ML19176A191: Difference between revisions

From kanterella
Jump to navigation Jump to search
(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
 
Line 41: Line 41:
As an explanation for the proposed changes to the STS, TSTF-569, Revision 2, states, in part:
As an explanation for the proposed changes to the STS, TSTF-569, Revision 2, states, in part:
Response time testing verifies that the individual channel or train actuation response times are less than or equal to the maximum values assumed in the accident analysis. The RTT acceptance criteria are under licensee control, typically in Technical Requirements Manual or equivalent document. Individual component response times are not modeled in the accident analyses. The analysis models the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (e.g., control and shutdown rods fully inserted in the reactor core).
Response time testing verifies that the individual channel or train actuation response times are less than or equal to the maximum values assumed in the accident analysis. The RTT acceptance criteria are under licensee control, typically in Technical Requirements Manual or equivalent document. Individual component response times are not modeled in the accident analyses. The analysis models the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (e.g., control and shutdown rods fully inserted in the reactor core).
Response time testing is resource intensive, which is why the WOG
Response time testing is resource intensive, which is why the WOG
[Westinghouse Owners Group] and CEOG [Combustion Engineering Owners Group] pursued its elimination as discussed above. RTT is generally performed in discrete steps, with electronic signal conditioning and logic response time being one of the steps. Other components of the total protection system
[Westinghouse Owners Group] and CEOG [Combustion Engineering Owners Group] pursued its elimination as discussed above. RTT is generally performed in discrete steps, with electronic signal conditioning and logic response time being one of the steps. Other components of the total protection system

Latest revision as of 07:13, 2 February 2020

Final Safety Evaluation of Traveler TSTF-569, Revision 2, Revise Response Time Testing Definition (EPID L-2018-PMP-0002) (Enclosure 1)
ML19176A191
Person / Time
Site: Technical Specifications Task Force
Issue date: 08/14/2019
From: Victor Cusumano
NRC/NRR/DSS
To:
Technical Specifications Task Force
Honcharik M, 301-415-1774, NRR/DSS
Shared Package
ML19176A188 List:
References
EPID L-2018-PMP-0002, TSTF-569, Rev 2
Download: ML19176A191 (17)


Text

FINAL SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION TECHNICAL SPECIFICATIONS TASK FORCE TRAVELER TSTF-569, REVISION 2 REVISE RESPONSE TIME TESTING DEFINITION USING THE CONSOLIDATED LINE ITEM IMPROVEMENT PROCESS (EPID L-2018-PMP-0002)

1.0 INTRODUCTION

By letter dated June 25, 2019 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML19176A034), the Technical Specifications Task Force (TSTF) submitted Traveler TSTF-569, Revision 2, Revise Response Time Testing Definition, to the U.S. Nuclear Regulatory Commission (NRC). Traveler TSTF-569, Revision 2, proposes changes to the Standard Technical Specifications (STS) for all Westinghouse and Combustion Engineering (CE) plants. These changes would be incorporated into future revisions of NUREG-1431 and NUREG-1432, respectively.1 This traveler would be made available to licensees for adoption through the consolidated line item improvement process.

The proposed changes would revise technical specification (TS) definitions for engineered safety feature (ESF) response time and reactor trip system (RTS) response time in NUREG-1431, and ESF response time and reactor protection system (RPS) response time in NUREG-1432, that are referenced in Surveillance Requirements (SRs), hereafter referred to as response time testing (RTT).

2.0 REGULATORY EVALUATION

2.1 DESCRIPTION

OF RESPONSE TIME TESTING The RTS and RPS initiate a unit shutdown, based on the values of selected unit parameters, to protect against violating the core fuel design limits and the reactor coolant system pressure boundary during anticipated operational occurrences and to assist the engineered safety feature actuation systems (ESFAS) in mitigating accidents. The ESFAS initiates necessary safety systems, based on the values of selected unit parameters, to protect against violating core design limits and the reactor coolant system pressure boundary, and to mitigate accidents.

1 U.S. Nuclear Regulatory Commission, Standard Technical Specifications, Westinghouse Plants, NUREG-1431, Revision 4.0, April 2012, Volume 1, Specifications (ADAMS Accession No. ML12100A222), and Volume 2, Bases (ADAMS Accession No. ML12100A228).

U.S. Nuclear Regulatory Commission, Standard Technical Specifications, Combustion Engineering Plants, NUREG-1432, Revision 4.0, April 2012, Volume 1, Specifications (ADAMS Accession No. ML12102A165), and Volume 2, Bases (ADAMS Accession No. ML12102A169).

Enclosure 1

RTT verifies that the individual channel or train actuation response times are less than or equal to the maximum values assumed in the accident analyses. The RTT acceptance criteria are under licensee control. Individual component response times are not modeled in the accident analyses. The analyses model the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (e.g., control and shutdown rods fully inserted in the reactor core).

2.2 REASON FOR THE PROPOSED CHANGES The TSTF developed Traveler TSTF-569, Revision 2, to address concerns with RTT requirements for replacement pressure sensor and protection channel components and defined a standardized methodology that can be referenced in the definitions and analyses requirements for RTT.

