ML032060024
| Person / Time | |
|---|---|
| Site: | Ginna |
| Issue date: | 08/29/2003 |
| From: | Clark R NRC/NRR/DLPM/LPD1 |
| To: | Mecredy R Rochester Gas & Electric Corp |
| Clark R, NRR/DLPM, 415-2297 | |
| References: | TAC MB1887 |
Text
August 29, 2003
Dr. Robert C. Mecredy
Vice President, Nuclear Operations
Rochester Gas and Electric Corporation
89 East Avenue
Rochester, NY 14649
SUBJECT: R. E. GINNA NUCLEAR POWER PLANT - AMENDMENT RE: CONTROL ROOM EMERGENCY AIR TREATMENT SYSTEM ACTUATION INSTRUMENTATION CHANGE (TAC NO. MB1887)
Dear Dr. Mecredy:
The Commission has issued the enclosed Amendment No. 83 to Facility Operating License No. DPR-18 for the R. E. Ginna Nuclear Power Plant. This amendment is in response to your application dated May 3, 2001, as supplemented August 7, 2001, October 29, 2001, May 3, 2002, October 7, 2002, November 5, 2002 and June 6, 2003.
The amendment revises the Improved Technical Specifications to reflect design changes to the actuation circuitry associated with the Control Room Emergency Air Treatment System. The proposed design changes consist of replacing the current radiation monitors with two Geiger-Mueller tubes powered from two independent safety-related power supplies which are then configured into two redundant actuation logic trains. The actuation logic trains utilize safety-grade digital instrumentation which meets Class 1E safety system requirements.
A copy of the related Safety Evaluation is also enclosed. A Notice of Issuance will be included in the Commission's biweekly Federal Register notice.
Sincerely,
/RA/
Robert Clark, Project Manager, Section 1
Project Directorate I
Division of Licensing Project Management
Office of Nuclear Reactor Regulation
Docket No. 50-244
Enclosures:
- 1. Amendment No. 83 to License No. DPR-18
- 2. Safety Evaluation
cc w/encls: See next page
ADAMS Accession Numbers:
Package Number: ML, Amendment: ML032060024, TS(s): ML
\*See previous concurrence

| OFFICE | PDI-1\\PM | PDI-1\\LA | EEIB-A/SC\* | SPSB/SC\* | RORP | DIPM |
|---|---|---|---|---|---|---|
| NAME | RClark | SLittle | EMarinos | RDennig | SE provided | SE provided |
| DATE | 8/29/03 | 8/29/03 | 8/7/03 | 07/31/03 | 01/30/02 | 09/16/01 |

| OFFICE | SPLB | EEIB-B | OGC\* | PDI-1\\SC |
|---|---|---|---|---|
| NAME | SE provided | SE provided | RWeisman | RLaufer |
| DATE | 07/10/01 | 11/14/01 | 8/28/03 | 8/29/03 |

OFFICIAL RECORD COPY
DATED: August 29, 2003
AMENDMENT NO. 83 TO FACILITY OPERATING LICENSE NO. DPR-18 GINNA NUCLEAR POWER PLANT
DISTRIBUTION: PUBLIC; PDI-1 R/F; RLaufer; OGC; GHill (2); WBeckner; ACRS; BPlatchek, RI; RClark; SLittle; MReinhart; EMarinos; PLoeser; PRebstock; MHart; MWaterman; DNguyen
cc: Plant Service list
R.E. Ginna Nuclear Power Plant
cc:
- Kenneth Kolaczyk, Sr. Resident Inspector, R.E. Ginna Plant, U.S. Nuclear Regulatory Commission, 1503 Lake Road, Ontario, NY 14519
- Regional Administrator, Region I, U.S. Nuclear Regulatory Commission, 475 Allendale Road, King of Prussia, PA 19406
- Mr. William M. Flynn, President, New York State Energy, Research, and Development Authority, 17 Columbia Circle, Albany, NY 12203-6399
- Charles Donaldson, Esquire, Assistant Attorney General, New York Department of Law, 120 Broadway, New York, NY 10271
- Daniel F. Stenger, Ballard Spahr Andrews & Ingersoll, LLP, 601 13th Street, N.W., Suite 1000 South, Washington, DC 20005
- Ms. Thelma Wideman, Director, Wayne County Emergency Management Office, Wayne County Emergency Operations Center, 7336 Route 31, Lyons, NY 14489
- Ms. Mary Louise Meisenzahl, Administrator, Monroe County Office of Emergency Preparedness, 1190 Scottsville Road, Suite 200, Rochester, NY 14624
- Mr. Paul Eddy, New York State Department of Public Service, 3 Empire State Plaza, 10th Floor, Albany, NY 12223
ROCHESTER GAS AND ELECTRIC CORPORATION
DOCKET NO. 50-244
R. E. GINNA NUCLEAR POWER PLANT
AMENDMENT TO FACILITY OPERATING LICENSE
Amendment No. 83
License No. DPR-18
1. The Nuclear Regulatory Commission (the Commission or the NRC) has found that:
A. The application for amendment filed by the Rochester Gas and Electric Corporation (the licensee) dated May 3, 2001, as supplemented August 7, 2001, October 29, 2001, May 3, 2002, October 7, 2002, November 5, 2002, and June 6, 2003 complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;
B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;
C. There is reasonable assurance: (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations;
D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and
E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.
2. Accordingly, the license is amended by changes to the Technical Specifications as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Facility Operating License No. DPR-18 is hereby amended to read as follows:
(2) Technical Specifications
The Technical Specifications contained in Appendix A, as revised through Amendment No. 83, are hereby incorporated in the license. The licensee shall operate the facility in accordance with the Technical Specifications.
3. This license amendment is effective as of the date of its issuance and shall be implemented within 30 days of the date of issuance.
