ML25223A077
| ML25223A077 | |
| Person / Time | |
|---|---|
| Site: | Limerick  (NPF-039, NPF-085) |
| Issue date: | 08/22/2025 |
| From: | Marshall M Plant Licensing Branch 1 |
| To: | Rhoades D Constellation Energy Generation |
| References | |
| EPID L-2022-LLA-0140 | |
| Download: ML25223A077 (1) | |
Text
August 22, 2025 David P. Rhoades Senior Vice President Constellation Energy Generation, LLC President and Chief Nuclear Officer Constellation Nuclear 4300 Winfield Road Warrenville, IL 60555
SUBJECT:
LIMERICK GENERATING STATION, UNITS 1 AND 2 - REGULATORY AUDIT PLAN SUPPORTING REVIEW OF THE LIMERICK DIGITAL INSTRUMENTATION AND CONTROLS LICENSE AMENDMENT REQUEST (EPID L-2022-LLA-0140)
Dear Mr. Rhoades:
By letter dated September 26, 2022 (non-publicly available), as supplemented by letters dated August 15, 2022 (Agencywide Documents Access and Management System Accession No. ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141),
February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324), April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),
September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),
March 7, 2024 (ML24067A294), March 18, 2024 (ML24078A275), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114),
June 28, 2024 (ML24180A157), February 5, 2025 (ML25037A286), February 21, 2025 (ML25055A157), June 3, 2025 (ML25154A616), July 2, 2025 (ML25183A133), July 10, 2025 (ML25191A223), and July 30, 2025 (ML25211A295), respectively, Constellation Energy Generation, LLC (the licensee) submitted license amendment requests (LARs) to replace the Limerick Generating Station, Units 1 and 2 (Limerick), existing safety-related analog control systems with a single digital control system called the plant protection system. The supplement dated September 12, 2023, replaces in its entirety the original LARs dated September 26, 2022.
The licensee replaced the original submittal because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 12, 2023, the content of the replacement and the original are the same.
The proposed amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) plant protection system to replace analog instrumentation of reactor protection system, analog nuclear steam supply shutoff system, emergency core cooling system, reactor core isolation cooling system, and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater
runback function, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from main control room.
The NRC staff determined that a second regulatory audit concerning the component interface module (CIM) is needed to assist in the review of the Limerick digital I&C LARs. This audit will be focused on (1) the licensees justification that the CIM has undergone sufficient testing to demonstrate that the CIM is not susceptible to a common-cause failure (CCF), and (2) the actions Constellation could take given a potential CCF of the CIM. Of the two focus areas, the primary focus will be assessing the licensees basis for claiming the CIM is not susceptible to a CCF. The regulatory audit will be conducted remotely between August 11 and September 30, 2025, with an in-person part taking place from August 18 to 21, 2025.
Additional details for the audit are in the enclosed audit plan.
If you have any questions, please contact me by telephone at 301-415-2871 or by email to Michael.Marshall@nrc.gov.
Sincerely,
/RA/
Michael L. Marshall, Jr., Senior Project Manager Plant Licensing Branch 1 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. 50-352 and 50-353
Enclosure:
Audit Plan
Enclosure PLAN FOR SECOND AUDIT OF COMPONENT INTERFACE MODULE COMMON CAUSE FAILURE OF THE LIMERICK DIGITAL INSTRUMENTATION AND CONTROLS LICENSE AMENDMENT REQUEST CONSTELLATION ENERGY GENERATION, LLC LIMERICK GENERATING STATION, UNITS 1 AND 2 DOCKET NOS. 50-352 AND 50-353
1.0 BACKGROUND
By letter dated September 26, 2022 (non-publicly available), as supplemented by letters dated August 12, 2022 (Agencywide Documents Access and Management System Accession No. ML22224A149), November 29, 2022 (ML22333A817), February 8, 2023 (ML23039A141),
February 15, 2023 (ML23046A266), March 30, 2023 (ML23089A324), April 5, 2023 (ML23095A223), June 26, 2023 (ML23177A224), July 31, 2023 (ML23212B236),
September 12, 2023 (ML23255A095), October 30, 2023 (ML23303A223), November 21, 2023 (ML23325A206), January 26, 2024 (ML24026A296), February 26, 2024 (ML24057A427),
March 7, 2024 (ML24067A294), March 18, 2024 (ML24078A275), May 3, 2024 (ML24124A043), June 13, 2024 (ML24165A264), June 14, 2024 (ML24166A114), June 28, 2024 (ML24180A157), February 5, 2025 (ML25037A286), February 21, 2025 (ML25055A157),
June 3, 2025 (ML25154A616), July 2, 2025 (ML25183A133), July 10, 2025 (ML25191A223),
and July 30, 2025 (ML25211A295), Constellation Energy Generation, LLC (Constellation; the licensee) submitted license amendment requests (LARs) to replace the Limerick Generating Station, Units 1 and 2 (Limerick), existing safety-related analog control systems with a single digital control system called plant protection system (PPS). The supplement dated September 12, 2023, replaces in its entirety the original LARs dated September 26, 2022. The licensee replaced the original submittal because it had mistakenly included proprietary information in the non-proprietary parts of the request. The U.S. Nuclear Regulatory Commission (NRC) staff made the original submittal non-public. With the exceptions noted by the licensee in the letter dated September 12, 2023, the content of the replacement and the original are the same.
