GO2-10-099, Response to Request for Supplemental Information for Completion of Acceptance Review for PRNM/ARTS/MELLLA System Upgrade

ML102360357
Person / Time
Site: Columbia Energy Northwest
Issue date: 07/30/2010
From: Oxenford W
Energy Northwest
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
GO2-10-099, TAC ME3981


Text

Energy Northwest

W. Scott Oxenford
Columbia Generating Station
P.O. Box 968, P0
Richland, WA 99352-0968
Ph. 509.377.4300 | F. 509.377.4150
soxenford@energy-northwest.com

July 30, 2010
GO2-10-099
10 CFR 50.90

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001

Subject:

COLUMBIA GENERATING STATION, DOCKET NO. 50-397 RESPONSE TO REQUEST FOR SUPPLEMENTAL INFORMATION FOR COMPLETION OF ACCEPTANCE REVIEW FOR PRNM/ARTS/MELLLA SYSTEM UPGRADE

References:

1) Letter GO2-10-071, from W. S. Oxenford (Energy Northwest) to NRC, dated May 11, 2010, "License Amendment Request to Change Technical Specifications in Support of PRNM / ARTS / MELLLA Implementation" (ADAMS Accession No. 101390368)
2) Letter from NRC to J. V. Parrish (Energy Northwest) dated July 13, 2010, "Columbia Generating Station - Acceptance Review for License Amendment Request to Change Technical Specifications in Support of PRNM/ARTS/MELLLA Implementation (TAC NO. ME3981)"

Dear Sir or Madam:

By Reference 1, Energy Northwest submitted to the NRC a license amendment request (LAR), which proposed to revise the Columbia Generating Station (CGS) Technical Specifications (TS) to reflect, along with other items, the installation of the digital General Electric-Hitachi (GEH) Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitoring (PRNM) System.

With Reference 2, the NRC requested supplemental information needed to support their review and approval of the LAR. The responses to the supplemental information request are provided in Attachment 1. Information supporting the responses in Attachment 1 is contained in Attachments 2 through 4. GEH considers certain information contained in Attachments 1, 2, and 3 to be proprietary and, therefore, requests that it be withheld from public disclosure in accordance with 10 CFR 2.390. Non-proprietary versions of these attachments are provided as Attachments 5, 6, and 7. Attachment 8 contains the associated affidavits for this request.

This letter also contains supplemental information, provided in Attachment 9, which corrects two inconsistencies in the Reference 1 submittal.

This letter contains a new commitment, which is identified in Attachment 10.

The No Significant Hazards Determination and the Environmental Consideration provided in Reference 1 are not impacted by this supplemental information.

If you have further questions, please contact D.W. Gregoire at (509) 377-8616.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the date of this letter.

W.S. Oxenford
Vice President, Nuclear Generation and Chief Nuclear Officer

Attachments:

1. Response to Request for Supplemental Information (Proprietary version)
2. Applicable Sections of GE-MS-CT-1 06244-KM 115 (Proprietary version)
3. Applicable Sections of GEH-CGS-1 07474-113 (Proprietary version)
4. Figure 3-1, PRNM System Communication Diagram
5. Response to Request for Supplemental Information (Non-proprietary version)
6. Applicable Sections of GE-MS-CT-1 06244-KM 115 (Non-proprietary version)
7. Applicable Sections of GEH-CGS-1 07474-113 (Non-proprietary version)
8. Affidavits Supporting Request to Withhold Information from Public Disclosure
9. Supplemental Corrections of Original Submittal
10. List of Regulatory Commitments

cc: NRC RIV Regional Administrator
NRC NRR Project Manager
NRC Senior Resident Inspector/988C
R.N. Sherman - BPA/1 399
W.A. Horin - Winston & Strawn

Figure 3-1, PRNM System Communication Diagram

Response to Request for Supplemental Information (Non-proprietary version)

Information Notice

This is a non-proprietary version of Attachment 1, from which the proprietary information has been removed. Portions of the Attachment that have been removed are indicated by an open and closed bracket as shown here [[ ]].

Response to Request for Supplemental Information

NRC Request for Supplemental Information (RSI) 1:

Please identify the changes to the GEH NUMAC PRNM System platform from those defined and approved on September 5, 1995 within GE Nuclear Energy (GE) Licensing Topical Report (LTR), "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," NEDC-32410P-A, dated October 1995 (ADAMS Legacy Accession No. 9605290009).

For example, the identified changes should include those to hardware, programmable devices, software, applicable development processes, and the like, that will be reflected within the CGS PRNM System upgrade. When considering the software development processes for the platform, the response should address changes (from that previously approved for the GE LTR NEDC-32410P-A) to the applicable documentation that is identified under Section B.2 of the Standard Review Plan (SRP or NUREG-0800), Branch Technical Position 7-14, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems," Revision 5, March 2007 (ADAMS Accession No. ML070670183), and the secure development and operational environment.

Energy Northwest Response:

The Columbia Generating System (CGS) PRNM system has been designed in accordance with the LTR. See Attachment 2, pages 1 through 46 (of 78) for a detailed description of the CGS PRNM System platform, including changes made to the platform since approval of the PRNM LTR.

NRC RSI 2:

Please describe how a software common-cause failure of the CGS PRNM/ARTS/MELLLA and OPRM System upgrade is addressed or coped with, such that, upon its failure, CGS remains within its design basis for all design-basis accidents and anticipated operational occurrences. The software common-cause failure should include failure of the OPRM functions because they will be integrated into the NUMAC PRNM System.

Energy Northwest Response:

The existing APRM subsystem provides a single-sensor input to RPS. Replacing the APRM subsystem with the PRNM system does not change or alter the diversity between RPS and the other plant systems that provide inputs to it. Other diverse sensors (e.g., reactor pressure) and manual RPS actuation provide adequate defense in depth to mitigate a common cause failure of the APRM subsystem. The PRNM system is the only NUMAC input into the RPS at CGS. The OPRM is a single sensor input to RPS; the APRM and manual RPS actuation provide backup. GEH's approved design process and comprehensive V&V program for the PRNM provide adequate reliability including effects of possible software common cause failures. This methodology, coupled with APRM and OPRM diverse functions and operator actions, provides an effective defense against common cause failures in the software.

An in-depth analysis of common cause software-related failures for the PRNM, which includes both APRM and OPRM functions, was previously performed by GEH and approved by the NRC in their SER. In addition, information provided in Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-in-Depth in Digital Computer-Based Instrumentation and Control Systems, supports the position that further analysis beyond the LTR's scope is not required. Relevant information from each document is presented below.

The conclusions of section 6.5 of the PRNM LTR are applicable and Columbia Generating Station (CGS) remains within its design bases. The CGS Final Safety Analysis Report (FSAR) has been compared to the design basis accidents and anticipated operational occurrences evaluated in the PRNM LTR. Events evaluated for the PRNM LTR encompass the events analyzed for CGS and the configuration of the PRNM is within the limits of the PRNM LTR.

PRNM LTR

Common Cause Failure and Defense in Depth are covered for APRM and OPRM in sections 6.4 and 6.5 of the PRNM LTR.

Regarding the APRM's function, Section 6.4.1 references analysis documented in GEH NEDC-30851 P-A, Technical Specification Improvement Analysis for BWR Reactor Protection System, March 1988, which employs EPRI Report No. NP-2230, Part 3, ATWS: Frequency of Anticipated Transients.

Section 6.4.1 states in part:

Table F-1 is reproduced below. Notes added to the table identify and resolve differences in the CGS design. The overall conclusion is that adequate diversity and defense in depth are provided and CGS's design is consistent with the PRNM LTR Section 6.4.1.

The NRC approved NEDC-30851 P-A in a letter to the BWR Owners' Group dated January 24, 1988 (Reference 9).

TABLE F-1 SENSOR DIVERSITY FOR INITIATING EVENTS

[[ ]]

The CGS design does not include a scram on MSIV High Radiation. However, this design does not adversely impact the conclusions of NEDC-30851 P-A as applied to CGS since there exist other diverse systems that provide RPS inputs for the event as identified in the table.

2 CGS is also analyzed for these events without bypass capability. The scram sensors for the turbine and generator trip events are applicable regardless of bypass availability. Therefore, the diverse sensors identified for the "with bypass" events also apply to the "without bypass" events.

Regarding the OPRM function, Section 6.4.2 states:

Section 6.5 of the PRNM LTR documented the following conclusions:

NRC Safety Evaluation Report Section 6.6 of the PRNM LTR states the licensee must confirm applicability of these conclusions by:

(1) Confirming the events defined in EPRI Report No. NP-2230 or Appendices F and G of NEDC-30851 P-A encompass the events that are analyzed for the plant;

(2) Confirming the configuration implemented by the plant is within the limits described in the PRNM LTR; and

(3) Preparing a plant-specific 10 CFR 50.59 evaluation of the modification per applicable plant procedures.

Energy Northwest confirms the applicability of these items as follows:

(1) Table 2-1 demonstrates that the events defined in Appendices F and G of NEDC-30851 P-A encompass the events that are analyzed for CGS. Table 2-1 lists the events identified in Appendices F and G of NEDC-30851 P-A and identifies the applicable section in Chapter 15, Accident Analyses, of the CGS FSAR in which the event is discussed.

(2) Energy Northwest confirms that the configuration to be implemented by CGS is within the limits described in the PRNM LTR. This is demonstrated by the CGS-specific PRNM System configuration described in the response to RSI 1.

(3) The requirements of 10 CFR 50.59 have been applied to the PRNM modification in accordance with applicable plant procedures.

The NRC evaluated the PRNM System for common-cause software-related failures documented in the PRNM LTR and agreed with GEH's conclusions, as documented in its safety evaluation report (SER) approving the PRNM LTR. Specifically, Section 3.4.6 of the SER states:

"GE performed equipment failure analyses to evaluate the effects of module level failures on critical system functions, and to assess qualitatively the defense-in-depth of the PRNM system. Common cause software related failures, which can result in PRNM system malfunctions were evaluated in the GE analyses. Defense-in-depth design features in the existing RPS, including the diverse anticipated transient without scram mitigation system and manual reactor trip capability, provide an acceptable means to address common mode failures in the APRM and OPRM software functions. Additionally, as mentioned above [Section 3.2 of the SER], the APRM and OPRM software development process involves a comprehensive quality assurance methodology to detect and correct software errors. This methodology, coupled with APRM diverse functions and operator actions, provides an effective defense against common cause failures in the software. The staff finds the above features to address malfunctions to be acceptable."

BTP 7-19

BTP 7-19 provides guidance for evaluating diversity and defense-in-depth of digital computer-based I&C systems. BTP 7-19 is structured to evaluate diversity and defense-in-depth of plant systems at a plant level. The PRNM System replaces a single-sensor input to the Reactor Protection System (RPS), but does not change or alter the plant-level diversity between RPS and other plant systems. Other sensor inputs within RPS (e.g., reactor dome pressure) are diverse from the PRNM System since these other sensor inputs do not utilize the NUMAC platform. Therefore, they are not subject to the same common-cause failures.

TABLE 2-1 CROSS-REFERENCE OF NEDC-30851 P-A EVENTS TO CGS FSAR

IDENTIFIED EVENT | FSAR SECTION

Appendix F - Transient/Accidents Analyses
Main Steam Isolation Valve (MSIV) Closure | 15.2.4
Turbine Trip (with bypass) (See Note 1) | 15.2.3
Generator Trip (with bypass) (See Note 1) | 15.2.2
Pressure Regulator Failure (Primary Pressure Decrease) (MSIV Closure) | 15.1.3
Pressure Regulator Failure (Primary Pressure Decrease) (Level 8 Trip) | 15.1.3
Pressure Regulator Failure (Primary Pressure Increase) | 15.2.1
Feedwater Control Failure (High Reactor Water Level) | 15.1.2
Feedwater Flow Control Failure (Low Reactor Water Level) | 15.2.7
Loss of Condenser Vacuum | 15.2.5
Loss of AC Power (Loss of Grid Connections) | 15.2.6
Loss of AC Power (Loss of Transformer) | 15.2.6

Appendix G - Other Events
Loss Of One Feedwater Heater | 15.1.1
Start of Idle Recirculation Pump between 60% and 65% CTP | 15.4.4
Rod Withdrawal Error from 0% to 100% CTP | 15.4.1, 15.4.2
Recirculation Pump Trip (One or Two Pumps) | 15.3.1
Loss of Instrument Air | 7.3.2 7.4.2 Note 2
Recirculation Flow Control Failure (Increase Flow) | 15.4.5
Recirculation Flow Control Failure (Decreasing Flow) | 15.3.2
Inadvertent Opening of One Safety/Relief Valve | 15.1.4
Inadvertent RHR Shutdown Cooling Operations | 15.1.6
Inadvertent Closure of One MSIV | 15.2.4
Partial MSIV Closure | 15.2.4
Recirculation Pump Seizure | 15.3.3
Rod Withdrawal at Power | 15.4.2, 15.4.9
High Flux due to Rod Withdrawal at Startup | 15.4.1, 15.4.9
Inadvertent Insertion of Control Rods | Note 2
Detected Fault in RPS | Note 2
Inadvertent startup of HPCI/HPCS | 15.5.1
Scram due to Plant Occurrences (Manual Scram) | Note 2
Spurious Trip via Instrumentation, RPS Fault | Note 2
Manual Scram - No Out-of-Tolerance Condition | Note 2

Note 1: CGS is also analyzed for this event without bypass capability, which is discussed in the referenced FSAR section.

Note 2: This event does not encroach upon any safety limit and as such is not specifically identified in the FSAR. The design and licensing basis for CGS continues to be met for this event as it is bounded by more limiting anticipated operational occurrences (AOOs) described in the FSAR.

NRC RSI 3:

For the CGS application of the GEH NUMAC PRNM/ARTS/MELLLA and OPRM Systems, please clearly identify and define all safety to non-safety data communications, including the data communications between the PRNM System and the Plant Computer and between independent/redundant PRNM channels. For the data communications among the four PRNM channels of the CGS PRNM System, please include a demonstration of compliance with NRC's "Digital Instrumentation and Controls, DI&C-ISG-04, Task Working Group #4: Highly-Integrated Control Rooms-Communications Issues (HICRc), Interim Staff Guidance, Revision 1," dated March 6, 2009 (ADAMS Accession No. ML083310185) (DI&C-ISG-04), for inter-channel communications. For the plant-specific data communications between the CGS PRNM System and the Plant Computer, please include a demonstration of compliance with DI&C-ISG-04 for safety to non-safety communications. Also address any other communication signals between safety and non-safety systems and/or Plant Computer, as well as any other inter-channel communications.

Energy Northwest Response:

The PRNM System data communication architecture is comprised of the following pathways:

  • Within the PRNM System (safety-to-safety) and for communications involving the Rod Block Monitors (RBMs) and Operator Display Assemblies (ODAs) (safety-to-non-safety)

  • Between the RBMs and the NUMAC Interface Computer (NIC) (non-safety-to-non-safety)

  • External communications beyond the NIC, including the Plant Process Computer (PPC) (non-safety-to-non-safety)

A diagram depicting this communication architecture is provided in Attachment 4.

In addition to the internal PRNM communications where the transition between safety related and non-safety related communication occurs, the output of the non-safety related Rod Block Monitors (RBM) is connected via fiber optic cable to the NUMAC Interface Computer (NIC) provided by GE Hitachi. Both of the RBMs communicate with the NIC via transmit and receive fiber optic cables. The NIC output is connected via fiber optic cables to the DASie computer provided by C3-ilex, referred to as the DMZ computer. The DMZ computer and NIC computers communicate with a proprietary communication protocol. The output of the DMZ computer is by transmit only fiber optic to the Plant Process Computer (PPC). The PPC communicates with the core monitoring system computer. The NIC and DMZ computers are connected to a stand alone Universal Time Code (UTC) generator. The DMZ computer has a bar code reader and a keyboard attached to allow inputs for LPRM gain adjustments. Procedural controls will be established to control the transmittal of LPRM and APRM gain information from the core monitoring system to the PRNM as discussed further in the response to RSI 7 below.

The way in which the gains are transmitted and accepted by the APRM for use does not affect the APRM's ability to perform its safety function as described in the attached ISG-04 compliance matrix.

All of the communication equipment from the RBMs to the PPC is non-safety related and is located in the main control room. Only status information data is transmitted to the PPC via the NIC and DMZ computers. The data being transferred does not involve any safety functions, either for the APRM or OPRM. Failure of the data being transmitted does not degrade the capability of the APRM or OPRM to perform its safety function.

This communication string does not support wireless communication and the equipment located in cyber security level 4 does not have any means for connecting external storage devices.

A compliance matrix that evaluates the CGS-designed PRNM System to the guidance of ISG-04 for the safety-to-non-safety communications within the PRNM System is provided in Attachment 2, pages 47 through 69 (of 78). This matrix demonstrates:

(1) The PRNM System design for CGS is compliant with ISG-04; and

(2) The architecture of the communications between safety and non-safety devices provides adequate protection for the safety instrumentation.

Energy Northwest has not developed specific compliance matrices for the RBM-to-NIC and communications external to the NIC communication architectures since these are non-safety-to-non-safety pathways for which ISG-04 does not apply.

NRC RSI 4:

In Section 3.3 of the LAR, the licensee stated that it complies with Section 73.54, "Protection of digital computer and communication systems and networks," of Title 10 of the Code of Federal Regulations (10 CFR), NRC Regulatory Guide (RG) 5.71, "Cyber Security Programs for Nuclear Facilities," dated January 2010, and Nuclear Energy Institute (NEI) 08-09, Revision 3, "Cyber Security Plan for Nuclear Power Reactors," dated September 2009. The LAR will not be reviewed for compliance to cyber security-related rules/guidance. However, the software changes will be reviewed for meeting the guidance of regulatory positions 2.1 through 2.5 of draft Regulatory Guide 1.152, Revision 3, which is available for public comment at the NRC's public Web site as DG-1249, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants" (ADAMS Accession No. ML100490539). For all software changes and updates, please provide the appropriate documents necessary for their comparison to the guidance of RG 1.152.

Energy Northwest Response:

In Attachment 2, a compliance matrix with Regulatory Guide 1.152, Revision 2 has been provided beginning on page 41. Regulatory positions 2.1 through 2.5 of Regulatory Guide 1.152, Revision 3 are addressed with the response provided and demonstrate that a secure development and operational environment (SDOE) for the CGS PRNM system has been established. The SDOE for the CGS PRNM system ensures that (i) measures and controls have been taken to establish a secure environment for development of the PRNM system against undocumented, unneeded and unwanted modifications and (ii) that protective actions have been established to protect against a predictable set of undesirable acts (e.g., inadvertent operator actions or the undesirable behavior of connected systems) that could challenge the integrity, reliability, or functionality of the PRNM system during operations.

NRC RSI 5:

In accordance with the NUMAC PRNM LTR, both the documentation of the qualification activities and the required confirmation "should be included in the plant-specific licensing submittal." The licensee has provided limited information regarding plant-specific environmental conditions being encompassed by the generic environmental qualifications of the PRNM equipment. For example, in Section 4.4.2.2.1.4 of to the LAR, the licensee has stated that the control room temperature range is 40-104 degrees Fahrenheit which is encompassed by the generic conditions.

Please confirm that the worst-case temperature including the mounting panel temperature rise is encompassed by the generic qualification temperature envelope (see Section 3.4.1 of the Safety Evaluation Report (SER) for NEDC-32410P-A).

Similarly, the control room humidity range is stated as 10 to 60 percent, but it has not been made clear whether this is the maximum humidity under all conditions when the equipment functionality is required. Section 4.4.2.4.4 requires implementation of specific administrative actions as well as confirmation of electromagnetic interference (EMI) emission levels, which have not been fully addressed in Attachment 1 to the LAR.

Please provide the analyses or reference documents that demonstrate the environmental conditions for the CGS PRNM System configuration are enveloped by the conditions to which GEH NUMAC PRNM System equipment has been environmentally qualified (for example, NRC RG 1.89, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants"; Institute of Electrical and Electronics Engineers (IEEE) 323-1974; IEEE 323-1983; NRC RG 1.100 "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants"; IEEE 344-1975, etc.) as discussed in Section 4.4.2 of GE LTR NEDC-32410P-A and as required in Section 5.0, item 4 of the original SER for the LTR.

Energy Northwest Response:

The main control room at Columbia Generating Station is considered a mild environment for all Design Basis Events and Accidents. The License Basis for Columbia Generating Station does not require environmental qualification of safety-related equipment in the main control room. New PRNM equipment being installed in the main control room must meet the environmental design conditions for the main control room.

THERMAL

The maximum limit for the CGS main control room is 104°F. As addressed in the GE/Hitachi Qualification Summary (4.2.2.1), GE measured the heat rise in similar PRNM equipment as 15°F. They applied an additional 5°F conservatism for a PRNM required design temperature of 124°F. For testing, the margin in IEEE 323-1974 of 15°F was added to the required test temperature (139°F). All PRNM equipment has been tested to 142°F giving an additional 3°F margin. The tested capability exceeds the maximum allowed control room conditions including internal heat rise.

The minimum design limit for main control room is 40°F. As addressed in the GE/Hitachi Qualification Documentation, all PRNM equipment has been tested to 4.44°C (40°F). Therefore, the new PRNM equipment is capable of functioning in the lowest design basis ambient temperature for the main control room.

Other Margin: To support coping with a station blackout event, the main control room is required to operate at 75°F ± 3°F (72°F to 78°F). This operating envelope is controlled by the Licensee Controlled Specifications.

HUMIDITY

The design basis humidity conditions for the main control room are 10% - 60% rh. The PRNM equipment is designed for ambient humidity of 20% - 90% rh (non-condensing).

The equipment was tested in humidity conditions of 20% - 90% rh. The main control room upper design basis value of 60% rh is bounded by the testing performed. The test equipment was limited to a lower humidity level of 20% rh. GE/Hitachi has analyzed the PRNM equipment and determined low humidity was not a concern. The low humidity can challenge equipment by drying out components or producing conditions that promote electrostatic discharges. Based on a review by GE/Hitachi, the PRNM equipment does not contain components susceptible to drying out. Electrostatic discharge testing was successfully conducted on the equipment.

A study of actual humidity conditions at the site over a two year time period showed that the lowest daily average humidity was 19% rh. Based on the HVAC design for the control room the ambient humidity is representative of the outside average humidity rather than the lowest level during the day.

Based on testing and analysis, the PRNM equipment has been shown to be capable of functioning in the humidity range inside the main control room during normal and design basis event/accident conditions.

PRESSURE

The main control room ambient pressure conditions are the same as normal atmospheric conditions except during a DBE LOCA when the main control room is pressurized to around 1" WC to maintain habitability. The PRNM equipment was tested from 13-16 psi which envelops the required conditions.

RADIATION

The main control room uses shielding and HVAC pressurization during accident conditions to limit radiation exposure to operating personnel. The normal operating design limit for the main control room is < 1 mR/hr and a TID gamma dose over 40 yrs of 350 Rad. During accident conditions the main control room dose is limited to less than 5 Rads in 30 days. The PRNM equipment was tested at 0.5 mR/hr up to 1000 Rads TID gamma. The testing exceeds the required dose.

SEISMIC QUALIFICATION

Since the PRNM equipment is safety-related, it has been seismically qualified by GE/Hitachi to the requirements of IEEE 344-1975. Analysis was used to determine the seismic accelerations at the PRNM equipment mounting locations and testing was used to qualify the equipment for the required seismic accelerations.

GENERAL

Similarity analyses were used to show that the type testing was applicable to the specific equipment being supplied to Columbia Generating Station.

ELECTROMAGNETIC COMPATIBILITY (EMC)

The CGS main control room emissions are below the limits established in RG 1.180 and EPRI-TR-102323, Guidelines for Electromagnetic Interference Testing in Power Plants, Rev. 2, dated 2000. The CGS emission levels were obtained using data taking methodologies consistent with MIL-STD-461E recommended test set-ups for RE101, RE102 and CE101. The EMI mapping was performed in June, 2004. Since June 2004, modifications in CGS have all met the EMC qualification requirements of RG 1.180 in accordance with plant procedures. Additionally, the use of portable transceivers is administratively controlled by CGS procedure PPM 1.3.72, "Control of Portable RF Transmitting Devices".

Electrical separation is maintained in accordance with CGS Design Specification 201, "Electrical Separation Design Requirements". The CGS PRNM design meets the separation requirements of CGS Design Specification 201.

Several test methods were performed on generic PRNM instruments in order to demonstrate that the instruments will not be susceptible to failure under certain electromagnetic conditions and that the new design is compatible with electromagnetic environments where the equipment will be installed. The differences between the CGS instruments and the tested instruments were evaluated and found to have no impact on the EMC qualification levels of the CGS instruments. The new PRNM equipment that will be installed at CGS is electro-magnetically qualified based on specific analysis of requirements and comparisons with generic PRNM components.

The following two tables outline the EMC Testing Requirements per NEDC-32410P-A, October 1995, Licensing Topical Report, NUMAC PRNM Retrofit Plus Option III Stability Trip Function:

Table 5-1: Susceptibility Requirements

EMC | LTR test | RG 1.180 equivalent | Test Levels
Electrostatic Discharge | IEC 801-2 | None | LTR: Severity Level 4 (15 kV air, 8 kV contact)
Fast Transient/Burst | IEC 801-4 | IEC 61000-4-4 | LTR: Severity Level 4 (4 kV power lines, 2 kV other lines)(4); RG 1.180: 4 kV/2 kV power lines, 2 kV/1 kV other lines ("medium/low" exposure)
Surge Immunity | IEC 801-5 | IEC 61000-4-5 | LTR: Severity Level 4 (4 kV power lines); RG 1.180: 4 kV/2 kV power lines, 2 kV/1 kV other lines (medium/low exposure)
Power Leads | Mil-Std-461D, CS101 | Mil-Std-461E, CS101 | LTR: Mil-Std-461D, Figure CS101-1, 136 dBµV (30 Hz) to 116 dBµV (50 kHz); RG 1.180(1): 136 dBµV (30 Hz to 5 kHz) to 106.5 dBµV (150 kHz)
Electric Fields (picked up by connected cables) | Mil-Std-461D, CS114 | Mil-Std-461E, CS114 | LTR: Mil-Std-461D, Figure CS114-1, Curve 2, 43 dBµA (10 kHz) to 83 dBµA (4 MHz); RG 1.180(2): 100 dBµA (10-200 kHz), 97 dBµA (200 kHz - 30 MHz)
Magnetic Fields | Mil-Std-461D, RS101 | Mil-Std-461E, RS101 | LTR: Mil-Std-461D, Figure RS101-2, 180 dBpT (30 Hz to 60 Hz) to 116 dBpT (100 kHz); RG 1.180: 180 dBpT (30 Hz to 60 Hz) to 116 dBpT (100 kHz)
Electric Fields (picked up by equipment under test) | Mil-Std-461D, RS103 | Mil-Std-461E, RS103 | LTR: Mil-Std-461D, 10 kHz to 18 GHz, 25 V/m (pass/fail); 50 V/m (objective); RG 1.180(3): 30 MHz to 10 GHz, 10 V/m

Table 5-2: Emissions Requirements

| EMI | LTR test | RG 1.180 equivalent | Test Levels |
|---|---|---|---|
| Power Leads | Mil-Std-461D, CE102 | Mil-Std-461E, CE102 | LTR: Mil-Std-461D, Figure CE102-1, 94 dBμV (10 kHz) to 60 dBμV (500 kHz to 10 MHz). RG 1.180: 100 dBμV (10 kHz) to 79 dBμV (112 - 500 kHz), 73 dBμV (500 kHz - 2 MHz) |
| Electric Fields | Mil-Std-461D, RE102 | Mil-Std-461E, RE102 | LTR(1): Mil-Std-461D, Figure RE102-3 (Navy Fixed and Air Force), 44 dBμV/m (2 MHz to 100 MHz) to 89 dBμV/m (18 GHz). RG 1.180(2): 59 dBμV/m (2 - 25 MHz) to 72 dBμV/m (1 GHz) |

Analysis of LTR and RG 1.180 EMC requirements for Susceptibility and Emissions

Table 5-3 identifies all EMC testing that was performed on PRNM instrumentation.

Specific analysis is included for the qualification of the PRNM equipment.

Specific tests required by CGS in accordance with RG 1.180, where no equivalent GEH EMC test for qualification of PRNM instruments was performed, are listed in Table 5-4.

Analysis of these test requirements was performed, and determined that the test requirements listed in Table 5-4 are adequately bounded by the tests that were performed by GEH (Table 5-1). Therefore, it is shown that the intent of these specific test requirements was met.

The test method shown in Table 5-3 is the one most similar (per Reg. Guide 1.180) to the test method used for PRNM qualification.

Table 5-3: EMC and EMI Requirements

| Susceptibility | EMC Test | Analysis |
|---|---|---|
| Electrostatic Discharge | IEC 801-2 | PRNM instruments are qualified to these susceptibility requirements. An equivalent test is not required by RG 1.180. |
| Fast Transient/Burst, Power and Signal cables | IEC 801-4 | The test levels of IEC 801-4 are equal to or more limiting than those of IEC 61000-4-4, which is the test required by RG 1.180. Therefore, IEC 61000-4-4 is bounded by IEC 801-4. This test is acceptable for Fast Transient burst susceptibility qualification of PRNM instruments at CGS. |
| Surge Immunity | IEC 801-5 | The test levels of IEC 801-5 are equal to or more limiting than those of IEC 61000-4-5, which is the test required by RG 1.180. None of the connections for the PRNM equipment are routed in areas of significant exposure to lightning strikes. Additionally, all connections were confirmed to be highly buffered. Therefore, IEC 61000-4-4 is adequately bounded by IEC 801-5. This test is acceptable for Surge Immunity susceptibility qualification of PRNM system instruments at CGS. |
| Conducted Susceptibility, Power Leads, Low Frequency | MIL-STD-462D, CS101 | The test levels of MIL-STD-461D, CS101 are less severe than requirements per RG 1.180 (50 kHz vs 150 kHz). However, CS114 (next test below) extends testing levels to 10 kHz, overlapping this test for all but the frequency range from 30 Hz to 10 kHz. Additionally, the PRNM equipment also passed the transient/burst susceptibility test (IEC 801-4), which included broad frequency spectrums. The combination of this test, the CS114 test, and the IEC 801-4 test is sufficient to assure that the PRNM system also meets the qualification test levels of USNRC Regulatory Guideline 1.180. Therefore, the PRNM instrumentation meets the Conducted Susceptibility level requirements at CGS. |
| Conducted Susceptibility, Power Leads, and signal Leads, High Frequency | MIL-STD-462D, CS114 | The test levels of MIL-STD-461D, CS114 are less severe than requirements per RG 1.180. In order to qualify the NUMAC PRNM system relative to signal leads, the equipment was tested at substantially higher field strengths and frequencies than required by RG 1.180 in the Electric Fields susceptibility test MIL-STD-462D, RS103 (25 V/m up to 18 GHz vs. 10 V/m up to 10 GHz). This test provides adequate assurance that the equipment would pass the CS114 test at higher signal levels for the signal leads. Therefore, it can be concluded that the combined results of the MIL-STD-462D, CS114 and RS103 tests assure that the PRNM instrumentation qualification meets the intent of RG 1.180. In order to qualify the NUMAC PRNM system relative to power leads, additional CS114 testing was performed on hardware similar to that of the PRNM. The test levels used [103 dBμA (10-400 MHz)] exceed the requirements of those of the MIL-STD-461E, CS114. Therefore, it can be concluded that the results obtained by the additional test ensure that the PRNM instrumentation qualification meets the intent of RG 1.180. Therefore, the PRNM instrumentation meets the Conducted Susceptibility level requirements at CGS. |
| Magnetic Fields | MIL-STD-462D, RS101 | The test levels of MIL-STD-461D, RS101 are equal to or more limiting than those of MIL-STD-461E, RS101, which is the test required by RG 1.180. Therefore, MIL-STD-462E is bounded by MIL-STD-462D. Additionally, there are no known sources of magnetic fields near the NUMAC PRNM equipment. This test is acceptable for Magnetic Fields susceptibility qualification of PRNM system instruments at CGS. |
| Electric Fields (picked up by equipment under test) | MIL-STD-462D, RS103 | This test is required by RG 1.180 and the test levels of MIL-STD-461D, RS103 are equal to or more limiting than those of MIL-STD-461E, RS103, in field strength and frequency range. Therefore, MIL-STD-462E is bounded by MIL-STD-462D. This test is acceptable for Electric Fields Susceptibility qualification of PRNM instruments at CGS. |

General Notes:

(1) For source voltage > 28 V. 10 dBμV lower for lower source voltages.

(2) 91 dBμA from 10 kHz to 30 MHz for signal leads in "low exposure" areas.

(3) NRC Regulatory Guide 1.180, Rev 1 recommends applying CS114 for the frequency range 10 kHz to 30 MHz.

(4) PRNM LTR states 3 kV for other lines, but actual qualification testing was at 2 kV.

| EMI | Emissions Test | Analysis |
|---|---|---|
| Power Leads, High Frequency conducted | MIL-STD-462D, CE102 | The emission levels of MIL-STD-461D, CE102 (10 kHz to 10 MHz) are more restrictive than those required per RG 1.180 (10 kHz to 2 MHz). The NUMAC PRNM equipment was tested at substantially higher frequency (10 kHz to 10 MHz) than required by RG 1.180. The highest levels obtained per this test were 42 dBμV with a little below 40 dBμV over most of the range. Therefore, the results of the MIL-STD-462D, CE102 test meet the intent of RG 1.180. It is concluded that the PRNM instruments are qualified to meet power leads conducted emissions requirements. |
| Radiated emissions, Electric Fields | MIL-STD-462D, RE102 | The test levels of MIL-STD-461D, RE102 are more limiting than those of MIL-STD-461E, RE102, which is the test required by RG 1.180. Therefore, MIL-STD-462E, RE102 is bounded by MIL-STD-462D, RE102. This test is acceptable for Electric Fields Radiated Emissions of PRNM instruments at CGS. |

General Notes:

(1) Actual measured emissions were higher than these values at some frequencies, but were justified for the generic PRNM by GEH as adequate for BWR control room applications.

(2) NRC Regulatory Guide 1.180, Rev 1 requires qualification up to 10 times the maximum intentionally generated frequency within the equipment. The maximum intentionally generated frequency in the PRNM equipment is 32 MHz, the clock frequency of the processor in the 80386 CPU Module, which gives a maximum upper frequency requirement from NRC Regulatory Guide 1.180, Rev 1 of less than 1 GHz.

Table 5-4: Specific Tests

| Test not included in GEH EMC qualification of PRNM instrumentation | Test per Reg. Guide 1.180 | Analysis of excluded test |
|---|---|---|
| Susceptibility Tests | | |
| Conducted susceptibility, ring wave, power and signal cables | IEC 61000-4-12 | The NUMAC PRNM equipment was subjected to Electrostatic Discharge testing at maximum levels (test which is not identified in RG 1.180) and to radiated electrical field strengths 2.5 times the level recommended in RG 1.180. The combined results of these tests indicate a very high level of immunity to frequency distortions in the PRNM equipment to signals coupled in from outside the equipment, including EMI noise. Therefore, the combination of RS103 and CS114 tests (applicable to power cables and signal lines) performed overlaps the oscillatory frequency ranges recommended per RG 1.180 for the IEC 61000-4-12. Therefore, IEC 61000-4-12 is bound by MIL-STD-462D, RS103 and MIL-STD-462D, CS114, and it is acceptable that this test was not performed. |
| Emissions Tests | | |
| Power Leads, low frequency conducted | MIL-STD-462E, CE101 | Based on the results of test MIL-STD-462D, CE102, which shows that the higher frequency conducted emissions were kept below the levels recommended by MIL-STD-461E, CE101 (42 dBμV with a little below 40 dBμV), it is concluded that the PRNM instruments are qualified to meet the power leads, low frequency conducted emissions requirements. Therefore, MIL-STD-461E, CE101 is bounded by test MIL-STD-461D, CE102, and it is acceptable that this test was not performed. |
| Radiated emissions, magnetic | MIL-STD-462E, RE101 | The NUMAC PRNM equipment does not include "magnetic field generators" and equipment is not located near equipment that could potentially be affected by radiated magnetic fields. Also, each PRNM "channel" is encapsulated in its own bay, providing sufficient shielding to protect adjacent equipment. This is consistent with USNRC Regulatory Guideline 1.180, Rev 1. Therefore, it is acceptable that this test was not performed. |

The PRNM components, when mounted in accordance with the specified mounting methods, are qualified by type testing and analysis to demonstrate that the PRNM system will perform all specified functions correctly when operated within the specified EMI limits.

Based on CGS analysis of the GEH Qualification Summary, the PRNM components are capable of performing their intended functions within design limits and without degradation when subjected to the Electro Magnetic Interference (EMI) conditions as specified in:

  • EPRI Report "Guidelines for EMI Testing in Power Plants" EPRI TR-102323, June 1994,
  • EPRI-TR-102348 Rev 1 "Guideline on Licensing Digital Upgrade", per Reg. Guide 1.180 "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Controls".
  • Reg. Guide 1.180 "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Controls".
  • EMC/RFI analysis results shown in Tables 5-3 and 5-4.

NRC RSI 6:

As required by item 6 of Section 5.0 in the original SER for the LTR, please provide the information necessary to demonstrate that any changes to CGS's operator's panel have received human factors reviews per plant-specific procedures. Please provide the necessary information for the NRC staff to determine that human factors review has been conducted and meets the human factors review guidance. Please provide the human factors evaluation (HFE) information for staff review.

Energy Northwest Response:

HUMAN FACTORS

The PRNM system design is analyzed in accordance with NUREG-0700 and the CGS Design Specification 204 for Human Factors. The discussion is generic to the RBM, APRM, OPRM, and LPRM components, which are all a NUMAC design.

Human Factors considerations for panel H13/P608:

The design for the new PRNM system replacement complies with NUREG-0700 requirements as applicable to panel H13/P608. The following human factors requirements were met by the new PRNM system:

  • Functional layout considerations when determining control panel dimensions have been met. The new hardware for the replacement system is mounted in the existing panel after removal of the currently installed APRM hardware. This configuration complies with requirements of NUREG 0700.
  • Labeling of control panels and instrument racks was in compliance with CGS Design Specification 204.
  • The new PRNM system provides new indications (in bar-graph format and LCD displays) and annunciations of alarms. The PRNM annunciator changes were made to be consistent with the design and terminology of the current Power Range Monitoring system.
  • The addition of the displays to panel H13/P608 provides the Operators with quick access to APRM, LPRM, OPRM, and RBM information that is currently unavailable or requires extensive investigation and troubleshooting. The menus may be scrolled to display different groups of information. The top of each menu display is reserved for critical information and channel status, including INOP, Bypass, Trouble, and Alarm indications to ensure that the Operator is always aware of the status of the chassis. (( )). This minimizes the risk of operator error. The changes to the human machine interfaces at panel H13/P608 are equivalent to or better than the existing interface. The changes are consistent with CGS Design Spec 204 and NUREG 0700 human factors.
  • The new PRNM system is designed to facilitate the recognition, location, replacement, repair, and/or adjustment of malfunctioning components or modules. The self-test features provide fault information at the chassis panel display that allows the Operators and Maintenance personnel to determine the exact fault location and type. The self-test provides alarms and indications to panel H13/P603 to alert operators of a fault condition. The existence of a fault is displayed on the top of all displays, including the respective ODA, as a trouble indication. Additionally, an audible trouble alarm is provided at panel H13/P603. A critical fault will also result in an INOP vote (and rod block) from the respective APRM chassis, or rod block from the RBM Chassis. The design of the panel display is consistent with NUREG 0700 requirements, sections 1.2, 1.3, and 1.4.
  • Switch keys and firmware passwords will be required to be retained and controlled for access to the system for calibration and testing, including bypassing and un-bypassing LPRM detectors. This design conforms to the requirements of Capability for Test and Calibration as per IEEE-279-1971 Paragraph 4.10 and conforms to the requirements of Access to Set Point Adjustment, Calibration, and Test Points as per IEEE-279-1971 Paragraph 4.18. This design is consistent with sections 2.9 (System Security) and 12.1.1.11-5 (User-Configuration Displays) of the NUREG 0700.

The base design for panel H13/P603 uses the existing operator interface devices, so there is no effect on the plant human factors evaluation as stated in NEDC-32410P-A.

Human Factors considerations for Control Room Panel H13/P603:

One of the major changes in this panel is the introduction of ODAs per the new PRNM system design. Four (4) ODAs will be installed in this panel to replace the existing four (4) groups of four (4) (total = sixteen (16)) LPRM analog meter displays. Location of ODAs and switches have been reviewed and approved by CGS operations and meet NUREG 0700 requirements. The ODAs are self-contained graphics displays with four menu soft-keys below the display. The ODAs provide alphanumeric indication of system parameters, and can be scrolled by the operator to provide additional information. There is an ODA provided for each RBM (A and B), and two (2) ODAs for the four APRM channels. APRM ODAs provide OPRM status information, indication of bypasses, and conventional APRM and LPRM data. This simplifies data presentation to the operators by the removal of existing selector switches.

o The display is divided into upper, mid, and lower display sections that provide critical information to the operator. This meets the requirement of Data Presentation as per CGS "Design Specification for Division 200 Section 204 Human Factors", in accordance with NUREG 0700.

o The controls (bypassing) and displays (ODAs) are readily available and provide the operating personnel with logical arrangement of indications to allow rapid assessment of plant conditions and for operator actions if required. This complies with the requirements of CGS "Design Specification for Division 200 Section 204 Human Factors", and NUREG 0700. Additionally, this design conforms to the requirements of "Indication of Bypasses" per IEEE-279-1971 Paragraph 4.13.

o Data displays are designed such that optical reflections, ambient noise, and control room environmental factors do not interfere with the ability of the operators to perceive and comprehend the data provided by the new PRNM system. This complies with the requirements of CGS "Design Specification for Division 200 Section 204 Human Factors", and is in accordance with NUREG 0700 sections 1.5 (DISPLAY PAGES) and 1.6 (DISPLAY DEVICES).

o Adequate levels of illumination are part of the new ODAs and ensure that visual effectiveness is sufficient for task performance. This complies with the requirements of CGS "Design Specification for Division 200 Section 204 Human Factors", and is in accordance with NUREG 0700 section 7.2 (INFORMATION DISPLAY).

o The location and alarm setpoint information provided by the ODAs makes the APRM "push-to-record" switches APRM-RMS-1A, 1B, 1C, and 1D no longer necessary. The infrequently used switches are removed by this modification. The switches are used infrequently due to their unreliability and the difficulty in obtaining an accurate value off of the recorder's plotting paper. The digital alphanumeric display of the APRM setpoints is superior to using "push-to-record" switches. The removal of unnecessary switches meets the intent of CGS Design Spec 204 and NUREG 0700 for human factors.

  • The two (2) recirculation Flow Unit bypass switches (C52B-S7 and C52B-S8) will be removed. The function of the Flow Unit bypass switches is integrated into the single APRM bypass switch. A single bypass switch minimizes operator movement as there is only one switch instead of two (2). This improves operations and improves the ability of operating staff to take appropriate corrective actions from a centralized point. This complies with the requirements of CGS "Design Specification for Division 200 Section 204 Human Factors", and is in accordance with NUREG 0700.
  • The eight (8) IRM/APRM selector switches are removed from panel H13/P603 as these are no longer needed due to the addition of multi-channel Yokogawa recorders.
  • Labeling meets requirements of CGS "Design Specification for Division 200 Section 204 Human Factors", in accordance with NUREG 0700.

Human Factors considerations for Panel C91/P610:

  • As mentioned in the previous sections, all functions from the previous Power Range Monitoring system continue to be supported. The criteria established for the new PRNM system not only incorporates the minimum design criteria to be applied for maintaining the safety functions of the system, but also includes requirements applicable to digital computer based safety systems. The following Human Factors have been identified and met in panel C91/P610:

o Layout considerations for determining the location for controls and displays on this panel have been considered. The NIC and the DMZIC have also been designed such that optical reflections, ambient noise, and control room environmental factors do not interfere with the ability of the operators to perceive and comprehend the displayed data. This meets the intent of CGS "Design Specification for Division 200 Section 204 Human Factors", in accordance with NUREG 0700.

o Monitor light levels are adequate to ensure visual effectiveness as required by CGS Design Spec 204.

o Glare is almost non-existent and displays are not shadowed. Surface colors are recognizable under both normal and emergency lighting conditions. This meets the intent of CGS "Design Specification for Division 200 Section 204 Human Factors", in accordance with NUREG 0700.

Data submitted by GEH and the C3-ilex vendor about Human Factors requirements has been reviewed, checked, and accepted by CGS. The requirements pertaining to Human Factors for panel H13/P608, panel H13/P603 and panel C91/P610 have been met. Therefore, the requirements imposed by CGS "Design Specification for Division 200 Section 204 Human Factors" in accordance with NUREG 0700 have been met by this design.

NRC RSI 7:

The original SER for the LTR (Section 5, item 5), requires a plant-specific action to confirm administrative controls for channel bypass or removal for operation, as well as access to the PRNM operating panel and the Average Power Range Monitor/Oscillation Power Range Monitor (APRM/OPRM) channel bypass switch that will be provided (see paragraphs 3.10, 3.17, and 5.0, and Item 5 of the original SER for the LTR). Please describe the administrative controls that CGS will provide for the GEH NUMAC PRNM System upgrade. Please demonstrate in your response that the administrative controls are provided for manually bypassing APRM/OPRM channels, or protective function, and for controlling access to the CGS PRNM System panel and the APRM/OPRM channel bypass switch. Also, please identify and describe any administrative controls requiring operator involvement in the generation, review, and use of new Local Power Range Monitor gain and calculated core thermal power values, which can affect APRM and OPRM setpoints.

Energy Northwest Response:

The following delineates the administrative controls associated with the PRNM System Upgrade:

The PRNM system interfaces will be solely located in the Main Control Room at CGS.

In accordance with plant procedures, access to the Main Control room is limited to those with approval from station management and controlled by the use of key cards.

The CGS Operating Policies, Programs, and Practices Procedure dictates who, and under what circumstances, is allowed to operate equipment in the Main Control Room.

By procedure guidance, the PRNM equipment will be controlled with permission from Main Control Room Supervision. All operations personnel and technicians who will interface with the PRNM system will be trained on its operating fundamentals and the procedures which delineate their interaction with the system. This training will incorporate classroom and simulator training prior to the startup from the outage in which the PRNM plant modification is installed. A commitment to conduct this training prior to the startup from the outage that the PRNM modification is installed is provided in 0.

The APRM/OPRM bypass switch will be located on panel H13-P603 in the "Operator-at-the-Controls zone" within the main control room. By procedure, entry into this area requires Control room supervision permission. The APRM/OPRM bypass switch will cause an indicator lamp to illuminate, as well as an indication of bypass status on displays at the APRM and its respective ODA. The APRM/OPRM bypass switch will be operated in accordance with plant procedures by a Licensed Reactor Operator.

The PRNM panel access will be controlled by several means in addition to the Main Control Room controls. There are three modes in which the PRNM panels can be used to manipulate the equipment, INOP-CAL, INOP-SET, and OPER-SET.

(( ))

Local Power Range Monitor (LPRM) gain values and Core Thermal Power (CTP) values will be determined in accordance with plant procedures. Plant personnel will be required by procedure to obtain Operations supervision permission to upload the LPRM gain and CTP values into the PRNM as per the administrative controls described above (( )). Energy Northwest had previously committed, in Attachment 9 of the original LAR, to establishing these administrative controls prior to startup from the outage in which the PRNM modification is installed.

NRC RSI 8:

To support NRC assessment of the acceptability of the LAR for the CGS PRNM System setpoints, please provide documentation (including representative calculations) of the setpoint methodology used for establishing the limiting setpoint (or nominal setpoint) and the limiting acceptable values for the As-Found and As-Left setpoints. Please indicate the related Analytical Limits and other limiting design values (and the sources of these values) for each setpoint. In addition to demonstration of acceptable values for the new OPRM Upscale setpoint, the representative calculations should reflect the upgraded equipment to confirm values for existing setpoints, such as Neutron Flux-High (Setdown), Fixed Neutron Flux-High, and Flow Biased Simulated Thermal Power-High.

If more than one setpoint methodology (e.g., plant-specific setpoint methodology and GE setpoint methodology) has been used, please identify them and provide the needed information for each method. Also, please confirm whether or not the single-sided setpoint method of calculation has been used for any of the setpoints. Please identify any cycle-specific setpoints and how they will be controlled. For those setpoints which are controlled in a document other than the TSs (e.g., OPRM-related setpoints), please describe how it will be ensured that the controls will be implemented.

Energy Northwest Response:

See Attachment 3. Cycle specific setpoints for the OPRM and RBM are required by Technical Specifications to be specified in the Core Operating Limits Report (COLR).

The current OPRM system setpoints are presently specified in the COLR. As discussed in the LAR section 3.5.5, inclusion of the RBM setpoints in the COLR was approved by the NRC for Monticello.

Applicable Sections of GE-MS-CT-106244-KM115 (Non-proprietary version)

Information Notice

This is a non-proprietary version of Attachment 2, from which the proprietary information has been removed. Portions of the Attachment that have been removed are indicated by an open and closed bracket as shown here (( )). Pages 1 through 69 (of 78) are included. Pages 70 through 78 (of 78) are not included.

GE-MS-CT-106244-KM115 GEH Non-Proprietary Information

Request for Supplemental Information #1

Please identify the changes to the GEH NUMAC PRNM System platform from those defined and approved on September 5, 1995 within GE Nuclear Energy (GE) Licensing Topical Report (LTR), "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," NEDC-32410P-A, dated October 1995 (ADAMS Legacy Accession No. 9605290009).

For example, the identified changes should include those to hardware, programmable devices, software, applicable development processes, and the like, that will be reflected within the CGS PRNM System upgrade. When considering the software development processes for the platform, the response should address changes (from that previously approved for the GE LTR NEDC-32410P-A) to the applicable documentation that is identified under Section B.2 of the Standard Review Plan (SRP or NUREG-0800), Branch Technical Position 7-14, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems," Revision 5, March 2007 (ADAMS Accession No. ML070670183), and the secure development and operational environment.

Response to Request for Supplemental Information #1

The response is prepared in four parts:

Part 1 provides a discussion of the hardware changes that have been made to the PRNM platform by comparing the Columbia PRNM to the Hatch PRNM, which is identical to the platform described in the PRNM LTR. Tables 1-1, 1-2, and 1-3 provide a detailed comparison of the hardware modules used in each application. Table 1-4 provides the detailed change history for all hardware modules.

Part 2 provides a discussion of the software changes that have been made to the PRNM platform, including a description of the overall software change process. Table 1-5 provides the detailed change history for all affected source code modules leading up to the Columbia application.

Part 3 provides a discussion of the changes that have been made to the approved software development process, including changes to the NUMAC software plan documents and compliance with Branch Technical Position (BTP) 7-14. Table 1-6 provides the detailed revision history for each of the NUMAC software plan documents. Table 1-7 provides a correlation of the NUMAC PRNM design process to section B.2 of BTP 7-14.

Part 4 provides a discussion of PRNM compliance with regulatory changes that have occurred since the PRNM LTR was first reviewed and approved. Table 1-8 provides an evaluation of the PRNM against the current applicable Regulatory Guides (RG) identified in Table 7-1 of the SRP or NUREG-0800. Table 1-9 provides a correlation of the NUMAC PRNM design process to RG 1.152 Revision 2 and Table 1-10 provides a correlation of the NUMAC PRNM design process to IEEE 7-4.3.2-2003.

All programmable logic devices used in the Columbia PRNM application are the original design. No evaluation of changes to programmable logic devices was performed because the design of these devices has not changed since the original design that was reviewed and approved by the Nuclear Regulatory Commission (NRC).

Part 1: NUMAC PRNM Platform Hardware Changes

The first PRNM system installed in the United States was installed at Hatch in 1997. The PRNM platform at Hatch is identical to the platform described in PRNM LTR NEDC-32410P-A, and therefore provides a basis for comparison to the platform that was originally reviewed and approved by the NRC. Tables 1-1, 1-2, and 1-3 show the differences in the NUMAC platform between the initial United States (US) application at Hatch in 1997 and the Columbia PRNM application by comparing the part numbers of the hardware modules used in the Hatch application to the part numbers of the hardware modules used in the Columbia application. Table 1-4 summarizes all the changes to the hardware modules by parts list revision since the initial US application at Hatch.

Regardless of any hardware changes that have occurred since the original application, if the part number used for Columbia is the same part number that was used for Hatch, then the part is fully interchangeable with respect to form, fit and function in accordance with GEH engineering operating procedures. The following paragraphs provide details of the significant hardware platform changes.

APRM Chassis Subassembly

((

GEDAC Communication/Memory Module

Relay Logic Card

((

Part 2: NUMAC PRNM Platform Software Changes

Table 1-5 identifies changes made to the safety-related generic APRM/Oscillation Power Range Monitor (OPRM) firmware since the original design up to and including changes made for the Columbia PRNM. The table lists the files containing revised firmware and a description of the changes. This table does not include changes made to the data files that are changed for each new plant application. These changes have been made in accordance with the NUMAC Verification and Validation (V&V) process and the NUMAC configuration management process that were previously reviewed and approved by the NRC, as stated in Section 3.2 of the safety evaluation report (SER) in NEDC-32410P-A. The following is a synopsis of the APRM/OPRM software evolution process:

Design Inputs

Firmware Control

Firmware History

((

))

Firmware Testing

Future Application

((

Summary

))

Part 3: NUMAC PRNM Platform Software Development Process Changes

Section 3.2 of the SER in LTR NEDC-32410P-A states that the standard NUMAC software development process defined by these plans and implemented for PRNM has been reviewed and accepted by the NRC. Consistent with the commitment that was made by GEH to the NRC as documented in Section 3.2 of the SER in NEDC-32410P-A, the NUMAC software development plans were issued as formally controlled corporate documents. Since the NRC first reviewed and approved the NUMAC software development plans, several changes have been made to these documents. These document changes were made in accordance with GEH procedures and in accordance with the required engineering and quality assurance reviews as was committed to the NRC at the time NEDC-32410P-A and these NUMAC software development plans were first reviewed and approved. The changes that have been made to these documents do not in any way alter the fundamental software life cycle process that was originally reviewed and approved by the NRC. Table 1-6 summarizes the revision history of the NUMAC software plans since they were first reviewed and approved by the NRC. Table 1-7 shows the correlation of the NUMAC design process to the requirements of BTP 7-14 Revision 5.

NUMAC Software Plans Revision History

BTP 7-14 Compliance

The primary NRC guideline available at the time the NUMAC design processes were developed was NRC RG 1.152 Revision 0 (1985), primarily endorsing ANSI/IEEE 7-4.3.2-1982. IEEE 7-4.3.2-1993 was issued prior to completion of the original PRNM design, but was not endorsed by the NRC until 1996 (via RG 1.152 Revision 1). Evaluation of the NUMAC design process against both of those guides is included in NEDC-32410P-A, Appendix A. In addition, NEDC-32410P-A, Supplement 1, Appendix A, includes an evaluation of the process to ANSI NQA2, Part 2.7. A general description of the design process applied to the NUMAC PRNM is included in NEDC-32410P-A, Chapter 9. Finally, Appendix C in NEDC-32410P-A includes a comparison of the NUMAC PRNM equipment with NUMAC equipment previously designed and reviewed by the NRC.

Since the original PRNM design and NRC review of the NUMAC PRNM LTR, the NRC has issued BTP 7-14 Revision 5. This BTP and most of the NRC RGs listed therein were not issued at the time of the original design of the NUMAC PRNM equipment. BTP 7-14 guidance is intended to address complete digital systems in a plant, including full Reactor Trip Systems and Engineered Safety Features Systems. ((

)) Extensive field experience of NUMAC equipment, including PRNM, demonstrates that the design process applied for the NUMAC equipment, including PRNM, provides a fully adequate digital design for the NUMAC applications.

Part 4: PRNM Platform Regulatory Compliance Discussion

NRC regulatory guidance and associated codes and standards have evolved since NEDC-32410P-A and NEDC-32410P-A Supplement 1 were first reviewed and approved by the NRC. Table 1-8 provides an evaluation of the NUMAC PRNM platform against current revisions of regulatory guidance cited in NUREG-0800 SRP versus the guidance listed in NEDC-32410P-A.

The primary NRC guideline available at the time the NUMAC design processes were developed was RG 1.152 Revision 0 (1985), primarily endorsing ANSI/IEEE 7-4.3.2-1982. The NUMAC design process was later evaluated against and found to be compliant with RG 1.152 Revision 1 (1996), primarily endorsing IEEE 7-4.3.2-1993. The latest version of RG 1.152 endorses IEEE 7-4.3.2-2003 and includes cyber security requirements. Table 1-9 provides a correlation of the NUMAC PRNM design process to RG 1.152 Revision 2 (2006), and specifically to the regulatory position on cyber security. The same analysis may be applied to the guidance of regulatory positions 2.1 through 2.5 of draft RG 1.152 Revision 3 (DG-1249) regarding the establishment of a secure development and operational environment.

NEDC-32410P-A provides a comparison of the NUMAC PRNM design process to IEEE 7-4.3.2-1993, which is structured as a supplement to IEEE 603-1991 to identify additional requirements applicable to digital computer based safety systems. As stated in NEDC-32410P-A, IEEE 603-1991 applies primarily to the overall system design and, to the extent it applies to PRNM, largely duplicates the requirements of IEEE 279-1971.

Clarifications in IEEE 603-1991 have been considered in the evaluations of channel independence, separation, and single failures. IEEE 7-4.3.2-2003 represents an incremental change from IEEE 7-4.3.2-1993 that PRNM has already been evaluated against. Table 1-10 provides an updated correlation of the NUMAC PRNM design process against the requirements of IEEE 7-4.3.2-2003.

Table 1-1. NUMAC Platform Changes - APRM Chassis

Column headings: Module; Part Number Used for Hatch APRM (1997); Part Number Used for Columbia APRM (2010)

(( ))

Table 1-2. NUMAC Platform Changes - RBM Chassis

Column headings: Part Number Used for Hatch RBM (1997); Part Number Used for Columbia RBM (2010)

(( ))

Table 1-3. NUMAC Platform Changes - Two-Out-Of-Four Logic Module

Column headings: Module; Part Number Used for Hatch Two-Out-Of-Four Logic Module (1997); Part Number Used for Columbia Two-Out-Of-Four Logic Module (2010)

(( ))

Table 1-4. Changes to Hardware Modules by Parts List Revision

Column headings: Module; Part Number; Parts List Rev; Date; Description

(( ))

Table 1-5. NUMAC APRM/OPRM Firmware Changes

Column headings: File; Description of Change; File Date

(( ))

Table 1-6. Revision History of NUMAC Software Plans

Table 1-7. Correlation of PRNM Design Process to BTP 7-14

Software Life Cycle Process Planning

Column headings: BTP 7-14 Section B.2.1; NUMAC PRNM Design Process

Software Management Plan (SMP)

Software Development Plan (SDP)

Software Quality Assurance Plan (SQAP)

Software Integration Plan (SIntP)

Software Installation Plan (SInstP)

Software Maintenance Plan (SMaintP)

Software Training Plan (STrngP)

Software Operations Plan (SOP)

Software Safety Plan (SSP)

Software Verification and Validation Plan (SVVP)

Software Configuration Management Plan (SCMP)

Software Test Plan (STP)

Software Life Cycle Process Implementation

Column headings: BTP 7-14 Section B.2.2; NUMAC PRNM Design Process

Requirements:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

Design:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

Implementation:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

Integration:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

Validation:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

Installation:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

Operations and Maintenance:

  • Safety analysis
  • V&V analysis and test reports
  • Configuration management reports
  • Testing activities

))

Software Life Cycle Process Design Outputs

Column headings: BTP 7-14 Section B.2.3; NUMAC PRNM Design Process

Software requirements specifications
Hardware and software architecture descriptions
Software design specifications
Code listings
Build documents
Installation configuration tables
Operations manuals
Maintenance manuals
Training manuals

Table 1-8. Comparison of NUMAC PRNM LTR versus the Regulatory Guides Listed in Standard Review Plan

Column headings: Guide Number; Title; Revision Listed in LTR; Revision Listed in SRP*; Evaluation

Periodic Testing of Protection System Actuation Functions (Safety Guide 22); 0; 0; ((
1.47; Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems; 0; 0
1.53; Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems; 0; 2
1.62; Manual Initiation of Protective Actions; 0
1.75; Physical Independence of Electric Systems; 2; 3
1.105; Setpoints for Safety-Related Instrumentation; 1; 3
1.118; Periodic Testing of Electric Power and Protection Systems; 2; 3
1.151; Instrument Sensing Lines; --; 0
1.152; Criteria for Digital Computers in Safety Systems of Nuclear Power Plants; 0; 2
Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants; --; 1
1.169; Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants; 0
1.170; Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants; 0
1.171; Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants; 0
1.172; Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants; 0
1.173; Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants; 0
1.180; Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems; --; Rev. 1
1.204; Guidelines for Lightning Protection of Nuclear Power Plants; --; Rev. 0

* Applicable RGs per SRP Table 7-1, Safety Analysis Report (SAR) Chapter 7.2

Table 1-9. Correlation of PRNM Design Process to RG 1.152 Revision 2

Column headings: C. Regulatory Position; NUMAC PRNM Design Process

1. Functional and Design Requirements
2. Security
2.1 Concepts Phase
2.2 Requirements Phase
2.2.1 System Features
2.2.2 Development Activities
2.3 Design Phase
2.3.1 System Features
2.3.2 Development Activities
2.4 Implementation Phase
2.4.1 System Features
2.4.2 Development Activities
2.5 Test Phase
2.5.1 System Features
2.5.2 Development Activities
2.6 Installation, Checkout, and Acceptance Testing
2.6.1 System Features
2.6.2 Development Activities
2.7 Operation Phase
2.8 Maintenance Phase
2.8.1 Maintenance Activities
2.8.2 Quality Assurance
2.8.3 Incident Response
2.8.4 Audits and Assessments
2.9 Retirement Phase
3. Referenced Standards

))

Table 1-10. Correlation of PRNM Design Process to IEEE 7-4.3.2-2003

Column headings: IEEE 7-4.3.2-2003 Paragraph; NUMAC PRNM Design Process

1. Scope
2. References
3. Definitions and abbreviations
4. Safety system design basis
5. Safety system criteria
5.1 Single failure criterion
5.2 Completion of protective action
5.3 Quality
5.3.1 Software development
5.3.1.1 Software quality metrics
5.3.2 Software tools
5.3.3 Verification and validation
5.3.4 Independent V&V (IV&V) requirements
5.3.5 Software configuration management
5.3.6 Software project risk management
5.4 Equipment qualification
5.4.1 Computer system testing
5.4.2 Qualification of existing commercial computers
5.5 System integrity
5.5.1 Design for computer integrity
5.5.2 Design for test and calibration
5.5.3 Fault detection and self-diagnostics
5.6 Independence
5.7 Capability for test and calibration
5.8 Information displays
5.9 Control of access
5.10 Repair
5.11 Identification
5.12 Auxiliary features
5.13 Multi-unit stations
5.14 Human factor considerations
5.15 Reliability
6. Sense and command features - functional and design requirements
7. Execute features - functional and design requirements
8. Power source requirements

))

Request for Supplemental Information #3

For the CGS application of the GEH NUMAC PRNM/ARTS/MELLLA and OPRM Systems, please clearly identify and define all safety to non-safety data communications, including the data communications between the PRNM System and the Plant Computer and between independent/redundant PRNM channels. For the data communications among the four PRNM channels of the CGS PRNM System, please include a demonstration of compliance with NRC's "Digital Instrumentation and Controls, DI&C-ISG-04, Task Working Group #4: Highly-Integrated Control Rooms-Communications Issues (HICRc), Interim Staff Guidance, Revision 1," dated March 6, 2009 (ADAMS Accession No. ML083310185) (DI&C-ISG-04), for inter-channel communications. For the plant-specific data communications between the CGS PRNM System and the Plant Computer, please include a demonstration of compliance with DI&C-ISG-04 for safety to non-safety communications. Also address any other communication signals between safety and non-safety systems and/or Plant Computer, as well as any other interchannel communications.

Response to Request for Supplemental Information #3

The GEH scope for this request was to supply the ISG-04 matrix. Table 3-1 contains the ISG-04 matrix.

Table 3-1. ISG-04 Compliance Matrix

Column headings: ISG-04 Text/Guidance; Columbia PRNM Conformance to ISG-04

1. Scope:

2. ISG-04 Text/Guidance: Design and review of digital systems proposed for safety related service in nuclear power plants
Columbia PRNM Conformance: This statement is not a requirement.

3. ISG-04 Text/Guidance: Does not apply to interactions within the same division of safety related systems
Columbia PRNM Conformance: This statement defines the scope but is not a requirement.

4. ISG-04 Text/Guidance: Does not apply to non-safety related systems
Columbia PRNM Conformance: This statement defines the scope but is not a requirement.

5. ISG-04 Text/Guidance: Applies to non-safety related systems that may affect plant conformance to safety analysis (accident analysis, transient analysis)
Columbia PRNM Conformance: This statement defines the scope but is not a requirement.

6. Definitions:

7. ISG-04 Text/Guidance: The term "Highly-Integrated Control Room" (HICR) refers to a control room in which the traditional control panels, with their assorted gauges, indicating lights, control switches, annunciators, etc., are replaced by computer-driven consolidated operator interfaces. In an HICR:
Columbia PRNM Conformance: The statement is not a requirement but a definition. The following is provided for clarification only. Operator Display Assemblies (ODAs) are provided as part of the Power Range Neutron Monitor (PRNM) upgrade for displaying PRNM variables and status. The ODAs are not used to control safety functions.

8. ISG-04 Text/Guidance: The primary means for providing information to the plant operator is by way of computer driven display screens mounted on consoles or on the control room walls
Columbia PRNM Conformance: The ODAs are generally used as the primary display for some functions; however, most other parameters remain on the main bench board.

9. ISG-04 Text/Guidance: The primary means for the operator to command the plant is by way of touch screens, keyboards, pointing devices or other computer-based provisions
Columbia PRNM Conformance: PRNM does not provide capability to operate any plant equipment from the ODA, touch screens, keyboards, pointing devices, or any other computer-based provision.

10. ISG-04 Text/Guidance: A digital workstation is in essence just one device. Unlike a conventional control panel, there is no way for its many functions to be independent of or separated from one another, because they all use the same display screen, processing equipment, operator interface devices, etc. Functions that must be independent must be implemented in independent workstations
Columbia PRNM Conformance: Divisional separation is maintained in the PRNM. Displays, whether in the control room (ODA), or on the face of an instrument, are divisional.

11. ISG-04 Text/Guidance: This ISG describes how controls and indications from all safety divisions can be combined into a single integrated workstation while maintaining separation, isolation, and independence among redundant channels. This ISG does not alter existing requirements for safety-related controls and displays to support manual execution of safety functions.
Columbia PRNM Conformance: No comment. Not a requirement.

12. ISG-04 Text/Guidance: 1. INTERDIVISIONAL COMMUNICATIONS
Columbia PRNM Conformance: Not a requirement.

13. Scope:

14. ISG-04 Text/Guidance: As used in this document, interdivisional communications includes transmission of data and information among components in different electrical safety divisions and communications between a safety division and equipment that is not safety-related. It does not include communications within a single division. Interdivisional communications may be bidirectional or unidirectional.
Columbia PRNM Conformance: (( ))

15. STAFF POSITION

16. ISG-04 Text/Guidance: Bidirectional communications among safety divisions and between safety and nonsafety equipment is acceptable provided certain restrictions are enforced to ensure that there will be no adverse impact on safety systems.
Columbia PRNM Conformance: This is a high level guide and compliance is demonstrated by addressing the specific NRC guidance in the following sections.

17. ISG-04 Text/Guidance: Systems which include communications among safety divisions and/or bidirectional communications between safety division and non-safety equipment should adhere to the guidance described in the remainder of this section. Adherence to each point should be demonstrated by the applicant and verified by the reviewer. This verification should include detailed review of the system configuration and software specifications, and may also involve a review of selected software code.
Columbia PRNM Conformance: This is a high level guide and compliance is demonstrated by addressing the specific NRC guidance in the following sections. The reviewer in this document is assumed to be the NRC reviewer.

18. ISG-04 Text/Guidance: Staff Position 1.1. A safety channel should not be dependent upon any information or resource originating or residing outside its own safety division to accomplish its safety function. This is a fundamental consequence of the independence requirements of IEEE603. It is recognized that division-voting logic must receive inputs from multiple safety divisions.

19. ISG-04 Text/Guidance: Staff Position 1.2. The safety function of each safety channel should be protected from adverse influence from outside the division of which that channel is a member.

20. ISG-04 Text/Guidance: Staff Position 1.2 (implementation details). Information and signals originating outside the division must not be able to inhibit or delay the safety function. This protection must be implemented within the affected division (rather than in the sources outside the division), and must not itself be affected by any condition or information from outside the affected division. This protection must be sustained despite any operation, malfunction, design error, communication error, or software error or corruption existing or originating outside the division.
Columbia PRNM Conformance: (( ))

21. Continuation of response from above.

22. ISG-04 Text/Guidance: Staff Position 1.3. A safety channel should not receive any communication from outside its own safety division unless that communication supports or enhances the performance of the safety function. Receipt of information that does not support or enhance the safety function would involve the performance of functions that are not directly related to the safety function. Safety systems should be as simple as possible. Functions that are not necessary for safety, even if they enhance reliability, should be executed outside the safety system. A safety system designed to perform functions not directly related to the safety function would be more complex than a system that performs the same safety function, but is not designed to perform other functions. The more complex system would increase the likelihood of failures and software errors.
Columbia PRNM Conformance: ((

23. ISG-04 Text/Guidance: Continuation of staff position 1.3 from above. Such a complex design, therefore, should be avoided within the safety system. For example, comparison of readings from sensors in different divisions may provide useful information concerning the behavior of the sensors (for example, On-Line Monitoring). Such a function executed within a safety system, however, could also result in unacceptable influence of one division over another, or could involve functions not directly related to the safety functions, and should not be executed within the safety system.

24. Continuation of response to staff position 1.3.

))

25. Continuation of response to staff position 1.3.

26. ISG-04 Text/Guidance: Staff Position 1.3 (implementation details). Receipt of information from outside the division, and the performance of functions not directly related to the safety function, if used, should be justified. It should be demonstrated that the added system/software complexity associated with the performance of functions not directly related to the safety function and with the receipt of information in support of those functions does not significantly increase the likelihood of software specification or coding errors, including errors that would affect more than one division. The applicant should justify the definition of "significantly" used in the demonstration.
Columbia PRNM Conformance: See the above justification. All of the data received by the safety system that does not support a safety function are simple operations and are executed on a lower priority basis than the safety function. This requirement is met.

27. ISG-04 Text/Guidance: Staff Position 1.4. The communication process itself should be carried out by a communications processor separate from the processor that executes the safety function, so that communications errors and malfunctions will not interfere with the execution of the safety function. The communication and function processors should operate asynchronously, sharing information only by means of dual-ported memory or some other shared memory resource that is dedicated exclusively to this exchange of information. The function processor, the communications processor, and the shared memory, along with all supporting circuits and software, are all considered to be safety-related, and must be designed, qualified, fabricated, etc., in accordance with 10 C.F.R. Part 50, Appendix A and B. Access to the shared memory should be controlled in such a manner that the function processor has priority access to the shared memory to complete the safety function in a deterministic manner.

28. ISG-04 Text/Guidance: Continuation of Staff position 1.4. For example, if the communication processor is accessing the shared memory at a time when the function processor needs to access it, the function processor should gain access within a timeframe that does not impact the loop cycle time assumed in the plant safety analyses. If the shared memory cannot support unrestricted simultaneous access by both processors, then the access controls should be configured such that the function processor always has precedence. The safety function circuits and program logic should ensure that the safety function will be performed within the timeframe established in the safety analysis, and will be completed successfully without data from the shared memory in the event that the function processor is unable to gain access to the shared memory.
Columbia PRNM Conformance: ((

29. ISG-04 Text/Guidance: Staff Position 1.5. The cycle time for the safety function processor should be determined in consideration of the longest possible completion time for each access to the shared memory. This longest-possible completion time should include the response time of the memory itself and of the circuits associated with it, and should also include the longest possible delay in access to the memory by the function processor assuming worst-case conditions for the transfer of access from the communications processor to the function processor. Failure of the system to meet the limiting cycle time should be detected and alarmed.
Columbia PRNM Conformance: ((

30. ISG-04 Text/Guidance: Staff Position 1.6. The safety function processor should perform no communication handshaking and should not accept interrupts from outside its own safety division.
Columbia PRNM Conformance: ((

31. ISG-04 Text/Guidance: Staff Position 1.7. Only predefined data sets should be used by the receiving system. Data from unrecognized messages must not be used within the safety logic executed by the safety function processor.
Columbia PRNM Conformance: ((

32. ISG-04 Text/Guidance: Staff Position 1.7 (implementation details). Unrecognized messages and data should be identified and dispositioned by the receiving system in accordance with the pre-specified design requirements.
Columbia PRNM Conformance: ((

33. ISG-04 Text/Guidance: Staff Position 1.7 (implementation details). Message format and protocol should be pre-determined.
Columbia PRNM Conformance: Communication protocol specifications define the message structure, the message type, and the content of each message.

34. ISG-04 Text/Guidance: Staff Position 1.7 (implementation details). Every message should have the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message.
Columbia PRNM Conformance: Every message, as defined by the governing protocol spec, has the same message field structure including sequence, message ID, status information, data, and check sum.

35. ISG-04 Text/Guidance: Staff Position 1.7 (implementation details). Every datum should be included in every transmit cycle, whether it has changed since the previous transmission or not, to ensure deterministic system behavior.
Columbia PRNM Conformance: Message format and protocol are pre-determined. Every message has the same message field structure and sequence, including message identification, status information, data bits, etc. in the same locations in every message. Every datum is included in every transmit cycle, whether it has changed since the previous transmission or not.

Staff Position 1.8. Data exchanged between redundant safety divisions or between safety and nonsafety divisions should be processed in a manner that does not adversely affect the safety function of the sending divisions, the receiving divisions, or any other independent divisions.

Page 55 of 78

GE-MS-CT- 106244-KM 115 GEH Non-Proprietary Information ISG-04 Text/Guidance Columbia PRNM Conformance to ISG-04 Staff Position 1.9. Incoming message data should be stored ((

in fixed predetermined locations in the shared memory and in the memory associated with the function processor.

These memory locations should not be used for any other purpose. The memory locations should be allocated such that input data and output data are segregated from each other in separate memory devices or in separate pre-specified physical areas within a memory device.

38. Staff Position 1.10. Safety division software should be protected from alteration while the safety division is in operation.

39. Staff Position 1.10 (implementation details). On-line changes to safety system software should be prevented by hardwired interlocks or by physical disconnection of maintenance and monitoring equipment. A workstation (e.g. engineer or programmer station) may alter addressable constants, setpoints, parameters, and other settings associated with a safety function only by way of the dual-processor / shared-memory scheme described in this guidance, or when the associated channel is inoperable. Such a workstation should be physically restricted from making changes in more than one division at a time. The restriction should be by means of physical cable disconnect, or by means of keylock switch that either physically opens the data transmission circuit or interrupts the connection by means of hardwired logic.

40. Staff Position 1.10 (implementation details). "Hardwired logic" as used here refers to circuitry that physically interrupts the flow of information, such as an electronic AND gate circuit (that does not use software or firmware) with one input controlled by the hardware switch and the other connected to the information source: the information appears at the output of the gate only when the switch is in a position that applies a "TRUE" or "1" at the input to which it is connected. Provisions that rely on software to effect the disconnection are not acceptable. It is noted that software may be used in the safety system or in the workstation to accommodate the effects of the open circuit or for status logging or other purposes.
Columbia PRNM Conformance to ISG-04: No software changes are allowed online; therefore, this switch is not used.

41. Staff Position 1.11. Provisions for interdivisional communication should explicitly preclude the ability to send software instructions to a safety function processor unless all safety functions associated with that processor are either bypassed or otherwise not in service. The progress of a safety function processor through its instruction sequence should not be affected by any message from outside its division. For example, a received message should not be able to direct the processor to execute a subroutine or branch to a new instruction sequence.

Staff Position 1.12. Communication faults should not adversely affect the performance of required safety functions in any way.

43. Staff Position 1.12 (Implementation details) Faults, including communication faults, originating in nonsafety equipment, do not constitute "single failures" as described in the single failure criterion of 10 C.F.R. Part 50, Appendix A.

44. Staff Position 1.12 (Implementation details). Examples of credible communication faults include, but are not limited to, the following:
Columbia PRNM Conformance to ISG-04: Title. Not a requirement.

45. Staff Position 1.12 (Implementation details). Messages may be corrupted due to errors in communications processors, errors introduced in buffer interfaces, errors introduced in the transmission media, or from interference or electrical noise.

46. Staff Position 1.12 (Implementation details). Messages may be repeated at an incorrect point in time.

47. Staff Position 1.12 (Implementation details). Messages may be sent in the incorrect sequence.

48. Staff Position 1.12 (Implementation details). Messages may be lost, which includes both failures to receive an uncorrupted message or to acknowledge receipt of a message.

49. Staff Position 1.12 (Implementation details). Messages may be delayed beyond their permitted arrival time window for several reasons, including errors in the transmission medium, congested transmission lines, interference, or by delay in sending buffered messages.

50. Staff Position 1.12 (Implementation details). Messages may be inserted into the communication medium from unexpected or unknown sources.

51. Staff Position 1.12 (Implementation details). Messages may be sent to the wrong destination, which could treat the message as a valid message.

))

52. Staff Position 1.12 (Implementation details). Messages may be longer than the receiving buffer, resulting in buffer overflow and memory corruption.

Staff Position 1.12 (Implementation details). Messages may contain data that is outside the expected range.
Columbia PRNM Conformance to ISG-04: In this case the instrument declares the data invalid and the data is not used.

54. Staff Position 1.12 (Implementation details). Messages may appear valid, but data may be placed in incorrect locations within the message.

55. Staff Position 1.12 (Implementation details). Messages may occur at a high rate that degrades or causes the system to fail (i.e., broadcast storm).

((

Staff Position 1.12 (Implementation details). Message headers or addresses may be corrupted.
Columbia PRNM Conformance to ISG-04: The firmware rejects these messages.

57. Staff Position 1.13 Vital communications, such as the sharing of channel trip decisions for the purpose of voting, should include provisions for ensuring that received messages are correct and are correctly understood. Such communications should employ error-detecting or error-correcting coding along with means for dealing with corrupt, invalid, untimely or otherwise questionable data. The effectiveness of error detection/correction should be demonstrated in the design and proof testing of the associated codes, but once demonstrated is not subject to periodic testing. Error-correcting methods, if used, should be shown to always reconstruct the original message exactly or to designate the message as unrecoverable. None of this activity should affect the operation of the safety-function processor.

58. Staff Position 1.14. Vital communications should be point-to-point by means of a dedicated medium (copper or optical cable). In this context, "point-to-point" means that the message is passed directly from the sending node to the receiving node without the involvement of equipment outside the division of the sending or receiving node. Implementation of other communication strategies should provide the same reliability and should be justified.

59. Staff Position 1.15. Communication for safety functions should communicate a fixed set of data (called the "state") at regular intervals, whether data in the set has changed or not.

((

60. Staff Position 1.16. Network connectivity, liveness, and real-time properties essential to the safety application should be verified in the protocol. Liveness, in particular, is taken to mean that no connection to any network outside the division can cause an RPS/ESFAS communication protocol to stall, either deadlock or livelock. (Note: This is also required by the independence criteria of: (1) 10 C.F.R. Part 50, Appendix A, General Design Criteria ("GDC") 24, which states, "interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired."; and (2) IEEE 603-1991 IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations.) (Source: NUREG/CR-6082, 3.4.3)

((

61. Staff Position 1.17. Pursuant to 10 C.F.R. § 50.49, the medium used in a vital communications channel should be qualified for the anticipated normal and post-accident environments. For example, some optical fibers and components may be subject to gradual degradation as a result of prolonged exposure to radiation or to heat. In addition, new digital systems may need susceptibility testing for EMI/RFI and power surges, if the environments are significant to the equipment being qualified.

62. Staff Position 1.18. Provisions for communications should be analyzed for hazards and performance deficits posed by unneeded functionality and complication.

((

63. Staff Position 1.19 If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.

64. Staff Position 1.20. The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing.

65. 2. COMMAND PRIORITIZATION
Columbia PRNM Conformance to ISG-04: Title. Not a requirement.

66. Scope:

67. This section presents guidance applicable to a prioritization device or software function block, hereinafter referred to simply as a "priority module."
Columbia PRNM Conformance to ISG-04: Definition. Not a requirement.

A priority module receives device actuation commands from multiple safety and non-safety sources, and sends the command having highest priority on to the actuated device. The actuated device is a safety-related component such as a motor actuated valve, a pump motor, a solenoid operated valve, etc. The priority module must also be safety-related.
Columbia PRNM Conformance to ISG-04: The APRM system does not use priority modules. Therefore, this section does not apply. The system is designed as a fail safe (fail in a trip state). The actuation of the solenoid valves is performed by the reactor protection system (RPS).

69. STAFF POSITION
Columbia PRNM Conformance to ISG-04: Title. Not a requirement.

70. Existing Diversity and Defense-in-Depth guidance indicates that diverse actuation signals should be applied to plant equipment control circuits downstream of the digital system to which they are diverse, in order to ensure that the diverse actuation will be unaffected by digital system failures and malfunctions. Accordingly the priority modules that combine the diverse actuation signals with the actuation signals generated by the digital system should not be executed in digital system software that may be subject to common-cause failures (CCF).

((

Software implementation of priority modules not associated with diverse actuation would result in the availability of two kinds of priority modules, one of which is suitable for diverse actuation and one type not suitable for diverse actuation. An applicant should demonstrate that adequate configuration control measures are in place to ensure that software-based priority modules that might be subject to CCF will not be used later for credited diversity, either deliberately or accidentally (for example, there is protection from design error and from maintenance / implementation error). This applies both to existing diversity provisions and to diversity provisions that might be credited later. The applicant should show how such provisions fit into the overall Appendix B quality program.
Columbia PRNM Conformance to ISG-04: As discussed above, this requirement does not apply to PRNM.

((

72. Staff Position 2.1. A priority module is a safety related device or software function. A priority module must meet all of the 10 C.F.R. Part 50, Appendix A and B requirements (design, qualification, quality, etc.) applicable to safety-related devices or software.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

Staff Position 2.2. Priority modules used for diverse actuation signals should be independent of the remainder of the digital system, and should function properly regardless of the state or condition of the digital system. If these recommendations are not satisfied, the applicant should show how the diverse actuation requirements are met.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

74. Staff Position 2.3. Safety-related commands that direct a component to a safe state must always have the highest priority and must override all other commands. Commands that originate in a safety-related channel but which only cancel or enable cancellation of the effect of the safe-state command (that is, a consequence of a Common-Cause Failure in the primary system that erroneously forces the plant equipment to a state that is different from the designated "safe state."), and which do not directly support any safety function, have lower priority and may be overridden by other commands. In some cases, such as a containment isolation valve in an auxiliary feedwater line, there is no universal "safe state:" the valve must be open under some circumstances and closed under others.

Continuation of Staff position 2.3 description. The relative priority to be applied to commands from a diverse actuation system, for example, is not obvious in such a case. This is a system operation issue, and priorities should be assigned on the basis of considerations relating to plant system design or other criteria unrelated to the use of digital systems. This issue is outside the scope of this ISG. The reasoning behind the proposed priority ranking should be explained in detail. The reviewer should refer the proposed priority ranking and the explanation to appropriate systems experts for review.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

Staff Position 2.3. (implementation details). The priority module itself should be shown to apply the commands correctly in order of their priority rankings, and should meet all other applicable guidance. It should be shown that the unavailability or spurious operation of the actuated device is accounted for in, or bounded by, the plant safety analysis.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

Staff Position 2.4. A priority module may control one or more components. If a priority module controls more than one component, then all of these provisions apply to each of the actuated components.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

78. Staff Position 2.5. Communication isolation for each priority module should be as described in the guidance for interdivisional communications.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

79. Staff Position 2.6. Software used in the design, testing, maintenance, etc. of a priority module is subject to all of the applicable guidance in Regulatory Guide 1.152, which endorses IEEE Standard 7-4.3.2-2003 (with comments). This includes software applicable to any programmable device used in support of the safety function of a prioritization module, such as programmable logic devices (PLDs), programmable gate arrays, or other such devices. Section 5.3.2 of IEEE 7-4.3.2-2003 is particularly applicable to this subject. Validation of design tools used for programming a priority module or a component of a priority module is not necessary if the device directly affected by those tools is 100% tested before being released for service. 100% testing means that every possible combination of inputs and every possible sequence of device states is tested, and all outputs are verified for every case. The testing should not involve the use of the design tool itself. Software-based prioritization must meet all requirements (quality requirements, V&V, documentation, etc.) applicable to safety-related software.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

80. Staff Position 2.7. Any software program that is used in support of the safety function within a priority module is safety-related software. All requirements that apply to safety-related software also apply to prioritization module software. Nonvolatile memory (such as burned-in or reprogrammable gate arrays or random-access memory) should be changeable only through removal and replacement of the memory device. Design provisions should ensure that static memory and programmable logic cannot be altered while installed in the module. The contents and configuration of field programmable memory should be considered to be software, and should be developed, maintained, and controlled accordingly.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

81. Staff Position 2.8. To minimize the probability of failures due to common software, the priority module design should be fully tested (This refers to proof-of-design testing, not to individual testing of each module and not to surveillance testing.). If the tests are generated by any automatic test generation program then all the test sequences and test results should be manually verified. Testing should include the application of every possible combination of inputs and the evaluation of all of the outputs that result from each combination of inputs. If a module includes state-based logic (that is, if the response to a particular set of inputs depends upon past conditions), then all possible sequences of input sets should also be tested. If testing of all possible sequences of input sets is not considered practical by an applicant, then the applicant should identify the testing that is excluded and justify that exclusion.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

82. Staff Position 2.9. Automatic testing within a priority module, whether initiated from within the module or triggered from outside, and including failure of automatic testing features, should not inhibit the safety function of the module in any way. Failure of automatic testing software could constitute common-cause failure if it were to result in the disabling of the module safety function.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

83. Continuation of Staff position 2.9 description. The applicant should show that the testing planned or performed provides adequate assurance of proper operation under all conditions and sequences of conditions. Note that it is possible that logic devices within the priority module include unused inputs: assuming those inputs are forced by the module circuitry to a particular known state, those inputs can be excluded from the "all possible combinations" criterion. For example, a priority module may include logic executed in a gate array that has more inputs than are necessary. The unused inputs should be forced to either "TRUE" or "FALSE" and then can be ignored in the "all possible combinations" testing.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

Staff Position 2.10. The priority module must ensure that the completion of a protective action as required by IEEE Standard 603 is not interrupted by commands, conditions, or failures outside the module's own safety division.
Columbia PRNM Conformance to ISG-04: N/A for PRNM

85. 3. MULTIDIVISIONAL CONTROL AND DISPLAY STATIONS
Columbia PRNM Conformance to ISG-04: Title. Not a requirement.

86. Scope:
Columbia PRNM Conformance to ISG-04: Title. Not a requirement.

Staff Position 3.0. This section presents guidance concerning operator workstations used for the control of plant equipment in more than one safety division and for display of information from sources in more than one safety division. This guidance also applies to workstations that are used to program, modify, monitor, or maintain safety systems that are not in the same safety division as the workstation. Multidivisional control and display stations addressed in this guidance may themselves be safety-related or not safety-related, and they may include controls and displays for equipment in multiple safety divisions and for equipment that is not safety-related, provided they meet the conditions identified herein. Even though the use of multidivisional control and display stations is relatively new to the nuclear industry, the concepts to maintain the plant safety contained in this guidance is in line with the current NRC regulations.

87. GENERIC COMMENTS
Columbia PRNM Conformance to ISG-04: The PRNM does not have control stations, which can be used to operate equipment. The PRNM does not have equipment to monitor equipment in multiple divisions. An optional Operator Display Panel per division is installed in the MCR to provide the operator divisional status and information but has no control or maintenance functions. Therefore this section does not apply.

This compliance matrix uses the terms requirements and guidance synonymously. It is recognized that the ISG is guidance; however, for practicality, the sections of this ISG will be evaluated as requirements.
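The receiver-side checks implied by Staff Positions 1.7, 1.9 and 1.12 in the matrix above, as an added example that is not part of the original submittal and is not GEH firmware. The frame layout, node IDs, data range and arrival window are assumptions made for illustration, and a CRC-16 stands in for the check sum, whose algorithm the matrix does not specify.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical frame layout, constructed for this example (not the PRNM protocol):
 *  [0] message ID  [1] source  [2] destination  [3] sequence  [4] status
 *  [5..12] four 16-bit big-endian data words  [13..14] CRC-16 over bytes 0..12 */
enum { FRAME_LEN = 15, N_WORDS = 4, CRC_OFF = 13 };
enum { MSG_ID_STATE = 0x5A, NODE_PEER = 1, NODE_SELF = 2 };
enum { WORD_MAX = 12500, MAX_AGE_MS = 50 };  /* assumed data range, arrival window */

typedef enum { RX_OK, RX_BAD_LENGTH, RX_BAD_CRC, RX_BAD_HEADER,
               RX_BAD_SEQUENCE, RX_OUT_OF_RANGE } rx_result;

/* Fixed, predetermined storage for received data; only rx_frame() writes it. */
typedef struct {
    uint16_t words[N_WORDS];
    uint8_t  status, last_seq, have_seq, valid;
    uint32_t last_rx_ms;
} rx_state;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), standing in for the check sum. */
static uint16_t crc16(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: every field sits at the same offset in every frame. */
void build_frame(uint8_t *f, uint8_t dst, uint8_t seq, const uint16_t *w)
{
    f[0] = MSG_ID_STATE; f[1] = NODE_PEER; f[2] = dst; f[3] = seq; f[4] = 0;
    for (int i = 0; i < N_WORDS; i++) {
        f[5 + 2 * i] = (uint8_t)(w[i] >> 8);
        f[6 + 2 * i] = (uint8_t)w[i];
    }
    uint16_t c = crc16(f, CRC_OFF);
    f[CRC_OFF] = (uint8_t)(c >> 8);
    f[CRC_OFF + 1] = (uint8_t)c;
}

/* Receiver: validate everything before touching the fixed storage. */
rx_result rx_frame(rx_state *st, const uint8_t *buf, size_t len, uint32_t now_ms)
{
    uint16_t tmp[N_WORDS];

    if (len != FRAME_LEN)                 /* too long or too short: never copied */
        return RX_BAD_LENGTH;
    if (crc16(buf, CRC_OFF) != (uint16_t)((buf[CRC_OFF] << 8) | buf[CRC_OFF + 1]))
        return RX_BAD_CRC;                /* corrupted in transit */
    if (buf[0] != MSG_ID_STATE || buf[1] != NODE_PEER || buf[2] != NODE_SELF)
        return RX_BAD_HEADER;             /* unknown source or wrong destination */

    /* Repeated (delta 0) or older (delta > 127) frames are dropped. A forward gap
     * is accepted because each frame carries the complete state. */
    uint8_t delta = (uint8_t)(buf[3] - st->last_seq);
    if (st->have_seq && (delta == 0 || delta > 127))
        return RX_BAD_SEQUENCE;

    for (int i = 0; i < N_WORDS; i++) {
        tmp[i] = (uint16_t)((buf[5 + 2 * i] << 8) | buf[6 + 2 * i]);
        if (tmp[i] > WORD_MAX) {          /* out of range: declare data invalid */
            st->valid = 0;
            return RX_OUT_OF_RANGE;
        }
    }
    for (int i = 0; i < N_WORDS; i++)
        st->words[i] = tmp[i];
    st->status = buf[4]; st->last_seq = buf[3]; st->have_seq = 1;
    st->valid = 1; st->last_rx_ms = now_ms;
    return RX_OK;
}

/* Data is usable only if valid and inside the arrival window (lost/late frames). */
int rx_data_usable(const rx_state *st, uint32_t now_ms)
{
    return st->valid && (uint32_t)(now_ms - st->last_rx_ms) <= MAX_AGE_MS;
}

int main(void)
{
    rx_state st = {0};
    uint8_t f[FRAME_LEN];
    const uint16_t w[N_WORDS] = {1000, 2000, 3000, 4000};  /* constructed sample */
    build_frame(f, NODE_SELF, 1, w);
    rx_result good = rx_frame(&st, f, sizeof f, 10);
    f[7] ^= 0x10;                                          /* bit flip in transit */
    return (good == RX_OK && rx_frame(&st, f, sizeof f, 20) == RX_BAD_CRC) ? 0 : 1;
}
```

Because the receiver never acts on frame contents other than as data and never copies a frame whose length differs from the fixed size, a malformed or oversized message cannot redirect execution or overwrite adjacent memory in this sketch.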


LICENSE AMENDMENT REQUEST TO CHANGE TECHNICAL SPECIFICATIONS IN SUPPORT OF PRNM / ARTS / MELLLA IMPLEMENTATION

Applicable Sections of GEH-CGS-107474-113 (Non-proprietary version)

Information Notice

This is a non-proprietary version of Attachment 3, from which the proprietary information has been removed. Portions of the Attachment that have been removed are indicated by an open and closed bracket as shown here (( )).

GEH-CGS-107474-113 Non-Proprietary Information Request for Supplemental Information #8:

To support NRC assessment of the acceptability of the LAR for the CGS PRNM System setpoints, please provide documentation (including representative calculations) of the setpoint methodology used for establishing the limiting setpoint (or nominal setpoint) and the limiting acceptable values for the As-Found and As-Left setpoints. Please indicate the related Analytical Limits and other limiting design values (and the sources of these values) for each setpoint. In addition to demonstration of acceptable values for the new OPRM Upscale setpoint, the representative calculations should reflect the upgraded equipment to confirm values for existing setpoints, such as Neutron Flux-High (Setdown), Fixed Neutron Flux-High, and Flow Biased Simulated Thermal Power-High. If more than one setpoint methodology (e.g., plant-specific setpoint methodology and GE setpoint methodology) has been used, please identify them and provide the needed information for each method. Also, please confirm whether or not the single-sided setpoint method of calculation has been used for any of the setpoints. Please identify any cycle-specific setpoints and how they will be controlled. For those setpoints which are controlled in a document other than the TSs (e.g., PRM-related setpoints), please describe how it will be ensured that the controls will be implemented.

Response to Request for Supplemental Information #8

Setpoint Methodology - Non-OPRM

GEH setpoints are calculated using the NRC approved methodology contained in NEDC-31336P-A (Reference 8-1). Conceptually, the GEH method is based on Instrument Society of America (ISA) Method 2, but leads to more conservative setpoints and is referred to as "Method 2 plus". According to this NRC approved methodology, the setpoints are calculated from the Analytic Limit (AL), or the Allowable Value (AV) if there is no AL, using a top down approach, and margin is calculated by methodology:

  • between the AL and the AV,
  • between the AL and the Nominal Trip Setpoint (NTSP), and
  • between the AV and the NTSP.

The margin between the AL and the final NTSP is at least equal to, and generally greater than, that needed to meet the 95% probability requirement of Regulatory Guideline (RG) 1.105.

GEH's setpoint methodology for operating plants uses single-sided distributions in the development of AVs and NTSPs for instrument channels that provide trips when the process variable being measured approaches the setpoint in one direction, as described in ISA standard 67.04 part II. Each of the setpoint functions for the CGS Power Range Neutron Monitoring System (PRNMS) and APRM RBM Technical Specifications (ARTS)/Maximum Extended Load Line Limit Analysis (MELLLA) project provides trips where the setpoint is approached in only one direction. Per the Safety Evaluation (SE) from the NRC (dated 6 November 1995) for Reference 8-1:

"The GE methodology utilizes single-sided distributions in the development of trip setpoints and allowable values. ... The staff has stated that this methodology is acceptable provided that a channel approaches a trip in only one direction."

GEH's setpoint methodology for operating plants uses vendor instrument error specifications conservatively to provide setpoints that meet margin requirements to a high degree of confidence. This was demonstrated by actual data analysis during licensing of the GEH methodology (Reference 8-1). The NRC approved GEH's Instrument Setpoint Methodology in November 1995 while RG 1.105 Revision 2 was in use. RG 1.105 Revision 3 was introduced in December 1999, but the revised content, that quantified the confidence level to be 95%, did not invalidate or affect the approved GEH Setpoint Methodology. Per the SE from the NRC for Reference 8-1:

"... the BWROG presented data to show that although the GE setpoint methodology does not produce results with a defined confidence level, it was shown that the data analysis can produce results that have a high degree of confidence (95 percent confidence limits). ... By establishing that the 95 percent confidence intervals are bounded by the design allowances developed per NEDC-31336, GE has shown that the results produced by the GE setpoint methodology can be established with high confidence."

The AL is a process parameter value used in the safety analysis and represents a limiting value for the automatic initiation of protective actions. From the AL, an AV is first calculated which has margin to the AL based on all measurement errors except Drift. ((

)) All random errors are combined using Square Root of the Sum of the Squares (SRSS) method, and non-conservative bias errors are added algebraically. The AV represents the limiting value to which a setpoint can drift (as determined from surveillance) and still assure that the AL is protected. ((

)) The AV is the value specified in the Technical Specifications, and is an AL surrogate that assures the AL is protected if the setpoint does not exceed it.

Figure 8-1

The approved GEH setpoint methodology basically results in two calculated NTSPs as shown in Figure 8-1. ((

)) NTSP1 is the Limiting Trip Setpoint (LTSP), as the instrument setting can be no closer to the AL than NTSP1. However, NTSP1 generally does not have the margin to the AV required by GEH methodology, and so is seldom the final adjusted NTSP, called "NTSP(Adj)", the second NTSP. An intermediate NTSP, "NTSP2" is also calculated as part of the NTSP(Adj) calculations. ((

)) Relevant equations are shown below. [Notes: 91 refers to the random component for each error. The subscript L refers to the error for the whole instrument loop, and the errors are based on a one-sided approach to the setpoints.]

AV = AL - AV_MARGIN (for an increasing setpoint)

NTSP1 = AL - NTSP1_MARGIN (for an increasing setpoint)
      = Limiting Trip Setpoint (LTSP)

Per NEDC-31336P-A (Reference 8-1), ((

)) As shown in Figure 8-1, ((

)) All setpoints are reset to the NTSP(Adj), within the ALT, after calibration. ((

)) (also see the equation below). All LATs are equal to their associated ALTs (the tolerance within which the device calibration reading is left after calibrating). Relevant equations are shown below.

(( )) (calculated for each instrument i in the instrument loop)

LAT = ALT

The calibration tools and standards uncertainties (errors) are considered within GEH methodology and the values used are identified in the GEH Instrument Limits Calculation(s).

These uncertainty values in the calculation bound the tools and standards used for calibration in the field. Calibration tools and standards uncertainties are used within the calculation and they provide the uncertainty boundaries for the use of any new instruments. Otherwise the setpoint calculation would need to be re-calculated using the uncertainties of the new instrument(s) that are outside of the bounding values in the calculation for the calibration tools and standards.

Regarding Calibration conditions, the temperature range for Calibrations is considered in the GEH Setpoint Methodology, as part of the Temperature Effect for the instruments involved. For example, for the calibration of the Recirculation Flow Transmitters, the temperature range for calibration is 70 to 104°F, meaning that the calibration could occur at a different specific temperature each time. The total difference in temperature could be 34°F, and that maximum is applied to the Temperature Effects for the Rosemount 1153 Flow Transmitter instruments in the calculation of instrument errors. ((

))


)) If the AV/NTSP1 margin is not sufficient for the LER avoidance test, the NTSP is conservatively adjusted to provide added margin.

The GEH setpoint methodology performs an additional LAT test to determine if the NTSP needs to be adjusted further in the conservative direction. ((

If the NTSP has sufficient margin to meet these requirements for LAT, no adjustment to NTSP is required. However, if margin is not sufficient, the NTSP is adjusted to provide added margin.

This adjusted NTSP is "NTSP(Adj)", and it is also checked for LER avoidance. The NTSP(Adj) is the final NTSP that is set into the instrument loop. After each calibration, the instrument is reset to this final NTSP(Adj), within the ALT.

((

)) The OL is an operational limit on the opposite side of the setpoint than the AL, and generally represents the parameter value for normal operation.

The following table provides an example of results from a typical setpoint calculation performed using GEH setpoint methodology. The example is for a plant's APRM Neutron Flux Scram setpoint function in units of percent Rated Thermal Power (RTP). Note as stated earlier, the final NTSP(Adj) is further away from the AL than NTSP1, the Limiting Trip Setpoint (LTSP).

Table 8-1

Parameter       % RTP
AL              122
AV              119.3
NTSP1 (LTSP)    118.9
NTSP(Adj)       117.3

GEH Setpoint Calculation Methodology Without an AL

In the case where there is no AL, such as for the APRM Flow Biased Simulated Thermal Power Scram setpoint function, then the input to the setpoint calculation is an AV, instead of an AL.

For such a case, NTSP1, the Limiting Trip Setpoint (LTSP) is not pertinent and cannot be calculated.

When the input to the setpoint calculation is the AV, then margin is calculated by GEH methodology between the AV and the NTSP(Adj), as discussed above.

Setpoint Calculation - Non-OPRM - CGS Specific

Average Power Range Monitor (APRM) setpoint calculations were performed to support installation of PRNMS at CGS. The APRM Flow Biased Simulated Thermal Power-High setpoint was calculated to support PRNM and ARTS/MELLLA. Calculations included scrams and rod blocks. All calculations were based on the error terms associated with the upgraded PRNMS equipment. As Left Tolerances (ALTs) (the tolerance within which the device calibration reading is left after calibration) were considered in the calculations; these tolerances were based on the existing Recirculation Loop flow transmitters, and PRNMS flow and power electronics. The AV/NTSP margin includes instrument loop accuracy under calibration conditions, instrument calibration errors, and instrument drift errors. ((

For the APRM Flow Biased Simulated Thermal Power setpoint functions, some of the instrument errors are related to the Flow instruments used to measure Recirculation Drive (Loop) flows. Flow errors were converted to Power errors using the slope of the power-flow Allowable Values (AVs), such that all errors were combined using the same unit of Percent Rated Thermal Power (% RTP).

The following table summarizes the limits, ALs or AVs, associated with the PRNMS setpoint calculations for CGS. Columns for both CLTP and PRNMS (ARTS/MELLLA) values are shown. If a setpoint is not credited in a safety evaluation, there is no applicable AL, per GEH setpoint methodology.

Table 8-2

| Setpoint Function | CLTP (% RTP) | PRNMS (ARTS/MELLLA) (% RTP) | Source / Basis |
|---|---|---|---|
| APRM Flow Biased Simulated Thermal Power Scram † AVs | TLO: 0.58 Wd + 62; SLO: 0.58 Wd + 62 | TLO: 0.63 Wd + 64.0; SLO: 0.63 Wd + 60.8 | Protects against slow reactivity transients (Reference 8-8) |
| APRM Flow Biased Simulated Thermal Power Rod Block † AVs | TLO: 0.58 Wd + 53; SLO: 0.58 Wd + 53 (Same as TLO) | TLO: 0.63 Wd + 60.1; SLO: 0.63 Wd + 56.9 | Prevents rod withdrawal and alerts the Operator if the power is significantly above licensed power level; the rod block function precedes a flow-biased Scram (Reference 8-8) |
| APRM STP Scram Clamp † AV | 114.9 | 114.9 | Protects against slow reactivity transients. (Reference 8-8) |
| APRM Rod Block Clamp † AV | None | 111 | Prevents rod withdrawal and alerts the Operator if the power is significantly above licensed power level; the rod block function precedes a Scram (Reference 8-8) |

† An AL is not applicable because this setpoint function is not used in any safety or transient analyses.

Reference 8-2 provides representative calculation summaries and is available for NRC review.

Setpoints -- OPRM

As described in Section 3.7.4 of the License Amendment Request (LAR), the Oscillation Power Range Monitor (OPRM) setpoints are the nominal setpoints, which are established using a comprehensive BWR Owners' Group (BWROG) methodology for stability analysis approved by the NRC (Reference 8-3). There is no Analytic Limit (AL) or Allowable Value (AV) with defined instrument error margins to the Nominal Trip Setpoint (NTSP) for the OPRM setpoints.

Note that OPRM setpoints are not considered to be Limiting Safety System Settings (LSSSs) since stability is a special event, and not an Anticipated Operational Occurrence (AOO) which define LSSSs.

As shown in Attachment 5 of the LAR, the following OPRM setpoints will be in the Core Operating Limits Report (COLR).

OPRM Upscale Oscillation Amplitude

OPRM Upscale Successive Confirmation Count

OPRM Trip Enable, APRM Simulated Thermal Power (STP)

OPRM Trip Enable, Recirculation Drive Flow

OPRM Operable, Thermal Power

The OPRM Upscale function setpoints (Period Based Algorithm Oscillation Amplitude and Successive Confirmation Count setpoints) are established as nominal values based on cycle specific reload stability analyses in accordance with Reference 8-3.

The OPRM Upscale function auto-enable (not bypassed) region is established generically to correspond to reactor power greater than or equal to 30% of rated, and core flow (implemented as Recirculation drive flow) less than or equal to 60% of rated per Reference 8-3. Note that it is conservative to use Recirculation drive flow in place of core flow for the OPRM Upscale function auto-enable region boundary. The OPRM Upscale function auto-enable region is confirmed by a cycle-specific analysis each reload, and expanded if necessary. The OPRM Operable Thermal Power setpoint is established as 5% of rated power less than the OPRM Trip Enable, APRM STP per Reference 8-4.

OPRM Upscale function auto-enable (not bypassed) power and core flow setpoints are permissive setpoints. These setpoints are not explicitly modeled in stability analyses. Because permissives or interlocks are only one of multiple conservative starting assumptions for the accident analysis, they are generally considered as nominal values without regard to measurement accuracy.

Use of nominal setpoints for the OPRM Upscale function has been addressed during the licensing of the PRNMS at Browns Ferry Unit 1 (Reference 8-5) and at Monticello (Reference 8-6) previously. Note also that the OPRM trip setpoints are not listed in the BWR/4 Standard Technical Specifications (STS, Reference 8-7).

Demonstration calculations for the nominal setpoints of the OPRM Upscale function are available for review. The associated analyses may be viewed by the NRC at a GEH office, upon request, and to a schedule agreed to by GEH and the NRC.

[Cycle specific setpoints and control of setpoints outside of the TS are to be provided by CGS, as these questions are related to CGS controlled information, procedures and processes.]

REFERENCES

8-1. NEDC-31336P-A, "General Electric Instrument Setpoint Methodology", Class 3, September 1996. [NRC Accession Number ML072950103]

8-2. GEH Report 0000-0112-7649-Ri, Instruments Limits Calculation, ENERGY NORTHWEST Columbia Generating Station, Average Power Range Monitor, Power Range Neutron Monitoring System (NUMAC-ARTS/MELLLA), Class III, Rev. 1, March 2010.

8-3. NEDO-32465-A, "Licensing Topical Report, Reactor Stability Detect and Suppress Solutions Licensing Basis Methodology for Reload Applications, Licensing Topical Report," August 1996.

8-4. NEDC-32410P-A Supplement 1, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," Class III, November 1997.

8-5. TVA to NRC, "Browns Ferry Nuclear Plant (BFN) - Unit 1, Technical Specifications (TS) Change TS Request for Additional Information (RAI) Regarding Oscillation Power Range Monitor (OPRM) - (TAC No. MC9565)," NA-BFN-TS-443, October 2, 2006.

8-6. MNGP to NRC, "Response to Requests for Additional Information for License Amendment Request for Power Range Neutron Monitoring System Upgrade (TAC No. MD8064)," September 16, 2008.

8-7. NUREG 1433 Rev 3, "Standard Technical Specifications General Electric Plants, BWR/4," June 2004.

8-8. GE Hitachi Nuclear Energy, "Energy Northwest Columbia Generating Station APRM/RBM/Technical Specifications/Maximum Extended Load Line Limit Analysis (ARTS/MELLLA)," NEDC-33507P, Revision 0, April 2010.


LICENSE AMENDMENT REQUEST TO CHANGE TECHNICAL SPECIFICATIONS IN SUPPORT OF PRNM / ARTS / MELLLA IMPLEMENTATION

Affidavits Supporting Request to Withhold Information from Public Disclosure

GE-Hitachi Nuclear Energy Americas LLC

AFFIDAVIT

I, James F. Harrison, state as follows:

(1) I am the Vice President, Fuel Licensing, Regulatory Affairs, GE-Hitachi Nuclear Energy Americas LLC (GEH), and have been delegated the function of reviewing the information described in paragraph (2) which is sought to be withheld, and have been authorized to apply for its withholding.

(2) The information sought to be withheld is contained in Enclosure 1 of GEH letter, GE-MS-CT-106244-KM118, Kahlim Miller (GEH) to James Snyder (Energy Northwest), "GEH Review of Proprietary Information in Columbia Generating Station Responses to Request for Supplemental Information #2, 3, 4, 5, 6, and 7," dated July 28, 2010. The GEH proprietary information in Enclosure 1, which is entitled "Responses to Request for Supplemental Information 2, 3, 4, 5, 6 and 7," is enclosed by double square brackets. [[This sentence is an example.{3}]] Figures containing GEH proprietary information are identified with double square brackets before and after the object. In each case, the superscript notation {3} refers to Paragraph (3) of this affidavit that provides the basis for the proprietary determination.

(3) In making this application for withholding of proprietary information of which it is the owner or licensee, GEH relies upon the exemption from disclosure set forth in the Freedom of Information Act (FOIA), 5 USC Sec. 552(b)(4), and the Trade Secrets Act, 18 USC Sec. 1905, and NRC regulations 10 CFR 9.17(a)(4), and 2.390(a)(4) for trade secrets (Exemption 4). The material for which exemption from disclosure is here sought also qualifies under the narrower definition of trade secret, within the meanings assigned to those terms for purposes of FOIA Exemption 4 in, respectively, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F2d 871 (DC Cir. 1992), and Public Citizen Health Research Group v. FDA, 704 F2d 1280 (DC Cir. 1983).

(4) The information sought to be withheld is considered to be proprietary for the reasons set forth in paragraphs (4)a. and (4)b. Some examples of categories of information that fit into the definition of proprietary information are:

a. Information that discloses a process, method, or apparatus, including supporting data and analyses, where prevention of its use by GEH's competitors without license from GEH constitutes a competitive economic advantage over GEH and/or other companies.
b. Information that, if used by a competitor, would reduce their expenditure of resources or improve their competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product.
c. Information that reveals aspects of past, present, or future GEH customer-funded development plans and programs, that may include potential products of GEH.


d. Information that discloses trade secret and/or potentially patentable subject matter for which it may be desirable to obtain patent protection.

(5) To address 10 CFR 2.390(b)(4), the information sought to be withheld is being submitted to the NRC in confidence. The information is of a sort customarily held in confidence by GEH, and is in fact so held. The information sought to be withheld has, to the best of my knowledge and belief, consistently been held in confidence by GEH, not been disclosed publicly, and not been made available in public sources. All disclosures to third parties, including any required transmittals to the NRC, have been made, or must be made, pursuant to regulatory provisions or proprietary and/or confidentiality agreements that provide for maintaining the information in confidence. The initial designation of this information as proprietary information, and the subsequent steps taken to prevent its unauthorized disclosure are as set forth in the following paragraphs (6) and (7).

(6) Initial approval of proprietary treatment of a document is made by the manager of the originating component, who is the person most likely to be acquainted with the value and sensitivity of the information in relation to industry knowledge, or who is the person most likely to be subject to the terms under which it was licensed to GEH. Access to such documents within GEH is limited to a "need to know" basis.

(7) The procedure for approval of external release of such a document typically requires review by the staff manager, project manager, principal scientist, or other equivalent authority for technical content, competitive effect, and determination of the accuracy of the proprietary designation. Disclosures outside GEH are limited to regulatory bodies, customers, and potential customers, and their agents, suppliers, and licensees, and others with a legitimate need for the information, and then only in accordance with appropriate regulatory provisions or proprietary and/or confidentiality agreements.

(8) The information identified in paragraph (2) above is classified as proprietary because it contains details developed by GEH from NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," dated October 1995. Development of the NUMAC PRNM, and information related to the design, modification, analyses methodologies and processes related to the NUMAC PRNM was achieved at a significant cost to GEH. The development of the evaluation process, along with the interpretation and application of the analytical results, is derived from the extensive experience database that constitutes a major GEH asset.

(9) Public disclosure of the information sought to be withheld is likely to cause substantial harm to GEH's competitive position and foreclose or reduce the availability of profit-making opportunities. The information is part of GEH's comprehensive BWR safety and technology base, and its commercial value extends beyond the original development cost.

The value of the technology base goes beyond the extensive physical database and analytical methodology and includes development of the expertise to determine and apply the appropriate evaluation process. In addition, the technology base includes the value derived from providing analyses done with NRC-approved methods.


The research, development, engineering, analytical and NRC review costs comprise a substantial investment of time and money by GEH. The precise value of the expertise to devise an evaluation process and apply the correct analytical methodology is difficult to quantify, but it clearly is substantial. GEH's competitive advantage will be lost if its competitors are able to use the results of the GEH experience to normalize or verify their own process or if they are able to claim an equivalent understanding by demonstrating that they can arrive at the same or similar conclusions.

The value of this information to GEH would be lost if the information were disclosed to the public. Making such information available to competitors without their having been required to undertake a similar expenditure of resources would unfairly provide competitors with a windfall, and deprive GEH of the opportunity to exercise its competitive advantage to seek an adequate return on its large investment in developing and obtaining these very valuable analytical tools.

I declare under penalty of perjury that the foregoing affidavit and the matters stated therein are true and correct to the best of my knowledge, information, and belief.

Executed on this 28th day of July 2010.

James F. Harrison
Vice President, Fuel Licensing, Regulatory Affairs
GE-Hitachi Nuclear Energy Americas LLC

GE-Hitachi Nuclear Energy Americas LLC

AFFIDAVIT

I, Edward D. Schrull, PE, state as follows:

(1) I am the Vice President, Regulatory Affairs, Services Licensing, GE-Hitachi Nuclear Energy Americas LLC (GEH), and have been delegated the function of reviewing the information described in paragraph (2) which is sought to be withheld, and have been authorized to apply for its withholding.

(2) The information sought to be withheld is contained in Enclosure 1 of GEH letter, GE-MS-CT-106244-KM115, Kahlim Miller (GEH) to James Snyder (Energy Northwest), "Responses to Request for Supplemental Information #1, 3, and 8," dated July 19, 2010. The GEH proprietary information in Enclosure 1, which is entitled "Responses to Request for Supplemental Information 1, 3, and 8," is enclosed by double square brackets. [[This sentence is an example.{3}]] Figures containing GEH proprietary information are identified with double square brackets before and after the object. In each case, the superscript notation {3} refers to Paragraph (3) of this affidavit that provides the basis for the proprietary determination.

(3) In making this application for withholding of proprietary information of which it is the owner or licensee, GEH relies upon the exemption from disclosure set forth in the Freedom of Information Act (FOIA), 5 USC Sec. 552(b)(4), and the Trade Secrets Act, 18 USC Sec. 1905, and NRC regulations 10 CFR 9.17(a)(4), and 2.390(a)(4) for trade secrets (Exemption 4). The material for which exemption from disclosure is here sought also qualifies under the narrower definition of trade secret, within the meanings assigned to those terms for purposes of FOIA Exemption 4 in, respectively, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F2d 871 (DC Cir. 1992), and Public Citizen Health Research Group v. FDA, 704 F2d 1280 (DC Cir. 1983).

(4) The information sought to be withheld is considered to be proprietary for the reasons set forth in paragraphs (4)a. and (4)b. Some examples of categories of information that fit into the definition of proprietary information are:

a. Information that discloses a process, method, or apparatus, including supporting data and analyses, where prevention of its use by GEH's competitors without license from GEH constitutes a competitive economic advantage over GEH and/or other companies.
b. Information that, if used by a competitor, would reduce their expenditure of resources or improve their competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product.
c. Information that reveals aspects of past, present, or future GEH customer-funded development plans and programs, that may include potential products of GEH.


d. Information that discloses trade secret and/or potentially patentable subject matter for which it may be desirable to obtain patent protection.

(5) To address 10 CFR 2.390(b)(4), the information sought to be withheld is being submitted to the NRC in confidence. The information is of a sort customarily held in confidence by GEH, and is in fact so held. The information sought to be withheld has, to the best of my knowledge and belief, consistently been held in confidence by GEH, not been disclosed publicly, and not been made available in public sources. All disclosures to third parties, including any required transmittals to the NRC, have been made, or must be made, pursuant to regulatory provisions or proprietary and/or confidentiality agreements that provide for maintaining the information in confidence. The initial designation of this information as proprietary information, and the subsequent steps taken to prevent its unauthorized disclosure are as set forth in the following paragraphs (6) and (7).

(6) Initial approval of proprietary treatment of a document is made by the manager of the originating component, who is the person most likely to be acquainted with the value and sensitivity of the information in relation to industry knowledge, or who is the person most likely to be subject to the terms under which it was licensed to GEH. Access to such documents within GEH is limited to a "need to know" basis.

(7) The procedure for approval of external release of such a document typically requires review by the staff manager, project manager, principal scientist, or other equivalent authority for technical content, competitive effect, and determination of the accuracy of the proprietary designation. Disclosures outside GEH are limited to regulatory bodies, customers, and potential customers, and their agents, suppliers, and licensees, and others with a legitimate need for the information, and then only in accordance with appropriate regulatory provisions or proprietary and/or confidentiality agreements.

(8) The information identified in paragraph (2) above is classified as proprietary because it contains details developed by GEH from NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," dated October 1995. Development of the NUMAC PRNM, and information related to the design, modification, analyses methodologies and processes related to the NUMAC PRNM was achieved at a significant cost to GEH. The development of the evaluation process, along with the interpretation and application of the analytical results, is derived from the extensive experience database that constitutes a major GEH asset.

(9) Public disclosure of the information sought to be withheld is likely to cause substantial harm to GEH's competitive position and foreclose or reduce the availability of profit-making opportunities. The information is part of GEH's comprehensive BWR safety and technology base, and its commercial value extends beyond the original development cost.

The value of the technology base goes beyond the extensive physical database and analytical methodology and includes development of the expertise to determine and apply the appropriate evaluation process. In addition, the technology base includes the value derived from providing analyses done with NRC-approved methods.


The research, development, engineering, analytical and NRC review costs comprise a substantial investment of time and money by GEH. The precise value of the expertise to devise an evaluation process and apply the correct analytical methodology is difficult to quantify, but it clearly is substantial. GEH's competitive advantage will be lost if its competitors are able to use the results of the GEH experience to normalize or verify their own process or if they are able to claim an equivalent understanding by demonstrating that they can arrive at the same or similar conclusions.

The value of this information to GEH would be lost if the information were disclosed to the public. Making such information available to competitors without their having been required to undertake a similar expenditure of resources would unfairly provide competitors with a windfall, and deprive GEH of the opportunity to exercise its competitive advantage to seek an adequate return on its large investment in developing and obtaining these very valuable analytical tools.

I declare under penalty of perjury that the foregoing affidavit and the matters stated therein are true and correct to the best of my knowledge, information, and belief.

Executed on this 19th day of July 2010.

Edward D. Schrull
Vice President, Regulatory Affairs Services Licensing
GE-Hitachi Nuclear Energy Americas LLC
3901 Castle Hayne Rd.
Wilmington, NC 28401
edward.schrull@ge.com

GE-Hitachi Nuclear Energy Americas LLC

AFFIDAVIT

I, James F. Harrison, state as follows:

(1) I am the Vice President, Fuel Licensing, Regulatory Affairs, GE-Hitachi Nuclear Energy Americas LLC (GEH), and have been delegated the function of reviewing the information described in paragraph (2) which is sought to be withheld, and have been authorized to apply for its withholding.

(2) The information sought to be withheld is contained in Enclosure 1 of GEH letter, GEH-CGS-107474-113, Kevin M. Whildin (GEH) to James Snyder (Energy Northwest), "Response to Request for Supplemental Information #8," dated July 28, 2010. The GEH proprietary information in Enclosure 1, which is entitled "Response to Request for Supplemental Information #8," is enclosed by double square brackets. [[This sentence is an example.{3}]] Figures containing GEH proprietary information are identified with double square brackets before and after the object. In each case, the superscript notation {3} refers to Paragraph (3) of this affidavit that provides the basis for the proprietary determination.

(3) In making this application for withholding of proprietary information of which it is the owner or licensee, GEH relies upon the exemption from disclosure set forth in the Freedom of Information Act (FOIA), 5 USC Sec. 552(b)(4), and the Trade Secrets Act, 18 USC Sec. 1905, and NRC regulations 10 CFR 9.17(a)(4), and 2.390(a)(4) for trade secrets (Exemption 4). The material for which exemption from disclosure is here sought also qualifies under the narrower definition of trade secret, within the meanings assigned to those terms for purposes of FOIA Exemption 4 in, respectively, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F2d 871 (DC Cir. 1992), and Public Citizen Health Research Group v. FDA, 704 F2d 1280 (DC Cir. 1983).

(4) The information sought to be withheld is considered to be proprietary for the reasons set forth in paragraphs (4)a. and (4)b. Some examples of categories of information that fit into the definition of proprietary information are:

a. Information that discloses a process, method, or apparatus, including supporting data and analyses, where prevention of its use by GEH's competitors without license from GEH constitutes a competitive economic advantage over GEH and/or other companies.
b. Information that, if used by a competitor, would reduce their expenditure of resources or improve their competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product.
c. Information that reveals aspects of past, present, or future GEH customer-funded development plans and programs, that may include potential products of GEH.
d. Information that discloses trade secret and/or potentially patentable subject matter for which it may be desirable to obtain patent protection.


(5) To address 10 CFR 2.390(b)(4), the information sought to be withheld is being submitted to the NRC in confidence. The information is of a sort customarily held in confidence by GEH, and is in fact so held. The information sought to be withheld has, to the best of my knowledge and belief, consistently been held in confidence by GEH, not been disclosed publicly, and not been made available in public sources. All disclosures to third parties, including any required transmittals to the NRC, have been made, or must be made, pursuant to regulatory provisions or proprietary and/or confidentiality agreements that provide for maintaining the information in confidence. The initial designation of this information as proprietary information, and the subsequent steps taken to prevent its unauthorized disclosure are as set forth in the following paragraphs (6) and (7).

(6) Initial approval of proprietary treatment of a document is made by the manager of the originating component, who is the person most likely to be acquainted with the value and sensitivity of the information in relation to industry knowledge, or who is the person most likely to be subject to the terms under which it was licensed to GEH. Access to such documents within GEH is limited to a "need to know" basis.

(7) The procedure for approval of external release of such a document typically requires review by the staff manager, project manager, principal scientist, or other equivalent authority for technical content, competitive effect, and determination of the accuracy of the proprietary designation. Disclosures outside GEH are limited to regulatory bodies, customers, and potential customers, and their agents, suppliers, and licensees, and others with a legitimate need for the information, and then only in accordance with appropriate regulatory provisions or proprietary and/or confidentiality agreements.

(8) The information identified in paragraph (2) above is classified as proprietary because it contains details developed by GEH from NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," dated October 1995. Development of the NUMAC PRNM, and information related to the design, modification, analyses methodologies and processes related to the NUMAC PRNM was achieved at a significant cost to GEH. The development of the evaluation process, along with the interpretation and application of the analytical results, is derived from the extensive experience database that constitutes a major GEH asset.

(9) Public disclosure of the information sought to be withheld is likely to cause substantial harm to GEH's competitive position and foreclose or reduce the availability of profit-making opportunities. The information is part of GEH's comprehensive BWR safety and technology base, and its commercial value extends beyond the original development cost.

The value of the technology base goes beyond the extensive physical database and analytical methodology and includes development of the expertise to determine and apply the appropriate evaluation process. In addition, the technology base includes the value derived from providing analyses done with NRC-approved methods.

The research, development, engineering, analytical and NRC review costs comprise a substantial investment of time and money by GEH. The precise value of the expertise to devise an evaluation process and apply the correct analytical methodology is difficult to quantify, but it clearly is substantial. GEH's competitive advantage will be lost if its competitors are able to use the results of the GEH experience to normalize or verify their own process or if they are able to claim an equivalent understanding by demonstrating that they can arrive at the same or similar conclusions.

The value of this information to GEH would be lost if the information were disclosed to the public. Making such information available to competitors without their having been required to undertake a similar expenditure of resources would unfairly provide competitors with a windfall, and deprive GEH of the opportunity to exercise its competitive advantage to seek an adequate return on its large investment in developing and obtaining these very valuable analytical tools.

I declare under penalty of perjury that the foregoing affidavit and the matters stated therein are true and correct to the best of my knowledge, information, and belief.

Executed on this 28th day of July 2010.

James F. Harrison
Vice President, Fuel Licensing, Regulatory Affairs
GE-Hitachi Nuclear Energy Americas LLC

LICENSE AMENDMENT REQUEST TO CHANGE TECHNICAL SPECIFICATIONS IN SUPPORT OF PRNM / ARTS / MELLLA IMPLEMENTATION

Supplemental Corrections of Original Submittal

On page 10 of the Enclosure of the LAR, in section 2.3.4.1, the required number of minimum operable OPRM cells is specified as 24. This value is inconsistent with the value that was provided in the information copy of the TS Bases, Insert D to Bases page 3.3.1.1-6, which lists the required number of OPRM cells as being 25 to support the OPRM Upscale function. The correct value is 25. The corrected statement in LAR section 2.3.4.1 should read (with bold emphasis placed on the change):

The required minimum number of operable OPRM cells is 25 with each cell requiring a minimum of 2 operable LPRMs.

On page 36 of the Enclosure of the LAR, in section 3.7.1, the APRM Neutron Flux - High (Setdown) value is listed in the table as having a Nominal Trip Setpoint (NTSP) value of 18%. With the implementation of the digital PRNM system, a NTSP of 18% would be supported; however, it is Energy Northwest's intent to retain the analog APRM NTSP of 15%. The corrected table in LAR section 3.7.1 should read (with bold emphasis placed on the change):

| APRM / OPRM Function TS Table 3.3.1.1-1 | Name | Nominal Trip Setpoint (NTSP) | Allowable Value (AV) | Analytical Limit (AL) |
|---|---|---|---|---|
| 2.a | APRM Neutron Flux - High (Setdown) | < 15% RTP | ≤ 20% RTP | NA |

LICENSE AMENDMENT REQUEST TO CHANGE TECHNICAL SPECIFICATIONS IN SUPPORT OF PRNM / ARTS / MELLLA IMPLEMENTATION

List of Regulatory Commitments

The following table identifies the regulatory commitments in this document. Any other statements in this submittal intended or planned actions, are provided for information purposes, and are not considered to be regulatory commitments.

COMMITMENT: Training will be conducted on administrative controls (procedures) related to controlling access to the PRNM system and bypass switches.

TYPE (one-time / continuing compliance): X

SCHEDULED COMPLETION DATE: Prior to startup from outage that installs the PRNM modification, (currently planned for spring 2011).