As plant components become obsolete from aging and usage, replacements will be installed to support continued operation. The replacement components oftentimes are not identical to the components being replaced (e.g., replacing pressure transmitters that have analog electronics with pressure transmitters that have digital technology such as microprocessor-based electronics). Currently, for replacement components, NRC-approved topical reports containing the specific manufacturer, model, and other design data along with analyses (e.g., similarity analysis between installed components and replacement components) are utilized to justify an alternative to measured response times.

The current definitions and analyses requirements for RTT allow for the response time of specific components types to be analyzed (using bounding response times) in lieu of measured response time if the methodology used for ensuring RTT has been approved by the NRC.

Because NRC approval is limited to specific models of components, any potential replacement/new components would need to be re-approved by the NRC under the current STS. In effect, this means that the NRCs review and approval is necessary for replacement components and that a supporting analysis is required to justify the action.

As an explanation for the proposed changes to the STS, TSTF-569, Revision 2, states, in part:

Response time testing verifies that the individual channel or train actuation response times are less than or equal to the maximum values assumed in the accident analysis. The RTT acceptance criteria are under licensee control, typically in Technical Requirements Manual or equivalent document. Individual component response times are not modeled in the accident analyses. The analysis models the overall or total elapsed time, from the point at which the parameter exceeds the trip setpoint value at the sensor to the point at which the equipment reaches the required functional state (e.g., control and shutdown rods fully inserted in the reactor core).

Response time testing is resource intensive, which is why the WOG

[Westinghouse Owners Group] and CEOG [Combustion Engineering Owners Group] pursued its elimination as discussed above. RTT is generally performed in discrete steps, with electronic signal conditioning and logic response time being one of the steps. Other components of the total protection system

response time include the sensor and the final actuated device response times.

The RTT of instrument channels that includes pressure sensors requires different procedures and techniques to be used for measuring the response time of the pressure sensor devices in those instrument channels. As such, pressure sensor RTT took additional time and effort and often involved the use of specialized contractor services. This prompted the industry efforts to develop alternatives to measuring the response time of selected components.

2.3 PROPOSED CHANGE

S TO THE STANDARD TECHNICAL SPECIFICATIONS The traveler proposed to revise the following RTT STS definitions in Section 1.1 of NUREG-1431 and NUREG-1432:

The definitions would be revised to state the following (with changes underlined).

NUREG-1431 Engineered Safety Feature (ESF) Response Time The ESF RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its actuation setpoint at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.). Times shall include diesel generator starting and sequence loading delays, where applicable. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC, or the components have been evaluated in accordance with an NRC approved methodology.

Reactor Trip System (RTS) Response Time The RTS RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its RTS trip setpoint at the channel sensor until loss of stationary gripper coil voltage. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC, or the components have been evaluated in accordance with an NRC approved methodology.

NUREG-1432 Engineered Safety Feature (ESF) Response Time The ESF RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its ESF actuation setpoint at the channel sensor until the ESF equipment is capable of performing its safety function (i.e., the valves travel to their required positions, pump discharge pressures reach their required values, etc.). Times shall include diesel generator starting and sequence loading delays, where applicable. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC, or the components have been evaluated in accordance with an NRC approved methodology.

Reactor Protection System (RPS) Response Time The RPS RESPONSE TIME shall be that time interval from when the monitored parameter exceeds its RPS trip setpoint at the channel sensor until electrical power to the CEAs drive mechanism is interrupted. The response time may be measured by means of any series of sequential, overlapping, or total steps so that the entire response time is measured. In lieu of measurement, response time may be verified for selected components provided that the components and methodology for verification have been previously reviewed and approved by the NRC, or the components have been evaluated in accordance with an NRC approved methodology.

The proposed change would be supported by changes to the STS Bases. Similar to the RTT definitions, the STS Bases would state that for components that have been evaluated in accordance with a methodology approved by the NRC, the response time can be verified in lieu of being measured. The proposed change would revise the STS Bases to be consistent with the proposed definition change.

Currently, these RTT definitions allow the response times for specific NRC-approved component types to be verified using an approved methodology in lieu of being measured. The proposed changes would eliminate the need for prior NRC review and approval of the response time verification of new pressure sensor components (may be used interchangeably with the phrase pressure transmitter within this evaluation due to the usage of these terms in TSTF-569, Revision 2) and protection channel components, while still requiring verification to be performed using the standard methodology contained in TSTF-569, Revision 2, Attachment 1, Methodology to Eliminate Pressure Sensor and Protection Channel (for Westinghouse Plants only) Response Time Testing. The proposed elimination of periodic pressure sensor RTT would apply to both CE and Westinghouse plants; however, the proposed elimination of periodic protection channel RTT would not apply to CE plants because no previous methodology for such exemptions has been approved by the NRC. The proposed change and methodology would allow licensees to verify the response time of similar/comparable component types to those components being replaced without prior NRC approval for each set of different components being installed.

2.4 APPLICABLE REGULATORY REQUIREMENTS AND GUIDANCE The NRC staff identified the following regulatory requirements and guidance as applicable to the traveler.

2.4.1 Regulatory RequirementsSection IV, The Commission Policy, of the Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors, published in the Federal Register on July 22, 1993 (58 FR 39132), states, in part:

The purpose of Technical Specifications is to impose those conditions or limitations upon reactor operation necessary to obviate the possibility of an abnormal situation or event giving rise to an immediate threat to the public health and safety by identifying those features that are of controlling importance to safety and establishing on them certain conditions of operation which cannot be changed without prior Commission approval.

[T]he Commission will also entertain requests to adopt portions of the improved STS [(e.g., TSTF-569, Revision 2)], even if the licensee does not adopt all STS improvements. The Commission encourages all licensees who submit Technical Specification related submittals based on this Policy Statement to emphasize human factors principles.

In accordance with this Policy Statement, improved STS have been developed and will be maintained for each NSSS [nuclear steam supply system] owners group. The Commission encourages licensees to use the improved STS as the basis for plant-specific Technical Specifications. [I]t is the Commission intent that the wording and Bases of the improved STS be used to the extent practicable.

As described in the Commissions Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors, the NRC and industry task groups for new STS recommended that improvements include greater emphasis on human factors principles in order to add clarity and understanding to the text of the STS, and provide improvements to the Bases of the STS, which provides the purpose for each requirement in the specification. The improved vendor-specific STS were developed and issued by the NRC in September 1992.

The regulation at Title 10 of the Code of Federal Regulations (10 CFR) Section 50.36(b) requires:

Each license authorizing operation of a utilization facility will include technical specifications. The technical specifications will be derived from the analyses and evaluation included in the safety analysis report, and amendments thereto, submitted pursuant to [10 CFR] 50.34 [Contents of applications; technical information]. The Commission may include such additional technical specifications as the Commission finds appropriate.

The regulation at 10 CFR 50.36(a)(1) states, in part: A summary statement of the bases or reasons for such specifications, other than those covering administrative controls, shall also be included in the application, but shall not become part of the technical specifications.

Appendix A to 10 CFR Part 50 provides General Design Criteria (GDC) for nuclear power plants. Plant-specific design criteria are described in the plants Updated Final Safety Analysis Report (UFSAR). The following GDC apply:

  • Criterion 13, Instrumentation and Control, which states that:

Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

  • Criterion 21, Protection System Reliability and Testability, which states that:

The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed.

Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated.

The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

2.4.2 Regulatory Guidance The NRC staffs guidance for the review of TSs is in Chapter 16.0, Revision 3, Technical Specifications, of NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR [Light-Water Reactor] Edition (SRP), March 2010 (ADAMS Accession No. ML100351425). As described therein, as part of the regulatory standardization effort, the NRC staff has prepared STS for each of the LWR nuclear designs.

Accordingly, the NRC staffs review includes consideration of whether the proposed changes are consistent with the applicable reference STS (i.e., the current STS), as modified by NRC-approved travelers. In addition, the guidance states that comparing the change to previous STS can help clarify the TS intent.

The STS for Westinghouse plants is NUREG-1431, Revision 4.0, Standard Technical Specifications, Westinghouse Plants, April 2012, Volume 1, Specifications, and Volume 2, Bases.

The STS for CE plants is NUREG-1432, Revision 4.0, Standard Technical Specifications, Combustion Engineering Plants, April 2012, Volume 1, Specifications, and Volume 2, Bases.

Regulatory Guide (RG) 1.118, Revision 3, Periodic Testing of Electric Power and Protection Systems, April 1995 (ADAMS Accession No. ML003739468), endorses the Institute of Electrical and Electronics Engineers, Inc. (IEEE) Std. 338-1987, IEEE Standard Criteria for the

Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, which was approved on March 3, 1988, by the American National Standards Institute.

Branch Technical Position (BTP) 7-17, Guidance on Self-Test and Surveillance Test Provisions, August 2016 (ADAMS Accession No. ML16019A316), states, in part:

Failures detected by hardware, software, and surveillance testing should be consistent with the failure detectability assumptions of the single-failure analysis and the failure modes and effects analysis.

3.0 TECHNICAL EVALUATION

The NRC staff reviewed the proposed changes to the STS, the technical justification for the changes provided in TSTF-569, Revision 2, and the standardized methodology contained in to TSTF-569, Revision 2.

The NRC staff reviewed the technical justification for the proposed changes to ensure that the reasoning was logical, complete, and clearly written as described in Chapter 16.0 of NUREG-0800. The NRC staff reviewed the proposed changes for consistency with conventional terminology and with the format and usage rules embodied in the STS. The NRC staff also reviewed the STS changes to ensure that adoption of the traveler by future applicants would provide assurance that an applicants TS would continue to comply with the requirements of 10 CFR 50.36. Finally, the NRC staff reviewed the changes to ensure that any limitations or conditions placed on adoption of the traveler by future applicants were clearly described.

