ML24263A003

From kanterella
Jump to navigation Jump to search

Generation Station, Units 1 and 2 – Regulatory Audit Plan Supporting Review of the Component Interface Module System of the Limerick Digital Instrumentation and Controls License Amendment Request (EPID L-2022-LLA-0140) (Redacted)
ML24263A003
Person / Time
Site: Limerick  Constellation icon.png
Issue date: 09/27/2024
From: Marshall M
NRC/NRR/DORL/LPL1
To: Rhoades D
Constellation Energy Generation
Shared Package
ML24263A001 List:
References
EPID L-2022-LLA-0140
Download: ML24263A003 (1)


Text

OFFICIAL USE ONLY - PROPRIETARY INFORMATION

September 27, 2024

David P. Rhoades Senior Vice President Constellation Energy Generation, LLC President and Chief Nuclear Officer Constellation Nuclear 4300 Winfield Road Warrenville, IL 60555

SUBJECT:

LIMERICK GENERATING STATION, UNITS 1 AND 2 - REGULATORY AUDIT PLAN SUPPORTING REVIEW OF THE COMPONENT INTERFACE MODULE SYSTEM OF THE LIMERICK DIGITAL INSTRUMENTATION AND CONTROLS LICENSE AMENDMENT REQUEST (EPID L-2022-LLA-0140)

Dear David Rhoades:

By letter dated September 26, 2022 (non-publicly available), as supplemented by letters dated August 12, 2022 (Agencywide Documents Access and Management System (ADAMS)

Accession No. ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141), February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324),

April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),

September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),

March 7, 2024 (ML24067A294), March 18, 2024 (ML24078A275), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114), and June 28, 2024 (ML24180A157), respectively, Constellation Energy Generation, LLC (the licensee) submitted license amendment requests (LARs) to replace the Limerick Generating Station, Units 1 and 2 (Limerick) existing safety-related analog control systems with a single digital control system called the plant protection system. The supplement dated September 12, 2023, replaces in its entirety the original LARs dated September 26, 2022. The licensee replaced the original submittal because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made all of the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 12, 2023, the content of the replacement and the original are the same.

The proposed amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) plant protection system to replace analog instrumentation of reactor protection system, analog nuclear steam supply shutoff system, emergency core cooling system, reactor core isolation cooling system, and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments

Enclosure 1 to this letter contains Proprietary Information. When separated from Enclosure 1, this letter is DECONTROLLED.

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

D. Rhoades would change the classification of the redundant reac tivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.

The NRC staff determined that a regulatory audit is needed to assist in the review of the Limerick digital I&C LARs. This audit will be focused on the component interface module system. The regulatory audit will be conducted remotely between October 7 and October 25, 2024. Additional details for the audit are in the enclosed audit plan.

The NRC determined that the audit plan contains proprietary information pursuant to Title 10 of the Code of Federal Regulations Section 2.390, Public inspections, exemptions, requests for withholding. The proprietary information is indicated by text enclosed within double brackets.

Accordingly, the NRC staff has also prepared a non-proprietary publicly available version of the audit plan, which is provided as Enclosure 2. The proprietary version of the audit plan is provided as Enclosure 1.

If you have any questions, please contact me by telephone at 301-415-2871 or by email to michael.marshall@nrc.gov.

Sincerely,

/RA/

Michael L. Marshall, Jr., Senior Project Manager Plant Licensing Branch 1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation

Docket Nos. 50-352 and 50-353

Enclosures:

1. Audit Plan (Proprietary)
2. Audit Plan (Non-Proprietary)

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

AUDIT PLAN FOR COMPONENT INTERFACE MODULE SYSTEM OF LIMERICK DIGITAL

INSTRUMENTATION AND CONTROLS LICENSE AMENDMENT REQUEST

CONSTELLATION ENERGY GENERATION, LLC

LIMERICK GENERATING STATION, UNITS 1 AND 2

DOCKET NOS. 50-352 AND 50-353

1.0 BACKGROUND

By letter dated September 26, 2022 (non-publicly available), as supplemented by letters dated August 12, 2022 (Agencywide Documents Access and Management System (ADAMS)

Accession No. ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141), February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324),

April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),

September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),

March 7, 2024 (ML24067A294), March 18, 2024 (ML24078A275), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114), and June 28, 2024 (ML24180A157), Constellation Energy Generation, LLC (Constellation; the licensee) submitted license amendment requests (LARs) to replace the Limerick Generating Station, Units 1 and 2 (Limerick) existing safety-related analog control systems with a single digital control system called plant protection system (PPS). The supplement dated September 12, 2023, replaces in its entirety the original LARs dated September 26, 2022. The licensee replaced the original submittal because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made all of the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 12, 2023, the content of the replacement and the original are the same.

