ML12073A393


TVA White Paper Common Q PAMS Design Basis Conformance to the Requirements of IEEE 603-1991, Dated March 8, 2012 (Letter Items 1 and 3, SSER 23 Appendix HH Item Numbers 94 and 105). Attachment 4
Site: Watts Bar
Issue date: 03/08/2012
From: Clark M S, Tennessee Valley Authority
To: Office of Nuclear Reactor Regulation
References: TAC ME0853


Text

Attachment 4

TVA white paper "Common Q PAMS Design Basis Conformance to the Requirements of IEEE 603-1991," dated March 8, 2012 (Letter Items 1 and 3, SSER 23 Appendix HH Item Numbers 94 and 105)

White Paper
Common Q PAMS Design Basis Conformance to the Requirements of IEEE 603-1991
Revision 0
March 8, 2012

Prepared by: M. S. Clark
Reviewed by: J. T. Kepler
Reviewed by: R. H. Bryan
Approved by: S. A. Hilmes

Acronyms and Abbreviations

The following acronyms/abbreviations are used in this document:

| Acronym | Definition |
|---|---|
| AIR | Auxiliary Instrument Room |
| ANS | American Nuclear Society |
| ANSI [1] | American National Standards Institute |
| AOI | Abnormal Operating Instruction |
| ASME [2] | American Society of Mechanical Engineers |
| CET | Core Exit Thermocouple |
| CO2 | Carbon dioxide |
| Common Q | Common Qualified Platform |
| CRDR | Control Room Design Review |
| DBE | Design Basis Earthquake |
| ECCS | Emergency Core Cooling System |
| EDCR | Engineering Document Change Request |
| EMC | Electro-Magnetic Compatibility |
| EMI | Electro-Magnetic Interference |
| EOI | Emergency Operating Instruction |
| EPRI [3] | Electric Power Research Institute |
| EQ | Environmental Qualification |
| ESD | Electrostatic Discharge |
| FE | Function Enable |
| FMEA | Failure Modes and Effects Analysis |
| FPDS | Flat Panel Display System |
| FSAR | Final Safety Analysis Report |
| GHz | Gigahertz |
| Hz | Hertz (frequency in cycles per second) |
| ICCM | Inadequate Core Cooling Monitor |
| ICS | Integrated Computer System |
| IEEE [4] | Institute of Electrical and Electronics Engineers |
| INPO [5] | Institute of Nuclear Power Operators |
| ISA [6] | International Society of Automation |
| kHz | Kilohertz |
| MHz | Megahertz |
| LOCA | Loss of Coolant Accident |
| MCR | Main Control Room |
| MTBF | Mean Time Between Failures |
| MTP | Maintenance and Test Panel |
| MTTR | Mean Time to Repair |
| NRC | Nuclear Regulatory Commission |
| NSSS | Nuclear Steam Supply System |
| OBE | Operating Bases Earthquake |
| OM | Operator's Module |
| PAMS | Post-Accident Monitoring System |
| PC | Personal Computer |
| RCP | Reactor Coolant Pump |
| RCS | Reactor Coolant System |
| RG | Regulatory Guide |
| rms | root mean square |
| RTD | Resistance Temperature Detector |
| RVLIS | Reactor Vessel Level Indicating System |
| SGTR | Steam Generator Tube Rupture |
| SI | Safety Injection |
| SLE | Software Load Enable |
| SMM | Saturation Margin Monitor |
| SRS | Software Requirements Specification |
| SSC | Structure/System or Component |
| SSER | Supplemental Safety Evaluation Report |
| SSPS | Solid State Protection System |
| SysRS | System Requirements Specification |
| TID | Total Integrated Dose |
| TVA | Tennessee Valley Authority |
| UPS | Uninterruptible Power Supply |
| Vac | Volts alternating current |
| WBN | Watts Bar Nuclear Plant |

[1] ANSI is a registered trademark of the American National Standards Institute.
[2] ASME is a registered trademark of the American Society of Mechanical Engineers.
[3] EPRI is a registered trademark of the Electric Power Research Institute Inc.
[4] IEEE is a registered trademark of the Institute of Electrical and Electronics Engineers Inc.
[5] INPO is a registered trademark of the Institute of Nuclear Power Operations.
[6] ISA is a registered trademark of the International Society of Automation.
[7] IEEE 603 is a registered trademark of the Institute of Electrical and Electronics Engineers Inc.

Notes:

1. Italicized text is quoted from IEEE 603 [7]-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
2. Following each IEEE 603-1991 requirement is a discussion of the Watts Bar Nuclear Plant Unit 2 (WBN Unit 2) Common Q Post-Accident Monitoring System (PAMS) licensing basis.
3. In the following discussion it is acknowledged that a Post Accident Monitoring System (PAMS) variable may meet more than one type and category classification. For simplification, the discussion uses the highest classification with the most stringent requirements.
4. The WBN Unit 2 design basis is contained in multiple documents. The design basis documents used in the preparation of this report are listed in the References section at the end of the report.
5. Core Exit Thermocouples (CETs) are referred to as "Incore Thermocouples" in the WBN Unit 2 Abnormal Operating Instructions (AOIs) and Emergency Operating Instructions (EOIs).
6. The Saturation Margin Monitor (SMM) is also referred to as the "Subcooling Margin Monitor" in WBN Unit 2 AOIs and EOIs.

Purpose

This document summarizes the Common Q PAMS conformance to IEEE-603-1991. The document provides the basis for the selection of applicable requirements from the IEEE standard. This paper provided the response to NRC SSER 23, 24 and 25 Appendix HH items 94 and 105 and follow-up NRC requests.

Summary

The following evaluations show that the Common Q PAMS meets the design basis needs and requirements for Watts Bar Unit 2. The design utilized the specifications for the Unit 1 Inadequate Core Cooling Monitor (ICCM-86). The variables selected for display were based on the requirements of Regulatory Guide 1.97 Revision 2 (Reference 2). The placement of displays and associated controls for Unit 2 was subjected to a Human Factors Engineering review during the design process for EDCR 52351, Common Q PAMS and the Control Room Design Review (CRDR).

Background/Methodology

The Common Q PAMS for WBN U2 supplies the Reactor Vessel Level Indication System (RVLIS), Core Exit Thermocouples (CET) and Saturation Margin Monitor (SMM). The PAMS provides information to the operators and other emergency response personnel in understanding and managing potential accident and transient events at WBN.

There are twenty-seven Final Safety Analysis Report (FSAR) Chapter 15 events addressed by fifty-seven abnormal and emergency operating instructions. The Chapter 15 events are defined in a variety of regulatory documents such as Regulatory Guides, NUREGs, and NRC endorsed industry standards. The emergency operating instructions and to a lesser degree the abnormal operating procedures are symptom based as opposed to event based procedures.
They are also set up to allow management of plant conditions if they, in an unlikely event, degrade beyond the design basis accident and transients described in FSAR Chapter 15. As a consequence, a direct correlation between the emergency procedures and the Chapter 15 events does not exist. Thus, a single instruction may and frequently does contain direction on responding to multiple events.

Determining the applicability of the guidance in IEEE-603 is dependent on the use of the PAM variables by the operators in managing the Chapter 15 Design Basis Events. The WBN Unit 2 event termination criteria (stabilized plant conditions) are defined as reaching "hot standby" (Mode 3) for most events. For a LOCA or SGTR, event termination occurs when the Reactor Coolant System (RCS) is below 200°F and depressurized.

A review of the WBN Unit 1 AOIs and EOIs was performed to identify uses of the Common Q PAMS variables of RVLIS, CET, and SMM. The EOIs and AOIs were then mapped to the FSAR Chapter 15 events. The review is documented in Appendix 1. AOIs not associated with Chapter 15 events (fire, earthquake, etc.) did not need to be evaluated and were not. This mapping is shown in Appendix 2.

In the evaluations, the SMM, CET and RVLIS columns identify if the Common Q PAMS variable is used in the instruction. If a variable is used, then the notes column in the evaluation (Appendix 1) describes how the Common Q PAMS variable is used.

Regulatory Guide (RG) 1.97 defines type A variables as:

"those variables to be monitored that provide the primary information required to permit the control room operator to take specific manually controlled actions for which no automatic control is provided and that are required for safety systems to accomplish their safety functions for design basis accident events. Primary information is information that is essential for the direct accomplishment of the specified safety functions; it does not include those variables that are associated with contingency actions that may also be identified in written procedures."

The EOI/AOI review determined that RVLIS, SMM, and CET meet the definition of a Type "A" variable. The SMM and CET functions had been classified as Type "A" variables but RVLIS had not. As a result, the following commitments are made:

1. RVLIS will be included as a type A variable in the next revision of TVA calculation WBNOSG4047, "PAM Type "A" Variables Determination."
2. WBN Unit 2 FSAR, Table 7.5-2, "Regulatory Guide 1.97 Post Accident Monitoring Variables Lists," will be updated to show RVLIS as a Type "A" variable in a future amendment.
3. TVA Design Criteria Document WB-DC-30-7, Revision 24, "Post Accident Monitoring Instrumentation," will be updated to show RVLIS as a Type "A" variable in a future revision.
4. WBN Unit 2 Technical Specifications Table 3.3.3-1 Line item 6 Reactor Vessel Water Level will be revised to remove the reference to note (g).
5. WBN Unit 2 Technical Specification Bases will be revised to identify RVLIS as a Type "A" variable.

NOTE: By definition, Type "A" variables are "key variables" and must meet Category 1 design and qualification criteria, as defined in RG 1.97, Section 1.3.1. RVLIS is currently defined as a Category 1 Variable (B1 and C1). Therefore, categorizing it as a Type "A" variable has no impact on equipment qualification, design or installation.

IEEE-603 Requirements Review Results

The results of a review of the Common Q PAMS design against the requirements in each Clause of IEEE-603, 1991 are provided below.

