip the turbine on a reactor trip.

There is no plausible failure mode that would prevent tripping the turbine on a reactor trip. The worst case is a half trip if one channel is affected and turbine trip if both channels are affected.

The main control board trip and local trip buttons are not within this circuit and are not affected.

Therefore, this condition will have no adverse impact on SSPS, RPS, or the ability for RPS to trip the turbine on a reactor trip.

An evaluation was performed to establish a qualitative assessment on the likelihood that an electrical anomaly could occur at this common point in the TCS cabinet and cause both trains of SSPS/RPS to become inoperable. This evaluation reviewed potential sources of Electromagnetic Interference (EMI) and Radio Frequency Interference (RFI), and the mitigation techniques used to reduce the probability of an event that would impact plant equipment. The evaluation also included an evaluation from a short perspective.

U.S. Nuclear Regulatory Commission Page 18 of 25 Serial: RA-23-0008 Enclosure The evaluation established that that no credible events would impact both trains of safety-related equipment from fulfilling its design basis function. The key aspects of IEEE 279-1971 for single failure criterion and channel integrity are maintained. The common connection for the A and B trains in the TCS does lose some of the channel independence which is contrary to IEEE 279-1971 Section 4.6, but there is not a credible reduction in the ability of the safety-related systems to perform their intended design function. The safety-related protection trains remain fully capable of performing their intended design functions per IEEE 279-1971.

3. Does the issue result in an adverse impact on the consequences of an accident sequence?

Response: No.

As noted in Reference 2, the term consequence is intended to mean radiological dose from risk-significant accident sequences. As provided in the response to Question 2 above, this condition will have no adverse impact on SSPS, RPS, or the ability for RPS to trip the turbine on a reactor trip. The design function of the SSPS to mitigate an accident is not impacted and therefore the consequences of any accident previously evaluated are not impacted.

4. Does the issue result in an adverse impact on the capability of a fission product barrier?

Response: No.

As noted in Reference 2, the term capability addresses the capacity of SSCs or personnel.

The cables identified as impacted by this issue are associated with the SSPS. The issue does not affect operating limits, the fuel, Reactor Coolant System (RCS), or modify the containment boundary in any way. The cables are located outside the containment building and do not result in revising or challenging a design basis limit for a fission product barrier (i.e., numerical limiting value for controlling the integrity of the fuel cladding, reactor coolant pressure boundary and/or containment) as described in the UFSAR. Furthermore, the proposed exemption does not impact the ability of the safety-related systems to perform their design functions.

5. Does the issue result in an adverse impact on defense-in-depth capability or impact in safety margin?

Response: No.

Based on the violation received, Duke Energy is proposing a limited exemption in accordance with 10 CFR 50.12 from the requirements of 10 CFR 50.55a(h)(2), Protection systems, requiring protection systems meet the requirements of IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations. Specifically, the exemption request would remove the requirement for the RPS cables that terminate within 1TCS-CAB-G to meet the IEEE 279-1971 Section 4.6, Channel Independence, requirement that they be independent and physically separated. Once these cables interface with the cable termination box on the front standard of the main turbine, they transition from Class 1E to non-Class 1E since the termination box and everything downstream was designed as non-safety and non-seismic.

Defense-in-depth is an element of the NRCs safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility. The defense-in-depth philosophy has

U.S. Nuclear Regulatory Commission Page 19 of 25 Serial: RA-23-0008 Enclosure traditionally been applied in plant design and operation to provide multiple means to accomplish safety functions and prevent the release of radioactive material.

The NRC has identified seven considerations that should be used to evaluate the impact of the change on defense-in-depth. These are:

1. Preserve a reasonable balance among the layers of defense.
2. Preserve adequate capability of design features without an overreliance on programmatic activities as compensatory measures.
3. Preserve system redundancy, independence, and diversity commensurate with the expected frequency and consequences of challenges to the system, including consideration of uncertainty.
4. Preserve adequate defense against potential CCFs.
5. Maintain multiple fission product barriers.
6. Preserve sufficient defense against human errors.
7. Continue to meet the intent of the plants design criteria.

The cables identified as impacted by this issue are associated with the SSPS. The design function of the SSPS is to provide the coincidence logic to develop reactor trip and ESF actuation signals which mitigate a transient, accident or natural hazard.

As provided in the response to Question 2 above, an evaluation was performed that established that no credible events would impact both trains of safety-related equipment from fulfilling its design basis function. The key aspects of IEEE 279-1971 for single failure criterion and channel integrity are maintained. While the common connection for the A and B trains in the TCS does challenge the channel independence requirement of IEEE 279-1971 Section 4.6, there is not a credible reduction in the ability of the safety-related systems to perform their intended design functions.

