ML24166A114

From kanterella
Revision as of 13:22, 4 October 2024 by StriderTol (talk | contribs) (StriderTol Bot change)
Jump to navigation Jump to search

Response to Requests for Additional Information (RAIs 15 Through 23) for License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems
ML24166A114
Person / Time
Site: Limerick  Constellation icon.png
Issue date: 06/14/2024
From: David Helker
Constellation Energy Generation
To:
Office of Nuclear Reactor Regulation, Document Control Desk
Shared Package
ML24166A113 List:
References
EPID L-2022-LLA-0140 LIM-24-085-NP, Revision 2
Download: ML24166A114 (1)
v  d  e


Text

200 Exelon Way Kennett Square, PA 19348 www.ConstellationEnergy.com

ATTACHMENTS 1 and 4 TRANSMITTED HEREWITH CONTAIN PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390

10 CFR 50.90

June 1 4, 2024

U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 ATTN: Document Control Desk

Limerick Generating Station, Units 1 and 2 Renewed Facility Operating License Nos. NPF-39 and NPF-85 NRC Docket Nos. 50-352 and 50-353

Subject:

Response to Requests for Additional Information (RAIs 15 through 23) for License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety -Related Analog Control Systems with a Single Digital Plant Protection System (PPS)

References:

1. Constellation Energy Generation, LLC (CEG) letter to the U.S. Nuclear Regulatory Commission (NRC), "License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS)," dated September 26, 2022 (NRC Agencywide Documents Access and Management System (ADAMS) Accession No. ML22269A569).
2. Constellation Energy Generation, LLC (CEG) letter to the U.S. Nuclear Regulatory Commission (NRC), "Resubmittal of License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS) - To Address Proprietary Issues with INL HFE Reports," dated September 12, 2023 (ADAMS Accession No. ML23255A095)
3. Email from Robert Kuntz, U.S. Nuclear Regulatory Commission to Francis Mascitelli, Constellation Energy Generation, LLC, Limerick Generating Station, Units 1 and 2 - Request for Additional Information Regarding Limerick Digital Instrumentation and Controls License Amendment Request (EPID L-2022-LLA -0140), dated May 13, 2024

In accordance with 10 CFR 50.90, Constellation Energy Generation, LLC (CEG) requested a License Amendment Request (LAR) to replace the Limerick Generating Station, Units 1 and 2 existing safety-related analog control systems with a single digital Plant Protection System (PPS) (Reference 1).

ATTACHMENTS 1 and 4 TRANSMITTED HEREWITH CONTAIN PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390.

When separated from Attachments 1 and 4, this cover letter is decontrolled.

Limerick DMP LAR RAIs 15 through 23 Response Docket Nos. 50-352 and 50-353 June 14, 2024 Page 2

ATTACHMENTS 1 AND 4 TRANSMITTED HEREWITH CONTAIN PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390

In Reference 2, CEG submitted a LAR supplement that replaced in its entirety the original license amendment request, dated September 26, 2022. CEG replaced the original submittal to address issues associated with proprietary/non-proprietary information.

In Reference 3, the NRC notified CEG that additional information is needed to complete its review of the Reference 2 submittal.

to this letter contains the proprietary W estinghouse Electric Company (WEC)

LIM-24-0 85-P, Revision 2, Limerick Units 1 and 2 D igital Modernization Project, Component Interface Module (CIM) Request for Additional Information (RAI) - Round 2. (Response to RAIs 15, 16, 17, 18, 19, 20.f, 21, 22, 23) to this letter contains the non-proprietary WEC LIM 085-N P, Revision 2, Limerick Units 1 and 2 Digital Modernization Project, Component Interface Module (CIM)

Request for Additional Information (RAI) - Round 2. (Response to RAIs 15, 16, 17, 18, 19, 20.f, 21, 22, 23) to this letter contains the WEC proprietary affidavit, CAW-24-033, Revision 0, for Attachment 1.

to this letter contains the proprietary CEG response to the Request for Additional Information for RAI 20.a, b, c, d and e. No CEG proprietary affidavit is required as the NRC question and CEG response contain previously WEC-identified proprietary information.

contains the non-p roprietary CEG response to the Request for Additional Information for RAI 20.a, b, c, d, and e.

contains the affidavit signed by WEC, the owner of the proprietary information.

The affidavit sets forth the basis upon which the information may be withheld from public disclosure by the NRC, and it addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390 of the NRCs regulations. WEC requests that the WEC proprietary information contained in Attachment 1 be withheld from public disclosure in accordance with 10 CFR 2.390. Future correspondence with respect to the proprietary aspects of the application for withholding related to WEC proprietary information or the WEC affidavit provided in the applicable Attachments should reference this request letter.

CEG has reviewed the information supporting a finding of no significant hazards consideration, and the environmental consideration, which was previously provided to the NRC in the Reference 2 letter. CEG has concluded that the information provided in this RAI response does not affect the bases for concluding that the proposed license am endments do not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92. In addition, CEG has concluded that the information in this RAI response letter does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendments.

Limerick DMP LAR RAIs 15 through 23 Response Docket Nos. 50-352 and 50-353 June 14, 2024 Page 3

ATTACHMENTS 1 AND 4 TRANSMITTED HEREWITH CONTAIN PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390

This RAI response letter contains no regulatory commitments.

In accordance with 10 CFR 50.91, "Notice for public comment; State consultation,"

paragraph (b), CEG is notifying the Commonwealth of Pennsylvania of this supplemental letter by transmitting a copy of this letter to the designated State Official.

If you have any questions regarding this submittal, then please contact Frank Mascitelli at Francis.Mascitelli@constellation.com.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 14 th day of June 2024.

Respectfully,

David P. Helker Sr. Manager - Licensing Constellation Energy Generation, LLC

Attachments: 1. WEC LIM-24-0 85-P, Revision 2, Limerick Units 1 and 2 Digital Modernization Project, Component Interface Module (CIM) Request for Additional Information (RAI) - Round 2 - Proprietary

2. WEC LIM-24-0 85-NP, Revision 2, Limerick Units 1 and 2 Digital Modernization Project, Component Interface Module (CIM) Request for Additional Information (RAI) - Round 2 - Non-proprietary
3. WEC Proprietary Affidavit, CAW-24-033, Revision 0, for Attachment 1
4. CEG Response to Request for Additional Information RAI 20.a, b, c, d, and e - Proprietary
5. CEG Response to Request for Additional Information RAI 20.a, b, c, d, and e - Non-Proprietary

cc: USNRC Region I, Regional Administrator w/ attachments USNRC Project Manager, LGS "

USNRC Senior Resident Inspector, LGS "

Director, Bureau of Radiation Protection - Pennsylvania w/o attachments 1, 4 Department of Environmental Protection

Attachment 1

License Amendment Request Supplement

Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353

WEC LIM-24-085-P, Revision 2, Limerick Units 1 and 2 Digital Modernization Project, Component Interface Module (CIM) Request for Additional Information (RAI) - Round 2 - Proprietary Attachment 2

License Amendment Request Supplement

Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353

WEC LIM-24-085-N P, Revision 2, Limerick Units 1 and 2 Digital Modernization Project, Component Interface Module (CIM) Request for Additional Information (RAI) - Round 2 - Non-Proprietary Westinghouse Non-Proprietary Class 3 Westinghouse Electric Company 1000 Westinghouse Drive Cranberry Township, Pennsylvania 16066 USA

Mr. Jerry Segner Direct Telephone: (860) 731-6260 Principal Project Manager E-mail: shakunma@westinghouse.com Constellation Energy Generation, LLC Contract: 00800304 Limerick Generating Station Sales Order: 156102 3146 Sanatoga Road Our Ref: LIM-24-085-NP, Revision 2 Pottstown, PA 19464 jerry.segner@constellation.com June 11, 2024

CONSTELLATION ENERGY GENERATION LIMERICK UNITS 1 AND 2 DIGITAL MODERNIZATION PROJECT Component Interface Module (CIM) Request for Additional Information (RAI) - Round 2

Dear Mr. Segner:

The following provides Westinghouses responses to NRC RAIs 15 thru 23.