Clause 4 "Safety system design basis"

4. A specific basis shall be established for the design of each safety system of the nuclear power generating station. The design basis shall also be available as needed to facilitate the determination of the adequacy of the safety system, including design changes. The design basis shall be consistent with the requirements of ANSI/ANS 51.1-1983 or ANSI/ANS 52.1-1983 and shall document as a minimum:

4.1. The design basis events applicable to each mode of operation of the generating station along with the initial conditions and allowable limits of plant conditions for each such event.

WBN Unit 2 Analysis:

The design basis events, their applicable mode(s) of operation, initial conditions and allowable limits are described in WBN Unit 2 FSAR, Chapter 15, "Accident Analysis." Additional details are contained in TVA Design Criteria Document WB-DC-40-64, Revision 12, "Design Basis Events Design Criteria."

As part of the EOI and AOI review, a cross reference between the EOIs and AOIs to the Chapter 15 events was developed. The cross reference is provided in Appendix 2. As shown in the cross reference, it is not possible to assign a specific procedure to each event, and some events have multiple procedures. This shows a disconnect between the regulatory requirements and guidance documents. The regulatory documents seek a one to one correspondence while the EOIs and AOIs are developed based on responding to the plant conditions that can occur during an accident with a focus on reaching stabilized plant conditions (event termination).

The EOI/AOI review also focused on the setpoints required by the procedures. This review was performed to verify the Common Q PAMS met the design basis requirements of the procedures. Table 1 below provides the results of the EOI/AOI setpoint review.
The following summarizes the required ranges:

* Saturation Margin Monitor required range: 44 to 213°F (subcooled)
* Core Exit Thermocouples required range: < 200 to 1200°F
* Reactor Vessel Level required range: 33 to 95%

As documented in WNA-DS-01617-WBT-P, Revision 4, "Post Accident Monitoring System - System Requirements Specification," Table 2.6-4, the Common Q PAM variable ranges envelope the ranges shown above. This demonstrates that the Common Q PAMS meets the requirements of the AOIs and EOIs. Westinghouse considers the values in WNA-DS-01617-WBT-P, Table 2.6-4, as proprietary; therefore they are not repeated here.

The mapping of the TVA system design requirements to the associated WEC design criteria is provided in WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," Section 12, "Contract Compliance Matrix."

Table 1 - Common Q PAMS Required Setpoints

| Procedure # | Incore T/C setpoint(s) | SMM* setpoint(s) | RVLIS setpoint(s) |
|---|---|---|---|
| AOI-2 | None | NA | NA |
| AOI-33 | Various between 433 and 491°F | 65°F and 75°F | NA |
| E-0 | NA | 65°F | NA |
| E-1 | NA | 65°F and 85°F | 95% |
| E-2 | None | 65°F and 85°F | NA |
| E-3 | Various between 433 and 491°F | Various between 65 and 121°F | 95% |
| ECA-0.0 | 1200°F | 65°F and 85°F | NA |
| ECA-0.1 | None | 65°F and 85°F | NA |
| ECA-2.1 | None | Various between 65 and 115°F | 95% |
| ECA-3.1 | None | Various between 65 and 213°F | 95% |
| ECA-3.2 | Various between 211 and 600°F | Various between 59 and 126°F | 63, 76 and 95% |
| ECA-3.3 | NA | NA | 60, 63 and 76% |
| ES-0.1 | None | 65°F | NA |
| ES-0.2 | 200°F | Various between 65 and 165°F | 95% |
| ES-0.3 | 200°F | 65, 85 and 101°F | 69 and 95% |
| ES-0.4 | 200°F | 65 and 101°F | NA |
| ES-1.1 | None | Various between 65 and 115°F | 95% |
| ES-1.2 | None | Various between 57 and 213°F | 95% |
| ES-3.1 | None | Various between 65 and 115°F | 95% |
| ES-3.2 | None | Various between 65 and 115°F | 95% |
| ES-3.3 | None | Various between 65 and 115°F | 95% |
| FR-0 | 727 and 1200°F | 65 and 85°F | 33, 44 and 95% |
| FR-C.1 | 727 and 1200°F | 65 and 85°F | 33 and 60% |
| FR-C.2 | 727°F | 65 and 85°F | 33, 44 and 60% |
| FR-C.3 | 727°F | 65 and 85°F | 33 and 44% |
| FR-H.1 | None | Various between 44 and 65°F | 60% |
| FR-1.3 | None | Various between 65 and 135°F | 95% |
| FR-P.1 | NA | Various between 65 and 135°F | 60 and 63% |
| FR-S.1 | 1200°F | NA | NA |

* All SMM setpoints are subcooled values

4.2. The safety functions and corresponding protective actions of the execute features for each design basis event.

WBN Unit 2 Analysis:

The Common Q PAMS has no automatic execute features. Manual safety-related actions are based on the Common Q PAMS indications of CETs, RVLIS and SMM. The use of these variables in the AOIs and EOIs is documented in Appendix 1. A cross reference to the FSAR Chapter 15 events is provided in Appendix 2.

4.3. The permissive conditions for each operating bypass capability that is to be provided.

WBN Unit 2 Analysis:

Not applicable. The PAMS has no automatic execute features to bypass.

4.4. The variables or combinations of variables, or both, that are to be monitored manually or automatically, or both, to control each protective action; the analytical limit associated with each variable, the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is ensured.

WBN Unit 2 Analysis:

There is no automatic protection associated with the PAMS. The variables that are monitored manually for protective actions are the CETs, RVLIS and SMM.

The required ranges are established in Chapter 22 of the Westinghouse Functional Requirements Specification. The response to SSER 24 Appendix HH, Item 105, which is in item 4.1 above, demonstrates that the PAMS variables have sufficient range to meet the requirements of the AOIs and EOIs.

4.5. The following minimum criteria for each action identified in 4.2 whose operation may be controlled by manual means initially or subsequent to initiation. See IEEE Std 494-1974 (R1990).

4.5.1. The points in time and the plant conditions during which manual control is allowed.

WBN Unit 2 Analysis:

The points in time and plant conditions during which manual control is allowed are identified in the EOIs and AOIs listed in Appendix 1. The use of a procedure based approach is in agreement with RG 1.97 Revision 4. The results of the EOI and AOI review identify how the Common Q PAMS variables are used.

4.5.2. The justification for permitting initiation or control subsequent to initiation solely by manual means.

WBN Unit 2 Analysis:

Not applicable. The Common Q PAMS indications are used for manual actions for which no automatic action is available.

4.5.3. The range of environmental conditions imposed upon the operator during normal, abnormal, and accident circumstances throughout which the manual operations shall be performed.

WBN Unit 2 Analysis:

The range of conditions are those experienced by the operator in either the Main Control Room (MCR) or Auxiliary Instrument Room (AIR) during normal and accident conditions. The table below summarizes the conditions. Where the values are different, information is provided for both the MCR and the AIR.

| Parameter | Normal | Abnormal | Accident |
|---|---|---|---|
| Temperature Range | MCR 75 to 80°F; AIR 64 to 90°F | 60 to 104°F | MCR 75 to 82°F; AIR 55 to 87°F |
| Relative Humidity | MCR 40 to 60%; AIR 40 to 70% | 20 to 90% | NA |
| Radiation Exposure | 40 year TID 350.4 Rad | NA | MCR 40 year TID 362.76 Rad; AIR 40 year TID 512.5 Rad |
| Design Bases Earthquake (DBE) | NA | NA | 3.0g horizontal and 2.0g vertical |

4.5.4. The variables in 4.4 that shall be displayed for the operator to use in taking manual action. See IEEE Std 497-2002 for additional information.

WBN Unit 2 Analysis:

* Core Exit Thermocouple Temperature
* Reactor Coolant Saturation Margin
* Reactor Vessel Level

4.6. For those variables in 4.4 that have a spatial dependence (i.e., where the variable varies as a function of position in a particular region), the minimum number and locations of sensors required for protective purposes.

WBN Unit 2 Analysis:

The Core Exit Thermocouple variable has a spatial dependence. Technical Specifications require the minimum number and location of the CETs as two channels with a minimum of two thermocouples/channel in each core quadrant.

4.7. The range of transient and steady-state conditions of both motive and control power and the environment (for example voltage, frequency, radiation, temperature, humidity, pressure and vibration) during normal, abnormal, and accident circumstances throughout which the safety system shall perform.

WBN Unit 2 Analysis:

The Common Q PAMS hardware is located in either the MCR or the AIR. These areas are defined as mild environments. The table below summarizes the conditions. Where the values are different, information is provided for both the MCR and the AIR. Control power is provided by an uninterruptible power supply (UPS) in the 120 Vac vital distribution system.

| Parameter | Normal | Abnormal | Accident |
|---|---|---|---|
| Control Power Voltage | + 2% of nominal output (120 Vac rms) | 120 Vac +/- 15% rms | 60 to 195 V peak |
| Control Power Frequency | 60 +/- 0.5 Hz | + 0.2 Hz | NA |
| Control Power Harmonic distortion | 5% maximum | NA | NA |
| Temperature Range | MCR 75 to 80°F; AIR 64 to 90°F | 60 to 104°F | MCR 75 to 82°F; AIR 55 to 87°F |
| Relative Humidity | MCR 40 to 60%; AIR 40 to 70% | 20 to 90% | NA |
| Radiation Exposure | 40 year TID 350.4 Rad | NA | MCR 40 year TID 362.76 Rad; AIR 40 year TID 512.5 Rad |
| Operating Bases Earthquake (OBE) | NA | 0.09g for horizontal motion and 0.06g for vertical motion | NA |
| Design Bases Earthquake (DBE) | NA | NA | 3.0g horizontal and 2.0g vertical |

Electromagnetic susceptibility testing is performed as part of the Westinghouse qualification process as documented in WNA-00058-WBT, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report," Section 4.4, "Plant Specific Action Item 6.4."

