ML11206A499
| ML11206A499 | |
| Person / Time | |
|---|---|
| Site: | Watts Bar  |
| Issue date: | 06/30/2011 |
| From: | Office of Nuclear Reactor Regulation, Tennessee Valley Authority |
| To: | |
| References | |
| NUREG-0847 S23 | |
| Download: ML11206A499 (354) | |
Text
- U.S.NRC United States Nuclear Regulatory Commission Protecting People and the Environment NUREG-0847 Supplement 23 Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Unit 2 Docket Number 50-391 Tennessee Valley Authority Office of Nuclear Reactor Regulation AVAILABILITY OF REFERENCE MATERIALS IN NRC PUBLICATIONS NRC Reference Material As of November 1999, you may electronically access NUREG-series publications and other NRC records at NRC's Public Electronic Reading Room at http://www.nrc.-qov/reading-rrn.html.
Publicly released records include, to name a few, NUREG-senes publications; Federal Register notices;applicant, licensee, and vendor documents and correspondence; NRC correspondence and intemal memoranda; bulletins and information notices;inspection and investigative reports; licensee event reports; and Commission papers and their attachments.
NRC publications in the NUREG series, NRC regulations, and Title 10, Energy, in the Code of Federal Regulations may also be purchased from one of these two sources.1. The Superintendent of Documents U.S. Government Printing Office Mail Stop SSOP Washington, DC 20402-0001 Internet:
bookstore.gpo.gov Telephone:
202-512-1800 Fax: 202-512-2250
- 2. The National Technical Information Service Springfield, VA 22161-0002 www.ntis.gov 1-800-553-6847 or, locally, 703-605-6000 A single copy of each NRC draft report for comment is available free, to the extent of supply, upon written request as follows: Address: U.S. Nuclear Regulatory Commission Office of Administration Publications Branch Washington, DC 20555-0001 E-mail: DISTRIBUTION.SERVICES(QNRC.GOV Non-NRC Reference Material Documents available from public and special technical libraries include all open literature items, such as books, journal articles, and transactions, Federal Register notices, Federal and State legislation, and congressional reports. Such documents as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings may be purchased from their sponsoring organization.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at-The NRC Technical Library Two White Flint North 11545 Rockville Pike Rockville, MD 20852-2738 These standards are available in the library for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from-American National Standards Institute 11 West 4 2 nd Street New York, NY 10036-8002 www.ansi.org 212-642-4900 Facsimile:
301-415-2289 Some publications in the NUREG series that are posted at NRC's Web site address htto://www.
nrc.gov/reading-rm/doc-collectionslnuregs are updated periodically and may differ from the last printed version. Although references to material found on a Web site bear the date the material was accessed, the material available on the date cited may subsequently be removed from the site.Legally binding regulatory requirements are stated only in laws; NRC regulations; licenses, including technical specifications; or orders, not in NUREG-series publications.
The views expressed in contractor-prepared publications in this series are not necessarily those of the NRC.The NUREG series comprises (1) technical and administrative reports and books prepared by the staff (NUREG-XXXX) or agency contractors (NUREG/CR-XXXX), (2) proceedings of conferences (NUREG/CP-XXXX), (3) reports resulting from international agreements (NUREG/IA-XXXX), (4)brochures (NUREG/BR-XXXX), and (5) compilations of legal decisions and orders of the Commission and Atomic and Safety Licensing Boards and of Directors' decisions under Section 2.206 of NRC's regulations (NUREG-0750).
- U.S.NRC United States Nuclear Regulatory Commission Protecting People and the Environment NUREG-0847 Supplement 23 Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Unit 2 Docket Number 50-391 Tennessee Valley Authority Manuscript Completed:
June 2011 Date Published:
July 2011 Office of Nuclear Reactor Regulation"A.,
ABSTRACT This report supplements the safety evaluation report (SER), NUREG-0847 (June 1982), Supplement No. 22 (February 2011, Agencywide Documents Access and Management System (ADAMS) Accession No. ML1 10390197), with respect to the application filed by the Tennessee Valley Authority (TVA), as applicant and owner, for a license to operate Watts Bar Nuclear Plant (WBN) Unit 2 (Docket No 50-391).In its SER and Supplemental SER (SSER) Nos. I through 20 issued by the Office of Nuclear Reactor Regulation (NRR) of the U.S. Nuclear Regulatory Commission (NRC or the staff), the staff documented its safety evaluation and determination that WBN Unit I met all applicable regulations and regulatory guidance.
Based on satisfactory findings from all applicable inspections, on February 7, 1996, the NRC issued a full-power operating license (OL) to WBN Unit 1, authorizing operation up to 100-percent power.In SSER 21, the staff addressed TVA's application for a license to operate WBN Unit 2, and provided information regarding the status of the items remaining to be resolved, which were outstanding at the time that TVA deferred construction of WBN Unit 2, and were not evaluated and resolved as part of the licensing of WBN Unit 1. In SSER 22, the staff documented its ongoing evaluation and closure of open items in support of TVA's application for a license to operate WBN Unit 2.In this and future SSERs, the staff continues its documentation of its review of open items in support of TVA's application for an operating license for WBN Unit 2.iii
TABLE OF CONTENTS Page ABSTRACT ....................................................................................................
iii ABBREVIATIONS
............................................................................................
ix INTRODUCTION AND DISCUSSION
.......................................................
1-1 1.1 Introduction
.............................................................................
1-1 1.7 Summary of Outstanding Issues ...................................................
1-2 1.8 Confirmatory Issues ...................................................................
1-24 1.10 Unresolved Safety Issues .........................................................................
1-24 1.13 Implementation of Corrective Action Programs and Special Programs .... 1-25 1.13.1 Corrective Action Programs ...............................................
1-25 1.13.2 Special Programs .........................................................................
1-27 1.14 Implementation of Applicable Bulletin and Generic Letter Requirements.
1-27 3 DESIGN CRITERIA -STRUCTURES, COMPONENTS, EQUIPMENT, AND SYSTEMS ...............................................................................................................
3-1 3.9 Mechanical Systems and Components
.....................................................
3-1 3.9.5 Reactor Vessel Internals
.................................................................
3-1 3.10 Seismic and Dynamic Qualification of Seismic Category I Mechanical and Electrical Equipment
..........................................
3-3 4 REACTOR ...............................................................................................................
4-1 4.1 Introduction
...............................................................................................
4-1 4.2 Fuel System Design ..................................................................................
4-2 4.2.1 Description
......................................................................................
4-3 4.2.2 Thermal Performance
.....................................................................
4-3 4.2.3 Mechanical Performance
................................................................
4-5 4.2.4 Surveillance
....................................................................................
4-6 4.2.5 Fuel Design Conclusion
..................................................................
4-6 4.3 Nuclear Design 4-6 4.3.1 Design Bases ..................................................................................
4-7 4.3.2 Design Description
..........................................................................
4-9 4.3.3 Analytical Methods ..........................................................................
4-10 4.3.4 Summary of Evaluation Findings ....................................................
4-11 4.4 Therm al-Hydraulic Design ........................................................................
4-11 4.4.1 Performance and Safety Criteria .....................................................
4-12 4.4.2 Design Bases ..................................................................................
4-12 4.4.3 Thermal-Hydraulic Design Methodology
.........................................
4-13 4.4.4 Operating Abnormalities
.................................................................
4-15 4.4.5 Loose Parts Monitoring System ......................................................
4-16 4.4.6 Thermal-Hydraulic Comparison
......................................................
4-17 v TABLE OF CONTENTS (Continued)
Page 4.4.7 N-1 Loop Operation
........................................................................
4-19 4.4.8 Instrumentation for Inadequate Core Cooling Detection (NUREG-0737, Item II.F.2) .............................................................................
4-20 4.4.9 Summary and Conclusion
...............................................................
4-22 4.4.10 Accident Conditions
......................................................................
4-23 4.6 Functional Design of Reactivity Control Systems .....................................
4-24 5 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS .......................
5-1 5.2 Integrity of Reactor Coolant Pressure Boundary ......................................
5-1 5.2.4 Reactor Coolant Pressure Boundary Inservice Inspection and Testing ............................................................................................
5-1 5.4 Component and Subsystem Design .........................................................
5-1 5.4.3 Residual Heat Removal System .....................................................
5-1 5.4.5 Reactor Coolant System Vents (ll.B.1) ...........................................
5-5 6 ENGINEERED SAFETY FEATURES .........................................................
6-1 6.1 Engineered Safety Features Materials
...........................................
6-1 6.1.1 Metallic Materials
..............................................................
6-1 6.2 Containment Systems ................................................................
6-5 6.2.7 Fracture Prevention of the Containment Pressure Boundary .........
6-5 6.6 Inservice Inspection of Class 2 and 3 Materials
.......................................
6-5 7 INSTRUMENTATION AND CONTROLS ................................................................
7-1 7.1 Introduction
...............................................................................................
7-1 7.1.1 General ..........................................................................................
7-1 7.1.2 Comparison with Other Plants ........................................................
7-1 7.1.3 Design Criteria ................................................................................
7-2 7.1.4 Conclusions
..................................................................................
7-4 7.2 Reactor Trip System .................................................................................
7-4 7.2.1 System Description
..........................................................................
7-4 7.2.2 Manual Trip Switches .....................................................................
7-10 7.2.3 Testing of Reactor Trip Breaker Shunt Coils ..................................
7-10 7.2.4 Anticipatory Trips ............................................................................
7-10 7.2.5 Steam Generator W ater Level Trip .................................................
7-11 7.2.6 Conclusions
....................................................................................
7-11 7.3 Engineered Safety Features Actuation System ....................
7-11 7.3.1 System Description
.........................................................................
7-11 7.3.2 Containment Sump Level Measurement
........................................
7-18 7.3.3 Auxiliary Feedwater Initiation and Control ......................................
7-19 7.3.4 Failure Modes and Effects Analysis ................................................
7-19 7.3.5 IE Bulletin 80-06 .............................................................................
7-20 7.3.6 Conclusions
....................................................................................
7-20 7.4 Systems Required for Safe Shutdown .....................................................
7-20 7.4.1 System Description
.........................................................................
7-20 vi TABLE OF CONTENTS (Continued)
Paqe 7.4.2 Shutdown from Auxiliary Control Room ....................
7-21 7.4.3 Conclusions
....................................................................................
7-21 7.5 Safety-Related Display Instrumentation
...................................................
7-22 7.5.1 Display Systems .............................................................................
7-22 7.5.2 Postaccident Monitoring System ....................................................
7-34 7.5.3 IE Bulletin 79-27 .............................................................................
7-118 7.6 All Other Systems Required for Safety .....................................................
7-119 7.6.1 Loose Part Monitoring System .......................................................
7-119 7.6.2 Residual Heat Removal System Bypass Valves ............................
7-126 7.6.3 Upper Head Injection Manual Control .............................................
7-127 7.6.4 Protection Against Spurious Actuation of Motor-Operated Valves. 7-127 7.6.5 Overpressure Protection during Low-Temperature Operation
........ 7-128 7.6.6 Valve Power Lockout ......................................................................
7-129 7.6.7 Cold Leg Accumulator Valve Interlocks and Position Indication
..... 7-130 7.6.8 Automatic Switchover from Injection to Recirculation Mode ...........
7-130 7.7 Control Systems Not Required for Safety .................................................
7-131 7.7.1 System Description
.........................................................................
7-131 7.7.2 Safety System Status Monitoring System .......................................
7-160 7.7.3 Volume Control Tank Level Control System ...................................
7-161 7.7.4 Pressurizer and Steam Generator Overfill ......................................
7-162 7.7.5 IE Information Notice 79-22 ............................................................
7-164 7.7.6 Multiple Control System Failures ....................................................
7-165 7.7.8 Anticipated Transient without Scram Mitigation System Actuation C ircuitry ...........................................................................................
7-166 7.8 NUREG-0737 Items ..................................................................................
7-166 7.8.1 Relief and Safety Valve Position Indication (Il.D.3) ........................
7-167 7.8.2 Auxiliary Feedwater Initiation and Control and Flow Indication (11.E .1.2) ..........................................................................................
7-166 7.8.3 Proportional Integral Derivative Control Modification (11.K.3.9)
....... 7-167 7.8.4 Proposed Anticipatory Trip Modification (1I.K.3.10)
........................
7-168 7.8.5 Confirm Existence of Anticipatory Reactor Trip upon Turbine Trip (lI.K .3.12) ........................................................................................
7-168 7.9 Data Commmunications Systems .............................................................
7-168 7.9.1 System Description
.........................................................................
7-168 7.9.2 Regulatory Evaluation
.....................................................................
7-172 7.9.3 Technical Evaluation
.......................................................................
7-173 7.9.4 Conclusion
......................................................................................
7-176 9 AUXILIARY SYSTEMS ...........................................................................
9-1 9.1 Fuel Storage Facility ..................................................................
9-1 9.1.3 Spent Fuel Pool Cooling and Cleanup System .............................
9-1 9.2 Water Systems ........................................................................................
9-3 9.2.1 Essential Raw Cooling Water System ............................................
9-3 vii TABLE OF CONTENTS (Continued)
Paqe 9.2.2 Component Cooling System (Reactor Auxiliaries Cooling Water System) ...........................................................................................
9.2.5 Ultimate
Heat Sink ..........................................................................
10 STEAM AND POW ER CONVERSION SYSTEM ............................................
10.2 Turbine Generator
....................................................................................
10.2.2 Turbine Disk Integrity
....................................................................
10.4 Other Features ..........................................................................................
10.4.9 Auxiliary Feedwater System .........................................................
14 INITIAL TEST PROGRAM ...................................................................................
14.2 Preoperational Tests .................................................................................
14.2.2 Conformance with NRC Regulatory Guides .................................
14.2.3 Conclusions
..................................................................................
21 FINANCIAL QUALIFICATIONS
...............................................................................
21.1 TVA Financial Qualifications for W BN Unit 2 ............................................
9-5 9-7 10-1 10-1 10-1 10-3 10-3 14-1 14-2 14-8 14-10 21-1 21-1 APPENDIX A APPENDIX C APPENDIX E APPENDIX Z APPENDIX AA APPENDIX HH CHRONOLOGY OF RADIOLOGICAL REVIEW OF WATTS BAR NUCLEAR PLANT, UNIT 2, OPERATING LICENSE REVIEW ...............
UNRESOLVED SAFETY ISSUES ............................................................
CONTRIBUTORS TO SSER 22 AND 23 ..................................................
SAFETY EVALUATION REPORT: PRESERVICE INSPECTION PR O G RA M PLA N .....................................................................................
DIRECTOR'S DECISION REGARDING ANTITRUST CHANGES ...........
WATTS BAR UNIT 2 ACTION ITEMS TABLE ...................................
A-1 C-1 E-1 Z-1 AA-1 HH-1 viii ABBREVIATIONS AACC American Association for Contamination Control ABGTS auxiliary building gas treatment system ABI auxiliary building isolation ABSCE auxiliary building secondary containment enclosure AC alternating current ACAS auxiliary control air system ACR auxiliary control room ADAMS Agencywide Documents Access and Management System AFW auxiliary feedwater AFWP auxiliary feedwater pump AMSAC anticipated transient without scram mitigation system actuation circuitry ANSI American National Standards Institute ANS American Nuclear Society AOV air-operated valve APS auxiliary power system ART adjusted reference temperature ASB Auxiliary Systems Branch (of NRR)ASME American Society of Mechanical Engineers ASTM American Society for Testing and Materials ATWS anticipated transient without scram BISI bypassed and inoperable status indication BL bulletin BTP Branch Technical Position BWG Birmingham Wire Gauge BWR boiling-water reactor CAP corrective action program CAS central alarm station CCS component cooling system CCW circulating cooling water CDWE condensate demineralizer waste evaporator CECC Central Emergency Control Center (of TVA)CERPI computer-enhanced rod position indication cfm cubic feet per minute CFR Code of Federal Regulations CIV containment isolation valve COMS cold overpressure mitigation system CP control processor CPU central processing.
unit CRD control rod drive CRDM control rod drive mechanism CSST common station service transformer CST condensate storage tank CVCS chemical volume and control system CVI containment vent isolation DBA design basis accident ix DBT design basis threat DC direct current DCN design change notice DCS distributed control system DCRDR detailed control room design review DG diesel generator DMBW dissimilar metal butt welds DNB departure from nucleate boiling DNBR departure from nucleate boiling ratio DSP digital signal processor DVR degraded voltage relay EAL emergency action level ECCS emergency core cooling system ECS environmental control system EDCR Engineeering Document Construction Release EDG emergency diesel generator EDS environmental data station EFPY effective full power year EGTS emergency gas treatment system EMI/RFI electromagnetic/radiofrequency interference EOF emergency operations facility EOL end of life EOP emergency operating procedure EPA Environmental Protection Agency or electrical penetration assemblies EPIP emergency plan implementing procedure EPRI Electric Power Research Institute EPZ emergency planning zone EQ environmental qualification ERCW essential raw cooling water ERDS emergency response data system ERO emergency response organization ESF engineered safety feature ESFAS engineered safety feature actuation system ESW extremely severe weather ETA evacuation time estimate FEMA Federal Emergency Management Agency FHA fuel handling accident FSAR final safety analysis report FW feedwater GDC general design criterion/criteria GI generic issue GL generic letter gpm gallons per minute HRCAR high range containment air radiation HDCI High Duty Core Index HAS hydrogen analyzer system HED human engineering deficiency HEPA high efficiency air particulate HMS hydrogen mitigation system x HVAC I&C ICC ICCM ICS IE IEB IEEE IESNA IFM IFR INEL IST IV&V kHz kV kVA kW LCC LCD LCO LCV LED LLEA LOCA LOOP LOV LPMS LPZ LTC LTOP LWR MCCB MCES MCR MCRHZ MEB MJRERP MOU MOV mph MSIV MSLB MTEB MTP MVA MWD/MTU NEC heating, ventilation, and air conditioning instrumentation and control inadequate core cooling inadequate core cooling monitor integrated computer system Office of Inspection and Enforcement Office of Inspection and Enforcement Bulletin Institute of Electrical and Electronics Engineers Illuminating Engineering Society of North America intermediate flow mixers Interim Finding Report Idaho National Engineering Laboratory inservice testing independent verification and validation kilohertz kilovolt kilovolt ampere kilowatt lower compartment cooler liquid crystal display limiting condition for operation level control valve light emitting diode local law enforcement agency loss-of-coolant accident loss of offsite power loss of voltage loose part monitoring system low-population zone load tap changer low-temperature overpressure protection light-water reactor molded case circuit breaker main condeser evacuation system main control room main control room habitability zone Mechanical Engineering Branch (of NRR)Multi-Jurisdictional Radiological Emergency Response Plan memorandum of understanding motor operated valve miles per hour main steam isolation valve main steam line break Materials Engineering Branch (of NRR)maintenance and test panel megavolt-ampere megawatt days per metric ton unit (or uranium)not elsewhere classified xi MWt megawatts thermal NCDC National Climatic Data Center NDE nondestructive examination NDL nuclear data link NEI Nuclear Energy Institute NGDC New Generation Development and Construction NIS nuclear instrumentation system NPP Nuclear Performance Plan NP-REP Nuclear Power Radiological Emergency Plan NQA nuclear quality assurance NRC Nuclear Regulatory Commission NRR Office of Nuclear Reactor Regulation NSSS nuclear steam supply system NUREG report prepared by NRC staff OBE operating basis earthquake OCA owner controlled area OE operating experience 01 operating instruction OL operating license OM operator monitor OM Code ASME Code for Operation and Maintenance of Nuclear Power Plants OSC operations support center PA protected area PAD performance analysis and design PAMS postaccident monitoring system PEDS plant engineering data system PLC programmable logic controller PMF probable maximum flood PORC plant operations review committee PORV power-operated relief valve ppb parts per billion PRT pressurizer relief tank PSHT preservice system hydrostatic test psia pounds per square inch absolute psig pounds per square inch gauge PSP Physical Security Plan PTLR Pressure and Temperature Limits Report PTS pressurized thermal shock PWR pressurized-water reactor PWSCC primary water stress corrosion cracking QA quality assurance RAD radiation absorbed dose RAI request for additional information RBPVS reactor building purge ventilation system RCCA rod cluster control assembly RCP reactor coolant pump RCPB reactor coolant pressure boundary RCS reactor coolant system RG Regulatory Guide xii RHR residual heat removal RIS regulatory issue summary RPIS rod position indication system RPV reactor pressure vessel RSB Reactor Systems Branch (of NRR)RTDP Revised Thermal Design Procedure RV reactor vessel RVI reactor vessel internal RWST refueling water storage tank SAFDL specified acceptable fuel design limit SAS secondary alarm station SAT system approach to training SBO station blackout SCC stress corrosion cracking SCP Safeguards Contingency Plan SDD software design description SDS satellite display station SE safety evaluation SEC serial-to-Ethernet controller SER safety evaluation report, NUREG-0847, dated June 1982 SG steam generator SGBS steam generator blowdown system SI safety injection SNB subcooled nucleate boiling SP special program SPDS safety parameter display system SQN Sequoyah Nuclear Plant SR surveillance requirement SRM Staff Requirements Memorandum SRP Standard Review Plan, NUREG-0800 SRS software requirements specification SSC structures, systems, and components SSER Supplemental SER SSPS solid state protection system Std Standard SV safety valve SWR software verification and validation report SW severe weather SWCCF software common cause failure Tavg average reactor core temperature TPBAR tritium-producing burnable absorber bar TDAFW turbine-driven auxiliary feedwater TDAFWP turbine-driven auxiliary feedwater pump TGSS turbine gland sealing system TI technical or temporary instruction TID total integrated dose TIPTOP Turbine Integrity Program with Turbine Overspeed Protection TMI Three Mile Island xiii TPBAR T&QP TR TRM TS TSC TSR TSTF TVA UHS UPS USE USI UT VCT VCTLCS V&V WBN WBN REP WBNPP WCAP tritium production burnable absorber rod Training and Qualification Plan topical report Technical Requirements Manual technical specification Technical Support Center technical surveillance requirement Technical Specification Task Force Tennessee Valley Authority ultimate heat sink uninterruptible power supply upper shelf energy unresolved safety issue ultrasonic test volume control tank volume control tank level control system verification and validation Watts Bar Nuclear Plant Watts Bar Nuclear Plant Radiological Emergency Plan Watts Bar Nuclear Performance Plan Westinghouse Commercial Atomic Power (report)xiv 1 INTRODUCTION AND DISCUSSION
1.1 Introduction
The Watts Bar Nuclear Plant (WBN or Watts Bar) is owned by the Tennessee Valley Authority (TVA) and is located in southeastern Tennessee approximately 50 miles northeast of Chattanooga.
The facility consists of two Westinghouse-designed four-loop pressurized-water reactors (PWRs) within ice condenser containments.
In June 1982, the Nuclear Regulatory Commission staff (NRC staff or staff) issued safety evaluation report (SER), NUREG-0847, "Safety Evaluation Report related to the operation of Watts Bar Nuclear Plant Units 1 and 2," regarding TVA's application for licenses to operate WBN Units 1 and 2. In SER Supplements (SSERs) 1 through 20, the NRC staff concluded that WBN Unit 1 met all applicable regulations and regulatory guidance and on February 7, 1996, the NRC issued an operating license (OL) to Unit 1. TVA did not complete WBN Unit 2, and the NRC did not make conclusions regarding it.On March 4, 2009, TVA submitted an updated application in support of its request for an OL for WBN Unit 2, pursuant to Title 10 of the Code of Federal Regulations (10 CFR), Part 50,"Domestic Licensing of Production and Utilization Facilities." In SSER 21, the staff provided information regarding the status of the WBN Unit 2 items that remain to be resolved, which were outstanding at the time that TVA deferred construction of Unit 2, and which were not evaluated and resolved as part of the licensing of WBN Unit 1. In SSER 22, the staff began the documentation of its evaluation and closure of open items in support of TVA's application for a license to operate WBN Unit 2.In this and future SSERs, the staff will continue the documentation of its evaluation and closure of open items in support of TVA's application.
The format of this document is consistent with the format and scope outlined in the "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR[Light-Water Reactor] Edition (NUREG-0800)," dated July 1981 (SRP, NUREG-0800).
The staff added additional chapters to address the overall assessment of the facility, Nuclear Performance Plan issues, and other generic regulatory topics.Each of the sections and appendices of this supplement is numbered the same as the SER section that is being updated, and the discussions are supplementary to, and not in lieu of, the discussion in the SER, unless otherwise noted. For example, Appendix E continues to list the principal contributors to the SSER. However, the chronology of the safety review correspondence previously provided in Appendix A has been discontinued, and a reference is provided instead to the NRC's Agencywide Documents Access and Management System (ADAMS) or the Public Document Room (PDR). Public correspondence exchanged between the NRC and TVA is available through ADAMS or the PDR. Appendix HH includes an Action Items Table. This table provides a status of all the open items, confirmatory issues, and proposed license conditions that must be resolved prior to completion of an NRC finding of reasonable assurance on the OL application for WBN Unit 2. The staff will maintain the Action Items Table and revise Appendix HH in future SSERs, and add new appendices, as necessary.
References listed as "not publicly available" in the SSER contain proprietary information and have been withheld from public disclosure in accordance with 10 CFR 2.390.1-1 The NRC's Agencywide Documents Access and Management System (ADAMS) is the agency's official recordkeeping system.ADAMS has the full text of regulatory and technical documents and reports written by NRC, NRC contractors, or NRC licensees.
Documents include NRC regulatory guides, NUREG-series reports, correspondence, inspection reports, and others, are assigned accession numbers. They are searchable and accessible from ADAMS. Documents are released periodically during the day in the ADAMS PUBLIC/Legacy Interface Combined (ADAMS PUBLIC) and Web-based ADAMS (WBA) interfaces; they are released once a day in Web-based Publicly Available Records System (PARS). These documents in full text can be searched using ADAMS accession numbers or specific fields and parameters such as docket number and documents dates.More information regarding ADAMS and help for accessing documents may be obtained on the NRC Public Web site at http:/twww.nrc.gov/reading-rm/adams/faq.html#1.
All WBN documents may be accessed using WBN docket numbers 05000390 and 05000391 for Units 1 and 2, respectively.
The WBN Unit 2 Project Manager is Patrick D. Milano, who may be contacted by calling (301) 415-1457, by e-mail to or by writing to the following address: Mr. Patrick D. Milano U.S. Nuclear Regulatory Commission Mail Stop O-8H4 Washington, D.C. 20555 1.7 Summary of Outstanding Issues The staff documented its previous review and conclusions regarding the OL application for WBN Unit 1 in the SER (NUREG-847) and its supplements 1 through 20. Based on these reviews, the staff issued an OL for WBN Unit 1 in 1996. In the SER and SSERs I through 20, the staff also reviewed and approved certain topics for WBN Unit 2, though no final conclusions were made regarding an OL for WBN Unit 2. To establish the remaining scope and the regulatory framework for the staff's review of an OL for WBN Unit 2, the staff reviewed the SER and SSERs 1 thorough 20. Based on this review, the staff identified "resolved" topics (i.e., out of scope for review) and "open" topics (i.e., in scope for staff review) for WBN Unit 2. Where it was not clear whether the SER topic applied to Unit 2 or not, the staff conservatively identified it as"open" pending further evaluation.
It should be noted that these were not technical evaluations of each topic; rather, it was a status review to determine whether the topic was "open" or"resolved." The staff documented this evaluation in SSER 21 as the baseline for resumption of the review of the OL application for Unit 2. Thus, SSER 21 reflects the status of the staffs review of WBN Unit 2 up to 1995. The staff notes that a subsequent, more detailed assessment may find some topics conservatively identified in the initial assessment as "open" that should be redefined as "closed." Conversely, the NRC staff notes that there may be circumstances that could result in the need to reopen some previously closed topic areas that may have been adequately documented and that are considered closed in SSER 21. Such cases will be identified by a foot note in future SSERs to document that previous "open" topics have been re-categorized as "closed" without requiring further review, or vice versa.1-2 The SER and SSERs 1 through 20 evaluated the changes to the final safety analysis report (FSAR) until Amendment
- 91. FSAR Amendment 91 was the initial licensing basis for WBN Unit 1. At this time, the FSAR was applicable to both Units 1 and 2. As part of its updated OL application for WBN Unit 2, TVA split the FSAR Amendment 91 into two separate FSARs for WBN Units I and 2. TVA has submitted WBN Unit 2 FSAR Amendments 92 through 102 to address the "open" topics in support of its OL application for WBN Unit 2. These FSAR amendments reflect changes that have occurred since 1995. These FSAR amendments are currently under staff review. The staffs review of these FSAR changes is documented in SSER 22 and subsequent supplements.
Additional general topics (e.g., financial qualifications that were not included in SSER 21, but that should be resolved prior to issuance of an OL) are also identified in this supplement.
SSER 21 initially provided the table below documenting the status of each SER topic. The relevant document in which the topic was last addressed is shown in parenthesis.
This table will be maintained in this and future supplements to reflect the updated status of review for each topic.ISSUE STATUS TABLE Issue Status Section Note (1)(2)(3)Site Envelope Geography and Demography Site Location and Description (4) Exclusion Area Authority and Control (5) Population Distribution (6) Conclusions (7) Nearby Industrial, Transportation, and Military Facilities (8) Transportation Routes (9)Nearby Facilities Resolved (SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)(SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 14)(SSER 22)2 2.1 2.1.1 2.1.2 2.1.3 2.1.4 2.2 2.2.1 2.2.2 2.2.3 2.3 2.3.1 2.3.2 2.3.3 2.3.4 3 3 (10) Conclusions (11) Meteorology (12) Regional Climatology (13) Local Meteorology (14) Onsite Meteorological Measurements Program (15) Short-Term (Accident)
Atmospheric Diffusion Estimates 1-3 Issue Status Section Note (16) Long-Term (Routine)
Diffusion Estimates (17) Hydrologic Engineering (18) Introduction (19) Hydrologic Description (20) Flood Potential (21) Local Intense Precipitation in Plant Area (22) Roof Drainage (23) Ultimate Heat Sink (24) Groundwater (25) Design Basis for Subsurface Hydrostatic Loading (26) Transport of Liquid Releases (27) Flooding Protection Requirements (28) Geological, Seismological, and Geotechnical Engineering (29) Geology Resolved (SER)(SSER 14)(SSER 22)Resolved Resolved Resolved Resolved (SER)(SER)(SER)(SER)Resolved (SER)Resolved (SER)Resolved (SER)Resolved (SER)(SSER 3)Resolved (SER)(SSER 22)Open (SER)(Inspection)
Resolved (SER)(30)(31)(32)(33)(34)Seismology Surface Faulting Stability of Subsurface Materials and Foundations Stability of Slopes Embankments and Dams Resolved (SER)Resolved (SER)Resolved (SER)Resolved (SER)(SSER 3)(SSER 9)(SSER 11)Resolved (SER)Resolved (SER)(SSER 22)(SER)(SSER 22)2.3.5 2.4 2.4.1 2.4.2 2.4.3 2.4.4 2.4.5 2.4.6 2.4.7 2.4.8 2.4.9 2.4.10 2.5 2.5.1 2.5.2 2.5.3 2.5.4 2.5.5 2.5.6 2.6 3 3.1 3.1.1 3.1.2 3.2 3.2.1 1 2 (35) References (36) Design Criteria -Structures, Components, Equipment, and Systems (37) Introduction (38) Conformance With General Design Criteria (39) Conformance With Industry Codes and Standards (40) Classification of Structures, Systems and Components (41) Seismic Classifications Resolved (SER)Resolved (SER)Resolved (SSER 14)(SSER 22)Resolved (SER)(SSER 3)(SSER 5)(SSER 6)(SSER 8)1-4 Issue Status Section Note (42) System Quality Group Classification (43) Wind and Tomado Loadings (44) Wind Loading (45) Tornado Loading (46) Flood Level (Flood) Design (47) Flood Protection (48) Missile Protection (49) Missile Selection and Description (50) Structures, Systems, and Components to be Protected from Externally Generated Missiles (51) Barrier Design Procedures (52) Protection Against the Dynamic Effects Associated with the Postulated Rupture of Piping (53) Plant Design for Protection Against Postulated Piping Failures in Fluid System Outside Containment (54) Determination of Break Locations and Dynamic Effects Associated with the Postulated Rupture of Piping (55) Leak-Before-Break Evaluation Procedures (56) Seismic Design (57) Seismic Input (58) Seismic Analysis Open (NRR)(SER)(SSER 3)(SSER 6)(SSER 7)(SSER 9)(SSER 22)Resolved (SER)Resolved (SER)Resolved (SER)Resolved (SER)(SSER 9)(SSER 14)(SSER 22)Resolved (SER)(SSER 2)(SSER 22)Resolved (SER)Open (NRR) (SER)(SSER 6)(SSER 11)Resolved (SER)(SSER 14)(SSER 22)Resolved (SER)(SSER 14)(SSER 22)Open (NRR) (SSER 5)(SSER 12)(SSER 22)Resolved (SER)(SSER 6)Resolved (SER)(SSER 6)(SSER 9)(SSER 16)Resolved (SER)(SSER 6)(SSER 8)(SSER 11)(SSER 16)3.2.2 3.3 3.3.1 3.3.2 3.4 3.4.1 3.5 3.5.1 3.5.2 3.5.3 3.6 3.6.1 3.6.2 3 3.6.3 3.7 3.7.1 3.7.2 2 2 2 1-5 Issue Status Section Note (59) Seismic Subsystem Analysis (60) Seismic Instrumentation (61) Design of Seismic Category I Structures (62) Steel Containment (63) Concrete and Structural Steel Internal Structures (64) Other Seismic Category I Structures (65) Foundations (66) Mechanical Systems and Components (67) Special Topics for Mechanical Components (68) Dynamic Testing and Analysis of Systems, Components, and Equipment (69) ASME Code Class 1, 2, and 3 Components, Component Structures, and Core Support Structures (70) Control Rod Drive Systems (71) Reactor Pressure Vessel Internals (72) Inservice Testing of Pumps and Valves Resolved (SER)(SSER 6)(SSER 7)(SSER 8)(SSER 9)(SSER 12)(SSER 22)Resolved (SER)Resolved (SER)(SSER 9)Resolved (SER)(SSER 3)Resolved (SER)(SSER 7)Open (NRR) (SER)(SSER 14)(SSER 16)Resolved (SER)Resolved (SER)Resolved (SER)(SSER 6)(SSER 13)(SSER 22)Resolved (SER)(SSER 14)(SSER 22)Resolved (SER)(SSER 3)(SSER 4)(SSER 6)(SSER 7)(SSER 8)(SSER 15)(SSER 22)Resolved (SER)Open (SER)(SSER 23)Open (NRR) (SER)(SSER 5)(SSER 12)(SSER 14)(SSER 18)(SSER 20)(SSER 22)3.7.3 3.7.4 3.8 3.8.1 3.8.2 3.8.3 3.8.4 3.9 3.9.1 3.9.2 3.9.3 3.9.4 3.9.5 3.9.6 1 2 1-6 Issue Status Section Note (73) Seismic and Dynamic Qualification of Seismic Category I Mechanical and Electrical Equipment (74) Environmental Qualification of Mechanical and Electrical Equipment (75) Threaded Fasteners
-ASME Code Class 1, 2, and 3 (76) Reactor (77) Introduction (78) Fuel System Design (79) Description (80) Thermal Performance (81) Mechanical Performance Resolved (SER)(SSER 1)(SSER 3)(SSER 4)(SSER 5)(SSER 6)(SSER 8)(SSER 9)(SSER 23)Open (NRR) (SSER 15)(SSER 22)Resolved (SSER 22)(82)(83)(84)(85)Surveillance Fuel Design Considerations Nuclear Design Design Basis (SER)(SSER 23)(SSER 23)Resolved (SER)(SSER 13)(SSER 23)Open (NRR) (SER)(SSER 2)(SSER 23)Resolved (SER)(SSER 2)(SSER 10)(SSER 13)(SSER 23)(SER)Resolved (SER)(SSER 23)(SSER 23)Resolved (SER)(SSER 13)(SSER 23)Resolved (SER)(SSER 13)(SSER 15)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 23)(SSER 23)Resolved (SER)(SSER 23)3.10 3.11 3.13 4 4.1 4.2 4.2.1 4.2.2 4.2.3 4.2.4 4.2.5 4.3 4.3.1 4.3.2 4.3.3 4.3.4 4.4 4.4.1 (86) Design Description (87) Analytical Methods (88) Summary of Evaluation Findings (89)(90)Thermal-Hydraulic Design Performance in Safety Criteria 1-7 Issue Status Section Note (91) Design Bases (92) Thermal-Hydraulic Design Methodology (93) Operating Abnormalities (94) Loose Parts Monitoring System (95) Thermal-Hydraulic Comparison (96) N-1 Loop Operation (97) Instrumentation for Inadequate Core Cooling Detection (TMI Action Item II.F.2)(98) Summary and Conclusion Resolved (SER)(SSER 12)(SSER 23)Resolved (SER)(SSER 6)(SSER 8)(SSER 12)(SSER 13)(SSER 16)SE dated 6/13/89 (SSER 23)Resolved (SER)(SSER 13)(SSER 23)Resolved (SER)(SSER 3)(SSER 5)(SSER 16)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 23)Open (NRR) (SER)(SSER 10)(SSER 23)Open (NRR) (SER)(SSER 23)Resolved (SER)4.4.2 4.4.3 4.4.4 4.4.5 4.4.6 4.4.7 4.4.8 4.4.9 4.5 4.5.1 4.5.2 4.6 5 (99)(100)Reactor Materials Control Rod Drive Structural Materials I (101) Reactor Internals and Core Support Materials (102) Functional Design of Reactivity Control Systems (103) Reactor Coolant System and Connected Systems (104) Summary Description (105) Integrity of Reactor Coolant Pressure Boundary (106) Compliance with Codes and Code Cases (107) Overpressurization Protection Resolved (SER)Resolved (SER)(SSER 23)Resolved (SER)(SSER 5)(SSER 6)Resolved (SER)(SSER 22)Resolved (SER)(SSER 2)(SSER 15)5.1 2 5.2 5.2.1 5.2.2 1-8 Issue Status Section Note (108) Reactor Coolant Pressure Boundary Materials (109) Reactor Coolant System Pressure Boundary Inservice Inspection and Testing (110) Reactor Coolant Pressure Boundary Leakage Detection (111) Reactor Vessel and Intemals Modeling (112) Reactor Vessel Resolved Open (NRR)Resolved Open (NRR)Open (NRR)Open (NRR)(SER)(SSER 22)(SER)(SSER 10)(SSER 12)(SSER 15)(SSER 16)(SSER 23)(SER)(SSER 9)(SSER 11)(SSER 12)(SSER 22)(SER)(SSER 11)(SSER 14)(SSER 22)(SER)(SSER 16)(SSER 22)(SER)(SSER 22)(113)Reactor Vessel Materials (114) Pressure-Temperature Limits (115) Reactor Vessel Integrity 5.2.3 5.2.4 5.2.5 5.2.6 5.3 5.3.1 5.3.2 5.3.3 5.4 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 6 6.1 (116)(117)Component and Subsystem Design Reactor Coolant Pumps (118) Steam Generators (119) Residual Heat Removal System (120) Pressurizer Relief Tank (121) Reactor Coolant System Vents (TMI Action Item ll.B.1)Resolved (SER)(SSER 22)Resolved (SER)(SSER 1)(SSER 4)(SSER 22)Resolved (SER)(SSER 2)(SSER 5)(SSER 10)(SSER 11)(SSER 23)Resolved (SER)(SSER 22)Open (SER)(Inspection) (SSER 2)(SSER 5)(SSER 12)(SSER 23)2 (122)(123)Engineered Safety Features Engineered Safety Feature Materials 1-9 Issue Status Section Note (124) Metallic Materials (125) Organic Materials (126) Postaccident Emergency Cooling Water Chemistry (127) Containment Systems (128) Containment Functional Design (129) Containment Heat Removal Systems (130) Secondary Containment Functional Design (131) Containment Isolation Systems (132) Combustible Gas Control Systems (133) Containment Leakage Testing (134) Fracture Prevention of Containment Pressure Boundary Open (NRR) (SER)(SSER 23)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 3)(SSER 5)(SSER 7)(SSER 12)(SSER 14)(SSER 15)(SSER 22)Resolved (SER)(SSER 7)(SSER 22)Resolved (SER)(SSER 18)(SSER 22)Resolved (SER)(SSER 3)(SSER 5)(SSER 7)(SSER 12)(SSER 22)Resolved (SER)(SSER 4)(SSER 5)(SSER 8)(SSER 22)Open (NRR) (SER)(SSER 4)(SSER 5)(SSER 19)(SSER 22)Resolved (SER)(SSER 4)(SSER 23)Resolved (SER)Open (NRR) (SER)(SSER 6)(SSER 7)(SSER 11)Resolved (SER)(SSER 5)6.1.1 6.1.2 6.1.3 6.2 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 (135)(136)Emergency Core Cooling System System Design 6.2.7 6.3 6.3.1 6.3.2 I I 1 (137) Evaluation 1-10 Issue Status Section Note (138) Testing Open (NRR)Resolved Open (NRR)Resolved (139)(140)(141)Performance Evaluation Conclusions Control Room Habitability (SER)(SSER 2)(SSER 9)(SER)(SER)(SER)(SSER 5)(SSER 11)(SSER 16)(SSER 18 (SSER 22)(142) Engineered Safety Feature (ESF)Filter Systems (143) ESF Atmosphere Cleanup System (144)(145)Fission Product Cleanup System Fission Product Control System Resolved (SER)(SSER 5)(SSER 22)Resolved (SER)Open (NRR) (SER)(SSER 22)Resolved (SER)(146) Ice Condenser as a Fission Product Cleanup System (147) Inservice Inspection of Class 2 and 3 Components Open (NRR)(SER)(SSER 10)(SSER 12)(SSER 15)(SSER 23)6.3.3 6.3.4 6.3.5 6.4 6.5 6.5.1 6.5.2 6.5.3 6.5.4 6.6 7 7.1 7.1.1 7.1.2 7.1.3 7.2 7.2.1 7.2.2 7.2.3 7.2.4 I I (148)(149)(150)Instrumentation and Controls Introduction General (151) Comparison with Other Plants (152) Design Criteria (153) Reactor Trip System (154) System Description (155) Manual Trip Switches (156) Testing of Reactor Trip Breaker Shunt Coils (157) Anticipatory Trips Resolved (SER)(SSER 13)(SSER 16)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 4)(SSER 15)(SSER 23)Resolved (SER)Open (NRR) (SER)(SSER 13)(SSER 15)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 23)1 1 1 1-11 Issue ,Status Section Note (158) Steam Generator Water Level Trip (159) Conclusions (160) Engineered Safety Features System (161) System Description (162) Containment Sump Level Measurement (163) Auxiliary Feedwater Initiation and Control (164) Failure Modes and Effects Analysis (165) IE Bulletin 80-06 (166) Conclusions (167) Systems Required for Safe Shutdown (168) System Description (169) Safe Shutdown from Auxiliary Control Room (170) Conclusions (171) Safety-Related Display Instrumentation (172) Display Systems (173) Postaccident Monitoring System (174) IE Bulletin 79-27 (175) Conclusions Resolved (SER)(SSER 2)(SSER 14)(SSER 23)Resolved (SER)(SSER 13)(SSER 23)Open (NRR) (SER)(SSER 13)Resolved (SER)(SSER 13)(SSER 14)(SSER 23)Resolved (SER)(SSER 2)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 3)(SSER 23)Resolved (SER)(SSER 13)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 7)(SSER 23)Resolved (SER)(SSER 23)Resolved (SER)(SSER 23)Open (SER)(Inspection) (SSER 7)(SSER 9)(SSER 14)(SSER 15)(SSER 23)Open (SER)(Inspection) (SSER 23)Open (SER)(Inspection) 7.2.5 7.2.6 7.3 7.3.1 7.3.2 7.3.3.7.3.4 7.3.5 7.3.6 7.4 7.4.1 7.4.2 7.4.3 7.5 7.5.1 7.5.2 7.5.3 7.5.4 1 1-12 Issue Status Section Note (176)(177)(178)(179)(180)(181)(182)(183)(184)(185)(186)(187)(188)(189)(190)(191)(192)(193)(194)(195)(196)All Other Systems Required for Safety Loose Part Monitoring System Residual Heat Removal System Bypass Valves Upper Head Injection Manual Control Protection Against Spurious Actuation of Motor-Operated Valves Overpressure Protection during Low Temperature Operation Valve Power Lockout Cold Leg Accumulator Valve Interlocks and Position Indication Automatic Switchover From Injection to Recirculation Mode Conclusions Control Systems Not Required for Safety System Description Safety System Status Monitoring System Volume Control Tank Level Control System Pressurizer and Steam Generator Overfill IE Information Notice 79-22 Multiple Control System Failures Conclusions Anticipated Transient Without Scram Mitigation System Actuation Circuitry (AMSAC)NUREG-0737 Items Relief and Safety Valve Position Indication (TMI Action Item Il.D.3)Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Open (NRR)Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Open (Inspection)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 4)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 4)(SER)(SSER 23)(SER)(SSER 7)(SSER 13)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 23)(SER)(SSER 9)(SSER 14)(SSER 23)(SER)(SSER 23)(SER)(SSER 5)(SSER 14)(SSER 23)7.6 7.6.1 7.6.2 7.6.3 7.6.4 7.6.5 7.6.6 7.6.7 7.6.8 7.6.9 7.7 7.7.1 7.7.2 7.7.3 7.7.4 7.7.5 7.7.6 7.7.7 7.7.8 7.8 7.8.1 1-13 Issue Status Section Note (197) Auxiliary Feedwater System Initiation and Flow Indication (TMI Action Item II.E.1.2)(198) Proportional Integral Derivative Control Modification (TMI Action Item I1.K.3.9)(199) Proposed Anticipatory Trip Modification (TMI Action Item I1.K.3.10)
(200) Confirm Existence of Anticipatory Reactor Trip Upon Turbine Trip (TMI Action Item I1.K.3.12)
(201) Data Communication Systems (202) Electric Power Systems Open (Inspection)
Open (Inspection)(SER)(SSER 23)(SER)(SSER 23)Resolved (SER)(SSER 4)(SSER 23)Resolved (SER)(SSER 23)(SSER 23)(203)General (204) Offsite Power System (205) Compliance with GDC 5 (206) Compliance with GDC 17 (207) Compliance with GDC 18 (208) Evaluation Findings (209) Onsite Power Systems (210) Onsite AC Power System Compliance with GDC 17 Open (NRR) (SER)(SSER 22)(SER)(SSER 22)Open (NRR) (SER)(SSER 13)(SSER 22)Open (NRR) (SER)(SSER 2)(SSER 3)(SSER 13)(SSER 14)(SSER 15 (SSER 22)Resolved (SER)(SSER 22)Open (NRR) (SER)(SSER 22)Resolved (SER)(SSER 10)(SSER 19)(SSER 22)Open (NRR) (SER)(SSER 2)(SSER 7)(SSER 9)(SSER 10)(SSER 13)(SSER 14)(SSER 18)(SSER 20)(SSER 22)7.8.2 7.8.3 7.8.4 7.8.5 7.9 8 8.1 8.2 8.2.1 8.2.2 8.2.3 8.2.4 8.3 8.3.1 1-14 Issue Status Section Note (211) Onsite DC System Compliance with GDC 17 (212) Common Electrical Features and Requirements (213) Evaluation Findings Open (NRR) (SER)(SSER 2)(SSER 3)(SSER 13)(SSER 14)(SSER 22)Resolved (SER)(SSER 2)(SSER 3)(SSER 7)(SSER 13)(SSER 14)(SSER 15)(SSER 16)(SSER 22)Open (NRR) (SER)(SSER 2)(SSER 3)(SSER 7)(SSER 13)(SSER 14)(SSER 15)(SSER 16)(SSER 22)Open (NRR) (SSER 22)Resolved (SER)(SSER 10)Resolved (SER)Resolved (SER)(SSER 5)(SSER 15)(SSER 16)(SSER 22)Open (NRR) (SER)(SSER 11)(SSER 15)(SSER 23)Open (NRR) (SER)(SSER 3)(SSER 13)(SSER 22)8.3.2 8.3.3 8.3.4 8.4 9 9.1 9.1.1 9.1.2 (214)(215)(216)(217)(218)Station Blackout Auxiliary Systems Fuel Storage Facility New-Fuel Storage Spent-Fuel Storage 1 (219) Spent Fuel Pool Cooling and Cleanup System (220) Fuel-Handling System (221) Water Systems (222) Essential Raw Cooling Water and Raw Cooling Water System 9.1.3 9.1.4 9.2 9.2.1 Open (NRR)(SER)(SSER 9)(SSER 10)(SSER 18)(SSER 23)1-15 Issue Status Section Note (223) Component Cooling System (Reactor Auxiliaries Cooling Water System)(224) Demineralized Water Makeup System (225) Potable and Sanitary Water Systems (226)Ultimate Heat Sink (227) Condensate Storage Facilities (228)(229)Process Auxiliaries Compressed Air System (230) Process Sampling System (231) Equipment and Floor Drainage System (232) Chemical and Volume Control System (233) Heat Tracing (234) Heating, Ventilation, and Air Conditioning Systems (235) Control Room Area Ventilation System (236) Fuel-Handling Area Ventilation System (237) Auxiliary Building and Radwaste Area Ventilation System (238) Turbine Building Area Ventilation System (239) Engineered Safety Features Ventilation System (240) Reactor Building Purge Ventilation System (241) Containment Air Cooling System Open (NRR) (SER)(SSER 5)(SSER 23)Resolved (SER)(SSER 22)Resolved (SER)(SSER 9)(SSER 22)Open (NRR) (SER)(SSER 23)Resolved (SER)(SSER 12)(SSER 22)Resolved (SER)(SSER 22)Open (NRR) (SER)(SSER 3)(SSER 5)(SSER 14)(SSER 16)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)(SSER 22)Resolved (SER)(SSER 9)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 9)(SSER 10)(SSER 11)(SSER 14)(SSER 16)(SSER 19)(SSER 22)(SSER 22)(SSER 22)9.2.2 9.2.3 9.2.4 9.2.5 9.2.6 9.3 9.3.1 9.3.2 I 9.3.3 9.3.4 9.3.8 9.4 9.4.1 9.4.2 9.4.3 9.4.4 9.4.5 9.4.6 9.4.7 3 3 1-16 Issue Status Section Note (242) Condensate Demineralizer Waste Evaporator Building Environmental Control System (243) Other Auxiliary Systems (244) Fire Protection (245) Communications System (246) Lighting System (247) Emergency Diesel Engine Fuel Oil Storage and Transfer System (248) Emergency Diesel Engine Cooling Water System (249) Emergency Diesel Engine Starting Systems (250) Emergency Diesel Engine Lubricating Oil System (251) Emergency Diesel Engine Combustion Air Intake and Exhaust System (252) Steam and Power Conversion System (253) Summary Description (254) Turbine Generator (255) Turbine Generator Design (256) Turbine Disc Integrity (SSER 22)Resolved (SER)(SSER 10)(SSER 18)(SSER 19)Resolved (SER)(SSER 5)Resolved (SER)(SSER 22)Resolved (SER)(SSER 5)(SSER 9)(SSER 10)(SSER 11)(SSER 12)(SSER 22)Resolved (SER)(SSER 5)(SSER 11)Resolved (SER)(SSER 5)(SSER 10)(SSER 22)Resolved (SER)(SSER 3)(SSER 5)(SSER 10)(SSER 22)Resolved (SER)(SSER 5)(SSER 10)(SSER 22)Resolved (SER)Open (NRR) (SER)(SSER 5)Resolved (SER)(SSER 12)(SSER 22)Resolved (SER)(SSER 23)Resolved (SER)Resolved (SER)(SSER 19)(SSER 22)9.4.8 9.5 9.5.1 9.5.2 9.5.3 9.5.4 9.5.5 9.5.6 9.5.7 9.5.8 1 2 1 2 2 2 10 10.1 10.2 10.2.1 10.2.2 10.3 10.3.1 (257)(258)Main Steam Supply System Main Steam Supply System (Up to and Including the Main Steam Isolation Valves)1-17 Issue (259) Main Steam Supply System (260) Steam and Feedwater System Materials (261) Secondary Water Chemistry (262) Other Features (263) Main Condenser (264) Main Condenser Evacuation System (265) Turbine Gland Sealing System (266) Turbine Bypass System (267) Condenser Circulating Water System (268) Condensate Cleanup System (269) Condensate and Feedwater Systems (270) Steam Generator Blowdown System (271) Auxiliary Feedwater System (272) Heater Drains and Vents (273) Steam Generator Wet Layup System (274) Radioactive Waste Management (275) Summary Description (276) Liquid Waste Management (277) Gaseous Waste Management (278) Solid Waste Management System (279) Process and Effluent Radiological Monitoring and Sampling Systems Status Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 5)(SSER 22)Resolved (SER)(SSER 9)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 5)(SSER 22)Resolved (SER)(SSER 22)Open (NRR) (SER)(SSER 22)Resolved (SER)(SSER 14)(SSER 22)Open (NRR) (SER)(SSER 22)Open (NRR) (SER)(SSER 14)(SSER 23)(SSER 22)(SSER 22)Resolved (SER)(SSER 16)Resolved (SER)(SSER 4)(SSER 16)Resolved (SER)(SSER 8)(SSER 16)Resolved (SER)(SSER 16)Resolved (SER)(SSER 16)(SSER 20)Section 10.3.2 10.3.3 10.3.4 10.4 10.4.1 10.4.2 10.4.3 10.4.4 10.4.5 10.4.6 10.4.7 10.4.8 10.4.9 10.4.10 10.4.11 11 11.1 11.2 Note 2 2 11.3 11.4 11.5 1-18 Issue Status Section Note (280) Evaluation Findings (281) NUREG-0737 Items (282) Wide-Range Noble Gas, Iodine, and Particulate Effluent Monitors (TMI Action Items II.F.1(1) and II.F.1(2))
(283) Primary Coolant Outside Containment (TMI Action item III.D.1.1)
(284) Radiation Protection (285) General (286) Ensuring that Occupational Radiation Doses Are As Low As Reasonably Achievable (ALARA)(287) Radiation Sources (288) Radiation Protection Design Features (289) Dose Assessment (290) Health Physics Program Resolved (SER)(SSER 8)(SSER 16)Open (NRR) (SER)Open (SER)(Inspection) (SSER 5)(SSER 6)Open (NRR) (SER)(SSER 5)(SSER 6)(SSER 10)(SSER 16)Open (NRR) (SER)(SSER 10)(SSER 14)Resolved (SER)(SSER 14)Open (NRR)Open (NRR)Open (NRR)Open (NRR)Open (NRR)Open (NRR)Open (NRR)(SER)(SSER 14)(SER)(SSER 10)(SSER 14)(SSER 18)(SER)(SSER 14)(SER)(SSER 10)(SSER 14)(SER)(SSER 14)(SSER 16)(SER)(SSER 5)(SER)(SSER 16)11.6 11.7 11.7.1 11.7.2 12 12.1 12.2 12.3 12.4 12.5 12.6 12.7 12.7.1 12.7.2 12.7.3 13 13.1 13.1.1 13.1.2 13.1.3 2 (291)(292)NUREG-0737 Items Plant Shielding (TMI Action Item ll.B.2)(293) High Range In-Containment Monitor (TMI Action Item I1.F.1.(3))
(294) In-Plant Radioiodine Monitor (TMI Action Item II.D.3.3)(295) Conduct of Operations (296) Organization Structure of the Applicant (297) Management and Technical Organization (298) Corporate Organization and Technical Support (299) Plant Staff Organization Resolved (SER)(SSER 16)(SSER 22)Resolved (SER)Resolved (SER)Open (NRR)(SER)(SSER 8)(SSER 22)1-19 Issue Status Section Note (300)(301)Training Licensed Operator Training Program Resolved (SER)(SSER 9)(SSER 10)(SSER 22)Resolved (SER)(302) Training for Non-licensed Personnel (303) Emergency Preparedness Evaluation (304) Introduction (305) Evaluation of the Emergency Plan (306) Conclusions (307) Review and Audit (308) Plant Procedures (309) Administrative Procedures (310) Operating and Maintenance Procedures (311) NUREG-0737 Items (312) Physical Security Plan Open (NRR) (SER)(SSER 13)(SSER 20)Open (NRR) (SER)(SSER 13)(SSER 20)(SSER 22)Open (NRR) (SER)(SSER 13)(SSER 20)(SSER 22)Resolved (SER)(SSER 8)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 22)Resolved (SER)(SSER 9)(SSER 10)(SSER 22)Resolved (SER)(SSER 3)(SSER 16)(SSER 22)Resolved (SER)(SSER 1)(SSER 10)(SSER 15)(SSER 20)(SSER 22)(SSER 22)(SSER 22)(SSER 22)(SSER 22)(SSER 22)13.2 13.2.1 13.2.2 13.3 13.3.1 13.3.2 13.3.3 13.4 13.5 13.5.1 13.5.2 13.5.3 13.6 13.6.1 13.6.2 13.6.3 13.6.4 13.6.5 (313)(314)(315)(316)(317)Introduction Summary of Application Regulatory Basis Technical Evaluation Conclusions 1-20 Issue Status Section Note (318) Initial Test Program (319) Accident Analyses (320) General Discussion (321) Normal Operation and Anticipated Transients (322) Loss-of-Cooling Transients (323) Increased Cooling Inventory Transients (324) Change in Inventory Transients (325) Reactivity and Power Distribution Anomalies (326) Conclusions Resolved (SER)(SSER 3)(SSER 5)(SSER 7)(SSER 9)(SSER 10)(SSER 12)(SSER 14)(SSER 16)(SSER 18)(SSER 19)(SSER 23)Resolved Open (NRR)(SER)(SER)Resolved (SER)(SSER 13)(SSER 14)Resolved (SER)Open (NRR) (SER)(SSER 18)Open (NRR) (SER)(SSER 4)(SSER 7)(SSER 13)(SSER 14)Resolved (SER)(SSER 4)Resolved (SER)Open (NRR) (SER)(SSER 12)(SSER 15)Open (NRR) (SER)(SSER 3)(SSER 14)Open (NRR) (SER)(SSER 14)Open (NRR) (SER)(SSER 14)Open (NRR) (SER)(SSER 14)14 15 15.1 15.2 15.2.1 15.2.2 15.2.3 15.2.4 15.2.5 15.3 15.3.1 15.3.2 15.3.3 15.3.4 15.3.5 (327)(328)Limiting Accidents Loss-of-Coolant Accident (LOCA)(329) Steamline Break (330) Feedwater System Pipe Break (331) Reactor Coolant Pump Rotor Seizure (332) Reactor Coolant Pump Shaft Break 1-21 Issue Status Section Note (333) Anticipated Transients Without Scram (334) Conclusions (335) Radiological Consequences of Accidents (336) Loss-of-Coolant Accident (337) Main Steamline Break Outside of Containment (338) Steam Generator Tube Rupture (339) Control Rod Ejection Accident (340) Fuel-Handling Accident (341) Failure of Small Line Carrying Coolant Outside Containment (342) Postulated Radioactive Releases as a Result of Liquid Tank Failures (343) NUREG-0737 Items (344) Thermal Mechanical Report (TMI Action Item II.K.2.13)
(345) Voiding in the Reactor Coolant System during Transients (TMI Action Item II.K.2.17)
(346) Installation and Testing of Automatic Power-Operated Relief Valve Isolation System (TMI Action Item I1.K.3.1)
Report on Overall Safety Effect of Power-Operated Relief Valve Isolation System (TMI Action Item I1.K.3.2)(347) Automatic Trip of Reactor Coolant Pumps (TMI Action Item II.K.3.5)Open (SER)(Inspection) (SSER 3)(SSER 5)(SSER 6)(SSER 10)(SSER 11)(SSER 12)Resolved (SER)Resolved (SER)(SSER 15)Open (NRR) (SER)(SSER 5)(SSER 9)(SSER 18)Open (NRR) (SER)(SSER 15)Open (NRR) (SER)(SSER 2)(SSER 5)(SSER 12)(SSER 14)(SSER 15)Open (NRR) (SER)(SSER 15)Open (NRR) (SER)(SSER 4)(SSER 15)Open (NRR) (SER)15.3.6 15.3.7 15.4 15.4.1 15.4.2 15.4.3 15.4.4 15.4.5 15.4.6 15.4.7 15.5 15.5.1 15.5.2 15.5.3 15.5.4 Open (NRR)(SER)Resolved (SER)(SSER 4)Resolved (SER)(SSER 4)Resolved (SER)(SSER 5)Resolved (SER)(SSER 4)(SSER 16)1-22 Issue Status Section Note (348) Small-Break LOCA Methods (I.K.3.30) and Plant-Specific Calculations (11.K.3.31)
(349) Relative Risk of Low-Power Operation (350) Technical Specification (351) Quality Assurance (352) General (353) Organization (354) Quality Assurance Program (355)(356)(357)(358)Conclusions Maintenance Rule Control Room Design Review General Open (SER)(Inspection) (SSER 4)(SSER 5)(SSER 16)Resolved (SER)Open (NRR)Resolved (SER)Resolved (SER)Resolved (SER)(SSER 2)(SSER 5)(SSER 10)(SSER 13)(SSER 15)(SSER 22)Resolved (SER)Resolved (SER)(SSER 5)(SSER 6)(SSER 15)(SSER 16)(SSER 22)Resolved (SER)(SSER 16)(SSER 22)(SER)(SER)(SER)(SSER 22)(SSER 23)(SSER 22)(SER)(SER)15.5.5 15.6 16 17 17.1 17.2 17.3 17.4 17.6 18 18.1 18.2 19 20 21 21.1 21.2 22 22.1 22.2 22.3 25 (359) Conclusions (360) Report of the Advisory Committee on Reactor Safeguards (361) Common Defense and Security (362) Financial Qualifications (363) TVA Financial Qualifications for WBN Unit 2 (364) Foreign Ownership, Control, or Domination (365) Financial Protection and Indemnity Requirements (366) General (367) Preoperational Storage of Nuclear Fuel (368) Operating Licenses (369) Quality of Construction, Operational Readiness, and Quality Assurance Effectiveness Open (NRR)(SSER 22)1-23 Issue Status_Section Note (370) Program for Maintenance and Open (NRR) (SSER 22) 25.9 Preservation of the Licensing Basis for Units 1 and 2 Notes: 1. In the process of further validating the information in the WBN Unit 2 FSAR, TVA identified minor administrative/typographical changes to sections previously considered Resolved.
TVA addressed these changes to the applicable sections in their submittals and clearly indicated them to the staff. The staff has reviewed and confirmed that the changes made are administrative/typographical and do not impact the staff's conclusions as stated in previous SSERs. Based on this review, no additional review is necessary and this section remains Resolved.2. During the assessment of the regulatory framework for completion of the project, the staff characterized certain topics as "Open" pending TVA's validation of the information contained in the section. TVA has determined that the information presented in the FSAR remained valid and only identified minor administrative or typographical changes to the section. TVA addressed the changes in their submittals and clearly indicated the changes. The staff reviewed and confirmed that the changes made to the section are administrative/typographical and do not impact its conclusions as stated in previous SSERs. Therefore, no additional review is necessary and the staff considers this section Resolved.3. In SSER 21, this issue was identified as "Resolved." However, TVA made changes to the Unit 2 FSAR affecting the previous staff conclusions.
The staff evaluated the changes and the results are documented in this SSER.1.8 Confirmatory Issues At this point in the review, there are some items that have essentially been resolved to the staff s satisfaction, but for which certain confirmatory information has not yet been provided by the applicant.
In these instances, the applicant has committed to provide the confirmatory information in the near future. If staff review of this information does not confirm preliminary conclusions on an item, that item will be treated as open, and the NRC staff will report on its resolution in a supplement to this report.The confirmatory items, with appropriate references to subsections of this report, are noted in Appendix HH.1.10 Unresolved Safety Issues Section 210 of the Energy Reorganization Act of 1974, as amended, states, in part, The Commission shall develop a plan for providing for specification and analysis of unresolved safety issues relating to nuclear reactors and shall take such action as may be necessary to implement corrective measures with respect to such issues.1-24 The NRC staff continuously evaluates the safety requirements used in its review against new information as it becomes available.
In some cases, the staff takes immediate action or interim measures to ensure safety. In most cases, however, the initial assessment indicates that immediate licensing actions or changes in licensing criteria are not necessary.
In any event, further study may be deemed appropriate to make judgments as to whether existing requirements should be modified.
The issues being studied are sometimes called generic safety issues because they are related to a particular class or type of nuclear facility.The NRC staff documented its original review of Unresolved Safety Issues for Watts Bar Nuclear Plant (WBN), Units 1 and 2, in Appendix C to the safety evaluation report (SER;NUREG-0847, June 1982). A discussion of the status of resolution of these generic issues for TVA's application for an operating license for WBN Unit 2 is provided in Appendix C to this SSER.1.13 Implementation of Corrective Action Programs and Special Programs In 1985, TVA developed a corporate Nuclear Performance Plan (NPP) that identified and proposed corrections to problems concerning the overall management of its nuclear program and a site-specific plan for Watts Bar entitled, "Watts Bar Nuclear Performance Plan" (WBNPP).TVA established 18 corrective action programs (CAPs) and 11 special programs (SPs) to address these concerns.SSER 21, Table 1.13.1 documented the status of staff review of the CAPs and SPs. This SSER and future supplements to the SER, the staff will document its evaluation and closure of open NPP items.1.13.1 Corrective Action Programs No. Title (1) Cable Issues a. Silicon Rubber Insulated Cable b. Cable Jamming c. Cable Support in Vertical Conduit d. Cable Support in Vertical Trays e. Cable Proximity to Hot Pipes f. Cable Pull-Bys g. Cable Bend Radius h. Cable Splices i. Cable Sidewall Bearing Pressure j. Pulling Cables Through 900 Condulet and Flexible Conduit k. Computer Cable Routing System Software and Database Verification and Validation (2) Cable Tray and Tray Supports (3) Design Baseline and Verification Program (4) Electrical Conduit and Conduit Support Program Review Status Resolved (See Appendix HH)Resolved Resolved Resolved 1-25 No.(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)Title Electrical Issues a. Flexible Conduit Installations
- b. Physical Cable Separation and Electrical Isolation c. Contact and Coil Rating of Electrical Devices d. Torque Switch and Overload Relay Bypass Capability for Active Safety-Related Valves e. Adhesive-Backed Cable Support Mount Equipment Seismic Qualification Fire protection Hanger and Analysis Update Program Heat Code Traceability Heating, Ventilation, and Air-Conditioning Duct and Duct Supports Instrument Lines Prestart Test Program Plan Quality Assurance (QA) Records Quality-List (Q-List)Replacement Items Program (Piece Parts)Seismic Analysis Vendor Information Program Welding Program Review Status Resolved (See Appendix HH)Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved.Resolved Resolved Resolved 1-26 1.13.2 No.(1)(2)(3)(4)(5)(6)(7)(8)(9)(11)Special Programs Title Concrete Quality Program Containment Cooling Detailed Control Room Design Review Environmental Qualifications Program Master Fuse List Mechanical Equipment Qualification Microbiologically Induced Corrosion Moderate Energy Line Break Flooding Radiation Monitoring System Use-As-Is Condition Adverse to Quality Program Review Status Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved Resolved 1.14 Implementation of Applicable Bulletin and Generic Letter Requirements From time to time, the NRC staff issues generic requirements or recommendations in the form of orders, bulletins (BLs), generic letters (GLs), regulatory issue summaries, and other documents to address certain safety and regulatory issues. These are generally termed"generic communications." The table below outlines the status of the resolution of the generic communications identified in SSER 21. It should be noted that, although many of the generic communications have been documented or otherwise resolved, the NRC staff has determined that there may be circumstances that could result in the need to reopen a previously closed topic.Correspondence No. Title (1) GL 1980-14 Light-Water Reactor Primary Coolant System Pressure Isolation Valves TVA Action: Submit Technical Specifications (TSs) for NRC Review.NRC Action: To be reviewed during validation of TS 3.4.14 submitted February 2, 2010.1-27 Correspondence No.(2) GL 1980-77 TVA Action: NRC Action: (3) GL 1982-28 TVA Action: NRC Action: (4) GL 1983-28 (4.a) GL 1983-28 (item 3.1)TVA Action: NRC Action: (4.b) GL 1983-28 (3.2)TVA Action NRC Action (4.c) GL 1983-28 (4.2)TVA Action NRC Action (4.d) GL 1983-28 (4.5)TVA Action NRC Action Title Refueling Water Level -Technical Specifications Changes Submit Technical Specifications for NRC Review.To be reviewed during validation of TS 3.9.5 -TS 3.9.7 submitted February 2, 2010.Inadequate Core Cooling Instrumentation System Closed.Closed. Subsumed as part of NRC staff review of Instrumentation and Controls submitted April 8, 2010.Required Actions Based on Generic Implications of Salem Anticipated Transient without Scram Events (Screened into the Items 4 through 7)Post-Maintenance Testing (reactor trip system components)
Submit Technical Specifications for NRC Review.To be reviewed during validation of TS Bases 3.0.1 submitted March 4, 2009.Post-Maintenance Testing (All Surveillance Requirement Components)
Submit Technical Specifications and NRC Review.To be reviewed during validation of TS Bases 3.0.1 submitted March 4, 2009.Reactor Trip System Reliability (Preventive Maintenance and Surveillance Program for Reactor Trip Breakers)Submit Technical Specifications and NRC Review.To be reviewed during staff evaluation of Item 17 of TS Table 3.3.1-1 submitted February 2, 2010.Reactor Trip System Reliability (Automatic Actuation of Shunt Trip Attachment)
Submit Technical Specifications and NRC Review.To be reviewed during staff evaluation of Item 18 of TS Table 3.3.1-1 submitted February 2, 2010.1-28 Correspondence No.Titl.ee (8) GL 1986-09 TVA Action NRC Action Technical Resolution of Generic Issue B-59, (N-i) Loop Operation in BWRs and PWRs Submit Technical Specifications for NRC Review.To be reviewed during validation of TS 3.4.4 -TS 3.4.8 submitted February 2, 2010.Individual Plant Examination for Severe Accident Vulnerability (9)GL 1988-20 TVA Action Closed.NRC Action (10) GL 1988-20,sl TVA Action NRC Action (11) GL 1988-20s2 WVA Action NRC Action (12) GL 1988-20s3 TVA Action NRC Action Open pending completion of staff review of Individual Plant Examination (IPE) submitted February 9, 2010.Initiation of the Individual Plant Examination for Severe Accident Vulnerabilities
-10 CFR 50.54 Closed.Open pending completion of staff review of IPE submitted February 9, 2010.Individual Plant Examination for Severe Accident Vulnerability.
Accident Management Strategies for Consideration in the Individual Plant Examination Process Closed.Open pending completion of staff review of IPE submitted February 9, 2010.Individual Plant Examination for Severe Accident Vulnerability.
Completion of Containment Performance Improvement Program and Forwarding of Insights for Use in the IPE for Severe Accident Vulnerabilities Closed.Open pending completion of staff review of IPE submitted February 9, 2010.1-29 Correspondence No.Title (13) GL 1988-20s4 TVA Action NRC Action (14) GL 1988-20s5 TVA Action NRC Action (15) GL 1989-04 TVA Action NRC Action (16) GL 1989-21 TVA Action NRC Action (17) GL 1990-06 TVA Action NRC Action Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities Closed.Open pending completion of staff review of IPEEE submitted April 30, 2010.Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities
-10 CFR 50.54(f)Closed.Open pending completion of staff review of IPEEE submitted April 30, 2010.Guidelines on Developing Acceptable Inservice Testing Programs The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Open.Request for Information Concerning Status of Implementation of Unresolved Safety Issue Requirements TVA provided an updated status of unresolved safety issues on September 26, 2008, as supplemented on December 2, 2010, and January 25, 2011.Closed. See Appendix C of SSER 23.Resolution of Generic Issues 70, "PORV [power-operated relief valve] and Block Valve Reliability," and 94, "Additional LTOP [low-temperature overpressure]
Protection for PWRs" Submit Technical Specifications for NRC Review.To be reviewed during validation of TS 3.4.11 -TS 3.4.12 submitted February 2, 2010.1-30 Correspondence No.Title (18) GL 1992-08 TVA Action NRC Action (19) GL 1995-03 TVA Action NRC Action (20) GL 1995-05 TVA Action NRC Action (21) GL 1996-06 TVA Action NRC Action (22) GL 1995-07 TVA Action NRC Action Thermo-Lag 330-1 Fire Barriers The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Open. Pending NRC staff inspection verification.
Circumferential cracking of Steam Generator (SG) Tubes The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061).
Voltage -Based Repair Criteria for Westinghouse Steam Generator Tubes affected by Outside Diameter Stress Corrosion Cracking The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061).
Assurance of Equipment Operability and Containment Integrity During Design-Basis Accident Conditions The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML100130227).
Pressure Locking and Thermal Binding of Safety- Related Power-Operated Gate Valves (Not identified in SSER 21 as"Open")The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed. NRC letter dated August 12, 2010 (ADAMS Accession No. ML100190443).
1-31 Correspondence No.Title (23) GL 1997-01 TVA Action NRC Action (24) GL 1997-04 TVA Action NRC Action (25) GL 1997-05 TVA Action NRC Action (26) GL 1997-06 TVA Action NRC Action Degradation of Control Rod Drive Mechanism Nozzle and Other Vessel Closure Head Penetrations The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed. NRC Letter dated June 30, 2010 (ADAMS Accession No. ML100539515).
Assurance of Sufficient Net Positive Suction Head for Emergency Core Cooling and Containment Heat Removal Pumps Integrity During Design-Basis Accident Conditions The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated February 18, 2010 (ADAMS Accession No. ML100200375).
SG Tube Inspection Techniques The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061).
Degradation of SG Internals The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061).
1-32 Correspondence No.Titl._ee (27) GL 1998-02 TVA Action NRC Action (28)GL 1998-04 TVA Action NRC Action (29) GL 2003-01 TVA Action NRC Action (30) GL 2004-01 TVA Action NRC Action Loss of Reactor Coolant Inventory and Associated Potential for Loss of Emergency Mitigation Functions While in a Shutdown Condition The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed. NRC Letter dated May 11, 2010 (ADAMS Accession No. ML101200155).
Potential for Degradation of the ECCS and the Containment Spray System after a LOCA because of Construction and Protective Coating Deficiencies and Foreign Material in Containment The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated February 1, 2010 (ADAMS Accession No. MLI100260594).
Control Room Habitability No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Closed. NRC Letter dated February 1, 2010 (ADAMS Accession No. MLI100270076).
Requirements for SG Tube Inspection The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061).
1-33 Correspondence No.Titl__ee (31) GL 2004-02 TVA Action NRC Action (32) GL 2006-01 TVA Action NRC Action (33) GL 2006-02 TVA Action NRC Action (34) GL 2006-03 TVA Action NRC Action (35) GL 2007-01 TVA Action NRC Action Potential Impact of Debris Blockage on Emergency Recirculation during Design-Basis Accidents at PWRs The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Open.SG Tube Integrity and Associated Technical Specifications No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061) (See Appendix HH).Grid Reliability and the Impact on Plant Risk and the Operability of Offsite Power The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061) (See Appendix HH).Potentially Nonconforming Hemyc and MT Fire Barrier Configurations The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter February 25, 2010 (ADAMS Accession No. ML100470398).
Inaccessible or Underground Power Cable Failures that Disable Accident Mitigation Systems or Cause Plant Transients The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 26, 2010 (ADAMS Accession No. ML100120052).
1-34 Correspondence No.Titlee (36) GL 2008-01 TVA Action NRC Action (37) BL 1992-01 and Supplement 1 TVA Action NRC Action (38) BL 1996-01 TVA Action NRC Action (39) BL 1996-02 Managing Gas Accumulation in Emergency Core Cooling, Decay Heat Removal, and Containment Spray Systems Open.Open.Failure of Thermo-Lag 330 Fire Barrier System to Perform its Specified Fire Endurance Function The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Open. Pending NRC staff inspection verification.
Control Rod Insertion Problems (PWR)The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC letter dated May 3, 2010 (ADAMS Accession No. ML101200035) required Confirmatory Action (See Appendix HH).Movement of Heavy Loads Over Spent Fuel, Over Fuel In the Reactor Core, or Over Safety-Related Equipment The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change Closed. NRC Letter dated March 4, 2010 (ADAMS Accession No. ML100480062).
Circumferential Cracking of Reactor Pressure Vessel (RPV)Head Penetration Nozzles The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. See NRC Letter dated June 30, 2010 (ADAMS Accession No. ML 100539515).
(40) BL 2001-01 TVA Action NRC Action 1-35 Correspondence No.Titl._ee (41) BL 2002-01 TVA Action NRC Action (42) BL 2002-02 TVA Action NRC Action (43) BL 2003-02 TVA Action NRC Action (44) BL 2004-01 TVA Action NRC Action RPV Head Degradation and Reactor Coolant Pressure Boundary Integrity The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. See NRC Letter dated June 30, 2010 (ADAMS Accession No. ML 100539515).
RPV Head and Vessel Head Penetration Nozzle Inspection Program The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. See NRC Letter dated June 30, 2010 (ADAMS Accession No. MLI100539515).
Leakage from RPV Lower Head Penetrations and Reactor Coolant Pressure Boundary Integrity The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC Letter dated January 21, 2010 (ADAMS Accession No. ML093631061).
Inspection of Alloy 82/182/600 Materials Used in the Fabrication of Pressurizer Penetrations and Steam Space Piping Connections at PWRs The proposed approach has been approved for WBN Unit 1;the same approach was submitted for use on WBN Unit 2 without change.Closed. NRC letter dated August 4, 2010 (ADAMS Accession No. ML102080017).
1-36 Correspondence No.Titl._ee (45)- BL 2007-01 TVA Action NRC Action Security Officer Attentiveness The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed. NRC letter dated March 25, 2010 (ADAMS Accession No. ML100770549).
NUREG-0737, TMI Action Items (TVA letter dated September 14, 1981, applies to all of the following NUREG-0737 issues)(46) NUREG-0737 Item I.B.1.2 TVA Action NRC Action (47) NUREG-0737 Item I.D.1 TVA Action NRC Action (48) NUREG-0737 Item II.B.3 TVA Action NRC Action (49) NUREG-0737 Item I1.E.4.2 Independent Safety Engineering Group The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Open.Control Room Design Review (CRDR)The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed in SSER 22, Section 18.2.Post-accident Sampling No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Open.Containment Isolation Dependability No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Open.TVA Action NRC Action 1-37 Correspondence No.Title (50) NUREG-0737 Item II.F.2 TVA Action NRC Action (51) NUREG-0737 Item II.K.3.3 TVA Action NRC Action (52) NUREG-0737 Item II.K.3.10 TVA Action NRC Action (53) NUREG-0737 Item II1.D.1.1 TVA Action NRC Action (54) NUREG-0737 Item III.D.3.4 Instrumentation for Detection of Inadequate Core-Cooling Open.Open. See SSER 23, Section 4.4.8.Reporting SV/RV Failures/Challenges No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Closed in SSER 22, Section 13.5.3.Anticipatory Trip at High Power No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Open.Primary Coolant Outside Containment No action or documentation is provided to show the staff has reviewed the item for WBN Unit 2, and the resolution is through submittal of a technical specification.
Open.Control-Room Habitability The proposed approach has been approved for WBN Unit 1;the same approach will be proposed for use on WBN Unit 2 without change.Closed in SSER 22, Section 6.4.TVA Action NRC Action 1-38 Correspondence No.Titl_.e (55) IEB 75-08 TVA Action NRC Action PWR Pressure Instrumentation The item has been approved either for both units at WBN or explicitly for WBN Unit 2; however, a change to the original approval requires submittal of the technical specifications and staff review.Open.Calculation Error Affecting Performance of a System for Controlling pH of Containment Sump Water Following a LOCA The item has been approved either for both units at WBN or explicitly for WBN Unit 2; however, a change to the original approval requires submittal of the technical specifications and staff review.Open.(56)IEB 77-04 TVA Action NRC Action 1-39
3 DESIGN CRITERIA 3.9 Mechanical Systems and Components
3.9.5 Reactor
Pressure Vessel Internals The U.S. Nuclear Regulatory Commission (NRC) staff reviewed Section 4.2.2, "Reactor Vessel Internals," of Amendment 95 to the Tennessee Valley Authority's (TVA's) Watts Bar Nuclear Plant (WBN), Unit 2, final safety analysis report (FSAR), dated December 3, 2009 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML093370275), as supplemented by letter dated April 9, 2010 (ADAMS Accession No. ML101040573).
TVA's submittal included design bases, design loading conditions, design loading categories, and various materials used in the reactor vessel internal (RVI) components.
The NRC staff reviewed the portion of the FSAR related to materials used for the RVI components, as documented below.The NRC staff applied the following regulatory requirements in its review:* General Design Criterion 10, "Reactor Design," in Appendix A, "General Design Criteria for Nuclear Power Plants," to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," states,"[t]he reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences." The regulation at 10 CFR 50.55a(2) requires, in part, that "[s]ystems and components of boiling and pressurized water-cooled nuclear power reactors must meet the requirements of the ASME [American Society of Mechanical Engineers]
Boiler and Pressure Vessel Code...." ASME Code,Section XI, "Rules for Inservice Inspection of Nuclear Power Plant Components," Examination Category B-N-I, "Interior of Reactor Vessel," and Examination Category B-N-2, "Welded Core Support Structures and Interior Attachments to Reactor Vessels," Items B133.50, "Interior Attachments within Beltline Region"; B13.60, "Interior Attachments beyond Beltline Region"; and B13.70, "Core Support Structure," address RVI components.
In FSAR Amendment 95, TVA stated that it performed the initial design evaluations of WBN Unit 2 RVI components using the January 1971 draft of Section III, "Rules for Construction of Nuclear Power Plant Components," of the ASME Code. TVA complied with the intent of the inspection and fabrication requirements in Subsection NG of Section III of the ASME Code for the RVI components in WBN Unit 2. Section 4.2.2 of FSAR Amendment 95 relates to (1) design criteria and design loading conditions, (2) design loading categories, and (3) descriptions and drawings of the lower core support structure, upper core support structure, and in-core instrumentation support structure of the RVI components in WBN Unit 2. Table 5.2-12 of Section 5.0 of the WBN Unit 2 FSAR lists the materials used for the RVI components along with their corresponding ASME designation numbers. These materials are consistent with those of the RVI components in WBN Unit 1.The NRC staff reviewed the FSAR and compared the materials used for RVI components in WBN Unit 2 to those used in WBN Unit 1. The RVI components in WBN Unit 2 are consistent with the previously NRC-approved components in WBN Unit 1. The staff noted that the RVI 3-1 components in WBN Unit 2 used nickel-based Alloy X-750 bolts. Previous operating experience in Westinghouse pressurized-water reactor RVI components indicates that Alloy X-750 material is susceptible to stress-corrosion cracking (SCC) when it is exposed to the reactor coolant system water. Susceptibility to SCC in Alloy X-750 material depends on the type of heat treatment that was performed on the alloy. A high-temperature heat (HTH) treatment process offers better resistance to SCC than does a lower temperature heat treatment process. For example, in a Westinghouse-designed pressurized-water reactor facility, original Alloy X-750 control rod guide tube split pins were replaced by Alloy X-750 materials that were subjected to the HTH treatment process.Table 5.2-12 of the FSAR indicates that TVA uses Alloy X-750 bolting in its RVI components.
By letter dated March 11, 2010 (ADAMS Accession No. ML100550007), the staff asked TVA to provide information on the type of heat treatment that was performed on the Alloy X-750 material.
If the Alloy X-750 material was not subjected to an HTH treatment process, then the staff asked TVA to provide information on whether it intends to preemptively replace these materials to mitigate the potential for failure caused by SCC. In its response dated April 9, 2010 (ADAMS Accession No. ML101040573), TVA confirmed that the Alloy X-750 bolting materials used at WBN Unit 2 were not subjected to an HTH treatment process and that Westinghouse is evaluating the impact of using these bolts at WBN Unit 2. TVA committed to submit the Westinghouse evaluation of the bolts and its plan to the NRC staff for review by June 30, 2010.Subsequently, by letter dated June 28, 2010 (ADAMS Accession No. ML1 01790399), TVA stated that, upon review of relevant operating history and test data, Westinghouse has recommended that TVA change the current WBN Unit 2 clevis insert bolts to the latest design, which uses an HTH-treated Alloy X-750 material, rolled threads, and a larger radius on the undercut of the capscrew head. Westinghouse found that the HTH treatment process greatly improves resistance to primary water SCC in Alloy X-750 material.
With a change in the material heat treatment along with the bolt design modifications to reduce stresses in high-stress areas, Westinghouse believes that this design will be an effective improvement over the clevis insert bolts currently installed in WBN Unit 2. TVA stated that it concurs with this recommendation and will replace the bolts prior to WBN Unit 2 operation.
Subsequently, by letter dated April 21, 2011 (ADAMS Accession No. ML1 11110513), TVA withdrew its commitment to replace the bolts. TVA should provide further justification for the decision to not replace the Unit 2 clevis insert bolts to the NRC staff. This is Open Item 71 (Appendix HH).Based on its review, the NRC staff concludes that the RVI materials in WBN Unit 2 are consistent with the RVI materials in WBN Unit 1. Since the staff had previously approved the RVI materials in WBN Unit 1, it concludes that the RVI materials in WBN Unit 2 are acceptable, pending the resolution of Open Item 71. Furthermore, the staff concludes that the RVI materials in WBN Unit 2 are acceptable with respect to their performance related to structural integrity and corrosion resistance.
In regard to the design aspects of the RVI components, TVA complies with the intent of the requirements in Section III of the ASME Code. TVA will implement the inspection requirements in Section Xl of the ASME Code for the interior of the reactor vessel, interior attachments within the beltline region, interior attachments beyond the beltline region, and the core support structures.
Compliance with the ASME Code requirements ensures adequate structural integrity of the RVI components in the WBN Unit 2 reactor vessel during the current license period.Based on its review of the information provided by WVA as discussed above, the NRC staff concludes that the RVI components in WBN Unit 2 are consistent with the previously 3-2 NRC-approved components in WBN Unit 1. Therefore, the staff concludes that the WBN Unit 2 RVI components listed in Section 4.2.2 of FSAR Amendment 95 are acceptable, pending the resolution of Open Item 71. Additionally, TVA's compliance with the ASME Code requirements for design and inspection provides adequate assurance that the licensee will maintain the level of quality and safety for the RVI components during the current license period.3.10 Seismic and Dynamic Qualification of Seismic Categqory I Mechanical and Electrical Equipment The NRC staff reviewed the seismic design of Category I instrumentation and electrical equipment at WBN Unit 2 as described in Section 3.10, "Seismic and Dynamic Qualification of Seismic Category I Mechanical and Electrical Equipment," of the WBN Unit 2 FSAR, Amendment 95, dated November 24, 2009. Based on its review, the staff concluded that TVA did not make any substantive changes to Section 3.10 of the FSAR, as reviewed and approved by the NRC staff in NUREG-0847, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," issued June 1982, and its Supplements 1-9, issued September 1982, January 1984, January 1985, March 1985, November 1990, April 1991, September 1991, January 1992, and June 1992, respectively.
However, the staff asked TVA to clarify some of the additions and corrections that it made to Section 3.10 of the FSAR. TVA responded to the staffs questions by letter dated July 31, 2010 (ADAMS Accession No. ML1 02290258).
The staffs review of TVA's response is provided below.Evaluation The NRC staff noted in Request for Additional Information (RAI) 3.10-1 that Table 3.10-1,"WBNP Instrumentation and Electrical Equipment Seismic Qualification Summary," and Table 3.10-2, "Qualification of Instrumentation and Control Equipment," of Section 3.10.1,"Seismic Qualification Criteria," of the FSAR reference Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 344-1987, "IEEE Recommended Practice for Seismic Qualification of Class 1 E Equipment for Nuclear Generating Stations," issued in 1987.However, Section 3.10.1 does not mention IEEE Std. 344-1987, and the referenced Section 3.7.3.16 of the FSAR does not discuss it. Therefore, the staff asked TVA to clarify how IEEE Std. 344-1987 is used in a manner similar to how WVA addressed the use of IEEE Std. 344-1971 and IEEE Std. 344-1975.In its letter dated July 31, 2010, TVA stated that Amendment 98 to the WBN Unit 2 FSAR deleted the equipment heading, "PAMS Cabinet and Components and Main Control Room Components," and its reference to IEEE Std. 344-1987 from Table 3.10-1. TVA also stated that Table 3.10-2 lists Qualification Method 9 as IEEE Std. 344-1987.
TVA incorrectly added Qualification Method 9 in FSAR Amendment
- 95. The Table 3.10-2 equipment listing in FSAR Amendment 95 (or any subsequent amendment) does not reference Qualification Method 9.TVA stated that FSAR Amendment 100 will delete Qualification Method 9 (IEEE Std. 344-1987)from Table 3.10-2. Based on TVA's statement that it will correct the discrepancy in the FSAR, the staff concludes that TVA's response is acceptable.
The NRC staff noted in RAI 3.10-2 that Table 3.10-1.of the FSAR contains three new rows related to certain types of equipment and their qualification methods and test methods. The first new row in Table 3.10-1 states that "Nuclear Qualification Services" performed a "test" using the"multiaxis" test method to qualify the "Control Instrument Loops" (Unit 2) located in "multiple locations." The staff asked TVA to clarify whether the NRC staff reviewed the test method and the test results and to provide a reference that documents the staffs review and its conclusions.
3-3 The staff asked TVA to submit the results of the test for its review, if it had not previously reviewed them.In addition, the second new row in Table 3.10-1 states that "Panels 2-L-1 1A and 2-L-1 1B" were qualified by "Analysis." The staff asked TVA to take the following actions: Clarify whether TVA staff performed the "Analysis" mentioned in the second new row in Table 3.10-1 in-house.
If TVA staff did not perform the analysis in-house, then provide the name of the company that performed the analysis in Table 3.10-1.Clarify whether the NRC staff reviewed the analysis method and the analysis results and provide a reference that documents the conclusions of the review. If the NRC staff had not previously reviewed the results of the analysis, then submit the results to the NRC for its review.The third new row in Table 3.10-1 of the FSAR states that the qualification method for the equipment
("PAMS Cabinet and Components and Main Control Room Components")
is"Analysis (to be performed)." The staff asked TVA to provide a target date for when it will perform this analysis, to submit the results of the analysis to the staff for its review, and to amend the FSAR as necessary.
In its response to the staff by letter dated July 30, 2010, regarding the questions on the first new row in Table 3.10-1, TVA stated that it did not know whether the NRC staff had reviewed the test results. This hardware is widely used in multiple nuclear facilities and may have been reviewed previously.
TVA stated that it provided the requested documentation in Attachment 1 of its letter to ensure compliance.
To address the questions relevant to the second new row in Table 3.10-1, TVA stated that it is performing the analysis in-house and that the NRC staff has not reviewed the analysis results.TVA stated that it will submit the analysis to the NRC by November 30, 2010.To address the question on the third new row in Table 3.10-1, TVA stated that FSAR Amendment 99 removed this item from the table. Because of hardware changes, TVA stated that analysis and testing will be used for the qualification.
The vendor is scheduled to provide this documentation to TVA by December 27, 2010, and TVA will submit this documentation to the NRC by January 14, 2011, for review.Based on TVA's plan to resolve the discrepancies in Table 3.10-1 of the FSAR and on the staff's review of the information provided in Attachment 1 of TVA's letter dated July 31, 2010, the staff concludes that TVA's response is acceptable.
The NRC staff noted in RAI 3.10-3 that, in several locations of Section 3.10 of the FSAR (e.g., pages 3.10-11, 3.10-12, and 3.10-18), the word "LATER" is inserted before a reference or a report. The staff requested that, if the word LATER referred to future action, TVA provide a target date for when it would submit these reports, including the results of any qualification analysis and tests, to the NRC staff for its review.In its response to the staff by letter dated July 31, 2010, TVA stated the following:
The word LATER is used for the following references:
3-4 (26) Westinghouse Seismic Qualification Report for Installing Gamma Metrics Hardware in Unit 2 NIS Cabinets.This item is EQ-EV-39-WBT, Revision I (Seismic Evaluation of Nuclear Instrumentation System Console 2-M-1 3 with Gammametrics Equipment for Watts Bar Unit 2, March 2009). The proprietary version of this document is provided as Attachment
- 2. A non-proprietary version and affidavit for withholding the information will be provided by November 30, 2010. Amendment 100 to the Unit 2 FSAR will reflect this information.
(29) Ametek Seismic Qualification Report for Containment Pressure Transmitters This item is vendor document Report No. TR-1 136 (Qualification Documentation Review Package for Ametek Aerospace Gulton-Statham Products Nuclear Qualified Pressure Transmitter Series Enveloping-Gage Pressure Transmitter Series PG 3200, Differential Pressure Transmitter Series PD 3200, Differential High-Pressure Transmitter Series PDH 3200, Draft Range Pressure Transmitter Series DR 3200, Remote Diaphragm Seal Differential Pressure Transmitter Series PO 3218, Remote Diaphragm Seal Differential High Pressure Transmitter Series PDH 3218). The proprietary version of the document is provided in Attachment
- 3. A non-proprietary version and affidavit for withholding the information will be provided by December 17, 2010. Amendment 100 to the Unit 2 FSAR will reflect this information.
(30) Seismic Qualification of Weed Pressure Transmitter This item is vendor document number 16690-QTR, Revision 0 (Qualification Test Report for Environmental and Seismic Qualification of Weed Model DTN201 0 Pressure Transmitters).
The proprietary version of this document is provided as Attachment
- 4. A non-proprietary version and affidavit for withholding the information will be provided by November 30, 2010. Amendment 100 to the Unit 2 FSAR will reflect this information.
Subsequently, the staff reviewed FSAR Amendment 101 and verified that the information was updated by TVA. Based on TVA's plan to provide the additional information in Section 3.10 of the FSAR, the staff concludes that TVA's response is acceptable.
The staff noted in RAI 3.10-4 that the numbering of the WBN Unit 2 list on page 3.10-4 is not consistent with the numbering referenced by the text below the list. Therefore, the staff asked TVA to correct the numbering to clearly identify the references associated with the items in the list. By letter dated July 31, 2010, TVA stated that Amendment 98 to the WBN Unit 2 FSAR corrected the numbering of the list. Because these were editorial changes, the amendment level remained the same.The staff also noted in RAI 3.10-4 that the "Nuclear Instrumentation System Power Range Electronics" appeared to be a new item added to the seismic Category I list for the reactor protection system (WBN Unit 2 only) on page 3.10-4. The staff asked TVA to clarify the reference that documents its qualification testing and to provide the results of the test or analysis.
By letter dated July 31, 2010, TVA stated the following:
3-5 Amendment 95 to the Unit 2 FSAR added the Nuclear Instrumentation System Power Range Electronics.
This was done to differentiate the qualification of the cabinets from the electronics.
In Unit 2, Westinghouse updated the cabinet qualification to support the installation of the Gamma Metrics hardware.
In Unit 1, the cabinet qualification analysis was done by TVA. Having Westinghouse perform the Unit 2 analysis resulted in Reference 26 being added to the reference section. However, Reference 26 was inadvertently omitted from the 3.10.1 text discussion of the equipment qualified by Westinghouse.
Amendment 100 to the Unit 2 FSAR will update the FSAR wording as shown below: "Seismic qualification testing/analysis of Items 1 through 9 is documented in References
[1] through [10] and [26].Reference
[10] presents the theory and practice, as well as justification, for the use of single axis sine beat test inputs used in the seismic qualification of electrical equipment.
In addition, it is noted that Westinghouse has conducted a seismic qualification
'Demonstration Test Program' (reference letter NS-CE-692, C. Eicheldinger (W), to D.B. Vassallo (NRC), 7/10/75) to confirm equipment operability during a seismic event. This program is documented in References
[12] through [14] (Proprietary) and References
[16] through [19] (Non-Proprietary).
Seismic qualification testing of Item 10 to IEEE 344-1975 is documented in References
[21], [22], [23], [31] and [32]. Reference
[26]documents the Westinghouse qualification by analysis of the Nuclear Instrumentation System cabinet 2-M-13 with Gamma Metrics Source and Intermediate Range hardware installed." Subsequently, the staff reviewed FSAR Amendment 101 and verified that the information was updated by TVA; therefore, TVA's response is acceptable.
The staff noted in RAI 3.10-5 that, on page 3.10-4 in Section 3.10.1 of the FSAR, TVA lists several new items of instrumentation and electrical equipment that require seismic qualification.
On page 3.10-6, TVA states, "Seismic qualification testing of the Gamma-Metrics supplied source and intermediate range neutron detection system (Items 11 and 12 including all interconnections) is documented in Reference
[25]." The staff asked TVA to provide a copy of Reference 25, "Thermo Fisher Scientific Test Report QTR 864, Qualification Test Report," for review.In its response by letter dated July 31, 2010, TVA provided, as Attachment 5 to its letter, a proprietary version of Thermo Fisher Scientific Qualification Report No. 864, Revision 0, "Class 1 E Qualification of Source Range, Intermediate Range and Wide Range Channels." The staff reviewed Reference 25 and had no issues concerning the seismic qualification of the Gamma-Metrics-supplied source and intermediate range neutron detection system. Based on its review of Reference 25, the staff concludes that TVA's response is acceptable.
Summary and Conclusions Based on its review of WBN Unit 2 FSAR Amendment 95 and the information provided by WVA in its letter dated July 31, 2010, the staff concludes that TVA did not make any substantive 3-6 changes to Section 3.10 of the FSAR, as reviewed and approved by the NRC staff in NUREG-0847 and its Supplements 1-9. Therefore, the staff concludes that Section 3.10 of the WBN Unit 2 FSAR is acceptable.
3-7
4 REACTOR 4.1 Introduction The reactor design of the Tennessee Valley Authority's (TVA's) Watts Bar Nuclear Plant (WBN), Unit 2, is similar to that of WBN Unit 1, the Sequoyah Nuclear Plant, and the McGuire Nuclear Station.The WBN nuclear steam supply system (NSSS), supplied by Westinghouse Electric Corporation, is designed to operate at a core thermal power of 3,411 megawatts thermal (MWt).Sufficient margin exists to ensure that fuel damage will not occur during steady-state operation or anticipated operational occurrences.
The NSSS is a four-loop Westinghouse design, with the core cooled and moderated by light water at a reactor coolant system (RCS) pressure of 2,250 pounds per square inch absolute (psia). The moderator coolant contains boron as a neutron absorber.
The concentration of boron in the coolant is varied as required to control relatively slow reactivity changes, including the effects of fuel bumup. Additional boron, in the form of burnable absorber rods, is employed as needed to decrease the moderator temperature coefficient and to control the power distribution.
The reactor core is made up of 193 fuel assemblies.
Each assembly is composed of a 17x17 square array containing 264 fuel rods. The center position is used for in-core instrumentation, while the remaining 24 thimbles are used for rod cluster control assemblies, neutron source assemblies, and burnable poison rods.The initial fuel design for WBN was the 17x17 Vantage 5H design with standard fuel rods. On September 30, 2003, the U.S. Nuclear Regulatory Commission (NRC) issued WBN Unit I License Amendment No. 46 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML032740199) to support TVA's use of the Westinghouse 17x 17 second-generation robust fuel assembly design, which is referred to as RFA-2 fuel. Following License Amendment No. 46, TVA transitioned WBN Unit 1 from the Vantage 5H design to RFA-2 fuel. TVA completed transitioning WBN Unit 1 to all RFA-2 fuel for cycle 8 in 2008. The mechanical design features of the RFA-2 fuel include integral fuel burnable absorbers, Westinghouse integral nozzle, debris filter bottom nozzle, extended bumup capability, axial blankets, and an advanced zirconium alloy known as ZIRLOTM for fuel cladding and many structural components.
TVA's fuel design for WBN Unit 2 consists of a core with all RFA-2 fuel.The NRC staff reviewed the design bases and functional requirements used in the nuclear design of the fuel and reactivity control systems of the WBN Unit 2 reactor. The basic requirement for the core and control system is that the consequences of each event be appropriate to the category for that event. To address this requirement, TVA presented several specific design bases in Section 4.3.1, "Design Bases," of the WBN Unit 2 final safety analysis report (FSAR), as described below in Section 4.3 of this supplemental safety evaluation report (SSER). These design bases include (1) fuel bumup, (2) negative reactivity feedbacks (reactivity coefficient), (3) control of power distribution, (4) maximum controlled reactivity insertion rate, (5) shutdown margins with vessel head in place, (6) shutdown margin for refueling, (7) stability, and (8) anticipated transients without trip.In its review of Section 4 of the WBN Unit 2 FSAR, the NRC staff referred to the following regulatory requirements applicable to the design bases of the fuel system: 4-1 0 General Design Criterion (GDC) 10, "Reactor Design," in Appendix A, "General Design Criteria for Nuclear Power Plants," to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities"* GDC 27, "Combined Reactivity Control Systems Capability" 0 GDC 35, "Emergency Core Cooling"* the regulation at 10 CFR 50.46, "Acceptance Criteria for Emergency Core Cooling Systems for Light-Water Nuclear Power Reactors" 0 the regulations in 10 CFR Part 100, "Reactor Site Criteria" In addition, the NRC staff referred to the guidance provided in Section 4.2, "Fuel System Design," of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (hereafter referred as the SRP), which contains guidelines for the safety review of a fuel design system. The SRP states that the objectives of the safety review of the fuel design system are to provide assurance that (1) the fuel system is not damaged as a result of normal operation and anticipated operational occurrences, (2) fuel system damage is never so severe as to prevent control rod insertion when it is required, (3) the number of fuel rod failures is not underestimated for postulated accidents, and (4) coolability is always maintained.