The exemption to the IEEE 279-1971, Section 4.6 requirement will not impact the ability of the safety-related protection trains to remain fully capable of performing their intended design functions in generating the signals associated with actuating reactor trip and engineered safeguards, as required by IEEE 279-1971.

There is no adverse impact on defense-in-depth capability or impact in safety margin.

Reference 2 Section 4.2 Questions - Screening for Minimal Impact The responses to all of the Section 4.1 questions screened to No Impact. Screening for Minimal Impact is not required.

4.5 Recommendations for Risk Management Actions Based on the assessment of the screening questions and the outcome of the quantitative risk evaluation, a final safety impact is determined. As outlined in Reference 2, since the results of the screening questions indicate that there is no impact on safety, and the results of the quantitative risk evaluation indicate that there is minimal impact on safety, the issue is characterized as having a minimal impact on safety and Risk Management Actions (RMAs) do not need to be considered.

U.S. Nuclear Regulatory Commission Page 20 of 25 Serial: RA-23-0008 Enclosure

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements and Guidance 10 CFR 50.55a(h)(2), Protection systems, states: For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements in IEEE Std 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," or the requirements in IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," or the requirements in IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or may meet the requirements of IEEE Std. 603-1991 and the correction sheet dated January 30, 1995.

As discussed in Section 2.1 above, the HNP UFSAR reflects the sites requirements to meet the IEEE 279-1971 edition of the standard.

Appendix A to Part 50, General Design Criteria (GDC) for Nuclear Power Plants 10 CFR 50, Appendix A, GDC 21 requires redundancy and independence in the protection system to ensure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated.

10 CFR 50 Appendix A, GDC 22 requires protection system independence. The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

10 CFR 50 Appendix A, GDC 24 requires separation of protection and control systems.

The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

Conclusion Duke Energy has evaluated the proposed exemption request against the applicable regulatory requirements described above. Based on this evaluation, there is reasonable

U.S. Nuclear Regulatory Commission Page 21 of 25 Serial: RA-23-0008 Enclosure assurance that the health and safety of the public will remain unaffected following the approval of these proposed changes.

5.2 Precedent No precedent was identified for the particular exemption being requested.

Palo Verde previously submitted an exemption request utilizing RIPE by letter dated January 14, 2022 (ADAMS Accession No. ML22014A415). The NRC issued the corresponding Safety Evaluation by letter dated March 23, 2022 (ADAMS Accession No. ML22054A005).

5.3 Justification for Exemption and Special Circumstances In accordance with 10 CFR 50.12, the Commission may grant exemptions from the requirements of the regulations of Part 50 for reasons which are (1) the exemption is authorized by law, (2) the exemption will not present an undue risk to the public health and safety, (3) the exemption is consistent with the common defense and security, and (4) special circumstances, as defined in 19 CFR 50.12(a)(2), are present. As discussed below, this exemption request satisfies the provisions of Section 50.12.

The exemption is authorized by law The NRC has the authority under 10 CFR 50.12 to grant exemptions from the requirements of Part 50 upon demonstration of proper justification. Approval of the partial exemption to the requirement in 10 CFR 50.55a(h)(2) to meet the separation requirements of IEEE 279-1971 for the protection system would not result in a violation of the Atomic Energy Act of 1954, as amended. HNP would continue to meet the other requirements in 10 CFR 50.55a(h)(2).

Therefore, the exemption is authorized by law.

The exemption will not present an undue risk to public health and safety Based on the assessment of the RIPE screening questions by the site IDP, it was determined that the proposed exemption poses no impact to safety. Furthermore, the results of the quantitative risk evaluation conservatively addressing the potential condition identified in the HNP violation (Reference 1) demonstrates that the calculated risk is not risk-significant (i.e.,

minimal or less than minimal) and consistent with the intent of the Commissions safety goal policy statement, which defines an acceptable level of risk that is a small fraction of other risks to which the public is exposed.

Therefore, approval of the exemption request using RIPE will not present an undue risk to the public health and safety.

The exemption is consistent with the common defense and security Based on the assessment of the RIPE screening questions by the site IDP, it was determined that the proposed exemption poses no impact to safety. The exemption to the IEEE 279-1971, Section 4.6 requirement will not impact the ability of the safety-related protection trains to remain fully capable of performing their intended design functions in generating the signals

U.S. Nuclear Regulatory Commission Page 22 of 25 Serial: RA-23-0008 Enclosure associated with actuating reactor trip and engineered safeguards, as required by IEEE 279-1971. Furthermore, there is no adverse impact on defense-in-depth capability or impact in safety margin. The proposed exemption does not involve security requirements and does not create a security risk. Therefore, the common defense and security are not impacted by this exemption.