FOR THE NUCLEAR REGULATORY COMMISSION
/RA/
Richard J. Laufer, Chief, Section 1
Project Directorate I
Division of Licensing Project Management
Office of Nuclear Reactor Regulation
Attachment: Changes to the Technical Specifications
Date of Issuance: August 29, 2003
ATTACHMENT TO LICENSE AMENDMENT NO. 83
FACILITY OPERATING LICENSE NO. DPR-18
DOCKET NO. 50-244
Replace the following pages of the Appendix A Technical Specifications with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

| Remove | Insert |
|---|---|
| 3.3.6-1 | 3.3.6-1 |
| 3.3.6-2 | 3.3.6-2 |
| 3.3.6-3 | 3.3.6-3 |
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 83 TO FACILITY OPERATING LICENSE NO. DPR-18 ROCHESTER GAS AND ELECTRIC CORPORATION R. E. GINNA NUCLEAR POWER PLANT DOCKET NO. 50-244
1.0 INTRODUCTION
By letter dated May 3, 2001, (ADAMS Accession No. ML011280171), as supplemented by letters dated August 7, 2001, (ADAMS Accession No. ML012270396), October 29, 2001, (ADAMS Accession No. ML020230159), May 3, 2002, (ADAMS Accession No. ML021300208), October 7, 2002, (ADAMS Accession No. ML022890139), November 5, 2002, (ADAMS Accession No. ML023220246), and June 6, 2003, (ADAMS Accession No. ML031690033), the Rochester Gas and Electric Corporation (RG&E or the licensee) submitted a request that would change the R. E. Ginna Nuclear Power Plant Improved Technical Specifications (ITS) to reflect design changes to the actuation circuitry associated with the Control Room Emergency Air Treatment System (CREATS). The proposed design changes consist of replacing the current radiation monitors with two Geiger-Mueller (GM) tubes powered from two independent safety-related power supplies which are then configured into two redundant actuation logic trains. The actuation logic trains would use safety-grade digital instrumentation. As a result of the proposed design changes, the licensee requested that the following changes be made to limiting condition for operation (LCO) 3.3.6:
- The completion time of the required action for a loss of one channel/train would be extended from 1 hour to 7 days as a result of installing redundant channels/trains.
- A new condition would be added for the loss of two channels/trains with an immediate completion time for the required action.
- A new surveillance would be added to require a CHANNEL CHECK of the control room radiation intake monitors once every 12 hours.
- Table 3.3.6-1 would be revised to replace the column heading "Trip Setpoint" with "Allowable Value."
- Table 3.3.6-1 would be revised to increase the number of trains of manual initiation and automatic actuation logic and actuation relays from one train to two trains.
- Table 3.3.6-1 would be revised to remove reference to the iodine, noble gas, and particulate control room radiation intake monitors. These radiation monitors would be replaced by two new GM tubes. This change would also include the allowable value for the trip setpoint for the new radiation monitors.
The letters referenced above provided clarifying information that did not change the scope of the amendment, as described in the original notice, and did not change the initial proposed no significant hazards consideration determination.
2.0 REGULATORY EVALUATION
NUREG-0800, the U.S. Nuclear Regulatory Commission (NRC) Standard Review Plan (SRP), Revision 4, dated June 1997, defines the acceptance criteria for this review. Specifically, Section 7 of the SRP addresses the requirements for instrumentation and control (I&C) systems in light-water nuclear power plants. The procedures for review of digital systems appear principally in SRP Appendices 7.0-A, 7.1-A; Sections 7.1, 7.8, and 7.9; and Branch Technical Positions (BTPs) HICB-14, HICB-17, and HICB-21. SRP Appendix 7.1-C and Sections 7.2 through 7.7 provide additional criteria that the staff applied in the review.
The suitability of a digital platform for use in safety systems depends on the quality of its components, design quality, and system implementation aspects such as real-time performance, independence, and online testing. Because this equipment was being supplied as Appendix B qualified equipment, the staff used the provisions of Institute of Electrical and Electronics Engineers (IEEE) Std 603 and IEEE Std 7-4.3.2, as well as the guidance contained in Chapter 7 of the SRP in its review.
In particular, the NRC staff considered the following codes, criteria, and standards to evaluate the Model 955A GM Tube Area Radiation Monitor for suitability:
- Title 10 of the Code of Federal Regulations (10 CFR) Section 50.55a(a)(1)
- 10 CFR 50.55a(h)
- 10 CFR Part 50, Appendix A, "General Design Criteria [GDC] for Nuclear Power Plants":
  - GDC 1, "Quality Standards and Records"
  - GDC 2, "Design Basis for Protection Against Natural Phenomena"
  - GDC 4, "Environmental and Dynamic Effects Design Bases"
  - GDC 19, "Control Room"
  - GDC 20, "Protection System Functions"
  - GDC 21, "Protection System Reliability and Testability"
  - GDC 22, "Protection System Independence"
  - GDC 23, "Protection System Failure Modes"
  - GDC 24, "Separation of Protection and Control Systems"
- Regulatory Guide (RG) 1.53, "Application of the Single-Failure Criterion to Nuclear Power Plant Protection Systems," which endorses IEEE Std 379-1977, "Application of the Single Failure Criterion to Nuclear Power Generating Station Class 1E Systems."
- RG 1.75, "Physical Independence of Electrical Systems," which endorses IEEE Std 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits."
- RG 1.100, "Seismic Qualification of Electric and Mechanical Equipment for Nuclear Power Plants," which endorses IEEE Std 344-1987, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations."
- RG 1.105, "Setpoints For Safety-Related Instrumentation," which endorses Part I of ISA-S67.04-1994, "Setpoints for Nuclear Safety-Related Instrumentation."
- RG 1.152, "Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," which endorses IEEE Std 7-4.3.2-1993, "Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations."
- RG 1.153, "Criteria for Power Instrumentation and Control Portions of Safety Systems," which endorses IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations."
- RG 1.168, "Verification, Validation, Reviews and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," which endorses IEEE Std 1012-1998, "IEEE Standard for Software Verification and Validation Plans."
- RG 1.169, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," which endorses IEEE Std 828-1990, "IEEE Standard for Software Configuration Management Plans," and American National Standards Institute (ANSI)/IEEE Std 1042-1987, "IEEE Guide to Software Configuration Management."
- RG 1.173, "Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," which endorses IEEE Std 1074-1995, "IEEE Standard for Developing Software Life Cycle Processes."
- RG 1.180, "Guidelines for Electromagnetic Interference Testing in Nuclear Power Plants," which endorses Electric Power Research Institute (EPRI) TR-102323, Rev. 1, "Guideline for Electromagnetic Interference Testing in Power Plants."
