ML18254A249

COL Docs - Draft LAR-18-023 for September 13, 2018 Pre-Submittal Meeting - Public Version
Site: Vogtle (Southern Nuclear)
Issue date: 09/11/2018
From: NRC
To: NRC/NRO/DLSE/LB4


Text

Vogtle PEmails

From: Hoellman, Jordan
Sent: Tuesday, September 11, 2018 12:09 PM
To: Vogtle PEmails
Subject: Draft LAR-18-023 for September 13, 2018 Pre-Submittal Meeting - PUBLIC VERSION
Attachments: ND-18-1085_LAR-18-023_PMS Common Q Watchdog Timers_rD1-PSM_PUBLIC.pdf; ND-18-1085_Encl 5_LAR-18-023_Westinghouse affidavit_PSM.pdf

The attached document is provided for NRC Staff review in advance of the September 13 Pre-Submittal Meeting for LAR-18-023, Request for License Amendment: Protection and Safety Monitoring System Watchdog Timer and Common Q Design Description Changes.

This version of the draft LAR does not contain proprietary information and may be released to the Public. The non-Public (i.e., Proprietary) version of this draft LAR will be provided in a separate email. The Westinghouse affidavit supporting this request to withhold proprietary information is attached to both this email as well as the email that will provide the non-Public (Proprietary) version of this draft LAR.

Hearing Identifier: Vogtle_COL_Docs_Public
Email Number: 363

Mail Envelope Properties (SN6PR0901MB23661F400D9403E5EA006BA2D5040)

Subject: Draft LAR-18-023 for September 13, 2018 Pre-Submittal Meeting - PUBLIC VERSION
Sent Date: 9/11/2018 12:08:39 PM
Received Date: 9/11/2018 12:09:00 PM
From: Hoellman, Jordan
Created By: Jordan.Hoellman2@nrc.gov
Recipients: "Vogtle PEmails" <Vogtle.PEmails@nrc.gov>
Tracking Status: None
Post Office: SN6PR0901MB2366.namprd09.prod.outlook.com

Files / Size / Date & Time
MESSAGE / 697 / 9/11/2018 12:09:00 PM
ND-18-1085_LAR-18-023_PMS Common Q Watchdog Timers_rD1-PSM_PUBLIC.pdf / 1160474
ND-18-1085_Encl 5_LAR-18-023_Westinghouse affidavit_PSM.pdf / 300166

Options
Priority: Standard
Return Notification: No
Reply Requested: No
Sensitivity: Normal
Expiration Date:
Recipients Received:

Southern Nuclear Operating Company

ND-18-1085

Vogtle Electric Generating Plant (VEGP) Units 3 and 4

Request for License Amendment:

PMS Watchdog Timer and Common Q Design Description Changes (Publicly Available Information)

(LAR-18-023)

(This Enclosure consists of 23 pages, including this cover page)


ND-18-1085 Request for License Amendment: PMS Watchdog Timer and Common Q Design Description Changes (Publicly Available Information) (LAR-18-023)

Table of Contents

1. SUMMARY DESCRIPTION
2. DETAILED DESCRIPTION and TECHNICAL EVALUATION
3. TECHNICAL EVALUATION (Incorporated into Section 2, above)
4. REGULATORY EVALUATION
4.1. Applicable Regulatory Requirements/Criteria
4.2. Precedent
4.3. Significant Hazards Consideration
4.4. Conclusions
5. ENVIRONMENTAL CONSIDERATIONS
6. REFERENCES

Pursuant to 10 CFR 52.98(c) and in accordance with 10 CFR 50.90, Southern Nuclear Operating Company (SNC) hereby requests an amendment to Combined License (COL) Nos. NPF-91 and NPF-92 for Vogtle Electric Generating Plant (VEGP) Units 3 and 4, respectively.

1. SUMMARY DESCRIPTION

The proposed changes would revise the COLs to accurately describe the design and use of the central processing unit (CPU) watchdog timers (WDTs) in the microprocessors of the Processing Section (PS) and the Communication Section (CS) of the Advant Controller 160 (AC160) processor module of the Common Qualified (Common Q) platform portion of the protection and safety monitoring system (PMS). This LAR also proposes several changes to the design description of the Common Q platform, as presented in the Updated Final Safety Analysis Report (UFSAR) and various supporting technical reports that are incorporated by reference into the UFSAR.

The requested amendment proposes a change to UFSAR information that involves a departure from Tier 2* information that is incorporated by reference into the UFSAR. This enclosure requests approval of the license amendment necessary to implement this Tier 2* departure and the involved Tier 2 UFSAR change.

2. DETAILED DESCRIPTION

Background

It was identified that the [ ]a,c within the AC160 software is not enabled as described in WCAP-16097-P-A, Revision 3 (LAR Section 2.1.1). This condition is identified in Westinghouse Nuclear Safety Advisory Letter (NSAL)-17-2, "AC160 Processor Module Stall Timers Not Activated as Described in Licensing Basis." In addition, the [ ]a,c cycle time provided in WCAP-16097-P-A does not reflect the as-built system. Therefore, WCAP-16097-P-A needs to be changed to accurately reflect the [ ]a,c and the [ ]a,c timeout window (LAR Section 2.1.2).

As part of an extent of condition performed on the Common Q platform, it was discovered that several additional design descriptions within WCAP-16097-P-A also need to be updated. This includes an updated description of:

• The timing of a SYSDia test (LAR Section 2.2)
• Where AC160 system software is executed (LAR Section 2.3)
• The memory capacity of the CS section of the processor module (LAR Section 2.4)
• When the OVERL Terminal is set to TRUE (LAR Section 2.5)
• What the processor module does when a CI communication module fails (LAR Section 2.6)

To support these changes, several conforming administrative changes are made to the UFSAR, WCAP-16674, and WCAP-16675 (LAR Sections 2.1.3 and 2.7).


The changes to WCAP-16097-P-A are proposed as changes to WCAP-15927-P-A, Table 3-2, which provides alternatives to the processes and descriptions in WCAP-16097-P-A.

System and Platform Overview

Protection and Safety Monitoring System Overview

The protection and safety monitoring system (PMS) is the AP1000 plant safety-related instrumentation and controls (I&C) system that provides detection of off-nominal conditions and actuation of appropriate safety-related functions necessary to achieve and maintain the plant in a safe shutdown condition. The PMS consists of four redundant divisions, designated A, B, C, and D.

Common Qualified Platform Overview

The PMS is based on the Common Qualified (Common Q) platform, as described in WCAP-16097-P-A, Revision 3. The Common Q platform is designed with a modular structure. It consists, in part, of the following major building blocks: Advant Controller 160 (AC160) processor module, input and output (I/O) modules, and Advant Fieldbus (AF100 bus) communication.

• Processor Module

[ ]a,c

The Processor Module contains three hardware watchdog timers as discussed below.

• AF100 Communication Interface

The processor modules within an AC160 controller share data with each other using the global memory resident on the AF100 bus Communication Interface Module (Model CI631). Each processor module sends data to the CI631 communication interface module for use on the AF100 bus.


• I/O Modules

The AC160 uses the S600 I/O system. A range of I/O modules is available, covering analog and digital signals of various types. In addition, there are modules for temperature measurement and rotational speed measurement. The process signals are connected to the front of the I/O modules. [ ]a,c

Common Q Fault Detection

The AC160 performs a variety of diagnostic and supervision functions to continuously monitor the correct operation of the system. Each of the modules has diagnostic functions. The CPU module monitors the system as a whole by collecting all the diagnostic information and checking the consistency of the hardware configuration and the application software. The supervision functions are subdivided into the following groups: problem detection, signaling the nature of the problem, and automatic reaction to problems.

Severe problems (e.g., component errors) in the processor module stop the processor module. These errors also switch an internal watchdog timer relay in the processor module. For Common Q applications, this relay is used to provide an alarm, and in some applications, conservative failure responses of the affected division. For example, the watchdog timer relay for the PMS reactor trip Local Coincidence Logic Subsystem processor modules (note: this subsystem combines partial trip signals and generates a trip output signal to the reactor trip switchgear and initiation logic when 2 out of 4 divisions indicate a trip) will generate a trip signal when the watchdog timer relay is open.

Each module is equipped with two light emitting diode indicators, FAULT and RUN. During normal operation, the green RUN LED is lit on all modules. The red FAULT LED lights only if a problem occurs on the module. The diagnostic function displays an error code on the front of the CPU module to facilitate fault tracing.

• Common Q Watchdog Timer Overview

[ ]a,c

The WDTs check for internal faults within the processor modules. If a fault is identified, the processor module is placed into a safe state.

[ ]a,c

• CPU Overload

[ ]a,c

• Loss of Communication

The AF100 Communication Interface (CI) module, CI631, monitors the validity of the data sets it is supposed to receive. If no data has been received for four cycles for the data set or when the communication interface has failed, the database element for the data set will be flagged as failed. The control module programming will constantly monitor the database element flag and perform the appropriate error processing.

The AC160 CI631 module configuration provides on-line surveillance to ensure that it is in operational condition. The CI module contains self-diagnostics and reports any errors to the application in the processor module. This error report can be used for alarm or screen indication to direct technicians to the specific AC160 node that has the CI failure. Normally the failed module will be indicated by a red light on the front panel.
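The stale-data rule described above (a data set is flagged failed after four cycles without data or when the communication interface has failed, and the application checks that flag before using the value) can be sketched in C as follows. This is an added example, not Westinghouse or AC160 code; the type and function names, the fail-safe substitution, and the choice to clear the flag when fresh data returns are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* From the text: failed after four cycles without data. */
#define STALE_CYCLE_LIMIT 4u

/* Hypothetical "database element" for one received data set. */
typedef struct {
    int32_t  value;          /* last payload received */
    uint32_t missed_cycles;  /* consecutive cycles without fresh data */
    bool     failed;         /* flag the application must check */
} dataset_t;

/* Before any data has arrived the element is treated as failed. */
void dataset_init(dataset_t *ds)
{
    ds->value = 0;
    ds->missed_cycles = STALE_CYCLE_LIMIT;
    ds->failed = true;
}

/* Run once per cycle. fresh is NULL when nothing was received.
 * ci_ok is the communication interface's self-diagnostic result. */
void dataset_cycle(dataset_t *ds, const int32_t *fresh, bool ci_ok)
{
    if (fresh != NULL && ci_ok) {
        ds->value = *fresh;
        ds->missed_cycles = 0;
    } else if (ds->missed_cycles < STALE_CYCLE_LIMIT) {
        ds->missed_cycles++;   /* saturate, so the counter never wraps */
    }
    /* Assumption: the flag is not latched and clears on fresh data. */
    ds->failed = !ci_ok || ds->missed_cycles >= STALE_CYCLE_LIMIT;
}

/* Application side: never consume a value without checking the flag.
 * On failure the caller-supplied fail-safe value is used instead. */
int32_t dataset_read(const dataset_t *ds, int32_t failsafe, bool *used_failsafe)
{
    *used_failsafe = ds->failed;
    return ds->failed ? failsafe : ds->value;
}

/* Replays a constructed per-cycle trace after one healthy baseline cycle.
 * Returns the index of the first cycle flagged failed, or -1 if none. */
int first_failed_cycle(const bool *update_present, const bool *ci_ok, size_t n)
{
    const int32_t sample = 42;   /* constructed payload */
    dataset_t ds;
    dataset_init(&ds);
    dataset_cycle(&ds, &sample, true);
    for (size_t i = 0; i < n; i++) {
        dataset_cycle(&ds, update_present[i] ? &sample : NULL, ci_ok[i]);
        if (ds.failed)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed trace: one update, then the sender goes silent. */
    const bool upd[] = { true, false, false, false, false, true };
    const bool ok[]  = { true, true,  true,  true,  true,  true };
    printf("first failed cycle: %d\n", first_failed_cycle(upd, ok, 6));
    return 0;
}
```

Three missed cycles followed by a fresh update do not raise the flag, while a failed interface raises it immediately even if data is still arriving.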


PMS Failure Modes and Effects Analysis Overview

The PMS failure modes and effects analysis (FMEA) is documented in WCAP-16438, Revision 3 (as modified by the changes provided in UFSAR Appendix 7A.4). The PMS FMEA examines failures of the major PMS components. For each postulated failure, the PMS FMEA assigns a fault classification. This fault classification includes a failure criticality class, a failure detectability class, and a failure likelihood class (see WCAP-16438 Table 3-1, Table 3-2, and Table 3-3). The failure criticality, detectability, and likelihood classes are used to rank the criticality, detectability, and likelihood of each failure. A final safety conclusion is determined based on these classifications. Through the process of examining the relevant failure modes and making a final safety determination for each failure with the given fault classifications, it is concluded that the AP1000 protection system maintains its safety functions during single point failures.

Description and Justification of Proposed Changes

2.1 Common Q Watchdog Timer Description Update

2.1.1 Revise Description of [ ]a,c Enable

As described in NSAL-17-2, the [ ]a,c within the AC160 is not activated as described in WCAP-16097-P-A.

Specifically, WCAP-16097-P-A Section 5.2.1.2.1 item 6 states [ ]a,c

WCAP-16675 Section 2.2.8 describes what happens when a BPL processor stalls. The text states [ ]a,c

Brief Description of the Activity

The CPU WDT is deleted in WCAP-16097-P-A Sections 5.2.1.2.1 and 5.2.1.3, Table 5-1, and Figure 5-13. This includes deleting a sentence from the description of the [ ]a,c in Table 5-1 which states that it performs the same function as the [ ]a,c

A statement is added to WCAP-16097-P-A Section 5.2.1.3 to clarify that the [ ]a,c are the credited watchdog for closing Generic Open Item 7.3 from the Common Q Topical Report.

WCAP-16675 Section 2.2.8 is changed [ ]a,c


Technical Justification of the Activity

There are no PMS requirements that credit the [ ]a,c The AP1000 PMS has other mitigations to protect against a stalled processor.

Specifically, upon detection of an internal processor module fault, the [ ]a,c will put the PMS in a safe state. [ ]a,c See WCAP-16438 for an evaluation of specific PMS faults. Westinghouse has qualified the [ ]a,c for this purpose as discussed in the closure of Common Q Topical Report Generic Open Item 7.3 (see WCAP-16097-P-A, Revision 0 and Revision 3 Generic Open Items [ADAMS Accession No. ML030550776] and the Common Q summary qualification report).

If a software anomaly were to occur, the operator would hear and see an alarm of PMS Division Fault via the Alarm Presentation System and see an indication of a Division Fault on the Safety Display. The red FAULT LED lights on the failed processor module would also provide indication of a fault. These indications would be due to the other diagnostics that would annunciate as a result of the same software anomaly. The operator would take the necessary actions to resolve the fault via the maintenance procedures in the PMS technical manual.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927, Section 3.10 (WCAP-16097-P-A, Section 5.2.1.2.1, Item 6) | Delete Item 6 from Section 5.2.1.2.1. |
| WCAP-15927, Section 3.10 (WCAP-16097-P-A, Section 5.2.1.3) | Update to state that the [ ]a,c are the credited watchdog for closing Generic Open Item 7.3 from the Common Q Topical Report. |
| WCAP-15927, Section 3.10 (WCAP-16097-P-A, Table 5-1) | Delete the [ ]a,c from the table. |
| WCAP-15927, Section 3.10 (WCAP-16097-P-A, Figure 5-13) | Delete the [ ]a,c from the figure. |
| UFSAR Appendix 7A.8 (WCAP-16675 Section 2.2.8) | Change to remove discussion of the [ ]a,c |


2.1.2 Correction of Watchdog Timeout Window

As described above, [ ]a,c

Brief Description of the Activity

[ ]a,c

Technical Justification of the Activity

[ ]a,c Therefore, this activity does not adversely impact the safety function of the processor modules.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Section 5.2.1.2.1) | Change [ ]a,c |
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Table 5-1) | Change [ ]a,c |
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Figure 5-13) | Change [ ]a,c |

2.1.3 Removal of Duplicate Information from WCAP-16675

WCAP-16675 contains duplicate information on the watchdog timers from the information included in WCAP-16097-P-A. Specifically, parts of WCAP-16675 Section 2.2.8 and the entirety of Figure 2-4 and Table 2-1 are duplicated in WCAP-16097-P-A Section 5.2.1.3, Table 5-1, and Figure 5-13. Therefore, the information can be removed from WCAP-16675.

Brief Description of the Activity

The first paragraph of WCAP-16675 Section 2.2.8 is changed to point to the Common Q alternatives in WCAP-15927 for a description of the processor module WDTs. WCAP-16675 Figure 2-4 and Table 2-1 are deleted.

Technical Justification of the Activity

This is an administrative change only to remove duplicate licensing basis information. No content is being removed from the licensing basis information. The information will be maintained in WCAP-15927, which is a Tier 2* document.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| UFSAR Appendix 7A.8 (WCAP-16675 Section 2.2.8) | Change the first paragraph of WCAP-16675 Section 2.2.8 to point to the Common Q alternatives in WCAP-15927 for a description of the processor module WDTs. |
| UFSAR Appendix 7A.8 (WCAP-16675 Figure 2-3) | Delete Figure 2-4. |
| UFSAR Appendix 7A.8 (WCAP-16675 Table 2-1) | Delete Table 2-1. |

2.2. SYSDia Test Timer Correction

[ ]a,c

[ ]a,c

Brief Description of the Activity

[ ]a,c

Technical Justification of the Activity

[ ]a,c

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Section 5.2.1.2.1) | Update to state [ ]a,c |

2.3. Revise Description of AC160 System Software Execution Location

WCAP-16097-P-A Section 5.2.1.1.1 states, [ ]a,c

[ ]a,c

Brief Description of the Activity

WCAP-16097-P-A Section 5.2.1.1.1 is updated [ ]a,c

Technical Justification of the Activity

The safety function and operability of the processor module are not adversely impacted by this change.

[ ]a,c

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Section 5.2.1.1.1) | Update to state [ ]a,c |


2.4 Processor Communication Section Memory Capacity Change

WCAP-16097-P-A Section 5.2.1.1.1 states, "A second Motorola MC68360 processor for HSL communications, with an extra 512 Kbytes nonvolatile memory (Flash PROM) for the system software and an extra 2 Mbytes SRAM is provided for communications."

However, the CS of the processor module has 512 Kbyte RAM, not 2 Mbytes of RAM.

Brief Description of the Activity

The description of the memory capacity of the processor module is changed from 2 Mbytes of RAM to 512 Kbyte of RAM to match the as-built design.

Technical Justification of the Activity

The CS of the processor module has 512 Kbyte of SRAM, which is sufficient memory for the CS software. If the CS software is larger than the available CS memory, then the user will not be able to load the software into the processor module. The actual size of the CS software is less than 512 Kbyte. Therefore, the reduced size of the CS memory described in WCAP-16097-P-A will not impact the functionality of the CS software.

The size of the memory does not contribute to the safety function or operability of the CS of the processor module.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Section 5.2.1.1.1) | Change the description of the memory capacity of the processor module from 2 Mbytes of RAM to 512 Kbyte of RAM. |

2.5 Change to Description of when the Overload (OVERL) Terminal is set to TRUE

[ ]a,c

WCAP-16097-P-A, Section 5.3.1.1 states [ ]a,c

d for comm M, not 2 Mbytes of RAM.

M, not 2 Mbytes processor module is changed processor module is chang ch the as ch the as-built design.

Kbyte of SRAM, which is sufficient memory Kbyte of SRAM, which is sufficient memory vailable CS memory, then the user will not b S memory, then ssor module. The actual size of the CS so The actual re, the reduced size of the CS memory d re, the reduced size of the CS pact the functionality of the CS software.

pact the functionality of the CS softwa oes not contribute to the safety function or op not contribute to the safety function or o

e.

censing Basis Change Descriptions s Change Descriptions RA xt, Table, or Fig xt, Table, ure Description o Description o CAP CAP-15927 Section 3.10 15927 Sect (WCAP (WCAP-16097 16097-P-A Section A

5.2.1.1.1) 5.2.1.1 Change the d Cha capacity of capa 2 Mbyte Mby 5

Change to Description of when the to Description of when the Ov Ov

[

WCAP WCAP PUBLIC VERSION

ND-18-1085 Request for License Amendment: PMS Watchdog Timer and Common Q Design Description Changes (Publicly Available Information) (LAR-18-023)

Brief Description of the Activity

WCAP-16097-P-A, Section 5.3.1.1 is updated [ ]a,c

Technical Justification of the Activity

[ ]a,c Therefore, this activity does not impact the ability to detect high CPU load conditions and, therefore, does not have an adverse impact on the ability of the system to perform its safety function.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Section 5.3.1.1) | Update to state [ ]a,c |

2.6 Deletion of Description of the Processor Module [ ]a,c

WCAP-16097-P-A Section 5.4.1.4.1 states that the processor module will reboot the CI communication module if the CI communication module has a transient error. However, the processor does not reboot the CI communication module. [ ]a,c The failed CI communication modules will be indicated by a red light on the front panel and will not be rebooted.

Brief Description of the Activity

The text in WCAP-16097-P-A Section 5.4.1.4.1 that states the PM reboots the CI communication module is deleted.

Technical Justification of the Activity

The PMS FMEA evaluates [ ]a,c This change does not impact these analyses, including the fault classification. The system continues to fail to a safe state. Therefore, the proposed change is consistent with the current PMS FMEA and does not adversely impact the PMS safety functions.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
|---|---|
| WCAP-15927 Section 3.10 (WCAP-16097-P-A Section 5.4.1.4.1) | Delete the text that states [ ]a,c the PM reboots the CI communication module. |


2.7 Conforming Administrative Changes

Various conforming changes are necessary to support the changes described above. This includes:

• Updating the revision number of WCAP-15927 throughout the licensing basis
• Updating the title for WCAP-15927 Section 3.10 and Table 3-2 because it contains additional exceptions unrelated to design processes
• Adding a note to Reference 1 of WCAP-16674 (i.e., WCAP-16097-P-A, Rev. 3) to state, "as modified by the Topical Report alternatives in WCAP-15927, Rev. 7"
• Adding Reference 15 to WCAP-16674 (i.e., WCAP-15927).

Brief Description of the Activity

• WCAP-15927 is changed from Revision 6 to Revision 7 throughout the licensing basis. The revision number of WCAP-15927 is deleted in UFSAR Appendix 1A.
• WCAP-15927, Section 3.10 (including the titles of the section and Table 3-2) is changed to capture the fact that the alternative approaches to WCAP-16097-P-A now include technical material unrelated to design processes.
• A note is added to Reference 1 of WCAP-16674 (i.e., WCAP-16097-P-A, Rev. 3) to state, "as modified by the Topical Report alternatives in WCAP-15927, Rev. 7."
• Reference 15 (i.e., WCAP-15927) is added to WCAP-16674.

Technical Justification of the Activity

This is an administrative change only. See the other changes for an evaluation of the change to technical content to WCAP-16097-P-A and WCAP-15927.

It is unnecessary to list the revision number of WCAP-15927 in UFSAR Appendix 1A; the revision number listed in UFSAR Table 1.6-1 and Chapter 7 is sufficient.

Proposed Licensing Basis Change Descriptions

| Text, Table, or Figure | Description of the Proposed Change |
| --- | --- |
| UFSAR Table 1.6-1 | • Update WCAP-16096 and WCAP-16097 references from Revision 6 to Revision 7. |
| | • Update WCAP-15927 reference from Revision 6 to Revision 7. Update document number to refer to both P (proprietary) and NP (non-proprietary) versions. |
| UFSAR Appendix 1A | Delete the revision number of WCAP-15927. |
| UFSAR Section 7.1.7 | • Update WCAP-16096 and WCAP-16097 references from Revision 6 to Revision 7. |
| | • Update WCAP-15927 reference from Revision 6 to Revision 7. Update document number to refer to both P (proprietary) and NP (non-proprietary) versions. |
| UFSAR Appendix 7A.7 (WCAP-16674 References Section) | A note is added to Reference 1 of WCAP-16674 (i.e., WCAP-16097-P-A, Rev. 3) to state, "as modified by the Topical Report alternatives in WCAP-15927, Rev. 7." WCAP-15927 is added as Reference 15. |
| WCAP-15927 Section 3.10 | WCAP-15927, Section 3.10 and Table 3-2 are changed to capture the fact that the alternative approaches to WCAP-16097-P-A now include technical material unrelated to design descriptions. |

Common Evaluation of Changes

The proposed changes do not affect the radiological source terms (i.e., amounts and types of radioactive materials released, their release rates and release durations) used in the accident analyses. The PMS Common Q platform equipment involved in these proposed changes does not affect a fission product barrier. No system or design function or equipment qualification is adversely affected by the proposed changes. The changes do not result in a new failure mode, malfunction or sequence of events that could adversely affect a radioactive material barrier or safety-related equipment. The proposed changes do not allow for a new fission product release path, result in a new fission product barrier failure mode, or create a new sequence of events that would result in significant fuel cladding failures.

The SSCs affected by this license amendment request are not used to contain, control, channel, monitor, process or release radioactive and non-radioactive materials. The types and quantities of expected effluents are not changed, and no effluent release path is adversely affected by the proposed changes. Therefore, radioactive or non-radioactive material effluents are not affected by the proposed changes.

Plant radiation zones (as described in UFSAR Section 12.3), controls under 10 CFR 20, and expected amounts and types of radioactive materials are not affected by the proposed changes.

Therefore, individual and cumulative radiation exposures do not change.

Summary

The proposed changes revise the COLs to accurately describe the design and use of the CPU WDTs in the microprocessors of the PS and CS of the AC160 processor module of the Common Q platform portion of the PMS. This LAR also proposes several changes to the design description of the Common Q platform, as presented in the UFSAR and various supporting technical reports that are incorporated by reference into the UFSAR. The above proposed changes would not adversely affect any safety-related equipment or function, design function, radioactive material barrier or safety analysis.


3. TECHNICAL EVALUATION (Incorporated into Section 2, above)

4. REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements/Criteria

• 10 CFR Part 52, Appendix D, VIII.B.6 requires prior NRC approval for departure from Tier 2* information. The proposed activity makes changes to WCAP-15927, which is referenced in UFSAR as a Tier 2* document. Therefore, a license amendment request (LAR) (as supplied herein) is required.

• 10 CFR 52, Appendix D, Section VIII.B.5.a allows an applicant or licensee who references this appendix to depart from Tier 2 information, without prior NRC approval, unless the proposed departure involves a change to or departure from Tier 1 information, Tier 2* information, or the Technical Specifications, or requires a license amendment under paragraphs B.5.b or B.5.c of the section. The requested amendment proposes changes to Tier 2 information that involve Tier 2* changes and, thus, requires prior NRC approval.

• 10 CFR 50.55a(a)(1), Quality Standards for Systems Important to Safety, requires that "Structures, systems, and components must be designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the importance of the safety function to be performed." The Common Q Topical Report was determined to be an acceptable approach to satisfying the regulatory requirements in 10 CFR 50.55a(a)(1) applicable to the Common Q portion of the protection and safety monitoring system. The Common Q Topical Report is modified by the Topical Report alternatives proposed and evaluated in this License Amendment Request. Therefore, it is concluded that the requirements of 10 CFR 50.55a(a)(1) are met.

• 10 CFR 50.55a(h), Protection and safety systems, approves the 1991 version of IEEE Standard 603, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, including the correction sheet dated January 30, 1995 for incorporation by reference. The Common Q portion of the protection and safety monitoring system described in WCAP-16096 (Revision 4), as modified by the Topical Report alternatives in WCAP-15927 (Revision 7) and the proposed changes to these alternatives in Enclosure 2, continues to meet the requirements in IEEE Standard 603-1991 and, therefore, satisfies 10 CFR 50.55a(h).

• 10 CFR Part 50, Appendix A, General Design Criteria for Nuclear Power Plants

The design of the Common Q-based safety systems continues to meet the relevant requirements of GDC 1, 2, 4, 13, and 19 through 25.


General Design Criteria:

• GDC 1, Quality Standards and Records, states that structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The Common Q Topical Report adequately identifies the regulatory guides and industry codes applicable to the Common Q. The Common Q Topical Report was determined to be an acceptable approach to satisfying the regulatory requirements in GDC 1. The changes proposed by this activity do not change the PMS compliance with the regulatory guides or industry standards applicable to the Common Q platform. Therefore, the requirements of GDC 1 are met.

• GDC 2, Design Basis for Protection Against Natural Phenomena, states that structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena without loss of capability to perform their safety functions.

Westinghouse has identified those systems and components for the safety systems designed to survive the effects of earthquakes, abnormal environments and missiles, and other natural phenomena. These systems and components continue to be consistent with their design bases. Therefore, the requirements of GDC 2 are met.

• GDC 4, Environmental and Dynamic Effects Design Basis, states that structures, systems, and components important to safety shall be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents.

Equipment in the Common Q-based portion of the PMS is qualified for a mild environment per the AP1000 Equipment Qualification Program. The proposed change does not affect the Electromagnetic Interference (EMI)/Radio Frequency Interference (RFI) testing, environmental testing, or seismic testing that is performed to demonstrate that the equipment in the Common Q portion of the PMS will function under prescribed mild environment conditions. Therefore, the requirements of GDC 4 are met.

• GDC 13, Instrumentation and Control, states that instrumentation shall be provided to monitor and control variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions.

The Common Q portion of the protection and safety monitoring system appropriately supports actions to monitor and operate the nuclear power unit in a safe and reliable manner during normal operation, anticipated operational occurrences, and accident conditions. The proposed changes do not adversely impact the PMS ability to monitor and operate the AP1000 nuclear power units. Therefore, the requirements of GDC 13 are met.

• GDC 19, Control Room, states that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions.

The proposed change does not adversely affect the ability of the Common Q portion of the PMS to appropriately support actions to monitor and operate the nuclear power unit from a control room in a safe and reliable manner during normal operation, anticipated operational occurrences, and accident conditions. Therefore, the requirements of GDC 13 are met.

• GDC 20, Protection System Functions, states that the protection system shall be designed to initiate automatically the operation of appropriate systems to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and to sense accident conditions and to initiate the operation of systems and components important to safety.

The proposed change does not affect conformance to IEEE Std 603-1991 by the Common Q portion of the PMS, nor does it affect the ability of the PMS to detect accident conditions and anticipated operational occurrences in order to initiate reactor shutdown consistent with the accident analysis presented in UFSAR Chapter 15. Therefore, the requirements of GDC 20 are met.

• GDC 21, Protection System Reliability and Testability, states that the protection system shall be designed for high functional reliability and in-service testability commensurate with the safety functions to be performed.

The Common Q portion of the PMS facilitates conformity to the guidelines of Regulatory Guide 1.22 and Regulatory Guide 1.118 for periodic testing, the guidelines of Regulatory Guide 1.47 for bypassed and inoperable status indication, and IEEE Std 379-2000, as supplemented by Regulatory Guide 1.53, for the application of the single-failure criterion, and satisfies the requirements of IEEE Std 603-1991 with regard to system reliability and testability. The proposed change does not affect aspects of the Common Q portion of the PMS that would have an adverse effect on system reliability and testability, as demonstrated by continued conformance to these Regulatory Guides and industry guidance. Therefore, the requirements of GDC 21 are met.

• GDC 22, Protective System Independence, states that the protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function or shall be demonstrated to be acceptable on some other defined basis.

The proposed change does not adversely affect the plant's existing compliance with Regulatory Guide 1.75 for protection system independence, nor does it adversely affect the ability of the Common Q portion of the PMS to satisfy the requirement of IEEE Std 603-1991 with regard to system independence. Therefore, the requirements of GDC 22 are met.

• GDC 23, Protective System Failure Modes, states that the protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy, or postulated adverse environments are experienced.

The AP1000 failure modes and effects analysis adequately demonstrates how the protection and safety monitoring system will operate with a single failure under all postulated operating conditions. The proposed activity does not adversely affect this analysis and the PMS continues to fail to a safe state. Therefore, the requirements of GDC 23 are met.

• GDC 24, Separation of Protection and Control, states that the protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system.

Regulatory Guide 1.153 endorses IEEE Std 603-1991 as an acceptable method for satisfying the requirements of GDC 24. The Common Q portion of the PMS and the plant operating control systems continue to satisfy the requirements of IEEE Std 603-1991 with regard to protection and control system interactions. Therefore, the requirements of GDC 24 are met.

• GDC 25, Protection System Requirements for Reactivity Control Malfunctions, states that the protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems.

The Common Q portion of the PMS continues to satisfy protection system requirements for malfunctions of the reactivity control system such as accidental withdrawal of control rods. Therefore, the requirements of GDC 25 are met.

4.2 Precedent

No precedent is identified.

4.3 Significant Hazards Consideration

The proposed changes would revise the Combined Licenses (COLs) to accurately describe the design and use of the central processing unit (CPU) watchdog timers (WDTs) in the microprocessors of the Processing Section (PS) and the Communication Section (CS) of the Advant Controller 160 (AC160) processor module of the Common Q platform portion of the protection and safety monitoring system (PMS). This LAR also proposes several changes to the design description of the Common Qualified (Common Q) platform, as presented in the Updated Final Safety Analysis Report (UFSAR) and various supporting technical reports that are incorporated by reference into the UFSAR.

The requested amendment proposes a change to UFSAR information that involves a departure from Tier 2* information that is incorporated by reference into the UFSAR. This enclosure requests approval of the license amendment necessary to implement this Tier 2* departure and the involved Tier 2 UFSAR change.

An evaluation to determine whether or not a significant hazards consideration is involved with the proposed amendment was completed by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment, as discussed below:

4.3.1 Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change would revise the COLs in regard to the design description of the watchdog timers of the Common Q portion of the protection and safety monitoring system (PMS) and other design description aspects of the Common Q platform. The watchdog timers are components within the processor modules that check for internal faults within the processor modules and place the processor module into a safe state if an internal fault is detected.

The proposed change revises the description of the design and use of the diagnostic functions of the watchdog timers and the Common Q platform and does not alter any safety-related functions of the PMS or any supported systems. The change does not affect the operation of any systems or equipment that initiate an analyzed accident or alter any structures, systems, and components (SSC) accident initiator or initiating sequence of events.

The change does not impact the support, design, or operation of mechanical and fluid systems. There is no change to plant systems or the response of systems to postulated accident conditions. There is no change to the predicted radioactive releases due to normal operation or postulated accident conditions.

Consequently, the plant response to previously evaluated accidents or external events is not adversely affected, nor does the proposed change create any new accident precursors.

Therefore, the proposed amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated.


4.3.2 Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change would revise the COLs in regard to the design description of the watchdog timers of the Common Q portion of the protection and safety monitoring system (PMS) and other design description aspects of the Common Q platform. The proposed change does not affect the operation of any systems or equipment that may initiate a new or different kind of accident or alter any SSC such that a new accident initiator or initiating sequence of events is created.

Therefore, the proposed amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated.

4.3.3 Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

The proposed change would revise the COLs in regard to the design description of the watchdog timers of the Common Q portion of the PMS and other design description aspects of the Common Q platform. The PMS continues to meet the requirements of the applicable 10 CFR Part 50, Appendix A, General Design Criteria for the design of safety-related reactor protection systems, engineered safety features systems, and other plant systems, and the supporting industry standards for the design of digital systems.

No safety analysis is adversely affected by the proposed changes.

Furthermore, no system function, design function, or equipment qualification will be adversely affected by the change. Consequently, no safety analysis or design basis acceptance limit/criterion is challenged or exceeded by the proposed change, thus the margin of safety is not reduced.

Therefore, the proposed amendment does not involve a significant reduction in a margin of safety.

Based on the above, it is concluded that the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.

4.4 Conclusions

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public. Pursuant to 10 CFR 50.92, the requested change does not involve a Significant Hazards Consideration.

5. ENVIRONMENTAL CONSIDERATIONS

The details of the proposed changes are provided in Section 2 of this license amendment request.

The proposed changes would revise the Combined Licenses (COLs) to accurately describe the design and use of the central processing unit (CPU) watchdog timers (WDTs) in the microprocessors of the Processing Section (PS) and the Communication Section (CS) of the Advant Controller 160 (AC160) processor module of the Common Q platform portion of the protection and safety monitoring system (PMS). This LAR also proposes several changes to the design description of the Common Q platform, as presented in the Updated Final Safety Analysis Report (UFSAR) and various supporting technical reports that are incorporated by reference into the UFSAR.

The requested amendment proposes a change to UFSAR information that involves a departure from Tier 2* information that is incorporated by reference into the UFSAR. This enclosure requests approval of the license amendment necessary to implement this Tier 2* departure and the involved Tier 2 UFSAR change.

This review has determined the proposed change requires an amendment to the COL. However, a review of the anticipated construction and operational effects of the requested amendment has determined the requested amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9), in that:

(i) There is no significant hazards consideration.

As documented in Section 4.3, Significant Hazards Consideration Determination, of this license amendment request, an evaluation was completed to determine whether or not a significant hazards consideration is involved by focusing on the three standards set forth in 10 CFR 50.92, Issuance of amendment. The Significant Hazards Consideration determined that (1) the requested amendment does not involve a significant increase in the probability or consequences of an accident previously evaluated; (2) the requested amendment does not create the possibility of a new or different kind of accident from any accident previously evaluated; and (3) the requested amendment does not involve a significant reduction in a margin of safety. Therefore, it is concluded that the requested amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of no significant hazards consideration is justified.

(ii) There is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

The proposed changes in the requested amendment revise the COLs in regard to various aspects of equipment in the protection and safety monitoring system (PMS). The PMS is the AP1000 plant safety-related instrumentation and controls (I&C) system that provides detection of off-nominal conditions and actuation of appropriate safety-related functions necessary to achieve and maintain the plant in a safe shutdown condition. The proposed changes are unrelated to any aspect of plant construction or operation that would introduce any change to effluent types (e.g., effluents containing chemicals or biocides, sanitary system effluents, and other effluents), or affect any plant radiological or non-radiological effluent release quantities. Furthermore, the proposed changes do not affect any effluent release path or diminish the functionality of any design or operational features that are credited with controlling the release of effluents during plant operation. Therefore, it is concluded that the requested amendment does not involve a significant change in the types or a significant increase in the amounts of any effluents that may be released offsite.

(iii) There is no significant increase in individual or cumulative occupational radiation exposure.

The proposed changes in the requested amendment revise the COLs in regard to various aspects of equipment in the PMS. Plant radiation zones (addressed in UFSAR Section 12.3) are not affected, and controls established under 10 CFR 20 to preclude a significant increase in occupational radiation exposure are not affected. Therefore, the requested amendment does not involve a significant increase in individual or cumulative occupational radiation exposure.

Based on the above review of the requested amendment, it has been determined that anticipated construction and operational effects of the requested amendment do not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in the individual or cumulative occupational radiation exposure. Accordingly, the requested amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), an environmental impact statement or environmental assessment of the proposed exemption is not required.

6. REFERENCES

None.


Southern Nuclear Operating Company

ND-18-1085

Vogtle Electric Generating Plant (VEGP) Units 3 and 4

Proposed Changes to Licensing Basis Documents (Publicly Available Information) (LAR-18-023)

Insertions Denoted by Blue Underline and Deletions by Red Strikethrough

Omitted text is identified by three asterisks ( * * * )

(This Enclosure consists of 12 pages, including this cover page)


ND-18-1085 Proposed Changes to Licensing Basis Documents (Publicly Available Information)

(LAR-18-023)


1. UFSAR Section 1.6, Table 1.6-1, Material Referenced:

Revise Tier 2* text applicable to DCD Section 7.1 in UFSAR Table 1.6-1 to reflect changes to referenced WCAPs.

DCD Section Number | Westinghouse Topical Report Number | Title

7.1

[WCAP-16096-P-A WCAP-16096-NP-A | Software Program Manual for Common Q™ Systems, Revision 4, February 2013 (1) (as modified by the SPM alternatives in WCAP-15927, Revision 67)]*

[WCAP-16097-P-A WCAP-16097-NP-A | Common Qualified Platform Topical Report, Revision 3, February 2013 (as modified by the Topical Report alternatives in WCAP-15927, Revision 67)]*

[WCAP-15927-P WCAP-15927-NP WCAP-15927 (NP) | Design Process for AP1000 Common Q Safety Systems, Revision 76, February 2017]*

2. UFSAR Appendix 1A, Conformance with Regulatory Guides:

• Revise Tier 2 Regulatory Guide conformance position and summary description for Regulatory Guide (RG) 1.152, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.152, Rev. 1, 1/96 - Criteria for Digital Computers in Safety Systems of Nuclear Power Plants

Regulatory Guide 1.152, Rev. 2, 1/06 - Criteria for Use of Computers in Safety Systems of Nuclear Power Plants

Conformance of the design aspects with Revision 1 of the Regulatory Guide is as stated below in the DCD.

General | ANSI/IEEE-ANS-7-4.3.2-1993 | Exception | The Common Q portion of the protection and safety monitoring system is developed using the Common Q Software Program Manual (SPM) (as modified by the SPM alternatives in WCAP-15927, Revision 4) and Common Q Topical Report (as modified by the Topical Report alternatives in WCAP-15927, Revision 6). The Common Q SPM and Topical Report were reviewed and approved by the NRC. The Common Q SPM and Topical Report meet IEEE Std. 7-4.3.2-2003, as endorsed by Regulatory Guide 1.152, Revision 3.


• Revise Tier 2 Regulatory Guide conformance position and summary description for Regulatory Guide (RG) RG 1.168, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.168, Rev. 0, 9/97 and Rev. 1, 2/04 - Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

Conformance of the design aspects with Revision 0 of the Regulatory Guide is as stated below in the DCD.

General | | Exception | See Chapter 7 for a discussion of the instrumentation and control software program related to Common Qualified Platform (Common Q).

The Common Q portion of the protection and safety monitoring system is developed using the Common Q SPM (as modified by the SPM alternatives in WCAP-15927, Revision 6). The Common Q SPM was reviewed and approved by the NRC using the criteria of IEEE Std. 1012-1998 and IEEE Std. 1028-1997 as endorsed by Regulatory Guide 1.168, Revision 1.

• Revise Tier 2 Regulatory Guide conformance position and summary description for Regulatory Guide (RG) RG 1.169, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.169, Rev. 0, 9/97 - Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

General | | Exception | Westinghouse uses the Common Q SPM (as modified by the SPM alternatives in WCAP-15927, Revision 6) to develop and maintain the Common Q portion of the protection and safety monitoring system. The Common Q SPM was reviewed and approved by the NRC using the criteria of Regulatory Guide 1.169, Revision 0 and IEEE 828-2005.

The CIM subsystem complies with Regulatory Guide 1.169, Revision 0 with the exception(s) identified below:


• Revise Tier 2 Regulatory Guide conformance position and summary description for Regulatory Guide (RG) RG 1.170, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.170, Rev. 0, 9/97 - Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

General | | Exception | The Common Q portion of the protection and safety monitoring system is developed using the Common Q SPM (as modified by the SPM alternatives in WCAP-15927, Revision 6). The Common Q SPM was reviewed and approved by the NRC using the criteria of Regulatory Guide 1.170, Revision 0 and IEEE 829-1998.

The CIM subsystem complies with Regulatory Guide 1.170, Revision 0 with the exception(s) identified below:

• Revise Tier 2 Regulatory Guide conformance position and summary description for Regulatory Guide (RG) RG 1.172, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.172, Rev. 0, 9/97 - Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

General | | Exception | The Common Q portion of the protection and safety monitoring system is developed using the Common Q SPM (as modified by the SPM alternatives in WCAP-15927, Revision 6). The Common Q SPM was reviewed and approved by the NRC using the criteria of Regulatory Guide 1.172, Revision 0 and IEEE 830-1998.

See Chapter 7 for a discussion of the instrumentation and control software program.


• Revise Tier 2 Regulatory Guide conformance position and summary description for Regulatory Guide (RG) RG 1.173, as follows:

Criteria Section | Referenced Criteria | AP1000/FSAR Position | Clarification/Summary Description of Exceptions

Reg. Guide 1.173, Rev. 0, 9/97 - Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants

General | | Exception | Westinghouse uses the Common Q SPM (as modified by the SPM alternatives in WCAP-15927, Revision 6) to develop and maintain the Common Q portion of the protection and safety monitoring system. The Common Q SPM was reviewed and approved by the NRC using the criteria of IEEE 1074-1995 as endorsed by Regulatory Guide 1.173, Revision 0.

The CIM subsystem complies with Regulatory Guide 1.173, Revision 0 with the exception(s) identified below.

3. UFSAR Subsection 7.1.7, References:

Revise Tier 2* information for references, as shown in the excerpts below:

8. [WCAP-16097-P-A (Proprietary) and WCAP-16097-NP-A (Non-Proprietary), Revision 3, Common Qualified Platform Topical Report, February 2013. (Note: as modified by the Topical Report alternative in WCAP-15927, Revision 67).]*
9. [WCAP-16096-P-A (Proprietary) and WCAP-16096-NP-A (Non-Proprietary), Revision 4, Software Program Manual for Common Q™ Systems, February 2013. (Note: as modified by the Software Program Manual alternatives in WCAP-15927, Revision 67)]*
20. [WCAP-15927-P (Proprietary) and WCAP-15927-NP (Non-Proprietary), Revision 7, WCAP-15927, Revision 6 (Non-proprietary), Design Process for AP1000 Common Q Safety Systems.]*


4. UFSAR Appendix 7A, Instrumentation and Controls Licensing Basis Document Changes, Subsection 7A.7, WCAP-16674-P and WCAP-16674-NP, AP1000 I&C Data Communication and Manual Control of Safety Systems and Components:

Revise Tier 2 information in Subsection 7A.7 regarding the References in WCAP-16674-P and WCAP-16674-NP, as follows:

• Revise the Reference section, as follows:

1. WCAP-16097-P-A, Rev. 0 3 (proprietary), Common Qualified Platform Topical Report, Westinghouse Electric Company LLC (as modified by the Topical Report alternatives in WCAP-15927, Rev. 7)

15. WCAP-15927, Rev. 7, Design Process for AP1000 Common Q Safety Systems, Westinghouse Electric Company LLC


5. UFSAR Appendix 7A, Instrumentation and Controls Licensing Basis Document Changes, Subsection 7A.8, WCAP-16675-P and WCAP-16675-NP, AP1000 Protection and Safety Monitoring System Architecture Technical Report:

Revise Tier 2 information in Subsection 7A.8, following the current directions to revise Section 1.3, as follows:

• Revise Section 2.2.8, Watchdog Timer Implementation, as follows:

[ ]a,c

Refer to the Common Q Topical Report alternatives in WCAP-15927, Design Process for AP1000 Common Q Safety Systems, (Reference 40) for a description of the Processor Module Watchdog Timers.

When a stall WDT activation occurs in a BPL processor, it resets the CPU which will terminates, it resets the BPL processor stalls, the HSL communication to the LCLs is terminated. The LCL then marks the BPL data with bad quality. If only the window WDT activates, then the BPL will mark all HSL data as bad quality. In either case, if both BPLs fail then the LCLs go to a 1oo3 for Reactor Trip and 2oo3 for ESFAS coincidence logic for the affected parameter.

• Delete Figure 2-4, Watchdog Timer Configuration.

• Delete Table 2-1, Processor Module WDT Arrangement Watchdog Timer Summary.

6. WCAP-15927-P and WCAP-15927-NP, Design Process for AP1000 Common Q Safety Systems:

Revise Tier 2* information in UFSAR Chapter 7 reference document, WCAP-15927-P and WCAP-15927-NP, Design Process for AP1000 Common Q Safety Systems, as follows:

Note that WCAP-15927 is incorporated by reference as a Tier 2* document, however, the text in this document is not depicted using italics and brackets as is typical of Tier 2* material in the UFSAR (plant-specific DCD).


• Revise Section 3.10, Alternative to Processes Defined in WCAP-16097-P-A, with corresponding change to the Table of Contents, as follows:

3.10 ALTERNATIVES METHODS TO PROCESSES DEFINED AND DESCRIPTIONS IN WCAP-16097-P-A

Table 3-2 identifies alternatives to the processes defined and design descriptions in WCAP-16097-P-A, Common Qualified Platform Topical Report (Reference 4.2.2).

• Revise Table 3-2, Alternative Methods and Design Descriptions to the Common Q Topical Report, as follows:

Table 3-2 Alternative Methods and Design Descriptions to the Common Q Topical Report

WCAP-16097-P-A Section | WCAP-16097-P-A Text | Alternative

References | 27. WCAP-17266, Rev. 0, Common Q Platform Generic Change Process, Westinghouse Electric Company LLC. | Alternative 27. WCAP-17266, Common Q Platform Generic Change Process, Westinghouse Electric Company LLC.

a,c

• Revise Section 5.2.1.3, Watchdog Timer, as shown in the Updated Section 5.2.1.3 Watchdog Timer Text, provided below:

a,c

• Replace Figure 5-13, Watchdog Timer Configuration, with the Updated Figure 5-13 Watchdog Timer Configuration, provided below:

a,c

• Revise Table 5-1, Processor Module WDT Arrangement Watchdog Timer Summary, as shown in the Updated Table 5-1 Processor Module WDT Arrangement Watchdog Timer Summary, provided below:
