ML25269A191
| ML25269A191 | |
| Person / Time | |
|---|---|
| Site: | Limerick  |
| Issue date: | 09/26/2025 |
| From: | Para W Constellation Energy Generation |
| To: | Office of Nuclear Reactor Regulation, Document Control Desk |
| Shared Package | |
| ML25269A189 | List: |
| References | |
| Download: ML25269A191 (1) | |
Text
200 Energy Way Kennett Square, PA 19348 www.ConstellationEnergy.com ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
10 CFR 50.90 September 26, 2025 U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 ATTN: Document Control Desk Limerick Generating Station, Units 1 and 2 Renewed Facility Operating License Nos. NPF-39 and NPF-85 NRC Docket Nos. 50-352 and 50-353
Subject:
Final Response to Requests for Additional Information-Limerick Generating Station Digital Plant Protection System
References:
- 1. Constellation Energy Generation, LLC (CEG) letter to the U.S. Nuclear Regulatory Commission (NRC), "License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS)," dated September 26, 2022 (NRC Agencywide Documents Access and Management System (ADAMS) Accession No. ML22269A569).
2.
CEG letter to the NRC, "Resubmittal of License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS) - To Address Proprietary Issues with INL HFE Reports," dated September 12, 2023 (ADAMS Accession No. ML23255A095).
3.
Email from Michael Marshall, (NRC) to Ashley Rickey (CEG), Limerick Generating Station, Units 1 and 2 - Request for Additional Information and Draft Requests for Confirmatory Information Regarding Limerick Digital Instrumentation and Controls License amendment Request (EPID L-2022-LLA-0140), dated January 6, 2025 (ADAMS Accession No. ML25007A150).
Final Response to RAIs Limerick Digital Modernization Project Docket Nos. 50-352 and 50-353 September 26, 2025 Page 2 of 5 4.
Email from Michael Marshall, (NRC) to Ashley Rickey (CEG), Limerick Generating Station, Units 1 and 2 - Request for Additional Information and Draft Requests for Confirmatory Information Regarding Limerick Digital Instrumentation and Controls License amendment Request (EPID L-2022-LLA-0140), dated February 5, 2025 (ADAMS Accession No. ML25049A178).
5.
CEG letter to the NRC, Proposed Extension of Due Date of Request for Additional Information, dated April 14, 2025 (ADAMS Accession No. ML25094A145).
6.
NRC letter to CEG, Limerick Generation Station, Unit Nos. 1 and 2 -
Response to Proposed Extension of Due Date of Request for Additional Information re Component Interface Module (EPID L-2022-LLA-0140),
dated April 16, 2025 (ADAMS Accession No. ML25101A252).
7.
Closed Meeting between NRC and CEG on June 25, 2025 regarding the Digital Modernization License Amendment Request (LAR) for Limerick Generating Station, Units 1 and 2 (Meeting Notice dated May 19, 2025, ADAMS Accession No. ML25139A586) 8.
CEG letter to the NRC, Proposed Extension - Response to Requests for Additional Information (RAIs), dated July 2, 2025 (ADAMS Accession No. ML25183A133).
9.
CEG letter to the NRC, Partial Response to Requests for Additional Information - Limerick Generating Station Digital Plant Protection System, dated July 30, 2025 (ADAMS Accession No. ML25211A293).
- 10. NRC letter to CEG, Limerick Generating Station, Units 1 and 2 -
Regulatory Audit Plan Supporting Review of the Limerick Digital Instrumentation and Controls License Amendment Request (EPID L-2022-LLA-0140)," dated August 22, 2025 (ADAMS Accession No. ML25223A077).
In Reference 1 Constellation Energy Generation, LLC (CEG) requested a License Amendment Request (LAR) to facilitate replacement of the Limerick Generating Station (LGS), Units 1 and 2 existing safety-related analog control systems with a single digital Plant Protection System (PPS).
ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
Final Response to RAIs Limerick Digital Modernization Project Docket Nos. 50-352 and 50-353 September 26, 2025 Page 3 of 5 In Reference 2, CEG submitted a LAR supplement that replaced in its entirety the original LAR. CEG replaced the original submittal to address issues associated with proprietary/non-proprietary information.
In both the Reference 1 LAR submittal and Enclosure 1 to the Reference 2 LAR resubmittal, CEG indicated that the LAR was developed and submitted in accordance with the Alternate Review Process (ARP) guidance in NRC Digital Instrumentation and Control (DI&C) Interim Staff Guidance (ISG)-06, Licensing Process.
In Reference 3, the NRC provided four requests for confirmatory information (RCIs) and eight requests for additional information (RAIs) (i.e., RAI-24 through -31) to support the NRCs review of the Reference 2 LAR. As part of Reference 3, the NRC requested CEG to provide responses to the RCIs and RAIs by April 6, 2025.
In Reference 4, the NRC provided five additional RAIs (i.e., RAI-32 through -36) to support the NRCs review of the Reference 2 LAR. As part of Reference 4, the NRC requested CEG to provide responses to the five additional RAIs by April 7, 2025.
In Reference 5, CEG requested an additional 90 days, through July 7, 2025, to provide a response to all open RAIs (RAI-24 through -36). Reference 6 is the NRC approval of the extension request.
Based on discussions during the Reference 7 meeting, in Reference 8 CEG requested an additional 60 days from the date of Reference 5 to provide responses to all 13 open RAIs (RAI-24 through -36) (i.e., September 5, 2025).
In Reference 9, CEG provided responses to seven of the 13 open RAIs (i.e., RAI-24, -26,
-29, -33, -34, -35, and -36).