The proposed amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) PPS to replace the previously independent analog instrumentation subsystems of the reactor protection system, the nuclear steam supply shutoff system (NSSSS), emergency core cooling system (ECCS), reactor core isolation cooling system, and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, e liminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.

Enclosure 1

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

The Limerick digital I&C modification incorporates the component interface module (CIM) system, which is composed of the CIM and the safety-related node controller (SRNC). The CIM system is a critical common link in the safety-related digital I&C system architecture that acts as a priority module whose safety-related function is being shared by the:

Safety-related Common Q-based PPS

Non-safety-related Ovation-based distributed control system (DCS)

Non-safety-related diverse protection system (DPS) (which is also part of the DCS)

The manual back-up capability for actuating NSSSS and ECCS components

The licensee has made the claim that the CIM system is not susceptible to a CCF based on two arguments: ((

)). The concern regarding the CIM system possessing an adequate level of diversity is due to the fact that if the CIM system experiences a CCF, ((

)). The NRC staffs review of the CIM system includes evaluation of the CIM systems design and testing attributes related to Constellations defense in depth and diversity common cause failure coping analysis (D3) for the Limerick digital modernization project.

The NRC staff has determined that a regulatory audit is needed to assist in the review of the Limerick digital I&C LAR. This audit will be focused on the CIM system. This regulatory audit will enable the NRC staff to gain understanding, verify in formation, and identify information that may be required to support a safety determination in its safety evaluation.

2.0 REGULATORY AUDIT BASES

A regulatory audit is a planned license activity that includes the examination and evaluation of primarily non-docketed information. The audit is conducted with the intent to gain understanding, to verify information, and to identify information that will require docketing to support the basis of a licensing or regulatory decision. Performing a regulatory audit is expected to assist the NRC staff in efficiently conducting its review and gaining insights to the licensees processes and procedures. Information that the NRC staff relies upon to make the safety determination must be submitted on the docket. This audit will be conducted in accordance with NRR Office Instruction LIC-111, Regulatory Audits, Revision 1, dated October 2019 (ML19226A274). This audit is being conducted to support the NRC staffs review of the Limerick digital I&C license amendment request.

Regulations and policy relevant to the NRC staffs review of the CIM system include:

Appendix A, General Design Criteria for Nuclear Power Plants, of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities:

o Criterion 21, Protection system reliability and testability, which states, in part:

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed.

o Criterion 22, Protection system independence, which states:

The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

Appendix B, Quality Assurance Criteria fo r Nuclear Power Plants and Fuel Reprocessing Plants, of 10 CFR Part 50:

o Section III, Design Control, which states, in part, that:

The design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. The verifying or checking process shall be performed by individuals or groups other than those who performed the original design, but who may be from the same organization. Where a test program is used to verify the adequacy of a specific design feature in lieu of other verifying or checking processes, it shall include suitable qualifications testing of a prototype unit under the most adverse design conditions.

For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, Section 50.55a(h), Protection and safety systems, of 10 CFR Part 50, requires protection systems to meet the requirem ents in Institute of Electrical and Electronic Engineers (IEEE) Standard (Std) 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems, IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, or the requirements in IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations, and the correction sheet dated January 30, 1995. Limerick received its construction permits on May 19, 1974.

IEEE Std 279-1971 is included in the licensing basis for Limerick.

o Clause 4.3 of IEEE Std 279-1971, Quality of Components and Modules states that:

Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels shall be achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test.

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

o Clause 4.16 of IEEE Std 279-1971, Completion of Protective Action Once It Is Initiated states, in part, that:

The protection system shall be so designed that, once initiated, a protective action at the system level shall go to completion.

Item 18 of SRM-SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs, describes the NRC position on defense against potential common-mode failures in digital I&C systems.

The regulatory guidance that the NRC staff plan to use for the audit activities are:

Standard Review Plan, Branch Technical Po sition (BTP) 7-19, Guidance on Software Reviews for Digital Computer Based Instrumentation and Control Systems.