4.2 Fuel System Design The fuel system design for WBN Unit 2 is identical to that in WBN Unit 1 with the exception that WBN Unit 2 does not have tritium-producing burnable absorber bars (TPBARs)1.In the initial safety evaluation report (SER) for WBN, issued June 1982, and in SSER 2 (issued January 1984), SSER 10 (issued October 1992), and SSER 13 (issued April 1994), the NRC staff evaluated and approved the WBN fuel system design. In License Amendment No. 46 for WBN Unit I the NRC approved the addition to the WBN Unit 1 technical specifications (TS) of three additional methodologies to determine cycle-specific core operating limits. This action supported TVA's use of the Westinghouse 17x 17 array RFA-2 fuel design with intermediate flow mixers (IFMs) at WBN Unit 1. These methodologies include the WRB-2M departure from nucleate boiling (DNB) correlation, the revised thermal design procedure, and the VIPRE-01 methodology.
In its letter to the NRC dated February 8, 2008 (ADAMS Accession No. ML080770242; not publicly available), TVA provided a red-line comparison of the current WBN Unit 1 FSAR (FSAR Amendment 6, dated May 30, 2007; ADAMS Accession No. ML072210682) to WBN Units 1 and 2, FSAR Amendment 91, dated October 24, 1995. FSAR Amendment 91 was the last combined FSAR for WBN, Units 1 and 2, before TVA halted the construction of WBN Unit 2.The red-line comparison illustrated the proposed WBN Unit 2 FSAR at fuel load to aid the NRC staff in its review. WVA subsequently submitted Amendment 92, dated December 18, 2008, to the WBN Unit 2 FSAR (ADAMS Accession No. ML090340530).
In WBN Unit 1, License Amendment No. 40, dated September 23, 2002, the NRC approved TVA's request to irradiate TPBARs in the WBN Unit 1, reactor core. Irradiating the TPBARs in the reactor core supports the U.S. Department of Energy in maintaining the nation's tritium inventory.
4-2 Based on its review of the information provided by TVA in the proposed WBN Unit 2 FSAR, the NRC staff concludes that no substantive differences exist between the fuel system designs for WBN Unit 1 and WBN, Unit 2. In the staff requirements memorandum (SRM) associated with SECY-07-0096, "Possible Reactivation of Construction and Licensing Activities for the Watts Bar Nuclear Plant Unit 2," dated July 25, 2007 (ADAMS Accession No. ML072060688), the Commission stated that it supports a licensing review approach that employs the current licensing basis for WBN Unit 1 as the reference basis for the review and licensing of WBN, Unit 2. Since no substantive differences exist between the design for WBN Unit 2 and the previously reviewed and approved fuel system design for WBN Unit 1, the staff concludes that the fuel system design for WBN Unit 2 is acceptable.
The staff's evaluation of the WBN Unit 2 fuel system design is documented below.4.2.1 Description The fuel assemblies proposed for WBN Unit 2 consist of 264 fuel rods, 24 guide thimbles, and one instrumentation thimble arranged in a 17x17 array. The instrumentation thimble is at the center of the assemblies and facilitates the insertion of neutron detectors.
The guide thimbles provide channels for inserting various reactivity controls.
The fuel rods will contain uranium dioxide (U0 2) ceramic pellets contained in slightly cold-worked ZIRLOTM tubing that is plugged and seal welded at the ends to encapsulate the fuel. The ZIRLOTM cladding is used for the RFA-2 fuel to enhance fuel reliability and to achieve extended bumup. The fuel pellets are right circular cylinders consisting of slightly enriched U0 2 powder that has been compacted by cold pressing and then sintered to the required density. The ends of each pellet are dished slightly to allow greater axial expansion at the center of the pellets.All fuel rods are internally prepressurized with helium during the welding process to minimize compressive clad stresses and creep resulting from coolant operating pressures.
The helium prepressurization may differ for each fuel region. Fuel rod pressurization depends on the planned fuel bumup, as well as on other fuel design parameters and fuel characteristics (particularly densification potential).
The fuel rods are designed such that (1) the internal gas pressure of the lead rod will not exceed the value that causes the fuel-clad diametral gap to increase because of outward cladding creep during steady-state operation, (2) extensive DNB propagation will not occur, (3) the cladding stress-strain limits are not exceeded for Condition I and II events, and (4) clad flattening will not occur during the fuel core life.All aspects of the Westinghouse fuel design are based on mechanical tests, in-reactor operating experience, and engineering analyses.
Additionally, the performance of the design inside the reactor is subject to the continuing surveillance programs of Westinghouse and individual utilities.
These programs provide confirmatory and current design performance information.
4.2.2 Thermal
Performance Section 4.2.2 of the SER states the following:
In its evaluation of the thermal performance of the reactor fuel, the NRC staff assumes that densification of the uranium oxide fuel pellets may occur during irradiation in light-water reactors.
The initial density of the fuel pellets and the size, shape, and distribution of pores within the fuel pellets will influence the densification phenomenon.
4-3 Briefly stated, in-reactor densification (shrinkage) of oxide fuel pellets (1) may reduce gap conductance and hence increase fuel temperatures because of a decrease in pellet diameter, (2) may increase the linear heat generation rate because of the decrease in pellet length, and (3) may result in gaps in the fuel column as a result of pellet-length decreases (these gaps produce local power spikes and the potential for cladding creep collapse).
The SER documents that Westinghouse had previously submitted to the NRC in a topical report, Westinghouse Commercial Atomic Power (WCAP)-8219, "Fuel Densification Experimental Results and Model for Reactor Operation," the engineering methods that it will use to analyze the densification effects on fuel thermal performance.
The NRC approved the methods for use in licensing by letter dated June 25, 1974. The methods include testing, mechanical analyses, thermal and hydraulic analyses, and accident analyses.
The Atomic Energy Commission report entitled, "Technical Report on Densification of Westinghouse PWR Fuel," issued May 1974, presents the results of the staff's review. NUREG-0085, "The Analysis of Fuel Densification," issued July 1976, provides additional information on densification methods. The NRC staffs evaluation included in the SER of the thermal performance methods used by TVA remains valid.As discussed in the NRC staff's safety evaluation for WBN Unit 1. License Amendment No. 46, TVA evaluated the fuel rod design using the approved fuel performance analysis and design (PAD) computer code and the approved methodology of extended bumup applications in WCAP-1 0125-P-A, "Extended Burnup Evaluation of Westinghouse Fuel, Revision to Design Criteria." TVA concluded that the design bases and limits were met for the RFA-2 fuel design.Power distributions, peaking factors, and rod worths primarily depend on loading patterns.
The variations of these core safety parameters are expected to be typical of the normal cycle-to-cycle variations for the standard fuel reloads.Based on its review, as documented in the safety evaluation for WBN Unit I License Amendment No. 46, the NRC staff determined that TVA used the appropriate methodology and acceptance criteria for evaluating the fuel rod performance of RFA-2 fuel. Because the acceptance criteria were satisfied, the NRC staff concludes that the RFA-2 fuel design is acceptable for WBN Unit 2.Thermal Conductivity On October 8, 2009, the NRC staff issued Information Notice 2009-23, "Nuclear Fuel Thermal Conductivity Degradation," which summarizes a potential problem with predicting the thermal conductivity of fuel pellets using thermal performance codes approved by the NRC before 1999.Older codes and models may not account for degradation in the thermal conductivity of uranium fuel pellets as a function of irradiation.
During its review for this SSER, the staff noted that the thermal conductivity model used by TVA, PAD 4.0, does not account for this degradation.
This omission would result in an artificially higher fuel thermal conductivity at higher bumups and an underprediction of fuel temperature at those bumups. The staff asked TVA, in Request for Additional Information (RAI) 4.2-1, to justify the use of this model. In a letter dated October 4, 2010, TVA referenced the NRC safety evaluation related to Westinghouse Topical Report WCAP-1 5063, Revision 1, "Westinghouse Improved Performance Analysis and Design Model (PAD 4.0)" (ADAMS Accession No. ML003735452).
In its evaluation, the staff compared PAD 4.0 to FRAPCON-3, which accounts for fuel thermal conductivity degradation.
The initial comparison between FRAPCON-3 and PAD 4.0 demonstrated that PAD 4.0 calculated a conservative value for stored energy at lower bumups, but was nonconservative at higher 4-4 burnups. At the time of the analysis, the maximum stored energy was expected to occur at less than 5 gigawatt days per metric ton unit (GWd/MTU);
therefore, PAD 4.0 was considered conservative.
Since this confirmatory analysis, as detailed in Information Notice 2009-23, new data have become available which suggest that the fuel thermal conductivity degradation has a larger impact than previously thought. As such, the fuel thermal conductivity model in FRAPCON-3 has been modified; the current model is contained in FRAPCON-3.4.
Additionally, all modem codes that account for the fuel thermal conductivity degradation predict the maximum stored energy to occur at bumups closer to the knee in the power operating curve (e.g., 30 GWd/MTU for pressurized-water reactors (PWRs)). At these bumups, PAD 4.0 would calculate lower fuel stored energy than would be expected and so may no longer be conservative.
The NRC staff is unclear whether the use of a thermal conductivity model that does not account for bumup degradation remains conservative, given the expected time in life of the maximum stored energy in the fuel. The NRC staff needs additional information from TVA to demonstrate that PAD 4.0 can conservatively calculate the fuel temperature and other impacted variables, such as stored energy, given the lack of a fuel thermal conductivity degradation model. This is Open Item 61 (Appendix HH).4.2.3 Mechanical Performance Earthquakes and postulated pipe breaks in the RCS would result in external forces on fuel assemblies.
Appendix A to SRP Section 4.2 states that fuel system coolability should be maintained and damage should not be so severe as to prevent control rod insertion when required during seismic and loss-of-coolant accident (LOCA) events. "Coolability," in general, means that the fuel assembly retains its rod-bundle geometry with adequate coolant channels to permit removal of residual heat even after a severe accident.
The general requirements to maintain control rod insertability and core coolability appear repeatedly in the GDC found in Appendix A to 10 CFR Part 50 (e.g., GDC 27 and 35). In particular, the regulation at 10 CFR 50.46 provides the specific coolability requirements for the LOCA. The structural integrity of fuel assemblies is analyzed to ensure that external forces do not exceed the maximum allowable grid-crushing load, thereby minimizing the resulting damage and enabling the control rods and thimble tubes to remain functional during seismic and LOCA events.In the safety evaluation for WBN Unit 1 License Amendment No. 46, the NRC staff reviewed the RFA-2 fuel upgrade from Vantage Plus Performance Plus (V+/P+) fuel 2.For the operation of WBN Unit I scenarios of seismic and LOCA events with a mixed core induced the most severe loads. WVA analyzed a mixed core of RFA-2 and V+/P+ fuel assemblies using the approved methodology in WCAP-9401 -P-A, "Verification Testing and Analysis of the 17 x 17 Optimized Fuel Assembly," issued August 1981, selected two limiting mixed core configurations, and used the square-root-of-sum-of-squares (SRSS) method, as described in Appendix A to SRP 2 As clarification of the fuel nomenclature, the following is excerpted from TVA's letter dated February 14, 2003 (ADAMS Accession No. ML030520332): "Watts Bar Unit I Cycle 6 and subsequent core loadings will have the RFA-2 fuel design that incorporates Intermediate Flow Mixer [IFM] grids.. .the upgraded fuel assembly design is referred to as RFA-2. In the previous five cycles, Watts Bar Unit I has been operated with cores of Westinghouse 17x17 VANTAGE 5H fuel without IFMs and 17x17 VANTAGE+ fuel without IFMs. These existing fuel products are described in the Watts Bar [FSAR]. Consistent with the nomenclature in the [FSAR], the 17x1 7 VANTAGE 5H fuel without IFMs is referred to...as V5H. The 17x17 VANTAGE+ fuel without IFMs that has been used in Watts Bar Unit I includes PERFORMANCE+
features and is referred to in the [FSAR]...
as V+IP+." 4-5 Section 4.2, to combine the maximum LOCA and seismic impact forces. The results demonstrated that the combined impact forces on grids in different elevations were all below the maximum allowable grid-crushing load. Thus, TVA concluded that grid deformation was within acceptable limits and coolable geometry was maintained during the seismic and LOCA events.For WBN Unit 1 the staff found that TVA used an approved methodology for mixed core analysis and the approved SRSS method for combining impact forces. The staff concluded that the grid impact was acceptable and a coolable geometry would be maintained during seismic and LOCA events for WBN, Unit 1.Based on its safety evaluation for WBN Unit 1 License Amendment No. 46, the NRC staff concludes that the homogenous core of RFA-2 fuel for WBN Unit 2 is bounded by the WBN Unit I mixed core analysis and is, therefore, acceptable.
4.2.4 Surveillance
At WBN Unit I the licensee indirectly monitors fuel performance by measuring the activity of the primary coolant to ensure compliance with TS limits, specifically TS 3.4.16, "RCS Specific Activity." In Enclosure 2 to its letter to the NRC dated March 4, 2009 (ADAMS Accession No. ML090700378), TVA discussed the proposed TS for WBN Unit 2 and provided templates of the WBN Unit 2 TS. TVA stated that it used the WBN Unit 1 TS to develop the proposed templates of the WBN Unit 2 TS. In its letter to the NRC dated February 2, 2010 (ADAMS Accession No. ML100550326), TVA updated its proposed WBN Unit 2 TS. The NRC staff verified that the proposed WBN Unit 2 surveillance requirements (SRs) in TS 3.4.16 are the same as those for WBN Unit 1 and the SRs are consistent with the guidance of NUREG-1431, Revision 3, "Standard Technical Specifications, Westinghouse Plants." Since the proposed WBN Unit 2 TS 3.4.16 SRs are the same as those previously approved for WBN Unit 1 and they are consistent with NUREG-1431, the staff concludes that the proposed WBN Unit 2 TS 3.4.16 SRs are acceptable.
4.2.5 Fuel Design Conclusion Based on its review of the WBN fuel safety analysis, the satisfactory experience with this fuel type in other operating reactors, and its previous approval of this fuel type in WBN Unit 1, the NRC staff concludes that the RFA-2 fuel for WBN Unit 2 will perform its function adequately and that TVA has met all applicable regulatory requirements.
4.3 Nuclear
Design WBN Unit 2 has a reactor core consisting of 193 fuel assemblies of the Westinghouse 17x 17 array design. The core has a design heat output of 3,411 MWt and is essentially identical to WBN Unit 1 and the McGuire Nuclear Station reactors.In its letter to the NRC dated February 8, 2008, TVA provided a red-line comparison of WBN Unit I FSAR Amendment 6, to WBN, Units 1 and 2, FSAR Amendment
- 91. FSAR Amendment 91 was the last combined FSAR for WBN, Units I and 2, before TVA halted the construction of Unit 2. The red-line comparison illustrated the proposed WBN Unit 2 FSAR at fuel load to assist the NRC staff in its review. TVA subsequently submitted WBN Unit 2 FSAR Amendment 92, dated December 18, 2008 (ADAMS Accession No. ML090340530).
4-6 Based on its review of the information provided by TVA in the proposed WBN Unit 2 FSAR and in WBN Unit 2 FSAR Amendment 92, the NRC staff concludes that no substantive differences exist between the nuclear design of WBN Unit 1 and the design for WBN, Unit 2. In its SRM for SECY-07-0096, the Commission stated that it supports a licensing review approach that employs the current licensing basis for WBN Unit I as the reference basis for the review and licensing of WBN, Unit 2. Since no substantive differences exist between the design for WBN Unit 2 and the previously reviewed and approved nuclear design for WBN Unit 1, the staff concludes that the nuclear design for WBN Unit 2 is acceptable.
4.3.1 Design
Bases The NRC staff reviewed the design bases and functional requirements used in the nuclear design of the fuel and reactivity control systems of the WBN Unit 2 reactor. The basic requirement for the core and control system is that the consequences of each event be appropriate to the category for that event. To meet this requirement, TVA presented several specific design bases.In Section 4.3.1, "Design Bases," of WBN Unit 2 FSAR Amendment 101, dated October 29, 2010, WVA described the design bases and functional requirements used in the nuclear design of the fuel and reactivity control system and related the design bases to the GDC in Appendix A of 10 CFR Part 50. These include the following bases, as excerpted below from Section 4.3.1 of the WBN Unit 2 FSAR: Fuel Bumup. The fuel rod design basis.. satisfies GDC 10. Fuel bumup is a measure of fuel depletion which represents the integrated energy output of the fuel and is a convenient means for quantifying fuel exposure criteria.Negative Reactivity Feedbacks (Reactivity Coefficient).
The fuel temperature coefficient will be negative and the moderator temperature coefficient of reactivity will be non-positive for power operating conditions, thereby providing negative reactivity feedback characteristics.
The design basis meets GDC 11.Control of Power Distribution.
The nuclear design basis is that, with at least a 95 percent confidence level: 1. The fuel will not be operated at a linear power greater than the average linear power multiplied by FQ(z) under normal operating conditions including an allowance of 0.6 percent for calorimetric error. FQ(z) is the heat flux hot channel factor and is specified in the Watts Bar Core Operating Limits Report (COLR).2. Under abnormal conditions, including the maximum overpower condition, the fuel peak power will not cause melting as defined in Section 4.4.1.2 [of the FSAR].3. The fuel will not operate with a power distribution that violates the departure from nucleate boiling (DNB) design basis (i.e., the DNBR [DNB ratio] shall not be less than the safety analysis limits, as discussed in Section 4.4.1 [of the FSAR]) under Condition I 4-7
[normal operation and operational transients]
and II [faults of moderate frequency]
3 events including the maximum overpower condition.
- 4. Fuel management will be such that rod powers and burnups are consistent with the assumptions in the fuel rod mechanical integrity analysis of Section 4.2 [of the FSAR].The above basis meets GDC 10.Maximum Controlled Reactivity Insertion Rate. The maximum reactivity insertion rate due to withdrawal of Rod Cluster Control Assemblies or by boron dilution is limited. This limit, expressed as a maximum reactivity change rate of 75 pcm/sec [percent millirho per second], is set such that peak heat generation rate and DNBR do not exceed the maximum allowable at overpower conditions.
This satisfies GDC 25.The maximum reactivity worth of control rods and the maximum rates of reactivity insertion employing control rods are limited so that a rod withdrawal or rod ejection accident will not cause rupture of the coolant pressure boundary or disruption of the core internals to a degree which would impair core cooling capacity [as discussed in FSAR Chapter 15].Following any Condition IV event (rod ejection, steamline break, etc.) the reactor can be brought to the shutdown condition and the core will maintain acceptable heat transfer geometry.
This satisfies GDC 28.Shutdown Margins with Vessel Head in Place. Minimum shutdown margin requirements as specified in the Watts Bar Technical Specifications are required in all power operating modes, hot standby, hot shutdown, and cold shutdown conditions.
In all analyses involving reactor trip, the single, highest worth Rod Cluster Control Assembly (RCCA) is postulated to remain untripped in its full-out position (stuck rod criterion).
This satisfies GDC 26.Shutdown Margin for Refueling.
When fuel assemblies are in the pressure vessel and the vessel head is not in place, keff [effective neutron multiplication constant]
will be maintained at or below 0.95 with control rods and soluble boron. Further, the fuel will be maintained sufficiently subcritical that removal of all rod cluster control assemblies will not result in criticality.
Stability.
The core will be inherently stable to power oscillations at the fundamental mode. This satisfies GDC 12. Spatial power oscillations, should they occur, can be reliably and readily detected and suppressed.
Anticipated Transients without Scram. The effects of anticipated transients with failure to trip are not considered in the design bases of the plant. Analysis has shown that the likelihood of such a hypothetical event See Section 4.4.10 of this report for a description of accident condition classification.
4-8 is negligibly small. Furthermore, analysis of the consequences of a hypothetical failure to trip following anticipated transients has shown that no significant core damage would result and system peak pressures would be limited such that the primary stress anywhere in the system boundary is less than the "emergency conditions" defined in the ASME Nuclear Power Plant Components Code,Section III, and no failure of the reactor coolant system would result.In the SER, the NRC staff concluded that the nuclear design bases presented in the FSAR conform to the requirements of GDC 10, 11, 12, 13, 20, 25, 26, 27, and 28 of Appendix A to 10 CFR Part 50 and are, therefore, acceptable.
Based on its review, as described below, the NRC staff concludes that the nuclear design bases continue to conform to the aforementioned GDC.4.3.2 Design Description TVA provided a nuclear design description in Section 4.3.2.1 of WBN Unit 2 FSAR Amendment 101, as excerpted below: The reactor core consists of a specified number of fuel rods that are held in bundles by spacer grids and top and bottom fittings.
The fuel rods are constructed of ZIRLOTM cylindrical tubes containing U0 2 fuel pellets. The bundles, known as fuel assemblies, are arranged in a pattern which approximates a right circular cylinder.
Each fuel assembly contains a 17 x 17 rod array composed of 264 fuel rods, 24 guide thimbles, and an incore instrumentation thimble.For reload cores, the exact pattern, initial and final positions of assemblies, and the number of fresh assemblies and their placement depend on the energy requirements for the next cycle, and the burnup and power histories of the previous cycle.The core average enrichment is determined by the amount of fissionable material required to provide the desired core lifetime and energy requirements.
The physics of the burnout process is such that operation of the reactor depletes the amount of fuel available as the result of the absorption of neutrons by the U (uranium)-235 atoms and their subsequent fission. In addition, the fission process results in the formation of fission products, some of which readily absorb neutrons.
These effects, depletion and the buildup of fission products, are partially offset by the buildup of plutonium from the nonfission absorption of neutrons in U-238... Therefore, at the beginning of any cycle, a reactivity reserve equal to the depletion of the fissionable fuel and the buildup of fission product absorbers over the specified cycle life must be "built" into the reactor. This excess reactivity is controlled by removable neutron absorbing material in the form of boron dissolved in the primary coolant and burnable absorber rods or ZrB 2 (zirconium diboride)-coated fuel pellets in [integral fuel burnable absorbers](when present).The concentration of boric acid in the primary coolant is varied to provide control and to compensate for long-term reactivity requirements.
The concentration of the soluble neutron absorber is controlled by means of the Chemical and Volume 4-9 Control System (CVCS) to compensate for reactivity changes caused by fuel bumup, fission product buildup including xenon and samarium, burnable absorber depletion, and the [temperature change in the moderator as the reactor heats up from a cold to an operating state]. Rapid transient reactivity requirements and safety shutdown requirements are met with control rods.As the boron concentration is increased, the moderator temperature coefficient becomes less negative.
The use of a soluble absorber alone would result in a positive moderator coefficient at beginning-of-life for the first cycle. Therefore, burnable absorbers are used in the first core to sufficiently reduce the soluble boron concentration to ensure that the moderator temperature coefficient is negative at power operating conditions.
During operation, the neutron absorber content in these rods is depleted, thus adding positive reactivity to offset some of the negative reactivity from fuel depletion and fission product buildup. The depletion rate of the burnable absorber rods is not critical since chemical shim is always available and flexible enough to cover any possible deviations in the expected burnable poison depletion rate... Note that even at end-of-life conditions, some residual poison remains in the burnable absorber rods, resulting in a net decrease in the first cycle lifetime.In addition to reactivity control, the burnable absorber rods are strategically located to provide a favorable radial power distribution.
Table 4.1-1 ,"Reactor Design Comparison Table," in the WBN Unit 2 FSAR summarizes the reactor core design parameters for the first fuel cycle, including reactivity coefficients, delayed neutron fraction, and neutron lifetimes.
The NRC staff reviewed the WBN Unit 2 reactor core design parameters and verified that the parameters are consistent with those used in similar reactors, such as the McGuire Nuclear Station (see WBN Unit 2 FSAR Table 4.1-1,"Reactor Design Comparison Table") and WBN Unit 1 (see WBN Unit 1 FSAR Table 4.1-1,"Reactor Design Comparison Table"). Based on its approval of these similar core design parameters and satisfactory industry operating experience with these designs, the staff concludes that the reactor core design parameters proposed in WBN Unit 2 are acceptable.
4.3.3 Analytical
Methods Section 4.3.3, "Analytical Methods," and Table 4.1-2, "Analytic Techniques in Core Design," of WBN Unit 2 FSAR Amendment 101, describe the computer programs and calculation techniques used to obtain the nuclear characteristics of the reactor design. The calculations consist of three distinct types, which are performed in sequence:
(1) determination of effective fuel temperatures, (2) generation of macroscopic few-group parameters, and (3) space-dependent few-group diffusion calculations.
As noted in Table 4.1-2 of the WBN Unit 2 FSAR, the programs used by TVA (LASER, REPAD, ARK, PHOENIX-P, CINDER, LEOPARD, ENDFIB, HAMMER, AIM, TURTLE, THURTLE, PALADON, ANC, PANDA, and APOLLO) have been used as part of the applications in support of most previously constructed Westinghouse-designed nuclear plant facilities.
The results predicted by these programs have been compared with measured characteristics obtained during many startup tests for first cycle and reload cores. These results validate the ability of these methods to predict experimental results. Since the methods have been approved by the NRC and validated by industry operating experience, 4-10 the NRC staff concludes that these methods are acceptable for use in calculating the nuclear characteristics of the WBN Unit 2 core.4.3.4 Summary of Evaluation Findings TVA has described the computer programs and calculation techniques used to predict the nuclear characteristics of the reactor design and provided examples to demonstrate the ability of the analyses to predict the reactivity and physics characteristics of WBN, Unit 2. To allow for changes of reactivity as a result of reactor heatup, changes in operating conditions, fuel burnup, and fission product buildup, a significant amount of excess reactivity is designed into the core.TVA has provided substantial information relating to core reactivity balances for the first cycle and has shown that the design incorporates a means to control excess reactivity at all times.TVA has shown that sufficient control rod worth is available to make the reactor subcritical in the hot condition at any time during the cycle with the most reactive control rod stuck in the fully withdrawn position.
On the basis of its review of the information provided by TVA in the WBN Unit 2 FSAR, the NRC staff concludes that TVA's assessment of reactivity control requirements over the first core cycle is suitably conservative and that the control system provides adequate negative worth to ensure shutdown capability.
Based on its review of the information provided by TVA in the WBN Unit 2 FSAR dated February 8, 2008, and in WBN Unit 2 Amendment 92, the NRC staff concludes that there are no substantive differences between the nuclear designs of WBN Unit 1 and Unit 2. Since the staff has previously reviewed and approved the nuclear design for WBN Unit 1 and no substantive differences exist between the designs of the two units, as noted in SSER Section 4.3.2 above, the staff concludes that the nuclear design bases, features, and limits for WBN Unit 2 continue to conform to the requirements of GDC 10, 11, 12, 13, 20, 25, 26, 27, and 28. Therefore, the staff concludes that the WBN Unit 2 design is acceptable.
4.4 Thermal-Hydraulic Desigqn In its letter to the NRC dated February 8, 2008, TVA provided a red-line comparison of WBN Unit I FSAR Amendment 6 to WBN, Units 1 and 2, FSAR Amendment
- 91. FSAR Amendment 91 was the last combined FSAR for WBN, Units I and 2, before TVA halted construction of WBN, Unit 2. The red-line comparison illustrates the proposed WBN Unit 2 FSAR at fuel load to assist the NRC staff in its review. TVA subsequently submitted WBN Unit 2 FSAR Amendment 92.Based on its review of the information provided by TVA in the proposed WBN Unit 2 FSAR and in WBN Unit 2 FSAR Amendment 92, the NRC staff concludes that no substantive differences exist between the thermal-hydraulic design for WBN Unit I and the thermal-hydraulic design for WBN, Unit 2. In the SRM for SECY-07-0096, the Commission stated that it supports a licensing review approach that employs the current licensing basis for WBN Unit 1 as the reference basis for the review and licensing of WBN, Unit 2. Since the staff has previously reviewed and approved the thermal-hydraulic design for WBN Unit I and no substantive differences exist between the designs of the two units, the staff concludes that the thermal-hydraulic design for WBN Unit 2 is acceptable without further review.The following summary statement of the NRC staff's finding of acceptability of the thermal-hydraulic design is provided for convenience.
4-11
4.4.1 Performance
and Safety Criteria The overall objective of the thermal-hydraulic design of the reactor core is to provide adequate heat transfer that is compatible with the heat generation distribution in the core such that heat removal by the RCS or the emergency core cooling system, when applicable, ensures that certain performance and safety criteria requirements are met.The performance and safety criteria for WBN Unit 2 as stated in Section 4.4.1, "Design Bases," of WBN Unit 2 FSAR Amendment 95, dated November 24, 2009, include the following:
- 1. Fuel damage (defined as penetration of the fission product barrier, i.e., the fuel rod clad) is not expected during normal operation and operational transients (Condition I) or any transient conditions arising from faults of moderate frequency (Condition II). It is not possible, however, to preclude a very small number of rod failures.
These will be within the capability of the plant cleanup system and are consistent with the plant design bases.2. The reactor can be brought to a safe state following a Condition III event with only a small fraction of fuel rods damaged (see above definition) although sufficient fuel damage might occur to preclude resumption of operation without considerable outage time.3. The reactor can be brought to a safe state and the core can be kept subcritical with acceptable heat transfer geometry following transients arising from Condition IV events.These performance and safety criteria are based on the event classification scheme and safety criteria of American National Standards Institute (ANSI) N18.2-1973, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants," and limited to the criteria that apply to the plant's thermal-hydraulic design. ANSI N 18.2-1973 specifies additional criteria (e.g., those that pertain to pressure boundary integrity);
other sections of this report identify these criteria, as applicable.
The NRC staff stated these same performance and safety criteria for WBN in Section 4.4.1 of the SER.4.4.2 Design Bases To satisfy the above criteria, the design bases discussed below apply to the thermal-hydraulic design of the reactor core, as stated by the NRC staff in Section 4.4.2 of the SER and by TVA in Section 4.4.1 of WBN Unit 2 FSAR Amendment 101.4.4.2.1 Departure from Nucleate Boiling The margin to DNB at any point in the core is expressed in terms of the departure from nucleate boiling ratio (DNBR). The DNBR is defined as the ratio of the heat flux required to produce DNB at the calculated local coolant conditions to the actual local heat flux. The following is the design basis for DNB, as stated in WBN Unit 2 FSAR Amendment 101: There will be at least a 95 percent probability that departure from nucleate boiling (DNB) will not occur on the limiting fuel rods during normal operation and 4-12 operational transients and any transient conditions arising from faults of moderate frequency (Condition I and II events) at a 95 percent confidence level.4.4.2.2 Fuel Temperature The following is the design basis for fuel temperature, as stated in WBN Unit 2 FSAR Amendment 101: During modes of operation associated with Condition I and Condition II events, the maximum fuel temperature shall be less than the melting temperature of UO.The U0 2 melting temperature for at least 95 percent of the peak kW/ft [kilowatt per foot] fuel rods will not be exceeded at the 95 percent confidence level. The melting temperature of U0 2 is taken as 5080°F unirradiated and decreasing 58°F per 10,000 MWD/MTU [megawatt days per metric ton unit]. By precluding U0 2 melting, the fuel geometry is preserved and possible adverse effects of molten U0 2 on the cladding are eliminated.
To preclude center melting and as a basis for overpower protection system setpoints, a calculated centerline fuel temperature of 4700°F has been selected as the overpower limit. This provides sufficient margin for uncertainties in the thermal evaluations....
4.4.2.3 Core Flow The following is the design basis for core flow, as stated in WBN Unit 2 FSAR Amendment 101: A minimum of 90.4 percent of the thermal flow rate will pass through the fuel rod region of the core and be effective for fuel rod cooling. Coolant flow through the thimble tubes as well as the leakage from the core barrel-baffle region into the core is not considered effective for heat removal.4.4.2.4 Hydrodynamic Stability I The following is the design basis for hydrodynamic stability, as stated in WBN Unit 2 FSAR Amendment 101: Modes of operation associated with Condition I and II events shall not lead to hydrodynamic instability....
4.4.3 Thermal-Hydraulic Design Methodology 4.4.3.1 Departure from Nucleate Boiling Section 4.4.1.1 of the WBN Unit 2 FSAR states the following:
The design method employed to meet the DNB design basis is the revised thermal design procedure (RTDP)...
With RTDP methodology, uncertainties in plant operating parameters, nuclear thermal parameters, fuel fabrication parameters, computer codes, and DNB correlation predictions are considered statistically to obtain DNB uncertainty factors. Based on the DBN uncertainty factors, RTDP design limit DNB ratio (DNBR) values are determined such that there is at least 95-percent probability at a 95-percent confidence level that DNB will not occur on the most limiting fuel rod during normal operation and 4-13 operational transients and during transient conditions arising from faults of moderate frequency (Condition I and II events as defined in ANSI N 18.2-1973).
Since the parameter uncertainties are considered in determining the RTDP design limit DNBR values, the plant safety analyses are performed using input parameters at their nominal values.The RTDP design limit DNBR value is 1.23 for both typical and thimble cells with WRB-2M correlation for RFA-2. The design limit DNBR value is used as a basis for the Technical Specifications and for consideration of the applicability as defined in 10 CFR 50.59. To maintain DNBR margin to offset DNB penalties such as those attributable to fuel rod bow... the safety analyses were performed to a DNBR limit higher than the design limit DNBR value. The difference between the design limit DNBR and the safety analysis limit DNBR results in available DNBR margin. The net DNBR margin, after consideration of all penalties, is available for operating and design flexibility.
The DNBR limits are listed in Table 4.4-1. The standard thermal design procedure (STDP) is used for those analyses where RTDP is not applicable.
In the STDP method, the parameters used in analysis are treated conservatively from a DNBR standpoint.
The parameter uncertainties are applied directly to the plant safety analyses input values to give the lowest minimum DNBR. The DNBR limit for STDP is the appropriate DNB correlation limit increased by sufficient margin to offset the applicable DNBR penalties.
By preventing DNB, adequate heat transfer is assured between the fuel clad and the reactor coolant, thereby preventing clad damage as a result of inadequate cooling. Maximum fuel rod surface temperature is not a design basis as it will be within a few degrees of coolant temperature during operation in the nucleate boiling region. Limits provided by the nuclear control and protection systems are such that this design basis will be met for transients associated with Condition II events, including overpower transients.
There is an additional large DNBR margin at rated power operation and during normal operating transients.
TVA has proposed a DNBR value of 1.23 to ensure that there is a 95-percent probability at a 95-percent confidence level that critical heat flux will not occur on the limiting fuel rod. TVA used this same DNBR value for the RFA-2 fuel in WBN, Unit 1. Since TVA has used an NRC-approved methodology, described in WCAP-1 1397-P-A, "Revised Thermal Design Procedure," issued April 1989, the NRC staff concludes that the DNB design methodology used in the design of WBN Unit 2 is acceptable.
4.4.3.2 Core Flow TVA stated the following in Section 4.4.1.3 of WBN Unit 2 FSAR Amendment 101: Core cooling evaluations are based on the thermal flow rate (minimum flow)entering the reactor vessel. A maximum of 9.6 percent of this value is allotted as bypass flow. This includes guide thimble cooling flow, head cooling flow, baffle leakage, and leakage to the vessel outlet nozzle.The coolant flow based on thermal design flow for WBN Unit 2 as stated in Table 4.4-1 "Thermal and Hydraulic Comparison Table," of the WBN Unit 2 FSAR is the same as that stated in WBN 4-14 Unit 1 FSAR Amendment 8, dated April 20, 2010 (ADAMS Accession No. ML101230435).
Therefore, the NRC staff concludes that the core flow is acceptable.
4.4.3.3 Hydrodynamic Instability Section 4.4.3.5 of WBN Unit 2 FSAR Amendment 101, states the following:
Boiling flows may be susceptible to thermohydrodynamic instabilities.
These instabilities are undesirable in reactors since they may cause a change in thermohydraulic conditions that may lead to a reduction in the DNB heat flux relative to that observed during a steady flow condition or to undesired forced vibrations of core components.
Therefore, a thermohydraulic design was developed which states that modes of operation under Condition I and II events shall not lead to thermohydrodynamic instabilities.
Two specific types of flow instabilities are considered for Westinghouse PWR operation.
These are the Ledinegg, or flow excursion type of static instability, and the density wave type of dynamic instability....
Additional evidence that flow instabilities do not adversely affect thermal margin is provided by the data from the rod bundle DNB tests. Many Westinghouse rod bundles have been tested over wide ranges of operating conditions with no evidence of premature DNB or of inconsistent data which might be indicative of flow instabilities in the rod bundle.In summary, it is concluded that thermohydrodynamic instabilities will not occur under Condition I and II modes of operation for Westinghouse PWR reactor designs. A large power margin exists to predicted inception of such instabilities.
Analysis has been performed which shows that minor plant to plant differences in Westinghouse reactor designs such as fuel assembly arrays, core power to flow ratios, fuel assembly length, etc. will not result in gross deterioration of the above power margins.Based on operating experience, flow stability experience, and the thermal-hydraulic design of Westinghouse PWRs, the NRC staff concludes that there is reasonable assurance that hydrodynamic instability will not occur at WBN, Unit 2.4.4.3.4 Reactor Coolant System Temperature Measurement By letter dated June 13, 1989 (ADAMS Accession No. ML073511999), the NRC staff approved the Eagle-21 microprocessor system used at WBN Unit 1 for measuring RCS temperature.
Chapter 7 of WBN Unit 2 FSAR Amendment 101, states that WBN Unit 2 will use the same system; therefore, the NRC staff concludes that the system is acceptable for WBN Unit 2.4.4.4 Operating Abnormalities Fuel Rod Bowing The DNBR safety analysis of Condition I and Condition II events must account for the phenomenon of fuel rod bowing. Applicable credits for margin resulting from retained conservatism in the evaluation of the DNBR are used to offset the effect of rod bow. In its 4-15 evaluation of the effects of fuel rod bowing, TVA used the methodology approved by the NRC by letter dated December 29, 1982 (ADAMS Legacy Accession No. 8301070346), contained in WCAP-8691-P, Revision 1, "Fuel Rod Bow Evaluation." In Section 4.4.2.3.5 of WBN Unit 2 FSAR Amendment 101, TVA stated that the following:
For the safety analysis of the Watts Bar Units, sufficient DNBR margin was maintained...
to accommodate the full- and low-flow rod bow DNBR penalties...
However, for the upper assembly spans of the RFA-2, where additional restraint is provided with the IFM grids, the grid to grid spacing in DNB limiting space is approximately 10 inches. Using the rod bow topical method and scaling with the NRC approved factor, results in a predicted channel closure in the 10-inch spans of less than 50 percent closure. Therefore, no rod bow DNBR penalty is required in the 10-inch spans in the RFA-2 safety analysis.The maximum rod bow penalties (less than 2.5 percent DNBR) accounted for in the design safety analysis are based on an assembly average bumup of 24,000 MWD/MTU. At burnups greater than 24,000 MWD/MTU, credit is taken for the effect of FNAH [nuclear enthalpy rise hot channel factor] burndown, because of the decrease in fissionable isotopes and the buildup of fission product inventory, and no additional rod bow penalty is required.WBN Unit I License Amendment No. 46 approved the addition to the WBN Unit 1 TS of three methodologies (WRB-2M DNB correlation, revised thermal design procedure, and VIPRE-01) to determine cycle-specific core operating limits, in support of TVA's use of the Westinghouse 17x17 array RFA-2 fuel design with IFMs at WBN, Unit 1. Based on the information provided by TVA in WBN Unit 2 FSAR Amendment 101 and TVA's use of NRC-approved methodologies in its analysis, the NRC staff concludes that TVA has acceptably addressed fuel rod bowing for the RFA-2 fuel in WBN, Unit 2.4.4.5 Loose Part Monitoring System Section 7.6.7, "Loose Part Monitoring System Description," of WBN Unit 2 FSAR Amendment 101, describes the loose part monitoring system (LPMS). The system, supplied by Westinghouse, is known as the digital metal impact monitoring system (DMIMS-DX) and consists of sensors, preamplifiers, signal conditioners, signal processors, alarms, and displays.The system is designed to detect loose parts in the RCS. Early detection of loose parts can be useful in avoiding damage to primary system components and minimizing the radiation exposure of station personnel.
TVA stated that the LPMS at WBN Unit 2 conforms to Regulatory Guide (RG) 1.133, Revision 1, "Loose-Part Detection Program for the Primary System of Light-Water Cooled Reactors," issued May 1981, as discussed in FSAR Table 7.1-1.The LPMS comprises sensors installed at six natural collection regions of the RCS: the top and bottom plena of the reactor vessel and the primary coolant inlet plena of the four steam generators.
The sensors feed data to a central processing unit; the data are then used to determine when alarm logic conditions are satisfied (based on impact analysis, background noise, and other factors).
Alarm indications are provided at the local panel and in the main control room.The NRC staff applied the regulatory guidance of Section 4.4, "Thermal and Hydraulic Design," of the SRP. The acceptance criteria of SRP Section 4.4 states that the design description and 4-16 proposed procedures for use of the LPMS should be consistent with the requirements of RG 1.133. In particular, the staff used the guidance in RG1.133, Revision 1, Regulatory Position C. 1, "System Characteristics." The DMIMS-DX is not a safety-related system, but it is a system that can, through normal operation, system failure, or inadvertent operation, affect the performance of critical safety functions.
TVA stated in WBN Unit 2 FSAR Amendment 101 that the system components are designed to remain functional through normal radiation exposures during a 40-year lifetime.Instrumentation monitors loose parts in the primary coolant system pressure boundary, in accordance with the guidance of RG 1.133. Two redundant sensors, fastened on several locations throughout the primary system, guard against a loss of loose part monitoring function should one set of sensors lose power for any reason.TVA also stated in FSAR Amendment 101 that the online sensitivity of the DMIMS-DX can detect a metallic loose part that weighs from 0.25 pounds to 30 pounds and impacts the inside surface of the reactor pressure coolant boundary within 3 feet of a sensor. If the measured impact signals exceed the preset alarm level, audible and visual alarms in the control room are activated.
Digital signal processors record the times that the first and subsequent impact signals reach the various sensors, which aids in locating the loose part. The DMIMS-DX system also allows for audio monitoring of any channel. The DMIMS-DX also contains a local display, an alarm panel, and a system printer (for printing system status, waveform graphs, and other report data).The system maintains operability following all seismic events that do not require shutdown, such as an operating-basis earthquake, in accordance with RG 1.133. Failure of the DMIMS-DX, under design-basis earthquake conditions, will not impact any of the safety systems. Since the DMIMS-DX does not communicate with any of the safety systems, its failure will not adversely affect any of the safety systems.Based on its review of the information provided by TVA, the NRC staff concludes that the proposed LPMS at WBN Unit 2 conforms to the guidance in Regulatory Position C. 1 of RG 1.133, with nonsubstantive differences noted in FSAR Table 7.1-1 (e.g., WBN TS requirements for specific sensor locations were relocated to the licensee-controlled technical requirements manual). Therefore, the NRC staff concludes that the proposed LPMS at WBN Unit 2 is acceptable.
4.4.6 Thermal-Hydraulic Comparison Table 4.4.6-1 lists the thermal-hydraulic design parameters for the WBN Unit 2 and compares them to the corresponding thermal-hydraulic design parameters for WBN Unit 1 and McGuire Nuclear Station, Units 1 and 2.The WBN units were designed to operate at basically the same thermal power as the McGuire plants. The parameters, listed in the following table for WBN Unit I are drawn from accident analyses TVA performed to support the measurement uncertainty recapture power uprate issued by the NRC in License Amendment No. 31, dated January 19, 2001. The WRB-2M critical heat flux correlation and the VIPRE-01 computer program were used in the design of the comparison plants.The table lists the reactor design parameter values for WBN Unit 2 compared to two similar reactor designs (WBN Unit 1 and McGuire Units 1 and 2), which are rated at different thermal 4-17 power levels. WBN Unit I and the McGuire units already operate with NRC-approved thermal-hydraulic design parameters.
As expected, reactor design parameters that are unaffected by power level are identical, and parameters that are linked to power level differ proportionately (e.g., the rise in vessel temperature is greater for the higher power level of WBN Unit 1).Table 4.4.6-1 Reactor Design Parameters Comparison WBN WBN McGuire4 Unit I Unit 2 Units I and 2 Thermal-Hydraulic Design Parameters Reactor Core Heat Output, MWt 3,4595 3,411 3,411 Reactor Core Heat Output, 105 Btu/h 11,803.0 11,641.7 11,641.7 Heat Generated in Fuel, % 97.4 97.4 97.4 System Pressure, Nominal, psia 2,250 2,250 2,250 System Pressure, Minimum Steady State, 2,200 2,200 2,220 psia Minimum Departure from Nucleate Boiling >1.236 >1.31 >1.30 Ratio for Design Transients Coolant Flow Total Thermal Flow Rate, 106 Ibm/h 144.8 144.7 144.8 Effective Flow Rate for Heat Transfer, 133.0 131.7 133.9 104 lb/h Effective Flow Area for Heat Transfer, ft 2 51.1 51.3 51.1 Average Velocity Along Fuel Rods, ft/s 16.6 15.4 16.6 Average Mass Velocity, 106 Ibm/h-ft 2 2.45 2.57 2.62 Coolant Temperature, OF Nominal Inlet 557.3 559.0 559.1 Average Rise in Vessel 61.8 58.4 58.2 Average Rise in Core 67.5 63.5 62.5 Average in Core 593.1 592.5 592.0 Average in Vessel 588.2 588.2 588.2 Heat Transfer Active Heat Transfer, Surface Area, ft 2 59,700 59,700 59,700 Average Heat Flux, Btu/h-ff 189,800 189,800 189,800 Maximum Heat Flux for Normal Operation, 440,300 455,520 440,300 Btu/h-ft 2 Average Thermal Output, kW/ft 5.44 5.45 5.44 Maximum Thermal Output for Normal 12.6 13.1 12.6 Operation, kW/ft Maximum Thermal Output at Maximum 22.4 21.1 18.0 4 Values are for Cycle 1.5 The safety analyses completed for WBN Unit 1 also support an uprated core thermal power level of 3,459 MWt and an NSSS power of 3,475 MWt (using the WBN-specific pump heat value of 16 MWt), based on a redefinition of the power uncertainty, from 2 percent to 0.6 percent.6 The limit is 1.23 for both typical and thimble cells with WRB-2M correlation for RFA-2 fuel.4-18 WBN WBN McGuire 4 Unit I Unit 2 Units I and 2 Overpower Trip Point (118% power), kW/ft Heat Flux Hot Channel Factor, FQ 2.50 2.40 2.32 Peak Fuel Central Temperature at 100% 3,290 3,160 3,250 Power, *F Peak Fuel Central Temperature at 4,700 4,500 4,150 Maximum Thermal Output for Maximum Overpower Trip Point, *F Core Mechanical Design Parameters Fuel Assemblies Design RCC Canless RCC Canless RCC Canless Number of Fuel Assemblies 193 193 193 U0 2 Rods per Assembly 264 264 264 Rod Pitch, in. 0.496 0.496 0.496 Overall Dimensions, in. 8.426 x 8.426 8.426 x 8.426 8.426 x 8.426 Fuel Weight (as U0 2), lb 222,645 222,645 222,739 Clad Weight, lb 46,994 46,994 50,913 Number of Grids per Assembly Nonmixing Nonmixing 8-Type R vane 2 vane 2 Loading Technique Mixing vane 6 Mixing vane 6 3 region IFM 3 IFM 3 modified P-Grid-1 P-Grid-1 checkerboard Low leakage Multiple region (up to 5)Fuel Rods Number 50,952 50,952 50,952 Outside diameter, in. 0.374 0.374 0.374 Diametral Gap, in. 0.0065 0.0065 0.0065 Clad Thickness, in. 0.0225 0.0225 0.0225 Clad Material Zircaloy-4 ZIRLOTM Zircaloy-4 The NRC staff concludes that the WBN Unit 2 thermal-hydraulic design is acceptable because its parameters are consistent with the NRC-approved thermal-hydraulic design parameters of WBN Unit 1 and McGuire, Units 1 and 2, which have a satisfactory operating history.4.4.7 N-1 Loop Operation N-1 loop operation is defined as operation when one of the reactor's coolant loops is out of service. In N-1 operation, only three of the four coolant loops are available to supply coolant to the reactor core.Section 4.4.7 of the SER states the following:
In response to a staff question, the applicant stated that he did not wish to exercise the option to operate in the N-1 mode. The staff will require that the Technical Specifications include appropriate provisions to ensure that this type of operation is prohibited.
4-19 In its letter dated February 2, 2010, TVA provided developmental revision .B of the WBN Unit 2 TS. Proposed Limiting Condition for Operation
3.4.4 requires
that "Four RCS loops shall be OPERABLE and in operation." This is the same TS requirement for WBN Unit 1 and so the NRC concludes that it is acceptable.
4.4.8 Instrumentation
for Inadequate Core Cooling Detection (NUREG-0737, Item II.F.2)As documented in SER Section 4.4.8, the NRC staff did not complete its review of the inadequate core cooling (ICC) instrumentation for WBN. In SSER 10, the staff found the proposed ICC system acceptable based, in part, on TVA's commitment by letter dated January 24, 1992, to install the Westinghouse ICC Monitor (ICCM)-86 system and associated hardware.Since the ICCM-86 system is now obsolete, TVA will install the Westinghouse Common Q postaccident monitoring system (PAMS) in WBN Unit 2 as discussed in a letter dated October 26, 2010. Since the Common Q PAMS digital-to-digital system is a functionally equivalent replacement of the ICCM-86 system, the staff expects it to accomplish all of the safety functions performed by the ICCM-86 system. Therefore, the Common Q PAMS proposed for WBN Unit 2 is designed to satisfy Item II.F.2 of NUREG-0737, "Clarification of TMI Action Plan Requirements," issued November 1980.The safety-grade Common Q PAMS proposed for WBN Unit 2 will replace the obsolete ICC monitoring system (ICCM-86).
This digital-to-digital replacement will calculate subcooled margin and reactor vessel level, process core exit temperatures, and provide key data to the control room by means of the flat panel display system.The PAMS process inputs include the following:
0 core exit thermocouples (CETs)* cold reference junction resistance temperature detector (RTD) temperature inputs* reactor vessel level instrumentation system (RVLIS) differential pressure signals* RVLIS capillary RTD temperature signals* RVLIS hydraulic isolation contact status 0 RCS wide-range pressure and wide-range hot-leg temperature (Thot)0 core thermal power based on differential temperature (AT power)* reactor coolant pump on/off contact status The following are the PAMS digital data outputs (digital data link to the plant computer):
- CET temperatures (individual, representative, highest, quadrant highest, quadrant next highest)0 CET reference junction temperature
- reactor vessel level (dynamic, lower, upper, void fraction)* reactor vessel level operations setpoint* RCS and CET subcooled margin (temperature, pressure)4-20 system status information and alarms* reactor coolant pump status* reactor vessel differential pressure inputs (AP1, AP2, AP3)* AT core thermal power* RVLIS RTD temperatures
- RCS wide-range pressure and wide-range Thot The following are the PAMS available analog data outputs:* RCS and CET subcooled margin (only the CET subcooled margin output is used for WBN, Unit 2)* representative CET temperature
- reactor vessel level 0 three user-selectable analog outputs Section 4.4.8 of the SER states the following:
Incore Thermocouple System The Watts Bar Nuclear Plant incore thermocouples are located at the core exit for each quadrant and, in conjunction with core inlet RTD data, are sufficient to provide an indication of the radial distribution of the coolant enthalpy rise across representative sections of the core. Sixteen (four per quadrant) of the core-exit thermocouples will be designated as postaccident monitoring (PAM) sensors.The primary operator display is a computer-driven printer. A spatially oriented core map is available on demand; it indicates the temperature at each core exit thermocouple location.
The printout range is 2000°F to 2300 0 F.Alarm capability is provided in conjunction with the subcooling monitor that uses the average of all the thermocouple (TIC) readings in the calculations.
A backup analog readout is provided with the capability of selective reading of any T/C in the system. The range of the system is 0 to 700 0 F. However, TVA has agreed to extend the temperature range of the backup analog readout to 2300°F per the requirements of Item II.F.2 of NUREG-0737.
Another means of obtaining these data is reading the raw signals (T/C and reference junction output) with portable test equipment.
These data are available in the control building and would be accessible under all conditions should the primary and backup display devices fail.4-21 Reactor Vessel Level Instrumentation The reactor vessel level instrumentation (RVLI) system was designed to provide direct readings of vessel level that can be used by the operator.
This RVLI system does not replace existing systems and is not coupled to safety systems, but acts only to provide additional information to the operator.Redundant displays are provided for the two sets. Level information based on all three differential pressure measurements is presented.
Correction for reference leg densities is automatic.
Any error conditions such as out-of-range sensors or hydraulic isolators are automatically displayed on the affected measurements.
The RVLI is to be used in conjunction with a coolant subcooling readout to determine the state and transient behavior of the reactor coolant system. The reactor vessel wide-range level indication will read on scale with all four reactor coolant pumps running during normal operation from 0-to-1 00 percent full power.With all pumps shut down, the indicator will provide a direct indication of water level in the reactor vessel.Based on its review, the staff asked TVA several questions regarding the ICC instrumentation.
TVA responded to these questions by letter dated October 26, 2010 (ADAMS Accession No. ML103020322).
Enclosure 1 to this letter provided a Westinghouse document entitled,"Tennessee Valley Authority (TVA), Watts Bar Unit 2 (WBN2), Post-Accident Monitoring System (PAMS), Licensing Technical Report, Revision 1, WNA-LI-00058-WBT-P," issued October 2010 (ADAMS Accession No. ML103020324; not publicly available).
The NRC staff should complete its review and evaluation of the additional information provided by TVA regarding the ICC instrumentation.
This is Open Item 72 (Appendix HH).4.4.9 Summary and Conclusion The NRC staff reviewed the thermal-hydraulic design of the core for WBN using the acceptance criteria provided in Section 4.4 of the SRP. The scope of the review included the design criteria, the core design, and the steady-state analysis of the core thermal-hydraulic performance.
The review concentrated on the difference between the proposed core design and those designs previously reviewed and found acceptable by the NRC staff. The NRC staff concluded that all such differences were acceptable.
TVA performed its thermal-hydraulic design analyses using analytical methods and correlations that the NRC staff had previously reviewed and approved.Based on its review of the analyses of the core thermal-hydraulic performance provided by TVA, the NRC staff concludes that the core has been designed with appropriate margin to ensure that acceptable fuel design limits are not exceeded during steady-state operation and anticipated operational occurrences.
The thermal-hydraulic design of the core, therefore, meets the requirements of GDC 10 and is acceptable for preliminary design approval, pending completion of Open Item 72 (Appendix HH).In Section 4.4.9 of the SER, the staff documented that TVA has committed to a preoperational and initial startup test program in accordance with RG 1.68, "Initial Test Programs for Water-Cooled Nuclear Power Plants," to measure and confirm the thermal-hydraulic design aspects.4-22 4.4.10 Accident Conditions Grouping postulated accidents by their event frequency is a standard approach used by the U.S. Department of Energy, the NRC, and the nuclear industry.
Accidents are defined as Condition 1, 11, 111, IV, or beyond design basis. As stated in WBN Unit 2 FSAR Section 15.0,"Accident Analyses," TVA uses the American Nuclear Society (ANS) classification system, which divides plant conditions into four categories in accordance with anticipated frequency of occurrence and potential radiological consequences to the public.Section 4.3.1 of the WBN Unit 2 FSAR also describes the categorization of plant conditions used by TVA, which are provided as follows for information:
The full spectrum of plant conditions is divided into four categories, in accordance with the anticipated frequency of occurrence and risk to the public: (1) Condition I-Normal Operation and Operational Transients (2) Condition Il-Faults of Moderate Frequency (3) Condition IIIlinfrequent Faults (4) Condition IV-Limiting Faults In general the Condition I occurrences are accommodated with margin between any plant parameter and the value of that parameter which would require either automatic or manual protective action. Condition II incidents are accommodated with, at most, a shutdown of the reactor with the plant capable of returning to operation after corrective action. Fuel damage, defined as penetration of the fission product barrier, i.e., the fuel rod clad, is not expected during Condition I and Condition II events. It is not possible to preclude a very small number of rod failures for these events; however, the resulting fission product activity that would potentially result is within the design capability of the Chemical and Volume Control System (CVCS) and is consistent with the plant design bases.Condition III incidents do not cause more than a small fraction of the fuel elements in the reactor to be damaged, although sufficient fuel element damage might occur to preclude immediate resumption of operation.
The release of radioactive material due to Condition III incidents is not sufficient to interrupt or restrict public use of these areas beyond the exclusion radius. Furthermore, a Condition III incident does not, by itself, generate a Condition IV fault or result in a consequential loss of function of the reactor coolant or reactor containment barriers.Condition IV occurrences are faults that are not expected to occur but are defined as limiting faults which must be designed against. Condition IV faults shall not cause a release of radioactive material that exceeds the limits of 10 CFR [Part] 100.The core design power distribution limits related to fuel integrity are met for Condition I occurrences through conservative design and maintained by the action of the control system. The requirements for Condition II occurrences are met by providing an adequate protection system which monitors reactor parameters.
The Control and Protection Systems are described in Chapter 7 [of 4-23 the FSAR] and the consequences of Condition II, Ill and IV occurrences are given in Chapter 15 [of the FSAR].4.6 Functional Design of Reactivity Control Systems Section 4.2.3, "Reactivity Control System," of the WBN Unit 2 FSAR describes the functional design of the WBN Unit 2 reactivity control systems. The NRC staff compared Section 4.2.3 of the WBN Unit 2 FSAR with Section 4.2.3 of the WBN Unit 1 FSAR and concluded that no substantive differences exist. Therefore, the staff concludes that Section 4.2.3 of the WBN Unit 2 FSAR is acceptable.
FSAR Section 4.3, "Nuclear Design," describes the functional requirements of the reactivity control system. Section 4.3 of this SSER provides the staff's evaluation of the functional requirements of the reactivity control system.4-24 5 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS 5.2 Integrity of Reactor Coolant Pressure Boundary 5.2.4 Reactor Coolant Pressure Boundary Inservice Inspection and Testing By letter dated June 17, 2010 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML101680561), the Tennessee Valley Authority (TVA, the applicant) submitted Revision 3 to its Preservice Inspection Program Plan to the U.S. Nuclear Regulatory Commission (NRC) staff for review in accordance with Title 10 of the Code of Federal Regulations (10 CFR) 50.55a, "Codes and Standards," for the Watts Bar Nuclear Plant (WBN), Unit 2.Appendix Z to this SSER includes the NRC staffs evaluation of the WBN Unit 2 Preservice Inspection Program Plan.5.4 Component and Subsystem Design 5.4.3 Residual Heat Removal System 5.4.3.1 Regulatory Evaluation The residual heat removal (RHR) system cools down the reactor coolant system (RCS)following shutdown by reducing the temperature of the RCS to cold shutdown levels. During refueling operations, the RHR system cools the core and refills the refueling canal. During startup operations, the RHR system is connected to the chemical and volume control system to provide an alternate letdown path to control the RCS pressure.
During power operation and in hot shutdown, a safety injection signal aligns the RHR system to the emergency core cooling system (ECCS) to inject coolant into the RCS under low-pressure conditions.
The NRC staff focused its review on the functional capability of the RHR system to cool the RCS following shutdown (i.e., to remove decay heat). The NRC staffs acceptance criteria are based on the following:
General Design Criterion (GDC) 4, "Environmental and Dynamic Effects Design Bases," of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50,"Domestic Licensing of Production and Utilization Facilities," which requires licensees to protect structures, systems, and components (SSCs) important to safety against dynamic effects* GDC 5, "Sharing of Structures, Systems, and Components," which requires that SSCs important to safety not be shared among nuclear power units unless it can be shown that sharing will not significantly impair the ability of the SSCs to perform their safety functions* GDC 34, "Residual Heat Removal," which specifies requirements for an RHR system The staff also referred to the specific review criteria that appear in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," Section 5.4.7, "Residual Heat Removal (RHR) System," Revision 5, issued May 2010.5-1 5.4.3.2 Technical Evaluation Plants use the RHR system for shutdown cooling operations and for emergency low-pressure core cooling as part of the ECCS. During normal operation, the RHR system is aligned to the ECCS. During shutdown cooling operations (i.e., RCS temperature below 350 degrees Fahrenheit (F) and pressure below 425 pound-force per square inch gauge (psig)), the RHR system is aligned for normal shutdown cooling (i.e., to remove decay heat). Because each WBN unit is equipped with its own RHR system, the staff concludes that TVA complies with the requirements of GDC 5.To take the plant from hot standby to cold shutdown conditions, the licensee must do the following:
- Remove residual heat and stored energy.* Continue to circulate the reactor coolant.* Borate the reactor coolant to the cold shutdown boron concentration.
- Depressurize the RCS and supply makeup water.After shutdown, steam generators (SGs) reject heat to the condenser or to the atmosphere until the RCS temperature and pressure have been reduced to approximately 350 degrees F and 370 psig (in about 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />). Then the RHR system continues the RCS cooldown to the refueling temperature.
In Section 3.1, "Conformance with NRC [GDC]," of the WBN Unit 2 final safety analysis report (FSAR), TVA indicated that, under normal shutdown conditions, the RHR system can remove residual heat and reactor coolant pump heat from the reactor in accordance with GDC 34, which requires licensees to meet the specified acceptable fuel design limits and the reactor coolant pressure boundary acceptable pressure limits. Table 5.5-7, "Design Bases for [RHR] System Operation," of the FSAR indicates that the time required to cool the RCS to the cold shutdown condition (140 degrees F) with both RHR system trains in operation would be about 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />. This cooldown time would be longer with only one RHR system train in operation.
GDC 34 also specifies that the RHR system must be designed for redundancy in components and features, interconnections, leak detection, and isolation and for operation with and without onsite or offsite electric power. Effective RHR cooling requires the use of one RHR pump, heat exchanger, and associated piping and components (e.g., one component cooling system and essential raw cooling water pumps).The two RHR pumps are connected to separate buses that can be powered by separate diesel generators in the event of loss of offsite power. The parallel trains containing the RHR pumps and heat exchangers provide redundancy of the major components.
The two isolation valves in series in the suction line each have a bypass line that contains a normally closed motor-operated valve. This alternate path can be used if one of the normal isolation valves cannot be opened. An inadvertent closure of one of the main isolation valves during RHR operation would result in the loss of suction to the RHR pumps. TVA has installed an RHR flow alarm that will alert the operator to use an alternate cooling mode (e.g., to open the bypass) in case the RHR pump suction is lost. The alarm will annunciate in the control room when RHR low-flow conditions are detected, as verified in NRC Inspection Report 50-390184-28 and 50-391/84-23, dated May 11, 1984.5-2 Relief valves on the suction line and on each of the discharge lines provide RHR overpressure protection.
The suction line relief valve has a capacity of 900 gallons per minute at 450 psig, which is sufficient to relieve the flow equivalent to two charging pumps. Three relief valves manage intersystem leakage across the two check valves in each of the four RHR system cold-leg injection lines or across the two check valves and one normally closed gate valve in each of the two RHR system hot-leg injection paths. If the pressure in these lines reaches 600 psig, the relief valves would open and discharge to the pressurizer relief tank.The RHR system can be isolated from the RCS when the RCS is above the design pressure of the RHR system (600 pound-force per square inch absolute).
Two motor-operated isolation valves between the RHR pump suction line and the RCS are interlocked with one of the independent RCS pressure signals. These valves do not open until the RCS pressure falls to a value of 425 psig. If opened, the valves are closed when the RCS pressure rises to 750 psig.The staff concludes that this arrangement is acceptable because it provides additional protection to the RHR system from overpressure.
Two check valves and an open motor-operated valve on each RHR discharge line protect the RHR system from exposure to the RCS pressure during operation.
The WBN design features permit leak testing of each check valve separately during plant operation.
Several safety valves and one atmospheric dump valve are used for each SG on the steamlines immediately outside the containment structure and upstream of the main steam isolation valves.The atmospheric dump valves are operated by air that the station control and service air system provides.
If the normal compressed air supply fails to supply adequate air pressure, the auxiliary compressed air system automatically provides the required air supply. This backup air supply ensures valve operability during all plant conditions.
The atmospheric dump valves are seismic Category I. Electric and air power sources to these valves are safety related, and the valves can be operated from the control room. The steam relief capacity of the valves is such that the failure of any one valve to open will not prevent the plant from reaching cold shutdown using the remaining valves.Based on the above, the staff concludes that the RHR system has suitable redundancy in components and features.
Suitable interconnections and isolation capabilities ensure that the RHR system can perform its normal safety function, assuming a single failure, with either onsite or offsite power, as required by GDC 34, and with operator actions only from the control room under normal conditions as required by GDC 19, "Control Room." Thus, the requirements of GDC 34 are satisfied.
By letter dated July 11, 1991, TVA submitted an analysis based on cooldown tests performed at Diablo Canyon Nuclear Power Plant (Diablo Canyon) to demonstrate compliance with NRC Branch Technical Position (BTP) Reactor Systems Branch (RSB) 5-1, "Design Requirements for Decay Heat Removal Systems," Revision 2, issued July 1981. Section 5.4.3 of NUREG-0847,"Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units I and 2," issued June 1982, documents this issue, and its Supplement 10, issued October 1992, resolves it. BTP RSB 5-1 requires that test programs for PWRs include tests with supporting analyses to (1) confirm that adequate mixing of borated water added before or during cooldown can be achieved under natural circulation conditions and permit estimation of the times required to achieve such mixing and (2) confirm that the cooldown under natural circulation conditions can be achieved within the limits specified in the emergency operation procedures.
In addition, the design of the unit must allow the reactor to be taken from normal operating conditions to cold shutdown using only safety-grade systems. Through its comparison of systems and equipment, 5-3 TVA has demonstrated that the results of the natural circulation boron mixing cooldown tests at Diablo Canyon are applicable to WBN.To demonstrate compliance with BTP RSB 5-1, TVA provided an analysis in its letter dated July 11, 1991, comparing the major systems related to natural circulation cooldown of WBN to those of Diablo Canyon, Unit 1, which showed that the systems adequately provide for natural circulation, boration, cooldown, and depressurization.
TVA evaluated the RCS, the auxiliary feedwater (AFW) system, the main steam system, the chemical and volume control system, and the RHR system. In addition, a transient simulation demonstrates WBN's capability to attain cold shutdown conditions for a postulated worst-case scenario.The WBN and Diablo Canyon plants are of similar power level and are equipped with similar components in a four heat transfer loop configuration with an SG and reactor coolant pump in each loop.Both plants incorporate two motor-driven AFW pumps and one turbine-driven AFW pump. Each motor-driven pump supplies AFW to two SGs, and each turbine-driven pump supplies AFW to all four SGs. Pump flow capacities are similar.The SGs at both units have pressure-relief valves that are used for plant cooldown.
The Diablo Canyon SG relief valves are air-operated valves. Both plants are equipped with a pressure-relief valve in each steamline.
The natural circulation cooldown test at Diablo Canyon used the charging pumps to deliver borated water (20,000 parts per million (ppm) of boron) to the RCS. Subsequent charging was drawn from the volume control tank. The boron concentration in the volume control tank was adjusted to 2,000 ppm to simulate charging from the refueling water storage tank.At WBN, the boric acid transfer pumps normally pump boric acid (nominal boron concentration of 21,000 ppm) from the boric acid storage tank to the suction of the centrifugal charging pumps. A backup source of boric acid is available from the refueling water storage tank at a minimum of boron concentration of 2,000 ppm boron. The comparison of the RHR systems at both plants did not reveal any significant design differences.
The Diablo Canyon boron mixing test demonstrated that there was adequate boron mixing under natural circulation conditions when highly borated water at low temperatures and low flow rates (relative to RCS temperature and flow rate) was injected into the RCS. The test also evaluated the time delay associated with boron mixing under these conditions.
The acceptance criterion for this portion of the test was that the indicated boron concentration in the RCS hot legs had increased by 250 ppm or more. Within 12 minutes, natural circulation had provided enough mixing to raise the indicated boron concentration by 340 ppm. The boron concentration in the boric acid storage tank at WBN is slightly higher than that at Diablo Canyon (21,000 ppm nominal).
Because natural circulation flow at WBN should be similar to the flow at Diablo Canyon, the staff concludes that boron mixing would also be adequate at WBN.A comparison of the two plant designs and components showed that the plants are similar enough to justify the application of the results of the natural circulation boron mixing cooldown test at Diablo Canyon to WBN. A computer simulation of thermal-hydraulic behavior during the WBN natural circulation cooldown scenario, performed with the Westinghouse TREAT computer code, showed that WBN can attain RHR initiation conditions in less than 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />. The staff 5-4 reviewed the information provided by TVA and concludes that these methods and the results are acceptable for WBN Unit 2.5.4.3.3 Conclusion The NRC staff has reviewed TVA's analyses related to the RHR system and concludes that TVA has shown that the RHR system will adequately cool the RCS following shutdown and will remove decay heat. Therefore, the NRC staff concludes that the RHR system complies with the requirements of GDC 4, 5, and 34 of Appendix A to 10 CFR Part 50.5.4.5 Reactor Coolant System Vents (ll.B.1)As stated in Section 5.4.5 of NUREG-0847, Item ll.B.1, "Reactor Coolant System Vents," of NUREG-0737, "Clarification of TMI Action Plan Requirements," issued November 1980, requires the installation of RCS and reactor vessel head high point vents that are remotely operated from the control room. Section 5.5.6, "Reactor Vessel Head Vent System," of the WBN Unit 2 FSAR describes the RCS and reactor vessel head high point vent system. The NRC previously approved the system, as documented in NUREG-0847 and its supplements, particularly, Supplement 12, issued October 1993.In its submittal dated September 14,1981 (ADAMS Accession No. ML073521447), TVA committed to providing the same RCS vent system for WBN as approved by the NRC for Sequoyah Nuclear Plant in NUREG-01 11, "Evaluation of High-Temperature Gas-Cooled Reactor Particle Coating Failure Models and Data," Supplement 5, issued June 1981, and to using the venting guidelines developed by the Westinghouse Owners Group. The NRC staff concludes that TVA's commitments are acceptable, pending completion of the staffs generic review. Based on its review, the NRC staff concludes that the guidelines are acceptable for implementation, as documented in Generic Letter 83-22, "Safety Evaluation of Emergency Response Guidelines," dated June 3, 1983. Therefore, the staffs conclusions, as documented in NUREG-0847 and its supplements, remain valid, and the staff concludes that the WBN Unit 2 RCS vent system is acceptable, pending verification of the installation of the RCS vent system.This is Open Item 69 (Appendix HH).5-5
6 ENGINEERED SAFETY FEATURES 6.1 Engineered Safety Features Material 6.1.1 Metallic Materials 6.1.1.1 Introduction As discussed below in this section, the U.S. Nuclear Regulatory Commission's (NRC's)regulations require that engineered safety features (ESF) be compatible with the fluids to which they may be exposed during normal operation, maintenance, testing, and postulated accident conditions.
To maintain the integrity of the reactor coolant pressure boundary (RCPB), ESF components that are part of, or interface with, the RCPB must be fabricated of materials with a low probability of significant degradation or rapidly propagating fracture.
In addition to using appropriate fabrication materials, processes for welding, nondestructive examination, and cleaning of ESF systems must be controlled to ensure initial quality and prevent deterioration.
6.1.1.2 Summary of Application In Section 6.1.1 of NUREG-0847, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," issued June 1982, the NRC staff concluded that the ESF materials used at the Watts Bar Nuclear Plant (WBN) complied with regulatory requirements.
In Amendment 97 to the final safety analysis report (FSAR), dated January 11, 2010, the Tennessee Valley Authority (TVA) modified Section 6.1.1 to include additional information on the behavior of qualified coatings in containment.
Additionally, in FSAR Amendment 97, TVA changed the nominal boron concentration in the accumulators and refueling water storage tank (RWST) and the sump pH. (In chemistry, pH is used as a measure of acidity or alkalinity.)
6.1.1.3 Regulatory Criteria The staff referred to the following regulatory requirements in its review of ESF materials used at WBN, Unit 2: General Design Criterion (GDC) 1, "Quality Standards and Records," in Appendix A,"General Design Criteria for Nuclear Power Plants," to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," and 10 CFR 50.55a, "Codes and Standards," as they relate to quality standards for design, fabrication, erection, and testing of ESF components and the identification of applicable codes and standards* GDC 4, "Environmental and Dynamic Effects Design Bases," as it relates to compatibility of ESF components with environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents (LOCAs)GDC 14, "Reactor Coolant Pressure Boundary," as it relates to design, fabrication, erection, and testing of the RCPB so that the probability of abnormal leakage, of rapidly propagating failure, and of gross rupture is extremely low 6-1 GDC 31, "Fracture Prevention of Reactor Coolant Pressure Boundary," as it relates to designing the RCPB so that the boundary behaves in a nonbrittle manner and the probability of rapidly propagating fracture and gross rupture of the RCPB is extremely low GDC 35, "Emergency Core Cooling," as it relates to providing adequate core cooling following a LOCA at such a rate that fuel and clad damage that could inhibit core cooling is prevented and the clad metal-water reaction is limited to negligible amounts GDC 41, "Containment Atmosphere Cleanup," as it relates to control of the concentration of hydrogen in the containment atmosphere following postulated accidents to ensure that containment integrity is maintained Criterion XIII of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50, states that, "Measures shall be established to control the handling, storage, shipping, cleaning and preservation of material and equipment in accordance with work and inspection instructions to prevent damage or deterioration." The NRC staff reviewed the changes to FSAR Section 6.1.1 using the guidance of Section 6.1.1, Revision 2, "Engineered Safety Features Materials," dated July 31, 1981, of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (hereafter referred to as the SRP).6.1.1.4 Technical Evaluation In FSAR Amendment 97, TVA modified Section 6.1.1.1, "Materials Selection and Fabrication," to add the following sentence to the paragraph discussing the compatibility of the ESF system materials with containment sprays and core cooling water in the event of a LOCA: Note that qualified coatings inside primary containment located within the zone of influence are assumed to fail for the analysis in the event of a loss-of coolant accident.
The zone of influence for qualified coatings is defined as a spherical zone with a radius of 10 times the break diameter.The staff's evaluation of the above information is Open Item 59 (Appendix HH), pending resolution of Generic Safety Issue 191, "Assessment of Debris Accumulation on Pressurized-Water Reactor (PWR) Sump Performance" (for background, see NRC Generic Letter 2004-02,"Potential Impact of Debris Blockage on Emergency Recirculation during Design Basis Accidents at Pressurized-Water Reactors," dated September 13, 2004) for WBN Unit 2.In Section 6.1.1.2 of FSAR Amendment 97, TVA changed the nominal boron concentration of the accumulators from 2,000 to 3,150 parts per million (ppm) and the boron concentration of the RWST from 2,050 to 3,200 ppm. The sump pH was also corrected from "approximately 8.1" to"at least 7.5." The NRC staff reviewed these FSAR changes using the guidance for the review of ESF fluid chemistry provided in Branch Technical Position (BTP) Materials Engineering Branch (MTEB) 6-1, "pH for Emergency Coolant Water for PWRs" (which is appended to SRP Section 6.1.1, Revision 2).6-2 SRP Section 6.1.1 recommends that, for pressurized-water reactors (PWRs) to meet the requirements of GDC 4, 14, and 41, the composition of containment spray and core cooling water should be controlled to ensure a minimum pH of 7.0, as addressed in BTP MTEB 6-1.Since the revised pH will exceed 7.0, the staff concludes that the change is acceptable.
BTP MTEB 6-1 includes the additional guidance that, for the spray water recirculated from the containment sump, the higher the pH (i.e., in the 7.0 to 9.5 range), the greater the assurance that no stress-corrosion cracking will occur. Therefore, the staff concludes that the change from pH 7.0 to pH 7.5 is beneficial.
Finally, BTP MTEB 6-1 states that, if a pH greater than 7.5 is used, consideration should be given to the hydrogen generation problem from corrosion of aluminum in the containment.
Since the pH could potentially exceed 7.5, TVA should address the possibility of hydrogen generation.
The staff asked TVA, in Request for Additional Information (RAI) 6.1.1-1, to describe how the generation of hydrogen by corrosion of reactive metals was addressed.
In its response to the NRC dated July 31, 2010, WVA confirmed that reactive metals were considered in TVA's calculations of the hydrogen concentration generated during post-LOCA conditions.
TVA also noted that WBN Unit 2 is being licensed consistent with Regulatory Guide (RG) 1.7, "Control of Combustible Gas Concentrations in Containment," Revision 3; therefore, unlike WBN Unit 1, Unit 2 will not have hydrogen recombiners.
Instead, WBN Unit 2 will have hydrogen igniters.The potential problem with hydrogen generation is described in Section B, "Discussion," of RG 1.7, Revision 3:[10 CFR] Section 50.44 provides requirements for the mitigation of combustible gas generated by a beyond-design-basis accident.
In existing light-water reactors, the principal combustible gas is hydrogen...
If a sufficient amount of combustible gas is generated, it may react with oxygen present in the containment at a rate rapid enough to lead to a containment breach or a leakage rate in excess of technical specification limits. Additionally, damage to systems and components essential to continued control of the post-accident conditions could occur...all PWRs with ice condenser type containments must have the capability to control combustible gas generated from a metal-water reaction involving 75 percent of the fuel cladding surrounding the active fuel region (excluding the cladding surrounding the plenum volume) so that there is no loss of containment structural integrity.
The deliberate ignition systems provided to meet this existing combustible gas source term are capable of safely accommodating even greater amounts of combustible gas associated with even more severe core melt sequences that fail the reactor vessel and involve molten core-concrete interaction.
Deliberate ignition systems, if available, generally consume the combustible gas before it reaches concentrations that can be detrimental to containment integrity.
TVA further stated that the Westinghouse containment analyses appropriately considered reactive metals, and the quantity of reactive metals considered was conservatively assumed to be approximately 130 percent of the WBN Unit 1 baseline inventory.
Criterion XIII of 10 CFR Part 50, Appendix B, requires that measures be established to control material and equipment in accordance with work and inspection instructions to prevent damage or deterioration.
In its letter dated July 31, 2010, TVA stated that WBN procedures require 6-3 evaluation and accounting of reactive metals (aluminum and zinc) in containment to minimize the production of postaccident hydrogen.
These procedures require that, "Materials within the containment that would yield hydrogen gas due to corrosion from the emergency cooling or containment spray solutions should be identified, and their use should be limited as much as practical." Specifically, TVA described the process that it will use during construction to ensure that reactive metals are minimized.
This process includes containment walkdowns and reviews of design-basis documents and work packages to establish a baseline inventory of reactive metals. TVA further indicated that it will compare the baseline inventory to WBN Unit 2 calculations to ensure that conservative assumptions are used. TVA also stated that, after the baseline inventories are established, station procedures will control future additions and removals.The NRC staff reviewed IVA's proposed process for minimizing reactive metals that could produce hydrogen following a LOCA. The staff concludes that the assumption used by TVA in the containment analysis (i.e., the quantity of reactive metal was assumed to be 130 percent of the WBN Unit 1 baseline inventory) is appropriately conservative, based on engineering judgment and good practice.
Additionally, the staff concludes that TVA's proposal to inventory reactive metals during the construction phase and control these materials by plant procedures during operation is reasonable.
Furthermore, this proposal meets Regulatory Position C.4 of RG 1.7, which recommends that materials within the containment that would yield hydrogen gas by corrosion from the emergency cooling or containment spray solutions be identified and their use limited as much as practicable.
Therefore, the staff concludes that TVA's response is acceptable.
The regulation at 10 CFR 50.44(c), requires that all water-cooled reactor construction permits or operating licenses under 10 CFR Part 50 issued after October 16, 2003, comply with the following:
All containments must have an inerted atmosphere, or must limit hydrogen concentrations in containment during and following an accident that releases an equivalent amount of hydrogen as would be generated from a 100 percent fuel clad-coolant reaction, uniformly distributed, to less than 10 percent (by volume)and maintain containment structural integrity and appropriate accident mitigating features.Section 6.2.5.1 of the WBN Unit 2 FSAR states that the combustible gas control system of the containment air return system, the hydrogen analyzer system and the hydrogen mitigation system, conforms to the requirements of 10 CFR 50.44, "Combustible Gas Control for Nuclear Power Reactors." FSAR Section 6.2.5.1 further states the following:
In an accident more severe than the design-basis loss-of-coolant accident, combustible gas is predominantly generated within containment as a result of the following:
- 1. Fuel clad-coolant reaction between the fuel cladding and the reactor coolant.2. Molten core-concrete interaction in a severe core melt sequence with a failed reactor vessel.6-4 These reactions may produce much more hydrogen than could be produced by corrosion of reactive metals by ESF coolant. Therefore, it may be unnecessary to quantify and limit reactive metals. The staff requested in RAI 6.1.1-1 that TVA provide clarifying information.
In its letter to the NRC dated July 31, 2010, TVA stated that it did not take credit for the clad-coolant reaction dominating hydrogen production to justify not controlling other reactive metals, such as aluminum and zinc.Based on the information discussed above, the NRC staff concludes that the controls on the pH and chemistry of the reactor containment sprays and emergency core cooling system solutions meet the staff positions on postaccident chemistry requirements for PWR emergency coolant water, as well as the requirements of GDC 14 for ensuring the low probability of abnormal leakage or failure of the RCPB and safety-related structures.
Therefore, the staff concludes that the proposed pH for emergency coolant water is acceptable.
6.1.1.5 Conclusions Based on its review of the information provided by TVA, the NRC staff concludes that the controls on pH and chemistry of the reactor containment sprays and the emergency core cooling water following a loss-of-coolant or design-basis accident are adequate to reduce the probability of stress-corrosion cracking of the austenitic stainless steel components and welds of the ESF systems in containment throughout the duration of the postulated accident, from accident initiation to cleanup completion.
Therefore, the staff concludes that TVA complies with the requirements of GDC 4, 35, and 41 and Appendix B to 10 CFR Part 50 with respect to the compatibility of ESF components with environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including LOCAs.The staff also concludes that control of the sprays and cooling water pH, in conjunction with controls on selection of containment materials, is consistent with RG 1.7 and provides assurance that the sprays and cooling water will not yield excessive hydrogen gas evolution from corrosion of containment metal or cause serious deterioration of the materials in containment.
6.2 Containment
Systems 6.2.7 Fracture Prevention of the Containment Pressure Boundary The NRC staff reviewed the changes made by TVA in FSAR Amendment 97 to FSAR Section 3.1.2.4, "Fluid Systems," Criterion 31, and determined that the information related to fracture prevention of the containment pressure boundary had not been substantively changed.Therefore, based on its review of FSAR Amendment 97 and previous evaluations documented in the original NUREG-0847 and NUREG-0847, Supplement 4, dated March 1985, the staff concludes that measures taken by TVA to prevent fracture of the containment boundary continue to meet the relevant requirements of GDC 31 and are therefore acceptable.
6.6 Inservice
Inspection of Class 2 and 3 Components By letter dated June 17, 2010 (Agencywide Documents Access and Management System Accession No. ML101680561), TVA provided Revision 3 of its Preservice Inspection Program Plan to the NRC for review, in accordance with 10 CFR 50.55a, "Codes and Standards," for WBN Unit 2.6-5 Appendix Z to this supplemental safety evaluation report includes the NRC staffs evaluation of the WBN Unit 2 Preservice Inspection Program Plan.6-6 7 INSTRUMENTATION AND CONTROLS 7.1 Introduction
7.1.1 General
The U.S. Nuclear Regulatory Commission (NRC) staff originally reviewed the Watts Bar Nuclear Plant (WBN) instrumentation and controls in Section 7 of NUREG-0847, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2" (the SER), issued June 1982, and in supplemental SER (SSER) 13, issued April 1994, and SSER 16, issued September 1995. In its review, the staff referred to the guidance of NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants" (the SRP), Section 7.1, Revision 5, issued March 2007, "Instrumentation and Controls-Introduction." The acceptance criteria state, in part, the following:
10 CFR 50.55a(h), "Protection and Safety Systems," requires compliance with IEEE Std. 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995.For nuclear power plants with construction permits issued before January 1, 1971, the applicant/licensee may elect to comply instead with their plant-specific licensing basis. For nuclear power plants with construction permits issued between January 1, 1971, and May 13, 1999, the applicant/licensee may elect to comply instead with the requirements stated in IEEE Std. 279-1971,"Criteria for Protection Systems for Nuclear Power Generating Stations." The Tennessee Valley Authority (TVA) described in the WBN Unit 2 final safety analysis report (FSAR), Section 7.1, "Introduction," that the information provided in FSAR Chapter 7 emphasizes those instruments and associated equipment that constitute the protection system as defined in Institute of Electrical and Electronics Engineers (IEEE) Std. 279-1971.
Since the construction permit for WBN Unit 2 was issued in 1973, TVA's use of IEEE Std. 279-1971 is acceptable.
The NRC staff reviewed WBN Unit 2 FSAR Amendment 96, dated December 14, 2009; Amendment 98, dated May 7, 2010; Amendment 100, dated September 1, 2010; and Amendment 102, dated December 30, 2010, and determined that there were no substantive changes to FSAR Section 7.1.1 from those previously reviewed and approved by the staff. All of the changes were either editorial or made to be consistent with other FSAR sections.
Therefore, based on the staff's previous evaluation, as documented in the SER and its supplements, and the staffs evaluation of TVA's amendments to the FSAR, the staff concludes that the information provided in FSAR Section 7.1.1 meets the relevant requirements of the SRP and is acceptable.
7.1.2 Comparison
with Other Plants TVA's comparison of WBN Unit 2 with other plants is referenced in FSAR Section 7.1.1.4. TVA states in the FSAR that "System functions for all systems discussed in Chapter 7 are similar to those of Sequoyah Nuclear Plant. Detailed comparison is provided in Section 1.3." TVA made no changes to the discussion in FSAR Section 7.1.1.4 from those previously reviewed and approved by the staff. Therefore, no staff review is required for this section.7-1
7.1.3 Design
Criteria The NRC staff reviewed WBN Unit 2 FSAR Amendments 96, 98, 100, and 102 to evaluate substantive changes made to FSAR Section 7.1.3 subsequent to the staff's review and approval in the SER, SSER 4, issued March 1985, and SSER 15, issued June 1995. In FSAR Amendment 96, TVA deleted Regulatory Guide (RG) 1.11, "Instrument Lines Penetrating Primary Containment," from FSAR Table 7.1-1, "Watts Bar Nuclear Plant NRC Regulatory Guide Conformance." TVA's justification was that, in FSAR Amendments 52, dated June 18, 1984, and 69, dated January 21, 1992, this RG was deleted from FSAR Section 6.2.4,"Containment Isolation System." This RG describes acceptable methods of complying with Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," Appendix A, "General Design Criteria for Nuclear Power Plants," General Design Criterion (GDC) 55, "Reactor Coolant Pressure Boundary Penetrating Containment," and GDC 56, "Primary Containment Isolation." TVA changed FSAR Section 7.1 to be consistent with FSAR Section 6.2.4. Therefore, the change is acceptable to the staff.TVA deleted RG 1.40, Revision 0, "Qualification Tests of Continuous-Duty Motors Installed Inside the Containment of Water-Cooled Nuclear Power Plants," and RG 1.73, Revision 0,"Qualification Tests of Electric Valve Operators Installed Inside the Containment of Nuclear Power Plants," from this FSAR section and relocated them to FSAR Section 8.1.5.3,"Compliance to Regulatory Guides and IEEE (Institute of Electrical and Electronic Engineers)
Standards," which discusses compliance with RGs for electrical systems and components.
Because these RGs describe the qualification of continuous-duty motors and qualification of electric valve operators, the change is appropriate and is acceptable to the staff.TVA relocated documentation of its compliance with RG 1.45, Revision 0, "Reactor Coolant Pressure Boundary Leakage Detection Systems," and IEEE Std. 308-1971, "Class IE Power Systems for Nuclear Power Generating Stations," from this FSAR section to FSAR Sections 5.2.7, "RCPB (Reactor Coolant Pressure Boundary)
Leakage Detection Systems," and 8.1.5, "Design Criteria and Standards," respectively.
Because these FSAR sections are more appropriate to the topics related to this RG and IEEE Std., the change is acceptable to the staff.TVA added IEEE Std. 323-1971, "IEEE Trial-Use Standard:
General Guide for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations," and IEEE Std. 379-1972, "IEEE Trial-Use Guide for the Application of the Single Failure Criterion to Nuclear Power Generating Station Protection Systems," to FSAR Table 7.1-1. These standards were previously mentioned in the notes that were used for discussion of compliance with RG 1.89, Revision 1,"Environmental Qualification of Certain Electrical Equipment Important to Safety for Nuclear Power Plants," and RG 1.53, Revision 0, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems." The addition of these standards to FSAR Table 7.1-1 is administrative and is acceptable to the staff.TVA added RG 1.133, "Loose-Part Detection Program for the Primary System of Light-Water Cooled Reactors," Revision 1, issued May 1981, to FSAR Table 7.1-1. TVA described compliance to this RG in Note 12 to the table. The staffs review of TVA's compliance with RG 1.133 is provided in Section 7.6.1, "Loose Part Monitoring System," of this SSER.FSAR Section 7.1.2.1.8 describes the functional diversity of the design of the reactor protection system (RPS). TVA added a new reference to Westinghouse topical report WCAP-13869,"Reactor Protection System Diversity in Westinghouse Pressurized Water Reactors," 7-2 Revision 2, September 1994, to the section. Revision 1 of the topical report was reviewed and approved by the staff for Unit 1 in Section 7.2.1.2, "Watts Bar Specific Issues," of SSER 13, issued April 1994. It is unclear to the staff why different revisions of WCAP-1 3869 are referenced for the two units. TVA should provide justification to the staff for why different revisions of WCAP-13869 are referenced for WBN Unit 1 and Unit 2. This is Open Item 65 (Appendix HH), as discussed in Section 7.2, 'Reactor Trip System," of this SSER.WBN Unit 2 FSAR Section 7.1.2.1.9, "Trip Setpoints," describes the trip setpoints for the reactor protection and engineered safety features actuation systems (ESFASs).
TVA referenced the topical report WCAP-1 7044, "Westinghouse Setpoint Methodology for Protection Systems," December 2009, for the protection system. The staff noted that WCAP-1 7044 does not address the staffs concerns noted in NRC Regulatory Issue Summary (RIS) 2006-17, "NRC Staff Position on the Requirements of 10 CFR 50.36, "Technical Specifications," Regarding Limiting Safety System Settings during Periodic Testing and Calibration of Instrument Channels," dated August 24, 2006 (Agencywide Documents Access and Management System (ADAMS)Accession No. ML051810077).
The staff issued RIS 2006-17 to provide guidance to the industry on the calculation of as-found and as-left tolerance, limiting and nominal setpoint, and allowable value in the instrument setpoint methodology, and in the use of these terms for instrument operability determinations, in order to comply with 10 CFR 50.36(c)(ii)(A) requirements for limiting safety system settings (LSSS). In response to a staff question, by letter dated May 13, 2010 (ADAMS Accession No. ML1 01390102), TVA provided the document TVA EEB-TI-28, "Branch Technical Instruction, Setpoint Calculations," Revision 7.Following its review of TVA EEB-TI-28, it was unclear to the NRC staff how TVA was following the guidance of RIS 2006-17. The staff also noted that Section 4.3.3.6 of TVA EEB-TI-28 describes correction for setpoints with a single side of interest.
In these cases, TVA reduces the uncertainties by a correction factor of 0.839. The staff concluded that the reduction in uncertainties is not justified, unless TVA can demonstrate how the 95/95 criterion in RG 1.105, Revision 3, "Setpoints for Safety-Related Instrumentation," issued December 1999, is met.7 By letter dated September 1, 2010 (ADAMS Accession No. ML1 02530216), TVA submitted WBN Unit 2 FSAR Amendment 100. In this amendment, TVA discussed in detail the setpoint methodology used by TVA and Westinghouse to calculate instrument setpoints for the RPS and the ESFAS. In response to staff questions about various aspects of the instrument setpoint methodology used by TVA and Westinghouse, TVA provided additional information by letter dated October 29, 2010 (letter open items 306 through 311; ADAMS Accession No. ML103120711).
By letter dated December 17, 2010 (ADAMS Accession No. ML1 10070327), TVA incorporated the revised description of instrument setpoint RG 1.105, Revision 3, Regulatory Position C.1 states the following:
Conformance with Part I of ISA-S67.04-1994, "Setpoints for Nuclear Safety-Related Instrumentation," 2 with the following exceptions and clarifications, provides a method acceptable to the NRC staff for satisfying the NRC's regulations for ensuring that setpoints for safety-related instrumentation are established and maintained within the technical specification limits.1. Section 4 of ISA-$67.04-1994 specifies the methods, but not the criteria, for combining uncertainties in determining a trip setpoint and its allowable values.The 95/95 tolerance limit is an acceptable criterion for uncertainties.
That is, there is a 95% probability that the constructed limits contain 95% of the population of interest for the surveillance interval selected.7-3 methodologies used by TVA and Westinghouse into FSAR Amendment 102. TVA's description is consistent with Technical Specification Task Force (TSTF)-493, Revision 4, "Clarify Application of Setpoint Methodology for LSSS Functions," which was reviewed and accepted by the NRC staff by letter dated May 11, 2010 (ADAMS Accession No. ML100710442).
TVA also stated in the FSAR that "Single-sided correction factors are not used in setpoint calculations within the scope of TSTF-493." Based on its review of WBN Unit 2 FSAR Amendment 102, the NRC staff concludes that the instrument setpoint methodology meets the guidance in RIS 2006-17 and RG 1.105.Based on its review, the staff concludes that there were no other substantive changes to the design criteria in Section 7.1 of FSAR Amendments 96, 98, 100, and 102. All other changes were either editorial or made to be consistent with other FSAR sections.7.1.4 Conclusions Based on the staff's previous evaluation, as documented in the SER and its supplements, and on the staff's evaluation of TVA's amendments to the FSAR, the staff concludes that the information in FSAR Section 7.1 meets the relevant requirements of the SRP and is acceptable, pending resolution of Open Item 65 (Appendix HH).7.2 Reactor Trip System 7.2.1 System Description The reactor trip system (RTS) is described in WBN Unit 2 FSAR Section 7.2.1.1, "System Description." It states, in part, the following:
The reactor trip system automatically keeps the reactor operating within a safe[operating]
region by shutting down the reactor whenever the limits of the region are approached.
The safe operating region is defined by several considerations such as mechanical/hydraulic limitations on equipment, and heat transfer phenomena.
Therefore, the reactor trip system keeps surveillance on process variables which are directly related to equipment mechanical limitations, such as pressure, pressurizer water level (to prevent water discharge through safety valves, and uncovering heaters) and also on variables which directly affect the heat transfer capability of the reactor (e.g. reactor coolant flow and temperatures).
Still other parameters utilized in the reactor trip system are calculated from various process variables.
In any event, whenever a direct process or calculated variable exceeds a setpoint the reactor will be shutdown in order to protect against exceeding the specified fuel design limit, gross damage to fuel cladding or loss of system integrity which could lead to release of radioactive fission products into the containment.
The following systems make up the reactor trip system: (1) Process Protection and Control System (2) Nuclear Instrumentation System (NIS)(3) Solid State Logic Protection System (4) Reactor Trip Switchgear (5) Manual Actuation Circuit 7-4 FSAR Section 7.3, "Engineered Safety Features Actuation System," further states: In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary engineered safety features (ESF). The occurrence of a limiting fault, such as a loss-of-coolant accident (LOCA) or a steamline break, requires a reactor trip plus actuation of one or more of the engineered safety features, in order to prevent or mitigate damage to the core and reactor coolant system components and ensure containment integrity.
7.2.1.1 Eagle 21 System The Eagle 21 system is a digital process protection system and is part of the RPS, which includes the RTS and the ESFAS. By letter to the NRC dated December 5, 2007 (ADAMS Accession No. ML073440022), as supplemented by letter dated February 28, 2008 (ADAMS Accession No. ML080640269, not publicly available), TVA requested approval of the Eagle 21 system for the RPS and the ESFAS in WBN Unit 2. TVA made the request on the basis that the WBN Unit I and Unit 2 Eagle 21 systems are the same except for certain minor hardware differences.
The software configuration of the Eagle 21 system is the same for both WBN units.The NRC staff previously approved the Eagle 21 system for WBN Unit 1, as documented in Section 7.2 of SSERs 13 and 15. Therefore, the staffs review of the Eagle 21 system for WBN Unit 2 focused on confirming that it conformed to the previously approved system for Unit I and that any differences in the WBN Unit 2 Eagle 21 system were acceptable.
As part of its review, the NRC staff performed an audit of the Eagle 21 system at the Westinghouse facility in New Stanton, PA, from May 10 to 13, 2010. The staffs audit was to identify and confirm design and process information for the Eagle 21 system to evaluate whether or not the WBN Unit 2 Eagle 21 system conforms to the Unit 1 system and, therefore, that it requires no further staff review. During this audit, the staff also witnessed the factory acceptance test that the Westinghouse facility was performing on the Eagle 21 system for WBN Unit 2. The NRC staff subsequently issued its audit report to TVA by letter dated November 2, 2010 (Adams Accession No. ML102240630).
During the audit, the NRC staff reviewed the software verification and validation reports (SWRs) for the Eagle 21 system (WCAP-13191, Revision 2.0, "Watts Bar Eagle 21 Process Protection System Replacement Hardware Verification and Validation Final Report," October 1992, and WCAP-1 3191, Supplement 1, August 1994), and compared the software version and revision identified on the Westinghouse drawings applicable to both WBN units.Based on this review, the NRC staff verified that TVA uses the same software in both WBN units. The NRC staff also verified that all software versions are the same for both units, as indicated in the verification and validation reports.In WBN Unit 2 FSAR Amendment 96, TVA removed the reactor trip on the power range high negative neutron flux rate trip function from WBN Unit 2 and, as a result, also removed this function from the Eagle 21 system. Removal of this function does not affect the Eagle 21 system software, because each function is programmed separately on different electronic programmable read-only memory devices. TVA justified the removal of this function on the basis that WCAP-1 0297, "Dropped Rod Methodology for Negative Flux Rate Trip Plants," June 1983, and WCAP-11 394-P-A, "Methodology for the Analysis of the Dropped Rod Event," January 1990, show that sufficient margin to the departure from nucleate boiling (DNB) ratio 7-5 exists for all Westinghouse plant designs and fuel types, such that the negative neutron flux rate trip is not required, regardless of the worth of dropped rod or bank function.
The NRC staff previously approved the removal of the negative neutron flux rate trip function from the WBN Unit I Eagle 21 system in License Amendment No. 18, dated January 15, 1999 (Adams Accession No. ML020780104).
Based on the previous staff approval for WBN Unit 1, the staff concludes that the proposed change is acceptable for WBN Unit2.In response to NRC staff questions, TVA provided a description of the differences in the Eagle 21 hardware between WBN Units 1 and 2 by letter dated February 28, 2008 (ADAMS Accession No. ML080640269, not publicly available).
During its audit at the Westinghouse facility, the staff reviewed the design drawings for the Eagle 21 system that identified the differences between the WBN units. The staff then compared these differences to those listed in TVA's Engineering Document Construction Release (EDCR)-52319, Revision A, pages 79-82. The staff noted that some of the changes identified on the drawings were not identified in EDCR-52319.
Westinghouse staff explained that some high-level configuration changes, such as a transmitter input change from 10-50 to 4-20 milliamperes, resulted in low-level changes, such as jumper designations on the input boards or connector key combinations on the termination frame for the output cards. These low-level changes do not change the function of the system and were made to accommodate the high-level changes. The NRC staff concludes that the changes were nonsubstantive and, therefore, the Westinghouse justification is acceptable.