During the weeks of August 11, 2025 and August 18, 2025, the NRC conducted an audit, both virtually and on-site at LGS, to assist in their review of the LGS PPS LAR. The audit plan is documented in Reference 10. Due to the extent of discussions and clarifications that arose during the audit process concerning the six remaining open RAIs, CEG indicated that the responses to the six remaining open RAIs would be submitted by the end of September 2025. Attachment 1 to this letter provides responses to five of the remaining open RAIs (i.e.,
RAI-25, -27, -28, -30, and -32). Attachment 4 to this letter provides a response to RAI-31 (i.e., the sixth open RAI). includes information proprietary to Westinghouse Electric Company, LLC (WEC). Attachment 2 to this letter provides a non-proprietary version of Attachment 1. provides an affidavit signed by WEC, the owner of proprietary information in. The affidavit sets forth the basis upon which the information may be ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
Final Response to RAIs Limerick Digital Modernization Project Docket Nos. 50-352 and 50-353 September 26, 2025 Page 4 of 5 withheld from public disclosure by the NRC, and it addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390 of the NRCs regulations. WEC requests that the WEC proprietary information contained in Attachment 1 be withheld from public disclosure in accordance with 10 CFR 2.390. Future correspondence with respect to the proprietary aspects of the application for withholding related to WEC proprietary information or the WEC affidavit provided in the applicable attachment should reference this affidavit. is considered sensitive, unclassified (non-safeguard) information in accordance with 10 CFR 2.390, 'Public inspections, exemptions, requests for withholding.'
As such, Constellation Generation Company, LLC requests that the information contained in the attachment be withheld from public disclosure for this reason, in addition to withholding for proprietary information, as discussed above.
CEG has reviewed the information supporting a finding of no significant hazards consideration, and the environmental consideration, which was previously provided to the NRC in the Reference 1 and 2 letters. CEG has concluded that the information provided in this letter does not affect the bases for concluding that the proposed license amendments do not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92. In addition, CEG has concluded that the information in this RAI response letter does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendments.
This letter contains no regulatory commitments.
In accordance with 10 CFR 50.91, Notice for public comment; State consultation, paragraph (b), CEG is notifying the Commonwealth of Pennsylvania of this license amendment request supplement by transmitting a copy of this letter to the designated State Official.
ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
Final Response to RAIs Limerick Digital Modernization Project Docket Nos. 50-352 and 50-353 September 26, 2025 Page 5 of 5 ATTACHMENTS 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
If you have any questions regarding this submittal, then please contact Ms. Ashley Rickey at Ashley.Rickey@Constellation.com.
I declare under penalty of perjury that the foregoing is true and correct. Executed on this 26th day of September 2025.
Respectfully, Wendi Para Senior Manager - Licensing Constellation Energy Generation, LLC Response to RAI-25, -27, -28, -30, and -32 (Proprietary)
Response to RAI-25, -27, -28, -30, and -32 (Non-Proprietary)
WEC Affidavit CAW-25-053 for WEC Proprietary Information in Attachment 1 Response to RAI-31 (SUNSI) cc:
USNRC Region I, Regional Administrator w/ attachments USNRC Project Manager, LGS USNRC Senior Resident Inspector, LGS Director, Bureau of Radiation Protection - Pennsylvania Department of Environmental Protection
ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
Bcc w/ attachments:
Corporate Executive Distribution Limerick Sr. Leadership Team Distribution Limerick RAM (J. Rajan)
Limerick Reg. Assurance Engineer (R. Guy)
Corporate Licensing East Distribution Director, Risk Management (S. Ramos)
Sr. Manager, Risk Management (S. Lloyd)
Risk Engineer, (P. Tarpinian)
Manager, Engineering (M. Samselski)
ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
ATTACHMENT 2 Limerick Generating Station, Unit 1 and Unit 2 NRC Docket Nos. 50-352 and 50-353 Response to RAI-25, -27, -28, -30, and -32 (Non-Proprietary)
(35 pages)
©2025 Westinghouse Electric Company LLC. All Rights Reserved Electronically Approved Records Are Authenticated in the Electronic Document Management System Westinghouse Electric Company 1000 Westinghouse Drive Cranberry Township, Pennsylvania 16066 USA Mr. Jerry Segner Principal Project Manager Constellation Energy Generation, LLC Limerick Generating Station 3146 Sanatoga Road Pottstown, PA 19464 jerry.segner@constellation.com Direct Telephone:
(860) 836-4927 E-mail:
odessgwr@westinghouse.com Contract:
00800304 Sales Order:
156102 Our Ref:
LIM-25-150-NP, Rev. 0 September 24, 2025 CONSTELLATION ENERGY GENERATION LIMERICK UNITS 1 AND 2 DIGITAL MODERNIZATION PROJECT Limerick DMP CIM RAIs - Round 3
Dear Mr. Segner:
The following provides Westinghouse's responses to NRC RAIs 25, 27, 28, 30, and 32. These RAI responses cite an Appendix A which was provided earlier to the NRC via the docketed responses for RAIs 24, 26, 29, 33, 34, 35, and 36.
If you have any questions or require additional information regarding this transmittal, please feel free to contact me at (860) 731-6260.
Sincerely, WESTINGHOUSE ELECTRIC COMPANY LLC Electronically Approved Author: Warren Odess-Gillett, Licensing I&C Engineer Reviewer: Matthew Shakun, Principal Licensing Engineer Reviewer: Stephen Seaman, Chief Engineer Approver: Jerrod Ewing, Manager Attachments:
1.
Response to RAI-25, -27, -28, -30, and -32 Westinghouse Non-Proprietary Class 3
Westinghouse Non-Proprietary Class 3 Page 2 of 2 Our Ref: LIM-25-150-NP. Rev. 0 cc: Constellation Energy Steven Hesse steven.hesse@constellation.com Kayla Marriner kaylalover.marriner@constellation.com Zina Gavin zina.gavin@constellation.com Mark Samselski mark.samselski@constellation.com Ashley Rickey ashley.rickey@constellation.com Westinghouse Electric Company LLC Courtney Frank Parastoo Muse Steve Merkiel Andrew Barth Cynthia Olesky
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP. Rev. 0 - Response to RAI-25, -27, -28, -30, and -32
RAI-25
In its letter dated June 14, 2024 (i.e., the response to RAI 21), the licensee stated the CIM-SRNC test program documents for the AP1000 CIM-SRNC, including the test plans and test results ((
)). However, the NRC staff did not find sufficient information within Constellations Limerick digital I&C LARs, as supplemented, to enable it to verify claims made by the licensee regarding the CIM-SRNC development, testing, and verification processes for the CIM-SRNC. Specifically, additional information is needed to demonstrate how CIM-SRNC system test results and documented outcome would support a claim of the CIM not being susceptible to a CCF.