- EPRI TR-102348, Rev. 1 and NRC Regulatory Issue Summary 2002-22, "Guidelines on Licensing Digital Upgrades."
- ANSI/American Society of Mechanical Engineers (ASME) NQA-1, 1994, "Quality Assurance Program Requirements for Nuclear Facility Applications."
The Ginna FSAR Section 3.1 includes analysis to show conformance to the GDC. Accordingly, the staff has considered the GDC in its review of the requested amendment.
3.0 TECHNICAL EVALUATION
3.1 Background
In the early 1980s, the Ginna licensee performed an evaluation of the control room habitability system in response to NUREG-0737, Item III.D.3.4, Control Room Habitability. This evaluation concluded that the Area Radiation Monitors (ARMs) in the control room were poorly located and of insufficient sensitivity to conform to the guidance in the NUREG. Based on this assessment, the licensee installed additional instrumentation and controls to detect airborne radioactive materials at the control room ventilation system air intake and isolate the emergency zone upon detection of such materials.
The offline radiation monitoring system takes suction from the control room ventilation system air intake and includes a single train of particulate (R-37), iodine (R-38), and noble gas (R-36) radiation monitors. The detectors are located on the operating level of the Turbine Building floor outside of the control room access door and utilize a common air supply pump. The monitor skid is powered from a non-safety related electrical source, and upon a loss of power fails to the safe condition (i.e., it initiates an alarm and places CREATS in the recirculation mode). A high radiation signal from any of these detectors (particulate > 10⁻⁸ microcurie per cubic centimeter (µCi/cm³), iodine > 9 × 10⁻⁹ µCi/cm³, and noble gas > 10⁻⁵ µCi/cm³) will initiate the CREATS filtration train and isolate each air supply path with two dampers. The control room operator can also initiate the CREATS filtration train and isolate the air supply paths by using a manual pushbutton in the control room.
The Ginna CREATS actuation instrumentation system has had a number of associated failures and issues that have necessitated the isolation of the control room ventilation system and caused the CREATS filtration train to be placed in service for long periods of time in accordance with the requirements of LCO 3.3.6. These issues included numerous component failures, system actuation as a result of electronic noise, quality concerns, and obsolescence of replacement parts. Both engineering and maintenance personnel have expended a large amount of time in an attempt to resolve these issues and maintain the system in an operable condition. Based on these concerns, the licensee determined that a system replacement was necessary to ensure adequate reliability.
RG&E decided to replace the existing monitoring system with a pair of GM tube plenum probes, which would detect and measure the radiation within the 42-inch control room ventilation system air intake. The probes and associated monitors would be powered by two separate safety-related sources and would be configured into two redundant actuation logic trains, each with manual initiation. This style of monitor does not depend on a sample pump or any moving parts to accomplish its monitoring function, thereby providing increased system reliability (see Figure 1).
The present system employs only one particulate/iodine/noble gas (PING) monitor, which relies upon isokinetic sampling from the air intake duct (i.e., there is no redundancy in the present system). The ITS establish limiting values for the detected concentrations of particulate, iodine, and noble gas substances, and require control room isolation if a limiting value is exceeded.
The proposed system utilizes a single GM tube (per channel) instead of a PING monitor. The sensor will be located in the air supply duct. There is no sample line or pump, nor any of the active components used in support of a PING monitor. The GM tubes are designed such that the variation of the detector efficiency with photon energy closely matches the variation of exposure with photon energy. This design feature ensures that the importance of each photon is weighted correctly by the inherent efficiency of the detector. As a result the GM tubes and associated electronics are capable of measuring gross exposure over a broad spectrum of photon energies. GM tubes are typically calibrated in terms of equivalent dose rate, based on a referenced gamma photon energy and intensity.
The Final Safety Analysis Report (FSAR) Chapter 15 accident analyses establish the particular mix of isotopes that might be released for postulated accidents, and those various mixes establish the PING concentrations to which the CREATS must respond. Whereas the existing system detects volumetric concentrations of three specific forms of isotopes, the proposed system measures the bulk radiation level in the duct. Consequently, the PING limits in the ITS would be replaced with a single radiation dose rate limit. This dose rate limit will be based upon the anticipated dose rates for each of the postulated events addressed in the accident analyses, and will be selected to ensure that the control room heating, ventilation, and air conditioning (HVAC) is isolated in time to prevent the operators from receiving an excessive dose, regardless of the particular event.
Figure 1. Radiation Monitoring System
The radiation monitoring system proposed for use by Ginna in the new CREATS was originally designed by Victoreen in 1984. In 1998, Victoreen merged with another company, Keithley Instruments, and formed Inovision Radiation Measurements (IRM). This company subsequently became Syncor Radiation Management (SRM). For this reason, various documents addressing the design of the CREATS system were attributed as originating from either Victoreen, IRM, or SRM. For the purposes of this review, the companies are considered to be the same vendor.
3.2 Radiation Monitoring System Description
The radiation monitoring system proposed for use by Ginna is a Model 955A GM tube ARM manufactured by SRM. The Model 955A GM tube ARM consists of a Model 956A-201 Universal Digital Ratemeter (UDR) and a Model 897A-210 GM detector. The Model 956A-210 UDR is a microprocessor-based device controlled by the installed firmware. The microprocessor is an 8-bit Motorola 6802. The digital ratemeter part number is 94095603 electronically programmable read-only memory (EPROM). The detector operates over the range of 10⁻² to 10³ milli-Roentgens per hour (mR/h). The Model 956A UDR provides display, control, and annunciation functions. The basic functions of the UDR are to convert the input pulses from the detector into a digital value and to compare this value with the setpoint. Analog outputs are provided for connection to the Ginna Plant process computer system and recorder. Alarm setpoints are programmed through the main printed circuit board inside the UDR.