During its audit at the Westinghouse facility, the staff also noted that WVA had not applied conformal coating to the WBN Unit 2 circuit boards. The staff asked TVA to justify the elimination of the conformal coating (audit report open item number 116). By letter dated June 21, 2010 (ADAMS Accession No. ML101730175), TVA informed the staff that it had applied the conformal coating for high humidity purposes and that it had determined through testing that these boards can perform their function in high humidity conditions without conformal coating. Therefore, it did not apply the conformal coating to the WBN Unit 2 boards.The staff asked TVA how these boards address the tin whisker issue discussed in NRC Information Notice 2005-25, "Inadvertent Reactor Trip and Partial Safety Injection Actuation Due to Tin Whisker," dated August 25, 2005. In its letter dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), TVA stated that Westinghouse has successfully tested these boards without complete conformal coating in high humidity conditions as part of its Eagle series hardware verification test and, therefore, does not take credit for conformal coating to address the tin whisker issue. Based on the successful testing of these boards without conformal coating in high humidity conditions, the staff concludes that TVA's response is acceptable for WBN Unit 2.During factory acceptance testing of the WBN Unit 2 Eagle 21 system, Westinghouse informed TVA that Rack 5 of the system loop calculation processor (LCP) experienced occasional diagnostic failures that caused the LCP to lockup while performing a parameter update. The NRC staff asked TVA to provide information about the resolution of this issue. In its letter dated June 18, 2010 (letter open item 114; ADAMS Accession No. ML101940236), TVA stated that Westinghouse had identified that a newer version of the math coprocessor chip had been installed in the WBN Unit I LCP than was installed in the Unit 2 LCP. The new version of the chip had an improved specification for calculation speed. TVA stated that it had installed and tested the new chip successfully in the WBN Unit 2 Eagle 21 system Rack 5 LCP. In its letter to the staff dated October 29, 2010 (ADAMS Accession No. ML1 03120711), TVA further stated (letter open item 114) the following: "The Eagle 21 system is installed and the Site Acceptance Test has been completed.
To the best of TVA's knowledge there are no unknown issues with 7-6 the system." Based on the supcessful site acceptance testing, the NRC staff concludes that TVA's response is acceptable.
By letter dated December 5, 2007 (ADAMS Accession No. ML073440022), TVA informed the NRC staff that it had made one design change to the WBN Unit 1 Eagle 21 system under 10 CFR 50.59, "Changes, Tests and Experiments," after initial licensing.
This change involved the installation of an external communication interface that included a serial-to-Ethernet controller (SEC) board in each of the multiple-bus chassis in the Eagle 21 system. The SEC uses the multiple-bus chassis to obtain power only. The SEC receives a datalink message in parallel with the test sequence processor and feeds the message to the integrated computer system (ICS). The link is designed such that a nonsafety-related signal cannot feed back to the safety-related Eagle 21 system. However, TVA did not confirm that testing demonstrated that two-way communication is impossible.
This was an open item in the NRC audit at the Westinghouse facility (open item number 3 of ADAMS Accession No. ML102240630).
By letter dated October 21, 2010 (letter open item number 171; ADAMS Accession No. ML1 03140661), TVA stated that "The external Eagle 21 unidirectional communications interface will be tested prior to WBN Unit 2 fuel load." This is Open Item 63 (Appendix HH) until TVA confirms that testing has demonstrated that two-way communication is impossible with the Eagle 21 communications interface.
During its audit at the Westinghouse facility, the NRC staff reviewed the environmental qualification test report for the power supply used in the Eagle 21 system, as documented in the audit summary, Item No. 7, "Hardware Qualification," of the staffs audit report dated November 2, 2010 (ADAMS Accession No. ML102240630).
TVA had previously identified that Westinghouse had replaced the original power supply with a new power supply manufactured by Arnold Magnetics.
As noted in the audit report, these power supplies are safety related, and Westinghouse has qualified them for environmental and seismic requirements in a test report issued in June 2006, and for electromagnetic interference (EMI) and compatibility requirements in a test report dated December 17, 2008. However, these reports do not discuss compliance with the guidance in RG 1.209, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," and the staff questioned TVA about the applicability of RG 1.209 to WBN Unit 2. TVA stated that these power supplies are also used in WBN Unit 1, and that WBN Unit 1 is not required to meet the guidance in RG 1.209. By letter dated July 30, 2010, TVA provided the information to confirm that it had installed Arnold Magnetics power supplies in WBN Unit 1. Based on TVA's previous qualification and use of the power supply in the Unit 1 Eagle 21 system, the staff concludes that the same power supply is acceptable for use in the WBN Unit 2 Eagle 21 system.By letter dated June 18, 2010 (letter open item number 127), TVA stated that the Eagle 21 system factory acceptance test of Rack 2 revealed that the temperature inputs to the narrow-range resistance temperature detector (RTD) were consistently reading about 0.2 degrees Fahrenheit higher than expected.
Westinghouse determined that it had incorrectly configured the inputs as a shared RTD in the LCP software.
Westinghouse initiated Corrective Action Item 10-140-M021 and performed an evaluation of a potential nuclear safety issue. It determined that this issue does not represent a substantial safety hazard even if it is left uncorrected.
By letter dated October 29, 2010 (letter open item number 128; ADAMS Accession No. ML1 03120711), TVA described the final resolution proposed by Westinghouse.
In accordance with the proposed resolution, the spare input available on the RTD input board will be wired to the active channels.
The spare input will provide the parallel resistance to resolve the problem. Jumpers will be installed at the Eagle 21 termination frame to provide a parallel connection from each existing narrow-range RTD input to an existing spare input, thus 7-7 simulating the hardware connection for shared RTDs. Therefore, as configured, the LCP will provide the correct temperature calculation for the narrow-range RTDs. TVA stated that "Post modification testing will be performed to verify that the design change corrects the Eagle 21, Rack 2 RTD accuracy issue prior to WBN Unit 2 fuel load." This is Open Item 64 (Appendix HH) pending NRC staff review of the testing results.In addition to the revisions to the Eagle 21 system description, TVA revised FSAR Section 7.2 to incorporate some additional changes. The staff reviewed these changes and asked TVA to provide additional information for the following changes to determine their acceptability:
In FSAR Amendment 96, TVA deleted some portions of Section 7.2.2.3.4, "Pressurizer Water Level," and moved the remaining portion to Section 7.2.1.1.5 without providing justification.
In response to staff questions, TVA stated in its letter to the staff dated October 5, 2010 (letter open item number 152; ADAMS Accession No. ML102910324, not publicly available), that the discussion of the ambient temperature and calibration of the sealed reference leg was too detailed and was not pertinent to the subject under discussion.
TVA also stated that it could not justify the statement that the error effect on the level measurement during a blowdown accident would be about 1 inch. The worst case reference leg loss of a fill error caused by rapid depressurization is no more than 12 inches. The error is based on the relative elevation difference between the condensing chamber and the reference leg sensor bellows. The remaining text in Section 7.2.2.3.4 was revised to clarify the discussion of control and protection system interaction.
Based on its review of the information provided by TVA, the staff concludes that the revision conforms to the guidance of RG 1.181, "Content of the Updated Final Safety Analysis Report in Accordance with 10 CFR 50.71(e)," issued September 1999, and is acceptable.
In Section 7.2.1.1.7, "Solid State Logic Protection System," of FSAR Amendment 96, TVA added a reference to Section 10.4.4.3 for an exception to the P12 (high steam flow permissive) interlock actuation function, which blocks the use of the steam dump valve below the average temperature (Tavg) low-low setpoint.
During a controlled cooldown, P12 allows operators to manually block the ESF actuation function for high steamline flow. Steam dump operation is automatically blocked to prevent undesired cooldown transients when below the P12 setpoint.
However, Section 10.4.4.3 states that the bypass condition is not displayed and that it is not automatically removed when conditions for bypass are no longer met. The staff asked TVA to justify the FSAR revision.
In its response to the staff by letter dated October 21, 2010 (letter open item number 158; ADAMS Accession No. ML1 03140661), TVA stated that it had added an alternate method for the cooldown of the reactor coolant system (RCS) using additional steam dump valves after entering Mode 4, by disabling the P12 interlock.
Operators at their discretion can use additional condenser dump valves to maintain a cooldown rate closer to the administrative limit established by the operating procedure.
This process is controlled by the procedures used to shut down the plant. One of the steps in the procedure used to shut down the plant is to issue a caution order that indicates to the operators that the P12 interlock is disabled.
TVA stated that it has made a similar change at WBN Unit 1. Based on its review of the information provided by TVA and its consistency with WBN Unit 1, the staff concludes that the revision conforms to the guidance of RG 1.181 and is acceptable.
In FSAR Amendment 96, WVA revised the statement in the middle of the first paragraph of Section 7.2.2.1.1, "Trip Setpoint Discussion," from "Shown as solid lines in 7-8 Figure 15.1-1 are the loci of conditions equivalent to 118 percent power...," to "Shown as a dashed line in Figure 15.1-1 are the loci of conditions designed to prevent exceeding 121 percent power..." TVA made this change to bring the text of Section 7.2.2.1.1 into agreement with Sections 4.3.2.2.5 and 4.4.2.2.6 and Table 4.1-1. However, Table 4.1-1 and Section 4.3.2.2.5 still shows this value as 118 percent. The staff asked TVA to justify the revision.
In its response to the staff dated October 5, 2010 (letter open item number 156; ADAMS Accession No. ML1 02910324, not publicly available), WVA stated the following:
Per Westinghouse letter WBT-D-2340, dated August 30, 2010, "FSAR Markups Units 1 and 2 118% vs 121% and Correction to RAI Response SNPB 4.3.2-7", (Reference
- 17) the 118% value should be 121%.Depending on the use in the FSAR, either 118% or 121% is the correct value. As a result of the question, Westinghouse reviewed all locations where either 118% or 121% are used and the context of use and provided a FSAR markup to reflect the correct value at the specific location.
These changes will be incorporated in FSAR Amendment 101.The staff confirmed that TVA revised the value from 118 to 121 percent in FSAR Amendment 101, dated October 29, 2010. The staff determined that both 118 and 121 percent are higher than the number used for the WBN reactor trip analysis, and Westinghouse used a higher number in its analysis to provide more safety margin.Because either 118 or 121 percent are therefore conservative, the revision is acceptable to the staff.In FSAR Amendment 96, TVA revised the sixth paragraph of Section 7.2.2.1.1 to state that the design meets the requirements in GDC 23, "Protection System Failure Modes," of Appendix A to 10 CFR Part 50 instead of those in GDC 21, "Protection System Reliability and Testability." Because this FSAR section deals with the evaluation of design with respect to common-mode failure, the staff concluded that GDC 23 is the correct reference.
The staff asked TVA to clarify the revision.
In its response (letter open item number 158) to the staff dated October 5, 2010 (not publicly available), TVA stated that it had revised the section to refer to GDC 23 in FSAR Amendment 99 [dated May 27, 2010]. Therefore, the staff considers TVA's response acceptable.
In Section 7.2.2.1.2, "Reactor Coolant Flow Measurement," of FSAR Amendment 96, TVA described the measurement of reactor coolant flow by elbow taps. This section states that TVA will use a precision calorimetric flow measurement methodology for WBN Unit 2. The staff requested that TVA describe the current plant design/methodology.
In its response (letter open item number 159) by letter dated October 5, 2010 (not publicly available), TVA stated that elbow taps are used to establish the low-flow trip for the RPS, but the method used to verify the reactor coolant flow, as required by technical specifications (TS), is not the same as that used for WBN Unit 1. For WBN Unit 2, TVA plans to transition to the same method as that used for WBN Unit I after it obtains sufficient data over several cycles of operation.
Pending this transition, TVA stated that it would revise FSAR Section 7.2.2.1.2 as follows: Nominal full power flow is established at the beginning of each fuel cycle by either elbow tap methodology or, performance of the RCS calorimetric flow measurement.
Unit 1 utilizes elbow tap methodology Reference
[17]. Unit 2 utilizes the RCS calorimetric flow measurement.
The results are used to 7-9 normalize the RCS flow indicators and provide a reference point for the low flow reactor trip setpoint.The staff previously reviewed and approved the use of the elbow tap methodology for WBN Unit 1 in License Amendment No. 47, dated October 3, 2003 (ADAMS Accession No. ML032820572).
TVA will implement the elbow tap methodology at Unit 2 after obtaining sufficient data to justify the applicability of WCAP-1 6067-NP, "RCS Flow Measurement Using Elbow Tap Methodology at Watts Bar Unit 1," April 2003 (ADAMS Accession No. ML031420200).
The staff confirmed that TVA revised FSAR Section 7.2.2.1.2 in FSAR Amendment 101 to match the above wording. Based on the previous NRC staff approval of the elbow tap methodology at Unit 1 and the revised wording in WBN Unit 2 FSAR Amendment 101, the staff concludes that TVA's response is acceptable.
In Section 7.2 of WBN Unit 2 FSAR Amendment 96, TVA references Revision 2 of WCAP-13869, but the Unit 1 FSAR references Revision 1. Revision 1 was reviewed and approved by the staff for Unit 1 in Section 7.2.1.2 of SSER 13, issued April 1994. The staff asked TVA to justify the different reference for Unit 2. In Attachment 12 to its response (letter open item number 323) to the staff dated October 29, 2010, TVA identified that the differences between Revisions 1 and 2 are based on TVA's decision to not insulate the steam generator level transmitter reference leg on Unit 2. As the WBN Unit 1 and Unit 2 designs for the steam generator reference leg are the same, it is unclear to the staff why different revisions of WCAP-1 3869 are referenced for the two units. TVA should provide justification to the staff regarding why different revisions of WCAP-13869 are referenced in WBN Unit I and Unit 2.This is Open Item 65 (Appendix HH).The NRC staff reviewed the additional changes made by TVA to WBN Unit 2 FSAR Section 7.2 and concluded that the changes were editorial or administrative in nature or were made to improve consistency with other FSAR sections.
Because the additional changes are nonsubstantive, they were acceptable to the staff.7.2.2 Manual Trip Switches The NRC staff reviewed WBN Unit 2 FSAR Amendments 96 through 101 and concluded that TVA made no substantive changes to FSAR Section 7.2.2. Therefore, the staffs conclusions as documented in the SER remain valid.7.2.3 Testing of Reactor Trip Breaker Shunt Coils The NRC staff reviewed WBN Unit 2 FSAR Amendments 96 through 101 and concluded that TVA made no substantive changes to FSAR Section 7.2.3. Therefore, the staffs conclusions as documented in the SER remain valid.7.2.4 Anticipatory Trips The NRC staff reviewed WBN Unit 2 FSAR Amendment 96 and concluded that TVA made no substantive changes to Section 7.2.1.1.2(6), "Reactor Trip on a Turbine Trip." Therefore, the staffs conclusions as documented in the SER remain valid.7-10
7.2.5 Steam
Generator Water Level Trip By letter to the NRC dated July 27, 1994 (ADAMS Accession No. ML073230681), WVA withdrew its commitment to insulate the reference leg of the steam generator water level transmitters.
TVA provided an analysis to justify its action, WCAP-1 3869, "Reactor Protection System Diversity in Westinghouse Pressurized-Water Reactor," Revision 1, November 1993, which was accepted by the staff as documented in SSER 13, issued April 1994. The staff asked TVA to confirm whether the reference leg of the steam generator water level transmitters is insulated and, if not, to confirm that the analysis that was submitted for WBN Unit 1 is also applicable to Unit 2. In its response (letter open item number 292) to the staff by letter dated October 21, 2010, TVA informed the staff that the reference leg is not insulated and that the analysis provided for WBN Unit I is also applicable to Unit 2. TVA's analysis for feedwater line break inside the containment credits the high containment pressure safety injection (SI) signal.The staff verified that TVA revised FSAR Section 15.4.2.2 to reflect that information.
Therefore, based on the previous acceptance of the analysis documented in SSER 13, the staff considers TVA's response to be acceptable.
7.2.6 Conclusions
The NRC staffs review of the RTS included the initiating circuits, logic, bypasses, interlocks, redundancy, diversity, and actuation devices used to implement reactor shutdown.
The staff verified that the RTS for WBN Unit 2 is functionally the same as that for WBN Unit 1, which was previously reviewed and accepted by the staff, as documented in the SER and its supplements.
The NRC staff specifically audited the similarity of the Eagle 21 system for WBN Unit 2 to that for WBN Unit 1. The staffs review included the differences between the Eagle 21 systems and their acceptability.
Based on the NRC staffs prior evaluation, as documented in the SER and its supplements, in particular SSER 2 (issued January 1984), SSER 13, SSER 14 (issued December 1994), and SSER 15, and the staff's review of WBN Unit 2 FSAR Amendments 96 through 102, the staff concludes that the information in FSAR Section 7.2 continues to comply with applicable regulatory requirements and that the staffs conclusions in the SER remain valid.7.3 Engineered Safety Features Actuation System 7.3.1 System Description TVA described the ESFAS in WBN Unit 2 FSAR Section 7.3. The NRC staff evaluated the ESFAS description for WBN in the SER, SSER 13, and SSER 14.In addition to the requirements for a reactor trip for anticipated abnormal transients, the facility is provided with adequate instrumentation and controls to sense accident situations and initiate the operation of necessary ESFs. The occurrence of a limiting fault, such as a loss-of-coolant accident (LOCA) or a steamline break, requires a reactor trip plus actuation of one or more of the ESFs in order to prevent or mitigate damage to the core and RCS components and ensure containment integrity.
In order to accomplish these design objectives, the ESF system has proper and timely initiating signals that are supplied by the sensors, transmitters, and logic components making up the various protection system channels and trains of the ESFAS.7-11 The ESFAS monitors selected plant parameters and, whenever predetermined safety limits are reached, the system sends actuation signals to the appropriate ESF and the auxiliary support systems equipment.
The plant variables that are monitored by the analog circuitry of the ESFAS include pressurizer pressure, steamline pressures and flows, steamline differential pressure, containment pressure, and reactor coolant average temperature.
Functions that rely on the ESFAS for initiation include the following:
- 1. a reactor trip, provided that one has not already been generated by the RTS 2. emergency core cooling system (ECCS) pumps and associated valving that provide emergency makeup water to the cold legs of the RCS following a LOCA 3. essential raw cooling water and component cooling water pumps start and heat exchanger valve realignment
- 4. auxiliary feedwater (AFW) pumps and associated valves that maintain the steam generator heat sink during emergency or accident conditions
- 5. Phase A containment isolation, whose function is to prevent fission product release (isolation of all lines not essential to reactor protection)
- 6. steamline isolation to prevent the continuous, uncontrolled blowdown of more than one steam generator and thereby uncontrolled RCS cooldown 7. main feedwater isolation as required to prevent or mitigate the effect of excessive cooldown and the effects of main steam valve vault flooding due to a main feedwater line break 8. starting the emergency diesels to assure backup supply of power to emergency and supporting systems components
- 9. isolating the control room intake ducts to meet control room occupancy requirements following a LOCA 10. emergency gas treatment system actuation 11. containment ventilation isolation 12. containment spray actuation to reduce containment pressure and temperature on a LOCA or steamline break inside containment
- 13. Phase B containment isolation that isolates the containment following a LOCA or a steam or feedwater line break within containment to limit radioactive releases, and starts the containment air return fans to cool containment and reduce pressure following an accident (Phase B isolation plus Phase A isolation result in isolation of all but SI and spray lines penetrating the containment)
- 14. automatic switchover of the residual heat removal (RHR) pumps from the injection to the recirculation mode (post-LOCA) 7-12
- 15. auxiliary building isolation The actuation functions are provided by the following equipment:
- process protection and control system solid state logic protection system engineered safety features test cabinet manual actuation circuits The Eagle 21 digital process protection system monitors various plant parameters that support the operations of the RTS and the ESFAS. By letter to the NRC dated December 5, 2007 (ADAMS Accession No. ML073440022), as supplemented by letter dated February 28, 2008 (ADAMS Accession No. ML080640269, not publicly available), TVA requested approval of the Eagle 21 process protection system that it is using for the RPS and the ESFAS in WBN Unit 2.TVA made the request on the basis that the WBN Unit 1 and WBN Unit 2 Eagle 21 process protection systems are the same, except for some minor hardware differences.
The software configuration of the Eagle 21 process protection system is the same for both WBN units. The staff review of the Eagle 21 process protection system is in Section 7.2.1.1 of this SSER.The ESFAS includes a logic portion, the solid state protection system (SSPS), which receives inputs from the process protection channels and performs the logic needed to actuate the ESF.In a meeting held on January 13, 2010, TVA informed the NRC staff that there are no design differences between the WBN Unit 1 SSPS and the WBN Unit 2 SSPS. In its letter dated March 12, 2010 (ADAMS Accession No. ML101680576, not publicly available), TVA provided a list of changes made to the ESFAS since its approval in the SER. WVA stated that the following SSPS parts have been replaced or modified in WBN Unit I due to obsolete components, enhanced manufacturing processes, or discontinuation by the original manufacturer:
System power supply-The original part was discontinued by the manufacturer, and Westinghouse designed and qualified a replacement that is in use in many SSPS systems.Test switches in the output bay-The original test switch is obsolete.Printed circuit boards-The components used on the currently designed boards are the same components but may be manufactured by different manufacturers as a result of business buyouts by other companies.
MC660 series integrated circuit devices used on circuit boards-The original logic devices are obsolete.* Circuit boards-The newly manufactured circuit boards use solder mask as a strategy to mitigate the formation of tin whiskers, which has no effect on board function or operation.
Board card edge connectors-The newly manufactured boards use a different card edge connector because the original was discontinued in 1985.7-13 AR (Westinghouse Type AR Relay with AC Coil) and MDR (Motor-driven Rotary Relay Manufactured by Potter & Brumfield) relays-MDR-4121-1 relays are installed into the output bay of the SSPS in place of AR440AR / AR880AR relays with an ARLA (Mechanical Latch Attachment with 120 Volt AC Coil) mechanical latch.WBN Unit 2 will use the same replacement components that are being used in WBN Unit 1.Because there is no change in the design and functions of the SSPS, and because the replacement components are the same as those used in WBN Unit 1, the staff concludes that the approach is acceptable for WBN Unit 2.Also in its letter dated March 12, 2010, TVA informed the NRC staff of the following physical changes to the ESFAS since Unit 1 was licensed: Deletion of the power range neutron flux high negative rate trip circuitry by modifying existing Westinghouse hardware for the SSPS: The original design basis for the negative flux rate trip was to mitigate the consequences of a dropped rod event. This change was approved by NRC staff in License Amendment No. 18 (ADAMS Accession No. ML020780104) to the WBN Unit 1 TS. Therefore, no further review is necessary, and the approach is acceptable for WBN Unit 2.Installation of a 0.01 microfarad capacitor between the "Enable" signal output pin and the"Ground" pin of memory board A707 in the SSPS computer demultiplexer:
TVA made this change in WBN Unit I under 10 CFR 50.59. Design Change Notice (DCN)-51124 implemented the change and stated that the purpose of this installation was to eliminate a logic spike on the uEnable" signal that was causing spurious ICS alarms. The NRC staff reviewed DCN-51124 and determined that there is no change to the system function as described in the FSAR. Therefore, the approach is acceptable for WBN Unit 2.Relocation of the ESFAS signals for containment isolation valve (CIV) 1 -FCV-70-1 OOA and of the 6.9 kV shutdown boards emergency feeder breakers to other slave relays: TVA made these changes in WBN Unit 1 under 10 CFR 50.59. DCN-38238 implemented the changes and stated that the purpose of the relocations was to allow testing that will not disrupt plant operation.
CVI 1 -FCV-70-1 OOA is one of four component cooling system (CCS) to reactor coolant pump (RCP) oil cooler CIVs and is automatically closed by a containment-phase signal from SSPS slave relay K626A. It is designed such that the periodic slave relay test will cause the valve to close, isolating cooling water to the RCP oil coolers. Failure of the valve to open after the test would lead to a unit shutdown.
This DCN moved 1-FCV-70-100A from slave relay K626A to K618A and added a "BLOCK" test feature to the circuit. This permits the slave relay test to be performed without isolating cooling water to the RCP oil coolers. The NRC staff reviewed DCN-38238 and determined that there are no changes to system functions as described in the FSAR. Therefore, the approach is acceptable for WBN Unit 2.The emergency feeder breakers (emergency diesel generator (DG) breakers) to the 6.9 kilovolt (kV) shutdown boards are designed to trip via slave relays K602A (train A)and K602B (train B) on an SI signal when the DG is operating in the parallel test mode.Performing the slave relay test for K602A and K602B at power would require declaring the DGs in the train being tested inoperable and entering the limiting condition for 7-14 operation (LCO). DCN-38238 moves the SI signal for the DG breakers from slave relays K602A and K602B to spare contacts on K603A, K604A, K603B, and K604B. These contacts are "GO" tested every 18 months with the unit shut down. TVA requested a subsequent TS change to extend the frequency of performing the surveillance testing of the slave relays. In License Amendment No. 17 to WBN Unit 1 (ADAMS Accession No. ML020780133), the NRC staff approved this extension.
The NRC staff reviewed DCN-38238 and determined that there are no changes to system functions as described in the FSAR. Therefore, the approach is acceptable for WBN Unit 2.Installation of test jacks on the back of reactor trip switchgear panel 1-L-1 16: This change was made in WBN Unit 1 under 10 CFR 50.59. DCN-5091 I implemented the change and states that the purpose of these jacks is to aid maintenance personnel during the performance of surveillance instructions that verify the P4 (reactor trip breaker open) interlock contacts and to eliminate the potential for personnel shock hazards or any inadvertent equipment actuation.
The staff reviewed DCN-50911 and determined that there is no change to the system function as described in the FSAR. Therefore,.
the approach is acceptable for WBN Unit 2.By letter dated October 5, 2010 (ADAMS Accession No. ML102910324, not publicly available), WVA informed the NRC staff that the Foxboro Spec 200 analog hardware was used to replace portions of the AFW controls in WBN Unit I and all safety-related analog loops in WBN Unit 2.The Foxboro Spec 200 hardware is an analog-to-analog upgrade used to replace existing obsolete hardware with the same functions.
There are no interconnections between the analog loops unless such interconnections existed prior to the replacement.
The Foxboro Spec 200 hardware is installed in existing cabinets, which require modifications to accept the Foxboro hardware racks.FSAR Section 7.3.1.1.3, "Analog Instrumentation," states that the miscellaneous safety-related analog process control and indication loops are made up of discrete analog modules that have been tested and qualified for use in safety-related systems. The various components have been qualified to IEEE Std. 323-1983 (R-1996), "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations," IEEE Standard 344-1987 (R-1 993), "IEEE Recommended Practice for Seismic Qualification of Class 1 E Equipment for Nuclear Power Generating Stations," and IEEE Standard 384-1984 (R-1992), "IEEE Standard Criteria for Independence of Class 1 E Equipment and Circuits." The modules are arranged in instrument loops to provide the safety functions listed below:* turbine-driven AFW pump flow control* motor-driven AFW pump differential pressure indication and recirculation valve control* steam generator AFW flow and level indication and control* containment pressure indication
- upper and lower compartment containment ambient temperature indication
- RHR heat exchanger CCS supply header flow* sample heat exchanger header CCS differential flow* essential raw cooling water strainer differential pressure, backwash, and flush control* CCS heat exchanger B inlet pressure* CCS surge tank level control* CCS heat exchanger B outlet temperature
- reactor vessel head vent throttle manual loading station (Unit 2 only)* emergency gas treatment system annulus differential pressure control 7-15 The components are physically arranged in the racks to meet the requirements of IEEE Std. 279 and WBN design criterion WB-DC-30-4, "Separation/Isolation." At WBN Unit 2, two Class 1 E analog modules are used to isolate 1 E to non-1 E signals. These are the contact output isolator and voltage-to-current converter, both of which have the input and output signals isolated.In WBN Unit 2 FSAR Amendment 102, TVA added the above description of the Foxboro Spec 200 hardware to Section 7.3.1.1.3, "Analog Instrumentation." Also, TVA stated that the WBN Unit 2 loops in service for WBN Unit I that are scheduled to be transferred to the Foxboro Spec 200 hardware will be transferred before the WBN Unit 2 fuel load. Because the Foxboro Spec 200 hardware is an analog-to-analog upgrade and does not change the functional operation of the system, the NRC staff concludes that this approach is acceptable for WBN Unit 2.In WBN Unit 2 FSAR Amendment 95, dated November 24, 2009, TVA made the following changes to Section 7.3, "Engineered Safety Features Actuation System," to improve consistency with other FSAR sections:* Section 7.3.1.1.1, "Function Initiation":
The wording for cold-leg injection isolation valves, charging pumps, SI pumps and RHR pumps is replaced with the broader term ECCS.0 Section 7.3.1.1.1:
A change is made to clarify that, in addition to the SI lines, the containment spray lines are also not isolated by a Phase B containment isolation signal.0 Section 7.3.1.1.2, "Process Protection Circuitry":
Orifice plates are removed from the list of device types used in the measurement of protection system variables.
Orifice plates are a subset of flow elements, which are also listed.* Section 7.3.1.1.2:
A change is made to simplify the discussion of valve position information available during the post-LOCA recovery period.* Section 7.3.1.1.4, "Final Actuation Circuitry":
A change is made to replace SI with the broader term ECCS.* Section 7.3.1.1.4:
A change is made to clarify that, in addition to the SI lines, the containment spray lines are also not isolated by a Phase B containment isolation signal.* Section 7.3.1.1.4:
A change is made to add the auxiliary building gas treatment system, emergency gas treatment system, and motor-operated valve thermal overload bypass to the list of equipment actuated by the ESFAS.* Section 7.3.1.2.1, "Generating Station Conditions":
A change is made to simplify the summary, add feedwater line break, and add a reference to Chapter 15 for identification of the conditions requiring protective action.* Section 7.3.1.2.2, "Generating Station Variables":
A change is made to simplify the summary, eliminate repetition, and add steam generator level, reactor coolant temperature (Tavg), purge air exhaust, and main steam as monitored variables.
7-16 Section 7.3.1.2.6, "Minimum Performance Requirements":
A change is made to replace the terms "loss of coolant" and "steamline break" with the more general term "design basis events," which also includes feedwater line breaks. A reference to Chapter 15 is also added for identification of the postulated events for which the ESFAS is required to actuate.Section 7.3.1.2.6:
A change is made to simplify the summary, eliminate repetition, replace the terms "loss of coolant" and "steamline break" with the more general term"design basis events," and add a reference to Chapter 15. Steam generator level and Tavg are added to the list because these variables actuate the ESFAS.* Section 7.3.2.1, "System Reliability/Availability and Failure Mode and Effect Analyses":
A change is made to simplify the discussion.
The reference provided in the section describes the analysis in detail.Section 7.3.2.2.1, "Single Failure Criterion." A change is made to clarify that simultaneous operation of both containment spray actuation switches in either set will actuate containment spray in both trains.Section 7.3.2.2.5, "Capability for Sensor Checks and Equipment Test and Calibration":
A clarification is made to state that the testing of the ESF system, slave relays, and final actuators is performed in accordance with the TS surveillance requirements.
Section 7.3.2.3, "Further Considerations":
The initiating signals for AFW are moved to Table 7.3-1, which lists ESF instrumentation.
A reference to the table is added. The anticipated transient without scram (ATWS) mitigation system actuation circuitry (AMSAC) is removed from the list because it was not designed as an ESF. The change does not alter the AMSAC functions of AFW start and turbine trip.Section 7.3.2.4.2, "Steam Line Break Protection":
The response time for generation of the protection system signal for steamline break protection is removed because it is given earlier in the same section. The closing time of the main steam isolation valves is also removed because the information is already provided in FSAR Section 10.3.
References:
A change was made to Reference 6 to update the revision number of the Westinghouse Setpoint Methodology and to specify that it applies only to WBN Unit 1. A new reference (7) was added for the WBN Unit 2 Setpoint Methodology.
- Table 7.3-1, "Instrumentation Operating Condition for Engineered Safety Features":
The initiating signals for AFW are moved from Section 7.3.2.3 to Table 7.3-1. The switchover from injection to recirculation after SI initiating signals are also added, as well as a note specifying that all three conditions (SI, refueling water storage tank level low, and containment sump level high) must be present to satisfy the switchover logic.* Table 7.3-2, "Instrumentation Operating Condition for Isolation Functions":
A change is made to delete "automatic" from "automatic safety injection" because manual SI also actuates containment isolation Phase A.Table 7.3-2: A change is made to add Tavg signal to feedwater line isolation.
7-17 Table 7.3-2: A change is made to clarify that the high steamline pressure rate that initiates steamline isolation is negative rate. The change also clarifies that the containment gas monitor which initiates containment vent isolation (CVI) monitors the containment purge air exhaust.Table 7.3-2: A note is added to clarify that Tavg is interlocked with P4, and a reference to Table 7.3-3 is added.Table 7.3-2: A change is made to delete items 4c ("Auxiliary Building Gas Monitor Radioactivity High") and 4d ("Auxiliary Building Air Particulate Monitor Radioactivity High"). These signals do not initiate CVI as indicated in this table and are therefore deleted.Table 7.3-3, "Interlocks for Engineering Safety Features Actuation System": A reference to Section 10.4.4.3 is added for the use of additional steam dump valves below the P12 interlock.
This change is reviewed in Section 7.2.1 of this SSER.In WBN Unit 2 FSAR Amendment 98, WVA made no significant changes to FSAR Section 7.3.In WBN Unit 2 FSAR Amendment 100, TVA made no significant changes to FSAR Section 7.3.In WBN Unit 2 FSAR Amendment 101, TVA edited the third note of Table 7.3-2. This edit adds the following signals to initiate the CVI: SI signal from operating unit or high temperature from the WBN Unit 1 or WBN Unit 2 auxiliary building air intake.In WBN Unit 2 FSAR Amendment 103, dated March 15, 2010, TVA made no significant changes to FSAR Section 7.3.These changes to the FSAR do not involve any physical modifications to the plant or modify the safety function of any equipment.
The changes do not affect setpoints or safety limits and thus do not reduce any margins of safety as defined in the TS. Therefore, the NRC staff finds them to be acceptable for WBN Unit 2.7.3.2 Containment Sump Level Measurement The NRC staff reviewed and approved containment sump level measurement at WBN in the SER and SSER 2. The staff used the guidance of SRP Section 7.3, Revision 2, "Engineered Safety Features Systems," in its review. As described in FSAR Section 7.6.9, "Switchover from Injection to Recirculation Mode following a LOCA," one of the permissives to the initiation logic for the automatic switchover from the injection to the recirculation mode of the ECCS is provided by water in the containment sump reaching a set level. The containment sump water level is monitored by four level measurement channels using differential pressure transmitters.
By letter dated October 18, 1999 (ADAMS Accession No. ML073240682), TVA informed the NRC staff that it had replaced the containment sump level transmitters in WBN Unit 1 under the provisions of 10 CFR 50.59. DCN-39608 states that the old transmitters had problems with the capillary tubing leaking fill fluid and with maintaining the transmitter within calibration.
The new transmitters are Class 1 E qualified, do not have capillary tubing, and can be submersed during a LOCA. TVA stated that functional performance and protective logic are not affected.
The same replacement has been performed for WBN Unit 2 under EDCR-52419.
The staff has 7-18 reviewed DCN-39608 and EDCR-52419 and, because the functional performance and protective logic are not affected, the staff concludes that the approach is acceptable for WBN Unit 2.WBN Unit 2 FSAR Amendment 95 addresses changes to Section 6.3.5.4, "Level Indication." All of the changes made by TVA were editorial or administrative in nature or were made to improve consistency with other FSAR sections.
Therefore, based on its previous evaluation, as documented in the SER and SSER 2, and on its evaluation of subsequent changes, as described above, the staff concludes that the information provided by TVA meets the relevant requirements identified in the SRP and that the staffs conclusions in the SER and SSER 2 remain valid.7.3.3 Auxiliary Feedwater Initiation and Control The NRC staff reviewed AFW initiation and control at WBN in the SER. The staff used the guidance of SRP Section 7.3, Revision 2, in its review. In the event of a loss of the main feedwater supply, the AFW system supplies sufficient feedwater to the steam generators to remove the energy stored in the primary system.WBN Unit 2 FSAR Amendment 95 addresses changes to Section 7.3.2.3. The NRC staff reviewed the amendment and concluded that TVA made no functional changes to the AFW system description.
All of the changes were editorial or administrative in nature or were made to improve consistency with other FSAR sections.In response to staff questions, TVA stated in its letter to the staff dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), that, for WBN Unit 2, it has converted the controllers and signal conditioners to Foxboro Spec 200 discrete analog components.
Because the functional performance of the AFW system is not affected by the change, the staff concludes that the approach is acceptable for WBN Unit 2. The Foxboro Spec 200 system is described in Section 7.3.1 of this SSER.Based on the staff's prior evaluation documented in the SER and on its evaluation of submitted changes, the information provided by TVA meets the relevant requirements identified in the SRP, and the staff's conclusions in the SER remain valid.7.3.4 Failure Modes and Effects Analysis In the SER, the NRC staff concluded that TVA's use of Westinghouse Topical Report WCAP-8584, "Failure Modes and Effects Analysis (FMEA) of the Engineered Safety Features Actuation System," was acceptable as a failure modes and effects analysis.
TVA stated that the topical report covers the ESFAS and that the balance of plant design satisfies the interface criteria of WCAP-8584.
The NRC staff reviewed WBN Unit 2 FSAR Amendments 92 through 103 and concluded that TVA made no functional changes to Section 7.3.2.1, "System Reliability/Availability and Failure Mode and Effects Analyses." All of the changes were editorial or administrative in nature or were made to improve consistency with other FSAR sections.
Therefore, based on the staffs prior evaluation, as documented in the SER, and on the staffs evaluation of submitted changes, the information provided in FSAR Section 7.3.4 continues to meet the relevant requirements identified in the SRP, and the staffs conclusions in the SER remain valid.7-19
7.3.5 Office
of Inspection and Enforcement Bulletin 80-06 Office of Inspection and Enforcement (IE)Bulletin 80-06, "Engineered Safety Feature (ESF)Reset Controls," dated March 13, 1980, asked licensees to review engineered safety features to ensure that no device will change position solely because of the reset function.
The NRC staff reviewed TVA's response to the bulletin for WBN in the SER and SSER 3, issued January 1985.In its letter to the NRC staff dated March 11, 1982 (ADAMS Accession No. ML073530129), TVA provided a list of all the safety-related equipment that does not remain in its emergency mode after an ESF reset. TVA evaluated this equipment and determined that it does not impact the safety of the plant or the ability to achieve and maintain safe shutdown.
The NRC staff concluded in SSER 3 that TVA's justification was acceptable.
In response to NRC staff Request for Additional Information (RAI) 7.3-6, TVA confirmed in its letter dated November 9, 2010 (ADAMS Accession No. ML1 03200146) that the feedwater isolation valves, the main feedwater check valve bypass valves, the upper tap main feedwater isolation valves, the steam generator blowdown isolation valves, and the RHR heat exchanger outlet flow control valves will remain in the emergency mode after an ESF reset.In response to a staff question, TVA stated in its letter dated November 24, 2010 (item number 330; ADAMS Accession No. ML1 03330501) that subsequent design changes have impacted the March 11, 1982, response such that some equipment that originally changed state no longer does so and some equipment has been deleted. TVA stated that no additions have been made to its original list dated March 11, 1982. Therefore, based on the staffs prior evaluation, as documented in the SER and SSER 3, and on its evaluation of the information provided by TVA in response to staff questions, the conclusions in the SER and SSER 3 remain valid.7.3.6 Conclusions Based on the staffs previous evaluations, as documented in the SER and SSER 2, SSER 3, and SSER 14, and on its review of WBN Unit 2 FSAR Amendments 92 through 103, the information provided in FSAR Section 7.3 meets the relevant requirements identified in the SRP, and the staffs conclusions in the SER and its supplements remain valid.7.4 Systems Required for Safe Shutdown 7.4.1 System Description The NRC staff reviewed TVA's systems required for safe shutdown at WBN in SER Section 7.4.In its review, the staff used the guidance provided in SRP Section 7.4, Revision 2, 'Safe Shutdown Systems." The systems required for safe shutdown are described in WBN Unit 2 FSAR Section 7.4, "Systems Required for Safe Shutdown," which states, in part, the following:
The functions necessary for safe shutdown are available from instrumentation channels associated with major systems in both the primary and secondary of the nuclear steam supply system (NSSS). These channels normal alignment to serve [sic] a variety of operational functions, including startup and shutdown as well as protective functions.
There are no systems identified strictly as "safe shutdown systems." However, procedures can institute appropriate alignment of selected systems to secure and maintain the plant in a safe condition.
Other 7-20 sections of the FSAR contain discussions of these systems with applicable codes, criteria and guidelines.
Discussed in this section is the minimum number of instrumentation and control (I&C) functions required for maintaining safe shutdown of the reactor. These functions permit the necessary operations that will: (1) Prevent the reactor from achieving criticality in violation of the technical specifications and (2) Provide an adequate heat sink such that design and safety limits are not exceeded.FSAR Section 7.4.1, "Description," further states the following:
The designation of systems that can be used for safe shutdown depends on identifying those systems which provide the following capabilities for maintaining a safe shutdown: (1) Boration (2) Adequate supply for auxiliary feedwater (AFW)(3) RHR These systems are identified in the following sections together with the associated I&C provisions.
The sections identify those monitoring indicators (Section 7.4.1.1) and controls (Section 7.4.1.2) necessary for maintaining hot standby. The equipment required for cold shutdown is identified in Section 7.4.1.3.In response to staff questions, TVA stated in its letter to the NRC staff dated July 30, 2010 (letter item number 12; ADAMS Accession No. ML102160349, not publicly available), that there are no technical differences between the WBN Unit 1 and WBN Unit 2 FSAR Sections 7.4.The NRC staff reviewed WBN Unit 2 FSAR Amendments 92 through 103 and concluded that the changes made by TVA to Section 7.4 were editorial or administrative in nature or were made to improve consistency with other FSAR sections.
Therefore, the staff's conclusions as documented in the SER remain valid.7.4.2 Shutdown from Auxiliary Control Room The staff reviewed WBN Unit 2 FSAR Amendments 92 through 103 and concluded that TVA's changes were editorial or administrative in nature or were made to improve consistency with other FSAR sections.
Therefore, the staffs conclusions as documented in the SER and SSER 7, dated September 1991, remain valid.7.4.3 Conclusions Based on the its prior evaluation, as documented in the SER and SSER 7, and on its review of WBN Unit 2 FSAR Amendments 92 through 103, the staff concludes that the information provided in FSAR Section 7.4 continues to meet the relevant requirements identified in the SRP, and that the staffs conclusions in the SER and SSER 7 remain valid.7-21 7.5 Safety-Related Display Instrumentation
7.5.1 Display
Systems 7.5.1.1 Integrated Computer System Introduction TVA describes the WBN Unit 2 ICS, also referred to as the plant computer system, in FSAR Section 7.5.2, "Plant Computer System." The WBN Unit 2 ICS is a nonsafety-related computer network that acquires, processes, and displays data to support the plant assessment capabilities of the main control room (MCR), technical support center (TSC), emergency operations facility (EOF), and the nuclear data link (NDL). In addition to providing the data links needed to support the TSC, EOF, and NDL, the ICS also provides the functions of the safety parameter display system (SPDS) and the bypassed and inoperable status indication (BISI)system.The WBN Unit 2 ICS receives data from the Eagle 21 process protection system, SSPS, postaccident monitoring system (PAMS) common qualified (Common Q) system, feedwater flow measurement leading edge flow meter, computer-enhanced rod position indication (CERPI), Foxboro Intelligent Automation (I/A) distributed control system (DCS), Bentley-Nevada vibration monitor, Ronan MCR annunciator system, environmental data station (EDS), and the WBN Unit 1 ICS to provide information to plant operators and emergency preparedness personnel in support of the control room, TSC, EOF, and NDL functions.
In addition, the ICS sends data to the CERPI system, Foxboro I/A DCS, Bentley-Nevada vibration monitoring system, TSC, plant engineering data system (PEDS), and the WBN Unit 1 ICS. The Eagle 21 process protection system and the PAMS Common Q System are the only safety-related systems that interface with the ICS.In the original design for WBN Unit 1 and WBN Unit 2, the functions performed by the plant process computer, TSC, and emergency response facility data systems were all served by separate computing resources.
The NRC staff's previous evaluation of the WBN FSAR, as documented in the SER and its supplements, was based on the original design. Since the previous staff evaluation, TVA developed the plan for WBN Unit 2 with the recognition that these original computing resources are considered obsolete.
In response to a question from the staff, TVA clarified in its letter dated October 5, 2010 (item number 203; ADAMS Accession No. ML1 02880525), that the previously used Westinghouse P2500 plant computer and emergency response facility data system computer mainframes are obsolete and no longer supported.
The WBN Unit 2 system was designed to match the WBN Unit 1 system functional design as closely as possible while incorporating newer network and upgraded cyber security features.TVA provided information about the ICS in WBN Unit 2 FSAR Amendment
- 96. WVA provided additional information about the display systems of WBN Unit 2 in FSAR Amendment 97, dated January 11, 2010; FSAR Amendment 100; and its letters to the NRC staff dated March 12, 2010 (ADAMS Accession No. ML1 01680576, not publicly available), April 27, 2010 (ADAMS Accession No. ML1 01230248), August 11, 2010 (ADAMS Accession No. ML1 02240382), and October 5, 2010 (ADAMS Accession No. ML102880525).
TVA provided a diagram of the ICS network configuration connections (TVA Drawing 2-45W2697-1-1, dated August 27, 2009, annotated to depict hardened and safety related interfaces) as an enclosure to its letter to the NRC staff dated March 12, 2010.7-22
System Description
The primary purpose of the ICS is to present plant process and equipment status information to the MCR operators to assist them in the normal operations of the plant and inform them of off-normal conditions.
The ICS obtains real-time plant parameter information by scanning preassigned analog, pulse, and contact sensors, and by receiving plant data transmitted from digital monitoring and control systems and digital components via serial and network data links.User interfaces to the ICS are called satellite display stations (SDSs). The SDSs located in the MCR provide operators with process values, alarm information, mimics, graphic trending, and database functions.
Similar SDSs are provided in the TSC and EOF.The ICS is designed to provide, in part, the following features and capabilities:
Provides the capability to monitor those parameters required to enable a functioning SPDS in the MCR, TSC, and EOF.Acquires, processes, and displays required data to support the plant assessment capabilities of the MCR, TSC, and EOF.Provides the capability to monitor in real time those parameters required to provide a BISI system meeting the guidance of Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." Provides communication data links to the EOF computer and the EDS computer.Provides the capability for continuously monitoring RHR system performance in the MCR whenever an RHR system is being used for cooling the RCS.* Provides displays for accident monitoring variables not displayed elsewhere and storage and trending for Category I accident monitoring variables.
- Calculates AFW total flow.* Provides the capability to run and process other programs for operational support.The WBN Unit 2 ICS is a nonsafety-related system composed of a network of distributed data processing equipment designed to function as a single, large-scale nuclear plant computer system that integrates balance-of-plant monitoring with nuclear steam supply system (NSSS)application software into a comprehensive computer-based tool to support plant operations.
The system comprises the following major components:
remote multiplexers in the computer room, auxiliary instrument room, and 480 volt (V)board rooms* redundant central processing units (CPUs)* data storage devices* Man-Machine interfaces-SDS terminals in the MCR, TSC, and computer room* networking equipment including switches, firewalls, and terminal servers* printers* data links to other plant computer devices (serial and network)7-23 The ICS includes three major subsystems, (1) SPDS, (2) BISI, and (3) TSC, as well as communications data links (CDL) that are subject to specific regulatory criteria covered in this section of the NRC staffs SER. All of these subsystems are nonsafety-related.
The NRC staffs evaluations of these three subsystems are described below in Sections 7.5.1.1.1, 7.5.1.1.2, and 7.5.1.1.3, respectively, of this SSER.7.5.1.1.1 Safety Parameter Display System 7.5.1.1.1.1 Introduction TVA described the WBN Unit 2 SPDS in FSAR Section 7.5.2.1, "Safety Parameter Display System." The purpose of the SPDS is to aid MCR operators in rapidly and reliably determining the safety status of the plant during abnormal and emergency conditions and in assessing if abnormal conditions require corrective action by the operators to avoid a degraded core. SPDS information is available on any MCR and TSC SDS. During emergencies, the SPDS serves as an aid to evaluating the current safety status of the plant, executing function-oriented emergency procedures, and monitoring the impact of engineered safeguards or mitigation activities.
The SPDS also operates during normal operations, continuously displaying information from which the plant safety status can be readily and reliably accessed.
Operators are trained to respond to accidents both with and without the SPDS available.
7.5.1.1.1.2
System Description
The WBN Unit 2 SPDS consists of at least two MCR color graphic monitors that continuously display information on the status of each critical safety function.
Information displayed on these monitors is derived from the ICS. Additionally, SPDS information is available at the TSC and EOF. The SPDS displays critical plant variables that support the operator assessment of the following critical plant safety functions:
0 reactivity control* reactor core cooling and heat removal from the primary system* RCS integrity 0 radioactivity control 0 containment conditions Although the SPDS is not a safety-related system, the SPDS equipment is designed and installed so that it does not degrade adjacent, interconnected, or interrelated safety systems.Further, the SPDS data are validated through several steps before being presented to the operators.
For example, when redundant sensors are used, the data received by the computer can be processed by software to determine if the quality of one or more points is questionable.
If so, the computer tags the questionable data to alert the operators.
7.5.1.1.1.3 Regulatory Evaluation Regulatory requirements and guidance applicable to the review of SPDS and emergency response facility information systems include the following:
7-24 Requirements Specific to the Safety Parameter Display System Because the WBN Unit 2 construction permit was issued in 1973, the applicable regulatory requirement for SPDSs, emergency response facility information systems, and emergency response data systems information systems isolated from the protection system is provided in 10 CFR 50.55a(h), which references IEEE Std. 279-1971.
The applicable requirement in IEEE Std. 279-1971 is Clause 4.7, "Control and Protection System Interaction," which provides requirements that govern interactions between control and protection systems. The applicable portion of the clause, for the nonsafety-related SPDS and emergency response information systems, requires the use of suitable isolation devices that shall protect the output transmission signals emanating from protection equipment to control or monitoring equipment, such that no credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases. Examples of credible failures would include short circuits, open circuits, grounds, and the application of maximum credible alternating current or direct current potential.
The effects of failures in isolation devices must be evaluated in the same manner as a failure of other equipment in the protection system.Specific NRC guidance for the design of the SPDS is in NUREG-0737, "Clarification of TMI Action Plan Requirements," issued November 1980, NUREG-0737, Supplement 1, "Clarification of TMI Action Plan Requirements:
Requirements for Emergency Response Capability," issued January 1983, and NUREG-0696, "Functional Criteria for Emergency Response Facilities," issued February 1981. The SPDS need not meet requirements of the single-failure criteria and it need not be qualified to meet Class 1 E requirements.
The SPDS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The SPDS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for SPDS. When signals to the EOF are received from sensors providing signals to safety system equipment or displays, suitable isolation in accordance with 10 CFR Part 50, Appendix A, GDC 22, 23, and 24 shall be provided to ensure that the EOF systems cannot degrade performance of the safety system equipment of displays.Quality In 10 CFR 50.55a(a)(1) and in GDC 1, "Quality Standards and Records," the NRC requires that"structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed." For safety-related equipment, the appropriate requirements of the licensee's quality assurance program under Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 apply, and appropriate records must be retained.Control and Protection System Separation GDC 24, "Separation of Protection and Control Systems," requires the following:
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel...
leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.7-25 In 10 CFR 50.55a(h)(2), the NRC requires compliance with IEEE Std. 603-1991 and the correction sheet dated January 30, 1995. However, for nuclear power plants such as WBN Unit 2, with construction permits issued between January 1, 1971, and May 13, 1999, the regulation allows that the applicant/licensee may elect to comply instead with the requirements of IEEE Std. 279-1971.7.5.1.1.1.4 Technical Evaluation Safety Parameter Display System Requirements The functional requirements for the design of the SPDS for Watts Bar Unit 2 are the same as the requirements for Watts Bar Unit 1, which were evaluated by the NRC staff when Watts Bar Unit I was licensed in 1996. The staffs previous evaluation of safety-related display information is documented in the SER, as supplemented in SSER 9, dated June 1992, SSER 14, and SSER 15.The SPDS does not perform a safety-related function but is used to aid MCR operators during abnormal and emergency conditions in determining the safety status of the plant and assessing if abnormal conditions require corrective action by the operators to avoid a degraded core. The primary sources of critical plant parameter information needed by the operators are safety-related display instruments mounted on MCR panels easily accessible to the operators.
As described in NUREG-0737, Supplement 1, the SPDS is not required to be Class 1E qualified, nor is it required to be powered from Class I E power sources. The SPDS is not required to operate during or after a seismic event; however, the SPDS equipment needs to be designed and installed so that it will not adversely affect equipment important to safety, either during or after a seismic event. Finally, the SPDS function is not required to meet the single-failure criterion applicable to Class I E equipment.
The NRC staff evaluated whether the WBN Unit 2 SPDS will supply the operators with adequate information needed to support the critical plant safety functions described above. In response to a question from the staff, TVA stated in its letter dated October 5, 2010 (item number 192;ADAMS Accession No. ML1 02880525), that the ICS provides data to the operators to support the functions based on the Westinghouse Owner's Group critical safety function status trees and the historical data collection, storage, and retrieval functions required to support NUREG-0737 and NUREG-0737, Supplement 1, Category 1 variables (with specific exceptions for indication of the position status of certain relief valves used as CIVs). The NRC staff concludes that TVA's response is acceptable because NUREG-0737, its Supplement 1, and NUREG-0696, which is referenced in NUREG-0737, are the key regulatory documents defining the requirements for SPDS.Quality The NRC staff evaluated TVA's application and adherence to the quality requirements of 10 CFR 50.55a(a)(1) and GDC 1 for the SPDS. Since the SPDS does not perform a safety-related function, TVA does not need to adhere to the provisions of 10 CFR Part 50, Appendix B for the SPDS as it would for safety-related structures, systems, or components.
The staff asked TVA to describe how it complies with 10 CFR 50.55a(a)(1).
In its response dated October 5, 2010 (letter item number 194; ADAMS Accession No. ML1 02880525), TVA stated the following:
7-26 To ensure quality, the design, testing, and inspection of the SPDS is controlled by qualified personnel and by using TVA procedure SPP-2.6, "Computer Software Control" (Attachment 35). The procedure details controls and processes required for the development, modification, and configuration management of computer software used to support the design, operation, modification, and maintenance of TVA's nuclear power plants consistent with the Nuclear Quality Assurance Plan.This ensures that the design and operation of the SPDS complies with the 10 CFR 50.55a(a)(1) quality standards requirements.
The controls and processes outlined in the procedure provide assurance that the SPDS will perform its intended function correctly.
The plant ICS provides the SPDS for WBN. Any changes to the SPDS software must be documented and controlled using a Software Service Request (per SPP-2.6) and must be implemented under the engineering design change process (Design Change Notice [DCN]).Controls in SPP-2.6 guide the development and testing of the SPDS changes.TVA also stated that the following are other controls established by this procedure to further maintain quality standards:
- Implementation of changes to SPDS software from remote locations is prohibited.
0 The application custodian implements controls to prevent unauthorized changes to the software.0 Changes are made in a nonproduction environment, and validation testing takes place before the change is installed on the ICS.* Once validation testing begins, the source code is placed under configuration control.* When the modifications are installed on the ICS, an operability test is performed to demonstrate that the software is installed correctly and is functioning correctly in its operating environment.
- All documentation related to the SPDS software changes are quality assurance records.The software source code is kept in a physically secure, environmentally controlled space to prevent inadvertent changes.* Cyber security considerations are also considered in the storage environment.
The NRC staff does not have specific regulatory guidance establishing acceptance criteria for quality requirements for nonsafety-related structures, systems, and components.
Therefore, the NRC staff considered how the combination of the effects of the procedural controls and management measures described above affects SPDS quality. Based on its review of TVA's procedures and the information provided in the FSAR and TVA's letter dated October 5, 2010, and on engineering judgment, the NRC staff concludes that TVA's proposed quality control procedures and management measures are acceptable for addressing the need to maintain high quality in the application, implementation, and maintenance of the SPDS.7-27 Control and Protection System Separation There are two types of interfaces between plant systems and the ICS, which incorporates the SPDS functions:
hard-wired analog and digital inputs, and digital transmission inputs and outputs. The ICS/SPDS hardwired analog and contact inputs and outputs from nonsafety equipment are obtained through appropriate signal conditioning and/or isolation from plant equipment and systems as inputs to multiplexors that are distributed throughout the plant computer room, MCR, Unit I and Unit 2 auxiliary instrument rooms, turbine building, and other areas. Signals originating in nonsafety-related protection systems and equipment are not subject to the requirements of GDC 24. However, input and output signals and data transmissions originating in safety-related equipment are subject to GDC 24.The isolation of hard-wired analog and contact inputs from safety-related equipment is described by TVA in FSAR Section 7.2.1.1.8.
The NRC staff previously reviewed this issue for WBN, as documented in the SER and SSER 9, Appendix V, Section 3.3.35. Because TVA did not identify any deviations from Unit 1 to Unit 2 with regard to such signal isolation, the staff concludes that its previous evaluation conclusions about hard-wired analog and contact input isolation interfaces remain valid.However, data communications interfaces between the ICS and safety-related equipment exist between the ICS and the Eagle 21 process protection system, and between the ICS and the PAMS Common Q System. In response to NRC staff questions concerning these interfaces, WVA provided a detailed description of special considerations that it had included in the design of the Eagle 21 unidirectional communications path and the PAMS. The NRC staffs technical evaluation of these interfaces is documented in Section 7.9.3 of this SSER.7.5.1.1.2 Bypassed and Inoperable Status Indication 7.5.1.1.2.1 Introduction The WBN Unit 2 BISI system is described by TVA in FSAR Section 7.5.2.2, "Bypassed and Inoperable Status Indication System (BISI)." The BISI system provides automatic indication and annunciation of the bypassed or abnormal status of each ESFAS-actuated component of each redundant portion of a system that performs a safety-related function.
The BISI system is available on any SDS in the MCR and in the TSC. Abnormal BISI information is accompanied by an audible alarm.7.5.1.1.2.2
System Description
The BISI system is designed to operate during all normal plant modes of operation, including startup, hot shutdown, cold shutdown, hot standby, refuelling, and power operation.
The BISI system does not perform a safety function and is not required to operate during or after a design-basis accident.
The BISI system is isolated from the associated safety-related equipment to preclude any abnormal or normal action of the BISI system preventing the performance of a safety function.In FSAR Section 7.5.2.2, and in its responses to staff questions by letter dated October 5, 2010 (letter item numbers 195, 196, and 198; ADAMS Accession No. ML1 02880525), TVA stated, in part, that the BISI system for WBN Unit 2 has been designed according to the following design criteria: 7-28 An abnormal indication is provided for each safety system. Abnormal indication for each safety system includes deliberate action which renders a protection system inoperable.
The following systems are monitored by BISI: Main and auxiliary feedwater Safety injection Residual heat removal Containment spray Emergency gas treatment Essential raw cooling water Chemical volume control Heating, ventilation, and air conditioning Component cooling Control air (including auxiliary control air)Standby diesel generator Support system indication is provided for each safety system that requires auxiliary or support system(s) operation to perform its safety function.Essential raw cooling water and diesel generator systems abnormal status indication are provided because these support systems are considered important enough to warrant abnormal status indication.
TVA described that indications are provided at the system level, with separate indication for each train. Sublevel information is provided to the MCR operator for determination of the abnormal condition at the component level. Abnormal indicators are generated automatically by actions that meet the following criteria:* The action is deliberate.
It is not the intent of the system to show operator errors or component failures.* The action is expected to occur more than once a year.* The action is expected when the protection system must be operable per the TS.0 The action renders the system inoperable, not merely potentially inoperable.
0 The deliberate action has taken place in the safety system or a necessary supporting system.Abnormal indications are separate from other plant indications.
Manual capability is provided to operate each safety system abnormal indication.
This would allow the operator to activate abnormal indication for an event that renders a safety system inoperable but does not automatically operate the BISI system. Abnormal indication is accompanied by an audible alarm. There is no capability to defeat an automatic operation of an abnormal indication.
Each safety system has a train A and train B bypass indicator.
Support systems are arranged together with the associated train of bypass indicators.
Safety system indications are lit whenever any support subsystem is abnormal.
Means by which the operator can cancel erroneous bypassed indications are not provided.7-29 TVA described that BISI does not perform functions essential to safety. No operator action is required based solely on the abnormal status indication.
The BISI system has no effect on plant safety systems. The abnormal status indicating and annunciating function can be tested during normal operation.
The indication system is mechanically and electrically isolated from the safety system to avoid degradation of the safety system. The operator is provided the means for determining why a system-level abnormal status is indicated.
7.5.1.1.2.3 Regulatory Evaluation Regulatory requirements applicable to the review of BISI information systems include the following.
BISI-Specific Requirements Because the WBN Unit 2 construction permit was issued in 1973, the applicable regulatory requirement for BISI information systems isolated from the protection system is provided in 10 CFR 50.55a(h), which references IEEE Std. 279-1971.
The applicable requirement in IEEE Std. 279-1971 is Clause 4.7, which provides requirements that govern interactions between control and protection systems. The applicable portion of the clause, for the nonsafety-related BISI, requires the use of suitable isolation devices that shall protect the output transmission signals emanating from protection equipment to control or monitoring equipment, such that no credible failure at the output of an isolation device shall prevent the associated protection system channel from meeting the minimum performance requirements specified in the design bases. Examples of credible failures would include short circuits, open circuits, grounds, and the application of maximum credible alternating current or direct current potential.
The effects of failures in isolation devices must be evaluated in the same manner as a failure of other equipment in the protection system.Guidance applicable to the design of the BISI system is contained in RG 1.47, Revision 0,"Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," issued May 1973, which is referenced in Table 7.1-1 of the WBN Unit 2 FSAR. This guidance describes a method acceptable to the NRC staff for complying with the requirements of Section 4.3 of IEEE Std. 279-1971 and Criterion XIV, "Inspection, Test, and Operating Status," of Appendix B to 10 CFR Part 50 with regard to indicating the bypass or inoperable status of portions of the protection system, systems actuated or controlled by the protection system, and auxiliary supporting systems that must be operable for the protection system and the system it actuates to perform their safety-related functions.
Since the BISI system is non-safety related, the design of the BISI system is not required to meet single-failure criteria or be qualified to meet Class I E requirements, in accordance with RG 1.47, Revision 0. However, the BISI system should be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety systems. The BISI system need not be seismically qualified; however, in the event of a seismic occurrence, components of the BISI system should not degrade the performance of safety functions.
When status signals sent to the BISI system are received from sensors, control panels, or electrical breaker cabinets of safety systems and components, suitable isolation in accordance with GDC 22, 23, and 24 shall be provided to ensure that the BISI system cannot degrade performance of the safety system equipment.
7-30 Quality Criterion XIV of Appendix B to 10 CFR Part 50 requires, in part, that measures be established for indicating the operating status of structures, systems, and components of the nuclear power plant, such as by tagging valves and switches, to prevent inadvertent operation.
In 10 CFR 50.55a(a)(1) and in GDC 1, the NRC requires that "structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed." For safety-related equipment, the appropriate requirements of the licensee's 10 CFR Part 50, Appendix B, quality assurance program apply, and appropriate records must be retained.Control and Protection System Separation GDC 24 requires the following:
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel.. .leaves intact system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.In 10 CFR 50.55a(h)(2), the NRC requires compliance with IEEE Std. 603-1991 and the correction sheet dated January 30, 1995. However, for nuclear power plants such as WBN Unit 2, with construction permits issued between January 1, 1971, and May 13, 1999, the regulation allows that the applicant/licensee may elect to comply instead with the requirements of IEEE Std. 279-1971.7.5.1.1.2.4 Technical Evaluation BISI-Specific Requirements The ICS provides the BISI system for WBN Unit 2. In its letter dated October 5, 2010 (ADAMS Accession No. ML102880525), TVA described how the design of the ICS meets the requirements of 10 CFR 50.55a(a)(1) and how it follows the intent of the guidance provided in RG 1.47, Revision 0. Appropriate electrical and physical isolation from safety-related equipment for the nonsafety system is provided to meet the requirements identified in the FSAR. The ICS is independent of existing sensors and.equipment in safety-related systems. Independence is achieved through qualified safety-related Class I E isolators.
The ICS is also isolated to preclude electrical or electronic interference with existing safety systems. Inputs and outputs are isolated from the plant inputs such that normal faults on the plant side of the loops will have no adverse impact on the ICS other than loss of the one circuit with the fault. The inputs and outputs meet the isolation requirements of WBN Design Criterion WB-DC-30--4, which defines the design requirements for electrical separation and isolation of the distribution equipment and wiring for Class 1 E electrical systems and components in the plant.The NRC staff evaluated the design criteria, system descriptions in the FSAR, and TVA's responses to staff questions as described above and concluded that the BISI design at WBN Unit 2 complies with applicable regulatory requirements and appropriately addresses the guidance in RG 1.47. Therefore, the staff concludes that TVA's proposed BISI design is acceptable.
7-31 Quality The BISI function is implemented in the ICS in a manner similar to the SPDS function described in SSER Section 7.5.1.1.1 above. Because the quality controls of the ICS that apply to the SPDS system are also applicable to the BISI system, the staff concludes that its evaluation of the quality procedures and management measures implemented for the SPDS system functions is applicable to the BISI functions.
In its response letter to a staff question, TVA stated the following in its letter dated October 5, 2010 (item number 198; ADAMS Accession No. ML102880525):
For BISI, a Software Requirements Specification (SRS) based on the engineering calculation will be generated along with a Software Design Description
[SDD]. A Software Verification and Validation Report (SWR)consisting of a Validation Test and results and an Operability Test and results will be prepared.
User documentation for BISI will be incorporated into the overall ICS user documents.
Future changes to BISI will be driven foremost by changes to the engineering calculation that defines the overall functionality of the system. Any changes to the engineering calculation will cause a Software Services Request (SSR) to be generated.
Depending on the scope of the change, the various documents (SRS, SDD, SWR and user documentation) will be updated or re-issued.
The NRC staff considered how the combination of the effects of the procedural controls and management measures described above would impact BISI quality. Based on its engineering judgment, the staff concludes that TVA's proposed quality control procedures and management measures are acceptable for addressing the need to maintain high quality in the application, implementation, and maintenance of the BISI system, and that the proposed WBN Unit 2 BISI system meets the recommendations of RG 1.47, Revision 0. Therefore, the proposed BISI system is acceptable.
Control and Protection System Separation During its update of the ICS to a distributed monitoring system, TVA did not identify any changes in its methodology for implementing qualified isolation devices for the BISI system inputs from those of WBN Unit 1. As described for the SPDS system functions above, the ICS/BISI hardwired inputs from nonsafety equipment are obtained through appropriate qualified isolation devices from plant equipment and systems as inputs to multiplexors that are distributed throughout the plant computer room, MCR, Unit 1 and Unit 2 auxiliary instrument rooms, turbine building, and other areas. Signals originating in nonsafety-related protection systems and equipment are not subject to the requirements of GDC 24. However, input signals and data transmissions originating in safety-related equipment are subject to these requirements.
With regard to the guidance of RG 1.47, inputs to the BISI system are isolated from the plant inputs, such that normal faults on the plant side of the loops will have no adverse impact on the ICS other than loss of the one circuit with the fault. The inputs and outputs meet the isolation requirements of WBN Design Criterion WB-DC-30-4, which defines the design requirements for electrical separation and isolation of the distribution equipment and wiring for Class 1 E electrical systems and components in the plant. TVA described the isolation of hard-wired analog and 7-32 contact inputs from safety-related equipment in FSAR Section 7.2.1.1.8.
The NRC staff's review of this information is documented in the SER and SSER 9, Appendix V, Section 3.3.35.Because TVA has not identified deviations between Unit I and Unit 2 with regard to such signal isolation, the conclusions from the staff's previous evaluation regarding hard-wired analog and contact input isolation interfaces remain valid.7.5.1.1.3 Technical Support Center and Communications Data Links 7.5.1.1.3.1 Introduction WVA described the WBN Unit 2 TSC and CDL in FSAR Section 7.5.2.3, "Technical Support Center and Communications Data Links." 7.5.1.1.3.2 Description Technical Support Center and Emergency Operations Facility When activated, the TSC provides emergency response capabilities to relieve operators of peripheral duties and communications not directly related to reactor system manipulation.
In addition, it provides a location from which to provide technical and engineering support. The information available at the TSC includes the SPDS displays as well as special displays for use in the TSC. The displays are similar to the displays in the MCR. The WBN Unit 2 EOF is a facility where emergency responses, radiological and environmental assessments, recommendations for public protective actions, and response activities are coordinated.
For WBN Unit 2, the Central Emergency Control Center (CECC) is the EOF.Communications Data Links The provision for CDL is a function of the ICS. The ICS provides a means of acquiring data from plant process systems and equipment and supplying this data to computer-based systems both on and off site. As described by TVA in the FSAR, the CDL interconnect the following computers:
(1) Emergency Operations Facility:
Data are transmitted from the ICS by data link to the EOF. Upon request, the ICS will send the CECC computer a dynamic database snapshot every 15 seconds over a high-speed communications link.(2) Environmental Data Station: Communications between the ICS and the EDS computer allows the ICS to access variables that are input to the EDS computer.
The EDS meteorological data necessary to support the TSC functions can be displayed along with the radiation release data.(3) Nuclear Data Link: CDL between the ICS and the CECC computer provide data to the EOF and for transmission off site. The CECC computer transmits data to the NRC over the NDL.In FSAR Section 7.5.2.3.2, and in its letter to the NRC dated October 5, 2010 (ADAMS Accession No. ML102880525), TVA described how the CDL complied with applicable regulatory requirements.
The NRC staffs regulatory and technical evaluations of these communications links is contained in Section 7.9.1 of this SSER.7-33 7.5.1.1.4 Conclusions The NRC staff reviewed the proposed ICS system for WBN Unit 2. The ICS is a nonsafety-related computer network that acquires, processes, and displays data to support the plant assessment capabilities of the MCR, TSC, EOF, and NDL. In addition to providing the data links needed to support the TSC, EOF, and NDL, the ICS also provides the functions of the SPDS and the BISI system. The staff evaluated the system designs against the applicable regulatory criteria and concluded that, for those aspects of the design that were not substantially different from WBN Unit 1, the staff's previous conclusions, as documented in the SER and SSERs, remain valid. Further, where the WBN Unit 2 design was substantively different from that of WBN Unit 1, the staff concluded that TVA's design appropriately addresses the staffs regulatory criteria for quality (GDC I and 10 CFR 50.55a(a)(1)), control and protection system separation (GDC 24 and IEEE 279-1971, Clause 4.7), and the specific requirements for each display system (NUREG-0737, Supplement 1, or RG 1.47), as described above, and, therefore, is acceptable.
7.5.2 Postaccident
Monitoring System 7.5.2.1 Compliance with Regulatory Guide 1.97 7.5.2.1.1 Introduction NRC Generic Letter (GL) 82-33, "Supplement 1 to NUREG-0737-Requirements for Emergency Response Capability," dated December 17, 1982 (ADAMS Accession No. ML031080548), provided additional clarification about RG 1.97, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident," Revision 2, December 1980 (ADAMS Accession No. ML060750525), relating to the requirements for emergency response capability.
These requirements were published as NUREG-0737, Supplement I (ADAMS Accession No. MLI102560009).
TVA responded to Item 6.2, "Documentation and NRC Review," of GL 82-33 in its letters of August 31, 1990 (ADAMS Accession No. ML073541271);
October 11, 1990 (ADAMS Accession No. ML0735501192);
January 3, 1991 (ADAMS Accession No. ML073550220);
and October 29,1991 (ADAMS Accession No. ML073550340).
These responses included a summary of TVA's proposed accident monitoring instrumentation for WBN Unit 1 and WBN Unit 2 to address the recommendations of RG 1.97, Revision 2, and TVA's responses to the NRC staffs questions and open items concerning its evaluation of the summary. In SSER 9 (ADAMS Accession No. ML072060469), SSER 14 (ADAMS Accession No. ML072060486), and SSER 15 (ADAMS Accession No. ML072060488), the NRC staff concluded that TVA either conformed to, or provided adequate justification for deviating from, the guidance of RG 1.97, Revision 2, for each variable at WBN Unit I and WBN Unit 2.WVA updated its information concerning WBN Unit 2 in FSAR Amendment 96, dated December 23, 2009; FSAR Amendment 97, dated January 11, 2010; FSAR Amendment 99, dated May 27, 2010; TVA letter dated June 18, 2010 (ADAMS Accession No. ML1 01940236);
TVA letter dated July 31, 2010 (ADAMS Accession No. ML1 02290258);
TVA letter dated October 5, 2010 (ADAMS Accession No. ML102880525);
TVA letter dated October 21, 2010 (ADAMS Accession No. ML103140661);
TVA letter dated October 29, 2010 (ADAMS Accession No. ML103120711);
and FSAR Amendment 101, dated October 29, 2010.7-34 7.5.2.1.2 Regulatory Evaluation The regulatory requirements applicable to accident monitoring instrumentation include, in part, the following:
GDC 13, "Instrumentation and Control," of Appendix A to 10 CFR Part 50 requires that"Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant boundary, and the containment and its associated systems." GDC 19, "Control Room," requires that "A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents....
Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures." GDC 64, "Monitoring Radioactivity Releases," requires that "Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents." The regulation at 10 CFR 50.44, "Combustible Gas Control for Nuclear Power Reactors," provides, in part, requirements for monitoring combustible gases in the containment.
The regulation at 10 CFR 50.34(f), requires operating reactor licensees to provide sufficient information to demonstrate that required licensing actions will be satisfactorily completed by the operating license stage of reactor licensing.
These include the requirement at 10 CFR 50.34(f)(2)(xix) to "provide instrumentation adequate for monitoring plant conditions following an accident that includes core damage. (II.F.3)." The reference to II.F.3 is to Action Plan Item II.F.3 of NUREG-0718, "Licensing Requirements for Pending Applications for Construction Permits and Manufacturing License," June 1981, and NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," May 1980.The specific NRC guidance applicable to provisions for accident monitoring instrumentation for WBN Unit 2 includes, in part, the following:
RG 1.97, Revision 2, provides a basis for evaluating conformance to GDC 13, 19, and 64 and describes a method acceptable to the NRC staff for complying with the Commission's regulations to provide instrumentation to monitor plant variables and systems during and following an accident.7-35 7.5.2.1.3 Technical Evaluation 7.5.2.1.3.1 Conformance with Regulatory Guide 1.97 In FSAR Amendment 101, Section 7.5.1, "Post Accident Monitoring Instrumentation (PAM)," TVA documented its commitments for providing accident monitoring instrumentation for WBN Unit 2. TVA provided a comparison of its planned accident monitoring capabilities and commitments against the requirements of the GDC and the guidance provided in RG 1.97, Revision 2. TVA stated that, when selecting the list of parameters to be monitored as identified within RG 1.97, it selected the variables' descriptions through a systematic evaluation of parameters required for the mitigation of design-basis events at WBN, a comprehensive review of the emergency instructions, function restoration guidelines, and Condition II, Ill, and IV faults as described in Chapter 15 of the FSAR. In some cases, the emergency instructions and function restoration guidelines address the mitigation of events that may extend beyond the design of the plant. TVA noted that some of this instrumentation used for beyond-design-basis events may be exempted from being categorized as postaccident monitoring instrumentation.
This is consistent with the NRC guidance provided in RG 1.97, Revision 4, issued June 2006, which states that "the scope of instruments that could potentially be selected for accident monitoring (based on the selection criteria) should initially be as encompassing as possible.Then, in the process of selecting the actual list of variables to be monitored, licensees could screen out instruments associated with contingency actions that take place beyond the plant's licensing basis." Based on its review of FSAR Amendment 101, the NRC staff concluded that TVA provided adequate justification for any instrumentation channel range provided or equipment qualification deviation that exists from those recommended in RG 1.97. TVA also provided an adequate discussion about its plans for meeting the specific instrument channel characteristic design criteria that are associated with each of the three RG 1.97 categories recommended to provide the necessary level of assurance based on the safety significance of the instrumentation involved.In SSERs 9, 14, and 15, the NRC staff concluded that TVA has either conformed to or has demonstrated adequate justification for deviating from the guidance of RG 1.97, Revision 2, for each variable at WBN Unit I and WBN Unit 2. Based on its previous evaluations, as documented in the SSERs, and on its review of the information subsequently provided by TVA, as documented below in this SSER subsection, the NRC staff concludes that TVA has explicitly committed to conform its accident monitoring instrumentation to the guidance of RG 1.97, Revision 2 and, therefore, meets the requirement in 10 CFR 50.34(f)(2)(xix).
The conformance of the WBN Unit 2 accident monitoring instrumentation to the guidance of RG 1.97, Revision 2 is subject to confirmation by NRC inspection, as described below in SSER Section 7.5.2.1.4.
7.5.2.1.3.2 Differences between WBN Unit 1 and WBN Unit 2 In its Staff Requirements Memorandum (SRM)-SECY-07-0096, "Possible Reactivation of Construction and Licensing Activities for the Watts Bar Nuclear Plant Unit 2," dated July 25, 2007 (ADAMS Accession No. ML072060688), the Commission stated that it supports a licensing review approach that employs the current licensing basis for Unit 1 as the reference basis for the review and licensing of Unit 2. For some variables, there are differences between WBN Unit 1 and WBN Unit 2 in how the information for those variables is processed.
For example, the information for WBN Unit 2 may be processed by a different hardware system or component or may be displayed on a different readout device than that of WBN Unit 1.7-36 However, such a change in processing system, component, or display device may not result in a deviation from the guidance of RG 1.97, Revision 2 that would require a justification.
These changes in processing system, component, or display device that do not result in the need for a docketed justification for deviation from the criteria of. RG 1.97 are not discussed in this section.Instead, they are discussed in other sections of Chapter 7 of this SSER that discuss the specific control system or computer data processing system that processes the information.
7.5.2.1.3.3 Type A Variable Differences between WBN Unit 1 and WBN Unit 2 RG 1.97, Revision 2 does not specifically identify the required parameters for each reactor type that are to be categorized as "Type A" variables.
Type A variables are those that provide the information required to permit the control room operator to take preplanned manually controlled actions for which no automatic action is provided and that are required for safety systems to accomplish their safety functions for design-basis events. Instead, each licensee or applicant should make its own determination of which accident parameters are to fulfill the requirements of Type A variables, based on a plant- or unit-specific evaluation of design-basis accident analyses, emergency procedures, and reactor systems design. FSAR Table 7.5-1, "Post Accident Monitoring Instrumentation Component Qualification Matrix," and FSAR Table 7.5-2,"Regulatory Guide 1.97 Post Accident Monitoring Variables Lists Legend," furnish the appropriate variable classification types and categories for each variable description.
For WBN Unit 2, TVA classifies the following instrumentation as its Type A variables:
(1) AFWflow (2) containment lower compartment atmosphere temperature (3) containment pressure (narrow range)(4) containment radiation (5) containment sump level (wide range)(6) core exit temperature (7) nuclear instrumentation (source range)(8) RCS pressurizer level (9) RCS pressure (wide range)(10) RCS Temperature T cold (cold leg temperature)
(11) RCS Temperature T hot (hot leg temperature)
(12) refueling water storage tank level (13) steam generator level (narrow range)(14) steam generator pressure (15) subcooling margin monitor The above variables, with minor deviations as noted below and in SSERs 9, 14, or 15, either meet, or WVA has committed to modify the instrumentation to meet, the RG 1.97, Revision 2, Category I recommendations for Type A variables.
The Type A variables for WBN Unit 2 are the same as the Type A variables for WBN Unit 1, with some minor variable name or nomenclature differences.
Since these are the same variables as proposed for WBN Unit 1, the NRC staffs conclusions for its previous evaluations of RG 1.97, Revision 2 compliance remain valid. FSAR Table 7.5-2 provides a description of the variables, the RG 1.97 variable type, category, redundancy provisions, range and units of measurement, and notes pertaining to each variable, as well as an explanation of any deviations taken from the guidance in the RG. Based on its evaluation of the information provided in the FSAR, as well as on TVA's identification and justification for deviation from the guidance, the NRC staff concludes that WBN Unit 2 conforms to the RG with acceptable deviations.
7-37 7.5.2.1.3.4 Systems that Process Accident Monitoring Information Common Q Postaccident Monitoring System As decribed by TVA in FSAR Section 7.5.1.8, "Post Accident Monitoring System (PAMS)," the following three variables for WBN Unit 2 will be processed by the WBN Unit 2 Common Q PAMS: (1) core exit temperature (2) subcooling margin monitor (3) reactor vessel level The NRC staff considers that the design of the instrument channels providing the above variables is unique to WBN Unit 2 because the variables are processed by the new Common Q PAMS, whereas, for WBN Unit 1, they were processed via other means. The staffs evaluation of the adequacy of the design, qualification, and compliance with NRC regulations of the Common Q PAMS is contained below in Section 7.5.2.2 of this SSER. FSAR Table 7.5-2 provides a description of the variables, the RG 1.97 variable type, category, redundancy provisions, range and units of measurement, and notes pertaining to each variable, as well as an explanation of any deviations taken from the guidance in the RG. Based on its evaluation of the information provided in the FSAR, as well as on TVA's identification and justification for deviation from the guidance, the staff concludes that WBN Unit 2 conforms to the RG with acceptable deviations.
Eagle 21 Loop Processor and Input/Output Subsystem of the Reactor Trip System The following variables are processed by the Eagle 21 input/output and loop processor subsystems of the RTS: (1) containment pressure (narrow range)(2) containment sump level (wide range)(3) RCS pressurizer level (4) RCS pressure (wide range)(5) RCS Temperature T cold (6) RCS Temperature T hot (7) Refueling water storage tank level (8) steam generator level (narrow range)(9) steam generator pressure (10) containment spray flow (11) containment sump water temperature (12) main feedwater flow (13) steam generator level (wide range)(14) main steam flow The above variables in WBN Unit 1 are also processed by the Eagle 21 system. The staff's evaluation of the design, qualifications, and regulatory compliance of the Eagle 21 system for WBN Unit 2 is contained in Section 7.2.1 of this SSER. Because these variables are also processed by the Eagle 21 subsystems for WBN Unit 1, the staffs conclusions for its previous evaluations of compliance with RG 1.97 remain valid. FSAR Table 7.5-2 provides a description of the variables, the RG 1.97 variable type, category, redundancy provisions, range and units of measurement, and notes pertaining to each variable, as well as an explanation of any 7-38 deviations taken from the guidance in the RG. Based on its evaluation of the information provided in the FSAR, as well as on iVA's identification and justification for deviation from the guidance, the staff concludes that WBN Unit 2 conforms to the RG with acceptable deviations.
Foxboro Spec 200 The following variables are processed by the Foxboro Spec 200 analog hardware: (1) AFW flow (2) CCS surge tank level (3) containment lower compartment atmosphere temperature (4) containment pressure (wide range)(5) component cooling water to ESF flow (6) component cooling water supply temperature (7) emergency raw cooling water (ERCW) header flow (8) RCS head vent valve status The NRC staff considers that the design of the instrument channels providing the above variables is unique to WBN Unit 2 because the variables are processed by the Foxboro Spec 200 analog hardware, whereas in WBN Unit 1, the signals are developed via other means.Information about the NRC staff's evaluation of the design, qualifications, and regulatory compliance of the Foxboro Spec 200 analog hardware is contained in Section 7.3.1 of this SSER. FSAR Table 7.5-2 provides a description of the variables, the RG 1.97 variable type, category, redundancy provisions, range and units of measurement, and notes pertaining to each variable, as well as an explanation of any deviations taken from the guidance in the RG. Based on its evaluation of the information provided in the FSAR, as well as on TVA's identification and justification for deviation from the guidance, the staff concludes that WBN Unit 2 conforms to the RG with acceptable deviations.
Nuclear Instrumentation System The following variables are monitored by the ex-core nuclear instrumentation system (NIS): (1) nuclear instrumentation (source range)(2) nuclear instrumentation (intermediate range) (also referred to as "wide range")The design of the instrument channels for the above variables is unique to WBN Unit 2, because the variables are processed by the new Thermo-Fisher Scientific Model 300i NIS, whereas for WBN Unit 1, they are processed by the Gamma-Metrics Model 300 system.Information about the design and regulatory compliance of the ex-core NIS is contained in Section 7.7.1.2 of this SSER. In Attachment 5, "Qualification Report No. 864, Rev 0, Class 1E Qualification of Source Range, Intermediate Range and Wide Range Channels," to TVA's letter dated July 31, 2010 (ADAMS Accession No. ML102290258), TVA provided an equipment qualification report describing the qualification by analysis of the new Thermo-Fisher Scientific Model 300i NIS. Based on its review of the report, the staff concludes that TVA adequately evaluated the seismic and environmental qualifications of the changes to the WBN Unit 2 instrumentation compared to WBN Unit 1 and that the NIS is acceptable.
7-39 Sorrento Radiation Monitoring The following variable is processed by the new Sorrento radiation monitoring system at WBN Unit 2: containment high-range radiation.
The variable is considered unique to WBN Unit 2 because it is processed by the Sorrento radiation monitoring system, whereas the WBN Unit 1 processing equipment for this variable is different.
The staff's evaluation of the design, qualifications, and regulatory compliance of the Sorrento radiation monitoring system is contained in Section 7.5.2.3 of this SSER. In FSAR Table 7.5-2, TVA identified that the energy sensitivity of the Sorrento Electronics system meets the requirements of RG 1.97, Revision 3, issued May 1983, rather than those of Revision 2.The Revision 3 version states that the energy response of the detectors should be such that they will respond to gamma radiation photons within any range from 60 kiloelectronvolts (keV) to 3 megaelectronvolts (MeV), with a dose rate response accuracy within a factor of 2 over the entire range. Use of RG 1.97, Revision 3 for this variable is acceptable to the staff, since it is an approved update to Revision 2.Foxboro Intelligent Automation The following variables are processed by the Foxboro Intelligent Automation (I/A) system: (1) accumulator tank level (2) accumulator tank pressure (3) annulus pressure (4) centrifugal charging pump total flow (5) charging header flow (6) containment spray heat exchanger outlet-outlet temperature (7) containment sump water level (narrow range)(8) letdown flow (9) normal emergency boration flow (10) pressurizer relief tank level (11) pressurizer relief tank pressure (12) pressurizer relief tank temperature (13) RCP seal injection flow (14) RHR heat exchanger outlet temperature (15) RHR pump flow (RHR system flow)(16) SI pump flow (17) volume control tank level (18) condenser vacuum pump exhaust vent (flow rate)The above variables are considered unique to WBN Unit 2 because they are processed by the Foxboro I/A system, whereas in WBN Unit 1, different equipment is used to process this information.
The staff's evaluation of the Foxboro I/A system is contained in Section 7.7.1.4 of this SSER. FSAR Table 7.5-2 provides a description of the variables, the RG 1.97 variable type, category, redundancy provisions, range and units of measurement, and notes pertaining to each variable, as well as an explanation of any deviations taken from the guidance in the regulatory guide. Based on its evaluation of the information provided in the FSAR, as well as on TVA's identification and justification for deviation from the guidance, the staff concludes that WBN Unit 2 conforms to the RG with acceptable deviations.
7-40 Integrated Computer System The following variables are processed by the ICS: (1) ERCW supply temperature (2) pressurizer heater status (electric current).The above variables are considered unique to WBN Unit 2 because they are processed by the ICS. In WBN Unit 1, the plant process computer system is used to process this information.
Information about the NRC staffs evaluation of the ICS is contained in Section 7.5.1.1 of this SSER. TVA specifies in FSAR Table 7.5-2 that pressurizer heater current is provided in terms of amperes per element for the safety-related heater banks, which is acceptable to the staff because RG 1.97 does not specify bank or element current.Computer-Enhanced Rod Position Indication The following variable is processed by the CERPI system: control rod position.The variable is considered unique to WBN Unit 2 because it is processed by the new CERPI system. The staffs evaluation of the CERPI system is contained in Section 7.7.1.3 of this SSER. TVA deviated from the guidance of RG 1.97, Revision 2 in making control rod position information a Type D, Category 3 variable, rather than Type B, Category 3. TVA's justification for the deviation is that rod position information is a backup indication for neutron activity, which is a Type B, Category 2 parameter.
TVA's justification is acceptable to the staff because CERPI is a backup indication to a higher category variable.Common Instrumentation The following variables are processed by instrumentation that is similar in design for both WBN Unit I and WBN Unit 2: (1) auxiliary building passive sump level (2) auxiliary building gas treatment system high pressure (3) auxiliary control air system pressure (4) MCR pressure (5) MCR radiation level (6) spent fuel pool level (7) spent fuel pool temperature (8) tritiated drain collector tank level (9) waste gas decay tank pressure (10) auxiliary building vent (noble gas)(11) auxiliary building vent (flow rate)(12) auxiliary building vent (particulates and halogens)(13) ERCW radiation monitors (14) vertical temperature difference (15) wind direction (16) wind speed Because the above instrumentation is similar in both WBN Unit 1 and WBN Unit 2 (i.e., it is not unique to WBN Unit 2), the NRC staffs previous conclusions about compliance with the guidance of RG 1.97 remain valid.7-41 7.5.2.1.3.5 Deviations from Regulatory Guide 1.97, Revision 2, that Are Unique to WBN Unit 2 Deviations that were reviewed in SSERs 9, 14, and 15 that are applicable to both WBN Unit 1 and WBN Unit 2 are not repeated in this SSER. In some instances, deviations for WBN Unit 2 are slightly different from the deviations reviewed in SSERs 9, 14, or 15 but did not change the acceptability of the deviation; for example, small differences in range, variable name changes, or minor differences in the justification for the deviation.
Although the reasons for the NRC staff's conclusions about acceptability are different for WBN Unit 2 than for WBN Unit 1, the specific NRC staff evaluation of these deviations is not discussed in this SSER because the deviations were not substantive.
Reactor Coolant Samples RG 1.97, Revision 2 recommends that Type E, Category 3 instrumentation be provided to monitor primary coolant grab samples for release assessment, verification, and analysis of accident sampling capability.
At WBN Unit 1, samples of the following variables are obtained via the postaccident sampling system: (1) reactor coolant chloride concentration (2) reactor coolant dissolved hydrogen (3) reactor coolant dissolved oxygen (4) reactor coolant dissolved gases (5) reactor coolant boron (6) reactor coolant pH (7) reactor coolant sample activity (8) reactor coolant gamma spectrum At WBN Unit 2, the samples of these variables are obtained using a grab sample via the normal sampling system. The use of the normal sampling system at WBN Unit 2 to obtain these samples meets the RG 1.97, Revision 2, Type E, Category 3 criteria and, therefore, is acceptable.
Containment Hydrogen Concentration RG 1.97, Revision 2 recommends that Type C, Category I instrumentation be provided to monitor containment hydrogen to detect potential breaches, for mitigation, and for long-term surveillance of the containment fission product barrier. The regulation in 10 CFR 50.44 accepts the use of instrumentation classified in RG 1.97, Revision 2 as Type C, Category 3 to monitor containment hydrogen.
TVA has provided one channel of Category 3 containment hydrogen instrumentation that is classified as Type C, Category 3; as Type D, Category 3; and as Type E, Category 3.Because the containment hydrogen instrumentation is an RG 1.97, Revision 2, Type C, Category 3 variable, as allowed by 10 CFR 50.44, the instrumentation does not need to meet the Type C, Category I criteria of RG 1.97, Revision 2. Therefore, the containment hydrogen instrumentation provided by TVA for WBN Unit 2 is acceptable.
7-42 7.5.2.1.4 Confirmation of Implementation of Regulatory Guide 1.97, Revision 2 To verify that TVA has an instrumentation system for assessing plant conditions during and following the course of an accident that meets the criteria specified in RG 1.97, Revision 2, as applicable, and is installed in accordance with TVA's commitments, the NRC Inspection Manual Chapter 2515, "Light-Water Reactor Inspection Program-Operations Phase," includes an inspection in accordance with NRC Temporary Instruction 2515/087, "Inspection of Licensee's Implementation of Multiplant Action A-17: Instrumentation for Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident (Regulatory Guide 1.97)," dated September 17, 1990. The objective of this inspection is to compare the installed plant instrumentation with TVA's commitments as described in the FSAR and to identify any deviations from these commitments that may exist without supporting documentation.
7.5.2.1.5 Conclusions Based on the above review, the NRC staff concludes that TVA either conforms to, or has provided adequate justification for deviating from, the guidance of RG 1.97, Revision 2 for each accident monitoring variable.
RG 1.97 provides the NRC staff's position for a basis for evaluating conformance to GDC 13, 19, and 64 and describes a method acceptable to the staff for complying with the regulations to provide instrumentation to monitor plant variables and systems during and following an accident.
Because TVA has provided adequate justification in the FSAR for any deviations from the RG, the staff concludes that TVA's proposed accident monitoring instrumentation is acceptable.
7.5.2.2 Common Qualified Platform-Postaccident Monitoring System Overview The Common Qualified (Common Q) platform is an application framework consisting of a set of commercial-grade hardware and previously developed software components dedicated and qualified for use in nuclear power plants. The Common Q platform was developed from the standard Advant Controller 160 (AC160) process control system developed by Asea Brown Boveri (ABB) Automation Products, GmbH, of Europe. A Common Q platform is assembled and configured with plant-specific application software to implement plant-specific applications.
The AC160 software, residing on flash-programmable, read-only memory in the processor module, consists of a realtime operating system, task scheduler, diagnostic functions, communication interfaces and plant-specific application programs.
The application program is created using the ABB Master Programming Language Configuration Control software development environment that includes a function block library for creating specific logic for the application.
Certain commercial development tools are also available to develop custom function blocks (i.e., custom process control elements).
The Watts Bar Nuclear Plant (WBN), Unit 2 postaccident monitoring system (PAMS) application is based on the Common Q platform and developed in accordance with the Common Q Software Program Manual (SPM; Westinghouse Topical Report WCAP-1 6096-NP-A, Revision 1A, "Software Program Manual for Common Q Systems," dated December 2004, is the latest version).
This is different from the inadequate core cooling (ICC) monitor system used on WBN Unit 1. The Common Q platform is based on two previously approved topical reports, as described below.7-43 Common Q Topical Report Licensing History On June 5, 2000, Westinghouse Electric Company, LLC (WEC) (formerly Combustion Engineering (CE) Nuclear Power (NP)-CENP) submitted Topical Report CENPD-396-P, Revision 1, "Common Qualified Platform" (Agencywide Documents Access and Management System (ADAMS) Accession No. ML003721613), to the U.S. Nuclear Regulatory Commission (NRC) for review. The topical report described the design of the Common Q platform for safety-related instrumentation and control (I&C) applications in nuclear power plants. The Common Q Platform topical report contained four appendices, three of which contained system descriptions and a failure modes and effects analysis (FMEA).* Appendix 1, "Common Qualified Platform, Post Accident Monitoring System"* Appendix 2, "Common Qualified Platform, Core Protection Calculator System"* Appendix 3, "Common Qualified Platform, Digital Plant Protection System"* Appendix 4, "Common Qualified Platform, Integrated Solution" On August 11, 2000, the NRC staff issued a safety evaluation (SE) for the acceptability of referencing Topical Report No. CENPD-396-P, Revision 1 (ADAMS Accession No. ML003740165) that identified generic open items (GOls), one of which was that plant-specific FMEAs were required (see below supplemental safety evaluation report (SSER)Section 7.5.2.2.3.4.2.6, "FMEA").By letter dated May 11, 2001, WEC submitted additional information to close out four of the GOIs (GOIs 7.4, 7.7, 7.9, and 7.10). The staff subsequently issued the first supplemental SE that addressed those four GOIs by letter dated June 22, 2001 (ADAMS Accession No. ML011690170).
By letter dated August 14, 2002, WEC submitted supplemental information for review by the NRC staff to (1) close five more GOIs from the review of the Common Q digital I&C platform and (2) approve proposed changes to Common Q Topical Report CENPD-396-P, the SPM, and Appendices 1 and 2.A remaining GOI (i.e., plant-specific Action Item Number 6.10) stated that a licensee implementing any Common Q Platform applications must prepare its plant-specific model for the design to be implemented and perform the FMEA for the application (see SSER Section 7.5.2.2.3.4.2.6).
The last approved versions of the Common Q platform topical report, both proprietary and nonproprietary versions, were submitted by letter dated May 23, 2003 (ADAMS Accession No. ML031820482), and are listed below with their ADAMS accession numbers (versions ending in "-P-A" are not publicly available; versions ending in "-NP-A" are public versions).
In its letter dated May 23, 2003, WEC also changed the Common Q topical report document number from CENPD-396 to WCAP-1 6097.0 WCAP-16097-P-A, Revision 0 (ML031830959)
- WCAP-16097-P-A, Appendix 1, Revision 0 (ML031830507)
- WCAP-16097-P-A, Appendix 2, Revision 0 (ML031830889)
- WCAP-16097-P-A, Appendix 3, Revision 0 (ML031830895) a WCAP-16097-P-A Appendix 4, Revision 0 (ML031830904)
- WCAP-16097-NP-A, Revision 0 (ML031820484) 7-44
- WCAP-16097-NP-A, Appendix 1, Revision 0 (ML031820736)
- WCAP-16097-NP-A, Appendix 2, Revision 0 (ML031820738)
- WCAP-16097-NP-A, Appendix 3, Revision 0 (ML031820741)
- WCAP-16097-NP-A, Appendix 4, Revision 0 (ML031820743)
Software Program Manual Topical Report Licensing History As stated in the WEC letter dated June 5, 2000, the original version of the Common Q topical report (CENPD-396-P, Revision 0, "Common Qualified Platform," and CE-CES-195-P, Revision 0, "Software Program Manual for Common Q Systems")
was submitted by letter dated March 4, 1999. During the NRC staff's review, WEC developed a revision in response to the staffs requests for additional information.
The revised SPM, CE-CES-195, Revision 1 (ADAMS Accession No. ML003721618) was submitted with the WEC letter dated June 5, 2000. The NRC staff approved the revised SPM in its SE dated August 11, 2000 (ADAMS Accession No. ML003740165).
WEC submitted a third version of the SPM on August 14, 2002, with two different document numbers (WCAP-16096-NP-A, Revision 0, and CE-CES-195-NP-A, Revision 2). The NRC staff approved this topical report in an SE dated February 24, 2003 (ADAMS Accession No. ML030550776).
WEC submitted a fourth version, WCAP-16096-NP-A, Revision 1 of the SPM on January 29, 2004 (ADAMS Accession No. ML040360115).
On September 28, 2004, the NRC staff issued its SE approving the fourth version (ADAMS Accession No. ML042730580).
On January 21, 2005, WEC transmitted the accepted (fifth) version of the topical report, WCAP-16096-NP-A, Revision IA (ADAMS Accession No. ML050350234) to the NRC.Subsequently, WEC changed the Common Q SPM document number from CE-CES-1 95 to WCAP-16096 (ADAMS Accession No. ML031820482).
The last approved version of WCAP16096-NP-A, which is Revision 1A, was submitted by letter dated January 21, 2005 (ADAMS Accession No. ML050350234).
Common Q Postaccident Monitoring System Licensing Limitations The latest version of the NRC-approved Common Q topical report (ADAMS Accession No. ML031830959, not publicly available) contains the three SEs (transmitted by letters dated August 11, 2000, June 22, 2001, and February 24, 2003) immediately following the cover of the topical report. Section 4.4.1 of the first SE included an evaluation of the topical report appendix on PAMS: The staff reviewed the FMEA prepared.. .for the PAMS design and finds that a similar approach may be used by a licensee implementing a PAMS design when preparing its specific model and the FMEA. This is plant-specific action item 6.10....the staff noted that the FPDS may halt in a common mode failure due to an unresolved error report in the QNX operating history. CENP has not analyzed the case of the common-mode failure of the two PAMS channels.
Licensees 7-45 implementing a PAMS design shall demonstrate that the system complies with the criteria for defence against common-mode failure by analyzing the common-mode failure of both PAMS channels .... This is plant-specific action item 6.10.The staff finds that the acceptability of the PAMS design is highly dependent upon the final resolution of the generic open items and plant specific items that relate to the PAMS Implementation.