The licensees statements made in Constellations Limerick digital I&C LARs, as supplemented, that the CIM-SRNC has undergone extensive testing per the discussion in Sections 2.2 and 2.2.2 of WNA-AR-01074-GLIM, Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis, are not sufficient to enable the NRC staff to conclude that the specific tests conducted to demonstrate the functionality of the CIM and SRNC when it was developed for the AP1000 application will also satisfy the acceptance criteria within Section B.3.1.2 of BTP 7-19, Revision 8. Specifically, Section 2.2.2 of document WNA-AR-01074-GLIM only provides a high-level overview related to the extensive testing and attributes of defense in depth and diversity related to the Limerick application.
Section 2.2.2, CIM Extensive Testing, of WNA-AR-01074-GLIM, indicates that more detailed information may be available that describes the specific tests that were conducted for the CIM system and how they address the acceptance criteria identified within BTP 7-19 (e.g., testing every possible combination of inputs, every functional state transition among all modes of operation, test results that conform to pre-established test cases and all correctness for all outputs of every case). A reference is made to Document WNA-LI-00096-GEN (Reference 4)
Evaluation of Common Cause Failure Susceptibility of Component Interface Module. However, this document was not submitted to the NRC staff for its reference or use in evaluating the statements in the submitted documents. Further, this document may also point to other documents that describe in greater detail why the tests that were conducted during the development of the CIMs for the AP1000 product line were considered sufficient to satisfy the acceptance criteria in Section B.3.1.2 of BTP 7-19.
Describe the reasoning that was used in WCAP-18598 to describe the CIM as a simple FPGA-based component that would enable it to satisfy the testing acceptance criteria in the NRC staffs review guidance in NUREG-0800, BTP 7-19, Revision 8. Specifically, BTP 7-19 states:
Thorough testing can help to identify latent design defects in DI&C systems, provided the design is simple enough to allow such testing. Describe how it can be concluded that the CIM system can be considered a simple design, or simple enough such that thorough testing to identify latent defects can be effectively performed. To support the conclusion that the CIM is a simple FPGA-based component, please provide a basis supporting the claim that the CIM is a simple component. Describe the licensee's definition of simple design and identify any industry standards or papers used to establish why its definition of simplicity or simple design is adequate.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 2 of 33
Response to RAI-25:
The figure below shows a high-level diagram of the CIM.
[
]a,c Figure 1 - Simplified CIM Device The CIM serves as the interface between digital control systems and physical plant components, enabling actuation of safety-related equipment. It processes commands from multiple sources:
Z-Port: Handles Diverse Protection System (DPS)
X-Port: Receives PPS commands Y-Port: Interfaces with non-safety Distributed Control System (DCS) signals.
The CIM also supports local manual control, [
]a,c The CIM is built around a Field-Programmable Gate Array (FPGA), which allows for programmable logic to manage signal prioritization and diagnostics. [
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 3 of 33
[
]a,c This prioritization ensures that safety-critical commands are executed reliably, even in the presence of faults or degraded conditions.
Comprehensive CIM Testing Validation of the CIM utilized a comprehensive test using overlapping methods. This approach, along with an FMEA that analyzes every possible failure mode of each component on the CIM, provides reasonable assurance that there is not a latent design defect in the CIM. This overlapping approach to testing includes:
FPGA Simulation Logic Test (Purple Box - Figure 1) o
[
]a,c CIM Device Integration Testing (Blue Box & Purple Box - Figure 1) -
o
[
]a,c System Integration Testing with the CIM. The CIM is installed into a target system, and the functionality of the system is verified. This test verifies the external interfaces to the Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 4 of 33
CIM, and only on the functionality that the system uses. For Limerick, that will be the Factory Acceptance Testing of the PPS.
This overlapping approach to testing and design analysis provides reasonable assurance that the CIM device does not have a latent design defect that would cause all CIMs to fail simultaneously preventing them from performing their safety function.
CIM Interface Circuits (Blue Box in Figure 1)
The CIM module contains interface circuits. These circuits are standard interface circuits that are used in many digital systems. [
]a,c CIM Failure Modes and Effects Analysis A CIM Failure Modes and Effects Analysis (6105-20008, CIM Reliability Analysis) is completed to ensure each discrete component has all failures and effects identified to have a known predictable impact [
]a,c The FMEA (6105-20008 Table 4-3) identifies every failure mode [
]a,c on the CIM [
]a,c. The impacts of each component failure are evaluated to confirm 1) no unexpected impacts on overall CIM performance and 2) that the safety system immediately identifies CIM hardware failures to the operator. Immediate system identification (self-diagnostics) of CIM degraded conditions supports timely remediation, precluding multiple latent degraded CIMS in the event of a plant transient.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 5 of 33
[
]a,c The following table summarizes the failure modes and effects for all discrete components on the CIM. The table groups the discrete components by function and provides a summary of the failure mode and effect on the CIM. The details can be found in the FMEA document. [
]a,c, it can be concluded that there is not an unknown failure mode that would exist on the CIM [
]a,c
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 6 of 33
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 7 of 33
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 8 of 33
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 9 of 33
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 10 of 33
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 11 of 33
[
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 12 of 33
]a,c
CIM Device Integration Testing CIM Device integration testing overlaps the analysis of the FMEA and utilizes actual CIM device electronics integrated with the CIM FPGA logic to ensure the electronics perform as designed and do not introduce a latent design defect. [
]a,c The CIM Device integration testing demonstrates the diverse actuation path through the Z-port interface discrete electronics always functions no matter the state of the X & Y port interface discrete electronics.