15) The proposed Plant Protection System (PPS) for Limerick includes the Component Interface Module (CIM) to interface a field component to the PPS and the Redundant Reactivity Control System (RRCS)/ Diverse Protection System (DPS). Section 3.2.5 of the Licensing Technical Report (LTR) attached to the letter dated January 26, 2024, for the Limerick Digital Modernization Project (DMP), WCAP-18598-P, Rev. 2, states that the CIM is being used as-is. This sentence implies that no modifications were necessary to the CIM described in the AP1000 design and used in Vogtle, Units 3 and 4. However, the NRC staff has found descriptions in the LTR and CIM related documents that imply that logic functions and/or features utilized in the AP1000/Vogtle are not utilized in the CIM Limerick.

Westinghouse WNA-AR-01074-GLIM-P, Defense in Depth and Diversity Common Cause Failure Coping Analysis, Revision 4, Section 2.2.1 identifies all CIM functions available in the component control logic. This section identifies that the only function to be used in the PPS are ((

)), and the other functions are not used.

The licensee submitted WCAP-17179-P, AP1000 Component Interface Module Technical Report, Revision 6, to provide detailed descriptions of the CIM. This WCAP does not describe these functions, ((

)) Further, the licensee indicated in letter dated November 29, 2022, that Section 2.6 of WCAP-17179 does not apply to Limerick, and instead the description in Section 3.2.5 in the LTR describes its operation. Section 3.2.5 of the LTR does not talk about these functions, including the (( )).

©2024 Westinghouse Electric Company LLC. All Rights Reserved

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 2 of 26 Our Ref: LIM-24-085-NP, Revision 2

The Limerick WNA-DS-04899-GLIM, PPS System Requirement Specification, Revision 4, identifies the requirements for the PPS. Requirement ((

)).

The NRC staff is reviewing the CIM information against the applicable clauses in Institute of Electrical and Electronic Engineers (IEEE) Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations (IEEE Std 603-1991). This IEEE Standard is incorporated by reference in Title 10 of the Code of Federal Regulations (10 CFR) 50.55a(h) and it establishes the minimum functional design criteria for the power, instrumentation, and control portions of nuclear power generating station safety systems. The NRC staff is evaluating compliance of the CIM with IEEE Std 603-1991 Clause 5.3, Quality, which requires that, Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program. as Additionally, as the CIM is a digital device, its design should comply with applicable positions and Sections in NRC DI&C-ISG-04, Highly Integrated Control Rooms - Communications Issues, which provides interim NRC staff guidance on the review of communications issues, or another suitable alternative to the staffs interim guidance. Therefore:

a. Define what functions and features of the CIM are and are not being used in the CIM application for Limerick.

WEC Response:

This response includes a description of the nine functions of the CIM. The first three functions listed below are related to Priority Logic, whereas the last six functions listed below are related to Component Control Logic. The PPS uses all of these functions except [

]a,c This is to ensure the DPS/RRCS commands can only move a component to the safe direction.

The descriptions below are extracted from WNA-DS-02331-GEN, Rev. 2, Component Interface Module Logic Specification:

[

]a,c

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 3 of 26 Our Ref: LIM-24-085-NP, Revision 2

[

]a,c

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 4 of 26 Our Ref: LIM-24-085-NP, Revision 2

[

]a,c

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 5 of 26 Our Ref: LIM-24-085-NP, Revision 2

b. WNA-AR-01074-GLIM-P states that ((

))

WEC Response:

[

]a,c

c. In Section 2.3.5 of the LTR, the licensee stated that ((

)), which is described in WCAP-17179-P. The NRC staff understands that the (( )) was used in AP1000 to ((

)) Identify the requirement in WNA-DS-04899-GLIM that demands this mode is not used. Also, if (( )), describe how the ((

)) would be performed.

WEC Response:

The PPS does not bring thermal overload inputs into the CIM. Instead, this logic is done in the AC160 software. Because of this, a requirement is being added to the PPS SyDS (WNA-DS-04900-GLIM) which states the following:

[

]a,c

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 6 of 26 Our Ref: LIM-24-085-NP, Revision 2

[

]a,c

16) In Table 3.2.5-2, DI&C-ISG-04, Section 3 Compliance, of the LTR, the licensee describes how the CIM addresses applicable positions on Multidivisional Control and Display Stations in Section 3 of DI&C Interim Staff Guidance (ISG) 04. In this table, the licensee description for Staff Position 3.1, item 3, mentions possible scenarios in which the ((

))

To evaluate compliance of the CIM with IEEE Std 603-1991 Clauses 5.6.3, IEEE Std 7-4.3.2 Clause 5.6, and conformance with Section 3 in of DI&C-ISG-04:

a. Identify where the licensee evaluated scenarios in which ((

))

WEC Response:

Section 4.6 of the Westinghouse WNA-AR-01074-GLIM-P, Defense in Depth and Diversity Common Cause Failure Coping Analysis, Rev. 4, summarizes the DPS controls for addressing Position 4 of the NRCs position on D3 in SRM-SECY-93-087 and BTP 7-

19. These DPS controls were evaluated to identify what diverse controls could potentially conflict with the PPS control actions. The following table summarizes the result of this evaluation:

Equipment/Components DPS Control Action PPS Control Action Potential DPS/PPS involved in the Control Conflict (Yes/No)

Action CS Loop-A Manual initiation of Auto initiation of CS No CS Loop A for core loops upon a LOCA heat removal function signal.

(Section 4.2.1), for RPV inventory control (Section 4.3)

RHR Loop-A Manual initiation for Manual initiation for No suppression pool core heat removal suppression cooling function (Section pooling, as required 4.2.1) to maintain temperature below a prescribed limit.

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 7 of 26 Our Ref: LIM-24-085-NP, Revision 2

Equipment/Components DPS Control Action PPS Control Action Potential DPS/PPS involved in the Control Conflict (Yes/No)

Action ADS SRVs Manual opening for Auto ADS SRV No core heat removal opening upon low function (Section RPV water level or 4.2.1), for RPV high drywell depressurization for pressure.

reactor coolant inventory control (Section 4.3).

Main steam line drain Manual opening for No valve (inboard, HV-041-core heat removal Manual control for

  • F016) function (Section opening.

4.2.1)

RCIC Steam Line Manual isolation of Initiation of RCIC for Yes Isolation Valve (Inboard steam supply to core inventory HV-049-*F007) RCIC due for filling of makeup, requiring the RPV for core heat steam supply removal (Section isolation valve to be 4.2.1), primary opened.

containment isolation (Section 4.4.1)

RCIC Steam Line Primary containment Automatic RCIC No Isolation Valve (Inboard isolation (Section isolation.

HV-049-*F007) 4.4.1)

HPCI Steam Line Manual isolation of Initiation of HPCI for Yes Isolation Valve (Inboard steam supply to core inventory HV-055-*F002) RCIC due for filling of makeup, requiring the RPV for core heat steam supply removal (Section isolation valve to be 4.2.1), primary opened.

containment isolation (Section 4.4.1)

HPCI Steam Line Primary containment Automatic HPCI No Isolation Valve (Inboard isolation (Section isolation HV-055-*F002) 4.4.1)

HV-041-*F022A(B,C,D), Manual isolation of Automatic isolation No Inboard MSIVs main steam lines for of reactor on low filling of the RPV for RPV water level, HV-041-*F028A(B,C,D), core heat removal low main steam Outboard MSIVs (Section 4.2.1), pressure, or high primary containment steam line flow isolation (Section 4.4.1)

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 8 of 26 Our Ref: LIM-24-085-NP, Revision 2

Equipment/Components DPS Control Action PPS Control Action Potential DPS/PPS involved in the Control Conflict (Yes/No)

Action HV-051-*F008, Primary containment Automatic No Outboard Shutdown isolation (Section containment Cooling Supply Line 4.4.1) isolation on low Isolation Valve; RPV water level.