3.2.1 Hardware Description
3.2.1.1 Detector Model 897A-210
The Model 897A-210 version number shows that the detector has a range of 10⁻² to 10³ mR/h, and that the housing is made of aluminum. The detector has two major parts: the GM tube and the preamplifier. The GM tube is used as a gamma radiation detector. The GM tube has a thin outer wall which serves as the negative electrode (cathode) and a very small diameter wire which serves as the positive electrode (anode). The GM tube is also filled with a mixture of gases, one of which acts as a quenching agent, while the other gases support ionization. The positive electrode (anode) is maintained at a steady potential of 500/650 volt direct current (Vdc) and the negative electrode (cathode) is near ground potential. When a gamma photon penetrates the shield encasing the GM tube, an ionizing event occurs. An ion pair is produced, triggering an avalanche of ion pairs. The current pulses produced (one pulse per ionizing event) are independent of the energy of the initiating particle. Multiple discharges, caused by the release of electrons from the cathode due to excess energy, are eliminated after a short time, also known as dead time, (typically 2045 microseconds), by the quenching gas in the GM tube. The resulting pulses are conditioned and transmitted to a preamplifier, which provides input pulse discrimination and amplifies pulses received from the GM tube to a 5 Vdc amplitude.
If a very high-intensity radioactive source is detected, the GM tube may become saturated (i.e., the pulses may be separated by a period less than the dead time of the tube). This would have the effect of holding the preamplifier output at a relatively constant output voltage, resulting in a count loss at the readout. Anti-jam circuitry in the preamplifier produces a full-scale output square wave signal, providing a full-scale indication when the GM tube becomes saturated.
The response time of the system to a step change in radiation value is 60 seconds because of the operation of the pulse counting algorithm. The detector radiation value displayed is the result of a rolling average of the latest sixty 1-second values, and is updated once per second.
An alarm will be initiated within 1 second after the current 1-minute average exceeds the alarm setpoint.
A manual check source in the UDR is used by the operator to check detector operation. The check source push-button is a momentary contact switch which remains active as long as the pushbutton is depressed. Upon removal of the check source request, the internal counting registers are cleared and, within 1 minute, the display value will slowly return to the actual average radiation value. This is attributable to the action of the averaging algorithm in the UDR firmware. During check source activation, analog outputs are forced to zero. In addition, the High and Warn alarms are configured to be inhibited during check source operation.
3.2.1.2 Universal Digital Ratemeter Model 956A-201
Operation of the 956A-201 UDR consists of operator functions and configuration functions. All operator functions are performed using the front panel. Factory configuration functions are performed using internal switches and/or jumpers, which are accessible via partial removal of the UDR from the mounting enclosure. No configuration functions are performed at Ginna.
Figure 2. System Block Diagram
The Model 956A-201 UDR is composed of the following five circuit board assemblies mounted within the unit (see Figure 2):
1. Main Circuit Board,
2. High Voltage Supply,
3. Relay Circuit Board,
4. Front Panel Board,
5. Power Supply
These circuit boards provide input/output, display, power, and control for the UDR. The circuit boards are described in the following sections.
3.2.1.2.1 Main Circuit Board
The main circuit board contains the microprocessor, memory, analog output, signal input, and control circuitry. The microprocessor is a Motorola 6802, an 8-bit microprocessor with 16-bit memory addressing. The 6802 contains a crystal-controlled internal clock oscillator and driver circuitry. The 4 megahertz (MHz) crystal is utilized with the internal clock circuitry to obtain 1 MHz operation.
The processor memory consists of (1) 32K of ultraviolet erasable programmable read only memory (PROM) contained on one memory chip, (2) 8K of dynamic random access memory (DRAM), contained on one memory chip, and (3) 64-bytes of electrically erasable memory used for setpoint storage. The PROM contains the program being run on the microprocessor, and the DRAM is used for temporary data storage for the program. The PROM and the electrically erasable memory are nonvolatile and will retain the stored program and setpoint data if power is lost or if the system is turned off.
As the count pulses are received from the detector, the counter is incremented. This count is used to determine 1-second, 1-minute, and 1-hour radiation values.
The analog output is converted from digital values using an 8-bit digital-to-analog converter. The output is a 0- to 10-Vdc signal or a 4-20 milliamp signal.
The anti-jam circuitry detects a rapid increase in pulses attributable to a rapid increase in radiation at the detector. In a very high radiation field, the detector will conduct continuously rather than continuing to provide pulses. The absence of pulses would normally indicate a low radiation field. The purpose of the anti-jam circuit is to detect that this situation is about to occur and to signal the high radiation condition to the main processor by setting the anti-jam bit high.
The watchdog timer is based on a bipolar monostable multivibrator (one shot) and is not dependent on the processor clock to operate. Unless the watchdog is reset before it times out, the change in state will cause a FAIL alarm and fail light to activate. The time required for the watchdog to time out is not programmable, but is determined by a fixed resistor and capacitor. The watchdog timer is reset by the operating program; therefore, if the program halts for any reason, the watchdog will generate the FAIL alarm.
The system has the following six adjustable setpoints:
(1) High Alarm Limit setpoint
(2) Warn Alarm Limit setpoint
(3) Analog Full Scale value
(4) Over-range setpoint
(5) Analog Low-Scale value
(6) Under-range Limit setpoint
Setpoints are entered by using the function switch, the digit button, the value button, and the enter button, which are all located on the main circuit board. To access these controls, the UDR must be pulled partially out of the rack chassis. To access or change a setpoint, the system user rotates the function switch to the appropriate position, uses the digit and value buttons to change the value, and pushes the enter button to enter the value.
There are four alarm states in this system:
(1) HIGH Alarm occurs when the display dose rate is greater than or equal to the HIGH alarm setpoint. When the HIGH alarm is tripped, the red HIGH alarm indicator begins flashing, the bargraph changes to red, the HIGH alarm relay coil de-energizes, and the UDR sets its auxiliary output to h. The HIGH alarm is normally inhibited when performing a Check Source operation.
(2) WARN Alarm occurs when the display dose rate is greater than or equal to the WARN alarm setpoint. When the WARN alarm is tripped, the amber WARN alarm indicator begins flashing, the bargraph changes to amber, and the WARN alarm relay coil de-energizes. The WARN alarm is normally inhibited when performing a Check Source operation.
(3) RANGE Alarms
a. UNDER-RANGE occurs when the dose rate is below the under-range setpoint. The RANGE indicator illuminates, the analog output is set to zero, and the display reads 0.00 mR/h. The bargraph will operate normally.
b. OVER-RANGE occurs when the dose rate is greater than or equal to the over-range setpoint or the Model 897A preamplifier is sending an output pulse greater than the UDR electronics anti-jam circuit setpoint. When the OVER-RANGE alarm is active, WARN and HIGH alarms are true, the red RANGE indicator illuminates, the bargraph illuminates red, the analog output reads full scale, and the display reads EEEEE.
(4) FAIL Alarm occurs whenever equipment failure is detected. Four types of failures are detectable: the No count failure, the power failure, the main processor failure, and the anti-jam trip. When a fail condition occurs, other than power failure, the red FAIL alarm indicator illuminates. The FAIL alarm is discussed in Section 3.3.4 below, which deals with system self-diagnostic capacity.
3.2.1.2.2 High Voltage Power Supply
The high voltage power supply is utilized by the GM detector with a range of 500 to 650 volts. The high voltage output is designed to limit current to the oscillator section within 10 seconds of the output being shorted. The board plugs into the main circuit board.
3.2.1.2.3 Relay Circuit Board
The relay circuit board contains five independently controlled mechanical relays, including the Check Source, Fail, Warn, and Alarm relays and a spare relay. The Fail, Warn, and Alarm relays are software-controlled, and are de-energized when active. The Check Source relay is de-energized when the check source function is used.
3.2.1.2.4 Front Panel Circuit Board
The front panel circuit board consists of the seven-segment display, backlights, status indicators, switches, and bargraph assembly (see Figure 3). The front panel interfaces to the main circuit board.
3.2.1.2.5 Low Voltage Power Supply
The UDR power supply is rated at +5 volts direct current (Vdc) at 3 amps, +15 Vdc at 2.0 amps, and -15 Vdc at 0.5 amps. The input is 115 volts alternating current (Vac), with a tolerance of 92 Vac to 132 Vac. The power supply is designed to meet Underwriters Laboratory safety requirements and to comply with Federal Communications Commission Class B requirements for electromagnetic interference (EMI).
The power supply provides all internal UDR voltages, as well as detector supply voltages. All outputs are protected with automatic recovery upon removal of an overload or short circuit condition.
Figure 3. Front Panel Display
3.2.1.2.6 Optional Circuit Board
The system has an option that allows the installation of one of several input or output boards to allow digital or analog communications or analog outputs. None of these boards are being used in the Ginna configuration and, therefore, were not considered in the staff's review.
3.2.2 Software Description The operational software for the UDR is contained in the 32K PROM and therefore considered firmware. There are about 8,000 lines of code. The code was originally developed on a Hewlett-Packard 64000 microprocessor development system and was written in Motorola 6802 Assembly Language. Modifications to the software have been written on an ASCII text editor.
The American Arium Development System assembler and linker are now used to generate executable source files. The software, programmed in assembly language, does not contain an embedded operating system.
An initialization routine is run when the system is started. Once the initialization is completed, the main program, which performs all functions, begins operating in a recurring loop. This main loop services interrupts from communications ports; checks to see if there are any inputs from the data entry button; and if so, services them; and then checks to see if one second has expired since the last time the counted pulses in the accumulator were checked. If 1 second has not elapsed, the main loop returns to the beginning of the routine and restarts. This looping continues until 1 second has elapsed. At this time, the loop acquires the total number of counts from the previous 1 second and resets the accumulator. The count value is converted into a mR/h value, and then displayed on the front panel. The count value is compared to the trip setpoints, and if any of the setpoints are exceeded, the appropriate action is taken. The hardware watchdog timer is reset at this point in the loop. The routine then determines whether 1 minute, 1 hour, or 1 day has elapsed since the corresponding minute, hourly, or daily averages have been updated, and if so, the corresponding time-averaged counts value is updated. The main loop then returns to its start, and begins again.
If the watchdog timer has timed out, that is, if the main loop has not completed its cycle and provided a watchdog reset, a Fail condition will occur, causing the Fail relay to change state and the front panel FAIL LED to illuminate. The Fail relay is wired into the isolation circuitry so that a FAIL alarm will initiate a control room isolation.
3.2.3 Product Qualifications The following sections discuss several industry consensus standards, technical documents, and topical reports (e.g., IEEE standards, licensee equipment specifications, and EPRI reports) that set out methodologies for developing and implementing safety-related systems and functions.
The NRC has endorsed some of the methodologies described in these standards, documents and reports as acceptable approaches for compliance with the Commission's regulations. The NRC has documented these endorsements in the NRC guidance documents identified in Section 2.0 of this SE.
Industry standards, documents and reports use the word "requirements" to denote provisions that must be implemented to ensure compliance with the corresponding document.
Additionally, these standards, documents and reports provide guidance or recommendations that need not be adopted by the user to ensure compliance with the corresponding document.
The word "requirement" is used throughout the instrumentation and control discipline.
However, licensee or vendor documentation of conformance to the requirements provided in industry standards, documents and reports referenced in this SE only constitutes conformance with NRC regulatory requirements, insofar as endorsed by the NRC. Furthermore, use of the word "requirements" in these documents does not indicate that the requirements are NRC regulatory requirements.
The qualifications for the control room radiation monitor were specified in the RG&E purchase specification EE-171. These qualifications are discussed in the following sections.
3.2.3.1 Environmental Requirements Section 3.2 of the RG&E purchase specification, EE-171, listed the environmental conditions in the areas where the radiation monitoring equipment will be located and included the following statement:
The ratemeter will be installed in RMS2 in the Control Room. Per Table 3.11.1 of reference 2.4, the normal ambient conditions in the Control Room are less than 104°F, 0 psig, 60% humidity, radiation is negligible.
The detectors will be mounted in the Control Room intake air duct which draws outside air and is located in the Turbine Building. Per Section 2.3.2.2 of reference 2.4, the ambient conditions in the air duct are 2°F to 91°F, 0 psig, 100% humidity. To provide additional margin the detectors should operate over a range of -10°F to 122°F.
3.2.3.2 Electromagnetic Interference/Radio Frequency Interference (EMI/RFI) Requirements Section 3.2.3 of the RG&E purchase specification, EE-171, stated that the ARM would meet the requirements of EPRI TR-102323, and that the testing will verify that the monitors remain functional with an 8 dB margin over the generic emission measurement surveys in the guideline. EPRI TR-102323 is also shown as a requirement of EPRI TR-106439.
3.2.3.3 Electrostatic Discharge (ESD) Withstand Requirements Because the ARM would meet EPRI TR-102323, Chapter 5, page 5-17 of that document outlines the ESD withstand requirements. The system would meet these limits without disrupting operation or causing any damage.