[
]a,c The priority scheme of Port X, Port Y, Port Z and local controls are validated by these tests. Any command from a higher priority source blocks all commands from sources of lower priority. The tests validate priority logic as defined by the priority logic requirements. This results in validation of the interface between the FPGA and electronic components considered for the diverse actuation path including inputs and outputs. This provides an overlap test with the thorough testing the of FPGA logic resulting in reasonable assurance that there are no latent design defects added by the integration of the interfaces between the FPGA and discrete electronics on the CIM device.
CIM Comprehensive Testing Approach For the CIM, an alternative approach was taken to best ensure the CIM does not have a latent design defect. As stated in the NRC BTP 7-19, The applicant may use various testing methods, which the reviewer should consider on a case-by-case basis. In each case, the reviewer should consider whether the technical basis for these testing methods is acceptable. The following description is the justification for comprehensive CIM testing.
As described above, the CIM is comprised of an FPGA and external hardware circuitry. Note that once logic is in the FPGA, the FPGA is considered a hardware device (i.e., the FPGA itself is hardware, the potential software CCF sources precede the instantiation of the logic onto the FPGA chip).
The following figure is duplicated from above and depicts the CIM layout with the FPGA in the center and the hardware circuitry surrounding the FPGA:
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 13 of 33
[
]a,c
[
]a,c the FPGA that is a programmable digital device in the CIM.
The approach taken was to test the FPGA logic to ensure it did not have latent design errors that could trigger a CCF. [
]a,c As described later in this response, and response to RAI 27.b, simulation testing was conducted in accordance with the following test coverage criteria below:
Testing every possible combination of inputs, Testing every possible executable logic path (this includes non-sequential logic paths).
Testing every functional state transition, and Test monitoring for correctness of all outputs for every case.
The simulation testing successfully passed these test coverage criteria to conclude the HDL logic does not have a latent design error that could trigger a CCF. The CIM HDL logic is the highest-level abstraction of the FPGA logic design.
To load the HDL design on to a FPGA, it must be described in terms of gates and their interconnections. This lower-level representation is called a netlist.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 14 of 33
The next step in converting the HDL to logic elements that reside in the FPGA (e.g., logic gates, flip-flops, connecting circuitry) is a process called synthesis. This synthesis produces a netlist that defines the FPGA elements and connections representing the HDL logic.
Once the design is described in terms of FPGA elements and their interconnections, the next step is to define the placement and routing of these FPGA elements on the FPGA chip itself.
This process is called place and route (PAR). The output of this PAR process is another netlist file that is used by the FPGA PAR tool to configure the FPGA device.
It can be postulated that a latent design error could exist in the FPGA tool that generates the synthesis netlist and subsequently the PAR netlist. The CIM development process used a tool, called [
]a,c to verify the equivalence between the synthesis netlist and the HDL, and the equivalence between the PAR netlist and the synthesis netlist.
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 15 of 33
The process of downloading the PAR netlist to configure the FPGA includes diagnostics to ensure no errors are encountered during that process. [
]a,c The testing process and verification of FPGA configuration files, as described, provide the reasonable assurance that there is no latent design defect residing in the FPGA device.
Advantages of Using HDL Simulation Simulation testing demonstrates that Testing every possible executable logic path (this includes non-sequential logic paths) and testing every functional state transition. [
]a,c This visibility into the logic would not be possible in a test setup using the whole CIM hardware configuration.
Simulation testing measures test coverage of the HDL code, branch coverage, and requirements coverage. [
]a,c Black box testing of the CIM hardware would lack this visibility into test coverage such that latent errors could remain.
Simulation was chosen instead of testing an actual CIM hardware device for the test criterion, Testing every possible combination of inputs:
Testing for every combination of inputs was completed by a supplemental FPGA logic simulation test conducted in 2025 (as described in RAI response 27 b.) to meet this criterion. The same simulation test configuration as that used for the original design testing was utilized. The discrete components failure modes of the FPGA interface circuits are defined in the Failure Mode and Effects Analysis (FMEA). This establishes the impacts to the inputs to the FPGA on all interfaces as a 1 or 0.
Simulation testing includes these impacts to provide evidence that the component failures have no adverse effects to the FPGA logic function.
A CIM device integration test was conducted to demonstrate that the discrete hardware electronic circuits integrated with the FPGA operated in accordance with the design requirements for the CIM hardware and hardware interfaces as described below.
The CIM device (configured FPGA with the interface circuits (purple & blue boxes)) is a hardware device, and as such any failure in the CIM is considered a random failure instead of a systematic failure leading to a CCF.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 16 of 33
CIM FPGA Simulation Testing Description
[
]a,c The process also verified that unexpected inputs did not result in unexpected performance. This was verified with recent supplemental testing on the same FPGA logic, as described in the response to RAI 27.b. The complete set of test cases for this process are described in Appendix A, CIM Simulation Test Cases. The appendix identifies which test cases address expected performance and which test cases address unexpected performance. In some instances, the test cases address both.
[
]a,c The results displayed in this figure were based on the complete set of test cases described in Appendix A.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 17 of 33
Figure 4
/SE Test Dashboard Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 18 of 33
CIM Device Integration Level Testing CIM Device Integration Testing (WNA-TR-02718-GEN, CIM SRNC Subsystem Test Report) included the configured FPGA on the CIM Device and interface circuits. This functional testing verified/validated expected performance of the discrete circuits and FPGA interfaces to validate proper CIM functional performance for design verification purposes. This test was conducted to ensure the CIM FPGA and the interface hardware circuitry when integrated worked correctly.
This test also confirmed that the CIM device external interfaces worked correctly and did not introduce any latent design defects.
Integration level testing is a functional test which is used to demonstrates that an integrated CIM devices (purple and blue box) implementation meets the functional design requirements and to confirm that interfaces function as designed and are correctly integrated with the CIM FPGA logic. The test cases for integration level tests are derived from the design requirement specifications. The integration level testing validates external interfaces beyond CIM modules boundary.