HV-051-*F009, Inboard Shutdown Cooling Supply Line Isolation Valve; HV-051-*F015A, Outboard Shutdown Cooling Return Isolation Valve; HV-051-*F015B, Outboard Shutdown Cooling Return Isolation Valve

HV-051-*F008, Primary containment Manual operation of Yes Outboard Shutdown isolation (Section normal RHR Cooling Supply Line 4.4.1) shutdown cooling Isolation Valve; operation (suction is HV-051-*F009, Inboard taken from the Shutdown Cooling reactor and return to Supply Line Isolation the reactor).

Valve; HV-051-*F015A, Outboard Shutdown Cooling Return Isolation Valve; HV-051-*F015B, Outboard Shutdown Cooling Return Isolation Valve

HV-044-*F001, Inboard Primary containment Automatic No RWCU Supply Line isolation (Section containment Isolation Valve (primary 4.4.1) isolation on low containment isolation) RPV water level.

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 9 of 26 Our Ref: LIM-24-085-NP, Revision 2

Equipment/Components DPS Control Action PPS Control Action Potential DPS/PPS involved in the Control Conflict (Yes/No)

Action HV-051-*F017A(B,C,D), Primary containment Automatic initiation Yes Outboard LPCI isolation (Section of LPCI loops on Discharge Isolation 4.4.1) LOCA and injection Valve into the RPV requiring valves to be opened.

HV-051-*F017A(B,C,D), Primary containment Automatic LPCI No Outboard LPCI isolation (Section isolation.

Discharge Isolation 4.4.1)

Valve Reactor Enclosure Air Secondary Automatic isolation No Supply, HV-76-*07 containment isolation of secondary (Section 4.4.2) containment upon Reactor Enclosure Air high radiation.

Supply, HV-76-*08 Reactor Enclosure Ventilation Exhaust, HV-76-*57

Reactor Enclosure Ventilation Exhaust, HV-76-*58

Reactor Enclosure Equipment Compartment Exhaust, HV-76-*41

Reactor Enclosure Equipment Compartment Exhaust, HV-76-*42

The following valves are identified in the above table as having potential conflicts between DPS and PPS controls, and the mitigation for these conflicts are discussed in Table 3.2.5-2 of WCAP-18598-P, Revision 2:

RHR Shutdown Cooling Valves (HV-051-*F008, HV-051-*F009, and HV-051-

  • F015A)

LPCI Injection Valves (HV-051-*F017A/B/C/D)

HPCI and RCIC Main Steam Supply Inboard PCIVs (HV-055-*F002 and HV-049-

  • F007)
b. Section 4 of the Westinghouse WNA-AR-01074-GLIM-P, Defense in Depth and Diversity Common Cause Failure Coping Analysis, Rev. 4, describes how the proposed
      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 10 of 26 Our Ref: LIM-24-085-NP, Revision 2

PPS addresses Position 4 of the NRCs position on D3 in SRM-SECY-93-087 and BTP 7-19. This section describes the analysis performed to identify ((

)). Identify what ((

)).

WEC Response:

It is the same set as defined in 16.a.

17) Section 3.5.14.6.2 of the LTR describes how the PPS meets the requirements in IEEE Std 603 Clause 5.12.2. This section states that the CIM includes built-in diagnostics, which are described in WCAP-17179, AP1000 Component Interface Module Technical Report, Rev. 6. In letter dated November 29, 2022, the licensee indicated the portions applicable to Limerick. This letter indicated that the paragraph in Section 2.5.1.1.1 about (( )) is not applicable.

However, Section 2.2.1 of WNA-AR-01074-GLIM-P, Rev. 4, lists the ((

)). Since Section 3.2.5 of the LTR states that The CIM is being used as-is, the staff does not have a clear description of what diagnostic functions would be used in the proposed PPS.

To evaluate compliance of the CIM with IEEE Std 603-1991, Clause 5.12.2:

Identify the diagnostic functions enabled for the proposed PPS.

WEC Response:

The self-diagnostic functions for the CIM are outlined in WCAP-18641-P-A Rev. 1 as referenced in Appendix A of the Limerick DMP LTR (WCAP-18598-P Rev. 2). They are all enabled for Limerick PPS. However, due to the HARP, the CIM output Continuity Test is only applicable between the CIM and the HARP relays and is therefore not credited for any Technical Specification Surveillance Requirement Elimination (since the entirety of the circuit from the CIM to the actuating device is not detected via this diagnostic). This functionality is referenced in PPS SyDS (WNA-DS-04900-GLIM) requirements PPS-SyDS-240 and PPS-SyDS-241.

18) In multiple sections of the LTR, the licensee identifies that for the PPS it considers the CIM and High Amperage Relay Panel (HARP) part of the IEEE Std 603-1991 Execute Features. The HARP actuates high amperage loads.

In the Westinghouse document WNA-DS-04900-GLIM, Limerick Generating Station Units 1&2 Digital Modernization Project Plant Protection System System Design Specification, Rev. 6, the licensee describes the design of the PPS deriving from the system requirements. In this document, the guidance for (( )) states that ((

))

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 11 of 26 Our Ref: LIM-24-085-NP, Revision 2

To evaluate compliance of the CIM with IEEE Std 603-1991, Clause 4.2:

a. Describe the configuration and interface between the CIM and HARP. Note that the LTR and other documents docketed do not include information about the connection and configuration between the CIM and HARP.

WEC Response:

The HARP is simply an arrangement of interposing relays to interface with higher amperage loads than the CIM is capable of interfacing with. Therefore, there is no complex interface between the CIMs and the corresponding HARPs (since the HARPs are just relays between the CIM and the actuating devices). The multiple interfaces between the CIM and the HARP are dependent upon the actuating device type and the specific configuration. This interface is described in Section 3.5.9 of the Limerick DMP LTR (WCAP-18598-P Rev. 2), and examples are included in that section.

b. Identify the applicable documents that explain the integration and installation of the CIM into the Limerick application.

WEC Response:

There are multiple sets of documentation that describe the integration and installation of the CIM into the Limerick application:

The Component Interface Specification (WNA-DS-05110-GLIM) provides the configurations of the CIM in relation to the HARPs. These requirements flow through various PPS SyRS (WNA-DS-04899-GLIM) and PPS SyDS (WNA-DS-04900-GLIM) requirements and is also used as a direct input to Hardware Design. In addition, the PPS SyDS provides requirements related to the CIM for Hardware and Software Implementation.

The wiring configurations for external interfaces to the CIM are in the PPS Integrated Logic Cabinet (ILC) Internal Cabling Configuration drawing (10173D11). This would include the details of which inputs need to be jumpered as discussed in Question 15.b.

Installation of a CIM itself into the cabinet will be contained in the PPS Technical Manual (not completed).

19) Section 3.2.5 of the LTR, Component Interface Module, states that The CIM is being used as-is. In other words, the CIM product produced for AP1000 Protection and Safety Monitoring System is exactly the same CIM product used for the Limerick PPS without modification.

In the letter dated February 26, 2024, the licensee provided 17 CIM development documents applicable to the Limerick DMP. One of the 17 documents provided is Revision 22 of 6105-00053, CIM-SRNC Configuration Status Accounting (CSA). The CSA revision that is applicable to the Limerick DMP should include those CIM design and development documents (e.g., plans, procedures, specifications, design descriptions, reports), hardware, logic, tools, etc., applicable

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 12 of 26 Our Ref: LIM-24-085-NP, Revision 2

for the Limerick application, and consistent with the other 16 documents provided in the February 26, 2024, letter.