The proposed amendment requests would change both the design and technical specifications to permit the use of a new single digital instrumentation and controls (I&C) PPS to replace the previously independent analog instrumentation subsystems of the reactor protection system, nuclear steam supply shutoff system (NSSSS), emergency core cooling system (ECCS), reactor core isolation cooling system, and end-of-cycle recirculation pump trip at Limerick. In addition, the proposed amendments would change the classification of the redundant reactivity control system from safety-related to non-safety-related, eliminate the automatic redundant reactivity control system feedwater runback function, eliminate several surveillance requirements, and allow the use of automated operator aids (or automated controls) from the main control room.
The Limerick digital I&C modification incorporates the component interface module (CIM) system, which is composed of the CIM and the safety-related node controller. The CIM system is a critical common link in the safety-related digital I&C system architecture that acts as a priority module whose safety-related function is being shared by the:
safety-related Common Q-based PPS non-safety-related Ovation-based distributed control system (DCS) non-safety-related diverse protection system (which is also part of the DCS) manual back-up capability for actuating NSSSS and ECCS components The NRC staffs review of the CIM system includes evaluation of the CIM systems susceptibility to a common-cause failure (CCF). As part of the staffs evaluation of the CIM, the staff issued requests for additional information (RAIs) to understand (1) the testing and any analysis conducted to demonstrate that CIM is not susceptible to CCF and (2) what actions would need to be taken, automatically or manually (i.e., by plant operators), to perform system-level or component-level actuations of NSSSS valves and ECCS, reactor core isolation cooling (RCIC) and standby liquid control (SLC) pumps and valves, in the event the CIM system experiences a CCF. The RAIs were issued to the licensee in NRC email dated January 6, 2025 (ML25007A150).
The NRC staff has determined that a regulatory audit is needed to assist in the review of the Limerick digital I&C LAR. This audit will be focused on:
- 1. The licensees justification that the component interface module has undergone sufficient testing to demonstrate that the CIM is not susceptible to a CCF.
- a. Draft response, as updated, to RAI 25
- b. Draft response, as updated, to RAI 27
- c. Draft response, as updated, to RAI 28
- 2. The actions Constellation could take given a potential CCF of the component interface module.
- a. Draft response, as updated, to RAI 31 Of the two focus areas, the primary focus will be assessing the licensees basis for claiming that the CIM is not susceptible to a CCF. This regulatory audit will enable the NRC staff to gain a better understanding, verify information, and identify information that may be required to support a safety determination in its safety evaluation.
2.0 REGULATORY AUDIT BASES A regulatory audit is a planned license activity that includes the examination and evaluation of primarily non-docketed information. The audit is conducted with the intent to gain a better understanding, to verify information, and to identify information that will require docketing to support the basis of a licensing or regulatory decision. Performing a regulatory audit is expected to assist the NRC staff in efficiently conducting its review and gaining insights to the licensees processes and procedures. Information that the NRC staff relies upon to make the safety determination must be submitted on the docket. This audit will be conducted in accordance with Office of Nuclear Reactor Regulation Office Instruction LIC-111, Revision 2, Regulatory Audits, (ML24309A281) and OEDO [Office of the Executive Director for Operations] Procedure-0235, Revision 0, Driving Regulatory Decisions Through More Effective Communications, (ML25167A039).
Regulations and policy relevant to the NRC staffs review include:
Appendix A, General Design Criteria for Nuclear Power Plants, of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, Domestic Licensing of Production and Utilization Facilities:
o Criterion 21, Protection system reliability and testability, which states, in part:
The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed.
o Criterion 22, Protection system independence, which states:
The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.
o Criterion 29, Protection against anticipated operational occurrences, which states:
The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.
Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, of 10 CFR Part 50:
o Section III, Design Control, which states, in part, that:
The design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. The verifying or checking process shall be performed by individuals or groups other than those who performed the original design, but who may be from the same organization. Where a test program is used to verify the adequacy of a specific design feature in lieu of other verifying or checking processes, it shall include suitable qualifications testing of a prototype unit under the most adverse design conditions.
For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, Section 50.55a(h), Protection and safety systems, of 10 CFR Part 50, requires protection systems to meet the requirements in Institute of Electrical and Electronic Engineers (IEEE) Standard (Std) 279-1968, Proposed IEEE Criteria for Nuclear Power Plant Protection Systems; IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations; or the requirements in IEEE Std 603-1991, Criteria for Safety Systems for Nuclear Power Generating Stations; and the correction sheet dated January 30, 1995. Limerick received its construction permits on May 19, 1974.
IEEE Std 279-1971 is included in the licensing basis for Limerick.
o Clause 4.3 of IEEE Std 279-1971, Quality of Components and Modules, states that:
Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Quality levels shall be achieved through the specification of requirements known to promote high quality, such as requirements for design, for the derating of components, for manufacturing, quality control, inspection, calibration, and test.
o Clause 4.16 of IEEE Std 279-1971, Completion of Protective Action Once It Is Initiated, states, in part, that:
The protection system shall be so designed that, once initiated, a protective action at the system-level shall go to completion.
Item 18 of SRM-SECY-93-087, Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs (ML003708056),
describes the NRC position on defense against potential CCFs in digital I&C systems.
SRM-SECY-22-0076, Expansion of Current Policy on Potential Common-Cause Failures in Digital Instrumentation and Control Systems (ML23145A181), describes the NRC expanded policy to allow the use of risk-informed approaches in addressing CCFs in digital I&C systems.
The regulatory guidance that the NRC staff plan to use for the audit activities are:
Standard Review Plan, Branch Technical Position (BTP) 7-19, Revision 9, Guidance on Software Reviews for Digital Computer Based Instrumentation and Control Systems (ML24005A077).
Regulatory Guide 1.152, Revision 4, Criteria for Programmable Digital Devices in Safety-Related Systems of Nuclear Power Plants (ML23054A463), which endorses, with some exceptions and clarifications, IEEE Std 7-4.3.2, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations.
3.0 PURPOSE AND SCOPE The NRC staff will review non-docketed analyses, plans, procedures, reports, and records related to (1) the licensees justification that the CIM has undergone sufficient testing to demonstrate that the CIM is not susceptible to a CCF, and (2) the actions Constellation could take given a potential CCF of the CIM.
4.0 INFORMATION AND OTHER MATERIAL NECESSARY FOR THE REGULATORY AUDIT
- 1. Audit questions regarding licensees justification that the CIM has undergone sufficient testing to demonstrate that the CIM is not susceptible to a CCF (i.e., draft responses to RAIs 25, 27, and 28):
1.1.
Provide a technical justification for why testing of a physical CIM is not necessary in order to demonstrate that it is not susceptible to a CCF.
1.2.
Describe how the test gaps can be filled outside the field programmable gate array (FPGA).
1.3.
During the audit entrance meeting, the staff shared a figure with the staffs understanding of the licensees proposed alternative approach to eliminate CCF from further consideration. If the third column of the figure does not accurately depict the licensees alternative approach, please provide a figure that accurately depicts the proposed alternative approach described in draft response to RAIs 25 and 27. On the more accurate figure prepared by Constellation, please indicate which portion of the figure maps to specific sections (or page or paragraph) of RAIs 25 and 27.
1.4.
Provide a technical basis for why the CIM internal components cannot cause adverse interactions that would impact the data flow through the CIM (including the FPGA).
- 2. Audit questions regarding the actions Constellation could take given a potential CCF of the CIM (i.e., draft response to RAI 31):
2.1.
Provide PRA notebooks or summary results that include (1) initiating event frequencies for these events, (2) the structures, systems, components, and operator actions relied upon to mitigate these events in the PRA model, (3) the success criteria for the systems relied upon to mitigate these events in the PRA model, (4) the time available for operators to perform the operator actions in time to support the PRA success criteria.
For this item, the licensee is requested to provide simplified system drawings that highlight the major components (e.g., similar to drawings that appear in training manuals) to facilitate discussions with the staff.
2.2.