Test Criteria As described later in this response, CIM device integration testing was conducted in accordance with the following test criteria below:
[
]a,c Test Configuration Integration testing was performed on the same CIM being used for Limerick, including the programmed CIM FPGA which was integrated into CIM printed circuit board (PCB), using test tools to simulate external interfaces. The integration testing utilizes and validates the correct operation of the CIM FPGA, and the discrete CIM interface circuits placed on the CIM PCB.
The test configuration consisted of the following:
- 1. [
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 19 of 33
Test Functions The CIM device integration test procedure was performed using WNA-TP-04019-GEN CIM SRNC Subsystem Test Procedure. This is the integration test procedure to validate the CIM module including the CIM interface circuits and FPGA logic. The results of this test are documented in WNA-TR-02718-GEN, CIM SRNC Subsystem Test Report The following features of the CIM have been tested in accordance with the cited test procedure. The inputs stimulated and outputs monitored were at the boundary of the CIM device during the execution of the integration testing.
CIM Device Integration Tests
[
]a,c Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 20 of 33
[
]a,c Test Results WNA-TR-02718-GEN provides the summary of the test results. All tests described in the section above for CIM device integration level testing have passed successfully.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 21 of 33
RAI-27
The Limerick digital I&C LAR, as supplemented, does not contain a thorough description of the extensive testing of the CIM to identify latent design defects. During the audit, the NRC staff was provided access to the following documents:
WNA-LI-00096-GEN, Evaluation of Common Cause Failure Susceptibility of Component Interface Module A Table provided during the audit that summarized the specific types of tests performed on the CIM, and identified how these tests address the criteria in BTP 7-19 Section B.3.1.2 a)
Describe (i.e., summarize) or provide the documentation describing the testing that clearly demonstrates how the specific tests performed on the CIM module during its development for the AP1000 application directly address the criteria for testing simple devices to identify possible latent defects or other vulnerabilities that could lead to a possible CCF. In the description or documentation, as a minimum:
highlight those tests that were performed not just to validate expected performance of the CIM based on ((
)) within the functional requirements specification, but also highlight which tests were conducted on combinations of inputs and input sequences that are not based on functional requirements, to help identify or uncover any potential latent defects b)
Describe (i.e., summarize) any additional testing conducted beyond the tests described in a) above that was used to show that all latent design defects were identified and corrected so that the CIM will function as needed under anticipated operational transient and accident conditions. In the description, as a minimum:
highlight those tests that were performed not just to validate expected performance of the CIM based on ((
)) within the functional requirements specification, but also highlight which tests were conducted on combinations of inputs and input sequences that are not based on functional requirements, to help identify or uncover any potential latent defects.
c)
Describe the criteria the licensee used to conclude that the testing of the CIM is adequate to uncover and identify all latent design defects for its planned use in the Limerick I&C modification.
Response to RAI-27.a):
The information provided in Appendix A demonstrates how the specific simulation tests performed on the CIM during its development contribute to the necessary testing to identify possible latent defects or other vulnerabilities that could lead to a possible CCF in the FPGA logic. The response to RAI-25 provides the complete testing regime that was used to adequately address the concern of a possible latent defect that could lead to a possible CCF.
Appendix A provides a listing of all simulation test cases. It indicates if the test case 1) validated expected performance based on [
]a,c within the functional requirements specification, 2) tests where combinations of inputs and input sequences were not Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 22 of 33
based on functional requirements but rather designed to identify or uncover potential latent defects, or 3) both.
Response to RAI-27.b):
In addition to the original ISE testing described in the response to RAI-25 and RAI-27.a, Westinghouse has performed recent supplemental testing on the same FPGA logic that was tested, as described in the response to RAI-25, using the same test environment [
]a,c and directed combination of inputs (i.e.,
unexpected inputs). This supplemental testing was not based on functional requirements but rather designed to clearly demonstrate that every combination of inputs (i.e., expected and unexpected inputs) were tested.
The supplemental testing stimulated the CIM FPGA logic with every combination of inputs to validate the operation of the CIM FPGA logic. The supplemental testing passed with no anomalies. The results are documented in WNA-VR-00644-GEN, Component Interface Module FPGA Logic Supplemental Test Report. Successful completion of the supplemental testing validated the original ISE testing conclusion (i.e., the original testing did not fail to identify a latent design error).
Furthermore, since the checkers developed for the original testing was active during the execution of the supplemental test cases, the entire CIM FPGA logic operation was being monitored, while every combination of inputs to the CIM FPGA logic was exercised. There were no errors recorded during the supplemental tests by the checkers which indicates that the CIM FPGA logic implementation correctly processed every possible combination of inputs with respect to its design requirements.
Response to RAI-27.c):
As stated in the response to RAI-25, CEG describes the overlapping approach to CIM testing and analysis that was utilized. The overlapping approach to CIM testing and analysis is used to achieve reasonable assurance that there is no latent design defect in the CIM.
The elements of the overlapping approach to testing and analysis that provide the reasonable assurance conclusion that there is not a latent design defect in the CIM are:
FPGA Simulation Logic Test This testing exercised every logic branch, state transition, and functional requirement to demonstrate that the FPGA logic was comprehensively tested to provide reasonable assurance that there is no latent design defect in the FPGA logic. This is described in detail in the response to RAI-25.
Supplemental simulation testing of the FPGA logic This testing exercised every combination of inputs into the FPGA logic to confirm the conclusion that there is reasonable assurance that there is no latent design defect in the FPGA logic. This is described in detail in the response to RAI-27b.
Use of the [
]a,c Verification Tool (6105-00108)
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 23 of 33
[
]a,c Through formal methods, [
]a,c verifies that the FPGA logic that was tested by simulation was correctly translated into FPGA circuitry (FPGA netlist files). The FPGA configuration file (netlist) was then used to configure the FPGA device with checks to confirm that the FPGA was correctly configured. At this point the configured FPGA is considered a hardware device (i.e., not software). This is described in the response to RAI-
- 25.