TVA has committed to perform installed EMI/RFI surveys.

4.8. The conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems).

WBN Unit 2 Analysis:

The PAMS equipment itself is located in a mild environment area and is not susceptible to missiles or pipe breaks. The ventilation system in the MCR and AIR is safety-related.

The Common Q PAMS equipment is qualified to remain operable under the worst case operating conditions in the preceding response to 4.7. Analysis (TVA calculations EPMMCP071689 and EPMLCP072489) has shown that a loss of temperature or humidity control in the MCR or Auxiliary Instrument Room (AIR) will not result in conditions that exceed the Common Q PAMS hardware qualification. The PAMS is designed and installed as a Class 1E system and does not rely on any non-safety-related Structures, Systems and Components (SSCs) to remain operable.

The carbon dioxide (CO2) fire suppression piping, storage vessels, and other components are installed at elevations lower than the Main and Auxiliary Control Rooms to prevent rendering these rooms uninhabitable during any operating or accident condition.

The AIR is protected by the CO2 fire protection system.
The CO2 system is designed (or plant equipment protected) to assure an initiating failure such as a pipe break or a single inadvertent actuation of the system will not damage nuclear safety-related systems to the degree that the failure will:

* Prevent the functioning of both trains of safety-related plant features needed for safe shutdown or cause the release of radioactivity.
* Prevent the habitability of the Main Control Room due to toxic levels or depletion of oxygen by any gases.

The PAMS does not have any automatic control functions that are susceptible to operator error. If the operator were to misinterpret or misread the PAMS display, it could result in misoperation of other plant equipment used in response to an accident. However, TVA Design Criteria Document WB-DC-40-64, Revision 12, "Design Basis Events Design Criteria," Appendix A "Generic Operator Action Criteria" A.2.2 states:

"Safety-related operator actions or sequences of actions may be performed by an operator only where a single operator error of one manipulation does not result in exceeding design requirements for design basis events."

Operator error is possible in the entry of constants, alarm setpoints etc. used by the PAMS functions. This type of error is minimized by the system design which requires a verification step for changing parameters.
The CET and SMM functions have built-in diagnostic programs for testing the functions.

In addition, A.2.3 states:

"The number of safety-related operator actions or sequences of actions shall be minimized to the extent that the operator(s) has sufficient time to monitor the results of actions on the plant status and to perform required and optional operator actions. Preplanned safety-related operator actions required for mitigation of a design basis event are based on indications of post-accident monitoring (PAM) Type "A" variables. Optional and contingency safety-related operator actions may be initiated based on indications of PAM Type "B" and "C" variables. Definitions and identification of PAM variables are provided in the PAM design criteria WB-DC-30-7 (Reference A.5.1)."

As part of the design process, the Common Q PAMS displays (software and display locations) were subjected to Human Factors Reviews. The WBN Unit 2 AOIs and EOIs will be developed using the WBN Unit 1 procedures as a basis. The Unit 1 AOIs and EOIs were developed in accordance with the Westinghouse Standard Emergency Response Guidelines. In addition, the AOIs and EOIs are verified as part of ongoing control room operator training.

Based on the above requirements, the impact of operator error due to misinterpreting or misreading a PAMS indication is minimized and sufficient time is planned to allow the operator to identify the error and take corrective action.

4.9. The methods to be used to determine that the reliability of the safety system design is appropriate for each safety system design and any qualitative or quantitative reliability goals that may be imposed on the system design.

WBN Unit 2 Analysis:

Reliability goals for the PAMS were established as part of the procurement contract for the system and are included in the Contract Compliance Matrix (Section 12) in Westinghouse document WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report." The specific items are:

178. "The proposed system shall have a Mean Time Between Failure (MTBF) of greater than 40 years. A failure for this case is considered the loss of system ability to Monitor/Display. The Offerer shall provide MTBF data for the proposed system and the rationale behind it."

179. "The proposed system shall have a Mean Time To Repair (MTTR) of less than 2 hours. The Offerer shall provide MTTR data for the proposed system and the rationale behind it."

A reliability analysis of the PAMS was performed (WNA-AR-00189-WBT, Revision 0, "Post Accident Monitoring System Reliability Analysis") and approved by engineering. The Westinghouse analysis showed that the requested MTTR was not achievable. The Westinghouse calculated MTTR of 7.2 hours is acceptable.

Westinghouse calculated a system availability of 0.99639776. Assuming a probability of detection of 0.95 and surveillance interval of 17520 hours, this results in an estimated System MTBF of 14 years. This MTBF is acceptable.

Westinghouse performed a Failure Modes and Effects Analysis of the PAMS. This analysis is documented in WNA-AR-00180-WBT, Revision 0, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System," which was found to be acceptable and approved by engineering.

4.10. The critical points in time or the plant conditions, after the onset of a design basis event, including:

4.10.1. The point in time or plant conditions for which the protective actions of the safety system shall be initiated.

WBN Unit 2 Analysis:

The PAMS has no automatic protective or control functions. Safety related operator actions based on PAMS variables are specified in the AOIs and EOIs.

4.10.2. The point in time or plant conditions that define the proper completion of the safety function.

WBN Unit 2 Analysis:

The PAMS performs no automatic safety functions. Completion of manual safety functions is specified in the AOIs and EOIs.

4.10.3. The point in time or the plant conditions that require automatic control of protective actions.

WBN Unit 2 Analysis:

Not Applicable. The PAMS performs no automatic protective actions.

4.10.4. The point in time or the plant conditions that allow returning a safety system to normal.

WBN Unit 2 Analysis:

Not Applicable. The PAMS has no execute or control functions to be returned to normal.

4.11. The equipment protective provisions that prevent the safety systems from accomplishing their safety functions.

WBN Unit 2 Analysis:

Not Applicable. The PAMS safety function is not dependent on the availability of external protective equipment.

4.12. Any other special design basis that may be imposed on the system design (example, diversity, interlocks, regulatory agency criteria).

WBN Unit 2 Analysis:

Additional regulatory and industry standard criteria that the PAMS is required to meet and compliance with those criteria are included in the WBN Unit 2 FSAR, Table 7.1-1, "Watts Bar Nuclear Plant NRC Regulatory Guide Conformance."

Clause 5 "Safety System Criteria"

5. Safety System Criteria. The safety systems shall, with precision and reliability, maintain plant parameters within acceptable limits established for each design basis event.
The power, instrumentation, and control portions of each safety system shall be comprised of more than one safety group of which any one safety group can accomplish the safety function. (See Appendix A for an illustrative example.)

WBN Unit 2 Analysis:

The PAMS does not perform any automatic functions. Therefore, the first part of this requirement is not applicable. The PAMS complies with the requirements for more than one safety group. The PAMS consists of two fully independent and redundant trains either of which provides the necessary information for the operators to accomplish the required manual safety-related actions specified in the EOIs and AOIs.

5.1 Single-Failure Criterion. The safety systems shall perform all safety functions required for a design basis event in the presence of: (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions that cause or are caused by the design basis event requiring the safety functions. The single-failure criterion applies to the safety systems whether control is by automatic or manual means. IEEE Std 379-1988 provides guidance on the application of the single-failure criterion.

This criterion does not invoke coincidence (or multiple-channel) logic within a safety group; however, the application of coincidence logic may evolve from other criteria or considerations to maximize plant availability or reliability. An evaluation has been performed and documented in other standards to show that certain fluid system failures need not be considered in the application of this criterion.
The performanceof a probable assessment of the safety systems may be used to demonstrate thatcertain postulated failures need not be considered in the application of the criterion.A probable assessment is intended to eliminate consideration of events and failuresthat are not credible; it shall not be used in lieu of the single-failure criterion, IEEEStd 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.Page 14 of 41 Common Q PAMS Design Basis Conformance to theRequirements of IEEE 603-1991Revision 0Where reasonable indication exists that a design that meets the single-failurecriterion may not satisfy all the reliability requirements specified in 4.9 of the designbasis, a probable assessment of the safety system shall be performed. Theassessment shall not be limited to single failures. If the assessment shows that thedesign basis requirements are not met, design features shall be provided orcorrective modifications shall be made to ensure that the system meets the specifiedreliability requirements.WBN Unit 2 Analysis:The Common Q PAMS meets the single failure criterion as described in WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) LicensingTechnical Report," sections:* 4.10, "Plant Specific Action 6.10"* 5.3, "Response to Individual Criteria in DI&C-ISG-04," Criterion 12* 12, "TVA Contract Compliance Matrix," items 58, 223, 303 and 505.5.2 Completion of Protective Action. The safety systems shall be designed so that, onceinitiated automatically or manually, the intended sequence of protective actions of theexecute features shall continue until completion. Deliberate operator action shall berequired to return the safety systems to normal. This requirement shall not precludethe use of equipment protective devices identified in 4.11 of the design basis or theprovision for deliberate operator interventions. Seal-in of individual channels is notrequired.WBN Unit 2 Analysis:Not applicable. 
The Common Q PAMS performs no automatic safety or protective functions.

5.3 Quality. Components and modules shall be of a quality that is consistent with minimum maintenance requirements and low failure rates. Safety system equipment shall be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed quality assurance program (ANSI/ASME NQA-1-1989).

WBN Unit 2 Analysis:
The Common Q PAMS was designed, manufactured and tested in accordance with the approved Westinghouse Electric Company LLC, Quality Assurance Program as documented in WNA-PQ-00220-WBT, Revision 1, "Watts Bar Unit 2 NSSS Completion I&C Projects Project Quality Plan."

5.4 Equipment Qualification. Safety system equipment shall be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting, on a continuing basis, the performance requirements as specified in the design basis. Qualification of Class 1E equipment shall be in accordance with the requirements of IEEE Std 323-1983 and IEEE Std 627-1980.

