GNRO-2010/00040, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System


Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System
ML101790436
Person / Time
Site: Grand Gulf Entergy icon.png
Issue date: 06/03/2010
From: Krupa M
Entergy Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
GNRO-2010/00040, TAC ME2531


Text

Entergy Operations, Inc.
P. O. Box 756
Port Gibson, MS 39150

Michael A. Krupa
Director, Extended Power Uprate
Grand Gulf Nuclear Station
Tel. (601) 437-6684

Attachments 2, 3, 6, and 8 contain PROPRIETARY information.

GNRO-2010/00040
June 3, 2010

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

SUBJECT:

Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531)

Grand Gulf Nuclear Station, Unit 1 Docket No. 50-416 License No. NPF-29

REFERENCES:

1. Entergy Operations, Inc. letter to the NRC (GNRO-2009/00054), License Amendment Request - Power Range Neutron Monitoring System Upgrade, November 3, 2009 (ADAMS Accession No. ML093140463)

2. NRC letter to Entergy Operations, Inc. (GNRI-2010/00067), Grand Gulf Nuclear Station, Unit 1 - Request for Additional Information Re: Power Range Neutron Monitoring System (TAC No. ME2531), May 4, 2010 (ADAMS Accession No. ML101190125)

Dear Sir or Madam:

In Reference 1, Entergy Operations, Inc. (Entergy) submitted to the NRC a license amendment request (LAR), which proposes to revise the Grand Gulf Nuclear Station (GGNS) Technical Specifications (TS) to reflect the installation of the digital General Electric-Hitachi (GEH) Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitoring (PRNM) System.

In Reference 2, the NRC staff requested additional information needed to support their review and approval of Reference 1. Responses to the RAIs are provided in Attachment 1, with exceptions noted below.

On May 25, 2010, representatives from Entergy and GEH met with members of the NRC staff to discuss the Requests for Additional Information (RAIs). As a result of clarifying information presented by the staff in that meeting, Entergy is determining the scope and resources needed to answer RAI Nos. 1, 2, and 3. Entergy will provide a schedule to the NRC for responding to these RAIs by June 18, 2010. In addition, information requested in RAI Nos. 5, 7, and 8 will be provided on or before dates identified in Attachment 1. Entergy understands these RAI items will remain open until the information is provided to and accepted by the NRC.

GNRO-2010/00040 Page 2 of 3

Information supporting the responses in Attachment 1 is contained in Attachments 2 through 9. GEH considers information contained in Attachments 2, 3, 6, and 8 to be proprietary and, therefore, requests they be withheld from public disclosure in accordance with 10 CFR 2.390.

Non-proprietary, redacted versions of these documents, with the exception of Attachment 2, are provided in Attachments 4, 7, and 9. Because all the information contained in Attachment 2 is proprietary, a non-proprietary version is not provided. Attachment 10 provides the associated affidavit for this request.

The No Significance Hazards Determination and the Environmental Consideration provided in Reference 1 are not impacted by these responses.

This letter contains new commitments, which are identified in Attachment 11.

If you have any questions or require additional information, please contact Mr. Guy Davant at (601) 368-5756.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on June 3, 2010.

Sincerely,

MAK/ghd

Attachments:
1. Responses to NRC Requests for Additional Information Pertaining to License Amendment Request - Power Range Neutron Monitoring System Upgrade
2. Response to RAI No. 4 - PRNM System Communications Architecture Diagrams (Proprietary Version)
3. Response to RAI No. 4 - NRC ISG-04 Compliance Matrix (Proprietary Version)
4. Response to RAI No. 4 - NRC ISG-04 Compliance Matrix (Non-Proprietary Information)
5. Response to RAI No. 5 - GE-Hitachi Nuclear Energy Report 0000-0102-0888-R1, Grand Gulf Nuclear Station - Plant-Specific Responses Required by NUMAC PRNM Retrofit Plus Option III Stability Trip Function Topical Report (NEDC-32410P-A)
6. Response to RAI No. 6 (Proprietary Version)
7. Response to RAI No. 6 (Non-Proprietary Version)
8. Response to RAI No. 10 (Proprietary Version)
9. Response to RAI No. 10 (Non-Proprietary Version)
10. Affidavit Supporting Request to Withhold Information from Public Disclosure
11. Licensee-Identified Commitments

cc: Mr. Elmo E. Collins, Jr.
Regional Administrator, Region IV
U. S. Nuclear Regulatory Commission
612 East Lamar Blvd., Suite 400
Arlington, TX 76011-4005

U. S. Nuclear Regulatory Commission
ATTN: Mr. C. F. Lyon, NRR/DORL (w/2)
ATTN: ADDRESSEE ONLY
ATTN: Courier Delivery Only
Mail Stop OWFN/8 B1
11555 Rockville Pike
Rockville, MD 20852-2378

State Health Officer
Mississippi Department of Health
P. O. Box 1700
Jackson, MS 39215-1700

NRC Senior Resident Inspector
Grand Gulf Nuclear Station
Port Gibson, MS 39150

ATTACHMENT 1
GNRO-2010/00040
RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION PERTAINING TO LICENSE AMENDMENT REQUEST POWER RANGE NEUTRON MONITORING SYSTEM UPGRADE

By application dated November 3, 2009, Entergy Operations, Inc. (Entergy) requested NRC staff approval of an amendment to the Grand Gulf Nuclear Station, Unit 1 (GGNS) Technical Specifications (TS) to reflect installation of the digital General Electric - Hitachi (GEH) Nuclear Management Analysis and Control (NUMAC) Power Range Neutron Monitoring (PRNM) System.[1] Entergy received a letter from the NRC staff, dated May 4, 2010, requesting additional information needed to support their review and approval of the proposed amendment.[2] Responses to the RAIs are provided in this attachment with the exceptions noted below.

On May 25, 2010, representatives from Entergy and GEH met with members of the NRC staff to discuss these Requests for Additional Information (RAIs). As a result of the clarifying information presented by the staff in that meeting, Entergy is determining the scope and resources needed to answer RAI Nos. 1, 2, and 3. Entergy will provide a schedule to the NRC for responding to these RAIs by June 18, 2010. In addition, information requested in RAI Nos. 5, 7, and 8 will be provided on or before the dates identified in the responses to the individual RAIs, below. Entergy understands these RAIs will remain open until the information is provided to and accepted by the NRC.

NRC RAI No. 4

For the GGNS application of the GEH NUMAC PRNM System, please clearly identify and define all safety to non-safety data communications, including the data communications between the PRNM system and the Plant Computer and between independent/redundant PRNM channels. For the data communications among the four PRNM channels of the Grand Gulf PRNM System, include a demonstration of compliance with DI&C-ISG-04 (ML083310185) for intra-channel communications. For the plant specific data communications between the Grand Gulf PRNM System and the Plant Computer, include a demonstration of compliance with DI&C-ISG-04 for safety to non-safety communications.

Response.

The PRNM System data communication architecture is comprised of the following pathways:

  • Within the PRNM System channels (safety-to-non-safety)
  • Between the PRNM Process Computer Interfaces (PCI) and the NUMAC Interface Computer (NIC) (non-safety-to-non-safety)
  • Between the NIC and the Plant Process Computer (PPC) (non-safety-to-non-safety)

[1] Entergy Operations, Inc. letter to the NRC, License Amendment Request - Power Range Neutron Monitoring System Upgrade, dated November 3, 2009 (ADAMS Accession No. ML093140463)
[2] NRC letter to Entergy Operations, Inc., Grand Gulf Nuclear Station, Unit 1 - Request for Additional Information Re: Power Range Neutron Monitoring System (TAC No. ME2531), dated May 5, 2010 (ADAMS Accession No. ML101190125)

Diagrams depicting these communication architectures are provided in Attachment 2.

In addition to the communications shown in these diagrams, there exist point-to-point fiber optic connections between each Two-Out-of-Four Voter Logic Module and the APRM bypass switch, and point-to-point communications among the Two-Out-of-Four Voter Logic Modules to transmit the APRM channel bypass status for the division in which each module resides. These are safety-to-safety communications.

The data contents from safety-to-non-safety systems consist of Local Power Range Monitor (LPRM) fluxes, APRM flux, channel trip status, instrument self-test status, recirculation flow value, and Oscillation Power Range Monitor (OPRM) cell status for transmittal to the non-divisional interfaces and NUMAC Interface Computer.

The data contents from non-safety to safety components consist of LPRM Gain Adjustment Factors, APRM Gain Adjustment Factors, and flow compare alarm status from the PCI instrument to the APRM instrument. The data messages transmitted from non-safety components to safety components are not used in the APRM instrument's safety function except for the APRM and LPRM Gain Adjustment Factors. However, the way in which they are transmitted and accepted by the APRM for use does not affect the APRM's ability to perform its safety function, as described in the attached ISG-04 compliance matrix.

A compliance matrix that evaluates the GGNS-designed PRNM System to the guidance of ISG-04 for the safety-to-non-safety communications within the PRNM System is provided in Attachments 3 and 4 (proprietary and non-proprietary versions, respectively). This matrix demonstrates:

(1) The PRNM System design for GGNS is compliant with ISG-04; and
(2) The architecture of the communications between safety and non-safety devices provides adequate protection for the safety instrumentation.

Entergy has not developed specific compliance matrices for the PCI-to-NIC and NIC-to-PPC communication architectures since these are non-safety-to-non-safety pathways for which ISG-04 does not apply.

NRC RAI No. 5

In accordance with the NUMAC PRNM LTR, both the documentation of the qualification activities and the licensee's confirmation "should be included in the plant-specific licensing submittals;" however, this information was not addressed in the LAR. Please provide the analyses or reference documents (such as the referenced "Qualification Summary") that demonstrate the environmental conditions for the Grand Gulf PRNM System configuration are enveloped by the conditions to which GE NUMAC PRNM System equipment has been environmentally qualified (for example, Regulatory Guide 1.89, IEEE 323-1974, IEEE 323-1983, Regulatory Guide 1.100, IEEE 344-1975, etc.) as discussed in section 4.4.2 of GE LTR NEDC-32410P-A. Paragraph 5.0 Item 4) in the original Safety Evaluation Report for the LTR requires plant-specific action to confirm appropriate qualification has been completed.

However, as is indicated in the following table, the LAR does not identify the applicable Grand Gulf environmental conditions nor confirm that they have been enveloped by equipment qualification or analysis.

Qualification item (SER paragraph; LAR Attachment 2 entry): RAI issue to be resolved

Temperature (3.4.1; 4.4.2.2.1.4): The LAR identifies the normal control room temperature. Please indicate if the identified temperature applies to the worst-case conditions in which the equipment is required to remain operable.

Humidity (3.4.1; 4.4.2.2.1.4): The LAR identifies the normal control room relative humidity. Please indicate if the identified relative humidity applies to the worst-case conditions in which the equipment is required to remain operable.

Pressure (3.4.2; 4.4.2.2.2.4): The LAR identifies the normal control room pressure. Please indicate if the identified pressure applies to the worst-case conditions in which the equipment is required to remain operable.

Radiation (3.4.2; 4.4.2.2.3.4): The LAR identifies the normal control room dose rates. Please indicate if the identified dose rates apply to the worst-case conditions in which the equipment is required to remain operable.

Seismic (3.4.3; 4.4.2.3.4): Please provide documentation of the qualification action and that the licensee's confirmation has taken place.

EMI Compatibility (3.4.4; 4.4.2.4.4): Please provide direct testing references to the EMI requirements under 4.4.2.4.2 or compliance per 4.4.2.4.3 of the NUMAC PRNM LTR. Please provide documentation of the qualification action and that the licensee's confirmation has taken place.

Response

This RAI requests Entergy to:

(1) Provide the worst-case environmental conditions in which the equipment is required to remain operable for temperature, humidity, pressure, and radiation (LAR Attachment 2, Sections 4.4.2.2.1.4, 4.4.2.2.2.4, and 4.4.2.2.3.4);
(2) Confirm these worst-case conditions have been enveloped by equipment qualification or analysis; and
(3) Provide documentation to confirm qualification actions for seismic conditions and EMI compatibility have taken place (LAR Attachment 2, Sections 4.4.2.3.4 and 4.4.2.4.4).

Attachment 2 of the PRNMS LAR contains GE-Hitachi Nuclear Energy Report 0000-0102-0888-R0, Grand Gulf Nuclear Station - Plant-Specific Responses Required by NUMAC PRNM Retrofit Plus Option III Stability Trip Function Topical Report (NEDC-32410P-A). In response to Item (1), Entergy has revised the information contained in Sections 4.4.2.2.1.4, 4.4.2.2.2.4, and 4.4.2.2.3.4 of this report to reflect the range of values representing the worst-case conditions for the identified parameters, as requested. A revised report, 0000-0102-0888-R1, is provided in Attachment 5.

In response to Items (2) and (3), the requested information is scheduled to be available from GEH during the fourth quarter 2010; therefore, Entergy will provide it to the NRC on or before January 17, 2011.

NRC RAI No. 6 Please provide the information necessary to evaluate the equipment configuration (for example, identify the revisions/version of hardware, programmable devices, software, etc.) for the Grand Gulf PRNM System. Item 1) of paragraph 5.0 in the original Safety Evaluation Report for the LTR, requires the applicant to provide information that reconciles differences between the specific plant design, which is a BWR6 for Grand Gulf, and the topical report design description, whose supporting analysis is largely non-BWR6 based. While Attachment 2 of the license amendment does define changes to the plant configuration, it does not define the upgraded equipment's configuration. The entry for Section 2.3.4 in Attachment 2 of the license amendment identifies Grand Gulf's options, but the information provided does not define the equipment configuration specific to its BWR6 application in sufficient detail to support the safety evaluation. For example, BWR6 application incorporates replacement of the Rod Block Monitor with the Computer Interface Units, which is not described within the GE LTR NEDC-32410P-A. Furthermore, GE LTR NEDC-32410P-A recognizes the Plant Computer and its data communications as plant specific items.

Response

This RAI requests Entergy to:

(1) Provide the information necessary to evaluate the equipment configuration for the GGNS PRNM System; and
(2) Provide information that reconciles differences between the GGNS-specific PRNM System design and the topical report design description.

The response to RAI No. 1, which has been deferred, will provide the information necessary to address Item (1). Attachments 6 and 7 (proprietary and non-proprietary versions, respectively) contain the information to address Item (2); specifically, the additions to and deletions from the PRNM LTR descriptions to reflect the GGNS application.

NRC RAI No. 7

As required by Item 6) of paragraph 5.0 in the original Safety Evaluation Report for the LTR, please provide the information necessary to demonstrate that any changes to Grand Gulf's operator's panel have received human factors reviews per plant-specific procedures.

Contrary to the Safety Evaluation Report, Section 2.3.4 in Attachment 2 does not contain the results of the human factors review. Please provide the HFE information that is representative of the statements made in 2.3.3.6.2.1 that the Grand Gulf operator panel will "maintain the current interface feel."

Response

As stated in Section 2.3.4 of Attachment 2 to the PRNMS LAR, the human factors review is performed as part of the engineering design and modification process. This review is typically performed in the latter phases of the process following component and system design. The requested information is scheduled to be completed during the second quarter 2011; therefore, Entergy will provide it to the NRC on or before June 30, 2011. In accordance with the modification process, the procedures that reflect the PRNM System man-machine interface will be validated during operator training, which is scheduled to begin during the fourth quarter 2011.

NRC RAI No. 8

Please identify how the failure rate data for the identified hardware items, as provided in NEDC-32410P-A Table F.2, is affected by the Grand Gulf BWR6 equipment configuration.

Response

Table F.2 of the PRNM LTR contains failure rate data for components of a typical PRNM System. With the exception of the Rod Block Monitor (RBM) chassis and module, these components are found in the GGNS-specific system. However, the table does not reflect failure rate data for the PCI module, which is used in the PRNM System design for the BWR/6. Entergy is developing a table based on Table F.2 that reflects the BWR/6 PRNM System design and includes the PCI module. This table is scheduled to be completed during the third quarter 2010; therefore, Entergy will provide it to the NRC on or before September 30, 2010.

NRC RAI No. 9

The original SER for the LTR requires a plant-specific action to confirm administrative controls for channel bypass or removal for operation, as well as access to the PRNM operating panel and the Average Power Range Monitor/Oscillating Power Range Monitor (APRM/OPRM) channel bypass switch will be provided (see paragraph 3.10, paragraph 3.17 and paragraph 5.0 Item 5). Please describe the administrative controls that Grand Gulf will provide for the GE NUMAC PRNM System upgrade. Please demonstrate in your response that the administrative controls are provided for manually bypassing APRM/OPRM channels, or protective function, and for controlling access to the Grand Gulf PRNM System panel and the APRM/OPRM channel bypass switch. Also, please identify and describe any administrative controls requiring operator involvement in the generation, review, and use of new LPRM gain and calculated core thermal power values, which can affect APRM and OPRM setpoints.


Response

The following are the administrative controls for controlling access to the PRNM panels and manually bypassing APRM/OPRM channels:

1. Presently, there are two APRM bypass switches located in the main control room on the principal control console, 1H13-P680. These two switches will be replaced by one fiber-optic selector switch mounted on the same panel. Access to the main control room, which requires special approval by station management, is controlled via keycard.
2. Once in the main control room, permission from the Shift Manager must be obtained to enter the area where 1H13-P680 is located.
3. There is only one station operator authorized to sit directly in front of 1H13-P680, thereby limiting access to the APRM bypass switch.
4. When an APRM is bypassed, an indicating light on 1H13-P680 illuminates. In addition, a signal is sent to the PPC.
5. There are two PRNM System panels in the main control room (1H13-P670 and P672) and two in the upper control cabinet area (1H13-P669 and P671). As with the main control room, access to the upper control cabinet area is controlled via keycard as well as permission from the Operations Shift Manager to enter.

The following are the administrative controls that will be in place to control access to the APRM chassis mounted in the PRNM System panels and to system functions used for adjusting APRM channel gains. Also identified are system design attributes that notify operators of manipulations to the system (e.g., channel bypass).

1. The APRM bypass switch mounted on 1H13-P680 is used to bypass the selected PRNM panel to allow gain adjustments. Plant procedures dictate when the APRM bypass switch may be placed in the BYPASS position based on plant conditions. If the APRM bypass switch is placed in BYPASS, an annunciator will alarm for the respective channel being bypassed. A BYPASS indicating light at the PRNM panel will also illuminate on 1H13-P680.
2. Each APRM channel at its associated PRNM panel utilizes an OPERATE-INOP keylock switch. When the respective APRM channel keylock switch is placed in the INOP position, an annunciator will alarm for that respective channel if the APRM bypass switch on 1H13-P680 has not been placed in BYPASS. The key for the switch will be controlled by Operations in accordance with plant procedures.
3. The APRM channel gain may be adjusted in one of two ways:
a. Entering the OPERATE-SET mode, which is password-controlled; or
b. Using the OPERATE-INOP keylock switch located at the associated PRNM panel to switch from OPERATE to INOP, and entering a password.

The password will be controlled by Operations in accordance with plant procedures.

NRC RAI No. 10

To support NRC assessment of the acceptability of the LAR for the Grand Gulf PRNM System setpoints, please provide documentation (including representative calculations) of the setpoint methodology used for establishing the limiting setpoint (or NSP) and the limiting acceptable values for the As-Found and As-Left setpoints. Please indicate the related Analytical Limits and other limiting design values (and the sources of these values) for each setpoint. In addition to demonstration of acceptable values for the new OPRM Upscale setpoint, the representative calculations should reflect the upgraded equipment to confirm values for existing setpoints, such as Neutron Flux-High (Setdown), Fixed Neutron Flux-High, and Flow Biased Simulated Thermal Power-High.

Response

Attachments 8 and 9 (proprietary and non-proprietary versions, respectively) contain the response to RAI No. 10, which describes the GEH methodology used to calculate the GGNS PRNM System setpoints. Although not included in this letter, the NRC may, upon request, review a representative setpoint calculation and the setpoint input/output document at the GEH offices in Washington, DC.

Per the guidance provided in TSTF-493, Clarify Application of Setpoint Methodology for LSSS Functions, Rev. 4, Entergy will set the as-found tolerance equal to the Square Root Sum of the Squares (SRSS) combination of as-left tolerance and the projected drift, both of which are provided in the setpoint calculations. The as-found and as-left tolerances will be reflected in the associated surveillance test procedures. Entergy will complete these actions prior to startup from the 2012 refueling outage.

ATTACHMENT 4
GNRO-2010/00040
RESPONSE TO RAI No. 4 (NON-PROPRIETARY VERSION)

This is a non-proprietary version from which the proprietary information has been removed.

Portions of the enclosure that have been removed are indicated by an open and closed bracket as shown here (( )).

to GNRO-2010/00040 Page 1 of 22 Table 4-1 ISG-04 Compliance Matrix ISG-04text/guidance PRNM Conformance to ISG-04 1 Scope: K Design and review of digital systems proposed for safety This statement is not a requirement.

2 related service in nuclear power plants Does not apply to interactions within the same division of This statement defines the scope but is not a requirement.

3_ safety related systems 4 Does not apply to non-safety related systems This statement defines the scope but is not a requirement.

Applies to non-safety related systems that may affect plant This statement defines the scope but is not a requirement.

5 conformance to safety analysis (accident analysis, transient analysis) 6 Definitions:

The term "Highly-Integrated Control Room" (HICR) refers to The statement is not a requirement but a definition; it is not a control room in which the traditional control panels, with applicable to the GGNS PRNM System.

7 their assorted gauges, indicating lights, control switches, annunciators, etc., are replaced by computer-driven consolidated operator interfaces. In an HICR:

The primary means for providing information to the plant The statement is not a requirement but a definition; it is not 8 operator is by way of computer driven display screens applicable to the GGNS PRNM System.

mounted on consoles or on the control room walls The primary means for the operator to command the plant is The statement is not a requirement but a definition; it is not 9 by way of touch screens, keyboards, pointing devices or applicable to the GGNS PRNM System.

other computer-based provisions to GNRO-2010/00040 Page 2 of 22

  • ISG-04 text/guidance PRNM Conformance to ISG-04 A digital workstation is in essence just one device. Unlike a Divisional separation is maintained in the PRNM. Displays, whether conventional control panel, there is no way for its many in the control room (ODA), or on the face of an instrument, are functions to be independent of or separated from one divisional.

10 another, because they all use the same display screen, processing equipment, operator interface devices, etc.

Functions that must be independent must be implemented in independent workstations This ISG describes how controls and indications from all No comment. Not a requirement.

safety divisions can be combined into a single integrated workstation while maintaining separation, isolation, and 11 independence among redundant channels. This ISG does not alter existing requirements for safety-related controls and displays to support manual execution of safety functions.

12 1. INTERDIVISIONAL COMMUNICATIONS 13 Scope:

As used in this document, interdivisional communications Not a requirement.

includes transmission of data and information among components in different electrical safety divisions and 14 communications between a safety division and equipment that is not safety-related. It does not include communications within a single division. Interdivisional communications may be bidirectional or unidirectional.

15 STAFF POSITION Bidirectional communications among safety divisions and This is a high level guide and compliance is demonstrated by between safety and.nonsafety equipment is acceptable addressing the specific NRC guidance in the following sections.

16 provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.

to GNRO-2010/00040 Page 3 of 22

.- . .,ISG-04.text/guidance- ' - PRNM Conformance to ISG-04 Systems which include communications among safety This is a high level guide and compliance is demonstrated by A.

divisions and/or bidirectional communications between --addressing the specific NRC guidance in the following sections.

safety division and non-safety-equipment should'adhere to . . The reviewer in this document is assumed to be the NRC reviewer.

the guidance described in the remainder of this section.

.17 Adherence to each point should be demonstrated by the applicant and verified by the reviewer. This verification should include detailed review of the system configuration and software specifications, and may also involve a review of selected software code.

Staff Position 1.1 A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its 18 safety function. This is a fundamental consequence of the independence requirements of IEEE603. It is recognized that division-voting logic must receive inputs from multiple safety divisions.

Staff Position 1.2 The safety function of each safety channel should be protected from adverse influence from

. 19 outside the division of which that channel is a member.

1]

Staff Position 1.2 (implementation details) Information S *

  • and signals- originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the 20 sources outside the division), and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.

to G NRO-2010/00040 Page 4 of 22 S., ISG-04 text/guidahe~ -- - .PRNM Conformance to ISG-04 Continuation of response from above.

21 Staff Position 1.3 A safety channel should not receive any communication from outside its own safety division unless

that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as

Row 22
ISG-04 text/guidance (continued): ... possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function, but is not designed to perform other functions. The more complex system would increase the likelihood of failures and software errors.

Attachment 4 to GNRO-2010/00040 Page 5 of 22

ISG-04 text/guidance / PRNM Conformance to ISG-04

Row 23
ISG-04 text/guidance: Continuation of Staff Position 1.3 from above. Such a complex design, therefore, should be avoided within the safety system. For example, comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors (for example, On-Line Monitoring). Such a function executed within a safety system, however, could also result in unacceptable influence of one division over another, or could involve functions not directly related to the safety functions, and should not be executed within the safety system.
PRNM Conformance to ISG-04: Continuation of response to Staff Position 1.3.

Row 24
PRNM Conformance to ISG-04: Continuation of response to Staff Position 1.3.

Row 25
PRNM Conformance to ISG-04: ))

Row 26
PRNM Conformance to ISG-04: Continuation of response to Staff Position 1.3. ))

Row 27
Staff Position 1.3 (implementation details)
ISG-04 text/guidance: Receipt of information from outside the division, and the performance of functions not directly related to the safety function, if used, should be justified. It should be demonstrated that the added system/software complexity associated with the performance of functions not directly related to the safety function and with the receipt of information in support of those functions does not significantly increase the likelihood of software specification or coding errors, including errors that would affect more than one division. The applicant should justify the definition of "significantly" used in the demonstration.
PRNM Conformance to ISG-04: See the above justification. All of the data received by the safety system that does not support a safety function are simple operations and are executed on a lower priority basis than the safety function. This requirement is met.

Row 28
Staff Position 1.4
ISG-04 text/guidance: The communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function. The communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information. The function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety-related, and must be designed, qualified, fabricated, etc., in accordance with 10 C.F.R. Part 50, Appendix A and B. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner.

Row 29
Continuation of Staff Position 1.4
ISG-04 text/guidance: For example, if the communication processor is accessing the shared memory at a time when the function processor needs to access it, the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses. If the shared memory cannot support unrestricted simultaneous access by both processors, then the access controls should be configured such that the function processor always has precedence. The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis, and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory.
PRNM Conformance to ISG-04: Continuation of response to Staff Position 1.4. ((

Row 30
Staff Position 1.5
ISG-04 text/guidance: The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory. This longest-possible completion time should include the response time of the memory itself and of the circuits associated with it, and should also include the possible delay in access to the memory by the function processor assuming worst-case conditions for the transfer of access from the communications processor to the function processor. Failure of the system to meet the limiting cycle time should be detected and alarmed.

Row 31
Staff Position 1.6
ISG-04 text/guidance: The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division.

Row 32
Staff Position 1.7
ISG-04 text/guidance: Only predefined data sets should be used by the receiving system. Data from unrecognized messages must not be used within the safety logic executed by the safety function processor.

Row 33
Staff Position 1.7 (implementation details)
ISG-04 text/guidance: Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre-specified design requirements.
PRNM Conformance to ISG-04: ))

Row 34
Staff Position 1.7 (implementation details)
ISG-04 text/guidance: Message format and protocol should be pre-determined.
PRNM Conformance to ISG-04: Communication protocol specifications define the message structure, the message type, and the content of each message.

Row 35
Staff Position 1.7 (implementation details)
ISG-04 text/guidance: Every message should have the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message.
PRNM Conformance to ISG-04: Every message, as defined by the governing protocol spec, has the same message field structure including sequence, message ID, status information, data, and check sum.

Row 36
Staff Position 1.7 (implementation details)
ISG-04 text/guidance: Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior.
PRNM Conformance to ISG-04: Message format and protocol are pre-determined. Every message has the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message. Every datum is included in every transmit cycle, whether it has changed since the previous transmission or not.

Row 37
Staff Position 1.8
ISG-04 text/guidance: Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions.

Row 38
Staff Position 1.9
ISG-04 text/guidance: Incoming message data should be stored in fixed predetermined locations in the shared memory and in the memory associated with the function processor. These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device.

Row 39
Staff Position 1.10
ISG-04 text/guidance: Safety division software should be protected from alteration while the safety division is in operation.

Row 40
Staff Position 1.10 (implementation details)
ISG-04 text/guidance: On-line changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g. engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor/shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic.

Row 41
Staff Position 1.10 (implementation details)
ISG-04 text/guidance: "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes.
PRNM Conformance to ISG-04: No software changes are allowed online; therefore, this switch is not used.

Row 42
Staff Position 1.11
ISG-04 text/guidance: Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service. The progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division. For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence.

Row 43
Staff Position 1.12
ISG-04 text/guidance: Communication faults should not adversely affect the performance of required safety functions in any way.

Row 44
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Faults, including communication faults, originating in nonsafety equipment, do not constitute "single failures" as described in the single failure criterion of 10 C.F.R. Part 50, Appendix A.

Row 45
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Examples of credible communication faults include, but are not limited to, the following:
PRNM Conformance to ISG-04: Title, not a requirement.

Row 46
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise.

Row 47
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be repeated at an incorrect point in time.

Row 48
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be sent in the incorrect sequence.
PRNM Conformance to ISG-04: ))

Row 49
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message.

Row 50
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, interference, or by delay in sending buffered messages.

Row 51
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be inserted into the communication medium from unexpected or unknown sources.

Row 52
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be sent to the wrong destination, which could treat the message as a valid message.

Row 53
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may be longer than the receiving buffer, resulting in buffer overflow and memory corruption.

Row 54
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may contain data that is outside the expected range.
PRNM Conformance to ISG-04: In this case the instrument declares the data invalid and the data is not used.

Row 55
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may appear valid, but data may be placed in incorrect locations within the message.
PRNM Conformance to ISG-04: ))

Row 56
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Messages may occur at a high rate that degrades or causes the system to fail (i.e., broadcast storm).

Row 57
Staff Position 1.12 (implementation details)
ISG-04 text/guidance: Message headers or addresses may be corrupted.
PRNM Conformance to ISG-04: The firmware rejects these messages.

Row 58
Staff Position 1.13
ISG-04 text/guidance: Vital communications, such as the sharing of channel trip decisions for the purpose of voting, should include provisions for ensuring that received messages are correct and are correctly understood. Such communications should employ error-detecting or error-correcting coding along with means for dealing with corrupt, invalid, untimely or otherwise questionable data. The effectiveness of error detection/correction should be demonstrated in the design and proof testing of the associated codes, but once demonstrated is not subject to periodic testing. Error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable. None of this activity should affect the operation of the safety-function processor.
PRNM Conformance to ISG-04: ))
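The receiving-node checks that Staff Positions 1.7, 1.12 and 1.13 call for (one fixed field layout, rejection of unrecognized messages, detection of the credible faults listed above, an error-detecting code), as an added example in C that is not from the GGNS submittal or the NUMAC PRNM firmware; the 10-byte layout, message ID 0x4A, engineering range, arrival window and CRC-16/CCITT are constructed assumptions.

```c
/* Added example, not code from the GGNS submittal or the NUMAC PRNM firmware: a
 * receiving-node validator for a fixed-format interdivisional message of the kind
 * ISG-04 Staff Positions 1.7, 1.12 and 1.13 describe. Layout, ID, range and
 * arrival window are constructed assumptions. */
#include <stddef.h>
#include <stdint.h>

/* Every message has the same length and the same field positions (SP 1.7). */
#define MSG_LEN     10
#define MSG_ID_APRM 0x4A    /* the single predefined message type (constructed) */
#define DATA_MIN    0       /* constructed engineering range for the datum */
#define DATA_MAX    1250
#define MAX_GAP_US  5000u   /* constructed permitted arrival window, microseconds */
enum { OFF_SEQ = 0, OFF_ID = 2, OFF_STATUS = 3, OFF_DATA = 4, OFF_CRC = 8 };

/* Each rejection maps to one of the credible faults listed under SP 1.12. */
enum verdict {
    MSG_OK, MSG_BAD_LENGTH, MSG_BAD_CRC, MSG_UNKNOWN_ID, MSG_SENDER_INVALID,
    MSG_REPEATED, MSG_OUT_OF_SEQUENCE, MSG_LATE, MSG_OUT_OF_RANGE
};

struct receiver {
    int      have_seq;        /* 0 until the first message is accepted */
    uint16_t last_seq;
    uint32_t last_arrival_us;
    int32_t  value;           /* last datum accepted for use by the safety logic */
};

/* CRC-16/CCITT-FALSE, the error-detecting code carried by every message (SP 1.13). */
static uint16_t crc16(const uint8_t *p, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: place each field at its fixed offset and append the CRC. */
void build_message(uint8_t *buf, uint16_t seq, uint8_t id, uint8_t status, int32_t value)
{
    buf[OFF_SEQ] = (uint8_t)(seq >> 8);  buf[OFF_SEQ + 1] = (uint8_t)seq;
    buf[OFF_ID] = id;
    buf[OFF_STATUS] = status;   /* 0 means the sender declares the datum valid */
    for (int i = 0; i < 4; i++)
        buf[OFF_DATA + i] = (uint8_t)((uint32_t)value >> (24 - 8 * i));
    uint16_t crc = crc16(buf, OFF_CRC);
    buf[OFF_CRC] = (uint8_t)(crc >> 8);  buf[OFF_CRC + 1] = (uint8_t)crc;
}

/* Receiver side: every check must pass before the datum replaces the stored value.
 * A rejected message leaves the receiver untouched, so the safety logic keeps the
 * last good datum; re-synchronising after a sequence gap is outside this example. */
enum verdict accept_message(struct receiver *r, const uint8_t *buf, size_t len, uint32_t now_us)
{
    if (len != MSG_LEN)                         /* longer than the buffer, or truncated */
        return MSG_BAD_LENGTH;
    uint16_t crc = (uint16_t)((buf[OFF_CRC] << 8) | buf[OFF_CRC + 1]);
    if (crc != crc16(buf, OFF_CRC))             /* corrupted in transit or in a buffer */
        return MSG_BAD_CRC;
    if (buf[OFF_ID] != MSG_ID_APRM)             /* unrecognized message: not used (SP 1.7) */
        return MSG_UNKNOWN_ID;
    if (buf[OFF_STATUS] != 0)                   /* sender itself flagged the datum invalid */
        return MSG_SENDER_INVALID;
    uint16_t seq = (uint16_t)((buf[OFF_SEQ] << 8) | buf[OFF_SEQ + 1]);
    if (r->have_seq) {
        if (seq == r->last_seq)                 /* repeated at an incorrect point in time */
            return MSG_REPEATED;
        if (seq != (uint16_t)(r->last_seq + 1)) /* wrong sequence, or a message was lost */
            return MSG_OUT_OF_SEQUENCE;
        if (now_us - r->last_arrival_us > MAX_GAP_US)   /* delayed beyond its window */
            return MSG_LATE;
    }
    int32_t value = 0;
    for (int i = 0; i < 4; i++)
        value = (int32_t)(((uint32_t)value << 8) | buf[OFF_DATA + i]);
    if (value < DATA_MIN || value > DATA_MAX)   /* out of expected range: declared invalid */
        return MSG_OUT_OF_RANGE;
    r->have_seq = 1;  r->last_seq = seq;
    r->last_arrival_us = now_us;  r->value = value;
    return MSG_OK;
}
```

A rejected message never updates the stored datum, which is the behaviour the response to Row 54 describes: the data is declared invalid and not used.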

Row 59
Staff Position 1.14
ISG-04 text/guidance: Vital communications should be point-to-point by means of a dedicated medium (copper or optical cable). In this context, "point-to-point" means that the message is passed directly from the sending node to the receiving node without the involvement of equipment outside the division of the sending or receiving node. Implementation of other communication strategies should provide the same reliability and should be justified.
PRNM Conformance to ISG-04: ((

Row 60
Staff Position 1.15
ISG-04 text/guidance: Communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set has changed or not.

Row 61
Staff Position 1.16
ISG-04 text/guidance: Network connectivity, liveness, and real-time properties essential to the safety application should be verified in the protocol. Liveness, in particular, is taken to mean that no connection to any network outside the division can cause an RPS/ESFAS communication protocol to stall, either deadlock or livelock. (Note: This is also required by the independence criteria of: (1) 10 C.F.R. Part 50, Appendix A, General Design Criteria ("GDC") 24, which states, "interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."; and (2) IEEE 603-1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.) (Source: NUREG/CR-6082, 3.4.3)
PRNM Conformance to ISG-04: ((

Row 62
Staff Position 1.17
ISG-04 text/guidance: Pursuant to 10 C.F.R. § 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified.
PRNM Conformance to ISG-04: ))

Row 63
Staff Position 1.18
ISG-04 text/guidance: Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication.

Row 64
Staff Position 1.19
ISG-04 text/guidance: If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.
PRNM Conformance to ISG-04: ))

Row 65
Staff Position 1.20
ISG-04 text/guidance: The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing.

Row 66
2. COMMAND PRIORITIZATION

Row 67
Scope:

Row 68
ISG-04 text/guidance: This section presents guidance applicable to a prioritization device or software function block, hereinafter referred to simply as a "priority module."
PRNM Conformance to ISG-04: Definition and not a requirement.

Row 69
ISG-04 text/guidance: A priority module receives device actuation commands from multiple safety and non-safety sources, and sends the command having highest priority on to the actuated device. The actuated device is a safety-related component such as a motor actuated valve, a pump motor, a solenoid operated valve, etc. The priority module must also be safety-related.
PRNM Conformance to ISG-04: The APRM system does not use priority modules. Therefore this section does not apply. The system is designed as fail safe (fail in a trip state). The actuation of the solenoid valves is performed by the reactor protection system (RPS).

Row 70
STAFF POSITION
ISG-04 text/guidance: Existing Diversity and Defense-in-Depth guidance indicates that diverse actuation signals should be applied to plant equipment control circuits downstream of the digital system to which they are diverse, in order to ensure that the diverse actuation will be unaffected by digital system failures and malfunctions. Accordingly the priority modules that combine the diverse actuation signals with the actuation signals generated by the digital system should not be executed in digital system software that may be subject to common-cause failures (CCF).
PRNM Conformance to ISG-04: ))

Row 71
ISG-04 text/guidance: Software implementation of priority modules not associated with diverse actuation would result in the availability of two kinds of priority modules, one of which is suitable for diverse actuation and one type not suitable for diverse actuation.
PRNM Conformance to ISG-04: As discussed above, this requirement does not apply to PRNM. Diverse backup systems such as the manual scram, ATWS, and SLC are not in the scope of this review.

Row 72
ISG-04 text/guidance: An applicant should demonstrate that adequate configuration control measures are in place to ensure that software-based priority modules that might be subject to CCF will not be used later for credited diversity, either deliberately or accidentally (for example, there is protection from design error and from maintenance / implementation error). This applies both to existing diversity provisions and to diversity provisions that might be credited later. The applicant should show how such provisions fit into the overall Appendix B quality program.

Row 73
Staff Position 2.1
ISG-04 text/guidance: A priority module is a safety related device or software function. A priority module must meet all of the 10 C.F.R. Part 50, Appendix A and B requirements (design, qualification, quality, etc.) applicable to safety-related devices or software.
PRNM Conformance to ISG-04: N/A for PRNM

Row 74
Staff Position 2.2
ISG-04 text/guidance: Priority modules used for diverse actuation signals should be independent of the remainder of the digital system, and should function properly regardless of the state or condition of the digital system. If these recommendations are not satisfied, the applicant should show how the diverse actuation requirements are met.
PRNM Conformance to ISG-04: N/A for PRNM

Row 75
Staff Position 2.3
ISG-04 text/guidance: Safety-related commands that direct a component to a safe state must always have the highest priority and must override all other commands. Commands that originate in a safety-related channel but which only cancel or enable cancellation of the effect of the safe-state command (that is, a consequence of a Common-Cause Failure in the primary system that erroneously forces the plant equipment to a state that is different from the designated "safe state."), and which do not directly support any safety function, have lower priority and may be overridden by other commands. In some cases, such as a containment isolation valve in an auxiliary feedwater line, there is no universal "safe state:" the valve must be open under some circumstances and closed under others.

Row 76
Continuation of Staff Position 2.3 description
ISG-04 text/guidance: The relative priority to be applied to commands from a diverse actuation system, for example, is not obvious in such a case. This is a system operation issue, and priorities should be assigned on the basis of considerations relating to plant system design or other criteria unrelated to the use of digital systems. This issue is outside the scope of this ISG. The reasoning behind the proposed priority ranking should be explained in detail. The reviewer should refer the proposed priority ranking and the explanation to appropriate systems experts for review.
PRNM Conformance to ISG-04: N/A for PRNM

Row 77
Staff Position 2.3 (implementation details)
ISG-04 text/guidance: The priority module itself should be shown to apply the commands correctly in order of their priority rankings, and should meet all other applicable guidance. It should be shown that the unavailability or spurious operation of the actuated device is accounted for in, or bounded by, the plant safety analysis.
PRNM Conformance to ISG-04: N/A for PRNM

Row 78
Staff Position 2.4
ISG-04 text/guidance: A priority module may control one or more components. If a priority module controls more than one component, then all of these provisions apply to each of the actuated components.
PRNM Conformance to ISG-04: N/A for PRNM

Row 79
Staff Position 2.5
ISG-04 text/guidance: Communication isolation for each priority module should be as described in the guidance for interdivisional communications.
PRNM Conformance to ISG-04: N/A for PRNM

Row 80
Staff Position 2.6
ISG-04 text/guidance: Software used in the design, testing, maintenance, etc. of a priority module is subject to all of the applicable guidance in Regulatory Guide 1.152, which endorses IEEE Standard 7-4.3.2-2003 (with comments). This includes software applicable to any programmable device used in support of the safety function of a prioritization module, such as programmable logic devices (PLDs), programmable gate arrays, or other such devices. Section 5.3.2 of IEEE 7-4.3.2-2003 is particularly applicable to this subject. Validation of design tools used for programming a priority module or a component of a priority module is not necessary if the device directly affected by those tools is 100% tested before being released for service. 100% testing means that every possible combination of inputs and every possible sequence of device states is tested, and all outputs are verified for every case. The testing should not involve the use of the design tool itself. Software-based prioritization must meet all requirements (quality requirements, V&V, documentation, etc.) applicable to safety-related software.
PRNM Conformance to ISG-04: N/A for PRNM

Row 81
Staff Position 2.7
ISG-04 text/guidance: Any software program that is used in support of the safety function within a priority module is safety-related software. All requirements that apply to safety-related software also apply to prioritization module software. Nonvolatile memory (such as burned-in or reprogrammable gate arrays or random-access memory) should be changeable only through removal and replacement of the memory device. Design provisions should ensure that static memory and programmable logic cannot be altered while installed in the module. The contents and configuration of field-programmable memory should be considered to be software, and should be developed, maintained, and controlled accordingly.
PRNM Conformance to ISG-04: N/A for PRNM

Row 82
Staff Position 2.8
ISG-04 text/guidance: To minimize the probability of failures due to common software, the priority module design should be fully tested (This refers to proof-of-design testing, not to individual testing of each module and not to surveillance testing). If the tests are generated by any automatic test generation program then all the test sequences and test results should be manually verified. Testing should include the application of every possible combination of inputs and the evaluation of all of the outputs that result from each combination of inputs. If a module includes state-based logic (that is, if the response to a particular set of inputs depends upon past conditions), then all possible sequences of input sets should also be tested. If testing of all possible sequences of input sets is not considered practical by an applicant, then the applicant should identify the testing that is excluded and justify that exclusion.
PRNM Conformance to ISG-04: N/A for PRNM

Row 83
Staff Position 2.9
ISG-04 text/guidance: Automatic testing within a priority module, whether initiated from within the module or triggered from outside, and including failure of automatic testing features, should not inhibit the safety function of the module in any way. Failure of automatic testing software could constitute common-cause failure if it were to result in the disabling of the module safety function.
PRNM Conformance to ISG-04: N/A for PRNM

Row 84
Continuation of Staff Position 2.9 description
ISG-04 text/guidance: The applicant should show that the testing planned or performed provides adequate assurance of proper operation under all conditions and sequences of conditions. Note that it is possible that logic devices within the priority module include unused inputs: assuming those inputs are forced by the module circuitry to a particular known state, those inputs can be excluded from the "all possible combinations" criterion. For example, a priority module may include logic executed in a gate array that has more inputs than are necessary. The unused inputs should be forced to either "TRUE" or "FALSE" and then can be ignored in the "all possible combinations" testing.
PRNM Conformance to ISG-04: N/A for PRNM

Row 85
Staff Position 2.10
ISG-04 text/guidance: The priority module must ensure that the completion of a protective action as required by IEEE Standard 603 is not interrupted by commands, conditions, or failures outside the module's own safety division.
PRNM Conformance to ISG-04: N/A for PRNM

Row 86
3. MULTIDIVISIONAL CONTROL AND DISPLAY STATIONS

Row 87
Scope:
Staff Position 3.0
ISG-04 text/guidance: This section presents guidance concerning operator workstations used for the control of plant equipment in more than one safety division and for display of information from sources in more than one safety division. This guidance also applies to workstations that are used to program, modify, monitor, or maintain safety systems that are not in the same safety division as the workstation. Multidivisional control and display stations addressed in this guidance may themselves be safety-related or not safety-related, and they may include controls and displays for equipment in multiple safety divisions and for equipment that is not safety-related, provided they meet the conditions identified herein. Even though the use of multidivisional control and display stations is relatively new to the nuclear industry, the concepts to maintain the plant safety contained in this guidance are in line with the current NRC regulations.
PRNM Conformance to ISG-04: The PRNM does not have control stations which can be used to operate equipment. The PRNM does not have equipment to monitor equipment in multiple divisions. Therefore this section does not apply.

Row 88
GENERIC COMMENTS
PRNM Conformance to ISG-04: This compliance matrix uses the terms requirements and guidance synonymously. It is recognized that the ISG is guidance; however, for practicality, the sections of this ISG will be evaluated as requirements.