CIM Interface Circuit Argument The CIM module contains interface circuits. These circuits are standard interface circuits that are used in many digital systems. [
]a,c No additional logic exists on the CIM device beyond what is coved in the thorough testing of the FPGA logic. Discrete components have all failures and effects identified with a known predictable impact to the FPGA inputs [
]a,c analyzed in the FMEA. It includes diagnostics that detect failure (e.g., CRC errors, low voltage, and ground faults). A complete list of circuits analyzed by the FMEA can be found in the table for the response to RAI-25.
CIM Device Integration Testing is a design validation test included in the comprehensive overlapping test methods. The CIM Device integration test demonstrates that all the hardware circuits of the CIM device, including the FPGA, integrate with no identified latent design defects to provide reasonable assurance.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 24 of 33
Failure Modes and Effects Analysis As described in the response to RAI-25 an FMEA was performed. This analysis examines each component on the CIM for potential failure modes and the effect of each failure mode on the operation of the CIM. By analyzing all the failure modes for each and every discrete component, the FMEA results demonstrate there are no new combinations of inputs into the FPGA beyond what was simulated in the thorough testing of the CIM FPGA logic. This demonstration confirms that the thorough testing of the FPGA logic includes the failures that could be introduced by the electronics of the CIM device and the CIM device responds predictably. This provides reasonable assurance that all failure modes of the CIM hardware circuits are known, and their effects documented.
CIM Device Integration Testing (WNA-TR-02718-GEN)
As described in the response to RAI-25, the CIM device (including the configured FPGA) was tested. This functional testing verified/validated expected performance of these interfaces to validate proper CIM functional performance. This test was conducted to ensure the CIM FPGA and the interface hardware circuitry worked correctly. The response to RAI-25 defines the functions that were tested. This test also confirmed that the CIM external interfaces worked correctly and did not introduce any latent design defects.
PPS System Integration Testing with the CIM (Limerick PPS FAT)
As described in the response to RAI-25, a system integration test on the Limerick PPS is conducted. This test verifies that the CIM (including the FPGA) and its interfaces work correctly for Limerick ECCS and NSSSS functions, the Diverse Protection System functions and the DCS functions. This functional testing verified/validated expected performance of these interfaces to validate proper CIM functional performance. The results of this test confirm external interfaces to the CIM in an integrated environment worked correctly and did not introduce any latent design defects.
This overlapping approach to testing of the CIM and design analysis, as described in the responses to RAI 25 and RAI 27, was conducted on CIM FPGA Version 1.155 which is used in the Limerick I&C DMP. These tests were successfully executed and passed without errors.
This overlapping approach to testing and design analysis provides reasonable assurance that the CIM does not have a latent design defect that would cause all CIMs to fail simultaneously preventing them from performing their safety function.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 25 of 33
RAI-28
The Limerick digital I&C LAR, as supplemented, does not contain a thorough description of the testing of the CIM-SRNC to identify latent design defects. During the audit the NRC staff reviewed the following documents to gain a better understanding of testing conducted on the CIM-SRNC system:
WNA-LI-00096-GEN, Evaluation of Common Cause Failure Susceptibility of Component Interface Module APP-PMS-T1P-080, Rev. 0 APP-PMS-T2R-080, Rev. 1 WNA-DS-02904-GEN, Rev. 0 WNA-TP-04019-GEN, Rev. 2 WNA-TR-02718-GEN, Rev 4 A Table provided during the audit that summarized the specific types of tests performed on the CIM and identified how these tests address the criteria in BTP 7-19 Section B.3.1.2.
Describe (i.e., summarize) or provide the documentation listed above describing how the testing was conducted on the CIM-SRNC system, and for which specific CIM-SRNC platform this testing was conducted, if testing of the CIM-SRNC was not conducted for the Limerick project.
Demonstrate how the specific extensive tests performed on the CIM module during its development for the AP1000 application directly address the criteria for testing simple devices to identify possible latent defects or other vulnerabilities that could lead to a possible CCF. Highlight those tests that were performed not just to validate expected performance of the CIM based on ((
)) within the functional requirements specification, but also which tests were conducted on combinations of inputs and input sequences that are not based on functional requirements, to help identify or uncover any potential latent defects. Include descriptions of the testing that was performed as presented to the NRC staff during the recent audit.
Response to RAI-28.a):
The CIM structured approach to testing, as described in the response to RAI-25 and RAI-27, is being credited to be sufficient to provide reasonable assurance there is not a latent design defect in the CIM that would cause a CCF of all CIMs. Other than the System Integration Testing, all tests were conducted on the CIM as a generic product. The only relationship to AP1000 is that the CIM was used for the AP1000 Protection and Safety Monitoring System (PMS) and therefore was part of the PMS system integration testing. Therefore, the structured approach to testing as described in the responses to RAI-25 and RAI-27 does not rely on the AP1000 test documentation listed above (i.e., APP-PMS-T1P-080 and APP-PMS-T2R-080).
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 26 of 33
The same identical CIM FPGA version 1.155 that was tested as described in RAI responses 25 and 27, is used on the Limerick project. The documents listed above are described below.
WNA-LI-00096-GEN, Evaluation of Common Cause Failure Susceptibility of Component Interface Module documents the evaluation that the CIM, which is part of the safety-related PPS and interfaces with both safety and non-safety-related systems in controlling field components, can be eliminated from further CCF consideration. These RAI responses supersede arguments in WNA-LI-00096-GEN to conclude that the CIM testing performed and described in these RAI responses, meets the NRC criteria for concluding a CIM CCF does not need to be considered.
WNA-DS-02904-GEN, Rev. 0 CIM SRNC Subsystem Test Tool Design Specification documents the hardware and software components of the CIM SRNC Subsystem Test Tool. This test environment was used during integration level of testing of the CIM by IV&V, in which CIM and SRNC modules were assembled together as a subsystem.
See the responses to RAI-25 and RAI-27 for the CIM Integration Testing.
WNA-TP-04019-GEN, Rev. 2, CIM SRNC Subsystem Test Procedure is the integration level test procedure that defines the integration level testing and test cases, using the test environment specified in WNA-DS-02904-GEN CIM SRNC Subsystem Test Tool Design Specification, where both CIM and SRNC tested as an integrated subsystem to validate CIM design requirements. See the responses for RAI-25 and 27 for the CIM Integration Testing.