WBN Unit 2 Analysis:
The Common Q PAMS MTP and OM qualification is documented in:
* EQ-QR-68-WBT-P, Revision 0, "Qualification Summary Report for Post-Accident Monitoring System (PAMS)"
* CN-EQT-10-44-P, Revision 1, "Dynamic Similarity Analysis for the Watts Bar Unit 2 Post Accident Monitoring System (PAMS)"
* EQ-EV-62-WBT-P, Revision 1, "Comparison of Tested Conditions for the AI687 and AI688 Common Q Modules to the Watts Bar Unit 2 (WBT) Requirements"
* EQRL-171-P, Revision 1, "Environmental and Seismic Test Report Analog Input (AI)687 and AI688 Modules and Supporting Components for use in Common Qualified (Common Q) Post Accident Monitoring System (PAMS)"
* EQ-QR-64-GEN-P, Revision 0, "AI687 and AI688 for use in Common Q PAMS EMC Test Report and Installation Limitations"

5.5 System Integrity.
The safety systems shall be designed to accomplish their safety functions under the full range of applicable conditions enumerated in the design basis.

WBN Unit 2 Analysis:
The Common Q PAMS is qualified, as documented in the response to 5.4, to the full range of applicable conditions identified in 4.5.3 and 4.7.

5.6 Independence

5.6.1 Between Redundant Portions of a Safety System. Redundant portions of a safety system provided for a safety function shall be independent of and physically separated from each other to the degree necessary to retain the capability to accomplish safety function during and following any design basis event requiring that safety function.

WBN Unit 2 Analysis:
As shown in WNA-LI-00058-WBT, Revision 3, "Post Accident Monitoring System (PAMS) Licensing Technical Report," Figure 2.2-1, "Watts Bar Unit 2 PAMS Hardware Architecture" there is no interconnection between the two trains of the Common Q PAMS.

5.6.2 Between Safety Systems and Effects of Design Basis Event. Safety system equipment required to mitigate the consequences of a specific design basis event shall be independent of, and physically separated from, the effects of the design basis event to the degree necessary to retain the capability to meet the requirements of this standard. Equipment qualification in accordance with 5.4 is one method that can be used to meet this requirement.

WBN Unit 2 Analysis:
The Common Q PAMS MTP and OM equipment is located in a mild environment and qualified as stated in 5.4 to perform its safety function over the full range of accident conditions to which it is expected to operate as identified in 4.5.3 and 4.7.

5.6.3 Between Safety Systems and Other Systems.
Safety system design shall be such that credible failures in and consequential actions by other systems, as documented in 4.8 of the design basis, shall not prevent the safety systems from meeting the requirements of this standard.

5.6.3.1 Interconnected Equipment

(1) Classification: Equipment that is used for both safety and non-safety functions shall be classified as part of the safety systems. Isolation devices used to effect a safety system boundary shall be classified as part of the safety system.

WBN Unit 2 Analysis:
The interface between the safety-related Common Q PAMS and the non-safety-related Integrated Computer System (ICS) is the PC Node Box in the Maintenance and Test Panel. This equipment is part of the safety-related Common Q PAMS. The interface to the plant annunciator system is via an isolation relay in the MTP which is part of the safety-related Common Q PAMS.

(2) Isolation: No credible failure on the non-safety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design basis event requiring that safety function. A failure in an isolation device shall be evaluated in the same manner as a failure of other equipment in a safety system.

WBN Unit 2 Analysis:
The PC Node Box in the Maintenance and Test Panel is the qualified isolation device between the Common Q PAMS and the Integrated Computer System. The isolation function was tested during the Factory Acceptance Test as documented in WNA-TR-02426-WBT, Revision 1, "Post-Accident Monitoring System Data Storm Test Report."
A failure of the isolation relay interface to the plant annunciator does not impact operation of the Common Q PAMS.

5.6.3.2 Equipment in Proximity

(1) Separation: Equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor another Class 1E circuit, shall be physically separated from the safety system equipment to the degree necessary to retain the safety systems' capability to accomplish their safety functions in the event of the failure of non-safety equipment. Physical separation may be achieved by physical barriers or acceptable separation distance. The separation of Class 1E equipment shall be in accordance with the requirements of IEEE Std 384-1981.

WBN Unit 2 Analysis:
The Common Q PAMS equipment in the AIR is mounted in dedicated locked cabinets that provide physical separation. The installation of the Operators Modules in the main control boards meets the separation requirements of IEEE 384-1981. WBN Unit 2 conformance to IEEE 384 is limited to the internal panel equipment and wiring. WBN Unit 2 separation criteria for external cabling is in accordance with FSAR Sections 8.1.5.3, 8.3.1.4, 8.3.2.4 and 8.3.2.5.

(2) Barriers: Physical barriers used to effect a safety system boundary shall meet the requirements of 5.3, 5.4 and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.

WBN Unit 2 Analysis:
The physical barrier is the Common Q PAMS Maintenance and Test Panel (MTP) cabinet which is qualified to the requirements 5.3, 5.4 and 5.5 for the applicable conditions specified in 4.7 and 4.8 of the design basis.

5.6.3.3 Effects of a Single Random Failure.
Where a single random failure in a non-safety system can (1) result in a design basis event, and (2) also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure. See IEEE Std 379-1988 for the application of this requirement.

WBN Unit 2 Analysis:
The Common Q PAMS non-safety-related interfaces are with the ICS and plant annunciator. The ICS interface is protected by a non-safety-related data diode and the safety-related PAMS PC Node Box in the MTP. The safety related isolation function of the Common Q PAMS MTP PC Node Box was tested during the Factory Acceptance Test as documented in WNA-TR-02426-WBT, Revision 1, "Post-Accident Monitoring System Data Storm Test Report."

As previously described the plant annunciator interface is via a safety-related isolation relay and failure of the relay does not impact operation of the Common Q PAMS.

5.6.4 Detailed Criteria. IEEE Std 384-1981 provides detailed criteria for the independence of Class 1E equipment and circuits.

WBN Unit 2 Analysis:
WBN Unit 2 conformance to IEEE 384 is limited to the internal panel equipment and wiring. WBN Unit 2 separation criteria for external cabling is in accordance with FSAR Sections 8.1.5.3, 8.3.1.4, 8.3.2.4 and 8.3.2.5.

5.7 Capability for Test and Calibration. Capability for testing and calibration of safety system equipment shall be provided while retaining the capability of the safety systems to accomplish their safety functions. The capability for testing and calibration of safety system equipment shall be provided during power operation and shall duplicate, as closely as practicable, performance of the safety function. Testing of Class 1E systems shall be in accordance with the requirements of IEEE Std 338-1987.
Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. In this case:
(1) appropriate justification shall be provided (for example, demonstration that no practical design exists),
(2) acceptable reliability of equipment operation shall be otherwise demonstrated, and
(3) the capability shall be provided while the generating station is shut down.

WBN Unit 2 Analysis:
Testing of the CET and SMM functions of the Common Q PAMS is provided by built in test programs. Testing of the RVLIS functions is performed by loop calibration. To allow testing during operation, the RVLIS transmitters are mounted in normally accessible locations outside primary containment.

5.8 Information Displays

5.8.1 Displays for Manually Controlled Actions. The display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions shall be part of the safety systems and shall meet the requirements of IEEE Std 497-1981. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.

WBN Unit 2 Analysis:
The safety-related PAMS displays are the Operator's Modules in the Main Control Room. Human Factors reviews of the displays (hardware location and software) were performed to ensure unambiguous indications to the operator.

5.8.2 System Status Indication. Display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. This information shall include indication and identification of protective actions of the sense and command features and execute features.
The design shall minimize the possibility of ambiguous indications that could be confusing to the operator. The display instrumentation provided for safety system status indication need not be part of the safety systems.

WBN Unit 2 Analysis:
Common Q PAMS system status information is part of the Flat Panel Display System (FPDS) software. The system status displays are defined in WNA-SD-00239-WBT-P, Revision 4, "Software Requirements Specification for the Post Accident Monitoring System," sections 7.2.14 through 7.2.27. The FPDS software was subjected to a Human Factors review during display development to avoid the possibility of ambiguous indications that could confuse the operator.

5.8.3 Indication of Bypasses. If the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, continued indication of this fact for each affected safety group shall be provided in the control room.

5.8.3.1 This display instrumentation need not be part of the safety systems.

5.8.3.2 This indication shall be automatically actuated if the bypass or inoperative condition (a) is expected to occur more frequently than once a year, and (b) is expected to occur when the affected system is required to be operable.

5.8.3.3 The capability shall exist in the control room to manually activate this display indication.

WBN Unit 2 Analysis:
5.8.3 and all sub-clauses are not applicable. Common Q PAMS is an indication only system and does not perform any protective actions.

5.8.4 Location. Information displays shall be located accessible to the operator. Information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions.

WBN Unit 2 Analysis:
The Common Q PAMS displays are the Operator's Modules in the Main Control Room.
The displays are part of the PAMS safety system. A Human Factors review of the display locations was performed as part of the Control Room Design Review (CRDR) to ensure the displays were properly located in relation to the controls associated with the manually controlled protective actions. Operator training and staffing is tailored to ensure that actions based on PAMS indications are accomplished in the required response time.

5.9 Control of Access. The design shall permit the administrative control of access to safety system equipment. These administrative controls shall be supported by provisions within the safety systems, by provision in the generating station design, or by a combination thereof.

WBN Unit 2 Analysis:
The Common Q PAMS equipment is located within the WBN Unit 2 protected area. In addition, the MTP in the AIR is a locked cabinet. The keys to the MTP are controlled in accordance with WBN key control procedures.

To modify the software or to change constants etc. one of two keylock switches must be actuated. The Function Enable (FE) allows modification of constants, printing and other routine maintenance activities. The Software Load Enable (SLE) keyswitch allows modification or reloading of the system software. The MTP has both a FE and SLE keyswitch located behind the locked front panel. The keys to the FE and SLE keyswitches are different and are controlled in accordance with WBN key control procedures.