3.1 PROPOSED CHANGE

S TO THE RESPONSE TIME TESTING DEFINITION Traveler TSTF-569, Revision 2, Section 2.1, System Design and Operation, states, in part (emphasis added):

The following subsections summarize the components and methodology that have been previously reviewed and approved by the NRC. Similar components will be evaluated in accordance with the methodology contained in Attachment 1, to determine if the component response time can be verified, in lieu of measured.

The NRC staff takes exception to the first sentence because the NRC has not previously reviewed and approved response time analytical methodologies. The NRC previously reviewed and approved equipment-specific topical reports that used Electric Power Research Institute (EPRI) topical report NP-7243, Investigation of Response Time Testing Requirements. The methodology contained in EPRI NP-7243, though, has not been previously approved by the NRC staff.

The NRC staff finds it acceptable to reference EPRI NP-7243 as part of the technical basis provided for the standardized methodology in Attachment 1 of TSTF-569, Revision 2. However, any approval of TSTF-569, Revision 2, does not constitute the partial or full approval of the methodology contained within EPRI NP-7243. This exception also applies to the Westinghouse Electric Company, LLC (Westinghouse) and CE topical reports referenced in TSTF-569, Revision 2, and to similar references to NRC staff approvals of prior methodologies. As previously noted, Attachment 1 to TSTF-569, Revision 2, is the only methodology generically approved by the NRC staff.

3.1.1 Topical Reports Traveler TSTF-569, Revision 2, cites the following topical reports as a supporting technical basis for the standardized methodology described in Attachment 1.

EPRI NP-7243

  • This topical report formed the original basis for subsequent Westinghouse and CE topical reports regarding the elimination of periodic direct measurement RTT for select pressure transmitters. EPRI NP-7243 evaluated a large database of over 4,200 response time measurements provided by various licensees and represents a large sample size of various differential transmitters and switches.
  • EPRI NP-7243 analyzed RTT results, testing techniques, and failure trends.
  • EPRI NP-7243 contained failure modes and effects analyses (FMEA) on 17 different sensor types installed in safety-related systems.

The more significant conclusions derived from EPRI NP-7243 were that no response time failures were found in over 4,200 measurements contained in the database and that of the pressure transmitters that had been replaced due to failure, those failures were detected by routine maintenance activities such as channel checks, surveillance testing, and other forms of instrument calibration. In addition, EPRI NP-7243 found that most of the pressure component failure modes which could affect response times would also affect sensor output, thus making the sensor failure detectable by other required testing. The report concluded that although responses times may have been degraded by the failure(s), RTT was not a significant factor in identifying the failures.

EPRI NP-7243 provided four recommendations that help provide the technical basis for implementing analytical alternatives in lieu of direct measurement RTT:

1) Perform hydraulic response time test prior to installation of new transmitter/switch or following refurbishment.
2) For transmitters and switches that use capillary tubes, RTT should be performed after initial installation and after any maintenance or modification activity that could damage the capillary tubes.
3) Perform periodic drift monitoring on all Rosemount pressure and differential pressure transmitters in accordance with Rosemount Technical Bulletins and NRC Bulletin 90-01, Supplement 1, Loss of Fill-Oil in Transmitters Manufactured by Rosemount, December 22, 1992 (affects certain model numbers only) (ADAMS Accession No. ML082490332).
4) Assure that variable damping (if used) is at the required setting and cannot be changed or perform hydraulic or white noise RTT of sensor, following each calibration.

WCAP-13632-P-A, Elimination of Pressure Sensor Response Time Testing Requirements The NRC staff approved Westinghouses topical report WCAP-13632-P-A (ADAMS Package Accession No. ML18023A068) for a specific set of transmitters (12 in total) but did not

generically approve the methodology contained in the topical report. Topical report WCAP-13632-P-A described a methodology for verifying total instrument response time by a combination of allocated response times for the replacement transmitters and overlapping/sequential actual testing performed on the rest of the instrument channel.

Consistent with EPRI NP-7243, WCAP-13632-P-A described that allocated response times for the specific set can be determined through: (1) historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests), (2) in-place, onsite, or offsite (e.g., vendor) test measurements, or (3) utilizing vendor engineering specifications.

Topical report WCAP-13632-P-A also documented a similarity analysis that compared the design and functionality of the transmitters evaluated in EPRI NP-7243 to the design and functionality of the transmitters described in WCAP-13632-P-A. In addition to the similarity analysis, an FMEA was performed and additional testing data supplemented areas where similarity between the sets of components could not be adequately demonstrated. The FMEA or additional testing data was used to show that response time would not be significantly affected by equipment degradation or that changes in response time performance of the replacement transmitters would be detectable by a plants calibration procedures in lieu of measurement RTT.

NPSD-1167-A, Elimination of Pressure Sensor Response Time Testing Requirements The NRC staff approved CEOGs topical report NPSD-1167-A for a specific set of pressure sensor components but did not generically approve the methodology contained in NPSD-1167-A. Similar to WCAP-13632-P-A, NPSD-1167-A also leveraged the evaluation methodology described in EPRI NP-7243 including reliance on an FMEA comparison as well as carrying forward the major recommendations from EPRI NP-7243, listed above, with minor changes due to the specific components being evaluated. NPSD-1167-A also described that with respect to allocated response times, there are generally two sources used: (1) data provided by the original equipment manufacturer and (2) statistical analysis of the results of previous RTTs. The NRC staffs safety evaluation of NPSD-1167-A states, in part, that statistical analysis of previous RTT results used to determine allocated response time of replacement components must be:

sufficiently conservative to ensure that the allocated response time assigned to the sensor will be valid for 95 percent of the population of sensors, with a 95 percent confidence level. Methodology for this determination is contained in NUREG-1475, Applying Statistics, April 1994.