3.2.3.4 Seismic Withstand Requirements Ginna Procedure IP-DES-2, "Plant Change Process," requires that components be qualified in accordance with IEEE Std 344, "IEEE Recommended Practices for Seismic Qualification of Class 1E Equipment for Nuclear Power Generating Stations."
3.2.3.5 Surge Withstand Requirements EPRI TR-102323, Chapter 5, page 5-15 describes Surge Withstand Requirements.
3.2.3.6 Class 1E to Non-1E Isolation Requirements Both 10 CFR Part 50 (Appendix A, General Design Criteria (GDC) 22 and 24) and IEEE Std 603, Section 5.6.3.1 require that protection systems be designed to ensure that the effects of normal operating and postulated accident conditions do not result in the loss of the protective function and that a failure of a control system does not adversely affect the protection system.
Additional requirements are provided in IEEE Std 384-1977, "Criteria for Independence of Class 1E Equipment and Circuits."
3.3 Evaluation of Hardware and Software The acceptance criteria for this review are defined in NUREG-0800, the NRC SRP, Revision 4, dated June 1997. The subsections below list the sections of 10 CFR Part 50, general industry standards, BTPs, and other guidance that were used in the staff's review, as well as the review methodology used by the staff.
3.3.1 Method of Review The material reviewed by the staff is contained in the original submittal dated May 3, 2001; the supplemental letters dated August 7, 2001; and October 29, 2001, and in request for additional information (RAI) responses dated May 3, 2002, and October 7, 2002. In addition, the staff visited Syncor Radiation Management on February 25-27, 2003, to discuss various aspects of the radiation monitor design.
The staff reviewed: (1) hardware design, (2) software design, (3) qualification testing, (4) verification and validation procedures, (5) quality control, and (6) history of use of the system in other applications. In doing so, the staff reviewed the ARM design process and compared that process to applicable review guidance. Additionally, the staff performed a thread audit, which involved selecting certain sample equipment functions and tracing the implementation of those functions through the hardware and software. This review included evaluating actual sections of the code on a sample basis and following the signal path through the hardware circuitry.
A major challenge associated with this review was that the equipment was designed circa 1984.
The original design documentation on both the hardware and software was not retained by Victoreen and was, therefore, no longer available for review. This lack of design detail is not unusual in older equipment, but does present a challenge when attempting to verify that the equipment was correctly designed, is of high quality, and will perform the necessary safety functions under all anticipated conditions. However, the detailed as built description of the ARM, the code listings, and the equipment manuals were available for review. The vendor used the system manuals to generate the system and software requirements, the equipment description to generate the hardware specification, and the code listings to generate the software specification. In effect, the as built description was compared and tested to the expectations described in the manuals, thereby providing assurance that the system would operate as intended.
The staff's review, therefore, was similar to a staff review of commercial grade equipment when design documentation is not available. To evaluate the quality of the Victoreen ARM, the staff identified several safety functions; determined the characteristics the system must possess to perform those functions; and then requested that the vendor demonstrate that the ARM and the computer system in the digital ratemeter, both hardware and software, were capable of performing those functions in an acceptable manner.
The safety functions were obtained from the Ginna requirements documents; the system characteristics were obtained from the system and software requirements developed by the vendor; and the demonstration was by test and by comparisons of the as built equipment to the Ginna requirements.
3.3.2 Hardware Design Review The staff's review of the hardware design included the hardware architecture and signal flow; quality provisions for the hardware; and the environmental testing and qualification methodology and results.
The staff reviewed the hardware schematics (UDR Schematic Diagram, Drawing Number 942-200-13, dated August 6, 2002); and compared the schematics to the block diagram description in the Installation, Operation and Maintenance Instruction Manual (part number 955A-1, dated May 1996), the Design Specification (Universal Digital Ratemeter, dated December 21, 1983), Revision A of the Design Specification (dated February 1, 1984), and the Loop Diagram for Control Room Intake Monitor (Drawing Number S157033A-104, dated January 8, 2001). The staff found several minor typographical errors in the block diagrams, and the vendor has stated these errors will be corrected in the next version of the manual. The staff traced signals from sensor input to data and trip signal output through the schematics to determine which portions of the circuitry were used in both normal operation and in trip conditions.
The staff also reviewed design, manufacturing, quality control, and testing procedures and documentation.
3.3.2.1 Hardware Quality Control The Victoreen radiation monitoring system was initially developed in 1984 as an Appendix B qualified system. The staff reviewed the following manuals, which describe the processes and procedures for the various aspects of the system manufacture to determine the conformance of the vendor quality control (QC) procedures with the requirements of 10 CFR Part 50, Appendix B; and the guidance in American National Standards Institute (ANSI)/ASME NQA-1-1994, Quality Assurance Program Requirements for Nuclear Facility Applications, IEEE Std 1074-1995, IEEE Standard for Developing Software Life Cycle Processes, IEEE Std 828-1990, IEEE Standard for Software Configuration Management Plans, and ANSI/IEEE Std 1042-1987, IEEE Guide to Software Configuration Management:
(1) Syncor Quality Assurance Manual, QSP-100, Ver. 004, dated March 14, 2002.
(2) Inovision Quality System Procedure QSP-214, Ver. G, Corrective and Preventive Action, dated October 10, 2001.
(3) Inovision Quality System Procedure QSP-204, Ver. D, Product Development/Design Control Procedure, dated April 10, 2002.
(4) Inovision Quality System Procedure QSP-205, Ver. G, Document and Data Control Procedure, dated October 9, 2001.
(5) Inovision Quality System Procedure QSP-213, Ver. E, Control of Nonconforming Product, dated October 10, 2001.
(6) Inovision Quality System Procedure QSP-05-08, Ver. G, Engineering/Document Change Notice Procedure, dated October 7, 2002.
(7) Inovision Quality System Procedure QSP-14-01, Ver. F, Complaint Handling Procedure, dated October 10, 2001.
(8) Inovision Quality System Procedure QSP-14-02, Ver. A, Medical Device/Nuclear Reporting Procedures, dated July 30, 1999.
(9) Nuclear Procurement Issues Committee (NUPIC) Audit Report 17889, Supplier Quality Unit Audit Report of Inovision Radiation Measurements, dated June 6, 2001.