The Operator's Module (OM) does not have a SLE function. The OM FE keyswitch is not permanently installed. If the OM is required for maintenance, then the FE keyswitch can be installed on the PC Node Box via a pigtail to a port on the back of the box. Both the OM FE keyswitch and the key for the keyswitch are controlled in accordance with WBN key control procedures.

5.10 Repair.
The safety systems shall be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment.

WBN Unit 2 Analysis:
Faults in the Common Q PAMS actuate the system trouble alarm in the MCR. Adequate displays are included to allow timely recognition of a fault. The mean time to repair the Common Q PAMS is 7.2 hours as documented in WNA-AR-00189-WBT.

5.11 Identification. In order to provide assurance that the requirements given in this standard can be applied during the design, construction, maintenance, and operation of the plant, the following requirements shall be met:

(1) Safety system equipment shall be distinctly identified for each redundant portion of a safety system in accordance with the requirements of IEEE Std 384-1981 and IEEE Std 420-1982.

WBN Unit 2 Analysis:
Plant equipment is labeled in accordance with TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling." These procedures are based on the guidance of EPRI NP-6209, "Effective Plant Labeling," dated December 1988 and INPO Good Practice OP-208 (INPO 88-009), "System and Plant Labeling," dated June 1991. These procedures are in compliance with the requirements of IEEE 420-1982, Clause 4.9, "Identification" and IEEE 384-1981, Clause 6.1.2, "Identification."

Labeling of cables is in accordance with TVA General Specification G-38, Revision 20, "Installation, Modification and Maintenance of Insulated Cables Rated up to 15,000 Volts," section 13, "Identification." Color coding of cables, terminations and terminal strips is in accordance with TVA Standard Drawing SD-E 15.3.4, Revision 4, "Raceways CA & W IDENT Tags (Sequoyah NUC PLT & All Subsequent NUC Projects)" and TVA Procedure TI-209, Revision 2, "Plant Labeling."
These practices are in accordance with the requirements of IEEE 420-1982, Clause 4.9, "Identification" and IEEE 384-1981, Clause 6.1.2, "Identification."

(2) Components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification.

WBN Unit 2 Analysis:
This requirement is applicable to the Common Q PAMS MTPs. However, labeling is still required and performed in accordance with TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling."

(3) Identification of safety system equipment shall be distinguishable from any identifying markings placed on equipment for other purposes (for example, identification of fire protection equipment, phase identification of power cables).

WBN Unit 2 Analysis:
This requirement is addressed in TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling" which provide unique labeling requirements for plant that distinguishes safety-related from other specific hardware labeling requirements (i.e. fire protection, EOP, SBO, PAM etc.).

(4) Identification of safety system equipment and its divisional assignment shall not require frequent use of reference material.

WBN Unit 2 Analysis:
TVA procedures TI-209, Revision 2, "Plant Labeling" and TI-12.14, Revision 5, "Replacement and Upgrade of Plant Component Identification Tagging and Labeling" require color coding and train designation be included on safety related equipment labels.

(5) The associated documentation shall be distinctly identified in accordance with the requirements of IEEE Std 494-1974 (R1990) [8].

WBN Unit 2 Analysis:
Not required, IEEE Std 494-1974 (R1990) has been withdrawn.
TVA procedure NEDP-3, Revision 15, "Drawing Control" does not require the safety classification on the drawing.

5.12 Auxiliary Features

5.12.1 Auxiliary supporting features shall meet all requirements of this standard.

WBN Unit 2 Analysis:
The Common Q PAMS receives information from the Eagle 21 and Solid State Protection system. It sends information to the ICS and plant annunciator system.

The Eagle 21 and Solid State Protection systems meet the requirements of IEEE 603-1991 and are necessary for the SMM and RVLIS functions. The ICS and plant annunciator system are not required for Common Q PAMS to perform its design function and do not meet the requirements of IEEE 603-1991.

5.12.2 Other auxiliary features that (1) may function that is not required for the safety systems to accomplish their safety function and (2) are part of the safety systems by association (that is, not isolated from the safety system) shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. Examples of these other auxiliary features are shown in Fig 3 and an illustration of the application of this criteria is contained in Appendix A.

WBN Unit 2 Analysis:
No other auxiliary features besides those identified in 5.12.1 are required for the Common Q PAMS to perform its design function.

5.13 Multi-Unit Stations. The sharing of structures, systems, and components between units at multi-unit generating stations is permissible provided that the ability to simultaneously perform required safety functions in all units is not impaired. Guidance on the sharing of electrical power systems between units is contained in IEEE Std 308-1980.
Guidance on the application of the single failure criterion to shared systems is contained in IEEE Std 379-1988.

WBN Unit 2 Analysis:
The Common Q PAMS hardware is located in the shared WBN MCR and the shared AIR structures. As part of this design, the Common Q PAMS MCR displays are located on Unit 2 specific control boards such that there is no interference between the units. The Common Q PAMS display in the AIR is part of the qualified isolation device and as such performs no safety function. There is no sharing of components between the Unit 1 ICCM-86 system and the Common Q PAMS. Safety related power distribution is in accordance with the WBN design basis.

5.14 Human Factors Considerations. Human factors shall be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operator(s) and maintainer(s) can be successfully accomplished to meet the safety system design goals in accordance with IEEE Std 1023-1988.

WBN Unit 2 Analysis:
Both the Common Q PAMS displays and controls as well as the location of the control room displays in relation to the equipment being controlled were subjected to Human Factors reviews as part of the design change process associated with the Common Q PAMS modification [Engineering Design Change Request (EDCR) 52351] and the WBN Unit 2 Control Room Design Review.

5.15 Reliability. For those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved.
IEEE Std 352-1987 and IEEE Std 577-1976 provide guidance for reliability analysis.

WBN Unit 2 Analysis:
A reliability analysis of the PAMS was performed (WNA-AR-00189-WBT, Revision 0, "Post Accident Monitoring System Reliability Analysis") and approved by engineering. The Westinghouse analysis showed that the requested MTTR was not achievable. The Westinghouse calculated MTTR of 7.2 hours is acceptable. Westinghouse calculated a system availability of 0.99639776. Assuming a probability of detection of 0.95 and surveillance interval of 17520 hours, this results in an estimated System MTBF of 14 years. This MTBF is acceptable.

Clause 6 "Sense and Command Features-Functional and Design Requirements"

6. Sense and Command Features-Functional and Design Requirements

In addition to the functional and design requirements in Section 5, the following requirements shall apply to the sense and command features:

6.1 Automatic Control. Means shall be provided to automatically initiate and control all protective actions except as justified in 4.5. The safety system design shall be such that the operator is not required to take any action prior to the time and plant conditions specified in 4.5 following the onset of each design basis event. At the option of the safety system designer, means may be provided to automatically initiate and control those protective actions of 4.5.

WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS performs no automatic protective actions.

6.2 Manual Control

6.2.1 Means shall be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. The means provided shall minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment consistent with the constraints of 5.6.1.

WBN Unit 2 Analysis:
Not applicable.
The Common Q PAMS is an indication only system and performs no automatic actions.

6.2.2 Means shall be provided in the control room to implement manual initiation and control of the protective actions identified in 4.5 that have not been selected for automatic control under 6.1. The displays provided for these actions shall meet the requirements of 5.8.1.

WBN Unit 2 Analysis:
The PAMS displays are part of the Operator's Modules in the MCR. The displays are part of the Common Q PAMS safety system. A Human Factors review of the screens was performed as part of EDCR 52351 to minimize the possibility of ambiguous indications that could be confusing to the operator. Controls to perform the manual protective actions based on the PAMS displays are provided in the control room. A human factors review of the PAMS display locations and the system controls was performed as part of the Control Room Design Review process.

Operator training and staffing is tailored to ensure that actions based on PAMS indications are accomplished in the required response time.

6.2.3 Means shall be provided to implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in 4.10. The information provided to the operators, the actions required of these operators, and the quantity and location of associated displays and controls shall be appropriate for the time period within which the actions shall be accomplished and the number of available qualified operators. Such displays and controls shall be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action.

WBN Unit 2 Analysis:
The Common Q PAMS performs no automatic protective action.
Manual actions are taken based on the Common Q PAMS displays for CETs, SMM and RVLIS. The Common Q PAMS screens and location of the Common Q PAMS displays in the MCR were subjected to Human Factors Reviews as part of EDCR 52351 and CRDR. The analysis of the information provided to the operators, the actions required of these operators, response time, and the quantity and location of associated displays and controls was analyzed as part of the Westinghouse Standard Emergency Response Guidelines.

6.3 Interaction Between the Sense and Command Features and Other Systems

6.3.1 Where a single credible event, including all direct and consequential results of that event, can cause a non-safety system action that results in a condition requiring protective action and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, one of the following requirements shall be met:

(1) Alternate channels not subject to failure resulting from the same single event shall be provided to limit the consequences of this event to a value specified by the design basis. Alternate channels shall be selected from the following:
(a) Channels that sense a set of variables different from the principal channels.
(b) Channels that use equipment different from that of the principal channels to sense the same variable.
(c) Channels that sense a set of variables different from those of the principal channels using equipment different from that of the principal channels.
Both the principal and alternate channels shall be part of the sense and command features.

(2) Equipment not subject to failure caused by the same single credible event shall be provided to detect the event and limit the consequences to a value specified by the design bases.
Such equipment is considered a part of the safety system.

See Fig 5 for a decision chart for applying the requirements of this section.

WBN Unit 2 Analysis:
The Common Q PAMS meets criteria 2. The PC Node Box in the MTP is part of the Common Q PAMS system and is the qualified isolation device between the Common Q PAMS and the ICS. The safety related isolation function of the Common Q PAMS MTP PC Node Box was tested during the Factory Acceptance Test as documented in WNA-TR-02426-WBT, Revision 1, "Post-Accident Monitoring System Data Storm Test Report."