- WNA-TR-02718-GEN, Rev 4, CIM SRNC Subsystem Test Report is the test report where the results of integration testing is documented to validate the CIM design requirements. CIM and SRNC were tested as an integrated subsystem per the test procedure WNA-TP-04019-GEN using the test environment described in WNA-DS-02904-GEN. See the responses to RAI-25 and RAI-27 for the CIM Integration Testing.
APP-PMS-T1P-080, Rev. 0, AP1000 Protection and Safety Monitoring System, System Integration Test CIM Priority Test Procedure - This test procedure is not being credited to meet the CCF criteria.
APP-PMS-T2R-080, Rev. 1 AP1000 Protection and Safety Monitoring System, System Integration Test CIM Priority Test Report - This test report is not being credited to meet the CCF criteria.
The table provided during the audit that summarized the specific types of tests performed on the CIM and had identified how these tests address the criteria in BTP 7-19 Section B.3.1.2, is no longer applicable to CEGs justification for adequate testing.
[
]a,c This justification can be found in the responses to RAI-25 and RAI-27.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 27 of 33
Response to RAI-28.b):
As stated in the response to part a) of this RAI, the CIM testing being credited is generic product testing and not AP1000 or Limerick-specific testing (except for the System Integration Testing described in the responses to RAI-25 and RAI-27). Therefore, it does not rely on the AP1000 test documentation. The responses to RAI-25 and RAI-27 demonstrate how the structured approach to testing of the CIM provides adequate testing to identify possible latent defects or other vulnerabilities that could lead to a possible CCF. As described above, the responses to RAI 25 & 27 describe the comprehensive testing performed on the CIM. The response to RAI-27.b) describes supplemental simulation testing that exercises every possible combination of FPGA logic inputs. This is a part of the strategic approach to testing that provides reasonable assurance that the CIM does not have a latent design defect that would cause all CIMs to fail simultaneously preventing them from performing their safety function. The test report for the supplemental testing is WNA-VR-00644-GEN.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 28 of 33
RAI-30
The Limerick digital I&C LAR, as supplemented, does not contain a sufficiently complete comparison between the Wolf Creek MSFIS and the Limerick CIM to demonstrate the Wolf Creek MSFIS precedent is applicable to the Limerick CIM. Specifically, the licensee does not address the differences between the Wolf Creek MSFIS and Limerick CIM. Section 2.2 of WNA-AR-01074-GLIM states, in part,
((
))
((
))
However, the licensee in its letter dated June 14, 2024 (i.e., response to RAI 23f) states:
The basis for the conclusion that the CIM is not susceptible to a CCF is two-fold as described in the D3 Analysis (WNA-AR-01074-GLIM-P).
The first basis is the similarity in design and processes between the MSFIS ALS and the CIM-SRNC, that the NRC found sufficient to conclude the MSFIS was not susceptible to a CCF.
These similarities include, and which are described in detail in the D3 Analysis:
Design Features - ((
))
Lifecycle Processes used in development and verification Simplicity of the Design The second basis for concluding that the CIM-SRNC is not susceptible to a CCF is the extensive testing that was performed on the CIM-SRNC, as described in Section 2.2.2 in the D3 Analysis. The testing performed on the CIM-SRNC is compared to the BTP 7-19 criteria for extensive testing to be sufficient to exclude the need to postulate a CCF in a component.
The NRC staff understands it is the licensees claim that these two bases in combination that support the argument that the CIM-SRNC is not susceptible to a CCF. However, identifying a small number of design similarities between the CIM-SRNC and MSFIS without further context is not sufficient to conclude that the CIM-SRNC used in the Limerick project is not susceptible to a CCF. Further, as described below, based on a description of the CIM provided within submittal Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 29 of 33
documents, the NRC staff is not able to substantiate the licensees claim that both devices are of the same simple design or low level of complexity.
The two arguments, the former being diverse design attributes and extensive testing, versus the latter stating it is the similarity in design and processes between the MSFIS ALS and the CIM-SRNC and extensive testing are not the same argument being offered equally in all document submittals and arguments presented.
Since the MSFIS and CIM-SRNC are markedly different systems with different levels of complexity and safety-significance, the NRC staff does not have a clear understanding that an adequate basis exists that allows the NRC staff to conclude the CIM is not susceptible to a CCF due to a few of its diversity characteristics being similar to those applied to the Wolf Creek MSFIS design.
Document WNA-AR-01074-GLIM-P presents a table ((
)) that compares four design attributes between the CIM design and the MSFIS design, namely ((
)) and concludes that since these four basic characteristics are the same, they are both ((
)) However, the comparison presented does not appear to identify other significant differences because it does not also show that the MSFIS device is a simple 13-state logic device with two input and two output states with a delay, four modes of operation, and likely only a few dozen lines of programmed logic steps while the CIM ((
)) as well as hardware for serial communications and drivers for LED lights, among other key differences.
To remedy the confusion and ambiguity among these disparate explanations in multiple documents, please provide a clear, comprehensive explanation detailing the actual internal design features of the ((
)) and the actual internal design features and capabilities of the Limerick CIM-SRNC system design, with a more complete analysis showing how it is possible to support the claim they can both be considered simple devices that would justify the use of ((
)) and not additional diverse design measures to achieve internal diversity.
Response to RAI-30:
Upon further review, Constellation has determined that the CIM [
]a,c The argument that a postulated CIM CCF is adequately addressed is based on the information provided in the responses to RAI 25 and RAI 27 sufficiently demonstrates that the CIM is not vulnerable to a CCF.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 30 of 33
RAI-32
In Constellations letter dated June 14, 2024 (i.e., response to RAI 21), the licensee stated the CIM safety related node controller (CIM-SRNC) test program documents for the AP1000 CIM-SRNC, including the test plans and test results ((
)). However, the staff does not have sufficient information (evidence) within the application, as supplemented, to enable it to verify claims made by the licensee regarding the CIM-SRNC development, testing, and veri"cation processes for the CIM-SRNC.
