ML25007A150
| ML25007A150 | |
| Person / Time | |
|---|---|
| Site: | Limerick  |
| Issue date: | 01/06/2025 |
| From: | Marshall M Plant Licensing Branch 1 |
| To: | Rickey A Constellation Energy Generation, Constellation Nuclear |
| Klett, AL | |
| References | |
| EPID L-2022-LLA-0140 | |
| Download: ML25007A150 (1) | |
Text
From:
Michael Marshall To:
Rickey, Ashley:(Constellation Nuclear)
Cc:
Wendi Para (wendi.para@constellation.com); Robert Kuntz
Subject:
Limerick Generating Station, Units 1 and 2 - Request for Additional Information and Draft Requests for Confirmatory Information Regarding Limerick Digital Instrumentation and Controls License amendment Request (EPID L-2022-LLA-0140)
Date:
Monday, January 6, 2025 2:07:00 PM Hello Wendi,
By letter dated September26, 2022 (Agencywide Documents Access and Management System Accession No. ML22269A569; non-public), as supplemented by letters dated August12, 2022 (ML22224A149), November29, 2022 (ML22333A817), February8, 2023 (ML23039A141), February15, 2023 (ML23046A266), March30, 2023 (ML23089A324),
April5, 2023 (ML23095A223), June26, 2023 (ML23177A224), July31, 2023 (ML23212B236), September12, 2023 (ML23255A095), October30, 2023 (ML23303A223),
November21, 2023 (ML23325A206), January26, 2024 (ML24026A296), February26, 2024 (ML24057A427), March7, 2024 (ML24067A294), March18, 2024 (ML24057A426),
April23, 2024 (ML24114A322), May3, 2024 (ML24124A043), June13, 2024 (ML24165A264), June14, 2024 (ML24166A114), and June28, 2024 (ML24180A157)
Constellation Energy Generation, LLC (Constellation; the licensee) submitted license amendment requests (LAR) for Limerick Generating Station, Units 1 and 2 (Limerick). The supplement dated September12, 2023 replaces in its entirety the original LAR dated September26, 2022. The licensee replaced the original submittal, because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made all of the original submittal non-public. With the exceptions noted by the licensee in the letter dated September12, 2023, the content of the replacement and the original are the same.
The amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) system to replace analog instrumentation of reactor protection system, analog nuclear steam supply shutoff system (NSSSS), emergency core cooling system (ECCS), reactor core isolation cooling system (RCIC), and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.
The NRC staff has determined that additional information is needed to complete its review of the Limerick digital I&C LAR. The request was sent to Constellation on January 6, 2025 using the BOX service. This request was discussed with Constellation on January3, 2025.
Constellations response to the RCIs shall be provided to the NRC within 30 days of the date of this email and Constellations response to the RAIs shall be provided to the NRC within 90 days of the date of the email.
The request for confirmatory information (RCI) numbering starts from 1, because this is the first set of RCIs being sent concerning the review of the Limerick digital I&C LARs. The request for additional information (RAI) numbering starts from the last RAI number that was used in RAIs sent to Constellation by NRC email dated May 13, 2024 (ML24165A075).
Best Regards, Michael L. Marshall, Jr.
Senior Project Manager
Plant Licensing Branch I Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation
301-415-2871
Official Use Only - Proprietary Information Official Use Only - Proprietary Information 1 of 17
SUBJECT:
Limerick Generating Station, Units 1 and 2 - Request for Additional Information and Draft Requests for Confirmatory Information Regarding Limerick Digital Instrumentation and Controls License amendment Request (EPID L-2022-LLA-0140)
By letter dated September 26, 2022 (Agencywide Documents Access and Management System Accession No. ML22269A569; non-public), as supplemented by letters dated August 12, 2022 (ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141),
February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324), April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),
September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),
March 7, 2024 (ML24067A294), March 18, 2024 (ML24057A426), April 23, 2024 (ML24114A322), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114), and June 28, 2024 (ML24180A157) Constellation Energy Generation, LLC (Constellation; the licensee) submitted license amendment requests (LAR) for Limerick Generating Station, Units 1 and 2 (Limerick). The supplement dated September 12, 2023 replaces in its entirety the original LAR dated September 26, 2022. The licensee replaced the original submittal, because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made all of the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 12, 2023, the content of the replacement and the original are the same.
The amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) system to replace analog instrumentation of reactor protection system, analog nuclear steam supply shutoff system (NSSSS), emergency core cooling system (ECCS), reactor core isolation cooling system (RCIC), and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.
The NRC staff has determined that additional information is needed to complete its review of the Limerick digital I&C LAR. This request was discussed with Constellation on January 3, 2025.
Constellations response to the RCIs shall be provided to the NRC within 30 days of the date of this email and Constellations response to the RAIs shall be provided to the NRC within 90 days of the date of the email.
The request for confirmatory information (RCI) numbering starts from 1, because this is the first set of RCIs being sent concerning the review of the Limerick digital I&C LARs. The request for additional information (RAI) numbering starts from the last RAI number that was used in RAIs sent to Constellation by NRC email dated May 13, 2024 (ML24165A075).
Official Use Only - Proprietary Information Official Use Only - Proprietary Information 10 of 17 used to uncover latent design defects for correction in the design process and to demonstrate that any identified latent design defects have been corrected. The reviewer should determine whether testing of the proposed DI&C system or component shows that all latent design defects have been identified and corrected, so that the system or component will function as specified under the anticipated operational conditions. If so, the CCF can be eliminated from further consideration. [emphasis added]
IEEE 7-4.3.2-2016, Clause 5.18 Simplicity states:
It is recognized that the simplicity is not a measurable characteristic of a safety system. As such, no acceptable degree of simplicity can be established for these systems however, measures should be taken to avoid unnecessary complexity.
Added complexity associated with the performance of functions not directly related to the safety function may introduce design errors or create system hazards. [emphasis added]
Statements are made in several places throughout the submittal documents regarding the licensees assertion that the CIM is not susceptible to a CCF. For example, Section 9.3.1, Separation, of WCAP-18598-P, Revision 2 states:
The extensive testing performed on the CIM and the diversity attributes of the CIM design are described in the PPS D3 Analysis (Reference 11). As a result, there is reasonable assurance that the CIM is not susceptible to a CCF. It can be concluded then, that the actuation signals from the RRCS [redundant reactivity control system] and DPS are functionally independent from the PPS.
Section 9.3.2, Diversity, of WCAP-18598-P also states, the RRCS/DPS actuation signal outputs go through the Z-port of the CIM and there is reasonable assurance that the CIM is not susceptible to a CCF. Also, Table 3.2.5-1, DI&C [digital instrumentation and controls]-ISG
[interim staff guidance]-04 Section 2 Compliance, Item 2 states: The CIM is not susceptible to a Common Q CCF because of its diversity in design.
Section 2.2, PPS Architecture CCF Vulnerabilities, within document WNA-AR-01074-GLIM-P Revision 4 states:
The CIM, due to its design, is still considered available and not susceptible to a CCF. There are two legs to the safety case for this conclusion. The first is the extensive testing performed on the CIM. This testing is compared to the testing criteria in BTP 7-19 (Reference 2), Section B.3.1.2 in WNA-LI-00096-GEN, Evaluation of Common Cause Failure Susceptibility of Component Interface Module (Reference 4) and correlates the CIM tests to the BTP 7-19 criteria.
The second leg of the CIM safety case regarding CCF is the similarity in design attributes and process to the Main Steam Isolation and Feedwater Isolation System (MSFIS) implemented at Wolf Creek (Reference 6). WNA-AR-01054-GEN, CIM Diversity Analysis (Reference 5) provides the evaluation of the key
Official Use Only - Proprietary Information Official Use Only - Proprietary Information 11 of 17 design features of the CIM that are used to address the risk of CCF and eliminating CCF vulnerabilities from further consideration.
These two safety case arguments together (extensive testing and diverse design attributes) provide the holistic argument that the CIM does not need to be considered vulnerable to a CCF for this analysis.