However, five of the other 16 documents the licensee provided in the February 26, 2024, letter as being applicable to the Limerick DMP are a different revision from those identified in Revision 22 of the CSA:

  • 6105-00092, CIM-SRNC IV&V Summary Report, Revision 11, was provided, but the CSA lists Revision 9.
  • 6105-60019, CIM-SRNC Software Hazards Analysis Report, Revision 4, was provided, but the CSA lists Revision 3.
  • 6105-00000, CIM-SRNC Management Plan, Revision 13 was provided, but the CSA lists Revision 12.
  • 6105-00001, CIM-SRNC Quality Assurance Plan, Revision 11 was provided, but the CSA lists Revision 10.
  • WAAP-12879, Revision 0, was provided which contains excerpts of 6105-00015, CIM-SRNC Software Program Manual, Revision 8, but the CSA lists Revision 7 of the SPM.
a. Explain if the changes made to these documents - from the revision listed in the CSA to the revision provided in the February 26, 2024, letter - resulted in changes to the CIM requirements, design, configuration, or functionality that would make the Limerick CIM different than the Vogtle/AP1000 CIM?

WEC Response:

The later revisions of these documents were applicable for Vogtle/AP1000 CIM, and therefore they are applicable to the Limerick CIM and do not represent any changes to the CIM requirements, design, configuration, or functionality that would make the Limerick CIM different than the Vogtle/AP1000 CIM.

b. Explain if there is a latter revision of the CSA (i.e., after Revision 22) that accurately reflects the documents applicable to the Limerick DMP. If there is a revision of the CSA after Revision 22, explain why Revision 22 is applicable to the Limerick CIM.

WEC Response:

There is not a later revision of the CSA document that accurately reflects the CIM documents that apply to the Limerick DMP. Towards the end of the Vogtle/AP1000 CIM project, a decision was made to stop using the CSA document to track the revision of documents. The primary reason was due to cross referencing. For example, the CSA document and V&V report (6105-00092) cross reference each other. So a revision to the CSA, would necessitate a revision to the V&V report.

20) 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants, Section (c)(3) states in part, that Each boiling water reactor must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation device.

In addition, 10 CFR 50.62 (c)(5) states that: Each boiling water reactor must have equipment to trip the reactor coolant recirculating pumps automatically under conditions indicative of an ATWS

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 13 of 26 Our Ref: LIM-24-085-NP, Revision 2

[anticipated transient without scram]. This equipment must be designed to perform its function in a reliable manner.

In WCAP-18598-P, Licensing Technical Report for the Limerick Generating Station Units 1&2 Digital Modernization Project, Revision 2, states in part, that The CIM is being used as-is. In other words, the CIM product produced for AP1000 Protection and Safety Monitoring System is exactly the same CIM product used for the Limerick PPS without modification.

In WCAP-17179-P, AP1000 Component Interface Module Technical Report, Revision 6, it states, in part:

Staff Position 3: The CIM prioritizes the commands from the safety system and non-safety system.

The DAS [diverse actuation system] does not interface with the CIM; the DAS actuation path is completely independent of the CIM. If a demand from the safety system is present, the logic in the CIM blocks the commands from the non-safe ty system. Redundant commands from the PMS are used to reduce the probability of spurious actuation.

The NRC staff understands that a final actuation device, for most safety related components controlled by a given PPS, is typically a field com ponent used to actuate the safety related function of a given safety related device (e.g., an electrical breaker actuates causing a prime mover (electrically driven pump) to actuate or a solenoid valve actuating to admit (or vent) air to an air-operated safety-related valve). The NRC staff further understands that the diverse system for the AP1000, ((

)) and conforms to the requirements of 10 CFR 50.62.

a. In the Limerick Digital Modernization Project, which safety-related component(s) does(do) the (( )) is(are) not the final actuation device for the given safety-related component?

CEG to respond

b. For those cases where the (( )) are not the final actuation devices for the CIM controlled (( )) components what is the licensees basis for concluding the design complies with the requirements of 10 CFR 50.62 given that the diverse system must be diverse up to and including the final actuation device?

CEG to respond

Since the commercial grade Ovation system serves the purpose of the non-safety related distributed control system (DCS) (i.e., the non-safety-related control system) and ((

)):

c. How does this proposed design satisfy the requirements of 10 CFR 50.62 where Alternate Rod Injection (ARI) functions are to be diverse from the sensor output to the final actuation device?

CEG to respond

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 14 of 26 Our Ref: LIM-24-085-NP, Revision 2

d. To assist in clarifying the NRC staffs understanding of the proposed design of the CIM module as intended for use in accomplishing the DPS/RRCS functions, provide a description and/or sketches of how the final actuation devices for the following DPS/RRCS related functions will be driven by the CIM Modules that are also driven by outputs from the PPS Logic:

(1) Recirculation Pump Trip

(2) Feedwater System Runback

(3) Reactor Water Cleanup System Isolation

(4) Alternate Rod Insertion HCU Solenoids

(5) Standby Liquid Control System Initiation

CEG to respond

e. Since the safety-related signals for initiating reactor protection functions are electrically isolated at the input to the PPS cabinets and sent via fiber optic cable to the DPS/RRCS processors, explain why it is necessary to use a CIM module from the output of the PPS cabinet to drive the final actuation devices for the DPS/RRCS functions. Provide examples as to how this would be accomplished for the ARI solenoids, reactor recirculation system pump trip, or feedwater runback functions.

CEG to respond

In WCAP 18598, Section 3.3.2.1, IEEE Std 603-1991 Clause 5.2 and 7.3, it states, in part, that

((

)).

However, Digital Instrumentation and Controls Interim Staff Guidance (DI&C ISG)-04, Highly-Integrated Control RoomsCommunications Issues (HICRc), states under Command Prioritization that, Safety-related commands that direct a component to a safe state must always have the highest priority and must override all other commands.

f. Given that the signal for the (( )) is not a safety-related signal, what is the justification for (( )) with the non-safety-related (( )) signal?

Additionally, how is the signal prioritization managed for a component with more than one safe state, (e.g., an ECCS admission valve that would isolate from the core in the event of a LOCA, but may be called upon to open again once pressure is low enough to actuate the ECCS) and why does the licensee believe this scenario is acceptable and meets the requirements of 10 CFR 50.62?

WEC Response:

As stated in 20.d., the actuations for RRCS functions to meet 10 CFR 50.62 for a BWR do not go through the CIM, except for SLCS. The Diverse Protection System (DPS) functions defined in the Limerick D3 Analysis (WNA-AR-01074-GLIM), go through the CIM Z-port,

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 15 of 26 Our Ref: LIM-24-085-NP, Revision 2

which has the highest priority, to a single safe state. As described in the CIM Technical Report (WCAP-17179-P) there are two Z-port inputs. For the Limerick project, the DPS interfaces with one Z-port input for actuating the component to a safe state and the other Z-port input is not used. The result is that the DPS can only put the actuating component in one safe state. As implied in the question, there can be actuating components that can have more than one safety state based on the plant condition, however the DPS will only initiate the Z-port actuation when it is appropriate to do so. A spurious actuation of a DPS function at the Z-port would have the same effect as a PPS spurious actuation of the same function, and this is analyzed in the D3 Analysis (WNA-AR-01074-GLIM), Section 5, along with an analysis of the spurious actuation of the RRCS functions ported to the new DCS.

There are four unlikely scenarios described and analyzed (see RAI 16), due to a coincident error of the DPS spuriously actuating when the PPS needs to actuate the components in the opposite direction.

21) Appendix A to Part 50General Design Criteria for Nuclear Power Plants, Criterion 1 Quality standards and records states, in part, Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

In addition, 10 CFR Part 50, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, in Criterion III, Design Control, states, in part, that The design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program. The verifying or checking process shall be performed by individuals or groups other than those who performed the original design, but who may be from the same organization. Where a test program is used to verify the adequacy of a specific design feature in lieu of other verifying or checking processes, it shall include suitable qualifications testing of a prototype unit under the most adverse design conditions.