Additional Topical Reports Other topical reports cited in TSTF-569, Revision 2, include: WCAP-14036-P-A, Elimination of Periodic Protection Channel Response Time Tests,2 WCAP-15413-A, Westinghouse 7300A ASIC [Application Specific Integrated Circuit]-Based Replacement Module Licensing Summary 2 Essig, Thomas H., U.S. Nuclear Regulatory Commission, letter to Lou Liberatori, Westinghouse Owners Group, Safety Evaluation Related to Topical Report WCAP-14036, Revision 1, Elimination of Periodic Protection Channel Response Time Tests (TAC No. MA0863), dated October 6, 1998.

Report,3 and WCAP-17867-P-A, Westinghouse SSPS [Solid State Protection System] Board Replacement Licensing Summary Report.4 The NRC staff evaluated these topical reports and confirmed that they provide additional detailed justification that forms the basis for the methodology in Attachment 1 to TSTF-569, Revision 2. The standardized methodology in Attachment 1 of TSTF-569, Revision 2, is generally consistent with approaches that were used in these previously approved topical reports for specific equipment models. The NRC staff also confirmed that these approaches are relevant as they describe RTS/RPS and ESF/ESFAS systems of different technologies that would be applicable for inclusion under the scope of TSTF-569, Revision 2.

3.1.2 TSTF-569, Revision 2, Attachment 1 Methodologies Methodology 1 Methodology 1 is dedicated to pressure transmitters for Westinghouse and CE plants, and is described as follows:

1) If response time measurement data is available, evaluate the measurement data with respect to the results, failure mechanisms, testing techniques, and failure trends. If response time measurement data is available, the review of the data should conclude that no response time failures were identified during RTT. If a pressure transmitter(s) was replaced due to a failure, it should be confirmed that the failure was detected by a channel check or other instrument surveillance testing. It should be concluded that although the response time was degraded by the failure, RTT was not a factor in identifying the failed transmitter.
2) Perform [an FMEA] on the pressure transmitter to demonstrate that the pressure transmitter component failure modes which can affect the transmitter response time will also affect the transmitter output and therefore, would be detectable by other required surveillance tests.
3) Identify any exception (i.e., pressure transmitter failure modes that may not be detected by other surveillance tests) and identify specific recommendations to address these exceptions.
4) Perform a similarity analysis that compares the design and the functionality of the principal components of the pressure transmitter, to the transmitters that were evaluated in EPRI Report NP-7243, WCAP-13632-P-A, or NPSD-1167-A. If the similarity analysis does not confirm the functionality of 3 Richards, Stuart A., U.S. Nuclear Regulatory Commission, letter to Michael G. Edison, Westinghouse Owners Group, Review of Westinghouse Topical Report WCAP-15413, 'Westinghouse 7300A ASIC-Based Replacement Module Licensing Summary Report (TAC No. M96513), dated February 8, 2001 (ADAMS Accession No. ML010390526).

4 Mohseni, Aby S., U.S. Nuclear Regulatory Commission, letter to W. Anthony Nowinowski, Pressurized Water Reactor Owners Group, Final Safety Evaluation for Pressurized Water Reactor Owners Group Topical Report WCAP-17867-P, Revision 1, Westinghouse SSPS Board Replacement Licensing Summary Report (TAC No. MF4655), dated September 19, 2014 (ADAMS Package Accession No. ML14260A133).

the principal components of the pressure transmitter, as compared to the transmitters that were evaluated in EPRI Report NP-7243, WCAP-13632-P-A, or NPSD-1167-A, [an] FMEA or additional test data will be used to demonstrate that the response time would not be significantly affected by the degradation of components or that such changes would be detectable by other surveillance tests.

Consistent with previous topical reports, Attachment 1 to TSTF-569, Revision 2, states that total instrument channel response time is verified by a combination of allocated response times and actual tests (sequential or overlapping measurements) for the rest of the instrument channel.

Also consistent with methods used in topical reports cited above, Attachment 1 to TSTF-569, Revision 2, states that the allocated response time values are obtained from the following:

1) If available, historical records based on acceptable response time tests (hydraulic, noise, or power interrupt tests),
2) If available, in[-]place, onsite, or offsite (e.g., vendor) test measurements, or
3) Utilizing vendor engineering specifications.

The traveler is clear that this methodology is only applicable to pressure sensors and not to any other type of sensor.