Speci"cally, additional information is needed to demonstrate how CIM-SRNC system test results and documented outcome would support a claim of the CIM-SRNC not being susceptible to a common cause failure (CCF).
The statements made in the submittal documents to date stating the CIM-SRNC has undergone extensive testing per the discussion in Sections 2.2 and 2.2.2 of WNA-AR-01074-GLIM, Limerick Generating Stations Units 1 & 2 Digital Modernization Project Defense in Depth and Diversity Common Cause Failure Coping Analysis are not sufficient to enable the NRC staff to conclude that the speci"c tests conducted to demonstrate the functionality of the CIM and SRNC when it was developed for the AP1000 application will also satisfy the acceptance criteria within Section B.3.1.2 of BTP 7-19 Revision 8. However, document WNA-AR-01074-GLIM only provides a high-level overview related to the attributes of defense-in-depth and diversity related to the Limerick application.
- a. The staff understands that the number of programmed logic steps, ((
)) used in each programmed sub-module, as well as the number of program logic steps that were tested and veri"ed against test cases for each V&V test may number in the thousands. Provide a clear explanation regarding how testing was conducted that supports the identi"cation of latent defects in the programmed logic steps that was generated. For example, describe how the tests were structured to ensure every functional operation was tested to respond to expected inputs and veri"ed to meet expected CIM module performance. Also, describe how these tests were designed to go beyond expected performance of modules and sub-modules by testing unexpected sets of inputs and verifying no fatal faults would occur.
- b. Provide a summary describing how every possible combination of inputs and possible sequence of inputs from the "eld component status feedback inputs were extensively tested and veri"ed to provide feedback through the Y-port to the Ovation RNC without encountering a latent defect or faulted condition.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 31 of 33
- c. Related to automated test cases and built-in test coverage, explain what the component and system response would be if the inputs to the ((
)).
- d. If a hypothetical condition were to occur where ((
)). If the staff's understanding is correct, and this condition were allowed to exist with no noti"cation to the operator, explain why this fault condition would be acceptable as an adequate diagnostic result.
Response to RAI-32.a):
As described in the response to RAI 25, the process used to conduct testing that employed the
[
]a,c test environment indicated that every line, branch, and functional group was successfully tested, thus ensuring that testing was thorough. The Dashboard figure in the RAI-25 response summarizes that every line, branch, and functional group was successfully tested.
The results displayed in this figure were based on the complete set of test cases listed in Appendix A.
In addition to the [
]a,c testing described in the response to RAI 25, the response to RAI-27 describes additional testing that was conducted to validate that unexpected sets of inputs will not result in any fault, thus verifying the absence of any latent design defects. This test validates that the original testing performed on the CIM did not miss a latent design fault.
Response to RAI-32.b):
The testing processes described in response to RAI-25 and RAI-27 included testing every possible combination of inputs, including the field component status feedback inputs to provide feedback [
]a,c Response to RAI-32.c):
[
]a,c Response to RAI-32.d):
Such a hypothetical scenario would require simultaneous and identical logic defects in both cores. If this were to occur, the CIM component feedback circuit would still be operational, thus Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 32 of 33
providing the operator with real-time plant and equipment conditions. In addition, since the PPS, the PPC, and the Ovation DCS systems are still operational, the operator will be able to readily identify any off-normal equipment configuration or condition based on unexpected change in plant conditions (e.g., reactor water level, reactor pressure, containment pressure, etc.) and take appropriate actions in accordance with the EOPs.
Westinghouse Non-Proprietary Class 3 LIM-25-150-NP, Rev. 0 Page 33 of 33
ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 ATTACHMENT 4 CONTAINS SECURITY-RELATED (SUNSI) INFORMATON -
WITHHOLD UNDER 10 CFR 2.390 When separated, the cover letter, Attachment 2, and Attachment 3 are decontrolled.
ATTACHMENT 3 Non-Proprietary Limerick Generating Station, Units 1 and 2 NRC Docket Nos. 50-352 and 50-353 WEC Affidavit CAW-25-053 For Proprietary Information in Attachment 1 (3 pages)
Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-25-053 Page 1 of 3 Commonwealth of Pennsylvania:
County of Butler:
(1)
I, Rosemary Null, Manager, New Plants Licensing, Cranberry Township, PA, have been specifically delegated and authorized to apply for withholding and execute this Affidavit on behalf of Westinghouse Electric Company LLC (Westinghouse).
(2)
I am requesting the proprietary portions of LIM-25-150-P, Revision 0 be withheld from public disclosure under 10 CFR 2.390.
(3)
I have personal knowledge of the criteria and procedures utilized by Westinghouse in designating information as a trade secret, privileged, or as confidential commercial or financial information.
(4)
Pursuant to 10 CFR 2.390, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.
(i)
The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse and is not customarily disclosed to the public.
(ii)
The information sought to be withheld is being transmitted to the Commission in confidence and, to Westinghouses knowledge, is not available in public sources.
(iii)
Westinghouse notes that a showing of substantial harm is no longer an applicable criterion for analyzing whether a document should be withheld from public disclosure. Nevertheless, public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar technical evaluation justifications and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.
Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-25-053 Page 2 of 3 (5)
Westinghouse has policies in place to identify proprietary information. Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:
(a)
The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.
(b)
It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage (e.g., by optimization or improved marketability).
(c)
Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.
(d)
It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.
(e)
It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.
(f)
It contains patentable ideas, for which patent protection may be desirable.
(6)
The attached documents are bracketed and marked to indicate the bases for withholding. The justification for withholding is indicated in both versions by means of lower-case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower-case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (5)(a) through (f) of this Affidavit.
Westinghouse Non-Proprietary Class 3 AFFIDAVIT CAW-25-053 Page 3 of 3 I declare that the averments of fact set forth in this Affidavit are true and correct to the best of my knowledge, information, and belief. I declare under penalty of perjury that the foregoing is true and correct.
Executed on: 9/26/2025 Signed electronically by Rosemary Null