- 25) In its letter dated June 14, 2024 (i.e., the response to RAI 21), the licensee stated the CIM-SRNC test program documents for the AP1000 CIM-SRNC, including the test plans and test results ((
)). However, the NRC staff did not find sufficient information within Constellations Limerick digital I&C LARs, as supplemented, to enable it to verify claims made by the licensee regarding the CIM-SRNC development, testing, and verification processes for the CIM-SRNC. Specifically, additional information is needed to demonstrate how CIM-SRNC system test results and documented outcome would support a claim of the CIM not being susceptible to a CCF.
The licensees statements made in Constellations Limerick digital I&C LARs, as supplemented, that the CIM-SRNC has undergone extensive testing per the discussion in Sections 2.2 and 2.2.2 of WNA-AR-01074-GLIM, Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis, are not sufficient to enable the NRC staff to conclude that the specific tests conducted to demonstrate the functionality of the CIM and SRNC when it was developed for the AP1000 application will also satisfy the acceptance criteria within Section B.3.1.2 of BTP 7-19, Revision 8. Specifically, Section 2.2.2 of document WNA-AR-01074-GLIM only provides a high-level overview related to the extensive testing and attributes of defense in depth and diversity related to the Limerick application.
Section 2.2.2, CIM Extensive Testing, of WNA-AR-01074-GLIM, indicates that more detailed information may be available that describes the specific tests that were conducted for the CIM system and how they address the acceptance criteria identified within BTP 7-19 (e.g., testing every possible combination of inputs, every functional state transition among all modes of operation, test results that conform to pre-established test cases and all correctness for all outputs of every case). A reference is made to Document WNA-LI-00096-GEN (Reference 4) Evaluation of Common Cause Failure Susceptibility of Component Interface Module. However, this document was not submitted to the NRC staff for its reference or use in evaluating the statements in the submitted documents. Further, this document may also point to other documents that describe in greater detail why the tests that were conducted during the development of the CIMs for the AP1000 product line were considered sufficient to satisfy the acceptance criteria in Section B.3.1.2 of BTP 7-19.
Describe the reasoning that was used in WCAP-18598 to describe the CIM as a simple FPGA-based component that would enable it to satisfy the testing acceptance criteria in the NRC staffs review guidance in NUREG-0800, BTP 7-19, Revision 8. Specifically, BTP 7-19 states: Thorough testing can help to identify latent design defects in DI&C systems, provided the design is simple enough to allow such testing. Describe how it can be concluded that the CIM system can be considered a simple design, or simple enough such that thorough testing to identify latent defects can be effectively performed. To support the conclusion that the CIM is a simple FPGA-based component, please provide a basis
Official Use Only - Proprietary Information Official Use Only - Proprietary Information 17 of 17 that would justify the use of ((
)) and not additional diverse design measures to achieve internal diversity.
- 31) A potential CCF of the CIM or CIM system would affect signals from the PPS and the DPS to the ECCS, NSSSS, RCIC, or standby liquid control (SLC) field components, and would affect field component status signals from reaching displays used by operators.
a) For each plant event that requires actuation of the NSSSS, ECCS, RCIC or SLC functions, describe the actions that would need to be taken, automatically or manually (i.e., by plant operators), to perform system level or component level actuations of NSSSS valves, and ECCS, RCIC and SLC pumps and valves, in the event the CIM or CIM system experiences a CCF. In the description, as a minimum:
For each plant event that requires actuation of the NSSSS, ECCS, RCIC or SLC functions, describe the actions that would be available to be taken from within the control room, if a CCF of the CIM or CIM system were to occur, and which actions could be performed, but possibly not from within the control room.
Identify whether these actions would be timely enough to support the accomplishment of plant emergency operations within the plant safety analysis limits for each design basis transient and accident event. For example, for a large break loss of coolant accident event occurring within the primary coolant system within the containment.
Describe the indications and displays that would still be available to the plant operators to take required safety actions and to verify the actual achievement of the required safety actions by observing the status of the SSCs needed to accomplish the required safety functions.
b) Describe the indications and displays available, in the event the CIM or CIM system experiences a CCF, to enable the operators to identify that a CCF of the CIMs has occurred.