Some plants may be more dependent upon the continuous operation of the FPDS than others. On the basis of the above review, the staff concludes that Appendix 1 does not contain sufficient Information to establish the generic acceptability of the proposed PAMS design.The staff will review the resolution of the above-mentioned findings and, therefore, the acceptability of a PAMS implementation on a plant-specific basis.In addition to the limitation explicitly mentioned above, which was derived from the Common Q topical report and the associated PAMS appendix, each licensee must demonstrate that the plant design meets its design and licensing basis. Effectively, each licensee must explain how each applicable design and licensing-basis requirement is addressed by any proposed Common Q PAMS. Before addressing each design and licensing basis requirements, the licensee must first explain what the design and licensing basis is for its particular PAMS.Institute of Electrical and Electronics Engineers (IEEE) Standard (Std.) 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," Clause 4 identifies certain aspects that the documentation of the design basis must include.References in SSER Section 7.5.2.2 to the WBN Unit 2 final safety analysis report (FSAR) refer to FSAR Amendment 103, dated March 15, 2011, unless otherwise noted.7.5.2.2.1 Introduction The regulatory requirements for the WBN Unit 2 Common Q PAMS are listed below in SSER Section 7.5.2.2.2, "Regulatory Evaluation," and the guidance for acceptably meeting the regulations is listed in SSER Section 7.5.2.2.3, "Technical Evaluation." The detailed evaluation of the WBN Unit 2 Common Q PAMS against the applicable regulations and guidance is documented in specific subsections below.The WBN Unit 2 Common Q PAMS provides safety-related instrumentation to detect the approach to, the existence of, and the recovery from an ICC event and to display such information to the operator in the control room. The WBN Unit 2 Common Q PAMS is based on the requirements in the Common Q topical report PAMS Appendix 1,8 WCAP-16097-P-A, with one significant difference.
The WBN Unit 2 Common Q PAMS deploys a different design for reactor vessel level monitoring (the reactor vessel level indication system (RVLIS)) from that described in the Common Q topical report. The Common Q topical report describes a reactor vessel level monitoring system (RVLMS) using heated junction thermocouple technology.
The WBN Unit 2 Common Q PAMS employs a reactor vessel level monitoring function based on the requirements and instrumentation used at WBN. The WBN Unit 2 Common Q PAMS monitors three reactor vessel differential pressure inputs: (1) upper range differential pressure The SE for the Common Q topical report (ADAMS Accession No. ML003740165) (page 56, SE Section 4.4.13, "PAMS Evaluation")
stated that "the staff concludes that Appendix I does not contain sufficient information to establish the generic acceptability of the proposed PAMS design." 7-46 (2) lower range differential pressure (3) dynamic range differential pressure The differential pressure inputs are used to measure reactor coolant level in the vessel.7.5.2.2.2 Regulatory Evaluation The regulatory requirements applicable to accident monitoring instrumentation include the following:
- 10 CFR 50.55a(a)(1) requires that structures, systems, and components be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
- 10 CFR 50.55a(h) requires compliance with IEEE Std. 603-1991 and the correction sheet dated January 30, 1995.* 10 CFR 50.34(f), or equivalent Three Mile Island (TMI) action plan requirements imposed by orders, states that, for applicants under Title 10 of the Code of Federal Regulations (10 CFR) Part 50 not listed in 10 CFR 50.34(f), the applicable provisions of 10 CFR 50.34(f) will be made a requirement during the licensing process. The following portions of 10 CFR 50.34(f) apply to the WBN Unit 2 Common Q PAMS: Paragraph (2)(v): "Provide for automatic indication of the bypassed and operable status of safety systems. (I.D.3)." Paragraph (2)(xviii): "Provide instruments that provide in the control room an unambiguous indication of inadequate core cooling, such as primary coolant saturation meters in PWR's, and a suitable combination of signals from indicators of coolant level in the reactor vessel and in-core thermocouples in PWR's and BWR's. (II.F.2)." Paragraph (2)(xix): "Provide instrumentation adequate for monitoring plant conditions following an accident that includes core damage. (II.F.3)." The regulation at 10 CFR 50.34(a)(3)(i) requires that the preliminary design of a facility include the principle design criteria for the facility.
The Tennessee Valley Authority (TVA) described the design criteria for WBN Unit 2 in FSAR Section 3.1, "Conformance with NRC General Design Criteria." These refer to the general design criteria (GDC) of Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, "Domestic Licensing of Production and Utilization Facilities." The WBN Unit 2 design criteria applicable to the Common Q PAMS, as stated in FSAR Section 3.1.2.1, are identified below.* Criterion 1-Quality Standards and Records Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
Where generally recognized codes and standards are used, 7-47 they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function.
A Quality Assurance Program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety function.
Appropriate records of the design, fabrication, erection and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.Criterion 2-Design Bases for Protection Against Natural Phenomena Structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions.
The design bases for these structures, systems, and components shall reflect: (1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) Appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena, and (3) The importance of the safety functions to be performed.
- Criterion 4-Environmental and Missile Design Bases Structures, systems, and components important to. safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents (LOCAs). These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit.Criterion 13-Instrumentation and Control Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.7-48 Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.FSAR Chapter 15, "Accident Analyses," describes core exit thermocouples (CETs) and primary system subcooling in relation to potential accidents, as described, for example, in part, below.Section 15.2.3: Rod cluster control assembly (RCCA) misalignment Core exit thermocouples can be used to detect a dropped RCCA or RCCA bank or misaligned RCCAs.Section 15.4.3: Steam Generator Tube Rupture After a steam generator tube rupture, cooldown of the primary system to a prescribed subcooled margin is required in accordance with plant Emergency Operating Procedures.
However, FSAR Chapter 15 does not describe how postaccident monitoring instrumentation is used for monitoring after the accidents.
7.5.2.2.3 Technical Evaluation The NRC staff reviewed the WBN Unit 2 Common Q PAMS because it is unique to WBN Unit 2.NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants" (SRP), Section 7.5, Revision 5, "Information Systems Important to Safety," contains guidance and references to current staff positions that provide ways acceptable to the staff for meeting the applicable regulatory requirements.
In addition, SRP Branch Technical Position (BTP) 7-10, Revision 5, "Guidance on Application of Regulatory Guide 1.97," contains current staff positions on postaccident monitoring instrumentation.
In Attachment 4, "Common Q PAMS Regulatory Guide and IEEE Standard Analysis," to its letter dated February 25, 2011 (ADAMS Accession No. ML1 10620219), TVA provided a comparison between the regulatory guidance used for the WBN Unit 2 Common Q PAMS, and that listed in the SRP. The staff evaluated TVA's comparison to each regulatory criterion, as described below.Regulatory Guide 1.29, "Seismic Design Classification" The WBN Unit 2 FSAR references Regulatory Guide (RG) 1.29, Revision 3, "Seismic Design Classification," issued September 1978. The Common Q PAMS was designed to meet the requirements of RG 1.29, Revision 3. The current regulatory guidance is RG 1.29, Revision 4, issued March 2007. As described in its letter dated February 25, 2011, TVA performed an analysis and concluded that the Common Q PAMS equipment fully meets the requirements of RG 1.29, Revisions 3 and 4. The staff's evaluation of the Common Q PAMS equipment compared to the environmental criteria is addressed in SSER Section 7.5.2.2.3.5,"Environmental Equipment Qualifications." RG 1.29, Revision 4 is used, in part, to address WBN Unit 2 Design Criterion 2, "Design Basis for Protection against Natural Phenomena." Based upon the evaluation documented in SSER Section 7.5.2.2.3.5, the NRC staff concludes that the Common Q PAMS meets the criteria of RG 1.29, Revision 4 and is acceptable.
7-49 Regulatory Guide 1.53 The WBN Unit 2 FSAR references RG 1.53, Revision 0, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," issued June 1973. The Common Q PAMS was designed to meet the requirements of RG 1.53, Revision 0. The current revision is Revision 2, issued November 2003. TVA performed an analysis and concluded that the Common Q PAMS equipment fully meets the requirements of RG 1.53, Revision 0 and Revision 2. The detailed evaluation of the Common Q PAMS equipment against the single-failure criterion is addressed in SSER Section 7.5.2.2.3.9.2.1, "Clause 5.1 Single Failure Criterion." RG 1.53, Revision 2 is used to address IEEE Std. 603-1991, Clause 5.1, "Single Failure Criterion." Based on the evaluation documented in SSER Section 7.5.2.2.3.9.2.1, the staff concludes that the Common Q PAMS meets the criteria of RG 1.53, Revision 2, and is acceptable.
IEEE Std. 279-1971 and IEEE Std. 603-1991 The WBN Unit 2 FSAR references IEEE Std. 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations." The Common Q PAMS was designed to meet the requirements of IEEE Std. 603-1991.
TVA performed an analysis and concluded that the Common Q PAMS equipment does not need to meet either of these requirements.
In its letter dated February 25, 2011, TVA stated the following:
The first of the two standards, IEEE-279, is part of the design basis of WBN2 but is not relevant to Common Q PAMS. The second standard, IEEE-603-1991 is not part of the design basis for the Common Q PAMS system for WBN2.SRP Section 7.5, Revision 5 identifies IEEE Std. 603-1991 as being applicable to accident monitoring instrumentation.
Based on its review of this item, the staff has the following open items: TVA should provide to the staff either information that demonstrates that the WBN Unit 2 Common Q PAMS meets the applicable requirements in IEEE Std. 603-1991, or justification for why the Common Q PAMS should not meet those requirements.
This is Open Item 94 (Appendix HH).S WTVA should update FSAR Table 7.1-1, "Watts Bar Nuclear Plant NRC Regulatory Guide Conformance," to reference IEEE Std. 603-1991 for the WBN Unit 2 Common Q PAMS.This is Open Item 95 (Appendix HH).IEEE Std. 379-1972 and IEEE Std. 379-1988 The WBN Unit 2 FSAR references IEEE Std. 379-1972 or 379-1988 (as noted in the FSAR),"Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems." WEC designed the Common Q PAMS to meet the single-failure criteria but did not perform a single-failure analysis in accordance with the normative material of IEEE Std. 379, in part because the design-basis events could not be specified in a topical report. IEEE Std. 379-2000 is the current revision of this standard and is endorsed by the NRC in RG 1.53, Revision 2. TVA performed an analysis and concluded that the Common Q PAMS equipment fully meets the intent (i.e., meets the single-failure criterion) of the WBN Unit 2 design-basis requirement of IEEE Std. 379-1988, and that the differences from IEEE Std. 379-2000 are not 7-50 applicable to Common Q PAMS. TVA did not docket an analysis of the Common Q PAMS in accordance with the normative material of IEEE Std. 379; however, IEEE Std. 379-2000 is used to address IEEE Std. 603-1991, Clause 5.1. The detailed evaluation of the Common Q PAMS equipment against the single-failure criterion is addressed in Section 7.5.2.2.3.9.2.1 of this SSER, "Clause 5.1 Single Failure Criterion." Based on the evaluation documented in SSER Section 7.5.2.2.3.9.2.1, the staff concludes that the Common Q PAMS meets the criteria of IEEE Std. 379-2000 and is acceptable.
Recqulatory Guide 1.75, "Physical Independence of Electric Systems" In Attachment 3 to its letter dated February 25, 2011, TVA stated the following:
The Watts Bar Project licensing basis is Regulatory Guide 1.75 rev 2 (Sep 1978)and IEEE-384-1981
-but this only applies to the Eagle 21 Reactor Protection System. The Westinghouse Common Q PAMS was designed to meet the requirements of Reg. Guide 1.75 rev 2 (Sep 1978) and IEEE-384-1992'.
Note that WBN2 is not committed in complying with Reg. Guide 1.75.Since WBN2 is not committed to Reg. Guide 1.75 or IEEE-384, no comparison is required.RG 1.75, Revision 3, "Physical Independence of Electric Systems," issued February 2005, and IEEE Std. 384-1992, "IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits," are used, in part, to address IEEE Std. 603-1991, Clause 5.6.1. The detailed evaluation of the Common Q PAMS equipment against the independence criterion is addressed in SSER Section 7.5.2.2.3.9.2.5, Clause 5.6, "Independence." Based on the evaluation documented in SSER Section 7.5.2.2.3.9.2.5, the staff concludes that the Common Q PAMS meets the criteria of IEEE Std. 603-1991, Clause 5.6.1 and is acceptable.
Regulatory Guide 1.89 (Harsh Environment)
The WBN Unit 2 FSAR references RG 1.89, Revision 1, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants," issued June 1984. The Common Q PAMS was designed to meet the requirements of RG 1.89, Revision 1, which is also the current staff position for harsh environments. (RG 1.209, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," issued March 2007, is the current staff position for mild environments.)
The detailed evaluation of the Common Q PAMS equipment against the environmental criteria is addressed in SSER Section 7.5.2.2.3.5.
RG 1.89, Revision 1 is used, in part, to address WBN Unit 2 Design Criterion
- 2. Based on the evaluation documented in SSER Section 7.5.2.2.3.5, the staff concludes that the Common Q PAMS meets the criteria of RG 1.89, Revision 1, and is acceptable.
IEEE Std. 323-1974 (Harsh Environment)
The WBN Unit 2 FSAR references IEEE Std. 323-1971, "IEEE Trial-Use Standard:
General Guide for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations," and IEEE Std. 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations." The current staff position (for harsh environments) endorses IEEE Std. 323-1974.
The Common Q PAMS was designed to meet the requirements of IEEE Std. 323-1983, "IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations." Based on a statement in the forward of IEEE Std. 323-1983 that "this 7-51 revision to IEEE Std. 323-1974 was made to clarify its requirements and imposes no additional requirements for qualifying Class 1 E equipment," TVA did not perform a detailed comparison for WBN Unit 2. The detailed evaluation of the Common Q PAMS equipment against the environmental criteria is addressed below in SSER Section 7.5.2.2.3.5.
TVA used IEEE Std. 323-1974, in part, to address WBN Unit 2 Design Criterion
- 2. Based on the evaluation documented in SSER Section 7.5.2.2.3.5, the staff concludes that the Common Q PAMS meets the criteria of IEEE Std. 323-1974, and is acceptable.
Re-gulatory Guide 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants" The WBN Unit 2 FSAR references RG 1.100, Revision 1, "Seismic Qualification of Electrical Equipment for Nuclear Power Plants," issued August 1977. The Common Q PAMS was designed to meet the requirements of RG 1.100, Revision 2, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants," issued June 1988. RG 1.100, Revision 3, issued September 2009, is the current revision of this guide and is endorsed by the NRC.RG 1.100, Revision 3 endorses IEEE Std. 344-2004, "IEEE Recommended Practice for Seismic Qualification of Class 1 E Equipment for Nuclear Power Generating Stations," and American Society of Mechanical Engineers (ASME) QME-1-2007, "Qualification of Active Mechanical Equipment Used in Nuclear Power Plants." Because the Common Q is electrical equipment, ASME QME-1-2007 is not applicable to the Common Q PAMs. In Attachment 4 to its letter dated February 25, 2011, TVA stated that the Common Q PAMS equipment fully meets RG 1.100, Revision 0, issued March 1976, and is compliant with Revision 3, with the exception of testing above 33 hertz (Hz), which is not applicable to Watts Bar. The NRC staff's detailed evaluation of the Common Q PAMS equipment against the environmental criteria is addressed in SSER Section 7.5.2.2.3.5.
RG 1.100, Revision 1 is used, in part, to address WBN Unit 2 Design Criterion
- 2. Based on its review of this item, the NRC staff has the following open item: S TVA should (1) update FSAR Table 7.1-1 to include RG 1.100, Revision 3 for the Common Q PAMS, or (2) demonstrate that the Common Q PAMS is in conformance with RG 1.100, Revision 1, or (3) provide justification for not conforming.
This is Open Item 96 (Appendix HH).Regulatory Guide 1.153 The WBN Unit 2 FSAR references RG 1.153, Revision 0, "Criteria for Safety Systems," issued December 1985. The Common Q PAMS is designed to meet the requirements of RG 1.153, Revision 1, issued June 1996. In Attachment 4 to its letter dated February 25, 2011, TVA stated the following:
The subject Regulatory Guides [RG 1.153, Revisions 0 and 1] endorse and reference other standards.
Common Q PAMS has been evaluated to comply with the requirements of these other endorsed standards
([Comparison report in this letter titled "IEEE Std. 279-1971 to IEEE Std. 603-1991 Comparison"]).
Therefore no additional analysis needs to be performed and no further action is necessary.
However, the "Comparison report titled "IEEE Std. 279-1971 to IEEE Std. 603-1991 Comparison" stated the following:
7-52 The first of the two standards, IEEE Std. 279, is part of the design basis of WBN Unit 2 but is not relevant to Common Q PAMS. The second standard, IEEE Std. 603-1991 is not part of the design basis for the Common Q PAMS for WBN Unit 2.Based on the reasoning quoted above, the staff concludes that TVA did not evaluate the Common Q PAMS against the criteria of RG 1.153, Revision 1; therefore, the staff has the following open item (see also Open Items 94 and 95 above): TVA should demonstrate that the WBN Unit 2 Common Q PAMS is in conformance with RG 1.153, Revision 1 or provide justification for not conforming.
This is Open Item 97 (Appendix HH).Regulatory Guide 1.152 The WBN Unit 2 FSAR references RG 1.152, Revision 0, "Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants," issued November 1985. The Common Q PAMS was designed to meet the requirements of RG 1.152, Revision 1, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," issued January 1996. RG 1.152, Revision 2, issued January 2006, is the current revision of this guide and is endorsed by the NRC. In Attachment 4 to its letter dated February 25, 2011, TVA stated the following:
RG 1.152 rev 2 endorses ANSI/IEEE Std. ANS-7-4.3.2-2003, but also provides extra regulatory guidance concerning computer based cyber security.
Since this revision was not part of the design basis of WBN Unit 2 or Common Q PAMS, the project makes no commitment to the compliance of RG 1.152 rev 2.Based on the review of this item, the NRC staff has the following open item: TVA should demonstrate that the WBN Unit 2 Common Q PAMS is in conformance with RG 1.152, Revision 2, or provide justification for not conforming.
This is Open Item 98 (Appendix HH).IEEE Std. 7-4.3.2-2003 The WBN Unit 2 FSAR references IEEE 7-4.3.2-1982, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," as endorsed by RG 1.152, Revision 0 for the Eagle 21 system. The current staff position is documented in RG 1.152, Revision 2, which endorses IEEE Std. 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," as an acceptable method for using digital computers to meet IEEE Std. 603-1991.
Based on the review of this item, the NRC staff has the following open item: TVA should update FSAR Table 7.1-1 to reference IEEE 7-4.3.2-2003 as being applicable to the WBN Unit 2 Common Q PAMS. This is Open Item 99 (Appendix HH).The Common Q PAMS was designed to meet the requirements of IEEE 7-4.3.2-1993 as endorsed by RG 1.152, Revision 1. WVA evaluated the Common Q PAMS and determined that it meets the applicable requirements of IEEE 7-4.3.2-1993.
7-53 The NRC staffs detailed evaluation of the Common Q PAMS equipment against the digital computer criteria is addressed in SSER Section 7.5.2.2.3.10, "Review IEEE 7-4.3.2 Criteria for Digital Computers." IEEE Std. 7-4.3.2-2003, as endorsed by RG 1.152, Revision 2, is used, in part, to address IEEE Std. 603-1991.
Based on the evaluation documented in SSER Section 7.5.2.2.3.10, the staff concludes that the Common Q PAMS meets the criteria of IEEE Std. 7-4.3.2-2003 and is acceptable.
Regulatory Guide 1.168 The WBN Unit 2 FSAR does not reference RG 1.168, IEEE Std. 1012, or IEEE Std. 1028.BTP 7-14 indentifies RG 1.168, Revision 1, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," issued February 2004, as an acceptable means of conforming to regulations with respect to verification and validation (V&V). RG 1.168, Revision 1 endorses, with clarifications, IEEE Std. 1012-1998,"IEEE Standard for Software Verification and Validation," and IEEE Std. 1028-1997, "IEEE Standard for Software Reviews." The current staff positions are documented in RG 1.168, Revision 1, IEEE 1012-1998; and IEEE 1028-1997.
Based on its review of this item, the NRC staff has the following open item: TVA should update FSAR Table 7.1-1 to reference RG 1.168, Revision 1, IEEE Std. 1012-1998, and IEEE 1028-1997 as being applicable to the WBN Unit 2 Common Q PAMS. This is Open Item 100 (Appendix HH).The Common Q PAMS was designed and implemented in accordance with the SPM, which was found by the NRC staff to meet the requirements of RG 1.168, Revision 0, issued September 1997; IEEE Std. 1012-1986, "IEEE Standard for Software Verification and Validation Plans"; and IEEE Std. 1028-1988, "IEEE Standard Software Reviews and Audits." (See NRC reports (1) "Safety Evaluation by the Office of Nuclear Reactor Regulation CE Nuclear Power Topical Report CENPD-396-P
'Common Qualified Platform' Project No. 692," issued August 2000, Section 4.3.1 .j, "Software Verification and Validation Plan" (ADAMS Accession No. ML003740165), and (2) WCAP-16096-NP-A, "Software Program Manual for Common Q Systems," Revision 1A, NRC safety evaluation incorporated into the document, Section 2,"Regulatory Evaluation" (ADAMS Accession No. ML050350234)).
Based on its review of this item, the staff has the following open item:* TVA should demonstrate that the WBN Unit 2 Common Q PAMS application software is in conformance with RG 1.168, Revision 1 or provide justification for not conforming.
This is Open Item 101 (Appendix HH).Regulatory Guide 1.209 (Mild Environment)
The WBN Unit 2 FSAR does not reference Regulatory Guide 1.209, which endorses IEEE Std. 323-2003, "IEEE Standard for Qualifying Class 1 E Equipment for Nuclear Power Generating Stations." TVA did not perform a comparison evaluation of the Common Q PAMS with the criteria in RG 1.209. Based on its review, the NRC staff has the following open items: TVA should update FSAR Table 7.1-1 to reference RG 1.209 and IEEE Std. 323-2003 as being applicable to the WBN Unit 2 Common Q PAMS. This is Open Item 102 (Appendix HH).7-54 TVA should demonstrate that the WBN Unit 2 Common Q PAMS conforms to RG 1.209 and IEEE Std. 323-2003 or provide justification for not conforming.
This is Open Item 103 (Appendix HH).IEEE Std. 323-2003 (Mild Environment)
WVA did not provide a comparison evaluation of Common Q PAMS to the criteria in IEEE Std. 323-2003. (See Open Item 103 above.)7.5.2.2.3.1
System Description
TVA described the Common Q PAMS in WNA-LI-00058-WBT-P, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," Revision 3, issued March 2011, which it provided as Attachment 2 to its letter dated March 31, 2011 (ADAMS Accession No. MLI 10950331;Attachment 2 is not publicly available, but Attachment 3 is a public version).
The Common Q PAMS is intended to monitor accident conditions and the approach to ICC and to provide information and data to the plant monitoring computers for use in its control room display. The WBN Unit 2 PAMS comprises two independent and isolated trains. The PAMS includes flat panel displays (FPDs) for the operator's module (OM) and a maintenance and test panel (MTP)in each train. The trains are physically separated and electrically isolated from each other.Each train of the WBN Unit 2 PAMS comprises two AC160 racks, a primary rack and an extension rack. Both of these racks are located in a single cabinet. Each train is contained in a separate cabinet. Attachment 18, "Watts Bar 2 Common Q PAMS Block Diagram," of TVA's letter dated December 3, 2010 (ADAMS Accession No. ML1 03640220), shows the configuration of the WBN Unit 2 Common Q PAMS.For each train, the primary AC160 rack contains a processor module that processes the Common Q PAMS algorithms and a communication interface module for communicating data on the Advant Fieldbus 100 (AF100) safety-related communications bus.The AF1 00 communications bus is used for transferring process data and messages within the channel (e.g., between AC160s and the flat panel display system (FPDS)). The process data are used for monitoring the purposes, and the messages are used for program loading and for diagnostic purposes.The extension rack extends the primary rack backplane to accommodate additional input/output (1/O) modules. The processor module receives all CET, subcooling margin monitor (SMM), and reactor vessel level signals from the input modules that are located in the primary and extension racks. The processor performs input processing and algorithms and sends the outputs to its output cards and over the AF100 to the OM and the MTP. The MTP has an Ethemet port that provides data to the plant computer.The OM will be mounted in the main control room (MCR) and is used to provide various display pages to the operator.
The OM uses the FPDS, which consists of a personal computer (PC)node box, an FPD with touch screen capability, and a standard AF100 communication interface for communication to the processor module. The OM receives the signals that are to be displayed on the FPD from the PAMS processor.
There are two keylock switches at the MTP and one keylock switch at the OM. The function enable (FE) keylock switch (at both the OM and the MTP) is used as the permissive for bypassing of input signals and enabling PAMS channel testing, for changing selected alarm 7-55 setpoints, and to print the current screen. On the OM, the FE keylock switch is not permanently connected.
A connector is provided on the OM PC node box that enables the FE keylock switch to be installed for maintenance activities.
The software load enable (SLE) keylock switch (only on the MTP) is used to enable booting of the PC node box into Microsoft Windows for using the AC160 software load tools to load software and read diagnostic buffers.7.5.2.2.3.2 Hardware Development Process The following regulatory requirements are applicable to the review of digital I&C upgrades with respect to the hardware development process: 10 CFR 50.55a(a)(1) states that "Structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed."* 10 CFR 50.55a(h)(3) states that "Applications filed on or after May 13, 1999,...must meet the requirements for safety systems in IEEE Std. 603-1991, and the correction sheet dated January 30, 1995." IEEE Std. 603, Clause 5.3 requires that components and modules be of a quality that is consistent with minimum maintenance requirements and low failure rates, and that safety system equipment be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance (QA)program.In addition, FSAR Section 3.1, WBN Unit 2 Design Criterion 1, "Quality Standards and Records," states that "Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed." Based on the above regulatory requirements, the hardware development process should be of high quality. The hardware modules for Common Q were not developed under an Appendix B,"Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 program but were commercially dedicated.
Commercial grade dedication (CGD) is addressed in SSER Section 7.5.2.2.3.2.1, "Commercial Grade Dedication." The integration of the commercially dedicated hardware with software into the WBN Unit 2 Common Q PAMS application is addressed in SSER Section 7.5.2.2.3.4, "Software Development Process." 7.5.2.2.3.2.1 Commercial Grade Dedication SRP Appendix 7.0-A, Revision 5, "Review Process for Digital Instrumentation and Control Systems," Section H, "Review of the Acceptance of Commercial-Grade Digital Equipment" (page 7.0-A-14), contains guidance to the NRC staff for the review of commercial equipment and references RG 1.152, Revision 2. RG 1.152, Revision 2 endorses IEEE Std. 7-4.3.2-2003,"Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." IEEE Std. 7-4.3.2-2003, Clause 5.4.2 defines qualification of existing commercial computers for use in safety-related applications in nuclear power plants. SRP Appendix 7.1-D,"Guidance for Evaluation of the Application of IEEE Std. 7-4.3.2," issued March 2007, 7-56 Section 5.4.2, "Qualification of Existing Commercial Computers," provides acceptance criteria for equipment qualifications, in accordance with IEEE 7-4.3.2, Clause 5.4.2. This section states that Electric Power Research Institute (EPRI) TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications," issued October 1996, and EPRI TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC for Safety-Related Applications in Nuclear Power Plants," issued December 1996, provide specific guidance for the evaluation of commercial-grade digital equipment and existing programmable logic controllers (PLCs).The CGD process that was used for the WBN PAMS is described in Section 7 of WNA-LI-00058-WBT-P, Revision 3, which TVA provided as Attachment 2 to its letter dated March 31, 2011 (ADAMS Accession No. ML110950331).
This CGD process was used to qualify certain hardware and software components of the Common Q PAMS that were not developed under the WEC 10 CFR Part 50, Appendix B programs for use at WBN Unit 2. The CGD process is based on the WEC quality management system as a level 2 process by implementing procedure WEC 7.2, "Dedication of Commercial Grade Items." The objective of WEC 7.2 is to provide reasonable assurance that commercial grade components of the WBN Unit 2 Common Q PAMS will perform their intended safety functions when called upon to do so and that the quality levels achieved for these dedicated components is equivalent to items that are manufactured and provided under a 10 CFR Part 50, Appendix B program.Section 10 of the Common Q platform topical report (ADAMS Accession No. ML031820484), which is referenced by the licensing technical report (LTR; Westinghouse Electric Company WNA-LI-00058-WBT-P, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," Revision 3, dated March 2011; Attachment 2 of TVA's letter dated March 31, 2011, not publicly available, Attachment 3 is a public version) for WBN Unit 2, provides a description of the generic CGD program used for commercial-grade hardware and software components of the Common Q platform.The NRC performed two audits of the WEC CGD activities:
- September 20-21, 2010 (audit report at ADAMS Accession No. ML1 03400599)February 28-March 4, 2011 (audit plan and report at ADAMS Accession Nos. ML1 10270238 and MLI 10691232, respectively; not publicly available)
During the first audit, the staff traced a sample of generic critical characteristics through the generic CGD documentation.
Based on its audit, the staff concluded that WEC has a detailed, thorough, and proprietary process, which is described in detail in Section 7 of the LTR.The NRC staff determined that WEC did not have documentation on how the WBN Unit 2 critical characteristics were explicitly addressed by the generic components.
The NRC staff requested that TVANWEC confirm by evaluation that the WBN Unit 2 requirements for commercial items are enveloped by the generic qualification of those items (e.g., see the last paragraph of EPRI TR-107330, Section 1.1, "Background").
Section 12, "TVA Contract Compliance Matrix," and Section 13, "Origin Tracing of WBN Unit 2 Common Q PAMS System Requirements Specification," of the LTR include a description of how the WBN Unit 2 requirements are implemented using the commercial components.
The second audit activity involved examining the documentation produced as a result of the CGD activities, as well as direct observation of these activities.
The NRC staff interviewed 7-57 several key WEC personnel who are involved in the performance of these activities.
During this audit, several WBN Unit 2 requirements, which were being met via the use of commercial-grade hardware and software, were sampled for tracing through the process. Based on the examination of the CGD process, the staff concluded that the process was consistent with the CGD procedures and processes described in the WBN Unit 2 Common Q PAMS LTR (Attachment 2 to TVA's letter dated March 31, 2011).The NRC staff examined the WEC procedure used for developing commercial dedication instructions, as well as the most recent CGD survey report for the software operating system supplier, QNX Software Systems. No discrepancies or inconsistencies were identified.
The NRC staff used the CGD process descriptions in the Common Q topical report and LTR, in addition to the understanding gained during the two audits, to evaluate the CGD process compared to the regulatory criteria.
The NRC staff determined that the CGD process is documented and is performed in accordance with the documented process.The CGD process followed is in two parts: (1) commercial components are dedicated to specified criteria, and (2) during the application development process, the components and their associated critical characteristics are evaluated for suitability to a particular application.
The staff examined the process by tracing threads (i.e., following selected components through the process) during its second audit. The NRC staff concluded that the dedication of commercial components used in the WBN Unit 2 Common Q PAMS application provides reasonable assurance that the commercial components conform to their associated critical characteristics and, therefore, meets regulatory requirements.
7.5.2.2.3.3 Software Architecture The acceptance criteria for the software architecture description are contained in the SRP, BTP 7-14, Section B.3.3.2, "Design Activities-Software Architecture Description (SAD)." The BTP states that the software architecture description should describe all of the characteristics listed, and that NUREG/CR-6101, "Software Reliability and Safety in Nuclear Reactor Protection Systems," issued June 1993, Section 3.3.1 "Hardware and Software Architecture," and Section 4.3.1, "Hardware/Software Architecture Specification," contain relevant guidance.The overview of the AC160 and FPDS operating systems is provided in the Common Q topical report (ADAMS Accession No. ML031830959, not publicly available) and the CGD report for the operating system software for the FPD (ADAMS Accession No. ML003733136, not publicly available), respectively.
Westinghouse provided these to the NRC by letters dated May 23, 2003 (ADAMS Accession No. ML031820482) and June 20, 2000 (ADAMS Accession No. ML003726208), respectively.
By letter dated March 12, 2010 (ADAMS Accession No. ML101680576, not publicly available), TVA stated that the application-specific hardware and software architecture descriptions are addressed in the WBN Unit 2 Common Q PAMS system design specification (ADAMS Accession Nos. ML101680579 and ML102040481, not publicly available) and software requirements specification (SRS) (ADAMS Accession Nos.ML101050202 and ML102040486, not publicly available).
The architecture of the platform software was described and evaluated in the Common Q topical report (ADAMS Accession No. ML031830959, not publicly available), which was approved by the NRC staff. This system architecture allows function blocks to be arranged and configured on the AC160. During application development, the outputs from the AC160 can be hardwired or sent to the FPDS via AF1 00 bus. Once information is in the FPDS, it can be displayed using standard displays or application-specific displays.7-58 The WBN Unit 2 Common Q PAMS application software architecture is described and depicted in the WBN Unit 2 Common Q PAMS system requirements specification (SysRS) and the SRS;the three major Common Q PAMS functions (SMM, CET, and RVLIS) are each accomplished by a group of function blocks that were specifically developed for the Common Q PAMS or the WBN Unit 2 RVLIS. Important alarms are hardwired from the AC160 to annunciators, and additional information is available on FPDS displays.The staff reviewed the WBN Unit 2 Common Q PAMS application architectural information and concluded that it clearly describes the system's components and associated interconnections in sufficient detail to allow an understanding of how the components work together to accomplish the safety functions; therefore, the architectural description meets the regulatory criteria contained in BTP 7-14, Section B.3.3.2.7.5.2.2.3.4 Software Development Process In addition to 10 CFR 50.55a(a)(1) and WBN Unit 2 Design Criterion 1, the regulatory requirements of 10 CFR 50.55a(h)(3) are applicable to the review of digital I&C upgrades with respect to the software development process at WBN Unit 2:* 10 CFR 50.55a(h)(3) states that "Applications filed on or after May 13, 1999...must meet the requirements for safety systems in IEEE Std. 603-1991 and the correction sheet dated January 30, 1995." IEEE Std. 603, Clause 5.3 requires that components and modules be of a quality that is consistent with minimum maintenance requirements and low failure rates, and that safety system equipment be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed QA program.As described in BTP 7-14, the staffs acceptance of software for safety system functions is based on (1) confirmation that acceptable plans were prepared to control software development activities, (2) evidence that the plans were followed in an acceptable software life cycle, and (3) evidence that the process produced acceptable design outputs. The three main subsections below address each of these aspects.7.5.2.2.3.4.1 Software Planning Documentation BTP 7-14, Section B.3.1, "Acceptance Criteria for Planning," addresses acceptance criteria for planning activities.
The acceptance criteria address specific software development planning activities and products.
These products, when found to be acceptable, provide the reviewer with additional criteria for reviewing the processes and products of subsequent life-cycle activities, as discussed in BTP 7-14, Subsections B.3.2 and B.3.3.As part of the Common Q topical report development effort, WEC developed the "Software Program Manual for Common Q Systems" (ADAMS Accession No. ML050350234) to address documentation of software planning.
The NRC staff reviewed the SPM (ADAMS Accession No. ML003740165, Section 4.3.2, "Summary of the Evaluation of the Life Cycle Planning Process")
and concluded the following:
...the SPM specifies plans that will provide a quality software life cycle process, and that these plans commit to documentation of life cycle activities that will 7-59 permit the staff or others to evaluate the quality of the design features upon which the safety determination will be based. The staff will review the Implementation of the life cycle process and the software life cycle process design outputs for specific applications on a plant-specific basis.The NRC revised RG 1.152 and 1.168 after the staffs approval of the SPM. Open Item Nos. 98 and 101 address the acceptability of the SPM for complying with the guidance of RGs 1.152 and 1.168, respectively (Appendix HH). The remaining RGs used to determine the acceptability of the SPM have not changed, and the processes described in the SPM have not changed; therefore, the staff considers the SPM to be acceptable for these unchanged aspects.WEC provided a summary of the Common Q compliance analysis addressing both the Common Q topical report and the SPM. WEC performed this self-assessment to identify ways in which the SPM is not being followed.
The Common Q PAMS LTR (Attachment 2 to TVA's letter dated March 31, 2011; ADAMS Accession No. ML1 10950333), Section 10.3,"Westinghouse Electric Company Self Assessment of WBN Unit 2 Common Q PAMS Compliance to the SPM," summarizes this self-assessment.
WEC found certain discrepancies and took mitigating actions.The NRC staff updated BTP 7-14 after approval of the SPM. This update included adding an additional plan, the software test plan (STP). The STP plan is evaluated in the section below.7.5.2.2.3.4.1.1 Software Test Plan RG 1.170, "Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," issued September 1997, endorses IEEE Std. 829-1983,"IEEE Standard for Software Test Documentation," and includes additional guidance for the documentation of testing activities (i.e., test planning).
BTP 7-14, Section B.3.1.12, "Software Test Plan (STP)," addresses acceptance criteria for the documentation of planning activities.
The NRC staff used BTP 7-14, Revision 4, in its review and approval of the Common Q SPM for implementing planning activities.
The review guidance on software test planning was added in BTP 7-14, Revision 5.In its final safety evaluation for topical report WCAP-16096-NP-A, Revision 1 (ADAMS Accession No. ML042730580), the NRC stated that "licensees using the Common Q platform for plant-specific applications are required to implement the application software in accordance with the SPM." The Common Q SPM specifies the development of an STP and contains criteria that the plan must meet. WEC developed a generic internal STP (i.e., WNA-PT-00058-GEN, "Testing Process for Common Q Safety Systems," Revision 0), as described in TVA's letter to the staff dated March 31, 2011 (ADAMS Accession No. ML1 10950331).
By letter dated June 18, 2009 (ADAMS Accession No. ML091560352), the NRC staff documented its audit at Westinghouse, which concluded, in part, that "the testing process document [WNA-PT-00058-GEN, Revision 0] serves as an acceptable process control document detailing what tests will be conducted at what point of the hardware and software development process. However the commitments within the SPM describing a testing plan have not been fulfilled by the testing process document." In Attachment 9 to its letter dated December 3, 2010 (ADAMS Accession No. ML1 03640220), TVA provided WNA-PT-00138-WBT, Revision 0, "PAMS System Test Plan," to the staff. However, the staff 7-60 concluded that the PAMS system test plan did not implement the STP requirements of the SPM, as in the following example:* SPM Section 4.3.2.2, "Software Requirements Phase," pages 4-6, states that "A common Q specific test plan shall be developed
[during the software requirements phase] in accordance with [IEEE Std. 829-1998, "IEEE Standard for Software Test Documentation]
Section [4, "Test plan"]." However, the Common Q specific STP was not developed during the requirements phase or in accordance with IEEE Std. 829-1998: Revision 0 of the test plan was issued in November 2010 and identifies no prior draft revision.
Some testing had already been completed by November 2010, and the factory acceptance test procedure was also issued in November 2010.Therefore, the test plan does not document the planning activities that were to occur during the requirements phase.IEEE Std. 829-1998, Section 4.2.3, "Test Items," requires, in part: "Identify the test items including their version/revision level." Version/revisions are not identified in the system test plan; however, versions/revisions are identified in release records, completed test procedures, and test reports.* SPM Section 4.3.2.2, pages 4-6, states that "[A Common Q specific test plan] shall include the following as a minimum: ... Identification of... test cases." The STP does not include test cases in the form specified by IEEE 829-1998; however, the test procedures specify the inputs and associated acceptance criteria (i.e., acceptable outputs) for each test.The staff concludes that the STP (WNA-PT-001 38-WBT, Revision 0) does not demonstrate an acceptable level of test planning and is not in accordance with SRP BTP 7-14, RG 1.170, IEEE Std. 829, or the SPM.The SSER addresses the adequacy of the testing effort in more detail below.7.5.2.2.3.4.2 Software Implementation Documentation BTP 7-14, Revision 5, Section B.3.2, "Acceptance Criteria for Implementation," addresses acceptance criteria for implementation activities.
The acceptance criteria address specific software life cycle process implementation activities and documentation.
These activities and products, when found to be acceptable, provide the reviewer with confidence that the plans have been carded out. BTP 7-14 describes four generic implementation activity documents:
(1) software safety analysis, (2) software V&V reports, (3) software configuration management reports, and (4) testing documentation.
The NRC staff identified aspects of the SPM that were not being followed; WEC subsequently performed self-assessments in four areas: (1) test plan compliance with the SPM (2) test plan compliance with IEEE Std. 829(3) IV&V phase summary report compliance with the SPM (4) test procedures/reports compliance with the SPM 7-61 The results of the WEC self-assessment were reviewed by WEC with the NRC staff on February 2, 2011, and provided to the staff in TVA's letter dated March 31, 2011 (ADAMS Accession No. MLI 10950331).
For each discrepancy that was found, WEC recorded a mitigating action, as well as a suggestion for improvement to prevent the discrepancy from occurring in future projects.
In all cases, either the Common Q PAMS LTR, the revision to the IV&V phase summary report (Attachment 1 to TVA's letter dated March 16, 2011; Westinghouse Electric Company WNA-VR-00283-WBT-P, Revision 4, "Nuclear Automation IV&V Summary Report for the Post Accident Monitoring System," not publicly available; Attachment 2 to TVA's letter is the public version), or the WBN Unit 2 Common Q PAMS test summary report (Attachment 4 to TVA's letter dated March 16, 2011; Westinghouse Electric Company EQ-QR-68-WBT-P, Revision 0, "Qualification Summary Report for Post-Accident Monitoring System (PAMS)," dated February 2011, not publicly available; Attachment 5 to TVA's letter is the public version) provided the missing information or justification for the discrepancy.
In addition, in Attachment 3 to TVA's letter dated March 31, 2011, WEC stated the following:
Westinghouse will also perform a self assessment of how the WBN2 PAMS project was compliant to all of the V&V requirements in the SPM. The self assessment will show compliance by citing specific sections of V&V output documentation, or it will provide a justification of why the project deviated from the SPM requirements.
The results of this self assessment will be made available at the Westinghouse Rockville offices for the NRC to review.The NRC staff will review the WEC self-assessment to verify that the WBN Unit 2 PAMS complies with the V&V requirements in the SPM or that deviations from the requirements are adequately justified.
This is Open Item 104 (Appendix HH).7.5.2.2.3.4.2.1 Review of Safety Analyses The software safety plan section of the SPM describes the safety analysis implementation tasks that are to be performed.
The acceptance criterion for software safety analysis implementation is that the tasks in that plan have been carried out in their entirety.By letter dated March 12, 2010 (ADAMS Accession No. ML1 01680576, not publicly available), TVA stated that a software safety analysis was not applicable to PAMS because the SPM for Common Q systems (ADAMS Accession No. ML050350234) stated that it was not.The SPM contains a graded approach for software development, dependent on the safety significance of the software being developed.
The SPM classifies PAMS software as"Important-to-Safety," (as opposed to "Safety Critical")
and also states that the software safety plan in the SPM applies to safety-critical software.
Therefore, no safety analysis activities are required.
The NRC staff concludes that the justification provided in TVA's letter dated March 12, 2010, is satisfactory, based on the designation of the PAMS in the NRC-approved SPM; therefore, the staff did not review the preliminary hazard analysis or any other safety analysis tasks performed on the PAMS system.7.5.2.2.3.4.2.2 Verification and Validation Analysis and Reports Section 5, "Software Verification and Validation Plan," of the SPM (ADAMS Accession No. ML050350234) describes the V&V implementation tasks that are to be carried out. The acceptance criterion for software V&V implementation is that the tasks in the software V&V plan 7-62 (SWP) have been carried out in their entirety.
Documentation should exist that shows that the V&V tasks have been successfully accomplished for each life-cycle activity group.The V&V summary report is updated and issued periodically to incorporate summaries of all V&V activities performed.
By Attachment 1 to its letter dated March 16, 2011 (ADAMS Accession No. ML1 10770537), TVA provided the final V&V summary report (WNA-VR-00283-WBT-P, Revision 4, "Nuclear Automation IV & V Summary Report for the Post Accident Monitoring System"), which summarized all V&V activities performed before the PAMS equipment was ready to ship to WBN Unit 2 from the vendor's facilities.
In Attachment 3 to its letter dated August 20, 2010 (ADAMS Accession No. ML1 02380256), TVA provided Westinghouse Document WNA-VR-00283-WBT, Revision 0, "Watts Bar 2 NSSS Completion Program I&C Projects IV&V Phase Summary Report," an SWR that addressed the concept phase of the Common Q PAMS project plan by reviewing the plan against the three higher level project plans as well as various applicable programmatic documents for compatibility and consistency.
There were no findings from the SWR. This report also reviewed some of the definition phase documents and made various findings, which were not summarized in the SWR. The NRC staff subsequently identified discrepancies in the concept phase and definition phase information.
During its audit from February 28 to March 4, 2011, of the WEC CGD activities, the NRC staff examined implementation of the vendor's SWP, as specified in SPM Section 5, for the WBN Unit 2 Common Q PAMS. The staff concluded that only some aspects of the SWP were followed, and that the QA oversight of the SPM did not identify the discrepancies.
As described above in SSER Section 7.5.2.2.3.4.2, "Software Implementation Documentation," TVANWEC took project-specific and generic action items to address the discrepancies.
The NRC staffs verification of these actions is included in Open Item 104 (Appendix HH). Pending closure of Open Item 104, the NRC staff concludes that implementation of V&V for the Common Q PAMS is acceptable.
7.5.2.2.3.4.2.3 Configuration Management Reports BTP 7-14, Revision 5, Section B.3.2.3, states the following:
The SCMP [software configuration management plan] describes the implementation tasks that are to be carried out. The acceptance criterion for software CM [configuration management]
implementation is that the tasks in the SCMP have been carried out in their entirety.
Documentation should exist that shows that the configuration management tasks for that activity group have been successfully accomplished.
In addition, Interim Staff Guidance Digital I&C-ISG-6, "Licensing Process," Revision 1, dated January 19, 2011 (ADAMS Accession No. ML110140103), provides staff guidance on auditing configuration management of digital I&C systems. During its audit from February 28 to March 4, 2011, of the WEC CGD activities, the NRC staff examined the implementation of the vendor's SCMP, as found in SPM Section 6, for the WBN Unit 2 Common Q PAMS.SPM Section 6.2.2.1 describes that a software librarian and/or system administrator may be named to maintain controlled software, records, backup copies in a separate building of deliverable software, and backup copies of software tools. The WBN Unit 2 Common Q PAMS project has a software librarian who maintains the controlled software.
According to the work 7-63 instruction for the software librarian (WEC instruction WNA-WI-001 57-GEN, Revision 1), the project has two software libraries, one which is used by the design team to create or modify the software.
The other library contains verified software that only the software librarian can update and that allows only read access to other users. Backup copies are maintained of the software and software tools, which are available as needed by the software librarian.
Backup copies are made on a weekly basis, with older versions being deleted after 60 days. Backing up all files on a weekly basis meets the requirements in Section 6.5 of the SPM. A software release record (SRR) is created by the design team once a piece of software is ready for V&V. The SRR references a specific revision of the software, which the V&V team uses for review. Once the software is reviewed by the V&V team, a software V&V release record is created, and the code is placed by the librarian in the controlled library. Any associated images with the verified code are recreated from the code that was verified.
The backup copies are maintained in a different location from the other libraries.
SPM Section 6.3 specifies information to be included in header blocks for source files in order to maintain configuration identification.
Source file headers for the FPDS follow this specification, as do the examples for c-code headers in WEC instruction 00000-ICE-3889, Revision 12,"Coding Standards and Guidelines for Common Q Systems." As a sample, the NRC staff reviewed the header for an FPDS source file, "callbacks.c," and concluded that the header followed the appropriate guidelines.
However, for source files for the AC160, the header does not strictly follow the SPM, due to the particular process that creates those source files. Most of this information, including revision history, is instead contained in the footer of those files. This is in accordance with WEC instruction WNA-WI-00054-GEN, Revision 3, "Work Instructions for Releasing AC160 Code," issued November 2009. This is acceptable to the staff, because the specified information is documented.
WEC instruction WNA-WI-00179-GEN, Revision 0, "Generic Common Q: Common Q Software Optical Media Work Instruction," issued October 2010, provides labelling guidance for computer compact disks (CDs). The guidance in the instruction listed a set of minimum information for labels, including project identity, software identity, SRR as listed in WEC's document tracking system, and optical media creation date, but it did not have a clear link to the format specified for media in SPM Section 6.3. However, at the time of the audit, no CDs had been created for this project.The NRC staff examined the channel integration test/factory acceptance test (CIT/FAT) report, baseline documents, and associated software implementation release reports to confirm that the SRRs included in the CIT/FAT report matched the established baseline at the time. The staff confirmed the specific SRR for the PAMS train A software for the original and regression testing done in the CIT/FAT report. Exception reports were created from software change requests (SCRs) generated as a result of initial testing, and regression tests were performed, as necessary.
The staff examined the software change process and traced an issue identified in an exception report through to its testing. An SCR can originate from an exception report or as a result of an enhancement request. The process for creating an SCR is in WEC instruction WNA-WI-00121-GEN, Revision 1, "Common Q ER & SCR Work Instruction." The staff verified that an SCR form contains the information and approval listing listed in SPM Section 6.3.2;therefore, this is acceptable.
WEC's QA organization did one internal audit in the area of requirements traceability management.
The WEC audit report was still in draft at the time of the NRC staff's audit.7-64 Based on its discussion with WEC QA personnel, WEC QA staff monitor adherence to the configuration management plan through internal audits and self-assessments.
The project schedule recorded the establishment of configuration baselines, but there was no formal milestone for implementation of change control procedures.
However, there were milestones related to SCRs and SRRs.The software V&V report included assessments for the configuration management of the different phases of the life cycle-, the report confirmed that the configuration management activities specified in the SPM were carried out in their entirety and that configuration management tasks were successfully accomplished.
In summary, the NRC staff concluded that the software configuration management activities satisfactorily follow the SPM; therefore, the Common Q PAMS configuration management is acceptable.
7.5.2.2.3.4.2.4 Testing Activities RG 1.170 endorses IEEE Std. 829-1983 and includes additional guidance for the documentation of testing activities (i.e., test specification and test reporting).
The SPM describes the software testing and documents that TVA will create (e.g., SPM Section 5.8, "V&V Test Documentation Requirements," Section 8.8, "Test Documentation").
The SPM also describes the testing tasks that TVA is to carry out. The acceptance criterion for software test implementation is that the tasks in the SPM have been carried out in their entirety.The three subsections below address the three different testing activities evaluated by the NRC staff. Other aspects regarding the acceptability of testing activities are addressed in Open Items Nos. 101 and 104 (Appendix HH).7.5.2.2.3.4.2.4.1 Software Test Plan Implementation As stated above in SSER Section 7.5.2.2.3.4.1.1, "Software Test Plan," the NRC staff concluded that the STP does not demonstrate an acceptable level of test planning and is not in accordance with BTP 7-14, RG 1.170, IEEE Std. 829, or the SPM. Because the staff concluded that the test plan was inadequate, the staff did not assess the implementation of the plan.Because an STP provides a high-level description of the planned testing activities, one use is to assess the adequacy of the overall testing effort; TVA generated a test summary report, evaluated in SSER Section 7.5.2.2.3.4.2.4.3 below, in order to demonstrate adequate testing.7.5.2.2.3.4.2.4.2 Test Procedures RG 1.170 endorses IEEE Std. 829-1983 and includes additional guidance for documentation of the test specifications.
The SPM contains requirements for the test procedures that will be created (e.g., SPM Sections 5.5.6, "Test Phase V&V," 5.8.2, "Test Procedures," and 8.8.2, "Test Procedures").
The SPM requires that validation test procedures be prepared in accordance with IEEE Std. 829-1998, Section 6 (the correct reference for test procedure specifications is Section 7).The staff reviewed a sample of the test procedures associated with the WBN Unit 2 Common Q PAMS provided by TVA both by letter and during the staffs audit from February 28 to March 4, 2011, of WEC CGD activities.
Based on its review, the staff concluded that the test 7-65 procedures were acceptable (i.e., tested the requirements that were being traced through the CGD process by the staff).In Attachment 12 to its letter dated December 3, 201.0 (ADAMS Accession No. ML1 03640220), TVA docketed the factory acceptance test procedure (FATP) for the Common Q PAMS (Westinghouse document WNA-TP-02988-WBT, Revision 0, "Post Accident Monitoring System Channel Integration Test/Factory Acceptance Test"). Based on the staffs review, although the FATP does not conform to the format or content requirements of IEEE Std. 829-1998, the staff concluded that the FATP contained the information (e.g., test instructions and procedures incorporating the requirements and acceptance limits) listed in RG 1.170; therefore, the FATP is acceptable.
7.5.2.2.3.4.2.4.3 Test Implementation Summary-Test Summary Report In Attachment I to its letter dated March 31, 2011 (ADAMS Accession No. ML1 10950331), TVA provided Westinghouse document WNA-TR-02451-WBT, Revision 0, "Test Summary Report for the Post Accident Monitoring System," issued March 2011. The report summarizes the results of the test activities performed throughout the execution of the WBN Unit 2 post-PAMS project.It also assesses the adequacy of the test program and its compliance with WNA-PT-00138-WBT-P, Revision 0, "Post Accident Monitoring System Test Plan," and WCAP-16096-NP-A, Revision 1A, "Software Program Manual for Common Q Systems (SPM)." The NRC staffs position in RG 1.170 states the following:
IEEE Std 829-1983 does not mandate the use of all of its software test documentation in any given test phase. It directs the user to specify the documents required for a particular test phase. If a subset of the IEEE Std 829-1983 documentation is chosen for a particular test phase, information necessary to meet regulatory requirements regarding software test documentation must not be omitted. As a minimum, this information includes: Qualifications, duties, responsibilities, and skills required of persons and organizations assigned to testing activities, Environmental conditions and special controls, equipment, tools, and instrumentation needed for accomplishing the testing, Test instructions and procedures incorporating the requirements and acceptance limits in applicable design documents, Test prerequisites and the criteria for meeting them, Test items and the approach taken by the testing program, Test logs, test data, and test results, Acceptance criteria, and Test records indicating the identity of the tester, the type of observation, the results and acceptability, and the action taken in connection with any deficiencies.
7-66 Any of the above information items that are not present in the subset selected for a particular test phase must be incorporated into the appropriate documentation as an additional item.The NRC staff reviewed the test documentation provided in the test summary report, the SPM, the STP, and the FATP against the criteria of RG 1.170 and RG 1.171, "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," issued September 1997, and determined that the test documentation includes all of the items identified in the staffs position and, therefore, is acceptable.
The test summary report augments and supplements the SPM and STP to adequately describe the approach used in TVA's testing program.7.5.2.2.3.4.2.5 Traceability Matrix BTP 7-14 provides guidance for the NRC staff in reviewing the traceability of components.
In addition, RG 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," issued September 1997, endorses IEEE Std. 830-1993, "IEEE Recommended Practice for Software Requirements Specifications," as amended. IEEE Std. 830states that an acceptable SRS is traceable both forward and backward through the process. In addition, NRC-approved SPM Section 5.4.5.3 contains requirements for SRS traceability analysis and its associated documentation.
The requirements traceability analysis for the WBN Unit 2 Common Q PAMS is documented in requirements traceability matrices (RTMs). In Attachment 5 to its letter dated August 20, 2010 (ADAMS Accession No. MLI102380256), TVA provided an RTM that addressed the requirements phase. The matrix did not identify the source of each requirement and showed that not all requirements were traced and may not be traceable.
In order to address these deficiencies, WEC revised the RTM and included additional traceability documentation in the Common Q PAMS LTR (Attachment 2 to TVA's letter dated March 31, 2011).During its audit from February 28 to March 4, 2011, of WEC CGD activities, the NRC staff audited requirements traceability throughout implementation and found that some requirements were traceable; the revised traceability matrices were used during the audit activities.
The revised RTMs were significantly improved; however, some errors were identified during the audit and TVA/WEC took actions to correct the errors identified.
The NRC staff was able to trace requirements by using the RTMs; therefore, the audit staff concluded that the RTMs adequately showed how the systems requirements are traceable thorough each phase of the software life cycle. The traceability of components met the criteria specified in BTP 7-14, and, therefore, is acceptable.
In the Common Q PAMS LTR (Attachment 2 to TVA's letter dated March 31, 2011), Section 12,"TVA Contract Compliance Matrix," and Section 13, "Origin Tracing of WBN Unit 2 PAMS System Requirements Specification," include the source documentation of each requirement in the SysRS. The staff reviewed these LTR sections and concluded that each requirement in the SysRS was needed to fulfill a contractual requirement, and that each contractual requirement was fulfilled by the WBN Unit 2 Common Q PAMS implementation; therefore, the forward and backward traceability criteria of IEEE Std. 830 were fulfilled.
Therefore, the traceability is acceptable to the staff.7-67 Based on its review of the LTR and its audit, as described above, the NRC staff concludes that the WBN Unit 2 Common Q PAMS traceability is acceptable.
7.5.2.2.3.4.2.6 Failure Modes and Effects Analysis The FMEA is a method of analysis of potential failure modes within a system to determine the effects of the failures on the system. This information can then be used to assess the potential for an undetectable failure. The overall staff expectation is that each potential failure mode will be identified, and that the effects will be determined.
For a complex system, the analysis may be necessarily complex. The key attributes the staff reviews are (1) completeness, where all failures are identified, and (2) accuracy, where the analysis reaches an understandable conclusion about what the failure effect is for each failure mode.There is no specific regulatory guidance on the required format, complexity, or conclusions of the FMEA. Each system must be independently assessed to determine if the FMEA is sufficiently detailed to provide a useful assessment of the potential failures and their effects.For example, an FMEA is a method for documenting a single-failure analysis.NRC-approved WCAP-16097-P-A, "Common Qualified Platform Topical Report Post Accident Monitoring Systems," Revision 0, includes several system-specific appendices.
Appendix 1 to the WCAP applies to the postaccident monitoring system. It provides a generic FMEA for the standard solution.
In the safety evaluation for the WCAP, the NRC stated that this generic FMEA is acceptable as a model for such analysis, but that the licensee must prepare its plant-specific model for the design to be implemented and must perform the FMEA for that application.
In Attachment 2 to its letter dated November 5, 2010 (ADAMS Accession No. ML1 03210018), TVA provided its FMEA (Westinghouse document WNA-AR-00180-WBT-P, Revision 0, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System") with plant-specific information for the WBN Unit 2 PAMS. The FMEA addresses the equipment in the replacement PAMS and its supporting power supplies.
The effects of sensor failures are included in the analysis to the extent of loss of their signals as inputs to the system.The WBN Unit 2 Common Q PAMS FMEA includes both a system and an architecture description of the WBN Unit 2 Common Q PAMS, as well as a comparison of this PAMS to the one described in the Common Q topical report appendix.
The analysis includes the identification of the failure modes of each component and any associated methods for detecting these failures, as well as any associated compensating provisions.
The FMEA does not identify any undetectable failures and provides reasonable assurance that the WBN Unit 2 Common Q PAMS meets the single-failure criteria.Based on its review of TVA's FMEA documentation, the NRC staff concluded that the level of detail is appropriate for the Common Q PAMS. The FMEA documentation is sufficiently detailed to provide a useful assessment of the potential failures and the effects of these failures on system functionality.
Based on the NRC staffs review of the FMEA documents, there is reasonable assurance that all credible PAMS system failures have been properly identified and analyzed by TVA. The WBN Unit 2 Common Q PAMS FMEA adequately addresses the plant-specific model required by the Common Q topical report for an FMEA.7-68 7.5.2.2.3.4.3 Software Design Outputs BTP 7-14, Section B.3.3, "Acceptance Criteria for Design Outputs," describes the criteria to be used to determine whether the software has the characteristics that are important to safety system software.The design outputs for the WBN Unit 2 Common Q PAMS consist of requirements specifications and design specifications; these specifications are generally described in the SPM and specifically identified in Table 6-1 of the PAMS LTR (Attachment 2 to TVA's letter dated March 31, 2011); each is addressed in a separate subsection below.7.5.2.2.3.4.3.1 Requirements Specification The acceptance criterion for SRS is contained in SRP BTP 7-14, Section B.3.3.1,"Requirements Activities-Software Requirements Specification." The section states that RG 1.172 endorses IEEE Std. 830-1993, and that standard describes an acceptable approach for preparing SRSs for safety system software.
The section also states that additional guidance can be found in NUREG/CR-6101, Section 3.2.1 "Software Requirements Specification," and Section 4.2.1, "Software Requirements Specifications." SPM Section 8.2, "System Requirements Documentation," describes that two documents may be produced to document the requirements for a system: (1) a SysRS and (2) an SRS. The SPM describes that a SysRS defines the high-level system requirements, including the identification of the functions that will be performed.
The SPM describes that an SRS is used as the source document for the design of software.The WBN Unit 2 Common Q PAMS is based on the Common Q PAMS with some changes.The WBN Unit 2 Common Q PAMS requirements specifications (i.e., SysRS and SRS)incorporate, by reference, certain requirements from the Common Q PAMS requirements specifications, and they define the specific requirements for WBN Unit 2. The requirements specifications contain requirements that the Common Q PAMS must meet, but they contain no references that allow one to determine whether the WBN Unit 2 specific licensing or design-basis requirements are adequately addressed.
The adequacy of the requirements specifications for meeting the design-bases requirements is demonstrated in the RTM and LTR.The Common Q PAMS requirements specifications are found in the following generic PAMS documents, as described in the LTR, Attachment 2 to TVA's letter dated March 31, 2011:* 00000-ICE-30156, Common Q PAMS SysRS* 00000-ICE-30155, Common Q SysRS for FPDS* 00000-ICE-30159, "Hardware Requirements Specification for Common Q Power Supply System" 00000-ICE-3238/WCAP17351-P/NP, Common Q PAMS SRS The requirements specifications produced for the WBN Unit 2 Common Q PAMS are found in the following plant-specific documents, as described in the LTR, Attachment 2 to TVA's letter dated March 31, 2011:* WNA-DS-01617-WBT, WBN Unit 2 Common Q SysRS* WNA-DS-01667-WBT, system design specification (SysDS)7-69 0 WNA-SD-00239-WBT, Common Q PAMS SRS RG 1.172, Regulatory Position 2.7, "Traceability," states the following:
Section 4.3.8 of IEEE Std. 830-1993 describes two types of traceability, and both types are required.
Each identifiable requirement in an SRS must be traceable backwards to the system requirements and the design bases or regulatory requirements that it satisfies.
Each identifiable requirement should be written so that it is also "forward traceable" to subsequent design outputs, e.g., from SRS to software design and from software design to SRS.(emphasis added)Based on its audit from February 28 to March 4, 2011, of WEC CGD activities, the NRC staff concluded that the requirements in the SysRS and SRS are not traceable back to the design basis for the system. The SRS does not include documented evidence that it was independently reviewed in accordance with 10 CFR Part 50, Appendix B, Criterion III, "Design Control." The NRC staff concluded that the only Common Q or WBN Unit 2 Common Q PAMS document that was independently reviewed in accordance with Appendix B to 10 CFR Part 50 requirements is the SysRS.During its audit, the NRC staff observed that there are generally four kinds of signature blocks on WBN Unit 2 Common Q PAMS project documents:
author, verifier, reviewer, and approver.The WEC QA procedures (i.e., WEC 6.1) defined the responsibilities associated with each of these signatures.
Based on the staffs review of the Westinghouse procedures (i.e., WEC 6.1 and WEC 3.3.3), only the verifier is required to meet Appendix B to 10 CFR Part 50 requirements regarding independent review.Some WBN Unit 2 Common Q PAMS project documents contained a signature block for each of the four categories identified above (e.g., SysRS-WNA-DS-01617-WBT-P, Revision 3), and some documents did not contain a verifier signature block (e.g., SRS-WNA-SD-00239-WBT, Revision 2); therefore, it was not clear to the staff that all documents that were required to be independently reviewed were in fact independently reviewed.Westinghouse staff explained during the audit that the standard document template did not contain a verifier signature block. Westinghouse staff explained that each document requiring independent review was in fact independently reviewed; however, no documentation supporting this position was provided to the NRC staff.The audit report (ADAMS Accession No. ML1 10691232, not publicly available) stated the following:
For the WBN2 PAMS project, Westinghouse will provide documentation in their Rockville MD offices demonstrating that each document requiring independent review was in fact independently reviewed.
CAPs No. 11-061-M047 will contain a commitment to provided documented evidence of appropriate independent reviews.This is included in Open Item 104 (Appendix HH).WEC responded to TVA's purchase specification with a proposed Common Q PAMs system.Through LTR Sections 12 and 13, WEC demonstrated that the Common Q PAMS meets the 7-70 contractual requirements, and that everything in the Common Q system is required for contractual reasons. However, the NRC staff was unable to conclude that TVA has demonstrated how the requirements in the purchase specification address all of the design-basis requirements (e.g., IEEE Std. 603-1991, Clause 4).Based on (1) the review of the SysRS and SRS, (2) the audit of the RTMs, and (3) the review of the traceability analysis in the LTR, the staff has the following open items (Appendix HH): Open Item 105: TVA should provide to the NRC staff an acceptable description of how the WBN Unit 2 Common Q PAMS SysRS and SRS implement the design-basis requirements of IEEE Std. 603-1991, Clause 4.Open Item 106: TVA should provide to the NRC staff documentation to confirm that the final WBN Unit 2 Common Q PAMS SRS is independently reviewed.7.5.2.2.3.4.3.2 Software Design Description The NRC staffs acceptance criteria for software design description (SDD) are contained in SRP BTP 7-14, Section B.3.3.3, "Design Activities-Software Design Specification (SDS)." This section states that the software design should accurately reflect the software requirements, and that NUREG/CR-6101, Section 3.3.2, "Software Design Specification," and Section 4.3.2,"Software Design Specifications," contain relevant guidance.The design descriptions produced for WBN Unit 2 Common Q PAMS are the following:
- WNA-SD-00248-WBT, FPDS SDD* WNA-SD-00250-WBT, AC160 SDD These are referenced in Westinghouse document WNA-VR-00283-WBT-NP, Revision 4"Nuclear Automation IV&V Summary Report for the Post Accident Monitoring System," provided as Attachment 2 to TVA's letter dated March 16, 2011 (ADAMS Accession No. ML1 10770538).
The design specifications produced for the WBN Unit 2 Common Q PAMS rely heavily on other documentation that is referenced from within the design specifications; this other documentation was not necessary for the NRC staff to complete its review.Because of the limited safety significance of the WBN Unit 2 Common Q PAMS application, the NRC staff did not evaluate the SDDs produced for WBN Unit 2 Common Q PAMS.The SDDs do not include any documented evidence that they were independently reviewed.
As a result, the NRC staff has the following open item (Appendix HH):* Open Item 107: TVA should provide to the NRC staff documentation to confirm that the final WBN Unit 2 Common Q PAMS SDDs are independently reviewed.7.5.2.2.3.4.3.3 Reusable Software Elements The Common Q topical report describes that custom process control elements can be created as an extension to the base AC160 software.
Custom process control elements appear as standard process control elements with input and output terminals when inserted into a control program. They are developed outside of the application development environment and then 7-71 added to the library of process control elements; each reusable software element is documented in a reusable software element document.
Once in the library, the custom process control element is available for the programmer to use in an application program. The custom process control elements are classified as a module and documented in reusable software element documents.
Because of the limited safety significance of the WBN Unit 2 Common Q PAMS application, the NRC staff did not evaluate the custom process control elements (i.e., the reusable software element documents).
7.5.2.2.3.5 Environmental Equipment Qualifications IEEE Std. 7-4.3.2-2003, Clause 5.4 defines the equipment qualification required for a software project. IEEE Std 7-4.3.2-2003 is endorsed by RG 1.152, Revision 2. SRP Appendix 7.1-D, Section 5.4, "Equipment Qualification," provides acceptance criteria for equipment qualifications.
It describes that, in addition to the equipment qualification criteria provided by IEEE Std. 603 and SRP Appendix 7.1-C, Revision 5, "Guidance for Evaluation of Conformance to IEEE Std 603," Section 5.4, additional criteria, as defined in SRP Appendix 7.1-D, Sections 5.4.1 and 5.4.2, are necessary to qualify digital computers for use in safety systems.Though IEEE Std. 7-4.3.2 discusses CGD as a qualification activity, CGD is evaluated above in SSER Section 7.5.2.2.3.2.1, "Commercial Grade Dedication." The following provide regulatory requirements for environmental qualification of safety-related equipment:
WBN Unit 2 Design Criterion 2, "Design Bases for Protection against Natural Phenomena." WBN Unit 2 Design Criterion 4, "Environmental and Dynamic Effects Design Bases." The regulation in 10 CFR 50.55a(h) incorporates IEEE Std. 603-1991, which addresses both system-level design issues and quality criteria for qualifying devices.The following provide regulatory guidance for environmental qualification of safety-related equipment:
RG 1.29, Revision 4 endorses and provides guidance in the areas of seismic design classification.
RG 1.89, Revision I endorses and provides guidance in the areas of seismic and radiological qualification tests for compliance with IEEE Std. 323-1974 and focuses on the environmental qualification of equipment intended for use in harsh environments that is subject to design-basis accidents.
RG 1.100, Revision 3 endorses and provides guidance in the areas of seismic qualification of electrical equipment for compliance with IEEE Std.344-2004.
RG 1.152, Revision 2 endorses IEEE Std. 7-4.3.2-2003.
Clause 5.4 of IEEE Std. 7-4.3.2-2003 contains specific guidance for the qualification of digital safety systems.7-72 RG 1.180, Revision 1, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," issued October 2003.RG 1.209, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," issued March 2007, complements RG 1.89 and provides additional guidance to address qualification for mild environmental conditions, as needed, for computer-based technologies.
Environmental qualification activities associated with the WBN Unit 2 Common Q PAMS application involve two aspects: (1) ensuring that the generic qualification, described in the Common Q topical report, is appropriate for the WBN Unit 2 Common Q PAMS application, and (2) qualification of new (e.g., A1687 and A1688) or changed (e.g., PC node box, FPDs, and Common Q power supplies) hardware components.
Section 4.4, "Plant Specific Action Item 6.4," of the WBN Unit 2 Common Q PAMS LTR (WNA-LI-00058-WBT, Revision 3; Attachment 2 to TVA's letter dated March 31, 2011)describes the suitability of the Common Q equipment for the WBN Unit 2 Common Q PAMS application.
Section 2.2.1.4, "Hardware," of the WBN Unit 2 Common Q PAMS LTR identifies new or changed hardware components.
Qualification reports referenced in the LTR and reviewed by the staff are as follows: Qualification summary report: This report summarizes the seismic, environmental, and electromagnetic compatibility (EMC) qualification of the PAMS equipment for WBN Unit 2. TVA provided the following revisions to the qualification summary report to the NRC staff for review: EQ-QR-68-WBT, Revision 0-A Qualification Summary Report for Post-Accident Monitoring System (PAMS)," Attachment 13 to TVA's letter dated December 22, 2010 (ADAMS Accession No. ML1 10100650)EQ-QR-68-WBT-P, Revision 0, "Qualification Summary Report for Post-Accident Monitoring System (PAMS)," Attachment 4 to IVA's letter dated March 16, 2011 (ADAMS Accession No. ML1 10770537)EQ-QR-68-WBT-NP, Revision 0, "Qualification Summary Report for Post-Accident Monitoring System (PAMS)," Attachment 5 to TVA's letter dated March 16, 2011 (ADAMS Accession No. ML1 10770537)EQ-QR-64-GEN, Revision 0, "A1687 and A1688 for Use in Common Q PAMS EMC Test Report and Installation Limitations," provided as Attachment 4 to IVA's letter dated October 26, 2010 (ADAMS Accession No. ML1 03020322).
EQ-EV-62-WBT, Revision 0, "Common Q PAMS Comparison of Tested Conditions for the A1687 and A1688 Common Q Modules and Supporting Components to the Watts Bar Unit 2 (WBT) Requirements," provided as Attachment 5 to TVA's letter dated October 26, 2010 (ADAMS Accession No. ML1 03020322).
7-73 EQLR-171, Revision 0, "Environmental and Seismic Test Report, Analog Input (AI)687 &A1688 Modules for use in Common Q PAMS," provided as Attachment 6 to TVA's letter dated October 26, 2010 (ADAMS Accession No. ML1 03020322).
CN-EQT-1 0-44, Revision 0, "Dynamic Similarity Analysis for the Watts Bar Unit 2 Post Accident Monitoring System (PAMS)," provided as Attachment 9 to TVA's letter dated October 26, 2010 (ADAMS Accession No. ML1 03020322).
These reports provided the seismic, environmental, and EMC qualification documentation for the WBN Unit 2 Common Q PAMS components.
As documented in the three subsections below, the NRC staff reviewed the above documentation using the acceptance criteria listed at the beginning of this SSER section and determined that the WBN Unit 2 Common Q PAMS adequately addressed system qualification requirements, with open items as documented in the SSER subsections below.7.5.2.2.3.5.1 Electromagnetic Compatibility Qualification The WBN Unit 2 Common Q PAMS EMC qualification requirements are specified in the WBN Unit 2 Common Q PAMS SysRS, which identifies WCAP-16097-P-A, RG 1.180, and EPRI TR-102323, Revision 1, "Guidelines for Electromagnetic Interference Testing in Power Plants," as acceptable resources for obtaining the requirements, test levels, and acceptance criteria for EMC qualification of the WBN Unit 2 Common Q PAMS equipment.
The AC160/Common Q equipment was subjected to EMC testing as documented in the various references cited in Table 5.1-1 of the qualification summary report (EQ-QR-68-WBT-P, Revision 0). As stated in Section 5.2, "EMC Testing," of the qualification summary report, the various EMC test programs were performed by Washington Laboratories, LTD (WLL) at the WEC facility in New Stanton, Pennsylvania, at the WLL facility in Gaithersburg, Maryland, at Wyle Laboratories in Huntsville, Alabama, and at Retlif Testing Laboratories in Ronkonkoma, New York. Table 5.2-1 of the qualification summary report identified the EMC test standards that were satisfied for each EMC qualification program. Based on its review of the tables, the NRC staff concludes that the EMC testing met the acceptance criteria in RG 1.180 and, therefore, are acceptable.
7.5.2.2.3.5.2 Environmental Qualification The WBN Unit 2 Common Q PAMS environmental qualification requirements are specified in the SysRS, which states that the WBN Unit 2 Common Q PAMS cabinet equipment and OM equipment shall be qualified to the environmental qualification requirements described in Appendix I to WCAP-1 6097-P-A.
Appendix 1 to WCAP-1 6097-P-A specifies that the environmental qualification shall be performed in accordance with IEEE Std. 323-1983.WCAP-16097-P-A also identifies the expected room abnormal temperature and humidity parameters where the Common Q cabinets will be installed.
The SysRS specifies that the WBN Unit 2 Common Q PAMS cabinets, the equipment in the cabinets, and the PAMS OM equipment shall be qualified for the WBN Unit 2 plant-specific environment conditions.
For the equipment installed inside an enclosure, the heat rise inside that enclosure should be an environmental consideration.
However, heat rise inside the WBN Unit 2 Common Q PAMS cabinet would cause temperature to increase.
As documented in WNA-TR-02383-WBT, "Post 7-74 Accident Monitoring System Cabinet Hardware Test Report" (referenced in the LTR), the WBN Unit 2 Common Q PAMS cabinet temperature rise observed during the cabinet hardware test was less than was conservatively assumed in the calculation and, therefore, is acceptable.
The generic abnormal environmental qualification test parameters envelop the WBN Unit 2 environmental conditions (including the conditions inside the cabinet), thus demonstrating that the WBN Unit 2 Common Q PAMS equipment is qualified to the specified, required conditions.
The test parameters also demonstrate that the PAMS is qualified for the plant-specific environmental conditions at WBN Unit 2.The AC160/Common Q equipment was subjected to environmental testing, as documented in the references cited in Table 5.1-1 of the qualification summary report. The environmental testing was performed by Clark Dynamic Testing Laboratory, LLC, and by WEC at the WEC facility located in New Stanton, Pennsylvania, and at Wyle Laboratories in Huntsville, Alabama.Table 5.3-1 of the qualification summary report provides the test environmental conditions from the various test programs.
Based on the NRC staffs review of the test program results, the staff concluded that the required environmental test conditions satisfy the WBN Unit 2 plant-specific environmental requirements, including a heat rise inside the PAMS cabinet. The tested conditions from the various test programs envelop the required environmental test conditions at WBN Unit 2. Therefore, the NRC staff concludes that the environmental qualification of the Common Q PAMS meets the acceptance criteria of RG 1.209. The staff had two open items.Based on its review of the environmental qualification reports, the staff could not determine whether or not TVA had considered in the equipment testing any potential synergistic effects between temperature and humidity.
This is Open Item 108 (Appendix HH). Because the staff used the criteria of RG 1.209, Open Item 102 (SSER Section 7.5.2.2.3; Appendix HH) also applies to this SSER subsection.
Open Item 108: TVA should demonstrate to the NRC staff that there are no synergistic effects between temperature and humidity for the Common Q PAMS equipment.
7.5.2.2.3.5.3 Seismic Qualification The WBN Unit 2 Common Q PAMS seismic qualification requirements are specified the WBN Unit 2 Common Q PAMS SysRS, which specifies that the WBN Unit 2 Common Q PAMS cabinet equipment and OM equipment shall be seismically qualified in accordance with the requirements of Appendix 1 to WCAP-1 6097-P-A.
Appendix 1 to WCAP-1 6097-P-A specifies that the seismic qualification shall be performed in accordance with IEEE Std. 344-1987, "IEEE Recommended Practice for Seismic Qualification of Class 1 E Equipment for Nuclear Power Generating Stations." However, the SysRS specifies that the PAMS equipment shall be qualified in accordance with IEEE Std. 344-1975, "IEEE Recommended Practices for Seismic Qualification of Class 1 E Equipment for Nuclear Power Generating Stations." In accordance with IEEE Std. 344-1975, the seismic qualification of Class 1E equipment should demonstrate an equipment's ability to perform its required function during and after the time it is subjected to the accelerations resulting from one safe-shutdown earthquake test run. In addition, the equipment must withstand the effects of five operating-basis earthquake test runs before the application of a safe-shutdown earthquake test run.TVA specification Engineering Design Change Request (EDCR) 52351, "Post Accident Core Monitoring System" (referenced in the LTR), provided the applicable floor response spectra for 7-75 the PAMS cabinet and the OM. The AC160/Common Q equipment was subjected to seismic testing as documented in the applicable references cited in Table 5.1-1 of the qualification summary report. The seismic testing documented was performed at Clark Dynamic Testing Laboratory, LLC, and at Wyle Laboratories, LLC. The other seismic test programs were performed by WEC at the WEC facility located in New Stanton, Pennsylvania.
The seismic qualification testing of the AC160/Common Q equipment was performed to both IEEE Std. 344-1975 and IEEE Std. 344-1987.
However, as noted in the WBN Unit 2 Common Q PAMS SysRS, the PAMS must be seismically qualified to IEEE Std. 344-1975.
The seismic testing on the AC160/Common Q equipment that was performed in accordance with IEEE Std. 344-1987 bounds the requirements specified in IEEE Std. 344-1975.
Therefore, the staff concludes that all of the AC160/Common Q seismic qualification testing was performed in accordance with IEEE Std. 344-1975, and that the seismic qualification is acceptable.
Open Item 96 (Appendix HH; SSER Section 7.5.2.2.3) also applies to this SSER subsection because RG 1.100, Revision 3 references IEEE Std. 344-1987.7.5.2.2.3.6 Defense-in-Depth and Diversity The NRC staff requirements memorandum on SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated July 21, 1993 (ADAMS Accession No. ML003708056), describes the NRC staffs position on defense in depth and diversity (D3). Guidance on the evaluation of D3 is provided in SRP BTP 7-19, Revision 5, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems," issued March 2007. In addition, NUREG/CR-6303, "Method for Performing Diversity and Defence-in-Depth Analyses of Reactor Protection Systems," dated December 31, 1994, summarizes several D3 analyses performed after 1990 and presents a method for performing such analyses.The NRC-approved Common Q topical report (ADAMS Accession No. ML031830959, not publicly available) contains the three NRC safety evaluations (transmitted by letters dated August 11, 2000, June 22, 2001, and February 24, 2003) immediately following the topical report cover. Section 4.4.1 of the safety evaluation dated August 11, 2000, included an evaluation of the topical report appendix on PAMS: the staff noted that the FPDS may halt in a common mode failure due to an unresolved error report in the QNX [an operating system for Common Q applications]
operating history. CENP has not analyzed the case of the common-mode failure of the two PAMS channels.
Licensees implementing a PAMS design shall demonstrate that the system complies with the criteria for defence against common-mode failure by analyzing the common-mode failure of both PAMS channels....
This is plant-specific action item 6.10.The WBN Unit 2 Common Q PAMS provides redundant signal processing and indication of two RG 1.97, "Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants," Type A variables:
CETs and subcooled margin. In the event of a common-cause failure of the Common Q PAMS, instrumentation diverse from the Common Q is available for these two variables.
Wide range (WR) hot-leg temperature indication is specified as a diverse variable for CET in the postaccident monitoring design criteria, WB-DC-30-7 (Attachment 40 to TVA's letter dated October'5, 2010; ADAMS Accession No. ML1 02910324, not publicly available).
WR hot-leg temperature indication from all four hot legs is available on control board indicators and plant computer displays.7-76 Temperature and pressure saturation margin calculations are also performed in the plant computer independently of Common Q, using different hardware and software.
Isolated outputs from the Eagle 21 protection system are provided to the plant computer for four WR hot-leg temperature channels and four WR reactor coolant system (RCS) pressure channels.
The temperature channels and two of the pressure channels are the same as those used in the Common Q saturation margin calculations.
RVLIS is defined as a Type B1 variable.
Redundant indication for this variable is provided by the CETs/hot-leg temperature and RCS pressure indications.
As long as the RCS pressure is greater than the saturation pressure for the temperature indicated by the CET/hot leg temperature, there is reasonable assurance that a steam void has not formed in the core and that the vessel is full. This is indicated by the SMM/plant computer.Based on the diverse and independent WBN Unit 2 features described above, the NRC staff concludes that TVA adequately addressed D3 requirements (i.e., BTP 7-19) associated with a common-cause failure of the WBN Unit 2 Common Q PAMS. Diverse and independent indication exists for each of the RG 1.97 variables calculated and displayed by the WBN Unit 2 Common Q PAMS.7.5.2.2.3.7 Communications IEEE Std. 603-1991, Clause 5.6, "Independence," requires independence between (1) redundant portions of a safety system, (2) safety systems and the effects of design-basis events, and (3) safety systems and other systems. SRP Appendix 7.1-C, Section 5.6,"Independence," provides acceptance criteria for this requirement and, among other guidance, provides additional acceptance criteria for communications independence.
Section 5.6 states that, where data communication exists between different portions of a safety system, the analysis should confirm that a logical or software malfunction in one portion cannot affect the safety functions of the redundant portions, and that, if a digital computer system used in a safety system is connected to a digital computer system used in a nonsafety system, a logical or software malfunction of the nonsafety system must not be able to affect the functions of the safety system.IEEE Std. 7-4.3.2-2003, Clause 5.6, "Independence," provided guidance on how IEEE Std. 603 requirements can be met by digital systems. The clause states that, in addition to the requirements of IEEE Std. 603, data communication between safety channels or between safety and nonsafety systems shall not inhibit the performance of the safety function.
SRP Appendix 7. 1-D, Section 5.6, "Independence," provides acceptance criteria for equipment qualifications.
This section states that "the protection system be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system, and that interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired." BTP 7-11, Revision 5, "Guidance on Application and Qualification of Isolation Devices," issued March 2007, provides guidance for the application and qualification of isolation devices.BTP 7-11 applies to the use of electrical isolation devices to allow connections between redundant portions of safety systems or between safety and nonsafety systems. Because the 7-77 PAMS does not include connections between redundant trains, this SSER only considers applicability between safety and nonsafety systems. Additional staff guidance on interdivisional communications is contained in Interim Staff Guidance DI&C-ISG-04, Revision 1, "Highly-Integrated Control Rooms-Communication Issues," dated March 6, 2009 (ADAMS Accession No. ML083310185).
There is no communication between PAMS divisions.
The divisions are physically separate, with no interconnection between divisions throughout the system architecture (i.e., from the input to the displays).
The communications isolation between the safety-related Common Q PAMS and the plant computer are unidirectional via the MTP software and a nonsafety-related data diode. The MTP is presumed to fail during certain postulated failures of the connected nonsafety-related equipment.
These failures have been demonstrated (i.e., via data storm testing) to not affect the connected AC160 components or the OM (see Open Item 109 below;Appendix HH). Data storm testing along with the DI&C-ISG-04 compliance analysis (documented in the subsection below) provide reasonable assurance that the independence criteria (i.e., IEEE Std. 603, Clause 5.5 and IEEE Std. 7-4.3.2, Clause 5.6) are met; therefore, the Common Q PAMS communications independence is acceptable to the NRC staff.7.5.2.2.3.7.1 Compliance with DI&C-ISG-04 IEEE Std. 7-4.3.2-2003, Clause 5.6 states that, in addition to the requirements of IEEE Std. 603, data communication between safety channels, or between safety and nonsafety systems, shall not inhibit the performance of the safety function.
SRP Appendix 7.1-D, Section 5.6 provides acceptance criteria for equipment qualifications.
This section states that the protection system should be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system, and that interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.
DI&C-ISG-04, Revision 1, contains guidance for implementing IEEE Std. 7-4.3.2-2003, Clause 5.6.DI&C-ISG-04 contains three sections:
(1) "Interdivisional Communications," (2) "Command Prioritization," and (3) "Multidivisional Control and Display Stations." Section 1 of DI&C-ISG-04 provides guidance on the review of communications, including transmission of data and information, among components in different electrical safety divisions and of communications between a safety division and equipment that is not safety-related.
DI&C-ISG-04 does not apply to communications within a single division.
This NRC staff position states that bidirectional communications among safety divisions and between safety and nonsafety equipment may be acceptable, provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.The WBN Unit 2 Common Q PAMS divisions do not communicate with each other; however, each division has digital communication with the nonsafety-related plant computer.
The NRC staff compared the WBN Unit 2 Common Q PAMS communication with the plant computer to each of the 20 staff positions in the interdivisional communications section of DI&C-ISG-04, as described in the subsections below. The methods by which the Common Q PAMS either meets these staff positions or provides an acceptable altemative method of complying with NRC regulations are also described below. TVA addressed the staff positions of DI&C-ISG-04 in the LTR (Attachment 2 to TVA's letter dated March 31, 2011).7-78 7.5.2.2.3.7.1.1 Staff Position No. 1 Staff Position No. 1 states that a safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function.
This is a fundamental consequence of the independence requirements of IEEE Std. 603.The WBN Unit 2 Common Q PAMS does not receive any information from outside of its own safety division to perform its safety function; therefore, the WBN Unit 2 Common Q PAMS communications meets the staff position and are acceptable.
7.5.2.2.3.7.1.2 Staff Position No. 2 Staff Position No. 2 states that the safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member, and that information and signals originating outside the channel must not be able to inhibit or delay the safety function.
This position further states that protection must be implemented within the affected channel, and must not itself be affected by any condition or information from outside the affected channel. This position specifically requires that this protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.For the WBN Unit 2 Common Q PAMS, all signals are contained within each safety division and no data information from outside the safety division is received by either the PM646A controller or the OM. The MTP display system has an Ethernet port with Transmission Control Protocol/Intemet Protocol (TCP/IP) communications to support data communication to the plant computer via a one-way data link. The plant computer is nonsafety related. If the link to the plant computer were to completely disable the MTP, the safety function would still be performed by the PM646A and OM. Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.3 Staff Position No. 3 Staff Position No. 3 states that a safety channel should not receive any communication from outside its own safety division, unless that communication supports or enhances the performance of the safety function, and that receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function.
This position further states that safety systems should be as simple as possible, and that functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system.All signals are contained within each safety division, and no data information from outside the safety division is received by either the PM646A controller or the OM. The WBN Unit 2 Common Q PAMS processor performs only the functions necessary for the calculation and monitoring of the RG 1.97 variables allocated to this system. Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.4 Staff Position No. 4 Staff Position No. 4 states that the communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so 7-79 that communications errors and malfunctions will not interfere with the execution of the safety function, and that the communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information.
This position further states that the function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety related and must be designed, qualified, fabricated, and so forth, in accordance with Appendices A and B to 10 CFR Part 50. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner.The processor and memory of the MTP are physically separate from the PM646A controller and the OM and, so, are not shared. The PAMS safety function does not depend on data received from outside the train to perform its safety function.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.5 Staff Position No. 5 Staff Position No. 5 states that the cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory, and that the longest possible completion time should include the response time of the memory itself and of the circuits associated with it. It should also include the longest possible delay in access to the memory by the function processor, assuming worst case conditions for the transfer of data from the communications processor to the function processor.
The position also states that a failure of the system to meet the limiting cycle time should be detected and alarmed.For the WBN Unit 2 Common Q PAMS, the cycle time for the safety function processors takes into account the worst case timing constraints.
The system load is monitored and an alarm limit applied to ensure that the processor has sufficient resources to perform its safety function.There is no shared memory that would affect the cycle time associated with the safety functions.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.6 Staff Position No. 6 Staff Position No. 6 states that the safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division.The safety function processor performs no communication handshaking with devices that are outside of its own safety division and accepts no interrupts from outside its own safety division.Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.7 Staff Position No. 7 Staff Position No. 7 states that only predefined data sets should be used by the receiving system, that unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the prespecified design requirements, and that data from unrecognized messages must not be used within the safety logic executed by the safety function processor.
To do this, message format and protocol need to be predetermined, and 7-80 every message should have the same message field structure and sequence, including message identification, status information, data bits, and so forth, in the same locations in every message. Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behaviour.
For the WBN Unit 2 Common Q PAMS, there are no received data sets. A failure of the communication interface processor does not affect the safety function processors.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.8 Staff Position No. 8 Staff Position No. 8 states that data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions.
No data are exchanged between safety divisions in the PAMS, but data are communicated through a one-way data link to the nonsafety-related plant computer.
The one-way aspects of this nonsafety-related data link are not credited because the MTP is the credited isolation device. The MTP is postulated to fail during a data storm, but this failure was demonstrated by testing not to affect the AC160 processor or the OM (i.e., to not affect the safety function).
Based on the testing results, the use of the MTP in this manner is acceptable.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
The staff had one open item (Appendix HH) for followup.Open Item 109: TVA should demonstrate to the NRC staff acceptable data storm testing of the Common Q PAMS.7.5.2.2.3.7.1.9 Staff Position No. 9 Staff Position No. 9 states that incoming message data should be stored in fixed, predetermined locations in the shared memory and in the memory associated with the function processor, and that these memory locations should not be used for any other purpose. This position further states that the memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate prespecified physical areas within a memory device.There are no received data sets either from another division or from a nonsafety-related system.Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.10 Staff Position No. 10 Staff Position No. 10 states that safety division software should be protected from alteration while the safety division is in operation, and that online changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment.
This position also states that a workstation (e.g., engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor/shared-memory scheme described in this guidance, or when the associated channel is inoperable.
This position states that a workstation should be physically restricted from making changes in more than one 7-81 division at a time, and that the restriction should be by means of physical cable disconnect or by means of a keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic. "Hardwired logic," as used in the position, refers to circuitry that physically interrupts the flow of information, such as an electronic gate circuit, that does not use software or firmware, with one input controlled by the hardware switch and the other connected to the information source, so that the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected.
The position further states that provisions are not acceptable that rely on software to effect the disconnection.
Each PAMS division has its own MTP and OM that can only access the PM646A processor within its division.
The PAMS design precludes any interconnection of the workstations between the PAMS divisions.
Only setpoints can be changed while the system is in operation.
Application software can only be changed when the system is offline.Online changes (i.e., setpoints changes) can be made from the OM or the MTP in the same division as the safety function processor.
Thus, it is not possible to change a setpoint on the opposite train. The PAMS design includes the following additional features:* Setpoint changes are prohibited by software unless that train is first taken out of service using the FE keyswitch.
- Enabling the FE keyswitch causes the PAMS "System Trouble" overhead annunciator to be activated in the MCR (via software control).0 A dedicated OM and MTP are permanently installed on each train. Because there are no connections between the trains, setpoints can only be changed by the associated train's OM and MTP.* Access to the key to the FE keyswitch is administratively controlled by TVA in accordance with plant key control.Application software (i.e., software loads) changes can only be made with a PAMS train inoperable:
0 The PAMS must be taken out of service to load software.0 Software can only be loaded via the MTP. This feature is not available on the OM.* The MTP is a permanently connected maintenance workstation used to modify that train's software.0 Each train's MTP and SLE keyswitch is installed in a locked cabinet. Access to these cabinets is controlled administratively by TVA via cabinet locks in accordance with plant key control.* Enabling the SLE keyswitch causes the PAMS "System Trouble" overhead annunciator to be activated in the MCR. When the SLE keyswitch is in the normal position, it removes power to the MTP's hard disk drive within the node box; this provides a physical barrier to the ability to load system software.
This is because the hard disk 7-82 drive has the operating system (i.e., Windows) and the development software (i.e., Advabuild) that are necessary to perform a software change to the system.Access to the key to the SLE keyswitch is administratively controlled by TVA in accordance with administrative instruction TI-12.09, "Plant Key Control." In addition to the above controls, the OM and MTP are located in vital areas that restrict access to only authorized personnel.
Finally, software can only be loaded to the AC160 via a serial cable connected between the MTP and the AC160 processor module. This cable is not connected during normal system operations; therefore, the WBN Unit 2 Common Q PAMS communications ensure that the safety division is protected from alteration while the safety division is in operation.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.11 Staff Position No. 11 Staff Position No. 11 states that the provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service, and that the progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division.
For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence.The WBN Unit 2 Common Q PAMS has no incoming message data from outside of its safety channel to be used in the safety function processors.
Therefore, the progress of the safety function processors through its instruction sequence will not be affected.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.12 Staff Position No. 12 Staff Position No. 12 states that communication faults should not adversely affect the performance of required safety functions in any way. This section defines "faults," including communication faults, originating in nonsafety equipment, as not constituting "single failures," as described in the single-failure criterion of Appendix A to 10 CFR Part 50. The position provides 12 examples of credible communication faults but cautions that the possible communication faults are not limited to the 12 examples.The signal data acquisition, the algorithms execution, and the setting of the annunciator output relays by the PM646A controller cannot be impacted by any postulated communications failure at the Ethernet controller in the MTP. Ethernet communications failures in the MTP cannot impact the PM646A processor or the OM displays.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.13 Staff Position No. 13 Staff Position No. 13 states that vital communications, such as the sharing of channel trip decisions for the .purpose of voting, should include provisions for ensuring that received messages are correct and are correctly understood, and that such communications should employ error-detecting or error-correcting coding along with a means for dealing with corrupt, invalid, untimely, or otherwise questionable data. The position further states that the effectiveness of error detection/correction should be demonstrated in the design and proof 7-83 testing of the associated codes but, once demonstrated, is not subject to periodic testing, and that error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable.
Finally, the position states that none of this activity should affect the operation of the safety-function processor.
For the purposes of DI&C-ISG-04, "vital" communications are defined as communications that are needed to support a safety function.
Failure of vital communications could inhibit the performance of the safety function.
The most common use of vital communications is the distribution of channel trip information to other divisions for the purpose of voting.Ethernet communications between the MTP and the nonsafety-related equipment (i.e., plant computer) are not vital to the performance of any safety function.
AF100 communications, though vital to the PAMS safety functions, are limited to components within a single PAMS division.
This communication is exempt from meeting the requirements of DI&C-ISG-04, which states that "This guidance is not applicable to interactions among equipment that are all in the same safety division." Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.14 Staff Position No. 14 Staff Position No. 14 states that vital communications should be point-to-point by means of a dedicated medium (e.g., copper or optical cable) and clarifies the definition of "point-to-point" as meaning that the message is passed directly from the sending node to the receiving node, without the involvement of equipment outside the division of the sending or receiving node.Ethernet communications between the MTP and the nonsafety-related equipment (i.e., plant computer) are not vital to the performance of any safety function.
AF100 communications, though vital to the PAMS safety functions, are limited to components within a single PAMS division.
This communication is exempt from meeting the requirements of DI&C-ISG-04, which states that "This guidance is not applicable to interactions among equipment that are all in the same safety division." Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.15 Staff Position No. 15 Staff Position No. 15 states that communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set have changed or not.With the PAMS, no data are received from outside the safety division.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.16 Staff Position No. 16 Staff Position No. 16 states that network connectivity, liveness, and realtime properties essential to the safety application should be verified in the protocol.
The position defines "liveness" as meaning that no connection to any network outside the division can cause a communication protocol to stall, either deadlock or livelock.
This position derives from the independence requirement of (1) 10 CFR Part 50, Appendix A, GDC 24, "Separation of Protection and Control Systems," which states, "interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired," and (2) IEEE Std. 603-1991.In accordance with BTP 7-19, Revision 5, the WBN Unit 2 Common Q PAMS is within the monitoring and indication echelon. It does not connect to, or communicate with, the control 7-84 echelon (i.e., Foxboro I/A). The PAMS receives 4-20 milliampere analog signals from the engineered safety feature actuation system (i.e., Eagle 21), but the Eagle 21 output is isolated electrically within its system. Because there is no communications protocol in the receipt of an analog signal, a failure of the Common Q PAMS cannot cause a deadlock or livelock of the engineered safety feature actuation system.Because the system does have network connectivity and it is not essential to the safety application, the NRC staff concluded that the staff position does not apply to the WBN Unit 2 Common Q PAMS.7.5.2.2.3.7.1.17 Staff Position No. 17 Staff Position No. 17 states that the medium used in a vital communications channel should be qualified for the anticipated normal and postaccident environments.
The WBN Unit 2 Common Q PAMS does not receive any vital communications from outside its own safety division.
The MTP outbound TCP/IP communication is not vital to any PAMS safety function.
The WBN Unit 2 Common Q PAMS is installed in a mild environment.
Qualification testing of the equipment for continuous use bounds the environmental conditions for the installation.
Electromagnetic/radiofrequency interference (EMI/RFI) testing was performed to industry standards to insure acceptable performance.
Because the WBN Unit 2 Common Q PAMS performs its functions in a mild environment, the staff position does not apply.7.5.2.2.3.7.1.18 Staff Position No. 18 Staff Position No. 18 states that provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication.
All MTP TCP/IP communications are outbound only. An FMEA was prepared for this system and the TCP/IP interface was included in this analysis.
Although there is no NRC staff guidance for determining the acceptability of an FMEA, the staff reviewed the FMEA and, based on experience and engineering judgement, determined that the FMEA was comprehensive and, therefore, was adequate.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7.5.2.2.3.7.1.19 Staff Position No. 19 Staff Position No. 19 states that the communications data rates be such that they will not exceed the capacity of a communications link or the ability of nodes to handle traffic, and that all links and nodes have sufficient capacity to support all functions.
To do this, the applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions.
Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.The PM646A controller and the OM do not receive any vital communications from outside of their own safety division.
A data storm test is part of the factory acceptance test; all factory acceptance testing was successfully completed.
Therefore, the WBN Unit 2 Common Q PAMS communications meet the staff position and are acceptable.
7-85 7.5.2.2.3.7.1.20 Staff Position No. 20 Staff Position No. 20 states that the safety system response time calculations should assume a data error rate that is greater than or equal to the design-basis error rate and is supported by the error rate observed in design and qualification testing.There are no response time criteria for the WBN Unit 2 PAMS; therefore, the staff position does not apply to the WBN Unit 2 Common Q PAMS.7.5.2.2.3.8 System, Hardware, Software and Methodology Modifications In its approval of the Common Q topical report (ADAMS Accession No. ML031830959, not publicly available), the NRC staff stated the following:
Should our criteria or regulations change so that our conclusions as to the acceptability of the report are invalidated, CE Nuclear Power and/or the applicants referencing the topical report will be expected to revise and resubmit their respective documentation, or submit justification for the continued applicability of the topical report without revision of their respective documentation.
The regulatory criteria associated with digital I&C systems have changed since the Common Q topical report was issued. The WBN Unit 2 Common Q PAMS LTR (Attachment 2 to TVA's letter dated March 31, 2011) identifies changes and additions that also must be evaluated against current regulatory criteria.Section 2.2.1, "Hardware/Software Change Process," of the LTR describes the changes to the Common Q hardware and software items, as well as the WEC process for evaluating the licensing impact of those changes. The NRC staff did not address the acceptability of the change process. The staff reviewed the acceptability of the changes associated with the WBN Unit 2 Common Q PAMS. Section 2.2.1 of the LTR identifies the hardware and software changes and their justification for acceptability.
The NRC staff reviewed samples of the documentation associated with the description and justification during its audits of the WEC CGD activities September 20-21, 2010, and February 28-March 4, 2011.The changes identified in the LTR were generally to the hardware and software associated with the Common Q application framework.
The changes were individually evaluated by WEC and accepted in the CGD of the new items. The NRC staff evaluated each change and associated justification using the guidance in Section D.8, "System, Hardware, Software, and Methodology Modifications," of Interim Staff Guidance Digital I&C-ISG-06, Revision 1, "Licensing Process," dated January 19, 2011 (ADAMS Accession No. ML1 10140103), and determined them to be acceptable.