During the visit at SRM, the staff reviewed selected UDR manufacturing records, processes and products; and had discussions with the vendor staff, Ginna licensee staff, and consultants regarding the quality of the UDR system components and software that are used in the Ginna CREATS.
The staff verified that the vendor has the capability to perform environmental testing of its equipment, with the exception of electromagnetic compatibility, radiation, and seismic qualification tests, which are performed off site.
The staff noted that the vendor has upgraded its quality assurance processes such that all equipment is electronically tracked throughout the facility using bar code tagging and readers.
This process ensures that each piece of equipment is appropriately controlled with quality assurance hold points included on the routing document accompanying the product through its manufacturing life cycle. These hold points assure that further work would not be performed without QC consent.
The staff reviewed training records of the personnel who performed the maintenance, quality assurance, and testing to ensure that these personnel were qualified to perform maintenance and testing activities in accordance with vendor quality assurance procedures. The training records are maintained in a centralized location by a single person, who coordinates training schedules for each employee to ensure that appropriate Appendix B, Criterion II training requirements have been met in a timely manner. The records were maintained in an orderly manner, and were up to date. The training courses were appropriate for the personnel reviewed.
The staff confirmed that the vendor has established measures to indicate, by the use of markings such as stamps, tags, labels, routing cards, or other means, the status of inspections and tests performed upon the UDR. These measures provide for the identification of items that have satisfactorily passed specified inspections and tests, where necessary, to preclude inadvertent bypassing of such inspections and tests.
On the basis of the review of the documentation listed above, and the information gathered during the staff visit to the vendor, the staff determined, as described above, that the vendor's QC procedures are acceptable for the intended safety-related use at Ginna.
3.3.2.2 Environmental Testing and Qualification To comply with the requirements of GDC 4, 10 CFR 50.49, and IEEE Std 279-1971, Criteria for Protection Systems for Nuclear Power Generating Stations, or IEEE Std 603-1991, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, the licensee must demonstrate that each item of electric equipment covered by 10 CFR 50.49 meets its specified performance requirements when the equipment is subject to the conditions predicted to be present when it must perform its safety function up to the end of its qualified life. The subsections below discuss the staff's review of the radiation monitoring system's environmental testing.
3.3.2.2.1 Temperature and Humidity Testing The vendor performed environmental tests to demonstrate that the radiation monitoring system will not experience failures as a result of abnormal service conditions of temperature and humidity. Specifically, Section 3.2 of the RG&E purchase specification, EE-171, listed the following environmental conditions in the areas where the radiation monitoring equipment will be located. EE-171 stated:
The ratemeter will be installed in RMS2 in the Control Room. Per Table 3.11.1 of reference 2.4, the normal ambient conditions in the Control Room are less than 104°F, 0 psig, 60% humidity, radiation is negligible.
The detectors will be mounted in the Control Room intake air duct which draws outside air and is located in the Turbine Building. Per Section 2.3.2.2 of reference 2.4, the ambient conditions in the air duct are 2°F to 91°F, 0 psig, 100% humidity. To provide additional margin, the detectors should operate over a range of -10°F to 122°F.
The vendor performed temperature and humidity tests as documented in Appendix IV of the Environmental Qualification Report for the Victoreen Digital Ratemeter, Report 950.360. This report was supplied to the staff by RG&E as part of the response to the August 28, 2002, RAI.
The staff reviewed this report and determined that the ratemeter is qualified in a temperature range of -2.8 °F to 125 °F at 90 percent relative non-condensing humidity, and the detector is qualified in a temperature range of -10 °F to 122 °F at 100 percent relative non-condensing humidity. The tested range envelops the Ginna environmental conditions at the location where the equipment must perform as specified, accounting for aging. Therefore, the staff concludes that the ratemeter and detector are appropriately qualified for the temperature and humidity environments at the Ginna plant.
3.3.2.2.2 Radiation Withstand Testing Section 3.3.1 of the licensee's purchase specification, EE-171, stated that the radiation rate range expected during routine monitoring will be 1.0E-2 to 1.0E+3 mR/hr. The model 897A-210 detectors are the only portion of the ARM which is subject to radiation. The remainder of the equipment is contained within a mild environment in the control room, and therefore does not require radiation withstand testing. The vendor tested the detectors for radiation rate and dose dependency. The test results were documented in the Environmental Qualification Report for the Victoreen Digital Ratemeter, Report 950.360. After review of this report, the staff determined that the radiation withstand capacity of the model 897A-210 detectors meets that specified in the purchase specification, and therefore is acceptable for the intended safety-related use at Ginna.
3.3.2.2.3 Seismic Withstand Testing To demonstrate that the ARM system hardware will function under seismic motion conditions, the vendor tested the ARM in accordance with IEEE Std 344-1987 for the operating basis earthquake event and safe shut down earthquake event seismic response spectra for the 289-foot elevation of the Ginna Control Building. These tests were documented in the Environmental Qualification Report for the Victoreen Digital Ratemeter, Report 950.360.
After review of these tests, the staff determined that the tests of the seismic withstand capacity of the ARM were appropriate and the seismic withstand capacity meets the recommendations of RG 1.100 and IEEE Std 344-1987 and is, therefore, acceptable for the intended safety-related use at Ginna.
3.3.2.2.4 Electromagnetic Compatibility Testing Section 3.2.3 of the licensee's purchase specification, EE-171, stated that the ARM shall meet the requirements of EPRI TR-102323, and that the testing will verify that the monitors remain functional with an 8 dB margin over the generic emission measurement surveys in the guideline.
EPRI Topical Report TR-102323, Guideline for Electromagnetic Interference Testing in Power Plants, was submitted for staff review in 1994. That report provided alternatives to performing site-specific EMI surveys to qualify digital plant safety I&C equipment in a plant's electromagnetic environment. In 1996, the NRC staff issued a safety evaluation concluding that the recommendations and guidelines in TR-102323 provide an adequate method for qualifying digital I&C equipment for a plant's electromagnetic environment without the need for plant-specific EMI surveys, provided that the plant-specific electromagnetic environment is confirmed to be similar to that identified in TR-102323.
RG&E documented the electromagnetic interference test plan in vendor document number 948.343 and supplied it to the staff as part of its response to the August 28, 2002, RAI. The following equipment was supplied by the vendor as test specimens.