Special circumstances Based on the violation received, Duke Energy, is proposing a limited exemption in accordance with 10 CFR 50.12 from the requirements of 10 CFR 50.55a(h)(2) requiring protection systems meet the requirements of IEEE 279-1971 for HNP. Specifically, the exemption request would remove the requirement for the RPS cables that terminate within the TCS cabinet 1TCS-CAB-G meet the IEEE 279-1971 Section 4.6 requirement that they be independent and physically separated. Application of the regulation in this circumstance would not serve the underlying purpose of the rule and is not necessary to achieve the underlying purpose of the rule, which would be to decouple the effects of unsafe environmental factors, electric transients, and physical accident consequences documented in the design basis. The exemption to the IEEE 279-1971, Section 4.6 requirement will not impact the ability of the safety-related protection trains to remain fully capable of performing their intended design functions in generating the signals associated with actuating reactor trip and engineered safeguards, as required by IEEE 279-1971. This aligns with the special circumstance identified in 10 CFR 50.12(a)(2)(ii):

Application of the regulation in the particular circumstances would not serve the underlying purpose of the rule or is not necessary to achieve the underlying purpose of the rule.

6.0 ENVIRONMENTAL CONSIDERATION

S Duke Energy has determined that the proposed exemption would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined by 10 CFR 20, or it would change an inspection or surveillance requirement. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed exemption meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment needs be prepared in connection with the proposed amendment. The basis for the determination of each of the requirements in 10 CFR 51.22(c)(9) is discussed below.

Requirements of 10 CFR 51.22(c)(9)(i)

Duke Energy evaluated whether or not a significant hazards consideration is involved with the proposed exemption by focusing on the three standards set forth in 10 CFR 50.92(c), as presented below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

U.S. Nuclear Regulatory Commission Page 23 of 25 Serial: RA-23-0008 Enclosure The proposed exemption does not alter the safety function of any structure, system, or component, does not modify the manner in which the plant is operated, and does not alter equipment out-of-service time. In addition, this request does not degrade the ability of the protection system to perform its intended safety function.

Therefore, the proposed exemption does not result in a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed exemption does not initiate an accident and therefore, the proposed change does not increase the probability of an accident occurring. The proposed change does not introduce any changes or mechanisms that create the possibility of a new or different kind of accident.

Equipment important to safety will continue to operate as designed. The accidents and events previously analyzed remain bounding.

Therefore, the proposed exemption does not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The proposed exemption does not affect any safety limits or limiting conditions for operation used to establish safety margin. The safety margins included in the analyses of accidents are not affected by the proposed exemption. The setpoints at which protective actions are initiated are not altered by the proposed exemption. There are no new or significant changes to the initial conditions contributing to accident severity of consequences. The proposed exemption will not affect the plant protective boundaries, will not cause a release of fission products to the public, nor will it degrade the performance of any other structures, systems or components important to safety.

Therefore, the proposed exemption does not involve a significant reduction in a margin of safety.

Based on the above, it is concluded that the proposed exemption presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.

Requirements of 10 CFR 51.22(c)(9)(ii)

The exemption to the IEEE 279-1971, Section 4.6 requirement will not impact the ability of the safety-related protection trains to remain fully capable of performing their intended design functions in generating the signals associated with actuating reactor trip and engineered safeguards, as required by IEEE 279-1971. The proposed exemption will not significantly

U.S. Nuclear Regulatory Commission Page 24 of 25 Serial: RA-23-0008 Enclosure change the types or significantly increase the amounts of any effluents that may be released offsite.

The provision of 10 CFR 50.22(c)(9)(ii) is satisfied.

Requirements of 10 CFR 51.22(c)(9)(iii)

The exemption to the IEEE 279-1971, Section 4.6 requirement will not impact the ability of the safety-related protection trains to remain fully capable of performing their intended design functions in generating the signals associated with actuating reactor trip and engineered safeguards, as required by IEEE 279-1971. The design function of the SSPS is to provide the coincidence logic to develop reactor trip and ESF actuation signals. As such, the SSPS provides a mitigation function and is not an accident initiator. Therefore, this issue does not result in any impact on the frequency of occurrence of an accident initiator or result in a new accident initiator. Consequently, the proposed exemption will not significantly increase individual occupational radiation exposure, or significantly increase cumulative public or occupational radiation exposure.

The provision of 10 CFR 50.22(c)(9)(iii) is satisfied.