6.3.2 Provisions shall be included so that the requirements in 6.3.1 can be met in conjunction with the requirements of 6.7 if a channel is in maintenance bypass. These provisions include reducing the required coincidence, defeating the non-safety system signals taken from the redundant channels, or initiating a protective action from the bypassed channel.

WBN Unit 2 Analysis:
Each train has its own PC Node Box in the MTP that provides isolation of the train from the non-safety-related ICS. Each MTP PC Node Box provides the necessary isolation for the entire train.

6.4 Derivation of System Inputs. To the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis.

WBN Unit 2 Analysis:
For RVLIS, Reactor Coolant Pump (RCP) status is obtained from a contact in the Solid State Protection System (SSPS).
Other sense requirements are obtained directly from hardware specific to the RVLIS function.

For CETs, the sense feature is direct from the thermocouple to the Common Q PAMS MTP.

For SMM, Reactor Coolant temperature and pressure are obtained via analog outputs from the Eagle 21 system and CET temperature is obtained directly from the CETs.

The Common Q PAMS has no command features.

6.5 Capability for Testing and Calibration

6.5.1 Means shall be provided for checking, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. This may be accomplished in various ways; for example:
(1) by perturbing the monitored variable,
(2) within the constraints of 6.6, by introducing and varying, as appropriate, a substitute input to the sensor of the same nature as the measured variable, or
(3) by cross-checking between channels that bear a known relationship to each other and that have readouts available.

WBN Unit 2 Analysis:
SMM - Channel cross checking is available by monitoring RCS pressure and temperature from the Eagle 21 channels and performing manual calculations and by comparing the SMM output value between the two PAMS trains. The internal PAMS SMM function can be checked using the built in test function. The SMM function can be checked against the ICS SMM function.

CETs - The 58 CETs (29 per PAMS train) outputs can be compared by comparing the individual channels against adjacent locations. The internal PAMS CET function can be checked using the built in test function.

RVLIS - The RVLIS transmitters are outside primary containment in accessible locations which allows loop testing of the individual RVLIS loops during reactor operation.
The RVLIS function can be checked against the other PAMS train.

6.5.2 One of the following means shall be provided for assuring the operational availability of each sense and command feature required during the post-accident period:
(1) Checking the operational availability of sensors by use of the methods described in 6.5.1.
(2) Specifying equipment that is stable and retains its calibration during the post-accident time period.

WBN Unit 2 Analysis:
The RVLIS sensors, Eagle 21 sensors and hardware and the CETs are all procured safety related and qualified to perform and retain their calibration in the post accident environments in which they are installed. The PAMS hardware is installed in the MCR and AIR and is qualified to remain operational in the post accident environments expected in the installed locations.

6.6 Operating Bypasses. Whenever the applicable permissive conditions are not met, a safety system shall automatically prevent the activation of an operating bypass or initiate the appropriate safety function(s). If plant conditions change so that an activated operating bypass is no longer permissible, the safety system shall automatically accomplish one of the following actions:
(1) Remove the appropriate active operating bypass(es).
(2) Restore plant conditions so that permissive conditions once again exist.
(3) Initiate the appropriate safety function(s).

WBN Unit 2 Analysis:
Not applicable. The Common Q PAMS does have automatic safety functions to bypass.

6.7 Maintenance Bypass. Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass.
During such operation, the sense and command features shall continue to meet the requirements of 5.1 and 6.3.

EXCEPTION One-out-of-two portions of the sense and command features are not required to meet 5.1 and 6.3 when one portion is rendered inoperable, provided that acceptable reliability of equipment operation is otherwise demonstrated (that is, that the period allowed for removal from service for maintenance bypass is sufficiently short to have no significantly detrimental effect on overall sense and command features availability).

WBN Unit 2 Analysis:

Not applicable. The Common Q PAMS does have automatic safety functions to bypass.

6.8 Setpoints

6.8.1 The allowance for uncertainties between the process analytical limit documented in Section 4.4 and the device setpoint shall be determined using a documented methodology. Refer to ISA S67.040-1987.

WBN Unit 2 Analysis:

The Common Q PAMS is an indication only system and performs no automatic actions therefore there are no setpoints associated with the PAMS hardware. Setpoints for manual actions are documented in TVA calculations that are performed in accordance with the approved TVA setpoint methodology which include allowances for uncertainties.

6.8.2 Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design shall provide positive means of ensuring that the more restrictive setpoint is used when required. The devices used to prevent improper use of less restrictive setpoints shall be part of the sense and command features.

WBN Unit 2 Analysis:

The Common Q PAMS is an indication only system and performs no automatic actions therefore there are no devices used to prevent improper use of less restrictive setpoints. If multiple setpoints for manual actions are required they are documented in the EOI or AOI at the applicable point.
Since these are "Continuous Use" procedures, including the appropriate setpoint in the procedure step is the method used to prevent improper use of less restrictive setpoints.

IEEE 603 Clauses 7 and 8

WBN Unit 2 Analysis:

Not applicable per NRC reviewer's comments to SSER item 94.

References:

1. IEEE 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations"
2. Regulatory Guide 1.97, Revision 2, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident"
3. WBN Unit 2 FSAR, Table 7.1-1
4. WBN Unit 2 FSAR, Table 7.5-2
5. WBN Unit 2 FSAR Sections 8.1.5.3, 8.3.1.4, 8.3.2.4 and 8.3.2.5
6. Watts Bar Unit 2 FSAR, Chapter 15
7. TVA Calculation WBNOSG4047, Revision 4, "PAM Type "A" Variables Determination"
8. TVA Calculation EPMMCP071689, Revision 21, "Cooling/Heating Load & Equipment/Component Performance Analysis for the Control Building Electrical Board Room Areas (EL. 692.0 & 708.0)"
9. TVA Calculation EPMLCP072489, Revision 15, "Cooling and Heating Load Analysis, Main Control Room HVAC"
10. TVA Calculation WBNAPS3127, Revision 0, "EQ Dose in the Control Building"
11. TVA Calculation WBNAPS4004, Revision 27, "Summary of Mild Environment Conditions for Watts Bar Nuclear Plant"
12. TVA Design Criteria Document WB-DC-30-7, Revision 24, "Post Accident Monitoring Instrumentation"
13. TVA Design Criteria Document WB-DC-30-20, Revision 4, "Control Panels"
14. TVA Design Criteria Document WB-DC-30-23, Revision 2, "Human Factors"
15. TVA Design Criteria Document WB-DC-30-27, Revision 33, "AC and DC Control Power Systems - (Unit 1 / Unit 2)"
16. TVA Design Criteria Document WB-DC-30-32, Revision 3, "Design Criteria for Grounding"
17. TVA Design Criteria Document WB-DC-30-4, Revision 23, "Separation / Isolation"
18. TVA Design Criteria Document WB-DC-40-31.2, Revision 13, "Seismic Qualification of Category I Fluid System Components and Electrical or Mechanical Equipment"
19. TVA Design Criteria Document WB-DC-40-42, Revision 7, "Environmental Design"
20. TVA Design Criteria Document WB-DC-40-64, Revision 12, "Design Basis Events Design Criteria"
21. TVA System Description N3-30CB-4002, Revision 16, "Control Building Heating, Ventilating, Air Conditioning, and Air Cleanup System"
22. TVA System Description N3-39-4002, Revision 10, "CO2 Storage, Fire Protection, And Purging"
23. TVA Drawing 2-47E235-16, Revision 0, "Environmental Data Environment - Mild EL 755.0"
24. TVA Drawing 2-47E235-17, Revision 0, "Environmental Data Environment - Mild EL 708.0"
25. Westinghouse document WNA-AR-00189-WBT-P, Revision 0, "Post Accident Monitoring System Reliability Analysis"
26. Westinghouse document WNA-LI-00058-WBT-P, Revision 3, "Post-Accident Monitoring System (PAMS) Licensing Technical Report"
27. Westinghouse document WNA-AR-00180-WBT-P, Revision 0, "Failure Modes and Effects Analysis (FMEA) for the Post Accident Monitoring System"
28. Westinghouse document WNA-DS-01617-WBT-P, Revision 4, "Post Accident Monitoring System - System Requirements Specification"
29. TVA Procedure AOI-2, Revision 38, "Malfunction of Reactor Control System"
30. TVA Procedure AOI-3, Revision 29, "Malfunction of Reactor Makeup Control"
31. TVA Procedure AOI-6, Revision 34, "Small Reactor Coolant System Leak"
32. TVA Procedure AOI-16, Revision 33, "Loss of Normal Feedwater"
33. TVA Procedure AOI-17, Revision 49, "Turbine Trip"
34. TVA Procedure AOI-18, Revision 23, "Malfunction of Pressurizer Pressure Control System"
35. TVA Procedure AOI-20, Revision 32, "Malfunction of Pressurizer Level Control System"
36. TVA Procedure AOI-24, Revision 29, "RCP Malfunctions During Pump Operation"
37. TVA Procedure AOI-29, Revision 21, "Dropped or Damaged Fuel or Refueling Cavity Seal Failure"
38. TVA Procedure AOI-31, Revision 23, "Abnormal Release of Radioactive Material"
39. TVA Procedure AOI-33, Revision 34, "Steam Generator Tube Leak"
40. TVA Procedure E-0, Revision 32, "Reactor Trip or Safety Injection"
41. TVA Procedure E-1, Revision 16, "Loss of Reactor or Secondary Coolant"
42. TVA Procedure E-2, Revision 12, "Faulted Steam Generator Isolation"
43. TVA Procedure E-3, Revision 23, "Steam Generator Tube Rupture"
44. TVA Procedure ECA-0.0, Revision 22, "Loss of Shutdown Power"
45. TVA Procedure ECA-0.1, Revision 11, "Recovery From Loss of Shutdown Power Without SI Required"
46. TVA Procedure ECA-0.2, Revision 12, "Recovery From Loss of Shutdown Power With SI Required"
47. TVA Procedure ECA-1.1, Revision 12, "Loss of RHR Sump Recirculation"
48. TVA Procedure ECA-1.2, Revision 5, "LOCA Outside Containment"
49. TVA Procedure ECA-2.1, Revision 12, "Uncontrolled Depressurization of All Steam Generators"
50. TVA Procedure ECA-3.1, Revision 12, "SGTR and LOCA - Subcooled Recovery"
51. TVA Procedure ECA-3.2, Revision 11, "SGTR and LOCA - Saturated Recovery"
52. TVA Procedure ECA-3.3, Revision 11, "SGTR Without PZR Pressure Control"
53. TVA Procedure ES-0.0, Revision 3, "Rediagnosis"
54. TVA Procedure ES-0.1, Revision 24, "Reactor Trip Response"
55. TVA Procedure ES-0.2, Revision 21, "Natural Circulation Cooldown"
56. TVA Procedure ES-0.3, Revision 11, "Natural Circulation Cooldown With Steam Void In Vessel (With RVLIS)"
57. TVA Procedure ES-0.4, Revision 7, "Natural Circulation Cooldown With Steam Void In Vessel (Without RVLIS)"
58. TVA Procedure ES-1.1, Revision 17, "SI Termination"
59. TVA Procedure ES-1.2, Revision 15, "Post LOCA Cooldown And Depressurization"
60. TVA Procedure ES-1.3, Revision 18, "Transfer To Containment Sump"
61. TVA Procedure ES-1.4, Revision 11, "Transfer To Hot Leg Recirculation"
62. TVA Procedure ES-3.1, Revision 14, "Post-SGTR Cooldown Using Backfill"
63. TVA Procedure ES-3.2, Revision 16, "Post-SGTR Cooldown Using Blowdown"
64. TVA Procedure ES-3.3, Revision 15, "Post-SGTR Cooldown Using Steam Dump"
65. TVA Procedure FR-0, Revision 14, "Status Trees"
66. TVA Procedure FR-C.1, Revision 16, "Inadequate Core Cooling"
67. TVA Procedure FR-C.2, Revision 12, "Degraded Core Cooling"
68. TVA Procedure FR-C.3, Revision 9, "Saturated Core Cooling"
69. TVA Procedure FR-H.1, Revision 18, "Loss of Secondary Heat Sink"
70. TVA Procedure FR-H.2, Revision 6, "Steam Generator Overpressure"
71. TVA Procedure FR-H.3, Revision 7, "Steam Generator High Level"
72. TVA Procedure FR-H.4, Revision 7, "Loss of Normal Steam Release Capabilities"
73. TVA Procedure FR-H.5, Revision 5, "Steam Generator Low Level"
74. TVA Procedure FR-I.1, Revision 11, "High Pressurizer Level"
75. TVA Procedure FR-I.2, Revision 10, "Low Pressurizer Level"
76. TVA Procedure FR-I.3, Revision 22, "Voids In Reactor Vessel"
77. TVA Procedure FR-P.1, Revision 15, "Pressurized Thermal Shock"
78. TVA Procedure FR-P.2, Revision 6, "Cold Overpressure Condition"
79. TVA Procedure FR-S.1, Revision 20, "Nuclear Power Generation/ATWS"
80. TVA Procedure FR-S.2, Revision 7, "Loss of Core Shutdown"
81. TVA Procedure FR-Z.1, Revision 11, "High Containment Pressure"
82. TVA Procedure FR-Z.2, Revision 7, "Containment Flooding"
83. TVA Procedure FR-Z.3, Revision 7, "High Containment Radiation"