The staff understands that the current draft response to RAI 31 is based on a best-estimate methodology that used (1) less restrictive assumptions (e.g., assumed equipment available and starting conditions) than the Chapter 15 analyses and (2) the glass top simulator to demonstrate that the operator actions were realistic and could be performed within the necessary timeframes. It is unclear if the timeframes used were obtained from the Chapter 15 analyses or the glass top simulations.
Clarify the timeframes used to demonstrate the criteria in NUREG/CR-6303 were satisfied for the 13 events described in Table 2 and how they were calculated or obtained. If the timeframes were obtained from the glass top simulations, provide a justification that the timeframes are appropriate since the glass top simulator was described as a work in progress.
2.3.
The staff understands that the current draft response to RAI 31 is based on a best-estimate methodology that used (1) less restrictive assumptions (e.g., assumed equipment available and starting conditions) than the Chapter 15 analyses and (2) the glass top simulator to demonstrate that the operator actions were realistic and could be performed within the necessary timeframes. It is unclear if the timeframes used were obtained from the Chapter 15 analyses or the glass top simulations.
Discuss whether there are thermal-hydraulic analyses developed for other purposes (e.g., the PRA model or fire protection program) that can be used to obtain best-estimate timeframes to demonstrate the criteria in NUREG/CR-6303 were satisfied for the 13 events described in Table 2.
2.4.
The current draft response to RAI 31 states that the emergency operating procedures (EOPs) list the available systems and equipment that may be used for event response, irrespective of safety classifications and equipment. The response also states that any available systems may be used to accomplish the technical direction of the procedure.
Finally, the response states that the remote shutdown panel has the necessary indications and controls for reactor pressure vessel level, pressure control, and containment cooling through manual controls for several systems.
Clarify if the EOPs identify the systems and equipment described in the response to RAI 31 (as available options for operators to use during the 13 events described in Table 2).
Clarify if the EOPs direct (or identify the option for) operators to travel to the remote shutdown panel to control reactor pressure vessel level, RCS pressure control, and containment cooling.
2.5.
Describe the indications and displays available, in the event the CIM or CIM system experiences a CCF, to enable the operators to identify that a CCF of the CIMs has occurred.
2.6.
Describe the methodology used to determine that an operator can identify in a timely manner that a CIM has failed, and provide a demonstration including identifying which indications would be available to operators.
2.7.
Provide a demonstration of how operators would identify in a timely manner that a field component (e.g., a pump or a valve) has failed to actuate.
2.8.
Provide a walk-through demonstration of the actions to be taken by operators. This includes actions to be taken from the main control room and a sampling of actions taken outside the main control room (e.g., from the remote shutdown panel).
2.9.
Identify and describe the specific controls available to operators, and their locations, to initiate required protective actions for each identified event.
2.10. Identify whether the actions performed in the control room were included in the analysis presented in the Preliminary Validation and/or the Conceptual Validation activities as a part of other accident scenarios.
2.11. Specify whether the actions are new actions or modified operator actions or if the is a modification in the task demand.
2.12. Provide any documentation associated with the simulator runs for updated final safety analyses report (UFSAR) Events 15.2.7 (Loss of Feedwater) and 15.6.5 (LOCA).
2.13. In Table 2, Applicable Chapter 15 Events, for UFSAR Event 15.2.5, Loss of Condenser Vacuum, it states that the main steam isolation valves (MSIVs) will be closed manually from the main control room (MCR) using the MSIV test solenoid controls. However, in the Operator Response Sequences to Chapter 15 Events section, it states that the turbine bypass valves are closed. Clarify whether the operators would close the MSIVs or turbine bypass valves, and whether or not closure of either set of valves would be sufficient.
2.14. In Table 2, Applicable Chapter 15 Events, for UFSAR Event 15.2.7, Loss of Feedwater, it states that reactor pressure vessel (RPV) water level control will be accomplished from the remote shutdown panel (RSP) using RCIC. However, in the Operator Response Sequences to Chapter 15 Events section, it states that operators will depressurize to below the shutoff head of the Condensate system to inject to the RPV.
Clarify what system is used to maintain water level (RCIC pump or condensate pump),
and whether or not injection from either system would be sufficient.
2.15. In Table 2, Applicable Chapter 15 Events, for UFSAR Event 15.6.4, Steam System Pipe Break Outside Primary Containment, it states that operators actuate, from the RSP, RHR A in LPCI and Suppression Pool Cooling and Spray Modes, and RHR B from local panels. However, in the Operator Response Sequences to Chapter 15 Events section, it states operators in the RSP establish RPV injection with RCIC and RPV pressure control using safety release valves (SRVs). Clarify which systems are used in this event (RHR/LPCI/SPC or RCIC), and whether or not either set of systems would be sufficient.