Text in WCAP 6105-00012, CIM/SRNC vs. DAS Diversity, states that, ((

)) This report was used in the AP1000 Component Interface Module (CIM) System that described the operation of the CIM and Safety-Related Remote Node controller (SRNC). The text reveals the (( ))

development method used for the Advanced Logic System (ALS) in developing a ((

)) was used for the AP1000 CIM and SRNC.

In WCAP-18598-P, Licensing Technical Report (LTR) for the Limerick Generating Station Units 1&2 Digital Modernization Project, Revision 2, states in part, that: The CIM is being used as-is.

In other words, the CIM product produced for AP1000 Protection and Safety Monitoring System is exactly the same CIM product used for the Limerick PPS without modification.

However, in relation to the Limerick review, the NRC staff was unable to locate the specific requirements documentation, and the associated test plan, test results, and test summary reports that describe how the (( )) CIMs and SRNCs FPGAs ((

)) were tested to verify the proper operation of, and different failure modes for the (( )). Limerick stated the (( )) provides ((

)) diversity to the functionality of the CIM and SRNC. The NRC staff was unable to locate the necessary documentation to determine how the stated conditions (for normal and off normal

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 16 of 26 Our Ref: LIM-24-085-NP, Revision 2

operation of the (( ))) for the CIM and SRNC FPGAs did not adversely impact the operation of the CIM and SRNC under all postulated conditions.

The CIM System will be used in concert with/as part of the PPS to control (( ))

components at Limerick and given that one of the two ((

)).

Provide the NRC staff with documentation showing how the design requirements, testing, and verification processes were implemented, including the basis for demonstrating that appropriate reliability, determinism, failure modes, and quality requirements have been met. Specifically, provide documentation demonstrating, via the device requirements, design documentation, and test documentation (including test results) how the redundancy checker operates reliably in accordance with all its operational modes and the systems response under all failure modes.

WEC Response:

CIM and SRNC failure modes, reliability and quality requirements are documented in CIM hardware requirements specification (WNA-DS-01271-GEN) and SRNC requirements specification (WNA-DS-01272-GEN), respectively. CIM and SRNC requirements traceability matrices (in 6105-20010 and 6105-10010, respectively) provide documentation of the fulfilment of these requirements and a mapping to applicable documentation. The CIM-SRNC test program, described in the CIM-SRNC IV&V plan (6105-00013) and the CIM-SRNC Test Plan (65105-00005), and the successful execution of the tests demonstrate the deterministic nature of CIM and SRNC. Specifically, the correct operation of the [ ]a,c and the actions taken by CIM and SRNC when a failure is detected have been tested via the IV&V Simulation Environment (ISE). In addition to the [ ]a,c being functional in all test cases, test cases were also executed that simulate [ ]a,c failures when values differ between cores. The sole purpose of the [ ]a,c is to compare the values provided to it for comparison. CIM diagnostics including [ the

]a,c provide the diagnostic coverage for the integrity of the data provided to the [

]a,c. Integration testing for the Limerick Digital Modernization Project (DMP) will take credit for the CIM product verification testing and not repeat these fault-injected redundancy checker tests. A discrepancy, resulting from the [ ]a,c, will feed into the PPS division fault alarm that is tested as part of the Limerick DMP integration testing.

22) The NRC staff is reviewing the information de scribing the component interface module (CIM) system against the applicable clauses in the Institute of Electrical and Electronics Engineers (IEEE) Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations. This IEEE Standard is incorporated by reference in 10 CFR 50.55a(h) and it establishes the minimum functional design criteria for the power, instrumentation, and control portions of nuclear power generating station safety systems. Clause 5,3 Quality requires in part that, Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program.

In addition, Title 10 of the Code of Federal Regulations (10 CFR), Part 50, Domestic Licensing of Production and Utilization Facilities, Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants, states, in part:

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 17 of 26 Our Ref: LIM-24-085-NP, Revision 2

Criterion II Quality Assurance Program, requires, The program shall take into account the need for special controls, processes, test equipment, tools, and skills to attain the required quality, and the need for verification of quality by inspection and test. And;

Criterion III Design Control requires, in part, These measures shall include the establishment of procedures among participating design organizations for the review, approval, release, distribution, and revision of documents involving design interfaces. In addition, it states, The design control measures shall provide for verifying or checking the adequacy of design, such as by the performance of design reviews, by the use of alternate or simplified calculational methods, or by the performance of a suitable testing program.

In WNA-AR-01054-GEN, CIM Diversity Analysis, Section 2.2.2 Design Diversity, it states,

((

))

Referring to information in Section 2.2.3 Tool Diversity, the NRC staff understands that the manner by which ((

))

Related to the robustness of the testing program established for the Limerick Digital Modernization Project to ensure a quality and reliable high safety significance system has been

produced,
a. If the (( )) is not recognized as an industry standard in relation to its use as an FPGA programming verification tool, what mechanisms were employed to validate the correct and proper operation of the ((

)) results under all possible test conditions for the devices under test?

WEC Response:

WNA-AR-01054-GEN, CIM Diversity Analysis, Section 2.2.4 provides further clarification on the use of the ALS Test Suite:

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 18 of 26 Our Ref: LIM-24-085-NP, Revision 2 a,c

The ALS Test Suite is used by the design team to perform engineering and manufacturing tests. The ALS Test Suite went through a documented validation process. The IV&V team uses diverse tools for the HDL simulation verification process and the Integration Test process. It is the IV&V test suite that is used to verify that the CIM operates as specified in the CIM requirements and design documentation. The IV&V test tools also have been through a documented validation process.

and

b. The ((

)) functionality to verify its proper operation under various input conditions.

WEC Response:

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 19 of 26 Our Ref: LIM-24-085-NP, Revision 2

The correct operation of the [ ]a,c has been tested via the IV&V Simulation Environment (ISE). In addition to the [ ]a,c being functional in all test cases, test cases were also executed that simulate [

]a,c failures when values differ between cores. The sole purpose of the [

]a,c Other CIM diagnostics including [

] a,c This diagnostic coverage is described in the NRC-approved WCAP-18461-P-A, Common Q Platform and Component Interface Module System Elimination of Technical Specification Surveillance Requirements. Integration testing for the Limerick Digital Modernization Project (DMP) will take credit for the CIM product verification testing and not repeat these [ ]a,c A discrepancy, resulting from the [ ] a,c will feed into the PPS division fault alarm that is tested as part of the Limerick DMP integration testing.

23) The NRC staff is reviewing the information de scribing the component interface module (CIM) system against the applicable clauses in the Institute of Electrical and Electronics Engineers (IEEE) Standard 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations. This IEEE Standard is incorporated by reference in 10 CFR 50.55a(h) and it establishes the minimum functional design criteria for the power, instrumentation, and control portions of nuclear power generating station safety systems. Clause 5,3 Quality requires in part that, Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program.

Also, 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants, Criterion 22, Protection system independence. The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function or shall be demonstrated to be acceptable on some other defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

In addition, Criterion 23Protection system failure modes. The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

Additionally, SRM to SECY 93-087, (ML003760768) states, in part, that, The applicant shall assess the defense-in-depth and diversity of the proposed instrumentation and control system to demonstrate that vulnerabilities to common-mode failures have adequately been addressed.

Given the multiple references in this licensing amendment request (LAR) to the Westinghouse AP1000 design documents and the Wolf Creek main steam and feedwater isolation system (MSFIS) documentation including the safety evaluation (SE) and the reference made to the MSFIS approval in the ALS Topical Report SE, this request for information is broken down into three parts.