Regulatory Guide 1.152, Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants, which endorses, with some exceptions and clarifications, IEEE Std 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations.

3.0 PURPOSE AND SCOPE

The NRC staff will review non-docketed analyses, plans, procedures, reports and records related to the CIM system to better understand the claim included in the LAR that the CIM system is not susceptible to a CCF. The audit scope includes the CIM systems design and testing attributes related to D3.

4.0 INFORMATION AND OTHER MATERIAL NECESSARY FOR THE REGULATORY AUDIT

For each documentation request identified below, please upload the requested documents between October 1 - 7, 2024, to an online portal (see special request section of this plan). The staff requests a walk-through of the uploaded documents during the entrance briefing to understand how the listed documents address the information requests described below. The documents to be uploaded should be grouped on the portal (e.g., by creating separate folders) by the headings used below (i.e., Extensive Testing, Diverse Design Attributes, and High Functional Reliability).

Extensive Testing

Documentation to demonstrate that the CIM system has undergone extensive testing addressing the testing criteria in Section 3.1.2 of BTP 7-19. At a minimum, this documentation should include:

(1) documentation of the specific tests that were performed for the CIM system, including the purpose/description of the test, test procedure, test results, test anomalies, and analysis of results

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

(2) a cross-reference list or roadmap detailing the licensees reasoning regarding how it determined that the specific tests performed during development of the CIM devices proposed for use in the Limerick CIM-SRNC system meet each of the test criteria in Section 3.1.2 of BTP 7-19

(3) documentation that describes the technical basis for the conclusion that the testing performed during development of the CIM for the AP1000 reactor design is adequate to demonstrate that the BTP 7-19 testing criteria are met for the Limerick digital modernization project

(4) any references to the specific reports and summaries of the extensive testing process that support that technical basis reasoning

Document WNA-LI-00096-GEN, Evaluation of Common Cause Failure Susceptibility of Component Interface Module, that has been referenced several times in the Limerick LAR submittal documents, and any documents referenced within that document.

Reference documents listed within Section 2.2.2, CIM Extensive Testing, and within Table 2-2 Comparison of BTP 7-19 Test Criteria to CIM Testing, of Document WNA-AR-01074-GLIM, Limerick Generating Stations Units 1 & 2 Digital Modernization Project--Defense in Depth and Diversity Common Cause Failure Coping Analysis.

Diverse Design Attributes

Documentation to demonstrate that the CIM systems diverse design attributes are adequate to support the licensees claim that the CIM system is not susceptible to CCF. At a minimum, this should include detailed information relevant to the application-specific use of the CIM system in the Limerick project. This information should clearly demonstrate how diversity or other design measures of the CIM system that were implemented during the CIM systems development process are applicable to the Limerick project such that it supports the licensees claim of adequate diverse design attributes of the Limerick CIM system.

Documentation describing the reasoning used to determine that a field programmable gate array dual-core design for the Limerick CIM system, including the CIM and SRNC modules, ((

)) is considered adequate diversity for a complex highly safety significant system.

Documentation describing any analysis performed ((

)).

Documentation describing how (( )).

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

Documentation describing the technical basis supporting the conclusion that the level of diversity created ((

)) is sufficient to eliminate CCF.

Documents referenced in the CIM Diversity Analysis, WNA-AR-01054-GEN, Revision 0, that are not already in ADAMS or have been submitted on the docket for Limerick.

High Functional Reliability

Section 2.2.1 of Document WNA-AR-01074-GLIM, Limerick Generating Stations Units 1 & 2 Digital Modernization Project--Defense in Depth and Diversity Common Cause Failure Coping Analysis, states ((

)). Provide documentation demonstrating the highly reliable operation of CIM system modules proposed for Limerick that are currently in service in any operating domestic or foreign AP1000 reactor safety applications, as described in Section 2.2.1 of Document WNA-AR-1074-GLIM.