7.0 CONCLUSION

The use of RIPE confirms that the removal of the requirement that the RPS cables terminating within TCS cabinet 1TCS-CAB-G be independent and physically separated in order to meet the IEEE 279-1971 Section 4.6 channel independence requirement will have minimal impact on safety. Based on the information evaluated, the issue screened to no impact on safety and the quantitative risk impact of the deficiency described in the HNP violation for the failure to ensure independence between TCS circuits and RPS circuits meets the acceptance guidelines provided in the RIPE guidance document (Reference 2), which correlates to a minimal safety impact. The exemption request is permissible under 10 CFR 50.12 in that it is authorized by law, it will not present undue risk to the health and safety of the public, it is consistent with the common defense, and it presents the special circumstance that application of the regulation in this circumstance would not serve the underlying purpose of the rule and is not necessary to achieve the underlying purpose of the rule.

U.S. Nuclear Regulatory Commission Page 25 of 25 Serial: RA-23-0008 Enclosure

8.0 REFERENCES

1. US NRC letter, dated November 10, 2022, "Shearon Harris Nuclear Plant - Integrated Inspection Report 05000400/2022003" (ADAMS Accession Number ML22314A074).
2. US NRC, "Guidelines for Characterizing the Safety Impact of Issues," Revision 2, May 2022 (ADAMS Accession Number ML22088A135).
3. US NRC Office of Nuclear Reactor Regulation, NRR Temporary Staff Guidance, TSG-DORL-2021-01 Revision 3, "Risk-Informed Process for Evaluations," September 18, 2023 (ADAMS Accession Number ML23122A014).
4. US NRC letter, dated April 2, 2021, "Shearon Harris Nuclear Power Plant, Unit 1 - Issuance of Amendment No. 184 Regarding Technical Specifications Task Force (TSTF) Traveler TSTF-505, Revision 2, 'Provide Risk Informed Extended Completion Times - RITSTF Initiative 4B'," (ADAMS Accession Number ML21047A314).
5. US NRC letter, dated September 17, 2019, "Shearon Harris Nuclear Power Plant, Unit 1 -

Issuance of Amendment No. 174 Re: Adopt Title 10 of the Code of Federal Regulations 50.69, 'Risk-Informed Categorization and Treatment of Structures, Systems, and Components (SSCs) for Nuclear Power Reactors'," (ADAMS Accession Number ML19192A012).

6. US NRC letter, dated January 19, 2022, "Shearon Harris Nuclear Power Plant, Unit 1 -

Issuance of Amendment No. 188 Regarding Revision of the 10 CFR 50.69, 'Risk-Informed Categorization and Treatment of Structures, Systems, and Components for Nuclear Power Reactors,' Categorization Process to Reflect an Alternative Seismic Approach," (ADAMS Accession Number ML21316A248).

7. AD-EG-ALL-1220, Implementation of 50.69 Risk-Informed Engineering Programs, Rev. 3
8. US NRC letter, dated November 29, 2016, "Shearon Harris Nuclear Power Plant, Unit 1 -

Issuance of Amendment Regarding Risk-Informed Justifications for the Relocation of Specific Surveillance Frequency Requirements to a Licensee-Controlled Program," (ADAMS Accession Number ML16200A285).

9. Westinghouse letter CQL-8627 to Ebasco, Carolina Power & Light Company, Shearon Harris Nuclear Power Plant Turbine Trip on Reactor Trip Criteria, dated February 21, 1985.
10. U.S. Nuclear Regulatory Commission, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Regulatory Guide 1.174, Revision 3, January 2018 (ADAMS Accession No. ML17317A256).
11. U.S. Nuclear Regulatory Commission, Plant-Specific, Risk-Informed Decisionmaking:

Technical Specifications, Regulatory Guide 1.177, Revision 2, January 2021 (ADAMS Accession No. ML20164A034).

12. HNP-F/PSA-0105, Harris Nuclear Plant PRA Working Model, Revision 5
13. HNP-F/PSA-0141, HNP Risk-Informed Process for Evaluations: Quantitative Assessment of RPS and TCS Interface, Revision 0
14. HNP-F/PSA-0069, HNP - PSA Model Peer Review Resolution, Revision 7
15. EPRI TR-102323 Revision 4, Guidelines for Electromagnetic Compatibility Testing of Power Plant Equipment
Retrieved from "https://kanterella.com/w/index.php?title=RA-23-0008,_Request_for_Exemption_from_Certain_Requirements_in_10_CFR_50.55a(h)(2)_Using_Risk-Informed_Process_for_Evaluations&oldid=5513279"