Methodology 2 Methodology 2 in Attachment 1 to TSTF-569, Revision 2, is dedicated to protection channels for Westinghouse plants only. This methodology is specific to the electronic signal processing hardware between the primary sensor and the final actuated device within an instrument channel. According to the traveler, this includes analog/digital racks, excore nuclear instrumentation system, and associated solid state and relay trip logic circuitry up to the slave relay output. Consistent with Methodology 1 above, Methodology 2 is specific to electronics/relays between the primary sensor and the final actuated device only and not to any other types of equipment.

The actions for this methodology are stated as follows:

1) Analyze the system modules for their function in providing the protection function. System modules which do not contribute to the protection functions, such as modules used only for test or for interface with non-safety systems, will be excluded.
2) [An FMEA] will be performed on the modules that perform a protection function to determine whether individual component degradation has no impact on the response time or whether the individual component may contribute to the system response time degradation. The FMEA should confirm the following:
a. Identify any components on the cards and modules that are sensitive to response time,
b. Evaluate the impact on response time if the component fails or degrades,
c. Determine whether the degraded component can be detected via a channel calibration,
d. Identify the components that impact a channel calibration, but not the response time.
3) If the individual component potentially impacts the system response time, perform testing to determine the magnitude of the response time degradation.

If required to be performed, the testing, which verifies and further quantifies the results of the FMEA should confirm the following:

a. Measure the response time of the calibrated production modules and provide response time base-line data,
b. Measure the response time and obtain calibration data for the card or module if the component identified to have an impact on response time is degraded,
c. Measure the response time of a simulated protection channel from input to output with the component degraded.

OR Determine a bounding response time limit for the system or component if the individual component does not impact the system response time. The results of the FMEA must conclude that component degradation will not increase the response time beyond the bounding response time without the response time degradation being detected by other periodic surveillance tests, such as channel checks and channel calibrations. [This is an alternative to the actions of Step 3.

Steps 1 and 2 are still required.]

Methodology 2 is applicable to the following systems in Westinghouse plants, consistent with the above-referenced topical reports (e.g., WCAP-14036-P-A):

  • 7100 Process Protection System (PPS)
  • 7300 Process Protection System (PPS)
  • Nuclear Instrumentation System (NIS)
  • Eagle-21 Process Protection System (PPS)
  • Solid State Protection System (SSPS)
  • Relay Protection System (RPS)

Methodology 2 is not approved for use in non-Westinghouse plants. The NRC staff accepts the stated limitations of applicability for both Methodology 1 and Methodology 2. Applying TSTF-569, Revision 2, methodologies to components outside the stated limitations would require a different methodology and approval for that methodology.

Section 3.1 of TSTF-569, Revision 2, states, in part, that the topical reports introduced the use of allocated response time as the alternative to direct measurement RTT. In effect, the total response time of an RTS/RPS or ESF instrument channel is the summation of the allocated

response time of the transmitter/sensor with the response time of the remainder of the channel.

Therefore, according to the traveler, and consistent with approved topical reports, allocated response times for protection channels will be based upon the following sources:

  • Historical records based on acceptable RTT (hydraulic, noise, or power interrupt tests)
  • In-place, onsite, or offsite (e.g., vendor) test measurements
  • Utilizing vendor engineering specifications
  • Statistical analysis of the results of previous RTTs Additional Considerations for Methodology 1 and Methodology 2 The following items are considerations that should be included if a licensee chooses to adopt TSTF-569, Revision 2, and the attached methodologies.

Failure Modes and Effects Analysis The NRC staff evaluated the methodologies for potential equipment using digital components and for consistency with NUREG-0800 and BTP 7-17. Modern, digital (or microprocessor-based) components would likely have some form of self-diagnostic or self-testing features. TSTF-569, Revision 2, does not specifically address the potential existence of self-diagnostic or self-testing functionality of replacement components. These design features may factor heavily in their FMEAs and into the determination of failure modes and their mode of detection, ultimately providing insights into whether a failure mode could degrade component response time. Due to the potential presence of microprocessor-based technology, complex programmable logic devices, or other forms of programmable technology, automated self-testing functionality inherent to the replacement components could be an essential tool. The type of self-testing features germane to detecting failures that could affect response timing should be documented as part of the FMEA. Non-specific failure modes that could degrade response time for a component should also be addressed. Non-specific failures are failures that would not necessarily prevent operation of a microprocessor but could affect its performance or reduce its speed of operation, thereby affecting response time (see ADAMS Accession No. ML19031C905 5 for more information). Licensees, when implementing TSTF-569, Revision 2, should consider what self-diagnostic features are incorporated into selected components and how the self-diagnostic features provide detection and alerts for failures unique to those select components and could degrade response time.

Similarity Analysis Regarding the similarity analysis, Section 3.1 of TSTF-569, Revision 2, stated, in part (emphasis added):

A successful determination demonstrates that the failure modes associated with the pressure sensor being evaluated would not affect sensor response time independently of sensor output (as concluded in the EPRI report). Thus, in the same manner as the EPRI report, the successful similarity analysis demonstrates 5 Lacal, Maria L., Arizona Public Service Company, letter to U.S. Nuclear Regulatory Commission, Palo Verde Nuclear Generating Station Units 1, 2, and 3, Supplemental License Amendment Request to Revise Technical Specifications Regarding Response Time Testing of Pressure Transmitters and Request for Additional Information Response, dated January 31, 2019.

that any pressure sensor failures would be detected during the performance of other TS surveillance requirements. If a failure mode(s) could adversely affect response time and would not be detectable by other TS required surveillance, specific recommendations in the EPRI report and Owners Group Topical Reports were applied to eliminate these potential failure modes. In this case, the use of response time verification in lieu of measurement would also be acceptable.