7.5.2.2.3.9 Review of System and IEEE Std. 603-1991 Requirements Five clauses (Clauses 4, 5, 6, 7, and 8) of IEEE Std. 603-1991 provide the requirements to be considered in the evaluation of a digital PAMS. The subsections below address the individual requirements of these clauses.7-86 The NRC staff used the current staff positions in its review of systems and equipment unique to WBN Unit 2. SRP Section 7.7, Revision 2, "Information System Important to Safety," specifies IEEE Std. 603-1991 as applicable to accident-monitoring instrumentation, and states the following:
For accident monitoring instrumentation isolated from the protection system, the applicable requirements of 10 CFR 50.55a(h)...for IEEE Std. 603-1991 are Clause 5.6.3, "Independence Between Safety Systems and Other Systems," and Clause 6.3, "Interaction Between the Sense and Command Features and Other Systems." In addition, the WBN Unit 2 Common Q PAMS implements two Type A variables:
CET and SMM. Accident-monitoring instrumentation variable types are defined by RG 1.97, Revision 2, issued December 1980, and WBN Unit 2 FSAR Section 7.5.TVA has not provided an analysis demonstrating that the criteria of IEEE Std. 603-1991 have been met (see Open Item 94, Appendix HH). However, the NRC staff performed its own analysis, as documented in the subsections below, and concluded, pending the resolution of Open Item 94, that there is reasonable assurance that the regulatory criteria in IEEE Std. 603-1991 have been met, and that the WBN Unit 2 Common Q PAMS system is acceptable.
7.5.2.2.3.9.1 IEEE Std. 603-1991, Clause 4. "Safety System Desi-gnation" Clause 4 of IEEE Std. 603-1991 states that a specific basis shall be established for the design of each safety system of the nuclear power generating station. SRP Appendix 7.1-C, Revision 5, Section 4, "Safety System Designation," provides acceptance criteria for these requirements.
The design basis for the WBN Unit 2 Common Q PAMS is the same as for Unit 1. In addition, the PAMS functions for WBN Unit 2 are the same as those for Unit 1; therefore, the NRC staff did not perform a redundant review of the Unit 2 design-basis functional requirements.
The design criteria for Category 1 variables is summarized in WBN Unit 2 FSAR Section 7.5.1.4.3,"Design Criteria for Category 1 Variables." For WBN Unit 2, the Common Q PAMS fulfills the role that the ICC module (ICCM-86) is currently performing on Unit 1; neither ICCM-86 nor any predecessor has been installed on WBN Unit 2. There are 58 CETs on Unit 2, as opposed to 65 CETs on Unit 1, because of plant-specific requirements.
RG 1.97, Revision 2, Regulatory Position 1.3.1 .g states that "Recording of instrumentation readout information should be provided," for Type A, B, and C accident-monitoring instrumentation.
Therefore, recording should be provided for Category 1 PAM variables.
Unit 1 has 1 E-grade CET recorders, but Unit 2 has no recorders installed.
Instead, the Common Q PAMS will store a limited amount of trend data and allow trending of CETs. Also, the integrated computer system (ICS) is capable of trending the CETs for longer periods of time. Because the CETs can be trended, the requirement from Regulatory Position 1.3.1 .g is met; therefore, the recording method is acceptable to the staff.In Attachment 40 to its letter dated October 5, 2010 (ADAMS Accession No. ML102910324, not publicly available), TVA provided the design criteria document for the postaccident monitoring 7-87 instrumentation (WB-DC-30-7, Revision 2). Attachment 40, Appendix A, Table A-i, "Regulatory Guide 1.97 Post Accident Monitoring Variables List," identifies three PAM variables that are processed and indicated by the Common Q system:* Variable No. 6-core exit temperature (Type Al)* Variable No. 16-subcooling margin monitor (Type Al)* Variable No. 22--reactor vessel level (Type B1)Other parameters (e.g., RCS WR pressure, WR temperature, and reactor coolant pump status), which are PAM variables, are also provided to the Common Q PAMS. The operator will be able to see these values on the OM, but these variables are not required to be monitored in the control room, so the Common Q PAMS is not the primary display for these variables.
This configuration meets the regulatory position and is acceptable to the staff.7.5.2.2.3.9.1.1 IEEE Std. 603-1991, Clause 4.7, Environmental Basis Clause 4.7 requires, in part, that the design basis shall document "the range of transient and steady-state conditions of both motive and control power and the environment (for example, voltage, frequency, radiation, temperature, humidity, pressure, and vibration) during normal, abnormal, and accident circumstances throughout which the safety system shall perform." This information is used in performing other required evaluations, such as in Clause 5.5.Changes in the range of conditions should be clearly identified in the design-basis information.
The specified range of conditions is used in evaluating the adequacy of the design and qualification of the equipment.
The WBN Unit 2 Common Q PAMS plant-specific operating environment parameters (temperature, humidity, pressure, seismic, EMC) are described in Section 4 of the PAMS LTR.Requirement 4.1-1 of WNA-DS-01 617-WBT-P, "System Requirements Specification," Revision 4 (Attachment 9 to TVA's letter dated February 25, 2011, ADAMS Accession No. ML1 10620219) specifies the energy supply conditions for the PAMS of 120 volts alternating current (Vac) plus or minus10 percent and 60+/-3 Hz. Power to the Common Q PAMS is provided from the 120-Vac vital power system. WBN Unit 2 FSAR Section 8.3.1.1 describes that the vital 120-Vac system specifications are 120 Vac plus or minus 2 percent and 60+/-0.5 Hz.Therefore, the staff concludes that the power provided to PAMS meets the system requirements.
Environmental qualification of the PAMS is addressed in SSER Section 7.5.2.2.3.5.
Based on the described environment in the LTR, the SysRS, and the FSAR, the NRC staff concludes that the Common Q PAMS documentation satisfies Clause 4.7 and is acceptable.
7.5.2.2.3.9.1.2 IEEE Std. 603-1991, Clause 4.8, Conditions Having the Potential for Functional Degradation Clause 4.8 requires, in part, that the design basis shall document conditions having the potential for causing functional degradation of safety system performance, and for which provisions must be incorporated to retain necessary protective action. This information is used in performing other required evaluations, such as in Clause 5.5.Section 2.9.5 of the WBN Unit 2 Common Q PAMS SysRS (Attachment 9 to TVA's letter dated February 25, 2011, ADAMS Accession No. ML110620219) contains several requirements 7-88 regarding the monitoring and indication of cabinet temperature.
In addition, Section 2.9.2 of the SysRS contains requirements for several other conditions that have the potential for functional degradation.
Based on its review of the WBN Unit 2 Common Q PAMS requirements, the staff concludes that conditions having the potential for causing functional degradation of the Common Q PAMS performance were adequately documented and met the requirement of Clause 4.8; therefore, the documentation is acceptable.
SSER Section 7.5.2.2.3.12, "Secure Development and Operational Environment," addresses digital conditions that have the potential to functionally degrade the Common Q PMAS.7.5.2.2.3.9.1.3 IEEE Std. 603-1991, Clause 4.9, Methods Used To Determine Reliability Clause 4.9 requires that the design-basis document include the methods used to determine that the reliability of the safety system design is appropriate for the safety systems design and any qualitative or quantitative goals that may be imposed on the system design.In Attachment 37 to its letter dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), TVA provided the PAMS reliability analysis (WNA-AR-00189-WBT, Revision 0), an estimation of the availability of the PAMS. This availability analysis addressed both component reliability and associated repair times.The availability analysis was done in accordance with the guidance provided in IEEE Std. 352-1987, "IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems," which has not been endorsed by the NRC. Specifically, TVA applied the reliability block diagram method described in Clause 4.3 of IEEE Std. 352-1987.
Other IEEE Std. 352-1987 guidance on availability quantification was also applied. There is no NRC staff guidance for determining the acceptability of reliability calculation methodologies.
The staff read the description of the reliability determination methodology (reliability block diagram and associated failure rate data) and, based on engineering judgement, concluded that it was acceptable.
Based on its review of the methodology, the NRC staff concludes that the Common Q PAMS documentation meets the requirement of Clause 4.9; therefore, the documentation is acceptable.
7.5.2.2.3.9.2 IEEE Std. 603-1991, Clause 5. "Safety System Criteria" Clause 5 requires that safety systems shall, with precision and reliability, maintain plant parameters within acceptable limits established for each design-basis event. The power, instrumentation, and control portions of each safety system are required to comprise more than one safety group, of which any one safety group can accomplish the safety function.The safety function of the PAMS is to display information and provide applicable alarms based on the information.
There are no protective actions performed by PAMS; therefore, not all criteria of this clause are applicable.
Those clauses that are not applicable were not addressed by the staff.7.5.2.2.3.9.2.1 IEEE Std. 603-1991, Clause 5.1, Single-Failure Criterion Clause 5.1 requires that "The safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety 7-89 systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions.
SRP Appendix 7.1-C, Revision 5, Section 5.1,"Single-Failure Criterion (IEEE Std. 603-1991 Clause 5.1)," provides acceptance criteria for evaluating the requirements of the clause. The acceptance criteria include RG 1.53, Revision 2, which endorses IEEE Std. 379-2000.
SRP BTP 7-10, "Guidance on Application of Regulatory Guide 1.97," states that "For Category 1 variables under Revisions 2 and 3 of Regulatory Guide 1.97, no single failure should prevent the operators from being presented information necessary to determine the safety status of the plant and to maintain the plant in a safe condition following an accident." TVA provided the PAMS FMEA in Attachment 37 to its letter dated October 5, 2010, and in Attachment I to its letter dated November 5, 2010 (WNA-AR-00180-WBT, Revision 0). As described in the FMEA, PAMS trains A and B have identical controllers and display equipment.
Each train's equipment is independent and electrically isolated from the other train. Field cabling and input signal transducers used by each train are independent and isolated from the opposite train. Signals received on the analog input cards by either PAMS train from the Eagle 21 safety system are divisionally separated.
Additionally, the AF1 00 bus communications for each train are entirely within the same safety division.
Power is provided by the corresponding divisional vital instrumentation bus. Based on its review, the staff concluded that the FMEA demonstrates that the single-failure criterion is met.Based on its review of the FMEA, the NRC staff concludes that the Common Q PAMS includes provisions to meet the single-failure criterion and Clause 5.1; therefore, the PAMS is acceptable.
7.5.2.2.3.9.2.2 IEEE Std. 603-1991, Clause 5.3, Quality Clause 5.3 states that the components and modules within the safety system shall be of a quality that is consistent with minimum maintenance requirements and low failure rates, and that safety system equipment be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed QA program. SRP Appendix 7.1-C, Revision 5, Section 5.3, "Quality," provides acceptance criteria for the quality requirement and states that"The applicant/licensee should confirm that quality assurance provisions of Appendix B to 10 CFR 50 are applicable to the safety system." WBN Unit 2 Design Criterion 1 states that structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function.
A QA program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions.
Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit. In addition, 10 CFR 50.55a(a)(1) requires that the structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
7-90 As described in the LTR, the Common Q PAMS components were either commercially dedicated or developed under an approved Appendix B program. The programming of the WBN Unit 2 Common Q PAMS application was performed in accordance with the Common Q SPM.Because the WBN Unit 2 Common Q PAMS application was developed in accordance with the Common Q SPM, the NRC staff concludes that the Common Q PAMS meets the quality criterion and Clause 5.3; therefore, the PAMS is acceptable.
7.5.2.2.3.9.2.3 IEEE Std. 603-1991, Clause 5.4, Equipment Qualification Equipment qualification is addressed in SSER Section 7.5.2.2.3.5.
7.5.2.2.3.9.2.4 IEEE Std. 603-1991, Clause 5.5, System Integrity Clause 5.5 states that the safety systems shall be designed such that the system can accomplish its safety functions under the full range of applicable conditions enumerated in the design basis (i.e., those documented to meet IEEE Std. 603-1991, Clauses 4.7 and 4.8). SRP Appendix 7.1-C, Revision 5, Section 5.5, "System Integrity," provides acceptance criteria for system integrity and states that the NRC staffs review should do the following:
should confirm that tests have been conducted on safety system equipment components and the system racks and panels as a whole to demonstrate that the safety system performance is adequate to ensure completion of protective actions over the range of transient and steady-state conditions of both the energy supply and the environment.
Where tests have not been conducted, the applicant/licensee should confirm that the safety system components are conservatively designed to operate over the range of service conditions.
The applicable conditions and WBN Unit 2 Common Q PAMS compliance are contained in LTR Section 12 (Attachment 2 to TVA's letter dated March 31, 2011):* Items 87 and 88-seismic
- Items 89, 90, 91, 92, and 185-EMI/RFI
- Items 300, 301, and 302-environmental SSER Section 7.5.2.2.3.5 contains the staffs evaluation of the Common Q qualification against the WBN Unit 2 specific requirements.
SSER Section 7.5.2.2.3.12 addresses digital conditions that have the potential to functionally degrade the Common Q PAMS. No other threats to integrity were identified or evaluated by the staff. The staff addresses the acceptability of the WBN Unit 2 Common Q PAMS with respect to the system integrity requirements in SSER Sections 7.5.2.2.3.5 and 7.5.2.2.3.12.
7.5.2.2.3.9.2.5 IEEE Std. 603-1991, Clause 5.6, Independence Clause 5.6 provides, in part, the requirements for independence between (1) redundant portions of a safety system, (2) safety systems and the effects of design- basis events, and (3) safety systems and other systems. SRP Appendix 7.1-C, Revision 5, Section 5.6 provides acceptance criteria for system independence.
The acceptance criteria state that three aspects of independence-physical independence, electrical independence, and communications independence-should be addressed for each of the previously listed system relations.
7-91 Guidance for the evaluation of physical and electrical independence is provided in RG 1.75, Revision 3, "Criteria for Independence of Electrical Safety Systems," issued February 2005, which endorses IEEE Std. 384-1992.
The safety system design should not have (1) components that are common to redundant portions of the safety system, such as common switches for actuation, reset, mode, or test, (2) common sensing lines, or (3) any other features that could compromise the independence of redundant portions of the safety system. SRP BTP 7-10 states that, "For Category 1 variables under Revisions 2 and 3 of Regulatory Guide 1.97, no single failure should prevent the operators from being presented information necessary to determine the safety status of the plant and to maintain the plant in a safe condition following an accident." Communication independence is evaluated in SSER Section 7.5.2.2.3.7, "Communications." Physical independence is attained by physical separation and physical barriers.
Electrical independence should include the use of separate power sources. Transmission of signals between independent channels should be through isolation devices. SRP Appendix 7.1-C, Revision 5, Section 5.6 provides additional acceptance criteria for communications independence.
Section 5.6 states that, where data communication exists between different portions of a safety system, the analysis should confirm that a logical or software malfunction in one portion cannot affect the safety functions of the redundant portions, and that, if a digital computer system used in a safety system is connected to a digital computer system used in a nonsafety system, a logical or software malfunction of the nonsafety system must not be able to affect the functions of the safety system.TVA provided the PAMS FMEA in Attachment 37 to its letter dated October 5, 2010, and in Attachment I to its letter dated November 5, 2010 (WNA-AR-00180-WBT, Revision 0). As described in the FMEA, PAMS trains A and B have identical controllers and display equipment.
Each train's equipment is independent and electrically isolated from the other train. Field cabling and input signal transducers used by each train are independent and isolated from the opposite train. Signals received on the analog input cards by either PAMS train from the Eagle 21 safety system are divisionally separated.
Additionally, the AF100 bus communications for each train are entirely within the same safety division.
Power is provided by the corresponding divisional vital instrumentation bus.There is one 1 E-to-non-1 E transition in each train, the connection from the MTP to the ICS.This transition includes a fiber-optic connection that meets the regulatory requirements for electrical isolation.
Based on the independence features described above, the NRC staff concludes that the Common Q PAMS meets the acceptance criteria for independence and the requirements of Clause 5.6; therefore, the PAMS is acceptable.
7.5.2.2.3.9.2.6 IEEE Std. 603-1991, Clause 5.7, Capability for Test and Calibration Clause 5.7 states the following:
Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions.
The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function....
Exceptions to testing and calibration during power operation are allowed where this capability cannot 7-92 be provided without adversely affecting the safety or operability of the generating station. In this case: (1) appropriate justification shall be provided (for example, demonstration that no practical design exists), (2) acceptable reliability of equipment operation shall be otherwise demonstrated, and (3) the capability shall be provided while the generating station is shut down.SRP Appendix 7.1-C, Revision 5, Section 5.7, "Capability for Test and Calibration," provides acceptance criteria for IEEE Std. 603-1991, Clause 5.7. Capability should be provided to permit testing during power operation and, when this capability can only be achieved by overlapping tests, the test scheme must be such that the tests do, in fact, overlap from one test segment to another. Section 5.7 states that test procedures that require disconnecting wires, installing jumpers, or other similar modifications of the installed equipment are not acceptable test procedures for use during power operation.
Section 5.7 further states that, for digital computer-based systems, test provisions should address the increased potential for subtle system failures such as data errors and computer lockup.In addition, 10 CFR 50.36(c)(3) states that "Surveillance requirements are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation will be met." Self-testing and periodic testing are important elements in detecting failures.The requirements for test and calibration and the associated Common Q PAMS compliance are contained in LTR Section 12 (Attachment 2 to TVA's letter dated March 31, 2011):* Item 350--maintenance bypass* Item 351--loop tuning parameters
- Items 400 and 401-3.7.2 testing, calibration, and verification
- Items 402, 403, and 404-3.7.3 channel bypass or removal from operation Each of the PAMS channels is designed to permit periodic software testing of the CET and saturation margin algorithms on demand; however, there appeared to be no description of how the RVLIS algorithm is periodically tested. This is Open Item 110 (Appendix HH).Open Item 110: IVA should provide information to the NRC staff describing how the WBN Unit 2 Common Q PAMS design supports periodic testing of the RVLIS function.During testing, the PAMS channel outputs are controlled by the algorithms.
The testing uses a predefined set of inputs and produces a defined set of outputs. During testing, the data link to the PAMS displays identifies that the channel is in TEST mode (i.e., FE), in addition to providing PAMS data and results. Actual annunciator outputs are bypassed to prevent spurious annunciation.
A separate means is provided to test individual annunciation outputs. This periodic software testing is performed through the MTP.7-93 Based on the information provided by TVA in the LTR, the NRC staff concludes that the Common Q PAMS includes the provisions to perform the testing identified in the surveillance requirements; therefore, the PAMS meets the requirements of Clause 5.7 and is acceptable.
7.5.2.2.3.9.2.7 IEEE Std. 603-1991, Clause 5.8, Information Displays Clause 5.8 has four subordinate clauses that contain requirements, as described in the subsections below. SRP Appendix 7.1-C, Revision 5, Section 5.8, "Information Displays," provides acceptance criteria for the subordinate clauses of Clause 5.8. The SRP guidance states that the information displays for manually controlled actions should include confirmation that displays will be functional, and that safety system bypass and inoperable status indication should conform to the guidance of RG 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems." TMI Action Item I.D.3, "Bypass and Inoperable Status Indication," also requires provisions for automatic indication of the bypass and operable status of safety system.7.5.2.2.3.9.2.7.1 IEEE Std. 603-1991, Clause 5.8.1, Displays for Manually Controlled Actions Clause 5.8.1 states that the display instrumentation provided for manually controlled actions for which no automatic control is provided, and that is required for the safety systems to accomplish their safety functions, will be part of the safety systems. SRP Appendix 7.1-C, Revision 5, Section 5.8 provides no further review guidance for Clause 5.8.1.The Common Q PAMS contains two Type A variables (i.e., per RG 1.97, Revision 2: "Those variables that provide primary information to the MCR operators to allow them to take preplanned manually controlled actions for which no automatic action is provided and that are required for safety systems to accomplish their safety functions").
These variables are displayed on the OMs, which are safety-related components.
The OMs are part of the safety-related PAMS; therefore, the PAMS meets the requirements of Clause 5.8.1 and is acceptable.
7.5.2.2.3.9.2.7.2 IEEE Std. 603-1991, Clause 5.8.3, Indication of Bypasses Clause 5.8.3 requires the following:
If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.5.8.3.1 This display instrumentation need not be part of the safety systems.5.8.3.2 This indication shall be automatically actuated if the bypass or inoperative condition (a) is expected to occur more frequently than once a year, and (b) is expected to occur when the affected system is required to be operable.5.8.3.3 The capability shall exist in the control room to manually activate this display indication.
7-94 SRP Appendix 7.1-C, Revision 5, Section 5.8 also states that safety system bypass and inoperable status indication should conform with the guidance of RG 1.47. Indication of bypasses should also be provided for safety-related indication systems (e.g., PAMS) or alarms.As described in the LTR (Attachment 2 to TVA's letter dated March 31, 2011), the WBN Unit 2 PAMS allows signal bypasses from both the OM and MTP. Typically, an input signal would not be bypassed unless that input signal has failed. There is indication displayed on the OM and MTP when a signal is bypassed.Based on the description of bypass indication provided in the LTR, the NRC staff concludes that the Common Q PAMS includes appropriate indication of bypassed signals or channels;therefore, the PAMS meets the requirements of Clause 5.8.3 and is acceptable.
7.5.2.2.3.9.2.7.3 IEEE Std. 603-1991, Clause 5.8.4, Location Clause 5.8.4 states that "Information displays shall be located accessible to the operator.Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions." The WBN Unit 2 Common Q PAMS has an OM located in the MCR.Because the OM is located in the MCR accessible to the operators, the NRC staff concludes that the PAMS meets the requirements of Clause 5.8.4 and, therefore, is acceptable.
7.5.2.2.3.9.2.8 IEEE Std. 603-1991, Clause 5.9, Control of Access Clause 5.9 states that "The design shall permit the administrative control of access to safety system equipment." SRP Appendix 7.1-C, Revision 5, Section 5.9, "Control of Access," provides acceptance criteria for Clause 5.9. The acceptance criteria state that administrative control is acceptable to assure that the access to the means for bypassing safety system functions is limited to qualified plant personnel, that permission of the control room operator is obtained to gain access, and that digital computer-based systems need to consider controls over electronic access, including access via network connections and maintenance equipment, to safety system software and data.As described in the LTR (Attachment 2 to TVA's letter dated March 31, 2011) and in the system design specification (WNA-DS-01 667-WBT-P, Revision 4; Attachment 12 to TVA's letter dated February 25, 2011, ADAMS Accession No. ML1 10620219) access to the key for the FE and SLE keylock switches are administratively controlled by TVA in accordance with plant key control. Each train's MTP and SLE keylock switch is installed in a separate locked cabinet.Access to these cabinets is controlled administratively by TVA via cabinet locks in accordance with plant key control. Cyber security features are included that will alarm if access controls have been breached and the software has been changed.Based on the controls described above, the NRC staff concludes that the Common Q PAMS includes appropriate access control; therefore, the PAMS meets the requirements of Clause 5.9 and is acceptable.
7-95 7.5.2.2.3.9.2.9 IEEE Std. 603-1991, Clause 5.10, Repair Clause 5.10 requires that the safety system be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.
SRP Appendix 7.1-C, Revision 5, Section 5.10, "Repair," provides acceptance criteria for Clause 5.10. The SRP states the following:
Digital safety systems may include self-diagnostic capabilities to aid in troubleshooting.
SRP BTP 7-17 describes characteristics that digital computer-based diagnostic systems should exhibit. However, the use of self-diagnostics does not replace the need for the capability for test and calibration systems as required by Clauses 5.7 and 6.5 of IEEE Std. 603-1991.The requirements for repair and associated Common Q PAMS compliance are contained in LTR (Attachment 2 to TVA's letter dated March 31, 2011) Section 11, "IVA Contract Compliance Matrix":* Item 179-mean time to repair 0 Item 202-self test* Item 398-3.7 maintenance 0 Item 399-3.7.1 troubleshooting TVA performed a PAMS reliability analysis (WNA-AR-001 89-WBT, Revision 0; Attachment 37 to TVA's letter dated October 5, 2010) (ADAMS Accession No. ML1 02910324, not publicly available), which documents the mean time to repair (see PAMS reliability analysis Section 5.7,"Mean Time to Repair").The self-test capability of the AC160 platform is described in Section 4.1.1.3 of the NRC-approved Common Q topical report (ADAMS Accession Nos. ML031830959, not publicly available, and ML031820484, public version).
The watchdog timer module associated with the AC160 is described in Section 4.1.5 of the Common Q topical report. These features must be explicitly addressed in each application in order for them to be implemented in each application.
In the PAMS application at WBN Unit 2, these features are connected to the PAMS trouble annunciator, which prompts the operator to review the associated diagnostics pages and logs.The Common Q equipment uses standardized, modular, plug-in construction, so that any component may be easily removed from the system and replaced without breaking or making soldering connections.
Troubleshooting is facilitated by the following:
(1) The AC160 modules contain both a red and green status light-emitting diode. Green indicates when a module is functioning properly and red indicates failure.(2) The failed module location and module type are displayed on the MTP.(3) The AC1 60 error buffer will contain the description of the problem.Based on the functionality described above, the NRC staff concluded that the WBN Unit 2 Common Q PAMS includes the provisions for timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment; therefore, the PAMS meets the requirements of Clause 5.10 and is acceptable.
7-96 7.5.2.2.3.9.2.10 IEEE Std. 603-1991, Clause 5.15, Reliability Clause 5.15 states that, "For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved." SRP Appendix 7.1-C, Revision 5, Section 5.15,"Reliability," provides acceptance criteria for Clause 5.15. The acceptance criteria state that the applicant/licensee should justify that the degree of redundancy, diversity, testability, and quality provided in the safety system design is adequate to achieve functional reliability commensurate with the safety functions to be performed and that, for computer systems, both hardware and software reliability should be analyzed.
The acceptance criteria further state that "Software that complies with the quality criteria of subsection 5.3 [of SRP Appendix 7.1-C] above, and that is used in safety systems that provide measures for defense against common-cause failures as described in subsection 5.1 [of SRP Appendix 7.1-C] above, are considered by the staff to comply with the fundamental reliability requirements of GDC 21, IEEE Std. 279-1971, and IEEE Std. 603-1991." Appendix 7.1 -C, Section 5.15 further states that the assessment of reliability should consider the effect of possible hardware and software failures and the design features provided to prevent or limit the effects of these failures, and that hardware failure conditions to be considered should include failures of portions of the computer itself and failures of portions of communication systems. Hard failures, transient failures, sustained failures, and partial failures should be considered.
Software failure conditions to be considered should include, as appropriate, software common-cause failures, cascading failures, and undetected failures.
SRP Chapter 7, Appendix 7.1-C, Section 5.15 also references SRP, Chapter 7, Appendix 7.1-D and states that the quantitative reliability goals are not sufficient as a sole means of meeting the NRC's regulations for the reliability of digital computers used in safety systems.The specification for the WBN Unit 2 Common Q PAMS established quantitative reliability goals.TVA performed a PAMS reliability analysis (WNA-AR-001 89-WBT, Revision 0; Attachment 37 to TVA's letter dated October 5, 2010) (ADAMS Accession No. ML1 02910324, not publicly available), which documents that the reliability goals have been achieved.
This reliability analysis did not include the digital output modules because alarm displays are also available to provide indications to the operator, therefore, certain display monitoring provisions are included in the Common Q PAMS specific operator training.The NRC staff reviewed the reliability analysis, using the criteria described above, and determines that the Common Q PAMS includes the provisions to meet reliability requirements identified in the design documentation; therefore, the PAMS meets the requirements of Clause 5.15 and is acceptable.
7.5.2.2.3.9.3 IEEE Std. 603-1991, Clause 6. "Sense and Command Features-Functional and Design Requirements" 7.5.2.2.3.9.3.1 IEEE Std. 603-1991, Clause 6.4, Derivation of System Inputs Clause 6.4 states that, to the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis. SRP Appendix 7.1-C, Revision 5, Section 6.4, "Derivation of System Inputs," provides acceptance criteria for Clause 6.4. Section 6.4 states that, if indirect parameters are used, the indirect parameter must be shown to be a valid representation of the desired direct 7-97 parameter for all events, and that, for both direct and indirect parameters, the characteristics of the instruments that produce the safety system inputs, such as range, accuracy, resolution, response time, and sample rate, are consistent with the analysis provided in Chapter 15 of the FSAR.As described in the PAMS reliability analysis (WNA-AR-001 89-WBT, Revision 0; Attachment 37 to TVA's letter dated October 5, 2010) (ADAMS Accession No. ML1 02910324, not publicly available), the WBN Unit 2 Common Q PAMS provides an indication of ICC by using three different algorithms:
(1) The CET monitoring system monitors the CETs to infer fuel cladding temperatures.
(2) The SMM monitors the degree to which the primary coolant is subcooled; this variable is derived from RCS pressure, maximum RCS hot leg (Thot) temperature, and representative CET temperature.
(3) The RVLMS monitors the collapsed liquid level above the fuel alignment plate to indicate the approach of ICC; this variable is a derived indication based on reactor vessel level differential pressure signals, impulse line resistance temperature detector inputs, differential temperature (delta-T) power, reactor coolant pump contacts, hydraulic isolators, RCS pressure, and auctioneered RCS temperature.
The RVLMS portion of the Common Q PAMS will be calibrated to indicate measured level as part of onsite system commissioning.
The NRC staff reviewed the indications for ICC using the criteria described above and concludes that the sense and command feature inputs are derived from signals that are practical direct measures of the desired variables, as specified in the design basis. Therefore, the Common Q PAMS includes provisions to meet the requirements for derivation of system input and meets the requirements of Clause 6.4. Therefore, the PAMS is acceptable.
7.5.2.2.3.9.3.2 IEEE Std. 603-1991, Clause 6.5, Capability for Testing and Calibration SRP Appendix 7.1-C, Revision 5, Section 6.5, "Capability for Testing and Calibration," provides acceptance criteria for Clause 6.5 and states that "Means shall be provided for checking the operational availability of each sensor required for a safety function.. .SRP BTP 7-17 discusses issues that should be considered in sensor check and surveillance test provisions for digital computer I&C systems." Clause 6.5.1 states that "Means shall be provided to check, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation." SRP Appendix 7.1-C states that the operational availability can be checked by varying the input to the sensor or by cross-checking between redundant channels.Clause 6.5.2 states the following:
One of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period: 7-98 (1) Checking the operational availability of sensors by use of the methods described in 6.5.1. [i.e., post accident checking is done the same way as checking during normal operation]
(2) Specifying equipment that is stable and retains its calibration during the post-accident time period.In addition, IEEE 7-4.3.2-2003, Clause 5.5.3, "Fault Detection and Self-Diagnostics," discusses fault detection and self-diagnostics and states that, if reliability requirements warrant self-diagnostics, then computer programs should contain functions to detect and report computer system faults and failures in a timely manner, and that these self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function or cause spurious actuations of the safety function.The requirements for sense and command feature testing and Common Q PAMS compliance are contained in LTR Section 11 (Attachment 2 to TVA's letter dated March 31, 2011):* Item 11-display of sensor diagnostic information
- Item 205-self-diagnostics and watchdog timer* Items 264 through 271-system self-checks
- Item 31 1-system status displays* Item 341-alarms
- Item 344-online diagnostics The Common Q PAMS equipment performs a variety of diagnostic and supervision functions to continuously monitor the correct operation of the whole system. Each of the I/O modules has a diagnostic function, as described below. The processor module monitors the system as a whole by collecting all of the diagnostic information and checking the consistency of the hardware configuration, application software, and data links. Each PAMS PM646A processor module has an independent integral watchdog timer that requires updating by the processor on a periodic basis. If the processor fails to execute a program, the watchdog timer's purpose is to detect this condition and provide contact outputs to the plant annunciator system.The Common Q system software automatically checks that all 1/0 modules are operating correctly.
In the event of a defective or missing module (e.g., during replacement), the module and associated signals are flagged and indicated by the PAMS application.
The I/O modules run a self-testing diagnostics routine following powerup and during operation.
The Common Q system software checks the following:
- The module is in the correct position.* The module is of the right type.* The module is not defective (i.e., passes initiation tests).* The process connector is in place.If all of these points are in order, the error flag is reset and the module switches to the operating mode. An "ERR" condition in the I/O system provides an alarm at the OM and MTP and also cause a PAMS trouble condition.
The WBN Unit 2 Common Q PAMS permits administrative control of access to module calibration.
Setpoint changes are made through software entries. The design permits periodic 7-99 checking, testing, calibration, and calibration verification.
The capability to test the CET and saturation margin algorithms during power operation is provided.The NRC staff reviewed the testing functionality, using the criteria described above, and determines that the Common Q PAMS application has adequate provisions for calibration and self-testing; therefore, the Common Q PAMS meets the requirements of Clause 6.5 and is acceptable.
7.5.2.2.3.10 IEEE 7-4.3.2-2003 Criteria for Di-gital Computers RG 1.152, Revision 2 states that conformance with the requirements of IEEE Std. 7-4.3.2-2003 is a method that the NRC staff has deemed acceptable for satisfying the NRC's regulations with respect to high functional reliability and design requirements for computers used in safety systems of nuclear power plants. The staff used SRP Appendix 7. 1-D, issued March 2007, in its review of this subsection of the SSER.SRP Appendix 7.1-C, Revision 5, Section 5, and Appendix 7.1 -D, Section 5, provide acceptance criteria for IEEE 7-4.3.2-2003, Clause 5. Some IEEE 7-4.3.2-2003 clauses are addressed elsewhere in this SSER.7.5.2.2.3.10.1 IEEE 7-4.3.2-2003, Clause 5.4.1. Computer System Testing Clause 5.4.1 discusses the software that should be operational on the computer system while qualification testing is being performed.
SRP Appendix 7.1-D, Section 5.4.1, "Computer System Testing," provides acceptance criteria for equipment qualifications.
This section states that computer system equipment qualification testing should be performed with the computer functioning with software and diagnostics that are representative of those used in actual operation.
As described in the LTR (Attachment 2 to TVA's letter dated March 31, 2011), the equipment qualification was performed with the computer functioning with software and diagnostics that are representative of those used in an application.
The NRC staff reviewed the equipment qualification reports provided by TVA and referenced in the LTR, using the criteria described above, and determined that the Common Q PAMS was qualified with representative software running; therefore, the PAMS meets the requirements of Clause 5.4.1 and is acceptable.
7.5.2.2.3.10.2 IEEE 7-4.3.2-2003, Clause 5.5, System Integrity Clause 5.5 states that, in addition to the system integrity criteria provided by IEEE Std. 603, the digital system shall be designed for computer integrity, test and calibration, and fault detection and self-diagnostics activities.
These attributes are further defined in IEEE Std. 7-4.3.2-2003, Clauses 5.5.1, "Design for Computer Integrity," 5.5.2, "Design for Test and Calibration," and 5.5.3. No specific acceptance criteria are provided in SRP Appendix 7.1-D, Section 5.5,"System Integrity." The adequacy of the WBN Unit 2 Common Q PAMS for meeting the applicable criteria is addressed in the subsection below.7-100 7.5.2.2.3.10.2.1 IEEE 7-4.3.2-2003, Clause 5.5.2, Design for Test and Calibration Clause 5.5.2 states that test and calibration functions shall not adversely affect the ability of the computer to perform its safety function, and that it shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration.
As described in the LTR (Attachment 2 to TVA's letter dated March 31, 2011), factory acceptance testing and other AC1 60-based testing was performed with the Common Q self-diagnostics running and demonstrated that the system meets all acceptance criteria.
In order to perform calibration, the system is placed in maintenance bypass; the remaining channel is credited with performing its safety function.Because the testing was performed with all self-diagnostics running, and the system met all acceptance criteria, the NRC staff concludes that the WBN Unit 2 Common Q PAMS adequately addresses Clause 5.5.2 and, therefore, is acceptable.
7.5.2.2.3.10.4 IEEE 7-4.3.2-2003, Clause 5.15, Reliability Clause 5.15 states that, in addition to the requirements of IEEE Std. 603, when reliability goals are identified, the proof of meeting the goals shall include the software.
Clause 5.15 also states that the NRC staff relies on the vendor using a high-quality process for software design to obtain high-quality software (i.e., reliable software).
Guidance is provided in SRP Appendix 7.1-C, Revision 5, Section 5.15, and Appendix 7.1-D, Section 5.15. SRP Appendix 7.1-D, Section 5.15 also references RG 1.152.The WBN Unit 2 Common Q PAMS reliability analysis (WNA-AR-00189-WBT, Revision 0, Attachment 37 to TVA's letter dated October 5, 2010) (ADAMS Accession No. ML1 02910324, not publicly available) explicitly addresses the quantitative reliability goals in the specification but did not explicitly address software reliability; the current NRC staff position is that software reliability is addressed by using a high-quality development process. The LTR includes a description of the implementation of a high-quality software development process (i.e., a description of the implementation of the Common Q SPM).The NRC staff reviewed the implementation of the SPM, using the criteria described above, and determined that the Common Q PAMS includes the provisions to meet reliability requirements identified in the design documentation; therefore, the PAMS meets the requirements of Clause 5.15 and is acceptable.
7.5.2.2.3.11 Technical Specifications As described in Section D. 11, "Technical Specifications," of Digital I&C-ISG-06, Revision I (ADAMS Accession No. MLI 10140103), the NRC staffs scope of review of digital systems includes the information necessary to ensure compliance with 10 CFR 50.36, "Technical Specifications." In Attachment 1 (EDCR 52321, "Draft Scope and Intent, Unit Difference and Technical Evaluation")
of its letter dated October 29, 2010 (ADAMS Accession No. ML1 03120711), TVA stated that "changes to FSAR, TS [technical specifications], TS Bases, TRM [technical requirements manual], and TRM (Bases), as a result of this modification, are required to be included as part of the final issued EDCR." EDCR 52321 installs the Westinghouse In-Core 7-101 Information, Surveillance, and Engineering (WINCISE T M) system to replace the moveable incore detection system and the top-mounted CETs. The Common Q PAMS is part of the modification.
TVA should confirm to the staff that there are no changes required to the technical specifications as a result of the modification installing the Common Q PAMS. If any changes to the technical specifications are required, TVA should provide the changes to the NRC staff for review. This is Open Item 111 (Appendix HH).7.5.2.2.3.12 Secure Development and Operational Environment IEEE 7-4.3.2-2003, Clause 5.5.1 states that the computer shall be designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function.As described in Section D.12, "Secure Development and Operational Environment," of Digital I&C-ISG-06, Revision 1, the NRC staff's review includes the following:
Ensuring that the development processes and documentation are secure (from nonmalicious acts or events) such that the system does not contain undocumented code (e.g., backdoor coding and dead code), unwanted functions or applications, and any other coding that could adversely impact the integrity or reliability of the digital safety system. Review of secure software design and development processes includes the concepts phase through the factory acceptance tests.Ensuring that any undesirable behaviour of connected systems does not prevent the safety system in the performance of its safety function.Ensuring that access to safety systems is controlled such that inadvertent access and/or operator error does not adversely impact the performance of the safety function.In addition, RG 5.71, "Cyber Security Programs for Nuclear Facilities," issued January 2010, states the following:
The RG 1.152, Revision 2, contains regulatory criteria for the evaluations of safety systems to ensure that identified security features were appropriately incorporated into systems and that the development environment was protected against the introduction of undocumented, unwanted code and any other coding that could adversely impact operation of the safety system....
If a licensee or applicant chooses to address 10 CFR 73.54 though the use of design features, then details of any design features of the safety system, intended to meet a cyber security provision of 10 CFR 73.54, must be submitted.
TVA should demonstrate that the WBN Unit 2 Common Q PAMS is in conformance with RG 1.152, Revision 2 or provide justification for not conforming.
As noted in SSER Section 7.5.2.2.3, this is Open Item 98 (Appendix HH).7.5.2.2.4 Conclusion Based on the review of the WBN Unit 2 Common Q PAMS design, as described above, the NRC staff concludes that there is reasonable assurance that the system fully conforms to the 7-102 design, quality, functional and TMI-related criteria summarized above in SSER Section 7.5.2.2.2, with the open items (Appendix HH) noted in SSER Section 7.5.2.2.7.5.2.3 High-Range Containment Area Radiation Monitors 7.5.2.3.1 Equipment Description NRC GL 82-33 provided clarifications to RG 1.97, Revision 2 relating to requirements for emergency response capability.
These requirements were first published as NUREG-0737, Supplement No. 1.As documented in Section 7.5.2 of SSER 9, TVA responded to GL 82-33, Item 6.2 regarding the PAMS by letter dated January 30, 1984, as supplemented.
TVA described how its postaccident monitoring instrumentation addressed the recommendations of RG 1.97, Revision 2. In SSER 9, SSER 14, and SSER 15, the NRC staff concluded that TVA either conformed to, or had adequate justification for deviating from, the guidance of RG 1.97, Revision 2 for each variable at WBN Units 1 and 2, including a deviation for the high-range containment area radiation (HRCAR) monitors.
TVA addressed the HRCAR monitors as Deviation 36 of FSAR Table 7.5-2. TV further described the HRCAR monitors in Section 7.5.1, "Post Accident Monitoring Instrumentation (PAM)," of FSAR Amendments 96 through 103 and in TVA letters dated June 18, 2010 (ADAMS Accession No. ML101940236);
October 5, 2010 (ADAMS Accession No. ML102910324);
October 21, 2010 (ADAMS Accession No. ML103140661);
October 29, 2010 (ADAMS Accession No. ML103120711);
February 25, 2011 (ADAMS Accession No. ML110620219);
and March 31, 2011 (ADAMS Accession No. ML110950331).
As described by TVA, the HRCAR monitors comprise four monitors provided to measure the containment area radiation, with two redundant radiation monitors for monitoring the radiation at the upper level and two redundant radiation monitors for monitoring the radiation at the lower level inside the containment.
The HRCAR monitors provide the radiation level and annunciation in the control room. The radiation monitors are required as postaccident monitoring instruments per RG 1.97 and are classified as Type/Category Al, C3, and El. The range of these monitors is from 1 to 1.Ox107 radiation absorbed dose per hour (rads/hr).
The HRCAR monitors are digital radiation monitors that are classified as safety-related Class 1 E, single-channel ratemeter modules for use with various radiation detectors.
Sorrento Electronics, a division of General Atomics (GA), is the supplier for these safety-related radiation monitors.The HRCAR monitors include the following:
0 front panel interface for operator data display and data entry for operational configuration
- High-voltage power supply to operate the detectors* pulse-counting circuits for processing detector input signals (Note: The detectors associated with the radiation monitors are located inside containment.
They the same as on Unit 1 and do not require an updated evaluation for Unit 2.)0 discriminator circuits to enable selection of energy windows for pulse counting 7-103 0 trip bistable circuits to provide alarm outputs on high radiation failure detection circuits and software to provide an operational status alarm output circuits for digital communications and analog remote meter displays and data logging The HRCAR monitors are Model RM-1000 modules and are packaged as industry standard nuclear instrumentation modules, in a double-width nuclear instrumentation module slot. The part number for this radiation monitor is 04034101-001.
7.5.2.3.2 Requirements In FSAR Table 7.1-1, TVA stated that it conforms to RG 1.97, Revision 2. RG 1.97 defines the design requirements for postaccident monitoring instruments, as well as three categories of instruments (Category 1, 2, and 3), based on a graded qualification approach that depends on the significance of the function that is performed by the instrument.
In general, Category 1 provides for full qualification, redundancy, and continuous real-time display and requires onsite (standby) power; Category 2 provides for qualification but is less stringent than Category 1; and Category 3 is the least stringent.
RG 1.97 further defines five types (Types A, B, C, D, and E)for the monitored variables, based on the functional importance of the monitored variable.
For example, Type A variables provide primary information needed to permit the control room operating personnel to take the specified manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design-basis accident events. Type C variables provide information to indicate the potential for being breached or the actual breach of the barriers to fission product release (i.e., fuel cladding, primary coolant pressure boundary, and containment).
Type E are those variables that require monitoring as required for use in determining the magnitude of the release of radioactive materials and for continuously assessing such releases.In accordance with RG 1.97, Revision 2, Table 2, "PWR Variables," Category 1 variables are selected on a plant-specific basis to be variables based on which operator actions are required and for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design-basis accident events. For WBN Unit 2, the most stringent requirement for the containment radiation monitors is Type A, Category 1. This is consistent with the design of WBN Unit 1. RG 1.97 states that Category 1 instruments should be qualified in accordance with RG 1.89, and that seismic qualification should be in accordance with RG 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants." These instruments should be protected against single failure, should be energized from station standby power sources, and should be available before and after an accident with indication and recording.
Data may be stored in a computer (as a means of recording) and displayed on demand. Instruments designed to meet Category 1 requirements automatically meet the less stringent qualification requirements of Category 2 and 3 instruments.
Radiation monitors are located in the MCR, which is designated as a mild environment.
Mild environment qualification should conform with the guidance contained in RG 1.209, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," issued March 2007. RG 1.209 states, in part, the following:
At present, computer-based instrumentation and control (I&C) systems are primarily implemented in nuclear power plant locations that are characterized as 7-104 mild environments that are not affected by design-basis accident conditions.
Thus, the design-basis accident element of type testing for qualification does not apply to computer-based I&C systems in mild environments.
In addition, because of ready accessibility for monitoring and maintenance in mild environments, the need to establish a qualified life does not apply. Nonetheless, the qualification criterion of 10 CFR 50.55a(h)(2) will be addressed for safety-related computer-based I&C systems.Additionally, RG 1.97 specifies that the applicant/licensee should confirm that no single failure within the accident-monitoring instrumentation, its auxiliary supporting features, or its power sources, concurrent with the failures that are a condition or result of a specific accident, should prevent the operators from being presented the information necessary for them to determine the safety status of the plant and to bring the plant to and maintain it in a safe condition following that accident.
In this regard for WBN Unit 2, the loss of an environmental control system is treated as a single failure that should not prevent the safety system from accomplishing its safety functions, as stated in FSAR Table 7.5-2.EMI qualification in accordance with the guidance of RG 1.180, Revision 1, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," issued October 2003, is an acceptable means to the NRC staff of meeting the qualification requirements for EMI and electrostatic discharge.
In FSAR Amendment 103, TVA added the HRCAR monitors to Section 3.10, "Seismic Design of Category I Instrumentation and Electrical Equipment." The staff addressed the seismic qualifications for electrical equipment in Section 3.10 of this SSER.7.5.2.3.3 Evaluation Criteria Acceptance criteria are based on meeting the relevant requirements of the following Commission regulations:
(1) In 10 CFR 50.55a(a)(1), the NRC requires the following:
Structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
(2) In 10 CFR Part 50, Appendix A, GDC 1, the NRC requires the following:
Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function.
A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions.
Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety 7-105 shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.(3) In GDC 13, the NRC requires the following:
Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.(4) In GDC 19, the NRC requires, in part, the following:
A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents.
Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident.
Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.
(5) In GDC 24, the NRC requires that the protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying"-
all reliability, redundancy, and independence requirements of the protection system.Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.(6) In GDC 64, the NRC requires that means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.
(7) In 10 CFR 50.34(f)(2)(xix), the additional Three Mile Island (TMI)-related requirements in this subsection, the NRC requires that each applicant "Provide instrumentation adequate for monitoring plant conditions following an accident that includes core damage. (II.F.3)" (8) In 10 CFR Part 50, Appendix B, the NRC provides requirements for quality assurance of safety-related equipment with respect to manufacturing activities including control of design, construction, fabrication, and testing.7-106 (9) In 10 CFR 50.55a(h)(2), the NRC requires the following:
For nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements stated in either IEEE Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or in IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, protection systems must be consistent with their licensing basis or may meet the requirements of IEEE Std. 603-1991 and the correction sheet dated January 30, 1995.(10) In 10 CFR 50.55a(h)(3), the NRC states the following:
Applications filed on or after May 13, 1999, for construction permits and operating licenses under this part, and for design approvals, design certifications, and combined licenses under part 52 of this chapter, must meet the requirements for safety systems in IEEE Std. 603-1991 and the correction sheet dated January 30, 1995.The HRCAR monitors installed at WBN Unit 2 are different from the monitors previously approved in SER Section 7.5.1 for WBN Unit 1 and Unit 2, because the Unit 2 monitors use digital processing.
Therefore, the staffs review of the WBN Unit 2 HRCAR monitors focused on review of the new digital HRCAR monitors to ensure that they comply with applicable regulatory requirements, including the requirements of IEEE Std. 603-1991.In addition to the above regulations, the following guidance documents and standards are applicable to the review of safety-related radiation monitors: (1) RG 1.97, Revision 2, "Instrumentation for Light-Water-Cooled Nuclear Power Plants To Assess Plant and Environs Conditions During and Following an Accident" (2) RG 1.209, Revision 0, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants" (3) RG 1.180, Revision 1, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems" (4) RG 1.100, Revision 2, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants" 7.5.2.3.4 Technical Evaluation 10 CFR 50.55a(a)(1) and GDC 1 TVA designed the HRCAR monitors as safety-related monitors per the guidance of RG 1.97, Revision 2. Based on its review of Material Requisition 25402-01 1-MRA-HARA-00002 (provided by TVA letter dated October 29, 2010; ADAMS Accession No. ML1 03120711) and other qualification documents provided by TVA, the staff concludes that the HRCAR monitors 7-107 were designed and procured as safety-related equipment and therefore satisfy the requirements of 10 CFR 50.55a(a)(1) and GDC 1.GDC 13 GDC 13 requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety. Type A variables are plant specific, the Type C variable specified range is 1 to 1.0x105 rads/hr, and the Type E variable specified range is I to 1.Oxl 07 rads/hr. To meet these ranges, FSAR Table 7.5-2 specifies the range from 1 to 1.Ox 107 rads/hr for all three variables.
The specified range meets the required range for all three variables.
This range is the same range as the range for WBN Unit 1.Proposed WBN Unit 2 TS Surveillance Requirement 3.3.3.2, which is the same TS surveillance requirement as for Unit 1, controls the calibration requirements for postaccident monitoring equipment.
Based on the ranges and controls for the HRCAR monitors and variables at WBN Unit 2, and because these are the same as approved for Unit 1, the staff concludes that the HRCAR monitors meet the range and display requirements of GDC 13.GDC 19 GDC 19 requires that equipment used to monitor the normal and postaccident conditions from a control room is accessible during normal as well as postaccident conditions.
The control room is a mild environment area and is protected against the effects of radiation following an accident.
The HRCAR monitors are available during normal and postaccident conditions and the containment area radiation is displayed in the control room. High radiation alarms are also provided.
Therefore, the staff concludes that the HRCAR monitors meet the requirements of GDC 19.GDC 24 GDC 24 requires separation of protection and control systems. The HRCAR monitors do not perform a protective or a control function and they do not interface with other safety-related equipment, as stated (item number 107) in TVA's letter dated June 18, 2010 (ADAMS Accession No. ML101940236).
The digital ports of the HRCAR monitors are not used. TVA stated (item number 45) in its letter dated July 30, 2010 (ADAMS Accession No. ML1 02160349, not publicly available), that communication isolation between the safety-related HRCAR monitors and nonsafety-related annunciators is provided by output relay contacts in the monitor, and that the communication to the nonsafety plant computer is from the analog output of the radiation monitor via qualified isolation devices. Therefore, the staff concludes that the HRCAR monitors meet the requirements of GDC 24.GDC 64 GDC 64 requires, in part, that the reactor containment area be monitored for radiation after an accident.
Because the HRCAR monitors have been designed to meet this requirement by providing radiation monitoring of the containment area for the full range of postaccident conditions in accordance with RG 1.97, the staff concludes that they meet the requirements of GDC 64.7-108 10 CFR 50.34(f)(2)(xix)
The regulation requires that instrumentation be provided for monitoring postaccident conditions.
Because the HRCAR monitors provide this function for the containment area, the staff concludes that they meet the requirements of the regulation.
10 CFR Part 50, Appendix B Following an approved quality control program provides reasonable assurance that the supplier provides components that are designed, fabricated, tested, and inspected to quality standards.
Sorrento Electronics, Inc., a division of GA, is the supplier of the HRCAR monitors.
In its letters dated October 29 and November 24, 2010 (ADAMS Accession Nos. ML103120711 and MLI103330501, respectively), TVA stated that GA is a qualified 10 CFR Part 50, Appendix B supplier.
GA was requalified as an approved supplier in 2006 by the Nuclear Procurement Issues Committee.
Because the supplier of the HRCAR monitors is an approved 10 CFR Part 50, Appendix B supplier, the staff concludes that TVA meets the requirements of Appendix B for an approved quality control program for the HRCAR monitors.The HRCAR monitors are standalone components that do not communicate with other systems or devices except through qualified analog isolators or digital isolated contacts.
There are two sets of redundant monitors.
They do not have any control or interlock functions, and they are only used for postaccident monitoring.
Based on this plant-specific application, the NRC staff used a graded review of software design documents for these monitors and, as such, the original software verification and validation (V&V) report and the two updated versions of software V&V documents were reviewed by the staff to ensure high quality software.
This graded approach is plant specific, based on the specific plant application.
Any other graded approach would require specific staff review before use.In its letter dated June 18, 2010 (item number 56; ADAMS Accession No. M101940236), TVA stated that the initial draft software V&V report, Version 1.0, was never issued and provided the updated Version 1.1, software V&V report (04508005).
TVA provided the updated Version 1.2 to the staff on July 15, 2010 (item number 119; ADAMS Accession No. ML102280124).
The staff asked TVA whether or not the Sequoyah Nuclear Plant RM-1 000 system verification test results (document 04507007-1TR, July 1999) were applicable to WBN Unit 2. In its response (item number 319) dated October 29, 2010, TVA stated that document 04507007-1TR is not applicable.
However, in response to a staff question, TVA stated (item number 346) in its letter dated February 25, 2011, that document 04507007-1TR is the RM-1 000 system verification test results for WBN Unit 2. It is unclear to the NRC staff which software V&V documents are applicable to the HRCAR monitors.
TVA should clarify which software V&V documents are applicable in order for the staff to complete its evaluation.
This is Open Item 77 (Appendix HH).10 CFR 50.55a(h)(2)
The NRC issued TVA a construction permit for WBN Unit 2 in January 1973. In accordance with 10 CFR 50.55a(h)(2), applicants/licensees with construction permits issued between January 1, 1971, and May 13, 1999, may elect to comply with the requirements of IEEE Std. 279-1971 instead of IEEE Std. 603-1991.
However, since the HRCAR monitors are new digital components that are different from those previously approved by the staff, as noted in Section 7.5.2.3.3 above, "Evaluation Criteria," the staff evaluated the monitors using the applicable criteria of IEEE Std. 603-1991.
The staff used the guidance of SRP Appendix 7.1-C, Revision 5, "Guidance for Evaluation of Conformance to IEEE Std. 603," in its review.7-109 The HRCAR are designed as redundant, seismically and environmentally qualified, safety-related equipment.
This design basis is the same as for WBN Unit I and, as such, satisfies Clause 4.1 of IEEE Std. 603-1991.The HRCAR monitors are designed to operate under normal and postaccident conditions, including postaccident radiation dose, and voltage variations per the guidance of RG 1.97.They are located in the mild environments of the control room and have been tested with plus or minus 10 percent voltage variation.
Therefore, the monitors satisfy Clause 4.7 of IEEE Std. 603-1991.The HRCAR monitors are located in the MCR, which has been evaluated for the various environmental hazards cited in Clause 4.8 of IEEE Std. 603-1991.
Therefore, the monitors satisfy Clause 4.8 of IEEE Std. 603-1991.Diverse means of indication are available in the unlikely case of common-cause software failure of all four independent monitors.
This satisfies Clause 4.12 of IEEE Std. 603-1991.
The staff further evaluated the issue of diversity below in this section of the SSER.Four separate HRCAR monitors are located in the containment for monitoring the containment air. These monitors are not connected to each other. Single failure of a monitor, other than a software common-cause failure (SWCCF), is not credible.
SWCCF is addressed as a separate issue in this SSER. As such, the HRCAR monitors meet the requirements of Clause 5.1 of IEEE Std. 603-1991.The HRCAR monitors have been specified and procured as qualified, safety-related, redundant radiation monitors from a supplier who manufactured these components in a program under 10 CFR Part 50, Appendix B. Therefore, the monitors meet Clause 5.3 of IEEE Std. 603-1991.The staff asked TVA to address the radiation qualification of the HRCAR monitors.
In its response dated February 25, 2011 (item number 349; ADAMS Accession No. MLI 10620219), TVA stated, in part, the following:
Calculation WBNAPS3-126 will be revised to add the control room to the calculation with a dose of less than lx103 RAD by July 1,2011. Since the control room TID will be documented in calculation WBNAPS3-126 to be less than I x103 RAD, radiation qualification of the RM-1000 is not required.This is Open Item 78 (Appendix HH) until TVA issues its revised calculation reflecting that the total integrated dose (TID) in the control room is less than lx103 rads, and the staff completes its review.The staff evaluated TVA's testing for EMI/RFI, as discussed in this section below with regard to compliance with RG 1.180. However, TVA specified no exclusion distances for the HRCAR monitors.
TVA should perform a radiated susceptibility survey, after the installation of the hardware but before the RM-1 000 is placed in service, to establish the need for exclusion distance for the HRCAR monitors while using handheld portable devices (e.g., walkie-talkie) in the control room, as documented in Attachment 23 to TVA's letter dated February 25, 2011, and item number 355 of TVA's letter dated April 15, 2011. This is Open Item 79 (Appendix HH).The seismic qualification of the monitors is enveloped by the staff's evaluation of electrical equipment in Section 3.10 of this SSER. Pending closure of Open Items 78 and 79, the staff 7-110 concludes that the HRCAR monitors have been qualified by test and analysis and meet the applicable seismic and environmental requirements.
This satisfies Clause 5.4 of IEEE Std. 603-1991.The HRCAR monitors are designed to operate within ranges that bound normal and postaccident conditions.
Therefore, the NRC staff concludes that the monitors satisfy Clause 5.5 of IEEE Std. 603-1991.The HRCAR monitors have been designed to be redundant, with two HRCAR monitors in the lower containment and two in the upper containment, with electrical isolation and physical isolation under normal and postaccident conditions.
Therefore, the NRC staff concludes that the monitors satisfy Clause 5.6.1 of IEEE Std. 603-1991.The HRCAR monitors are qualified for all design conditions and are located in the mild environment of the MCR. Therefore, the staff concludes that the monitors satisfy Clause 5.6.2 of IEEE Std. 603-1991.The HRCAR monitors are classified as safety related and are isolated from other safety-related equipment.
The interfaces with nonsafety systems are through qualified devices. Therefore, the staff concludes that the monitors satisfy the separation requirements of Clause 5.6.3.2 of IEEE Std. 603-1991.Test and calibration capabilities of the HRCAR monitors are described in the technical manual for the RM-1 000 digital radiation monitors, document 04508100-1TM, Revision C, as provided in TVA's letter dated July 15, 2010. Based on its review of the manual, the staff concludes that the monitors satisfy the test and calibration requirements of Section 5.7 of IEEE Std. 603-1991.The HRCAR monitors in the MCR are display devices that are qualified as safety related. Two redundant HRCAR monitors are provided for monitoring the radiation level at the upper and two at the lower elevations of the containment that provide independent readings for the entire range of normal as well as postaccident radiation levels in the containment.
The HRCAR monitors provide the indications upon which operator actions are based, as needed. The display system accuracy requirements are same for WBN Unit 2 as those approved for WBN Unit 1. Therefore, the staff concludes that the monitors satisfy Sections 5.8.1 and 5.8.2 of IEEE Std. 603-1991.The displays are located inside the MCR and are accessible for operator manual actions.Therefore, the displays meet the requirements of Section 5.8.4 of IEEE Std. 603-1991.Access to the MCR where the HRCAR monitors are located is administratively controlled and limited to authorized personnel only. Therefore, the monitors meet the requirements of Section 5.9 of IEEE Std. 603-1991.The "operate" light on the HRCAR monitor units is normally lit in green color. Loss of the green light indicates operational trouble, including loss of voltage, loss of signal, a safety loop open, or loss of power. When a failure occurs, an error message on the monitor unit describes the cause of failure. The HRCAR monitors are designed to allow quick repair by replacing defective circuit boards. The high-voltage power supply and the display are also modular and easily replaceable.
The ability to troubleshoot and easily repair the system meets the maintenance requirements of Section 5.10 of IEEE Std. 603-1991.7-111 RG 1.97, Revision 2 FSAR Table 7.1-1 states that TVA conforms to RG 1.97, Revision 2. TVA describes the applicable design criteria for the HRCAR monitors in FSAR Section 7.5.1.4.3, "Design Criteria for Category 1 Variables." The staff reviewed the requirements for both WBN Unit 1 and Unit 2, and the same requirements apply to both units except for the fact that WBN Unit.2 incorporates digital-type radiation monitors.
The ranges, redundancy, isolation, and related design characteristics are the same for both units. Therefore, the staff did not do a separate assessment for WBN Unit 2. There are four HRCAR monitors, provided as two redundant pairs, to monitor the upper and the lower areas in the containment, and there are separate displays for each monitor. TVA stated (letter item number 342) in its letter dated December 22, 2010 (ADAMS Accession No. ML1 10100650), that power is supplied to the HRCAR monitors by redundant battery-backed power sources. A loss of all radiation monitors due to a common-cause failure of the software is addressed below in the discussion of diversity and defense in depth in this section of the SSER.Evaluation for HRCAR Monitors upon Accidents TVA takes no credit for any automatic actions by HRCAR monitors in the FSAR Chapter 15 accident analyses.
The monitors are used for postaccident monitoring following a high-energy line break, as listed in FSAR Table 15.4-6, "Equipment Required Following a High Energy Line Break," for accident mitigation, as discussed in FSAR Section 7.5 regarding postaccident monitoring.
Postaccident monitoring is used during preplanned manual actions. The HRCAR monitors are available during normal and postaccident conditions, as required by RG 1.97, Revision 2, as described by TVA in FSAR Section 7.5.1.1 and FSAR Table 7.5-2, Variable 4.Environmental Qualification Because the HRCAR monitors are located in the mild environment of the MCR, the staff determined that the requirements of 10 CFR 50.49, "Environmental Qualification of Electric Equipment Important to Safety for Nuclear Power Plants," and RG 1.89, Revision 1,"Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants," do not apply. The environmental guidance for qualifying equipment in mild environments is contained in RG 1.209, which supplements the guidance of RG 1.89 for computer-based instrumentation and control (I&C) systems in mild environments.
RG 1.209 states, in part, the following:
the design-basis accident element of type testing for qualification does not apply to computer-based I&C systems in mild environments.
In addition, because of ready accessibility for monitoring and maintenance in mild environments, the need to establish a qualified life does not apply. Nonetheless, the qualification criterion of 10 CFR 50.55a(h)(2) will be addressed for safety-related computer-based I&C systems.The TVA qualification test report for the RM-1 000 processor module and the current-to-frequency (I-to-F) converter is addressed in 04508905-QR, Revision A, which was provided by WVA to the staff for review as documented in letter item number 318 of TVA's letter dated February 25, 2011. However, the report addresses the earlier model of RM-1 000 and not the model actually used at WBN Unit 2. By letter dated February 25, 2011, TVA also provided supplemental test reports 04508905-1SP and 04508905-2SP for the updated versions of the 7-112 RM-1000 and the I-to-F converter upgrades, respectively, which are used at WBN Unit 2. The qualification sequences and the functional tests carried out in conjunction with these tests are described in the qualification reports. A summary of the aging tests is provided below.Aging Qualification Qualification Test Report for the Original RM-1 000 processor with Current-to-Frequency Converter:
The results of the aging qualification for the original RM-1 000 processor module and the I-to-F converter are summarized in Qualification Test Report 04508905-QR, Revision A. The staff reviewed the qualification test to identify the RM-1000 and the I-to-F converter module components that are susceptible to aging. These components were age-conditioned to near end of life. Environmental cycling was performed for nine cycles of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> each from 25 degrees Celsius (C) (77 degrees Fahrenheit (F)) to 60 degrees C (140 degrees F) and a relative humidity between 80 and 90 percent. The applied line voltage was set at 108 volts for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 120 volts for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, and 132 volts for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The report documents that the modules met the acceptance criteria.
Extreme tests were performed at 39 degrees F for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 131 degrees F for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, with a relative humidity between 95 and 98 percent and an average temperature of the components in the control room at 86 degrees F. TVA identified 86 degrees F as the average component temperature in the control room, including the temperature rise internal to the component, based on 18 degrees F as the internal cabinet temperature rise. The qualification test report documented that the RM-1 000 and I-to-F converter components passed all performance tests, and that test anomalies were retested or explained satisfactorily.
Qualification Test Report for the Updated RM-1 000: The results of the aging qualification test for the updated RM-1 000 processor module used at WBN Unit 2 are summarized in Qualification Test Report Supplement 04508905-1SP, Revision B. The major differences between the two models are (1) a new front plate assembly, (2) a modified display/keyboard assembly, (3) a new output printed wiring assembly (PWA), and (4) a new relay interface panel. As documented in the report, aging qualification tests were conducted similar to the tests on the original RM-1000 processors, and the test results were satisfactory.
For parts with significant aging mechanisms, TVA identified the following replacement schedule based on an average temperature in the MCR of 86 degrees F and a temperature rise in the internal cabinet of 18 degrees F: Component of RM-1000 Processor with GA-ESI Part Number Life, Years at Limited Life 86 0 F(30 0 C)Display/Keyboard Cable Assembly 04502018-002 30 Keypad Display PWA 04503070-001 10 Cable Strip with Connector 50016042-001 30 Planar Graphic Display 50016021-001 10 Testing for accelerated aging provides additional assurance that the equipment will continue to perform its function for the qualified life.7-113 Qualification Test Report for the Updated I-to-F Converter Module: The results of the aging qualification for the updated I-to-F converter module used at WBN Unit 2 are summarized in Qualification Test Report Supplement 04508905-2SP, Revision A.The environments considered for aging are same as those used in the qualification test reports above. However, the report for the converter module is based on aging analysis.
The differences between the original model and the three models considered in this report are documented in the report. Converter module 04501351-001 is used at WBN Unit 2, which is the same as the tested model 04501351-003, except for the color, which is an insignificant difference.
The tested model is qualified by analysis in the 04508905-2SP report, and no components were identified that are subject to significant aging. Based on the aging analysis, TVA has not assigned a component replacement schedule for the I-to-F converter module for any component during the 40-year life of the plant.In summary, the updated RM-1000 processor module and the updated I-to-F converter have been qualified for age-related environmental qualification, with a replacement schedule for a limited number of components that are associated with the RM-1000 processor.
Aging Qualification Summary: The RM-1000 and I-to-F converter module test components with age-related failure mechanisms were age-conditioned to near end of life. Environmental cycling was performed for nine cycles of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> each from 25 degrees C (77 degrees F) to 60 degrees C (140 degrees F)and a relative humidity between 80 and 90 percent. The applied line voltage was set at 108 volts for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, 120 volts for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, and 132 volts for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. As documented in the qualification test reports, the modules met the acceptance criteria.
Extreme tests were performed at 39 degrees F for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and 131 degrees F for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> with a relative humidity between 95 and 98 percent. The RM-1 000 and I-to-F converter passed all performance tests.Therefore, the staff concludes that the RM-1000 and I-to-F converter modules are environmentally qualified for WBN Unit 2.Electromagnetic and Radiofrequency Interference Qualification The qualification test reports provided by TVA also address EMI/RFI qualification of the HRCAR monitors.
Qualification Test Report 04508905-QR addresses the original HRCAR monitor processor and the I-to-F converter module. The updated HRCAR monitor processor with the relay module is addressed in Test Report 04508905-1SP, and the I-to-F converter qualification update is addressed in Test Report 04508905-2SP.
RG 1.180, Revision 1, provides guidance acceptable to the NRC staff for complying with the NRC's regulations on design, installation, and testing practices for addressing the effects of EMI/RFI and power surges on safety-related I&C systems, including power-surge withstand capability testing.TVA qualified the HRCAR monitors using TVA Standard Specification SS-E18-14.01, as provided in TVA's letter dated March 31, 2011 (ADAMS Accession No. ML110950331).
The specification contains the following tests:* Radiated Susceptibility
-Continuous
-High Frequency* Conducted Susceptibility
-Continuous
-Low Frequency* Conducted Susceptibility -Continuous
-High Frequency 7-114
- Surges -Transient
-High Energy -Infrequent test* Impulses and Bursts of Impulses -Transient
-Low Energy -Infrequent
- Electrostatic Discharge Susceptibility
-Transient
-Infrequent
- Radiated Emissions TVA should provide clarification to the staff on how TVA Standard Specification SS-E18-14.1 meets the guidance of RG 1.180 and should address any deviations from the guidance of the RG. This is Open Item 80 (Appendix HH).Seismic Qualification Seismic qualification of the HRCAR monitors is enveloped by the staffs evaluation in Section 3.10 of this SSER.Radiation Qualification Clause 3 of IEEE Std. 323-1974 defines a mild environment as "An environment that would at no time be significantly more severe than the environment that would occur during normal plant operation, including anticipated operational occurrences." Clause 6 of the standard states, "In the type test, all material or components, for which radiation causes significant aging, shall be irradiated to simulate the effects of radiation exposure." Guidance for qualification of digital systems that are susceptible to radiation is discussed in RG 1.209. The RG states that the radiation threshold is different for different types of digital technology, ranging from complementary metal oxide semiconductor, which can be susceptible to as low as 1,000 rads exposure, to bipolar devices, which are not susceptible until around 1 million rads. The radiation monitors and the associated I-to-F converters are located in the MCR, which is a mild environment.
A mild environment with a TID of less than 1 x10 3 rads does not require radiation qualification testing because of the low radiation exposure.The staff asked TVA to address the radiation qualification of the radiation monitors and the I-to-F converters.
In its response (letter item number 349) by letter dated February 25, 2011, TVA stated the following:
The design criteria provides [sic] the criteria for determining what is a mild environment at WBN Unit 2. Calculation WBNAPS4004, "Summary of Mild Environment Conditions for Watts Bar Nuclear Plant," provides the actual values for each area of the plant. In accordance with Table 1, the Control Room has a 40 year maximum TID of 3.5x102 RAD and a maximum integrated accident dose of 710.5 RAD for a maximum TID of 1060.5 RAD.The accident dose of 710.5 RAD is the dose for a 100 day LOCA at the surface of the high efficiency air particulate (HEPA) filter in the Mechanical Equipment Room. This is documented in TVA calculation WBNTSR-005, "Dose Due to the Control Building Emergency Air Cleanup Filters," Revision 3. However, on page 25 of WBNTSR-005, the shine from this source into the control room is negligible and is not considered in the dose calculation for the control room.Calculation WBNAPS3-126, "EQ Dose in the UI/U2 Auxiliary Instrument Rooms and the Computer Room in the Control Building," Revision 0 documents the environmental qualification (EQ) radiation dose in the control building.7-115 Considering that the dose from the HEPA filter is negligible to the control room (as discussed above), a review of the WBNAPS3-126 calculation determined that the TID including the normal and accident dose values for the control room is actually less than Ix103 RAD. Calculation WBNAPS3-126 will be revised to add the control room to the calculation with a dose of less than 1 x103 RAD by July 1, 2011. Since the control room TID will be documented in calculation WBNAPS3-126 to be less than I x103 RAD, radiation qualification of the RM-1000 is not required.As noted above, this is Open Item 78 (Appendix HH) until TVA issues its revised calculation reflecting that the TID in the control room is less than 1 x103 rads, and the staff completes its review.Commercial Dedication In 10 CFR 21.3, "Definitions," the NRC defines "basic component" and "commercial grade item." A component that is commercially manufactured (i.e., not manufactured under an Appendix B to 10 CFR Part 50 program) must go through an acceptance process to provide reasonable assurance that the item will perform its intended function in a safety-related application.
During its review, the staff used the guidance in SRP Appendix 7.0-A, Revision 5, "Review Process for Digital Instrumentation and Control Systems," issued March 2007. Appendix 7.0-A states the following:
For a commercial-grade element of the system, there should be evidence of the application of an acceptance process that has determined that there is reasonable assurance that the equipment will perform its intended safety function and, in this respect, is deemed equivalent to an item designed and manufactured under a 10 CFR Part 50, Appendix B, "Quality Assurance Program." The acceptance process itself is subject to the applicable provisions of 10 CFR Part 50, Appendix B. This process might vary depending on the specifics of the particular commercial-grade equipment and its intended application; however, it must establish the required assurance.
The subject of qualification of existing commercial computers is addressed in Regulatory Guide 1.152, Revision 2. The process described in EPRI TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications," was found acceptable by the staff safety evaluation, dated July 17, 1997.Electric Power Research Institute (EPRI) topical report (TR)-106439 references EPRI NP-5652,"Guideline for the Utilization of Commercial Grade Items in Nuclear Safety Related Applications." EPRI TR-1 06439 provides guidance for applying the methods in NP-5652 to digital equipment and describes how the technical and regulatory issues associated with the use of commercial digital equipment can be addressed, consistent with Nuclear Management and Resources Council(NUMARC)/EPRI TR-1 02348, "Guideline on Licensing Digital Upgrades," issued December 1993, and IEEE Std. 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations." The NRC staff provided guidance in GL 95-02, "Use of NUMARC/EPRI report TR-1 02348, 'Guideline on Licensing Digital Upgrades,'
in Determining the Acceptability of Performing Analog-to-Digital Replacements under 10 CFR 50.50," dated April 26, 1995.7-116 EPRI NP-5652 discusses four methods for use in commercial dedication:
(1) special tests and inspections, (2) commercial-grade survey of supplier, (3) source verification, and (4) acceptable supplier/item performance record. As noted in EPRI TR-106439, GL 89-02, "Actions to Improve the Detection of Counterfeit and Fraudulently Marketed Products," dated March 21, 1989, and GL 91-05, "Licensee Commercial-Grade Procurement and Dedication Programs," dated April 9, 1991, for typical applications no one method will suffice by itself, and it is likely that methods 1, 2, and 4 will all be needed. GA, the supplier of the HRCAR monitors to TVA, has a commercial dedication program. As documented (item number 353) in the NRC/TVA open item master list status report dated April 8, 2011 (ADAMS Accession No. ML1 11050009), TVA stated that GA's commercial dedication program did not require multiple dedication methods in accordance with the guidance of EPRI TR-1 06439, but that GA has taken additional measures to assure quality. TA should provide information about the extent to which GA complies with EPRI TR-1 06439 and the methods that GA used for its commercial dedication process to the NRC staff for review. This is Open Item 81 (Appendix HH).Diversity and Defense in Depth The NRC staff performed a diversity review using the guidance of Branch Technical Position (BTP) 7-19, Revision 5, "Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems," to assure that alternate indications are available to the control room operators in case of a total loss of the HRCAR monitors due to SWCCFs.In response to a staff question, TVA provided a description of the diversity and defense-in-depth features of the HRCAR monitors in its letter dated October 21, 2010 (letter item number 289;ADAMS Accession No. ML103140661).
There are four HRCAR monitors for WBN Unit 2, one pair in the upper containment area and one pair in the lower containment area. All four radiation monitors meet the requirements for safety-related equipment.
Functional diversity takes credit for the alternate and diverse instrumentation that could be used to monitor or take appropriate manual functions should a common-cause software issue render both trains of both pairs of HRCAR monitors nonfunctional.
The HRCAR monitors have no automatic actuation function.
They provide indication and so meet the requirement of RG 1.97, Revision 2. The monitors are used at WBN for two functions:
(1) as provided in the emergency operating instructions, as an indication to operators of abnormal containment conditions symptomatic of a LOCA following a reactor trip and SI actuation signal, and (2) as provided in the emergency plan implementing procedures (EPIPs), to assist with event classification of events involving fuel cladding degradation.
In the emergency operating instructions, there are several containment conditions that may indicate a LOCA, including containment pressure, containment temperature, and containment sump level. The instruments that indicate these conditions are diverse from the HRCAR monitors because they do not share a software platform or any integrated information or control system features.
The HRCAR monitors function through individual, self-contained, microprocessor-based instrument loops. Containment pressure and sump level indications are provided through Eagle 21 equipment that is completely diverse from the HRCAR monitors.Containment temperature is provided through Foxboro Spec 200 instrument channels that also are completely diverse from the HRRMs. These instrument indications are from traditional panel meters that are not part of any highly integrated control room infrastructure.
7-117 In the EPIPs, the HRCAR monitors are used to indicate loss of fuel clad barrier and the potential loss of a containment barrier. Potential fuel clad damage can also be determined from samples taken from the RCS and from in-core thermocouple readings.
RCS sampling does not rely on plant instrumentation systems, and the in-core thermocouple system uses a Common Q software platform that is diverse from the HRCAR monitors.
TVA stated in its letter dated October 21, 2010, that the accessibility required to obtain postaccident samples of the RCS has been demonstrated to be a viable postaccident action at WBN Unit 2.Should all four channels of HRCAR monitors fail upscale, WBN annunciator response instructions direct the evacuation of containment, sampling of the RCS, checking other nonaccident radiation monitors, notification of radiological control personnel to investigate, potential transition to abnormal operating procedures for management of potential radioactive material release, and evaluation under the EPIPs for event classification.
All of these are conservative actions. Should all four channels of the HRCAR monitors fail downscale, the operators have diverse indications, as noted above, to observe before taking further action.Based on its evaluation of the information provided by WVA in its letter dated October 21, 2010, the NRC staff concludes that there are diverse methods and equipment that can be used as alternatives for any function provided by the HRCAR monitors, should both monitors become nonfunctional.
Therefore, the staff concludes that the HRCAR monitors meet the diversity requirements of BTP 7-19, Revision 5.7.5.2.3.5 Conclusion Based on its evaluation of the information provided by TVA as described above, the NRC staff concludes that the digital HRCAR monitors comply with the applicable regulatory requirements of 10 CFR 50.55a(a)(1), 10 CFR 50.55a(h), Appendix B to 10 CFR Part 50, 10 CFR 50.34(f)(2)(xix), GDC 13, GDC 19, GDC 24, GDC 64, and IEEE Std. 603-1991, and with the regulatory guidance of RG 1.97, Revision 2, RG 1.180, Revision 1, and RG 1.209.Therefore, the HRCAR monitors are acceptable, pending closure of the open items in SSER Section 7.5.2.3.7.5.3 IE Bulletin 79-27 In Section 7.5.3 of the SER, the NRC staff reviewed TVA's response to IE Bulletin 79-27, "Loss of Non-Class-l-E Instrumentation and Control Power System Bus During Operation," dated November 30, 1979.In the SER, the staff evaluated TVA's assessment that loss of power to the individual Class IE and non-Class IE instrument buses would not prevent reaching and maintaining cold shutdown from an initial full-power condition.
TVA also concluded that sufficient alarms and indications are available to the operator in the MCR and no deficiencies existed, based on the capability to achieve shutdown conditions using plant procedures.
The NRC staff asked TVA to provide the following information:
IE Bulletin 79-27 required that emergency operating procedures to be used by control room operators to attain safe shutdown upon loss of any Class IE or non Class IE bus are adequate.
WBN Unit I has performed the review and documented their conclusion.
Confirm that WBN Unit 2 emergency procedures 7-118 are adequate to achieve safe shutdown in the event of loss of any Class IE or non-Class IE bus.By letter dated October 21, 2010 (letter open item 315; ADAMS Accession No. ML103140661), TVA responded that While the WBN Unit 2 Emergency Operating Procedures (EOPs) have not been written, they will be written the same as the Unit I EOPs. WBN Unit 1 personnel will perform validations to ensure that WBN Unit 2 EOPs will perform the required actions. The WBN Unit 2 EOPs will be written and validated prior to Unit 2 fuel load.IVA's response is acceptable to the staff, because it will assure that the WBN Unit 2 procedures are the same as those for WBN Unit 1. The NRC staff will inspect to confirm that TVA has completed the WBN Unit 2 EOPs before fuel load. This is Open Item 73 (Appendix HH).Based on its previous evaluation, as documented in the SER, and on its evaluation of the information provided by WVA in its letter dated October 21, 2010, the NRC staff concludes that TVA's response to IE Bulletin 79-27 is acceptable.
7.6 All Other Systems Required for Safety 7.6.1 Loose Part Monitoring System The loose part monitoring system (LPMS) is described in WBN Unit 2 FSAR Section 7.6.7,"Loose Part Monitoring System (LPMS) System Description." 7.6.1.1 Introduction The Westinghouse-supplied LPMS, also referred to as the Digital Metal Impact Monitoring System (DMIMS-DXTM) (note: LPMS and DMIMS-DXTM are used interchangeably for this system within the WBN Unit 2 FSAR), is a new digital system that was recently installed at WBN Unit 2. This system is different from the one previously approved for WBN Unit 1 and Unit 2, as documented in Section 4.4.5 of the SER. Therefore, the staff's review of the WBN Unit 2 LPMS focused on review and approval of the new digital system to ensure that it complies with applicable regulatory requirements.
Review guidance for the LPMS is contained in SRP Section 7.7, Revision 5, "Control Systems," and RG 1.133, Revision 1, "Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors," issued May 1981. The objective of the staff's review was to confirm that (1) the LPMS conforms to the applicable SRP acceptance criteria and guidelines, (2) the controlled variables can be maintained within prescribed operating ranges (as applicable), and (3) the effects of operation or failure of the system are bounded by the accident analyses in FSAR Chapter 15. The staff also evaluated the LPMS using the staff positions in RG 1.133, Revision 1.7.6.1.2 System Requirements The primary purpose of the LPMS is the early detection of loose metallic parts in the primary system. Early detection can provide the time required to avoid or mitigate safety-related 7-119 damage to, or malfunctions of, primary system components.
The system can also minimize radiation exposure to station personnel by providing for the early detection and general location of abnormal structural conditions.
The LPMS has both manual and automatic modes of data acquisition.
LPMS sensors are located in natural collection areas, such as plenums in the reactor vessel and steam generators.
Alarms are established for the LPMS that enable distinguishing between metallic-object impacts and background noise. The LPMS components within containment are designed and installed to perform their function following all seismic events that do not require plant shutdowns; i.e., up to and including the operating-basis earthquake (OBE). Recording equipment need not function without maintenance following the specified seismic event provided the audio or visual alarm capability remains functional.
The system is designed to withstand the normal operating radiation, vibration, temperature, and humidity environment in which it is located.7.6.1.3 Evaluation Criteria The staff evaluated the adequacy of the LPMS using the review guidance contained in SRP Section 7.7, Revision 5. Acceptance criteria are based on meeting the relevant requirements of the following regulations:
(1) In 10 CFR 50.55a(a)(1), the NRC requires that structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
(2) For control systems isolated from safety systems, the applicable requirements of 10 CFR 50.55a(h) are defined in IEEE Std. 279-1971, Clause 4.7, IEEE Std. 603-1991, Clause 5.6.3, and IEEE Std. 603-1991, Clause 6.3.(3) GDC 13 requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.In addition, the staff used the following regulatory guidance: (1) SRP BTP 7-19, Revision 5, "Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems." (2) RG 1.133, Revision 1, "Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors." (3) Interim Staff Guidance DI&C-ISG-02, Revision 2, "Task Working Group #2: Diversity and Defense-in-Depth Issues," issued June 5, 2009, provides acceptable methods for implementing diversity and defense-in-depth in digital I&C system designs.The thermal and hydraulic design of the LPMS was evaluated separately by the staff as documented in Section 4.4.5 of this SSER.7-120 7.6.1.4 Technical Evaluation 7.6.1.4.1 Loose Part Monitoring System Design Bases In response to NRC staff questions, TVA provided the system description for the Westinghouse.
DIMMS-DXTM loose part detection system and the design criteria document, WB-DC-30-31, Revision 4 (Attachments 2 and 39, respectively) by letter dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), which describes the system's hardware, software, and operational requirements.
The WBN Unit 2 LPMS is a nonsafety-related system-though it is a system important to safety-and is designed to detect loose parts in the RCS that could cause damage to some components in the RCS. TVA described the LPMS Section 7.6.7 of FSAR Section 7.6, "All Other Systems Required for Safety." The LPMS contains 12 active instrument channels, each comprising a sensor (piezoelectric accelerometer), signal conditioning equipment, and diagnostic equipment.
Redundant sensors are provided for installation at six different locations for a total of 12 sensors, with two sensors mounted at each of the six locations inside the containment to provide two channels of monitoring for detection of loose parts. The sensors are located in the six natural collection regions of the primary system. These regions consist of the top and bottom plenums of the reactor vessel and the primary coolant inlet plenum to each of the four steam generators.
The sensors are connected to the preamplifiers using special radiation-resistant cable. The output of the preamplifiers is wired to the digital signal processors (DSPs) for processing the signals to detect metal impact. The signal conditioners and the rest of the LPMS components are located outside the containment.
The DSPs provide the data to a central processing unit (CPU) for monitoring the data, providing the status of various components, generating local indication on the display, and activating the trouble system relay. The CPU processor is a personal computer (PC)-architecture device that will issue an alarm when two impacts are detected within a 30-second rolling window and either of the two impacts is greater than the alarm setpoint.
These criteria help to minimize false alarms due to thermal expansion noises and valve noises. When alarm logic conditions are satisfied (based on impact analysis, background noise, and so forth) an alarm is generated at the local panel and a system-level alarm is also generated in the MCR. CPU operation is monitored by the DSPs and, upon CPU failure, the DSPs provide local alarms as well as a system-level alarm in the MCR. The CPU also monitors the DSPs for status. Failure to receive the status update indicates to the CPU that the DSP has failed. In this case, the CPU both generates a local indicator on the liquid-crystal display (LCD) and activates the trouble relay. Capabilities are also provided for audio listening and display on an oscilloscope.
In addition, a laser printer is provided for printout of system status, waveform graphs, and other report data.The LPMS has been designed and built with redundant sensors and digital processing units.Although the LPMS system is not safety related, it has been designed, programmed, and built using a documented, quality process as documented in EDCR-52418-A, "Loose Part Monitoring Scope and Intent, Unit Difference and Technical Evaluations" (Attachment 24 to TVA's letter dated October 5, 2010). As part of its review, the NRC staff reviewed documentation related to the design, implementation, and testing of the LPMS system. Based on its review, the staff concluded that the system is appropriately designed and is of sufficient quality to minimize the potential for challenges to safety systems. Therefore, the staff concludes that there is reasonable assurance that the system conforms to the applicable requirements of 10 CFR 50.55a(a)(1).
Furthermore, the LPMS display panel assembly is seismically qualified and contains a 12-inch LCD overlaid with a high-resolution touch screen surface. The display 7-121 shows the system and alarm status, presents the waveforms used in impact analysis, and shows the analysis conclusions over the full range of normal and anticipated operational occurrences, and for accident conditions (i.e., design-basis accidents).
The LPMS provides control room alarms warning the operators of possible loose metallic parts in the primary system, which can provide the time required to avoid or mitigate safety-related damage to, or malfunctions of, primary system components; hence, it assures adequate safety. Based on its review, the NRC staff concludes that the LPMS has been designed adequately to perform its intended important-to-safety function, to prevent damage to primary system components due to loose parts, and, therefore, it meets the intent of GDC 13.7.6.1.4.2 Effects of Loose Part Monitoring System Operation on Accidents The staff reviewed the effects of LPMS operation during plant design-basis accidents and anticipated operational occurrences to confirm that the safety analysis includes consideration of the effects of LPMS action/inaction during these transients.
The LPMS system does not have any plant control functions.
For all accidents analyzed in WBN Unit 2 FSAR Chapter 15, no credit is taken for the LPMS. The primary portion of the LPMS, which includes cabling, sensors, amplifying, monitoring, and alarming equipment, although not a Class 1E system, is designed to perform its function following all seismic events, up to and including an OBE that does not require plant shutdown.
The recording equipment may not function without maintenance following the seismic event, but the audio or visual alarm capability remains functional in accordance with RG 1.133, Revision 1. The staff verified that the safety analysis includes consideration of the effects of both action and inaction of the LPMS in assessing the transient response of the plant for accidents and anticipated operational occurrences, which satisfies this aspect of the requirements of GDC 13.7.6.1.4.3 Effects of Loose Part Monitoring System Failures The staff reviewed the failure modes of the LPMS to verify that its failure does not cause plant conditions more severe than those described in the analysis of anticipated operational occurrences in FSAR Chapter 15. Because this is a digital system, LPMS software design errors such as SWCCF were also reviewed.BTP 7-19 provides the NRC staff position and guidance for conducting a diversity and defense-in-depth evaluation to address concerns about common-cause failure vulnerabilities with regard to the use of digital, computer-based I&C systems.For operating reactors, the staff's position in BTP 7-19 specifies, in part, the following:
The applicant/licensee should assess the D3 of the proposed I&C system to demonstrate that vulnerabilities to common-cause failures have been adequately addressed.
In performing the assessment, the vendor or applicant/licensee should analyze each postulated common-cause failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best-estimate or SAR Chapter 15 analysis methods. The vendor or applicant/licensee should demonstrate adequate diversity within the design for each of these events.7-122 The acceptance criteria in BTP 7-19 state, in part, the following:
The applicant/licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.TVA controls the operability of the LPMS using WBN Unit 2 Technical Requirements Manual (TRM) Technical Requirement 3.3.6, "Loose-Part Detection System" (Attachment 9 to TVA's letter dated October 5, 2010). The TRM specification does not have a required action for a total loss of the LPMS and explicitly notes that Technical Requirement 3.0.3 is not applicable for this system. Although the LPMS microprocessors (DSPs and CPU) are subject to SWCCF, their failure has no impact on plant operations or any safety function.
The LPMS is not interconnected with any safety system. As noted previously, failure of DSPs or the CPU are annunciated in the control room, and, for all accidents analyzed in FSAR Chapter 15, no credit is taken for the LPMS. Therefore, the staff concludes that an undetected failure of the LPMS, including an SWCCF, would have no impact on the WBN Unit 2 accident analysis.Therefore, the NRC staff concludes that the design and function of the WBN Unit 2 LPMS provides adequate justification for taking no further action to provide diversity, and that the system complies with the criteria in BTP 7-19, Revision 5 for defense against common-cause failure, and with DI&C-ISG-02, Revision 2. The design and function also demonstrate that the LPMS complies with the applicable control and protection system interaction requirements of IEEE Std. 279-1971, Clause 4.7, and with the independence between safety systems and other systems (i.e., LPMS) requirements of IEEE Std. 603-1991, Clause 5.6.3, because the failure of the LPMS will not prevent any safety system from performing its safety function to mitigate anticipated operational occurrences and design-basis accidents.
7.6.1.4.4 Interfaces with Other Systems The LPMS does not interface or communicate with any safety system and so is isolated from all safety systems. There is no direct interaction between the LPMS sense and command features and any other system. The LPMS display panel shows the system and alarm status, presents the waveforms used for impact analysis, and shows the analysis conclusions.
The LPMS provides alarms in the control room to warn operators of possible loose metallic parts in the primary system.Based on its review of the information provided by TVA, as discussed above, the NRC staff concludes that the LPMS conforms to the applicable communication independence and system isolation requirements of 10 CFR 50.55a(h), as defined in IEEE Std. 279-1971, Clause 4.7, IEEE Std. 603-1991, Clause 5.6.3, and IEEE Std. 603-1991, Clause 6.3.7.6.1.4.5 Regulatory Guide 1.133, Revision 1, "Loose-Part Detection Program for the Primary System of Light-Water-Cooled Reactors" RG 1.133, Revision 1 describes a method acceptable to the NRC staff for detecting a potentially safety-related loose part in light-water-cooled reactors during normal operation.
In response to NRC staff questions, TVA described in Attachment 24 (EDCR-52418-A) and Attachment 39 (design criteria document WB-DC-30-31, Revision 4) of its letter dated October 5, 2010, how the WBN Unit 2 LPMS complied with the recommendations of RG 1.133, Revision 1. The staff 7-123 evaluated this information with TVA's responses to staff questions about the system and concludes the following.
Sensor Location:
As described above, the WBN Unit 2 LPMS provides sensors capable of detecting acoustic disturbances that are strategically located on the exterior surface of the reactor coolant pressure boundary.
Two sensors are suitably located to provide broad coverage at each of the natural collection regions.System Sensitivity:
The system's sensitivity is such that the system will detect a loose part that weighs from 0.25 to 30 pounds (Ib) and impacts with a kinetic energy of 0.5 foot-pound (ft-lb) on the inside surface of the RCS pressure boundary within 3 feet (ft) of a sensor (as stated in FSAR Section 7.6.7 and Attachment 14 to TVA's letter dated October 29, 2010). Alarms are generated based on the force of the impact, frequency of impacts that exceed the setpoint, and the status of the CPU. A laser printer is provided for printing the system status, waveform graphs, and other report data.Channel Separation:
Physical separation of the two instrument channels, associated with the redundant sensors at each RCS location, exists from each sensor to the in-containment signal conditioning devices, except the upper head channels, which are physically separated starting at the sensor location and extending out to the patch panel. The in-containment signal preamps are accessible during power operation, with the exception of the upper head preamplifiers, which are mounted in junction boxes on the upper head support in the reactor cavity. Limitation of softline cable length would not allow the upper head preamps to be located outside the crane wall. Therefore, the LPMS instrumentation channels (e.g., cabling, amplifiers) are located such that the intent of RG 1.133, Revision 1 is met, and the equipment is accessible for maintenance during full-power operation.
Data Acquisition System: The LPMS includes both automatic and manual data acquisition equipment.
In the event the alert level is reached or exceeded (i.e., an impact is detected in one channel), the data from all 12 channels is transferred to the system CPU, where it is written to an impact file stored on the system hard drive. If two impacts are initiated on the same channel within 30 seconds of each other, and if one of those impacts is above the alarm threshold on that channel, the system will alarm. A system alarm will alert the plant operators by activating an annunciator panel in the control room and by providing local indication on the cabinet alarm panel and LCD. The system operator will need to acknowledge the alarm at the system cabinet to clear the system alarm condition.
The drive kit assembly contains a read-write DVD/CD, a hard disk drive, and a tape backup drive for recording of all sensor signal waveforms.
Alert Level: Alarm setpoints for each channel are established through baseline test data taken with the system before plant startup. The alert level alarm is established to detect a loose part consistent with the system's sensitivity as noted above. Loose part detection is accomplished at a frequency of 1 kilohertz (kHz) to 20 kHz, where background signals from the RCS are acceptable.
The alert logic signal processing circuitry takes into account normal background noises present during the various plant operating modes. The LPMS automatically adjusts its impact alert alarm level above the background noise, detecting only those signals that rise above the changing average. For example, spurious alarms from control rod stepping are prevented by a module that detects control rod drive mechanism (CRDM) motion commands and automatically inhibits alarms during control rod stepping.
This feature permits the impact alert alarm level to be adjusted to a maximum sensitivity level. As stated above, the alarm logic of the LPMS requires that a predetermined number of events occur during a selected time 7-124 interval.
This presumes that a loose part will have multiple impacts, whereas electrical spikes and other anomalies are single events.Capability for Sensor Channel Operability Tests: WBN Unit 2 TRM Technical Requirement
3.3.6 prescribes
surveillance testing requirements for periodic online and offline channel calibrations as follows: (1) Technical Surveillance Requirement (TSR) 3.3.6.1: Perform a channel check, once per 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.(2) TSR 3.3.6.2: Perform channel operation tests, once per 31 days.(3) TSR 3.3.6.3: Perform channel calibration, once per 18 months.TVA has some conformance exceptions to RG 1.133, Revision 1, as stated in FSAR Table 7.1-1. The TSRs listed above are based on industry operating experience and, as described in the bases for each TSR, provide an acceptable approach to the operability testing recommendations in RG 1.133, Revision 1, Positions C.3.a(2) and (3). Therefore, the NRC staff concludes that this is an acceptable alternative to the RG 1.133, Revision 1 operability testing recommendations.
Operability for Seismic and Environmental Conditions:
The WBN Unit 2 LPMS in-containment components have been designed and installed to perform their functions following all seismic events that do not require plant shutdown (i.e., up to and including the OBE). The DMIMS-DXTM audio and visual alarm capability is designed to remain functional after an OBE. TVA stated in its response to letter item number 331 and in Attachment 14 of its letter dated October 29, 2010 (ADAMS Accession No. ML1 03120711), that all of the DMIMS-DXTM components are qualified for structural integrity during a safe-shutdown earthquake and will not mechanically impact any safety-related equipment.
In response to NRC staff questions, TVA provided confirmation that the LPMS in-containment equipment has been designed and tested to remain functional in its normal operating radiation, temperature, and humidity environment in (1) Attachment 18,"Westinghouse Electric Company EQ-EV-71-WBT-P, Revision 1, "Environmental Evaluation and Operating History of the Westinghouse DMIMS-DX Preamplifier and Softline Cable Used at Watts Bar 2," (Proprietary), dated February 2011," to TVA's letter dated February 25, 2011 (ADAMS Accession No. ML1 10620219);
and in (2) its response to letter item number 335 (Westinghouse letter WBT-D-2782, dated December 17, 2010) in TVA's letter dated December 22, 2010 (ADAMS Accession No. ML1 10100650).
The NRC staff concluded that the information provided by TVA pertaining to the in-containment LPMS equipment qualification for vibration was incomplete.
TVA should provide (letter item number 362 of "Open Items for SER Approval," dated April 8, 2011 (ADAMS Accession No. ML1 11050009))
documentation that demonstrates the LPMS in-containment equipment has been qualified to remain functional in its normal operating vibration environment, per RG 1.133, Revision 1. This is Open Item 82 (Appendix HH) pending NRC staff review of the LPMS vibration qualification test results.Because the remaining LPMS equipment is installed outside containment in a mild environment, the vibration qualification is satisfactory.
Quality of System Components:
As discussed above, the NRC staff reviewed documentation related to the design, implementation, and testing of the LPMS system. Based on its review, the staff concluded that the system is appropriately designed and is of sufficient quality to perform its intended important-to-safety function.
LPMS components are designed for minimal maintenance and low failure rates. The environmental qualification of components in 7-125 containment demonstrates that they should be compatible with the 40-year design life of the reactor system.System Repair: The LPMS is designed and installed to facilitate the recognition, location, replacement, repair, and adjustment of malfunctioning components.
Equipment, procedures, and layout of the system facilitate maintenance to minimize personnel time in high radiation areas and minimize occupational radiation exposure.
Furthermore, as described in Attachment 39 to TVA's letter dated October 5, 2010, the LPMS provides the capability for periodic online channel checks, audio checks, channel functional tests, background noise measurements, and offline channel calibration.
As described above, the NRC staff evaluated the WBN Unit 2 LPMS against the regulatory positions of RG 1.133, Revision 1. Based on its review, the staff concludes that the LPMS meets the recommendations of RG 1.133, Revision 1, including the exceptions noted above.7.6.1.5 Conclusion Based on its evaluation as described above, the NRC staff concludes that the new digital LPMS at WBN Unit 2 complies with the applicable requirements of 10 CFR 50.55a(a)(1), 10 CFR 50.55a(h), and GDC 13 and meets the guidance of SRP BTP 7-19, Revision 5, RG 1.133, Revision 1, and DI&C-ISG-02, Revision 2.7.6.2 Residual Heat Removal System Bypass Valves The NRC staff reviewed the interlocks that are used to prevent overpressurization of low-pressure systems. In its review, the staff used the guidance provided in SRP Section 7.6, Revision 2, "Interlock Systems Important to Safety," issued July 1981. This SRP section further refers the staff to the guidance provided in BTP Instrumentation and Control Systems Branch (ICSB)-3, "Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System." In SER (NUREG-0847, issued June 1982) Sections 7.6.1 and 7.6.2, the staff evaluated TVA's design for the RHR system isolation interlock and RHR system bypass valves. TVA described these in WBN Unit 2 FSAR Section 7.6.2, "Residual Heat Removal Isolation Valves." There are two motor-operated gate valves in series in the inlet line from the RCS to the RHR system.These valves are normally closed and are only opened for RHR after RCS system pressure is below RHR system design limits. The RHR system inlet valves are interlocked with a pressure signal to prevent them from being opened whenever the RCS system pressure approaches the RHR system design pressure limit. Motor-operated bypass valves are provided, which can be used to establish a letdown path if either of the inlet isolation valves fail to open when required.The bypass valves are normally closed and de-energized, unless either of the two main isolation valves cannot be opened and the plant must be cooled down. The bypass valves are also interlocked with RCS pressure to prevent inadvertent opening when RCS pressure is above the RHR system design pressure.The NRC staff reviewed WBN Unit 2 FSAR Amendment 96 and concluded that TVA's changes to FSAR Section 7.6.2 were either editorial or administrative in nature and did not change the design of the system. Therefore, based on its previous evaluation as documented in the SER and its review of the changes made in FSAR Amendment 96, the NRC staff concludes that the information provided in WBN Unit 2 FSAR Section 7.6.2 meets the relevant guidance of the SRP, and that the staff's conclusion in the SER remains valid.7-126
7.6.3 Upper
Head Injection Manual Control The NRC staff reviewed the WBN upper head injection system manual control system in SER Section 7.6.3 and concluded that it was acceptable.