Appendices

1. EOI/AOI Evaluation
2. FSAR Chapter 15 Event to EOI/AOI Cross Reference

Appendix 1
EOI and AOI Common Q PAMS Variable Review
February 7, 2012

| Procedure # | Title | Chapter 15 | Incore TIC | SMM | RVLIS | Notes |
|---|---|---|---|---|---|---|
| AOI-2 | Malfunction of Reactor Control System | 15.2.1 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From A Subcritical Condition; 15.2.2 Uncontrolled Rod Cluster Control Assembly Bank Withdrawal At Power; 15.2.3 Rod Cluster Control Assembly Misalignment; 15.3.6 Single Rod Cluster Control Assembly Withdrawal At Full Power | Y | N | N | Incore - Used to monitor power distribution no direct operator action. |
| AOI-3 | Malfunction of Reactor Makeup Control | 15.2.4 Uncontrolled Boron Dilution | N | N | N | |
| AOI-6 | Small Reactor Coolant System Leak | 15.3.1 Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks In Large Pipes Which Actuate the Emergency Core Cooling System | N | N | N | |
| AOI-16 | Loss of Normal Feedwater | 15.2.8 Loss of Normal Feedwater | N | N | N | |
| AOI-17 | Turbine Trip | 15.2.7 Loss of External Electrical Load and/or Turbine Trip | N | N | N | |
| AOI-18 | Malfunction of Pressurizer Pressure Control System | 15.2.12 Accidental Depressurization of the Reactor Coolant System | N | N | N | |
| AOI-20 | Malfunction of Pressurizer Level Control System | 15.2.15 Chemical and Volume Control System Malfunction During Power Operation | N | N | N | |
| AOI-24 | RCP Malfunctions During Pump Operation | 15.2.5 Partial Loss of Forced Reactor Coolant Flow; 15.4.4 Single Reactor Coolant Pump Locked Rotor | | | | |
| AOI-29 | Dropped or Damaged Fuel or Refueling Cavity Seal Failure | 15.4.5 Fuel Handling Accident | N | N | N | |
| AOI-31 | Abnormal Release of Radioactive Material | 15.3.5 Waste Gas Decay Tank Rupture | N | N | N | |
| AOI-33 | Steam Generator Tube Leak | 15.4.3 Steam Generator Tube Rupture | Y | Y | N | Incore - Used to determine cooldown temperature to stabilize plant conditions and monitored to control cooldown and maintain plant temperature. Control depressurization to maintain subcooling; Subcooling - control depressurization |
| AOI-35 | Loss of Offsite Power | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | N | N | N | |
| AOI-38 | Main Steam or Feedwater Line Leak | 15.3.2 Minor Secondary System Pipe Breaks | N | N | N | |
| E-0 | Reactor Trip or Safety Injection | | N | Y | N | Subcooling - Monitor plant conditions |
| E-1 | Loss of Reactor or Secondary Coolant | 15.3.1 Loss of Reactor Coolant From Small Ruptured Pipes Or From Cracks In Large Pipes Which Actuate The Emergency Core Cooling System; 15.3.2 Minor Secondary System Pipe Breaks; 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident); 15.4.2 Major Secondary System Pipe Rupture; 15.4.6 Rupture of A Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) | N | Y | Y | Subcooling - Check Safety Injection (SI) Reset Criteria, SI re-initiation criteria; RVLIS - Consult TSC for guidance |
| E-2 | Faulted Steam Generator Isolation | 15.4.3 Steam Generator Tube Rupture | Y | Y | N | Subcooling & Incore - Event Identification & Transition to other procedure |
| E-3 | Steam Generator Tube Rupture | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Event Identification & Transition to other procedure, Maintain >65°F during depressurization, Stop depressurization if <65°F, SI Termination criteria transition to ECA-3.1, Manual restart of Emergency Core Cooling System (ECCS) pumps following SI termination if <65°F due to loss of coolant condition and transition to ECA-3.1, CLA isolation criteria <65°F transition to ECA-3.1, Control RCS pressure maintain >65°F, Maintain >101°F prior to starting RCPs, Monitor natural circulation, dump steam to maintain cooldown; Incore - Stop RCS Cooldown, Maintain target temperature, Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs. |
| ECA-0.0 | Loss of Shutdown Power | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | Y | Y | N | Subcooling - Determine recovery instruction; Incore - Transition to SAMG |
| ECA-0.1 | Recovery From Loss of Shutdown Power Without SI Required | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | Y | Y | N | Subcooling - transition to recovery procedure, control PZR heaters based on indication, monitor natural circulation increase steam dump to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown |
| ECA-0.2 | Recovery From Loss of Shutdown Power With SI Required | 15.2.9 Coincident Loss of Onsite and External (Offsite) AC Power to the Station - Loss of Offsite Power to the Station Auxiliaries | N | N | N | |
| ECA-1.1 | Loss of RHR Sump Recirculation | NA | NA | NA | NA | Beyond design basis event recovery |
| ECA-1.2 | LOCA Outside Containment | NA | NA | NA | NA | Excluded by FSAR Chapter 15 DBE scope |
| ECA-2.1 | Uncontrolled Depressurization of All Steam Generators | | Y | Y | Y | Subcooling - SI Actuation Criteria, Natural Circulation cooling control, Align BIT injection path, initiate boration, SI re-initiation criteria; Incore - Natural Circulation cooling control; RVLIS - Control PZR Level |
| ECA-3.1 | SGTR and LOCA - Subcooled Recovery | 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident); 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Start RHR Pump, Natural Circulation cooling control, Start RHR pump, stop RCS depressurization, Close CLA isolation valves, SI re-initiation criteria; Incore - Natural Circulation Criteria; RVLIS - Control PZR Level |
| ECA-3.2 | SGTR and LOCA - Saturated Recovery | 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident); 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Start RHR Pump, Natural Circulation cooling control, Close CLA isolation valves; Incore - Natural Circulation cooling control, dump steam control, start ECCS pumps; RVLIS - SI re-initiation criteria, Control PZR Level, manually start ECCS pumps |
| ECA-3.3 | SGTR Without PZR Pressure Control | 15.4.3 Steam Generator Tube Rupture | N | N | Y | RVLIS - Branch to ECA-3.1, Manually start ECCS pumps as necessary (after manual stop), Close CLA isolation valves, Determine if RHR should be placed in service, SI re-initiation criteria |
| ES-0.0 | Rediagnosis | | N | N | N | |
| ES-0.1 | Reactor Trip Response | | Y | Y | N | Subcooling - SI Actuation Criteria, Natural Circulation Criteria; Incore - Natural Circulation Criteria |
| ES-0.2 | Natural Circulation Cooldown | | Y | Y | Y | Subcooling - Control RCS depressurization, SI re-initiation criteria; Incore - RCS depressurization; RVLIS - RCS pressure control |
| ES-0.3 | Natural Circulation Cooldown With Steam Void In Vessel (With RVLIS) | | Y | Y | Y | Subcooling - Steam dump control, Control RCS depressurization, SI re-initiation criteria; Incore - RCS depressurization; RVLIS - PZR level control, RCS pressure control |
| ES-0.4 | Natural Circulation Cooldown With Steam Void In Vessel (Without RVLIS) | | Y | Y | N | Subcooling - Steam dump control, SI re-initiation criteria; Incore - RCS depressurization |
| ES-1.1 | SI Termination | | Y | Y | Y | Subcooling - Manual restart of ECCS pumps following SI termination if <65°F due to loss of coolant condition and transition to ECA-3.1, Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-1.2 | Post LOCA Cooldown And Depressurization | 15.4.1 Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident) | Y | Y | Y | Subcooling - RCS pressure control, Start of RHR pump, RCS depressurization control, Manual restart of charging pump or SI pumps, Monitor natural circulation, dump steam to maintain cooldown, SI re-initiation criteria; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-1.3 | Transfer To Containment Sump | | N | N | N | |
| ES-1.4 | Transfer To Hot Leg Recirculation | | N | N | N | |
| ES-3.1 | Post-SGTR Cooldown Using Backfill | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-3.2 | Post-SGTR Cooldown Using Blowdown | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| ES-3.3 | Post-SGTR Cooldown Using Steam Dump | 15.4.3 Steam Generator Tube Rupture | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Increase pressurizer level to accommodate void collapse in the head prior to starting RCPs, Increase RCS Subcooling, Control PZR heaters |
| FR-0 | Status Trees | | Y | Y | Y | All - Core Cooling Status Tree FR-C, Attachment 1, page 2 of 8 directs to appropriate recovery instruction; RVLIS - Inventory Status Tree FR-I, Attachment 1, page 8 of 8 directs to appropriate recovery instruction. |
| FR-C.1 | Inadequate Core Cooling | | Y | Y | Y | All - Section 2.1 Symptoms and Entry Conditions; Incore - Determine if H2 recombiners should be placed in service, Depressurize S/Gs, Determine if RCPs should be started, Branch to SACRG-1, Severe Accident Control Room Guideline Initial Response; RVLIS - Monitor RWST Level, Depressurize S/Gs |
| FR-C.2 | Degraded Core Cooling | | Y | Y | Y | All - Section 2.1 Symptoms and Entry Conditions; Incore - Monitor RWST Level, If CLAs not injected, then inject; RVLIS - Monitor RWST Level, Determine if RCP should be stopped, If CLAs not injected, then inject, Depressurize S/Gs |
| FR-C.3 | Saturated Core Cooling | | Y | Y | Y | All - Section 2.1 Symptoms and Entry Conditions |
| FR-H.1 | Loss of Secondary Heat Sink | | Y | Y | Y | Subcooling - Transition to LOCA procedure; Incore - Establish condensate flow to a S/G, Establish RCS bleed and feed; RVLIS - Transition to LOCA procedure |
| FR-H.2 | Steam Generator Overpressure | | N | N | N | |
| FR-H.3 | Steam Generator High Level | | N | N | N | |
| FR-H.4 | Loss of Normal Steam Release Capabilities | | N | N | N | |
| FR-H.5 | Steam Generator Low Level | | N | N | N | |
| FR-I.1 | High Pressurizer Level | | N | N | N | |
| FR-I.2 | Low Pressurizer Level | | N | N | N | |
| FR-I.3 | Voids In Reactor Vessel | | Y | Y | Y | Subcooling - Monitor natural circulation, dump steam to maintain cooldown, control steam flow to maintain stable RCS conditions, RX vessel vent termination criteria; Incore - Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Start of CRDM, upper and lower containment cooler fans, Align CRDM dampers to the shroud, RX vessel vent termination criteria, Increase RCS pressure |
| FR-P.1 | Pressurized Thermal Shock | | N | Y | Y | Subcooling - Manual restart of RCPs, SI Reset, Manual restart of ECCS pumps following SI termination if <65°F, RCS depressurization control, Monitor natural circulation, dump steam to maintain cooldown; RVLIS - Manual restart of RCPs, SI Reset |
| FR-P.2 | Cold Overpressure Condition | | N | N | N | |
| FR-S.1 | Nuclear Power Generation/ATWS | | Y | N | N | Incore - Transition to SAMG |
| FR-S.2 | Loss of Core Shutdown | | N | N | N | |
| FR-Z.1 | High Containment Pressure | | N | N | N | |
| FR-Z.2 | Containment Flooding | | N | N | N | |
| FR-Z.3 | High Containment Radiation | | N | N | N | |