PART 1

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 20 of 26 Our Ref: LIM-24-085-NP, Revision 2

In reviewing, Response to Requests for Additional Information (RAIs 1, 2, and 3) for License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS), (ML24057A427) the staff noted that the licensee states, in multiple locations:

6105-00012, CIM/SRNC vs. DAS Diversity is not applicable for Limerick. The component interface module (CIM) diversity characteristics are explained in WNA AR-01074-GLIM-P, Defense in Depth and Diversity Common Cause Failure Coping Analysis.

However, given that the 6105-00012 document is an integral part of the suite of documents directly related to the AP1000 design and the relationship between the CIM-SRNC and the advanced logic system (ALS)-based DAS, and given that in Section 1.1 Purpose, it states:

((

))

And in Section 3.2.1, (( )), it states: ((

)) and in Section 3.2.2 ((

)), it states: ((

))

Beyond the statements related to the applicability of 6105-00012 in the RAI Responses, the licensee stated in WCAP-18598-P, Licensing Technical Report for the Limerick Generating Station Units 1&2 Digital Modernization Project that: ((

))

The NRC staff understands that certain details delineated in the 6105-00012 report will not apply to the Limerick design, for example ((

)) In addition, the ALS Diversity Analysis document describes that ((

)) Therefore, the staff is not clear why certain sections of the 6105-00012 report should not be considered relevant to the Limerick Digital Modernization Project given that the innate characteristics of diversity between the two systems described in the 6105-00012 report appear to remain valid.

a. Explain the technical basis as to why the information in the 6105-00012 document has been deemed, not applicable to the Limerick design, and
      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 21 of 26 Our Ref: LIM-24-085-NP, Revision 2

WEC Response:

The purpose of 6105-00012 is to assess the diversity between the CIM and the Advance Logic System (ALS) - used for the AP1000 Diverse Actuation System (DAS), which is a later evolution of the ALS platform from the MSFIS ALS. The descriptions of the CIM diversity from the ALS DAS do not apply to the ALS used for MSFIS. CIM and the ALS MSFIS use the same FPGA so the diversity claims in 6105-00012 are not valid or applicable to the MSFIS ALS. For Limerick, the DAS is the Ovation-based Diverse Protection System (DPS). For these reasons, this diversity analysis is not applicable for the Limerick Digital Modernization Project.

b. Explain why the licensee believes the staffs understanding of what the staff considers relevant technical information describing the (( )) between the CIM-SRNC and ALS-based DAS is not valid for the Limerick design.

WEC Response:

As stated in 23a., the ALS used for the AP1000 DAS, described in 6105-00012, is not the same version of ALS used in the Wolf Creek MSFIS, but rather a later evolution of the platform. For example, the CIM and MSFIS ALS use the same FPGA. That is not the case for the ALS platform described in 6105-00012 for the AP1000 DAS. For this reason, the diversity attributes described in 6105-0012 are not applicable to the MSFIS ALS.

PART 2

Additionally, Defense in Depth and Diversity Common Cause Failure Coping Analysis, WNA-AR-01074-GLIM-P, Revision 4, states, in part:

((

))

c. Explain the apparent discrepancy between the text and the figure in the document and describe in which location of the PPS and CIM-SRNC system the (( )) resides.

WEC Response:

The High Amperage Relay Panel is used in two places. One place is the interface between the CIM outputs and plant actuating equipment. The second place is part of the reactor trip interface. Both uses are stated in the LTR, Section 3.5.9.1. As stated in the LTR, Section 3.5.6:

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 22 of 26 Our Ref: LIM-24-085-NP, Revision 2

Each PPS division has an RPS Reactor Scram Matr ix that is described in Section 3.2.3.

These Reactor Scram Matrices interface with a configuration of the HARP as shown in Figure 3.5.6-1. The Scram HARP is an interposing relay panel that interfaces to field devices powered by AC or DC voltage that draw more current than is rated for the Common Q equipment. The combination of the Reactor Scram Matrix and the HARP in each division is referred to as the RPS Termination Unit (RPS TU).

The HARP for the Reactor Scram function is encapsulated in the RPS Termination Unit.

The HARP interface to the CIM is described in the LTR, Section 3.5.9.1. See also RAI 16.

Related to the description of the MSFIS approval in the ALS Topical Report SE, (ML13298A095 and ML13298A096), the staff understands the staffs approval of the Wolf Creek MSFIS is based on the combination of the application-specific criteria found in the MSFIS.

This staff conclusion is based on the following: 1) a fundamental difference between an FPGA logic implementation and a microprocessor-based implementation, 2) an ability to directly confirm the resultant diversity from development process output products, 3) prior precedent, which approved equivalent diverse microprocessors with diverse operating software, and 4) the simplicity of the MSFIS (it is only a valve actuation system and is not a full trip or actuation system).

Additionally, in the safety evaluation for the Wolf Creek MSFIS, (ML090610317) it states, in part:

The NRC staff therefore determined that for the MSFIS, the system meets the guidance provided in D&IC-ISG-02, and the MSFIS is acceptable for use in this safety-related application at WCGS (Wolf Creek Generating Station). This determination is specific to the MSFIS design. Future and more complex uses of the ALS platform, such as for a system receiving sensor signals and making trip or actuation determinations, may require additional design diversity. An example of this additional design diversity may be to provide the independent development of diverse HDL code for each core. Any future determination of adequate diversity based on meeting DI&C-ISG-02, issue 5, staff position 1 will be based upon the application-specific use of the ALS platform.

Given the possibly of (( )) information based on excerpts from the reports above, including the Wolf Creek MSFIS and ALS Topical Safety Evaluations, regarding the information related to the ((

)) in the 6105-00012 document, and the statement of ((

)) must be tempered with the overall conclusions made in the Wolf Creek and the ALS Topical Report SEs.

d. What is the basis for the assertion in the WNA-AR-01074-GLIM-P document that the ((

)) existing between the two devices?

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 23 of 26 Our Ref: LIM-24-085-NP, Revision 2

WEC Response:

See response to 23.b.

PART 3

Section 2.2 (( ))

states, in part:

((

))

The ALS Topical Reports SE also described the bases for the conclusions made in the Wolf Creek SE.

The NRC staffs SE report for Wolf Creek's MSFIS evaluated these diversity claims and concluded the ALS platform development process provided sufficient diversity within the programmable portion of the ALS platform, such that CCFs of programming are adequately addressed. This staff conclusion is based on the following:1) a fundamental difference between an FPGA logic implementation and a microprocessor-based implementation, 2) an ability to directly confirm the resultant diversity from development process output products, 3) prior precedent, which approved equivalent diverse microprocessors with diverse operating software, and 4) the simplicity of the MSFIS (it is only a valve actuation system and is not a full trip or actuation system).

Based on a review of both documents the conclusions in the SEs that (( )) had been addressed for the MSFIS based on:

((

))

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 24 of 26 Our Ref: LIM-24-085-NP, Revision 2

WEC Response:

There are two types of diversity described over the years as the ALS platform evolved from that used on MSFIS and the one used for the AP1000 DAS. In the case of the AP1000 DAS ALS platform, two types of diversity were described in the ALS Topical Report, 6002-00301-A, approved by the NRC on September 9, 2013 (ML13218A979).

These two types of diversity are described as follows (quoted from the NRC Safety Evaluation Report):

Core Diversity generates two redundant logic implementations for placement within each FPGA for each standardized circuit board. The two redundant logic implementations (Core 1 and Core 2) use the same hardware descriptive language files per standardized circuit board. However, each logic implementation is produced using different synthesis directives (see Reference 47, Section 2.2 for details of Core Diversity). All ALS platform applications will contain Core Diversity.

Embedded Design Diversity requires the production of two versions of hardware descriptive language files for each standardized circuit board, where each version has been developed by an independent design team."

Both the MSFIS ALS and the CIM-SRNC employ Core Diversity, the same level of diversity in both designs. Embedded Design Diversity did not appear until the implementation of the AP1000 ALS-based DAS.

The level of testing is based on the requirements of each system/component. The requirements for the CIM-SRNC are defined in their respective requirements specifications previously provided to the NRC in the first set of RAIs:

6105-10004, SRNC FPGA Software Requirements Specification, Rev. 13

6105-20004, CIM FPGA Software Requirements Specification, Rev. 17

These requirements are traced to testing performed on the CIM-SRNC as demonstrated in the CIM-SRNC requirements traceability matrices:

Component Interface Module Requirement Traceability Matrix 6105-20010, Rev.

20

Safety System Remote Node Controller Requirement Traceability Matrix 6105-10010, Rev. 17

f. ((

))

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 25 of 26 Our Ref: LIM-24-085-NP, Revision 2

WEC Response:

The basis for the conclusion that the CIM is not susceptible to a CCF is two-fold as described in the D3 Analysis (WNA-AR-01074-GLIM-P).

The first basis is the similarity in design and processes between the MSFIS ALS and the CIM-SRNC, that the NRC found sufficient to conclude the MSFIS was not susceptible to a CCF. These similarities include, and which are described in detail in the D3 Analysis:

1. Design Features - [

]a,c

2. Lifecycle Processes used in development and verification
3. Simplicity of the Design

The second basis for concluding that the CIM-SRNC is not susceptible to a CCF is the extensive testing that was performed on the CIM-SRNC, as described in Section 2.2.2 in the D3 Analysis. The testing performed on the CIM-SRNC is compared to the BTP 7-19 criteria for extensive testing to be sufficient to exclude the need to postulate a CCF in a component.

It is these two bases in combination that support the argument that the CIM-SRNC is not susceptible to a CCF. Identifying only one attribute in the design similarities between the CIM-SRNC and MSFIS is not sufficient to conclude that the CIM-SRNC is not susceptible to a CCF.

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 Page 26 of 26 Our Ref: LIM-24-085-NP, Revision 2

If you have any questions or require additional information regarding this transmittal, please feel free to contact me at (860) 731-6260.

Sincerely, WESTINGHOUSE ELECTRIC COMPANY LLC Electronically Approved

Matthew Shakun Principal Licensing Engineer

cc: Constellation Energy Steven Hesse steven.hesse@constellation.com Kayla Marriner kaylalover.marriner@constellation.com Zina Gavin zina.gavin@constellation.com Mark Samselski mark.samselski@constellation.com David Molteni david.molteni@constellation.com Ashley Rickey ashley.rickey@constellation.com Frank Mascitelli francis.mascitelli@constellation.com

Westinghouse Electric Company LLC Courtney Frank Westinghouse Parastoo Muse Westinghouse Boyan Setchenski Westinghouse Andrew Lutz Westinghouse Steve Merkiel Westinghouse Andrew Barth Westinghouse Cynthia Olesky Westinghouse Warren Odess-Gillett Westinghouse

Electronically Approved Records Are Authenticated in the Electronic Document Management System

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

LIM-24-085-NP Revision 2 Non-Proprietary Class 3

    • This page was added to the quality record by the PRIME system upon its validation and shall not be considered in the page numbering of this document.**

Approval Information

Author Approval Shakun Matthew A Jun-12-2024 09:44:44

Files approved on Jun-12-2024

      • This record was final approved on 06/12/2024 09:44:44. (This statement was added by the PRIME system upon its validation)

Attachment 3

License Amendment Request Supplement

Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353

WEC Proprietary A ffidavit, CAW-24 -033, Revision 0, for Attachment 1

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-24-033 Page 1 of 3

Commonwealth of Pennsylvania:

County of Butler:

(1) I, Zachary Harper, Senior Manager, Licen sing, have been specifically delegated and authorized to apply for withholding and execu te this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).

(2) I am requesting the proprietary portions of LIM-24-085-P, Revision 2 be withheld from public disclosure under 10 CFR 2.390.

(3) I have personal knowledge of the criteri a and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.

(4) Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld fr om public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.

(ii) The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouses knowledge, is not available in public sources.

(iii) Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a docum ent should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense servi ces for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

      • This record was final approved on 06/12/2024 13:20:08. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-24-033 Page 2 of 3

(5) Westinghouse has policies in place to identify pr oprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, incl uding test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

(6) The attached documents are bracketed and marked to indicate the bases for withholding. The justification for withholding is indicated in both versions by means of lower-case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower-case letters refer to the types of in formation Westinghouse customarily holds in confidence identified in Sections (5)(a) through (f) of this Affidavit.

      • This record was final approved on 06/12/2024 13:20:08. (This statement was added by the PRIME system upon its validation)

Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-24-033 Page 3 of 3

I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief. I declare under pe nalty of perjury that the foregoing is true and correct.

Executed on: 6/12/2024 _____________________________

Signed electronically by Zachary Harper

      • This record was final approved on 06/12/2024 13:20:08. (This statement was added by the PRIME system upon its validation)

CAW-24-033 Revision 0 Non-Proprietary Class 3

    • This page was added to the quality record by the PRIME system upon its validation and shall not be considered in the page numbering of this document.**

Approval Information

Manager Approval Harper Zachary S Jun-12-2024 13:20:08

Files approved on Jun-12-2024

      • This record was final approved on 06/12/2024 13:20:08. (This statement was added by the PRIME system upon its validation)

Attachment 4

License Amendment Request Supplement

Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353

CEG Response to Request for Additional Information RAI 20.a, b, c, d and e

- Proprietary Attachment 5

License Amendment Request Supplement

Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353

CEG Response to Request for Additional Information RAI 20.a, b, c, d and e

- Non-Proprietary Atachment 5 CEG Response to Request for Addional Informaon RAI 20.a, b, c, d and e - N on-P roprietary Page 1 o f 5

20) 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water-cooled nuclear power plants, Section (c)(3) states in part, that Each boiling water reactor must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation device.

In addition, 10 CFR 50.62 (c)(5) states that: Each boiling water reactor must have equipment to trip the reactor coolant recirculating pumps automatically under conditions indicative of an ATWS [anticipated transient without scram]. This equipment must be designed to perform its function in a reliable manner.

In WCAP-18598-P, Licensing Technical Report for the Limerick Generating Station Units 1&2 Digital Modernization Project, Revision 2, states in part, that The CIM is being used as -is. In other words, the CIM product produced for AP1000 Protection and Safety Monitoring System is exactly the same CIM product used for the Limerick PPS without modification.

In WCAP-17179-P, AP1000 Component Interface Module Technical Report, Revision 6, it states, in part:

Staff Position 3: The CIM prioritizes the commands from the safety system and non-safety system. The DAS [diverse actuation system] does not interface with the CIM; the DAS actuation path is completely independent of the CIM. If a demand from the safety system is present, the logic in the CIM blocks the commands from the non-safety system. Redundant commands from the PMS are used to reduce the probability of spurious actuation.

The NRC staff understands that a final actuation device, for most safety related components controlled by a given PPS, is typically a field component used to actuate the safety related function of a given safety related device (e.g., an electrical breaker actuates causing a prime mover (electrically driven pump) to actuate or a solenoid valve actuating to admit (or vent) air to an air-operated safety -related valve). The NRC staff further understands that the diverse system for the AP1000, ((

)) and conforms to the requirements of 10 CFR 50.62.

a. In the Limerick Digital Modernization Project, which safety -related component(s) does(do) the (( )) is(are) not the final actuation device for the given safety-related component?

CEG RESPONSE In the Limerick Digital Modernization Project design, the CIM controls the following components related to 10 CFR 50.62 but is not the final actuation device as described above:

  • Standby Liquid Control Pump C - *C-P208 The CIM for each SLC pump drives an interposing relay at the MCC which then energizes the pump start contactor. The signal from RRCS/DPS is momentary so that the PPS can provide the stop signal on low tank level. A maximum of two SLC pumps can be Atachment 5 CEG Response to Request for Addional Informaon RAI 20.a, b, c, d and e - N on-P roprietary Page 2 o f 5

armed for automatic start through RRCS/DPS. Manual control of all three is through either the DCS HMI or the PPS HMI.