By FSAR Amendment 63, dated June 26, 1990, TVA removed the system to increase operational flexibility and also deleted the description of the system from the FSAR. The staff reviewed IVA's justification for the removal of the system and concluded that it was acceptable, as documented in Section 6.3.1.1 of SSER 7. The staffs conclusion in SSER 7 remains valid, and no further review of the system is required.7.6.4 Protection against Spurious Actuation of Motor-Operated Valves In Section 7.6.4 of the SER, the NRC staff evaluated TVA's design to protect against the spurious actuation of motor-operated valves that could result in a loss of safety function.
The staff concluded that TVA's design was acceptable.
TVA described protection against spurious actuation of motor-operated valves in WBN Unit 2 FSAR Section 7.6.6, "Spurious Actuation Protection for Motor Operated Valves." In WBN Unit 2 FSAR Amendment 96, TVA revised FSAR Section 7.6.6 to incorporate changes.For changes that affected the design of the systems, the staff asked TVA to provide additional information to determine their acceptability.
These changes and the staffs evaluation are discussed below.In FSAR Amendment 96, TVA revised the FSAR to state that the protective covers over the control switch, which were provided to prevent operator error, were removed from valves FCV 62-98 and FCV 62-99. In response to a staff question (letter item number 279), TVA stated the following by letter dated October 21, 2010 (ADAMS Accession No. ML103140661):
The FSAR change to include the valves as exceptions to the use of protective covers was made to match Unit 1 UFSAR change Pkg.No. 1547 Safety Assessment Item 8. The exception is justified based on WBPER980417 which removed the power from the valves and had them locked open. TVA will incorporate the same changes in Unit 2 as Unit 1.The change is acceptable to the staff, because removing the power from the valves will prevent the failure mode that could result in the loss of safety function.In FSAR Amendment 96, TVA revised the FSAR to remove valve FCV 63-5 from the list of valves that have operating instructions specifying the removal of power during specific modes of plant operation.
In response to a staff question, TVA justified (letter item number 280) the change by letter dated October 21, 2010, based on the result of its analysis of failure modes and effects for the SI system. The analysis determined that the spurious closure of this valve is not credible because (1) a protective cover is provided over the control switch to prevent operator error and (2) the hand switch is wired with contacts on both sides of the motor contactor to prevent a single failure within the switchgear that can spuriously close the valve. These features eliminate the need to remove power from the valve. Based on its engineering judgment, the staff concludes that TVA's justification is reasonable.
7-127 In FSAR Amendment 96, TVA revised the FSAR to state that, for valves FCV 63-8 and FCV 63-11, power will be removed and will be administratively controlled just before using the RHR system for plant cooldown below 350 degrees Fahrenheit, to prevent inadvertent valve opening and overpressurization of the suction piping for the SI pump and the centrifugal charging pump. In response to a staff question, TVA justified (letter item number 278) the change by letter dated October 21, 2010, because by procedure power is removed from these valves before placing RHR in service for plant cooldown and power is restored after RHR is removed from service to allow normal valve operation.
Both of these steps are controlled for WBN Unit 1 by general operating instructions.
TVA stated that the Unit 1 procedures will be used to develop the Unit 2 operating instructions to provide the administrative instructions to remove and restore power to these valves. Because administrative control of these valves is used at WBN Unit 1, the staff concludes that administrative control to remove and restore the power for these valves at Unit 2 is reasonable to prevent overpressurization of the suction piping for the SI pump and centrifugal charging pump.The remainder of TVA's changes in FSAR Amendrment 96 were editorial, administrative, or for clarification.
Therefore, based on its previous evaluation as documented in the SER, and on its evaluation of the information provided by WVA as documented above, the staff concludes that TVA's design to protect against the spurious actuation of motor-operated valves, as discussed in WBN Unit 2 FSAR Section 7.6.6, meets the guidance in the SRP.7.6.5 Overpressure Protection during Low-Temperature Operation In the SER and SSER 4, the NRC staff evaluated TVA's overpressure protection during low-temperature operation at WBN. Overpressure protection during low-temperature operation is provided by automatic operation of the pressurizer power-operated relief valves (PORVs). The staff concluded that TVA's design for overpressure protection during low-temperature operation was acceptable for WBN Units 1 and 2. The design of the WBN system is provided in FSAR Sections 7.6.8, "Interlocks for RCS Pressure Control during Low Temperature Operation," and 5.2.2.4, "RCS Pressure Control during Low Temperature Operation." SRP Section 7.6, Revision 2, requires the NRC staff to review the interlocks to prevent overpressure of the primary coolant system during low-temperature operation.
The staff provided further guidance on the interlock system in BTP Reactor Systems Branch (RSB) 5-2,"Overpressurization Protection of Pressurized Water Reactors While Operating at Low Temperatures." In WBN Unit 2 FSAR Amendment 96, TVA completely revised FSAR Section 7.6.8. The staff requested that TVA identify the changes made to the interlock system. TVA responded the following by letter dated November 24, 2010 (letter item number 281; ADAMS Accession No.ML103330501):
There are no differences between Unit I and Unit 2 interlocks, operation of interlocks and operator interface for operation of the RCS Pressure Control.Primary sensing elements and final control elements are identical and operations of these devices are identical.
For Unit 2, once signals are processed by the Eagle 21 system, interlock implementation is by software modules in the Foxboro I/A DCS. Hardware outputs, generated in the DCS, operate the PORVs. Section 7.6.8 in Amendment 101 of the WBN Unit 2 FSAR reflects the Unit 2 changes associated with implementation of the DCS.7-128 For Unit 2, once signals are processed by the Eagle 21 system, the interlock implementation is by software modules in the Foxboro I/A DCS, while in Unit 1 the interlock implementation is by analog instrumentation and relays. The NRC staff reviewed and accepted the Foxboro I/A DCS, as documented in SSER 23, Section 7.7.1.3. The staff also reviewed FSAR Amendment 101, which reflects the Unit 2 changes associated with implementation of the DCS. Because FSAR Section 7.6.8 has been revised to reflect the proper interlock interface with the DCS and to provide the basis for acceptability of DCS for this function, the staff concludes that the changes are acceptable, Based on its previous evaluation, as documented in the SER and SSER 4, and its review of the information provided by TVA in FSAR Amendments 96 and 101 and by letter dated November 24, 2010, the NRC staff concludes that TVA's interlock system continues to meet the guidance provided in the SRP and BTP RSB 5-2.7.6.6 Valve Power Lockout In SER Section 7.6.6 and SSER 5, Section 6.3.2, dated November 1990, the NRC staff evaluated TVA's system for power lockout during normal reactor operation for valves whose inadvertent operation could affect plant safety. The staff concluded that the system was acceptable.
TVA's system is described in FSAR Section 7.6.6. The staffs guidance for the review is provided in SRP BTP ICSB-18 (Plant Systems Branch (PSB)), Revision 2, "Application of Single Failure Criterion to Manually-Controlled Electrically-Operated Valves." During its review for this SSER, the NRC staff requested that TVA discuss compliance with BTP ICSB-18 for manually controlled electric-operated valves for WBN Unit 2. In its response dated March 31, 2011 (issue number 344; ADAMS Accession No. ML1 10950331), TVA stated that compliance with BTP ICSB-1 8 for WBN Unit 1 was addressed and evaluated by the NRC staff in SER Section 8.3.1.8, "Application of the Single Failure Criterion to Manually Controlled Electrically Operated Valves," in which the staff concluded that the design meets the staff position identified in BTP ICSB-18. Also, in SSER 5, Section 6.3, "Emergency Core Cooling System," and Section 6.3.2, "Evaluation," the staff exempted certain valves from the requirement for valve power lockout based on the determination that consequences of single failures for these valves are acceptable.
All of the valves that are required to meet the single-failure criteria are identified in FSAR Section 7.6.6. The staffs acceptance of TVA's design for manually controlled electric-operated valves is documented above in Section 7.6.4 of this SSER. In its letter dated March 31, 2010, TVA also stated the following:
The design of WBN Unit 2 mirrors the design WBN Unit 1. As a result, the locked valves for [BTP ICSB-18 (PSB)] are the same for WBN Unit 2 as for WBN Unit 1, and the list in the Unit 2 FSAR Section 7.6.6 is accurate for Unit 2.The staffs acceptance of the design for these valves for WBN Unit 2 is documented in Section 7.6.4 above of SSER 23.Based on its previous evaluation, as documented in the SER and SSER 5, and on its review of the information provided by TVA in its letter dated March 31, 2010, the NRC staff concludes that TVA's approach meets the guidance provided in the SRP and BTP ICSB-18 (PSB).7-129 7.6.7 Cold-Leg Accumulator Valve Interlocks and Position Indication In SER Section 7.6.7, the NRC staff evaluated IVA's design for the interlocks for motor-operated valves in the ECCS accumulator lines. TVA described its design for these interlocks in FSAR Section 7.6.5, "Accumulator Motor-Operated Valves." The staff concluded that IVA's design was acceptable.
In its review of the interlocks for the ECCS accumulator valves, the NRC staff used the guidance provided in SRP Section 7.6, Revision 2. This SRP section further refers the staff to the guidance provided in BTP ICSB-4, "Requirements of Motor Operated Valves in the ECCS Accumulator Lines." In WBN Unit 2 FSAR Amendment 96, TVA revised the valve interlock description in FSAR Section 7.6.5 to replace, "safety injection unblock pressure" with "P-11 permissive setpoint (see Table 7.3-3)." In its letter dated September 9, 2010 (ADAMS Accession No. ML102571779), TVA stated that the change was made to be consistent with the wording in FSAR Table 7.3-3, which identifies the RCS pressure interlock signal to accumulator discharge valve as "P-11 permissive setpoint." Because the change does not affect the functionality or operational features of the valve interlock, the change is acceptable to the staff.Therefore, based on its previous evaluation as documented in the SER, and on its evaluation of the information provided by TVA in FSAR Amendment 96 and the letter dated September 9, 2010, the NRC staff concludes that TVA's design for the cold-leg accumulator valve interlock and position indication meets the guidance provided in the SRP and, therefore, is acceptable.
7.6.8 Automatic
Switchover from Injection to Recirculation Mode In SER Section 7.6.8, the NRC staff evaluated TVA's design for automatic switchover from injection to recirculation mode. TVA provided its description of the switchover in WBN Unit 2 FSAR Sections 7.6.9 and Section 6.3.3, "Performance Evaluation
[of the ECCS]." SRP Section 7.6, Revision 2 requires the staff to review the interlocks that are used to prevent overpressurization of low-pressure systems when connected to the primary coolant system.Further guidance to the staff is provided in BTP ICSB-3, Revision 2, "Isolation of Low Pressure Systems from the High Pressure Reactor Coolant System." The staff found TVA's design to be acceptable for WBN Units 1 and 2.In WBN Unit 2 FSAR Amendment 96, TVA completely revised FSAR Section 7.6.9 and also removed the discussion regarding compliance of the system with the design criteria provided in IEEE Std. 279-1971.
The NRC staff requested that TVA justify the removal of the discussion.
In its letter dated October 21, 2010 (letter item number 282; ADAMS Accession No.ML103140661), TVA responded as follows: The re-write for Section 7.6.9 was to provide a more concise description of the instrumentation and controls.
The section was too wordy, and several topics were duplicated in Section 7.3. Wording is now more closely aligned to system description.
Compliance with IEEE 279 is not intended to be eliminated, merely the reference to the standard in that particular section. The following statement is added: "The automatic switchover of the RHR pumps from the injection to the recirculation Mode is part of the Engineered Safety Features Actuation System (ESFAS) discussed in chapter 7.3." Chapter 7.3 includes a reference to IEEE 7-130 Standard 279-1979.
The reference in 7.6.9 was therefore considered unnecessary, and therefore removed.The staff verified IVA's statement that the automatic switchover logic is part of the ESFAS description in FSAR Section 7.3 and, therefore, concluded that the discussion about IEEE Std. 279 compliance is not required to be repeated in FSAR Section 7.6.9. Based on the added reference to FSAR Section 7.3, the staff concludes that IVA's response is acceptable.
Based on its previous evaluation, as documented in SER Section 7.6.8, and on its evaluation of the information provided by TVA in its letter dated October 21, 2010, the staff concludes that TVA's interlock system for automatic switchover from injection to recirculation mode meets the guidance provided in the SRP.7.7 Control Systems Not Required for Safety 7.7.1 System Description 7.7.1.1 Rod Control System 7.7.1.1.1 Introduction This section documents the NRC staff's evaluation of the rod control system for WBN Unit 2. In particular, the staff reviewed the rod control system as described in TVA's letter dated January 29, 2008 (ADAMS Accession No. ML080320443), as supplemented by letters dated April 27, 2010 (Enclosure, Item No. 16 and Attachment 5 of ADAMS Accession No. ML101230248);
July 30, 2010 (Enclosure 1, Item No. 4 of ADAMS Accession No. ML-102160349, not publicly available);
October 5, 2010 (Enclosure 1, Item Nos. 65, 74, 83, and Attachment 21 of ADAMS Accession No. ML1 02910324, not publicly available);
and WBN Unit 2 FSAR Amendment 101, dated October 29, 2010.The rod control system (i.e., the digital control system) consists of those aspects described in FSAR Sections 7.7.1.1, "Control Rod Drive Reactor Control System," 7.7.1.2, "Rod Control System," and 7.7.1.3.3, "Control Bank Rod Insertion Monitoring." FSAR Sections 7.7.1.3.2,"Main Control Room Rod Position Indication," 7.7.1.3.4, "Rod Deviation Alarm," and 7.7.1.3.5,"Rods at Bottom" (pertaining to control room indication and alarms), are evaluated in Section 7.7.1.3, "Rod Position Indication System," of this SSER. TVA's description of the mechanical design of the reactivity control system is described in FSAR Section 4.2.3, "Reactivity Control System," and the NRC staff's evaluation of FSAR Section 4.2.3 is documented in Chapter 4 of this SSER.GDC 25, "Protection System Requirements for Reactivity Control Malfunctions," requires that the protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods. The NRC staff evaluated the FSAR sections that describe the bounding failures of the reactivity control systems (Sections 15.1.5,"Rod Cluster Control Assembly Insertion Characteristics," 15.2.1, "Uncontrolled Rod Cluster Control Assembly Bank Withdrawal from a Subcritical Condition," 15.2.2, "Uncontrolled Rod Cluster Control Assembly Bank Withdrawal at Power," 15.2.3, "Rod Cluster Control Assembly Misalignment," and 15.3.6, "Single Rod Cluster Control Assembly Withdrawal at Full Power") as described in Chapter 15, "Accident Analysis," of the SER and SSERs. The evaluation of the adequacy of the reactor trip system is documented in Section 7.2 of this SSER.7-131 The reactor control input signals (FSAR Section 7.7.1.1.1, "Reactor Control Input Signals (Unit 2 Only)") to the rod control system control functions are implemented by software modules of the DCS (FSAR Section 7.7.1.11).
The reactivity control system indication functions are implemented in the rod position indication system (RPIS) (FSAR Sections 7.7.1.3.2, 7.7.1.3.3, 7.7.1.3.4 and 7.7.1.3.5).
In Attachment 21 to its letter dated October 5, 2010, TVA provided a description of the rod control system equipment (TVA document "Rod Control System Description N3-85-4003," Revision 0012) (ADAMS Accession No. MLI 02930136, not publicly available).
The rod control system is new and unique to WBN Unit 2 (i.e., not implemented in Unit 1). Therefore, the NRC staffs evaluation of TVA's analysis of the failure modes of this new equipment is given in detail below. The functions implemented by this digital instrumentation include those that were previously reviewed and found acceptable by the staff for Unit 1.The purpose of the rod control system is to provide manual or automatic control of the reactor for all ranges of power output. This is accomplished by changing the position of the neutron-absorbing rods in the reactor core. The rods control reactor core reactivity and, thus, reactor coolant temperature.
The system consists of two types of rod groups: shutdown and control. Shutdown rods provide sufficient negative reactivity to ensure that the reactor remains subcritical; these rods are fully withdrawn during normal operation.
Control rods are used to control the reactor core reactivity.
Shutdown and control rods are raised or lowered by a prescribed set of electromechanical actions by the CRDMs.The purpose of the control rod drive (CRD) control system is to provide the means for energizing the mechanism, thus controlling the rod cluster position.
The control system consists of an electrical power source (two motor-generator sets), electrical power control to the mechanisms (power cabinets and direct current hold cabinet), and logic and control signals (logic cabinet).
The RPIS provides rod position information independent of the rod control system.The control scheme used to position the control rods is dependent on reactor power level.Manual control of control rod position is used when the reactor thermal power is between 0 percent and 15 percent. Above 15 percent reactor thermal power, automatic control is used to position the control rods to maintain the average reactor coolant temperature (Tavg) within plus or minus 3.5 degrees Fahrenheit of the reference temperature (Tref).The rod control system provides reactivity control during all reactor modes of operation except during the refuelling mode. Before initial critically, all shutdown rods are required to be fully withdrawn.
The control rods are withdrawn or inserted as required in a predetermined sequence to control core reactivity.
The control rods are positioned manually by the unit operator when the reactor power range is between 0 and 15 percent. When the reactor power reaches approximately 15 percent, the unit operator may select the automatic operation mode.Upon initiation of a reactor trip signal, electrical power is interrupted and all rods fall into the core by gravity.7.7.1.1.2 Regulatory Criteria Because the equipment used to implement the rod control system is new and unique to Unit 2, the NRC staff used current SRP guidance to review this system.7-132 SRP Section 7.7, Revision 5, identifies acceptance criteria (Section II, "Acceptance Criteria")
applicable to control systems. The staff evaluated the applicability of each -of these acceptance criteria to the WBN Unit 2 rod control system. The applicable regulatory criteria include the following.
The regulation in 10 CFR 50.55a(a)(1) states that "Structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed." This criterion is applicable to the WBN Unit 2 rod control system. (Note: The same acceptance criteria will be used to address this item and GDC 1 below.)* GDC I states that "Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed." This criterion is applicable to the WBN Unit 2 rod control system. (Note: The same acceptance criteria will be used to address this item and 10 CFR 50.55a(a)(1) above.)GDC 10, "Reactor Design," states the following:
The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.
The WBN Unit 2 rod control system is a control-system part of the reactivity control system and, therefore, is associated with the reactor core. Therefore, this criterion is applicable to the WBN Unit 2 rod control system.GDC 13 states the following:
Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems.Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.Indication is provided in the MCR to monitor rod positions, as described in FSAR Section 7.7.1.3.2, and evaluated by the staff in Section 7.7.1.3 of this SER.The WBN Unit 2 rod control system is a control system that can be used to maintain the reactivity control system within its prescribed operating ranges (see GDC 28 below).Therefore, this criterion is applicable to the WBN Unit 2 rod control system.7-133 GDC 28, "Reactivity Limits," states the following:
The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold water addition.The WBN Unit 2 rod control system is a reactivity control system. Therefore, this criterion is applicable to it.GDC 29, "Protection against Anticipated Operational Occurrences," states that "The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences." The WBN Unit 2 rod control system is a reactivity control system. Therefore, this criterion is applicable to it.7.7.1.1.3 Technical Evaluation 7.7.1.1.3.1 Quality Standards In response to a staff question, TVA provided its Foxboro I/A procurement specification (Attachment 23 to TVA's letter dated October 5, 2010; ADAMS Accession No. ML1 02910324, not publicly available).
The NRC staff evaluated the specification and found that it requires design, fabrication, and tests commensurate with the importance of the safety functions to be performed.
Because the SRP does not contain specific guidance for evaluating the quality associated with systems that are important to safety, the staff used engineering judgement as its basis for concluding that the rod control system meets the requirements of 10 CFR 50.55a(a)(1) and GDC 1.7.7.1.1.3.2 Appropriate Margin The staff reviewed the safety analyses in FSAR Chapter 15, "Accident Analyses." The analyses demonstrate that, for all anticipated operational occurrences, the DNB limits established in Chapter 4 (FSAR Section 4.4.1.1, "Departure from Nucleate Boiling Design Basis") are not violated.
The DNB limits are established such that the specified acceptable fuel design limits are not exceeded.GDC 10 requires, in part, that the rod control system be designed with appropriate margin to assure that the specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.
The functions of the rod control system for WBN Unit 2 are the same as for WBN Unit 1. Because the NRC staff concluded in the SER and associated SSERS that the functions were acceptable, the margin 7-134 associated with the reactivity control system continues to meet the regulatory requirements in GDC 10.7.7.1.1.3.3 Means for Maintaining Reactivity Limits The functions implemented by the rod control system are described in FSAR Section 7.7.1.2.1,"Rod Control System Function." The rod control system is composed of equipment required to raise or lower the control rod and shutdown rod banks. Control rod banks can be automatically controlled from input signals generated by the reactor control system or by manual means from the control room. Shutdown control rods are controlled by manual means from the control room.GDC 13 requires, in part, that controls be provided to maintain plant variables and systems within prescribed operating ranges. The rod control system functions of the rod control system for WBN Unit 2 are the same as for WBN Unit 1, which the NRC staff concluded to be acceptable in the SER and its associated SSERs; these analyses and associated evaluations remain valid. Therefore, the WBN Unit 2 rod control system can be used to maintain the reactivity control system within its prescribed operating ranges, and GDC 13 is met by the WBN Unit 2 rod control system.7.7.1.1.3.4 Reactivity Limits As described by TVA in FSAR Section 7.7.1.3.3, the purpose of the control bank rod insertion monitor is to give warning to the operator of excessive rod insertion.
The insertion limit maintains sufficient core reactivity and adequate shutdown margin following reactor shutdown due to a normal or design-basis event, assuming the highest worth rod remains fully withdrawn; provides a limit on the maximum inserted rod worth in the unlikely event of a hypothetical rod ejection; and limits rod insertion such that acceptable nuclear peaking factors are maintained.
The NRC staff evaluation confirmed that the rod control system continues to meet GDC 28, because the design limit for rod bank stepping speed is 72 steps per minute, and the rod insertion limits are calculated in the same way as previously approved for WBN Unit 1.Because the amount (determined by insertion limits) and rate (determined by stepping speed) of reactivity increase is controlled by the rod control system, the GDC 28 criteria are achieved, as explained further in the two paragraphs below.The design limit for rod bank stepping speed is 72 steps per minute, which limits the rate of reactivity increase resulting from the rod control system. The FSAR Chapter 15 analysis includes evaluations of rod withdrawals at this rate (Sections 15.2.1, 15.2.2, 15.2.3, and 15.3.6).These analyses demonstrate that, for these events, there is (1) no damage to the reactor coolant pressure boundary and (2) no sufficient disturbance of the core, its support structures, or other reactor pressure vessel internals, to impair significantly the capability to cool the core.GDC 28 requires, in part, that the reactivity control systems be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core.These postulated reactivity accidents include consideration of rod ejection (unless prevented by positive means), rod dropout, steamline rupture, changes in reactor coolant temperature and pressure, and cold water addition.
The insertion limits of the rod control system for WBN Unit 2 7-135 are the same as those for WBN Unit 1, which were previously approved by the NRC staff in the SER and its associated supplements.
7.7.1.1.3.5 Anticipated Operational Occurrences FSAR Chapter 15 contains a description and analysis of five anticipated operational occurrences (FSAR Sections 15.1.5, 15.2.1, 15.2.2, 15.2.3, and 15.3.6). These Chapter 15 analyses demonstrate that the WBN Unit 2 reactivity control system is designed to accomplishing its safety functions in the event of anticipated operational occurrences.
GDC 29 requires, in part, that the protection and reactivity control systems be designed to accomplish their safety functions in the event of anticipated operational occurrences.
The functions of the rod control system for WBN Unit 2 are the same as those for WBN Unit 1, which the NRC staff previously approved in the SER and its associated supplements.
Therefore, the rod control system for WBN Unit 2 meets GDC 29.7.7.1.1.3.6 Safety Function The safety function of the CRD I&C system is to allow all rods to drop into the reactor core upon loss of electrical power to the CRDMs. This electrical power interruption is controlled by a reactor trip signal, which operates the reactor trip switchgear.
The control rods also drop when there is a loss of power (i.e., a non-RTS initiated electrical power interruption), which is acceptable because reactor trip is the safe state and dropping the controls rods results in the safe state. This safety function of the rod control system for WBN Unit 2 is the same as for WBN Unit 1, which the NRC staff approved in the SER and its associated supplements.
Therefore, the rod control system continues to meet this safety function.
The equipment that implements this safety function is outside of the Foxboro I/A-based rod control system and is the same as that for WBN Unit 1. Therefore, the staff's previous evaluation remains valid and this equipment is acceptable.
7.7.1.1.3.7 Rod Control System Failures The staff reviewed the potential failures of the rod control system, as described below, against the accident analyses provided by TVA in FSAR Chapter 15, as described below. Based on its review, the staff concluded that the potential rod control system failures are consistent with the design criteria and bounded by the accident analyses.Failures of the rod control system are described in FSAR Sections 15.2.1, 15.2.2, 15.2.3, and 15.3.6. These sections were reviewed by the staff as documented in SSER Chapter 15.The credible rod control equipment malfunctions that could potentially cause inadvertent positive reactivity insertions due to inadvertent rod withdrawal, incorrect overlap, or inappropriate positioning of the rods are the following:
(1) Failures in the Manual Rod Controls The rod motion control switch is a three-position lever switch. The three positions are"in," "Hold," and "Out." These positions are effective when the bank selector switch is in manual control mode. Failure of the rod motion control switch (e.g., contacts failing short or activated relay failures) would have the potential, in the worst case, to produce 7-136 positive reactivity insertion by rod withdrawal when the bank selector switch is in the manual position or in a position that selects one of the banks.When the bank selector switch is in the automatic position, the rods would obey the automatic commands, and failures in the rod motion control switch would have no effect on the rod motion regardless of whether the rod motion control switch was in "In," "Hold," or "Out." In the case where the bank selector switch is selecting a bank and a failure occurs in the rod motion switch that would command the bank "Out" even if the rod motion control switch were in the "In" or "Hold" position, the selected bank could inadvertently withdraw.This failure is bounded in FSAR Chapter 15 by the safety analysis of the uncontrolled bank withdrawal from subcritical and at-power transients (FSAR Sections 15.2.1 and 15.2.2).A failure that can cause more than one group of five mechanisms to be moved at one time within a power cabinet is not a credible event, because the circuit arrangement for the movable and lift coils would cause the current available to the mechanisms to divide equally between coils in the two groups (in a power supply). The drive mechanism is designed such that it will not operate on half current. A second safety feature in this scenario is the multiplexing failure detection circuit included in each power cabinet. This circuit would stop inadvertent rod withdrawal (or insertion).
The second case considered in the potential for inadvertent reactivity insertion due to possible failures is when the selector switch is in the manual position.
With a failure in the rod motion control switch, such a case could produce a scenario in which the rods could inadvertently withdraw in a programmed sequence.
The overlap and bank sequence are programmed when the selection is in either automatic or manual. This scenario is also bounded by the reactivity values assumed in the accident analysis.
In this case, the operator can trip the reactor, or the protection system would trip the reactor on the power range neutron flux-high, overtemperature delta-T, or overpower delta-T signals.A failure of the bank selector switch produces no consequences when the rod motion control switch is in the "Hold" position.
This is due to the design feature that the bank selector switch is wired in series with the "in-hold-out" lever switch for manual and individual control rod bank operation.
With the in-hold-out lever switch in the "Hold" position, the bank selector switch can be positioned without rod movement.
Results of switch failures in other control positions are discussed above in conjunction with the rod motion control switch.(2) Failures in the Overlap and Bank Sequence Program Control The NRC staff evaluated TVA's description in FSAR Section 7.7.1.2.2, "Rod Control System Failures," of a failure analysis performed by TVA to identify the failure performance of the rod control system. The rod control system design prevents the movement of the groups out of sequence as well as limits the rate of reactivity insertion.
A feature that performs the function of preventing inappropriate positioning produced by groups out of sequence is included in the block supervisory memory buffer and control.This circuitry accepts and stores the externally generated rod selection and motion direction command signals. When the memory buffer has accepted a command and the 7-137 corresponding rod is in motion, a subsequent change in a command will not be immediately accepted.
On recognition that a command change has occurred, an inhibit signal is sent to the pulser so that no other rod motion initiation signals are generated.
However, the rod in motion is allowed to complete its stepping sequence.
After rod motion is ceased, the memory buffer accepts the new command and releases the pulser so that rod motion can resume. Any detected failure that affects the ability of the rod control system to properly move the rods is considered urgent. TVA stated in the FSAR that the urgent alarm is produced by detection of the following general conditions:
- regulation failure* phase failure* logic error* multiplexing error* circuit board interlock failure* oscillator and slave cycler failure.An urgent alarm will be followed by the following actions: 0 Stop automatic rod motion and overlapped rod motion.0 Automatically de-energize the lift coil and reduced-current energize the stationary gripper coils and movable gripper coils.* Activate a lamp (urgent failure) located on the logic and power cabinet front panel.* Activate the control rod urgent failure annunciation window in the MCR.The function of the logic cabinet is to generate the necessary signals to step the control rods during startup, continuous operation, and shutdown of the reactor. The logic cabinet receives signals from the main control board and from the reactor control system. In response to these signals, it selects the drive mechanisms to be stepped and supplies the drive mechanism current profile orders to the power cabinet assigned to drive the mechanism.
TVA stated in FSAR Section 7.7.1.2.2 that it performed a failure analysis based on operation of the logic cabinet in the bank overlap mode with all shutdown banks and control banks, except control bank D, in their fully withdrawn position.
The analysis indicated that postulated failure modes could result in unidirectional outward movement of control bank D rods when operating in the bank overlap control mode. However, when operating in this mode, the speed of the outward movement of control bank D would be limited by the rod speed unit of the reactor control system. In the unlikely event of such a failure, the reactor would trip (e.g., delta-T overtemperature trip) and mitigate the consequences of the postulated component failure. In summary, no single failures exist that would cause a rapid, uncontrolled withdrawal of control bank D. The results of the analysis indicated that all failure modes postulated are detectable through alarm monitoring internal to the logic cabinet or are terminated by a diverse means (i.e., reactor trip).7-138 TVA performed an additional failure assessment to determine whether other single-point failures can occur in the rod control system logic cabinet that corrupt the CRDM coil current orders. This assessment was necessary because of an industry event in which corrupt coil current orders were sent to the CRDM, which caused a single rod to withdraw after inward motion was demanded.
As a result of this event, timing changes for logic cabinet slave cycle decoder cards were implemented to eliminate the possibility of a single rod withdrawal due to a single failure in the rod control system when insertion or withdrawal is commanded.
These timing changes ensure that, in the event of the single failure, all rods in the affected bank(s) will insert when motion (in or out) is demanded.
Based on the timing change to the decoder cards, the failure assessment concluded that all of the identified single rod control system failures result in rod movement in the direction demanded and are therefore limited to a finite number of steps. Also, these single failures may result in some asymmetric rod movement following a rod motion demand signal; however, the movement is in the direction demanded.
These events have been evaluated by TVA and determined to result in consequences less severe than the limiting single rod control system malfunction presented in accident analyses found in FSAR Chapter 15. This is acceptable to the NRC staff, because the FSAR Chapter 15 accident analyses demonstrate that WBN Unit 2 responds to accidents safely.Effects of Failures on CRDM Speed of Operation As described by TVA in FSAR Section 7.7.1.2.2, the rod control system is designed to limit the rod speed control signal output to a value that causes the pulser (logic cabinet)to drive the control rod driving mechanism at 72 steps per minute. If a failure should occur in the pulser or the reactor control system, the highest stepping rate possible is 77 steps per minute, which corresponds to one step every 780 milliseconds.
A commanded stepping rate higher than 77 steps per minute would result in "GO" pulses entering a slave cycler while it is sequencing its mechanisms through a 780-millisecond step. This condition stops the control bank motion automatically and alarms are activated locally and in the control room. It also causes the affected slave cycler to reject further "GO" pulses until it is reset.Failures that cause the 780-millisecond step sequence time to shorten will not result in higher rod speeds because, assuming the pulser and rod control system have not failed, the stepping rate is proportional to the pulsing rate.Simultaneous failures in the pulser or rod control system and in the clock circuits that determine the 780-millisecond stepping sequence could result in higher CRDM speed.However, simultaneous failures of the clock and pulser or rod control system are not considered credible.To preclude addressing failures in the rod speed signal that could cause rod stepping speeds to exceed the normal maximum speed of 72 steps per minute, a test of the rod control system and reactor control system input signal is required.
As stated by TVA in FSAR Section 7.7.1.2.2, this testing of the reactor control system and the rod control system is performed at periodic intervals to detect failures that could lead to an increase in the rod speed.The maximum rod stepping speed of 72 steps per minute is the same as that for WBN Unit 1 and is used in the Chapter 15 safety analyses.
Because the staff concluded that 7-139 the maximum rod stepping speed and the FSAR Chapter 15 accident analyses were acceptable, the speed of operation of the CRDM is acceptable.
7.7.1.1.3.8 Control Rod Bank Insertion Monitoring The control rod bank insertion monitoring functions described in FSAR Amendment 103, Section 7.7.1.3.3, "Control Bank Rod Insertion Monitoring," are the same as previously approved by the NRC staff in the SER and its associated supplements.
Therefore, the functions described by TVA are acceptable.
In Attachment 29 to TVA's letter dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), TVA provided Drawing No. 6661 E34, Revision 1, which depicts the CERPI system initiating the "Insertion Limit LO" and "Insertion Limit LO-LO" alarms from each channel. In addition, TVA provided Westinghouse Specification WNS-DS-00001-WBT, Revision 2, "CERPI System Requirements Specification" (CERPI SysRS), June 2009.Section 4.1.7, "Rod Insertion Limit Algorithm," of CERPI SysRS requires that sufficient provisions be implemented in CERPI to implement the functionality described in the FSAR.Based on its review of the information provided by TVA, the NRC staff concludes that the functions and consequences of equipment failure modes are acceptable, as described above.Therefore, TVA's implementation of control rod bank insertion monitoring is acceptable.
7.7.1.1.4 Conclusion The NRC staff reviewed TVA's FSAR and supplemental submittals, as identified above, and concludes that TVA satisfactorily addressed each of the staffs acceptance criteria of quality, reactor design, I&C, reactivity limits, and protection against anticipated operational occurrences.
The WBN Unit 2 rod control system continues to implement the functional requirements previously approved by the staff for WBN Unit 1. Therefore, the staff finds that the proposed design of the WBN Unit 2 rod control system is acceptable.
7.7.1.2 Neutron Flux Monitoring System 7.7.1.2.1 Introduction TVA described the WBN Unit 2 NIS in WBN Unit 2 FSAR Sections 7.2.1.1.2, "Reactor Trips," 7.2.2.3.1, "Neutron Flux," 7.2.1.2.2, "Generating Station Variables," 7.7.1.3.1, "Monitoring Functions Provided by the Nuclear Instrumentation System," and 7.2.2.2, "Evaluation of Compliance to Applicable Codes and Standards." The NIS monitors neutron flux from reactor shutdown to 200 percent of full rated power.In response to NRC staff questions, TVA provided additional information about the NIS in its letters dated April 27, 2010 (ADAMS Accession No. ML101230248), and October 5, 2010 (ADAMS Accession No. ML1102880525).
7.7.1.2.2
System Description
The primary function of the NIS is to protect the reactor by monitoring neutron flux and generating appropriate reactor protection trips, operating permissives, indications, and alarms for various phases of reactor operating and shutdown conditions.
As described in FSAR Section 7.7.1.3.1, the NIS comprises three subsystems:
(1) source range, (2) intermediate 7-140 range, and (3) power range neutron monitoring systems, which are designed with overlapping ranges to ensure satisfactory transition during reactor startup and shutdown.
These subsystems of the NIS consist of eight channels:
two source range, two intermediate range, and four power range channels.
The safety function of each subsystem is to provide reactor trip input signals to the reactor protection system. Neutron flux signals are also used to enable or block interlocks P-6 through P-1 0 associated with other reactor trips at appropriate critical reactor power levels. The source range and intermediate range neutron monitoring systems also provide accident monitoring indication.
The NIS also provides input to support normal operating control, indication, and alarm functions needed to maintain the reactor within safe operating limits.The power range neutron flux subsystem is used to develop reactor trip signals when the reactor is at power operations.
The power range high neutron flux trip circuit trips the reactor when two of the four power range channels exceed the trip setpoint.
The high trip setting provides protection during normal power operation and is always active. The low trip setting, which provides protection during startup, can be manually bypassed when two out of the four power range channels read above approximately 10 percent reactor power. The power range channels also provide a high positive neutron flux rate reactor trip, which trips the reactor when a sudden abnormal increase in nuclear power occurs in two out of four power range channels.This trip provides DNB protection against control rod ejection accidents in which the ejected rod is of low reactivity worth and the reactor is operating at midpower.
This trip is always active.In addition, the measurement of power range neutron flux is used as an input to the overpower and overtemperature delta-T (change in reactor coolant temperature) reactor trips. Also, an isolated auctioneered high neutron flux signal is derived by the auctioneering of the four channels to support the operation of automatic rod control and to support reactor power level-based programmed water level control for the pressurizer and the steam generators.
The source range high neutron flux trip circuit trips the reactor when one of the two source range channels exceeds the trip setpoint, to provide protection during reactor startup and plant shutdown.
The source range trip can be manually bypassed when one of the two intermediate range channels exceeds the P-6 setpoint value and is automatically reinstated when both intermediate range channels decrease below the P-6 setpoint value. This trip is also automatically bypassed by two-out-of-four logic from the power range protection interlock, P-1 0.This trip function can be reinstated below P-1 0 by a manual action requiring simultaneous manual actuation of two control board-mounted switches, one in each of the two protection logic trains. The source range trip point is set between the P-6 setpoint and the maximum source range power level.The intermediate range high neutron flux trip circuit trips the reactor when one out of the two intermediate range channels exceeds the trip setpoint, to provide protection during reactor startup. This trip can be manually blocked if two out of four power range channels are above P-10. Three out of the four power range channels below this value automatically will reinstate the intermediate range high neutron flux trip. The intermediate range channels, including detectors, are separate from the power range channels.The power range overlaps the source and intermediate ranges to ensure satisfactory transition during reactor startup and shutdown.
The source range and intermediate range subsystems also provide postevent information as part of the accident monitoring system described in Section 7.5.2 of this SSER.7-141 NIS indications are provided in the MCR on the main control board. This indication covers the range of reactor neutron flux from shutdown to 200 percent of full power. The source range, intermediate range, and power range channels are designed with overlapping ranges to ensure operator indication of a satisfactory transition during reactor startup and shutdown.
The main control board indication includes reactor neutron flux count rate and startup rate for each of the two source range channels, flux rate and startup rate for each of the two intermediate range channels, and flux level and upper/lower detector differential flux indications for each of the four power range channels.
Two channels of the total eight NIS channels may be selected for recording at any one time. Also, the four power range channels (upper and lower detector sum)flux signals are recorded.
The output signals of the NIS channels are also monitored by the plant ICS.Isolated signals from the four power range channels are provided as input to a plant DCS, where the second highest of the four channels is determined and provided as an input to the steam generator level control system. The DCS also provides the highest of the four power range channels to the Rod Speed Program as discussed in FSAR Section 7.7.1.1.2.
The source and intermediate range instrumentation are qualified to the RG 1.97, Category 1 criteria (see SSER Section 7.5.2.1).
This ensures that a failure of one component within one channel will not impact operations of the other channel so that neutron flux indication will still be-available to plant operators to support emergency operations via the other channel.7.7.1.2.3 Regulatory Evaluation As described above, the neutron flux monitoring system supports safety-related functions, important-to-safety functions, normal operation control functions, and postaccident monitoring functions.
The NRC staffs acceptance criteria for various aspects of these functions are based on meeting the following regulatory requirements:
In 10 CFR 50.55a(a)(1), the NRC requires that structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed.
GDC I requires, in part, that a quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions.
Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained.
In 10 CFR 50.55a(h), the NRC requires compliance with IEEE Std. 603-1991 and the correction sheet dated January 30, 1995. However, for nuclear power plants such as WBN, with construction permits issued between January 1, 1971, and May 13, 1999, the applicant/licensee may elect to comply instead with the requirements in IEEE Std. 279-1971.
For control systems isolated from safety systems, the applicable requirements of 10 CFR 50.55a(h) are defined in IEEE Std. 279-1971, Clause 4.7.GDC 10 requires, in part, that the reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded.7-142 GDC 13 requires, in part, that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process.GDC 19 requires, in part, that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including LOCAs.GDC 20, "Protection System Functions," requires, in part, that the protection system"shall be designed (1) to initiate automatically initiate the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded." GDC 24 requires the following:
The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.GDC 28 requires, in part, that the reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither result in damage to the reactor coolant pressure boundary nor sufficiently disturb the core to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection, rod dropout, steamline rupture, changes in reactor coolant temperature and pressure, and cold water addition.GDC 29 requires that the protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.
- Specific TMI action plan requirements of NUREG-0737, Supplement 1.In addition, RG 1.97, Revision 2 provides the NRC staff with criteria for evaluating conformance to GDCs 13 and 19 and describes a method acceptable to the NRC staff for complying with the regulatory requirements to provide instrumentation to monitor plant variables and system during and following an accident.7.7.1.2.4 Technical Evaluation The NRC staff's evaluation of the reactor trip system (that is, safety protection functions) for WBN, including the neutron flux monitoring system inputs, is described in SER Section 7.2.1.The staff's evaluation included a review of the initiating circuits, logic, bypasses, interlocks, redundancy, diversity, and actuation devices used to implement reactor shutdown.
The staffs 7-143 evaluation of control systems not required for safety (that is, nonsafety protection functions) for WBN is described in SER Section 7.7. The staffs evaluation included control systems for reactivity, primary system pressure, feedwater control, and turbine speed, and included consideration of descriptive information, functional logic, instrumentation and electrical diagrams, and TVA's design bases and analyses.
On the basis of the conformance of the systems' design to the GDCs, applicable RGs, BTPs, and applicable industry standards, the staff concluded that the control systems not required for safety were acceptable.
In SSERs 9, 14, and 15, the NRC staff concluded that, for the nonprotection safety functions, TVA appropriately addressed the guidance of RG 1.97, Revision 2, including neutron flux monitoring instrumentation used to provide accident monitoring information.
Neutron flux is a Type A (source range) and a Type B (intermediate range) parameter for WBN that must meet Category 1 qualification criteria.
The intermediate range of neutron flux is also a Type D, Category 2 parameter.
In SSER 9, the staff evaluated TVA's commitments to meet or modify the equipment proposed as Type A or Type B variables to meet the Category I qualification recommendations, and the staff evaluated TVA's proposed schedule for achieving this commitment.
Based on its evaluation, the staff concluded that TVA either conforms to, or has adequately justified deviations from, the guidance of RG 1.97 for each postaccident monitoring variable.The NRC staff evaluated the information provided by TVA in FSAR Amendments 96 through 103, which describe TVA's intended design and regulatory compliance for WBN Unit 2.The staff asked TVA to provide a description of the differences in hardware and software design and implementation of the neutron flux monitoring system instrumentation for WBN Unit 2 from those that were originally reviewed by the NRC staff for WBN Unit 1. The staffs evaluation of the PAMS for WBN Unit 2 identifies these differences and is located in Sections 7.5.2.1,"Compliance with Regulatory Guide 1.97," and 7.5.2.2, "Common Q Post-Accident Monitoring System," of this SSER.In response to questions from the staff, TVA described the differences in the neutron flux monitoring system between WBN Unit I and Unit 2 in its letters dated April 27, 2010 (ADAMS Accession No. ML1 01230248) and October 5, 2010 (ADAMS Accession No. ML1 02880525).
TVA informed the staff that, since WBN Unit 1 began operations in 1996, certain neutron flux monitoring system equipment became obsolete.
To address this obsolescence and meet its commitments with respect to the qualification recommendations of RG 1.97, TVA installed newer versions of specific neutron monitoring system hardware to replace the original equipment.
For WBN Unit 1, the original Westinghouse source range drawer was replaced with a Gamma-Metrics Model RCS-300 system that performed the same system functions as the original equipment.
However, since the Gamma-Metrics equipment was installed on WBN Unit 1, portions of the RCS-300 system became obsolete.
Therefore, on WBN Unit 2, TVA will install the newer Gamma-Metrics/Thermo Fisher Scientific Model 300i neutron flux monitoring system.Although the Model 300i neutron flux monitoring system performs all of the same functions as the original system, several differences in hardware form, fit, and features will exist between the source range and intermediate range neutron flux monitoring systems for WBN Unit 2 and Unit 1. Additionally, there are unit-specific neutron flux detector location and orientation designations for all power range, source range, and intermediate range detectors that are different for WBN Unit 2 from those of Unit I in order to align with the unit-specific core geometry.
However, the newer model equipment providing the source range and intermediate 7-144 range monitoring functions enable WBN Unit 2 to meet TVA's commitments with regard to the equipment qualification requirements of RG 1.97, Revision 2.The NRC staff reviewed TVA's descriptions of the differences between the existing WBN Unit 1 and planned Unit 2 neutron monitoring systems and concluded that the differences mainly affect the source range and intermediate range channels.
In Attachment 31 (EDCR 52421 Source And Intermediate Range, Scope and Intent, Unit Difference And Technical Evaluations) to its letter dated October 5, 2010, TVA identified several differences in technical features affecting the operator and technician interfaces between the neutron monitoring systems for WBN Unit 1 and Unit 2 as a result of the implementation of the newer Model 300i, including the following:
Operator interfaces are slightly different.
The source and intermediate signal processors for WBN Unit 2 have upgraded bar graph LCDs, whereas the WBN Unit 1 analog meters are now no longer available.
Also, for WBN Unit 1, the source and intermediate range signal processor displays read out in "Counts per second" or "Percent power level" displays, respectively, whereas the drawer fronts for the WBN Unit 2 source and intermediate range signal processor displays also provide flux rate of change display in"Decades per minute." Hardware interfaces are slightly different.
The signal processors for WBN Unit 1 have wired card edge connectors, whereas the WBN Unit 2 system signal processors will have printed circuit card backplanes.
Also, the wide range signal processor in panel 2-L-10 will be in a different location than in WBN Unit 1. The original Westinghouse drawer backup source range drawer is being removed from panel 2-L-10 due to obsolescence, and the Thermo Electron Gamma-Metrics wide range signal processor will be mounted in its place. To address a cable routing concern that was identified as a WBN Unit I analysis item under Appendix R, "Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979," to 10 CFR Part 50, the cables for WBN Unit 2 will be routed in such a manner as to remove this concern.Technician interfaces are slightly different.
The interfaces needed to support calibration and maintenance have been improved in the WBN Unit 2 design in the following manner: The WBN Unit 2 source and intermediate range neutron monitoring system allows for the technician to conduct normal surveillance activities on the drawer without having to rack out the drawer. Additionally, the WBN Unit I system has fuses on the front panel for control and instrument power, while the WBN Unit 2 system has circuit breakers on the back for control and instrument power. The calibration test and output selector knobs for the WBN Unit 2 intermediate range signal processor are different from those of WBN Unit 1. There are a total of three control knobs for WBN Unit 1, including level trip, adjust, and operation selector.
For WBN Unit 2, there are a total of five knobs, including these three plus test selector and output selector.
The WBN Unit 2 front panel output selector switches allow source and intermediate level signals and all bistable setpoints to be read from the front panel test jacks with a 0-10 VDC (volt direct current)test meter without having to rack out the drawers. The shutdown monitor for WBN Unit 2 will not be equipped with an alarm reset button, which was used to manually disable the alarm during the drawer latching process. Because technicians can now conduct surveillances with the drawer racked in, the alarm reset function is obsolete.
If the drawer has to be racked out for any reason, the alarm reset feature can be handled, if necessary, with the annunciator controls.
To simplify troubleshooting by technicians, an improvement in status indicating lights has been made. For the intermediate range monitor, the "non-operate" indicating light for WBN Unit 1 is a single light, whereas for 7-145 WBN Unit 2 there is an indicator light for "amplifier non-operate," and for "Source Rangellntermediate Range" nonoperate.
All of the differences described by TVA serve to enhance the operational, maintenance, and testability features and capabilities of the required safety or postaccident monitoring functions of the neutron monitoring system for WBN Unit 2 and provide for reliable postaccident operation.
Based on its review, the NRC staff concluded that none of the changes described in IVA's letters dated April 27, 2010, and October 5, 2010, would functionally change the required interfaces with reactor trip logic, rod control, reactor power interlocks, or PAMS, or reduce the capabilities of the neutron monitoring system to meet the minimum required safety and postaccident monitoring functions from those previously reviewed by the NRC staff in its original evaluation documented in the SER or SSERs. Additionally, the new Thermo Electron Gamma-Metrics 300i system for source and intermediate range neutron monitoring allows WBN Unit 2 to meet or exceed all the qualification recommendations (range requirements, display location, display type, redundancy, environmental qualifications, seismic qualifications, quality level, and power supply reliability) of RG 1.97, Revision 2.Based on the above described evaluation, the NRC staff concluded that TVA has made no substantive functional changes to the design of the neutron flux monitoring system that would invalidate the staffs previous conclusions with respect to its review of the initiating circuits, logic, bypasses, interlocks, redundancy, diversity, and actuation devices used to implement reactor shutdown and postaccident monitoring functions, as documented in the SER or SSERs.7.7.1.2.5 Conclusion The NRC staffs review of the neutron flux monitoring system included an evaluation of the description of the system as provided in WBN Unit 2 FSAR Amendments 96 through 103, and as provided by TVA in letters dated April 27, 2010, and October 5, 2010. The staff verified that the system is functionally the same as that for the original design for WBN Unit 1, which was previously reviewed and accepted by the staff as documented in the SER and SSERs 9, 14, and 15. Based on the NRC staffs prior evaluation, the staff concludes that the information provided by TVA in FSAR Sections 7.2.1.1.2, 7.2.1.2.2, 7.2.2.2, 7.2.2.3.1, and 7.7.1.3.1 pertaining to the neutron flux monitoring system continues to comply with the applicable regulatory requirements, and that the staffs conclusions in the SER and SSERs 9, 14, and 15 remain valid.7.7.1.3 Rod Position Indication System 7.7.1.3.1 Introduction The RPIS is a new digital system that was recently installed at WBN Unit 2. This system is different than that previously approved for WBN Unit I and Unit 2, as documented in Section 7.7.1 of the SER. The NRC staff reviewed the RPIS using the guidance provided in SRP Section 7.7, Revision 5. The objective of the staffs review was to confirm that (1) the new digital RPIS at WBN Unit 2 conforms to the acceptance criteria of the SRP, (2) the controlled variables can be maintained within prescribed operating ranges (as applicable), and (3) the effects of operation or failure of the system are bounded by the accident analyses in FSAR Chapter 15.The RPIS provides the position of each rod (57 rods, divided into shutdown and control banks)on the MCR displays.
The RPIS receives analog signals from sensors mounted on the rod drive 7-146 mechanism, calculates rod position from these signals, and displays this information on the MCR displays.
The RPIS is also known as the CERPI system. The RPIS may be referred to as the CERPI system in this evaluation.
WBN Unit 2 FSAR Section 7.7.1.3.2 describes the RPIS and rod position step counter as two systems used to monitor the rod position information.
TVA described the RPIS in WBN Unit 2 FSAR Section 7.7.1.3.2, which states, in part, the following:
Two separate systems are used to indicate rod position information in the main control room. One system measures the actual drive rod position as part of the Rod Position Indicator System (RPIS). The second system counts and displays the pulses for rod movement generated in the logic cabinet.(1) Rod Position Indication System The position of each rod (57) [Shutdown and Control banks] is displayed on main control room (MCR) displays.
The RPIS receives analog signals from sensors mounted on the rod drive mechanism, calculates rod position from these signals and displays this information on the MCR displays.
The scale is in units of steps and covers the entire range of travel.Additionally, a rod bottom indicator light for each rod (57) is shown on the MCR displays to indicate a rod is near the fully inserted position.(2) Rod Position Step Counter The position demand signal for each rod group (14) is displayed on a 3-digit, add-subtract step counter. The input signal is supplied from the logic cabinet circuitry.
The demand position and rod position indication systems are separate systems.TVA described RPIS-related MCR annunciators in FSAR Sections 7.7.1.3.4 and 7.7.1.3.5.
FSAR Section 7.7.1.3.4 states, in part, the following:
A rod deviation annunciation is actuated in the main control room when; 1) the deviation between the actual rod position and the bank demand position (control banks rods) exceed a preset value, or 2) the deviation between any two rods within a control bank exceed a preset value.FSAR Section 7.7.1.3.5 states, in part, the following:
A "Rods At Bottom" annunciation is actuated in the main control room when any of the shutdown and control bank rods are near the fully inserted position.
The RPIS monitors the analog signal from the rod position detectors and actuates this alarm when the rods are positioned below the setpoint. (The RPIS blocks this alarm signal for control banks B, C, and D).7-147 7.7.1.3.2 System Requirements The RPIS is designed to detect the position of each of the 57 control rods (shutdown and control banks) and indicates rod positions in units of steps on the MCR displays.
The RPIS is required to provide input to the rod deviation alarm and rods-at-bottom annunciator in the MCR when any of the shutdown or control bank rods are near the fully inserted position.
The RPIS system also provides a control interlock to stop automatic rod withdrawal of control bank D whenever the rod position exceeds a preset limit. In addition, the RPIS is required to provide rod position input to the plant ICS.7.7.1.3.3 Evaluation Criteria The NRC staff evaluated the adequacy of the RPIS using the review guidance contained in SRP Section 7.7, Revision 5. The staff's acceptance criteria are based, in part, on meeting the following regulatory requirements and guidance: The regulation in 10 CFR 50.55 (a)(1), which requires that "Structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed." For control systems isolated from safety systems, the applicable requirements of 10 CFR 50.55a(h) are defined in IEEE Std. 279-1971, Clause 4.7, IEEE Std. 603-1991, Clause 5.6.3, and IEEE Std. 603-1991, Clause 6.3.GDC 13, "Instrumentation and Control." RG 1.97, Revision 2, "Instrumentation for Light-Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident." SRP BTP 7-19, Revision 5, "Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems." Interim Staff Guidance DI&C-ISG-02, Revision 2, provides acceptable methods for implementing diversity and defense in depth in digital I&C system designs.7.7.1.3.4 Technical Evaluation Rod Position Indication System Design Bases In response to NRC staff questions, TVA provided a description of the RPIS hardware and software requirements in Attachment 29 (Westinghouse proprietary report WNS-DS-00001 -WBT, Revision 2), of TVA's letter to the staff dated October 5, 2010 (ADAMS Accession No. ML1 02880525).
The WBN Unit 2 RPIS is a nonsafety-related system and consists of the following major components:
0 two programmable logic controllers (PLCs)0 redundant power supplies 0 maintenance and test panels (MTPs)0 operator monitors (OM)7-148 fiber optic modems and other related hardware The system provides control rod position indication in the MCR via two display screens, with one screen dedicated for each of two redundant PLCs. Two PLCs are used, with redundant power supplies, MTPs, fiber optic modems, and other related hardware, to enhance reliability and availability.
The system also provides outputs for rods at bottom annunciation in the MCR, rod withdrawal interlock for control bank D, and an interface to test panels that in turn interfaces with the plant ICS and operator displays in the MCR. The RPIS generates several alarms, including a PLC trouble alarm, a rod bank mismatch alarm, and a rods-at-bottom alarm.Operators may be alerted to a dropped rod cluster control assembly (RCCA) by a rods-at-bottom alarm, a rod deviation alarm, or a rod position indication, as described in FSAR Section 15.2.3. Operators may be alerted to misaligned RCCAs by a rod deviation alarm or rod position indication.
The system has been designed and built as a redundant two-train system (hardware, software, and data communications) for system reliability enhancement.
Although the CERPI system is nonsafety related, it was designed, programmed, and built using a documented, quality process.As part of its review, the NRC staff reviewed the design, implementation, and testing documentation produced for the digital CERPI system. The CERPI system requirements specification (Attachment 29 to TVA's letter dated October 5, 2010) contains hardware and software requirements for the RPIS. The system is designed as a two-train system with hardware and communication redundancy for enhancing system reliability.
Because the system is a two-train system, with built-in redundancy and available documentation to support a system review, the staff concludes that there is reasonable assurance that the system fully conforms to the applicable requirements of 10 CFR 50.55a(a)(1) for a nonsafety system. The RPIS has no control function.
Based on its review, the staff finds that the RPIS is appropriately designed and is of sufficient quality to minimize the potential for challenges to safety systems. Furthermore, the system has been designed with redundant operator display panels that provide control rod position indication over the full range of normal and anticipated operational occurrences, and for accident conditions (i.e., design-basis accidents), and provides control room alarms and rod block/stop functions to maintain control rods properly aligned such that the fission process will not be detrimentally affected.
Therefore, it assures adequate safety. Therefore, the staff concludes that the RPIS has been designed adequately to perform its intended important-to-safety functions and meets the requirements of GDC 13.Effects of Rod Position Indication System Operation on Accidents The staff reviewed the effects of the RPIS operation during plant design-basis accidents and anticipated operational occurrences to confirm that the safety analysis includes consideration of the effects of CERPI system action and inaction during these transients.
The CERPI system does not have any rod control functions.
In its letter dated October 29, 2010 (ADAMS Accession No. ML103120711), TVA stated that no credit is taken for the rod position indication system in any accidents analyzed in WBN Unit 2 FSAR Chapter 15. Also, TVA does not take credit for any rod stop/block in any continuous rod withdrawal accident analyzed in WBN Unit 2 FSAR Chapter 15. The staff verified that the safety analysis includes consideration of the effects of both action and inaction of the control rod position indication system in assessing the transient response of the plant for accidents and anticipated operational occurrences.
Therefore, the system satisfies the requirements of GDC 13.7-149 Effects of Rod Position Indication System Failures The staff reviewed the failure modes of the RPIS to verify that its failure does not cause plant conditions more severe than those described in the analysis of anticipated operational occurrences in FSAR Chapter 15. Because this is a digital system, the staff also reviewed potential CERPI software design errors, such as SWCCF.BTP 7-19, Revision 5, and DI&C-ISG-02, Revision 2, provide the NRC staff position and guidance for the diversity and defense-in-depth (D3) evaluation to address the concern about common-cause failure vulnerabilities with regard to the use of digital computer-based I&C systems. The staff position in BTP 7-19, Revision 5, states in part, the following:
The applicant/licensee should assess the D3 of the proposed I&C system to demonstrate that vulnerabilities to common-cause failures have been adequately addressed.
- In performing the assessment, the vendor or applicant/licensee should analyze each postulated common-cause failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best-estimate or SAR Chapter 15 analysis methods. The vendor or applicant/licensee should demonstrate adequate diversity within the design for each of these events.The acceptance criteria in BTP 7-19, Revision 5, state, in part, the following:
For each postulated accident in the design basis occurring in conjunction with each single postulated common-cause failure, the plant response calculated using best-estimate (realistic assumptions) analyses should not result in radiation release exceeding the 10 CFR 100 guideline values, violation of the integrityof the primary coolant pressure boundary, or violation of the integrity of the containment (i.e., exceeding coolant system or containment design limits). The applicant/licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.Operability of the rod position indication system is defined by the WBN Unit 2 TS. In its letter to the NRC dated February 2, 2010 (ADAMS Accession No. ML1 00550326), TVA provided an update to its proposed WBN Unit 2 TS. The proposed TS are consistent with the guidance in NUREG-1431, Revision 3, "Standard Technical Specifications-Westinghouse Plants," issued June 2004. The staff noted that WBN Unit 2 TS 3.1.8, "Rod Position Indication," does not have a required action for a total loss of indication.
Therefore, a total loss of the RPIS would require a plant shutdown in accordance with LCO 3.0.3. The staff requested that WVA address the issue of a common-cause software failure. In its response by letter dated November 24, 2010 (letter item number 301; ADAMS Accession No. ML103330501), TVA stated the following:
With regard to the CERPI system software:* The software used on PLC-A is identical to that used on PLC-B.* The software used on MTP-A is identical to that used on MTP-B 7-150 0 The software used on OM-A is identical to that used on OM-B.A common cause failure affecting the software of one CERPI train would affect the other train as well. Common cause problems associated with the CERPI software were mitigated by the Westinghouse software development process, factory acceptance testing, and site acceptance testing. There is no 'fail as-is" scenario.
Any failure of a hardware/software component (resulting in processor lock-up) would be immediately annunciated (Main Control Room alarm). A loss of communication to the MTP, or OM would be annunciated, and the data values on the flat panel display would be displayed in magenta (indicating failure).
A hardware/software failure in the PLC (resulting in processor lock-up) would result in an annunciator because of the watchdog alarm circuit associated with the PLC processor module.In its supplemental response by letter dated December 22, 2010 (ADAMS Accession No. MLI 10100650), TVA stated the following:
- 1. The following response is based on the information contained in Westinghouse letter WBT-D-2722, "Response To Question On CERPI RAI #301," dated December 6, 2010 (Reference 3).TVA believes the follow-up question is related to the statement found in the response to question 2 of NRC Matrix Item 301, submitted in TVA letter to NRC, "Watts Bar Nuclear Plant (WBN) Unit 2 -Instrumentation and Controls Staff Information Requests," dated November 24, 2010, (Reference
- 8) "Any failure of a hardware/software component (resulting in processor lock-up) would be immediately annunciated (Main Control Room alarm)." The RPIS system will not annunciate various system alarms if the software is in a lockup condition.
However, the system will annunciate an alarm based on the PLC watchdog relay dropping out because the software has "locked up" the processor.
So, even if the PLC locks up, an alarm is generated to alert the operators in the Main Control Room (MCR).The RPIS system alarms (that connect to the plant annunciator system)are wired to specific alarm relays within the RPIS system. With the exception of the watchdog alarm relay, the alarm relay coils are actuated by the PLC Digital Output Module. The plant annunciator wiring connects to either the Normally Open (NO) or the Normally Closed (NC) contacts of the associated alarm relay. The watchdog relay is configured such that when a timeout condition occurs (the PLC locks up), the watchdog relay de-energizes and a CERPI System Trouble alarm is annunciated in the MCR.A common-cause failure affecting the software of one CERPI train would affect the other train as well. Therefore, the entire system may fail due to an SWCCF. TVA stated that common-cause problems associated with the CERPI software were mitigated by the Westinghouse software development process, factory acceptance testing, and site acceptance testing. WVA also stated that there is no "fail as-is" scenario for the RPIS due to a SWCCF. Any failure of a 7-151 hardware or software component (resulting in processor lockup) would be immediately annunciated in the MCR. The CERPI system will not annunciate various system alarms if its software has failed (i.e., is in a lockup condition).
However, the system will annunciate an alarm based on the PLC watchdog relay dropping out due to software lockup of the processor.
So, even if the PLC locks up, an alarm is generated to alert the operators in the MCR. Moreover, a loss of communication to the MTP or OM would be annunciated, and the data values on the flat panel display would be displayed in magenta (indicating failure).The CERPI system alarms that connect to the MCR annunciator system are wired to specific alarm relays within the CERPI system. With the exception of the watchdog alarm relay, the alarm relay coils are actuated by the PLC digital output module. The plant annunciator wiring connects to either the normally open or the normally closed contacts of the associated alarm relay. The watchdog relay is configured such that, when a timeout condition occurs (e.g., the PLC locks up), the watchdog relay de-energizes and a CERPI system trouble alarm is annunciated in the MCR. Therefore, failure of the CERPI system due to an SWCCF will be alarmed and annunciated to plant operators, so that compensatory actions may be taken in accordance with the TS.As previously stated, for all accidents analyzed in WBN Unit 2 FSAR Chapter 15, no credit is taken for the rod position indication system. For all continuous rod withdrawal accidents analyzed in WBN Unit 2 FSAR Chapter 15, no credit is taken for any rod stop/block.
Therefore, the staff concludes that an undetected failure of the CERPI (including an SWCCF) would have no impact on the WBN Unit 2 accident analysis.In its letter dated December 22, 2010, TVA also stated the following:
Concerning the impact on Bank D, RPIS cabinet relays A-KX-18 and B-KX-18 are the PLC controlled components of Rod Withdrawal Limit. The relays are'active low" requiring power to activate the contacts in the control circuit. Total loss of RPIS will open the contacts and block Automatic Rod Withdrawal.
Additionally, Annunciator window 64F will annunciate to show "C-1 1 BANK D AUTO WITHDRAWAL BLOCKED." Therefore, this would not result in an undetected failure. In the event of an undetected failure that kept relays A-KX-18 and B-KX-18 energized, the worst case scenario would be a continuous rod withdrawal event. This event is already addressed in the Chapter 15 accident continuous rod withdrawal accident analysis which takes no credit for rod stops/blocks.
Based on the information provided by TVA that addresses the effects of RPIS failures, including an SWCCF, the NRC staff concludes that TVA has appropriately identified the vulnerabilities of the RPIS and has provided a documented basis that justifies taking no further actions to provide a diverse RPIS. Based on its review of TVA's D3 analysis, and because (1) CERPI is a nonsafety system, (2) TVA takes no credit for the RPIS to mitigate any anticipated operational occurrence or design-basis accident, and (3) TVA takes no credit for accident mitigation by rod stop/rod block, the NRC staff concludes that the RPIS complies with the criteria for defense against a common-cause failure provided in BTP 7-19 and DI&C-ISG-02.
These also demonstrate that the CERPI system complies with the applicable requirements of IEEE Std. 279-1971, Clause 4.7 for control and protection system interaction, and the requirements of IEEE Std. 603-1991, Clause 5.6.3 for independence between safety systems and other systems (e.g., RPIS), because the failure of the RPIS will not prevent any safety system from performing its safety function to mitigate anticipated operational occurrences and design-basis accidents.
7-152 Interfaces with Other Systems The RPIS does not interface or communicate with any safety system; it is isolated from all safety systems. There is no direct interaction between the CERPI system sense and command features and other systems. It provides rod position indication, rod bottom alarms, and other inputs to the plant ICS (plant computer) via the MTP.FSAR Table 7.7-1 lists the interlock for blocking automatic rod withdrawal, designated as interlock C-11. Interlock C-1 1 functions to block automatic rod withdrawal and is derived from a"2/2 control bank D rod position above setpoint" signal. This interlock is a control interlock and is not a safety-related interlock, so it has not been specifically designed to meet the requirements of IEEE protection system standards.
The staff asked (letter item number 301) TVA to address failures of the CERPI system and its effects on the control interlock.
In its letter dated October 29, 2010 (ADAMS Accession No. ML103120711), TVA stated the following:
Control Bank D Automatic Rod Withdrawal Limit would be assured by Operations and control circuitry by the following 2 methods: a. A simultaneous failure of all indications of the Rod Position Indication System places the plant in LCO 3.0.3, since it would prevent compliance with actions in LCO 3.1.8.b. CERPI cabinet relays A-KX-18 and B-KX-18 are the PLC controlled components of Rod Withdrawal Limit. The relays are "active low" requiring power to activate the contacts in the control circuit. Total loss of CERPI will open the contacts and block Automatic Rod Withdrawal.
Additionally, Annunciator window 64F will annunciate to show "C-11 BANK D AUTO WITHDRAWAL BLOCKED." WBN Unit 2 TS LCO 3.0.3 requires that, "When an LCO is not met and the associated ACTIONS are not met, an associated ACTION is not provided, or if directed by the associated ACTIONS the unit shall be placed in a MODE or other specified condition in which the LCO is not applicable." The LCO would require that the plant be placed in a safe condition with respect to this interlock.
As noted above, TVA also stated that no credit is taken for the rod position indication system in any accidents analyzed in WBN Unit 2 FSAR Chapter 15, and no credit is taken for any rod stop/block in any continuous rod withdrawal accident analyzed in WBN Unit 2 FSAR Chapter 15.For control systems isolated from safety systems, the applicable requirements of 10 CFR 50.55a(h) are defined in IEEE Std. 279-1971, Clause 4.7 and IEEE Std. 603-1991, Clause 5.6.3. Based on its review of the information provided in VA's letter dated October 29, 2010, the staff concludes that TVA's response regarding common-cause software failure in the CERPI system meets the applicable guidance of IEEE Std. 279-1971, Clause 4.7 and IEEE Std. 603-1991, Clause 5.6.3 and, therefore, is acceptable.
7-153 RG 1.97, Postaccident Monitoring System RG 1.97 describes an acceptable method for complying with the Commission's regulations to provide instrumentation to monitor plant variables and systems during and following an accident in a light-water-cooled nuclear power plant. RG 1.97 recommends that control rod position indication be a Type B, Category 3 variable (B3) to monitor for reactivity control. WBN Unit 2 FSAR Amendment 102, Table 7.5-2, "Regulatory Guide 1.97 Variable List (Deviation and Justification for Deviations)," deviation number 35, states that control rod position is a Type D, Category 3 variable.
In its letter dated May 9, 1994 (ADAMS Accession No. ML073230654), TVA justified a deviation from RG 1.97 for the control rod position indication variable and that it be categorized as a Type D, Category 3 variable.
TVA stated that control rod position indication is an indirect variable, providing backup indication for monitoring reactivity control. Neutron flux (Category
- 1) is a direct variable that allows the operator to determine if reactivity is under control (i.e., the reactor has tripped and the core is in a subcritical condition).
The NRC staff approved the deviation in Section 7.5.2 of SSER 14, dated December 1994. This variable is considered unique to WBN Unit 2 because it is now processed by the CERPI system. Therefore, there are differences between how the information for this variable is processed in WBN Unit 1 and WBN Unit 2. The information at WBN Unit 2 is processed by the CERPI computer system and is displayed on digital OMs in the MCR. However, a change in the processing system and display device does not necessarily result in a new deviation from the guidance of RG 1.97. TVA's deviation number 35 of FSAR Table 7.5-2 does not propose to change the functional characteristics (e.g., indicated parameter(s) and range of indication) nor the equipment qualification of this PAMS indication from what was previously approved.
Therefore, based on the NRC staffs prior approval, as documented in SSER 14, and on the staffs review of the new digital CERPI system, the staff concludes that, because control rod position provides only backup indication for monitoring reactivity control, the staffs conclusions in the SSER remain valid and using the control rod position as a Type D variable is acceptable (also, see Section 7.5.1.2 of SSER 23 for RG 1.97 compliance).
FSAR Chapter 15, Section 15.2.3, states that the accuracy of the rod position indication is plus or minus 5.0 percent of span (plus or minus 7.2 inches). This conflicts with the accuracy requirement of plus or minus 5.19 percent (plus or minus 7.47 inches) in the CERPI system requirements specification (Attachment 29 to TVA's letter dated October 5, 2010), and the staff asked TVA to clarify the discrepancy.
In its letter dated October 29, 2010, TVA stated (letter item number 301) the following:
The cycle-specific analyses for the static rod misalignment assume full misalignment of an individual rod from the bank position indicator(s).
Such a misalignment exceeds that which is possible during plant operations when accounting for the most adverse combination of the rod deviation alarm and uncertainty of the rod position indicator (both 12 steps). For consistency of parameter (and units) with the deviation alarm and position indicator uncertainty, the WBN Unit 2 FSAR Chapter 15, Section 2.3.1 will be revised in Amendment 102 to read: "The resolution of the rod position indicator channel is +/- 12 steps. Deviation of any RCCA from its group by twice this distance (24 steps) will not cause power distributions worse than the design limits. The deviation alarm alerts the operator to rod deviation with respect to group demand position in excess of 12 steps. If the rod deviation alarm is not operable, the operator is required to take action as required by the Technical Specifications." 7-154 This change is consistent with FSAR section 4.3.2.2.5, Limiting Power Distributions Page 4.3-13, which states the maximum deviation assumed is 12 steps.The maximum uncertainty for rod position indication is plus or minus 12 steps (plus or minus 7.5 inches), as documented in TVA's letter to the staff dated February 2, 2010 (ADAMS Accession No. ML100550494), which provided TS Basis B.3.1.8, "Rod Position Indication." Furthermore, deviation of any RCCA from its group by twice the accuracy limit (24 steps) will not cause power distributions worse than the fuel design limits. Based on the CERPI system accuracy of plus or minus 5.19 percent (plus or minus 7.47 inches), which is within the RPIS TS Basis accuracy of plus or minus 12 steps (plus or minus 7.5 inches), the staff concludes that TVA's response is acceptable.
The staff verified that, in FSAR Amendment 102, TVA updated Chapter 15, Section 2.3.1 to clarify the accuracy requirements for rod position indication.
7.7.1.3.5 Conclusion Based on its review of the information provided by TVA, as discussed above, the NRC staff concludes that the new digital RPIS at WBN Unit 2 meets the acceptance criteria provided in SRP Section 7.7, Revision 5 and, therefore, is acceptable.
7.7.1.4 Distributed Control System Certain nonsafety-related control and indication functions in WBN Unit 2 are implemented using a DCS, as described by TVA in FSAR Section 7.7.1.11.
The functional design of the WBN Unit 2 control system implemented in the DCS is similar to the WBN Unit I analog control system, but it incorporates changes that are designed to improve reliability and eliminate significant single points of failure. The basic components of the DCS are redundant fault-tolerant processor pairs, redundant power supplies with diverse power sources, and redundant communication networks.
Multiple inputs are provided for critical plant parameters.
Redundant field-bus modules are used for critical inputs and outputs. Workstations are provided in the MCR and the auxiliary instrument room for trending, alarm monitoring, and system maintenance activities.
Manual control is available from hand/auto stations on the main and auxiliary control boards. The NRC staff reviewed the WBN Unit 2 DCS as described in FSAR Amendments 96 through 103.7.7.1.4.1
System Description
The WBN Unit 2 DCS is being implemented by TVA using a Foxboro (Invensys)
I/A system for control and monitoring of most nonsafety-related NSSS and balance-of-plant systems. The controls are distributed among 15 control groups, each with a redundant processor pair. In its letter dated April 27, 2010 (ADAMS Accession No. ML1 01230248), TVA stated that there are no digital communications or interactions between the Foxboro I/A and any safety-related system.As described in FSAR Section 7.7.1.11.1, the WBN Unit 2 DCS consists of multiple functional groups, each with a redundant control processor (CP) pair (a master and a backup). The control systems are assigned to different CP pairs to maintain independence between redundant control functions and to limit the effects of failures on the critical control systems.The staff finds that the functions provided by the DCS suppose compliance with GDC 13. The 15 function groups are as follows: 7-155 (1) steam generator 1 level, feedwater flow (2) steam generator 2 level, feedwater flow (3) steam generator 3 level, feedwater flow (4) steam generator 4 level, feedwater flow (5) main feedwater pump speed control and steam dump loss of load interlock (6) rod control (7) steam generator 1 PORV (atmospheric dump)(8) steam generator 2 PORV (atmospheric dump)(9) steam generator 3 PORV (atmospheric dump)(10) steam generator 4 PORV (atmospheric dump)(11) condenser steam dump (12) pressurizer A (pressure, level, charging, letdown, spray, cold overpressure mitigation system (COMS))(13) pressurizer B (pressure, level, charging, letdown, spray, COMS)(14) auxiliary control system (ACS) A (15) ACS B Two groups are dedicated to the ACS instrumentation, which is not required for normal plant operation.
These two groups (i.e., items 14 and 15 in the preceding list) are isolated from the rest of the DCS network during normal operation, except for maintenance purposes, to eliminate the possibility of events external to the auxiliary control room causing loss of these processor pairs. TVA did not evaluate segmentation of the DCS functions of the ACS, because the ACS is not used for normal plant operation, DCS groups 14 and 15 are isolated from the network during normal operation, the unit will be shut down if the MCR has to be abandoned, and no other design-basis event or abnormal plant condition is assumed concurrent with MCR evacuation, except fire or design-basis flood. The NRC staff reviewed the FSAR Chapter 15 accident analyses and verified there was no other analyzed event in which the control room was evacuated.
Power Supplies:
Each of the redundant power supplies for the control groups is fed from an inverter with battery and emergency DG backup-typically the primary power supply is from a 120 volt alternating current (VAC) vital inverter and the secondary from the 120 VAC TSC inverter.
This arrangement is designed to ensure that a single power supply or inverter failure will not result in loss of function, eliminating loss of power as a single point of failure. One significant feature of this configuration is that an inverter failure will not cause a plant trip due to the main feedwater control valves closing.Signal Selection and Validation:
The use of multiple measurement channels for critical parameters such as turbine impulse pressure, steam header pressure, and feedwater pressure allows the use of various signal selectors to improve reliability and eliminate single point failures.
Redundant inputs are typically assigned to different input modules to provide additional hardware diversity and eliminate hardware common-cause failure. Although there is no regulatory requirement for this redundancy and diversity, the staff concludes that it is good engineering practice.A median signal selector chooses the median value signal of three inputs for control use. With the median signal selector, a spurious high or low signal from any one channel will not cause a control action. When only two inputs are available, an average is computed, and a third correlated signal may be provided as a voter. The voter is never used for control. With four inputs, either the highest input (auctioneered) or the second highest input (higher median) is selected for control.7-156 The system also employs signal validation techniques that can remove bad or out-of service signals from the algorithm and select from the remaining good signals or transfer control to manual in the event of multiple input signal failures.
This includes input signals that deviate significantly from the selected signal (auctioneered or median). These conditions will be alarmed and the bad signal removed from the control algorithm.
Use of these techniques is intended to minimize or eliminate the potential for a transient initiated by the failure of a single input.Shared Signals: Some signals are used in more than one functional group or processor pair.They may be provided to each processor as separate inputs, or they may be input to one processor for development of the control signal (e.g., auctioneered, median), which is then transmitted to other processors by either a hardwired analog connection, peer-to-peer network connection, or both. No critical control function depends the network alone. This scheme is intended to eliminate the possibility that failure of a single input signal, a single processor pair, or both communication networks will disable multiple control systems or functions.
External Communication:
Two communication links are provided from the DCS to the plant computer (see also Section 7.9, "Data Communications Systems," of this SSER). Firewalls between the systems limit the volume of data traffic and ensure that common-cause events, such as a data storm, do not impact multiple control systems within the DCS. There are no digital communications from the control system to the protection system. The control system analog process inputs from the protection system are transmitted via qualified isolators as on WBN Unit 1.Network Data Storm: In Enclosure 2 of its letter dated August 11, 2010 (ADAMS Accession No. ML1 02240384), TVA stated the following:
A network data storm test will be performed with the system installed and prior to final commissioning.
The test will confirm that the system will continue to function with a failed communication network without any plant upset.As noted previously, the system is designed with hardwired analog control signal transmission between CP pairs, so that no critical control functions are totally dependent upon the network, and the system will continue to function if the network fails.7.7.1.4.2 Comparison with WBN Unit 1 The following differences exist between the WBN Unit 1 control system and the WBN Unit 2 DCS implemented in the Foxboro IIA: (1) WBN Unit I has analog modules in panels in the Auxiliary Instrument Room and Auxiliary Control Room performing control, monitoring, and alarm functions.
WBN Unit 2 will have a Foxboro I/A, digital DCS with functions implemented using software.(2) WBN Unit I has Foxboro "H-line" and other hand/auto stations on the main control room and auxiliary control room benchboards, which interface with the analog modules described above. WBN Unit 2 has new hand/auto stations interfacing to the digital control system.7-157 (3) On WBN Unit 1, a failure of a controller or other analog module will cause a loop to fail.WBN Unit 2 has redundant CPs executing the control algorithms.
For some critical WBN Unit 2 loops, redundant transmitters and redundant outputs to control valves are added to eliminate single point failures.(4) In WBN Unit 1, four channels of vital power are available, and loops are assigned to each channel to minimize the impact of losing one channel of power. In WBN Unit 2, there are also four channels of vital power, but control hardware is powered by a channel of vital power based on panel location.
In addition, a second redundant power source is provided to each WBN Unit 2 panel. As a result, the loss of a single power source to any WBN Unit 2 panel will not result in a loss of any control or monitoring function.7.7.1.4.3 Regulatory Analysis The staff used the guidance of SRP Section 7.7, Revision 5 in its review of the WBN Unit 2 DCS. The staff's acceptance criteria are based on meeting the relevant requirements of the following regulations:
(1) 10 CFR 50.55a(a)(1), "Quality Standards for Systems Important to Safety." (2) 10 CFR 50.55a(h), "Protection and Safety Systems," requires compliance with IEEE Std.603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. For control systems isolated from safety systems, the applicable requirements of 10 CFR 50.55a(h) are defined in IEEE Std. 603-1991 Clause 5.6.3, "Independence Between Safety Systems and Other Systems," and IEEE Std. 603-1991 Clause 6.3, "Interaction Between the Sense and Command Features and Other Systems." (3) 10 CFR Part 50, Appendix A, General Design Criteria (GDC) 1, "Quality Standards and Records." (4) GDC 13, "Instrumentation and Control." (5) GDC 24, "Separation of Protection and Control Systems." In addition, the NRC staff used the guidance for diversity and defense-in-depth (D3)assessments provided in SRP BTP 7-19.7.7.1.4.4 Technical Evaluation 7.7.1.4.4.1 Segmentation Analysis TVA performed a segmentation analysis, as provided in Enclosure 2 of its letter dated August 11, 2010 (ADAMS Accession No. ML102240384), and concluded that a failure of one CP pair, with all outputs failing high, low, or as is, will not cause any of the following:
(1) the feedwater control valves in more than one loop (steam generator (SG) level control)to fail open 7-158 (2) the feedwater control valves in one loop to fail open concurrent with the main feedwater pump speed control going to maximum speed (3) all of the condenser steam dump valves to fail open (4) both the condenser steam dump valves and atmospheric steam dump valves (SG PORVs) to fail open.(5) more than one SG PORV to fail open (6) both pressurizer PORVs to fail open or closed, including low power operation (COMS)(7) both pressurizer spray valves to fail open or closed loss of charging flow to the reactor coolant pump seals Loss of both reactor coolant letdown paths (8) complete loss of pressurizer heater control and protection One aspect of the analysis that has not yet been confirmed by TVA is the ability of the network to sustain a data storm event without experiencing a plant upset, as necessary to verify compliance with Clause 6.3 of IEEE Std. 603-1991.
In Enclosure 2 of its letter dated August 11, 2010 (ADAMS Accession No. ML102240384), TVA stated the following:
A network data storm test will be performed with the system installed and prior to final commissioning.
The test will confirm that the system will continue to function with a failed communication network without any plant upset.TVA should confirm to the NRC staff the completion of the data storm test on the DCS. This is Open Item 83 (Appendix HH).Based on its review of the segmentation analysis performed by TVA, the staff concluded that the design of the WBN Unit 2 DCS does not introduce new control system failures that could adversely impact the safety analyses as described in the FSAR. Functional diversity and independence are provided for the critical control systems as required by the design basis and in a manner consistent with the WBN Unit I design. The segmentation implemented for Unit 2 eliminates the possibility of a single processor pair failure from disabling multiple control systems or redundant features of these systems.7.7.1.4.4.2 Mesh Network Failure Analysis In Attachment 42 to its letter dated October 5, 2010 (ADAMS Accession No. ML1 02930118, not publicly available), TVA provided a description of the Foxboro I/A mesh network, including an analysis of credible network failures.
Based on its review of the analysis, the staff concluded that a Foxboro I/A mesh network failure in one segment will not disable another segment.7.7.1.4.4.3 Common-Cause Failure The Foxboro I/A DCS is segmented, as described above, into different subsystems such that the failure of any individual segment is within the design basis of WBN Unit 2. The only causal 7-159 mechanism for a failure of one segment to propagate to another segment is through the mesh network. TVA analyzed mesh network failures, as noted above, to ensure that a failure will not propagate across the mesh network. TVA stated in Enclosure 2 of its letter dated August 11, 2010, that it will perform a data storm test. The test will demonstrate conformance to Clause 6.3 of IEEE Std. 603-1991 by proving that the Foxboro I/A mesh will not propagate failures from one segment to another and cause a plant upset.7.7.1.4.4.4 Quality of Distributed Control System The staff notes that the DCS does not perform a safety-related function, so the quality of the system is not regulated by the provisions of Appendix B to 10 CFR Part 50, which regulate safety-related structures, systems, or components.
However, good engineering practice is that management measures need to be applied and quality controls need to be used to the extent that the principles of design control, configuration management, and quality records are maintained.
In Attachment 35 to its letter dated October 5, 2010, TVA provided procedure TVA SPP-2.6, Revision 12, "Computer Software Control," which governs acquisition of digital equipment for WBN Unit 2. The document specifies the required plans, verification and validation documentation, and operating documentation necessary when acquiring various categories of digital plant systems. The document also contains provisions for modification and testing of digital systems.The NRC staff reviewed TVA SPP-2.6. Based on engineering judgment, the staff concludes that the DCS procurement and maintenance procedure complies with the quality standards requirements of 10 CFR 50.55a(a)(1) and GDC 1.7.7.1.4.5 Conclusion The NRC staff reviewed the WBN Unit 2 DCS as described in FSAR Amendments 96 through 103. Based on its review, the staff concludes that the information provided in FSAR Section 7.7.1.11 meets the relevant regulatory requirements identified in SRP Section 7.7, Revision 5, including 10 CFR 50.55a(a)(1), GDC 1, and GDC 13. The staff also concludes that TVA's analysis shows that the new DCS is consistent with Clause 6.3 of IEEE Std. 603-1991 and does not introduce any new failures, or change the probability or consequences of existing failures, not already addressed in the FSAR safety analyses.Additional evaluation by the NRC staff regarding conformance with Clause 5.6.3 of IEEE Std. 603-1991 and GDC 24 is contained in Section 7.9 of this SSER.7.7.2 Safety System Status Monitoring System In Section 7.7.2 of the SER, and in SSER 7 and SSER 13, the NRC staff evaluated WBN FSAR Section 7.7.1.3.6, "Safety System Status Monitoring System." TVA restructured the WBN Unit 2 FSAR in Amendment 96, such that Section 7.7.1.3.6 now references Section 7.5, which provides a description of the BISIS system in FSAR Section 7.5.2.2. The NRC staffs evaluation of the WBN Unit 2 BISI is in Section 7.5.1.1.2 of this SSER.7-160
7.7.3 Volume
Control Tank Level Control System The volume control tank (VCT) is a part of the chemical and volume control system (CVCS).The CVCS provides several services to the RCS, such as maintenance of programmed water level in the pressurizer, supplying water to the reactor coolant pump seals, and coolant purification.
The centrifugal charging pumps of the CVCS also serve as the high-head safety injection pumps in the ECCS. The VCT is described in WBN Unit 2 FSAR Section 9.3.4.2.1.C(1), "Volume Control Tank." The FSAR states the following:
The VCT provides surge capacity for part of the reactor coolant expansion volume not accommodated by the pressurizer.
Overfilling of the VCT is prevented by automatic diversion of the letdown stream to the HUT [CVCS holdup tank]. The VCT also provides a means for introducing hydrogen into the coolant to maintain the required equilibrium concentration and is used for degassing the reactor coolant. It also serves as a head tank for the charging pumps.The volume control tank level control system (VCTLCS) is also described in FSAR Section 9.3.4.2.1 .C(l). The NRC staff reviewed FSAR Amendments 92 through 103 to evaluate any substantive changes from the review of the VCTLCS documented in the SER. In FSAR Amendment 97, TVA incorporated a change to the VCTLCS that relocated the description of the indication and control functions of the VCTLCS to the Foxboro I/A DCS. In its letter dated July 30, 2010 (ADAMS Accession No. ML1 02160349, not publicly available), TVA stated the following:
The devices in the Volume Control Tank Level Control System have been replaced.
The Volume Control Tank Level Indication and Control functions have been relocated to the Foxboro IA system. The transmitters and indicators have been replaced with 4-20mA technology, and the transmitters have been changed to Rosemount.
Because the relocation does not change the function performed by the VCTLCS, the NRC staff concludes that the change is acceptable.
The staff's review of the DCS is documented in Section 7.7.1.4 of this SSER.TVA also revised FSAR Section 9.3.4.2.1 .C(1) to correct the description of the VCT alarm function from "low-low level alarm" to "low level alarm." The additional changes made by TVA to FSAR Section 9.3.4.2.1.C.(1) were editorial or administrative in nature or were made to improve consistency with other FSAR sections and, therefore, were acceptable.
In response to NRC staff questions, TVA provided by letter dated July 30, 2010, a description of how the WBN design addresses level transmitter failures: Upscale failure of LT-62-129A:
Flow is diverted to the holdup tank but makeup continues to maintain level and alarms alert the operator.Upscale failure of LT-62-130A:
Unlike Unit 1, the makeup control system uses inputs from both LT-62-130A and LT-62-129A.
This results in a more robust design that eliminates a single point of failure for LT-62-130A.
If transmitter LT-62-130A fails >20mA, the system disregards the input and uses the LT-62-129A signal for control. If transmitter LT-62-130A is high but <20 mA, the 7-161 deviation between the two causes an alarm, and the diverter valve loop and makeup control both use the last good value of the average. Once the level goes high or low, alarms on LT-62-129A alert the operator to take action to mitigate.The staff concluded that TVA's approach is consistent with the approach previously approved in the SER. Therefore, the NRC staff concludes that the approach is acceptable for WBN Unit 2.Based on the NRC staffs review of WBN Unit 2 FSAR Amendments 92 through 103, the staff concludes that there were no substantive changes to the information provided by TVA in FSAR Section 9.3.4.2.1.C(1), and that the staffs conclusions in the SER remain valid.7.7.4 Pressurizer and Steam Generator Overfill 7.7.4.1 Introduction The WBN Unit 2 pressurizer and steam generator water level control systems provide a level of defense to protect against the consequences of pressurizer and steam generator overfill.Overfill of the pressurizer could result in reactor coolant inventory loss through the pressurizer safety valves, and overfill of the steam generators could result in damage to main steamline components or to the main turbine. Pressurizer water level control is described in WBN Unit 2 FSAR Sections 7.2.2.3.4 and 7.7.1.6, "Pressurizer Water Level Control." Steam generator water level control is described in FSAR Sections 7.2.2.3.5, "Steam Generator Water Level," and 7.7.1.7, "Steam Generator Water Level Control." Additional details about the design of the sensing lines, instruments, and logic for the pressurizer water level controls and the design of the pressurizer high-water reactor trip function are contained in FSAR Sections 7.2.1.1.2(3) and 7.2.1.1.5, and in Figure 7.7-5. Additional details about the logic design of the steam generator water level controls are provided in FSAR Section 7.2.2.3.5 and Figure 7.7-6.TVA provided additional information about pressurizer and steam generator water level controls in its letter dated October 29, 2010 (letter item number 293) (ADAMS Accession No. ML10312071 1). The NRC staff noted that the portions of the pressurizer and steam generator water level controls that protect against vessel overfill conditions for Unit 2 are implemented within the Foxboro I/A DCS, which is a newer version of the DCS than that implemented for WBN Unit 1. A discussion of the NRC staffs evaluation of the differences between these DCS systems is presented in Section 7.7.1.4 of this SSER. It describes the NRC staff's analyses of the power supply distribution independence, segmentation, and failure analysis.
The NRC staffs evaluation of the design of the portions of the Unit 2 pressurizer and steam generator high-level control systems that protect against vessel overfill conditions is presented below.7.7.4.2 Pressurizer Overfill Protection
System Description
The high pressurizer water level reactor trip serves to protect against pressurizer overfill.
Three independent, redundant pressurizer water level monitoring channels are provided and arranged in a two-out-of-three logic to trip the reactor on high pressurizer water level. This reactor trip serves to prevent water discharge through the pressurizer safety relief valves. The high water level trip setpoint provides sufficient margin such that the undesirable condition of discharging reactor coolant inventory through the safety valves is avoided. Even at full-power conditions, which would produce the worst thermal expansion rates, a failure of water level control would not lead to any liquid discharge through the safety valves. This is the result of the automatic high pressurizer pressure reactor trip actuating at a pressure sufficiently below the safety valve 7-162 setpoint.
In addition, alarms are actuated on high or low water level and on significant deviations from programmed level.The pressurizer level channels provide isolated signals to the DCS that are used for normal pressurizer level control. A medium signal selector function in the DCS selects the medium of the three signals for pressurizer level control so that a spurious high or low signal from any one channel would not cause a control room action. If a failed channel is detected by the DCS, it would not be used in the control algorithm and the average of the two remaining channels would be used for control. The pressurizer level alarms described above are independent of the DCS that controls normal water level in the pressurizer.
Channel failure can also be detected by comparison to the other two redundant level channel indicators located in the MCR.A DCS failure resulting in a high or low control signal could result in an increase or decrease in pressurizer level at a slow rate. In Section 7.7.4 of the SER, the NRC staff previously evaluated the effects and consequences of a failure occurring within the control system with the potential to overfill the pressurizer.
TVA previously provided the results of a set of analyses that had been performed for this event. Four cases were presented (with or without pressurizer spray available, and with combinations of charging pump availability).
In all cases, the time it takes to fill the pressurizer after a high-level alarm is reached was more than the 10-minute operator time limit, allowing operators sufficient time to diagnose the event and take appropriate action.Although the DCS hardware and software that implements normal pressurizer level control for WBN Unit 2 is different from the controls previously analyzed for WBN Unit 1, the effects and consequences of a failure of the DCS on the RCS are the same, and the NRC staffs conclusions about pressurizer vessel overfill protection remain valid. A failure of the DCS that implements the normal pressurizer level control system will not result in an unanalyzed condition for the reactor system.The NRC staff evaluated the information provided by TVA in FSAR Amendments 96 through 103, which describe TVA's intended design and regulatory compliance for WBN Unit 2.Although the hardware and software that implement the DCS system that provides the controls for the pressurizer level are different from those for WBN Unit 1, the NRC staff concluded that TVA made no substantive functional changes to the design of the pressurizer overfill prevention features that would invalidate the staff's conclusions documented in the SER.7.7.4.3 Steam Generator Overfill Protection
System Description
The steam generator high-high level interlock (P-14) protects against steam generator overfill.For each steam generator, three independent, redundant steam generator water level monitoring channels are provided and arranged in a two-out-of-three logic to close all feedwater control and isolation valves and trip the turbine. A reactor trip would occur indirectly as a result of a turbine trip if the power is above 50 percent. The steam generator level channels provide isolated signals to the DCS. A medium signal selector in the DCS selects the medium of the three signals for steam generator level control so that a spurious high or low signal from any one channel would not cause a control system action. If a failed channel is detected by the DCS, it would not be used in the control algorithm and the average of the two remaining channels would be used for control.The NRC staff evaluated the information provided in FSAR Amendments 96 through 103, which describe TVA's intended design and regulatory compliance for WBN Unit 2. The staff noted that the description of the overfill protection features of the steam generator high-level trip was not as complete in FSAR Section 7.7.1.7 as depicted in TVA's original FSAR through Amendment 7-163
- 92. In response to an NRC staff question about the location of this information, TVA described in its letter dated October 29, 2010 (letter item number 293; ADAMS Accession No. ML103120711) that this function is identified as ESFAS interlock P-14 in FSAR Section 7.3, Table 7.3-3. The high-high level interlock is also discussed in FSAR Section 10.4.7.3.
FSAR Section 15.2.10 analyzes the feedwater malfunction event that causes one or more feedwater control valves to fail to the fully open position.The NRC staff evaluated the information provided in FSAR Amendments 96 through 103, which describe TVA's intended design and regulatory compliance for WBN Unit 2. Although the hardware and software that implement the DCS system providing the controls for the steam generator water level for Unit 2 are different from those evaluated for WBN Unit 1, the NRC staff concludes that TVA made no substantive functional changes to the design of the steam generator overfill prevention features that would invalidate the staffs conclusions as documented in the SER.7.7.4.4 Conclusion The NRC staff reviewed the pressurizer water level controls and the steam generator water level controls to prevent vessel overfill conditions provided by TVA in WBN Unit 2 FSAR Amendments 96 through 103 and in TVA's letter dated October 29, 2010. The staff verified that these systems are functionally the same as those of WBN Unit 1, which was previously reviewed and accepted by the staff, as documented in the SER. Based on the NRC staffs prior evaluation in the SER and the similarity of the WBN Unit 1 and Unit 2 systems, the staff concludes that the information provided in WBN Unit 2 FSAR Sections 7.7.1.6 and 7.7.1.7 is acceptable and that the staffs conclusions in the SER remain valid.7.7.5 Office of Inspection and Enforcement Information Notice 79-22 The NRC staffs evaluation of TVA's response to IE Information Notice 79-22, "Qualification of Control Systems," issued September 1979, was documented in Section 7.7.5 of the SER. The staff evaluated TVA's original assessment of how harsh environments associated with high-energy line breaks might cause control system malfunctions and result in consequences more severe than those of either the FSAR Chapter 15 analyses or those beyond the capability of operators or safety systems.In response to NRC staff questions, TVA described by letter dated July 30, 2010 (ADAMS Accession No. MLI102160349, not publicly available), its implementation of 10 CFR 50.49.IE Information Notice 79-22 was a precursor to 10 CFR 50.49. TVA stated, in part, the following:
In implementing 10 CFR 50.49, TVA upgraded susceptible safety-related devices located in harsh environments to fully qualified devices. For WBN Unit 2, only fully qualified safety-related devices are installed in areas susceptible to a high energy line break. The non-safety-related device/systems within the scope of IEN 79-22 are: 1. Steam generator power operated relief valve control system 2. Pressurizer power operated relief valve control system 3. Main feedwater control system 4. Automatic rod control system 7-164 Failure of these systems/devices due to a high energy line break is fully addressed in Chapter 15, "Accident Analysis," of the WBN Unit 2 FSAR.The NRC staffs evaluation of environmental qualification of electrical equipment is discussed in Section 3.11, "Environmental Qualification of Mechanical and Electrical Equipment," of this SSER.Based on its previous evaluation, as documented in the SER, and on its review of the information provided in TVA's letter dated July 30, 2010, the staff concludes that TVA's assessment of IE Information Notice 79-22 is acceptable, and that the staffs conclusions in the SER remain valid.7.7.6 Multiple Control System Failures In SER Section 7.7.6, "Multiple Control System Failures," the NRC staff evaluated TVA's assessment of (1) loss of power to all control systems powered by a single power supply, (2) failure of each instrument sensor that provides a signal to two or more control systems, and (3) a break of any sensor impulse line that is used for sensors providing signals to two or more control systems. TVA concluded that the consequences of single failure within the control systems are bounded by the analysis in FSAR Chapter 15. The staff concluded that TVA's analysis was acceptable for WBN Units 1 and 2.In order to confirm that the analysis is still applicable to WBN Unit 2, the staff asked TVA to provide the following additional information:
In order for the staff to review the effects of multi control systems failure, provide the summary of the analyses documenting the effect on the plant based on the following events: (1) loss of power to all control systems powered by a single power supply; (2) failure of each instrument sensor which provides signal to two or more control systems; (3) Break of any sensor impulse line which is used for sensors providing signals to two or more control systems; and (4) failure of digital system based on the common cause software failure affecting two or more control systems. For each of these events, confirm that the consequences of these events will not be outside chapter 15 analyses or beyond the capability of operators or safety systems.By letter dated October 21, 2010 (letter item number 276; ADAMS Accession No. ML103140661), TVA responded that, in addition to the DCS, the other nonsafety-related control systems that were analyzed and evaluated included the rod control system and main turbine electro-hydraulic control (EHC) system. For DCS items 1, 2, and 4 of the staffs question, TVA performed a segmentation analysis, which was reviewed and accepted by the staff in Section 7.7.1.4.4.1 of this SSER. For item 3 of the staffs question, TVA submitted the results of its analysis and determined that there are no transmitters on shared sensing lines, such that a sensing line failure would impact any combination of the DCS, rod control, and EHC system. For the rod control and the EHC systems, TVA stated that items I and 2 are bounded by the analysis that was performed for WBN Unit 1. In addition, TVA stated by letter dated December 22, 2010 (ADAMS Accession No. ML1 10100650), that it reviewed all nonsafety-related control systems and determined that failures of nonsafety-related control systems, based on the criteria identified in the staffs question, are bounded by the FSAR Chapter 15 analysis.
The NRC staff concludes that TVA's response is acceptable, because failure of all applicable nonsafety control systems are considered in the FSAR Chapter 15 analysis.7-165 Therefore, based on the staffs previous evaluation, as documented in the SER, and on its evaluation of the information provided by TVA in its response to staff questions, the conclusions in the SER remain valid.7.7.8 Anticipated Transient without Scram Mitigation System Actuation Circuitry The NRC staff reviewed the anticipated transient without scram (ATWS) mitigation system actuation circuitry (AMSAC) for WBN as documented in SSER 9 and SSER 14. The NRC staff reviewed FSAR Amendments 92 through 103 to evaluate any substantive changes from the review documented in the SSERs. TVA described the system in WBN Unit 2 FSAR Section 7.7.1.12, "Anticipated Transient without Scram Mitigation System Actuation Circuitry (AMSAC)." TVA stated, in part, the following:
The AMSAC equipment consists of a freestanding panel which is installed in the auxiliary instrument room of the Control Building.