2.16. In Table 2, Applicable Chapter 15 Events, there are several conclusion statements such as no more than a small fraction (10 percent) of the 10 CFR 100 dose limit is exceeded. Is the basis for these statements the fact that no plant safety limits were exceeded, or is there something else used to make this determination?
Based on a review of the material described above, the audit team may request additional documentation to support the audit.
5.0 AUDIT TEAM The members of the audit team are:
Samir Darbali, Senior Electronics Engineer, Audit Team Leader Steven Alferink, Reliability and Risk Analyst, Audit Team Member Robert Beaton, Senior Nuclear Engineer, Audit Team Member Kamishan Martin, Reactor Operations Engineer (Human Factors), Audit Team Member Michael Marshall, Senior Project Manager, Audit Team Member David Rahn, Senior Electronics Engineer, Audit Team Member 6.0 LOGISTICS The audit will start on August 12, 2025, and is planned to end on September 17, 2025. The audit will be conducted remotely with an in-person part taking place August 18 - 22, 2025.
Audit Activity Date and Time Location Entrance meeting August 12, 2025 (2:00 pm)
Remote Limerick site visit August 18 (9:00 am) to August 22, 2025 (11:30 am)
Limerick Generating Station Exit meeting September 17, 2025 (TBD)
Remote During the audit entrance meeting, the NRC staff will provide an overview of the audit plan and discuss the objectives for the audit. Additionally, the NRC staff will address any clarifying questions that Constellation may have about the audit plan. During the exit meeting, the NRC staff will provide a summary of the NRC audit and its observations made during the audit.
Meeting dates and times along with meeting topics will be requested by the audit team at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> in advance. The NRC project managers will coordinate any changes to the date and time of the entrance, exit, and other audit meetings with Constellation.
The audit team will not remove any non-docketed documents or other materials from the online portal or location of the audit. If the audit team identifies information that requires docketing to support the basis for a regulatory decision concerning the review of the Limerick digital I&C LAR, the NRC staff will use RAIs to get the information placed on the docket or wait for the licensee to supplement its LAR.
Any changes in the audit logistics (e.g., audit exit date) will be coordinated and communicated through the NRC project managers assigned to the review of the Limerick digital I&C LAR.
7.0 SPECIAL REQUEST The NRC staff would like access to the requested documents through an online portal (i.e., electronic portal, ePortal, electronic reading room) that allows the audit team access via the internet. The following conditions associated with the online portal must be maintained throughout the duration that the audit team has access to the online portal:
The online portal will be password-protected, and separate passwords will be assigned to each audit team member.
The online portal will be sufficiently secure to prevent the audit team from printing, saving, downloading, or collecting any information on the online portal.
Conditions of use of the online portal will be displayed on the login screen and will require acknowledgment by each audit team member.
The licensee should ensure that any information uploaded to the online portal is appropriately marked regarding sensitivity (e.g., proprietary information). The NRC staff will confirm with the licensee the sensitivity of any information uploaded to the online portal. Username and password information should be provided directly to the NRC staff on the audit team. The NRC project managers assigned to the audit team will provide Constellation the names and contact information of the NRC staff who will be participating in the audit. All communications should be coordinated with one of the NRC project managers assigned to the Limerick digital I&C LAR review. The NRCs licensing project manager will inform the licensee via routine communications when the NRC staff no longer needs access to the portal (e.g., 30 days after the audit exit).
During the part of the audit at the Limerick site or Westinghouse facility, the NRC staff would like the use of an enclosed meeting space (e.g., conference room) for the audit teams use.
8.0 DELIVERABLES An audit summary, which may be public, will be prepared after the completion of the audit. If the NRC staff identifies information during the audit that is needed to support its regulatory decision, the NRC staff may issue RAIs to the licensee or wait for the licensee to supplement its LAR.
ML25223A077 NRR-106 OFFICE NRR/DORL/LPL1/PM NRR/DORL/LPL1/LA NRR/DEX/EICB/BC NRR/DRA/APLC/BC(A)
NAME MMarshall KEntz FSacko SAlferink DATE 08/08/2025 08/12/2025 08/18/2025 08/14/2025 OFFICE NRR/DRO/IOLB/TL NRR/DSS/SNSB/BC NRR/DORL/LPL1/BC NRR/DORL/LPL1/PM NAME JAnderson for ADAgostino NDiFrancesco HGonzález MMarshall DATE 08/22/2025 08/22/2025 08/13/2025 08/22/2025