Appendix 2
Chapter 15 Cross Reference to Abnormal and Emergency Operating Instructions
February 7, 2012

| Section | Title | Procedure | Title |
|---|---|---|---|
| 15.2.1 | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal From A Subcritical Condition | AOI-2 | Malfunction of Reactor Control System |
| 15.2.2 | Uncontrolled Rod Cluster Control Assembly Bank Withdrawal At Power | AOI-2 | Malfunction of Reactor Control System |
| 15.2.3 | Rod Cluster Control Assembly Misalignment | AOI-2 | Malfunction of Reactor Control System |
| 15.2.4 | Uncontrolled Boron Dilution | AOI-3 | Malfunction of Reactor Makeup Control |
| 15.2.5 | Partial Loss of Forced Reactor Coolant Flow | AOI-24 | RCP Malfunctions During Pump Operation |
| 15.2.6 | Startup of An Inactive Reactor Coolant Loop | | |
| 15.2.7 | Loss of External Electrical Load and/or Turbine Trip | AOI-17 | Turbine Trip |
| 15.2.8 | Loss of Normal Feedwater | AOI-16 | Loss of Normal Feedwater |
| 15.2.9 | Coincident Loss of Onsite and External (Offsite) AC Power To The Station - Loss of Offsite Power To The Station Auxiliaries | AOI-35 | Loss of Offsite Power |
| | | ECA-0.0 | Loss of Shutdown Power |
| | | ECA-0.1 | Recovery From Loss of Shutdown Power Without SI Required |
| | | ECA-0.2 | Recovery From Loss of Shutdown Power With SI Required |
| 15.2.10 | Excessive Heat Removal Due To Feedwater System Malfunctions | | |
| 15.2.11 | Excessive Load Increase Incident | | |
| 15.2.12 | Accidental Depressurization of The Reactor Coolant System | AOI-18 | Malfunction of Pressurizer Pressure Control System |
| 15.2.13 | Accidental Depressurization of The Main Steam System | | |
| 15.2.14 | Inadvertent Operation of Emergency Core Cooling System | | |
| 15.2.15 | Chemical And Volume Control System Malfunction During Power Operation | AOI-20 | Malfunction of Pressurizer Level Control System |
| 15.3.1 | Loss of Reactor Coolant From Small Ruptured Pipes or From Cracks In Large Pipes Which Actuate The Emergency Core Cooling System | AOI-6 | Small Reactor Coolant System Leak |
| | | E-1 | Loss of Reactor or Secondary Coolant |
| 15.3.2 | Minor Secondary System Pipe Breaks | E-1 | Loss of Reactor or Secondary Coolant |
| 15.3.3 | Inadvertent Loading of A Fuel Assembly Into An Improper Position | | |
| 15.3.4 | Complete Loss of Forced Reactor Coolant Flow | | |
| 15.3.5 | Waste Gas Decay Tank Rupture | AOI-31 | Abnormal Release of Radioactive Material |
| 15.3.6 | Single Rod Cluster Control Assembly Withdrawal At Full Power | AOI-2 | Malfunction of Reactor Control System |
| 15.4.1 | Major Reactor Coolant System Pipe Ruptures (Loss of Coolant Accident) | E-1 | Loss of Reactor or Secondary Coolant |
| | | ECA-3.1 | SGTR and LOCA - Subcooled Recovery |
| | | ECA-3.2 | SGTR and LOCA - Saturated Recovery |
| | | ES-1.2 | Post LOCA Cooldown And Depressurization |
| 15.4.2 | Major Secondary System Pipe Rupture | E-1 | Loss of Reactor or Secondary Coolant |
| 15.4.3 | Steam Generator Tube Rupture | AOI-33 | Steam Generator Tube Leak |
| | | E-2 | Faulted Steam Generator Isolation |
| | | E-3 | Steam Generator Tube Rupture |
| | | ECA-3.1 | SGTR and LOCA - Subcooled Recovery |
| | | ECA-3.2 | SGTR and LOCA - Saturated Recovery |
| | | ECA-3.3 | SGTR Without PZR Pressure Control |
| | | ES-3.1 | Post-SGTR Cooldown Using Backfill |
| | | ES-3.2 | Post-SGTR Cooldown Using Blowdown |
| | | ES-3.3 | Post-SGTR Cooldown Using Steam Dump |
| 15.4.4 | Single Reactor Coolant Pump Locked Rotor | AOI-24 | RCP Malfunctions During Pump Operation |
| 15.4.5 | Fuel Handling Accident | AOI-29 | Dropped or Damaged Fuel or Refueling Cavity Seal Failure |
| 15.4.6 | Rupture of A Control Rod Drive Mechanism Housing (Rod Cluster Control Assembly Ejection) | E-1 | Loss of Reactor or Secondary Coolant |