This modification is diverse from sensor output to the final actuation device. The AMSAC is designed to automatically initiate auxiliary feedwater and trip the turbine under conditions indicative of an ATWS event. An ATWS event will be detected when low-low level in three out of four steam generators is coincidental with the turbine at or above 40 percent load. An AMSAC actuation will ensure the RCS pressure will remain below the pressure that will satisfy the ASME Boiler and Pressure Vessel Code Level C services limit stress criteria.In WBN Unit 2 FSAR Amendment 96, TVA removed a description of the AMSAC software-based system, which has been replaced with relay logic components.
TVA previously performed the AMSAC replacement for WBN Unit 1 under the 10 CFR 50.59,"Changes, Tests and Experiments," process. The NRC staff reviewed TVA's 10 CFR 50.59 safety evaluation for the WBN Unit 1 AMSAC replacement, as provided by TVA by letter dated July 30, 2010, and determined that no changes were made to the overall function of the system or its associated setpoints, and that only the internal components that perform the AMSAC operational logic functions were changed. Because there were no changes to the overall function of the system or associated setpoints, the NRC staff concludes that the proposed change is acceptable for WBN Unit 2.Based on its previous evaluation, as documented in SSER 9 and SSER 14, and on its review of FSAR Amendments 92 through 103 and the information provided by TVA in its letter dated July 30, 2010, the NRC staff determines that its conclusions in the SSERs regarding the AMSAC system remain valid for WBN Unit 2.7.8 NUREG-0737 Items NUREG-0737 forwarded post-TMI accident requirements, which the NRC approved for implementation, to licensees of operating power reactors and applicants for operating licenses.Following the accident at TMI Unit 2, the NRC staff developed an action plan (NUREG-0660) to provide a comprehensive and integrated plan to improve safety at power reactors.
Specific items from NUREG-0660 were approved by the Commission for implementation at reactors.
In NUREG-0737, those specific items were gathered into a single document that includes additional information about schedules, applicability, method of implementation review, submittal dates, and clarification of technical positions.
The total set of TMI-related actions were 7-166 collected in NUREG-0660, but only those items that the Commission approved for implementation were included in NUREG-0737.
The NRC staff reviewed the status of TMI action items for WBN Unit 2, as documented below.7.8.1 Relief and Safety Valve Position Indication (II.D.3)NUREG-0737, Item ll.D.3, requires that the RCS relief and safety valves be provided with a positive indication of valve position in the control room, derived from a reliable valve-position detection device or a reliable indication of flow in the discharge pipe.The NRC staffs review of this item was documented in the SER, SSER 5, and SSER 14, in which the staff approved TVA's revision to the original design to relocate the accelerometers for valve position indication from upstream to downstream of the relief valves. The revision did not change the function of the position indication hardware and so did not affect the staffs conclusions.
As documented in the NRC letter to TVA dated May 28, 2008 (ADAMS Accession No. ML081490093), the staff concluded that there is no change at WBN Unit 2 to the approved design. The NRC staff will verify installation of the acoustic monitoring system for the PORV position indication in WBN Unit 2 before fuel load. This is Open Item 74 (Appendix HH).7.8.2 Auxiliary Feedwater Initiation and Control and Flow Indication (II.E.1.2)
NUREG-0737, Item II.E.1.2, requires a timely initiation of the AFW system, as well as a safety-grade AFW flow indication powered from emergency buses.In the SER, the NRC staff concluded that WVA demonstrated that the AFW automatic initiation system met the applicable requirements of Item II.E.1.2.As documented in the NRC letter to TVA dated May 28, 2008 (ADAMS Accession No. ML081490093), the staff concluded that there is no change at WBN Unit 2 to the approved design. The NRC staff will verify that the test procedures and qualification testing are completed in WBN Unit 2 before fuel load. This is Open Item 75 (Appendix HH).7.8.3 Proportional Integral Derivative Control Modification (11.K.3.9)
NUREG-0737, Item I1.K.3.9, requires implementation of a Westinghouse recommendation to modify the PORV proportional integral derivative controller to prevent derivative action from opening the PORV. Two options are provided.TVA satisfied this requirement by implementing the option of setting the derivative time constant equal to zero. The NRC staff approved TVA's action in the SER.In its letter to the NRC dated July 30, 2010 (ADAMS Accession No. ML1 02170077), TVA committed to setting the derivative time constant equal to zero in WBN Unit 2. The NRC staff concluded that this action satisfies the NUREG-0737 item. The NRC staff will verify that the derivative time constant is set to zero in WBN Unit 2 before fuel load. This is Open Item 76 (Appendix HH).7-167
7.8.4 Proposed
Anticipatory Trip Modification (l1.K.3.10)
NUREG-0737, Item I1.K.3.10, is applicable to licensees who propose an anticipatory trip modification to confine the range of use to high power levels. These licensees should show that the probability of a small-break LOCA resulting from a stuck-open PORV is substantially unaffected by this modification.
In SSER 4, the NRC staff concluded that TVA had adequately addressed the requirements of NUREG-0737, Item II.K.3.10, for removal of the anticipatory reactor trip on turbine trip at or below 50-percent power.The NRC staff reviewed the associated proposed WBN Unit 2 TS and surveillance requirements and concludes that there are no changes from the design approved in SSER 4 or from the WBN Unit 1 TS. Therefore, TVA's proposed actions for WBN Unit 2 are acceptable.
7.8.5 Confirm
Existence of Anticipatory Reactor Trip upon Turbine Trip (11.K.3.12)
NUREG-0737, Item II.K.3.12, states that licensees with Westinghouse-designed operating plants should confirm that their plants have an anticipatory reactor trip upon turbine trip.TVA confirmed that WBN has an anticipatory reactor trip on turbine trip, which satisfied this NUREG-0737 item, as documented in the SER.As documented in the NRC letter to TVA dated May 28, 2008 (ADAMS Accession No. ML081490093), the staff concluded that there is no change at WBN Unit 2 to the approved design. Therefore, it is acceptable to the staff.7.9 Data Communications Systems The digital data communications systems for the Eagle 21 process protection system portions of the reactor protection system (RPS), SSPS, Common Q PAMS, leading edge flow meter, Bentley-Nevada vibration monitoring, Ronan annunciation, CERPI, and Foxboro I/A DCS are evaluated in this section of the safety evaluation.
A description of the digital communications for each of these systems is provided in this section below.7.9.1 System Descriptions 7.9.1.1 Safety System Interdivisional Communications In response to a staff question, TVA stated in its letter dated July 30, 2010 (letter item number 45; ADAMS Accession No. ML102160349, not publicly available), that the only safety-related systems implemented at WBN Unit 2 using digital technology are Eagle 21, the Common Q PAMS, and the containment high-range radiation monitors: (1) Eagle 21 Process Protection System-There are no communications between RPS divisions.
The RPS divisions are physically separated with no interconnection from the input to the outputs. Further information on the RTS and the ESFAS can be found in Sections 7.2 and 7.3 of this safety evaluation.
7-168 (2) Common Q PAMS-There are no communications between divisions.
The divisions are physically separate, with no interconnections.
Additional information about the Common Q PAMS is contained in Section 7.5.2.2 of this safety evaluation.
(3) Containment High-Range Radiation Monitors-The monitors are independent standalone devices with no physical connection to each other. Further information about the containment high-range radiation monitors is contained in Section 7.5.2.3 of this safety evaluation.
7.9.1.2 Intersystem Digital Data Communications In Attachment 34, "Data Communications Systems Description and Regulatory Compliance Analysis," to TVA's letter dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), TVA provided descriptions of WBN Unit 2 data communication systems, which are paraphased below.Data Acquisition Network Links: The ICS has a network connection to 26 multiplexers.
These multiplexers are located in the computer room (19), auxiliary instrument room (5), and the 480V board room (2). The 26 multiplexers can support approximately 1,500 analog, 1,800 digital, and 24 pulse counter inputs, as well as 13 digital outputs and 12 analog outputs.Each network connection is a bidirectional Ethernet link using the Transmission Control Protocol/Internet Protocol (TCP/IP).(1) From Eagle 21 Process Protection System to ICS: The Eagle 21 system has a unidirectional Ethernet link to the ICS located in the auxiliary instrument room. Each of the 14 Eagle 21 cabinets contains a serial-to-Ethernet controller (SEC) card, which takes data from the Eagle 21 bus and sends it out the Ethernet port. The serial cable connecting the SEC card to the Eagle 21 contains no receive signal connections.
This provides an air gap for any signals coming in from the Ethernet.
These 14 network connections are routed over their own network to a PC located in the computer room.This PC collects the data being sent from Eagle 21 and sends that data to the ICS over a separate network connection.
There are approximately 1,000 Eagle 21 parameters collected by the ICS.(2) From SSPS to Control Board and ICS: The SSPS on WBN Unit 2 is the same as the SSPS on WBN Unit 1. Since the SSPS was approved in the SER, and is in use on Unit 1, the original evaluation of the SSPS is still valid. Therefore, the staff did not perform a complete new review of the SSPS data communications systems for Unit 2.WBN Unit 2 is protected by the SSPS with two types of outputs: one to trip the reactor and the other to actuate safeguards for protection of equipment and personnel.
Two redundant trains, identical in function, provide this protection.
In addition to the train A and train B cabinets, there are two demultiplexing units, one for each train interfacing with the control board and the ICS. Multiplexing techniques are employed to transmit information about the status of the SSPS to the control board and to the ICS. This minimizes the data line interface with the control board and computer.The required monitoring for the SSPS is multiplexed within each train and the outputs are provided to the control board and ICS, where they are demultiplexed.
A time division multiplexing scheme is employed using a clock/counter board, two decoder boards, and multiplexing gates located on the universal logic boards. The clock/counters are 7-169 synchronized with each other. Isolation between the demultiplexers and the trains, and between the two trains, is provided by the isolation boards employing photo-diode coupled pairs.Computer Demultiplexer:
Train B multiplexer gate outputs are routed through isolators and an interconnecting cable to the demultiplexer in the ICS. In the computer demultiplexer, the count outputs are decoded into data addresses for the memory boards that store data at repeated intervals from the multiplexed data lines. Outputs from the memory boards are connected to the computer input/output channels through the connector panel of the demultiplexer.
This demultiplexer is housed inside the ICS in the computer room.Control Board Demultiplexer:
Data are stored on memory boards in this demultiplexer in the same manner as in the computer demultiplexer.
The count outputs and multiplexed data are provided to this cabinet through an interconnecting cable from train A. This demultiplexer is housed, along with interface relays, in a cabinet in the MCR. The memory boards drive the interface relays whose contacts control status lamps and annunciators on the control board.(3) From Common Q PAMS to ICS: The train A and B Common Q MTP units located in the auxiliary instrument room each have a unidirectional Ethernet link to the ICS. The ICS gathers approximately 150 points from each MTP. Each MTP is isolated from the rest of the ICS by its own data diode. The hardware and software that make up the diodes are configured to allow no network traffic to pass from the ICS network to the MTP.The MTP display system has an Ethernet port with TCP/IP communications to support printing to the ICS via a one-way datalink from the MTP. The ICS is nonsafety-related equipment.
The ICS datalink is a custom protocol designed specifically to broadcast data to the ICS. No action over this Ethernet port from outside the safety boundary can affect the Common Q PAMS controller.
In addition, no actions over this Ethernet port from outside the safety boundary can affect the display of the RG 1.97 variables.
The staffs evaluation of Common Q PAMS communications is contained in Section 7.5.2.2.3.7 of this SSER.(4) Between ICS and Leading Edae Flow Meter: The ICS has a bidirectional Ethernet link to the leading edge flow meter located in the auxiliary instrument room. The ICS gathers approximately 40 data points from the leading edge flow meter.(5) Between ICS and Bentley-Nevada Vibration Monitoring:
The ICS has a bidirectional Ethernet link to the Bentley-Nevada vibration monitoring system located in the turbine building.
The ICS gathers approximately 140 data points containing vibration data for the main turbine as well as the main feed pump turbines.
The Bentley-Nevada system is isolated from the rest of the ICS with its own firewall, which limits communications both by source and destination addresses as well as by volume.(6) Between ICS and Ronan Annunciator:
The ICS has a bidirectional Ethernet link to two Ronan annunciator gateway computers located in the computer room. Each gateway computer has a bidirectional Ethernet link to a Ronan computer located in the MCR.Each gateway computer gathers approximately 2,800 points from its corresponding Ronan computer.
The same parameters are obtained from each workstation.
Each 7-170 Ronan computer in the control room is isolated from the rest of the ICS with its own firewall, which limits communications by both source and destination addresses, as well as by volume.(7) Between ICS and CERPI: The ICS has a bidirectional Ethernet link to the train A and train B CERPI system MTP units located in the auxiliary instrument room. The ICS gathers approximately 240 data points from each CERPI MTP and provides the CERPI system with rod bank demands, the auctioneered Delta-T, and a digital signal indicating interlocked rod demand. Each CERPI MTP is isolated from the rest of the ICS with its own firewall, which limits communications by both source and destination addresses, as well as by volume.(8) Between ICS and Foxboro IA DCS: The ICS has a bidirectional Ethernet link to the two DCS workstations in cabinet R184 located in the auxiliary instrument room. The ICS gathers approximately 350 data points from each workstation.
The same parameters are obtained from each workstation.
Each DCS workstation is isolated from the rest of the ICS network with its own firewall, which limits communications by both source and destination addresses, as well as by volume.(9) Between ICS and Man-Machine Network Links: The ICS has bidirectional Ethernet communications links to SDS, which consist of PCs and act as the operator/user interface for ICS functions.
There are six SDS terminals in the control room and one SDS terminal in the computer room.There is one printer in the computer room and another in the MCR. These printers have bidirectional connections to the ICS man-machine interface network and can be accessed by either the SDS computers or the ICS computers.
Typically, the SDS computers print screen copies and the ICS generates reports to these printers.The ICS has bidirectional Ethernet connections to three digital display units mounted in the MCR. These digital display units consist of four line displays that show the current value and quality of an operator selected point.The ICS has bidirectional Ethernet connections to four digital paperless recorders in the MCR. Each recorder can display the value of an operator-selected point.The ICS has a bidirectional communication link with the WBN Unit I ICS via a firewall.The firewall blocks traffic based on source and destination addresses as well as ports and protocols.
This data link is used to transfer common data from the WBN Unit I ICS, such as meteorological data, and to send data to the WBN Unit 2 plant engineering data system (PEDS) computer.The TSC is connected to the WBN Unit 1 ICS network via firewalls.
Firewall rules in the TSC firewalls and the interunit firewall will allow the TSC to access WBN Unit 2 ICS data.The PEDS computer is isolated from the ICS network by a data diode. The diode prevents any traffic from being sent from the PEDS to the ICS network.7-171 The PEDS is also connected to the TVA site network over a separate network connection that is further isolated by a firewall.
The firewall blocks traffic based on source and destination addresses as well as ports and protocols.
The PEDS computer receives the following data from the ICS:* current values and qualities of all ICS points* current database information
- history records collected by the ICS These data are then provided over the TVA network to interested personnel.
The PEDS also has a communication link with the CECC, which performs the functions of an EOF for all TVA nuclear units. The PEDS sends selected parameters to the CECC on a periodic basis. Those data can then be sent by the CECC to the NRC to meet NDL or emergency response data system commitments.
7.9.2 Regulatory
Evaluation The NRC staff reviewed the WBN Unit 2 data communications systems using the guidance of SRP Section 7.9, Revision 5, "Data Communication Systems," which provides guidance to the staff for the review of communication between systems and communication between computers within a system. The SRP section addresses both safety and nonsafety communication systems. The NRC's acceptance criteria are based, in part, on the following regulatory requirements:
10 CFR 50.55a(a)(1), "Quality Standards for Systems Important to Safety." In 10 CFR 50.55a(h), "Protection and Safety Systems," the NRC requires compliance with IEEE Std. 603-1991, and the correction sheet dated January 30, 1995. For nuclear power plants with construction permits issued before January 1, 1971, the applicant/licensee may elect to comply instead with the plant-specific licensing basis.For nuclear power plants with construction permits issued between January 1, 1971, and May 13, 1999, the applicant/licensee may elect to comply instead with the requirements stated in IEEE Std. 279-1971.
The minimum requirements that are applicable to all data communications systems are IEEE Std. 603-1991, Clause 5.6.3, or IEEE Std. 279-1971, Clause 4.7.2, "Isolation Devices," or the plant-specific licensing basis, as defined by 10 CFR 50.55a(h), as noted above.GDC 1, "Quality Standards and Records." GDC 24, "Separation of Protection and Control Systems." For digital data communications that support protection functions, the following additional regulatory requirements apply: In 10 CFR 50.34(f)(2)(v), the NRC details provisions for automatic indication of the bypassed and operable status of safety systems.For the digital data communications that support a control function, the following additional regulatory requirements are applicable:
7-172 GDC 13, "Instrumentation and Control" GDC 19, "Control Room" 7.9.3 Technical Evaluation 7.9.3.1 Quality of Data Communication System The data communication system does not perform a safety-related function, so the quality of the system is not regulated by the provisions of Appendix B to 10 CFR Part 50, which regulates safety-related structures, systems, or components.
However, good engineering practice is that management measures need to be applied and quality controls need to be used to the extent that the principles of design control, configuration management, and quality records are maintained.
In response to staff questions, in Attachment 35 to its letter dated October 5, 2010 (ADAMS Accession No. ML102910324, not publicly available), TVA provided its procedure SPP-2.6, Revision 12, "Computer Software Control." SPP-2.6 governs acquisition of digital equipment for WBN Unit 2. The document specifies the required plans, verification and validation documentation, and operating documentation necessary when acquiring various categories of digital plant systems. The document also contains provisions for modification and testing of digital systems.Based on its review of TVA procedure SPP-2.6 and on its engineering judgment, the NRC staff concludes that Data Communication System procurement and maintenance is addressed by a licensee procedure commensurate with the importance of the safety function of the system.Therefore, the system complies with the quality standards requirements of 10 CFR 50.55a(a)(1) and GDC 1.7.9.3.2 Separation of Protection and Control Systems Using the regulatory criteria of IEEE Std. 603-1991, Clause 5.6.3, and GDC 24, which pertain to independence and separation of protection and control systems, the NRC staff reviewed the communications between digital safety-related and nonsafety-related equipment.
Eagle 21 Process Protection System: The safety-related Eagle 21 system communicates with the following nonsafety-related systems: (1) Plant Computer-TVA described the digital communications isolation between Eagle 21 and the plant computer in Enclosure 1 to TVA's letter dated August 25, 2008 (ADAMS Accession No. ML082410088).
Some analog outputs are sent directly to the plant computer.
These outputs use the same qualified analog output module as the Foxboro I/A interface described below.By letter dated December 5, 2007 (ADAMS Accession No. ML073440022), TVA notified the NRC that TVA intended to use the Westinghouse Eagle 21 process protection system on WBN Unit 2. In its letter, TVA stated the following:
The Watts Bar Unit 2 Westinghouse Eagle-21 process protection system will be constructed to the same specification and standards as the Watts 7-173 Bar Unit 1 Eagle-21 system. Watts Bar Unit 2 hardware will be identical or equivalent to Unit 1. Watts Bar Unit 2 safety related firmware will be identical to the Watts Bar Unit 1 firmware....
TVA has made one design change to the Unit I Eagle-21 system under 10 CFR 50.59 after initial licensing
[provided to the NRC in Attachment 20 to TVA's letter dated October 5, 2010]. An external unidirectional communications interface was installed between the Eagle-21 test subsystem and the plant process computer.
This non-safety-related change allows the process computer to acquire data from the Eagle-21 system. This same modification will be performed for the Unit 2 Eagle-21 system.By letter dated December 27, 2007 (ADAMS Accession No. ML073610443), the NRC requested additional information about the Eagle 21 system to be employed at WBN Unit 2. By letter dated February 28, 2008 (ADAMS Accession No. ML080640269, not publicly available), TVA provided additional information on the Eagle 21 process protection system. By letter dated May 7, 2008 (ADAMS Accession No. ML081210506), the NRC transmitted a separate request for additional information to obtain further information on the Eagle 21 system based on TVA's initial response.
By letter dated August 25, 2008 (ADAMS Accession No. ML082410088), TVA provided additional detail on the Eagle 21 communication capabilities.
In order to verify the information provided by TVA about the communications connectivity of the Eagle 21 system in the letters identified above, the NRC staff reviewed design documentation during an audit conducted at the manufacturer's facility from May 10 to 13, 2010, to verify that the external communications interface was, in fact, unidirectional.
The November 2, 2010, audit report (ADAMS Accession No. ML1 02240630) documented the following:
The Eagle 21 internal wiring diagrams 1856E57 through 70 show the Serial to Ethernet Controller (SEC) is connected to the Eagle 21 system in three ways: (1) SEC Multibus card edge, (2) serial port J2, and (3) parallel port J1. Each of the connections was examined as described below.(1) The iSBC@ 286/12 manual (see page 4-20) describes the removal of jumper E19-E20 and installation of jumper E20-E21, which will disable Multibus communication of the SEC board. This jumper configuration was verified to be used in the Watts Bar application and is shown on the board configuration drawing 5D93433.(2) The iSBC 286/12 manual (see page 3-17) describes the pin-out of the serial port J2. Watts Bar uses a cable whose wiring is described by drawing 3D20355 to connect to this port. The transmit (from SEC) wires are omitted in the manufacturing of this cable.(3) The iSBC 286/12 manual (see page 5-10) describes placing a jumper on E138-E140, which will configure the parallel port J1 as a receive port. This jumper configuration was verified to be used 7-174 in the Watts Bar application and is shown on the board configuration drawing 5D93433.Based on its review of the design, the NRC staff concluded that the design enforces one-way communication, such that data from the Eagle 21 system can be sent to external systems; however, the external systems do not have a viable pathway to transmit data back to the Eagle 21 safety system. This communication restriction meets the provisions of IEEE Std. 603-1991, Clause 5.6.3, and GDC 24. This conclusion is also consistent with the findings of TVA's 10 CFR 50.59 analysis (ADAMS Accession No. ML102920611, not publicly available), which was performed for the original installation of an identical connection in WBN Unit 1.However, the NRC staff was not able to confirm that sufficient testing was performed to demonstrate that two-way communication was precluded by the specific configuration changes described above. TVA should confirm to the staff that testing has sufficiently demonstrated that two-way communication is precluded with the described configurations.
This is Open Item 93 (Appendix HH).(2) Foxboro I/A DCS-The communications between Eagle 21 and the DCS are via the analog output module; this is not considered to be a digital data communication system.By letter dated April 27, 2010 (ADAMS Accession No. ML1 01230248), TVA stated (Enclosure Item No. 14) that there are no digital communications or interactions originating from the Foxboro I/A DCS to any safety-related system. Additional staff review of the Foxboro I/A DCS is documented in Section 7.7.1.4 of this SSER.(3) Annunciator System-The communications between Eagle 21 and the annunciator system are via the contact output module and the partial trip output module; this is not considered to be a digital data communication system.Common Q PAMS: The safety-related Common Q PAMS communicates with the following nonsafety-related system: Plant Computer-As described in Enclosure 1, Item No. 14 of TVA's letter dated July 30, 2010 (ADAMS Accession No. MLI 02160349, not publicly available), the communications isolation between the safety-related Common Q PAMS and the plant computer are unidirectional via the MTP and a nonsafety-related data diode. See Section 7.5.2.2.3.7 of this SSER for a detailed evaluation of this item.Containment High-Range Radiation Monitors:
The safety-related containment high-range radiation monitors communicate with the following nonsafety-related systems: (1) Annunciator-The communications isolation between the safety-related radiation monitors and the nonsafety-related annunciator system is provided by the output relay contacts in the monitor. These are not considered to be digital data communication systems and so are not addressed in this section.(2) Plant Computer System-The communication to the nonsafety-related plant computer is from the analog output of the monitor via qualified isolation cabinets 2-R-1 63 (train A)and 2-R-164 (train B). These are not considered to be digital data communication systems and so are not addressed in this section.7-175 Additional information about the communication capabilities of the containment high-range radiation monitors is contained in Section 7.5.2.3 of this SSER.Based on its review, the staff concludes that the communications between digital safety-related and nonsafety-related equipment, as described above, meet the regulatory criteria of IEEE Std. 603-1991, Clause 5.6.3, and GDC 24, which pertain to the independence and separation of protection and control systems.7.9.3.3 Safety System Status Indication As described in Attachment 34 to TVA's letter dated October 5, 2010 (ADAMS Accession No. ML1 02910324, not publicly available), status indication for the BISI system is provided for by Eagle 21 and the SSPS. Additional information on the BISI system is contained in Section 7.5.1.1.2 of this SSER.7.9.4 Conclusion Based on the NRC staffs review of the interfaces between the data communication systems and plant systems described in WBN Unit 2 FSAR Amendment 103, as supplemented by the TVA documents referenced above, the staff concludes that the data communication systems meet the relevant acceptance criteria identified in SRP Section 7.9, Revision 5, including the requirements of IEEE Std. 603-1991, Clause 5.6.3, and GDC 24 with regard to control and protection system interactions.
7-176 9 AUXILIARY SYSTEMS 9.1 Fuel Storage Facility 9.1.3 Spent Fuel Pool Cooling and Cleanup System Background Section 9.1.3 of the WBN Unit 2 FSAR describes the spent fuel storage facility.
The spent fuel pool cooling and cleanup system (SFPCCS) is a shared system that cools the shared spent fuel pool for WBN Units 1 and 2.In Section 9.1.3 of the SER, dated June 1982, the staff concluded that the SFPCCS design was in compliance with the requirements of Title 10 of the Code of Federal Regulations (10 CFR)Part 50, "Domestic Licensing of Production and Utilization Facilities," Appendix A, "General Design Criteria for Nuclear Power Plants," General Design Criterion (GDC) 2, 4, 44, 45, 46, 61, and 63 with "respect to protection against natural phenomena and missiles, cooling water capability, inservice inspection, functional testing, fuel cooling and radiation protection, and monitoring provisions, and the guidance of Regulatory Guides 1.13, 1.26, and 1.29 relating to the system's design, quality group and seismic classification." Subsequent t the SER, the NRC staff has reviewed other issues related to spent fuel pool cooling at WBN. In SSER 11, dated April 1993, the staff concluded that the SFPCCS pumps may be excluded from the inservice testing program. In SSER 15, dated June 1995, the staff concluded that the system had an acceptable capability to maintain or recover spent fuel pool cooling following design-basis events with the potential to interrupt spent fuel pool cooling. By letter dated July 28, 1997 (ADAMS Accession No. ML020780158), the U. S. Nuclear Regulatory Commission (NRC) issued WBN Unit 1 License Amendment No. 6, authorizing installation of new spent fuel storage racks and an increase in the maximum number of stored spent fuel assemblies to 1610, which increased the potential peak heat load placed on the SFPCCS. The NRC issued WBN Unit 1 License Amendment Nos. 37, 40, 48, 67, and 77 on February 21, 2002 (ADAMS Accession No. ML0205806120);
September 23, 2002 (ADAMS Accession No.ML022540925);
October 8, 2003 (ADAMS Accession No. ML032880062);
January 18, 2008 (ADAMS Accession No. ML073520546);
and May 4, 2009 (ADAMS Accession No.ML090920506);
respectively.
These license amendments authorized irradiation of tritium production burnable absorber rods (TPBARs) within WBNP Unit I core and transfer of these irradiated TPBARs through the shared WBN spent fuel pool, which also resulted in a small increase in the potential peak heat load. In addition to addressing irradiation of TPBARs, WBN Unit I License Amendment No. 37 authorized a revised SFP cooling analysis methodology for WBN that resulted in an increased allowable maximum heat load from 32.6 to 47.4 million British Thermal Units per hour (BTU/hr).
This revised methodology credited additional heat removal capability resulting from lower-than-design component cooling water temperature and heat exchanger fouling at the time of the fuel transfer.
The improved heat removal capability allowed a decrease in the minimum decay time necessary to maintain the peak SFP temperature below the design temperature of 159.24°F with one SFPCCS train in operation.
The staff's safety evaluation for this amendment concluded that the SFPCCS had adequate capacity and cooling margin to perform its safety and non-safety functions with the additional heat loads imposed by tritium production activities.
9-1 Technical Evaluation Operation of WBN Unit 2 would result in a further increase in the potential peak heat load above that authorized by WBN Unit 1 License Amendment No. 37. The increase results from the lower average decay time for past outages when two reactors, rather than only one reactor, discharge to a shared spent fuel pool. The NRC staff requested (RAI SBPB 9.1-2) that iVA confirm the expected heat loads for representative dual-unit scenarios and describe the methodology, including decay heat models, used to determine the heat load. In its response, by letter to the NRC dated July 31, 2010, TVA described that the spent fuel pool would receive refueling offloads, alternating between the two units, on recurring intervals of about 180 and 355 days.TVA described normal discharges of 96 assemblies from Unit 1 (as a result of the tritium production core) and 80 assemblies from Unit 2. WVA stated that it calculated the expected heat loads for dual-unit operating conditions in accordance with ANS Standard 5.1, "Decay Heat Power in Light Water Reactors," and RG 3.54, "Spent Fuel Heat Generation in an Independent Spent Fuel Pool Storage Installation," assuming irradiated fuel assemblies filled all 1386 storage locations in the spent fuel pool and considering the added heat introduced by the presence of irradiated TPBARs. For these conditions, TVA determined the heat load for the specified offload cases would be:* 39.06 Million BTUIhr for a full core discharge (193 assemblies) with a 12-day decay time 0 25.62 Million BTU/hr for a full core discharge with a 60 day decay time following a normal Unit I outage discharge with a 96-day decay time In WBN Unit 2 FSAR Amendment 100, dated September 1, 2010, TVA incorporated the above decay heat values. In FSAR Amendment 100, TVA also modified the WBN Unit 2 FSAR to: " increase the maximum allowed spent fuel pool heat load from 47.4 million to 50.21 million BTU/hr for below-design cooling water temperature and heat exchanger fouling conditions" revise the expected water heat-up rates and boil-off times listed in FSAR Table 9.1-1 for a total loss of cooling capability accident for the full core discharge, the full core discharge following a normal refueling, and the maximum allowed heat load cases" describe the fuel inventory associated with the full core discharge following a normal discharge in footnote 3 of FSAR Table 9.1-1 The staff noted, however, that the existing spent fuel pool temperature limits provided in FSAR Amendment 100 in Table 9.1-1 were unchanged for all design cases, and the methodology applied to determine the heat load associated with a given inventory of fuel assemblies was not described.
Section 9.1.3.1.1 of FSAR Amendment 100 stated that the temperatures listed in FSAR Table 9.1-1 can be maintained for the various full core offload scenarios assuming the SFPCCS heat exchangers are supplied with component cooling water at its design flow and temperature.
The staff determined through independent calculations that the spent fuel pool temperature limits listed in Table 9.1-1 for the design full core offload case would not be achievable at the design cooling water inlet temperature of 95 0 F. Similarly, the specified spent fuel pool temperature limits would not be achievable at the maximum allowed heat load because this heat load was 9-2 derived from the heat removal capability of the SFPCCS at specific below-design cooling water temperature and heat exchanger fouling factor values. However, the maximum spent fuel pool temperature limits listed in Table 9.1-1 for the design full core offload case following a routine refueling discharge would be achievable because the heat load was bounded by the corresponding design case for Unit 1 operation, which was calculated assuming a much shorter decay time than the 60-day decay time assumed above.The staff discussed spent fuel pool cooling issues with TVA staff during public meetings on October 12, October 26, and November 3, 2010. The TVA staff explained that the data provided in Table 9.1-1 of FSAR Amendment 100 was based on proposed cooling system modifications that enhanced its cooling capacity.
However, FSAR Amendment 100 did not include revised cooling system performance data reflecting the modification.
Because the timing of the modification was uncertain, TVA elected to revise the spent fuel pool information.
By letter to the NRC dated December 10, 2010, TVA provided a revised description of spent fuel transfer scenarios, spent fuel heat load values, peak calculated pool temperature values, and the methodology used to determine the values. By letter to the NRC dated December 21, 2010, TVA provided marked-up and clean pages reflecting the associated changes proposed for FSAR Section 9.1.3 and Table 9.1-1. The fuel transfer scenarios maintained the existing maximum spent fuel pool temperature values, heat-up rates, and boil-off times bounding by decreasing the decay heat associated with the last refueling offload. This would be accomplished by delaying refueling fuel transfers to the spent fuel pool to compensate for the additional heat load resulting from more frequent discharges resulting from the proposed operation of both WBN Unit I and Unit 2.The staff reviewed the changes proposed by TVA to the WBN Unit 2 FSAR in its letter dated December 21, 2010, and compared the changes to the spent fuel pool cooling acceptance criteria applied to WBN Unit 1 and the FSAR content requirements of 10 CFR 50.34. The staff found that the design of the SFPCCS is unchanged and remains acceptable, consistent with the conclusions of the staff as documented in the SER and its supplements.
Based on its review, the staff concluded that TVA demonstrated that the cooling capability of the existing SFPCCS was adequate for the increased heat load imposed by alternating fuel discharges from WBN Units I and 2 under normal operating conditions, as required by GDC 44 and 61. The staff concludes that the proposed description of the design and operation of the spent fuel pool cooling and cleanup system in FSAR Section 9.1.3 adequately supports operation of WBN Unit 2 and is consistent with the requirements of 10 CFR 50.34, and is, therefore, acceptable.
Amendment of the FSAR description of the design and operation of the spent fuel pool cooling and cleanup system in FSAR Section 9.1.3 as proposed by TVA in its December 21, 2010, letter to the NRC, is Open Item 60 (Appendix HH).9.2 Water Systems 9.2.1 Essential Raw Cooling Water System The essential raw cooling water (ERCW) system is a shared system for Watts Bar Nuclear Plant (WBN) Units 1 and 2. The staff of the U.S. Nuclear Regulatory Commission (NRC) previously evaluated the ERCW system in Section 9.2.1 of the safety evaluation report (SER)(NUREG-0847, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant Units I and 2," issued June 1982). Based on its review, the staff concluded that the ERCW system conformed to the requirements of General Design Criteria (GDC) 2, 4, 5, 44, 45, and 46 in Appendix A, "General Design Criteria for Nuclear Power Plants," to Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization 9-3 Facilities." Subsequent system testing performed by the Tennessee Valley Authority (TVA)revealed that the ERCW pumps did not perform in accordance with the design-basis capability.
Consequently, as documented in SER Supplement (SSER) 18, issued October 1995, the staff concluded that the ERCW system did not conform to GDC 5, "Sharing of Structures, Systems, and Components," for two-unit operation, and that the ERCW was acceptable for Unit 1 operation only. GDC 5 requires that structures, systems, and components important to safety not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining unit.In its letter dated August 3, 2007 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML072190047), TVA stated the following:
The existing Essential Raw Cooling Water (ERCW) pumps were sized in 1974.In order to license WBN Unit 2, a two-unit preoperational flow balance test will be required.
In their present conditions, the ERCW pumps do not provide adequate flow margin to meet the acceptance criteria of a two-unit flow balance test.An engineering study was performed to determine the best alternative for meeting the design requirements of the ERCW system for two-unit operation.
The alternatives are currently being reviewed.
Appropriate measures will be taken to ensure the system is fully capable of meeting design requirements for two unit operation.
In Enclosure 1 to its response dated December 10, 2010 (ADAMS Accession No. ML1 03480708; Enclosure 1 to the letter is not publicly available), to staff Request for Additional Information (RAI) 9.2.1-ERCW-5, TVA stated the following:
All eight ERCW pumps are being replaced with new ERCW pumps prior to the ERCW dual unit flow balance that meet all specified performance requirements and have sufficient capability to supply all required ERCW normal and accident flows for dual unit operation and accident response.The staff should verify that the ERCW dual unit flow balance confirms that the ERCW pumps meet all specified performance requirements and have sufficient capability to supply all required ERCW normal and accident flows for dual unit operation and accident response, in order to verify that the ERCW pumps meet GDC 5 requirements for two-unit operation.
This is Open Item 90 (Appendix HH).In WBN Unit 2 Final Safety Analysis Report (FSAR) Amendment 95, dated November 24, 2009, TVA updated Section 9.2.1, "Essential Raw Cooling Water (ERCW)," to include operation of Unit 1 and Unit 2.In FSAR Section 9.2.1.3, "Safety Evaluation," it states that "The availability of water for the design basis condition on the ERCW system is based on one unit being in a LOCA and the other unit in hot standby...." In RAI 9.2-CCS-1, the staff asked TVA to explain how the ERCW system meets the requirements of GDC 5. In RAI 9.2.1-ERCW-3, the staff also asked TVA to provide minimum flow and heat transfer requirements for a design-basis accident in one unit and an orderly shutdown and cooldown of the nonaccident unit. In its response dated December 10, 2010, TVA stated the following:
9-4 Section 9.2.2.4 (Safety Evaluation) of the Unit 2 FSAR states that the definition of"Safe Shutdown" is "Hot Standby," and is therefore not required to cooldown to Cold Shutdown." Current calculations indicate that the Component Cooling System (CCS) and the Essential Raw Cooling Water (ERCW) system have sufficient capability to support the accident unit and the other unit in Hot Standby with all credible and licensing basis failures considered; therefore, this statement is consistent with the GDC 5 requirement to allow, "... an orderly shutdown...
of the remaining units." The NRC staff reviewed TVA's response and concluded that it did not address the requirement of GDC 5 to be able to cool down the nonaccident unit.In its response to RAI 9.2.1-ERCW-3 dated December 10, 2010, TVA also stated that "The GDC 5 Cooldown assumes Design Basis Accident Conditions, which are .... One unit in LOCA, and the other unit in Hot Standby." For RAI 9.2.1-ERCW-3, TVA also provided, in Enclosure 5 of its letter dated December 10, 2010, a summary of heat load and flow rate tables for the ERCW. These tables show the ERCW heat loads and flow rates for safety injection (SI) and loss-of-coolant accident (LOCA) recirculation in both Unit 1 and Unit 2. Based on its review of TVA's responses, it was unclear to the staff that the ERCW system complied with the requirements of GDC 5. The staff asked TVA (RAI-1) for additional information to address the issue.In its response by letter dated April 13, 2011 (ADAMS Accession No. ML11 104A059), TVA stated that the most limiting cooldown analysis to verify compliance with GDC 5 is a LOCA in Unit 2 with a complete loss of ERCW train A equipment as the single failure with a loss of offsite power (LOOP). All ERCW train B equipment is available, including CCS heat exchanger C and two of four ERCW train B pumps. Core decay heat for the accident unit is conservatively held constant.
TVA's analysis determined that ERCW train B has sufficient capability, approximately 19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> after the nonaccident unit enters hot standby, to remove decay heat from both the accident unit and the nonaccident unit. The time to reach cold shutdown for the nonaccident unit is 46 hours5.324074e-4 days <br />0.0128 hours <br />7.60582e-5 weeks <br />1.7503e-5 months <br /> after the nonaccident unit is shut down to hot standby. Based on its review of the information provided by TVA in its letter dated April 13, 2011, the staff concludes that the ERCW system is able to support a cold shutdown of the nonaccident unit within 46 hours5.324074e-4 days <br />0.0128 hours <br />7.60582e-5 weeks <br />1.7503e-5 months <br /> of a LOCA in the other unit and hot standby in the nonaccident unit, coincident with a single failure and a LOOP. Therefore, the staff concludes that the ERCW system meets the requirements of GDC 5, which requires that sharing of systems that are important to safety will not significantly impair their ability to perform their safety functions, including an orderly shutdown and cooldown of the nonaccident unit. TVA should update the FSAR with information describing how WBN Unit 2 meets GDC 5, as provided in TVA's letter dated April 13, 2011, and as described above.This is Open Item 91 (Appendix HH).9.2.2 Component Cooling System (Reactor Auxiliaries Cooling Water System)The CCS is a shared system for WBN Units I and 2. As stated in Section 9.2.2 of the SER (NUREG-0847), the CCS, a safety-related system designed to seismic Category I and Quality Group B and C requirements, provides cooling water to various plant components and rejects heat to the ERCW system. It serves as an intermediate cooling loop between radioactive or potentially radioactive heat sources and the ERCW system. The systems served by the CCS are residual heat removal, chemical and volume control, SI, waste disposal, spent fuel pool cooling and cleaning, sampling, and containment spray.9-5 The NRC staff previously evaluated the CCS in the SER and concluded that "the CCS meets the requirements of GDC 2, 4, 5, 44, 45, and 46 with respect to its protection against natural phenomena, missiles and environmental effects, sharing of systems, heat removal capability, inservice inspection and functional testing, and the guidelines of Regulatory Guides 1.26[Revision 3, "Quality Group Classifications and Standards for Water-, Steam-, and Radioactive-Waste-Containing Components of Nuclear Power Plants"], 1.29 [Revision 3, "Seismic Design Classification"], 1.102 [Revision 1, "Flood Protection for Nuclear Power Plants"], and 1.117[Revision 1, "Tornado Design Classification,"]
with respect to the system's quality group and seismic qualification, and flood and tornado missile protection." In the SER, the NRC staff stated that TVA committed to relocating the component cooling booster pumps above the probable maximum flood (PMF) level. The staff found this commitment acceptable pending verification that the modifications were completed before loading fuel into the reactor. In SSER 5, dated November 1990, the staff verified that these pumps for Unit 1 had been relocated above PMF level. TVA should confirm, and the NRC staff should verify, that the component cooling booster pumps for Unit 2 are above PMF level. This is Open Item 67 (Appendix HH).No additional NRC staff evaluation of the CCS was documented through SSER 21, with the exception of SSER 5, noted above. In SSER 20, issued February 1996, the NRC staff approved WBN FSAR Amendment
- 91. In WBN Unit 2 FSAR Amendment 95, dated November 24, 2009, TVA updated FSAR Section 9.2.2, "Component Cooling System (CCS)," to address operation of both Unit 1 and Unit 2.In FSAR Section 9.2.2.4, "Safety Evaluation," the NRC staff noted that WVA described the functions of both the A train and B train for dual unit operation and included "Unit 1 only" operations.
In RAIs, 9.2-CSS-2 and 9.2-CSS-3, the staff asked TVA to clarify both why the WBN Unit 2 FSAR makes reference to Unit I operations only, and which CCS headers and heat exchangers supply the train A and train B engineered safety features (ESFs) for Unit 1 and Unit 2. TVA provided its response to the staff questions by letter dated December 10, 2010 (ADAMS Accession No. ML1 03480708), and subsequently submitted WBN Unit 2 FSAR Amendment 102, dated December 30, 2010, to correct the text. As stated above, the CCS is a shared system; however, portions of the system are unit specific.
Pumps 1A-A and 1 B-B and heat exchanger A serve the Unit I train 1A ESF and miscellaneous equipment.
Pumps 2A-A and 2B-B and heat exchanger B serve the Unit 2 train 2A ESF and miscellaneous equipment.
Pump C-S and heat exchanger C and associated piping are shared between Unit I and Unit 2 and are aligned with both the Unit 1 train 1B and Unit 2 train 2B equipment.
Pump 1B-B is used as additional capacity for train 1A, as required, and as a replacement for pumps 1A-A or C-S, if one should be out of service. Pump 2B-B is used as additional capacity for train 2A, as required, and as a replacement for pumps 2A-A or C-S, if one should be out of service.In RAI 9.2-CSS-1, the staff asked TVA to explain how the CSS meets the requirements of GDC 5. TVA responded in its letter dated December 10, 2010, as follows: Section 9.2.2.4 (Safety Evaluation) of the Unit 2 FSAR states that the definition of"Safe Shutdown" is "Hot Standby, and is therefore not required to cool down to Cold Shutdown." Current calculations indicate that the Component Cooling System (CCS) and the Essential Raw Cooling Water (ERCW) system have sufficient capability to support the accident unit and the other unit in Hot Standby with all credible and licensing basis failures considered; therefore, this statement 9-6 is consistent with the GDC 5 requirement to allow, "...an orderly shutdown.. .of the remaining units." The NRC staff reviewed TVA's response and concluded that TVA did not address the requirement of GDC 5 to be able to cool down the nonaccident unit. The CCS is a shared system between Units 1 and 2, and GDC 5 requires that systems important to safety shall not be shared unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units. As noted below, the staff asked TVA, in RAI 9.2-CCS-6, to further justify how the CSS complies with GDC 5.WVA provided a summary of the heat load and flow rate tables for the CSS in Enclosure 3 to its letter dated December 10, 2010. These tables show the CSS heat loads and flow rates for SI mode and LOCA recirculation mode in both Unit 1 and Unit 2. In reviewing the tables and TVA's response to RAI 9.2-CSS-1, the staff could not determine whether the CSS complied with GDC 5. In RAI 9.2-CCS-6, the staff asked TVA to provide clarification.
In its letter dated April 13, 2011 (ADAMS Accession No. MLII 04A059), TVA stated that the most limiting cooldown analysis to verify compliance with GDC 5 is a LOCA in Unit 2 with a complete loss of CCS train A as the single failure and with a LOOP. All CSS train B equipment is available.
Core decay heat for the accident unit is conservatively held constant.
The analysis determined that CCS train B has sufficient capability, approximately 19 hours2.199074e-4 days <br />0.00528 hours <br />3.141534e-5 weeks <br />7.2295e-6 months <br /> after the nonaccident unit enters hot standby, to remove decay heat for both the accident unit and the nonaccident unit, with two CCS pumps providing flow to CCS heat exchanger C. The time to reach cold shutdown of the nonaccident unit is 46 hours5.324074e-4 days <br />0.0128 hours <br />7.60582e-5 weeks <br />1.7503e-5 months <br /> after the nonaccident unit is shut down to hot standby. Based on its review of the information provided by TVA in its letter dated April 13, 2011, the staff concludes that the CCS is able to support cold shutdown of the nonaccident unit within 46 hours5.324074e-4 days <br />0.0128 hours <br />7.60582e-5 weeks <br />1.7503e-5 months <br /> of a LOCA in the other unit and hot standby in the nonaccident unit, with a single failure and LOOP. Therefore, the staff concludes that the CCS meets the requirements of GDC 5, which requires that sharing of systems that are important to safety will not significantly impair their ability to perform their safety functions, including an orderly shutdown and cooldown of the nonaccident unit.9.2.5 Ultimate Heat Sink The ultimate heat sink (UHS) is a shared system for Watts Bar Nuclear Plant (WBN), Units 1 and 2. As stated in WBN Unit 2 FSAR Section 9.2.5, the sink is comprised of a single water source, the Tennessee River, including the complex of TVA-controlled dams upstream of the plant intake, TVA's Chickamauga Dam (the nearest downstream dam), and the plant intake channel.The NRC staff previously evaluated the UHS in the SER, NUREG-0847, dated June 1982. In SER Section 9.2.5, the NRC staff concluded that "the UHS design conforms to the requirements of GDC [General Design Criterion]
2, 4, and 44 [of Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," Appendix A,"General Design Criteria for Nuclear Power Plants,"]
with respect to the need for protection from natural phenomena and missiles, and heat removal capability, and the guidelines of Regulatory Guide (RG) 1.27 ["Ultimate Heat Sink for Nuclear Power Plants, Revision 1, March 1974"] as related to the functional and design requirements of the UHS, and is, therefore, acceptable." No additional NRC staff evaluation of the UHS was documented through SSER 21. In SSER 20, dated February 1996, the NRC staff approved WBN FSAR Amendment
- 91. In WBN Unit 2 9-7 FSAR Amendment 95, dated November 24, 2009, TVA updated FSAR Section 9.2.5, "Ultimate Heat Sink," to address operation of both Unit 1 and Unit 2. The NRC staff reviewed Section 9.2.5 of the FSAR Amendment 95 for Unit 2 and compared it to Section 9.2.5 of FSAR Amendment 91 for Unit 1, to determine the acceptability for two unit operation.
In FSAR Amendment 95, TVA updated Section 9.2.5.2, "Design Bases," to include the capability of the UHS to provide sufficient cooling for the safe shutdown and cool down of both nuclear reactor.units.TVA stated in WBN Unit 2 FSAR Section 9.2.5.3, "Safety Evaluation," that, The most severe combination of events considered credible to occur would be the simultaneous occurrence of a loss-of-coolant accident in one unit and hot standby of the other, loss of offsite power, and loss of upstream and/or downstream dams either individually or concurrently.
Under this extreme situation, the sink retains the capability required by regulatory position 1 [of RG 1.27].The NRC staff noted (RAI 9.2-CSS-1) that the FSAR states for the component cooling system in Section 9.2.2.4, "Safety Evaluation," that, "If one unit is in an accident condition, the other unit should be maintained at hot standby (if it can not be maintained in its operating mode) until the accident unit cooldown is accomplished." The staff considers that the statement is not in accordance with the requirements of GDC 5, "Sharing of Systems, Structures, and Components." GDC 5 does not permit sharing of systems important to safety unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cool down of the remaining units. In its response to RAI 9.2-CSS-1 by letter dated December 10, 2010 (ADAMS Accession No. ML1 03480708), TVA stated that, Current calculations indicate that the Component Cooling System (CCS) and the Essential Raw Cooling Water (ERCW) system have sufficient capability to support the accident unit and the other unit in Hot Standby with all credible and licensing basis failures considered; therefore, this statement is consistent with the GDC 5 requirement to allow, "... an orderly shutdown ... of the remaining units." In response to NRC questions regarding the GDC 5 requirement to cooldown the remaining unit, it is noted that there is no time requirement in GDC 5, and thus a target time has been chosen consistent with other events which do have an imposed time limit. The project has performed calculations which demonstrate that there is sufficient ERCW and CCS capability to bring the non-accident unit to Cold Shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> from entry into the Hot Standby mode. This is consistent with the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> requirement to be in Cold Shutdown for an Appendix R event.The NRC staff considers the ability to bring the nonaccident unit to cold shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to meet "the orderly shutdown and cool down" requirement of GDC-5. Since the minimum available flow from the Tennessee River is well in excess of the ERCW flow requirements, the staff considers the UHS to meet the requirements of GDC 5. TVA should clarify FSAR Section 9.2.5 to add the capability of the UHS to bring the nonaccident unit to cold shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This is Open Item 66 (Appendix HH).9-8 10 STEAM AND POWER CONVERSION SYSTEM 10.2 Turbine Generator 10.2.2 Turbine Disk Integrity The applicant, the Tennessee Valley Authority (TVA), addressed turbine rotor and disk integrity for Watts Bar Nuclear Plant (WBN), Unit 2 in Amendment 99 to the final safety analysis report (FSAR), dated May 27, 2010, Section 10.2.3, "Turbine Rotor and Disk Integrity." The NRC staff evaluated this section against the acceptance criteria specified in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (hereafter referred to as the SRP), Section 10.2.3, Revision 1, "Turbine Disk Integrity," for low-pressure turbine disks. The U.S. Nuclear Regulatory Commission (NRC) issued SRP Section 10.2.3, Revision 2 in March 2007 to expand the review area from turbine disks to turbine rotors. However, only minor changes were made to the acceptance criteria for turbine disks, and applying either version to them does not affect the evaluation conclusion.
The acceptance criteria cover five areas: materials selection, fracture toughness, preservice inspection, turbine disk design, and inservice inspection.
The staff noted that meeting the turbine missile requirements specified in SRP Section 3.5.1.3, "Turbine Missiles," and discussed in Section 3.5.1.3 of supplemental safety evaluation report (SSER) 22, issued February 2011, already ensures disk integrity by keeping the probability of turbine missile generation low.Therefore, the NRC staff concludes that SRP Section 10.2.3 essentially supplements SRP Section 3.5.1.3 to assure that (1) the materials input to the turbine missile analysis of SRP Section 3.5.1.3 is appropriate, (2) adequate preservice and inservice inspections that are not specified in SRP Section 3.5.1.3, Revision 2, issued 1981, are performed, and (3) turbine disk design limits the maximum stress and controls rotor natural frequencies (critical speeds) during operation, such that the SRP Section 3.5.1.3-related turbine missile analysis produces acceptable results and is based on valid assumptions.
The NRC staffs evaluation of WBN Unit 2 FSAR Amendment 99 versus the SRP Section 10.2.3 acceptance criteria is provided below.Regarding the first criterion (materials selection), SRP Section 10.2.3 requires 0 degrees Fahrenheit for the maximum 50-percent fracture appearance transition temperature (a brittle-to-ductile transition temperature commonly used in the turbine industry), and 60 foot-pounds for the minimum Charpy V-notch energy for the disks. This criterion also requires that chemical analysis of the materials be performed.
The first criterion is satisfied because the material properties listed in FSAR Amendment 99, Section 10.2.3.1 described that the rotor and disk materials meet the requirements stated above. FSAR Amendment 99 also stated that the chemical analysis of the disk and rotor forgings had been performed by the manufacturer.
Regarding the second criterion (fracture toughness), SRP Section 10.2.3 requires the ratio of the fracture toughness (Kic) of the disk material to the maximum tangential stress at speeds from normal to design overspeed be at least 2 /in. Further, this criterion requires the Kic be obtained through one of the four methods specified in the SRP. However, FSAR Amendment 99, Section 10.2.3.1, does not reveal how fracture toughness values for the rotor shaft and disks were obtained.
In response to a staff question, TVA described in its letter dated March 24, 2011 (Agencywide Documents Access and Management System (ADAMS)Accession No. ML1I10880504), that the Kic values were calculated from tensile and minimum Charpy data on actual disk material using the Barsom-Rolfe method. This is acceptable to the staff because the Barsom-Rolfe method was reviewed and accepted by the NRC in a 10-1 July 22, 2003, safety evaluation (ADAMS Accession No. ML032180141) approving a topical report on the Siemens Westinghouse turbine missile analysis methodology.
In its response, TVA also provided fracture toughness values for the shaft and disks. Considering these values and the stress values that were reported in the Siemens Energy, Inc., report CT-27467 supporting the review of turbine missiles (see SSER 22, Section 3.5.1.3), the staff confirmed that the requirement on the ratio of the Kic of the disk material to the maximum tangential stress is satisfied.
Regarding the third criterion (preservice inspection), SRP Section 10.2.3 requires (1) 100 percent volumetric (ultrasonic test), surface, and visual examinations for the finished rotor, (2) surface examination of finish machined bores, keyways, and drilled holes, and (3) a spin test at 5 percent of trip speed. FSAR Amendment 99, Section 10.2.3.5.1, "Low Pressure Turbine Rotor," described that all of these criteria are satisfied, except that the surface and visual examinations are not mentioned.
This is acceptable because the July 22, 2003, NRC safety evaluation stated that "one of the requirements which form the bases for the development of Siemens' disk inspection system is to be able to detect small flaws with radial depth< 0.1 inch and to size the detected cracks reliably." Further, the July 22, 2003, safety evaluation indicated that the initial surface flaw depth was assumed to be 0.12 inch in the turbine missile analysis; therefore, lack of surface and visual examinations is not a concern.Regarding the fourth criterion (turbine disk design), SRP Section 10.2.3 requires that (1) the combined stresses of the low-pressure turbine rotor at design overspeed should not exceed 0.75 of the minimum specified yield strength of the material, and (2) the natural frequencies (critical speeds) of the turbine shaft assemblies should be controlled so as to cause no distress to the unit during operation.
Based on comparing the stresses of the CT-27467 report and the minimum yield strength values of FSAR Amendment 99, Section 10.2.3.1, the staff determined that the minimum specified yield strength requirement of this criterion is satisfied.
FSAR Amendment 99 also did not address the requirement of this criterion for controlling critical speeds. In response to a staff question, TVA provided in its letter dated March 24, 2011, the critical speeds of the turbine rotor, which are reasonably distant from the normal speed of 1,800 revolutions per minute. Therefore, the staff concludes that distress to the unit during operation due to vibration caused by proximity to resonance is unlikely to happen, and that this criterion's requirement to control critical speeds is satisfied.
Regarding the last criterion (inservice inspection), SRP Section 10.2.3 requires disassembly of the turbine at approximately 10-year intervals and complete inspection of all normally inaccessible parts, such as couplings, coupling bolts, turbine shafts, low-pressure turbine blades, low-pressure disks, and high-pressure rotors. FSAR Amendment 99 does not address this requirement.
In response to a staff question, TVA listed in its letter dated March 24, 2011, the turbine components and their associated nondestructive examinations to be performed following 100,000 operating hours, in accordance with the manufacturer's (Siemens)recommendations.
These included all of the components listed in the SRP Section 10.2.3 inservice inspection criterion.
Therefore, the staff concludes that the inservice inspection criterion is satisfied.
In summary, the NRC staff concludes that FSAR Amendment 99, Section 10.2.3, is acceptable, because it demonstrated that the WBN Unit 2 turbine disks have met the five acceptance criteria of SRP Section 10.2.3. Meeting these top-level criteria of SRP Section 10.2.3 ensures that the SRP Section 3.5.1.3-related turbine missile analysis will generate acceptable results.10-2 10.4 Other Features 10.4.9 Auxiliary Feedwater System Background In Section 10.4.9 of NUREG-0847, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," issued June 1982 (hereafter referred to as the SER), the NRC staff documented its review of the WBN FSAR Section 10.4.9, "Auxiliary Feedwater System." The staff reviewed TVA's auxiliary feedwater (AFW) system description and design criteria for its compliance with the applicable regulatory requirements and adherence to regulatory guidance.
In the SER, the staff concluded that the AFW system met the requirements stated in Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," Appendix A, "General Design Criteria for Nuclear Power Plants," General Design Criteria (GDC) 2, 44, 45, and 46 and met the guidelines provided in Branch Technical Position (BTP) Auxiliary Systems Branch (ASB) 10-1, Regulatory Guides 1.26, 1.29, and 1.117, and NUREG-0737, "Clarification of TMI Action Plan Requirements," issued November 1980.In supplemental SER (SSER) 14, issued December 1994, the NRC staff reviewed TVA's revised minimum flow requirements for AFW for a loss-of-normal-feedwater event with a loss of offsite power, and the revised design flow rates for the AFW pumps. The staff found that TVA's changes were supported by an analysis of design-basis events that was included in the accident and transient analyses in WBN FSAR Chapter 15. The staff concluded that TVA's revised flow rates were acceptable.
In SSER 21, issued February 2009, the NRC staff reviewed existing licensing topics to determine whether any remained open for each section of the FSAR. No open topics were identified for WBN FSAR Section 10.4.9.Evaluation The NRC staff reviewed TVA's proposed changes to Section 10.4.9 in recent WBN Unit 2 FSAR Amendments 95 through 102. The specific review criteria contained in the guidance of SRP Section 10.4.9, Revision 3, "Auxiliary Feedwater System (PWR)," directs the staff to verify, in part, compliance with GDC 2, 4, 5, 19, 34, 44, 45, and 46, and with 10 CFR 50.63, "Loss of All Alternating Current Power." Because the original SER noted only GDC 2, 44, 45, and 46 and BTP ASB 10-1, the staff reviewed the FSAR to verify the compliance of the AFW system with the regulatory requirements of GDC 4, 5, 19, 34, 10 CFR 50.62, "Requirements for Reduction of Risk from Anticipated Transients without Scram (ATWS) Events for Light-Water-Cooled Nuclear Power Plants," and 10 CFR 50.63: GDC 4, "Environmental and Dynamic Effects Design Bases," requires, in part, that structures, systems, and components (SSCs) important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents (LOCAs).GDC 5, "Sharing of Structures, Systems, and Components," requires, in part, that SSCs important to safety shall not be shared among nuclear power units unless it can be 10-3 shown that such sharing will not significantly impair their ability to perform their safety functions.
GDC 19, "Control Room," requires, in part, that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including LOCAs.GDC 34, "Residual Heat Removal," requires, in part, that a system to remove residual heat shall be provided.
AFW system diversity and performance are reviewed for decay heat removal capability.
The regulation in 10 CFR 50.62 provides requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants. The review verifies whether the design meets the requirements of 10 CFR 50.62(c)(1) for automatic initiation of the AFW system in an ATWS.The regulation in 10 CFR 50.63 addresses loss of all alternating current power. AFW system diversity and performance are reviewed for station blackout capacity.In WBN Unit 2 FSAR Section 10.4.9, TVA states that the AFW system design function is to supply feedwater to the steam generators in the event main feedwater is lost, in order to remove heat from the primary coolant system. The AFW system is credited in preventing overpressurization of the reactor coolant system and subsequent core damage during transients and accidents.
In order to accomplish its design function, the AFW system has two motor-driven pumps and one steam-turbine-driven pump. In FSAR Section 10.4.9, TVA describes the AFW system components and their design requirements and how the components meet their safety functions.
The NRC staff reviewed TVA's changes in FSAR Amendments 95 through 102 to the description of the AFW system in FSAR Section 10.4.9 and requested additional information from TVA in a letter dated November 9, 2010, in order to verify that the AFW system complies with the applicable regulatory requirements noted above. TVA responded to the staffs questions in letters dated December 10, 2010, and February 25, 2011.The NRC staff asked (Request for Additional Information (RAI) 10.4.9-BOP-AFW-1)
TVA to demonstrate how it satisfies GDC 5 (i.e., system independence) for the AFW system. In its letter dated December 10, 2010, TVA stated that "Each Unit's AFW system is independent of the other with no shared components that are important to safety." FSAR Section 10.4.9 states that "The preferred sources of water for all auxiliary feedwater pumps are the two 395,000 gallon condensate storage tanks (CSTs)." WBN Unit 1 Technical Specification (TS) 3.7.6,"Condensate Storage Tank (CST)," and the proposed equivalent Unit 2 TS 3.7.6 require that a minimum of 200,000 gallons be maintained in the CST. In its letter to the staff dated February 25, 2011, TVA stated the following:
Unit 2 Technical Specifications Limiting Condition for Operation (TSLCO) 3.7.6 states, "The CST level shall be > 200,000 gal." 10-4 As described in the TS Bases for LCO 3.7.6, the CST level required is equivalent to a usable volume of > 200,000 gallons, which is based on holding the unit in MODE 3 for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, followed by a cooldown to RHR [residual heat removal]entry conditions at 50 OF/hour. This basis is established in the CST level calculation and exceeds the volume required by the accident analysis.The quantity of feedwater required to bring the plant down to RHR cut-in conditions is 196,112 gallons, including a 3,000 gallon allowance to account for AFW Pump heat described in Westinghouse Technical Bulletin TB-09-4, "Impact of Auxiliary Pump Heat on Westinghouse and Combustion Engineering Analyses/Methodologies." There is 2,851 gallons of water unavailable due to vortexing/air injection, which results in a minimum required volume of CST water of 198,963 gallons. This is less than the TS requirement of > 200,000 gallons.The CSTs are credited in the mitigation of a station blackout (SBO) event as the sole source of water to the turbine-driven AFW pump. However, the staff noted that station drawings illustrate two CSTs on site that have piping connected to each unit's AFW system; therefore, either unit can use either CST. TVA's response and the station drawings appeared to be in conflict.
In a teleconference between the NRC staff and TVA on February 10, 2011, TVA stated that it intends to operate with each CST isolated from the other, and that each CST will be dedicated to only one unit. In its letter to the staff dated February 25, 2011, TVA committed to the following:
Amendment 103 to the Unit 2 FSAR will revise Section 10.4.9.2, "System Description," by adding the following sentence...: "The two CSTs are normally isolated from each other, with one CST dedicated to each unit. The AFW safety analyses take no credit for the ability to cross-tie the CSTs." TVA's proposed clarification to the FSAR is acceptable to the NRC staff. Because the CSTs are credited only for the SBO event under 10 CFR 50.63, and TVA does not plan to share CSTs between the units during plant operation, the staff concludes that TVA satisfies GDC 5 regarding the CSTs. Confirmation by the staff of TVA's change to FSAR Section 10.4.9 to reflect TVA's intention to operate with each CST isolated from the other is Open Item 62 (Appendix HH).The NRC staff asked (RAI 10.4.9-BOP-AFW-2)
WVA to justify (1) the required number of pumps needed to meet the minimum flow to mitigate design-basis events, (2) whether any single failure could result in loss of more than one pump, and (3) the most limiting single failure. In its response letter dated December 10, 2010, TVA stated, "There is no single active failure that could reduce the number of required AFW pumps below the minimum required." In addition, TVA identified the most limiting failure for each design-basis event and the number of pumps required.The NRC staff asked (RAI 10.4.9-BOP-AFW-3)
TVA to describe how the high-pressure fire pumps (HPFPs) will be configured with the two units to provide adequate flow in the event of a flood that makes the normal AFW pumps unavailable.
In its response letter dated December 10, 2010, TVA provided a detailed description of the HPFP configuration, power 10-5 supplies, piping arrangements, and flow capabilities of the system to show how the system meets the design-basis function.
Additionally, TVA stated that "GDC 5 is met as the shared HPFP system simultaneously meets the AFW requirements of both units." The NRC staff asked (RAI 10.4.9-BOP-AFW-4)
TVA to explain whether or not operator action within the first 10 minutes is credited for the AFW system in order to mitigate the design-basis accidents described in the FSAR Chapter 15. In its letter dated December 10, 2010, TVA stated that "Operator intervention within 10 minutes is required in order to meet maximum flow requirements for the main steamline break inside containment, or within 12 minutes to meet the minimum flow requirements for the feedline rupture." This clarification is acceptable to the staff.The NRC staff asked (RAI 10.4.9-BOP-AFW-5)
TVA to describe how it intends to meet testing requirements to show that a safety-related flow path is operable to the steam generators from the essential raw cooling water (ERCW) and HPFP systems. In its letter dated December 10, 2010, TVA responded that it does not intend to put undesirable raw water in the steam generators; it will add a pre-operational test program, PTI-026-01 R.0, similar to the one used by Unit 1, to demonstrate that HPFP water can flow to the Unit 2 AFW piping system. TVA stated that it will also use similar test procedures used on Unit I to show that ERCW suction valves open to AFW pump suction on Unit 2. This is acceptable to the staff, because the test procedures have already been successfully used on Unit 1.Based on its review of the information provided by TVA in its December 10, 2010, and February 25, 2011, letters, the staff concluded that its questions were adequately addressed.
TVA subsequently made changes in FSAR Amendments 100 and 102, to reflect its responses to the staff, and committed to clarify in FSAR Amendment 103 the system description regarding the CSTs, as discussed above.In its AFW system safety evaluation in WBN Unit 2 FSAR Section 10.4.9.3, WVA describes the safety functions and the critical system parameters needed to mitigate design-basis events. As noted above (RAI 10.4.9-BOP-AFW-4), TVA revised its safety evaluation to indicate that operator intervention is required within 10 minutes to mitigate a main steamline break and within 12 minutes to mitigate a feedline rupture.Based on its review of Amendments 95 through 102 and the information provided in TVA's letters dated December 10, 2010, and February 25, 2011, the NRC staff concluded that the changes to FSAR Section 10.4.9 do not challenge the AFW system design basis and that the changes to the system description do not change the staff's conclusions in the SER and SSER 14. The staff reviewed the licensee's proposed FSAR Section 10.4.9, and finds that the licensee complies with the appropriate regulatory requirements as defined in Appendix A to 10 CFR Part 50 and as described in NUREG-0800.
The staff verified that the conclusions of the original SER, NUREG-0847, remain valid, and that the AFW system complies with the regulatory requirements of GDC 4, 5, 19, 34, 10 CFR 50.62, and 10 CFR 50.63. Therefore, WBN Unit 2 FSAR Section 10.4.9 is acceptable.
10-6 14 INITIAL TEST PROGRAM This evaluation supplements NUREG-0847, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant Units 1 and 2," issued June 1982 (referred to hereafter as the SER), including 16 supplements to the SER, the last of which (Supplement
- 16) was issued in September 1995. Supplement 16 of the SER (SSER 16) summarized the U.S. Nuclear Regulatory Commission's (NRC's) staff's evaluation, with respect to the initial test program (ITP), as described in Chapter 14 of the final safety analysis report (FSAR) of the Watts Bar Nuclear Plant (WBN), up to and including Amendment
- 89. SSER 16 also evaluated the commitments made by the Tennessee Valley Authority (TVA) in its letter to the NRC dated January 5, 1995. In SSER 16, the NRC staff concluded that the ITP description is generally comprehensive and encompasses the major phases of the testing program guidance presented in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (hereafter referred to as the SRP), and in Regulatory Guide (RG) 1.70, Revision 3, "Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)." In its review, the staff primarily used the guidance of SRP Section 14.2, Revision 2, "Initial Plant Test Program-Final Safety Analysis Report." The NRC issued SRP Section 14.2, Revision 3, in 2007 to incorporate information from Title 10 of the Code of Federal Regulations (10 CFR) Part 52, "Licenses, Certifications, and Approvals for Nuclear Power Plants." The use of Revision 2, rather than the more current Revision 3, does not affect the staffs evaluation or its conclusions for WBN Unit 2.During the evaluation documented in this SSER, the NRC staff reviewed SSERs 18 and 19 and the changes in the WBN Unit 2 FSAR associated with Amendments 90 through 100. By reviewing these documents, the staff gained a better understanding of the regulatory history related to the issues associated with TVA's ITP. TVA submitted WBN Unit 2 FSAR Amendments 97 and 98, to the NRC on January 11 and May 7, 2010, respectively.
TVA stated that FSAR Amendment 97 incorporated changes resulting from its ongoing design and reverification effort supporting the completion of the WBN Unit 2 design basis. FSAR Amendment 98 was more editorial and administrative in nature. In response to staff questions during the evaluation, which are documented in this SSER, TVA submitted FSAR Amendments 100 and 101, dated September 1, 2010, and December 17, 2010, respectively, to revise information in FSAR Table 14.2.As required by 10 CFR 50.34(b)(6)(iii), the FSAR must include plans for preoperational testing and initial operations.
In addition, Criterion XI, "Test Control," of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50,"Domestic Licensing of Production and Utilization Facilities," requires that a test program be established to ensure that all testing necessary to demonstrate that structures, systems, and components will perform satisfactorily in service is identified and conducted in accordance with written test procedures, which incorporate the requirements and acceptance limits contained in applicable design documents.
To evaluate the ITP, the NRC staff primarily relied on RG 1.68,"Initial Test Programs for Water-Cooled Nuclear Power Plants." In its review, the staff used RG 1.68, Revision 2, issued August 1978, which is the licensing basis for WBN Unit 1 in accordance with the staff requirements memorandum (SRM) associated with SECY-07-0096,"Possible Reactivation of Construction and Licensing Activities for the Watts Bar Nuclear Plant Unit 2," dated July 25, 2007 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML072060688).
In this SRM, the Commission supported a licensing review approach that employs the current licensing basis for WBN Unit 1 as the reference basis for the review and licensing of WBN Unit 2. The NRC issued RG 1.68, Revision 3. in 2007 to incorporate information from 10 CFR Part 52. WVA references Revision 2 of RG 1.68 in the 14-1 WBN Unit 2 FSAR. The use of RG 1.68, Revision 2, rather than the more current Revision 3, does not affect the staffs evaluation or its conclusions.
The following sections present the staffs evaluation of Chapter 14 of the WBN Unit 2 FSAR, as revised through FSAR Amendment 102, dated December 30, 2010. The section numbering reflects that used in previous SSERs for FSAR Chapter 14.14.2 Preoperational Tests (1) In Chapter 14 of FSAR Amendment 97, TVA proposed design-bases changes, in addition to editorial changes, for Sections 6.4, 6.5.1, and 9.4.1-9.4.5.
TVA deleted certain systems from FSAR Table 14.2-1, "Preoperational Tests Summaries Index," and Table 14.2-2, "Power Ascension Test Summaries Index," entirely; selectively deleted testing attributes (e.g., objective, prerequisites, test method, and acceptance criteria)from some systems; and provided descriptions only in the "Test and Inspections" section for some systems. Specifically, in Table 14.2-1, Sheet 1 of 89, and Table 14.2-2, Sheet 1 of 39, TVA deleted, without providing a justification, the preoperational and power ascension test summary abstracts for the following systems: boron recycle system (Sheet 21 of 89), control building ventilation system (Sheet 34 of 89), diesel generator (DG) building ventilation system (Sheet 43 of 89), direct current power system (Sheets 50 and 51 of 89), vital 120-volt (V) alternating current (ac) power system (Sheet 52 of 89), auxiliary building ventilation system (Sheets 36 and 37 of 89), and power ascension test summary spent fuel pool cooling system (Sheet 11 of 39).In response to Requests for Additional Information (RAIs) 14-2, 14-3, and 14-4, TVA provided in a letter dated June 3, 2010, its basis for removing this information from the FSAR. TVA stated that the ITP for WBN Unit 2 is similar to that performed for WBN Unit 1 and that the majority of changes are caused by the turnover of equipment to WBN Unit 1. TVA provided revised Tables 14.2-1 and 14.2-2, which included explanations for the revisions, modifications, or deletions to the tables. The staff found the test summaries for the control building ventilation system (FSAR Amendment 97, Section 9.4.1.4), the DG building ventilation system (FSAR Amendment 97, Section 9.4.5.2.1.4), and the auxiliary building ventilation system (FSAR Amendment 97, Section 9.4.3.4) acceptable because (a) the systems were tested initially as part of the preoperational test program, (b) the systems are in continuous operation and accessible for periodic inspection, and (c) after maintenance or modification activities that affect a system function, TVA performs testing to verify the system or component operation.
Based on its review of the information provided in TVA's letter dated June 3, 2010, the staff concluded that TVA provided an adequate basis for its changes to Tables 14.2-1 and 14.2-2 of the FSAR. Therefore, the staff concludes that TVA's response is acceptable.
(2) In FSAR Amendment 88, TVA revised Table 14.2-1, Sheet 48 of 90, "AC Power Distribution System Test Summary," by deleting the requirement under "Test Method" to verify the capability of each common station service transformer (CSST) to carry the load necessary to supply engineered safety feature (ESF) loads of one unit under loss-of-coolant accident (LOCA) conditions, in addition to providing the power required to shut down the nonaccident unit, in accordance with the guidance in Subparagraph 1 .g.(1) of Appendix A to RG 1.68. This requirement relates to the design bases of both units. SSER 14 identified this issue as Item 11.14-2 SSER 16 documents the staffs review of FSAR Amendment 89 and confirms that TVA revised Table 14.2-1, Sheets 48 and 49, to incorporate demonstration of the capability of each CSST to carry the load required to supply ESF loads on WBN Unit 1 under LOCA conditions.
As a result, the staff closed Item 11 as it pertained to the design basis for WBN Unit 1. However, the staff stated that, before issuance of an operating license for WBN Unit 2 TVA would have to demonstrate the capability of each CSST to carry the load required to supply ESF loads of one unit under LOCA conditions, in addition to the power required for shutdown of the nonaccident unit.The staff noted that FSAR Amendment 97, Table 14.2-1, Sheet 48 of 89, did not address the SSER 14, Item 11, issue for WBN Unit 2 in the "Test Method" section of the test description.
In response to RAI 14-1, as well as requests for information from the Quality and Vendor Branch of NRC's Division of Engineering (RAI EQVB 14.2-1 and RAI EQVB 14.2-2), TVA responded in a letter dated July 31, 2010, that "Amendment 100 to the Unit 2 FSAR will correct the test description and Acceptance Criteria." In Enclosure 1 of Amendment 100, dated September 1, 2010, to the WBN Unit 2 FSAR, TVA identified Items 5, 18, and 20 that related to this issue. As stated in Item 5 of the enclosure, TVA revised FSAR Table 14.2-1, Sheets 48 and 49, to include the statement,"in addition to power required for shutting down the non-accident unit." In Item 18, TVA revised Table 14.2-1, Sheet 49, to add acceptance criteria from FSAR Section 8.3.1. In Item 20, WVA added language to Table 14.2-1, Sheet 44, pertinent to the WBN Unit 2 emergency diesel generators (EDGs). The NRC staff verified the changes to Table 14.2-1, Sheets 48 and 49, in FSAR Amendment 100. Based on its review, the staff concludes that TVA's response is acceptable for WBN Unit 2.(3) In FSAR Amendment 97, TVA deleted from the "Test Method" section of Table 14.2-1, Sheet 48 of 89, the requirement from Item 5 to "Demonstrate manual and automatic transfer schemes operate in accordance with design drawings." The NRC staff requested, in RAI EQVB 14.2-1, that TVA provide the basis for why this test is not required for WBN Unit 2 in order to demonstrate the capability of the manual and automatic transfer schemes for the alternating current (ac) power distribution system for dual-unit operation.
The staff also requested that TVA (1) describe the transfer scheme, including whether running loads are shed and then resequenced on, or whether the loads are block loaded, and (2) verify that WBN Unit I technical specification (TS)surveillance requirement (SR) 3.8.1.89 includes Unit 2, if TVA is taking credit for the performance of this TS SR on Unit 2.In its letter to the NRC dated July 31, 2010, TVA stated the following:
The automatic and manual features of the Unit 2 6.9 kilovolt (kV)Shutdown Boards have been tested since Unit 1 began operation and are tested every 18 months on all four 6.9 kV Shutdown Boards in accordance with [WBN procedure]
0-SI-211-1 which demonstrates fulfillment of TS SR 3.8.1.8.WBN, Unit 1, TS SR 3.8.1.8 requires that the licensee, on an 18-month frequency, "verify automatic and manual transfer of each 6.9 kV shutdown board power supply from the normal offsite circuit to each alternate offsite circuit." 14-3 In a letter dated February 2, 2010 (ADAMS Accession No. ML100550326), TVA provided developmental revision B of the WBN Unit 2 TS. The proposed TS SR 3.8.1.8 for WBN Unit 2 is the same requirement as that for WBN Unit 1. Consequently, the staff concludes that the requirement is acceptable.
Since the TS SR for the WNB, Unit 2, 6.9-kilovolt (kV) shutdown board loads will be conducted before the startup of WBN Unit 2 the staff concludes that TVA's response is acceptable.
In its letter to the NRC dated July 31, 2010, TVA provided its justification as to why additional testing is not required during the startup of WBN Unit 2 to demonstrate the capability of the manual and automatic transfer schemes for the ac power distribution system for dual-unit operation.
TVA stated the following:
Unit 2 startup and operation will be the same as Unit l's. Thus, there are no planned design changes to the transfer schemes of the Unit 2 6.9 kV Shutdown Boards. For Unit 2, the manual transfer from normal to alternate feeder is performed remotely by control room hand switch and locally by hand switches provided on the compartment doors. This is the same as the Unit 1 methodology.
Automatic transfers of both the Unit 1 and Unit 2 6.9kV Shutdown Boards from normal feeder to alternate or Standby power supply feeder are initiated
[by fault conditions].
Both the automatic and manual transfer schemes, from the Normal feeder to the Alternate feeder, are not affected by loads or loading on the 6.9kV Shutdown Board electrical bus. The transfer scheme is solely dependent upon the initiating condition and source of the [fault condition].
To test the[fault condition], the automatic transfer scheme test is actuated by simulating an electrical fault on the Normal feeder Offsite Power supply by rotating the appropriate protective electrical relay disc closing a contact in the transfer circuit initiating an automatic transfer from the normal feeder to the alternate feeder. The protective relay that initiates the transfer from Normal feeder to Alternate feeder initiates a transfer on both the Unit 1 and the Unit 2 6.9 kV Shutdown Boards simultaneously due to the common power supply.Based on TVA's response, the staff has reasonable assurance that additional testing is not required before the startup of WBN Unit 2 to demonstrate the capability of the manual and automatic transfer schemes for the ac power distribution system for dual-unit operation.
In its July 31, 2010, letter, WVA also described the transfer scheme to explain whether running loads are shed and then resequenced on or whether the loads are block loaded.As TVA described in its response, no loads are shed and resequenced back onto the buses in the fast transfer scheme from normal to alternate feeder. For all loss of voltage or degraded voltage conditions, the staff concludes that TVA's description of the automatic transfer of the loads onto the onsite standby power supply is satisfactory.
As described by TVA, there is no block loading of loads onto the buses, other than the 480-V ac shutdown board transformers, once load shedding has occurred, when supplied by the onsite standby power source. After the EDG is started and proper voltage and frequency is verified, the loads are sequenced onto the bus. The staff concludes that the scheme is acceptable, since double sequencing of the loads or block loading will not result in unintended consequences.
14-4 In its July 31, 2010, letter, TVA also justified its deletion of the requirement to demonstrate that manual and automatic transfer schemes operate in accordance with design drawings.
TVA stated that this test is currently performed for both units every 18 months, in accordance with TS SR 3.8.1.8, Furthermore, WVA stated that loads will be added to the 6.9-kV shutdown boards in WBN Unit 2 as a result of the startup of WBN Unit 2 and these boards will be tested under WBN procedures 2-PTI-262-01 and 2-PTI-262-02 (Unit 2 Integrated Safeguards Test, Train 2A and 2B, respectively) for the loss of voltage and degraded voltage transfer schemes. The staff verified that TVA made appropriate changes in FSAR Amendment 100 to reflect the testing requirements.
The staff concludes that TVA's response is acceptable because WVA stated that the TS SR will include the 6.9-kV shutdown board loads, and appropriate testing will be conducted before the startup of WBN Unit 2.(4) In FSAR Amendment 97, WVA deleted the requirement to verify Item 2 under the acceptance criteria of Table 14.2-1, Sheet 49 of 89, "AC Power Distribution System Test Summary." The staff requested in RAI EQVB 14.2-3 that TVA (1) provide a justification for why this test is not required for the start of WBN Unit 2 and (2) describe how the loads of WBN Unit 2 are addressed with respect to the capability of the manual and automatic transfer schemes for the ac power distribution system between onsite (standby) diesels units from normal or alternate supply for dual-unit operation.
In its response to the NRC dated July 31, 2010, TVA stated that the following:
This test will be performed by 2-PTI-262-01 (Unit 2 Integrated Safeguards Test, Train 2A) and 2-PTI-262-02 (Unit 2 Integrated Safeguards Test, Train 2B). Amendment 100 to the Unit 2 FSAR will add item 2, "Power supply to safety related loads will automatically and manually transfer to the onsite (standby) diesel units from the normal or alternate supply or manually from the diesel generator units back to the normal or alternate supply as described by FSAR Section 8.3.1" back to Table 14.2-1, Sheet 49.The staff verified the change in FSAR Amendment 100. In its letter dated July 31, 2010, TVA stated that startup and operation of WBN Unit 2 will be the same as WBN, Unit 1;thus, no design changes to the transfer schemes are planned. The only change in loading is the addition of WBN Unit 2 loads not previously included and tested with WBN Unit 1. Since these tests will be conducted before startup of WBN Unit 2 to verify the capability of the manual and automatic transfer schemes for the ac power distribution system between onsite (standby) diesel units from normal or alternate supply for dual-unit operation, the staff concludes that TVA's response is acceptable.
(5) In FSAR Amendment 97, TVA revised the test objective in Table 14.2-2, Sheet 13 of 39,"Pressurizer Spray Capability and Continuous Spray Flow Setting Test Summary," to remove performance of the test during a plant trip from 100-percent power. In response to RAI 14-2, TVA stated in a letter to the NRC, dated June 3, 2010, the following basis for removing the test: Performance of the Pressurizer Spray Capability and Continuous Spray Flow Setting test, Sheet 13 of 39, from a plant trip at 100 percent power, was modified to remove the 100 percent power requirement.
An editorial error introduced in Unit 1 FSAR Amendment 91 was subsequently 14-5 corrected by deleting the performance of the test during a plant trip at 100 percent power. The Unit 2 FSAR was revised to be consistent with Unit 1. The Unit 1 test was performed in 1-PAT-3.2 with the prerequisite condition of MODE 3 prior to initial criticality.
Based on its review of the information provided by TVA, the staff concludes that TVA's response is acceptable.
(6) In FSAR Amendment 97, TVA deleted much of the description in the "Test Method" and"Acceptance Criteria" sections of Table 14.2-1, Sheet 13 of 89, "Fire Protection System Test Summary." The staff requested that TVA provide its basis for the revision.
In its letter to the NRC dated June 3, 2010, TVA stated that it revised the test to identify the test scope remaining for WBN Unit 2. This scope includes the WBN Unit 2 annulus;reactor building; and 713-foot elevation containment purge air exhaust filters, fans, and control station. Other common piping and equipment from WBN Unit 2 were turned over to WBN Unit 1 responsibility.
Since much of the common equipment is now under the scope of WBN Unit 1 and TVA changed the description in the WBN Unit 2 FSAR to reflect the actual scope for WBN Unit 2 the staff concludes that TVA's response is acceptable.
(7) In FSAR Amendment 97, TVA deleted much of the description in the "Test Method" and"Acceptance Criteria" sections of Table 14.2-1, Sheets 44-46 of 89, "Diesel Generators Test Summary." Specifically, TVA deleted the requirements to verify Items 1-5 under"Test Method," on Sheet 44 of 89. The staff requested in RAI EQVB 14.2-4 that TVA (1) justify why these tests are not required for the start of WBN Unit 2 (2) summarize the impact of dual-unit operation on these tests for the WBN Unit 2 DGs, if these tests are currently being performed under the WBN Unit 1 TS SRs, and (3) identify the WBN Unit I TS surveillances that are currently being performed to accomplish these tests.In its letter to the NRC dated July 31, 2010, TVA provided the following response: 1. These tests were previously performed as part of declaring the DGs [diesel generators]
functional and operable for Unit 1 operation.
All four DGs were designated as required for Unit 1 operations.
- 2. Preop[erational]
testing for these Test Methods was completed for all DG systems and support systems on Unit 1. The DGs are being maintained operable per the Unit 1 TS, including surveillance requirements, for single unit operation.
- 3. In changing to a dual unit operation, the only impact on the current testing methodology is to add the Unit 2 loads not currently being tested and to revise the appropriate surveillance instructions.
Unit 2 preop testing will test the additional loads on the Unit 2 DGs to confirm design calculations.
- 4. The Unit 2 DGs will be tested again to account for the additional loading required for Unit 2 operations prior to being declared operable per the Unit 2 TS for Unit 2 operations.
The testing will 14-6 satisfy Unit 1 TS SRs during the Unit 2 preop testing in order to be able to call the Unit 2 DGs and Unit 2 Shutdown Boards TS operable for Unit I coming out of Unit I RF10 [refueling outage 10]. The Unit 2 PTIs [preoperational test instructions]
will contain all SRs required for Unit I and later Unit 2 SRs, as currently known.It is appropriate to not require the five items listed under Test Method due to the previous testing and acceptance for Unit I operations.
The Unit 2 DGs have been maintained operable per the Unit I TS since that acceptance testing. The only impact on the Unit 2 DGs due to dual unit operations is the new Unit 2 loads that will be added to the DG.Integrated Safeguards testing for Unit 2 operations will retest the Unit 2 DGs and 6.9 kV Shutdown Boards to ensure the components will fulfill their required safety function as well as all design features.In its response, TVA also referenced the applicable preoperational test instructions (PTIs) and surveillance tests for the DGs. Based on the information provided by WVA, the staff concludes that reasonable justification exists to omit Items 1-5 under "Test Method" on Table 14.2-1, Sheet 44 of 89; therefore, TVA's response is acceptable.
(8) In FSAR Amendment 97, TVA deleted the requirement to verify Item 10 under "Test Method,' in Table 14.2-1, Sheet 45 of 89, "Diesel Generator Test Summary." Item 10 related to the 24-hour DG loading test. The staff requested, in RAI EQVB-14.2-5, that TVA (1) confirm that WBN Unit 1 TS SR 3.8.1.14 accomplishes this test, if this test is currently performed on WBN Unit 2 DGs under the requirements of WBN Unit 1 TS SR 3.8.1.14.
and (2) confirm that this surveillance, performed for verifying the capacity of the WBN Unit 2 DGs, envelops the design-basis accident loads of WBN Unit 2 plus the power required for the WBN Unit I loads.In its letter to the NRC dated July 31, 2010, TVA stated the following:
0-SI-82-15 (24 Hour Load Run-DG 2A-A) and 0-SI-82-16 (24 Hour Load Run-DG 2B-B) are performed to satisfy Unit I TS SR 3.8.1.14 requirements.
This TS SR has a frequency of 18 months and may be performed anytime in Modes I through 4, if required.
This 24-hour test fulfills the requirements of the items mentioned in Test Method 10.The capacity of the Unit 2 diesel generators to envelope the Unit 2 design-basis accident (DBA) loads plus the common (shared) Unit 1 loads will be demonstrated by tests 2-PTI-262-01 (Unit 2 Integrated Safeguards Test, Train 2A) and 2-PTI-262-02 (Unit 2 Integrated Safeguards Test, Train 2B).Since the DG tests are currently performed under the WBN Unit I TS and TVA stated that it will perform the tests before the startup of WBN Unit 2 to verify that the DGs can perform their intended safety function, the staff concludes that TVA's response is acceptable.
(9) During its review, the staff noted that Table 14.2-1, Sheets 44-46 of 89, do not list a test to verify that the WBN Unit 2 DG automatic trip is bypassed upon an automatic or 14-7 emergency start signal, except for engine overspeed and generator differential current.The staff requested in RAI EQVB 14.2-6 that TVA discuss why the test is not required before the startup of WBN Unit 2. The staff also requested that TVA identify the WBN Unit 1 TS SR that accomplishes the test on the WBN Unit 2 DGs, if it is currently performed.
In its letter to the NRC dated July 31, 2010, TVA responded as follows, Currently, surveillances performed by Unit 1 per 0-SI-82-3 (18 Month Loss of Offsite Power With Safety Injection-DG 1-AA) and 0-SI-82-4 (18 Month Loss of Offsite Power With Safety Injection-DG 1-BB) check the engine and generator trips are disconnected as required every 18 months. When the new surveillances for Unit 2 (i.e., 2-SI-82-5, and 2-SI-82-6) are written, the Unit 2 DG checks will be removed from the Unit I surveillances.
This feature will also be verified as part of 2-PTI-262-01 (Unit 2 Integrated Safeguards Test, Train 2A) and 2-PTI-262-02 (Unit 2 Integrated Safeguards Test, Train 2B).To be in compliance with RG 1.9 and System Description N3-82-4002 (Standby Diesel Generator System), Amendment 100 to the Unit 2 FSAR will add a requirement to Table 14.2-1 to test the features.
The current Unit 1 TS SRs are applied to both the Unit 1 and the Unit 2 diesel generators.
Unit 2 is tested to the same requirements as Unit 1 (i.e., TS SR 3.8.1.13).
The staff verified that TVA added the above test requirement in Amendment 100 to the WBN Unit 2 FSAR. Since the test is currently performed under the WBN Unit 1 TS and TVA stated in its letter dated July 31, 2010, that the test will be performed before the startup of WBN Unit 2 the staff concludes that TVA's response is acceptable.
14.2.2 Conformance with NRC Regulatory Guides (1) In FSAR Amendment 97, Section 14.2.7, "Conformance of Test Programs with Regulatory Guides," paragraph 14.2.7(4)(A)(1-4), TVA proposed to take certain exceptions or alternate approaches to Regulatory Position C. 1 of RG 1.68, Revision 2, which included some provisions that did not apply to the design of WBN, some provisions that were tested in programs or surveillances other than the power ascension program, and some provisions that were tested in the preoperational phase rather than in the ITP. The NRC staff reviewed the exceptions and alternate approaches listed in paragraph 14.2.7(4)(A)(1-4) of the FSAR and noted that the staff had previously reviewed and satisfactorily resolved the issues, as documented in Section 14.2 of earlier SSERs, including, most recently, SSER 19 (issued November 1995), SSER 18 (issued October 1995), SSER 16 (issued September 1995), and SSER 14 (issued December 1994). The staff's previous evaluations of these issues are valid for WBN.Unit 2.In FSAR Amendment 97, WVA deleted Section 14.2.7(4)(B), which included a previously approved exception to Regulatory Position C.4 of RG 1.68, Revision 2, regarding when test procedures must be made available to the NRC staff for review before conducting 14-8 the tests. Section 14.2.2, "Conformance with Regulatory Guides," of SSER 12, issued October 1993, previously discussed the issue of when test procedures must be made available to the NRC staff. TVA resolved the issue by revising FSAR Section 14.2.7.4.b in FSAR Amendment 74, dated May 21, 1993, to state that "preoperational test procedures for satisfying FSAR testing commitments will be made available for NRC inspection approximately 30 days preceding their intended use, and that power ascension tests will be made available to the NRC 60 days preceding fuel load, in accordance with SSER 3." The staff found TVA's revision in FSAR Amendment 74 acceptable, as documented in SSER 12.In FSAR Amendment 97, TVA relocated and modified the provision in Section 14.2.7(4)(B) to FSAR Section 14.2.11, "Test Program Schedule." TVA stated that "approved preoperational test procedures for satisfying FSAR testing commitments will be made available to NRC regional personnel a minimum of 60 days prior to their intended use; and 60 days prior to fuel load for power ascension tests." Based on its review, the staff concludes that IVA's revision to the FSAR complies with Regulatory Position C.4 of RG 1.68 and is therefore acceptable.
(2) In FSAR Section 14.2.7, TVA stated that the ITP complies with the requirements of RG 1.68, Revision 2, "with the following exceptions and/or alternate approaches." Section 5 of RG 1.68 lists the following test as one that should be included in the power-ascension test phase: "bb. Conduct neutron and gamma radiation surveys to establish the adequacy of shielding and identify high-radiation zones as defined in 10 CFR Part 20." FSAR Table 14.2-2, Sheet 18, "Radiation Baseline Survey Test Summary," summarizes the test to be performed, but does not commit to any regulatory guidance or standards for conducting the test.Section C.3 of RG 1.69, "Concrete Radiation Shields and Generic Shield Testing for Nuclear Power Plants," Revision 1, issued May 2009, endorses American National Standards Institute/American Nuclear Society (ANSI/ANS)-6.3.1-1987; R2007, "Program for Testing Radiation Shields in Light Water Reactors (LWR)," which describes a test program to be used in evaluating biological radiation shielding in nuclear reactor facilities under normal operating conditions, including anticipated operational occurrences.
The Commission, in the SRM for SECY-07-0096, directed the staff to encourage TVA to adopt updated standards for WBN Unit 2 when it would not significantly detract from design and operational consistency between WBN Unit 1 and WBN Unit 2. Conducting the test program in accordance with ANSI/ANS-6.3.1 would substantially improve confidence that the WBN Unit 2 shielding results in exposures to personnel that are as low as reasonably achievable, as well as confidence in the assumptions used by TVA in equipment qualifications.
In a letter to TVA dated September 8, 2010, the staff requested that TVA evaluate conducting its radiation baseline survey test in accordance with ANSI/ANS-6.3.1-1987; R2007, or otherwise show how the specified test program significantly detracts from design or operational consistency between the two units. In its letter to the NRC dated November 9, 2010, TVA responded as follows: The Radiation Baseline Survey Test for Unit 2 will be performed consistent with the test performed for Unit 1, RCI-1 26 (Radiation Baseline Survey). RCI-126 listed ANSI/ANS-6.3.1-1987, "Program for Testing Radiation Shields in Light Water Reactors (LWR)" as a developmental reference.
This test will satisfy the requirements of this document.14-9 Since TVA stated that it will conduct the radiation baseline survey test in accordance with an NRC-endorsed standard, the staff concludes that TVA's response is acceptable.
(3) In FSAR Section 14.2.7, TVA stated that the ITP will comply fully with the requirements of RG 1.41, "Preoperational Testing of Redundant On-site Electric Power Systems to Verify Proper Load Group Assignments," as discussed in FSAR Section 8.1.5.3. This section of the FSAR states that TVA fully complies with RG 1.41, Revision 0. In response to questions from the staff, TVA provided additional information in a letter to the NRC dated September 17, 2010, regarding its approach to performing this testing for WBN Unit 2. TVA stated that it verified the independence of the electrical distribution system from each of the EDGs to its respective 6.9-kV shutdown board and from the 6.9-kV shutdown boards to WBN Unit 1 and common respective loads required for operation of WBN Unit 1 during the WBN Unit 1 preoperational testing, in accordance with 1-PTI-262-01, "Unit 1 Integrated Safeguards Test." Accordingly, the WBN Unit 2 testing will only need to test those WBN Unit 2 loads that were not previously connected or tested to demonstrate functional independence during simulated accident conditions.
Since onsite power system is a shared system, the staff agrees with TVA that, for WBN Unit 2 TVA satisfies the requirements of RG 1.41 by (a) the previous performance of the WBN Unit 1 independence load group tests in I -PTI-262-01 and (2) the remaining testing of the WBN Unit 2 equipment that was not tested during the WBN Unit I preoperational testing, in accordance with 2-PTI-262-01 and 2-PTI-262-02.
TVA also discussed in its letter dated September 17, 2010, that it verified the onsite power system's train separation, independence, and redundancy through other system functional checks and operational tests. Therefore, the staff concludes that, to satisfy the requirements of RG 1.41, the only WBN Unit 2 equipment to be tested will be those WBN Unit 2 loads that were not previously connected or tested to demonstrate functional independence during simulated accident conditions.
14.2.3 Conclusions Section 1.7 of SSER 21 lists FSAR Section 14.0.0 as "Open (Inspection)." The staff performed its review for WBN Unit 2 using the information provided by TVA in FSAR Amendments 97 through 102. Based on its review of the information provided by TVA, as described above, and its previous review, as documented in the SER and its supplements, the staff concludes that the ITP description contained in Chapter 14 of the WBN Unit 2 FSAR, as updated through Amendment 102, is comprehensive and encompasses the major phases of the testing program requirements prescribed by various guidance documents, including the SRP and RG 1.70, Revision 3.14-10 21 FINANCIAL QUALIFICATIONS 21.1 TVA Financial Qualifications for WBN Unit 2 By letter dated May 13, 2010, as supplemented on July 29, 2010, and February 22, 2011, the Tennessee Valley Authority (TVA) submitted antitrust information to the U.S. Nuclear Regulatory Commission (NRC) in conjunction with its updated application for an operating license for Watts Bar Nuclear Plant (WBN) Unit 2.Pursuant to the antitrust review of the information for WBN Unit 2, the Director of the Office of Nuclear Reactor Regulation has made a finding in accordance with Section 105c(2) of the Atomic Energy Act of 1954, as amended, that no significant antitrust changes have occurred subsequent to the previous antitrust construction permit review.The NRC staff's review and recommendation related to the finding of no significant antitrust changes were provided by letter to TVA dated March 22, 2011 (ADAMS Accession No.ML1 10260321), and the Director's Decision was published in the Federal Register on March 28, 2011 (76 FR 17160).A copy of the Director's Decision is provided in Appendix AA of this SSER for information.
21-1
APPENDIX A CHRONOLOGY OF RADIOLOGICAL REVIEW OF WATTS BAR NUCLEAR PLANT, UNIT 2, OPERATING LICENSE REVIEW Public correspondence exchanged between the NRC and TVA during the review of the operating license application for Watts Bar Nuclear Plant (WBN), Units 1 and 2, is available through the NRC's Agencywide Documents Access and Management System (ADAMS) or the Public Document Room (PDR). This correspondence includes that occurring subsequent to TVA's letter notifying the NRC of its decision to reactivate construction of WBN Unit 2, which had been in a deferred status under the Commission's Policy Statement on Deferred Plants.Web-based ADAMS (WBA) is the latest interface to ADAMS introduced in October 2010. This powerful, versatile, and easy-to-use search engine enables searching the ADAMS repository of official agency records (Publicly Available Records System (PARS) and Public Legacy libraries) for publicly available regulatory guides, NUREG-series reports, inspection reports, Commission documents, correspondence, and other regulatory and technical documents written by NRC staff, contractors, and licensees.
WBA permits full-text searching and enables users to view document images, download files, and print locally. New documents become accessible on the day they are published, and are released periodically throughout the day. ADAMS documents are provided in Adobe Portable Document Format (PDF).The NRC PDR reference staff is available to assist with ADAMS. Contact information for the PDR staff is on the NRC Web site at http://www.nrc.,ov/readin-q-rm/contact-pdr.html.
A-1
APPENDIX C NUCLEAR REGULATORY COMMISSION UNRESOLVED SAFETY ISSUES Section 210 of the Energy Reorganization Act of 1974, as amended, states, in part, The Commission shall develop a plan for providing for specification and analysis of unresolved safety issues relating to nuclear reactors and shall take such action as may be necessary to implement corrective measures with respect to such issues.The NRC staff continuously evaluates the safety requirements used in its review against new information as it becomes available.
In some cases, the staff takes immediate action or interim measures to ensure safety. In most cases, however, the initial assessment indicates that immediate licensing actions or changes in licensing criteria are not necessary.
In any event, further study may be deemed appropriate to make judgments as to whether existing requirements should be modified.
The issues being studied are sometimes called generic safety issues because they are related to a particular class or type of nuclear facility.The NRC staff documented its original review of Unresolved Safety Issues (USIs) for Watts Bar Nuclear Plant (WBN), Units 1 and 2, in Appendix C to the safety evaluation report (SER;NUREG-0847, June 1982). A discussion of the status of resolution of these generic issues for TVA's application for an operating license for WBN Unit 2 is provided below.Task A-i: Water Hammer The NRC staff evaluated the USI for water hammer for Watts Bar Nuclear Plant (WBN), Units 1 and 2, as documented in the safety evaluation report (SER) (Appendix C to NUREG-0847, June 1982), and concluded that WBN Units 1 and 2 can be operated before the ultimate resolution of this generic issue without undue risk to the health and safety of the public. The SER states that if Task A-1 identifies some other potentially significant water hammer scenarios that have not explicitly been accounted for in the design and operation of WBN Units 1 and 2, corrective measures will be required at that time.The NRC staff supplemented the SER in June 1995 (NUREG-0847, Supplement 15; SSER 15), indicating that the generic issue of water hammer was specifically resolved for WBN Units 1 and 2 in Appendix C to the SER, and was generically resolved in March 1984 with issuance of NUREG-0927, "Evaluation of Water Hammer Occurrence in Nuclear Power Plants -Technical Findings Relative to Unresolved Safety Issue A-1 ." SSER 15 also stated that the Standard Review Plan (NUREG-0800) was revised to ensure that future plants (those that request construction permits after 1984) would incorporate design improvements for the resolution of this issue. SSER 15 concluded that the NRC staffs evaluation in Appendix C of the SER still stands with no need for additional action, and the issue was closed for WBN.In its letter dated September 26, 2008 (ADAMS Accession No. ML082750019), TVA stated that this USI was specifically resolved for WBN in Appendix C and sections 10.4.7 and 10.4.9 of the SER, and the issue is considered closed for WBN Unit 2.C-1 In its letter dated January 25, 2011 (ADAMS Accession No. ML1 10250678), TVA stated that WBN Unit 2 continues to utilize the same design principles and transient evaluations as used for WBN Unit 1. The WBN Unit 2 pre-operational test program will demonstrate piping vibration in accordance with the requirements of Regulatory Guide 1.68.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, this USI is considered closed.Task A-2: Asymmetric Blowdown Loads on Reactor Prmary Coolant Systems As documented in Appendix C to the SER, the NRC staff issued NUREG-0609,"Asymmetric Blowdown Loads on PWR Primary Systems," which provided the proposed resolution to this USI.In SSER 15, dated June 1995, the NRC staff stated that this issue led to a revision of 10 CFR Part 50, Appendix A, General Design Criterion
- 4. As a result, upon the applicant's requests, the staff approved leak-before-break analyses applied to the reactor coolant system primary loop piping (see Appendix J of SSER 5, dated November 1990) and the pressurizer surge line (see Section 3.6.3 of SSER 12, dated October 1993). SSER 15 also stated that TVA has accordingly revised the FSAR, and the issue is resolved for WBN Units I and 2.In its letter dated September 26, 2008, TVA stated that, A Safety Evaluation in Appendix J of SSER5 approved elimination of postulated primary loop pipe ruptures as a design basis for both units. In SSER5 the NRC concluded that the probability or likelihood of large pipe breaks occurring in the primary coolant system loops of WBN Units 1 and 2 was sufficiently low such that dynamic effects associated with postulated pipe breaks need not be a design basis. The staff concluded in SSER12 (section 3.6.3) that WVA could eliminate pressurizer surge line rupture from the design basis for Units 1 and 2. The FSAR was revised to reflect the specific application.
This issue is closed for WBN Unit 2.In its letter dated January 25, 2011, TVA stated that The Unit 1 and Unit 2 reactor vessels and reactor coolant systems are of an identical design, and the Unit 2 components will be operated at the same thermal-hydraulic conditions; therefore, the basis for closure remains valid for Unit 2.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, this USI is considered closed.Task A-3: Westinghouse Steam Generator Tube Integrity In Appendix C to the SER, the NRC staff stated that TVA has employed specific measures, as described in Section 10.2 of the SER, such as steam generator (SG) design features and a secondary water chemistry control and monitoring program, to minimize the onset of SG tube problems at WBN Units I and 2. In addition, in-service inspection requirements were described in Section 5.4.2 of the SER. Therefore, TVA met all of the requirements regarding SG tube C-2 integrity known at the time SER was issued. WVA committed to include requirements in the Technical Specifications for actions to be taken in the event that SG tube leakage occurs during plant operation.
However, the SER recognized the fact that the Model D-3 SG design, used at WBN Units 1 and 2, has the potential for tube degradation caused by flow-induced vibration in the preheater section for power levels greater than 50 percent. This concern was originally identified at foreign facilities.
The staff expected WVA to incorporate Westinghouse guidance into procedures, controls, and any necessary hardware modifications before plant startup, and that TVA would give special attention during preoperational testing to tube vibration and potential wear as a result of movement in the tube support sheets and antivibration bars. The NRC staff concluded that WBN Units 1 and 2 can be operated before ultimate resolution of this generic issue without undue risk to the health and safety of the public, with the exception of the concern regarding tube degradation potential in the preheater section of the Model D-3 SGs for power levels greater than 50 percent.SSER 4, dated March 1985, stated that the staff has reviewed the additional information for Model D-3 SGs and concluded that the modifications to the Model D-3 SGs at WBN Units I and 2 are acceptable and the plant can be operated at 100 percent power.SSER 15, dated June 1995, stated that the staff had issued NUREG-0844, "NRC Integrated Program for the Resolution of Unresolved Safety Issues A-3, A-4, and A-5 Regarding Steam Generator Tube Integrity," September 1988, and concluded that risk from SG tube rupture events is not a significant contributor to total risk at a given site, nor to the total risk to which the general public is routinely exposed. The SER concluded that no plant-specific action is needed at WBN, and the issue is considered complete.In its letter dated September 26, 2008, TVA restated the conclusions from the NRC staff evaluations and stated that TVA has implemented the plant modifications to address the issue of Model D-3 SGs. TVA also stated it responded to Generic Letter (GL) 85-02, "Staff Recommended Actions Stemming from NRC Integrated Program for the Resolution of Unresolved Safety Issues Regarding Steam Generator Tube Integrity," on June 17, 1985, and that the GL is closed with a required action to perform steam generator inspections.
In its letter dated January 25, 2011, TVA stated Unit 2 utilizes model D-3 steam generators as reviewed in SSER 4 with no changes to the steam generator tubes; therefore, the basis for closure remains valid for Unit 2. Further, Unit 2 adopted Steam Generator Tube Integrity TSTF[Technical Specifications Task Force traveler]
-442 in the Unit 2 Technical Specifications.
The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, this USI is considered closed with a required action to perform steam generator inspections.
A-9: Anticipated Transient Without Scram (ATWS)In Appendix C to the SER, the NRC staff stated that NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," has been issued and provides the proposed resolution to this USI.C-3 SSER 15, dated June 1995, stated that this issue was resolved for WBN Units 1 and 2 in Appendix W, "Compliance with ATWS Rule 10 CFR 50.62," of SSER 9, dated June 1992. The NRC stated that currently there is no existing guidance on ATWS equipment technical specifications (TSs) and that the WBN Units 1 and 2 TSs will be modified to incorporate the guidance developed in the future.In its letter dated September 26, 2008, WVA stated that this issue is closed with a required action to address in TSs, as appropriate.
In Enclosure 1 of its letter dated March 13, 2008 (ADAMS Accession No. ML080770237), TVA listed an action required for licensing to "Address ATWS Mitigation System Actuation Circuitry in Technical Specifications as appropriate on or before March 26, 2010." In its letter dated January 25, 2011 (ADAMS Accession No.ML1 10250678), TVA stated that, The SER evaluated the ATWS Mitigating System Actuation Circuitry (AMSAC)design for both Unit I and Unit 2 and found them to be acceptable.
In September 2000, Unit I replaced the digital system with a relay based analog system. This change was performed under 10 CFR 50.59. Unit 2 is installing a similar relay based analog system. The Unit I hardware change resulted in no changes in the setpoints or operation of the Unit I AMSAC circuitry.
Therefore, the basis for closure remains valid for Unit 2.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, and will address the final resolution in the WBN Unit 2 TSs, this USI is considered closed with a required action to address the issue in TSs, as appropriate.
A-11: Reactor Vessel Materials Toughness In Appendix C to the SER, the NRC staff stated that the WBN Unit 2 reactor vessel meets the fracture toughness requirements of Appendix G to 10 CFR Part 50 and is expected to meet the specified safety margins through its life.In its letter dated September 26, 2008, WVA stated In Appendix C of the SER, NRC staff concluded that the WBN Unit 2 reactor vessel meets 10 CFR 50 Appendix G requirements.
This issue is closed for WBN Unit 2.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed.A-12: Fracture Toughness of Steam Generator and Reactor Coolant Pump Supports In Appendix C to the SER, the NRC staff stated that it was necessary to reassess the fracture toughness of the SG and reactor coolant pump support materials for all the operating pressurized-water reactor (PWR) plants and those in Construction Permit and Operating License review due to questions identified at North Anna Power Station. NUREG-0577,"Potential for Low Fracture Toughness and Lamellar Tearing on PWR Steam Generator and Reactor Coolant Pump Supports," which summarized the NRC's work toward resolution of the issue, was issued for public comment in November 1979. The NRC staff stated that after C-4 completing its review and analysis of the comments, the staff would issue the final version of NUREG-0577, which would include a full discussion and resolution of the comments and a final plan for implementation.
The NRC staff stated that support failures from inadequate fracture toughness are not expected to occur except for unlikely combinations of certain conditions, as described in the SER, and concluded that there is reasonable assurance that WBN can be operated before ultimate resolution of this generic issue without endangering the health and safety of the public. Additional research was recommended to provide a more definitive and complete evaluation of the importance of lamellar tearing to the structural integrity of the nuclear power plant support systems.In its letter dated September 26, 2008, TVA stated for this USI, Resolved by GL 80-46/47 -Generic Technical Activity A-12, "Fracture Toughness and Additional Guidance on Potential for Low Fracture Toughness and Laminar Tearing on PWR Steam Generator Coolant Pump Supports." No response was required for this GL, and NUREG-0577, "Potential for Low Fracture Toughness and Lamellar Tearing on PWR Steam Generator and Reactor Coolant Pump Supports," states that the lamellar tearing aspect of this issue was resolved by the NUREG. Further, the NUREG states that for plants under review, the fracture toughness issue was resolved.
This issue is closed for WBN Unit 2.Based on the conclusions of NUREG-0577, this USI is resolved for WBN Unit 2, and the issue is considered closed.A-17: System Interactions in Nuclear Power Plants As documented in Appendix C to the SER, the NRC staff reviewed potential adverse system interactions for safety significance and generic implications, based on the fault tree analysis of WBN performed by Sandia Laboratories.
In the SER, the staff concluded that no corrective measures needed to be implemented immediately, except for the potential interaction between the power-operated relief valve (PORV) and its block valve. Since TVA was in the process of implementing corrective measures to address interaction between the PORV and its block valve as a result of evaluations done of the TMI-2 accident, no separate measures were needed for this USI. The SER further stated the NRC staff would determine whether WVA must perform further evaluations for adverse system interactions after the final resolution of this USI.In SSER 15, dated June 1995, the NRC staff stated that this issue was resolved by GL 89-18 and required no action by licensees.
In its letter dated September 26, 2008, TVA stated that GL 89-18 resolved this issue and required no licensee action, and the issue is closed for WBN Unit 2. The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed.A-24: Environmental Qualification of Safety-Related Electrical Equipment In SSER 15, dated June 1995, the NRC staff stated that it had completed review of the equipment environmental qualification program for WBN Unit I and the USI was resolved for Unit 1.C-5 In its letter dated September 26, 2008, TVA stated that this USI is still open for WBN Unit 2. In its letter dated January 25, 2011, TVA stated that, Unit 2 provides the environmental qualification (EQ) of electrical equipment to the same requirements as used for Unit 1. The Unit 2 procedures likewise implement the WBN EQ process; therefore, the basis for closure remains valid for Unit 2.Therefore, the USI for environmental qualification of safety-related electrical equipment remains open for WBN Unit 2.A-26: Reactor Vessel Pressure Transient Protection As documented in Appendix C to the SER, the NRC staff stated that NUREG-0224,"Reactor Vessel Pressure Transient Protection for Pressurized Water Reactors," and RSB[Reactor Systems Branch] BTP [Branch Technical Position]
5-2 provide the proposed resolution to this USI.SSER 15, dated June 1995, stated that resolution of this USI was documented in SER Section 5.2.2, "Overpressure Protection," in SER Section 7.6.5, "Overpressure Protection During Low Temperature Operation," and in SSER 7, dated September 1991, Section 8.3.3.4, "Compliance with NUREG-0737 Items." SSER 15 also states that the staff found TVA's response to GL 88-11, "NRC Position on Radiation Embrittlement of Reactor Vessel Materials and its Impact on Plant Operations," acceptable, and the issue was complete for WBN.In its letter dated September 26, 2008, TVA stated that, NRC approved in SSER2 (see Section 5.2.2, "Overpressure Protection").
GL 88-11, "NRC Position on Radiation Embrittlement of Reactor Vessel Material and its Impact on Plant Operations," provided additional guidance.
NRC accepted WBN approach by letter dated June 29, 1989, for both units. GL 88-11 is closed I implementation, with a required action to submit pressure temperature curves.In its letter dated January 25, 2011, TVA stated that, Unit 2 contains the same design safety valves and power operated relief valves (PORVs) used on Unit 1. For Unit 2, the Unit 1 Cold Over Pressure Mitigation System (COMS) analog actuation circuitry has been replaced by a digital distributed control system (DCS). The DCS uses the same inputs and duplicates the function of the Unit 1 analog controls in software.
As described in Unit 2 FSAR Amendment 102, Sections 7.7.1.11 and 5.2.2.4.1, the DCS provides redundant processors and other enhancements which improve COMS reliability.
The valves and actuation circuitry will be tested in the same manner as used in Unit 1; therefore, the basis for closure remains valid for Unit 2.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed with a required action by TVA to submit pressure temperature curves for NRC staff review and approval prior to fuel load of WBN Unit 2.C-6 A-31: Residual Heat Removal Shutdown Requirements In Appendix C to the SER, the NRC staff stated that NUREG-0800 (Section 5.4.7 and BTP 5-1,"Residual Heat Removal Systems")
incorporates the requirements of USI A-31 and provide the proposed resolution to this USI.SSER 15, dated June 1995, stated that the resolution to this issue was documented in SER Section 5.4.3, "Residual Heat Removal System," and in SSER 5, dated November 1990, and the issue is resolved for WBN.In its letter dated September 26, 2008, TVA stated that the issue is considered closed with a required action to verify installation of an RHR [residual heat removal] flow alarm to alert the operator to initiate alternate cooling modes in the event of loss of RHR pump suction. In its letter dated January 25, 2011, TVA stated that the WBN Unit 2 RHR system design is the same as for Unit 1; therefore, the basis for closure of this URI for WBN Unit 2 remains valid..The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed with a required action by TVA to verify installation of an RHR flow alarm to alert the operator to initiate alternate cooling modes in the event of loss of RHR pump suction for WBN Unit 2.A-36: Control of Heavy Loads Near Spent Fuel In Appendix C to the SER, the NRC staff stated that NUREG-0612, "Control of Heavy Loads at Nuclear Power Plants," provide the proposed resolution to this USI.SSER 15, dated June 1995, stated that the issue was resolved for WBN in SSER 13, dated April 1994, Section 9.1.4, "Fuel Handling System." In its letter dated September 26, 2008, TVA stated that, This USI was resolved with the issuance of GL 80-113. GL 80-113 was superseded by GL 81-07, "Control of Heavy Loads." GL 81-07 is closed I implementation, with a required action to be in compliance with NUREG-0612,"Control of Heavy Loads at Nuclear Power Plants." In its letter dated January 25, 2011, TVA stated that, For USI A-36 and Generic Letter 81-07, Unit 2 will utilize the same approach used for Unit I including implementation of the guidelines of NEI [Nuclear Energy Institute]
08-05 Rev. 0, Industry Initiative on the Control of Heavy Loads, as endorsed by the NRC per RIS [Regulatory Issue Summary] 2008-08.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed with a required action by TVA to implement the requirements of NUREG-0612 at WBN Unit 2.A-40: Seismic Design Criteria C-7 In Appendix C to the SER, the NRC staff stated that the seismic design basis and seismic design of WBN was evaluated at the operating license stage, and found acceptable.
The NRC staff did not expect the results of USI A-40 to affect these conclusions.
The SER stated that should the resolution of USI A-40 indicate a change is needed in licensing requirements, all operating reactors, including WBN, will be reevaluated on a case-by-case basis. The NRC staff concluded that WBN can be operated before the ultimate resolution of this generic USI without endangering the health and safety of the public.SSER 15, dated June 1995, stated that this USI was resolved for WBN Units 1 and 2 in SSER 7, dated September 1991, Section 3.7.3, "Seismic Subsystem Analysis." In its letter dated September 26, 2008, TVA stated that The USI was resolved and new requirements established by revisions to the NUREG-0800, "Standard Review Plan," Sections 2.5.2, 3.7.1, 3.7.2, and 3.7.3 in 1981. As part of the resolution of USI A-40, the method of analysis of above ground, flexible, vertical tanks was identified as a topic requiring technical resolution.
In SSER7, Section 3.7.3, "Seismic Subsystem Analysis," NRC found the criteria for evaluating the refueling water storage tank (RWST) met the requirements of SRP section 3.7.3. The staff concluded that the issue of wall flexibility was considered resolved.
The evaluation of RWST structural integrity was performed during a civil calculation audit as part of the Design Baseline Verification CAP [corrective action program].
This is an open CAP for WBN Unit 2.In its letter dated January 25, 2011, TVA has stated that This issue addresses the design of the refueling water storage tank. The Unit 1 and Unit 2 tanks were designed using the same criteria and design. The NRC closed the issue for WBN Unit 1 and 2 in SSER 7. The Unit 2 tank has not been modified; therefore, the basis for closure remains valid for Unit 2.WVA will meet the original design requirements for resolution of the USI on WBN Unit 2, however; the NRC staff concludes that final resolution to this URI remains open due to the open CAP verification.
A-43: Containment Emergency Sump Reliability In Appendix C to the SER, the NRC staff concluded that there was reasonable assurance that WBN can be operated before ultimate resolution of this generic issue without endangering the health and safety of the public.In its letter dated September 26, 2008, TVA described that the initial NRC review of the WBN Units I and 2 sump design against RG 1.82, Revision 0, is documented in SER Section 6.3.3.In GL 2004-02, "Potential Impact of Debris Blockage on Emergency Recirculation During Design Basis Accidents at Pressurized-Water Reactors," the NRC requested that licensees perform new, more realistic analysis to confirm functionality of emergency core cooling systems and containment spray systems during design basis accidents requiring recirculation operations.
The resolution to GL 2004-02 is still open and under review by the NRC staff. TVA stated that, C-8 Prior to fuel load, WBN Unit 2 will install new sump strainers identical to WBN Unit 1. As part of the modification, TVA will perform the necessary containment walkdowns and analysis (debris generation study, debris transport analysis, chemical effects and downstream effects analysis) for WBN Unit 2. TVA will inspect and repair service level I coatings and limit fibrous insulation to the extent practicable.
The programmatic controls that ensure potential sources of debris introduced into containment are assessed for potential adverse effects will be put in place prior to fuel load.The NRC performed an audit of the WBN Unit 1 sump evaluations and issued a final report by letter entitled "Watts Bar Nuclear Plant, Unit 1 -Audit Report of New Strainer Design in Response to Generic Letter 2004-02 and Generic Safety Issue -191" dated February 7, 2007. The letter concluded that "overall the staffs impression is that the WBN new sump modifications appear to be robust with sufficient design margin." In its letter dated January 25, 2011, TVA stated that, SSER 9 discussed the sump design. Unit 2 is utilizing the Unit I program and design changes as the basis for closure of this issue. The containment emergency sump screens are being replaced with new screens which are as large as the Unit 1 screens but employ an enhanced internal flow pattern and thus results in improved performance.
Unit 2 will have a conservatively lower fibrous material loading than Unit 1; therefore, the basis for closure remains valid for Unit 2.Based on the information above, TVA has stated that prior to fuel load, WBN Unit 2 will install new sump strainers identical to WBN Unit 1. As part of the modification, TVA will perform the necessary containment walkdowns and analysis (debris generation study, debris transport analysis, chemical effects and downstream effects analysis) for WBN Unit 2. TVA will inspect and repair service level I coatings and limit fibrous insulation to the extent practicable.
The programmatic controls that ensure potential sources of debris introduced into containment are assessed for potential adverse effects will be put in place prior to fuel load. This URI is open pending validation of these actions for WBN Unit 2 and resolution of GL 2004-02 for WBN Unit 2.A-44: Station Blackout In Appendix C to the SER, the NRC staff stated that USI A-44 involves a study of whether or not nuclear power plants should be designed to accommodate a complete loss of all alternating current (ac) power (i.e., loss of both the offsite and the onsite emergency diesel generator ac power supplies).
This issue arose because of operating experience regarding the reliability of ac power supplies.
A number of operating plants have experienced a total loss of offsite electrical power, and more occurrences are expected.As stated in the SER, a loss of all ac power was not a design-basis event for WBN.Nonetheless, a combination of design, operational, and testing requirements that have been imposed on the licensee to ensure that the units will have substantial resistance to a loss of all ac power and that, even if a loss of all ac should occur, there is reasonable assurance that the core will be cooled. Based on its review, as documented in Appendix C of the SER, the NRC C-9 staff concluded that there is reasonable assurance that WBN can be operated before the ultimate resolution of this generic issue without endangering the health and safety of the public.SSER 15, dated June 1995, stated that resolution of this USI led to revision of 10 CFR 50.63,"Loss of All Alternating Power." TVA proposed actions to meet the regulation, and the issue was resolved.In its letter dated January 25, 2011, TVA stated that, As addressed in SSER 13, the station blackout load profile has been changed to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> with manual load shedding after 30 minutes into the event. Battery sizing for this load profile has been completed.
The NRC documented its station blackout review in a letter dated March 18, 1993. The staff submitted supplement to that SER on September 9, 1993. The WBN site (Units 1 and 2)will maintain the 4-hour coping duration.
Battery sizing will be demonstrated to be acceptable for two units. Unit 2 will implement battery load shedding procedures similar to Unit 1 procedures; therefore, the basis for closure remains valid for Unit 2.The NRC staff concludes that since WVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed with a required action by TVA to implement the station blackout requirements for WBN Unit 2.A-45: Shutdown Decay Heat Removal Requirements In Appendix C to the SER, the NRC staff stated that this USI will evaluate the benefit of providing alternate means of decay heat removal which could substantially increase the plant's capability to handle a broader spectrum of transients and accidents.
Following the TMI-2 accident, the importance of the auxiliary feedwater (AFW) system was highlighted, and a number of steps were taken to improve the reliability of the AFW system.The staff's review of the AFW system is in SER Section 10.4.9. It was also stipulated that plants must be capable of providing the required AFW flow for at least 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> from one AFW pump train, independent of any ac power source (that is, if both offsite and onsite ac power sources are lost). PWRs also have an alternate means of removing decay heat if an extended loss of feedwater is postulated, called "feed and bleed," which uses the high pressure injection system to add feedwater (feed) to the primary system. Since decay heat increases the reactor coolant system pressure, energy is removed through the PORVs and/or the safety valves (bleed), as necessary.
At low primary system pressure (below about 200 psi), the long-term decay heat is removed by the RHR system to achieve cold shutdown conditions.
Based on the above, the staff concluded that WBN can be operated before ultimate resolution of this generic issue without endangering the health and safety of the public.SSER 15, dated June 1995, documented that SECY-88-260, "Shutdown Decay Heat Removal Requirements (USI A-45)," stated that resolution of this issue would be through plant-specific analyses under the Individual Plant Evaluation (IPE) program. SSER 15 also stated that GL 88-20 was issued to request plant-specific actions on IPE. IPE was resolved for WBN by NRC letter dated October 5, 1994 (ADAMS Accession No. ML073230696).
C-10 In its letter dated September 26, 2008, TVA stated that for WBN Unit 2, GL 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities," is open with a required action to perform the IPE for Unit 2.In its letter dated January 25, 2011, TVA stated that, As addressed in SSER 15, this action was tracked for Unit 1 under the Individual Plant Evaluation (IPE) program. Unit 2 has an IPE program for dual unit operation that will utilize the same criteria used previously for Unit 1 except it will consider dual unit operation.
Completion of the dual unit IPE will address the requirements of A-45; therefore, the basis for closure remains valid for Unit 2.TVA will meet the original design requirements for resolution of the USI on WBN Unit 2;however, the issue is open with a required action for TVA to perform the IPE for WBN Unit 2.A-46: Seismic Qualification of Equipment in Operating Plants In Appendix C to the SER, the NRC staff stated that its seismic qualification review team had performed the seismic qualification audit for WBN and that the staff would report the results of its audit in a supplement to the SER.Appendix C of SSER 3, dated January 1985, stated that the scope of USI A-46 is limited to the seismic qualification of currently operating plants, and the NRC staffs evaluation of the seismic qualification of equipment at WBN was discussed in Section 3.10 of SSER 3. It further stated that the evaluation for WBN will not be handled under USI A-46 because it is being handled on a case-by-case basis. SSER 3 stated that this USI should be deleted for WBN.Based on the above, USI A-46 does not apply to WBN Unit 2 and is closed.A-47: Safety Implications of Control Systems This issue concerns the potential for transients or accidents being made more severe as a result of control system failures or malfunctions.
In Appendix C to the SER, the NRC staff stated, The Watts Bar control and safety systems have been designed with the goal of ensuring that control system failures will not prevent automatic or manual initiation and operation of any safety system equipment required to trip the plant or to maintain the plant in a safe shutdown condition following any "anticipated operational occurrence" or "accident." This has been accomplished either by providing independence between safety and nonsafety systems or by providing isolating devices between safety and nonsafety systems. These devices preclude the propagation of nonsafety system equipment faults to the protection system. Also, to ensure that the operation of safety system equipment is not impaired, the single-failure criterion has been applied in the plant design. Design reviews are being performed (IE Bulletin 79-27) to ensure that the loading on certain Class 1 E power boards maintains the separation and independence of plant systems as designed.A systematic evaluation of the control system design, as contemplated for this USI, has not been performed to determine-whether postulated accidents could C-1l cause significant control system failures which would make the accident consequences more severe than presently analyzed.
However, a wide range of bounding transients and accidents is analyzed to ensure that the postulated events such as steam generator overfill and overcooling events would be adequately mitigated by the safety systems. In addition, systematic reviews of safety systems have been performed with the goal of ensuring that control system failures (single or multiple) will not defeat safety system action. These reviews are part of an ongoing evaluation program to qualify Class 1 E plant equipment to function for all postulated service conditions to which it is subjected.
Based on the above, the staff concluded that there is reasonable assurance that WBN can be operated before ultimate resolution of this generic issue without endangering the health and safety of the public.SSER 15, dated June 1995, stated that GL 89-19 communicated the required plant-specific actions to resolve this issue. The NRC staff accepted TVA's response; TVA stated that appropriate requirements will be incorporated into the WBN Unit 1 TSs and Technical Requirements Manual (TRM). The draft version of the TRM at that time contained requirements regarding isolation devices. SSER 15 stated that the issue was resolved for WBN Unit 1.In its letter dated September 26, 2008, TVA stated that, "For WBN Unit 2, GL 89-19 is closed I implementation, with a required action to perform evaluation of common mode failures due to fire." In its letter dated January 25, 2011, TVA stated that, "The Unit 2 TRM contains the same information as included in the current Unit 1 TRM; therefore, the basis for closure remains valid for Unit 2." Therefore, the NRC staff considers this URI closed with a required action by TVA to perform an evaluation of common mode failures due to fire.A-48: Hydrogen Control Measures and Effects of Hydrogen Bums on Safety Equipment Appendix C of SSER 15, dated June 1995, states that, Generic resolution of this issue was affected by issuance of the final rule, 10 CFR 50.44. This issue was resolved for Watts Bar in Section 6.2.5, "Combustible Gas Control Systems," of SSER 8 [January 1992], SSER 4 [March 1985], and the SER. The evaluation in SSER 8 specifically addressed compliance with 10 CFR 50.44.In its letter dated September 26, 2008, TVA stated that, Generic resolution was by rulemaking under 10 CFR 50.44. A-48 was resolved in SSER8. To meet the rule, a hydrogen-ignition system with igniters located throughout the containment is used. Hydrogen SRP Section 6.2.5 is Open. The hydrogen recombiners will be removed from the design and licensing basis based on 10 CFR 50.44 final rule, September 16, 2003.In its letter dated January 25, 2011, TVA stated that, As addressed in SSER 8, SSER 4, and the SER, Unit 2 utilizes the same design hydrogen igniters (including backup power supply), containment spray system, C-12 and containment structure as Unit 1; therefore, the basis for closure remains valid for Unit 2.Based on the above, the issue is open for WBN Unit 2 with a required action by TVA to remove the hydrogen recombiners from the design and licensing basis of WBN Unit 2, based on the requirements of 10 CFR 50.44.A-49: Pressurized Thermal Shock Appendix C to SSER 15, dated June 1995, stated that, Generic resolution of this issue was effected by issuance of the final rule, 10 CFR 50.61; Regulatory Guide 1.99, "Radiation Embrittlement of Reactor Vessel Materials;" and Generic Letters 88-11 and 92-01. The issue was resolved for Watts Bar by letter, S. C. Black to 0. D. Kingsley, June 29, 1989 (regarding Generic Letter 88-11); Section 5.3.1, "Reactor Vessel Materials," of SSER 11;Section 5.3.1 of SSER 14 (regarding 10 CFR Part 50 Appendix G and Generic Letter 92-01).In its letter dated September 26, 2008, TVA stated that the issue was generically resolved by rulemaking under 10 CFR 50.61, RG 1.99, and GLs 88-11 and 92-01. For WBN Unit 2, GL 92-01 is closed with a required action to submit pressure-temperature curves. In its letter dated January 25, 2011, TVA stated that WBN Unit 2 uses the same Regulatory Guidance as WBN Unit 1; therefore, the basis for closure of this USI for WBN Unit 2 remains the same.The NRC staff concludes that since TVA will meet the original design requirements for resolution of the USI on WBN Unit 2, the NRC staff considers this issue to be closed with a required action by TVA to submit pressure-temperature curves for WBN Unit 2.C-13
APPENDIX E PRINCIPAL CONTRIBUTORS TO SSER 22 AND 23 D. Allsopp, NRR/DIRS/IOLB C. Basavaraju, NRRPDE/EMCB J. Bettle, NRR/DSS/SCVB J. Billerbeck, NRR/DCI/CPTB L. Brown, NRR/DRAAADB N. Carte, NRRJDE/EICB S. Darbali, NRRJDE/EICB S. Gardocki, NRR/DSS/SBPB H. Garg, NRRPDEEICB L. Gibson, NRR/DORL/LPL4 V. Goel, NRR/DE/EEEB D. Hoang, NRR/DE/EMCB Y. Huang, NMSS/DSFST/LID W. Jessup, NRR/DE/EMCB S. Jones, NRRJDSS/SBPB W. Kemper, NRR/DE/EICB S. LaVie, NSIR/DPRJDDEP B. Lee, NRRJDSS/SCVB F. Lyon, NRRIDORL/LPWB K. Martin, NRRIDIRS/IHBP G. Matharu, NRRIDEEEEB M. McConnell, NRR/DE/EEEB T. McLellan, NRR/DCI/CVIB P. Milano, NRR/DORL/LPWB K. Miller, NRR/DE/EEEB R. Pettis, NRR/DE/EQVB J. Poehler, NRRJDCI/CVIB J. Poole, NRRJDORL/LPWB R. Pichumani, NRR/DE/EMCB P. Prescott, NRRJDE/EQVB G. Purciarello, NRRJDSS/SBPB L. Raghavan, NRRJDORL/LPWB D. Rahn, NRRJDE/EICB J. Raval, NRRJDSS/SCVB A. Sallman, NRR/DSS/SCVB S. Sheng, NRRJDCIICVIB G. Singh, NRR/DE/EICB E. Smith, NRR/DSS/SBPB J. Wiebe, NRRJDORL/LPWB M. Yoder, NRRPDCI/CSGB E-1
APPENDIX Z SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION PRESERVICE INSERVICE INSPECTION PROGRAM TENNESSEE VALLEY AUTHORITY WATTS BAR NUCLEAR PLANT, UNIT 2 DOCKET NO. 50-391
1.0 INTRODUCTION
By letter dated June 17, 2010, letter (Agencywide Documents Access and Management System (ADAMS) Accession No. ML101680561), the Tennessee Valley Authority (TVA, the applicant) provided Revision 3 of its Preservice Inspection (PSI) Program Plan to the U.S. Nuclear Regulatory Commission (NRC) staff for review, in accordance with Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Section 50.55a (Reference
- 1) for Watts Bar Nuclear Plant (WBN), Unit 2. TVA is required by the regulations at 10 CFR 50.55a(g)(2) to have a PSI Program Plan for WBN Unit 2 that meets the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code (Code),Section XI, inspection requirements.
In response to an NRC request for additional information (RAI), TVA provided additional information in its letter dated October 13, 2010 (ADAMS Accession No. MLI 02861846).
2.0 REGULATORY EVALUATION
The following General Design Criteria (GDC) found in 10 CFR Part 50, Appendix A, "General Design Criteria for Nuclear Power Plants," require that the respective safety systems be designed such that they permit periodic inspection, pressure testing and functional testing of the system components and piping: " GDC 32, "Inspection of Reactor Coolant Pressure Boundary"* GDC 36, "Inspection of Emergency Core Cooling System"* GDC 37, "Testing of Emergency Core Cooling System"" GDC 39, "Inspection of Containment Heat Removal System"* GDC 40, "Testing of Containment Heat Removal System"* GDC 42, "Inspection of Containment Atmosphere Cleanup Systems"" GDC 43, "Testing of Containment Atmosphere Cleanup Systems"" GDC 45, "Inspection of Cooling Water System"* GDC 46, "Testing of Cooling Water System" The regulations at 10 CFR 50.55a(g)(2) require that: For a boiling or pressurized water-cooled nuclear power facility whose construction permit was issued on or after January 1, 1971, but before July 1, 1974, components (including supports) which are classified as ASME Code Class 1 and Class 2 must be designed and be provided with access to enable Z-1 the performance of inservice examination of such components (including supports) and must meet the preservice examination requirements set forth in editions and addenda of ASME Boiler and Pressure Vessel Code incorporated by reference in paragraph (b) of this section (or the optional ASME Code cases listed in NRC Regulatory Guide 1.147, Revision 15, that are incorporated by reference in paragraph (b) of this section) in effect six months before the date of issuance of the construction permit. The components (including supports) may meet the requirements set forth in subsequent editions and addenda of this Code which are incorporated by reference in paragraph (b) of this section (or the optional ASME Code cases listed in NRC Regulatory Guide 1.147, Revision 15, that are incorporated by reference in paragraph (b) of this section), subject to the applicable limitations and modifications.
The applicable requirements for Revision 3 of the WBN Unit 2 PSI Program Plan (Reference 3)are the 2001 Edition through the 2003 Addenda of the ASME Code,Section XI.The construction permit for WBN Unit 2 was issued on January 23, 1974. The code of record at that time was the 1971 Edition through the winter 1971 Addenda of the ASME Code,Section XI.Subsequently, TVA requested in its letter dated January 13, 2011 (ADAMS Accession No.ML1 10140074) to use the 2001 Edition through the 2003 Addenda of the ASME Code,Section XI for the WBN Unit 2 PSI activities.
The NRC staff approved TVA's request by letter dated February 17, 2011 (ADAMS Accession No. ML1 10260025).
The regulations at 10 CFR 50.55a(b)(3)(v) allow the optional use of Subsection ISTD, "Inservice Testing of Dynamic Restraints (Snubbers) in Light-Water Reactor Power Plants," of the ASME OM Code, 1995 Edition through the latest edition and addenda, in place of the requirements for snubbers in Section XI, Articles IWF-5200(a) and (b) and IWF-5300(a) and (b), by making appropriate changes to the technical specifications (TSs) or licensee-controlled documents.
If Subsection ISTD is used in place of Section XI, Article IWF-5000, for snubber inservice inspection (ISI) and testing, then preservice and inservice examinations must be performed using the VT-3 visual examination method described in Section XI, Article IWA-2213.Pursuant to 10 CFR 50.55a(a)(3):
Proposed alternatives to the requirements.. .of this section or portions thereof may be used when authorized by the Director, Office of Nuclear Reactor Regulation....
The applicant shall demonstrate that: (i) The proposed alternatives would provide an acceptable level of quality and safety, or (ii) Compliance with the specified requirements of this section would result in hardship or unusual difficulty without a compensating increase in the level of quality and safety.Pursuant to 10 CFR 50.55a(g)(5)(iii)
If the licensee has determined that conformance with certain code requirements is impractical for its facility, the licensee shall notify the Commission and submit...
information to support the determinations.
Z-2 Pursuant to 10 CFR 50.55a(g)(6)(i), The Commission will evaluate determinations under paragraph (g)(5) of this section that code requirements are impractical.
The Commission may grant such relief and may impose such alternative requirements as it determines is authorized by law and will not endanger life or property or the common defense and security and is otherwise in the public interest giving due consideration to the burden upon the licensee that could result if the requirements were imposed on the facility.The NRC staff reviewed the information provided by TVA in its letter dated June 17, 2010, which provided the PSI Program Plan, Revision 3, for WBN Unit 2. TVA's letter included a request for relief from certain ASME Code, Section Xl requirements, for which TVA has proposed an alternative.
The staff performed its review using the guidance in NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (SRP), Section 5.2.4, Revision 2, "Reactor Coolant Pressure Boundary Inservice Inspection and Testing," and Section 6.6, Revision 2, "Inservice Inspection and Testing of Class 2 and 3 Components" (Reference 4).The NRC staff's review of the PSI Program Plan, Revision 3, for WBN Unit 2 is documented in Section 3.0 of this safety evaluation (SE) report. Specifically, the PSI Program Plan was evaluated for (1) compliance with the appropriate edition/addenda of Section XI, (2) acceptability of examination sample, (3) correctness of the application of system or component examination exclusion criteria, and (4) compliance with PSI-related commitments identified during NRC previous reviews. TVA's request for relief and proposed alternative are evaluated in Section 4.0 of this report. Unless otherwise stated, references to the ASME Code refer to the ASME Code, Section Xl, 2001 Edition through the 2003 Addenda.3.0 EVALUATION OF PRESERVICE INSPECTION PROGRAM PLAN This evaluation documents the NRC staffs review of applicable program documents to determine whether or not they are in compliance with the ASME Code requirements pertinent to PSI activities.
This section describes the submittals reviewed and the results of the review.3.1 Documents Reviewed The NRC staff reviewed the documents applicable to the WBN Unit 2 PSI Program Plan listed in Section 6 of this SE.3.2 Review of ASME Code and OM Code Requirements
3.2.1 Applicable
ASME Code, OM Code, and ASME Code Cases As specified in 10 CFR 50.55a(g)(4), Throughout the service life of a boiling or pressurized water-cooled nuclear power facility, components (including supports) which are classified as ASME Code Class 1, Class 2 and Class 3 must meet the requirements, except design and access provisions and preservice examination requirements, set forth in Z-3 Section Xl of editions of the [ASME Code] and Addenda that become effective subsequent to editions specified in paragraphs (g)(2) and (g)(3) of this section and that are incorporated by reference in paragraph (b) of this section, to the extent practical...
TVA stated that it has prepared the PSI Program Plan, Revision 3, to meet the requirements of the ASME Code, 2001 Edition through the 2003 Addenda. The ASME Code, Section Xl, IWF-5000 requirements for preservice examination and tests of snubbers are governed by the ASME/ American National Standards Institute (ANSI) Code for Operation and Maintenance of Nuclear Power Plants (OM Code), Part 4, 1987 with OMa-1988, using the VT-3 visual examination methodology.
As noted above, the regulations at 10 CFR 50.55a(b)(3)(v) allow the optional use of Subsection ISTD, "Inservice Testing of Dynamic Restraints (Snubbers) in Light-Water Reactor Power Plants," of the ASME OM Code, 1995 Edition through the latest edition and addenda, in place of the requirements for snubbers in Section Xl, Articles IWF-5200(a) and (b) and IWF-5300(a) and (b), by making appropriate changes to the technical specifications (TSs) or licensee-controlled documents.
If Subsection ISTD is used in place of Section Xl, Article IWF-5000, for snubber inservice inspection (ISI) and testing, then preservice and inservice examinations must be performed using the VT-3 visual examination method described in Section XI, Article IWA-2213.In accordance with 10 CFR 50.55a(g)(2), 10 CFR 50.55a(c)(3), 10 CFR 50.55a(d)(2), and 10 CFR 50.55a(e)(2), ASME Code Cases may be used as alternatives to ASME Code requirements.
ASME Code Cases that the NRC has approved for use are listed in Regulatory Guide (RG) 1.147, Revision 15, "lnservice Inspection Code Case Acceptability, Division 1," (Reference
- 9) with additional conditions the NRC may have imposed. When used, these ASME Code Cases must be implemented in their entirety.
Published ASME Code Cases awaiting approval and subsequent listing in RG 1.147 may be adopted only if the applicant requests, and the NRC authorizes, their use on a case-by-case basis.TVA's PSI program plan includes the ASME Code Cases listed below. These ASME Code Cases either have been approved for use in RG 1.147, Revision 15, or are incorporated by reference in 10 CFR 50.55a(g)(6)(ii)(D)(2).
ASME Code Case N-460 Alternative Examination Coverage for Class I and 2 welds To be used on all IWB-2500, Class 1 and IWC-2500, Class 2 welds, Division 1.ASME Code Case N-648-1 Alternative Requirements for Inner Radius Examinations of Class 1, Reactor Vessel Nozzles, Division 1 ASME Code Case N-648-1 is conditionally accepted as noted below for use in RG 1.147, Revision 15: In place of UT [ultrasonic testing] examination, licensees may perform a visual examination with enhanced magnification that has a resolution sensitivity to detect a 1-mil width wire or crack, utilizing the allowable flaw length criteria of Table IWB-3512-1 with limiting assumptions on the flaw aspect ratio. The provisions of Table IWB-2500-1, Examination Category B-D, continue to apply except that, in place of examination volumes, the surface to be examined are the Z-4 external surfaces shown in the figures applicable to this table (the external surface is form point M to point N in the figure).The following ASME Code Cases are incorporated by reference in 10 CFR 50.55a(g)(6)(ii)(D)(2) and 10 CFR 50.55a(g)(6)(ii)(E) respectively and shall be utilized where applicable.
ASME Code Case N-729-1 Alternative Examination Requirements for PWR Reactor Vessel Upper Heads with Nozzles having Pressure Retaining Partial Penetration Welds, Division 1 ASME Code Case N-729-1 shall be used subject to the conditions as noted below specified in paragraphs 10 CFR 50.55a(g)(6)(ii)(D)(2) through (6).(D) Reactor Vessel Head Inspections (1) All licensees of pressurized water reactors shall augment their inservice inspection program with ASME Code Case N-729-1 subject to the conditions specified in paragraphs (g)(6)(ii)(D)(2) through (6) of this section. Licensees of existing operating reactors as of September 10, 2008, shall implement their augmented inservice inspection program by December 31, 2008. Once a licensee implements this requirement, the First Revised NRC Order EA-03-009 no longer applies to that licensee and shall be deemed to be withdrawn.
(2) Note 9 of ASME Code Case N-729-1 shall not be implemented.
(3) Instead of the specified
'examination method' requirements for volumetric and surface examinations in Note 6 of Table 1 of Code Case N-729-1, the licensee shall perform volumetric and/or surface examination of essentially 100 percent of the required volume or equivalent surfaces of the nozzle tube, as identified by Figure 2 of ASME Code Case N-729-1.A demonstrated volumetric or surface leak path assessment through all J-groove welds shall be performed.
If a surface examination is being substituted for a volumetric examination on a portion of a penetration nozzle that is below the toe of the J-groove weld [Point E on Figure 2 of ASME Code Case N-729-1], the surface examination shall be of the inside and outside wetted surface of the penetration nozzle not examined volumetrically.
(4) By September 1, 2009, ultrasonic examinations shall be performed using personnel, procedures and equipment that have been qualified by blind demonstration on representative mockups using a methodology that meets the conditions specified in (50.55a(g)(6)(ii)(D)(3)(i) through (50.55a(g)(6)(ii)(D)(4)(iv), instead of the qualification requirements of Paragraph
-2500 of ASME Code Case N-729-1. References herein to Section Xl, Appendix VIII shall be to the 2004 Edition with no Addenda of the ASME BPV [Boiler and Pressure Vessel] Code.(i) The specimen set shall have an applicable thickness qualification range of +25 percent to -40 percent for nominal depth through-wall Z-5 thickness.
The specimen set shall include geometric and material conditions that normally require discrimination from primary water stress corrosion cracking (PWSCC) flaws.(ii) The specimen set must have a minimum of ten (10) flaws which provide an acoustic response similar to PWSCC indications.
All flaws must be greater than 10 percent of the nominal pipe wall thickness.
A minimum of 20 percent of the total flaws must initiate from the inside surface and 20 percent from the outside surface. At least 20 percent of the flaws must be in the depth ranges of 10-30 percent through wall thickness and at least 20 percent within a depth range of 31-50 percent through wall thickness.
At least 20 percent and no more than 60 percent of the flaws must be oriented axially.(iii) Procedures shall identify the equipment and essential variables and settings used for the qualification, and are consistent with Subarticle VIII-2100 of Section Xl, Appendix VIII. The procedure shall be prequalified when an essential variable is changed outside the demonstration range as defined by Subarticle VIII-3130 of Section Xl, Appendix VIII and as allowed by Articles VIII-4100, ViII-4200 and Vi11-4300 of Section XI, Appendix VIII. Procedure qualification shall include the equivalent of at least three personnel performance demonstration test sets. Procedure qualification requires at least one successful personnel performance demonstration.(iv) Personnel performance demonstration test acceptance criteria shall meet the personnel performance demonstration detection test acceptance criteria of Table VIII-SIO-1 of Section XI, Appendix VIII, Supplement
- 10. Examination procedures, equipment, and personnel are qualified for depth sizing and length sizing when the RMS error, as defined by Subarticle VIII 3120 of Section XI, Appendix VIII, of the flaw depth measurements, as compared to the true flaw depths, do not exceed 1/8 inch (3 mm), and the root mean square (RMS) error of the flaw length measurements, as compared to the true flaw lengths, do not exceed 3/8 inch (10 mm), respectively.
(5) If flaws attributed to PWSCC have been identified, whether acceptable or not for continued service under Paragraphs
-3130 or -3140 of ASME Code Case N-729-1, the re-inspection interval must be each refueling outage instead of the re-inspection intervals required by Table 1, Note (8) of ASME Code Case N-729-1.(6) Appendix I of ASME Code Case N-729-1 shall not be implemented without prior NRC approval.ASME Code Case N-722 Additional Examinations for PWR Pressure Retaining Welds in Class I Components Fabricated with Alloy 600/82/182 Materials, Division 1 ASME Code Case N-729-1 shall be used subject to the conditions as noted below specified in paragraphs 10 CFR 50.55a(g)(6)(ii)(E)(1) through (4).Z-6 (E) Reactor coolant pressure boundary visual inspections.
1 0 (1) All licensees of pressurized water reactors shall augment their inservice inspection program by implementing ASME Code Case N-722 subject to the conditions specified in paragraphs (g)(6)(ii)(E)(2) through (4) of this section. The inspection requirements of ASME Code Case N-722 do not apply to components with pressure retaining welds fabricated with Alloy 600/82/182 materials that have been mitigated by weld overlay or stress improvement.
(2) If a visual examination determines that leakage is occurring from a specific item listed in Table 1 of ASME Code Case N-722 that is not exempted by the ASME Code,Section XI, IWB-1220(b)(l), additional actions must be performed to characterize the location, orientation, and length of crack(s) in Alloy 600 nozzle wrought material and location, orientation, and length of crack(s) in Alloy 82/182 butt welds.Alternatively, licensees may replace the Alloy 600/82/182 materials in all the components under the item number of the leaking component.
(3) If the actions in paragraph (g)(6)(ii)(E)(2) of this section determine that a flaw is circumferentially oriented and potentially a result of primary water stress corrosion cracking, licensees shall perform non-visual nondestructive examination (NDE) inspections of components that fall under that ASME Code Case N-722 item number. The number of components inspected must equal or'exceed the number of components found to be leaking under that item number. If circumferential cracking is identified in the sample, non-visual NDE must be performed, in the remaining components under that item number.(4) If ultrasonic examinations of butt welds are used to meet the NDE requirements in paragraphs (g)(6)(ii)(E)(2) or (g)(6)(ii)(E)(3) of this section, they must be performed using the appropriate supplement of Section XI, Appendix VIII of the ASME Boiler and Pressure Vessel Code.3.2.2 Acceptability of Piping ASME Code Classification ASME Code Class 1, 2, and 3 Preservice Examination of ASME Code, Class 1 Components
-Classification and Boundaries In its letter dated July 17, 2010, TVA describes that the only ASME Class 1 (TVA Class A)components, including welded attachments, which are not included under the PSI Program for ASME Class 1 components are those exempt under the provisions of IWB-1220, "Components Exempt from Examination." In RAI EMCB PSIPP-1, the NRC staff asked TVA to confirm that the requirements of ASME Code, Subarticle IWB-1 200, "[Class 1] Components Subject to Evaluation," of Section XI, Subsection IWB of the ASME Code had been satisfied for WBN 10 For inspections to be conducted every refueling outage and inspections conducted every other refueling outage, the initial inspection shall be performed at the next refueling outage after January 1, 2009. For inspections to be conducted once per interval, the inspections shall begin in the interval in effect on January 1, 2009, and shall be prorated over the remaining periods and refueling outages in this interval.Z-7 Unit 2. Additionally, the staff asked TVA to identify whether any variances existed between the examination requirements for ASME Class 1 components at WBN Unit 1 and Unit 2 and, if variances existed, to provide justification for the variances.
In its response to the NRC by letter dated September 29, 2010 (ADAMS Accession No.ML1 02730184), TVA stated that, The WBN Unit 2 Preservice Inspection (PSI) program for ASME Class 1 components (TVA Class A) includes those systems containing water, steam, or radioactive waste subject to the exemptions listed in ASME Section XI, IWB-1220, "Components Exempt from Examination." There is no variance in the systems requiring examination between WBN Units 1 and 2 and the applicable IWB-1 220 exemptions, since both the current interval WBN Unit 1 Inservice inspection (ISI) Program and the WBN Unit 2 PSI Program were developed using the 2001 Edition through 2003 Addenda of ASME Section XI.The only reductions in inspection scope are the inherent differences between the PSI requirements of IWB-2200 for WBN Unit 2 and the ISI requirements of IWB-2400 for WBN Unit 1. ASME Section XI, IWB-2200, does not require performance of Examination Category B-P (pressure test) or the VT-3 examination for Examination Categories B-L-2 and B-M-2. ASME Section XI, IWB-2400, requires the examinations associated with Examination Categories B-P, B-L-2, and B-M-2 for the ISI Program.The WBN Unit 2 construction completion process is ongoing for the systems within the ASME Class 1 scope, and the Unit 2 PSI program will continue to be revised to reflect the addition of welds for Class I systems.Based on TVA's response, the NRC staff concluded that TVA has satisfied the provisions relative to the classification and boundary requirements for preservice examinations of the ASME Code,Section XI, Subsection IWB. Based on the information provided by TVA, the NRC staff concludes that there are no deviations from applicable regulatory requirements, the ASME Code, and licensee commitments for the WBN Unit 2 PSI Program Plan, Revision 3.Preservice Examination of Class 2 Components
-Classification and Boundaries In its letter dated July 17, 2010, TVA describes that the only Class 2 (TVA Class B)components, including welded attachments, which are not included under the PSI Program for Class 2 components are those exempt under the provisions of IWC-1 220, "Components Exempt from Examination." In RAI EMCB PSIPP-2, the NRC staff asked TVA to confirm that the requirements of ASME Code, Subsection IWC, Subarticle IWC-11200, "[Class 2] Components Subject to Evaluation," had been satisfied.
Additionally, the NRC staff asked TVA to identify whether any variances existed between the examination requirements for ASME Class 2 components at WBN Unit I and Unit 2 and, if variances existed, to provide justification for the variances.
In its response to the NRC by letter dated September 29, 2010, TVA stated that, The WBN Unit 2 PSI program for ASME Class 2 components (TVA Class B)includes those systems containing water, steam, or radioactive waste subject to Z-8 the exemptions listed in ASME Section XI, IWC-1220, "Components Exempt from Examination." There is no variance in the systems requiring examination between WBN Units 1 and 2 and the applicable IWC-1220 exemptions, since both the current interval WBN Unit I Inservice Program and the WBN Unit 2 Preservice Program were developed using the 2001 Edition through 2003 Addenda of ASME Section Xl.The only reductions in inspection scope are the inherent differences between the PSI requirements of IWC-2200 for WBN Unit 2 and the ISI requirements of IWC-2400 for WBN Unit 1. ASME Section Xl, IWC-2200, does not require performance of Examination Category C-H (pressure test). ASME Section Xl, IWC-2400, requires the examinations associated with Examination Category C-H for the ISI program.The WBN Unit 2 construction completion process is ongoing for the systems within the ASME Class 2 scope, and the Unit 2 PSI program will continue to be revised to reflect the addition of welds for Class 2 systems.Based on TVA's response, the NRC staff concluded that TVA has satisfied the provisions relative to the classification and boundary requirements for preservice examinations of the ASME Code, Section Xl, Subsection IWC. Based on the information provided by TVA, the NRC staff concludes that there are no deviations from applicable regulatory requirements, the ASME Code, and licensee commitments for the WBN Unit 2 PSI Program Plan, Revision 3.Preservice Examination of ASME Code, Class 3 Components
-Classification and Boundaries In its letter dated July 17, 2010, TVA describes that the only Class 3 (TVA Classes C and D)components, including welded attachments, which are not included under the PSI Program for Class 3 components are those exempt under the provisions of ASME Code, Section Xl, IWD-1220, "Components Exempt from Examination." In EMCB RAI PSIPP-3, the NRC staff asked TVA to confirm that the requirements of ASME Code, Section Xl, Subsection IWD, Subarticle IWD-1 200, "[Class 3] Components Subject to Evaluation," had been satisfied for WBN Unit 2.Additionally, the NRC staff asked TVA to identify whether any variances existed between the examination requirements for ASME Code, Class 3 components at WBN Unit 1 and Unit 2 and, if variances existed, to provide justification for the variances.
In its response to the NRC by letter dated September 29, 2010, TVA stated that, The WBN Unit 2 PSI program for ASME Class 3 components (TVA Class C and D) includes those systems containing water, steam, or radioactive waste subject to the exemptions listed in ASME Section XI, IWD-1220, "Components Exempt from Examination." There is no variance in the systems requiring examination between WBN Units 1 and 2 and the applicable IWD-1 220 exemptions, since both the current interval WBN Unit I Inservice Program and the WBN Unit 2 Preservice Program were developed using the 2001 Edition through 2003 Addenda of ASME Section Xl.The only reductions in inspection scope are the inherent differences between the PSI requirements of IWD-2200 for WBN Unit 2 and the inservice requirements of IWD-2400 for WBN Unit 1. ASME Section XI, IWD-2200, does not require Z-9 performance of Examination Category D-B (pressure test). ASME Section Xl, IWD-2400, requires the examinations associated with Examination Category D-B for the ISI program.The WBN Unit 2 construction completion process is ongoing for the systems within the ASME Class 3 scope, and the Unit 2 PSI program will continue to be revised to reflect the addition of integral attachment welds for Class 3 systems.Based on TVA's response, the NRC staff concluded that TVA has satisfied the provisions relative to the classification and boundary requirements for preservice examinations of the ASME Code,Section XI, Subsection IWD. Based on the information provided by TVA, the NRC staff concludes that there are no deviations from applicable regulatory requirements, the ASME Code, and licensee commitments for the WBN Unit 2 PSI Program Plan, Revision 3.Preservice Examination of Class 1. 2. and 3 Supports -Classification and Boundaries In its letter dated July 17, 2010, TVA describes that the only Class 1, 2, and 3 component supports (TVA Classes A, B, C and D component supports) which are not included under the PSI Program for component supports are those exempt under the provisions of IWF-1230,"Supports Exempt from Examination." In EMCB RAI PSIPP-4, the NRC staff asked TVA to confirm that the requirements of ASME Code,Section XI, Subsection IWF, Subarticle IWF-1300, "Support Examination Boundaries," had been satisfied for WBN Unit 2. Additionally, the NRC staff asked TVA to identify whether any variances existed between the examination requirements for these component supports at WBN Unit I and Unit 2 and, if variances existed, to provide justification for the variances.
In its response to the NRC by letter dated September 29, 2010, TVA stated that, The WBN Unit 2 PSI program for ASME Class 1, 2, and 3 component supports (WVA Class A, B, C and D) includes those systems containing water, steam, or radioactive waste subject to the exemptions listed in ASME Section XI, IW (B, C, or D, as applicable)-1220, "Components Exempt from Examination." There is no variance in the systems requiring examination between WBN Units 1 and 2 and the applicable IWF-1230 exemptions, since both the current interval WBN Unit 1 Inservice Program and the WBN Unit 2 Preservice Program were developed using the 2001 Edition through 2003 Addenda of ASME Section XI. Also, there is no variance in the ASME Section XI, Subarticle IWF-1300, "Support Examination Boundaries," requirement between the WBN Unit 2 PSI Program and the WBN Unit I ISI Program.The only differences in inspection scope are the inherent differences between the PSI requirements of IWF-221 0 for WBN Unit 2 and the ISI requirements of IWF-2400 for WBN Unit 1. There is no reduction in inspection scope based on these inherent differences.
The WBN Unit 2 construction completion process is ongoing for the systems within the ASME Class 1, 2, and 3 scope, and the Unit 2 PSI program will continue to be revised to reflect the inclusion of those supports for Class 1, 2, and 3 systems.Z-10 Based on TVA's response, the NRC staff concluded that TVA has satisfied the provisions relative to the classification and boundary requirements for preservice examinations of the ASME Code,Section XI, Subsection IWF. Based on the information provided by TVA, the NRC staff concludes that there are no deviations from applicable regulatory requirements, the ASME Code, and licensee commitments for the WBN Unit 2 PSI Program Plan, Revision 3.3.2.3 Acceptability of the Examination Sample In its Staff Requirements Memorandum (SRM)-SECY-07-0096, "Possible Reactivation of Construction and Licensing Activities for the Watts Bar Nuclear Plant Unit 2," dated July 25, 2007 (ADAMS Accession No. ML072060688), the Commission stated that it supports a licensing review approach that employs the current licensing basis for Unit 1 as the reference basis for the review and licensing of Unit 2. Therefore, the NRC staff s review of the PSI Program Plan for WBN Unit 2 focused on resolving variations between the WBN Unit 1 and WBN Unit 2 baseline Final Safety Analysis Report (FSAR) and items found in the Safety Evaluation Report (SER, NUREG-0847, dated June 1982) and Supplemental Safety Evaluation Reports (SSERs) which are applicable to SER Sections 5.2.4 and 6.6. In SSERs 10, 12 and 15, the staff approved the baseline FSAR related to the ISI of Class 1, 2 and 3 Components and the PSI Program Plan for WBN Unit 1. In its review of Reference 3 related to Class 1, 2 and 3 components, the NRC staff used SRP Sections 5.2.4 "Reactor Coolant Boundary Inservice Inspection and Testing;" and 6.6, "Inservice Inspection and Testing of Class 1, 2, and 3 Components." TVA stated in its letter dated July 17, 2010, that it has prepared the PSI Program Plan, Revision 3, to meet the requirements of the ASME Code, 2001 Edition through the 2003 Addenda (the reference code). The staff reviewed the PSI Program Plan requirements for Class 1, 2, and 3 components subject to examination and concluded that they were in accordance with the requirements of IWB, IWC, and IWD of the reference code and SRP Sections 5.2.4 and 6.6.The ASME Code exemptions from examination for Class 1, 2 and 3 components contained within Reference 3 were also found to be in accordance with the reference code. The staff reviewed the ASME Class 1, 2, and 3 Supports "Summary Tables" of Reference 3 and found them to contain the correct Examination Categories, Item Numbers, Exam Methods, Examination Requirements and Acceptance Standards, in accordance with the reference ASME Code. However, TVA listed many of the entries in the "Total Population" and "Required Examination" columns as "TBD" (to be determined) in the Class 1, 2, and 3 Supports "Summary Tables." TVA explained the TBD entries in its letter dated September 29, 2010 (Reference 8), in responses to staff questions EMCB RAI PSIPP-2, EMCB RAI PSIPP-3 and EMCB RAI PSIPP-4. In these responses, TVA stated that, "[t]he WBN, Unit 2 construction completion process is ongoing for the systems within the ASME Class 2, ASME Class 3 and ASME Class 1, 2 and 3 supports scope, and the WBN, Unit 2 PSI program will continue to be revised to reflect the inclusion items in these areas." As a result, the NRC staff cannot verify the populations and the number of required examinations in accordance with the reference code. This is Open Item 70 (Appendix HH of SSER 23) until TVA revises the WBN Unit 2 PSI program to include numbers of components so that the NRC staff can verify that the numbers meet the reference ASME Code. The staff also noted that TVA has made no requests for relief, similar to those approved by the staff for WBN Unit 1 in SSER 10, for WBN Unit 2 either for (1) examinations that cannot be performed or (2)examinations for which the required coverage cannot be obtained.Z-1 1 Based on its review of the information provided by TVA in its letter dated July 17, 2010, as supplemented by letter dated September 29, 2010, the staff concluded that preservice volumetric, surface, and visual examinations will be performed by TVA on ASME Code Class 1 components and their supports using sampling schedules described in Section Xl of the ASME Code of record for the WBN Unit 2 PSI Program Plan and 10 CFR 50.55a(b).
Sample size and weld selection procedures have been implemented in accordance with the ASME Code of record and 10 CFR 50.55a(b) and appear to be correct, and no deviations were found from regulatory requirements, the ASME Code, and commitments for the WBN Unit 2 PSI Program Plan, Revision 3, for ASME Code Class 1 components and their supports.3.2.4 Exemption Criteria The criteria used to exempt components from examination shall be consistent with Paragraphs IWB-1 220, IWC-1220, IWC-1230, IWD-1 220, and 10 CFR 50.55a(b).
Based on its review of the information provided by TVA in its letter dated July 17, 2010, as supplemented by letter dated September 29, 2010, the NRC staff concluded that the exemption criteria have been applied by TVA in accordance with the ASME Code, as discussed in the PSI program plan, and no deviations were found from regulatory requirements, the ASME Code, and commitments for the WBN, Unit 2 PSI Program Plan, Revision 3.3.2.5 Augmented Examination Commitments In addition to the requirements specified in the ASME Code,Section XI, TVA has committed in its letter dated July 17, 2010, to perform the following augmented examinations:
ASME Code Case N-722 Additional Examinations for [Pressurized Water Reactor] PWR Pressure Retaining Welds in Class I Components Fabricated with Alloy 600/82/182 Materials, Division 1.Altemative Examination Requirements for PWR Reactor Vessel Upper Heads with Nozzles having Pressure Retaining Partial Penetration Welds, Division 1.ASME Code Case N-729-1 TVA has also committed to perform baseline examinations of the RPV head penetration nozzles and the lower head penetrations prior to fuel load. These examinations, along with the examinations required by Code Cases N-722 and N729-1, will serve as baseline examinations for the components addressed in the following NRC Bulletins for WBN Unit 2 inservice activities:
NRC Bulletin 2001-01 NRC Bulletin 2002-1 NRC Bulletin 2002-02 NRC Bulletin 2003-02 Circumferential Cracking of RPV Head Penetration Nozzles RPV Head Degradation and Reactor Coolant Pressure Boundary Integrity RPV Head and Vessel Penetration nozzle Inspection Program Leakage from RPV Lower Head Penetrations and Reactor Coolant Pressure Boundary Integrity Z-1 2 NRC Bulletin 2004-01 Inspection of Alloy 82/182/600 Materials used in the Fabrication of Pressurizer Penetrations and Steam Space Piping Connection at PWR Reactors 3.2.6 Snubbers In Section 3.18.3 of the WBN Unit 2 PSI Program Plan, Revision 3, TVA states that "Integral and non-integral attachments for snubbers, including lugs, pins, bolting and claps, shall be examined in accordance with the requirements of this document [i.e., the PSI Program Plan]." The NRC staff reviewed References 3 and 11, the documents which pertain to the WBN Unit 2 PSI program snubber examination and testing, and found no deviations from the applicable regulatory requirements, the ASME OM Code 2001 Edition through OMb 2003 Addenda, and TVA's commitments for snubbers in the WBN Unit 2 PSI Program Plan.
4.0 CONCLUSION
The NRC staff reviewed TVA's submittal and concluded that IVA has addressed all of the regulatory requirements set forth in 10 CFR 50.55a and, based the staff's review of the documents listed in Section 6 of this report, no deviations from applicable regulatory requirements or TVA's commitments were identified in the PSI Program Plan, Revision 3, for WBN Unit 2. Open Item 70 (Appendix HH of SSER 23), as noted in Section 3.2.3 of this report, remains open pending NRC staff verification of the populations and the number of required examinations in accordance with the reference code.5.0 EVALUATION OF PROPOSED ALTERNATIVES In its WBN Unit 2 PSI Program Plan, Revision 3, dated July 17, 2010, WVA proposed an alternative to the ASME Code preservice inspection requirements in its request for relief No.WBN-2/PDI-4.
The NRC staff evaluation is provided in the following section.5.1 Proposed Alternative Regarding Reactor Pressure Vessel Vessel-to-Flange Weld Examinations TVA requested an alternative to the ASME Code requirements for certain reactor pressure vessel (RPV) vessel-to-flange weld examinations for the PSI Program Plan at WBN Unit 2. TVA proposed to use the procedures, personnel, and equipment qualified to meet the requirements of ASME Code,Section XI, Appendix ViII, Supplements 4 and 6, as administered by the Electric Power Research Institute's Performance Demonstration Initiative, to conduct the ASME Code-required RPV vessel-to-flange weld examinations.
5.2 Staff
Evaluation TVA's proposed alternative was authorized by the NRC staff in a safety evaluation dated September 3, 2009 (ADAMS Accession No. ML092300608).
Since there has been no change to the technical evaluation provided in the staff's safety evaluation, the staff concludes that TVA's proposed examination continues to be an acceptable alternative to the ASME Code requirements.
Z-1 3
6.0 REFERENCES
- 1. Title 10 of the Code of Federal Regulations, Section 50.55a, "Title Code and Standards." 2. American Society of Mechanical Engineers Boiler and Pressure Vessel Code, Section Xl, Division 1, 2001 Edition through the 2003 Addenda.3. Letter from M. Bajestani, TVA, to NRC, "Watts Bar Nuclear Plant (WBN) Unit 2 -Preservice Inspection Program Plan, Revision 3 and Additional Information," dated June 17, 2010.(ADAMS Accession No. ML101680561)
- 4. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition" (SRP), Section 5.2.4, Revision 2, "Reactor Coolant Pressure Boundary Inservice Inspection and Testing," and Section 6.6, Revision 2, "Inservice Inspection and Testing of Class 2 and 3 Components," dated March 2007.5. Letter from M. Bajestani, TVA, to NRC, "Watts Bar Nuclear Plant (WBN) Unit 2 -Preservice Inspection Program Plan and Additional Information," dated April 20, 2010. (ADAMS Accession No. ML1012002044)
- 6. Letter from J. Poole, NRC, to A. Bhatnagar, TVA, "Watts Bar Nuclear Plant, Unit 2 -Request for Additional Information Regarding Section 3.5 of the Preservice Inspection Program Plan (TAC No. ME4074)," dated September 7, 2010. (ADAMS Accession No.ML102420625)
- 7. Letter from J. Poole, NRC, to A. Bhatnagar, TVA, "Watts Bar Nuclear Plant, Unit 2 -Request for Additional Information From the Vessels Integrity Branch Regarding Preservice Inspection Program Plan (TAC No. ME4074)," dated September 7, 2010. (ADAMS Accession No. ML102430175)
- 8. Letter from M. Bajestani, TVA, to NRC, "Watts Bar Nuclear Plant (WBN) Unit 2- Response to Request for Additional Information (RAI) Regarding Preservice Inspection Program Plan, Revision 2 (TAC Nos. ME4074 and ME3113)," dated September 29, 2010. (ADAMS Accession No. ML102730184)
- 9. Regulatory Guide 1.147, Revision 15, "Inservice Inspection Code Case Acceptability." 10. Letter from L. Raghavan, NRC, to A. Bhatnagar, TVA, "Watts Bar Nuclear Plant, Unit 2 -Relief Request WBN-2/PDI-4 Related to Ultrasonic Examination of the Reactor Pressure Vessel Shell-to-Flange Welds (TAC No. ME0022)," dated September 3, 2009. (ADAMS Accession No. ML092300608).
- 11. ASME/ American National Standards Institute (ANSI) OM Code, 2001 Edition through 2003 OMb Addenda, as permitted by 10 CFR 50.55a(b)(3)(v).
- 12. NUREG-0847, Supplement 10, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units I and 2," Dated October 1992. (ADAMS Accession No.ML072060473)
Z-14
- 13. NUREG-0847, Supplement 12, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," dated October 1993. (ADAMS Accession No.ML072060479)
- 14. NUREG-0847, Supplement 5, "Safety Evaluation Report Related to the Operation of Watts Bar Nuclear Plant, Units 1 and 2," dated June 1995. (ADAMS Accession No. ML072060488
- 15. Letter from J. Poole, NRC, to A. Bhatnager, TVA, "Watts Bar Nuclear Plant, Unit 2 -Request for Additional Information from the Component Performance and Testing Branch Regarding Preservice Inspection Plan (TAC No. ME3113)," dated September 28, 2010. (ADAMS Accession No. MLI102630535)
- 16. Letter from M. Bajestani, TVA, to NRC, "Watts Bar Nuclear Plant, Unit 2,- Response to Request for Additional Information Regarding the Preservice Inspection Plan (TAC Nos.ME4074 and ME3113)," dated October 13, 2010. (ADAMS Accession No. ML102861846)
Z-1 5
APPENDIX AA UNITED STATES OF AMERICA NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REACTOR REGULATION Eric J. Leeds, Director In the Matter of ))TENNESSEE VALLEY AUTHORITY ) Construction Permit No. CPPR-92)(Watts Bar Nuclear Plant Unit 2) ) Docket No. 50-391 DIRECTOR'S DECISION REGARDING OPERATING LICENSE ANTITRUST REVIEW AND FINDING OF NO SIGNIFICANT CHANGE UNDER SECTION 105c(2) OF THE ATOMIC ENERGY ACT 1. Introduction Section 105c(2) of the Atomic Energy Act of 1954, as amended, provides for an antitrust review of an application for an operating license if the Commission determines that significant changes in the applicant's activities or proposed activities have occurred subsequent to the previous construction permit (CP) review. The Commission has delegated the authority to make the"significant change" determination to the Director of the Office of Nuclear Reactor Regulation.
On May 24, 1971, the Tennessee Valley Authority (TVA) filed its application for construction permits for Watts Bar Nuclear Plant (WBN), Units 1 and 2. As required by Section 105c of the Atomic Energy Act of 1954, the Atomic Energy Commission (AEC; predecessor to the Nuclear regulatory Commission (NRC)) requested the advice of the Assistant Attorney General of the Antitrust Division of the U.S. Department of Justice (DOJ) as to whether: (1) no antitrust hearing was needed, (2) a hearing was necessary, or (3) no hearing was necessary if the applicant took certain actions or if certain conditions were attached to the CP. In its advice letter dated December 11, 1972, the Assistant Attorney General forwarded a decision recommending that no hearing be held.In a letter dated December 5, 1989, TVA provided NRC with an "Updated Regulatory Guide 9.3 Information Pursuant to the Commission's Operating License Antitrust Review," for WBN Unit 1.By letter dated September 20, 1991, the NRC staff concluded that there was no new information that would suggest changes to the 'no significant change' finding for WBN Unit 1.In a letter dated May 13, 2010, as supplemented on July 29, 2010, and February 22, 2011, TVA provided updated antitrust information pursuant to Regulatory Guide 9.3, "Information Needed by the AEC Regulatory Staff in Connection with its Antitrust Review of Operating License Applications for Nuclear Power Plants," with respect to WBN Unit 2. The information provided by TVA addressed changes in the antitrust information from that submitted for WBN Unit 1 on December 5, 1989, to the present.AA-1 The documents provided by TVA are available in the Agencywide Documents Access and Management System (ADAMS) for inspection at the Commission's Public Document Room (PDR), located at One White Flint North, Public File Area 01 F21, 11555 Rockville Pike (first floor), Rockville, Maryland.
Publicly available records will be accessible from the ADAMS Public Electronic Reading Room on the NRC Web site http:llwww.nrc.gov/reading-rm/adams.html.
Persons who do not have access to ADAMS or who encounter problems in accessing the documents located in ADAMS should contact the NRC PDR reference staff by telephone at 1 800 397 4209, or 301 415 4737, or by e mail to PDR.Resource@nrc.gov.
II. Discussion Based upon an examination of the events since the previous operating license review of TVA's activities conducted in 1979 in connection with WBN Units 1 and 2, the NRC staff has concluded, after consultation with DOJ, that the changes that have occurred since the construction permit review are not of the nature to require a formal antitrust review at the operating license stage of the application.
In reaching its conclusion, the staff considered the structure of the electric utility industry in the Tennessee Valley and adjacent areas, the events relevant to the WBN construction permit review, and the previous operating license reviews of WBN.Ill. Conclusion The conclusion of the staff analysis is as follows: A review of TVA activities since 1989 in constructing new generation and transmission capacity including cancellation of planned capacity, showed normal engineering and economic actions for a utility of TVA's class and no apparent anticompetitive efforts. Additionally, TVA appears to be vigorously working to retain its existing customers, including its nominally captive customers, rather than limiting competition for its customers or potential customers.
A 1997 Settlement Agreement resolved pending antitrust issues related to requests to purchase power from TVA and exchange power arrangements.
Subsequent Congressional hearings in 1999 did not find that TVA was engaging in anticompetitive conduct.Based upon the examination of the events since 1989, the staff concludes that no significant changes have occurred that would require an antitrust review.Based on the staff analysis and recommendation, it is my finding that there have been no"significant changes" in the applicant's activities or proposed activities since the completion of the previous antitrust review.AA-2 A copy of this Director's Decision will be filed with the Secretary of the Commission for the Commission to review. This decision will constitute the final action of the Commission 30 days after the date of the decision unless the Commission, on its own motion, institutes a review of the decision within that time.Dated at Rockville, Maryland, this 21st day of March 2011.FOR THE NUCLEAR REGULATORY COMMISSION IRA/Eric J. Leeds, Director Office of Nuclear Reactor Regulation AA-3
APPENDIX HH WATTS BAR UNIT 2 ACTION ITEMS TABLE This table provides a status of required action items associated of all open items, confirmatory issues, and proposed license conditions that the staff has identified.
Unless otherwise noted, the item references are to sections of this SSER.Item Type Action Required Lead Status (1) Cl Review evaluations and corrective actions NRR Open associated with a power assisted cable pull. (NRC safety evaluation dated August 31, 2009, ADAMS Accession No. ML092151155)
(2) CI Conduct appropriate inspection activities to verify RII Open cable lengths used in calculations and analysis match as-installed configuration. (NRC safety evaluation dated August 31, 2009, ADAMS Accession No. ML092151155)
(3) Cl Confirm TVA submitted update to FSAR section NRR Open 8.3.1.4.1. (NRC safety evaluation dated August 31, 2009, ADAMS Accession No. ML092151155)
(4) CI Conduct appropriate inspection activities to verify RII Open that TVA's maximum SWBP criteria for signal level and coaxial cables do not exceed the cable manufacturers maximum SWBP criteria. (NRC safety evaluation dated August 31, 2009, ADAMS Accession No. ML092151155)
(5) Cl Verify timely submittal of pre-startup core map and NRR Open perform technical review. (TVA letter dated September 7, 2007, ADAMS Accession No.ML072570676)
(6) Cl Verify implementation of TSTF-449. (TVA letter NRR Open dated September 7, 2007, ADAMS Accession No.ML072570676)
(7) Cl Verify commitment completion and review electrical RII Open design calculations. (IVA letter dated October 9, 1990, ADAMS Accession No. ML073551056)
(8) CI TVA should provide a pre-startup map to the NRC NRR Open staff indicating the rodded fuel assemblies and a projected end of cycle burnup of each rodded assembly for the initial fuel cycle 6-months prior to fuel load. (NRC safety evaluation dated May 3, 2010, ADAMS Accession No. ML101200035)
(9) Cl Confirm that education and experience of RII Open management and principal supervisory positions down through the shift supervisory level conform to Regulatory Guide 1.8. (SSER 22, Section 13.1.3)HH-1 (10) Cl Confirm that TVA has an adequate number of RII Open licensed and non-licensed operators in the training pipeline to support the preoperational test program, fuel loading, and dual unit operation. (SSER 22, Section 13.1.3)(11) Cl The plant administrative procedures should clearly RII Open state that, when the Assistant Shift Engineer assumes his duties as Fire Brigade Leader, his control room duties are temporarily assumed by the Shift Supervisor (Shift Engineer), or by another SRO, if one is available.
The plant administrative procedures should clearly describe this transfer of control room duties. (SSER 22, Section 13.1.3)(12) TVA's implementation of NGDC PP-20 and EDCR NRR Open Appendix J is subject to future NRC audit and inspection. (SSER 22, Section 25.9)(13) TVA is expected to submit an IST program and NRR Open specific relief requests for WBN Unit 2 nine months before the projected date of OL issuance. (SSER 22, Section 3.9.6)(14) WVA stated that the Unit 2 PTLR is included in the NRR Open Unit 2 System Description for the Reactor Coolant System (WBN2-68-4001), which will be revised to reflect required revisions to the PTLR by September 17, 2010. (SSER 22, Section 5.3.1)(15) TVA should confirm to the NRC staff the completion NRR Open of Primary Stress Corrosion Cracking (PWSCC)mitigation activities on the Alloy 600 dissimilar metal butt welds (DMBWs) in the primary loop piping.(SSER 22, Section 3.6.3)(16) Based on the uniqueness of EQ, the NRC staff must RII/NRR Open perform a detailed inspection and evaluation prior to fuel load to determine how the WBN Unit 2 EQ program complies with the requirements of 10 CFR 50.49. (SSER 22, Section 3.11.2)(17) The NRC staff should verify the accuracy of the RII/NRR Open WBN Unit 2 EQ list prior to fuel load. (SSER 22, Section 3.11.2.1)(18) Based on the extensive layup period of equipment RII/NRR Open within WBN Unit 2, the NRC staff must review, prior to fuel load, the assumptions used by TVA to re-establish a baseline for the qualified life of equipment.
The purpose of the staffs review is to ensure that TVA has addressed the effects of environmental conditions on equipment during the layup period. (SSER 22, Section 3.11.2.2)HH-2 (19) The NRC staff should complete its review of TVA's RII/NRR Open EQ Program procedures for WBN Unit 2 prior to fuel load. (SSER 22, Section 3.11.2.2.1)
(20) Resolve whether or not routine maintenance RII/NRR Open activities should result in increasing the EQ of the 6.9 kV motors to Category I status in accordance with 10 CFR 50.49. (SSER 22, Section 3.11.2.2.1).
(21) The NRC staff should confirm that the Electrical RII/NRR Open Penetration Assemblies (EPAs) are installed in the tested configuration, and that the feedthrough module is manufactured by the same company and is consistent with the EQ test report for the EPA.(SSER 22, Section 3.11.2.2.1)
(22) TVA must clarify its use of the term "equivalent" NRR Open (e.g., identical, similar) regarding the replacement terminal blocks to the NRC staff. If the blocks are similar, then a similarity analysis should be completed and presented to the NRC for review.(SSER 22, Section 3.11.2.2.1)
(23) Resolve whether or not TVA's reasoning for not NRR Open upgrading the MSIV solenoid valves to Category I is a sound reason to the contrary, as specified in 10 CFR 50.49(l). (SSER 22, Section 3.11.2.2.1)
(24) The NRC staff requires supporting documentation NRR Open from TVA to justify its establishment of a mild environment threshold for total integrated dose of less than lx103 rads for electronic components such as semiconductors or electronic components containing organic material. (SSER 22, Section 3.11.2.2.1)
(25) Prior to the issuance of an operating license, TVA is NRR Open required to provide satisfactory documentation that it has obtained the maximum secondary liability insurance coverage pursuant to 10 CFR 140.11(a)(4), and not less than the amount required by 10 CFR 50.54(w) with respect to property insurance, and the NRC staff has reviewed and approved the documentation. (SSER 22, Section 22.3)(26) For the scenario with an accident in one unit and NRR Open concurrent shutdown of the second unit without offsite power, TVA stated that Unit 2 pre-operational testing will validate the diesel response to sequencing of loads on the Unit 2 emergency diesel generators (EDGs). The NRC staff will evaluate the status of this issue and will update the status of the EDG load response in a future SSER. (SSER 22, Section 8.1)HH-3 (27) TVA should provide a summary of margin studies NRR Open based on scenarios described in Section 8.1 for CSSTs A, B, C, and D. (SSER 22, Section 8.2.2)(28) TVA should provide to the NRC staff a detailed NRR Open discussion showing that the load tap changer is able to maintain the 6.9 kV bus voltage control band given the normal and post-contingency transmission operating voltage band, bounding voltage drop on the grid, and plant conditions. (SSER 22, Section 8.2.2)(29) TVA should provide the transmission system NRR Open specifics (grid stability analyses) to the NRC staff.In order to verify compliance with GDC 17, the results of the grid stability analyses must indicate that loss of the largest electric supply to the grid, loss of the largest load from the grid, loss of the most critical transmission line, or loss of both units themselves, will not cause grid instability. (SSER 22, Section 8.2.2)(30) TVA should confirm that all other safety-related RII/NRR Open equipment (in addition to the Class 1 E motors) will have adequate starting and running voltage at the most limiting safety related components (such as motor operated valves, contactors, solenoid valves or relays) at the degraded voltage relay setpoint dropout setting. TVA should also confirm that the final Technical Specifications are properly derived from these analytical values for the degraded voltage settings. (SSER 22, Section 8.3.1.2)(31) TVA should evaluate the re-sequencing of loads, NRR Open with time delays involved, in the scenario of a LOCA followed by a delayed LOOP, and ensure that all loads will be sequenced within the time assumed in the accident analysis. (SSER 22, Section 8.3.1.11)(32) TVA should provide to the NRC staff the details of NRR Open the administrative limits of EDG voltage and speed range, and the basis for its conclusion that the impact is negligible, and describe how it accounts for the administrative limits in the Technical Specification surveillance requirements for EDG voltage and frequency. (SSER 22, Section 8.3.1.14)(33) Cl TVA stated in Attachment 9 of its letter dated July RII/NRR Open 31, 2010, that certain design change notices (DCNs) are required or anticipated for completion of WBN Unit 2, and that these DCNs were unverified assumptions used in its analysis of the 125 V dc vital battery system. Verification of completion of these DCNs to the NRC staff is necessary prior to issuance of the operating license. (SSER 22, Section 8.3.2.3)HH-4 (34) Cl TVA stated that the method of compliance with NRR Open Phase I guidelines would be substantially similar to the current Unit 1 program and that a new Section 3.12 will be added to the Unit 2 FSAR that will be materially equivalent to Section 3.12 of the current Unit 1 FSAR. (SSER 22, Section 9.1.4)(35) TVA should provide information to the NRC staff NRR Open that the CCS will produce feedwater purity in accordance with BTP MTEB 5-3 or, alternatively, provide justification for producing feedwater purity to another acceptable standard. (SSER 22, Section 10.4.6)(36) TVA should provide information to the NRC staff to NRR Open enable verification that the SGBS meets the requirements and guidance specified in the SER or provide justification that the SGBS meets other standards that demonstrate conformance to GDC 1 and GDC 14. (SSER 22, Section 10.4.8)(37) Cl The NRC staff will review the combined WBN Unit 1 NSIR Open and 2 Appendix C prior to issuance of the Unit 2 OL to confirm (1) that the proposed Unit 2 changes were incorporated into Appendix C, and (2) that changes made to Appendix C for Unit 1 since Revision 92 and the changes made to the NP-REP since Revision 92 do not affect the bases of the staff's findings in this SER supplement. (SSER 22, Section 13.3.2)(38) Cl The NRC staff will confirm the availability and RII/NSIR Open operability of the ERDS for Unit 2 prior to issuance of the Unit 2 OL. (SSER 22, Section 13.3.2.6)(39) Cl The NRC staff will confirm the adequacy of the RII/NSIR Open communications capability to support dual unit operations prior to issuance of the Unit 2 OL. (SSER 22, Section 13.3.2.6)(40) Cl The NRC staff will confirm the adequacy of the RII/NSIR Open emergency facilities and equipment to support dual unit operations prior to issuance of the Unit 2 OL.(SSER 22, Section 13.3.2.8)(41) Cl TVA committed to (1) update plant data displays as RII/NSIR Open necessary to include Unit 2, and (2) to update dose assessment models to provide capabilities for assessing releases from both WBN units. The NRC staff will confirm the adequacy of these items prior to issuance of the Unit 2 OL. (SSER 22, Section 13.3.2.9)(42) Cl The NRC staff will confirm the adequacy of the RII/NSIR Open accident assessment capabilities to support dual unit operations prior to issuance of the Unit 2 OL.(SSER 22, Section 13.3.2.9)HH-5 (43) Cl Section V of Appendix E to 10 CFR Part 50 requires NSIR Open TVA to submit its detailed implementing procedures for its emergency plan no less than 180 days before the scheduled issuance of an operating license.Completion of this requirement will be confirmed by the NRC staff prior to the issuance of an operating license. (SSER 22, Section 13.3.2.18)
(44) TVA should provide additional information to clarify NRR Open how the initial and irradiated RTNDT was determined. (SSER 22, Section 5.3.1)(45) Cl TVA stated in its response to RAI 5.3.2-2, dated NRR Open July 31, 2010, that the PTLR would be revised to incorporate the COMS arming temperature. (SSER 22, Section 5.3.2)(46) Cl The LTOP lift settings were not included in the NRR Open PTLR, but were provided in TVA's response to RAI 5.3.2-2 in its letter dated July 31, 2010. TVA stated in its RAI response that the PTLR would be revised to incorporate the LTOP lift settings into the PTLR.(SSER 22, Section 5.3.2)(47) The NRC staff noted that TVA's changes to NRR Open Section 6.2.6 in FSAR Amendment 97, regarding the implementation of Option B of Appendix J, were incomplete, because several statements remained regarding performing water-sealed valve leakage tests "as specified in 10 CFR [Part] 50, Appendix J." With the adoption of Option B, the specified testing requirements are no longer applicable; Option A to Appendix J retains these requirements.
The NRC discussed this discrepancy with TVA in a telephone conference on September 28, 2010. TVA stated that it would remove the inaccurate reference to Appendix J for specific water testing requirements in a future FSAR amendment. (SSER 22, Section 6.2.6)(48) CI The NRC staff should verify that its conclusions in NRR Open the review of FSAR Section 15.4.1 do not affect the conclusions of the staff regarding the acceptability of Section 6.5.3. (SSER 22, Section 6.5.3)(49) Cl The NRC staff was unable to determine how TVA RII Open linked the training qualification requirements of ANSI N45.2-1971 to TVA Procedure TI-1 19.Therefore, the implementation of training and qualification for inspectors will be the subject of future NRC staff inspections. (NRC letter dated July 2, 2010, ADAMS Accession No. ML1 01720050)(50) C1 TVA stated that about 5 percent of the anchor bolts RII Open for safety-related pipe supports do not have quality control documentation, because the pull tests have not yet been performed.
Since the documentation is HH-6 still under development, the NRC staff will conduct inspections to follow-up on the adequate implementation of this construction refurbishment program requirement. (NRC letter dated July 2, 2010, ADAMS Accession No. ML1 01720050)(51) CI The implementation of TVA Procedure TI-119 will RII Open be the subject of NRC follow-up inspection to determine if the construction refurbishment program requirements are being adequately implemented.(NRC letter dated July 2, 2010, ADAMS Accession No. ML101720050)
(52) Not used.through (58)(59) The staffs evaluation of the compatibility of the ESF NRR Open system materials with containment sprays and core cooling water in the event of a LOCA is incomplete pending resolution of GSI-1 91 for WBN Unit 2.(Section 6.1.1.4)(60) CI TVA should amend the FSAR description of the NRR Open design and operation of the spent fuel pool cooling and cleanup system in FSAR Section 9.1.3 as proposed in its December 21, 2010, letter to the NRC. (Section 9.1.3)(61) TVA should provide information to the NRC staff to NRR Open demonstrate that PAD 4.0 can conservatively calculate the fuel temperature and other impacted variables, such as stored energy, given the lack of a fuel thermal conductivity degradation model.(Section 4.2.2)(62) CI Confirm TVA's change to FSAR Section 10.4.9 to NRR Open reflect its intention to operate with each CST isolated from the other. (Section 10.4.9)(63) Cl WVA should confirm to the NRC staff that testing RII Open prior to Unit 2 fuel load has demonstrated that two-way communications is impossible with the Eagle 21 communications interface. (Section 7.2.1.1)(64) Cl TVA stated that, "Post modification testing will be RII Open performed to verify that the design change corrects the Eagle 21, Rack 2 RTD accuracy issue prior to WBN Unit 2 fuel load." This issue is open pending NRC staff review of the testing results. (Section 7.2.1.1)(65) TVA should provide justification to the staff NRR Open regarding why different revisions of WCAP-1 3869 are referenced in WBN Unit I and Unit 2. (Section 7.2.1.1)(66) Cl TVA should clarify FSAR Section 9.2.5 to add the NRR Open capability of the UHS to bring the nonaccident unit to cold shutdown within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. (Section 9.2.5)HH-7 (67) Cl TVA should confirm, and the NRC staff should RII Open verify, that the component cooling booster pumps for Unit 2 are above PMF level. (Section 9.2.2)(68) Not used.(69) CI The WBN Unit 2 RCS vent system is acceptable, RII Open pending verification that the RCS vent system is installed. (Section 5.4.5)(70) TVA should provide the revised WBN Unit 2 PSI NRR Open program ASME Class 1, 2, and 3 Supports"Summary Tables," to include numbers of components so that the NRC staff can verify that the numbers meet the reference ASME Code. (Section 3.2.3 of Appendix Z of SSER 23)(71) By letter dated April 21, 2011 (ADAMS Accession NRR Open No. MLI 11110513), TVA withdrew its commitment to replace the Unit 2 clevis insert bolts. TVA should provide further justification for the decision to not replace the bolts to the NRC staff. (Section 3.9.5)(72) The NRC staff should complete its review and NRR Open evaluation of the additional information provided by TVA regarding the ICC instrumentation. (Section 4.4.8)(73) Cl The NRC staff will inspect to confirm that TVA has RI1 Open completed the WBN Unit 2 EOPs prior to fuel load.(Section 7.5.3)(74) Cl The NRC staff will verify installation of the acoustic-RII Open monitoring system for the power-operated relief valve (PORV) position indication in WBN Unit 2 before fuel load. (Section 7.8.1)(75) CI The NRC staff will verify that the test procedures RII Open and qualification testing for auxiliary feedwater initiation and control and flow indication are completed in WBN Unit 2 before fuel load. (Section 7.8.2)(76) Cl The NRC staff will verify that the derivative time RII Open constant is set to zero in WBN Unit 2 before fuel load. (Section 7.8.3)(77) It is unclear to the NRC staff which software V&V NRR Open documents are applicable to the HRCAR monitors.WVA should clarify which software V&V documents are applicable, in order for the staff to complete its evaluation. (Section 7.5.2.3)(78) TVA intends to issue a revised calculation reflecting NRR Open that the TID in the control room is less than Ix103 rads, which will be evaluated by the NRC staff.(Section 7.5.2.3)HH-8 (79) TVA should perform a radiated susceptibility survey, NRR Open after the installation of the hardware but prior to the RM-1 000 being placed in service, to establish the need for exclusion distance for the HRCAR monitors while using handheld portable devices (e.g., walkie-talkie) in the control room, as documented in Attachment 23 to TVA's letter dated February 25, 2011, and item number 355 of TVA's letter dated April 15, 2011. (Section 7.5.2.3)(80) TVA should provide clarification to the staff on how NRR Open TVA Standard Specification SS-E18-14.1 meets the guidance of RG 1.180, and should address any deviations from the guidance of the RG. (Section 7.5.2.3)(81) The extent to which TVA's supplier, General NRR Open Atomics (GA), complies with EPRI TR-106439 and the methods that GA used for its commercial dedication process should be provided by WVA to the NRC staff for review. (Section 7.5.2.3)(82) The staff concluded that the information provided by NRR Open TVA pertaining to the in-containment LPMS equipment qualification for vibration was incomplete.
TVA should provide (item number 362 of ADAMS Accession No. ML1 11050009), documentation that demonstrates the LPMS in-containment equipment has been qualified to remain functional in its normal operating vibration environment, per RG 1.133, Revision 1. (Section 7.6.1)(83) Cl TVA should confirm to the NRC staff the completion NRR Open of the data storm test on the DCS. (Section 7.7.1.4)(84) Not used.through (89)(90) CI The NRC staff should verify that the ERCW dual RII/NRR Open unit flow balance confirms that the ERCW pumps meet all specified performance requirements and have sufficient capability to supply all required ERCW normal and accident flows for dual unit operation and accident response, in order to verify that the ERCW pumps meet GDC 5 requirements for two-unit operation. (Section 9.2.1)(91) TVA should update the FSAR with information NRR Open describing how WBN Unit 2 meets GDC 5, assuming the worst case single failure and a LOOP, as provided in TVA's letter dated April 13, 2011.(Section 9.2.1)(92) Not used.HH-9 (93) TVA should confirm to the staff that testing of the RII Open Eagle 21 system has sufficiently demonstrated that two-way communication to the ICS is precluded with the described configurations. (Section 7.9.3.2)(94) TVA should provide to the staff either information NRR Open that demonstrates that the WBN Unit 2 Common Q PAMS meets the applicable requirements in IEEE Std. 603-1991, or justification for why the Common Q PAMS should not meet those requirements.(Section 7.5.2.2.3)
(95) TVA should update FSAR Table 7.1-1, "Watts Bar NRR Open Nuclear Plant NRC Regulatory Guide Conformance," to reference IEEE Std. 603-1991 for the WBN Unit 2 Common Q PAMS. (Section 7.5.2.2.3)
(96) TVA should (1) update FSAR Table 7.1-1 to include NRR Open RG 1.100, Revision 3, for the Common Q PAMS, or (2) demonstrate that the Common Q PAMS is in conformance with RG 1.100, Revision 1, or provide justification for not conforming. (Section 7.5.2.2.3)
(97) TVA should demonstrate that the WBN Unit 2 NRR Open Common Q PAMS is in conformance with RG 1.153, Revision 1, or provide justification for not conforming. (Section 7.5.2.2.3)
(98) TVA should demonstrate that the WBN Unit 2 NRR Open Common Q PAMS is in conformance with RG 1.152, Revision 2, or provide justification for not conforming. (Section 7.5.2.2.3)
(99) TVA should update FSAR Table 7.1-1 to reference NRR Open IEEE 7-4.3.2-2003 as being applicable to the WBN Unit 2 Common Q PAMS. (Section 7.5.2.2.3)
(100) TVA should update FSAR Table 7.1-1 to reference NRR Open RG 1.168, Revision 1; IEEE 1012-1998; and IEEE 1028-1997 as being applicable to the WBN Unit 2 Common Q PAMS. (Section 7.5.2.2.3)
(101) TVA should demonstrate that the WBN Unit 2 NRR Open Common Q PAMS application software is in conformance with RG 1.168, Revision 1, or provide justification for not conforming. (Section 7.5.2.2.3)
(102) WVA should update FSAR Table 7.1-1 to reference NRR Open RG 1.209 and IEEE Std. 323-2003 as being applicable to the WBN Unit 2 Common Q PAMS.(Section 7.5.2.2.3)
(103) TVA should demonstrate that the WBN Unit 2 NRR Open Common Q PAMS conforms to RG 1.209 and IEEE Std. 323-2003, or provide justification for not conforming. (Section 7.5.2.2.3)
(104) Cl The NRC staff will review the WEC self assessment NRR Open to verify that it the WBN Unit 2 PAMS is compliant to the V&V requirements in the SPM or that deviations HH-10 from the requirements are adequately justified.(Section 7.5.2.2.3.4.2)
(105) TVA should produce an acceptable description of NRR Open how the WBN Unit 2 Common Q PAMS SysRS and SRS implement the design basis requirements of IEEE Std. 603-1991 Clause 4. (Section 7.5.2.2.3.4.3.1)
(106) TVA should produce a final WBN Unit 2 Common Q NRR Open PAMS SRS that is independently reviewed.(Section 7.5.2.2.3.4.3.1)
(107) Cl TVA should provide to the NRC staff documentation NRR Open to confirm that the final WBN Unit 2 Common Q PAMS SDDs that are independently reviewed.(Section 7.5.2.2.3.4.3.2)
(108) TVA should demonstrate to the NRC staff that there NRR Open are no synergistic effects between temperature and humidity for the Common Q PAMS equipment.(Section 7.5.2.2.3.5.2)
(109) TVA should demonstrate to the NRC staff NRR Open acceptable data storm testing of the Common Q PAMS. (Section 7.5.2.2.3.7.1.8)
(110) TVA should provide information to the NRC staff NRR Open describing how the WBN Unit 2 Common Q PAMS design supports periodic testing of the RVLIS function. (Section 7.5.2.2.3.9.2.6)
(111) WVA should confirm to the staff that there are no NRR Open changes required to the technical specifications as a result of the modification installing the Common Q PAMS. If any changes to the technical specifications are required, TVA should provide the changes to the NRC staff for review. (Section 7.5.2.2.3.11)
Cl -Confirmatory Issue HH-11
NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION
- 1. REPORT NUMBER[12-2010) (Assigned by NRC, Add Vol., Supp., Rev., NRCMD 3.7 and Addendum Numbers, If any.)BIBLIOGRAPHIC DATA SHEET NUREG-0847 (See instructions on the reverse) Supplement No. 23 2. TITLE AND SUBTITLE 3. DATE REPORT PUBLISHED Safety Evaluation Report MONTH YEAR Related to the Operation of Watts Bar Nuclear Plant Unit 2 Jul 2011 Docket No. 50-391 4. FIN OR GRANT NUMBER 5. AUTHOR(S)
- 6. TYPE OF REPORT P. Milano and others as listed in Appendix E. Technical 7. PERIOD COVERED (inclusive Dates)8. PERFORMING ORGANIZATION
-NAME AND ADDRESS (If NRC, provide Division, Office orRegion, U.S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name and mailing address.)U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation Division of Operating Reactor Licensing Washington, DC 20555-0001
- 9. SPONSORING ORGANIZATION
-NAME AN D ADDRESS (ff NRC, OWp 'Same as above,; if oentrector, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Comm-Uisson, and mailing address.)Same as above.10. SUPPLEMENTARY NOTES Docket No. 50-391 11. ABSTRACT (200 words or less)This report supplements the safety evaluation report (SER), NUREG-0847 (June 19 82), Supplement No. 22 (February 2011;Agencywide Documents Access and Management System (ADAMS) Accession No. ML1 0390197), with respect to the application filed by the Tennessee Valley Authority (TVA), as applicant and own er, for a license to operate Watts Bar Nuclear Plant (WBN) Unit 2 (Docket No. 50-391).In its SER and supplemental SER (SSER) Nos. I through 20, issued by the Office of Nuclear Reactor Regulation of the U.S.Nuclear Regulatory Commission (NRC or the staff), the NRC staff documented its safety evaluation and determination that WBN Unit I met all applicable regulations.
Based on satisfactory findings from all applicable inspections, on February 7, 1996, the NRC issued a full-power operating license for WBN Unit 1, authorizing opera tion up to 100 percent power.In SSER 21, the staff addressed TVA's application for a license to operate WBN Unit 2, and provided information regarding the status of items remaining to be resolved, which were outstanding at the time t hat TVA deferred construction of WBN Unit 2, and were not evaluated and resolved as part of the licensing of WBN Unit 1. In SSER 22, the staff documented its evaluation and closure of open items in support of TVA's application for a license to oper ate WBN Unit 2.In this and future SSERs, the staff continues its documentation of its review o f open items in support of TVA's application for an operating license for WBN Unit 2.12. KEY WORDSIDESCRIPTORS (Ust words or phrases that vali assist researchers in locating te report.) 13. AVAILABILITY STATEMENT Safety Evaluation Report (SER) unlimited Watts Bar Nuclear Plant 14. SECURITY CLASSIFICATION Docket No. 50-391 This Page)unclassified (This Report)unclassified
- 15. NUMBER OF PAGES 16. PRICE NRC FORM 335 (12-2010)
" .Federal RIcyclng