Provide documentation describing the technical basis for the statements in Section 2.2.1 of the WNA-AR-1074-GLIM document. This may include documentation such as:

(1) quantitative reliability data for the CIM, such as the number of reactor operating hours achieved to date and the number and types of failures experienced by the CIM system modules proposed for Limerick

(2) documents with descriptions of module failures that have been reported or discovered during or after site acceptance testing and startup at any referenced AP1000 reactors

(3) documentation that describes the highly reliable operations and failures of the SRNC modules, if any

(4) documentation analyzing the root causes that were found to have contributed to the failures of the CIM and SRNC modules, and whether any of the types and root causes of these failures could be considered as a repeated failure that is of the same type of failures occurring among the many CIM and SRNC modules that have been produced and are in operation regardless of whether they occurred simultaneously with such similar failures within other modules.

Provide documentation summarizing the types and numbers of failures that have occurred in completed CIMs and SRNCs that were discovered during production testing prior to shipment, if any, and the root causes of those failures. Describe how those root causes have been addressed to prevent future failures from occurring in future production testing or post-production stages.

Based on a review of the material described above, the audit team may request additional documentation to support the audit.

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

5.0 AUDIT TEAM

The members of the audit team are:

William Roggenbrodt, Electronics Engineer, Audit Team Leader David Rahn, Senior Electronics Engineer, Audit Team Member Samir Darbali, Senior Electronics Engineer, Audit Team Member Michael Marshall, Senior Project Manager, Audit Team Member

6.0 LOGISTICS

The audit will start on October 7, 2024, and is planned to end on October 25, 2024. The audit will be conducted remotely. During the audit entrance meeting, the NRC staff will provide an overview of the audit plan and discuss the objectives for the audit. During the exit meeting, the NRC staff will provide a summary of the NRC audit and its observations made during the audit.

If needed, the NRC staff will discuss the CIM systems design and testing attributes with Constellation and its contractors (e.g., Westinghouse). Meeting dates and times along with meeting topics will be requested by the audit team at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in advance. The NRC project managers will coordinate the date and time of the entrance, exit, and other audit meetings with Constellation.

The audit team will not remove any non-docketed documents or other materials from the online portal or location of the audit. If the audit team identifies information that requires docketing to support the basis for a regulatory decision concerning the review of the Limerick digital I&C LAR, the NRC staff will use requests for additional information to get the information placed on the docket.

Any changes in the audit logistics (e.g., audit exit date) will be coordinated and communicated through the NRC project managers assigned to the review of the Limerick digital I&C LAR.

7.0 SPECIAL REQUEST

The NRC staff would like access to the r equested documents through an online portal (i.e., electronic portal, ePortal, electronic reading room) that allows the audit team access via the internet. The following conditions associated with the online portal must be maintained throughout the duration that the audit team has access to the online portal:

the online portal will be password-protected, and separate passwords will be assigned to each audit team member

the online portal will be sufficiently secure to prevent the audit team from printing, saving, downloading, or collecting any information on the online portal

conditions of use of the online portal will be displayed on the login screen and will require acknowledgment by each audit team member

The licensee should ensure that any information uploaded to the online portal is appropriately marked regarding sensitivity (e.g., proprietary information). The NRC staff will confirm with the licensee the sensitivity of any information uploaded to the online portal.

OFFICIAL USE ONLY - PROPRIETARY INFORMATION OFFICIAL USE ONLY - PROPRIETARY INFORMATION

Username and password information should be provided directly to the NRC staff on the audit team. The NRC project managers assigned to the audit team will provide Constellation the names and contact information of the NRC staff who will be participating in the audit. All communications should be coordinated with one of the NRC project managers assigned to the Limerick digital I&C LAR review. The NRCs licensing project manager will inform the licensee via routine communications when the NRC staff no longer needs access to the portal (e.g., 30 days after the end of the audit).

8.0 DELIVERABLES

An audit summary, which may be public, will be prepared after the completion of the audit. If the NRC staff identifies information during the audit that is needed to support its regulatory decision, the NRC staff will issue requests for additional information to the licensee.

OFFICIAL USE ONLY - PROPRIETARY INFORMATION

Package: ML24263A001 Proprietary: ML24263A002 Non-Proprietary: ML24263A003 NRR-106 OFFICE NRR/DORL/LPL1/PM NRR/DORL/LPL1/LAiT NRR/DORL/LPL3 NRR/DEX/EICB/BC NAME MMarshall CAdams SLent FSacko (SDarabali for)

DATE 09/18/2024 09/19/2024 9/19/2024 09/18/2024 OFFICE NRR/DORL/LPL1/BC NRR/DORL/LPL1/PM NAME HGonzález MMarshall DATE 09/19/2024 09/27/2024