ML022890139

Response to Request for Additional Information Related to CREATS Actuation Instrumentation License Amendment Request

Site: Ginna
Issue date: 10/07/2002
From: Mecredy R, Rochester Gas & Electric Corp
To: Clark R, Document Control Desk, Office of Nuclear Reactor Regulation
Download: ML022890139 (19)
ROCHESTER GAS AND ELECTRIC CORPORATION
Subsidiary of RGS Energy Group, Inc
89 EAST AVENUE, ROCHESTER, N.Y. 14649-0001
585 546-2700

ROBERT C. MECREDY
Vice President Nuclear Operations

October 7, 2002

Mr. Robert L. Clark
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

Subject: Response to Request for Additional Information Related to CREATS Actuation Instrumentation License Amendment Request, R. E. Ginna Nuclear Power Plant, Docket No. 50-244

References:

(1) Letter from R. Clark, NRC, to R.C. Mecredy, RG&E, Subject: Request for Additional Information Regarding R.E. Ginna Nuclear Power Plant (Ginna) License Amendment Request Relating to the Control Room Emergency Air Treatment Actuation Circuitry (TAC No. MB1887), dated August 28, 2002.

(2) September 24, 2002 Public Meeting to Discuss RG&E's Response to Request for Additional Information

Dear Mr. Clark:

In Reference 1, the NRC provided RG&E with a Request for Additional Information (RAI) related to a proposed license amendment request for Ginna Station concerning the Control Room Emergency Air Treatment System (CREATS) actuation instrumentation (LCO 3.3.6). In response to this RAI, a public meeting was held between RG&E and NRC Staff to discuss the proposed response and schedule (Reference 2). The purpose of this letter is to provide the response to the majority of questions documented in Reference 1 (see enclosure). The remaining responses will be submitted by November 1, 2002 as agreed upon at the public meeting.

I declare under penalty of perjury under the laws of the United States of America that I am authorized by RG&E to make this submittal and that the foregoing is true and correct.

Any questions concerning this submittal should be directed to Mark Flaherty, Manager, Nuclear Safety and Licensing at (585) 771-3275.

Executed on October 7, 2002

Very truly yours,

Robert C. Mecredy

Enclosure - Response to NRC Request for Additional Information (RAI) Dated 8/28/02

Attachment 1 - Inovision Qualification Report 950.366
Attachment 2 - DA-EE-2001-009 Electrical Factor Analysis for PCR 99-004
Attachment 3 - RG&E Procurement Specification EE-171
Attachment 4 - Certificate of Conformance / Purchase Orders for Inovision Equipment
Attachment 5 - NUPIC Audit Report No. 17889 of Inovision
Attachment 6 - Listing of Inovision Type 956/956A Ratemeter Users
Attachment 7 - Software Verification and Validation Plan
Attachment 8 - RG&E QA Receipt Inspection Document (QA-07)
Attachment 9 - Vendor Manual
Attachment 10 - Ginna Station Procedures IP-DES-2 and IP-DES-4
Attachment 11 - Syncor QA Manual
Attachment 12 - Ginna Station PSA Review of Radiation Monitoring Circuitry
Attachment 13 - Isolator Information
Attachment 14 - Production Information Bulletin for Firmware Verification and Validation
Attachment 15 - Electrical/Instrumentation Safety-Related Components and Procedures
Attachment 16 - RG&E Electrical Specification EE-100
Attachment 17 - Ginna Station Procedure QA-PES-1
Attachment 18 - RG&E Post Maintenance Test Plans / Procedures
Attachment 19 - Syncor Quality System Procedures

xc:

Mr. Robert L. Clark (Mail Stop O-8-C2)
Project Directorate I
Division of Licensing Project Management
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
One White Flint North
11555 Rockville Pike
Rockville, MD 20852

Regional Administrator, Region I
U.S. Nuclear Regulatory Commission
475 Allendale Road
King of Prussia, PA 19406

U.S. NRC Ginna Senior Resident Inspector

Mr. F. William Valentino, President
New York State Energy, Research, and Development Authority
17 Columbia Circle
Albany, NY 12203-6399

Mr. Paul Eddy
NYS Department of Public Service
3 Empire Plaza
Albany, NY 12223

R.E. Ginna Nuclear Power Plant Response to RAI Dated August 28, 2002
Enclosure, Page 1

Response to NRC Request for Additional Information (RAI) Dated August 28, 2002

The response to the RAI is structured as follows. The items in bold are the questions provided by the NRC in the RAI dated August 28, 2002. A response to each item is then provided by RG&E.

Several of the responses refer to RG&E submittals dated May 3, 2001 and May 3, 2002. Also, the complete response to Questions 1, 8, 9, 16, 25, 28, and 32 will be provided by November 1, 2002 as agreed upon at the September 24, 2002 public meeting.

Many of the questions and responses refer to the vendor associated with the radiation monitor equipment. The vendor is currently known as Syncor Radiation Management and was formerly known as Inovision (Victoreen before then). For the purposes of these responses, the vendor will be primarily referred to as Syncor, with Inovision and Victoreen used as necessary to refer to specific documents that were generated under that company's name.

Finally, the RAI requested that several RG&E procedures be provided. RG&E is providing these procedures for information only. That is, RG&E reserves the right to change and modify these procedures in accordance with the applicable regulation and station quality assurance program.

1. In RG&E's letter dated May 3, 2002, Attachment 1, Section A, Question 2, page 1, RG&E stated: "The radiation monitoring equipment being installed for this modification was procured from Inovision Radiation Measurements and has been qualified to the requirements of EPRI TR-102323-R1." Please provide the test plans, test procedures, and the results of the tests. Which laboratory was used to perform these tests, or was the testing done by Inovision?

Response: The radiation monitoring equipment procured by RG&E has been qualified to the requirements of EPRI TR-102323, Revision 1. This testing was performed by F-Squared Lab in Ohio. The test plans, test procedures, and results of the tests are included in Inovision Qualification Report 950.366 (see Attachment 1). All of the testing passed the EPRI acceptance criteria. However, three exceptions to the EPRI requirements were noted, such that not all test conditions required by the EPRI document were enveloped. Because of these differences, the tests will be updated and a revised qualification report will be issued. These tests will be completed with the revised qualification report submitted by November 1, 2002.

2. In Attachment 1, Section A, Question 4, page 2, RG&E stated: "A simplified failure modes and effects analysis (FMEA) was performed for the new CREATS instrumentation system." Please provide a copy of this simplified FMEA.

Response: A simplified failure modes and effects analysis (FMEA) was performed by RG&E for the new CREATS instrumentation system. Section 7 of Electrical Design Analysis DA-EE-2001-009, included as Attachment 2, is a descriptive evaluation of the electrical design for single failure. The discussion describes the failure modes of the new system and concludes that there are no failures that could prevent both trains from performing their intended safety functions.


3. In Attachment 1, Section B, page 4, RG&E stated: "The digital ratemeter instrumentation being procured.... as equipment qualified as safety related under all of the requirements of both the Inovision and the Ginna Station QA programs. Ginna procurement specification EE-171 requires that the equipment be safety related and shall be supplied in accordance with the requirements of Title 10 of the Code of Federal Regulations (10 CFR 50), Part 50/10 CFR 50, Appendix B." Please provide a copy of EE-171, as well as any Inovision documentation showing that the digital ratemeter instrumentation is designed and manufactured in accordance with the requirements of 10 CFR 50, Appendix B.

Response: RG&E Procurement Specification EE-171 is included as Attachment 3. The Certificate of Conformance (C of C) for the Syncor supplied products is included as Attachment 4. This identifies the compliance of Inovision to 10 CFR 50 Appendix B, in accordance with the RG&E purchase order for this equipment, and in accordance with the referenced Syncor QA Manual, included as Attachment 11. It is noted that Syncor took exception to two requirements in the original Purchase Order: (1) exception to the requirement for Software V&V, and (2) exception to EMI/RFI testing. Those two requirements were covered in later purchase orders that specifically addressed the requirements of Software V&V and EMI/RFI testing (see Attachment 4). Documents confirming that the V&V and EMI/RFI testing meet the identified requirements will be included with the reports that will be submitted by November 1, 2002. Syncor has been audited by NUPIC and the results of the most recent audit are included as Attachment 5.

4. In Attachment 1, Section B, Question 3, page 5, when asked how many of these units were in use, RG&E stated: "The UDR [Universal Digital Ratemeter] has been installed in over 2,000 process and area radiation channels since then. This series of monitoring systems has been provided to fourteen nuclear sites, totaling over 100 channels," and "Ginna Station has 25 units installed that have the 94X series of ratemeters installed with the same or earlier revisions of the same software." This raises several questions.

A. While the basic algorithms may be the same, is the software used in the type 956A the same as used in the type 94X?

B. What hardware and software changes were made going from the type 94X to the type 956A? How were these changes verified, validated, tested, and approved?

C. How many type 956A digital ratemeters are in use at other sites, nuclear and non-nuclear?

Response: As discussed in the September 24, 2002 meeting, historical software development and operating history documentation will not be provided in detail since the Software V&V will address the qualification of the existing equipment. The following answers are provided for background information.

(1) Similar hardware and software design is used for the type 94X and 956A instrumentation. The differences between the models are based on the application of the instrumentation. The 942 model is a process instrument, the 946 model is an ion chamber readout module, and the 956A is a G-M tube readout module. The software configuration for each is based on the requirements for the specific application.

(2) In accordance with the Syncor QA Manual, design and testing was performed for both the 94X and 956A designs in the 1980's. These application specific designs were completed, tested, and approved for product sale in accordance with the QA requirements in effect at the time. Since this time, Syncor has been audited by NUPIC and approved for use in both safety-related and non-safety related applications by a number of utilities in the U.S. In addition, Syncor is performing a verification and validation (V&V) of the software as described in the response to Question #8.

(3) Attachment 6 provides a listing of the locations of use for the type 956 and 956A ratemeters in the world. The 956A has a different front panel and back panel from the model 956 to make it a more convenient product for the user (i.e., the front panel is flat to make it more user friendly and the back panel was modified for ease of installation and maintenance).

5. In Attachment 1, Section B, Question 4, page 5, RG&E stated: "Since 1987, of the 200+ 956A units shipped, approximately twenty have been returned. All but five of the units were returned for recalibration. Of the five units not returned for calibration, four were sales demonstration units and one was incorrectly classified as a repair. This data accurately reflects the field proven reliability of the unit as there is no adverse failure history related to misoperation of the software/firmware. RG&E has performed a search of the nuclear OE database, and found no history of failures of Inovision or Victoreen radiation monitoring equipment that would be applicable to our installation." Does the staff understand correctly that RG&E is stating that there has never been a failure of a type 956A unit?

Response: This is correct (i.e., there is no failure documented in the OE database nor in the Syncor system). Syncor uses procedure QSP-213 (included in Attachment 19) to control nonconforming products identified for incoming, in-process or finished material. QSP-14-01 (included in Attachment 19) describes the process to receive, review, and evaluate customer complaints. These procedures contain requirements to ensure that nonconforming items are identified/documented and that appropriate personnel are involved in the review and disposition, including notification of the utility/customer if required (reference page 9 of NUPIC Audit Number 17889, Attachment 5). The audit found this area to be satisfactory.

6. In Attachment 1, Section B, Question 4, page 5, RG&E stated: "The microprocessor uses standard 54LS logic for timing and system interfaces. Program storage is provided on 32Kb ultraviolet erasable, programmable, read-only memory (EPROM). 8KB random access memory (RAM) is provided for data storage, stack, and operating parameters. A 64 byte electrically erasable, programmable, read-only memory (EEPROM) is provided for long term parameter storage (i.e., set points)."

A. The staff understands that the timing and system interface chips are Mil-Spec, low-powered Schottky TTL type devices. Are the memory chips of the same type?

B. Are the chips soldered in place or in chip carriers? If chip carriers are used, to what degree are they environmentally qualified? (Temperature, humidity, vibration, seismic shock)

C. How is the memory organized?

Response:

A. The memory chips are not the same type as the timing and system interface chips. They are CMOS type devices.

B. The chips are soldered in place and are qualified to the requirements in the RG&E specification EE-171, as documented in Qualification Report 950.366, included as Attachment 1.

C. The memory organization is very simple and is intended to perform only the limited functions required for the applications of the equipment. It is not an object oriented system with multiple functions or tasks running at the same time.

Additional details of the software and firmware design will be included in the Software V&V as noted in Question #8.

7. In Attachment 1, Section B, Question 6, page 6, RG&E stated: "The code was originally developed on a Hewlett-Packard 64000 microprocessor development system, and is written in Motorola 6802 Assembly Language. The software development system has since been transferred to an ASCII text editor on a DOS based PC. The American Arium (formerly American Automation) Development System's assembler and linker are used to generate the absolute executable source files."

A. Was the assembled code from the Motorola and the Arium assemblers compared? What were the differences?

B. How were the American Arium Development System's assembler and linker qualified? Has this previously been reviewed by NRC staff?

Response: As discussed in the September 24, 2002 meeting, historical software development and operating history documentation will not be provided in detail since the Software V&V will address the qualification of the existing equipment. The following answers are provided for background information.

A. The assembled code was compared through functional testing such that the differences are considered minor. For example, the Motorola version used 4 character syntax while the American Arium version used 3 characters. There is no documentation of any specific code comparison tests performed by the vendor.

B. The HP 64100 and American Arium Development System's assembler and linker were commercially available software development tools that were used by machine language code developers when the code was developed. To ensure that the code was assembled, linked, and operated as required, the firmware was subjected to functional testing as required by the factory test procedures. The equipment is qualified by meeting the qualification requirements and passing the factory acceptance testing. We are not aware of any review of the American Arium Development System product by the NRC.

8. In Attachment 1, Section B, Question 6, page 6, RG&E provided an excerpt from a correspondence with Inovision. This excerpt stated: "The software (firmware) is programmed in assembly language, and does not contain an embedded operating system. Upon start up, an initialization routine is run. Once completed, the main program loop, which performs all functions, executes. The main loop calls function specific subroutines (e.g. counts, alarms, analog output, check source, calibration, RS232 communications, display, setpoint entry, etc.) to run each cycle. The system is timed by the Non-Maskable Interrupt (NMI), which is generated from a 4 MHz crystal clock. Four NMI events are generated each second. A hardware watchdog timer is provided. If the watchdog timer is permitted to time out (i.e. the main loop does not complete its cycle and provide a reset output), a MPU Fail condition will occur, causing the FAIL relay to change state and the front panel FAIL LED to illuminate. The Fail relay is wired into the CRHVAC Isolation circuitry so that a FAIL alarm will initiate a Control Room Isolation. The functional operation of the specific monitor functions may be easily verified in the monitor factory acceptance test (FAT)."

The staff does not understand the program flow from this description. Please provide the following documents:

i) a complete software description
ii) whatever was used as a software requirements specification
iii) software flow diagram
iv) description of how interrupts are generated and handled
v) description of how the watchdog operates, how it is set and reset, and the sequence of events if the watchdog timer times out.

The same section referred to a Nuclear Utilities Procurement Issues Committee (NUPIC) Audit. Please provide a copy of that audit report.

Response: RG&E has contracted with Syncor to perform a software Verification and Validation (V&V). The Software V&V Plan for Prom P/N 94095603 GM Area Monitor is included as Attachment 7. This plan also provides an overview of the program flow.

The output of this V&V effort will include:

Software Requirements Specification (SRS)
Software Design Description (SDD)
Software Verification/Validation Test Procedure
Software Verification/Validation Test Report
Software Verification/Validation Matrix
Software Design Review

These documents will also contain a description of the software, flow diagrams, requirements, and the use of interrupts and watchdogs. These will be provided by November 1, 2002. A copy of the latest NUPIC audit is included as Attachment 5.
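As an added illustration, not the vendor's firmware nor anything from the submittal, the following C model reproduces the program structure quoted in Question 8: an initialization routine, a main loop of function-specific subroutines that provides the watchdog reset output when it completes, an NMI time base of four events per second, and a hardware watchdog whose timeout raises an MPU Fail that trips the FAIL relay and initiates control room isolation. The watchdog timeout value, the one-cycle-per-NMI pacing, the count-rate inputs and the isolation-on-high-radiation logic are assumptions; the point it shows is that a hung main loop fails toward isolation instead of silently losing the safety function.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed timing: the main loop runs one cycle per NMI event (four per second,
 * as described), and the hardware watchdog trips if it sees no reset output for
 * more than WATCHDOG_TIMEOUT_TICKS NMI periods. The timeout is a constructed value. */
#define NMI_PER_SECOND         4
#define WATCHDOG_TIMEOUT_TICKS 2

typedef struct {
    uint32_t count_rate;      /* detector count rate (constructed input) */
    uint32_t alarm_setpoint;  /* high-radiation setpoint (constructed input) */
} Inputs;

typedef struct {
    uint32_t ticks_since_reset;  /* hardware watchdog: NMI periods since the last reset output */
    bool     mpu_fail;           /* MPU Fail condition, latched once the watchdog times out */
    bool     fail_relay_tripped; /* FAIL relay has changed state (FAIL LED would be lit) */
    bool     rad_high_alarm;     /* output of the alarms subroutine */
    bool     cr_isolation;       /* demand seen by the CRHVAC isolation circuitry */
    uint32_t cycles_completed;
} Monitor;

/* Initialization routine run once at start up. */
static void init_routine(Monitor *m)
{
    *m = (Monitor){0};
}

/* Two of the function-specific subroutines named in the description. */
static uint32_t sub_counts(const Inputs *in)
{
    return in->count_rate;
}

static bool sub_alarms(uint32_t rate, const Inputs *in)
{
    return rate >= in->alarm_setpoint;
}

/* One pass of the main program loop. Completing the pass is what provides the
 * watchdog reset output; a firmware hang is modelled as this never being called. */
static void main_loop_cycle(Monitor *m, const Inputs *in)
{
    uint32_t rate = sub_counts(in);
    m->rad_high_alarm = sub_alarms(rate, in);
    m->cycles_completed++;
    m->ticks_since_reset = 0;     /* watchdog reset output */
}

/* Hardware that runs regardless of firmware state:
 * watchdog timeout -> MPU Fail -> FAIL relay changes state (latched here by assumption). */
static void hardware_watchdog_tick(Monitor *m)
{
    m->ticks_since_reset++;
    if (m->ticks_since_reset > WATCHDOG_TIMEOUT_TICKS)
        m->mpu_fail = true;
    if (m->mpu_fail)
        m->fail_relay_tripped = true;
}

/* Isolation circuitry: assumed to actuate on a high-radiation alarm or on the FAIL relay. */
static void isolation_logic(Monitor *m)
{
    if (m->rad_high_alarm || m->fail_relay_tripped)
        m->cr_isolation = true;
}

/* Simulate `seconds` of operation. If hang_after_cycle > 0, the main loop stops
 * completing cycles after that many cycles (a stuck subroutine). */
Monitor run_scenario(const Inputs *in, uint32_t seconds, uint32_t hang_after_cycle)
{
    Monitor m;
    init_routine(&m);
    for (uint32_t s = 0; s < seconds; s++) {
        for (int n = 0; n < NMI_PER_SECOND; n++) {
            bool hung = hang_after_cycle > 0 && m.cycles_completed >= hang_after_cycle;
            if (!hung)
                main_loop_cycle(&m, in);
            hardware_watchdog_tick(&m);
            isolation_logic(&m);
        }
    }
    return m;
}

int main(void)
{
    Inputs normal = { .count_rate = 50,   .alarm_setpoint = 1000 };
    Inputs high   = { .count_rate = 5000, .alarm_setpoint = 1000 };

    Monitor a = run_scenario(&normal, 10, 0);   /* healthy, below setpoint */
    Monitor b = run_scenario(&high,   10, 0);   /* healthy, above setpoint */
    Monitor c = run_scenario(&normal, 10, 8);   /* firmware hangs after 2 s */

    printf("normal:   fail=%d isolation=%d cycles=%u\n", a.mpu_fail, a.cr_isolation, a.cycles_completed);
    printf("high rad: fail=%d isolation=%d alarm=%d\n", b.mpu_fail, b.cr_isolation, b.rad_high_alarm);
    printf("hung:     fail=%d relay=%d isolation=%d cycles=%u\n",
           c.mpu_fail, c.fail_relay_tripped, c.cr_isolation, c.cycles_completed);
    return 0;
}
```

In the hung scenario the loop stops after eight cycles, the watchdog sees no reset for three NMI periods, and isolation is demanded with the count rate still below the setpoint; that is the fail-safe property the FAIL relay wiring provides.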

9. In Attachment 1, Section B, Question 8, page 7, RG&E stated: "The code was developed prior to the application of a formal validation and verification program. The code was manually verified and tested by the developer. Those records are not available." What assurance is there that the code is well written, contains no unused code, and is deterministic in nature? How is the licensee able to determine that the software will function correctly in all circumstances? Has any reverse engineering been done to verify that the original developer did a good job?

Response: The model 956 was originally designed, built, and tested in 1985 to meet 10 CFR 50 Appendix B requirements in accordance with the Victoreen QA Manual. Since then, over 200 model 956 units have been installed and operated over three million hours.

As described in the response to Question #8, a software V&V will be performed to provide assurance that the software meets the requirements for 10 CFR 50 Appendix B and RG&E requirements for installation as a digital upgrade. This V&V program also serves, in lieu of reverse engineering, to qualify the product following the EPRI guidelines.

10. In Attachment 1, Section B, Question 9, page 7, RG&E stated: "Final hardware testing is the Loop Test LT956A/897A-21X included in the System Manual issued with the equipment. This procedure tests the entire channel using operating firmware and a multi-rate portable radiation source to trip alarms, drive analog outputs, verify over/under and loss of count modes. Additional tests for UDR hardware and memory using diagnostic firmware, and factory multi-point range calibration of the GM detector for linearity have been provided to Ginna. Additional contract-specific testing is documented in Qualification Report 950.366. These tests include energy dependency, detector stability over contract temperature range requirements, tube plateau and repeatability. Consistent with IEEE 7-4.3.2, this testing was performed with the computer functioning with software and diagnostics that are representative of those used in actual operation, and all portions of the computer necessary to accomplish the safety function were exercised during testing." This does not describe how the hardware was tested during design and implementation, or first article testing. Please provide copies of the test documentation used at the time of design.

In addition, please provide:

i) The test plan and procedures for Loop Test LT956A/897A-21X
ii) The System Manual
iii) Qualification Report 950.366
iv) Operators Instruction Manual, RG&E Purchase Order 4500008671

In the same section, RG&E stated: "This testing of the hardware was performed by Inovision as part of the procurement process, and has been submitted to Ginna as part of the qualification documentation in the Operators Instruction Manual, RG&E Purchase Order 4500008671. These documents have been transmitted to RG&E, and have been reviewed for acceptance by engineering. A written test plan was used and reviewed by RG&E for acceptability." Please provide the written test plan and the RG&E review of that test plan.

Response: Attachment 1 provides a copy of Qualification Report 950.366. Attachment 9 is the Syncor vendor manual issued with the equipment. The manual contains the following:

The test procedures for loop test LT956A/897A-21X
The System Manual
The Operators Instruction Manual, as called for in RG&E Purchase Order 4500008671
Written factory acceptance test procedures. These procedures and completed factory acceptance test results were reviewed, and testing witnessed, by RG&E as documented on form QA-07, Attachment 8.

11. In Attachment 1, Section B, Question 10, page 8, RG&E stated: "The device contains jumpers that can be moved to select different operating modes for output functions. These jumpers and their functions are described in the vendor manual. All of these functions were reviewed and selected appropriately for the output functions desired for this design and incorporated into the design change package, which receives engineering independent review and verification. Changes to these jumpers cannot be made without following the appropriate design change process, per Ginna procedure IP-DES-2, 'Plant Change Process'." Please provide the vendor manual and Ginna procedures IP-DES-2 and IP-DES-4.

Response: As requested, the vendor manual is included in Attachment 9. Ginna Station procedures IP-DES-2 and IP-DES-4 are included in Attachment 10.

12. In Attachment 1, Section B, Question 11, page 8, RG&E was asked about vendor configuration control. The answer provided only discussed firmware code listings. Please state what configuration control the vendor has for both hardware and software, and if Ginna decides to buy a replacement device in 5 years, what assurance do they have that the new device will be the same as the old device? If it is different, how will Ginna know what the differences are?

In the same section, RG&E discussed EPROM part numbers. Do these part numbers have a revision level, and if so, what changes trigger a new revision level? Is it possible to make minor changes or corrections in the firmware without triggering a part number or revision level change? RG&E stated: "The specific EPROM part number and, if necessary, the revision originally supplied may be reproduced from our controlled source files." Does RG&E have the ability to burn or program these EPROMs?

Response: Syncor has a design control program that documents, by Engineering Change Notice (ECN), changes and upgrades for both hardware and software in accordance with their QA Manual (Syncor procedure QSP-205, included in Attachment 19). This procedure has controlled the product development and issue over the past 20 years. The Syncor QA Manual is included as Attachment 11.

The EPROM is controlled at a revision level and the ECN procedure covers all changes to the software. There is a new release and a part number change to address each change. RG&E does not have the equipment to perform these changes, including burning EPROMs.

13. In Attachment 2, paragraph 4.9, page 12 of 30, RG&E stated: "The appropriate reliability level requirements for this safety function have been determined by reviewing the operating requirements and comparing them to the criticality of operation of the safety function with respect to time and consequences." What was the appropriate reliability level determined to be? Please provide any documentation generated during this determination.

Response: The quoted sentence from section 4.9 is the introduction to the paragraphs that follow, the intent of which is to address IEEE 603 section 4.9. The actual review that was performed was primarily based on qualitative insights. RG&E did not define any specific, quantitative reliability values. Instead, RG&E used a combination of a review of the overall system design, a PSA review, and the equipment's operating history in the industry. The PSA review is included as Attachment 12. The Software V&V documents will provide software quality assurance in lieu of specific quantitative reliability values.

14. In Attachment 2, paragraph 4.9.1, page 12 of 30, RG&E stated: "A Probabilistic Safety Assessment (PSA) review of the modification design has been conducted to quantify the potential for a failure to impact the risk of release of fission product." Please provide a copy of this Probabilistic Safety Assessment.

In the same section, RG&E stated: "The resultant probability of failure to perform the intended safety function is 1.93E-4. This probability is acceptable when consideration is given to the low frequency of expected need combined with the ability of the operators to mitigate the consequential conditions with a manual initiation if the failure were to occur." This value of 1.93E-4 is also discussed in Section 5.15.1. Please provide a copy of the calculations which were used to determine this value. The staff is particularly interested in how the software failure and software common mode failure values were determined. The staff is also interested in the logic used to determine that this value is acceptable.

Response: The PSA Review of the CREATS actuation is provided in Attachment 12.

The values used in determining software failure and common cause were generated using a beta factor of 0.025 associated with the component having the highest failure rate (radiation element). The primary purpose of this PSA review was to confirm the system's simplicity.

15. In Attachment 2, paragraph 4.9.2, page 12 of 30, RG&E stated: "Factory testing of the units is extensive and documented in the Inovision Radiation Measurements Control Room Intake Radiation Monitors Operator's Instruction Manual provided via Inovision Shop Order number S157033. This testing was performed over a wide range of input conditions, specifically testing the digital components extensively. Test data for the units for this modification are included in the vendor manual." Please provide copies of:

i) Inovision Radiation Measurements Control Room Intake Radiation Monitors Operator's Instruction Manual
ii) Inovision Shop Order number S157033
iii) The vendor manual

Response: This information is included in Attachment 9.

16. In Attachment 2, paragraph 4.9.2, page 12 of 30, RG&E stated: "The Inovision Appendix B program has been audited by NUPIC (see Audit ID no: 17889) to verify...." Please provide a copy of the NUPIC audit report.

In the same section, RG&E stated: "It was noted in this report that Inovision did not process any non-conformance pertaining to Firmware or EPROMs since the last NUPIC audit." Does this mean that no non-conformance reports were received, or that they were received but not processed? Is there a requirement for users to provide non-conformance reports?

Response: The NUPIC audit found the vendor's nonconformance process to be acceptable (refer to Question 5). The audit stated that the vendor had not received any nonconformance reports regarding Firmware or EPROMs. However, the vendor's procedures would have adequately controlled them if any were received. Only those customers specifically addressed by 10 CFR Part 21 are required to report nonconformances to the vendor. The NUPIC statement means that no non-conformance reports were received. Users are not required to provide non-conformance reports, but are encouraged to report operation or performance issues that affect customer satisfaction.

Syncor is currently reviewing their records for additional reliability feedback from customers. This will be provided by November 1, 2002.

17. In Attachment 2, paragraph 5.1, page 14 of 30, RG&E stated: "The proposed safety system will perform all required safety functions for a design basis event in the presence of (1) any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures; (2) all failures caused by the single failure; and (3) all failures and spurious system actions which cause or are caused by the design basis event requiring the safety functions." Was common mode software failure considered when RG&E made this determination?

Response: Common mode software failures were not specifically considered. The quality and design processes, including the new V&V program, were determined to provide reasonable assurance that the likelihood of failure due to software is sufficiently low. Also, the design of the system is relatively simple. There are no shared databases or common inputs. Finally, since the system is not considered part of the reactor protection system or ESFAS, diversity and defense-in-depth are not normally required, in accordance with NUREG 0800, Standard Review Plan, Chapter 7.

18.

In Attachment 2, paragraph 5.1.1.5, page 15 of 30, RG&E stated: "Mounting of all redundant components in the same structures (such as both detectors in the duct, both trains of logic in Auxiliary Benchboard, both trains of conduit sharing conduit supports) has been performed in a manner to preclude a single component failure (mounting bolt, etc.)from causing both trains to fail, including design basis seismic events." Did this determination take missile hazard into account?

Response: Yes, see section 4.9 of the referenced response as copied below.

The equipment has been specified, designed, and installed in a configuration and in locations that will not result in the degradation of safety system performance for any conditions described in the UFSAR for the applicable design basis events listed in section 4.1. All appropriate design provisions have been incorporated to retain the capability for performing the safety functions required for those events.

Other events (such as fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in a non-safety system, or missiles and pipe breaks not listed in section 4.1) either do not degrade the system or do not result in a condition that will require the system to perform its safety function.

Specifically, the ratemeters, control circuitry, and electrical power are all installed inside of the Control Building, which is not subject to missile hazard. Components in the Turbine Building (the detectors and associated cable) if damaged by a missile will fail in a manner that a control room isolation will be initiated.

19.

In Attachment 2, paragraph 5.1.2.1, page 15 of 30, RG&E makes reference to "independent qualified 1E optical isolators." Please provide detail on the type and qualification of the isolators.

Response: The Class 1E isolators were ordered from NUS Instruments, which is an Appendix B supplier. These analog isolators are designed to perform the isolation functions specified by IEEE-384-1981. The isolators were purchased safety-related and meet the Class 1E qualification requirements of IEEE-323-1974/1983 and the seismic qualification requirements of IEEE-344-1975/1987. Attachment 13 contains the purchase order for this equipment that documents the qualification requirements of the isolators, and that the supplier be qualified to 10 CFR 50 Appendix B. Attachment 13 also includes the operation and maintenance manual that contains some design detail on the isolators.

20.

In Attachment 2, paragraph 5.1.2.2, page 15 of 30, RG&E stated: "These signals and power to the toxic gas power supplies are all isolated from the safety related portion of the design by qualified fuses." Please explain how fuses provide signal isolation.

Response: As stated in 5.2.2.2 of the IEEE 603 review document (Attachment 2 to the May 3, 2002 response), the "signals" from the toxic gas system are contact outputs that are wired in series with the 120 VAC control logic. These are not instrumentation signals. Fuses are acceptable isolation devices for use in 120 VAC control circuits.

21.

In Attachment 2, paragraph 5.1.4, page 16 of 30, RG&E stated: "The vendor has provided a document citing the extensive use of these digital products throughout the industry and the high reliability of the equipment. Inovision has provided a summary of the product's operating history, stating that the digital firmware has been an extremely reliable product, with a large installed base and extensive control over any changes that have been incorporated." Please provide a copy of the vendor supplied document.

Response: The document referred to is Product Information Bulletin, Victoreen Model 94X Digital Ratemeter, "Firmware Verification and Validation," included as Attachment 14. The Software V&V will provide the qualification for this product as it is used at Ginna for this modification.

22.

In Attachment 2, paragraph 5.3.1, page 17 of 30, RG&E stated: "This modification installs a limited number of new components. All components required to maintain the safety functions and maintain independence for the installation were procured safely related from qualified vendors, or were commercial grade dedicated by the controls of the Ginna Quality Assurance Program." Please provide a list of which electrical/instrumentation components were purchased as safety-related, and which were dedicated by Ginna. Include the source of the components, and for the dedicated components, how they were dedicated.

Response: Attachment 15 lists the safety-related electrical/instrumentation components and those which were qualified for this modification. All of the equipment was provided safety related by qualified vendors or was dedicated by RG&E utilizing the processes specified in RG&E procedures IP-PES-2 and A-405, included as Attachment 15.

23.

In Attachment 2, paragraph 5.3.2, page 17 of 30, RG&E stated: "The isolation relays have been procured as safety related from a qualified supplier. Fuses and fuse blocks for isolation, independence, and protective functions have been procured commercial grade but have been dedicated via a controlled, approved process as described in Ref. 2.18 electrical specification EE-100." Please provide a copy of electrical specification EE-100.

Response: Electrical Specification EE-100 is provided in Attachment 16.

24.

In Attachment 2, paragraph 5.3.3, page 18 of 30, RG&E stated: "RG&E implements a vendor oversight program to monitor vendor's quality control for safety related products. This program falls under 10 CFR 50 Appendix B Criterion VII which requires us to establish specific measures to assure that purchased material, equipment and services conform to procurement documents. Nuclear Assessment Procedure QA-PES-1 describes the methods used by Quality Assurance in evaluating a supplier's capability to be considered as a qualified Safety-Related, 10 CFR 50 Appendix B supplier, or as a qualified Commercial Grade Supplier, and the methods to be used for their periodic requalification." Please provide a copy of Nuclear Assessment Procedure QA-PES-1.

Response: Procedure QA-PES-1 is provided in Attachment 17.

25.

In Attachment 2, paragraph 5.3.4, page 18 of 30, RG&E stated: "The software was developed prior to existing requirements, therefore, no development tracking or formal verification and validation documentation has been developed. IEEE 7-4.3.2 Annex D provides guidance on addressing qualification of computers that were not developed per this standard. The objective of this qualification is to determine, with reasonable assurance, that the item being qualified satisfies the requirements necessary to accomplish the safety function. This involves identifying the safety functions that the computer must perform, identifying the characteristics the computer must possess in order to accomplish the safety functions, and demonstrating that the characteristics are acceptably implemented. The documentation that provides that assurance is provided on the Product Information Bulletin. In summary, the combination of actual operating experience in commercial and nuclear facilities, control of the firmware and changes, and functional testing that replicates the actual conditions and safety functions that must be performed, combine to provide adequate evidence that the unit will perform as designed." IEEE 7-4.3.2 Annex D is informative only, and is not a part of the approved standard. Nevertheless, Section D.2.3.2 on Software states that "An evaluation should be performed to show that the functional and performance requirements and ACEs identified in D.2.2.2 have been complied with and resolved.

This may require performance of special tests, performance of certain V&V activities, evaluation of published vendor specifications, or reliance on documented operating experience that is similar to the manner in which the computer will be used in the nuclear power generating station." Was this done? If so, please provide the analysis and other data. In addition, please:

A.

Identify the safety functions the computer must perform

B.

Identify the characteristics the computer must possess in order to accomplish the safety functions

C.

Demonstrate that the characteristics are acceptably implemented

Please provide whatever documentation exists which considers these items, identifies the safety functions, characteristics of the computer, and shows they are acceptably implemented.

EPRI TR-106439, Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications, also addresses dedication of commercial software. Section 4.2, when discussing dependability characteristics, states:

"This is the category in which dedication of digital equipment differs the most from that of other types of components. It addresses attributes that typically cannot be verified through inspection and testing alone and are generally affected by the process used to produce the device. A key issue is that hardware failures are typically associated with fabrication defects, aging and wear-out, but software does not wear out. If there is a problem in the software that degrades the dependability of a device, it reflects a design error that was built into the device, or a mismatch between the application requirements and the device design.

In traditional dedications of mechanical and electrical equipment, dependability issues have been treated within the supplier's QA program and have been delineated in the commercial grade survey or source inspection plan.

Due to the increased importance of these built-in attributes to a digital device, this document has defined these attributes as critical characteristics to ensure that they are adequately addressed and documented during the dedication process. Although this may be viewed as a departure from traditional procurement and dedication practices, the end result is considered compatible with current industry practices."

Table 4-1 shows methods of verification of critical characteristics, including dependability. Has this, or a similar method been used? If so, please provide the appropriate documentation.

Response:

A.

The safety function of the computer is to read data, determine when the setpoint is reached, and change the output state of a contact to initiate CREATS isolation.

B.

The computer characteristics will be addressed by the software V&V described in the response to Question #8.

C.

The verification that the computer characteristics are acceptably implemented will be addressed by the software V&V described in the response to Question #8.

26.

In Attachment 2, paragraph 5.4.2, page 19 of 30, RG&E stated: "None of the equipment installed for this modification is dependent on any environmental control system in order to perform any safety function." In the past, the staff has found that electronic equipment has environmental requirements concerning temperature and humidity for the equipment to work properly. Will the installed equipment function correctly in all possible temperature and humidity conditions in the worst-case postulated accident? What are the vendor's listed temperature and humidity limitations?

Response: The equipment was specified in EE-171 to meet the environmental conditions required for the location of installation as described in the Ginna UFSAR. The vendor supplied documentation demonstrates that the equipment meets those specifications.

These values are listed in Table I of the IEEE 603 review document submitted previously (May 3, 2002 submittal). Specifically:

Control Room - digital ratemeter location: Ratemeters are qualified to 104 degrees F, 60% relative humidity.

Air Intake Duct - detector location: Detectors are qualified to -10 to 122 degrees F, 0 - 100% relative humidity.

The vendor qualification report is included as Attachment 1.

27.

In Attachment 2, paragraph 5.4.3, page 19 of 30, RG&E stated: "Specification EE 171 specifically requires that the instrumentation in the modification, provided by Inovision, be qualified to meet the requirements of EPRI TR-102323, "Guidelines for Electromagnetic Interference Testing in Power Plants" to demonstrate that the equipment is qualified to operate in an environment with EMI and electrostatic discharge concerns. Inovision has provided documentation demonstrating compliance with the requirements of this EPRI document with respect to EMI/RFI qualification."

Please provide a copy of the Inovision provided documentation.

Response: The vendor qualification report is included as Attachment 1. A revised report will be issued by November 1, 2002 as stated in Question 1 to address discrepancies.

28.

In Attachment 2, paragraph 5.4.5, page 20 of 30, RG&E stated: "IEEE 7-4.3.2 has additional requirements for this section of IEEE 603. Equipment qualification testing shall be performed with the computer functioning with software and diagnostics that are representative of those used in actual operation." Please provide information showing the diagnostics coverage of the computer functions.

Response: This is answered by V&V program documents discussed in the response to Question #8.

29.

In Attachment 2, paragraph 5.5.2, page 20 of 30, RG&E stated: "Post-modification testing has been structured to demonstrate that system response will be adequate in the configuration installed in the plant, in both active and bypass modes." Please provide copies of the test plan and test procedures for the post-modification testing.

Response: The post-modification test plans and test procedures are provided in Attachment 8. This attachment contains sections of the PCR issued for construction that specify the Test Instructions, which are the engineering test plans. Also included in the attachment are procedures SM-99-004.1 and SM-99-004.2, which are the station modification procedures used to implement the PCR. Sections of those procedures contain the post-modification testing.

30.

In Attachment 2, paragraph 5.5.3, page 21 of 30, RG&E stated: "Failure of digital hardware or software of the system in the ratemeters will not inhibit manual initiation of protective functions. This is evident in attachment 2 wiring diagram that shows the manual isolation pushbutton contacts in series with ratemeter outputs so that if ratemeter outputs failed to the closed contact position, a manual initiation would still drop out the isolation relays and the system would perform its function." From the data provided by RG&E, it appears that the operators will know to manually isolate the system based upon the digital displays mounted in the control room. It also appears that the digital displays receive the radiation level data from the digital ratemeters. What backup is available if the digital ratemeters fail?

Response: As described in the response to Question #17, since the system is not considered part of the reactor protection system or ESFAS, diversity and defense-in-depth are not normally required. Additional indication and plant staff actions are part of the Ginna operation if this equipment is not available, but these actions are not committed to by this response.

31.

In Attachment 2, paragraph 5.6.1, page 21 of 30, RG&E stated: "A review of the design of the electrical systems associated with the proposed design has been performed to demonstrate that compliance with the requirements of IEEE Std 384, 'IEEE Standard Criteria for Independence of Class 1E Equipment and Circuits'."

Please provide a copy of that design review.

Response: The electrical design was reviewed in electrical engineering design analysis DA-EE-2001-009 (Attachment 2). A complete description of the compliance with IEEE 384 is within the text of section 5.6.1 through 5.6.4 of the IEEE 603 compliance document attachment to the May 3, 2002 submittal.

32.

In Attachment 2, paragraph 5.15.2, page 27 of 30, RG&E stated: "Inovision has provided evidence that this product has adequate operating history and error tracking to demonstrate design reliability, and that Inovision QA engineering control and testing provides assurance that the specific units shipped to Ginna for this application will meet the operating requirements with the same levels of reliability." Please provide a copy of this evidence. The staff is particularly interested in the requirements for non-regulated industrial users to report operating history and failures.

Response: See response to Question #16.

33.

In Attachment 2, paragraph 6.1, page 27 of 30, RG&E stated: "The digitally-based portion of the automatic actuation circuitry has also been evaluated for real-time performance with respect to the systems requirements in these design analyses and found appropriate for the system to perform its functions." Please provide the evaluation which shows the required system response time, the system response time, and the method of determining the system response time. How will this response time be tested in the future?

Response: The required system response time is based on the dose analysis assumption of the accident cloud entering the control room for 30 seconds at the beginning of the event.

The analysis is very conservative in that the transit time of the cloud from the detector to the isolation dampers is approximately 40 seconds. The system response time is described in Section 7.3 of setpoint analytical limit calculation analysis DA-EE-2001-013, which was provided in the May 3, 2001 submittal as Enclosure 2. The total system response time testing (from actuation to isolation) is normally performed as part of the Technical Specification required surveillance testing of the Control Room Emergency Air Treatment System (SR 3.7.9.3).

34.

In Attachment 2, paragraph 6.5.1, page 28 of 30, RG&E stated: "Any anomalies are immediately evaluated to explicit criteria for operability." What are these criteria?

Response: These monitors will be calibrated with RG&E procedures that utilize data sheets to document various channel parameters. These data sheets require documenting "As Found" values and specify the allowable tolerances for these values. If any of these "As Found" values are outside of the required tolerances, the anomaly is procedurally required to be documented via the Ginna Station corrective action process. The corrective action process requires these types of setpoint problems to be assessed for their impact on equipment operability. The acceptance criteria are based on calibration limits determined in the Setpoint Verification design analysis DA-EE-2000-009 (May 3, 2001 submittal, Enclosure 1).

35.

In reference to Ginna procedure EP-3-S-505, "Instrument Setpoint/Loop Accuracy Calculation Methodology," not all versions of ANSI/ISA-67.04 and RG 1.105 require that setpoints meet a 95/95 confidence level. Ginna did not provide the publication dates or revision levels for the ANSI/ISA-67.04.01 and ANSI/ISA-RP67.04.02 standards, and for RG 1.105, which were used to develop the Ginna setpoint calculation methodology (procedure EP-3-S-505). Please provide the publication dates or revision levels of the standards used, and confirm that the setpoint calculation methodology meets the 95/95 confidence level requirement.

Response: This question is being addressed by the NRC review associated with the license amendment request to revise safety limits and instrumentation setpoints (see RG&E letter dated April 9, 2002).

36.

In Attachment 2, paragraph 4.0, page 4 of 30, RG&E stated: "The modified system has been designed to function for the following events and resulting operating conditions: Large Break Loss-of-Coolant Accident, Small Break Loss-of-Coolant Accident, Rod Ejection Accident, Steam Generator Tube Rupture Accident, Steam Line Break Accident, Fuel Handling Accident, and Tornado Missile in Spent Fuel Pool."

Per RG&E's design calculations, DA-EE-2001-013 R0, "Control Room Radiation Monitors Analytical Limit Calculation," the analytical limit for the CREATS radiation monitors was calculated based on the release expected from a worst-case design basis loss-of-coolant accident (LOCA). In developing the radiation monitor analytical limit:

1.

Were any evaluations or analyses performed to determine the limiting source term and radiological releases the radiation monitors would be exposed to?

2.

Are the radiation monitors capable of detecting the releases from the non LOCA accidents listed above and is the CREATS response time within the time assumed in the radiological analysis?

Response:

As detailed in design analysis DA-EE-2001-013 (May 3, 2001 submittal, ), the setpoints were calculated by determining the allowable dose to control room operators per GDC 19. That is, given the dose limit over 30 days as specified by GDC 19, a setpoint could be determined for the area radiation monitors. In this manner, no matter what accident occurred, if the resulting dose rate over 30 days would cause the dose to control room operators to exceed the GDC limit, control room isolation would occur. Accidents with larger source terms (e.g., LOCAs and fuel handling accidents) would have a rapid control room isolation. Accidents with smaller source terms (e.g., SGTR, steam line breaks) would have control room isolation only if the dose rate, as averaged over 30 days, would cause GDC 19 to be exceeded. Finally, Ginna Station procedures require isolation of the control room during tornado watch conditions.