The NRC staff evaluated whether the methodology contained within the traveler provides adequate coverage for all potential failure modes associated with a particular set or series of pressure transmitter models or protection channel components. Specifically, if there are failure modes that cannot be detected through testing that does not involve direct measurement RTT, the guidance in the Attachment 1 of TSTF-569, Revision 2, evaluation methodology identifies a means of detecting those failures to validate the elimination of direct measurement RTT and to justify the use of bounding or allocated response time verification. In other words, instead of being periodically measured, time response is verified by analysis, with an assumption that any failure of the transmitter that would affect time response would be detectable through other means such as channel checks or calibration surveillances.

Consistent with WCAP-13632-P-A, where the similarity of two different sets of transmitters cannot be adequately demonstrated, the licensee should address any lack of similarity through an FMEA, additional testing data (e.g., known testing data available for the replacement components), or design information that can be used as a basis for comparison between the different sets of components. This analysis should demonstrate that response time of the replacement components would not be degraded in such a way that would not be detectable by non-measurement RTT.

EPRI Recommendations The NRC staff evaluated the methodology with respect to the four recommendations in EPRI NP-7243 to help ensure adequate operation of pressure transmitters, also referenced in TSTF-569, Revision 2, as well as supporting topical reports. The NRC staff continues to support these recommendations as part of the evaluation of this traveler. It is at the discretion of the licensee to determine whether these recommendations are applicable to the replacement pressure transmitters.

The NRC staff accepts the general criteria established for both Methodologies 1 and 2 along with the above stated additional considerations by NRC staff. Traveler TSTF-569, Revision 2, adequately demonstrates that the methodologies described in Attachment 1 are consistent with NRC-approved methodologies. In addition, the general criteria established for both methodologies provide a consistent framework that is clear and concise to determine whether RTT can be eliminated for replacement components and provide adequate criteria to develop a technical basis that would be sufficient to justify the elimination of periodic direct measurement RTT.

Emerging Technologies The NRC supports the incorporation of state-of-the-art technologies that improve reliability and overall maintain or improve safety of the components subject to TSTF-569, Revision 2. This traveler and the analyses contained within are germane to current state-of-the-art digital technologies that are common place within the process and control industries, such as

microprocessors and commonly used complex programmable logic devices and field programmable gate array technologies. The similarity analysis described within TSTF-569, Revision 2, forms the primary basis by which pressure sensors or protection channels of different vintage or technologic aspects can be compared to determine whether the newer components can replace currently installed components without prior NRC approval.

Because the traveler is based on currently available technology, there are limitations to which the analysis contained in the traveler can be applied. Emerging future technologies could present significant improvements beyond that which is envisioned now and could result in substantial differences in how the pressure sensor or protection channel performs its design function, calculates and transmits data, etc. As such, this traveler may not be adequate if substantial differences in technologies reduce the ability to perform an adequate similarity analysis, for example. It is understood that the transition from analog instrumentation and control technology to future digital instrumentation and control technologies (e.g., those with little operational experience or unreviewed by the NRC) incorporated into pressure sensor or protection channel components could be considered a substantial difference in technology.

This traveler includes a methodology for performing a comparison of components of different technology. The most substantial differences between pressure sensor or protection channel technologies are caused by the incorporation of digital technology. If substantial differences in pressure sensor or protection channel technology emerge such as differences in component material and construction, differences in physical design including how the pressure sensor or protection channel performs its design functions, then Attachment 1 may need to be augmented with design-specific evaluation criteria to determine adequacy. This is critical in determining whether a newer methodology is consistent with approved methodologies. Licensees should ensure that the potential limitations of the evaluation methodology in TSTF-569, Revision 2, based upon emerging technologies are addressed as part of the technical evaluation in accordance with Attachment 1 of the traveler.

Use of Statistical Methods Consistent with the past approval of NPSD-1167-A, licensees should ensure that if statistical methods are used, then an adequate technical basis for the statistical analysis through an approved methodology is warranted.

3.2 REGULATORY ADHERENCE EVALUATION The proposed change would eliminate required periodic direct measurement RTT for selected pressure transmitter/sensor and protection channel components but does not eliminate required surveillance testing for the entirety of an instrument channel or the system (e.g., RTS).

Therefore, the NRC staff finds that the proposed change is consistent with the surveillance testing requirements of 10 CFR 50.36.

Most plants have a plant-specific design criterion similar to GDC 13 and GDC 21. The NRC staff confirmed that the proposed change has no effect on the design, fabrication, use, or methods of testing of the instrumentation and will not affect the ability of the instrumentation to perform the functions assumed in the safety analysis. Therefore, compliance with the design criteria is not affected.