  • RWCU PCIV - HV-044- *F004 The CIMs for these valves interface with the contactor in the motor c ontrol center to close the valve. An isolation signal from the RRCS/DPS or the PPS results in closing these valves. The close output on the CIM is in parallel with the Main Control Room handswitch. In the final design, following a reset of the isolation signal, the Main Control Room handswitch can then be used to reopen the valves. The Main Control Room handswitch can also be used to manually close each valve
b. For those cases where the (( )) are not the final actuation devices for the CIM controlled (( )) components what is the licensees basis for concluding the design complies with the requirements of 10 CFR 50.62 given that the diverse system must be diverse up to and including the final actuation device?

CEG RESPONSE Per 10 CFR 50.62, Requirements for reduction of risk from anticipated transients without scram (ATWS) events for light-water -cooled nuclear power plants, Section (c)(3) states in part, that Each boiling water reactor must have an alternate rod injection (ARI) system that is diverse (from the reactor trip system) from sensor output to the final actuation device.

In the Limerick Digital Modernization Project design, the Alternate Rod Inser tion function as described in 10 CFR 50.62 is not controlled by CIMs.

In the Limerick Digital Modernization Project design, the CIM controlled components related to 10 CFR 50.62 are all a part of the Standby Liquid Control function. 10 CFR 50.62 does not require diversity up to and including the final actuation device for the SLC system.

The SLCS requirement in 10 CFR 50.62 states:

Each boiling water reactor must have a standby liquid control system (SLCS) with the capability of injecting into the reactor pressure vessel a borated water solution at such a flow rate, level of boron concentration and boron-10 isotope enrichment, and accounting for reactor pressure vessel volume, that the resulting reactivity control is at least equivalent to that resulting from injection of 86 gallons per minute of 13 weight percent sodium pentaborate decahydrate solution at the natural boron-10 isotope abundance into a 251-inch inside diameter reactor pressure vessel for a given core design. The SLCS and its injection location must be designed to perform its function in a reliable manner. The SLCS initiation must be automatic and must be designed to perform its function in a reliable manner for plants granted a construction permit after July 26, 1984, and for plants granted a construction Atachment 5 CEG Response to Request for Addional Informaon RAI 20.a, b, c, d and e - N on-P roprietary Page 3 o f 5

permit prior to July 26, 1984, that have already been designed and built to include this feature.

The Limerick Digital Modernization Project is not making any changes related to system flowrate, boron concentration or enrichment, or reactor pressure vessel volume. The SLCS section of 10 CFR 50.62 requires that the function be automatic and implemented in a reliable manner.

The RRCS implementation in Ovation includes automatic actuation of the SLCS system. As discussed in LTR section 9.5, the Ovation system is reliable as required by 10 CFR 50.62:

The DCS is based on the Ovation platform. The reliability analysis for the platform is documented in WNA-AR-00039-GEN (Reference 65). It summarizes the reliability of each component in the platform, including those components used for the RRCS/DPS functions. ((

)) a, c The level of reliability of the Ovation platform provides the basis for an Ovation-based DCS to perform its RRCS functions in a reliable manner to meet the ATWS rule.

All RRCS functions meet the requirements of 10 CFR 50.62. ARI is diverse from sensor output up to and including the final actuation devices. SLCS functions are implemented by the reliable Ovation platform.

Since the commercial grade Ovation system serves the purpose of the non-safety related distributed control system (DCS) (i.e., the non-safety -related control system) and ((

)):

c. How does this proposed design satisfy the requirements of 10 CFR 50.62 where Alternate Rod Injection (ARI) functions are to be diverse from the sensor output to the final actuation device?

CEG Response

The Limerick Digital Modernization Project does not utilize the CIM for Alternate Rod Insertion (ARI) function. Shared sensor interfaces are discussed in LTR section 3.5.3. ARI required sensor outputs are sent to both a PPS input card and a DCS input card and processed independently. DPS o utputs to ARI solenoids are driven through 2 out of 3 modules inside the DCS. The output of the 2 out of 3 module is a non-safety related signal which is then isolated from the existing safety related solenoids by a dedicated interposing relay in the PPS MTC cabinet. The 2 out of 3 modules and associated interposing relays do not require any PPS software or CIMs Atachment 5 CEG Response to Request for Addional Informaon RAI 20.a, b, c, d and e - N on-P roprietary Page 4 o f 5

to drive the ARI solenoids. The ARI solenoids are only powered and actuated from the dedicated ARI circuits and are therefore completely independent of PPS and the RPS equipment.

d. To assist in clarifying the NRC staffs understanding of the proposed design of the CIM module as intended for use in accomplishing the DPS/RRCS functions, provide a description and/or sketches of how the final actuation devices for the following DPS/RRCS related functions will be driven by the CIM Modules that are also driven by outputs from the PPS Logic:

(1) Recirculation Pump Trip (2) Feedwater System Runback (3) Reactor Water Cleanup System Isolation (4) Alternate Rod Insertion HCU Solenoids (5) Standby Liquid Control System Initiation

CEG Response

1) Recirculation Pump Trip To support 10 CFR 50.62 ATWS implementation for Recirculation pump trips there is a dedicated ATWS breaker trip coil. This coil is independent from the End of Cycle Recirculation Pump Trip Coil. The ATWS function is not driven by a CIM. There are 2 out of 3 modules inside the DCS that drive dedicated interposing relays in the PPS MTC cabinets. Those components do not require any PPS software or CIMs to trip the recirculation pump from RRCS via the DCS.

2.) Feedwater System Runback This function is not utilized by the Limerick Digital Modernization Project. LT R section 9.6 discusses elimination of the feedwater runback function of RRCS.

3.) Reactor Water Cleanup System Isolation This function utilizes CIM outputs. The isolation output does not require PPS software to provide an output to RWCU isolation when initiated from RRCS via the DCS. The RRCS function utilizes the highest priority port on the CIM and is only wired to take the valve in the CLOSED direction.

4.) Alternate Rod Insertion HCU Solenoids This function is not driven by a CIM. There are 2 out of 3 modules inside the DCS that drive dedicated interposing relays in the PPS MTC cabinets. Those components do not require any PPS software or CIMs to provide an output to the ARI solenoids.

5.) Standby Liquid Control System Initiation This function utilizes CIM outputs. The automatic initiation does not require PPS software to provide an output to SLCS initiation from RRCS via the DCS. The RRCS function utilizes the highest priority port on the CIM and is only wired to take the pump to the START position and the valves to the OPEN position. The signal from RRCS/DPS is momentary so that the PPS can provide the stop signal on low tank level. A maximum of two SLC pumps can be armed for automatic start through Atachment 5 CEG Response to Request for Addional Informaon RAI 20.a, b, c, d and e - N on-P roprietary Page 5 o f 5

RRCS/DPS. Manual control of all three is through either the DCS HMI or the PPS HMI.

e. Since the sa fety-related signals for initiating reactor protection functions are electricall y isolated at the input to the PPS cabinets and sent via fiber optic cable to the DPS/RRCS processors, explain why it is necessary to use a CIM module from the output of the PPS cabinet to drive the final actuation devices for the DPS/RRCS functions. Provi de examples as to how this would be accomplished for the ARI solenoids, reactor recirculation system pump trip, or feedwater runback functions.

CEG Response

The CIM is necessary for DPS/RRCS functions where there is a need for a priority module to interface with the final actuation devices for a function. The function can be those associated with Standby Liquid Control System (SLCS) for RRCS, or those diverse functions identified as required in the Diversity and Defense in Depth Analysis documented in WNA -AR-01074-GLIM.

The CIM is not utilized for ARI solenoids or reactor recirculation pump trip functions.

The feedwater runback function has been eliminated.

Retrieved from "https://kanterella.com/w/index.php?title=ML24166A114&oldid=3675171"