W3F1-2021-0051, Revised Licensing Technical Report for the Common Q Core Protection Calculator System - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator System and Control Element Assembly Calculator


ML21200A254
Person / Time
Site: Waterford
Issue date: 07/19/2021
From: Gaston R, Entergy Operations
To: Document Control Desk, Office of Nuclear Reactor Regulation
Shared Package: ML21200A253
References: W3F1-2021-0051, WCAP-18484-NP, Rev 1
Download: ML21200A254 (259)



Proprietary Information - Withhold from Public Disclosure Under 10 CFR 2.390 The balance of this letter may be considered non-proprietary upon removal of Enclosure 1.

Entergy Operations, Inc.
1340 Echelon Parkway
Jackson, MS 39213
Tel 601-368-5138

Ron Gaston
Director, Nuclear Licensing

10 CFR 50.90

W3F1-2021-0051

July 19, 2021

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Subject:

Revised Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System - License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) System and Control Element Assembly Calculator (CEAC) System

Waterford Steam Electric Station, Unit 3
NRC Docket No. 50-382
Renewed Facility Operating License No. NPF-38

References:

Entergy Operations, Inc. letter to U.S. Nuclear Regulatory Commission (NRC), "License Amendment Request to Implement a Digital Upgrade to the Core Protection Calculator (CPC) system and Control Element Assembly Calculator (CEAC) system," dated July 23, 2020 (ADAMS Accession No. ML20205L588)

In the referenced letter, Entergy Operations, Inc. (Entergy) submitted a proposed amendment to Appendix A, "Technical Specifications" (TS), of Renewed Facility Operating License No. NPF-38 for Waterford Steam Electric Station, Unit 3 (Waterford). The proposed change would revise the Waterford TS in order to implement a planned digital instrumentation and control (DI&C) modification at Waterford. The DI&C modification will replace the existing digital minicomputers of the Core Protection Calculator (CPC) system and Control Element Assembly Calculator (CEAC) system with a more reliable digital system based on the Westinghouse Electric Company (Westinghouse) Common Qualified (Common Q) Platform.

The referenced license amendment request (LAR) included WCAP-18484-P, "Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System," in Attachment 4. Subsequent to submittal of the referenced LAR, WCAP-18484-P has been revised. Enclosure 1 to this letter provides the revised WCAP-18484-P, Revision 1, with changes identified with revision bars in the left margin. Enclosure 2 provides a non-proprietary version, WCAP-18484-NP, Revision 1.

Enclosure 1 contains information proprietary to Westinghouse; it is supported by an Affidavit signed by Westinghouse, the owner of the information. The Affidavit sets forth the basis on which the information may be withheld from public disclosure by the Nuclear Regulatory Commission (NRC) and addresses with specificity the considerations listed in paragraph (b)(4) of Title 10 of the Code of Federal Regulations (10 CFR) Section 2.390.

Accordingly, it is respectfully requested that the information which is proprietary to Westinghouse be withheld from public disclosure in accordance with 10 CFR 2.390.

Correspondence with respect to the copyright or proprietary aspects of the items listed above or the supporting Westinghouse Affidavit should reference CAW-21-5197 (Enclosure 3) and should be addressed to Anthony J. Schoedel, Manager, eVinci Licensing & Configuration Management, Westinghouse Electric Company, 1000 Westinghouse Drive, Cranberry Township, Pennsylvania 16066.

Enclosures 4 and 5 contain revised Technical Specification pages that correct an editorial error in the referenced LAR. The proposed change to Technical Specification 6.8.1 requested in the referenced LAR included an incorrect title for WCAP-16096-P-A. This letter provides replacement pages providing the correct document title for WCAP-16096-P-A.

The No Significant Hazards Consideration determination provided in the referenced submittal is not altered by the information provided in this letter.

There are no new regulatory commitments included in this letter.

In accordance with 10 CFR 50.91(b)(1), "Notice for public comment; State consultation," a copy of this letter, without the proprietary attachments, is being provided to the designated State Official.

Should you have any questions or require additional information, please contact Paul Wood, Regulatory Assurance Manager, Waterford, at (504) 464-3786 or pwood1@entergy.com.

I declare under penalty of perjury, that the foregoing is true and correct. Executed on July 19, 2021.

Respectfully,

Ron Gaston

RWG/rrd


Enclosures:

1. WCAP-18484-P, Revision 1, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Proprietary
2. WCAP-18484-NP, Revision 1, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Non-Proprietary
3. Westinghouse Affidavit CAW-21-5197, Proprietary Information Notice, and Copyright in support of WCAP-18484-P, Revision 1, (Enclosure 1)
4. Technical Specification Page Markup
5. Clean Technical Specification Page

cc:
NRC Region IV Regional Administrator
NRC Senior Resident Inspector - Waterford Steam Electric Station, Unit 3
Louisiana Department of Environmental Quality (without Enclosure 1)
NRC Project Manager, Waterford Steam Electric Station, Unit 3

Enclosure 2 to W3F1-2021-0051

WCAP-18484-NP, Revision 1, Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System, Non-Proprietary (247 Pages)

Westinghouse Non-Proprietary Class 3
WCAP-18484-NP, Revision 1, June 2021
Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System

      • This record was final approved on 6/25/2021 8:24:16 AM. (This statement was added by the PRIME system upon its validation)

WCAP-18484-NP, Revision 1
Licensing Technical Report for the Waterford Steam Electric Station Unit 3 Common Q Core Protection Calculator System

Warren R. Odess-Gillett*, Licensing Engineering
June 2021

Reviewers:
Allen C. Denyer*, CE Plant Safety Systems
Matthew A. Shakun*, Licensing Engineering

Approved: Anthony J. Schoedel*, Manager, Licensing Engineering

* Electronically approved records are authenticated in the electronic document management system.

Westinghouse Electric Company LLC 1000 Westinghouse Drive Cranberry Township, PA 16066, USA

© 2021 Westinghouse Electric Company LLC All Rights Reserved


REVISION HISTORY

Revision A, Warren Odess-Gillett, completed 11/21/2019:
  Revision A - First draft with open items.

Revision B, Warren Odess-Gillett, completed 2/21/2020:
  1. Removed technical specification markups from this document. Entergy will include the technical specification markups in the LAR document.
  2. Added new Appendix B, Elimination of Specific CPCS Technical Specification Surveillance Requirements.
  3. Incorporated Entergy comments from Revision A.
  4. Rewrote Section 3.2.6 with safety analysis qualitative assessment.
  5. Closed all open items.

Revision 0, Warren Odess-Gillett, completed 4/6/2020:
  1. Incorporated Entergy comments.

Revision 1, Warren Odess-Gillett, completed: See PRIME:
  1. Corrected errors and revised content in accordance with NRC Open Item responses.
  2. Updated Figure 3.2.17-1 CPCS Channel B to be consistent with Figure 2.1-2B of WNA-DS-04650-CWTR3, Revision 2.

OPEN ITEMS

Item / Description / Status: None


TABLE OF CONTENTS

REVISION HISTORY ..... ii
OPEN ITEMS ..... ii
LIST OF TABLES ..... vi
LIST OF FIGURES ..... vii
ACRONYMS AND TRADEMARKS ..... viii
1 INTRODUCTION ..... 1-1
2 PLANT SYSTEM DESCRIPTION (D.1) ..... 2-1
3 SYSTEM ARCHITECTURE (D.2) ..... 3-1
3.1 EXISTING ARCHITECTURE (D.2.1) ..... 3-1
3.2 NEW SYSTEM ARCHITECTURE (D.2.2) ..... 3-5
3.2.1 CPC AC160 Controller ..... 3-8
3.2.2 CEAC AC160 Controller ..... 3-15
3.2.3 Power Supply ..... 3-20
3.2.4 APC Multiplexer ..... 3-21
3.2.5 HVAC Requirements ..... 3-21
3.2.6 CPCS Design Function ..... 3-22
3.2.7 Service/Test Functions ..... 3-28
3.2.8 Separation and Independence ..... 3-39
3.2.9 Cross Divisional Interfaces ..... 3-41
3.2.10 Connections to Human-System Interfaces ..... 3-42
3.2.11 Connections between Safety-Related Systems ..... 3-42
3.2.12 Connections between Safety-Related and Non-Safety-Related Systems ..... 3-42
3.2.13 Temporary Connections ..... 3-42
3.2.14 Interfacing with Supporting Systems ..... 3-43
3.2.15 Physical Location of System Equipment ..... 3-43
3.2.16 Communications ..... 3-43
3.2.17 Failure Modes and Effects Analysis ..... 3-57
3.2.18 Common Cause Failure (CCF) ..... 3-60
3.2.19 Compliance to Applicable IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003 Clauses ..... 3-61
3.2.20 FSAR Changes ..... 3-66
3.3 NEW SYSTEM FUNCTIONS (D.2.3 AND D.2.3.1) ..... 3-67
3.3.1 Restoring CEA Rate of Change Lock-In ..... 3-67
3.3.2 IEEE Std 603-1991 Clause 4 Compliance ..... 3-68
3.3.3 IEEE Std 603-1991 Applicable Clauses for New System Functions ..... 3-71
3.3.4 System Requirements Documentation (D.2.3.3 and D.2.3.3.1) ..... 3-77
3.4 FUNCTION ALLOCATION (D.2.4 AND D.2.4.1) ..... 3-82
3.5 SYSTEM INTERFACES (D.2.5) ..... 3-82
3.5.1 CEA Position Cross Channel Communication ..... 3-82
3.5.2 PPS Interface ..... 3-83
3.5.3 Plant Annunciator System Interface ..... 3-83
3.5.4 OM and MTP Print Screen Interface ..... 3-83
3.5.5 Plant Monitoring System Interface ..... 3-84
3.5.6 CEAPD Interface ..... 3-84
3.5.7 MTP Time Synchronization Interface ..... 3-84
3.5.8 Support and Auxiliary System Interfaces ..... 3-85
3.5.9 Safety to Non-Safety Isolation Requirements ..... 3-85
3.5.10 IEEE Std 603 and IEEE Std 7-4.3.2 Relevant Clauses ..... 3-85
3.6 FUNDAMENTAL DESIGN PRINCIPLES IN THE NEW ARCHITECTURE ..... 3-91
3.6.1 Redundancy (D.2.6.2.1) ..... 3-91
3.6.2 Independence (D.2.6.2.2) ..... 3-94
3.6.3 Deterministic Behavior (D.2.6.2.3) ..... 3-97
3.6.4 Defense-in-Depth and Diversity (D.2.6.2.4) ..... 3-99
3.6.5 Simplicity of Design (D.2.6.2.5) ..... 3-99
4 HARDWARE EQUIPMENT QUALIFICATION (D.3) ..... 4-1
5 I&C SYSTEM DEVELOPMENT PROCESSES (D.4) ..... 5-1
5.1 COMMON Q SPM PLANT SPECIFIC ACTION ITEMS ..... 5-2
5.1.1 PSAI 1 ..... 5-3
5.1.2 PSAI 2 ..... 5-4
5.1.3 PSAI 3 ..... 5-6
5.1.4 PSAI 4 ..... 5-6
5.1.5 PSAI 5 ..... 5-6
5.1.6 PSAI 6 ..... 5-7
5.1.7 PSAI 7 ..... 5-8
5.2 SYSTEM AND SOFTWARE DEVELOPMENT ACTIVITIES (D.4.2.1) ..... 5-8
5.2.1 Plant and Instrumentation and Control System Safety Analysis (D.4.2.1.1) ..... 5-8
5.2.2 Instrumentation and Control System Requirements (D.4.2.1.2) ..... 5-8
5.2.3 Instrumentation and Control System Architecture (D.4.2.1.3) ..... 5-9
5.2.4 Instrumentation and Control System Design (D.4.2.1.4) ..... 5-9
5.2.5 Software Requirements (D.4.2.1.5) ..... 5-10
5.2.6 Software Design (D.4.2.1.6) ..... 5-11
5.2.7 Software Implementation (D.4.2.1.7) ..... 5-11
5.2.8 Software Integration (D.4.2.1.8) ..... 5-12
5.2.9 Instrumentation and Control System Testing (D.4.2.1.9) ..... 5-12
5.2.10 Project Management Processes (D.4.2.2) ..... 5-13
5.2.11 Software Quality Assurance Processes (D.4.2.3) ..... 5-14
5.2.12 Software Verification and Validation Processes (D.4.2.4) ..... 5-14
5.2.13 Configuration Management Processes (D.4.2.5) ..... 5-14
6 APPLYING A REFERENCED TOPICAL REPORT SAFETY EVALUATION (D.5) ..... 6-1
6.1 COMMON Q PLATFORM CHANGES (D.5.1.1) ..... 6-1
6.1.1 Common Q Platform Topical Report Revision ..... 6-1
6.2 RESOLUTION OF TOPICAL REPORT PLANT-SPECIFIC ACTION ITEMS (D.5.1.2) ..... 6-1
6.2.1 Generic Open Items ..... 6-2
6.2.2 Plant-Specific Action Items ..... 6-2
7 COMPLIANCE/CONFORMANCE MATRIX FOR IEEE STANDARDS 603-1991 AND 7-4.3.2-2003 (D.6) ..... 7-1
8 TECHNICAL SPECIFICATIONS (D.7) ..... 8-1
9 SECURE DEVELOPMENT AND OPERATIONAL ENVIRONMENT (D.8) ..... 9-1
9.1 SECURE DEVELOPMENT ENVIRONMENT ..... 9-1
9.2 SECURE OPERATIONAL ENVIRONMENT ..... 9-1
9.2.1 Secure Operational Environment Vulnerability Assessment ..... 9-2
10 REFERENCES ..... 10-1
11 BIBLIOGRAPHY ..... 11-1
APPENDIX A WF3 FSAR MARKUPS ..... A-1
APPENDIX B ELIMINATION OF SPECIFIC CPCS TECHNICAL SPECIFICATION SURVEILLANCE REQUIREMENTS ..... B-1
APPENDIX C ENDNOTES ..... C-1


LIST OF TABLES

Table 3.2.1.1-1 CPC Program Execution Intervals and Input Sampling Rates ..... 3-14
Table 3.2.2-1 Preferred Source for CEA Position Data ..... 3-18
Table 3.2.2-2 CEAC Program Execution Intervals and Input Sampling Rates ..... 3-20
Table 3.2.16-1 DI&C-ISG-04 Compliance ..... 3-45
Table 3.2.17.2-1 Window Watchdog Timer Actuation Summary ..... 3-60
Table 3.3.3-1 ISG-06 System Requirements Document Content ..... 3-78
Table 5.1.2-1 BTP 7-14 Documents ..... 5-5
Table 7-1 Compliance/Conformance Matrix for IEEE Std 603 and IEEE Std 7-4.3.2 ..... 7-1
Table 9.2.1.5-1 Summary of Vulnerabilities, Controls, and Overall Effectiveness ..... 9-6
Table B.4-1 Annunciation Path FMEDAs ..... B-13
Table B.5-2 PM646A Communication Section (CS) Diagnostic Table ..... B-20
Table B.5-3 CI631 Communication Module Diagnostic Table ..... B-22
Table B.5-4 Backplane I/O Bus (BIOB) Diagnostic Table ..... B-23
Table B.5-5 Analog Input Module (AI688) Diagnostic Table ..... B-24
Table B.5-6 Digital Pulse Module (DP620) Diagnostic Table ..... B-25
Table B.6-1 PM646A Processing Module FMEDA ..... B-30
Table B.6-2 BIOB FMEDA ..... B-32
Table B.6-3 CI631 Communications Module FMEDA ..... B-33
Table B.6-4 Analog Input Modules (AI688) FMEDA ..... B-34
Table B.6.5 Digital Pulse Module (DP620) FMEDA ..... B-36
Table B.6.6 Digital Output Module (DO625) FMEDA ..... B-37
Table B.6.7 Interposing Relay Panel (IRP) FMEDA ..... B-37
Table B.7-1 [ ]a,c ..... B-39
Table B.7-2 CPCS Components within Scope of TS RTT SR ..... B-42


LIST OF FIGURES

Figure 2-1 CPC Functional Block Diagram ..... 2-3
Figure 2-2 Existing CPC/CEAC Architecture Block Diagram ..... 2-4
Figure 2-3 Existing CPC/CEAC Channelization Diagram ..... 2-6
Figure 3.1-1 Existing CPC/CEAC Architecture Block Diagram ..... 3-1
Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram ..... 3-7
Figure 3.2.17-1 CPCS Channel B ..... 3-58
Figure B-1 Channel Fault Indication and Alarm Paths ..... B-13


ACRONYMS AND TRADEMARKS

The following abbreviations and acronyms are defined to allow an understanding of their use within this document.

Tcold: Cold leg temperature difference
AI: Analog Input
AC: Alternating Current
AC160: Advant Controller 160
A/D: Analog to Digital [conversion]
AF100: Advant Fieldbus 100 (data bus within a CPC channel)
AO: Analog Output
AOO(s): Anticipated Operating Occurrence(s)
APC: Auxiliary Protective Cabinet
AR: Alternate Review [process] (new process described in DI&C-ISG-06, Revision 2)
ASGT: Asymmetric Steam Generator Transient
ATWS: Anticipated Transient Without Scram
AUX CPC: Auxiliary CPC processor in the CPC AC160 controller
CCF: Common Cause Failure
CEA: Control Element Assembly
CEAC: CEA Calculator
CEACs: CEACs in multiple channels, or referring to CEAC 1 and CEAC 2 in one channel
CEAPD: CEA Position Display
CEAPDS: CEA Position Display System
CMRR: Configuration Management Release Report
COLR: Core Operating Limits Report
COLSS: Core Operating Limit Supervisory System
CONTRM: AC160 control module (i.e., periodic executable application in the PM646A)
CPCS: Core Protection Calculator System
CPCs: Core Protection Calculators in multiple channels (as distinguished from CEACs in each channel)
CPP: CEA Position Processor
CPU: Central Processing Unit
CRC: Cyclic Redundancy Check
CS: Communication Section (see PS)
CWP: CEA Withdrawal Prohibit
D3: Defense-in-Depth and Diversity
DI(s): Digital Input(s)
DNBR: Departure from nucleate boiling ratio
DO: Digital Output
EC: Engineering Change
ECT: EC Testing
ESFS: Engineered Safety Features System
EXLD: Excess heat removal due to secondary system malfunction
FAT: Factory Acceptance Test
FPD: Flat Panel Display
FPDS: [Common Q] Flat Panel Display System
FE: Function Enable [key switch]
FICA: Fixed incore amplifier
FIDAS: Fixed Incore Detector Amplifier System
FMEA: Failure Modes and Effects Analysis
GDC: General Design Criteria
GOI(s): Generic Open Item(s)
GUI: Graphical User Interface
HCD: Hold Coil Delay
HFP: Hot Full Power
HSI: Human System Interface
HSL(s): High Speed Link(s)
HZP: Hot Zero Power
I/O: Input/Output
IEEE: Institute of Electrical and Electronics Engineers
INOP: Inoperable
IRIG: Inter-range Instrumentation Group [time codes]
ISG: [NRC] Interim Staff Guidance
IRP: Interposing Relay Panel
kW/ft: Kilowatt per foot
LAR: License Amendment Request
LOOP: Loss Of Offsite Power
LPD: Local power density
LTR: Licensing Technical Report
MCB: Main Control Board
MCR: Main Control Room
MSLB: Main Steam Line Break
MTP: Maintenance and Test Panel
MUX: Multiplexer
NI: Nuclear incore instrumentation
NRC: Nuclear Regulatory Commission
NRR: NRC Office of Nuclear Reactor Regulation
NSSS: Nuclear Steam Supply System
OEM: Original Equipment Manufacturer
OM: Operators module
OMs: Operators modules
OSS: Out of service
PA: Postulated Accident
PF: Penalty Factor
PMC: Plant Monitoring Computer
PPS: Plant Protection System
PS: 1. Processor Select [switch]; 2. Processing Section (within the PM646A)
RCP: Reactor Coolant Pump
RCS: Reactor Coolant System
RCPSSSS: RCP Shaft Speed Sensing System
RDB: Reload Data Block
RE: Responsible Engineer
RPS: Reactor Protection System
RSE: Reusable Software Element
RSED: Reusable Software Element Description
RSPT: Reed Switch Position Transmitter
RTC: Real Time Clock
RTCB: Reactor Trip Circuit Breaker
RTD: Resistor Temperature Detector
RTM: Requirements Traceability Matrix
RTP: Rated Thermal Power
RTS: Return to Service
SAFDL: Specified Acceptable Fuel Design Limits
SDD: Software Design Description
SER: Safety Evaluation Report
SGTR: Steam Generator Tube Rupture
SHA: Software Hazards Analysis
SLB: Steam Line Break
SLE: Software Load Enable [key switch]
SPM: Software Program Manual
SR: Surveillance Requirement
SRS: Software Requirements Specification
TE: Test Engineer
Tin/Tcold: Core inlet temperature (cold leg)
Tout/Thot: Core outlet temperature (hot leg)
TRIPSEQ: Trip sequence - a periodic executable application in the CPC PM646A (see CONTRM)
TS: Technical Specification(s)
Tsat: Saturation temperature
TSTF: 1. Technical Specification Task Force; 2. Technical Specification Traveler Form
FSAR: Updated Final Safety Analysis Report
V&V: Verification and Validation
Vac: Volts alternating current
Vdc: Volts direct current
VOPT: Variable overpower trip
WDT: Watchdog timer
WF3: Waterford Steam Electric Station Unit 3
WWDT: Window watchdog timer

1 INTRODUCTION

The Core Protection Calculator System (CPCS) at Waterford Steam Electric Station Unit 3 (WF3) is being replaced with a new system based on the Common Qualified (Common Q(TM)) Platform. This report supports the WF3 License Amendment Request (LAR) to be reviewed and approved by the United States Nuclear Regulatory Commission (NRC) staff. This licensing technical report (LTR) follows aspects of the structure in Revision 2 of DI&C-ISG-06, Digital Instrumentation and Controls Licensing Process Interim Staff Guidance (Reference 1). The aspects followed are those that pertain to the alternate review (AR) process as described in Section C.2 of DI&C-ISG-06 (Reference 1).

WF3 can use the information in this LTR to complete sections of the LAR that pertain to DI&C-ISG-06 Sections D.1 through D.8. Each section heading will include the corresponding DI&C-ISG-06 Section in parentheses (e.g., Plant System Description (D.1)).


2 PLANT SYSTEM DESCRIPTION (D.1)

The WF3 Plant Protection System (PPS) consists of an Engineered Safety Features Actuation System (ESFAS) and a Reactor Protection System (RPS). The Core Protection Calculator System (CPCS) is part of the RPS. The PPS cabinet includes the RPS Coincidence and Initiation Logic. The Auxiliary Protective Cabinet (APC) includes the CPCs and the CEACs. The CPC/CEAC system issues 2 of the 15 reactor trips in the RPS to protect the fuel design limits. Four independent Core Protection Calculators (CPCs), one in each protection channel, calculate departure from nucleate boiling ratio (DNBR) and local power density (LPD). The reactor trips provided by the CPCs are inputs to the RPS Coincidence and Initiation Logic, and the CPC trips use 2-out-of-4 logic. The calculations performed in each CPC use the input signals described later in this section. The DNBR and LPD calculation results are compared to trip setpoints for initiation of the low DNBR trip and the high LPD trip.[1] These CPCS trip outputs become digital trip inputs to the corresponding PPS channel. The four-channel PPS performs the 2-out-of-4 voting logic on various reactor trip functions, including the CPC Low DNBR and High LPD trips. The CPCS is designed to initiate automatic protective action to assure that the specified acceptable fuel design limits (SAFDL) on DNBR and LPD are not exceeded during Anticipated Operational Occurrences (AOOs).[2]

The High LPD Trip prevents the linear heat rate (kW/ft) in the limiting fuel pin in the core from exceeding the value corresponding to the centerline fuel melting temperature. This prevents exceeding the safety limit of peak fuel centerline temperature in the event of defined anticipated operational occurrences.[3]

DNBR is the ratio of Critical Heat Flux to Actual Heat Flux. Critical heat flux (CHF) is the value of heat flux at which Departure from Nucleate Boiling (DNB) occurs.[4] The Low DNBR trip prevents the DNBR in the limiting coolant channel in the core from exceeding the fuel design limit for the fuel cladding in the event of defined anticipated operational occurrences. In addition, this trip provides a reactor trip to assist the Engineered Safety Features System (ESFS) in limiting the consequences of the steam generator tube rupture, steam line break and reactor coolant pump shaft seizure accidents.[5] CPC DNBR and LPD pre-trip alarms are initiated prior to the trip value to provide audible and visible indication of approach to a trip condition.[6] These pre-trip functions have no direct safety function.

The CPC will also initiate only the DNBR and LPD trip outputs, known as an Auxiliary Trip, under the following conditions:7

a) CPC operating space limits are exceeded for the hot pin axial shape index, integrated one pin radial peak, maximum and minimum cold leg temperatures, and primary pressure (CPC operating space Trips).

b) Opposing cold leg temperature difference exceeds its setpoint, which varies with power level (Asymmetrical Steam Generator Transient (ASGT) Trip).

c) Reactor power exceeds the variable overpower trip setpoint. The trip setpoint is larger than the steady state reactor power by a constant offset but is limited in how fast it can follow changes in reactor power. This provides protection from sudden power increases (Variable Overpower Trip (VOPT)).

WCAP-18484-NP June 2021 Revision 1


d) The maximum hot leg temperature approaches the coolant saturation temperature (Thot at saturation or Quality Margin).

e) The CPC system is not set in the normal operating configuration (CPC Failure).

f) Reactor coolant pump shaft speed drops below its setpoint value for multiple pumps (Less than two RCPs running).
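The rate-limited tracking setpoint described for the Variable Overpower Trip in item c) above, modelled in Python as an added illustration (this is not Waterford 3, Westinghouse or Entergy code; the offset, rate limit, ceiling and floor values are constructed placeholders, and limiting the setpoint in both directions is a simplifying assumption):

```python
"""Rate-limited variable overpower trip (VOPT) setpoint, illustrative model.

Added example, not Waterford 3 or Westinghouse code. The setpoint is held a
constant offset above reactor power but may only move a bounded amount per
scan, so a slow ramp is tracked while a sudden step crosses the setpoint.
All numeric values are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class VoptConfig:
    offset_pct: float = 10.0          # constructed: setpoint sits this far above power
    max_rate_pct_per_s: float = 1.0   # constructed: fastest the setpoint may move
    ceiling_pct: float = 110.0        # constructed: the setpoint never exceeds this
    floor_pct: float = 30.0           # constructed: the setpoint never drops below this


class VariableOverpowerTrip:
    """Tracks power with a rate-limited setpoint and flags a trip when power reaches it."""

    def __init__(self, cfg: VoptConfig, initial_power_pct: float) -> None:
        self.cfg = cfg
        # At start-up the setpoint is placed at its steady-state position above power.
        self.setpoint = self._clamp(initial_power_pct + cfg.offset_pct)

    def _clamp(self, value: float) -> float:
        return max(self.cfg.floor_pct, min(self.cfg.ceiling_pct, value))

    def step(self, power_pct: float, dt_s: float) -> bool:
        """Advance one scan of dt_s seconds. Returns True if a trip is demanded."""
        target = power_pct + self.cfg.offset_pct
        max_move = self.cfg.max_rate_pct_per_s * dt_s
        # Rate limit: move toward the target by at most max_move per scan.
        # Both directions are limited here; that is a simplifying assumption.
        delta = max(-max_move, min(max_move, target - self.setpoint))
        self.setpoint = self._clamp(self.setpoint + delta)
        # Power that has run ahead of the lagging setpoint demands a trip.
        return power_pct >= self.setpoint


def simulate(power_profile: Sequence[float], dt_s: float = 1.0,
             cfg: VoptConfig = VoptConfig()) -> Tuple[Optional[int], float]:
    """Feed a power profile (percent, one value per scan) through the trip.

    Returns (index of the first scan that tripped or None, final setpoint).
    """
    vopt = VariableOverpowerTrip(cfg, power_profile[0])
    first_trip = None
    for i, power in enumerate(power_profile):
        if vopt.step(power, dt_s) and first_trip is None:
            first_trip = i
    return first_trip, vopt.setpoint


if __name__ == "__main__":
    # Constructed profiles: a slow ramp the setpoint can follow, and a step it cannot.
    slow_ramp = [50.0 + 0.5 * i for i in range(41)]   # 50% -> 70% over 40 s
    step_up = [50.0, 50.0, 70.0, 70.0, 70.0]           # 20% step at scan 2
    print("slow ramp:", simulate(slow_ramp))            # (None, 80.0)
    print("step:", simulate(step_up))                   # (2, 63.0)
```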

The Design Basis functions are not changing as a result of this CPCS upgrade. All the design basis events in Chapter 15 and the reliance on the CPCS low DNBR and high LPD trips are unchanged.8 The methodologies and algorithms used in low DNBR and high LPD processor calculations, including CEAC penalty factors, the treatment of raw data processing/filtering, and the treatment of bad data/faulted hardware in calculations, also remain unchanged.

The PPS/RPS performs a two out of four coincidence of like trip signals to generate a reactor trip signal.

The use of four channels allows bypassing of one channel for maintenance while maintaining a two out of three channel trip.9

Each CPC receives the following inputs: core inlet and outlet temperature, pressurizer pressure, reactor coolant pump speed, excore nuclear instrumentation flux power (each subchannel from the safety channel), selected (target) CEA position, and CEA subgroup deviation from the CEA calculators. Input signals are conditioned and processed.10

The scope of the replacement is the CPCS, including sensor terminations, replacement calculators (CPC and CEAC), alarm output termination, analog output terminations (MCR Indication), and output terminations to the PPS/RPS.11 Excluded from the modification are:

• Sensors and their cabling to the CPCs
• Reactor Protection System
• CPC system trip setpoints and outputs. All functional requirements for DNBR and LPD trip output are unchanged.
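The two-out-of-four coincidence described above, with one channel bypassed for maintenance (two-out-of-three) and a failed calculator held in its fail-safe trip state, modelled as an added Python illustration (not PPS, Westinghouse or Entergy code). The one-bypass-at-a-time interlock it enforces is the one described later for off-line performance testing; the channel names and the ChannelState type are assumptions of the example.

```python
"""Two-out-of-four coincidence with maintenance bypass, illustrative model.

Added example, not PPS or Westinghouse code. Each channel's CPC contributes one
trip state for a function such as Low DNBR. A calculator that has failed its
on-line tests is counted as tripped (the fail-safe state), bypassing one channel
turns the vote into two-out-of-three, and a second concurrent bypass is refused.
"""
from enum import Enum
from typing import Dict, Optional, Tuple


class ChannelState(Enum):
    NO_TRIP = "no_trip"
    TRIP = "trip"
    FAILED = "failed"  # calculator fault detected; outputs held in the fail-safe state


CHANNELS = ("A", "B", "C", "D")
REQUIRED_VOTES = 2


class CoincidenceLogic:
    """Votes the four channels' trip inputs for one protective function."""

    def __init__(self) -> None:
        self._bypassed: Optional[str] = None

    @property
    def bypassed(self) -> Optional[str]:
        return self._bypassed

    def bypass(self, channel: str) -> None:
        """Bypass one channel for maintenance; the interlock allows only one at a time."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if self._bypassed is not None and self._bypassed != channel:
            raise PermissionError(
                f"channel {self._bypassed} is already bypassed; restore it first")
        self._bypassed = channel

    def restore(self, channel: str) -> None:
        """Return a bypassed channel to service."""
        if self._bypassed == channel:
            self._bypassed = None

    @staticmethod
    def demands_trip(state: ChannelState) -> bool:
        """A failed calculator is counted as a trip demand (fail-safe)."""
        return state in (ChannelState.TRIP, ChannelState.FAILED)

    def vote(self, states: Dict[str, ChannelState]) -> Tuple[bool, str]:
        """Return (reactor trip demanded, logic applied, e.g. '2-out-of-3')."""
        missing = [c for c in CHANNELS if c not in states]
        if missing:
            raise ValueError(f"no state for channel(s) {missing}")
        # A bypassed channel is removed from the vote; the two-vote requirement stays.
        active = [c for c in CHANNELS if c != self._bypassed]
        votes = sum(1 for c in active if self.demands_trip(states[c]))
        return votes >= REQUIRED_VOTES, f"{REQUIRED_VOTES}-out-of-{len(active)}"


if __name__ == "__main__":
    logic = CoincidenceLogic()
    normal = {c: ChannelState.NO_TRIP for c in CHANNELS}
    one_trip = dict(normal, A=ChannelState.TRIP)
    print(logic.vote(one_trip))                               # (False, '2-out-of-4')
    print(logic.vote(dict(one_trip, C=ChannelState.FAILED)))  # (True, '2-out-of-4')
    logic.bypass("B")
    print(logic.vote(dict(normal, C=ChannelState.TRIP,
                          D=ChannelState.TRIP)))               # (True, '2-out-of-3')
```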


Figure 2-1. CPC Functional Block Diagram12 (diagram not reproduced in this text; it shows RCS pressure, hot and cold leg temperatures, RCP speed, excore signals and target CEA positions feeding the flow, power, axial power distribution, planar radial, DNBR and LPD calculations, with the DNBR and LPD comparators driving the Low DNBR and High LPD trip and pre-trip outputs and the margin meters)

In the existing CPCS, the CPC in each channel receives one CEA position (target CEA) from each CEA Subgroup, which provides each CPC with one quarter of the CEA position inputs. The existing system has two independent CEA calculators (CEACs), as part of the CPC System, to calculate individual CEA deviations from the position of the other CEAs in their subgroup.13 The position of each CEA is an input to the CEAC. These positions are measured by means of two redundant reed switch assemblies on each CEA. These redundant reed switch assemblies are not being changed as a part of the LAR. In the existing system each CEA is instrumented by redundant CEA reed switch position transmitters (RSPT) identified as RSPT1 and RSPT2 for each CEA.14 The RSPT1 inputs are monitored by CEAC 1 and the RSPT2 inputs are monitored by CEAC 2. CEAC 1 is located in Channel B and CEAC 2 is located in Channel C for the existing CPCS. One set of the redundant signals for all CEAs is monitored by one CEAC and the other set of signals by the redundant CEAC.15 In the new system, each channel will have a CEAC 1 and CEAC 2 calculator processing RSPT1 and RSPT2 signals, respectively, rather than just two CEAC calculators for all four CPCs.16

The CEAs are arranged into control groups that are controlled as subgroups of CEAs. The subgroups are symmetric about the core center. The subgroups are required to move together as a control group and should always indicate the same CEA group position. Each CEAC monitors the position of all CEAs within each control subgroup. Should a CEA deviate from its subgroup position, the CEACs monitor the event, sound an annunciator, and transmit an appropriate deviation "penalty" factor to each CPC. This will cause trip margins to be reduced. This assures conservative operation of the PPS, as any credible failure of a CEA reed switch assembly will result in an immediate operator alarm and conservative RPS trip margins.17 The CPC in each channel utilizes selected "target" CEA position reed switch signals as a measure of subgroup and group CEA position. The CPCs utilize single CEA deviation penalty factors from the CEACs to modify calculation results in a conservative manner should a deviating CEA be detected by either CEAC. The detailed signal paths of CEA position signals are shown in Figure 2-2, Existing CPC/CEAC Architecture Block Diagram.18

Figure 2-2. Existing CPC/CEAC Architecture Block Diagram19 (diagram not reproduced in this text; it shows Channels A through D with their RSPT1/RSPT2 CEA position inputs, the APC terminal blocks and isolation assemblies, the two CEA Calculators (87 CEAs each), the CEAC1/CEAC2 penalty factor links to the four Core Protection Calculators, the Operators Modules and the MCR CEA Position Display; only 21 CEAs are used in the CPC software, which has 22 subgroups)

The area within the red box in the figure is what will be replaced for the CPCS modification. It should be noted that the CEA Position Display in the main control room (MCR) is a non-safety display isolated from the two CEACs, called the CEA Position Display (CEAPD). This part of the system is not included in the LAR. The plant modification for CEAPD will be performed under 10 CFR 50.59.

The following calculations are performed in the CPC (unless otherwise noted):

a) CEA deviations and corresponding penalty factors:

1) Single CEA deviation in a subgroup calculated by CEA calculators
2) Subgroup deviations in a group calculated by CPCs
3) Groups out of sequence calculated by CPCs

b) Correction of excore flux power for shape annealing and CEA shadowing
c) Normalized reactor coolant flowrate from reactor coolant pump speed
d) Core average power from reactor coolant temperature and flow information
e) Core average power from corrected excore flux power signals
f) Axial power distribution from the corrected excore flux power signals
g) Fuel rod and coolant channel planar radial peaking factors, selection of predetermined coefficients based on CEA positions
h) DNBR
i) Comparison of DNBR with a fixed trip setpoint
j) Local power density compensated for thermal capacity of fuel
k) Comparison of compensated local power density to fixed local power density setpoint
l) CEA deviation alarm (CEA calculator)20

Figure 2-3. Existing CPC/CEAC Channelization Diagram21 (diagram not reproduced in this text; it shows the analog reed switch system feeding Channels A through D, where a 5-10 volt analog signal represents 0-150 in. of CEA withdrawal, the CPCs and the two CEACs with their isolators, the serial digital links, and the CRT video and bar chart displays of all CEAs by group; CPC = Core Protection Calculator, CEAC = CEA Calculator)


Figure 2-2, Existing CPC/CEAC Architecture Block Diagram, shows four Operators Modules (OMs) located on the Main Control Board (MCB). These are safety-related modules. Each OM receives data from each CPCS channel and facilitates changes to addressable constants. In Channels B and C, the OM has a select switch to choose which calculator to receive data from, the CPC or CEAC.22

The CPCS has six (6) datalinks to the Plant Monitoring Computer (PMC), provided by four (4) datalinks for the CPCs (one from each channel) and two (2) datalinks from the CEACs (one from each CEAC). These datalinks are connected to the PMC through the APC Mux chassis. The CPC and CEAC data links are accomplished by interfacing a 16-bit parallel input card in the APC Mux chassis to a 16-bit output card within the CPC and CEAC, respectively. The CPC and CEAC provide optically isolated Digital Outputs (16 bits) that are read by the APC Mux optically isolated digital input card (16 bits). The APC MUX communicates CPC and incore information to the PMC. The APC MUXs send their data to the PMC system over fiber optic serial communication links. This optic link provides electrical isolation between the APC MUX and the PMC system. The APC MUX sends the data when a data request is received from the PMC.23

The APC Mux system receives inputs from the Fixed Incore Detector Amplifier System (FIDAS). The FIDAS converts the incoming Fixed Incore Detector Signals (0-10 µAmps) into 0 to -10VDC signals for input to the APC Mux. WF3 contains 56 detector assemblies, each containing 5 rhodium detectors located at 15%, 30%, 50%, 70% and 90% of core height, plus one background detector. The FIDAS processes the 5 detector signals and 1 background signal per assembly and provides these six (6) 0 to -10VDC signals per assembly to the APC Mux for processing, for a total of 336 0 to -10VDC signals. In total, this results in 56 detector assembly strings sending 280 detector signals and 56 background signals. These signals are split among the 4 APC channels, 14 detector assembly strings per channel, each channel processing 70 detector signals and 14 background signals.

The FIDAS provides two 0 to -10V outputs for each Incore detector signal, which are read by redundant APC Mux 1 and APC Mux 2 assemblies within each APC cabinet. Each APC Mux is identical, with APC Mux 1 and APC Mux 2 communicating to the PMC network where the signals are available to both PMC A and PMC B.24

The CPC/CEAC system, being part of the PPS/RPS, is periodically tested in accordance with the criteria described in IEEE Standard 338-1971. Test intervals and their bases are included in the technical specification documents (see Appendix A).25 The existing CPCS requires analog to digital (A/D) conversion calibration as well as reference voltage calibration. The CPC/CEAC system performs both automatic and periodic testing. The automatic and periodic tests provide a means of checking, with a high degree of confidence, the operational availability of system input sensors and all devices used to derive the final system output signal.26

Existing System - Automatic On-Line Testing27

The automatic on-line testing consists of three separate checks: (1) internal self-checking of the input data, (2) internal self-checking of the calculator and (3) an external watchdog timer that monitors the execution of the cyclic scheduling mechanism. Although failures in the on-line system are expected infrequently, the automatic on-line testing is provided to assure high continuous system reliability beyond that provided in typical analog calculated trips.


The protection algorithms check the reasonability of input sensor data against predetermined maximum and minimum values. The CEAC checks raw CEA position data against high and low values for out of range conditions. These setpoints are part of the CPC database. CEA position signals outside of this range are deemed unreasonable and a sensor failure flag is set. If a sensor is found to be out-of-range, the affected calculator generates the proper annunciation signal.

To provide a check on system software and to detect time frame overruns, an external "watchdog timer" is installed as part of the Data Input/Output (I/O) Subsystem. The watchdog timer lights the CPC or CEAC failure light at the Operators Module (OM) directly.

For all other failures detected during automatic on-line testing, the affected calculator sets its outputs in the fail-safe state, such as "trip" for a CPC. If recovery from the failure is possible, the system maintains its outputs in the safe state and executes Auto-Restart, followed by initialization, followed by normal operation.

Further on-line testing capability is provided by continuous status indication and information read out from each Core Protection Calculator. Continuous displays of the following information are provided to the operator:

a) DNBR margin
b) Local power density margin
c) Calibrated neutron flux power

Manual cross checking of the four channel displays can be made to assure the integrity of the calculator.

The majority of the calculator failures result in anomalous indications from the failed channel that can be readily detected by the operator during cross checking.

Existing System - Periodic Testing28

The CPC is periodically and routinely tested to verify its operability. A complete channel can be individually tested without initiating a reactor trip, and without violating the single failure criterion. The system can be checked from the sensor signal through the bistable contacts for low DNBR and high local power density in the Plant Protection System. Overlap in the checking and testing is provided to assure that the entire channel is functional.

The minimum frequencies for checks, calibration, and testing of the Core Protection Calculator System have been included in the Technical Specification documents (see Appendix A). Periodic testing of the DNBR/LPD Calculator system is divided into two major categories, (1) on-line system tests and (2) off-line performance diagnostic tests. Off-line testing is further subdivided into two categories, performance testing and diagnostic testing. Performance testing is used to check the numerical accuracy of the calculations. Diagnostic testing is used as an aid for troubleshooting whenever the performance tests or the on-line tests (interchannel comparisons) indicate the presence of a failure. Permanent mass storage units are used for storage of the test programs.

Existing System - On-line System Test29

The on-line portion of the periodic testing consists of comparisons of like parameters among the four protective channels. Comparisons are made using the digital displays on the OM and the analog meters on the MCB. Comparisons of like analog and digital inputs give assurance that the analog and digital multiplexers and the A/D converters are functioning properly. These comparisons also give assurance that data are being properly entered into and retrieved from the data base. Comparisons of intermediate and final calculated parameters verify the performance of the protection algorithms and the analog display meters on the control board. Calibration of the A/D converters is checked by displaying the reference voltage supplies which are connected to each CPC.

Existing System - Off-line Performance Test30

Before off-line testing is initiated, the channel to be tested is bypassed at the plant protection system (PPS) and the trip logic is changed to two-out-of-three for the DNBR and LPD trips. Interlocks are incorporated in the PPS to prevent bypassing more than one channel at a time. To initiate off-line testing a key is required and only one key is provided. This ensures that only one channel can be placed in the test mode at a time.

The performance test uses the CPC data base to verify numerical accuracy of the calculations. The data base is divided into three areas, namely, raw input data, filtered input data and calculated values. The raw data area contains the last samples of raw analog and digital data. The filtered data area contains averaged input data, filtered input data, past samples of input data needed for dynamic compensation, and dynamically compensated data. The calculated values area contains intermediate and final calculated values and calibration constants which are updated periodically.

During performance testing, the permanent mass storage unit is used to load test inputs directly into the data base. For each set of test inputs, the expected calculated results are also loaded and compared with the values calculated by the protection algorithms. If agreement is achieved, the test program prints the expected results and the actual results on the Teletype and proceeds to the next set of test data. If agreement is not achieved, the test program halts at that point unless restarted by the operator. Dynamic effects in the calculations are tested by loading the filtered data area of the data base with test values representing past values of time varying inputs.

From the standpoint of the CPC software structure, the performance tests are virtually identical to the on-line functions. Only two differences exist from the normal functions of the calculators. First, the calculator outputs are in a fail-safe condition for the duration of the tests, and second, the algorithms use data derived from the permanent mass storage unit instead of the Data I/O subsystem. The algorithms themselves, however, do not recognize the data source or that they are executing in the test mode.

As a final check, the individual instructions in protected memory are compared with an image of the instructions stored on the permanent mass storage unit to ensure the integrity and demonstrate the "reliability" of the protection algorithms during the life span of the DNBR/LPD Calculator System.

Off-Line Diagnostic Tests31

After a given failure is detected by a performance test, on-line test, or on-line diagnostic, hardware diagnostic programs are provided to aid in locating (to the module level) and correcting malfunctions.

The CPCs and CEACs are digital computers. This modification is a digital-to-digital replacement of the existing CPC system.


3 SYSTEM ARCHITECTURE (D.2)

3.1 EXISTING ARCHITECTURE (D.2.1)

As described in Section 2, Plant System Description (D.1), the four independent CPCs, one in each protection channel, calculate departure from nucleate boiling ratio (DNBR) and local power density (LPD). These calculations are performed in each CPC, utilizing the input signals described in Section 2.

The DNBR and LPD calculation results are compared to trip set-points for initiation of a low DNBR trip and the high local power density trip. These trip outputs become digital trip inputs to the Reactor Protection System (RPS). Among the other RPS trip functions, there are these two reactor trip functions: Low DNBR and High LPD.

The CPC/CEAC are 1970s vintage minicomputers. The CPC/CEAC system performs both automatic and periodic testing. The automatic and periodic tests provide a means of checking, with a high degree of confidence, the operational availability of system input sensors and all devices used to derive the final system output signal. The service/test functions of the existing CPCS are discussed in Section 2.

The four CPCs are separated into protection channels as depicted in Figure 3.1-1.

Figure 3.1-1. Existing CPC/CEAC Architecture Block Diagram32 (diagram not reproduced in this text; it repeats the architecture block diagram of Figure 2-2, showing Channels A through D with their RSPT1/RSPT2 CEA position inputs, the APC terminal blocks and isolation assemblies, the two CEA Calculators (87 CEAs each), the CEAC1/CEAC2 penalty factor links to the four Core Protection Calculators, the Operators Modules and the MCR CEA Position Display; only 21 CEAs are used in the CPC software, which has 22 subgroups)

Prior to cycle 12 Waterford 3 had a total of 91 CEAs. Of this number, 83 were full length CEAs and 8 were partial length CEAs. The 83 full length CEAs consisted of 79 full length five element or 5-finger CEAs, and 4 full length four element or 4-finger CEAs. The existing CPC system software lists a total of 91 CEAs, and the original CPCS had 23 RSPT signals in each channel assigned to the CPC. The Channel B and C CEAC calculators processed 68 RSPT signals in their respective channels and received 23 CEAs from channels A and D for a total RSPT complement of 91 CEA Positions. There were two modifications at WF3 that impacted this configuration. First, CEAs 2 and 3 were part of subgroup 23 in the CPC, which had only those two rods. Subgroup 23 in the CPC software was eliminated. However, these signals remain terminated in their respective channels and are sent to the CEAC for use in that calculator only.

The second modification was to replace eight part-length CEAs with full length CEAs and remove four full length four element or 4-finger CEAs (see Reference 23) which were assigned to subgroup 22, Shutdown group A. This resulted in reducing the number of CEAs to 87 from 91. During the refueling outage following cycle 11 (RF11), the following CEA changes were made under the direction of Engineering Request ER-W3-1999-0411-000.

The eight part-length CEAs (CEA numbers 28, 29, 30, 31, 32, 33, 34 and 35) were replaced with full-length five element (i.e., 5-finger) CEAs, and the four full-length four element, i.e., 4-finger CEAs (CEA numbers 88, 89, 90, and 91) were removed. The CEDM coil packs and pressure housings were not removed with the removal of the four CEAs. By not removing the coil packs the CEDM cooling air flow and cooling would not be impacted by the change. The control wiring to the coil packs was de-terminated.

The RSPT wiring for CEA numbers 88, 89, 90, and 91 was de-terminated, and the RSPT inputs into the CPC/CEACs for these CEAs, which were in subgroup 22, were wired to the subgroup 21 RSPT inputs into the CPC/CEACs to simulate movement and eliminate the need for CPC software changes.

As a result of implementing the modification in this manner, the CPC and CEAC Software was not changed and still reflects 22 subgroups and 91 CEAs. The CPCS replacement will have 21 subgroups and a total of 87 CEAs to reflect the current CEA configuration.

The software changes that were made as documented in this engineering request were for the non-safety CEAPD System (CEAPDS) and the PMC. Per procedure EN-IT-104, the software change requests for these changes were SCR-WF3-2001-42 and SCR-WF3-2001-46. As stated above no CPCS software change was required.

Westinghouse letter (LTR-ME-01-1) covered the thermal hydraulic and mechanical assessment of the removal of CEA numbers 88, 89, 90, and 91. The FSAR changes for the CEA modifications were incorporated with the Cycle 12 reload FSAR changes as documented in engineering request ER-W3-2002-0166-000.

The CPCS receives CEA position signals from the CEA RSPT signals. Each CEA has 2 RSPTs designated as RSPT1 and RSPT2. The RSPT signals for the removed CEA numbers 88, 89, 90 and 91 (Subgroup 22) are provided by RSPT signals from CEAs 81, 83, 85, 87 (Subgroup 21).

The current configuration of the CPCS has a total of 22 RSPT1 input signals terminated in the Channel A Auxiliary Protective Cabinet (APC). There are 21 RSPT1 inputs to be processed by the Channel A CPC and all 22 RSPT1 input signals are sent to CEAC 1 in Channel B. There is a qualified isolator between Channel A and Channel B to maintain separation between the two channels.


The current configuration of the CPCS has a total of 65 RSPT1 signals terminated in the Channel B APC. Twenty one (21) of these signals are processed by the Channel B CPC. All 65 RSPT1 inputs plus the 22 received from Channel A are processed by the Channel B CEAC No. 1. As a result, CEAC No. 1 reads 87 CEA positions.

The current configuration of the CPCS has a total of 65 RSPT2 signals terminated in the Channel C APC. Twenty one (21) of these signals are processed by the Channel C CPC. All 65 RSPT2 inputs plus the 22 RSPT2 signals received from Channel D are processed by the Channel C CEAC No. 2. As a result, CEAC No. 2 reads 87 CEA positions.

The current configuration of the CPCS has a total of 22 RSPT2 input signals terminated in the Channel D APC. There are 21 RSPT2 inputs to be processed by the Channel D CPC and all 22 RSPT2 input signals are sent to CEAC 2 in Channel C. There is a qualified isolator between Channel D and Channel C to maintain separation between the two channels.

The CPCs use their channelized set of CEA positions and channelized process inputs to calculate Low DNBR and High LPD. Each CPC uses 21 channelized RSPT signals for the DNBR and LPD calculations. These 21 CEAs are referred to as target rods.33 The lines in Figure 3.1-1 between the CEACs and the CPCs (identified with CEAC 1(2) PF) represent point-to-point serial links from each CEAC to each CPC that provide the CEAC penalty factor to each of the four CPCs. These data links are electrically isolated as they cross protective channel boundaries.34 The CEACs read redundant CEA positions and execute a redundant penalty factor calculation. A CPC reads the two penalty factors from the two CEACs and applies the most conservative penalty factor to the calculations for Low DNBR and High LPD.35

As shown in Figure 2-1, each CPC receives the following inputs: core inlet and outlet temperature, pressurizer pressure, reactor coolant pump speed, excore nuclear instrumentation flux power (each subchannel from the safety channel), selected CEA positions, and CEA deviation penalty factors from the CEA calculators.36 Outputs of each CPC are:

a) DNBR trip and pre-trip to the PPS/RPS
b) DNBR margin to a safety-related recorder/indicator on the control board
c) Local power density trip and pre-trip to the PPS/RPS
d) Local power density margin to a safety-related recorder/indicator on the control board
e) Calibrated neutron flux power to a safety-related recorder/indicator on the control board
f) CEA withdrawal prohibit on DNBR or local power density pre-trip or CEA misoperation to the PPS and to CEA Rod Control from the PPS via a qualified isolator. The PPS interface to the CEA Rod Control is not part of the replacement CPCS scope.37
g) Control room alarms (e.g., CEAC FAIL)
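The CEAC deviation check and the CPC's selection of the most conservative of the two CEAC penalty factors, modelled as an added Python illustration (not the Westinghouse CEAC/CPC algorithm). Assumed rather than taken from the report: the deviation threshold and penalty table, using the mean of the other CEAs in the subgroup as the reference position, that a larger penalty factor is the more conservative one, and that a faulted CEAC's factor is ignored while the other is healthy; the 5-10 V for 0-150 in. RSPT scaling is the one given on Figure 2-3.

```python
"""CEAC deviation check and CPC penalty factor selection, illustrative model.

Added example, not the Westinghouse CEAC or CPC algorithm. From the report:
raw CEA positions are range-checked against database limits and out-of-range
sensors are flagged and annunciated; each CEA is compared with the other CEAs
in its subgroup; a deviation sets an annunciator and sends a penalty factor that
reduces trip margin; the CPC applies the more conservative of the two CEACs'
factors. Constructed assumptions: the penalty table, the subgroup mean as the
reference position, "larger factor = more conservative", ignoring a faulted CEAC.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# RSPT scaling quoted on the channelization diagram: 5-10 V spans 0-150 in.
V_LOW, V_HIGH, INCHES_FULL = 5.0, 10.0, 150.0
# Constructed "database" reasonability limits around the valid RSPT band.
V_MIN_VALID, V_MAX_VALID = 4.8, 10.2
DEVIATION_ALARM_IN = 9.0  # constructed deviation threshold, inches


def rspt_to_inches(volts: float) -> float:
    """Convert a raw RSPT voltage to inches of CEA withdrawal."""
    return (volts - V_LOW) / (V_HIGH - V_LOW) * INCHES_FULL


@dataclass
class CeacResult:
    penalty_factor: float                     # 1.0 means no margin penalty
    failed_sensors: List[int] = field(default_factory=list)
    deviating_ceas: List[int] = field(default_factory=list)
    annunciate: bool = False
    ceac_failed: bool = False                 # set by on-line self-test, not modelled here


def penalty_for_deviation(deviation_in: float) -> float:
    """Constructed monotone mapping from the worst deviation to a penalty factor."""
    if deviation_in < DEVIATION_ALARM_IN:
        return 1.0
    return 1.0 + 0.01 * deviation_in


def ceac_evaluate(rspt_volts: Dict[int, float],
                  subgroups: Dict[int, Sequence[int]]) -> CeacResult:
    """One CEAC scan: range-check every RSPT, then check deviations per subgroup."""
    failed = sorted(c for c, v in rspt_volts.items()
                    if not V_MIN_VALID <= v <= V_MAX_VALID)
    positions = {c: rspt_to_inches(v) for c, v in rspt_volts.items()
                 if c not in failed}
    deviating: List[int] = []
    worst = 0.0
    for ceas in subgroups.values():
        good = [c for c in ceas if c in positions]
        if len(good) < 2:
            continue  # nothing left in this subgroup to compare against
        for c in good:
            others = [positions[o] for o in good if o != c]
            reference = sum(others) / len(others)  # assumed reference: mean of the others
            deviation = abs(positions[c] - reference)
            if deviation >= DEVIATION_ALARM_IN:
                deviating.append(c)
                worst = max(worst, deviation)
    return CeacResult(penalty_factor=penalty_for_deviation(worst),
                      failed_sensors=failed, deviating_ceas=sorted(deviating),
                      annunciate=bool(failed or deviating))


def cpc_select_penalty(ceac1: CeacResult, ceac2: CeacResult) -> float:
    """Apply the most conservative (assumed: largest) factor from a healthy CEAC."""
    healthy = [r for r in (ceac1, ceac2) if not r.ceac_failed]
    if not healthy:
        # Both CEACs faulted: the caller must apply its fail-safe treatment (assumption).
        raise RuntimeError("no healthy CEAC penalty factor available")
    return max(r.penalty_factor for r in healthy)


if __name__ == "__main__":
    # Constructed sample: one subgroup of four CEAs, all at 75 in. except CEA 12
    # (60 in., a 15 in. deviation) and CEA 13, whose RSPT1 reads an impossible 3.0 V.
    subgroups = {1: [10, 11, 12, 13]}
    rspt1 = {10: 7.5, 11: 7.5, 12: 7.0, 13: 3.0}
    rspt2 = {10: 7.5, 11: 7.5, 12: 7.5, 13: 7.5}
    r1, r2 = ceac_evaluate(rspt1, subgroups), ceac_evaluate(rspt2, subgroups)
    print(r1)                          # penalty 1.15, failed [13], deviating [12]
    print(cpc_select_penalty(r1, r2))  # 1.15
```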

As described in Section 2, each CPC drives an OM located on the control board. It is a safety-related module. From the four modules an operator can monitor all calculators, including specific inputs or calculated functions, and change addressable constants. The OMs for channels B and C are able to access the CEA calculators in those channels.


During periodic testing a mass storage unit is connected to the CPC channel to perform channel functional testing. This is a temporary connection, and the CPC channel trip outputs are bypassed at the PPS during channel functional testing. Section 2 provides further description of the offline testing for the CPC.38

All four channels of the CPC/CEAC system are installed in the Auxiliary Protective Cabinet (APC) in the control room area, where the channels are physically separated and isolated from each other. Each Channel in the APC Cabinet has two redundant APC Multiplexers (APC MUX). See Section 2 for the description of the APC MUX. This non-safety system will be replaced as part of the CPCS modification project, as described in Section 3.2.4, but under 10 CFR 50.59. It is described in the LAR to inform the NRC of the existence of this non-safety related system in the safety APC. The APC MUX in the APC is seismic Category I.39


3.2 NEW SYSTEM ARCHITECTURE (D.2.2)

The major architectural change between the existing architecture and the new Common Q architecture is in the area of CEA processing. In the existing system, there are two CEACs total (CEAC 1 and CEAC 2) with CEAC 1 located in Channel B and CEAC 2 located in Channel C that receive the CEA RSPT signals from Channels A, B, C, and D. The CEACs located in Channel B and C distribute the penalty factors and other calculated results to the CPCs in Channels A, B, C and D. For the replacement CPCS, there are still four independent CPCs, but each CPC channel includes its own CEAC 1 and CEAC 2. The CEA RSPTs terminated in each channel will be connected to a CEA Position Processor (CPP) located in that channel, and these CPPs will distribute CEA position inputs to the corresponding CEAC 1 and CEAC 2 located in each channel. As in the existing system, the RSPT1 signals will provide CEA positions to CEAC 1, and the RSPT2 signals will provide CEA positions to CEAC 2. The existing architecture has only two CEACs shared by four CPC processors. Increasing the number of CEACs to eight (two in each channel) increases the availability of the CEAC processing.

Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram is a block diagram of the CPCs. In the existing CPCS, the four CPC channels (A through D) are mounted in the APC. The APC (CP-22) is constructed so that each channel is located in a separate cabinet section or bay that is physically separate from the other bays or sections, which meets the requirements for channel separation.40 The new Common Q CPCS hardware is mounted within the APC with one channel in each bay, just like the existing system. For each channel, the architecture of the new system includes the following:41

  • CPC AC160 controller chassis (CPC Primary PM646A, CPC Auxiliary PM646A and associated I/O)
  • CEAC 1 AC160 controller chassis (CEAC 1 PM646A, CEA Position Processor (CPP) 1 PM646A, and associated I/O)
  • CEAC 2 AC160 controller chassis (CEAC 2 PM646A, CPP 2 PM646A and associated I/O)
  • Redundant AF100 intrachannel buses connecting the three AC160 controllers (via a CI631 communication module), the OM, and the Maintenance and Test Panel (MTP). The AF100 bus is extended from the APC to the OM via fiber optic cable.
  • One-way High Speed Links (HSLs) for each of the following:

    o CEA Position from redundant CPPs mounted in the CEAC controller chassis to the CEAC PM646A in all four channels
    o CEAC PM646As to CPC PM646A in each channel
    o CPC Primary PM646A to CPC Auxiliary PM646A in the same controller chassis

  • Interposing Relay Panel (IRP) which houses the channel interposing relays for each channel digital output (DO) as well as the CPC watchdog timer (WDT) interposing relay and the MTP Test Enable relay.
  • An MTP that houses a flat panel display (FPD) and provides isolation between the AF100 bus input and an optically isolated unidirectional Ethernet output connection from the MTP to a non-safety remotely mounted single board computer (SBC) for the UDP to TCP/IP Converter Assembly.
  • An OM that consists of the Common Q FPDS, key switches, and AF100 bus optical modem.
  • Power Supply Assembly, housing redundant RSPT Power Supplies (15 Vdc), relay power supplies (24 Vdc), and processor power supplies (24 Vdc)



The OM is mounted on the main control board outside the APC (also depicted in Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram). The OM forms the primary graphical user interface (GUI) for the operator during normal system operation. The OM has its own power supply and is provided with vital 120 Vac from the same bus as its associated CPC channel. The OM supports an optically isolated unidirectional Ethernet connection to support the OM Printscreen and Cyber Log functions to a non-safety remotely mounted single board computer (SBC) for the UDP to TCP/IP Converter Assembly.42


a,c

Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram43


The CEA Display in the upper right corner of Figure 3.2-1 and the APC MUX at the bottom of the figure are non-safety related systems and are not part of the License Amendment Request. That part of the plant modification will be made under the 10 CFR 50.59 process as part of the Engineering Change (EC).

3.2.1 CPC AC160 Controller

This controller includes the CPC PM646A primary processor module, used to implement the safety-related CPC algorithms. It also includes an auxiliary CPC PM646A processor used for non-trip related overhead functions, and a variety of I/O modules used to:

  • process all required analog inputs with the exception of target CEA positions,
  • generate analog outputs to MCB meters,
  • generate digital trip signal outputs to the RPS/PPS
  • generate digital alarm outputs via the IRP for plant annunciators (including new auxiliary trip pre-trip alarms)
  • process all required digital input signals44

The CPC PM646A processor module executes the safety-related algorithms, which are functionally identical to those implemented in the existing CPC/CEAC system, as specified in Appendix A of Reference 2 as augmented by Reference 21. Functionally identical means that the algorithms in the upgraded CPCS will accomplish the same function within the same requirements for system time and accuracy45. Changes to the CPC/CEAC application programs required by the new platform are restricted to enhancements, such as improved HMI46 and error handling routines47, and changes to adapt the application programs to the new platform without degrading the ability of the CPCs to perform their safety-related function48. These same changes were made as part of the Palo Verde CPCS replacement and were reviewed and approved by the NRC.49

The CPC AC160 Controller consists of the following AC160 modules:
  • One CI631 communications module

[ ]a,c

  • One PM646A Primary CPC processor module (PM646A)

[ ]a,c



[ ]a,c

  • One PM646A Aux CPC processor module

The Aux CPC PM646A is located in the AC160 controller slot adjacent to the CPC Primary PM646A. It performs non-essential CPC functions such as storing trip buffer reports and failed sensor stacks, thus unburdening the primary CPC processor, which can more efficiently perform its safety-related trip functions. The primary CPC processor transmits information to the auxiliary CPC processor over a one-way HSL.52
  • Two AI688 analog input (AI) modules

Two analog input (AI) cards redundantly provide the analog inputs used by the CPC PM646A, with the exception of Target CEA positions, which are received over HSL from the CEAC AC160 controllers in the channel. Each of the redundant analog input modules is capable of monitoring up to 16 inputs over the range of 0 to 10 Vdc. CPC analog inputs to each card include:

    o Hot Leg 1 Temperature (1 to 5 Vdc) - one input
    o Hot Leg 2 Temperature (1 to 5 Vdc) - one input
    o Cold Leg 1 Temperature (1 to 5 Vdc) - one input
    o Cold Leg 2 Temperature (1 to 5 Vdc) - one input
    o RCS Pressurizer Pressure (1 to 5 Vdc) - one input
    o Upper Subchannel Ex-core NI input (0 to 10 Vdc) - one input
    o Middle Subchannel Ex-core NI input (0 to 10 Vdc) - one input
    o Lower Subchannel Ex-core NI input (0 to 10 Vdc) - one input
    o APC Temperature - one input per AI module, not redundant. There are two separate temperature sensors monitoring APC temperature. Each of the AI cards in the CPC AC160 controller reads a separate sensor (i.e., the temperature inputs are not redundant from the same sensor).53

The above list of analog inputs thus encompasses all CPC channel analog inputs with the exception of CEA positions, which will be monitored by the CEA Position Processors (CPPs) in the CEAC 1 and 2 AC160 controllers.54

The Palo Verde CPCS used the Common Q AI685 Analog Input Card. This analog input card has been replaced with the Common Q AI688 Analog Input Card. It processes the same 0-10 Vdc signal and has been reviewed by the NRC as part of the 2013 update of the Common Q Topical Report (Reference 4).

  • One DP620 pulse to frequency converter module

[ ]a,c



[ ]a,c

The RCP signal conditioning system is not being changed as part of the EC.

  • One AO650 analog output (AO) module

The AO module provides the 0 to 10 Vdc analog outputs for the following:

    o DNBR Margin Indication on the Main Control Board (DNBR MARGIN), scaled for 0 to 2 DNBR units
    o KW/ft Margin Indication on the Main Control Board (LPD MARGIN), scaled for 0 to 25 kW/ft
    o Calibrated Nuclear Power Indicator/Recorder on the MCB (PHICAL), scaled for 0 to 200% Rated Thermal Power
    o Core Total Flow - no indicator, used for startup testing (MASS FLOW), scaled for 0 to 2.0 fraction of rated flow

Note that the existing WF3 CPCS provides a 0-10 V signal corresponding to 0-10 DNBR units. The DNBR trip setpoint is set to between 1.2 and 1.3 DNBR units, so the meter only uses 0 to 1.3 Vdc of the entire 10 V range. Thus, changing to the above range provides much higher resolution on the meter for this indication.56

A total of eight analog outputs are provided for use. One set of four outputs is sent to MCB indicators, as defined above. The second identical set is available for use if desired (for example, a hard-wired analog input to the Plant Monitoring System). All of these values are provided to the Plant Monitoring Computer over the CPCS to PMC data link.57

  • One DI620 digital input (DI) module

    o DNBR and LPD trip channel bypass status from the PPS to enable CPC testing.

As in the existing design, trip channel bypass of the DNBR-Low and LPD-High trips in the PPS channel is a necessary precondition for performing channel CPC or CEAC testing. This DI provides trip channel bypass status to the CPC channel from the PPS to enable channel functional tests.

    o Bypass permissive status (1E-4% power from the Ex-core Nuclear Instrumentation) used to enable DNBR/LPD operating bypass.

Bypass Permissive status from the PPS will be read as a CPC digital input. If the permissive is present and the bypass has been inserted on the OM or MTP touch screen, a CPC Digital Output will be used to energize a hardware bypass relay. The hardware bypass relay contacts will short the Low DNBR and High LPD trip and pre-trip contacts when in bypass, effectively bypassing the trip and pre-trip functions, as in the present design. Contacts from this hardware Bypass Relay shall also be used to provide bypass annunciation.

A second means of enabling this bypass relay will be implemented purely in hardware, using a locally (APC) mounted Bypass key lock switch in series with the 1E-4 % power permissive contact signal to energize the Bypass relay. Thus, as in the present design, it shall be possible to bypass a channel if power level is below the permissive setpoint even if that channel is Inoperable due to processor failure. If power rises above the permissive setpoint, the bypass will automatically be removed, as in the present CPC implementation.

    o Op. Bypass Inserted Status

[ ]a,c

    o Software Load Enable (SLE) Switch Status

This input reads the SLE switch. Placing this switch in the SLE position will result in Low DNBR and High LPD channel auxiliary trips.

    o Power Supply Trouble

Each power supply module within the power supply assembly contains features such as overvoltage, overcurrent, undervoltage, and short circuit protection. A contact output is monitored by the AC160 that indicates a problem with the power supply. In addition, there is a power supply cooling fan assembly which will provide a contact opening on power supply fan failure. The power supply alarm inputs to the DI module are as follows:

      PS Fan Failure
      Power Supply Failure (1 per module)58

  • One DO625 digital output (DO) module

One DO module is used to provide trip and annunciator output contacts for the following:

    o Low DNBR Trip
    o Low DNBR Pre-trip
    o High LPD Trip
    o High LPD Pre-trip
    o Auxiliary Pre-trip Alarm
    o CEA Withdrawal Prohibit (CWP)
    o CPC Trouble
    o CPC Fail
    o Aux CPC Trouble
    o CPC Test
    o CPC Sensor Fail
    o CEAC 1 Inoperable
    o CEAC 2 Inoperable
    o High Cabinet Temperature
    o Operating Bypass

The final DO in the above list will be used to energize the DNBR/LPD Operating Trip Bypass relay when power is below the permissive setpoint.

The digital outputs operate interposing relays mounted on an Interposing Relay Panel (IRP), which provide electrical isolation between the DO modules and the output signals.
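Added example, not from the report: a Python model of the two paths that energize the DNBR/LPD operating bypass relay described for the DI and DO modules above (the CPC digital output driven from the PPS permissive plus the OM/MTP bypass request, or the APC key lock switch in series with the permissive contact), including the processor-failed and power-above-permissive cases. Signal names, the fail-safe convention for a failed processor, and the scenario values are assumptions.

```python
"""Model of the DNBR/LPD operating bypass relay logic described for the
replacement CPC channel (added example; not Westinghouse code, names and
signal conventions are illustrative).

Two independent paths can energize the hardware bypass relay:
  1. Software path: the CPC reads the PPS bypass permissive DI (power below
     1E-4 %) and, if the operator has inserted the bypass on the OM/MTP
     touch screen, drives the "Operating Bypass" DO.
  2. Hardware path: an APC-mounted Bypass key lock switch wired in series
     with the permissive contact, usable even if the CPC processor has failed.

The energized relay shorts the Low DNBR / High LPD trip and pre-trip
contacts and drives the bypass annunciator.  Loss of the permissive (power
rising above the setpoint) drops the relay on both paths.
"""
from dataclasses import dataclass

PERMISSIVE_SETPOINT_PCT = 1e-4  # % rated thermal power, value from the report


@dataclass(frozen=True)
class ChannelInputs:
    power_pct: float            # Ex-core NI power, % rated thermal power
    bypass_inserted_hmi: bool   # Op. Bypass inserted on the OM/MTP touch screen
    key_switch_bypass: bool     # local APC Bypass key lock switch in BYPASS
    cpc_processor_ok: bool      # False models an inoperable CPC processor
    dnbr_trip: bool             # Low DNBR trip demand from the CPC (or fail-safe)
    lpd_trip: bool              # High LPD trip demand from the CPC (or fail-safe)


@dataclass(frozen=True)
class ChannelOutputs:
    permissive: bool
    software_do_energized: bool    # "Operating Bypass" DO on the DO module
    hardware_path_energized: bool  # key switch in series with permissive contact
    relay_energized: bool
    dnbr_trip_to_pps: bool         # what the PPS sees after the relay contacts
    lpd_trip_to_pps: bool
    bypass_annunciator: bool


def pps_permissive(power_pct: float) -> bool:
    """PPS bypass permissive contact: present only while power is below the setpoint."""
    return power_pct < PERMISSIVE_SETPOINT_PCT


def software_bypass_do(inputs: ChannelInputs) -> bool:
    """CPC digital output.  An inoperable processor cannot drive its DO, so this
    path is only available with a healthy CPC (assumed de-energized on failure)."""
    if not inputs.cpc_processor_ok:
        return False
    return pps_permissive(inputs.power_pct) and inputs.bypass_inserted_hmi


def hardware_bypass_path(inputs: ChannelInputs) -> bool:
    """Key lock switch contact in series with the permissive contact: no
    software involved, so it works with an inoperable processor too."""
    return inputs.key_switch_bypass and pps_permissive(inputs.power_pct)


def evaluate_channel(inputs: ChannelInputs) -> ChannelOutputs:
    """Resolve the relay state and the trip signals seen by the PPS."""
    sw = software_bypass_do(inputs)
    hw = hardware_bypass_path(inputs)
    relay = sw or hw
    # Energized relay contacts short the trip/pre-trip contacts, so the PPS
    # sees no DNBR/LPD trip from this channel while the bypass is in effect.
    return ChannelOutputs(
        permissive=pps_permissive(inputs.power_pct),
        software_do_energized=sw,
        hardware_path_energized=hw,
        relay_energized=relay,
        dnbr_trip_to_pps=inputs.dnbr_trip and not relay,
        lpd_trip_to_pps=inputs.lpd_trip and not relay,
        bypass_annunciator=relay,
    )


if __name__ == "__main__":
    # Constructed scenario: shutdown power, CPC processor failed (fail-safe
    # trips asserted), operator bypasses the channel with the key switch.
    out = evaluate_channel(ChannelInputs(
        power_pct=0.0, bypass_inserted_hmi=False, key_switch_bypass=True,
        cpc_processor_ok=False, dnbr_trip=True, lpd_trip=True))
    print(out)
```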

[ ]a,c

3.2.1.1 CPC Application Program

The CPC Primary PM646A executes the CPC application program. [ ]a,c

[ ]a,c

Table 3.2.1.1-1 CPC Program Execution Intervals and Input Sampling Rates shows the inputs and execution interval for each CPC application program.



Table 3.2.1.1-1 CPC Program Execution Intervals and Input Sampling Rates61

a,c

3.2.1.2 Aux CPC Processor Application Program

There is a second PM646A in the CPC controller chassis. A high speed link (HSL) is connected between the CPC PM646A and the Aux CPC PM646A. The Aux CPC receives data from the CPC PM646A to formulate the trip buffer and failed sensor stack reports.62 The Aux CPC does not perform any safety-related processing. There are two main functions of the Aux CPC application program: 1) format the trip buffer report and 2) format the failed sensor stack. These functions are a carryover from the legacy CPCS functionality, and their implementation is identical to the Palo Verde CPCS replacement.63

  • This change from the original CPCS design has been reviewed and approved by the NRC for the Palo Verde CPCS replacement LAR.



The trip buffer is a snapshot of a specified number of variables that is frozen when a CPC trip occurs.

The CPC processor feeds the Aux CPC with the values for the specified variables, and the Aux CPC processor formulates the data into a report for display on the OM and MTP.64 The CPC PM646A provides the Aux CPC with the list of failed sensors for the failed sensor stack, and the Aux CPC formulates a report for display on the OM and MTP.65

3.2.2 CEAC AC160 Controller

There are two CEAC AC160 Controllers, referred to as CEAC 1 and CEAC 2. These AC160 controllers include the CEAC PM646A processor as well as a CEA Position Processor (CPP) and supporting I/O modules. The CEAC processor calculates CEA deviation-related penalty factors based on CEA position input from all RSPT signals (RSPT1 for CEAC 1 and RSPT2 for CEAC 2) on all CEAs and transmits these penalty factors to the CPC processor within the channel.66

[ ]a,c

The CEAC 1 and 2 AC160 controller configurations are similar. Their differences are discussed in the description below. This implementation is nearly identical to the implementation of the Palo Verde CPCS. The one difference is the AI688 analog input module; the Palo Verde CPCS uses the AI685 analog input module. The AI688 analog input module was reviewed and approved by the NRC as part of the 2013 Common Q Topical Report update (see Reference 4).

The CEAC AC160 controller includes the following AC160 modules:

  • One CI631 communications module


[ ]a,c

  • One PM646A CEAC processor module

The CEAC processor module executes the CEAC algorithm. [ ]a,c

The CEAC 1 PM646A executes the same safety-related application as the legacy (existing) CEA Calculator No. 1 in Figure 2-2 Existing CPC/CEAC Architecture Block Diagram. The CEAC 2 PM646A executes the same safety-related application as the legacy (existing) CEA Calculator No. 2 in Figure 2-2 Existing CPC/CEAC Architecture Block Diagram. This algorithm generates DNBR and LPD penalty factors in the event of detection of CEA deviations in a CEA subgroup.

These penalty factors are transmitted over HSL to the CPC processor in the same channel. As in the legacy (existing) implementation, the CPC application selects the higher penalty factor from CEAC 1 or CEAC 2. The CEAC algorithms are defined in Appendix A of Reference 2.

The Common Q CEAC implementation also results in the need for the following additional software in the CEAC and CPC, beyond that in the legacy (existing) implementation:

    o Target CEA Position transmission: The CPC channel no longer directly reads Target CEA positions using its own analog input modules. Target CEA positions are transmitted to the CPC from the CEAC over the same HSL as the DNBR and LPD penalty factor transmission. [ ]a,c

    o CEA Position sensor fail status is also transmitted to the CPC channel from the CEAC PM646A. This status is received by the CEAC from the CPP along with the CEA position and then passed on to the CPC PM646A via the HSL interface. CEA position sensor status is used in the CPC to establish validity of the target CEA position input. In the event that the CEA position input to the CPC via the CEAC 1 data link should fail, the input via the CEAC 2 data link will be utilized by the CPC.

Transmission of Target CEA position via the CEAC HSL is regarded as a separate and distinct function from that of transmitting penalty factors. CEAC 1 in all four CPC channels always generates penalty factors based upon RSPT1 CEA position. CEAC 2 in all four channels always generates penalty factors based upon RSPT2 CEA position.

However, transmission of Target CEA position to the CPC processor within a channel will be from the same RSPT source, whether the CEAC 1 or CEAC 2 data link is employed.

In channels A and B, RSPT1 will provide Target CEA position signals. In channels C and D, RSPT2 will provide Target CEA position information. Thus, it is necessary for both CEACs in each channel to obtain target CEA position from their respective CPPs that are reading analog input modules. In the case of CEAC 1 this will be CPP 1, and for CEAC 2 this will be CPP 2.71
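Added illustrative Python, not Westinghouse code, modelling the two functions the report describes on the CEAC-to-CPC HSL: the CPC applies the higher penalty factor from CEAC 1 or CEAC 2, and takes target CEA position from the CEAC 1 link, falling back to the CEAC 2 link when the sensor-fail status marks the CEAC 1 position data invalid, with the channel-dependent RSPT source (A/B from RSPT1, C/D from RSPT2). The message layout, field names, units and the penalty factor convention are assumptions.

```python
"""Model of how a replacement CPC channel consumes its two CEAC data links,
as described in Section 3.2.2 (added example; not Westinghouse code, the
message layout, field names and penalty factor convention are assumptions).

Two functions share the one-way HSL from each CEAC to the CPC in the channel:
  * DNBR/LPD penalty factors: CEAC 1 always derives them from RSPT1 positions
    and CEAC 2 from RSPT2; the CPC applies the higher of the two.
  * Target CEA positions with sensor fail status: the RSPT source depends on
    the channel (A/B use RSPT1, C/D use RSPT2) and is the same whichever link
    carries it, so the CPC uses the CEAC 1 link and falls back to the CEAC 2
    link when the CEAC 1 position data is flagged failed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Which RSPT feeds target CEA position in each channel (from the report).
TARGET_RSPT_SOURCE = {"A": "RSPT1", "B": "RSPT1", "C": "RSPT2", "D": "RSPT2"}
# Which RSPT each CEAC always uses for penalty factor calculation (from the report).
PENALTY_RSPT_SOURCE = {1: "RSPT1", 2: "RSPT2"}


@dataclass(frozen=True)
class CeacLinkMessage:
    """One HSL message from a CEAC to the CPC in the same channel (assumed layout)."""
    ceac_id: int                   # 1 or 2
    dnbr_penalty: float            # assumed convention: 1.0 means no penalty
    lpd_penalty: float
    target_positions: List[float]  # assumed units: inches withdrawn
    position_sensor_fail: bool     # CEA position sensor fail status from the CPP


@dataclass
class CpcResult:
    dnbr_penalty: float
    lpd_penalty: float
    target_positions: Optional[List[float]]
    target_source_link: Optional[int]   # 1, 2, or None when both links failed
    alarms: List[str] = field(default_factory=list)


def target_rspt_for_channel(channel: str) -> str:
    """RSPT that supplies target CEA position in this channel, on either link."""
    return TARGET_RSPT_SOURCE[channel]


def select_penalty_factors(msg1: CeacLinkMessage, msg2: CeacLinkMessage) -> Tuple[float, float]:
    """The CPC applies the higher (more conservative) factor from either CEAC,
    separately for DNBR and LPD, regardless of the target position link in use."""
    return (max(msg1.dnbr_penalty, msg2.dnbr_penalty),
            max(msg1.lpd_penalty, msg2.lpd_penalty))


def select_target_positions(msg1: CeacLinkMessage, msg2: CeacLinkMessage):
    """Target CEA position with CEAC 1 -> CEAC 2 link failover.
    Returns (positions, link_used, alarms)."""
    alarms: List[str] = []
    for msg in (msg1, msg2):   # preferred link first
        if msg.position_sensor_fail:
            alarms.append(f"CEAC {msg.ceac_id} CEA position sensor fail")
            continue
        return list(msg.target_positions), msg.ceac_id, alarms
    alarms.append("Target CEA position unavailable from both CEAC links")
    return None, None, alarms


def cpc_consume_links(msg1: CeacLinkMessage, msg2: CeacLinkMessage) -> CpcResult:
    """One CPC cycle's view of the two links: penalty factors are always
    combined, target positions come from the first healthy link."""
    if (msg1.ceac_id, msg2.ceac_id) != (1, 2):
        raise ValueError("expected the CEAC 1 message first and the CEAC 2 message second")
    dnbr_pf, lpd_pf = select_penalty_factors(msg1, msg2)
    positions, link, alarms = select_target_positions(msg1, msg2)
    return CpcResult(dnbr_pf, lpd_pf, positions, link, alarms)


# Constructed sample messages for one CPC cycle (not plant data).
SAMPLE_CEAC1 = CeacLinkMessage(1, dnbr_penalty=1.05, lpd_penalty=1.10,
                               target_positions=[150.0, 149.5, 150.2],
                               position_sensor_fail=False)
SAMPLE_CEAC2 = CeacLinkMessage(2, dnbr_penalty=1.12, lpd_penalty=1.02,
                               target_positions=[150.0, 149.4, 150.3],
                               position_sensor_fail=False)

if __name__ == "__main__":
    print(cpc_consume_links(SAMPLE_CEAC1, SAMPLE_CEAC2))
    # CEAC 1 position data failed: penalty factors unchanged, positions from link 2.
    failed1 = CeacLinkMessage(1, 1.05, 1.10, [150.0, 149.5, 150.2], True)
    print(cpc_consume_links(failed1, SAMPLE_CEAC2))
```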

  • One PM646A CPP processor module

The CEA Position Processor (CPP) reads the RSPT channel hardwired inputs, converts the voltage inputs into CEA position values, detects input channel failures, and transmits the CEA position values over the HSL to a PM646A module in a CEAC AC160 controller chassis in all four CPCS channels. Table 3.2.2-1 Preferred Source for CEA Position Data defines the source of CEA position information for the two CEACs in each of the four CPC channels. [ ]a,c

CPP 2 transmits the data to CEAC 1 via HSL since it is in a different controller chassis within the channel. [ ]a,c

CPP 1 transmits the data to CEAC 2 via HSL since it is in a different controller chassis within the channel. [ ]a,c


Table 3.2.2-1 Preferred Source for CEA Position Data73

a,c

A second function of the CPP is monitoring the target CEA positions within the CPC channel.

Note that in channels A and B, Target CEA positions are based upon RSPT1, whereas in Channels C and D, it is based upon RSPT2.74

[ ]a,c



[ ]a,c

  • Two (channels A and D) or five (channels B or C) AI688 analog input (AI) modules

The CPCS design allows for up to 24 CEA positions (5 to 10 Vdc) to be monitored in channels A and D, and up to 73 CEA position inputs (5 to 10 Vdc) to be monitored in channels B and C. The analog input module is capable of monitoring up to 16 inputs over the range of 0 to 10 Vdc.77 In both CEAC AC160 controller chassis, the 15 Vdc auctioneered RSPT power supply voltage is monitored by one analog input through voltage dividers so as not to exceed the range limit of the analog input module.78

  • One digital output (DO) module

The DO card is used to provide trip and annunciator output contacts for the following alarm and annunciation:

    o CEA Deviation CEAC 1
    o CEAC 1 Fail (or CEAC 2 Fail in the CEAC 2 AC160 Controller)
    o CEAC 1 Sensor Fail (or CEAC 2 Sensor Fail in the CEAC 2 AC160 Controller)
    o CPP 1 Trouble (or CPP 2 Trouble in the CEAC 2 AC160 Controller)
    o CEAC 1 Trouble (or CEAC 2 Trouble in the CEAC 2 AC160 Controller)
    o CEAC 1 Test (or CEAC 2 Test in the CEAC 2 AC160 Controller)

The digital outputs operate interposing relays mounted on an Interposing Relay Panel (IRP), which provide electrical isolation between the DO modules and the output signals.79

3.2.2.1 CEAC Application Program

The CEAC PM646A executes the CEAC application program. [ ]a,c

Table 3.2.2-2 CEAC Program Execution Intervals and Input Sampling Rates

a,c

3.2.3 Power Supply

The power supply powers the AC160 controllers, relays, HSL Modems, and reed switch position transmitter circuits. Separate power supply modules are used for these different functions. All power supplies within a CPC channel receive AC power from the associated CPC channel Vital AC input power.

There are eight power supplies in each CPC/CEAC channel. These consist of dual auctioneered 24 Vdc processor power supplies for the AC160 processor equipment, dual auctioneered 24 Vdc auxiliary power supplies for output relays, dual auctioneered 5 Vdc power supplies for the HSL Modems, and dual auctioneered 15 Vdc RSPT power supplies for CEA position input information.

Redundancy will be available for all power supply pairs using diode auctioneering which provides bumpless transfer upon module failure. Faults in one half of a redundant supply will not prevent the other from operating normally. Redundant modules can be replaced while the power supply remains energized without disturbing the powered system.

The power supply is configured so that it is not near its maximum loading to extend its life. Supplemental cooling is provided to extend the life of components.

Sufficient hold up time (20 milliseconds) is provided to allow momentary loss of external power due to bus transfer.

Each power supply has protection features for overvoltage, undervoltage, overtemperature, and over current. Alarm contact outputs from the power supply modules are monitored by the CPC channel DI module. One DI is used for each power supply module.

The power supply assembly includes local monitoring features, such as lamps, to aid in diagnosing individual power supply problems.82


3.2.4 APC Multiplexer

As described in Section 2, each channel in the existing APC has two redundant APC Multiplexers (APC MUX). These APC MUXs transmit the non-safety related Fixed Incore Detector Amplifier Systems (FIDAS) signals to the Plant Computer. Although the APC MUX data acquisition to the plant computer is a non-safety related function, the equipment resides in the safety-related APC and therefore needs to be qualified as an associated circuit in accordance with the WF3 licensing basis (NRC Regulatory Guide 1.75) (Reference 7).

The APC MUX is replaced with a non-safety chassis capable of accepting the 0 to -10 Vdc incore detector signals from the incore amplifier and transmitting them via Ethernet to the plant monitoring computer (PMC). The replacement APC MUX provides its own Ethernet link separate from the CPC link to the PMC.83 To meet the requirements of RG 1.75, the replacement APC MUX will go through equipment qualification to meet seismic DBE requirements for structural integrity and to meet EMC requirements to avoid EMI issues with the other safety-related equipment mounted in the APC.84

3.2.5 HVAC Requirements

The CPCS is installed in the APC, which is located in the main control room area. The HVAC heat load calculation (Reference 38) assumes the CPC heat load in the APC (CP-22) is:

Channel A: 2863 Watts
Channel B: 5171 Watts
Channel C: 4171 Watts
Channel D: 2863 Watts
POWER LOSS = 15,068 Watts

Section 2.1.1 of the Palo Verde CPCS Technical Manual (Reference 30) specifies the typical power usage, and thus the power consumption, as:

Channels A/D: 463.6 Watts
Channels B/C: 559.6 Watts

This represents a maximum of 16.2% of the assumed heat load in the HVAC heat load calculation for the CPCS. The architecture similarities between the Palo Verde CPCS and the Waterford CPCS replacements are such that, should the heat load double for an unforeseen reason, the assumptions in the HVAC heat load calculation would not be affected.

The Waterford CPCS heat load calculation will be issued once the detailed hardware design is complete.



3.2.6 CPCS Design Function

The CPCS design functions are unchanged as a result of the CPCS upgrade using the Common Q Platform. The same design basis algorithms are used; however, the timing of some of the application programs was changed to accommodate the change in platform. This is identified in Table 3.2.1.1-1 CPC Program Execution Intervals and Input Sampling Rates. These changes were analyzed for their impact on response time in a timing analysis performed for the Palo Verde CPCS upgrade. The analysis concluded that the Common Q CPCS meets the design basis response time requirements for the Palo Verde Nuclear Generating Station.

Similar to Palo Verde, nuclear power plants typically allocate a response time budget for the I&C equipment portion of the safety system in their safety analysis. These budgets usually are conservative assumptions independent of the I&C equipment used and confirmed once by their safety analysis. In the case of WF3, the actual response time calculations of the legacy I&C CPCS equipment established the response time criteria (budget) in the safety analysis for the CPCS with no timing margin.

The WF3 CPCS Timing Analysis (Reference 55) documents the response time for the WF3 Common Q CPCS upgrade. [ ]a,c

As part of the normal fuel reload process, Waterford runs the safety analysis of record with the WF3 CPCS calculated response times to validate that acceptable margin is maintained. It is the fuel reload process performed under 10 CFR 50.59 that evaluates the results of the rerun of the safety analysis prior to core reload.

The estimate is documented in Reference 24. The basis of the estimate is the CEA rod drop time LAR submitted in 2015 that increased the CEA rod drop time in the safety analysis by an additional 200 ms due to a hold coil delay that needed to be accounted for. The method used for the CPCS delay time estimate on thermal margin results is to take the thermal margin degradation of the CEA rod drop 200 ms delay and then extrapolate for the increase in CPCS response times. [ ]a,c

In the case of the following DBEs, both the 200 millisecond increase in hold coil delay [ ]a,c resulted in minimal changes to the minimum DNBR or high LPD (peak linear heat rate):

Increased Main Steam Flow (FSAR Section 15.1.1.3)

Uncontrolled CEA Withdrawal from a critical condition (FSAR Section 15.4.1.3)



In the case of the Asymmetric Steam Generator Transient (FSAR Section 15.9.1.1), the combination of the CPCS Tcold trip with the required overpower margin reserved in COLSS ensures that all the acceptance criteria (DNBR 1.24 and LHR 21 kW/ft) continue to be met. This conclusion was not impacted by the 200 millisecond increase in hold coil delay time [ ]a,c.

The 0.8 sec HCD time column is the margin degradation as a result of the 200 millisecond hold coil delay time. The next column to the right is the combination of this 200 millisecond delay [ ]a,c. AOR stands for the Safety Analysis of Record.



Table 3.2.6-1 [ ]a,c

a,c


[ ]a,c

3.2.7 Service/Test Functions

The Common Q CPCS is designed for fail-safe operation under component failure or loss of electrical power as defined in the Failure Modes and Effects Analysis (FMEA) in Appendix 2 of the Topical Report, Reference 5. Sections 2.3.3, 2.4.2, 3.1.1.1.3, 3.1.1.4 and 3.1.1.7 of the CPCS System Requirements Specification (Reference 2 as augmented by Reference 21) provide the CPCS failure analysis.85 The following list of processor fault conditions for the existing CPC implementation describes how they are addressed for the Common Q CPCS:

[

]a,c

3.2.7.1 Maintenance and Test Panel (MTP)

Each CPC channel has an MTP. This panel is provided at the APC as the primary human system interface (HSI) for routine maintenance and testing by plant technicians. It is located in the APC and uses a display screen. Many of the OM display functions are duplicated on the MTP. The MTP has a test mode to support maintenance testing.91 This functionality is identical to the Palo Verde CPCS replacement that was reviewed and approved by the NRC. The Palo Verde implementation included AI calibration as part of this function, but the AI688 cards do not require calibration and therefore are not included in this description.

The CPCS requires two input signals to enter test mode: the PPS Test Enable signal and the MTP Function Enable signal. The PPS Test Enable signal is generated by bypassing the DNBR and LPD signals at the PPS and provides the permissive signal for allowing the CPCS to be tested. The MTP has a Function Enable (FE) key switch that must be in the enable position in order to allow entering the Test Mode.92 Test Mode Displays are:

Test Main Page93 The Main Surveillance Test page provides status indicators showing which of the processors are in Test Mode. This will depend upon which of the tests have been initiated.

CPC Functional Test94 Note: This functional test screen is not to be confused with the technical specification periodic channel function test surveillance requirement, which is being eliminated.

Selecting the CPC Functional Test Icon forces entry into the CPC Test Mode, causing an auxiliary trip (DNBR/LPD channel trips), Channel Test indication, and CPC Test annunciation. A separate icon is used to exit from the CPC Functional Test. The auxiliary trip and associated indication/annunciation are cleared when the CPC Processor is no longer in Test Mode. The CPC remains in Test Mode until the functional tests are inactive (complete) and the Exit Functional test icon has been selected.

The Cabinet Temp DO Test is supported by an On icon, which initiates the cabinet temperature DO test by opening the alarm contact, and an Off icon, which terminates the test by restoring the contact to its pre-test position.

The DNBR and LPD Trip relay test is supported by buttons that allow the operator to change the state of the DNBR and LPD output trip contacts between OPEN and CLOSED.

Load Addressable Constants95 A Load Addressable Constants icon on the Test page supports loading of addressable constants into the CPC, CEAC 1, and CEAC 2 AC160 processors. A separate icon in proximity of the Load Addressable Constants icon is used to exit the Load Addressable Constants mode, clearing all associated trips, indication, and annunciation.

Depressing the Load Addressable Constants icon forces the CPC channel under test into test mode, causing an auxiliary trip, Channel Test indication, and CPC Test, CEAC 1 Test, and CEAC 2 Test annunciation.

Addressable constants are loaded from removable media. This media is stored and secured using plant procedures. When the Addressable Constants are to be read in from removable media, the cyclic redundancy check (CRC), date, time, and channel identifier generated at the time the addressable constants were saved are displayed. A prompt asks for verification that the data is correct prior to permitting the addressable constant load.

CPPs remain functional throughout this mode of operation, permitting normal CEA position transmission to all channels.

  • Load Reload Data Block (RDB) Constants96 Reload Data Block refers to the fuel-dependent variables that need to be updated every refueling cycle. The Common Q CPCS replicates this functionality. The RDB is loaded from removable media. This media is stored and secured using plant procedures. A Load RDB icon on the Test page supports loading of the RDB. A separate icon in proximity to the Load RDB icon is used to exit the RDB Load mode, clearing all associated trips, indication, and annunciation. Depressing the Load RDB icon forces the CPC channel into test mode, causing an auxiliary trip, Channel Test indication, and CPC Test, CEAC 1 Test, and CEAC 2 Test annunciation. The CRC, Sequence, and Version of the RDB media are displayed. A prompt asks for verification that the data is correct prior to permitting the RDB load. CPPs remain functional throughout this mode of operation, permitting normal CEA position transmission to all channels.
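The verification gate described for the addressable constants and the RDB load (stored CRC, date, time and channel identifier, or CRC, sequence and version, recomputed and displayed for confirmation before the load is permitted) is modelled in the following added example. It is not Westinghouse or Entergy code; the header layout, field names, and the use of CRC-32 are assumptions made for illustration.

```python
"""Integrity gate for loading constants from removable media (added example).

Models the check the report describes: the CRC, channel identifier, save
time, sequence and version stamped on the media are recomputed and shown,
and the load is refused unless the CRC matches, the media belongs to the
channel under test and the operator confirms.  The header layout, field
names and CRC-32 are assumptions for illustration, not the Common Q format.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import List, Tuple

MAGIC = b"CPCS"  # assumed 4-byte tag marking a constants image
# Assumed header: magic, channel letter, 19-byte "YYYY-MM-DD HH:MM:SS"
# save timestamp, sequence (u16), version (u16), CRC-32 of the payload (u32).
HEADER_FMT = ">4sc19sHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32 bytes


@dataclass
class LoadRecord:
    """What the MTP would display to the technician before permitting a load."""
    channel: str
    saved_at: str
    sequence: int
    version: int
    crc_stored: int
    crc_computed: int
    values: List[float]

    @property
    def crc_ok(self) -> bool:
        return self.crc_stored == self.crc_computed


def build_image(channel: str, saved_at: str, sequence: int, version: int,
                values: List[float]) -> bytes:
    """Save side: pack the constants and stamp the header with the payload CRC."""
    payload = struct.pack(">%dd" % len(values), *values)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    header = struct.pack(HEADER_FMT, MAGIC, channel.encode("ascii"),
                         saved_at.encode("ascii").ljust(19, b" "),
                         sequence, version, crc)
    return header + payload


def inspect_image(blob: bytes) -> LoadRecord:
    """Load side: parse the header and recompute the CRC over the payload."""
    if len(blob) < HEADER_LEN or blob[:4] != MAGIC:
        raise ValueError("media does not contain a constants image")
    _, chan, ts, seq, ver, crc = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    payload = blob[HEADER_LEN:]
    if len(payload) % 8:
        raise ValueError("payload is truncated")
    values = list(struct.unpack(">%dd" % (len(payload) // 8), payload))
    return LoadRecord(chan.decode("ascii"), ts.decode("ascii").rstrip(),
                      seq, ver, crc, zlib.crc32(payload) & 0xFFFFFFFF, values)


def authorize_load(blob: bytes, channel_under_test: str,
                   operator_confirmed: bool) -> Tuple[bool, str]:
    """Apply the gate: integrity first, then channel identity, then confirmation."""
    try:
        rec = inspect_image(blob)
    except ValueError as exc:
        return False, str(exc)
    if not rec.crc_ok:
        return False, "CRC mismatch: stored %08X, computed %08X" % (
            rec.crc_stored, rec.crc_computed)
    if rec.channel != channel_under_test:
        return False, "media saved for channel %s, channel under test is %s" % (
            rec.channel, channel_under_test)
    if not operator_confirmed:
        return False, "operator did not confirm the displayed CRC/date/time/channel"
    return True, "load permitted"


# Constructed sample media image for channel B (values are placeholders).
SAMPLE_VALUES = [1.24, 21.0, 0.8]
SAMPLE_IMAGE = build_image("B", "2021-07-01 10:15:00", 12, 3, SAMPLE_VALUES)

if __name__ == "__main__":
    rec = inspect_image(SAMPLE_IMAGE)
    print("channel %s saved %s seq %d ver %d CRC %08X (%s)" % (
        rec.channel, rec.saved_at, rec.sequence, rec.version, rec.crc_computed,
        "match" if rec.crc_ok else "MISMATCH"))
    print(authorize_load(SAMPLE_IMAGE, "B", True))
    print(authorize_load(SAMPLE_IMAGE, "C", True))
```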

The MTP is also used to load AC160 software. In order to load CPCS AC160 processor applications software it is necessary to place the two position SLE key-switch in the SLE position and select the destination AC160 processor (one of six) with the processor select (PS) switch. While the SLE switch is in the enable position, Low DNBR and High LPD trip contacts are opened in the affected channel.97 The SLE switch can perform the following three functions:

[

]a,c This functionality is identical to the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

3.2.7.2 OM/MTP Service/Test Functions

In addition to the MTP service and test functions described in Section 3.2.7.1, there are service/test functions that are available on both the OM and the MTP. These display functions are identical to those implemented for the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

3.2.7.2.1 Standard Display102

The Standard Display Page emulates the existing OM interface, but with additional Tag Names for point ID values, to minimize training required to use the new displays. A Find Tag Name icon is provided on this display as an operator aid in associating tag names with Point IDs.

The memory protect keylock on the existing (legacy) display is eliminated. This function is addressed by the SLE interlock at the APC. The existing dedicated Channel Bypass switch and Change Value switches have had their functions combined into a common Function Enable key-lock switch mounted near the OM display.

The existing Calculator Select switch on the OM is eliminated. Instead of using this switch to display either CPC or CEAC point IDs, the point ID assignments have been changed by converting the three-digit point IDs of the existing CPCS to a four-digit Point ID. The first digit denotes the calculator.

The existing OM keypad, Point ID, Change Value, and Execute icons have been retained and have similar functionality in the new OM display. The replicated functions for the standard display include:

Point ID Requests - Displays a value associated with a Point ID or addressable constant.

Change Value Requests - Allows changing a value associated with a Point ID if it is classified as an addressable constant. The FE key switch must be in the enable position to allow this function.

Operating Bypass Insertion and Removal - This replicates the existing CPCS function. This function can also be performed on a dedicated DNBR/LPD OP BYPASS display. Operating bypass of the CPC channel may only be performed when the power level, as sensed by the PPS Safety Channel Nuclear Instrumentation, is below the bypass permissive setpoint (nominally 1E-4%), and if the FE switch is placed in the enable position. The bypass permissive is provided from the PPS as a DI to the CPC channel. The FE switch position is a DI to the OM/MTP PC Node Box. Both DIs need to be true to allow this function to be performed.

In addition to the OM and MTP bypass capability described above, it is also possible to perform the bypass at the APC using a dedicated two position (OFF/BYPASS) key switch, independent of the function enable switches on the OM or MTP. This is to provide a hardware backup bypass capability in case the CPC channel is inoperable. This CPC hardware bypass switch must be left in the bypass position as long as the bypass is to be in effect. This is governed by administrative procedures. This function is identical to that implemented for the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

3.2.7.2.2 Nuclear Instrumentation (NI) Calibration Display103

This display replaces the manual procedure for NI calibration. This display calibrates the NIs based on one of three offline sources of calorimetric power entered by the operator. The FE key switch must be in the enable position to allow this function. This function is identical to that implemented for the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

3.2.7.2.3 System Status: CPCS System Health Page104

The CPCS System Health Page includes a graphical depiction of the CPCS channel including all major components. This display is to facilitate diagnosis of CPCS system failures, at least to the module level.

Alarm (or system error) conditions affecting one or more of the displayed components cause a color change of that component. The color remains in the alarm state for the duration of the alarm condition.

[

]a,c

3.2.7.2.4 System Event List105

The System Event List provides one or more pages of dynamic alarm and status information. This list includes all CPCS channel current diagnostic failure (error) conditions. There is also a System Event Log that provides one or more pages of historical alarm and status information. It includes historical logging of the previous thirty diagnostic system failures. The log can be cleared with the FE key switch in the enable position.

3.2.7.2.5 CPC and CEAC Trip Buffer Displays106

In the event of a Low DNBR or High LPD channel trip, the CPC trip buffer will be frozen at the time of trip [

]a,c. Similarly, the CEAC snapshot will be frozen on each of the following conditions:

  • At least one of the CEAs in a subgroup with a deviation is between the top and bottom deadbands
  • Multiple deviations in a subgroup
  • Excessive number of input signal failures in a core quadrant
  • Excessive number of deviations in a core quadrant (this is a subset of the first condition)

When a snapshot is frozen, the current snapshot will depict data at the time of the freezing. [

]a,c A printout of the CPC Trip Buffer and the CEAC snapshot can be initiated from this display.

3.2.7.2.6 Failed Sensor Stack107

This display mimics the legacy (existing) CPC failed sensor stack. It displays the last twenty sensor failures. There are separate failed sensor stacks for the CPC, CEAC 1 and CEAC 2 AC160 controllers.

This display also provides the means to clear the CEAC rate of change failure condition. The CEAC application program monitors for an excessive rate of change of CEA position. The rate of change failure latches and must be manually cleared via this display. The CEAC application program considers this a CEA failed sensor until the latch is cleared.

3.2.7.2.7 CRC/SysLoad

This page provides a dynamic display of the status of the PM646A CRC diagnostic and the processor loading. [

]a,c

[

]a,c

[

]a,c

[

]a,c

3.2.7.2.8 Trip Status Display

This display provides status indication for any trips, pre-trips or when a CWP alarm is present.118

3.2.7.2.9 FPD Status List

Each flat panel display (OM, MTP) contains a diagnostics page applicable to that display.119

3.2.7.2.10 Input Module Comparison120

Provides one or more pages displaying dynamic analog input module values. Redundant module readings are displayed in a side by side format to facilitate comparison of the readings from each of the redundant modules.

The deviation between readings for each module is also displayed in a separate column to the immediate right of the two display columns. This column is provided to facilitate monitoring of the deviation magnitude between redundant inputs.

Redundant pairs include:

  • The AI modules in CPCS processor slots 5 and 6, which redundantly provide analog inputs to the CPC processor, and the AI modules in the CEAC processors.
  • Corresponding AI modules in both CEAC AC160 controllers. CEA positions are redundantly processed by AI modules in both CEAC AC160 controllers. AI module locations and channel assignments are identical in the two CEAC AC160 controllers. Therefore, the side by side display includes AI module readings from the corresponding AI modules in each of the two CEAC AC160 controllers.

3.2.7.2.11 Misc. displays of variables

These displays are based on context (e.g., plant mode or support an operator function like channel check).121

3.2.7.2.12 Dedicated Alarm Indication122

The following alarm conditions are displayed on the OM and MTP. Note that it is possible to have several of these alarm icons illuminated simultaneously, if conditions dictate. For example, a processor module (PM646A) may detect a failure that will result in both a Channel TRBL and CPC Fail condition, each with a dedicated alarm icon.

All OM and MTP alarm icons will clear when the alarm condition clears, with the exception of the CPC Fail, CEAC 1 Fail, and CEAC 2 Fail alarms, which latch in, and must be manually reset by depressing the appropriate alarm icon. This is consistent with the existing CPCS functionality and the Palo Verde CPCS replacement. Resetting the alarm icons on either the OM or MTP will clear the alarm state at both locations.

For each of the alarm conditions, the system event list (Section 3.2.7.2.4) may be accessed on the OM or MTP. This page will provide diagnostic messages as to the alarm condition. In addition, the failed sensor stack (Section 3.2.7.2.6), and System health display (Section 3.2.7.2.3) may be used to provide diagnostic information.

The OM and MTP monitor all of the data packets being sent over the AF100 for indication that a data packet is not being updated. This can be the result of lost communication with the AC160 controller from which the data packet originated. Some alarm icons have multiple data packets associated with them that are used to determine the state of the alarm. The OM/MTP backlights an alarm icon in magenta when it detects a failed status on any associated data packet, as long as no alarm is present on any of the data packets. If any of the "good" data packets associated with an alarm icon contains an alarm value, the alarm value takes precedence over the failed status.

The CHAN TRBL alarm icon is displayed red when one of the AC160 controllers initiates a channel trouble alarm. The CHAN TEST alarm icon is red when one of the AC160 controllers initiates a channel test alarm.
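The icon-state rules just described (stale packet gives failed status, magenta only when no alarm is present, an alarm on a good packet takes precedence, and the CPC FAIL and CEAC 1/2 FAIL icons latch until manually reset) are worked through in this added example. It is not the OM/MTP software; the packet names, the staleness threshold and the timeline are constructed for illustration.

```python
"""OM/MTP alarm icon state from AF100 data packets (added example).

A packet that stops updating is marked failed; an icon is backlit magenta
when any of its packets has failed and no alarm is present; an alarm value
on a good (updating) packet takes precedence and shows red; CPC FAIL and
CEAC 1/2 FAIL latch until manually reset, all other icons clear with the
condition.  Packet names, the staleness threshold and the timeline are
constructed for illustration, not taken from the Common Q design.
"""
from dataclasses import dataclass
from typing import Dict, List

STALE_AFTER_S = 2.0  # assumed: no update within this window => failed status
LATCHING_ICONS = {"CPC FAIL", "CEAC 1 FAIL", "CEAC 2 FAIL"}


@dataclass
class Packet:
    name: str
    last_update: float   # time (s) the OM/MTP last received this packet
    alarm: bool = False  # alarm value carried in the packet

    def failed(self, now: float) -> bool:
        return now - self.last_update > STALE_AFTER_S


@dataclass
class AlarmIcon:
    name: str
    packets: List[str]  # names of the data packets that drive this icon
    latched: bool = False

    def evaluate(self, pk: Dict[str, Packet], now: float) -> str:
        """Return the icon colour: RED, MAGENTA or CLEAR."""
        good = [pk[n] for n in self.packets if not pk[n].failed(now)]
        any_failed = len(good) < len(self.packets)
        alarm_now = any(p.alarm for p in good)  # stale packets are not trusted
        if alarm_now and self.name in LATCHING_ICONS:
            self.latched = True
        if alarm_now or self.latched:
            return "RED"
        if any_failed:
            return "MAGENTA"
        return "CLEAR"

    def reset(self) -> None:
        """Operator depresses the icon on the OM or MTP; the latch is shared."""
        self.latched = False


def run_latching_scenario() -> List[str]:
    """Constructed timeline for CPC FAIL driven by two assumed packets."""
    pk = {"pm_status": Packet("pm_status", 0.0), "cpc_diag": Packet("cpc_diag", 0.0)}
    icon = AlarmIcon("CPC FAIL", ["pm_status", "cpc_diag"])
    states = []

    def refresh(now: float, **alarms: bool) -> None:
        for p in pk.values():
            p.last_update = now  # both packets received this cycle
        for name, value in alarms.items():
            pk[name].alarm = value

    refresh(1.0)
    states.append(icon.evaluate(pk, 1.0))  # CLEAR
    refresh(2.0, cpc_diag=True)
    states.append(icon.evaluate(pk, 2.0))  # RED, and the icon latches
    refresh(3.0, cpc_diag=False)
    states.append(icon.evaluate(pk, 3.0))  # RED: condition gone, still latched
    icon.reset()
    states.append(icon.evaluate(pk, 3.0))  # CLEAR after manual reset
    pk["pm_status"].last_update = 6.0      # cpc_diag stopped updating at t=3.0
    states.append(icon.evaluate(pk, 6.0))  # MAGENTA: failed packet, no alarm
    pk["cpc_diag"].alarm = True
    states.append(icon.evaluate(pk, 6.0))  # MAGENTA: alarm on stale packet ignored
    pk["pm_status"].alarm = True
    states.append(icon.evaluate(pk, 6.0))  # RED: alarm on a good packet wins
    return states


def run_non_latching_scenario() -> List[str]:
    """CHAN TRBL clears as soon as the controller drops the alarm."""
    pk = {"trbl": Packet("trbl", 0.0, alarm=True)}
    icon = AlarmIcon("CHAN TRBL", ["trbl"])
    first = icon.evaluate(pk, 0.5)   # RED
    pk["trbl"].alarm = False
    pk["trbl"].last_update = 1.0
    second = icon.evaluate(pk, 1.5)  # CLEAR, no manual reset needed
    return [first, second]


if __name__ == "__main__":
    print("CPC FAIL :", run_latching_scenario())
    print("CHAN TRBL:", run_non_latching_scenario())
```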

The following Alarm icons are also present on the OM/MTP:

  • CPC FAIL
  • CPC SENS FAIL
  • CEAC 1 (2) INOP*
  • CEAC 1 (2) FAIL
  • CEAC 1 (2) SENS FAIL
  • CEAC 1 (2) CEA DEV

* A CEAC can be manually put in the inoperable state (INOP) by the operator if the CEAC has failed.

The CPC algorithm will use the last good penalty factor prior to this condition for selecting the maximum penalty factor between the two CEACs.

3.2.8 Separation and Independence

Each redundant CPC channel is electrically independent and isolated from adjacent channels, with the exception of the shared CEA position information through fiber-optically isolated HSL data links from the CEA Position Processors. This configuration of shared CEA position information is consistent with the current licensing basis described in the FSAR. It is also the exact same configuration for the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

The CPCS provides safety to non-safety communication through the Flat Panel Displays - OM and MTP.

The OM and MTP contain a fiber optic modem and provide a single fiber transmit only link out of the CPCS channel. The fiber optical cabling provides electrical isolation to prevent external fault propagation back into the transmitting CPC channel. [

]a,c The destination devices are the Plant Monitoring Computer or CEAPDS or a printer to support the Print screen function.123

3.2.8.1 Interposing Relays

The trip, pre-trip, and CWP outputs to the PPS are channelized such that these outputs will be provided only in the associated PPS channel. CPC output contacts and associated field terminations to annunciators maintain separation from the PPS input/output contacts and other CPC channel equipment to prevent propagation of external faults into the CPC channel, as currently implemented in the existing CPCS.124 The interposing relays for the annunciator system are considered the Class 1E to non-1E isolation of these signals. The annunciator circuit is current limited to 0.002 A and 125 VDC. The IRP relay contacts are rated to switch a voltage of at least 200 V and the current rating is at least 0.200 A. The relay coil to contact isolation is of at least 1000 Vac.125 The following Interposing Relay Panel-mounted relays interface with the associated PPS channel, and are considered Class 1E on both the coil and contact side. The DNBR/LPD Trip and Pre-trip relays use one relay for output to the PPS, and one relay for output to the Input/Output Simulator. For the CWP relay, there is a second set of contacts that are currently spare but may be used in the future to interface with the CPCS Input/output simulator for testing. Though the CWP relay is equipped with dual Form C contacts, only the normally open (Form A) contacts are used:

  • DNBR Trip output to PPS (two Solid State Form A)
  • DNBR Pre-trip output to PPS (two Solid State Form A)
  • LPD Trip output to PPS (two Solid State Form A)
  • LPD Pre-trip output to PPS (two Solid State Form A)
  • CWP Output to PPS (two Form C)126

The following IRP relay contacts are outputs to annunciator circuits. The second set of Form C contacts on each relay is wired to connectors used to interface with the input/output simulator for testing.

Though the individual relays are equipped with dual Form C contacts, only the normally open (Form A) contacts are used:

  • Cabinet High Temperature (two Form C)
  • Auxiliary Pre-trip Alarm (two Form C)127

Three IRP relays are used to perform operating bypass of the CPC channel. Each of the three relays has two Form C contacts. Though the individual relays are equipped with dual Form C contacts, only the normally open (Form A) contacts are needed in the bypass function. The relay used for annunciation utilizes the Form A contact, which will provide a closed contact when the relay is energized in an annunciate state:
  • One relay is used to bypass the Low DNBR trip and pre-trip when the relay is energized. Two form C contacts are arranged in a form A configuration. Both the coil and contact are considered Class 1E.


  • One relay is used to bypass the High LPD trip and pre-trip when the relay is energized. Two form C contacts are arranged in a form A configuration. Both the coil and contact are considered Class 1E.
  • One relay is used to provide bypass annunciation when the relay is in an energized state. As such, the normally open (form A) contact is used. The second set of form C contacts on this relay are wired to connectors used to interface with the input/output simulator for testing. Only the normally open (form A) contact is used for this purpose. The relay contact is considered associated.128

[

]a,c The Test Enable MTP input (two Form C) IRP relay is used to provide the test enable low voltage input to the MTP when the Low DNBR and High LPD trips are in trip channel bypass in the PPS. Relay contacts are subject to low voltage (5 Vdc) and current. Dual Form C relay contacts are used in a single Form A configuration.130

3.2.9 Cross Divisional Interfaces

3.2.9.1 CEA Position Data

Each channel of the CPCS has two CEACs. The purpose of these two AC160 controllers is to calculate a PF multiplier to be used by the CPC algorithms based on CEA position deviations. CEAC 1 calculates the CEA position PF using the RSPT1 signals, and CEAC 2 calculates the CEA position PF using the RSPT2 signals.

In the existing (legacy) CPCS configuration there are four independent CPC channels that each contain a CPC. Then there are two CEACs (Channel B - CEAC 1, Channel C - CEAC 2) that calculate PFs associated with CEA rod positions and send the PFs and other related data to the individual CPCs via fiber optic data links. As a result, the legacy (existing) CPCS used cross channel (division) interfaces.

The CPCS replacement integrates the CEAC function into each CPCS channel. As a result, instead of providing the CEAC calculated results across channels, the CPCS replacement transmits CEA position data across channels so that each CPCS channel has a complete set of RSPT1 and RSPT2 signals for calculating CEAC PFs and other values within the channel.

The RSPT signals are channelized and read by each CPP in each channel redundantly (i.e., CPP 1 and CPP 2 in each channel read the same channelized RSPT signals). APC Channels A and B read RSPT1 signals and Channels C and D read RSPT2 signals. Each CPP then transmits these signals to the other 3 channels of the CPCS. The cross channel communication of the CEA position data is via the Common Q AC160 HSL through fiber optic modems that provide electrical isolation between channels. This is a secure, unidirectional communication protocol using fiber optic cable isolation that has been reviewed and approved by the NRC for cross channel communication (Reference 4).131

Section 3.2.8 discusses the safety to non-safety data communication interfaces for the OM and MTP.

This design is identical to the Palo Verde CPCS replacement implementation that has been reviewed and approved by the NRC (Reference 3).

3.2.10 Connections to Human-System Interfaces

There are two Human System Interfaces (HSIs) in each CPCS channel: MTP and OM. The MTP is primarily used for the service and test functions described in Section 3.2.7.1. It is located in the APC along with the AC160 controllers.

The OM is the primary HSI for the control room operator. It mimics many of the OM functions of the existing CPCS OM located in CP-7 on the main control board. These functions are described in Section 3.2.7.2.

The CPCS channel has a redundant AF100 bus that provides communication among the CPCS channel subsystems.132 The AF100 bus was reviewed and approved by the NRC and is described in Reference 4.

The OM AF100 uses a fiber optic interface because of its location outside the APC.133 Section 3.2.8.1 discusses the hardwired interfaces to support the alarm annunciation of the CPCS channel.

3.2.11 Connections between Safety-Related Systems

The only external connection between the CPCS and other safety-related systems is the existing plant protection system. Those interfaces are hardwired using interposing relays as described in Section 3.2.8.1.

3.2.12 Connections between Safety-Related and Non-Safety-Related Systems

Section 3.2.8 discusses the OM, MTP and hardwired interfaces to non-safety-related systems.

3.2.13 Temporary connections

The CPCS design allows for the connection of an I/O simulator to support testing.134 A single location is provided from which the CPCS I/O simulator may be connected to the CPCS for testing. Connection of the I/O simulator to the CPCS in this manner provides the following simulation and monitoring capabilities to the CPC channel:

  • Simulate all externally sourced analog input values to the CPC and CEAC processor subracks
  • Simulate all externally sourced digital inputs to the CPC processor subrack.
  • Simulate CEA Position HSL inputs
  • Monitor channel HSL outputs
  • Monitor all CPCS digital outputs to the PPS
  • Monitor all CPCS analog output channels.135

Section 3.2.8.1 describes the IRP connections to the I/O simulator. The CPCS channel is put into Test by administrative procedure before connecting the I/O simulator to the CPCS channel.

3.2.14 Interfacing with Supporting Systems

The two supporting systems for the CPCS are the nuclear plant vital power and the main control room HVAC. Each CPCS channel receives plant power from the same vital instrument power supply used for the PPS as described in the WF3 FSAR Chapter 8. The PPS is supplied AC power from four inverters, two from each division, to supply power for the four measurement channels. A 120V uninterruptible ac system has been provided to supply the Plant Protection System control and instrumentation channels.

The power supplies discussed in Section 3.2.3 convert the ac power into dc to power the described subsystems within the CPCS channel. The OM and MTP use ac power, which is provided directly from the 120V uninterruptible ac system.

Section 3.2.5 describes the HVAC requirements for the replacement CPCS.

3.2.15 Physical Location of System Equipment

The CPCS equipment is located in the existing APC, replacing the legacy CPCS equipment. Only the OM is outside the APC; it is located on the main control board in the control room.

3.2.16 Communications

The data communications for the Common Q CPCS are:

[

]a,c The Common Q Topical Report (Reference 4), Sections 4.4, 5.3.1.4, and 5.4.1.4 describe the functionality and capability of the AF100 bus. [

]a,c Topical report sections 4.5, 5.3.1.3, and 5.4.1.3 describe the functionality and capability of the HSL.

The Common Q Topical Report Section 5.6 addresses the compliance for the HSL communication protocol to the twenty communication criteria established in DI&C-ISG-04 (Reference 9). Table 3.2.16-1 DI&C-ISG-04-Compliance describes the difference in disposition of the criteria for the CPCS application.

As stated in the topical report, the positions do not apply to the AF100 in any case, because the AF100 is contained within the channel. [

]a,c Citations in the dispositions to section numbers are to the sections in this document unless a specific document is mentioned.

There is one inbound communication channel in the CPCS channel and that is the time synchronization data link using the inter-range instrumentation group (IRIG) input to the MTP in each channel. This input communication channel is fiber optically isolated.140 This input is used to provide a common time reference for such functions as the print screen function, trip buffer report, and failed sensor stack.141 Time Synchronization is not required for the CPCS to perform its safety related functions. [

]a,c The time synchronization aligns the MTP clocks in all four channels. This is for the time stamping of the trip buffer report and other reports generated by the CPCS. This allows the trip buffer reports to be compared and the channel sequence for the trip to be determined, thus simplifying the analysis of a trip. This function saves considerable operating costs without complicating the CPCS design. Without the time synchronization, operations would have to 1) look at the time since restart on each train and correlate it to a real time clock, 2) determine the difference in time between channels, and 3) manually line up the trip buffer reports in each channel to determine the sequence of events.

The use of the IRIG interface is identical to the Palo Verde CPCS implementation that was reviewed and approved by the NRC. The NRC safety evaluation report for the Palo Verde CPCS, ML033030363, states: "The first component is an IRIG-B time card installed in the FPDS, that is used for time stamping events for the trip buffer and failed sensor stack. The card has been qualified (Seismic, EMI, environmental) to operate in the FPDS. The staff concludes that there is reasonable assurance that failure of this card does not adversely impact the safety functions operating in the CPCs or CEACs and, therefore, finds that the IRIG-B time card is appropriately used in the FPDS application."

Table 3.2.16-1 DI&C-ISG-04-Compliance also includes the disposition of the IRIG communication channel to the 20 criteria in DI&C-ISG-04.

Table 3.2.16-1 DI&C-ISG-04-Compliance [ ]a,c

3.2.17 Failure Modes and Effects Analysis158

The failure modes and effects analysis (FMEA) is a qualitative evaluation that identifies the various failure modes contributing to a system's unreliability. The FMEA identifies significant single failures and their effects or consequences on the system's ability to perform its functions.

The CPC system is designed so that any single failure in any channel will not prevent proper protective action of the other CPC channels, or inhibit operation of the PPS at the system level. The failure modes and effects analysis for this system shows that no single failure will defeat more than one of the four redundant CPC channels. The FMEA assumes that one of the four CPC channels is permanently bypassed, resulting in a two out of three PPS logic, as is consistent with plant Technical Specifications, LCO 3.3.1.

The FMEA addresses all credible outputs from the CPC/CEAC computers (e.g., communications failures, stalls, etc.), not all possible causes of the failure condition. At the hardware interface level, the FMEA bounds all cases by considering the worst case effects at the computer module outputs.

The CPCs possess several redundancy features to enhance channel reliability. Significant among these are redundant analog input monitoring by each CPC channel, and redundant CEA position transmission to the other three CPC channels. In order for a channel to remain operable, only one of the redundant signal paths (CPPs and associated HSL) need be operable. [

]a,c In cases where all CEA position transmission from a channel is interrupted, such as upon loss of channel power, the presence or absence of redundant CPP links in other channels is irrelevant, since one channel will trip, and one CEAC will be rendered inoperable in the other operable channels. In cases where a failure impacts only one of the two redundant CPP links in the sending channel, the redundant link will maintain CEA position signal transmission to the applicable CEACs in the other channels, unless the receiving signal path is unavailable due to redundant link failure within the receiving channel. In this case, the CEAC in the receiving channel with the inoperable redundant link will be treated by the CPC as failed, due to loss of both sources of CEA position input. Other channels with both links operable will retain operability of the affected CEAC. These specific subsets are not addressed in this FMEA due to the numerous possible permutations of processor and link availabilities in all channels. However, all possible combinations are bounded by the case in which both redundant signal transmission paths are unavailable in the sending channel. In this case, one CPC channel is rendered inoperable, and one CEAC in the other three channels will fail. This is consistent with the response of the existing CPCS.

Figure 3.2.17-1 depicts Channel B of the CPCS architecture.


a,c Figure 3.2.17-1 CPCS Channel B

3.2.17.1 Analog Input Module Failure Modes

Analog input failures are complicated by the overlaying of new failure modes, attributable to analog input module error condition monitoring, on the failure modes established in the existing CPCS. Generally, there has been no change to the manner in which the CPCS responds to sensor failures. That is, in the existing CPC, a sensor out-of-range condition provides a sensor failure indication, and the CPC uses a fixed value in its calculations indicative of the out-of-range limit. In the CEAC, the last valid position of the sensor prior to the failure is used. In the CEAC, both range limits and the rate of change of the sensor input are used to establish a sensor failure condition.

In the replacement CPCS, all analog inputs will be redundantly processed by two analog input modules.

For all inputs except CEA position, these two modules are in the CPC AC160 controller. For CEA positions, these modules are located in each of the two CEAC AC160 controllers.

Each analog input module is monitored for individual channel failures and module failures. The range of each analog input module input channel is 0 to 10 Vdc. If the input exceeds this range limit in either direction by greater than 10% of range (greater than 11.0 Vdc or less than -1.0 Vdc), the channel error terminal is set. In the CPC, if one or more individual channel error terminals are set, the same channels on the backup module will be used.

[

]a,c The FMEA is documented in Reference 39.
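The analog input channel error rule of Section 3.2.17.1 (0 to 10 Vdc range, error terminal set beyond 11.0 Vdc or -1.0 Vdc, backup module channel substituted in the CPC) as an added Python model; this is illustrative code, not Westinghouse or Entergy code, and the sensor tags, the sample readings and the substitute value chosen on a double failure are assumptions.

```python
"""Added illustration of the replacement CPCS analog input handling described
in Section 3.2.17.1 (not Westinghouse or Entergy code).  The range, the 10%
error band and the "use the backup module's channel" rule are from the text;
sensor tags, sample readings and the substitute value on a double failure are
constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple

FULL_SCALE_VDC = 10.0                              # module input range is 0 to 10 Vdc
ERROR_BAND_VDC = 0.10 * FULL_SCALE_VDC             # error terminal set beyond 10% of range
HIGH_ERROR_VDC = FULL_SCALE_VDC + ERROR_BAND_VDC   # 11.0 Vdc
LOW_ERROR_VDC = 0.0 - ERROR_BAND_VDC               # -1.0 Vdc


def channel_error(volts: float) -> bool:
    """True when the channel error terminal would be set: the input exceeds the
    0-10 Vdc range by more than 10% of range in either direction."""
    return volts > HIGH_ERROR_VDC or volts < LOW_ERROR_VDC


@dataclass(frozen=True)
class SelectedInput:
    volts: float          # value handed to the CPC calculation
    source: str           # "primary", "backup" or "substitute"
    sensor_failed: bool   # True only when both modules report a channel error


def select_input(primary_volts: float, backup_volts: float) -> SelectedInput:
    """Apply the CPC rule for one input channel processed by two modules.

    A reading inside the error band is accepted as-is even if it is slightly
    outside 0-10 Vdc (e.g. 10.8 Vdc), because the error terminal is not set.
    """
    if not channel_error(primary_volts):
        return SelectedInput(primary_volts, "primary", False)
    if not channel_error(backup_volts):
        # Channel error on the primary module: the same channel on the backup
        # module is used.
        return SelectedInput(backup_volts, "backup", False)
    # Both modules in error: the sensor is declared failed and, as in the existing
    # CPC, a fixed value indicative of the out-of-range limit is used.
    # ASSUMPTION: the limit on the side the primary module exceeded is chosen.
    limit = FULL_SCALE_VDC if primary_volts > HIGH_ERROR_VDC else 0.0
    return SelectedInput(limit, "substitute", True)


def process_scan(scan: Dict[str, Tuple[float, float]]) -> Dict[str, SelectedInput]:
    """Run one input scan.  Keys are constructed sensor tags; values are the
    (primary module, backup module) readings for that channel."""
    return {tag: select_input(primary, backup) for tag, (primary, backup) in scan.items()}


# Constructed scan: readings in Vdc, not plant data.
CONSTRUCTED_SCAN = {
    "TC-1": (5.20, 5.23),     # both modules healthy -> primary used
    "PT-1": (11.50, 4.80),    # primary channel error -> backup used
    "FT-1": (10.80, 10.75),   # above 10 Vdc but inside the error band -> accepted
    "LT-1": (-1.20, 11.30),   # both in error -> sensor failed, substitute 0.0 Vdc
}

if __name__ == "__main__":
    for tag, result in process_scan(CONSTRUCTED_SCAN).items():
        flag = " (sensor failed)" if result.sensor_failed else ""
        print(f"{tag}: {result.volts:.2f} Vdc from {result.source}{flag}")
```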

3.2.17.2 Watchdog Timer159

[

]a,c

[ ]a,c The DNBR and LPD Trip relays are solid state Form A (normally open) relays.

These outputs are dedicated solid-state relay outputs used for the Low DNBR trip and the High LPD trip. For the other PM646A WWDT outputs in the other AC160 controllers, Table 3.2.17.2-1, Window Watchdog Timer Actuation Summary, lists the reaction to each WWDT actuation. Note that the IRs for these outputs are standard relays with two DPDT contact outputs, using the Form A configuration for actuation.

Table 3.2.17.2-1 Window Watchdog Timer Actuation Summary a,c

3.2.18 Common Cause Failure (CCF)

The existing CPCS is implemented in computer-based hardware, so the change to the Common Q platform represents a digital-to-digital upgrade. The original licensing basis for WF3 assumes a potential CCF of the CPCS.160 The replacement of the current digital CPCS with the Common Q platform does not change the WF3 licensing basis for defense in depth and diversity. The following description summarizes the original assessment for a digital CPCS, the coping strategy for a postulated beyond-design-basis CPCS CCF, and its application to WF3.

In practice, the consequences of a four-channel CPC failure are significantly less severe than loss of all four PPS channels, since the CPCs provide only a small subset of the RPS trips. Since the WF3 PPS is analog, it is assumed that the remainder of the PPS is implemented in hardware diverse from that in the CPCs.

Thus, the remaining PPS trips provide diverse actuations for the FSAR Chapter 15 Anticipated Operational Occurrences (AOOs) and accidents for which the CPCs are credited.

The technical and licensing basis for the existing CPCS is given in the following sections of the WF3 UFSAR:

  • Chapter 7.2 (Since the CPCS is an integral part of the Reactor Protective System, the CPCS basis is described throughout the section. Note Section 7.2.1.1.8 establishes the licensing basis for diversity against a predictable common failure mode)


  • Appendix 4.3A.5.2 & 4.3A.5.3

To summarize what is described in UFSAR Chapter 7.2.1.1.2.5, the basic architecture for the CPCS is a four-channel computer system (i.e., Core Protection Calculator [CPC]) that calculates these parameters and initiates reactor trip signals to the analog reactor protection system. This basic architecture also includes two computers (CEAC 1 and CEAC 2) that calculate a CEA position penalty factor used by all four CPC computers.

The WF3 I&C architecture mirrors the echelons of defense described in NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, to protect the health and safety of the public. The first echelon is the non-safety control systems, which control the nuclear plant process within its Technical Specification limits. The second echelon of defense is the plant protection system, which automatically shuts down reactivity and provides heat removal in case of an accident. The third echelon of defense is the manual indications and controls that allow operators to manually control the plant. In addition to these echelons of defense, there is an ATWS system to protect the health and safety of the public should an anticipated transient occur without a scram.

This plant modification only impacts the second echelon of defense, the plant protection system, and in particular, two specific trips (Low DNBR Margin and High Local Power Density) in the reactor protection system. The WF3 operating license allows for a computerized digital system to calculate and initiate a reactor trip on low DNBR and High LPD in support of the WF3 accident analysis, as described in the WF3 UFSAR Chapter 7.2.1.1.2.5. As summarized above and described in detail in WF3 UFSAR Chapter 7.2.1.1.2.5, the basic architecture for this aspect of the reactor protection system is a four channel computer system (i.e., CPC) that calculates these parameters and initiates reactor trip signals to the analog reactor protection system. This basic architecture also includes two computers (CEAC 1 and CEAC 2) that calculate a CEA position penalty factor used by all four CPC computers. This plant modification does not invalidate the diversity claims in UFSAR Section 7.2.1.1.8.

The Common Q CPCS upgrade preserves this basic architecture but improves upon it by multiplying the number of CEAC computers from two to eight (2 in each channel) to improve system reliability. There are still four independent CPC channels calculating DNBR and LPD as in the existing architecture.

Therefore, the Defense-in-Depth and Diversity (D3) strategy for WF3 is not impacted by this plant modification.

There are no plans at this time to replace any of the non-safety plant control systems with the Common Q platform which could potentially impact the WF3 D3 strategy. Should the PPS be replaced with a digital system, then compliance to BTP 7-19 would be required.

3.2.19 Compliance to Applicable IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003 Clauses

The licensing basis for WF3 is IEEE Std. 279, and this modification will not change the WF3 licensing basis. This licensing technical report, and this section in particular, demonstrates compliance to the applicable clauses in IEEE Std 603-1991 and IEEE Std 7-4.3.2 for the new system architecture, as identified in ISG-06 (Reference 1), Section D.2.2.1. In addition, IEEE Std 603 Clause 5.11 is addressed in this section.

3.2.19.1 IEEE Std 603-1991

3.2.19.1.1 IEEE Std 603-1991 Clause 5.1

IEEE Std 603-1991, Clause 5.1, Single-Failure Criterion states (in part):

The safety systems shall perform all safety functions required for a design basis event in the presence of:

(1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. IEEE Std 379-1988 [5] provides guidance on the application of the single-failure criterion.[B21].

[

]a,c

3.2.19.1.2 IEEE Std 603-1991 Clause 5.7

IEEE Std 603-1991, Clause 5.7, Capability for Test and Calibration states:

Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987 [3]. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:

(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),

(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and

(3) the capability shall be provided while the generating station is shut down.

[

]a,c

3.2.19.1.3 IEEE Std 603-1991 Clause 5.8.1

IEEE Std 603-1991, Clause 5.8.1, Displays for Manually Controlled Actions states:

The display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems and shall meet the requirements of IEEE Std 497-1981 [9]. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.

[

]a,c

3.2.19.1.4 IEEE Std 603-1991 Clause 5.8.2

IEEE Std 603-1991, Clause 5.8.2, System Status Indication states:

Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.

[

]a,c

3.2.19.1.5 IEEE Std 603-1991 Clause 5.8.3

IEEE Std 603-1991, Clause 5.8.3, Indication of Bypasses, states:

If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

5.8.3.1 This display instrumentation need not be part of the safety systems.

5.8.3.2 This indication shall be automatically actuated if the bypass or inoperative condition (a) is expected to occur more frequently than once a year, and (b) is expected to occur when the affected system is required to be operable.

5.8.3.3 The capability shall exist in the control room to manually activate this display indication.

[

]a,c

3.2.19.1.6 IEEE Std 603-1991 Clause 5.8.4

IEEE Std 603-1991, Clause 5.8.4, Location, states:

Information displays shall be located accessible to the operator. Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions.

[

]a,c

3.2.19.1.7 IEEE Std 603-1991 Clause 5.11

IEEE Std 603, Clause 5.11, Identification states:

In order to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met:

(1) Safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 [61] and IEEE Std 420-1982 [7].

(2) Components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification.

(3) Identification of safety system equipment shall be distinguishable from any identifying markings placed on equipment for other purposes (for example, identification of fire protection equipment, phase identification of power cables).

(4) Identification of safety system equipment and its divisional assignment shall not require frequent use of reference material.

(5) The associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974 (R1990) [8].

[

]a,c

3.2.19.2 IEEE Std 7-4.3.2

3.2.19.2.1 IEEE Std 7-4.3.2 Clause 5.5.2

IEEE Std 7-4.3.2, Clause 5.5.2, Design for Test and Calibration states:

Test and calibration functions shall not adversely affect the ability of the computer to perform its safety function. Appropriate bypass of one redundant channel is not considered an adverse effect in this context.

It shall be verified that the test and calibration functions do not affect computer functions that are not included in a calibration change (e.g., setpoint change).

V&V, configuration management, and QA shall be required for test and calibration functions on separate computers (e.g., test and calibration computer) that provide the sole verification of test and calibration data. V&V, configuration management, and QA shall be required when the test and calibration function is inherent to the computer that is part of the safety system.

V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.

[

]a,c

3.2.19.2.2 IEEE Std 7-4.3.2 Clause 5.5.3

IEEE Std 7-4.3.2, Clause 5.5.3, Fault Detection and Self-Diagnostics states:

Computer systems can experience partial failures that can degrade the capabilities of the computer system, but may not be immediately detectable by the system. Self-diagnostics are one means that can be used to assist in detecting these failures. Fault detection and self-diagnostics requirements are addressed in this subclause.

The reliability requirements of the safety system shall be used to establish the need for self-diagnostics.

Self-diagnostics are not required for systems in which failures can be detected by alternate means in a timely manner. If self-diagnostics are incorporated into the system requirements, these functions shall be subject to the same V&V processes as the safety system functions.

If reliability requirements warrant self-diagnostics, then computer programs shall incorporate functions to detect and report computer system faults and failures in a timely manner. Conversely, self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function, or cause spurious actuations of the safety function. A typical set of self-diagnostic functions includes the following:

- Memory functionality and integrity tests (e.g., PROM checksum and RAM tests)

- Computer system instruction set (e.g., calculation tests)

- Computer peripheral hardware tests (e.g., watchdog timers and keyboards)

- Computer architecture support hardware (e.g., address lines and shared memory interfaces)

- Communication link diagnostics (e.g., CRC checks)

Infrequent communication link failures that do not result in a system failure or a lack of system functionality do not require reporting.

When self-diagnostics are applied, the following self-diagnostic features shall be incorporated into the system design:

a) Self-diagnostics during computer system startup

b) Periodic self-diagnostics while the computer system is operating

c) Self-diagnostic test failure reporting

[

]a,c

3.2.20 FSAR Changes

Appendix A provides draft FSAR markups to aid in the NRC review of the LAR.

3.3 NEW SYSTEM FUNCTIONS (D.2.3 AND D.2.3.1)

The Common Q CPCS replacement is not adding or modifying CPCS design basis functions except for adding new pre-trip alarms for the auxiliary trips.163 The auxiliary trips are defined in the Common Q CPCS System Requirements Specification (Reference 2 as augmented by Reference 21), Appendix A, Section 3.2.5.4. The Common Q CPCS will continue to assure that the DNBR in the reactor core is greater than or equal to the minimum required. The Common Q CPCS will also continue to assure that the Local Power Density in the core does not exceed a value at which fuel centerline melting would occur for the list of design bases anticipated operational occurrences.164 Chapter 15.0 of the WF3 Updated Final Safety Analysis Report (FSAR) presents analytical evaluations of the nuclear steam supply system (NSSS) response to postulated disturbances in process variables and to postulated malfunctions or failures of equipment. The assumptions for CPC performance, response time, and accuracy in Chapter 15.0 will continue to be met with the new system as described in Section 3.2.6.

The existing design functions of the CPCS are tabulated in the document CPCS Design Function Summary, Reference 32. These safety analysis design functions are not changing as a result of the CPCS replacement project. The following information is included:

  • FSAR Events (AOOs/PAs relevant to the plant equipment discussed in the LAR)
  • Credited Trip/Actuation Signals
  • Variable(s) and ranges
  • Nominal (100% RTP) Analytical Limit
  • Number of Channels
  • Coincidence Logic
  • Automated Protection Function (all are reactor trip functions)
  • Interlock / Permissive / Override and conditions for these functions
  • Response Time Assumed in FSAR Event Analysis (note that the response times are modified from the legacy system as noted in Section 3.2.6 of this licensing technical report)

The service/test functions are different to accommodate the difference in hardware. These service and test functions are described in Section 3.2.7. Other non-design basis function changes from the existing CPCS are described below.

3.3.1 Restoring CEA Rate of Change Lock-In

When the CPCS monitors CEA positions, the CEAC program performs validity checks of the CEA input signal. These checks consist of 1) a range check to verify the CEA position is within the CEA operating band and 2) a rate of change check to verify CEA movement is reasonable.165 The range check compares the CEA position to the lower and upper limits of the operating band and to lower and upper failed sensor setpoints, which lie outside the operating band. If the CEA position is detected outside the failed sensor setpoints, the CEA is considered failed; but the failure can be automatically cleared if the position is again detected inside the failed sensor setpoints.166
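As an added illustration of the CEAC validity checks described in Section 3.3.1 (not Westinghouse or Entergy code), the Python below applies the range check against the operating band and the failed-sensor setpoints, the automatic clearing when the position returns inside the setpoints, a rate-of-change check, and the manual reset to a verified good position that Section 3.3.1.1 describes. The numeric limits, the treatment of a rate-of-change failure as latched until that reset, and the sample trace are assumptions.

```python
"""Added illustration of the CEAC input validity checks described in Section
3.3.1 (not Westinghouse or Entergy code).  Range check, failed-sensor
setpoints, automatic clearing and the rate-of-change check follow the text;
the numeric limits, the latching of a rate failure until the manual reset of
Section 3.3.1.1, and the sample trace are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class CeaLimits:
    band_low: float    # lower limit of the CEA operating band
    band_high: float   # upper limit of the CEA operating band
    fail_low: float    # lower failed-sensor setpoint (below band_low)
    fail_high: float   # upper failed-sensor setpoint (above band_high)
    max_step: float    # largest plausible movement between two scans (assumption)


@dataclass
class CeaPositionChannel:
    limits: CeaLimits
    last_valid: Optional[float] = None  # position used while the sensor is failed
    range_failed: bool = False          # clears automatically (from the text)
    rate_failed: bool = False           # latched until reset_position() (assumption)
    log: List[str] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        return self.range_failed or self.rate_failed

    def update(self, position: float) -> Optional[float]:
        """Validate one scan and return the position the CEAC calculation uses.
        While the sensor is failed, the last valid position before the failure
        is used, as the text describes for the CEAC."""
        lim = self.limits
        # 1) Range check against the failed-sensor setpoints.
        if position < lim.fail_low or position > lim.fail_high:
            if not self.range_failed:
                self.log.append(f"range failure: {position} outside failed-sensor setpoints")
            self.range_failed = True
            return self.last_valid
        if self.range_failed:
            # Detected inside the setpoints again: the failure clears automatically.
            self.range_failed = False
            self.log.append(f"range failure cleared at {position}")
        # 2) Rate-of-change check: movement since the last valid scan must be plausible.
        if self.rate_failed:
            return self.last_valid      # held until an operator reset (assumption)
        if self.last_valid is not None and abs(position - self.last_valid) > lim.max_step:
            self.rate_failed = True
            self.log.append(f"rate failure: {self.last_valid} -> {position} in one scan")
            return self.last_valid
        if position < lim.band_low or position > lim.band_high:
            # Outside the operating band but inside the failed-sensor setpoints:
            # flagged here and still used (assumption; the text does not say).
            self.log.append(f"outside operating band at {position}")
        self.last_valid = position
        return position

    def reset_position(self, verified_position: float) -> None:
        """The manual reset of Section 3.3.1.1: set the CEAC position to the
        current good position verified from redundant indication, without a reboot."""
        lim = self.limits
        if verified_position < lim.fail_low or verified_position > lim.fail_high:
            raise ValueError("reset position must lie inside the failed-sensor setpoints")
        self.last_valid = verified_position
        self.rate_failed = False
        self.log.append(f"manual reset to {verified_position}")


# Constructed limits and trace (inches withdrawn); not plant values.
CONSTRUCTED_LIMITS = CeaLimits(band_low=0.0, band_high=150.0,
                               fail_low=-5.0, fail_high=155.0, max_step=5.0)
CONSTRUCTED_TRACE = [10.0, 11.0, 160.0, 12.0, 40.0, 13.0]


def run_constructed_trace() -> List[Optional[float]]:
    """Feed the constructed trace through one channel, then apply the manual
    reset and one more scan; returns the positions the CEAC would have used."""
    channel = CeaPositionChannel(CONSTRUCTED_LIMITS)
    used = [channel.update(p) for p in CONSTRUCTED_TRACE]
    channel.reset_position(13.0)          # operator reset to the verified good position
    used.append(channel.update(14.0))
    return used


if __name__ == "__main__":
    print(run_constructed_trace())  # [10.0, 11.0, 11.0, 12.0, 12.0, 12.0, 14.0]
```

In the trace, the 160.0 reading is rejected by the range check and clears itself on the next in-range scan, while the 12.0 to 40.0 jump trips the rate check and holds 12.0 until the operator reset.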

[

]a,c

3.3.1.1 New CEA Rate of Change Reset

Correcting this coding deficiency in the replacement CPCS would allow the operators to manually reset the CEA position in the CEAC to the current good position (as validated by the redundant RSPT/Pulse Counter position indication) without rebooting, thus reducing operational delays (see Section 3.2.7.2.6). There is no impact on DNBR and LPD. If the condition is due to the software lock-in, then continued group movement will create a deviation and generate a penalty, which is a very conservative response. If the CEA position deviation is real, both CEACs will monitor it and respond accordingly.168

3.3.2 IEEE Std 603-1991 Clause 4 Compliance

IEEE Std 603-1991 Clause 4 requires the plant design basis to be documented for the following criteria.

For each criterion, the impact on the existing design basis for WF3 is indicated as a result of replacing the CPCS with the Common Q platform based system.

Clause 4.1: The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event.

[ ]a,c Clause 4.2: The safety functions and corresponding protective actions of the execute features for each design basis event.

[

]a,c Clause 4.3: The permissive conditions for each operating bypass capability that is to be provided.

[

]a,c Clause 4.4: The variables or combinations of variables, or both, that are to be monitored to manually or automatically, or both, control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.

[

]a,c Clause 4.5: The following minimum criteria for each action identified in 4.2 whose operation may be controlled by manual means initially or subsequent to initiation.

[

]a,c Clause 4.6: For those variables in 4.4 that have a spatial dependence (that is, where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.

[

]a,c Clause 4.7: The range of transient and steady-state conditions of both motive and control power and the environment (for example, voltage, frequency, radiation, temperature, humidity, pressure, and vibration) during normal, abnormal, and accident circumstances throughout which the safety system shall perform.

[

]a,c Clause 4.8: The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).

[

]a,c

[

]a,c Clause 4.9: The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.

[

]a,c Clause 4.10: The critical points in time or the plant conditions, after the onset of a design basis event, including:

Clause 4.10.1: The point in time or plant conditions for which the protective actions of the safety system shall be initiated.

Clause 4.10.2: The point in time or plant conditions that define the proper completion of the safety function.

Clause 4.10.3: The points in time or the plant conditions that require automatic control of protective actions.

Clause 4.10.4: The point in time or the plant conditions that allow returning a safety system to normal.

[

]a,c Clause 4.11: The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.

[

]a,c

[

]a,c Clause 4.12: Any other special design basis that may be imposed on the system design (example: diversity, interlocks, regulatory agency criteria).

[

]a,c

3.3.3 IEEE Std 603-1991 Applicable Clauses for New System Functions

This section demonstrates compliance to the applicable clauses in IEEE Std 603-1991 for new system functions, as identified in ISG-06 (Reference 1), Section D.2.3.1.

3.3.3.1 IEEE Std 603-1991 Clause 5.2

IEEE Std 603-1991, Clause 5.2, Completion of Protective Action states:

The safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion. Deliberate operator action shall be required to return the safety systems to normal. This requirement shall not preclude the use of equipment protective devices identified in 4.11 of the design basis or the provision for deliberate operator interventions. Seal-in of individual channels is not required.

[

]a,c

3.3.3.2 IEEE Std 603-1991 Clause 5.5

IEEE Std 603-1991, Clause 5.5, System Integrity states:

The safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis.

[

]a,c

3.3.3.3 IEEE Std 603-1991 Clauses 5.7, 6.5, 6.5.1 and 6.5.2

IEEE Std 603-1991 Clause 5.7 is addressed in Section 3.2.19.1.2.

IEEE Std 603-1991 Clause 6.5.1 states:

Means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation.

This may be accomplished in various ways; for example:

(1) by perturbing the monitored variable,

(2) within the constraints of 6.6, by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable, or

(3) by cross-checking between channels that bear a known relationship to each other and that have readouts available.

[

]a,c

IEEE Std 603-1991 Clause 6.5.2 states: One of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period:

(1) Checking the operational availability of sensors by use of the methods described in 6.5.1.

(2) Specifying equipment that is stable and retains its calibration during the post-accident time period.

[

]a,c

3.3.3.4 IEEE Std 603-1991 Clause 5.8

This clause is addressed in Sections 3.2.19.1.3 through 3.2.19.1.6.

3.3.3.5 IEEE Std 603-1991 Clause 5.9

IEEE Std 603-1991 Clause 5.9, Control of Access states: The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof.

[

]a,c

[

]a,c

3.3.3.6 IEEE Std 603-1991 Clause 5.10

IEEE Std 603-1991 Clause 5.10, Repair states: The safety systems shall be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.

[

]a,c

3.3.3.7 IEEE Std 603-1991 Clauses 6.6 and 7.4

IEEE Std 603-1991 Clause 6.6, Operating Bypasses states: Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions:

(1) Remove the appropriate active operating bypass(es).

(2) Restore plant conditions so that permissive conditions once again exist.

(3) Initiate the appropriate safety function(s).

[

]a,c

[

]a,c

3.3.3.8 IEEE Std 603-1991 Clauses 6.7 and 7.5

IEEE Std 603-1991 Clause 6.7, Maintenance Bypass states: Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of 5.1 and 6.3.

EXCEPTION: One-out-of-two portions of the sense and command features are not required to meet 5.1 and 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability).

[

]a,c

3.3.3.9 IEEE Std 603-1991 Clause 6.8

IEEE Std 603-1991 Clause 6.8.1, Setpoints states: The allowance for uncertainties between the process analytical limit documented in Section 4.4 and the device setpoint shall be determined using a documented methodology. Refer to ISA S67.040-1987 [18].

[

]a,c

IEEE Std 603-1991 Clause 6.8.2, Setpoints states: Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required. The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features.

[

]a,c

3.3.3.10 IEEE Std 603-1991 Clause 5.3

IEEE Std 603-1991 Clause 5.3, Quality states: Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program (ANSI/ASME NQA1-1989 [16]).

[

]a,c

IEEE Std 7-4.3.2-2003, Clause 5.4.2, Qualification of existing commercial computers, states:

NOTE - See Annex C for more information about commercial grade item dedication.

The qualification process shall be accomplished by evaluating the hardware and software design using the criteria of this standard. Acceptance shall be based upon evidence that the digital system or component, including hardware, software, firmware, and interfaces, can perform its required functions.

The acceptance and its basis shall be documented and maintained with the qualification documentation.

In those cases in which traditional qualification processes cannot be applied, an alternative approach to verify a component is acceptable for use in a safety-related application is commercial grade dedication.

The objective of commercial grade dedication is to verify that the item being dedicated is equivalent in quality to equipment developed under a 10 CFR 50 Appendix B program [B16].

The dedication process for the computer shall entail identification of the physical, performance, and development process requirements necessary to provide adequate confidence that the proposed digital system or component can achieve the safety function. The dedication process shall apply to the computer hardware, software, and firmware that are required to accomplish the safety function. The dedication process for software and firmware shall, whenever possible, include an evaluation of the design process.

There may be some instances in which a design process cannot be evaluated as part of the dedication process. For example, the organization performing the evaluation may not have access to the design process information for a microprocessor chip to be used in the safety system. In this case, it would not be possible to perform an evaluation to support the dedication. Because the dedication process involves all aspects of life cycle processes and manufacturing quality, commercial grade item dedication should be limited to items that are relatively simple in function relative to their intended use.

Commercial grade item dedication involves preliminary phase and detailed phase activities. These phase activities are described in 5.4.2.1 through 5.4.2.2.

[

]a,c

3.3.4 System Requirements Documentation (D.2.3.3 and D.2.3.3.1)

Reference 2 is the CPCS System Requirements Document for the reference design for the Common Q CPCS. The reference design system requirements are based on two requirements documents that define the legacy CPCS functionality:

Functional Design Requirements for a Core Protection Calculator (Reference 36) and Functional Design Requirements for a Control Element Assembly Calculator (Reference 37)

The Common Q CPCS reference design system requirements specification (Reference 2) was developed to migrate the functional requirements of References 36 and 37 to a Common Q CPCS architecture. The result was the Palo Verde CPCS implementation. Note that Revision 7 of Reference 2 (ML032830027) was reviewed by the NRC.

The existing Waterford CPCS is based on the same two functional design requirements documents (References 36 and 37). Therefore, the CPCS reference design is also applicable to the Waterford CPCS replacement, with additional changes to accommodate plant interface differences, requested licensee improvements, and changes in technology in the Common Q platform. Reference 2 is the current revision of the CPCS System Requirements Document for the reference design.

Reference 21 is the WF3 CPCS specific system requirements specification. This document includes additional system features and modifications to reflect the specific WF3 CPCS requirements. It describes the necessary clarifications, additions, changes, and modifications to Reference 2. The WF3 specific system requirements specification supplements Reference 2, and is used by both the hardware and software development teams as a source document for the design of the WF3 CPCS hardware and software.

[

]a,c

[

]a,c

Table 3.3.3-1 ISG-06 System Requirements Document Content a,c

The Reference 21 system requirements specification, Section 2.3.1.3 requires the software to be designed, developed and tested in accordance with the NRC-approved Common Q Software Program Manual (Reference 6). The hardware design requirements are defined in the Westinghouse 10 CFR 50 Appendix B Quality Assurance procedures. The Westinghouse NRC-approved Appendix B quality assurance program is in accordance with NRC Regulatory Guide 1.28, Revision 4, with clarifications, alternatives, and exceptions defined in Appendix A of the NRC-approved QA manual.

Sections 2.3 and 2.4 of the CPCS system requirements specification (Reference 21) define the CPCS dynamic performance requirements including accuracy and response time. The functional requirements are in Appendix A of Reference 2.

Section 2.3.11 of Reference 21 defines the accuracy requirements for the input signals based on the total uncertainties attributable to:

1) loading effects
2) reference voltage supply regulation
3) electrical noise
4) linearity
5) A/D converter power supply sensitivity
6) quantization

The one interlock in the CPCS is the operating bypass function of the CPCS. It avoids a spurious reactor trip when power measured by the nuclear instrumentation is below the bypass permissive set point of 1E-4%. The requirements for the operating bypass function are defined in Reference 21, Sections 2.1.3.3.2, 2.2.1.4.1.3, and 2.7.

The Reference 21 system requirements specification defines the requirements for boundary interfaces with other systems in Section 4 and independence requirements in Section 2.3.9.

Since the CPCS replacement is a modification of a system that is already installed in the plant, the physical constraint is that the replacement must fit within the existing APC, whose internal parts are being replaced; there are no additional physical constraints to be considered beyond the APC. A second constraint applies to the control board in the main control room, where the Common Q Flat Panel Display System will be installed to replace the existing Remote Operator Panel. The design of the parts will take into account fitting within the existing APC and control board space. The Reference 2 system requirements specification and the Reference 21 WF3 system requirements specification define this as an installation constraint.

The CPCS system requirements specification (Reference 21) defines the operator and maintenance technician interface requirements in Sections 2.1.1.4 and 2.1.2.1.

The requirements for equipment qualification to environmental conditions are specified in Section 3.1.4 of Reference 21. That same section refers to the seismic and electromagnetic compatibility requirements in the Common Q Topical Report (Reference 4), Section 8.

The Reference 21 system requirements specification defines the service/test functions that will be deployed for the CPCS in Section 2.2.1.4.

3.4 FUNCTION ALLOCATION (D.2.4 AND D.2.4.1)

The allocation of design functions is described in Sections 3.2.1 and 3.2.2. The CPC logic is defined in Reference 21, Appendix A, Sections 3.2.1 - 3.2.5. This logic is executed in the CPC PM646A in the CPC AC160 controller.

The CEAC logic is defined in Reference 21, Appendix A, Section 3.2.6. This logic is executed in the CEAC PM646A in both CEAC AC160 controllers. CEAC 1 PM646A uses the RSPT1 signals, and CEAC 2 PM646A uses the RSPT2 signals.

The allocation of service/test functions is described in Section 3.2.7. Some of these functions are operator- or technician-initiated calibrations and tests. Other functions report status from the self-diagnostic functions within the AC160 controllers. These are described in Section 3.1.1.1.3 of the CPCS system requirements specification (Reference 21).

The description of how the response time of the new design meets the response times credited in the accident analysis is found in Sections 3.2.1.1 and 3.2.6. The response time analysis includes the time delays associated with cross channel communications of the RSPT signals.

For the discussion on system interfaces, see Section 3.5.

3.5 SYSTEM INTERFACES (D.2.5)

This section describes each of the CPCS channel external interfaces. The implementation of these interfaces is identical to the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

3.5.1 CEA Position Cross Channel Communication

Section 3.2.2 describes this cross channel communication using the unidirectional, fiber optically isolated HSL communication. Section 3.2.9.1 provides the justification for this cross channel communication.

There is cross channel communication in the existing CPCS implementation. The replacement system increased the redundancy of the CEAC processors in the architecture and re-purposed the cross channel communication from communicating PFs to communicating CEA positions. [191] The CPC trip function uses channelized target CEAs for the Low DNBR and High LPD trips. The cross channel CEA positions are used for calculating a PF to be applied to the algorithm in a conservative direction.

Section 3.2.16 demonstrates how communication hazards are controlled via HSL communication compliance to DI&C-ISG-04. These cross channel comparison communication paths have no external path (e.g., human contact point) to jeopardize the secure operating environment of the CPCS.

This cross channel CEA position communication function is identical to the Palo Verde CPCS replacement that was reviewed and approved by the NRC.

3.5.2 PPS Interface

The PPS interface is a hardwired interface as described in Section 3.2.8.1. It is the only external hardwired safety-related interface except for the safety-related indications on the control board. The purpose of the PPS interface is to provide the PPS with two trip inputs, Low DNBR and High LPD. It also provides a control rod withdrawal prohibit (CWP) digital signal. CWP is initiated by the CPCS channel on the following conditions:

  • High LPD Pre-trip
  • CEA Group Out of Sequence
  • Subgroup Deviation alarm
  • Group P CEA Group excessive insertion
  • CEA deviation or reactor power cutback input from the channel CEACs [192]

The PPS two-out-of-four coincidence logic for the CPCS trips protects the plant from a spurious reactor trip due to a failure in a CPCS channel that spuriously actuates these hardwired trip signals (e.g., WWDT actuation on CPC PM646A failure). [193]

The CPC receives the PPS operating bypass permissive signal (excore power < 1E-4 % power) via a hardware digital input (see the Section 3.2.1 discussion of the DI620 module).

The Test Enable signal is generated when the Low DNBR and High LPD trips are in trip channel bypass in the PPS. This signal drives an IRP relay and is read by the Digital Input card of the CPC AC160 Rack.

One of the IR's contact outputs (two Form C contacts) is used to generate an MTP test enable input signal.

The relay contacts are subject to low voltage (5 Vdc for the MTP and 24 Vdc for the DI card) and current. [194] These hardwired interface functions are identical to the existing CPCS implementation and to the CPCS replacement at Palo Verde that was reviewed and approved by the NRC.
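The operating bypass rules of Clause 6.6 (Section 3.3.3.7) and the PPS trip path described in this section, as a small added Python model that is not code from this report or from the Common Q platform. The class and function names, the operator bypass request, and the choices that a failed channel asserts both trip outputs and that an active bypass suppresses both trip functions are assumptions made for the example and are marked in the comments.

```python
# Added illustrative model (not from WCAP-18484 or the Common Q platform) of the
# CPCS-to-PPS trip path: four channels, Low DNBR and High LPD trip outputs,
# an operating bypass permitted only below the 1E-4 % power permissive, and
# PPS two-out-of-four coincidence per trip function.
from dataclasses import dataclass, field
from typing import Dict, List

BYPASS_PERMISSIVE_PCT = 1e-4            # bypass permissive set point, % power (from the report)
TRIP_FUNCTIONS = ("LOW_DNBR", "HIGH_LPD")
N_CHANNELS = 4                          # four redundant CPCS channels
COINCIDENCE = 2                         # PPS two-out-of-four voting


@dataclass
class Channel:
    """One CPCS channel as seen at the hardwired PPS interface (assumed model)."""
    calculated_trips: Dict[str, bool] = field(
        default_factory=lambda: {fn: False for fn in TRIP_FUNCTIONS})
    bypass_active: bool = False         # operating bypass state, held in the channel (assumption)
    failed: bool = False                # e.g. WWDT actuation on processor failure

    def trip_output(self, fn: str) -> bool:
        """Hardwired trip signal sent to the PPS for one trip function."""
        if self.failed:
            return True                 # assumption: a failed channel asserts both trips (fail-safe)
        if self.bypass_active:
            return False                # assumption: the bypass suppresses both low-power trips
        return self.calculated_trips[fn]


def permissive_met(excore_power_pct: float) -> bool:
    """PPS operating bypass permissive: excore power below 1E-4 %."""
    return excore_power_pct < BYPASS_PERMISSIVE_PCT


def update_operating_bypass(ch: Channel, excore_power_pct: float,
                            operator_requests_bypass: bool) -> bool:
    """Apply the Clause 6.6 rules to one channel's operating bypass.

    - The bypass cannot be activated while the permissive is not met.
    - An active bypass that is no longer permissible is removed automatically,
      with no operator action (the 'remove the active operating bypass' option).
    """
    if not permissive_met(excore_power_pct):
        ch.bypass_active = False
    elif operator_requests_bypass:      # assumption: bypass is requested by the operator
        ch.bypass_active = True
    return ch.bypass_active


def pps_trip(channels: List[Channel], fn: str) -> bool:
    """Two-out-of-four coincidence for one trip function."""
    votes = sum(1 for ch in channels if ch.trip_output(fn))
    return votes >= COINCIDENCE


def reactor_trip(channels: List[Channel]) -> Dict[str, bool]:
    """PPS trip decision for every trip function."""
    return {fn: pps_trip(channels, fn) for fn in TRIP_FUNCTIONS}


def scenario_single_channel_failure() -> Dict[str, bool]:
    """At power, one channel fails (asserts both trips); no other channel trips."""
    channels = [Channel() for _ in range(N_CHANNELS)]
    channels[0].failed = True
    return reactor_trip(channels)       # the single spurious trip is outvoted


def scenario_failure_plus_genuine_trip() -> Dict[str, bool]:
    """One failed channel plus a genuine Low DNBR trip in another channel."""
    channels = [Channel() for _ in range(N_CHANNELS)]
    channels[0].failed = True
    channels[2].calculated_trips["LOW_DNBR"] = True
    return reactor_trip(channels)       # Low DNBR reaches 2-of-4; High LPD does not


def scenario_bypass_lifecycle() -> List[bool]:
    """Bypass requested at 10 % power (refused), at 1E-5 % (allowed), then power
    rises to 1E-3 % with the operator still requesting bypass (auto-removed)."""
    ch = Channel()
    return [update_operating_bypass(ch, 10.0, True),
            update_operating_bypass(ch, 1e-5, True),
            update_operating_bypass(ch, 1e-3, True)]
```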

3.5.3 Plant Annunciator System Interface

The CPCS channel provides hardwired outputs to the plant annunciator system as described in Section 3.2.8.1. The implementation of these hardwired outputs is identical to the CPCS replacement at Palo Verde that was reviewed and approved by the NRC.

3.5.4 OM and MTP Print Screen Interface

This function allows the operator or technician to capture any screen displayed on the OM or MTP for printing external to the CPCS. [195] The MTP and OM transmit the screen capture file [

]a,c

[

]a,c

3.5.5 Plant Monitoring System Interface

Each channel's MTP provides a unidirectional fiber optically isolated Ethernet data link to the plant computer [

]a,c

3.5.6 CEAPD Interface

Each channel's MTP provides a unidirectional fiber optically isolated Ethernet data link to the CEAPD [

]a,c

3.5.7 MTP Time Synchronization Interface

The existing CPCS includes no capability to provide time stamping of any display functions. In the legacy CPCS, sensor failures are logged in hours since the last auto restart rather than being keyed to a real-time clock.

The replacement CPCS includes time synchronization using an inter-range instrumentation group (IRIG) input to the MTP in each channel, as described in Section 3.2.16. This communication is the only external communication coming into the CPCS channel. [203] [

]a,c

[

]a,c

Compliance to DI&C-ISG-04 is demonstrated in Table 3.2.16-1, DI&C-ISG-04 Compliance.

This implementation is identical to the implementation at Palo Verde for the replacement CPCS and was reviewed and approved by the NRC. The same implementation is running in the Common Q CPCS at Shin Kori Units 1-4 and Shin Wolsong Units 1 and 2.

3.5.8 Support and Auxiliary System Interfaces

There is no direct interface between the CPCS and the control room HVAC where the APC is located. [209] Section 3.2.5 discusses the demonstration of compatibility of the replacement CPCS with the HVAC requirements in the control room.

Each channel of the CPCS is powered from the vital bus power supply system 1E inverter (Section 3.2.14). The CPCS complies with IEEE 603-1991 Clause 8.1 because it is using the existing WF3 vital power that meets its licensing basis for an electrical power source. IEEE 603-1991, Clause 8.2 does not apply because the CPCS only uses electrical power. The CPCS is compliant to IEEE 603-1991 Clause 8.3 via the trip channel bypass described in Section 3.2.8.1 (DI620 module discussion).

These interfaces are identical to the implementation of the Palo Verde CPCS that was reviewed and approved by the NRC.

3.5.9 Safety to Non-Safety Isolation Requirements

Data communications to non-safety systems use fiber optic cable to provide electrical isolation. The IRP relay provides electrical isolation to the non-safety annunciator system. The IRP relay contacts are rated to switch a voltage of at least 200 V and a current of at least 0.200 A. [210] The IRP is described in Section 3.2.8.1; digital data communications are described in Section 3.2.16.

3.5.10 IEEE Std 603 and IEEE Std 7-4.3.2 Relevant Clauses

The following clauses of IEEE Std 603-1991 and IEEE Std 7-4.3.2 are relevant to the discussion of system interfaces as identified in DI&C-ISG-06 (Reference 1), Section D.2.5.

3.5.10.1 IEEE Std 603 Clause 5.6.1

Clause 5.6.1, Independence Between Redundant Portions of a Safety System, states: Redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design basis event requiring that safety function.

[

]a,c

3.5.10.2 IEEE Std 603 Clause 5.6.2

Clause 5.6.2, Independence Between Safety Systems and Effects of Design Basis Event, states: Safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability to meet the requirements of this standard. Equipment qualification in accordance with 5.4 is one method that can be used to meet this requirement.

[

]a,c

3.5.10.3 IEEE Std 603 Clause 5.6.3

Clause 5.6.3, Independence Between Safety Systems and Other Systems, states: The safety system design shall be such that credible failures in and consequential actions by other systems, as documented in 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard.

[

]a,c

3.5.10.3.1 IEEE Std 603 Clause 5.6.3.1

Clause 5.6.3.1, Interconnected Equipment, states:

(1) Classification: Equipment that is used for both safety and nonsafety functions shall be classified as part of the safety systems. Isolation devices used to effect a safety system boundary shall be classified as part of the safety system.

(2) Isolation: No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system.

[

]a,c

3.5.10.3.2 IEEE Std 603 Clause 5.6.3.2

Clause 5.6.3.2, Equipment in Proximity, states:

(1) Separation: Equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems' capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1981.

(2) Barriers: Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4 and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.

[

]a,c

3.5.10.3.3 IEEE Std 603 Clause 5.6.3.3

Clause 5.6.3.3, Effects of a Single Random Failure, states: Where a single random failure in a nonsafety system can (1) result in a design basis event, and (2) also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. See IEEE Std 379-1988 [5] for the application of this requirement.

[

]a,c

3.5.10.4 IEEE Std 603 Clause 5.6.4

Clause 5.6.4, Detailed Criteria, states: IEEE Std 384-1981 [6] provides detailed criteria for the independence of Class 1E equipment and circuits [B3].

[

]a,c

3.5.10.5 IEEE Std 7-4.3.2 Clause 5.6

Clause 5.6 states: In addition to the requirements of IEEE Std 603-1998, data communication between safety channels or between safety and nonsafety systems shall not inhibit the performance of the safety function.

IEEE Std 603-1998 requires that safety functions be separated from nonsafety functions such that the nonsafety functions cannot prevent the safety system from performing its intended functions. In digital systems, safety and nonsafety software may reside on the same computer and use the same computer resources.

Either of the following approaches is acceptable to address the previous issues:

a) Barrier requirements shall be identified to provide adequate confidence that the nonsafety functions cannot interfere with performance of the safety functions of the software or firmware.

The barriers shall be designed in accordance with the requirements of this standard. The nonsafety software is not required to meet these requirements.

b) If barriers between the safety software and nonsafety software are not implemented, the nonsafety software functions shall be developed in accordance with the requirements of this standard.

Guidance for establishing communication independence is provided in Annex E.

[

]a,c

3.5.10.6 IEEE Std 603 Clause 5.12

IEEE Std 603-1991 Clause 5.12 defines criteria for Auxiliary Features. The following sections describe compliance to the underlying subclauses 5.12.1 and 5.12.2.

3.5.10.6.1 IEEE Std 603 Clause 5.12.1

Clause 5.12.1 states: Auxiliary supporting features shall meet all requirements of this standard.

[

]a,c

3.5.10.6.2 IEEE Std 603 Clause 5.12.2

Clause 5.12.2 states: Other auxiliary features that (1) perform a function that is not required for the safety systems to accomplish their safety functions, and (2) are part of the safety systems by association (that is, not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level.

Examples of these other auxiliary features are shown in Fig 3, and an illustration of the application of this criterion is contained in Appendix A.

[

]a,c

3.5.10.7 IEEE Std 603 Clause 5.14

Clause 5.14, Human Factors Considerations, states: Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals, in accordance with IEEE Std 1023-1988 [12].

[

]a,c

3.5.10.8 IEEE Std 603 Clauses 8.1 - 8.3

These clauses are addressed in Section 3.5.8.

3.6 FUNDAMENTAL DESIGN PRINCIPLES IN THE NEW ARCHITECTURE

This section discusses how the CPCS replacement meets the four fundamental design principles: Redundancy, Independence, Deterministic Behavior, and Defense-in-Depth and Diversity, and the attribute Simplicity of Design.

3.6.1 Redundancy (D.2.6.2.1)

The replacement CPCS mirrors the existing CPCS redundancy by providing four independent channels of CPC that calculate and initiate trips for Low DNBR and High LPD. The replacement CPCS enhanced the redundancy of the CPCS by putting CEAC 1 and 2 AC160 controllers in each channel rather than relying on two CEACs in the existing CPCS. The safety-related data communications (i.e., AF100 bus and HSL) are redundant communication channels providing better availability of the CPCS. [214] The replacement CPCS enhanced redundancy within a channel by providing redundant AI688 modules to read the process inputs for the CPC (except for the RCP speed). [215] The replacement CPCS also provides redundant data acquisition within a channel for the CEA positions (CPP 1 and CPP 2, see discussion on the PM646A CPP Processor Module in Section 3.2.2).

Reference 39 is the Failure Modes and Effects Analysis (FMEA) for the WF3 CPCS that uses the redundancy of the system to meet IEEE Std 603-1991 single failure criterion. The FMEA is a bounding analysis. It postulates higher level failures that cover lower level failures that would have the same impact on the system.

The impact of WF3 plant failures on the CPCS is the same for both the existing CPCS and the replacement CPCS. The EQ Summary Report (Reference 35) documents the qualification of the CPCS equipment to mitigate against WF3 design basis events.

3.6.1.1 Relevant IEEE Std 7-4.3.2 Clauses

This section documents compliance to IEEE Std 7-4.3.2-2003 clauses deemed relevant by DI&C-ISG-06, Section D.2.6.2.1.2 (Reference 1).

3.6.1.1.1 IEEE Std 7-4.3.2 Clause 5.1

Clause 5.1 states: No requirements beyond IEEE Std 603-1998 are necessary (see also Annex B).

IEEE Std 603-1991, Clause 5.1 is addressed in Section 3.2.19.1.1.

3.6.1.1.2 IEEE Std 7-4.3.2 Clause 5.15

Clause 5.15, Reliability, states:

NOTE - See Annex F for more information about the reliability criterion.

In addition to the requirements of IEEE Std 603-1998, when reliability goals are identified, the proof of meeting the goals shall include the software. The method for determining reliability may include combinations of analysis, field experience, or testing. Software error recording and trending may be used in combination with analysis, field experience, or testing.

[

]a,c

3.6.1.1.3 IEEE Std 7-4.3.2 Clause 6.7

IEEE Std 7-4.3.2-2003 does not have additional criteria for IEEE Std 603-1991 Clause 6. IEEE Std 603-1991 Clause 6.7 is addressed in Section 3.3.3.8.

3.6.1.1.4 IEEE Std 7-4.3.2 Clause 7.5

IEEE Std 7-4.3.2-2003 does not have additional criteria for IEEE Std 603-1991 Clause 7. IEEE Std 603-1991 Clause 7.5 is addressed in Section 3.3.3.8.

3.6.1.2 IEEE Std 379 Criteria

IEEE Std 603-1991 cites IEEE Std 379-1988 for guidance on the application of the single failure criterion. NRC Regulatory Guide 1.53 endorsed IEEE Std 379-2000. The following paragraphs address compliance to IEEE Std 379-2000.

Clause 5.1 addresses independence and redundancy. [ ]a,c

Clause 5.2 addresses non-detectable failures. [ ]a,c

Clause 5.3 addresses cascaded failures. [ ]a,c

Clause 5.4 addresses design basis events. [ ]a,c

Clause 5.5 addresses common-cause failures. [ ]a,c

Clause 5.6 addresses shared systems. [ ]a,c

Clause 6 addresses design analysis for single failure. [ ]a,c

3.6.1.3 GDC 21

GDC 21 Protection System Reliability and Testability states: The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

[ ]a,c

3.6.1.4 GDC 24

GDC 24 Separation of Protection and Control Systems states: The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

[ ]a,c

3.6.2 Independence (D.2.6.2.2)

The WF3 CPCS replacement maintains the independence of the existing CPCS. It provides four functionally and electrically independent CPCS channels, each of which calculates and initiates the Low DNBR and High LPD trip signals.

For electrical independence see Section 3.2.8. For functional and electrical independence of data communications see Section 3.2.16; that section describes the unidirectional communications between channels of the CPCS and between the CPCS and non-safety systems, which meet the IEEE Std 384 criteria for independence of Class 1E equipment and circuits.

3.6.2.1 Relevant IEEE Std 7-4.3.2 Clauses

This section documents compliance to the IEEE Std 7-4.3.2-2003 clauses deemed relevant by DI&C-ISG-06, Section D.2.6.2.2.2 (Reference 1).

3.6.2.1.1 IEEE Std 7-4.3.2 Clause 5.6

Clause 5.6 is addressed in Section 3.5.10.5.

3.6.2.1.2 IEEE Std 7-4.3.2 Clause 5.11

Clause 5.11 states: To provide assurance that the required computer system hardware and software are installed in the appropriate system configuration, the following identification requirements specific to software systems shall be met:

a) Firmware and software identification shall be used to assure the correct software is installed in the correct hardware component.

b) Means shall be included in the software such that the identification may be retrieved from the firmware using software maintenance tools.

c) Physical identification requirements of the digital computer system hardware shall be in accordance with the identification requirements in IEEE Std 603-1998.

[ ]a,c
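How Westinghouse meets items a) to c) is in the withheld text above. As an added illustration that is not the Common Q implementation, the Python below shows the check a maintenance tool has to make possible: each component reports its hardware part, software identifier and image digest, and the check compares those against a configuration baseline and reports any slot whose hardware, identifier or digest does not match. The record format, slot names, software identifiers, image contents and digests are constructed for this example; PM646A and AI688 are module names taken from this report and nothing else about them is implied.

```python
"""Check that each hardware component carries the software its
configuration baseline calls for (the intent of IEEE Std 7-4.3.2
Clause 5.11 a-c). Added example, not Common Q tooling: the record
format, slot names, software identifiers and image contents are
constructed for this page."""
import hashlib
import shlex


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for released images; a real baseline takes the
# digest from the software release record, not from a recomputed file.
RELEASED_IMAGES = {
    "CPC_APP 3.1": b"constructed cpc application image 3.1",
    "CEAC_APP 3.1": b"constructed ceac application image 3.1",
    "AI688_FW 2.0": b"constructed ai688 firmware image 2.0",
}

# Configuration baseline: slot -> (hardware part, software id, image digest).
# PM646A and AI688 are module names that appear in this report; the slot
# names and the pairing with software ids are assumptions.
BASELINE = {
    "CH-A/PM1": ("PM646A", "CPC_APP 3.1", sha256_hex(RELEASED_IMAGES["CPC_APP 3.1"])),
    "CH-A/PM2": ("PM646A", "CEAC_APP 3.1", sha256_hex(RELEASED_IMAGES["CEAC_APP 3.1"])),
    "CH-A/AI1": ("AI688", "AI688_FW 2.0", sha256_hex(RELEASED_IMAGES["AI688_FW 2.0"])),
}


def parse_record(line: str) -> dict:
    """Parse one identification record in the assumed key=value form a
    maintenance tool might return: slot=... hw=... sw="..." sha256=..."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        fields[key] = value
    missing = {"slot", "hw", "sw", "sha256"} - fields.keys()
    if missing:
        raise ValueError(f"record missing {sorted(missing)}: {line!r}")
    return fields


def verify(records, baseline=BASELINE):
    """Compare retrieved identification records against the baseline.
    Returns sorted (slot, finding) pairs; empty means every baselined slot
    reports the expected hardware, software id and image digest."""
    findings = []
    seen = set()
    for line in records:
        rec = parse_record(line)
        slot = rec["slot"]
        seen.add(slot)
        if slot not in baseline:
            findings.append((slot, "slot not in baseline"))
            continue
        hw, sw, digest = baseline[slot]
        if rec["hw"] != hw:
            findings.append((slot, f"hardware mismatch: {rec['hw']} != {hw}"))
        if rec["sw"] != sw:
            findings.append((slot, f"software id mismatch: {rec['sw']} != {sw}"))
        elif rec["sha256"].lower() != digest:
            # Right version string, different bytes: an unreleased or altered build.
            findings.append((slot, "image digest mismatch for correct software id"))
    for slot in baseline.keys() - seen:
        findings.append((slot, "no identification record retrieved"))
    return sorted(findings)


# Constructed records "retrieved" from channel A: PM2 carries the CPC image
# where the CEAC image belongs, and AI1 reports the right id over altered bytes.
SAMPLE_RECORDS = [
    f'slot=CH-A/PM1 hw=PM646A sw="CPC_APP 3.1" sha256={BASELINE["CH-A/PM1"][2]}',
    f'slot=CH-A/PM2 hw=PM646A sw="CPC_APP 3.1" sha256={BASELINE["CH-A/PM1"][2]}',
    f'slot=CH-A/AI1 hw=AI688 sw="AI688_FW 2.0" sha256={sha256_hex(b"altered ai688 image")}',
]

if __name__ == "__main__":
    for slot, finding in verify(SAMPLE_RECORDS) or [("-", "all slots match baseline")]:
        print(f"{slot}: {finding}")
```

Comparing the digest as well as the identifier is the part worth keeping: a component can report the correct version string while running a build that was never released, and only the digest taken from the release record tells the two apart. The same pass also catches the converse error, a correct image loaded on the wrong hardware component, which is the case item a) is written for.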


3.6.2.1.3 IEEE Std 7-4.3.2 Clause 6.3

IEEE Std 7-4.3.2 states that there are no additional requirements beyond IEEE Std 603 Clause 6. IEEE Std 603 Clause 6.3, Interaction Between the Sense and Command Features and Other Systems, has two subclauses, 6.3.1 and 6.3.2.

IEEE Std 603-1991 Clause 6.3.1 states: Where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, one of the following requirements shall be met:

(1) Alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis. Alternate channels shall be selected from the following:

(a) Channels that sense a set of variables different from the principal channels.

(b) Channels that use equipment different from that of the principal channels to sense the same variable.

(c) Channels that sense a set of variables different from those of the principal channels using equipment different from that of the principal channels. Both the principal and alternate channels shall be part of the sense and command features.

(2) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases. Such equipment is considered a part of the safety system.

See Fig 5 for a decision chart for applying the requirements of this section.

[ ]a,c

IEEE Std 603-1991, Clause 6.3.2 states: Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.

[ ]a,c

3.6.2.2 RG 1.75

NRC Regulatory Guide 1.75 (RG 1.75) applies to one aspect of this license amendment. The APC MUX function that transmits the amplified fixed incore detector signals to the plant monitoring computer is a non-safety related system residing in the APC in close proximity to the CPCS. This equipment is considered an associated circuit as described in RG 1.75. As a result, the APC MUX equipment is qualified to Class 1E requirements to demonstrate that the non-safety related system will not adversely impact the safety related CPCS (see Sections 3.2.4 and 3.5.10.3.2).

3.6.2.3 Applicable 10 CFR 50 Appendix A General Design Criteria

The following sections address the GDCs listed in Reference 1, Section D.2.6.2.2.2 for the fundamental principle of Independence.

3.6.2.4 GDC 13 Instrumentation and Control

GDC 13 states: Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

[ ]a,c

3.6.2.5 GDC 21 Protection System Reliability and Testability

Compliance to GDC 21 is discussed in Section 3.6.1.3.

3.6.2.6 GDC 22 Protection System Independence

GDC 22 states: The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

[ ]a,c

3.6.2.7 GDC 23 Protection System Failure Modes

GDC 23 states: The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

[ ]a,c

3.6.2.8 GDC 24 Separation of Protection and Control Systems

CPCS compliance to GDC 24 is discussed in Section 3.6.1.4.

3.6.3 Deterministic Behavior (D.2.6.2.3)

The fundamental element for deterministic behavior of the CPCS is the AC160 PM646A controller and its cyclic execution of the application programs described in Sections 3.2.1.1 and 3.2.2.1. The cycle times of the CPC and CEAC PF application programs are established to meet the response time requirements for the Chapter 15 events as described in Section 3.2.6. [ ]a,c

The WF3 CPCS timing analysis calculates the worst possible response time for each event in Chapter 15 of the FSAR (see Section 3.2.6).
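The bound such a timing analysis has to establish can be illustrated with a small model of chained cyclic stages. The Python below is an added example written for this page, not the WF3 timing analysis or Westinghouse code: the sample-compute-write schedule, the two-stage chain, the cycle times, the input and output delays and the response-time requirement are all assumed, since the real values are plant specific and not given here. It sweeps the instant at which a process variable crosses its setpoint across every phase relationship between the stages, compares the worst response seen with the analytic bound of two cycles per unsynchronized stage plus the fixed delays, and checks that the bound, not a typical value, meets the requirement.

```python
"""Worst-case response time of a chain of cyclic (time-triggered) stages.

Added example, not the WF3 timing analysis or Westinghouse code. The
sample-compute-write schedule, the two-stage chain, the cycle times, the
delays and the requirement are assumed values; all times are integer
microseconds so the sweep is exact."""
import math
from dataclasses import dataclass
from functools import reduce


@dataclass(frozen=True)
class Stage:
    name: str
    cycle_us: int  # fixed cycle time of this stage's cyclic executive


def stage_output_time(ready_us: int, stage: Stage) -> int:
    """An input available at ready_us is read at the next cycle start at or
    after that instant (cycle starts at multiples of cycle_us), processed
    during that cycle, and its result is written at the end of the cycle."""
    next_sample = -(-ready_us // stage.cycle_us) * stage.cycle_us  # integer ceiling
    return next_sample + stage.cycle_us


def response_time(arrival_us: int, stages, sensor_delay_us: int, output_delay_us: int) -> int:
    """Elapsed time from the process variable crossing its setpoint to the
    trip output being asserted, for one particular arrival instant."""
    t = arrival_us + sensor_delay_us  # input conditioning / filter delay
    for stage in stages:
        t = stage_output_time(t, stage)
    return t + output_delay_us - arrival_us


def analytic_bound(stages, sensor_delay_us: int, output_delay_us: int) -> int:
    """Each unsynchronized stage can cost up to two cycles: almost one
    waiting for its next sample instant and one executing."""
    return sensor_delay_us + sum(2 * s.cycle_us for s in stages) + output_delay_us


def sweep_worst_case(stages, sensor_delay_us: int, output_delay_us: int, step_us: int = 50) -> int:
    """Sweep the arrival instant over one full phase pattern of the stage
    cycles (their least common multiple) and return the worst response seen."""
    horizon = reduce(lambda a, b: a * b // math.gcd(a, b), (s.cycle_us for s in stages))
    return max(response_time(a, stages, sensor_delay_us, output_delay_us)
               for a in range(0, horizon, step_us))


def meets_requirement(stages, sensor_delay_us: int, output_delay_us: int, required_us: int) -> bool:
    """The check a timing analysis has to close: the analytic bound, not a
    typical or even the worst measured value, is within the requirement."""
    bound = analytic_bound(stages, sensor_delay_us, output_delay_us)
    if sweep_worst_case(stages, sensor_delay_us, output_delay_us) > bound:
        raise AssertionError("model exceeds its own analytic bound")
    return bound <= required_us


# Constructed chain: a penalty-factor stage (CEAC-like) feeding a trip
# calculation stage (CPC-like), with assumed cycle times and delays.
STAGES = (Stage("PF", 100_000), Stage("TRIP", 80_000))
SENSOR_DELAY_US = 10_000
OUTPUT_DELAY_US = 15_000
REQUIRED_US = 400_000  # assumed requirement for the event under analysis

if __name__ == "__main__":
    print("analytic bound :", analytic_bound(STAGES, SENSOR_DELAY_US, OUTPUT_DELAY_US), "us")
    print("worst observed :", sweep_worst_case(STAGES, SENSOR_DELAY_US, OUTPUT_DELAY_US), "us")
    print("meets", REQUIRED_US, "us:", meets_requirement(STAGES, SENSOR_DELAY_US, OUTPUT_DELAY_US, REQUIRED_US))
```

An input that arrives just after a stage's sample instant waits almost a full cycle before it is read, which is why each unsynchronized stage contributes up to two cycles and why the analytic bound (385 ms in the constructed case) exceeds the worst value the sweep finds (about 365 ms). Lengthening a cycle to make room for more application code moves the bound directly, which is the trade behind the report's statement that the cycle times are set by the Chapter 15 response time requirements.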

3.6.3.1 Applicable IEEE Std 603 and IEEE Std 7-4.3.2 Clauses

The following sections address the clauses of IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003 identified in Section D.2.6.2.3.2 of Reference 1.

3.6.3.1.1 IEEE Std 603 Clause 5.2

There is no corresponding Clause 5.2 in IEEE Std 7-4.3.2; Clause 5.2 in IEEE Std 603 is addressed in Section 3.3.3.1.

3.6.3.1.2 IEEE Std 603 Clause 5.5 and IEEE Std 7-4.3.2 Clauses 5.5.1 - 5.5.3

Clause 5.5 in IEEE Std 603 is addressed in Section 3.3.3.2.

IEEE Std 7-4.3.2 Clause 5.5.1 states: Design for computer integrity. The computer shall be designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function. For example, input and output processing failures, precision or roundoff problems, improper recovery actions, electrical input voltage and frequency fluctuations, and maximum credible number of coincident signal changes.

If the system requirements identify a safety system preferred failure mode, failures of the computer shall not preclude the safety system from being placed in that mode. Performance of computer system restart operations shall not result in the safety system being inhibited from performing its function.

[ ]a,c

IEEE Std 7-4.3.2 Clause 5.5.2 is addressed in Section 3.2.19.2.1.

IEEE Std 7-4.3.2 Clause 5.5.3 is addressed in Section 3.2.19.2.2.

3.6.3.1.3 IEEE Std 603 Clause 6.1

IEEE Std 603 states: Automatic Control. Means shall be provided to automatically initiate and control all protective actions except as justified in 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5.

[ ]a,c

3.6.3.1.4 IEEE Std 603 Clause 6.2

IEEE Std 603 Clause 6.2 contains the criteria for Manual Control. [ ]a,c

3.6.3.1.5 IEEE Std 603 Clause 7.1

Clause 7 of IEEE Std 603 contains the criteria for the execute features that carry out the protective action. [ ]a,c

3.6.3.2 Applicable 10 CFR 50 Appendix A General Design Criteria

This section describes CPCS compliance to the GDCs listed in Section D.2.6.2.3.2 of Reference 1.

3.6.3.2.1 GDC 13 Instrumentation and Control

GDC 13 is addressed in Section 3.6.2.4.


3.6.3.2.2 GDC 21 Protection System Reliability and Testability

GDC 21 is addressed in Section 3.6.2.5.

3.6.3.2.3 GDC 23 Protection System Failure Modes

GDC 23 is addressed in Section 3.6.2.7.

3.6.3.2.4 GDC 29 Protection Against Anticipated Operational Occurrences

GDC 29 states: The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.

[ ]a,c

3.6.4 Defense-in-Depth and Diversity (D.2.6.2.4)

Section 3.2.18 explains the licensing basis for why the existing defense-in-depth strategy for WF3 has not changed as a result of the replacement of the CPCS.

Reference 1 identifies GDC 13, 22 and 24 to be applicable to this fundamental principle. These GDCs are addressed in Sections 3.6.2.4, 3.6.2.6, and 3.6.2.8 respectively.

3.6.5 Simplicity of Design (D.2.6.2.5)

The design of the replacement system is very similar to the design of the existing CPCS. There are four independent CPCs that run the same application program [ ]a,c. In the existing system, there are two CEACs that calculate a PF to steer the DNBR and LPD calculations in a conservative direction based on CEA deviations. However, instead of two CEACs shared among the four CPC channels, each CPC channel now has its own CEAC 1 and CEAC 2.

This change increases availability by replicating the CEAC 1 and CEAC 2 functions in each CPCS channel. To support this, the CEA positions are shared among the four channels using fiber-optically isolated, unidirectional HSLs. This design change is identical to the implementation at Palo Verde that was reviewed and approved by the NRC.

Another design change in the replacement CPCS is the use of an IRIG data link to synchronize time to a site wide standard clock. This significantly reduces the WF3 staff burden when analyzing reports generated by the CPCS. The hazards for this data link are discussed in Sections 3.2.16 and 3.5.7. This design change is identical to the Palo Verde replacement CPCS that was reviewed and approved by the NRC.


3.6.5.1 IEEE Std 603 Clause 6.4

DI&C-ISG-06, Reference 1, identifies IEEE Std 603-1991, Clause 6.4 as relevant to this fundamental design attribute.

Clause 6.4 states: Derivation of System Inputs. To the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.

[ ]a,c

4 HARDWARE EQUIPMENT QUALIFICATION (D.3)

The Common Q Platform Topical Report (Reference 4), Section 7, describes the equipment qualification methodology for the generic qualification of the Common Q Platform. The Common Q equipment is mounted in a test rack in the same manner as it will be mounted in an actual cabinet.

IEEE Std 603-1991, Clause 5.4 requires that Safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 [2] and IEEE Std 627-1980 [11].

[ ]a,c

IEEE Std 7-4.3.2-2003, Clause 5.4.1, Computer system testing, states: Computer system qualification testing (see 3.1.36) shall be performed with the computer functioning with software and diagnostics that are representative of those used in actual operation. All portions of the computer necessary to accomplish safety functions, or those portions whose operation or failure could impair safety functions, shall be exercised during testing. This includes, as appropriate, exercising and monitoring the memory, the CPU, inputs and outputs, display functions, diagnostics, associated components, communication paths, and interfaces. Testing shall demonstrate that the performance requirements related to safety functions have been met.

[ ]a,c

5 I&C SYSTEM DEVELOPMENT PROCESSES (D.4)

Westinghouse will be using the NRC-approved Common Q Software Program Manual (SPM, Reference 6) as the framework for the design and development of the WF3 CPCS replacement. This framework is a supplement to the Westinghouse 10 CFR 50 Appendix B Quality Assurance program that specifically addresses digital I&C safety system development. The attributes of the framework, as outlined in DI&C-ISG-06, Revision 2 (Reference 1), Section D.4.1, are:
a. Create the concepts on which the system design will be based. For the WF3 CPCS there are three basic concepts upon which the WF3 CPCS system design is based.
1. The WF3 CPCS system design is based on the design described in the Common Q Topical Report, Appendix 2 for the Core Protection Calculator System (Reference 5).
2. The WF3 CPCS system design is based on the Palo Verde Common Q CPCS system design with minor modifications such as newer NRC-approved analog input modules (AI688 versus AI685).
3. The WF3 CPCS system design concept is based on the existing WF3 CPCS system (e.g., four channel CPC, CEA configurations, etc.) as described in Section 2, Plant System Description (D.1).
b. Translate these concepts into system requirements. The base system requirements for the WF3 CPCS is the CPCS System Requirements Specification (Reference 2). The NRC has reviewed Revision 7 of that document as part of the Palo Verde CPCS replacement. These requirements are augmented by the WF3 CPCS System Requirements Specification (Reference 21) to document changed or new requirements specific to the WF3 CPCS replacement. These documents translate the concepts upon which the system design is based into system requirements.
c. Allocate system requirements to system elements (e.g., software, hardware, and human-system interfaces). The base system requirements that are documented in the CPCS System Requirements Specification (Reference 2) have already been allocated to system elements as part of the NRC-approved Palo Verde CPCS replacement. This represents the reference design for the WF3 CPCS replacement. Changed or revised requirements from the reference design are documented in the WF3 CPCS System Requirements Specification (Reference 21). These requirements are allocated to hardware, software, and other responsible groups in accordance with the requirements management plan. The independent V&V team assesses the allocation of functions for completeness and correctness per the NRC-approved Common Q SPM (Reference 6).
d. Implement the design into hardware and software functions. Consistent with c. above, the requirements traceability matrix (RTM) documents the implementation of the system requirements into hardware and software functions in accordance with the NRC-approved Common Q SPM (Reference 6).
e. Integrate system elements such as software and hardware. Westinghouse uses its testing methodology as described in the NRC-approved Common Q SPM (Reference 6), Section 7, that documents successive levels of testing to integrate the system elements (both software and hardware).
f. Test the unit functions and the completed system to confirm that system requirements have been implemented correctly. The NRC-approved Common Q SPM (Reference 6), Section 7, describes the successive levels of testing up to a System Validation Test, and a Factory Acceptance Test to validate manufacturing. These last two tests may be combined in the case of WF3 because it is a single NPP installation. The independent V&V team uses the RTM to trace testable requirements to test procedures and reports.

g. Perform appropriate human factors engineering for the human-system interfaces throughout the development process. The WF3 CPCS has the benefit of operating experience with the CPCS operator's module and Maintenance and Test Panel. These displays have been in operation at the three Palo Verde nuclear units for at least 15 years. WF3 has engaged operations staff early in the project to familiarize them with the established display set so that operating procedures can be prepared in a timely manner to take advantage of the benefits of an improved human-system interface. None of the displays are necessary for the CPCS to perform its safety function; they are used to assess the status of the system and to configure and test the system when it is not in service.
h. Analyze hazards and incorporate requirements that eliminate or mitigate identified hazards throughout the development process. The WF3 CPCS replacement has the benefit of extensive hazards analyses that have been performed on both the conceptual design (see the Failure Modes and Effects Analysis (FMEA) in the CPCS Topical Report Appendix, Reference 5), and on the Palo Verde CPCS replacement. A WF3 CPCS replacement FMEA is developed to eliminate or mitigate any additional hazards identified in that analysis. The WF3 CPCS documents a software hazards analysis (SHA) in accordance with the Common Q SPM (Reference 6) to eliminate or mitigate any software hazards identified in the analysis (see Reference 54).
i. Perform V&V activities on work products throughout the development process. The WF3 CPCS development will undergo independent verification and validation (V&V) in accordance with the NRC-approved Common Q SPM (Reference 6).
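The RTM tracing referred to in items c, d and f is the artifact most easily left with gaps. The Python below is an added example, not the Westinghouse RTM or its format, which are not on this page; it reads a constructed matrix and reports what an independent V&V reviewer checks for: requirements with no allocation or design item, requirements verified by test that have no test procedure or no passing result, tests that cite a procedure missing from the test plan, and procedures in the plan that trace to no requirement. Column names, identifiers and results are constructed.

```python
"""Completeness check over a requirements traceability matrix (RTM).

Added example with a constructed RTM; not the Westinghouse RTM or its
format. One CSV row per (requirement, test) pair; a requirement verified
by analysis or inspection has an empty test_id."""
import csv
import io
from collections import defaultdict

# Constructed RTM: requirement -> allocation, design item, verification
# method, and the test procedure/result that closes it.
RTM_CSV = """\
req_id,allocation,design_item,method,test_id,result
SRS-001,SW,SDD-4.2,test,T-101,pass
SRS-001,SW,SDD-4.2,test,T-103,pass
SRS-002,SW,SDD-4.3,test,T-102,fail
SRS-003,HW,HDD-2.1,analysis,,
SRS-004,SW,,test,,
SRS-005,HSI,SDD-9.1,test,T-105,pass
"""

# Constructed index of the test procedures that exist in the test plan.
TEST_INDEX = {"T-101", "T-102", "T-103", "T-105", "T-199"}

VALID_METHODS = {"test", "analysis", "inspection"}


def load_rtm(text: str) -> dict:
    """Group RTM rows by requirement id."""
    by_req = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        by_req[row["req_id"]].append(row)
    return dict(by_req)


def check_rtm(text: str, test_index: set) -> list:
    """Return sorted (item, finding) pairs; an empty list means every
    requirement is allocated, designed and verified, and every test in the
    plan traces back to a requirement."""
    findings = []
    traced_tests = set()
    for req, rows in load_rtm(text).items():
        if not all(r["allocation"] for r in rows):
            findings.append((req, "no allocation to a system element"))
        if not any(r["design_item"] for r in rows):
            findings.append((req, "no design item"))
        methods = {r["method"] for r in rows}
        if not methods <= VALID_METHODS:
            findings.append((req, "unknown verification method"))
        if "test" in methods:
            tests = [r for r in rows if r["test_id"]]
            traced_tests.update(r["test_id"] for r in tests)
            if not tests:
                findings.append((req, "verified by test but no test procedure"))
            elif not any(r["result"] == "pass" for r in tests):
                findings.append((req, "no passing test result"))
            for r in tests:
                if r["test_id"] not in test_index:
                    findings.append((req, f"test {r['test_id']} not in test plan"))
    for test_id in sorted(test_index - traced_tests):
        findings.append((test_id, "test traces to no requirement"))
    return sorted(findings)


if __name__ == "__main__":
    for item, finding in check_rtm(RTM_CSV, TEST_INDEX) or [("-", "RTM complete")]:
        print(f"{item}: {finding}")
```

A requirement verified by analysis or inspection legitimately has no test row, so the check keys on the stated verification method rather than treating every empty test_id as a gap; the reverse direction (plan entries with no requirement) is what catches tests that were written against a requirement that was later deleted or renumbered.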

The software life cycle process is governed by the NRC-approved Common Q SPM (Reference 6).

Section 1.4.1 in the Common Q SPM defines the software life cycle to be:

1. Concept
2. Requirements Analysis
3. Design
4. Implementation or Coding
5. Test
6. Installation and Checkout
7. Operation and Maintenance
8. Retirement

The WF3 CPCS replacement project will be following this life cycle process. Any clarifications or exceptions (with justification) to the processes described in the NRC-approved Common Q SPM are documented in the WF3 CPCS Software Development Plan (Reference 25). There are other overarching processes such as Project Management, Verification and Validation (V&V), and Configuration Management. V&V and Configuration Management will be performed in accordance with the NRC-approved Common Q SPM (Reference 6). Project Management is discussed in Section 5.2.10.

5.1 COMMON Q SPM PLANT SPECIFIC ACTION ITEMS

The NRC documented seven Plant Specific Action Items (PSAIs) in the safety evaluation on the NRC-approved SPM (Reference 6). This section provides the dispositions for the seven PSAIs.


5.1.1 PSAI 1

As noted in Sections 3.2.1 and 3.2.3, WEC may choose to use alternatives to the SPM defined processes when performing Initiation phase activities for individual projects. These alternatives are required to be documented in the Project Quality Plan (PQP). This PQP should be reviewed to determine if alternatives to the SPM are being used for development of project specific software. When such alternatives are being used, the PQP should be evaluated to determine if the justifications for the use of alternatives to the SPM processes are acceptable.

The SPM states: "When the SPM refers to a PQP, it includes the Project Quality Plan and Project Plan (including the Software Development Plan) defined in the Westinghouse Quality Management System Procedures." Any exceptions to the SPM would be documented in the WF3 CPCS Software Development Plan (Reference 25).

The WF3 CPCS Software Development Plan (WNA-PD-00594-CWTR3) documents the following alternatives to the Common Q SPM (WCAP-16096-P-A):

[ ]a,c

5.1.2 PSAI 2

The Common Q SPM only includes the Software Life Cycle Process Planning Documentation as outlined in SRP BTP 7-14, Section B.2.1. As such, the plant-specific documentation outlined in SRP BTP 7-14, Sections B.2.2, Software Life Cycle Process Implementation, and B.2.3, Software Life Cycle Process Design Outputs, is to be evaluated separately for any application that references the Common Q SPM.

The following table provides the cross reference between the documents listed in BTP 7-14 Sections B.2.2 and B.2.3 and the corresponding Westinghouse WF3 CPCS document. Where a document is complete, its document number is cited; otherwise the document is produced later in the life cycle.


Table 5.1.2-1 BTP 7-14 Documents

BTP 7-14 Document | Westinghouse Corresponding Document

B.2.2 Documents
Safety analyses | Software Hazards Analysis (Reference 54)
Verification and validation analysis and test reports | V&V Phase Summary Reports; V&V Task Reports; V&V Module Test Reports
Configuration management reports | Configuration Baseline Reports; Configuration Management Release Reports
Testing activities | Test Plan; System Verification Test / FAT procedures and test reports
Requirements | CPCS System Requirements Specification (References 2 and 21); CPCS Software Requirements Specification
Design | Software Design Descriptions
Implementation | Software Release Records
Integration | V&V module and unit test reports (unit tests may be part of the System Verification Test / FAT)
Validation | System Verification Test / FAT Reports
Installation | Technical Manual
Operations and maintenance | Technical Manual

B.2.3 Documents
Software Requirements Specification | See Requirements above
Hardware and software architecture descriptions | Software Requirements Specification (for software architecture); Hardware Design Description (for hardware architecture)
Software design descriptions | See Design above
Code listings | Code resides in the secure development environment and is documented in Software Release Records
Build documents | Various Westinghouse internal work instructions and the CPCS Technical Manual
Installation configuration tables | Installation configuration tables reside in the secure development environment and are documented in Software Release Records
Operations manuals | CPCS Technical Manual
Maintenance manuals | CPCS Technical Manual
Training manuals | Separate training materials as part of a WF3 site training program

5.1.3 PSAI 3

The Common Q SPM only addresses the vendor software planning processes for a Common Q-based system. For all activities in which the applicant or licensee assumes responsibility within a given project (including vendor oversight) for quality assurance, additional evaluations, audits or inspections must be performed to ensure that these licensee responsibilities are fulfilled.

Entergy has developed a vendor oversight plan, summarized in the LAR, to verify that Westinghouse is performing its activities in accordance with its quality assurance commitments. This verification is conducted by Entergy by way of evaluations, audits or inspections.

5.1.4 PSAI 4

Because the Common Q SPM does not address the criteria of BTP 7-14 Section B.3.1.8.4, Software Operations Plan, an evaluation of compliance must be performed at the time of system development when the operational aspects of the system have been defined.

Westinghouse will develop a technical manual that includes the elements of a Software Operations Plan.

As part of Entergy's vendor oversight activities, as documented in the WF3 CPCS vendor oversight plan, Entergy will verify that the elements of BTP 7-14 for a Software Operations Plan are incorporated into the WF3 CPCS technical manual.

5.1.5 PSAI 5

Site acceptance testing and installation testing are not covered under the Common Q Software Test Plan because they are considered to be licensee actions that are to be addressed during the development of a Common Q based application. As such, a project specific site acceptance and installation test plan should be developed and used to address these aspects of software test planning. Because the Common Q SPM does not address all aspects of the BTP 7-14 Section B.3.2.4 criteria, an evaluation of compliance must be performed at the time of system development when the site and installation testing activities have been defined.

Entergy's Engineering Change (EC) Process, EN-DC-115 (Reference 60), identifies testing including pre-installation testing, construction testing, functional testing, software V&V, additional post-installation testing, and post return to service tests. The Responsible Engineer (RE) is responsible for preparing the EC testing requirements in accordance with EN-DC-115, with input from the Test Engineer (TE), Operations and other reviewers as applicable.

The EC Testing (ECT) is identified in the EC but is controlled outside of the EC process. The Engineering Change Process points to Entergys Post Modification Testing and Special Instructions, EN-DC-117, (Reference 61) for the details for performing testing. Modification and special testing are controlled by this process, which creates the EC Test to perform post modification Functional Testing.

This ECT format demonstrates that modified or affected systems, structures, or components will perform satisfactorily in service and satisfy design requirements. The ECT format may be used for Post Return to Service Testing. The TE is a qualified individual that is responsible for coordinating review and approval of ECT formatted tests. This includes reviewing and concurring with the ECT requirements developed by the RE, in addition to the ECT development and performance, and Return To Service (RTS) for the EC.

All ECT requirements are captured by at least one of the above types of tests.

The Post Modification Testing Philosophy, in general, is that the test for an EC should: test the modification under all configurations; test not only what has been added by the EC, but also what has been deleted; test the EC thoroughly and at least one step beyond the interface to the equipment which hasn't been modified; avoid testing by simulation when equipment may be operated safely; consider the use of the Simulator and other methods to aid in developing and validating the test procedure/instruction; and be sequenced to perform the most basic tests first, then proceed to perform more complex component and system level functional and acceptance tests.

Testing will be controlled with procedures or work orders that will use the ECT format. Many of the tests for the WF3 CPC replacement including the Site Acceptance Testing (SAT) will be performed with an ECT procedure due to the complexity of the testing.

Testing will be based on design requirements specified in the Westinghouse documents, as well as those specified in the ECT. Testing will also address license requirements associated with the WF3 Technical Specifications, which will include the approved changes for this modification. Testing will include hardware and software functional testing, verification of field inputs, post-installation testing, and integrated testing. Response time testing (RTT) will be performed for the two CPC trip signals to the Reactor Protection System (RPS).

5.1.6 PSAI 6

A licensee implementing an application based upon the Common Q platform should perform a review of the current Common Q Record of Changes document to assess the validity of previously derived safety conclusions if changes have been made to the Common Q SPM.

There have been no changes to the SPM since its approval by the NRC. As a result, the Common Q Record of Changes document will not include any assessments of changes to the SPM.

5.1.7 PSAI 7

Secure Development and Operational Environment - An applicant or licensee referencing the Common Q SPM for a safety-related plant specific application should ensure that a secure development and operational environment has been established for its plant specific application, and that it satisfies the applicable regulatory evaluation criteria of RG 1.152, Revision 3.

Section 9 describes how the CPCS replacement project will meet the requirements in NRC Regulatory Guide 1.152 for a Secure Development and Operational Environment.

The NRC-approved Common Q SPM (Reference 6) describes the Westinghouse Secure Development Environment. As part of the Entergy vendor oversight activities, Entergy will verify that the secure development environment at Westinghouse meets the criteria in Section 12 of the SPM.

See Section 9.2 for the Secure Operational Environment vulnerability assessment and the correlation to system requirements.

5.2 SYSTEM AND SOFTWARE DEVELOPMENT ACTIVITIES (D.4.2.1)

The NRC-approved SPM (Reference 6), Section 4.3.2 describes the tasks and responsibilities for each life cycle phase. These tasks and responsibilities are applicable to the WF3 CPCS replacement project and will be followed. The detailed descriptions of the analyses, reviews, and test activities for each life cycle phase are given in SPM Sections 3 (Software Safety Plan), 4 (Software Quality Assurance Plan), 5 (Software V&V Plan), 6 (Software Configuration Management Plan), 7 (Software Test Plan), and 12 (Secure Development and Operational Environment Plan).

5.2.1 Plant and Instrumentation and Control System Safety Analysis (D.4.2.1.1)

As described in Section 3.3, there are no changes to the plant safety analysis associated with the WF3 CPCS replacement. [

]a,c This is documented in the WF3 CPCS Software Development Plan (Reference 25). The independent V&V will be performed in accordance with the NRC-approved SPM for Protection class software for the AC160 controller software and for Important to Safety for the OM and MTP software.

5.2.2 Instrumentation and Control System Requirements (D.4.2.1.2)

The project input documents are collected and defined in a configuration baseline (footnote 227). These documents include Entergy input documents along with Westinghouse CPCS product documents like the CPCS System Requirements Specification (Reference 2). The attributes of the System Requirements Specification (i.e., References 2 and 21) are described in Section 3.3.4. The WF3 CPCS replacement system requirements specification (Reference 21) is independently reviewed, traced to input documents identified in the configuration baseline, and approved (footnote 228). The configuration baseline is then revised to incorporate the WSES system requirements specification (Reference 21) for later system development life cycle activities.

A requirements traceability matrix (RTM) is created to trace the WF3 CPCS replacement system requirements to hardware and software design, implementation and test (footnote 229). The independent V&V performs a requirements traceability analysis (RTA) in accordance with the Common Q SPM (Reference 6) Section 5.4.5.3.

5.2.3 Instrumentation and Control System Architecture (D.4.2.1.3)

The WF3 CPCS replacement system requirements specification (Reference 21) defines the WF3 CPCS replacement system architecture. It is based on the NRC-approved Palo Verde CPCS replacement architecture. The technical elements described in Section 3.2 of this document are incorporated in the WF3 CPCS replacement system requirements specification (Reference 21). As described in Section 5.2.2, the WF3 CPCS replacement system requirements specification is independently reviewed, approved, and baselined as an input to the ongoing life cycle activities.

5.2.4 Instrumentation and Control System Design (D.4.2.1.4)

Both the CPCS system requirements specification and the WF3 CPCS replacement system requirements specification (References 2 and 21) also fulfill the role of the system design specification. Again, the WF3 CPCS replacement system requirements specification (Reference 21) is based on the CPCS system requirements specification (Reference 2), defining the differences in the system design from the Palo Verde CPCS replacement.

As stated earlier, the reference design for the WF3 CPCS replacement is documented in Reference 2.

Revision 7 of these requirements and their traceability has already been reviewed and approved by the NRC as part of the Palo Verde CPCS replacement. The WF3 delta requirements from the reference design are documented in Reference 21 and are traced bidirectionally using the requirements traceability matrix as described in the Common Q SPM (Reference 6), Section 5.4.5.3. The architecture and functional logic design in the reference design has already been traced to the design reference requirements as part of the Palo Verde CPCS replacement (footnote 230). The WF3 delta system requirements in Reference 21 include tracing to the architecture and functional logic designs.

DI&C-ISG-06 (Reference 1), D.4.2.1.4 states, "DI&C system safety analyses should be reviewed to identify hardware, software, or human-system interfaces that have the potential to cause a hazard or are credited to eliminate or mitigate hazards." The WF3 CPCS FMEA (Reference 39) identifies the hardware and human-system interface hazards and their mitigation or elimination, and the WF3 CPCS SHA (Reference 54) identifies the software hazards and their mitigation or elimination.

As described in Section 5.2.2, the WF3 CPCS replacement system requirements specification is independently reviewed, approved, and baselined as an input to the ongoing life cycle activities.

5.2.5 Software Requirements (D.4.2.1.5)

The WF3 CPCS replacement software requirements specification (SRS) will be developed in accordance with the NRC-approved SPM (Reference 6), which states that the SRS complies in content but not format to IEEE Std 830-1998, IEEE Recommended Practice for Software Requirements Specifications as augmented by NRC Regulatory Guide 1.172, Rev. 1 (July 2013), Software Requirements Specifications for Digital Computer Software used in Safety Systems of Nuclear Power Plants.

The allocation of CPCS reference design system requirements (Reference 2) to software has already been accomplished as part of the Palo Verde CPCS replacement. The WF3 delta requirements from the reference design are documented in Reference 21. These are allocated to software as described in Section 5, item c and documented in the SRS.

The WF3 SRS is based on the Palo Verde CPCS replacement SRS (Reference 26) and documents the requirements that are additional to or different from the Palo Verde design. The WF3 replacement CPCS SRS completes the identification of the requirements for the software in the system. The SRS documents the requirements for the software in each subsystem (e.g., CPC processor, CEAC processor, CPP processor, etc.).

Information in the SRS includes:

      • Specific inputs and outputs, both those that are physical signals and information that is received from and supplied to human users and external data systems.
      • Valid input ranges
      • Output ranges, if they must be specifically limited
      • Required HSI formats (only if not specified in the CPCS System Requirements Specification)
      • Required sequences of operations (only if not specified in the CPCS System Requirements Specification)
      • Functional processing of the data
      • Timing requirements or constraints
      • Response to abnormal conditions and error recovery
      • Retention, use, and initialization of previous state information, where required
      • Safety and security requirements
      • Design constraints (e.g., adherence to the Common Q platform design restrictions in Reference 18) (footnote 231)

Similar to the WF3 system requirements specification, the SRS is independently reviewed, approved, and baselined as an input to the ongoing life cycle activities.

In addition, the RTM is updated showing the tracing of software requirements to the WF3 system requirements specification (Reference 21) (footnote 232). An independent V&V team develops module and/or unit test procedures and conducts those tests. An independent test team develops system test plans and procedures and conducts the system testing.

The RTM traces the SRS requirements to either test or inspection documents for requirements validation (footnote 233).

5.2.6 Software Design (D.4.2.1.6)

The software design description (SDD) decomposes the software requirements to document the design and implementation of software components, modules, and units used to implement the WF3 CPCS replacement system. The NRC-approved SPM (Reference 6) states that the SDD must comply with IEEE Standard 1016-1998 (Reaffirmed 2009), IEEE Recommended Practice for Software Design Descriptions.

There are a number of SDDs that document the complete detailed design of each software element of the system and how the software components are combined into the application program. [

]a,c The WF3 SDDs will be based on the Palo Verde replacement CPCS SDDs, with new and changed design descriptions to address the WF3 CPCS replacement system requirements specification (Reference 21) and WF3 SRS. These SDDs describe the design of the WF3 application.

For the AC160 controller there are lower level software modules, referred to as Reusable Software Elements (RSE). The SDDs describe these software modules and document their instantiation in the application. Many of these RSEs will remain unchanged since their usage in the NRC-approved Palo Verde CPCS replacement application software. The independent V&V team writes the module test procedures and test reports for these RSEs (footnote 235).

[

]a,c The traceability of the WF3 SRS to the WF3 SDDs will be documented in the RTM to aid in the V&V of the adequate design implementation of the SRS requirements (footnote 236). The tools used to generate the WF3 CPCS replacement software are the same tools described in the Common Q topical report (Reference 4). The SPM (Reference 6), Section 3.3.10 defines the requirements for tools used for both development and V&V.

Similar to the WF3 system requirements specification, the SDDs are independently reviewed, approved, and baselined as an input to the ongoing life cycle activities.

5.2.7 Software Implementation (D.4.2.1.7)

The generation of the WF3 CPCS replacement application software and revised RSEs is governed by the requirements in the NRC-approved SPM (Reference 6), Westinghouse work instructions (footnote 237), the Common Q coding standards (Reference 27), and the Common Q design restrictions (Reference 18).

The WF3 replacement CPCS application software is reviewed by the independent V&V team for correct implementation of the software requirements.

Each RSE set has a test procedure and test report generated by the independent V&V team. The WF3 replacement CPCS application software is tested by the independent test team. These tests are developed, performed and documented in accordance with the SPM (Reference 6), which leverages the guidance in IEEE Std 829, and was reviewed and approved by the NRC using the guidance in Regulatory Guide 1.170, Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants (Reference 34).

The NRC-approved SPM (Reference 6) states that the RSE module testing shall be performed in accordance with the Test Plan (Section 7 in the SPM) which is in compliance with IEEE Standard 1008-1987 (Reaffirmed 2009), IEEE Standard for Software Unit Testing. The RSE testing includes internal state testing.

The RSEs and the WF3 CPCS replacement software are under configuration control and are released using a software release record specifying the configuration baseline for which the software is released. The application software CMRR will identify the RSE libraries used for the application software (footnote 238).

5.2.8 Software Integration (D.4.2.1.8)

Section 7 of the NRC-approved SPM (Reference 6) outlines the sequence of tests that define the integration process for the WF3 CPCS replacement system.

RSE testing (or module testing) - this is the elemental level. The RSE is developed and tested independent of any application program by the independent V&V team.

Unit testing - this is testing a function chart application in a PM646A processor module, in which RSEs and standard function blocks are instantiated to create the logic for the application. The OM and the MTP software are considered unit software. Often unit testing is combined with Integration and System Validation testing. Unit testing is conducted by either the independent V&V team or the independent test team.

Integration Test - this is an informal test in preparation for the System Validation Test. Any anomalies identified during integration testing are resolved before the System Validation Test, if practical. If not, the open anomaly is tracked during formal System Validation testing.

System Validation Test - this is formal integration testing of the software and hardware performed by the independent test team. The System Validation Test traces the test cases to the WF3 CPCS replacement system requirements specification (Reference 21).

5.2.9 Instrumentation and Control System Testing (D.4.2.1.9)

Testing will be conducted in accordance with the Common Q SPM, Section 7, which describes the levels of testing of the software modules and units (e.g., MTP and OM), culminating in an integrated system test.

Section 7 of the SPM also describes the methodology for response time testing. Multiple runs of the DNBR and LPD trip functions will be conducted to demonstrate the system meets the response time requirements.

The testing includes the factory acceptance test (FAT) that is conducted on the deliverable WF3 CPCS.

The Common Q SPM (Reference 6), Exhibit 7-1, lists the types of tests that will be conducted on the WF3 CPCS for FAT.

Both the independent V&V team and the independent test team execute the test plan in the SPM (Reference 6), Section 7 on a complete, integrated CPCS using a baseline version. The independent V&V team executes the module tests and the independent test team executes the system validation testing and FAT. The unit testing is either conducted by the independent V&V team or included in the system validation testing.

The RTM traces the test cases to the WF3 system requirements specification (Reference 21), which will include the requirements to mitigate or eliminate hazards identified in the FMEA and SHA.
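As an added illustration of the bidirectional tracing and requirements traceability analysis described in Sections 5.2.2, 5.2.4 and 5.2.9 (this is not Westinghouse or Entergy code, and not the project's RTM format), the following Python script checks a small constructed RTM for the gaps an independent V&V reviewer looks for: requirements with no design allocation, requirements with no validating test or inspection, hazard-mitigation requirements that are validated only by inspection rather than by test, design elements and test cases that trace to no requirement, and links that point at items outside the configuration baseline. Every identifier (requirement, design-element, test-case and inspection IDs, source-document labels) is invented, and the rule that hazard mitigations must be validated by test is an assumption made for the example.

```python
"""Requirements traceability analysis (RTA) over a small constructed RTM.

Added illustration only: not Westinghouse or Entergy code, and not the
project's RTM format. Every identifier below is invented.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    source: str                      # constructed label for the originating document
    hazard_mitigation: bool = False  # credited to eliminate/mitigate an FMEA or SHA hazard


@dataclass(frozen=True)
class Link:
    req: str    # requirement ID
    item: str   # design element, test case or inspection document ID
    kind: str   # "design", "test" or "inspection"


def requirements_traceability_analysis(reqs, baseline, links):
    """Check an RTM in both directions and return the gaps found.

    `baseline` maps each link kind ("design", "test", "inspection") to the set
    of item IDs that exist in the configuration baseline. Forward tracing:
    every requirement needs a design element and a validating test or
    inspection; hazard mitigations need a test (assumption for this example).
    Backward tracing: every baseline item must be reached from some requirement,
    and every link must point at a requirement and an item that exist.
    """
    req_ids = {r.rid for r in reqs}
    valid = {l for l in links
             if l.req in req_ids and l.item in baseline.get(l.kind, set())}
    reqs_by_kind = {k: {l.req for l in valid if l.kind == k} for k in baseline}
    items_by_kind = {k: {l.item for l in valid if l.kind == k} for k in baseline}
    validated = reqs_by_kind["test"] | reqs_by_kind["inspection"]

    return {
        "requirements_without_design": sorted(req_ids - reqs_by_kind["design"]),
        "requirements_without_validation": sorted(req_ids - validated),
        "hazard_mitigations_without_test": sorted(
            r.rid for r in reqs
            if r.hazard_mitigation and r.rid not in reqs_by_kind["test"]),
        # backward gaps: baseline items no requirement traces to
        "orphan_items": sorted(
            i for k in baseline for i in baseline[k] - items_by_kind[k]),
        # links whose requirement or item is not in the baseline at all
        "dangling_links": sorted(
            f"{l.req}->{l.item}" for l in links if l not in valid),
    }


def rta_passes(findings):
    """The RTA passes only when every finding list is empty."""
    return not any(findings.values())


def sample_rtm():
    """A constructed RTM seeded with one example of each kind of gap."""
    reqs = [
        Requirement("SYS-001", "DNBR trip on low DNBR", "SyRS"),
        Requirement("SYS-002", "LPD trip on high local power density", "SyRS"),
        Requirement("SYS-003", "Trip output within the response time budget", "SyRS"),
        Requirement("SYS-004", "Operator module displays CEA positions", "SyRS"),
        Requirement("SYS-005", "Alarm on loss of CEAC communication", "SyRS"),
        Requirement("HAZ-010", "Detect and flag a stale CEAC input", "SHA",
                    hazard_mitigation=True),
    ]
    baseline = {
        "design": {"D-CPC-01", "D-CPC-02", "D-CPC-03", "D-OM-01", "D-CPC-99"},
        "test": {"T-SV-01", "T-SV-02", "T-RTT-01", "T-SV-09"},
        "inspection": {"I-OM-01", "I-CPC-03"},
    }
    links = {
        Link("SYS-001", "D-CPC-01", "design"), Link("SYS-001", "T-SV-01", "test"),
        Link("SYS-002", "D-CPC-02", "design"), Link("SYS-002", "T-SV-02", "test"),
        Link("SYS-003", "D-CPC-01", "design"), Link("SYS-003", "T-RTT-01", "test"),
        Link("SYS-004", "D-OM-01", "design"), Link("SYS-004", "I-OM-01", "inspection"),
        # SYS-005 has no design allocation and no validation at all
        Link("HAZ-010", "D-CPC-03", "design"), Link("HAZ-010", "I-CPC-03", "inspection"),
        Link("SYS-001", "D-CPC-42", "design"),   # D-CPC-42 is not in the baseline
    }
    return reqs, baseline, links


def run_sample():
    return requirements_traceability_analysis(*sample_rtm())


if __name__ == "__main__":
    findings = run_sample()
    for category, ids in findings.items():
        print(f"{category}: {ids or 'none'}")
    print("RTA result:", "PASS" if rta_passes(findings) else "FAIL")
```

On the constructed data the script reports SYS-005 as lacking both a design allocation and any validation, HAZ-010 as a hazard mitigation covered only by inspection, D-CPC-99 and T-SV-09 as baseline items no requirement reaches, and the SYS-001 link to D-CPC-42 as pointing outside the baseline; a real RTA would be run against the project's baseline each time the RTM is revised, as the text describes for the SRS and SDD updates.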

The system test reports will identify the CPCS replacement system configuration baseline and software CMRRs that were tested. System test results are documented in a test report. The NRC-approved SPM (Reference 6) states that the test report shall comply with IEEE Standard 829-1998, IEEE Standard for Software Test Documentation, Section 11.

Similar to the WF3 system requirements specification, the WF3 CPCS replacement system test plan and test documentation are independently reviewed, approved, and stored under configuration control.

5.2.10 Project Management Processes (D.4.2.2)

The WF3 Project Plan (Reference 28) describes project management processes and project organization.

It cites the Project Quality Plan that identifies the Westinghouse 10 CFR 50 Appendix B Quality Assurance procedures to be followed for the project. It describes the controls for identifying the project scope, determination of deliverables, lines of communication, formal and informal reviews, and interfaces with other internal and external organizations.

The WF3 Project Plan provides for the establishment, documentation, and maintenance of a schedule that considers the overall project, as well as interactions of milestones. It provides for risk management, including problem identification, impact assessment, and development of risk-mitigation plans for risks that have the potential to significantly affect system quality goals.

The establishment of quality metrics throughout the life cycle to assess whether the quality requirements of IEEE Std 603-1991, Clause 5.3, are being met, in keeping with the additional guidance from IEEE Std 7-4.3.2-2003, Clause 5.3, is achieved by performing the metric processes defined in the NRC-approved SPM (Reference 6), Section 4.5.2.4.

Adequate control of software tools to support system development and software V&V processes, in keeping with the additional guidance in IEEE Std 7-4.3.2-2003, Clause 5.3.2, is achieved by following the NRC-approved SPM (Reference 6), Section 6 Software Configuration Management Plan. The WF3 CPCS Software Development Plan (Reference 25) describes the use of the various tools used for the WF3 CPCS replacement.

Those tools used by the design team to develop the CPCS application are used in a manner such that defects not detected by the software tool will be detected by independent verification and validation activities. Those tools used by the independent verification and validation team have undergone a tool validation program that provides confidence that the necessary features of the software tool function as required (footnote 239).

5.2.11 Software Quality Assurance Processes (D.4.2.3)

The WF3 CPCS replacement project will follow the software quality assurance plan in the NRC-approved SPM (Reference 6), Section 4.

5.2.12 Software Verification and Validation Processes (D.4.2.4)

The WF3 CPCS replacement project will follow the software V&V plan in the NRC-approved SPM (Reference 6), Section 5. Exhibit 2-1 in the SPM shows the independence requirements between the V&V and design team. The minimum requirement is that the independent V&V team and the design team shall report to two different directors in the organization. The Westinghouse current organization reporting structure for the independent V&V team and design team meets this requirement (footnote 240).

5.2.13 Configuration Management Processes (D.4.2.5)

The WF3 CPCS replacement project will follow the software configuration management plan in the NRC-approved SPM (Reference 6), Section 6. The WF3 CPCS Replacement Project Configuration Management Plan (Reference 31) provides the project specific details for configuration management.

6 APPLYING A REFERENCED TOPICAL REPORT SAFETY EVALUATION (D.5)

The replacement CPCS is based on the Common Q Platform. Westinghouse has on record an NRC-approved topical report on the Common Q Platform (Reference 4). Westinghouse has currently submitted Revision 4 of the topical report for NRC review and approval (Reference 24).

6.1 COMMON Q PLATFORM CHANGES (D.5.1.1)

Managing changes to a safety system platform after the initial NRC Safety Evaluation Report (SER), and how these changes are reviewed by the NRC in a timely fashion, has been a topic of concern for digital software-based safety systems. The Common Q Platform received its original SERs from the NRC's Office of Nuclear Reactor Regulation (NRR) that encompassed a) the Topical Report including closeout of generic open items (GOIs) in February 2003 and b) the Software Program Manual in September 2004.

In January 2020 Westinghouse received an SER from the NRC on the updated version of the Common Qualified Platform Topical Report (Reference 4), and in November 2018, Westinghouse received an SER from the NRC on the updated Software Program Manual for Common Q Systems (Reference 6).

There have been changes to the Common Q Platform since its approval. Westinghouse has a documented change process that evaluates platform changes. The process evaluates each change of the platform against the safety conclusions reached by the NRC in its safety evaluation report for the platform. This process is described in WCAP-17266-P, Common Q Platform Generic Change Process (Reference 12).

Appendix 5 of the Common Q Topical Report (Reference 13) is the output document for the change process described in Reference 12. The document provides a summary of changes and then a detailed recording of analysis and/or qualification documents, and a conclusion statement on the status of the change relative to the NRC safety conclusions. Reference 13 can be audited by the NRC staff to achieve reasonable assurance that Westinghouse is maintaining the Common Q Platform within the bounds of the safety conclusions in the safety evaluation of the platform.

6.1.1 Common Q Platform Topical Report Revision

The Common Q Platform Topical Report revision that applies to this licensing technical report and LAR is Revision 4 (see Reference 4).

6.2 RESOLUTION OF TOPICAL REPORT PLANT-SPECIFIC ACTION ITEMS (D.5.1.2)

The Common Q Topical Report (Reference 4) has two Generic Open Items (GOIs) and 24 Plant-Specific Action Items (PSAIs). PSAI 3 is closed and does not need to be addressed by licensees (footnote 241). This section addresses each for the WF3 CPCS replacement. The Common Q Software Program Manual (Reference 6) also has PSAIs. These are addressed in Section 5.

6.2.1 Generic Open Items

Although the SER for the Common Q Topical Report lists 12 GOIs, all have been closed but two. These are addressed in this section.

6.2.1.1 GOI 8

GOI 8 states: "Westinghouse needs to provide in future submittals the design information for the loop controllers to support their diversity from the Common Q components. This is discussed in Section 4.4.4.3.2."

This GOI refers to the loop controllers described in the Common Q Platform Appendix 4 (Reference 15).

The loop controllers fulfill the function of a priority module as described in DI&C-ISG-04, Section 2 Command Prioritization (Reference 9). The replacement CPCS includes neither loop controllers nor a priority module function. Therefore, this GOI does not apply to the replacement CPCS.

6.2.1.2 GOI 12

GOI 12 states: "Westinghouse has not yet concluded seismic, environmental and Electromagnetic Compatibility (EMC) qualification testing of the following Common Q platform hardware components:

      • CI528W Communications Interface Module
      • ATS-PCNB-007 - PC Node Box
      • 10160D05 Processor Module
      • 10160D06 Fiber Optic Module
      • 10160D07 Input / Output Module
      • 10160D08 Synchronization Module
      • 10160D09 Power Supply Module

These hardware components are required to be tested and qualified for the specific plant conditions prior to being placed into operation within a safety system application."

The replacement CPCS does not use this equipment in the CPCS architecture, so this GOI does not apply to the replacement CPCS (this equipment is related to a new alternate Flat Panel Display System architecture under development and not deployed for the WF3 CPCS).

6.2.2 Plant-Specific Action Items

There are 25 PSAIs for the Common Q Platform Topical Report. One of these PSAIs, PSAI 3, has been resolved generically and therefore is not addressed here. The other 24 PSAIs are addressed in this section.

6.2.2.1 PSAI 1

PSAI 1 states: "Each licensee implementing a specific application based upon the Common Q platform must assess the suitability of the S600 I/O modules to be used in the design against its plant-specific input/output requirements. See Section 4.1.1.1.2."

The CPCS system requirements specification (References 2 and 21), Sections 2.3.11 and 2.3.12, define the interface input and output requirements for the CPCS replacement. Aside from the number of CEAs and clarifications on accuracy, these are the same requirements as for the Palo Verde CPCS replacement. The same I/O modules are used except for the analog input module. The Palo Verde CPCS replacements used the AI685 analog input module. The WF3 CPCS replacement uses the AI688 analog input module. The AI688 analog input module characteristics for the 0-1 Vdc and 0-10 Vdc ranges meet the requirements of Reference 2, Section 2.3.11 (footnote 242).

6.2.2.2 PSAI 2

PSAI 2 states: "A hardware user interface that replicates existing plant capabilities for an application may be chosen by a licensee as an alternative to the FPDS. The review of the implementation of such a hardware user interface would be a plant-specific action item. See Section 4.1.2."

The WF3 CPCS replacement is not using an alternative to the flat panel display system (FPDS) described in the Common Q Topical Report (Reference 4). Therefore, this PSAI does not apply to the WF3 CPCS replacement.

6.2.2.3 PSAI 4

PSAI 4 states: "Each licensee implementing a Common Q application must verify that its plant environmental data (i.e., temperature, humidity, seismic, and electromagnetic compatibility) for the location(s) in which the Common Q equipment is to be installed are enveloped by the environment considered for the Common Q qualification testing, and that the specific equipment configuration to be installed is similar to that of the Common Q equipment used for the tests. The licensee must also ensure that the plant specific Common Q system configuration does not exceed the configuration used during platform qualification testing. See Sections 4.2.2.1.1, 4.2.2.1.2, and 4.2.2.1.3.

The Common Q test specimen was configured for seismic testing using dummy modules to fill all the used rack slots. As part of the verification of its plant-specific equipment configuration the licensee must check that it does not have any unfilled rack slots. See Section 4.2.2.1.2."

The WF3 CPCS EQ Summary Report (Reference 35) analyzes the EQ of the components that make up the replacement CPCS and concludes that the testing and results encompass WF3 site requirements for the CPCS. The spare AC160 controller slots in Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram, will be filled by the AC160 dummy module. Section 3.1.1.1 of the WF3 system requirements specification (Reference 21) defines the requirement to use dummy modules for unused AC160 controller slots.

6.2.2.4 PSAI 5

PSAI 5 states: "On the basis of its review of the Westinghouse software development process for application software, the NRC staff concludes that the Common Q software program manual SPM specifies plans that will provide a quality software life cycle process, and that these plans commit to documentation of life cycle activities that will permit the NRC staff or others to evaluate the quality of the design features upon which the safety determination will be based. When a license amendment process is used for implementation of a Common Q based safety system, the NRC staff will review the implementation of the life cycle process and the software life cycle process design outputs for specific applications on a plant-specific basis. See Section 4.3.2."

As stated in DI&C-ISG-06 (Reference 1) Section D.4.2, Sections D.4.2.1.1 through D.4.2.1.4 address life cycle activities that are part of the NRC review scope. Sections D.4.2.1.5 through D.4.2.1.9 describe process evaluations that are part of the NRC review scope. The evaluation of the design outputs using the process described in Sections D.4.2.1.5 through D.4.2.1.9 is not within the scope of the LAR review. The licensee is responsible for ensuring vendor use of procedures and the acceptability of all vendor work products discussed in Sections D.4.2.1.1 through D.4.2.1.9.

Section D.4.2.1.1 through D.4.2.1.4 represent the design life cycle phases respectively:

Plant and Instrumentation and Control System Safety Analysis Instrumentation and Control System Requirements Instrumentation and Control System Architecture Instrumentation and Control System Design It is understood that the licensee is responsible for ensuring vendor use of procedures and the acceptability of all vendor work products discussed in these phases. The NRC staff will also evaluate the implementation of the life cycle process and the software life cycle process design outputs for the CPCS replacement for these life cycle phases listed above. This represents the Common SPM life cycle phases

1) Concept and 2) Requirements Analysis (see Reference 6, Section 1.4.1).

As stated in DI&C-ISG-06 above, Sections D.4.2.1.5 through D.4.2.1.9 are not within the scope of the LAR review. Sections D.4.2.1.5 through D.4.2.1.9 represent the following design life cycle phases, respectively:

• Software Requirements
• Software Design
• Software Implementation
• Software Integration
• Instrumentation and Control System Testing

These correspond to the Common Q SPM life cycle phases (see Reference 6, Section 1.4.1):

• Requirements Analysis
• Design
• Implementation or Coding
• Test

WCAP-18484-NP June 2021 Revision 1

      • This record was final approved on 6/25/2021 8:24:16 AM. (This statement was added by the PRIME system upon its validation)

The WF3 vendor oversight plan describes how WF3 will verify Westinghouse use of procedures and will verify the acceptability of Westinghouse work products to the requirements of the Common Q SPM.

6.2.2.5 PSAI 6

PSAI 6 states: When implementing a Common Q safety system (i.e., PAMS, CPCS, or DPPS), the licensee must review the timing analysis and validation tests for that Common Q system in order to verify that it satisfies its plant-specific requirements for accuracy and response time presented in the accident analysis in Chapter 15 of the safety analysis report. See Sections 4.1.1.4 and 4.1.3.4 of this SE as well as Sections 4.4.1.3, 4.4.2.3, and 4.4.3.3 of Reference 3 for additional information on this item.

Section 3.2.6 describes how the response time criteria for the Common Q WF3 CPCS are derived and how it will be demonstrated that the calculated CPCS response times maintain the safety margin for the plant.

The Common Q SPM, Section 7, describes the testing to be performed on the replacement CPCS. The response time of the replacement CPCS will be validated to confirm that the system meets the timing analysis results (see the Common Q SPM Exhibit 7-1). The accuracy requirements for the WF3 replacement CPCS are summarized in Section 3.3 and defined in the CPCS system requirements specification (References 2 and 21), Section 2.3.11. The accuracy requirements are validated by test as described in the Common Q SPM test plan, Section 7.3.1.5 and Exhibit 7-1. The WF3 vendor oversight plan describes how the licensee will verify that Westinghouse properly propagates these requirements through the design, implementation, and test of the replacement CPCS.

6.2.2.6 PSAI 7

PSAI 7 states: The OM and the MTP provide the human machine interface for the Common Q platform.

Both the OM and the MTP will include display and diagnostic capabilities unavailable in the existing analog safety systems. The Common Q design provides means for access control to software and hardware such as key switch control, control to software media, and door key locks. The human factors considerations for specific applications of the Common Q platform will be evaluated on a plant-specific basis. See Sections 4.4.1.3, 4.4.2.3, 4.4.3.3, and 4.4.4.3.6 of Reference 3 for additional information on this item.

The OM and MTP displays are summarized in Section 3.2.7. The requirements for these displays are specified in the CPCS system requirements specification (Reference 2), Section 2.2 and the WF3 specific CPCS system requirements specification (Reference 21). These displays have been reviewed by WF3 operations staff and modified accordingly to support their control room tasks.

With regard to access control, Section 3.3.3.5 describes how access control meets the criteria of IEEE Std 603-1991. These secure operational controls are similar to those implemented for the Palo Verde CPCS replacement, which were found to be acceptable from a human factors perspective.

6.2.2.7 PSAI 8

PSAI 8 states: If the licensee installs a Common Q PAMS, CPCS or DPPS, the licensee must verify on a plant-specific basis that the new system provides the same functionality as the system that is being replaced, and meets the functionality requirement applicable to those systems. See Sections 4.4.1.3, 4.4.2.3, and 4.4.3.3 of Reference 3 for additional information on this item.

The CPCS system requirements specification (Reference 2) defines the functional and system requirements for the replacement CPCS to provide the same functionality as the existing CPCS. Reference 2 is the reference design system requirements specification, representing the Palo Verde CPCS implementation. The WF3 CPCS system requirements specification (Reference 21) defines the unique requirements for the WF3 CPCS replacement that differ from the Palo Verde replacement CPCS functional and system requirements.

6.2.2.8 PSAI 9

PSAI 9 states: Modifications to plant procedures and/or TS due to the installation of a Common Q safety system will be reviewed by the NRC staff on a plant-specific basis. Each licensee installing a Common Q safety system shall submit its plant-specific request for license amendment with attendant justification.

See Sections 4.4.1.3, 4.4.2.3, and 4.4.3.3 of Reference 3 for additional information on this item.

WF3 is submitting a plant-specific request for license amendment with attendant justification for the replacement CPCS. The license amendment is following the guidance in DI&C-ISG-06 (Reference 1).

6.2.2.9 PSAI 10

PSAI 10 states: A licensee implementing any Common Q application (i.e., PAMS, CPCS, or DPPS) must prepare its plant-specific model for the design to be implemented and perform the FMEA for that application. See Sections 5.0 and 4.1.3.4 of this SE as well as Sections 4.4.1.3, 4.4.2.3, and 4.4.3.3 of Reference 3 for additional information on this item.

The model for the WF3 CPCS replacement is defined in the CPCS system requirements specification (Reference 2) as augmented by the WF3 CPCS system requirements specification (Reference 21). The FMEA (Reference 39) for the WF3 CPCS replacement is summarized in Section 3.2.17.

6.2.2.10 PSAI 11

PSAI 11 states: A licensee implementing any Common Q application (i.e., PAMS, CPCS, or DPPS) shall demonstrate that the plant-specific Common Q application complies with the criteria for defense against common-mode failure in DI&C systems and meets the requirements of BTP 7-19. See Section 4.1.6 of this SE as well as Sections 4.4.2.3, 4.4.3.3, and 4.4.4.3.3 of Reference 3 for additional information on this item.

The WF3 defense against common-mode failure (i.e., common cause failure) is addressed in Section 3.2.18.

6.2.2.11 PSAI 12

PSAI 12 states: A licensee implementing a Common Q DPPS shall define a formal methodology for overall response time testing. See Section 4.4.3.3 of Reference 3 for additional information on this item.

As part of the CPCS replacement license amendment request, Entergy is proposing elimination of specific technical specification surveillance requirements, including response time, by crediting AC160 diagnostics.

Appendix B - Elimination of Specific CPCS Technical Specification Surveillance Requirements provides the analysis and justification for this technical specification change. The WF3 CPCS is tested at the factory and during installation to confirm that the response time for the system is met. The methodology used is found in the Common Q SPM, Exhibit 7-1.

6.2.2.12 PSAI 13

PSAI 13 states: The analysis of the capacity of the shared resources to accommodate the load increase due to sharing. See Section 4.4.4.3.1 of Reference 3 for additional information on this item.

This PSAI is in reference to the Common Q Topical Report Appendix 4 (Reference 15) that describes an architecture that integrates the functions of the plant protection system, core protection calculator system and the post accident monitoring system. The WF3 license amendment is only replacing the CPCS and not the plant protection system. This PSAI, regarding shared resources between the CPCS and other Common Q based systems, is not applicable to this license amendment.

6.2.2.13 PSAI 14

This PSAI states: The licensee implementing Common Q applications must ascertain that the implementation of the Common Q does not render invalid any of the previously accomplished TMI action items. See Section 5.0.

The WF3 CPCS is a pre-TMI system that generates reactor trip signals for Low DNBR and High LPD trips. The OM for the CPCS is not used for any post accident monitoring. Once the reactor is tripped other systems are used for post accident monitoring.

6.2.2.14 PSAI 15

This PSAI states: During the Software development process, the licensee must specify plant specific requirements for system automatic self-testing features that are needed to ensure proper functioning of the Common Q application during operation. See Section 4.1.1.3.

The plant-specific requirements for system automatic self-testing features that are needed to ensure proper function of the Common Q application during operation are specified in the CPCS system requirements specification (Reference 2), Section 2.4.2.1, as augmented by the WF3 CPCS system requirements specification (Reference 21). The service/test functions of the WF3 CPCS replacement are described in Section 3.2.7 of this document.

6.2.2.15 PSAI 16

This PSAI states: A licensee implementing a Common Q DPPS shall ensure that no more than four processor modules are installed within a single AC160 controller. See Section 2.1.

As shown in the architecture drawing of the four-channel CPCS in Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram, there are only two PM646A processor modules in a single AC160 controller.

6.2.2.16 PSAI 17

This PSAI states: A licensee implementing a Common Q DPPS must ensure that all hardware components used for system development are approved for use in nuclear safety system class 1E applications and are listed in Table 1. See Section 2.1 for a discussion of the hardware components of the Common Q platform.

Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram shows the AC160 modules that will be used for the WF3 CPCS. They are listed below, and all of them are listed in Table 1 of the safety evaluation. The product revisions (PR) listed below are the current revisions of the modules. The Common Q record of changes document (Reference 13) assesses these later, qualified product revisions and the qualification references demonstrating that the product remains consistent with the safety conclusions in the NRC safety evaluation. Reference 13 is a living document that is continuously updated as revisions to modules are made.

• AI688 - S600 Analog Input Module, PR: C
• AO650 - S600 Analog Output Module, PR: B
• CI527W - Communications Interface Module, PR: C
• CI631 - Communications Interface Module, PR: H
• DI620 - S600 Digital Input Module, PR: D
• DO625 - S600 Digital Output Module, PR: B
• DP620 - S600 Pulse Counter Module, PR: B
• PM646A - Advant Controller 160 (AC160) Processor Module, PR: U
• AC160 Base Software - Base Software, PR: 1.3/11
• ACC Tool - Tool, PR: 1.7/1

The final equipment designation for the flat panel display system, power supply, and HSL fiber optic modems will be documented during the hardware design phase. The product revision levels for all Common Q platform equipment will be finalized at the time of FAT for the CPCS. The Common Q Topical Report record of changes document (Reference 13) is a living document that is updated when platform changes are processed in accordance with Reference 12. WF3, via the vendor oversight plan, will compare the equipment part numbers to those listed in Table 1 of the safety evaluation. Where differences exist in part number or product revision, WF3 will review the topical report record of changes document (Reference 13) for adequate qualification documentation demonstrating that the changes do not invalidate the safety conclusions in the safety evaluation of the Common Q platform.
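The comparison the vendor oversight plan describes (installed part number and product revision against Table 1 of the safety evaluation, with any difference resolved against the record of changes) can be run mechanically at FAT or receipt inspection. The following Python script is an added example written for this page; it is not part of WCAP-18484-NP and is not a Westinghouse or Entergy tool. The installed list is the module list above. The approved revisions in the stand-in for Table 1 and the record-of-changes entries (the "RoC-hyp-*" ids) are constructed for illustration, since neither Table 1 nor Reference 13 is reproduced on this page.

```python
"""Qualified-hardware reconciliation check (added example; not from WCAP-18484-NP).

Compares installed AC160 module part numbers and product revisions (PR) against
the revisions approved in Table 1 of the platform safety evaluation. A module
whose revision differs from the approved one is accepted only if the record of
changes (Reference 13) contains a chain of entries that carries the approved
revision forward to the installed one; otherwise it is flagged for review.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    part: str
    installed_pr: str
    approved_pr: Optional[str]
    status: str                  # accepted | accepted-via-roc | needs-roc | not-listed
    roc_ref: Optional[str] = None


# Installed modules and revisions as listed in the report text above.
INSTALLED: Dict[str, str] = {
    "AI688": "C", "AO650": "B", "CI527W": "C", "CI631": "H", "DI620": "D",
    "DO625": "B", "DP620": "B", "PM646A": "U",
    "AC160 Base Software": "1.3/11", "ACC Tool": "1.7/1",
}

# CONSTRUCTED stand-in for Table 1 of the safety evaluation (not the real table).
APPROVED_TABLE1: Dict[str, str] = {
    "AI688": "C", "AO650": "B", "CI527W": "B", "CI631": "H", "DI620": "C",
    "DO625": "B", "DP620": "B", "PM646A": "S",
    "AC160 Base Software": "1.3/11", "ACC Tool": "1.7/1",
}

# CONSTRUCTED stand-in for the record of changes: (part, from PR, to PR) -> entry id.
RECORD_OF_CHANGES: Dict[Tuple[str, str, str], str] = {
    ("CI527W", "B", "C"): "RoC-hyp-1",
    ("PM646A", "S", "T"): "RoC-hyp-2",
    ("PM646A", "T", "U"): "RoC-hyp-3",
}


def roc_path(roc, part, from_pr, to_pr) -> Optional[List[str]]:
    """Breadth-first search over record-of-changes entries for `part`.

    Returns the entry ids that carry from_pr forward to to_pr, or None when no
    documented chain exists. Revisions are treated as opaque strings because
    hardware PR letters and software version strings follow different schemes.
    """
    edges: Dict[str, List[Tuple[str, str]]] = {}
    for (p, src, dst), ref in roc.items():
        if p == part:
            edges.setdefault(src, []).append((dst, ref))
    queue = deque([(from_pr, [])])
    seen = {from_pr}
    while queue:
        cur, path = queue.popleft()
        if cur == to_pr:
            return path
        for dst, ref in edges.get(cur, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [ref]))
    return None


def reconcile(installed, approved, roc) -> List[Finding]:
    """Classify every installed module against the approved list."""
    findings = []
    for part, pr in sorted(installed.items()):
        appr = approved.get(part)
        if appr is None:
            findings.append(Finding(part, pr, None, "not-listed"))
        elif appr == pr:
            findings.append(Finding(part, pr, appr, "accepted"))
        else:
            path = roc_path(roc, part, appr, pr)
            if path is None:
                findings.append(Finding(part, pr, appr, "needs-roc"))
            else:
                findings.append(Finding(part, pr, appr, "accepted-via-roc", ",".join(path)))
    return findings


def blocking(findings) -> List[Finding]:
    """Findings that must be resolved before the hardware is accepted."""
    return [f for f in findings if f.status in ("needs-roc", "not-listed")]


if __name__ == "__main__":
    results = reconcile(INSTALLED, APPROVED_TABLE1, RECORD_OF_CHANGES)
    for f in results:
        print(f"{f.part:20} installed PR {f.installed_pr:7} approved PR {str(f.approved_pr):7} "
              f"{f.status} {f.roc_ref or ''}")
    print("blocking:", [f.part for f in blocking(results)])
```

With the constructed data, CI527W and PM646A are accepted through record-of-changes chains (PM646A through two successive entries), while DI620 has a newer revision with no covering entry and is reported as blocking. A revision that differs in either direction is treated the same way; the script deliberately does not assume that a "later" revision is automatically acceptable.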

6.2.2.17 PSAI 18

This PSAI states: The licensee implementing Common Q applications must ensure that administrative controls are put into place to ensure that changes to setpoints are only performed while the system is not being relied upon to perform its safety functions. The affected division of the Common Q safety system must be declared inoperable prior to implementation of setpoint changes. See Section 4.1.3.4.

Table 3.2.16-1 DI&C-ISG-04-Compliance, Position 10 describes the administrative controls for changing setpoints in the WF3 CPCS replacement. WF3 procedures exist to declare a CPCS channel inoperable and put the CPCS channel in maintenance bypass when changing CPCS setpoints.

6.2.2.18 PSAI 19

This PSAI states: A licensee implementing a specific application based upon the Common Q platform must ensure that the serial communications link between the MTP and the Processor Module is disabled by means of a physical disconnection (i.e., cable is removed from the serial port at the front of the PM646A). Alternative means of disconnecting this serial communication link may be considered, however, any means of disabling this communication link which rely upon software logic would invalidate the DI&C-ISG-04 conformance safety conclusions in Section 4.1.3.4 Staff Position 1, Point 10 of this SE.

The serial communications link between the MTP and the PM646A referred to in this PSAI is the programming cable that allows the MTP to load a new program into the PM646A. Compliance with the DI&C-ISG-04 requirement for a physical disconnection (i.e., the cable is removed from the serial port at the front of the PM646A) is addressed in Table 3.2.16-1 DI&C-ISG-04-Compliance, Position 10. [

]a,c This is the same methodology used for the NRC-approved Palo Verde CPCS replacement.

6.2.2.19 PSAI 20

This PSAI states: A licensee implementing an application based upon the Common Q platform that utilizes fiber optic cables to connect HSLs between safety divisions shall ensure that all plant specific environmental qualification requirements for this cabling are met. See Section 4.2.2.2.

Fiber optic cable at WF3 is purchased to Entergy specification SPEC-10-00001-MULTI, 73.55 Fleet Strategy Implementation - Fiber Optic Cable Common-Procurement Specification (Reference 40), to ensure that the WF3 site environmental qualification requirements are met.

6.2.2.20 PSAI 21

This PSAI states: A licensee implementing an application based upon the Common Q platform that includes implementation of HSL must perform a site specific analysis to quantify the impact of higher electromagnetic emissions on operation of locally mounted equipment. See Section 4.2.2.1.3.

The WF3 equipment qualification summary report (Reference 35, Section 3.3) confirms that the electromagnetic emissions from the HSL do not adversely affect the operation of locally mounted equipment.

6.2.2.21 PSAI 22

This PSAI states: A licensee implementing an application based upon the Common Q platform that uses AI685 modules configured for either RTD or Thermocouple input must ensure that the installation includes a metallic barrier in front of the module. See Section 4.2.2.1.3.

The WF3 CPCS replacement uses the AI688 analog input module in place of the AI685 analog input module as shown in Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram. Therefore, this PSAI does not apply to the WF3 CPCS replacement.

6.2.2.22 PSAI 23

This PSAI states: A licensee implementing an application based upon the Common Q platform should perform a review of the current Common Q Record of Changes document to assess the validity of previously derived safety conclusions if changes have been made to the Common Q platform hardware, software, or processes defined in the Common Q TR.

The response to PSAI 17 (Section 6.2.2.16) addresses this PSAI.

6.2.2.23 PSAI 24

PSAI 24 states: A licensee implementing an application based upon the Common Q platform that relies on the FPDS to perform safety critical functions shall perform an evaluation to address the added reliance on the FPDS to accomplish the required safety functions. The effects of not having the necessary information available on the FPDS during the design basis event should be considered and addressed in this evaluation.

The OM and MTP do not perform safety critical functions. As defined in the Common Q SPM (Reference 6), safety critical functions are those functions that are necessary to directly perform RPS control actions, ESFAS control actions, and safe shutdown control actions. The MTP and OM functions are described in Section 3.2.7. None of these functions involve an RPS control action, ESFAS control action, or safe shutdown control action. Therefore, this PSAI does not apply to the WF3 CPCS replacement.

6.2.2.24 PSAI 25

This PSAI states: A licensee implementing an application based upon the Common Q platform that relies upon the use of ITPs and the AF100 busses to provide separation between safety and non-safety signals must evaluate the plant-specific design against the independence criteria of IEEE 7-4.3.2-2003, Section 5.6.

As shown in Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram, the AF100 bus resides within one channel of the CPCS architecture. Only the unidirectional, fiber optically isolated HSL is used for CPCS interchannel communication.


7 COMPLIANCE/CONFORMANCE MATRIX FOR IEEE STANDARDS 603-1991 AND 7-4.3.2-2003 (D.6)

This section provides a compliance/conformance table for IEEE Std 603-1991 and IEEE Std 7-4.3.2-2003. Table 7-1 Compliance/Conformance Matrix for IEEE Std 603 and IEEE Std 7-4.3.2 provides a summary of compliance and a cross reference to the sections in this document that explain the compliance/conformance. The Compliance/Conformance column uses the following codes:

• C: Complies
• PC: Partially Complies
• E: Exception
• N/A: Not applicable

Table 7-1 Compliance/Conformance Matrix for IEEE Std 603 and IEEE Std 7-4.3.2

| IEEE Std 603 Clause | IEEE Std 7-4.3.2 Clause | Title | Compliance/Conformance | Section(s) |
|---|---|---|---|---|
| 4.1 | 4* | Safety System Design Basis | C | 3.3.2 Clause 4.1 |
| 4.2 | | | C | 3.3.2 Clause 4.2 |
| 4.3 | | | C | 3.3.2 Clause 4.3 |
| 4.4 | | | C | 3.3.2 Clause 4.4 |
| 4.5 | | | C | 3.3.2 Clause 4.5 |
| 4.6 | | | C | 3.3.2 Clause 4.6 |
| 4.7 | | | C | 3.3.2 Clause 4.7 |
| 4.8 | | | C | 3.3.2 Clause 4.8 |
| 4.9 | | | C | 3.3.2 Clause 4.9 |
| 4.10 | | | C | 3.3.2 Clause 4.10 |
| 4.11 | | | C | 3.3.2 Clause 4.11 |
| 4.12 | | | C | 3.3.2 Clause 4.12 |
| 5.1 | 5.1* | Single Failure Criterion | C | 3.2.17, 3.2.19.1.1 |
| 5.2 | 5.2* | Completion of Protective Action | C | 3.3.3.1 |
| 5.3 | 5.3 | Quality | C | 3.3.3.10, 5 |
| | 5.3.1 | Software Development | C | 5.2 |
| | 5.3.1.1 | Software Quality Metrics | C | 5.2.10 |
| | 5.3.2 | Software Tools | C | 5.2.10 |
| | 5.3.3 | Verification and Validation | C | 5.2.12 |
| | 5.3.4 | Independent V&V Requirements | C | 5.2.12 |
| | 5.3.5 | Software Configuration Management | C | 5.2.13 |
| | 5.3.6 | Software Project Risk Management | C | 5.2.10 |
| 5.4 | 5.4 | Equipment Qualification | C | 4 |
| | 5.4.1 | Computer System Testing | C | 4 |
| | 5.4.2 | Qualification of Existing Commercial Computers | C | 3.3.3.10, 6.1 |
| 5.5 | 5.5 | System Integrity | C | 3.3.3.2 |
| | 5.5.1 | Design for Computer Integrity | C | 3.6.3.1.2 |
| | 5.5.2 | Design for Test and Calibration | C | 3.2.19.2.1 |
| | 5.5.3 | Fault Detection and Self-Diagnostics | C | 3.2.19.2.2 |
| 5.6 | 5.6 | Independence | C | 3.5.10.5 |
| 5.6.1 | | Between Redundant Portions of a Safety System | PC | 3.5.10.1 |
| 5.6.2 | | Between Safety Systems and Effects of Design-Basis Event | C | 3.5.10.2 |
| 5.6.3 | | Between Safety Systems and Other Systems | C | 3.5.10.3 |
| 5.6.4 | | Detailed Criteria | C | 3.5.10.4 |
| 5.7 | 5.7* | Capability for Testing and Calibration | C | 3.2.19.1.2 |
| 5.8 | 5.8* | Information Displays | N/A - No specified criteria | N/A |
| 5.8.1 | | Displays for Manually Controlled Actions | C | 3.2.19.1.3 |
| 5.8.2 | | System Status Indication | C | 3.2.19.1.4 |
| 5.8.3 | | Indication of Bypasses | C | 3.2.19.1.5 |
| 5.8.4 | | Location | C | 3.2.19.1.6 |
| 5.9 | 5.9* | Control of Access | C | 3.3.3.5 |
| 5.10 | 5.10* | Repair | C | 3.3.3.6 |
| 5.11 | 5.11 | Identification | C | 3.2.19.1.7, 3.6.2.1.2 |
| 5.12 | 5.12* | Auxiliary Features | N/A - No specified criteria | N/A |
| 5.12.1 | | Auxiliary Features | C | 3.5.10.6.1 |
| 5.12.2 | | Other Auxiliary Features | C | 3.5.10.6.2 |
| 5.13 | 5.13* | Multi-Unit Stations | N/A - The CPCS is not shared among multiple NPPs | N/A |
| 5.14 | 5.14* | Human Factors Considerations | C | 3.5.10.7 |
| 5.15 | 5.15 | Reliability | C | 3.3.2 Clause 4.9, 3.6.1.1.2 |
| 6.1 | 6* | Automatic Control | C | 3.6.3.1.3 |
| 6.2 | | Manual Control | C | 3.6.3.1.4 |
| 6.3 | | Interaction between the Sense and Command Features and Other Systems | N/A - No specified criteria | N/A |
| 6.3.1 | | Requirements | C | 3.6.2.1.3 |
| 6.3.2 | | Provisions | C | 3.6.2.1.3 |
| 6.4 | | Derivation of System Inputs | C | 3.6.5.1 |
| 6.5 | | Capability for Testing and Calibration | N/A - No criteria | N/A |
| 6.5.1 | | Checking the Operational Availability | C | 3.3.3.3 |
| 6.5.2 | | Assuring the Operational Availability | C | 3.3.3.3 |
| 6.6 | | Operating Bypasses | C | 3.3.3.7 |
| 6.7 | | Maintenance Bypass | C | 3.3.3.8 |
| 6.8 | | Setpoints | C | 3.3.3.9 |
| 7.1-7.5 | 7* | Executive Features - Functional and Design Requirements | N/A - The CPCS only performs Sense and Command Features | N/A |
| 8.1 | 8* | Electrical Power Sources | C | 3.5.8 |
| 8.2 | | Non-electrical Power Sources | N/A - CPCS does not use non-electrical power sources | 3.5.8 |
| 8.3 | | Maintenance Bypass | C | 3.5.8 |

* The standard does not add additional criteria beyond that stated in IEEE Std 603-1991.


8 TECHNICAL SPECIFICATIONS (D.7)

WF3 is replacing the existing digital CPCS with a new, functionally equivalent, digital Common Q CPCS provided by Westinghouse Electric Power LLC. However, there will now be eight CEACs for the whole system instead of two. As a result, the technical specification changes will reflect improved operability compared with the existing CPCS. In addition, the technical specification changes will reflect elimination of certain surveillance requirements by crediting the CPCS diagnostics. The analysis of which surveillance requirements can be eliminated is in Appendix B of this document. The Entergy WF3 CPCS LAR provides the actual technical specification markups for WF3 resulting from the CPCS replacement.

These proposed changes to the technical specifications continue to satisfy the requirements of 10 CFR 50.36.

9 SECURE DEVELOPMENT AND OPERATIONAL ENVIRONMENT (D.8)

This section describes the secure development and operational environment of the CPCS, which meets the guidance in both DI&C-ISG-06 (Reference 1) and RG 1.152 (Reference 17).

9.1 SECURE DEVELOPMENT ENVIRONMENT

The replacement CPCS is designed and developed by Westinghouse within their facility up to and including the FAT. Once FAT is completed, the CPCS is shipped to WF3 and stored until it is installed in the plant.

While the replacement CPCS is at the Westinghouse facility, it is designed and implemented using a secure development environment. The secure development environment is described in the Common Q SPM (Reference 6), Section 12.2.1.2. The NRC evaluated the secure development environment controls.

Based on the NRC's review of the Westinghouse Common Q secure development environment as described in the Common Q SPM (Reference 6), the staff concluded that the described controls meet the requirements of RG 1.152 (Reference 17).

Entergy's vendor oversight plan will include verifying that Westinghouse complies with the requirements in the SPM for a secure development environment. This addresses the NRC's Plant Specific Action Item 7 in its safety evaluation report for the SPM:

Secure Development and Operational Environment - An applicant or licensee referencing the Common Q SPM for a safety-related plant specific application should ensure that a secure development and operational environment has been established for its plant specific application, and that it satisfies the applicable regulatory evaluation criteria of RG 1.152, Revision 3.

9.2 SECURE OPERATIONAL ENVIRONMENT

The NRC stated in its safety evaluation in the Common Q Topical Report (Reference 4): "Although application software is not within the scope of this review, platform features that contribute to the SDOE for the application are identified and discussed. Credit may be taken for the use of these security capabilities in establishing a secure operational environment for a plant specific safety-related application."

The replacement CPCS physical and logical access features are included in the system requirements (see Table 9.2.1.5-1 Summary of Vulnerabilities, Controls, and Overall Effectiveness). The CPCS system requirements specification (Reference 2), as augmented by the WF3 system requirements specification (Reference 21), would normally have derived secure operational environment requirements from a vulnerability assessment as described in RG 1.152 (Reference 17). However, the CPCS system requirements specification (Reference 2) was developed before RG 1.152 specified criteria for a secure operational environment. To meet the criteria of RG 1.152, a vulnerability assessment is included as part of the replacement CPCS LAR to confirm that the necessary secure operational environment requirements have been captured in References 2 and 21.

9.2.1 Secure Operational Environment Vulnerability Assessment

This assessment of the secure operational environment addresses 1) deficiencies in the design that may allow inadvertent, unintended, or unauthorized access or modifications to the safety system that may degrade its reliability, integrity or functionality during operations, and 2) the potential inability of the system to sustain the safety function in the presence of undesired behavior of connected systems, as described in RG 1.152 (Reference 17).

The Common Q SPM (Reference 6), Section 12 includes the vulnerability assessment ensuring that the system is developed without undocumented codes (e.g., backdoor coding), unwanted functions or applications, and any other coding that could adversely affect the reliable operation of the digital system.

The NRC has reviewed these controls as part of the review of the Common Q SPM (see Safety Evaluation Report, Section 3.2.13, embedded in Reference 6).

9.2.1.1 CPCS System Architecture

The CPCS system architecture is depicted in Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram. It consists of the following components:

AC160 - AC160 controllers perform the CPCS safety function (i.e., CPC and CEAC, see Sections 3.2.1 and 3.2.2).

OM - The OM is in the control room and provides the operator with CPCS information (e.g., Low DNBR/High LPD Status, Post Trip Reports, etc.). The OM also allows the operator to adjust addressable constants and perform testing (see Section 3.2.7.2).

MTP - The MTP is a local display system within the locked APC that provides system status information, adjustment for addressable constants, and provides for testing the CPCS. The MTP also provides an interface to an IRIG data link for time synchronization and a unidirectional, fiber optically isolated data link to the plant monitoring computer, CEAPD, and to a printer (see Section 3.5).

AF100 - The AF100 bus is a network within a CPCS channel to allow the sharing of data between the AC160 controllers, the OM and the MTP. This network does not extend beyond the boundaries of the channel (see Sections 3.2.1 and 3.2.2).

HSL - The HSL is a point-to-point data link which is used to communicate data within a channel when real time performance is critical (e.g., between CPC and CEAC AC160 controllers within a CPCS channel) and between channels (see Section 3.5.1).
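The independence properties this architecture relies on (the AF100 bus confined to one channel, interchannel HSLs unidirectional and fiber-optically isolated, MTP outputs to non-safety equipment unidirectional and isolated) can be written as checks over a model of the communication pathways, so that a design change that adds or alters a link is caught mechanically rather than by re-reading the block diagram. The following Python is an added example written for this page; it is not code from the report, Westinghouse or Entergy. Its node and link table is a constructed simplification of the architecture described above: one CEAC node per channel, CPC-to-CPC interchannel HSLs (the text does not state which controllers terminate them), and an IRIG time input into the MTP that is assumed to be inbound only. Every inbound link from non-safety equipment is reported as a pathway that needs a documented control rather than as a pass or fail, since deciding the adequacy of that control is the job of the assessment in Section 9.2.1, not of the script.

```python
"""Communication-pathway independence check (added example; not from WCAP-18484-NP).

Models the CPCS channel architecture as nodes (safety equipment tagged with its
channel, non-safety equipment untagged) and directed links, then checks:
  1. an AF100 link never connects equipment in different channels;
  2. a link between two safety channels is unidirectional and fiber-isolated;
  3. a link from safety equipment to non-safety equipment is unidirectional and
     fiber-isolated;
  4. a link from non-safety equipment into safety equipment is reported as
     requiring a documented control.
The topology is a CONSTRUCTED simplification of the architecture described in
the text; the CPC-to-CPC interchannel HSL and the inbound IRIG link are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    channel: Optional[str]   # safety channel id, or None for non-safety equipment


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    medium: str              # "AF100", "HSL", "datalink", "IRIG"
    bidirectional: bool
    fiber_isolated: bool


# Plant monitoring computer, CEAPD, printer and the IRIG time source are non-safety.
NON_SAFETY = ("PMC", "CEAPD", "PRINTER", "IRIG")


def build_model(channels=("A", "B", "C", "D")) -> Tuple[List[Node], List[Link]]:
    """Constructed four-channel model of the pathways described in Section 9.2.1.1."""
    nodes = [Node(n, None) for n in NON_SAFETY]
    links: List[Link] = []
    for ch in channels:
        cpc, ceac, om, mtp, bus = (f"CPC-{ch}", f"CEAC-{ch}", f"OM-{ch}", f"MTP-{ch}", f"AF100-{ch}")
        nodes += [Node(x, ch) for x in (cpc, ceac, om, mtp, bus)]
        # AF100: intra-channel network shared by the controllers, the OM and the MTP.
        links += [Link(x, bus, "AF100", True, False) for x in (cpc, ceac, om, mtp)]
        # HSL within the channel between the CPC and CEAC controllers (one link per direction).
        links += [Link(cpc, ceac, "HSL", False, True), Link(ceac, cpc, "HSL", False, True)]
        # Interchannel HSL: unidirectional, fiber-isolated. CPC-to-CPC termination is an assumption.
        links += [Link(cpc, f"CPC-{o}", "HSL", False, True) for o in channels if o != ch]
        # MTP outputs to non-safety equipment: unidirectional, fiber-optically isolated.
        links += [Link(mtp, x, "datalink", False, True) for x in ("PMC", "CEAPD", "PRINTER")]
        # IRIG time synchronisation into the MTP: assumed inbound-only and not fiber-isolated.
        links.append(Link("IRIG", mtp, "IRIG", False, False))
    return nodes, links


def check_independence(nodes: List[Node], links: List[Link]) -> Tuple[List[str], List[str]]:
    """Return (violations, pathways that need a documented control)."""
    chan = {n.name: n.channel for n in nodes}
    violations, needs_control = [], []
    for lk in links:
        sc, dc = chan[lk.src], chan[lk.dst]
        if lk.medium == "AF100" and (sc is None or sc != dc):
            violations.append(f"AF100 link {lk.src}->{lk.dst} extends beyond a single channel")
        elif sc is not None and dc is not None and sc != dc:
            if lk.bidirectional or not lk.fiber_isolated:
                violations.append(f"interchannel link {lk.src}->{lk.dst} is not unidirectional and fiber-isolated")
        elif sc is not None and dc is None:
            if lk.bidirectional or not lk.fiber_isolated:
                violations.append(f"safety-to-non-safety link {lk.src}->{lk.dst} is not unidirectional and fiber-isolated")
        elif sc is None and dc is not None:
            needs_control.append(f"inbound non-safety link {lk.src}->{lk.dst} ({lk.medium}) needs a documented control")
    return violations, needs_control


def make_hsl_bidirectional(links: List[Link], src: str, dst: str) -> List[Link]:
    """Copy of `links` with the HSL src->dst turned bidirectional (a design error to detect)."""
    return [replace(lk, bidirectional=True) if (lk.src, lk.dst, lk.medium) == (src, dst, "HSL") else lk
            for lk in links]


if __name__ == "__main__":
    nodes, links = build_model()
    cases = (("as described", links),
             ("with a bidirectional CPC-A->CPC-B HSL", make_hsl_bidirectional(links, "CPC-A", "CPC-B")))
    for label, lk_set in cases:
        v, c = check_independence(nodes, lk_set)
        print(f"{label}: {len(v)} violation(s), {len(c)} pathway(s) needing controls")
        for line in v + c:
            print("  ", line)
```

Run as described, the model yields no violations and four pathways needing controls (the IRIG input into each channel's MTP). Turning one interchannel HSL bidirectional, or attaching a channel A node to channel B's AF100 bus, produces a violation naming the offending link.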

9.2.1.2 CPCS Potential Vulnerability Assessment Process

A system's secure operational environment assessment addresses 1) the digital exposure along connectivity pathways for the system, including direct and indirect connectivity, 2) the physical exposure of the system, including direct and indirect connectivity, 3) the effectiveness of the communication flow controls, and 4) the effectiveness of the access control and authorization mechanisms. As part of these assessments, vulnerabilities associated with inadvertent access or changes to a system are examined, and failures or unpredictable behavior of connected systems are identified and addressed. This process identifies secure operational environment vulnerabilities associated with inadvertent access or changes to the system by performing an analysis of how the system's functions are accessed. Vulnerabilities related to failures or unpredictable behaviors of connected systems are identified by examination of systems, networks, and communication systems that could be potential pathways for compromise.

This secure operational environment vulnerability assessment documents the controls that are in place as defined by the system requirements to mitigate the vulnerabilities identified.

9.2.1.3 Vulnerability Identification

Using Figure 3.2-1 Common Q CPC/CEAC Architecture Block Diagram as a reference, digital connectivity pathways are assessed and potential vulnerabilities are identified.

Assessed interfaces to the replacement CPCS include:

• The replacement CPCS has an AF100 network interface for communication within a channel.
• The replacement CPCS has HSLs that can communicate within a channel and between channels.
• The MTP and OM support removable media to allow for saving and loading addressable constants.
• Each channel of the replacement CPCS has an OM in the control room. The OM provides the capability to change system addressable constants and activate the DNBR/LPD operating bypass.
• Each channel of the replacement CPCS has an MTP. The MTP provides the capability to perform tests, change CPCS addressable constants, load Reload Data Block constants, and activate the DNBR/LPD operating bypass when operating under QNX.
• The MTP provides an interface to an IRIG data link for time synchronization.
• The MTP provides a unidirectional, fiber optically isolated data link to the plant monitoring computer, CEAPD, and to a print server.
• Each AC160 controller, MTP, and OM provides a connection point for reprogramming or reconfiguring the CPCS.
• The MTP has the capability to reboot into Windows to allow the use of the Advant AC160 ACC tool for loading new applications to the processor modules in a channel. The system is in offline mode and tripped for these activities.

[ ]a,c

9.2.1.4 Mitigating System Requirements

9.2.1.4.1 Safety System Independence Features

The following interfaces between the CPCS and external systems are summarized along with the independence features that protect the safety system from failures of external systems:

[ ]a,c

9.2.1.4.2 Compliance with IEEE Std 603-1991, Clause 5.9 Control of Access

Refer to Section 3.3.3.5 for compliance to IEEE Std 603-1991, Clause 5.9.

9.2.1.5 Summary of Vulnerabilities, Identified Controls, and Overall Effectiveness of Controls

Table 9.2.1.5-1 Summary of Vulnerabilities, Controls, and Overall Effectiveness identifies the assessed interfaces, associated vulnerabilities, description of controls, assessment of effectiveness of controls, and references to system requirements for the controls. The requirements cited in Table 9.2.1.5-1 will be traced through the WF3 CPCS development life cycle for correct implementation through design, implementation, and test, as required by RG 1.152 (Reference 17).

Table 9.2.1.5-1 Summary of Vulnerabilities, Controls, and Overall Effectiveness

[ ]a,c

10 REFERENCES

1. DI&C-ISG-06, Digital Instrumentation and Controls Licensing Process Interim Staff Guidance, ML18269A259, Revision 2, United States Nuclear Regulatory Commission
2. System Requirements Specification for the Common Q Core Protection Calculator System, 00000-ICE-30158, Revision 14
3. Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Issuance of Amendments on the Core Protection Calculator System Upgrade (TAC Nos. MB6726, MB6727 and MB6728), ML033030363, US Nuclear Regulatory Commission

4. Common Qualified Platform Topical Report, WCAP-16097-P-A, Revision 4, Westinghouse Electric Company LLC
5. Common Qualified Platform Topical Report Appendix 2 Core Protection Calculator System, WCAP-16097-P-A Appendix 2, Westinghouse Electric Company LLC
6. Software Program Manual for Common Q Systems, WCAP-16096-P-A, Revision 5, Westinghouse Electric Company LLC
7. Physical Independence of Electric Systems, Regulatory Guide 1.75, Revision 1, US Nuclear Regulatory Commission
8. Control Panel 7 & 2 Cyber Security Door Lock Plan, ENT-WF3-CPC-115, March 17, 2020, Entergy Operations, Inc.
9. DI&C-ISG-04, Highly-Integrated Control Rooms - Communications Issues (HICRc) Interim Staff Guidance, ML083310185, Revision 1, United States Nuclear Regulatory Commission
10. S600 I/O Hardware Advant Controller 160 for Westinghouse Version 1.3 Reference Manual, 3BDS 005 740R501, Asea Brown Boveri
11. RPS/ESFAS Extended Test Interval Evaluation, CEN-327-A, May 1986, Combustion Engineering, Inc.
12. Common Q Platform Generic Change Process, WCAP-17266-P, Revision 1, Westinghouse Electric Company LLC
13. Common Qualified Platform Record of Changes, WCAP-16097-P Appendix 5, Revision 5, Westinghouse Electric Company LLC
14. AC160 Processor Module Stall Timers Not Activated as Described in Licensing Basis, Nuclear Safety Advisory Letter NSAL-17-2, Revision 1, Westinghouse Electric Company LLC
15. Common Qualified Platform Integrated Solution, WCAP-16097-P-A Appendix 4, Revision 0, Westinghouse Electric Company LLC
16. Guidance for the Review of Changes to Human Actions, NUREG-1764, Revision 1 (ML072640413), United States Nuclear Regulatory Commission
17. Criteria for Use of Computers in Safety System of Nuclear Power Plants, Regulatory Guide 1.152, Revision 3 (ML102870022), United States Nuclear Regulatory Commission
18. Application Restrictions for Generic Common Q Qualification, WNA-DS-01070-GEN, Revision 15, Westinghouse Electric Company LLC
19. Not used
20. Technical Specifications, NUREG-1117 (ML053130318 Appendix A), Waterford Steam Electric Station, Unit No. 3, Docket 50-382, Entergy Operations, Inc.


21. System Requirements Specification for the Core Protection Calculator System, WNA-DS-04517-CWTR3, Revision 5, Westinghouse Electric Company LLC
22. Core Protection Calculator (CPC) System Input Error Analysis, 00000-ICE-3672, Revision 5, Westinghouse Electric Company LLC.
23. WF3 Appendix K and PLCEA Replacement CPC Reload Data Block, LTR-TAS-01-20, Revision 0, Westinghouse Electric Company LLC
24. Waterford Unit 3 Common Q Implementation - Non-LOCA Evaluation of Updated CPCS Response Times, LTR-TA-20-4, Revision 0, Westinghouse Electric Company LLC
25. Software Development Plan for the Core Protection Calculator System Upgrade, WNA-PD-00594-CWTR3, Revision 2, Westinghouse Electric Company LLC
26. Software Requirements Specification for the Common Q Core Protection Calculator System, 00000-ICE-3233, Revision 9, Westinghouse Electric Company LLC.
27. Coding Standards and Guidelines for Common Q Systems, 00000-ICE-3889, Revision 16, Westinghouse Electric Company LLC
28. Project Management Plan for the Waterford 3 Core Protection Calculator Upgrade, GPEP-PMP-2019-000020, Revision 2, Westinghouse Electric Company LLC
29. Safety Evaluation Report related to operation of Arkansas Nuclear One, Unit 2, Supplement 1, NUREG-0308, Suppl. No. 1 (ML102850080), US Nuclear Regulatory Commission Office of Nuclear Regulation
30. Palo Verde Nuclear Generating Station Units 1, 2, & 3 Core Protection Calculator System Technical Manual, 14273-ICE-3460, Revision 4, Westinghouse Electric Company LLC
31. Configuration Management Plan for the Core Protection Calculator System Upgrade Project, WNA-PC-00069-CWTR3, Revision 2, Westinghouse Electric Company LLC
32. Waterford 3 Core Protection Calculator System Safety Function Table, LTR-TA-19-154, Revision 0, Westinghouse Electric Company LLC
33. WF3 Cycle 23 Final Safety Analysis Groundrules, NF-WTFD-18-5, Revision 0, Entergy Services, Inc.
34. Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, Regulatory Guide 1.170, Revision 1, US Nuclear Regulatory Commission.
35. Core Protection Calculator System Upgrade Project Equipment Qualification Summary Report for Waterford Unit 3, EQ-QR-400-CWTR3, Revision 0.
36. Functional Design Requirements for a Core Protection Calculator, 00000-ICE-3208, Revision 08, Westinghouse Electric Company LLC
37. Functional Design Requirement for a Control Element Assembly Calculator, Requirements No. 00000-ICE-3234, Revision 6, Westinghouse Electric Company LLC

38. Control Room Heat Load (Normal and Station Blackout), ECE89-002, Revision 8, Entergy Operations, Inc.
39. Failure Modes and Effects Analysis for the Core Protection Calculator System, WNA-AR-00909-CWTR3, Revision 1, Westinghouse Electric Company LLC.
40. 73.55 Fleet Strategy Implementation Fiber Optic Cable Common-Procurement Specification, SPEC-10-00001-MULTI, Rev. 0, Entergy Operations, Inc.


41. Waterford 3 CPCS Reliability Block Diagram Analysis, WNA-AR-00913-CWTR3, Revision 0, Westinghouse Electric Company LLC.
42. Vogtle Electric Generation Plant Units 3 and 4 - Request for Licenses Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR 19-001), ML19084A309, Southern Nuclear Operating Company
43. Protection and Safety Monitoring System Technical Specification Surveillance Requirement Elimination, SV0-PMS-AR-001, Rev. 1, Westinghouse Electric Company, LLC.
44. Equipment Qualification Summary Report for Waterford Unit 3, EQ-QR-412-CWTR3, Revision 2, Westinghouse Electric Company LLC
45. Final Quality Assessment and Justification Report, MOD 97-7771, Rev. 6, Westinghouse Electric Company, LLC.
46. Qualification of Category A I&C Self supervision and test functions FMEA, MOD 97-3184, Rev. 3, Westinghouse Electric Company, LLC.

47. AC160 Product Specification for AP1000 PMS, GBRA095801, Rev. E, Westinghouse Electric Germany, GmbH.
48. Evidence of Documentation for AC160 Platform Diagnostics, GIC-SSP-FSD-19-005, Rev. 1, Westinghouse Electric Company LLC.
49. Publicly Available - Vogtle Electric Generating Plant Units 3 and 4 Safety Evaluation (LAR 19-001), ML19297D159, United States Nuclear Regulatory Commission.
50. Description of Function HW - BIM2-2 ASIC, 3BSC140054D0060, Rev. 0, ABB Process Automation Corporation.
51. AI688M Analog Input 16Ch. (Main-board), 3BSE052212D0002, Rev. D, ABB Process Automation Corporation.
52. Description of Function HW CI627, 3BSE009799D0060, Rev. 0, ABB Process Automation Corporation.
53. Ceramic Capacitor Aging Made Simple, Johanson Dielectrics Inc., 2012
54. Software Hazard Analysis for the Core Protection Calculator System Upgrade Project, WNA-AR-00861-CWTR3, Rev. 2, Westinghouse Electric Company LLC.
55. Core Protection Calculator System Response Time Calculation, WNA-CN-00572-CWTR3, Revision 1, Westinghouse Electric Company LLC.
56. Reliability and Availability Analysis Methods, WNA-IG-00064-GEN, Rev. 3, Westinghouse Electric Company LLC.
57. Reliability Data Sheet, Advant Controller 160 Including S600 I/O, GKWF310708, Rev. 0, ABB Power Plant Control.
58. 2982786 PLC-OSC- 24DC/ 24DC/ 5/ACT Datasheet, Phoenix Contact.
59. Core Protection Calculator (CPC) System Input Processing Uncertainty Calculation for Waterford Unit 3, WNA-CN-00566-CWTR3, Revision 0, Westinghouse Electric Company LLC.
60. Engineering Change Process, Entergy Quality Related Procedure (includes instructions for IP-ENG-001, Standard Design Process), EN-DC-115, Rev. 27, Entergy Operations, Inc.
61. Post Modification Testing and Special Instructions, Entergy Quality Related Procedure, EN-DC-117, Rev. 14, Entergy Operations, Inc.

11 BIBLIOGRAPHY

1. Waterford-3 Comprehensive Checklist for Non-LOCA Transient Analysis with Revised CEA Drop Time Curve, CN-TDA-09-7, Revision 3, Westinghouse Electric Company LLC
2. WF3 Cycle 23 Core Operating Limits Report (per Section 1.1 of Reference 33)
3. WF3 Technical Requirements Manual, Docket 50-382, Amendment 145 (per Section 1 of Reference 33)
4. Waterford-3 CPC and CEAC Data Base Document, 9270-ICE-3212, Revision 01, Westinghouse Electric Company LLC
5. Waterford-3 CPC Response Time Calculation, IC-03-040, Revision 05, Westinghouse Electric Company LLC
6. Functional Design Requirements for a Core Protection Calculator, 00000-ICE 3208, Revision 8, Westinghouse Electric Company LLC
7. Functional Design Requirements for a Control Element Assembly Calculator (CEAC), 00000-ICE 3234, Revision 6, Westinghouse Electric Company LLC
8. Acceptance for Referencing of Topical Report CENPD-396-P, Rev. 01, Common Qualified Platform and Appendices 1, 2, 3, and 4, Rev. 01 (TAC No. MA1677), ML003740165, United States Nuclear Regulatory Commission.
9. Design and Life Cycle Evaluation Report on Previously-Developed Software in ABB AC160, I/O Modules and Tool, GKWF700777, Rev. 2, ABB Utility Automation, GmbH

APPENDIX A WF3 FSAR MARKUPS
[Figure (FSAR markup): CPC/CEAC channels; Fiber Optically Isolated, Unidirectional Ethernet Links; Flat Panel Display. Legend: CPC = CORE PROTECTION CALCULATOR, CEAC = CEA CALCULATOR]

APPENDIX B ELIMINATION OF SPECIFIC CPCS TECHNICAL SPECIFICATION SURVEILLANCE REQUIREMENTS

B.1 INTRODUCTION

B.1.1 Purpose

The purpose of this appendix is to provide the analysis necessary to justify the elimination of specific Technical Specification (TS) Surveillance Requirements (SRs) related to the CPCS. Based on NRC review, this will potentially culminate in the elimination of the need to perform specific surveillances on CPCS equipment based on the Common Q platform. This will lead to longer periods of plant operation with full CPCS redundancy and reduced operational and maintenance costs over the lifecycle of the CPCS.

The scope of this appendix is limited to Waterford-3 TS SRs that apply to the CPCS. SR candidates for elimination are outlined in Section B.1.3 of this appendix and are defined within Section 4.3.1 of the WF3 TS (Reference 20).

B.1.2 Background

TS establish requirements a nuclear facility must meet during operations. The basis for these specifications can be traced to 10 CFR 50, Domestic Licensing of Production and Utilization Facilities, Section 36, Technical Specifications. Specifically relating to the safety systems of a nuclear plant, 10 CFR 50.36(c)(ii)(A) establishes limiting safety system settings for nuclear reactors.

To demonstrate that the CPCS is operable, which ensures that limiting conditions for operation (LCOs) are met, the TS stipulate various SRs (per 10 CFR 50.36(c)(3)). These SRs range from functional tests and calibrations to visual inspections, and are performed at a periodic interval governed by the Waterford-3 Surveillance Frequency Control Program. The number of functions related to the CPCS, coupled with the SR frequency, results in significant testing over the life of the CPCS.

To eliminate SRs, and thereby inherently increase the safety of the plant by reducing the time the CPCS spends at less than full redundancy, Westinghouse has produced this appendix detailing the analyses necessary to justify the elimination of certain SRs. These SR eliminations take full advantage of the Common Q platform self-diagnostic features, which are not accounted for in the Waterford-3 TS. The elimination of SRs will also reduce the burden on operations and maintenance personnel, as well as the generation and preservation of procedures related to SR testing.

The methodology to eliminate TS SRs in this appendix leverages ML19084A309, Vogtle Electric Generation Plant Units 3 and 4 - Request for Licenses Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR 19-001) (Reference 42). This reference received an NRC safety evaluation (ML19297D159, Reference 49) which approves the removal of surveillance requirements related to the Vogtle 3&4 Common Q based safety system (the Protection and Safety Monitoring System).

B.1.3 Scope of Analysis

The scope of SRs analyzed within this appendix is limited to SRs that are related to the CPCS and can be eliminated within the implemented Common Q equipment (as well as the IRP, which is described in Section 3.2.8.1). This simplifies to Channel Functional Tests related to the CPCS (which include the LPD and DNBR trip functions), response time testing on the trip functions implemented within the CPCS, and other SRs solely applicable to the current WF3 CPCS. Specifically, the WF3 TS (Reference 20) SRs subject to elimination are:

SR 4.3.1.1 (Channel Functional Testing of the CPCS portion of the SR) which states:

Each reactor protective instrumentation channel shall be demonstrated OPERABLE by the performance of the CHANNEL CHECK, CHANNEL CALIBRATION and CHANNEL FUNCTIONAL TEST operations for the MODES and at the frequencies shown in Table 4.3-1.

Note: This includes TS Table 4.3-1 Note 9, which states, "The CHANNEL FUNCTIONAL TEST shall include verification that the correct values of addressable constants are installed in each OPERABLE CPC."

SR 4.3.1.3 (CPCS portion of the SR) which states:

The REACTOR TRIP SYSTEM RESPONSE TIME of each reactor trip function shall be demonstrated to be within its limit in accordance with the Surveillance Frequency Control Program. Neutron detectors are exempt from response time testing. Each test shall include at least one channel per function such that all channels are tested as shown in the "Total No. of Channels" column of Table 3.3-1.

SR 4.3.1.4, which states that each CEA isolation amplifier and each optical isolator for CEA Calculator to Core Protection Calculator data transfer shall be verified in accordance with the Surveillance Frequency Control Program during the shutdown.

SR 4.3.1.5 which states:

The Core Protection Calculator System and the Control Element Assembly Calculator System shall be determined OPERABLE in accordance with the Surveillance Frequency Control Program by verifying that less than three auto restarts have occurred on each calculator during the past 12 hours.

SR 4.3.1.6 which states:

The Core Protection Calculator System shall be subjected to a CHANNEL FUNCTIONAL TEST to verify OPERABILITY within 12 hours of receipt of a High CPC Cabinet Temperature alarm.

B.2 INDUSTRY STANDARDS AND REGULATORY GUIDANCE

The following regulations, industry standards, and regulatory guidance are applicable to periodic testing during normal plant operations and therefore related to this effort:

• 10 CFR 50 (specifically Section 36, Section 55a, and Appendix A)

• IEEE 279-1971

• IEEE 338-1971

• BTP 7-17

These regulations and standards are discussed in the following sections. IEEE 338-2012 is also discussed below, though not endorsed by the NRC, to provide context as to the current industry position regarding self-diagnostics and how they relate to surveillance testing.

B.2.1 10 CFR 50

10 CFR 50 contains several regulations related to manual surveillance testing requirements. These are summarized as follows:

1. 10 CFR 50, Section 36, Technical Specifications - 10 CFR 50.36 establishes the need for TS to verify the operability of select systems and components in the plant. The TS are derived from the analyses and evaluations included in the safety analysis report. The TS include, in part, limiting conditions for operation and SRs. When a limiting condition for operation of a nuclear reactor is not met, the licensee is required to shut down the reactor or follow any remedial action permitted by the TS until the condition can be met. SRs are requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the LCOs will be met.
2. 10 CFR 50, Section 55a, Codes and Standards - Paragraph h of this section establishes the requirement to meet IEEE 603-1991. IEEE 279-1971, a predecessor to that standard, is discussed in more detail in Section B.2.2.
3. 10 CFR 50, Appendix A, General Design Criteria for Nuclear Power Plants - There are two General Design Criteria (GDC) applicable to this effort:

GDC 18, Inspections and Testing of Electric Power Systems, requires (in part) that electric power systems important to safety be designed to permit periodic testing, including periodic testing of the performance of the components of the system and the system as a whole.

GDC 21, Protection System Reliability and Testability, requires (in part) that the protection system be designed to permit its periodic testing during reactor operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

4. 10 CFR 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants - Criterion XI, Test Control, requires (in part) that a test program be established to ensure that all testing, including operational testing required to demonstrate that systems and components will perform satisfactorily in-service, is identified and performed in accordance with written test procedures.

B.2.2 IEEE 279

IEEE 279-1971, IEEE Standard Criteria for Protection Systems for Nuclear Power Generating Stations, requires that the protection system have certain capabilities regarding testing. Specifically, Section 4.10, Capability for Test and Calibration, requires the protection system to have the capability for testing and calibration during power operations while retaining the capability of the safety systems to accomplish their safety functions. This section does not state that the protection system needs to use these features as part of a testing program, only that they be available.

B.2.3 IEEE 338

IEEE 338-1971, "Trial-use Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Protection Systems," provides minimum requirements for the safety-related functional performance and reliability of the protection system for nuclear power generating station safety systems.

Included within this set of requirements are those related to the capability for testing the protection system.

The scope of periodic testing is defined within this standard as including functional tests and checks, calibration verification, and time response measurements, as required, to verify the protection system performs to meet its defined safety function. However, what is not defined is how to determine what should be included within the manual surveillance program. Instead, the standard provides guidance for those tests within the surveillance program. Even though the self-diagnostics are not part of the surveillance program, they do support the basis of the standard (i.e., IEEE 338-1971, Section 4) in that they continuously and periodically check the system to verify operability.

IEEE 338-2012, IEEE Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, Section 5.4.3, though not currently endorsed by the NRC or included in the WF3 licensing basis, does provide a basis for eliminating periodic surveillance tests, as evidenced by the following statement: "Digital control/protection systems or equipment that have a mechanism to continuously verify proper digital processing are exempt from periodic testing provided:

a) Input interfaces are tested either automatically or manually.

b) Output interfaces are tested either automatically or manually.

c) Any malfunction that may affect design assumptions is alarmed in the control room."

B.2.4 BTP 7-17

NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, Branch Technical Position (BTP) 7-17, Guidance on Self-Test and Surveillance Test Provisions, provides NRC review guidance on periodic surveillance testing and self-diagnostic features for a digital system. This BTP acknowledges the use of automatic self-testing as an appropriate method to perform periodic surveillance tests. Additionally, BTP 7-17 states, "Self-test functions should be verified during periodic functional tests." This statement is assessed in relation to this appendix in the evaluation section below.

B.2.5 Evaluation/Conclusion

Although historically industry and regulatory standards have required periodic surveillance testing during normal operations for safety systems, exceptions have been allowed. Specifically:

IEEE 279-1971: Requires protection systems to have the capability to test. However, the approach taken in this appendix is not to eliminate the capability for manual testing of a protection system, but instead to credit self-diagnostics in order to eliminate the need to perform SRs. The self-diagnostics credited within the SR elimination analysis (Section B.5 of this appendix) are automatic tests performed within the CPCS at an interval significantly shorter than the current SR interval. The proposed Tech Spec modifications for elimination of SRs result in improved safety system availability and reduced potential for human error.

IEEE 338-1971: This activity proposes the removal of several Tech Spec surveillances due to self-diagnostic test coverage. These self-diagnostics will not be part of the surveillance program, and therefore, the requirements in IEEE 338-1971 are not directly applicable. Additionally, this standard is written specifically for analog systems, resulting in guidance that does not explicitly address self-diagnostic testing features.

IEEE 338-2012: Though not endorsed by the NRC, this standard provides an exception to periodic surveillance tests based on being able to continuously verify proper digital processing.

This shows how the industry has adapted IEEE 338 for digital systems.

BTP 7-17: Acknowledges automatic self-testing as an appropriate substitute for periodic surveillance tests. However, an important caveat is Acceptance Criterion 3, which states that "self-test functions should be verified during periodic functional tests." It is not possible to test self-diagnostics as part of surveillance testing because it would require creating destructive faults within the I&C system, such as Random-Access Memory (RAM) errors. Therefore, this acceptance criterion is addressed as follows:

o Software-based diagnostics are confirmed to be functional by Cyclic Redundancy Checks (CRCs) of the system software and are not subject to random failure. The CRC diagnostic is described in WCAP-16097-P-A (Reference 4). A CRC number is generated when the firmware is qualified and released. The CRC diagnostic compares the run-time calculated CRC of the system software to the qualified release CRC number; if it is different, then it is possible that a hardware failure may have impacted the operation of the firmware-based diagnostics. This will result in a CPC FAIL alarm and operator notification (see Section B.4 for more details). The NRC Safety Evaluation Report (SER) for the Common Q Topical Report states, "Any changes made to AC160 software will also affect the CRC checksum value which is continually monitored by the safety application which will activate a system alarm." In the case of the CPCS, that system alarm is the CPCS FAIL Alarm.

o The CRC diagnostic is monitored to be completed within the allotted cycle time (discussed in more detail in Section B.3.1.2). If it is not, then the CPC FAIL alarm will be annunciated.
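The two CRC checks just described (run-time CRC compared with the qualified release CRC, and completion of each CRC pass within the allotted cycle time), modelled as an added C example that is not code from this report or from the AC160/CPCS firmware; the CRC-32 variant, the chunk size, the cycle budget and all function names are assumptions made for illustration.

```c
/* Constructed model of the CPCS CRC self-diagnostic described above:
 * (1) the run-time CRC of the firmware image is compared with the CRC
 *     recorded at qualification/release, and
 * (2) completion of each full CRC pass is monitored against a cycle budget.
 * Either check failing maps to a CPC FAIL verdict. Names, chunk size and
 * budget values are assumptions for illustration, not AC160/CPCS values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    DIAG_RUNNING = 0,        /* pass in progress, no verdict yet */
    DIAG_PASS,               /* pass finished and CRC matches the release CRC */
    DIAG_FAIL_CRC_MISMATCH,  /* pass finished, CRC differs: raise CPC FAIL */
    DIAG_FAIL_CYCLE_OVERRUN  /* pass not finished within budget: raise CPC FAIL */
} diag_status_t;

/* Reflected CRC-32 (polynomial 0xEDB88320), bitwise so no table is needed.
 * The caller passes the running value (start 0xFFFFFFFF) so the image can be
 * checked incrementally, one chunk per processing cycle. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) {
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return crc;
}

/* One-shot CRC-32 of a buffer (check value for "123456789" is 0xCBF43926). */
uint32_t crc32(const uint8_t *data, size_t len) {
    return crc32_update(0xFFFFFFFFu, data, len) ^ 0xFFFFFFFFu;
}

typedef struct {
    const uint8_t *image;   /* firmware image as loaded in memory */
    size_t len;
    uint32_t release_crc;   /* CRC generated when the firmware was qualified */
    size_t chunk;           /* bytes hashed per processing cycle (assumed) */
    uint32_t cycle_budget;  /* cycles within which a pass must complete (assumed) */
    size_t offset;          /* incremental state for the current pass */
    uint32_t running;
    uint32_t cycles_used;
} crc_diag_t;

void crc_diag_init(crc_diag_t *d, const uint8_t *image, size_t len,
                   uint32_t release_crc, size_t chunk, uint32_t cycle_budget) {
    d->image = image;
    d->len = len;
    d->release_crc = release_crc;
    d->chunk = chunk;
    d->cycle_budget = cycle_budget;
    d->offset = 0;
    d->running = 0xFFFFFFFFu;
    d->cycles_used = 0;
}

/* Called once per processing cycle. The cycle counter is the completion
 * monitor: a pass that has not produced a verdict within the budget is
 * reported as an overrun, and that fault latches until the diagnostic is
 * re-initialised (mirroring an alarm that stays up until cleared). */
diag_status_t crc_diag_cycle(crc_diag_t *d) {
    if (d->cycles_used >= d->cycle_budget) {
        return DIAG_FAIL_CYCLE_OVERRUN;
    }
    d->cycles_used++;
    size_t n = d->len - d->offset;
    if (n > d->chunk) n = d->chunk;
    d->running = crc32_update(d->running, d->image + d->offset, n);
    d->offset += n;
    if (d->offset < d->len) {
        return DIAG_RUNNING;
    }
    uint32_t computed = d->running ^ 0xFFFFFFFFu;
    d->offset = 0; d->running = 0xFFFFFFFFu; d->cycles_used = 0; /* next pass */
    return computed == d->release_crc ? DIAG_PASS : DIAG_FAIL_CRC_MISMATCH;
}

/* Run cycles until the pass yields a verdict (demonstration wrapper). */
diag_status_t check_image(const uint8_t *image, size_t len, uint32_t release_crc,
                          size_t chunk, uint32_t cycle_budget) {
    crc_diag_t d;
    diag_status_t s;
    crc_diag_init(&d, image, len, release_crc, chunk, cycle_budget);
    do {
        s = crc_diag_cycle(&d);
    } while (s == DIAG_RUNNING);
    return s;
}

int main(void) {
    /* Constructed 9-byte "image" whose CRC-32 is the standard check value. */
    const uint8_t good[] = "123456789";
    const uint8_t bad[]  = "123456780";   /* one byte altered */
    const uint32_t release_crc = 0xCBF43926u;
    printf("intact, in budget:   %d\n", check_image(good, 9, release_crc, 4, 3)); /* 1 = PASS */
    printf("corrupted image:     %d\n", check_image(bad, 9, release_crc, 4, 3));  /* 2 = MISMATCH */
    printf("intact, over budget: %d\n", check_image(good, 9, release_crc, 4, 2)); /* 3 = OVERRUN */
    return 0;
}
```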

[ ]a,c

In summary, the elimination of SRs by crediting self-diagnostics meets the underlying NRC regulations.

Although some of these standards/guidance documents assume a testing program is in place (which will continue to be the case for some items related to the CPCS), others allow for exceptions to testing given that designated criteria justifying the change are met. This appendix will demonstrate that the self-diagnostics being credited in lieu of an SR are adequate, which will make some SRs unnecessary.

Therefore, the intent of the standards/regulations will be met even when SRs are eliminated.

B.3 INTRODUCTION TO COMMON Q SELF-DIAGNOSTICS

B.3.1 Overview

There are two types of self-diagnostics which are used to detect faults in the CPCS. These are:

AC160 Platform Self-Diagnostics - implemented in hardware and firmware by the equipment manufacturer (ABB).

Application Self-Diagnostics - software designed specifically by Westinghouse for the CPCS application.

B.3.1.1 AC160 Platform Self-Diagnostics

The AC160 platform self-diagnostics have been designed, implemented, design tested, configuration controlled and produced under the same processes as the AC160 equipment that implements the CPCS safety functions. Westinghouse has subjected this equipment to equipment qualification testing and uses the same quality processes to commercially dedicate, assemble, and test this equipment as the other CPCS safety equipment, since most of the platform self-diagnostics are integral to the equipment that performs the safety functions. This platform software qualification was done for the Oskarshamn 1 RPS Modification (O1 MOD) Project, and summarized in MOD 97-7771, Final Quality Assessment and Justification Report (Reference 45). This report summarizes the methodologies and results of qualification activities for the AC160 for use as a Category A I&C system (synonymous with Class 1E in the U.S.) for the O1 MOD project. The results of this report were discussed with the NRC staff during the licensing of the Common Q platform. The NRC also reviewed this document as part of their review of LAR 19-001 for Vogtle 3&4 (Reference 42).

MOD 97-7771 (Reference 45) references MOD 97-3184, Qualification of Category A I&C Self Supervision and Test Functions FMEA (Reference 46). This report postulates failures of the platform self-supervision and documents their effects. Section 6 of this reference summarizes the results of self-supervision FMEA.

The platform is described in WCAP-16097-P-A (Reference 4). Section 5.4 of WCAP-16097-P-A describes system diagnostics including the passive monitoring that includes the use of self-diagnostics and the MTP/OM to monitor system operation and provide indication of detected faults. This topical report has been reviewed and approved by the NRC.

B.3.1.2 Guaranteed Completion of AC160 Self-Diagnostics

[ ]a,c

[ ]a,c

B.3.1.3 Application Self-Diagnostics

The application self-diagnostics of the CPCS will be developed, implemented, and subjected to Independent Verification & Validation (IV&V) under the processes described in WCAP-16096-P-A, Software Program Manual for Common Q Systems, (Reference 6) which has been reviewed and approved by the NRC.

B.3.1.4 Self-Diagnostic Online Testing

There are two PM646A Processor Module self-diagnostics that provide on-line self-testing. These are the [ ]a,c both of which are discussed in the Common Q platform topical report (Reference 4). These diagnostics include on-line self-testing to verify that these diagnostics are performing as designed.

Since the platform self-diagnostics are embedded in the safety system equipment, it is not feasible to periodically test these functions without significant disassembly of the equipment and the use of specialized test equipment, which would compromise the integrity of the safety system equipment being tested in this manner. The evaluations of the self-diagnostics that are described and evaluated in this appendix have shown that there are multiple self-diagnostics with a level of diversity for the detection of each postulated fault.

B.3.1.5 Single Failure Criteria

In evaluating the single failure criteria, it is necessary to consider single failures together with all other identifiable, but non-detectable failures that may be present in the system. In the current regulatory framework, failures not detected by self-diagnostics are expected to be detected by a surveillance test.

With the methodology for eliminating SRs within this appendix, the diagnostics must cover these postulated failure modes. This is done by starting with the Waterford-3 CPCS FMEA (WNA-AR-00909-CWTR3, Failure Mode and Effects Analysis for the Core Protection Calculator System, Reference 39), which shows that the CPCS is single failure tolerant. The Failure Modes, Effects, and Diagnostics Analyses (FMEDAs) listed in Section B.6 are based mostly on the failure modes outlined in SV0-PMS-AR-001, Protection and Safety Monitoring System Technical Specification Surveillance Requirement Elimination (Reference 43), which contains the underlying analysis for Vogtle 3&4 LAR 19-001 (Reference 42). These tables demonstrate diagnostic coverage for the aforementioned failure modes. By doing so, it is established that the CPCS will still be single failure tolerant. Note that the Waterford-3 CPCS FMEA (Reference 39) was compared with the FMEDAs listed in Section B.6 to ensure that the failure modes outlined in these tables are bounding.

B.3.2 Qualification of AC160 Self-Diagnostics

B.3.2.1 Platform Differences Since Initial NRC Review and Palo Verde CPCS

The only module that was not used in the Oskarshamn Reactor Protection System (the basis for the original NRC review) or the Palo Verde CPCS, but is used in the Waterford-3 CPCS configuration and is included in this analysis, is the AI688 analog input module. This module was reviewed by the NRC in 2019 via topical report WCAP-16097-P-A (Reference 4). The results of this report were discussed with the NRC staff during the licensing of the Common Q platform. This module was also included in the NRC staff review of LAR 19-001 for Vogtle 3&4 (Reference 42).

The PM646A firmware has changed since the original qualification (based on the Oskarshamn Reactor Protection System) and since the Palo Verde CPCS. Both installations used PM646A firmware version 1.3/4. There have been improvements to the diagnostic functions since this version, which are credited in this report. For example, in PM646A version 1.3/4 it is not possible to store setpoint data onto the PM646A Flash Programmable Read-only Memory (FPROM). This is now a feature of the PM646A firmware and is described in the Common Q Topical Report WCAP-16097-P-A (Reference 4). As a result, an alternate method of verifying that the setpoints have not inadvertently changed is deployed for use in some Common Q based safety systems. This method of verifying setpoints is described in WCAP-16097-P-A (Reference 4), which was reviewed and approved by the NRC staff.

It is important to note that the NRC staff reviewed PM646A firmware version 1.3/9 for the Vogtle 3&4 LAR 19-001 (Reference 42). Although the WF3 CPCS is using version 1.3/11, the differences between the two revision levels have no impact on this report (except for an improved version of the overload and high-load self-diagnostics, see PS-9 and PS-10 in Table B.5-1).

B.3.2.2 Southern Nuclear Company LAR 19-001

Southern Nuclear Company (SNC) submitted a Licensing Amendment Request (LAR) (ML19084A309, Vogtle Electric Generation Plant Units 3 and 4 - Request for Licenses Amendment Regarding Protection and Safety Monitoring System Surveillance Requirement Reduction Technical Specification Revision (LAR 19-001), Reference 42) for the Vogtle 3&4 AP1000 Nuclear Power Plants in 2019 which involved crediting the PMS (Safety I&C System based on Common Q) self-diagnostics to eliminate Tech Spec SRs. Many of the diagnostics tables and FMEDAs, which were accepted by the NRC, were used within this appendix. In their Safety Evaluation Report (ML19297D159, Reference 49), the NRC staff made the following statements regarding crediting PMS (Common Q and CIM self-diagnostics) for eliminating TS SRs.

Benefits of Self-diagnostics vs. Manual Testing: The NRC staff agreed with the position that the method of crediting self-diagnostics reduces risks associated with manual testing. Specifically, the staff states in the SER that, "The current manual SRs require the PMS division under test to be in bypass mode resulting in less than full redundancy. Whereas, the PMS self-diagnostic functions execute continuously and do not require the PMS channel under test to be bypassed. In addition, automatic self-diagnostic minimizes risks associated with potential human errors in performing manual surveillance tests. Considering these factors, the NRC staff concludes that the removal of manual SRs for the channel check, COT, ALT, and ALOT could potentially reduce the risk associated with the PMS manual surveillance testing." Note that COT, ALT, and ALOT are PMS surveillances that together cover the protection path for trip signals (similar to the Channel Functional Tests).

Qualifications of Self-diagnostics: The NRC staff reviewed various aspects of the self-diagnostics including the qualification and documentation relating to these functions. The qualifications of these self-diagnostic functions, which are documented within this appendix, were found to be acceptable. Within the SER, the NRC staff stated, "the staff finds that Common-Q diagnostic functions credited in the SNC LAR, were developed, tested, qualified, and will be maintained using rigorous processes in accordance with Appendix B requirements, and provide reasonable assurance for the detection of platform-level faults for the Common-Q based PMS."

Adequacy of Self-diagnostics for Detecting Faults: The NRC staff agreed that the Common Q and application self-diagnostics are an adequate substitute for manual surveillance testing. Specifically, the SER states, "the staff concludes that the self-diagnostic functions are able to detect most PMS hardware faults, and are designed to initiate a division fault alarm to alert the operator to respond as directed by the alarm response procedure. The self-diagnostics continuously assess the health of all digital processor and communication components and are therefore substantially more effective in detecting hardware faults than are the PMS manual surveillances currently specified for detecting hardware faults by exercising each safety logic pathway."

B.3.2.3 Conclusion on Qualification Status of Diagnostics

In summary, the AC160 diagnostics were commercially dedicated to the same standards as the rest of the AC160 system software and have been reviewed by the NRC staff in their application to justify eliminating and extending surveillance test frequencies.

B.4 CPCS CHANNEL FAULT INDICATION/ANNUNCIATION PATH

Annunciation is necessary to alert operators when a fault is detected by self-diagnostics within the CPCS.

There are multiple ways that the operator can be informed of a CPCS fault. These are:

[ ]a,c

There are various alarm signals that are generated from the CPC and CEAC processors, some of which are used to indicate a fault within the system. These alarms are indicated on the OMs and MTPs (as described in Section 3.2.7.2.12), as well as transmitted to the MCR for annunciation via the Interposing Relay Panel. The following alarms (described in more detail within WNA-DS-04517-CWTR3, Reference 21) indicate a fault within the CPCS that requires the attention of operations:

[ ]a,c

The AC160 platform and application software self-diagnostics function to detect these conditions which generate the aforementioned alarms. When this occurs, the alarm signal is sent from the corresponding CPC or CEAC to the [ ]a,c These paths are shown in Figure B-1 below.

a,c Figure B-1. Channel Fault Indication and Alarm Paths

Indication and Alarm Path FMEDAs

[ ]a,c

Table B.4-1. Annunciation Path FMEDAs a,c

CPCS Annunciation via the IRP

[ ]a,c

MTP and OM Diagnostics and Indication

[ ]a,c

CEAPD and PMC Interface

[ ]a,c

Summary

The annunciation of CPCS faults is assured by self-diagnostics for the entire communication path (with the exception of the DO625 and IRP outputs, which will still be cycled via the CPCS Output Test). These diagnostics are sufficient to replace the need to test the annunciation features previously performed during surveillance testing.

B.5 SELF-DIAGNOSTIC FUNCTIONS

Section B.6 of this appendix contains the FMEDA tables which demonstrate that postulated failure modes of the CPCS equipment can credit the platform/application self-diagnostics to eliminate TS surveillance testing. The diagnostics being credited to cover these failure modes are contained within the various tables within this section, and are distinguished by the Common Q equipment (or application software) that the self-diagnostics reside in.

It is important to note that there is more than one self-diagnostic capable of detecting each failure mode within the FMEDA tables within Section B.6, due to the sequential processing of digital functions. This characteristic of a digital system provides multiple lines of fault detection for postulated failures. There are levels of diversity between self-diagnostics detecting failures on the equipment in which the platform software is included and the self-diagnostics on equipment that is monitoring the component where the failure is postulated. There is also diversity provided between the self-diagnostics within the platform software, and those which are implemented in the application software.

B.5.1 AC160 Self-Diagnostics

The AC160 platform self-diagnostics are implemented in the hardware and firmware of the platform equipment. In the same manner as all the other platform equipment, the self-diagnostic functions have been designed, implemented, tested and configuration controlled by the platform equipment supplier and have been commercially dedicated by Westinghouse consistent with Westinghouse's Commercial Grade Dedication process. The platform self-diagnostics have a large installed base in Nuclear Power Plants in the U.S., South Korea, China, and Europe.

[ ]a,c

The platform self-diagnostics are described in the tables below. These tables were derived from the Vogtle 3&4 LAR 19-001 (Reference 42). To simplify the self-diagnostic evaluation, each type of platform self-diagnostic to be used within this analysis is assigned a designator for the platform equipment where it has a primary self-diagnostic function. The self-diagnostic designators are:

PS-N, where PS refers to the Processing Section of the PM646A processor module and N is the line number for a specific diagnostic (see Table B.5-1).

CS-N, where CS refers to the Communication Section of the PM646A processor module and N is the line number for a specific diagnostic (see Table B.5-2).

CI-N, where CI refers to the CI631 communications module and N is the line number for a specific diagnostic (see Table B.5-3).

B-N, where B refers to the BIOB and N is the line number for a specific diagnostic (see Table B.5-4).

AI-N, where AI refers to the AI688 analog input cards and N is the line number for a specific diagnostic (see Table B.5-5).

DP-N, where DP refers to the DP620 pulse input cards and N is the line number for a specific diagnostic (see Table B.5-6).

[ ]a,c

Additional information on the AC160 platform self-diagnostics is provided in WCAP-16097-P-A (Reference 4) and GBRA095801, AC160 Product Specification for AP1000 PMS, (Reference 47). It is also worth noting that GIC-SSP-FSD-19-005, Evidence of Documentation for AC160 Platform Diagnostics (Reference 48), which is cited in the tables below (and provides details regarding the documentation of testing performed on AC160 diagnostics), was created for a separate analysis. However, this document still applies to this analysis since the diagnostics listed in the tables within this section are contained within GIC-SSP-FSD-19-005. The NRC staff reviewed the aforementioned documents as part of their review of LAR 19-001 for Vogtle 3&4 (Reference 42).

Table B.5-1. PM646A Processing Section (PS) Diagnostic Table a,c

Table B.5-2. PM646A Communication Section (CS) Diagnostic Table a,c

Table B.5-3. CI631 Communication Module Diagnostic Table a,c

Table B.5-4. Backplane I/O Bus (BIOB) Diagnostic Table a,c

Table B.5-5. Analog Input Module (AI688) Diagnostic Table a,c

Table B.5-6. Digital Pulse Module (DP620) Diagnostic Table a,c

B.5.2 Application Diagnostics

The application software contains self-diagnostic functions that are carried out within the CPC and CEAC PMs as well as the OM and MTP. There are many self-diagnostic functions that monitor the system for errors [ ]a,c

[ ]a,c

B.6 FAILURE MODES, EFFECTS, AND DIAGNOSTIC ANALYSES

The evaluations of the suitability of the self-diagnostics to replace the manual Tech Spec SRs are documented by the FMEDA Tables within this section (one table for each CPCS component that is currently covered by manual surveillances). The FMEDAs use the failure modes outlined in SV0-PMS-AR-001, Protection and Safety Monitoring System Technical Specification Surveillance Requirement Elimination (Reference 43) as a basis (except for Tables B.6-6 and B.6-7, which were derived within this analysis). For each fault postulated in Reference 43 relating to the CPCS components within the FMEDA tables, the self-diagnostics capable of detecting the type of fault are identified. Additionally, the WF3 CPCS application-specific FMEA (WNA-AR-00909-CWTR3, Reference 39) was analyzed to ensure all failure modes associated with the LPD/DNBR trip paths were enveloped by those within the FMEDA tables in Reference 43 (and Tables B.6-6 and B.6-7 which were constructed in this analysis). Where there was not overlapping coverage, the failure mode from Reference 39 was added to the FMEDA tables within this section with a note denoting that it is not from the application-specific FMEA. The following FMEDA tables were developed:

PM646A FMEDA - Table B.6-1
BIOB FMEDA - Table B.6-2
CI631 FMEDA - Table B.6-3
AI688 FMEDA - Table B.6-4
DP620 FMEDA - Table B.6-5
DO625 FMEDA - Table B.6-6
IRP FMEDA - Table B.6-7

The module FMEDA tables document the evaluation of diagnostic coverage for postulated module faults.

The format of the FMEDA tables is as follows.

[ ]a,c

[ ]a,c

Table B.6-1 PM646A Processing Module FMEDA a,c

Table B.6-2 BIOB FMEDA a,c

Table B.6-3 CI631 Communications Module FMEDA a,c

Table B.6-4. Analog Input Modules (AI688) FMEDA a,c

Table B.6-5. Digital Pulse Module (DP620) FMEDA a,c

Table B.6-6. Digital Output Module (DO625) FMEDA a,c

Table B.6-7. Interposing Relay Panel (IRP) FMEDA a,c

B.7 TECHNICAL SPECIFICATION SURVEILLANCE REQUIREMENT MAPPING

The general approach to showing that TS SRs can be eliminated can be summarized as follows:

The Common Q components (and the IRP) that are tested by current manual Tech Spec SRs are identified.

The failure modes for these components are identified (see FMEDAs in Section B.6).

The platform and application software self-diagnostics are then mapped to the failure modes (see FMEDAs in Section B.6).

If all failure modes for all components within the test envelope of the current manual Tech Spec SRs are covered by the Common Q self-diagnostics or an existing test, then that surveillance test can be eliminated as a requirement for the CPCS based on the Common Q platform.

There are some deviations from this general methodology when the analysis involves response time testing. These deviations are described in more detail within the corresponding sub-section within Section B.7.3. Section B.7.1 contains the analysis for the elimination of SR 4.3.1.1 (Channel Functional Testing of the CPCS portion of the SR), Section B.7.2 contains the analysis for the elimination of SR 4.3.1.3 (CPCS portion of RTT SR), and Sections B.7.3 - B.7.5 contain the justifications behind the elimination of SRs 4.3.1.4 - 4.3.1.6 respectively.

B.7.1 CPCS Channel Functional Test SR Elimination

The CPC and CEAC subracks are required to be tested [ ]a,c

[ ]a,c

B.7.1.1 CPCS Output Test Surveillance Frequency

[ ]a,c

Table B.7-1 [ ]a,c a,c

[ ]a,c

B.7.1.2 Channel Functional Test Elimination Conclusion and Additional Considerations

Based on the above analysis, the Channel Functional Test SRs performed on the CPCS can be eliminated.

Furthermore, there are two additional items worth discussing.

[ ]a,c

A Channel Check to review that these screens contain no alarms verifies that the system is functioning correctly.

B.7.2 CPCS RTT SR Elimination

The foundation for the RTT SR elimination analysis consists of the following two notions:

The system and application diagnostics that are being credited in this report to eliminate other SRs in this appendix, although only designed to test the operability of the system, would still capture failures of the CPCS that would result in slower response times.

Portions of the CPCS actuation paths are tested under other SRs not eliminated within this appendix.

Based on these, only failures that cause a response time delay, but have no functional effect on the component, will be considered. These failures are those that will either affect the CONTRM (i.e., the control module structure PC element used for execution control of modules within a PC program) cycles in the PMs or are hardware failures that result in response time delays. Therefore, to eliminate RTT SRs, it must be demonstrated that both the CONTRM cycle time and the hardware are covered by diagnostics.

NOTE: The following two assumptions were made during the development of this section:

1. The excore nuclear instrumentation processing equipment can be response time tested independently of the CPCS.
2. The scope of RTT for the LPD and DNBR trips begins at the input modules to the CPCS and ends at the output to the PPS.

B.7.2.1 Methodology

The methodology to be used to eliminate RTT is as follows:

1. Determine all RTT paths tested under WF3 TS (Reference 20) SR 4.3.1.3 related to the CPCS:
a. Table 4.3-1, Function 9 Low Power Density - High
b. Table 4.3-1, Function 10 DNBR - Low
c. Table 4.3-1, Function 14 Core Protection Calculators
d. Table 4.3-1, Function 15 CEA Calculators
Once all paths are determined, the scope of the components that make up the functional paths for response time testing can be determined.
2. Analyze the components identified in Step 1 for potential failures that could generate delays in response time. For identified failures, diagnostics will be discussed which will be credited to ensure the response time will not continue to degrade to a point that would be qualitatively worse than the current frequency of checking the response time of the system (any given division is only response time tested every 4th refueling outage). This will be done by analyzing the components in three groups:
a. Input Modules
b. Processing and Communication Components
c. Output Modules

This captures the subrack portion of the actuation paths, which constitutes the scope of this SR elimination task. This methodology and most of the analysis that follows is derived from the RTT elimination portion of SNC LAR 19-001 (Reference 42). The NRC staff reviewed that analysis for the Vogtle 3&4 PMS and provided the following conclusion in their SER (ML19297D159, Reference 49): "the NRC staff finds the methodology presented in the LAR for use of PMS racks allocated times acceptable because it satisfies the applicable requirements of 10 CFR 50.55a(h)." It is important to note that although RTT of the PMS rack was eliminated from the Vogtle 3&4 TS, the SRs remain as a result of this effort. This was an implementation decision since the SRs cover more than just the PMS rack. Within the WF3 TS, the RTT SR applicable to the CPCS (SR 4.3.1.3) invokes the CPCS via Table 4.3-1. Therefore, this Appendix will eliminate the CPCS portion of the RTT SR by explicitly stating within SR 4.3.1.3 that the CPCS is excluded from being applicable to the SR.

B.7.2.2 Response Time Paths

In order to eliminate the RTT SRs related to the CPCS (identified in methodology step 1), the components that comprise the trip paths need to be determined. Table B.7-2 provides the list of components that need to be analyzed per the identified paths, using Figure 3.2-1 and the detailed architecture described in the WF3 CPCS SyRS (WNA-DS-04517-CWTR3, Reference 21).

Table B.7-2. CPCS Components within Scope of TS RTT SR

Type of Component          CPCS Rack Components within SR Paths
Input Modules              AI688, DP620
Processing/Communication   PM646, BIOB, CI631, HSL
Output Modules             DO625, IRP (Note 1)

Note:

1. The IRP does not contain Common Q components but is part of the CPCS portion of the LPD/DNBR trip paths and thus included in this analysis.

B.7.2.3 Input Module Analyses

Input Module Scope

The input modules utilized within the RT actuation paths are listed below, along with a synopsis as to whether they should be included in the RTT elimination analysis.

1. AI688 Input Modules - The AI688 is a high-level analog input module used in the CPCS to process 4-20 mA, 0-10 VDC and 0-1 VDC inputs. [ ]a,c

[

]a,c

2. DP620 Input Module - The CPCS uses the frequency measurement mode for Reactor Coolant Pump Shaft Speed Sensing System inputs. [

]a,c

AI688 Analysis

[

]a,c

DP620 Analysis

The FMEDA for this type of input device is defined in Table B.6.5 Digital Pulse Module (DP620) FMEDA. [

]a,c

Input Filter Analysis

An important consideration is that the aforementioned input cards contain [

]a,c

[

]a,c Time-degradation of capacitors causes the capacitance of the devices to decrease over time [

]a,c

B.7.2.4 Processing/Communication Component Analysis

Processing/Communication Component Scope

Processing within the CPC and CEAC racks is performed within the PM646A processing modules. These modules communicate with each other via the BIOB and the CI631 (which contains the Global Memory for the subrack). Communication from subrack to subrack is done via HSLs. The components that comprise the Processing/Communication portions of the RTT SR paths are summarized below, along with a synopsis as to whether they should be included in the RTT elimination analysis.

1. PM646A Processing Module - Component failures that do not result in a functional failure captured by diagnostics used to eliminate other SRs [

]a,c

2. CI631 Communication Module - The Global Memory stored on the CI631 is used to share information among PMs. [

]a,c

3. Backplane I/O Bus (BIOB) - The backplane connects the PMs with the CI631 and I/O modules.

[

]a,c

4. High-Speed Link (HSL) - [

]a,c

[

]a,c

PM646A Analysis

The FMEDA for this device is defined in Table B.6-1 PM646A Processing Module FMEDA. [

]a,c

CI631 Analysis

The FMEDA for this device is defined in Table B.6-3 CI631 Communications Module FMEDA. [

]a,c

B.7.2.5 Output Module Analysis

The only Common Q based output module used in the protection path of the CPCS is the DO625. This module has 16 solid-state output channels. [

]a,c

Similarly, the IRP is included in the output module analysis since it is included in the CPCS response time paths due to the interface it provides between the CPCS and the PPS. [

]a,c

B.7.3 CEA Isolation Amplifier and Optical Isolator Operability (SR 4.3.1.4 Elimination)

The existing CPCS contains isolation amplifiers and optical isolators between the CEAC and the CPC racks. These will no longer exist in the Common Q implementation of the CPCS, resulting in this surveillance no longer having any applicability in the WF3 TS. Therefore, this SR can be eliminated.

B.7.4 CPC and CEAC Operability (SR 4.3.1.5 Elimination)

Determining operability by verifying the auto-restart count of the CPCS doesn't apply to the Common Q platform. [

]a,c

B.7.5 CPCS Operability Following High Temperature Alarm (SR 4.3.1.6 Elimination)

[

]a,c

B.8 CONCLUSIONS

The evaluations within Sections B.7.1 - B.7.5 show that the respective surveillances analyzed can be eliminated based on the AC160 platform and application software self-diagnostic functions, as well as overlapping test coverage and, in some cases, the Common Q architecture. This is summarized as follows:

1. SR 4.3.1.1 (Channel Functional Testing of the CPCS portion of the SR) - The channel functional tests for the LPD and DNBR trip functions are no longer required based on the ability of self-diagnostic functions to detect failures within the trip path, [

]a,c

2. SR 4.3.1.3 (CPCS portion of the SR) - Response time testing of the CPC/CEAC racks and related functions is no longer required. This includes the LPD/DNBR trip path portion of the IRP which is included in Section B.7.2.5.
3. SR 4.3.1.4 (CEA Isolation Amplifier and Optical Isolator Operability SR) - This SR was tailored to a feature of the legacy CPCS architecture which will no longer exist in the Common Q CPCS implementation. As a result, this SR is no longer required.
4. SR 4.3.1.5 - This SR was dependent on the legacy CPCS auto-restart feature that does not exist in the Common Q CPCS [ ]a,c. As a result, this SR is no longer required to ensure operability of the CPCS, since self-diagnostics are credited to confirm operability of the system.
5. SR 4.3.1.6 - This SR is no longer required to ensure operability of the CPCS after receipt of a high-cabinet temperature alarm [

]a,c.



Enclosure 3 W3F1-2021-0051 Westinghouse Affidavit CAW-21-5197, Proprietary Information Notice, and Copyright in support of WCAP-18484-P, Revision 1, (Enclosure 1)

(3 Pages)

Westinghouse Non-Proprietary Class 3 CAW-21-5197 Page 1 of 3

COMMONWEALTH OF PENNSYLVANIA:

COUNTY OF BUTLER:

(1) I, Jill S. Monahan, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2) I am requesting the proprietary portions of WCAP-18484-P, Revision 1 be withheld from public disclosure under 10 CFR 2.390.

(3) I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4) Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii) The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouse's knowledge, is not available in public sources.

(iii) Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a document should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

      • This record was final approved on 6/25/2021 9:22:52 AM. (This statement was added by the PRIME system upon its validation)

(5) Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.


(6) The attached documents are bracketed and marked to indicate the bases for withholding. The justification for withholding is indicated in both versions by means of lower-case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower-case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (5)(a) through (f) of this Affidavit.

I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on: [date illegible in scan]

Jill S. Monahan, Manager eVinci Modeling and Analysis


Enclosure 4 W3F1-2021-0051 Technical Specification Page Markup TS Page 6-14

1 Page of INSERTS

ADMINISTRATIVE CONTROLS

6.6 NOT USED

6.7 NOT USED

6.8 PROCEDURES AND PROGRAMS

6.8.1 Written procedures shall be established, implemented and maintained covering the activities referenced below:

a. The applicable procedures recommended in Appendix A of Regulatory Guide 1.33, Revision 2, February 1978 and Emergency Operating Procedures required to implement the requirements of NUREG-0737 and NUREG-0737, Supplement 1, as stated in Generic Letter 82-33.
b. Refueling operations.
Replace with INSERT K
c. Surveillance and test activities of safety-related equipment.
d. Not used.
e. Not used.
f. Not used.
g. Modification of Core Protection Calculator (CPC) Addressable Constants, including independent verification of modified constants.

NOTES:

(1) Modification to the CPC addressable constants based on information obtained through the Plant Computer - CPC data link shall not be made without prior approval of the On-Site Safety Review Committee.

(2) Modifications to the CPC software (including algorithm changes and changes in fuel cycle specific data) shall be performed in accordance with the most recent version of CEN-39(A)-P, "CPC Protection Algorithm Software Change Procedure," that has been determined to be applicable to the facility.

Additions or deletions to CPC Addressable Constants or changes to Addressable Constant software limit values shall not be implemented without prior NRC approval.

h. Administrative procedures implementing the overtime guidelines of Specification 6.2.2e., including provisions for documentation of deviations.
i. PROCESS CONTROL PROGRAM implementation.

WATERFORD - UNIT 3 6-14 AMENDMENT NO. 5, 61, 63, 100, 109, 152, 188, 248

INSERT K

g. Modification of core protection calculator (CPC) addressable constants.

These procedures shall include provisions to ensure that sufficient margin is maintained in CPC type I addressable constants to avoid excessive operator interaction with CPCs during reactor operation.

Modifications to the CPC software (including changes of algorithms and fuel cycle specific data) shall be performed in accordance with the most recent version of WCAP-16096-P-A, "Software Program Manual for Common QTM Systems," which has been determined to be applicable to the facility. Additions or deletions to CPC addressable constants or changes to addressable constant software limit values shall not be implemented without prior NRC approval.

Enclosure 5 W3F1-2021-0051 Clean Technical Specification Page: TS Page 6-14

ADMINISTRATIVE CONTROLS

6.6 NOT USED

6.7 NOT USED

6.8 PROCEDURES AND PROGRAMS

6.8.1 Written procedures shall be established, implemented and maintained covering the activities referenced below:

a. The applicable procedures recommended in Appendix A of Regulatory Guide 1.33, Revision 2, February 1978 and Emergency Operating Procedures required to implement the requirements of NUREG-0737 and NUREG-0737, Supplement 1, as stated in Generic Letter 82-33.
b. Refueling operations.
c. Surveillance and test activities of safety-related equipment.
d. Not used.
e. Not used.
f. Not used.
g. Modification of core protection calculator (CPC) addressable constants.

These procedures shall include provisions to ensure sufficient margin is maintained in CPC type I addressable constants to avoid excessive operator interaction with CPCs during reactor operation.

Modifications to the CPC software (including changes of algorithms and fuel cycle specific data) shall be performed in accordance with the most recent version of WCAP-16096-P-A, "Software Program Manual for Common QTM Systems," which has been determined to be applicable to the facility. Additions or deletions to CPC addressable constants or changes to addressable constant software limit values shall not be implemented without prior NRC approval.

h. Administrative procedures implementing the overtime guidelines of Specification 6.2.2e., including provisions for documentation of deviations.
i. PROCESS CONTROL PROGRAM implementation.

WATERFORD - UNIT 3 6-14 AMENDMENT NO. 5, 61, 63, 100, 109, 152, 188, 248