RG 1.118 describes acceptable methods for complying with NRC regulations pertaining to periodic testing of protection systems and power systems.

TSTF-569, Revision 2, states the following regarding applicable design criteria:

Section 6.3.4 of IEEE Standard 338-1977, Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, states response time testing of all safety-related equipment, per se, is not required if, in lieu of response time testing, the response time of safety system equipment is verified by functional testing, calibration check, or other tests, or both. This is acceptable if it can be demonstrated that changes in response time beyond acceptable limits are accompanied by changes in performance characteristics which are detectable during routine periodic tests.

Clause 6.3.4 of IEEE 338-1987, Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, states response time testing shall be required only on safely systems or subsystems to verify that the response times are within the limits given in the Safety Analysis Report including Technical Specifications. Response time testing of all safety-related equipment is not required if, in lieu of response time testing, the response time of safety system equipment is verified by functional testing, calibration checks, or other tests, or both. This is acceptable if it can be demonstrated that changes in response time beyond acceptable limits are accompanied by changes in performance characteristics that are detectable during routine periodic tests.

Section 5.3.4, Response time verification tests, of IEEE Standard 338-2012, IEEE Standard for Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, Item c) states response time testing of all safety-related equipment is not required if, in lieu of response time testing, the response time of safety system equipment is verified by functional testing, calibration checks, or other tests. This is acceptable if it can be demonstrated that changes in response time beyond acceptable limits are accompanied by changes in performance characteristics that are detectable during routine periodic tests.

The traveler states that system operation, design basis, and capability for testing will remain unchanged as the replacement components comply with the design criteria. The NRC staff finds that the traveler provides an adequate technical basis and that replacement components can continue to perform the same design functions as the original components. The NRC staff finds that the methodologies contained in Attachment 1 provide adequate criteria for ensuring that replacement components degraded response time issues or failures would be captured.

Therefore, conformance with IEEE 338-2012 and 338-1987 design criteria is not affected.

The NRC staff evaluated TSTF-569, Revision 2, for its conformance to the guidance of BTP 7-17. The FMEA criteria in the traveler are consistent with previous failure analyses provided in approved topical reports which are documented in the traveler. The traveler notes that where similarity between components cannot be demonstrated, an FMEA or additional testing data provide assurance that differences in transmitter models that could result in failure modes that could affect response time would be captured. In addition, the methodologies in TSTF-569, Revision 2, Attachment 1, focus the licensee on determining if failure modes that could affect response time are detectable by other required surveillance tests. TSTF-569,

Revision 2, does not specifically reference continuous or automatic self-testing or self-diagnostic aspects of potential digital replacement components that would be within this scope although compliance with this guidance is not affected. Self-testing and self-diagnostic capabilities of a particular digital component would likely inform the FMEA as one of the principal means by which a potential failure is detected and alerted to operators. This would be applicable to either Methodology 1 or 2. In addition, as part of the similarity analysis for Methodology 1, an adequate comparison of the design functionality of components would reveal the self-testing features of the replacement components, if they existed. Based upon an evaluation of FMEA criteria described in TSTF-569, Revision 2, the NRC staff finds that TSTF-569, Revision 2, generally conforms to the guidance of BTP 7-17. A licensee that adopts the traveler should also ensure that self-diagnostic features, as described in Section 3.1.2 of this safety evaluation, also conform to BTP 7-19 as part of the analysis conducted in accordance with the Attachment 1 methodology.

4.0 CONCLUSION

The NRC staff reviewed traveler TSTF-569, Revision 2, which proposed changes to the STS in NUREG-1431 and NUREG-1432. The NRC staff determined that, with the proposed changes, the STS will continue to meet the Commissions Final Policy Statement on Technical Specifications Improvements for Nuclear Power Reactors and 10 CFR 50.36. Additionally, the changes to the STS were reviewed and found to be technically clear and consistent with customary terminology and format in accordance with SRP Chapter 16.0. The NRC staff reviewed the proposed changes to the definitions and concludes that, with the changes, they continue to provide reasonable assurance and protection of the health and safety of the public.

The NRC staff has determined that the methodology in Attachment 1 to TSTF-569, Revision 2, is suitable for use by Westinghouse and CE plants to analyze response times for pressure sensor components and for use by Westinghouse plants to analyze response times for protection channel components. The NRC staff has determined that the proposed changes to the STS are acceptable and provide reasonable assurance of safety and that compliance with applicable regulations will be maintained with the adoption of proposed TSTF-569, Revision 2.

The requested changes only apply to SRs of individual pressure sensor or protection channel components without affecting plant safety. The NRC staffs conclusion does not include other types of Westinghouse or CE plant components and only applies to the use of pressure sensor and protection channel components in reactor trip systems, reactor protection systems, and engineered safety feature actuation systems.

The NRC staff finds that the proposed traveler meets or is consistent with applicable regulations and associated guidance. Therefore, the NRC staff concludes that the proposed STS changes are acceptable.

Principal Contributors: C. Tilton, NRR/DSS W. Morton, NRR/DE Date: August 14, 2019