(1) Model 956A-201 Digital Ratemeter
(2) Model 897A0210 G-M Detector
(3) S157033A2 EMI Filter Assembly
(4) 948B-1A-5 2 Bay Rack Chassis
(5) 75 feet of 50-100 Cable
The digital radiation monitoring equipment was tested by F-Squared Laboratories, an independent testing laboratory, and the test details and results were documented in their report number CLE 033100-01. This report was supplied to the staff as a part of the Environmental Qualification Report for the Victoreen Digital Ratemeter, Report 950.360. The following tests were performed by F-Squared Laboratories:
(1) Electrostatic Discharge Immunity Test (Test Method IEC 802-2)
(2) Radiated Immunity Test 20 MHz to 1000 MHz (Test Method EN 61000-4-3:1995 IEC 801-3)
(3) Radiated Immunity Test 10 KHz to 20 MHz (Test Method Mil STD-462D, RS103)
(4) Electrical Fast Transient/Burst Test, 3.0 kV (Test Method EN 61000-4-4:1995, IEC 801-4)
(5) Surge Test, 3.0 kV (Test Method EN 61000-4-5:1995 IEC 801-5)
(6) Conducted Immunity Test, 30 Hz to 50 kHz (Test Method MIL-STD-462D, CS101-2)
(7) Conducted Immunity Test, 50 kHz to 400 MHz (Test Method EN 61000-4-6:1995 IEC 801-6)
(8) Radiated Emissions Test, 30 Hz to 100KHz (Test Method MIL-STD-462D, RE101)
(9) Radiated Emissions Test, 10 KHz to 1000 MHz (Test Method MIL-STD-462D, RE102)
(10) Conducted Emissions Test, 30 Hz to 50KHz (Test Method MIL-STD-462D, CE101)
(11) Conducted Emissions Test, 50KHz to 400 MHz (Test Method MIL-STD-462D, CE102)
In each test, the results were compared to the requirements of TR-102323. F-Squared Laboratories, in its report number CLE 033100-01, determined that Victoreen radiation monitoring equipment met the requirements of TR-102323. The staff reviewed the test methods and results in the F-Squared Laboratories report and concluded that the equipment is qualified for EMI, surge withstand, and electrostatic discharge withstand requirements, and is therefore acceptable for the intended safety-related use at Ginna.
3.3.2.3 Class 1E to Non-1E Isolation Isolation between Class 1E and non-1E equipment is required by 10 CFR Part 50 and by IEEE Std 603. Pursuant to the GDC, a protection system must be designed to ensure that the effects of normal operating and postulated accident conditions do not result in the loss of the protective function and that a failure of a control system does not adversely affect the protection system.
In the case of the Victoreen digital radiation monitoring equipment, there are two concerns: (1) that the system power be isolated in the event of a power failure in some other equipment; and (2) that the outputs of the system going to non-1E equipment be protected against postulated failure in that non-1E equipment. Fuses are used to protect the digital radiation monitoring equipment from the toxic gas system power and input contact circuits. These fuses will open in the presence of high voltage to protect the digital radiation monitoring equipment. Signal isolation is accomplished by optical isolators, used to isolate the analog output of the ratemeter from the station non-1E Plant Process Computer System and recorders. The isolators used are Model FCA-300 4 channel encapsulated analog isolation amplifiers, manufactured by NUS Instruments, and are qualified as 10 CFR Part 50, Appendix B components, as well as meeting the requirements of IEEE Std 384. Power to the isolators is connected on the non-1E side of the unit so power to the isolators is also fused to provide electrical separation on the power circuits. All fuses used in the system to provide isolation between non-safety components and safety components are classified as part of the safety system and the components are qualified as safety-related. The isolators are also classified safety-related.
The staff reviewed these isolation provisions and determined that there is no credible failure on the non-safety side of the isolation devices that could prevent any portion of the safety-related ARM system from meeting its performance requirements. The staff concludes that the ARM system meets the requirements of 10 CFR Part 50, Appendix A, GDC 22 and 24, IEEE Std 603 Section 5.6.3.1, and meets the standards of IEEE Std 384-1977, and is therefore acceptable for the intended safety-related use at Ginna.
3.3.2.4 Failure Modes and Effects Analysis The licensee provided document DA-EE-2001-009, "Electrical Factors Analysis for PCR 99-004" as a Failure Modes and Effects Analysis (FMEA) for the Victoreen digital area radiation monitor system. This was Attachment 2 to the RAI response dated October 7, 2002.
While this document does not describe a classic FMEA, as defined in Section 4.1 of IEEE Std 352, General Principles of Reliability Analysis of Nuclear Power Generation Station Safety Systems, there is no requirement that licensees provide an FMEA of this type. The document discussed component rating factors, separation, cabling, single failure criteria, fail safe design, control logic analysis, and other technical operational considerations.
The document concluded that the electrical factors discussed in the report demonstrate that the design of the Victoreen digital ARM is adequate and appropriate for the Ginna installation and use.
The staff concludes that, while the discussion within this document is not in sufficient detail to confirm the licensee's conclusions, the document does add to the overall conclusion that the equipment is appropriately designed and suitable for the intended use at Ginna, as set forth elsewhere throughout this SE.
3.3.2.5 Response Time Characteristics GDC 20 (defined in Appendix A to 10 CFR Part 50) constitutes requirements for timely operation of the protection features. To meet these requirements, BTP HICB-21 provides the following guidance:
1. The feasibility of design timing may be demonstrated by allocating a timing budget to components of the system architecture (Annex E of IEEE Std 7-4.3.2) so that the entire system meets its timing requirements.
2. Timing requirements should be satisfied by design commitments.
The Installation, Operation, and Maintenance Instruction Manual for the Victoreen Digital Area Radiation Monitor includes the following statement on page 4-2:
The response time of the system to a step change in radiation value is 60 seconds, due to the operation of the pulse counting algorithms. The detector radiation value displayed is the result of a rolling average of the latest 60, 1 second values, and is updated once per second. An alarm will be initiated within 1 second after the current one minute average exceeds the alarm setpoint.
The licensee stated on pages 7 and 8 in Attachment 2 to the May 3, 2002, RAI response:
The most limiting rate of change is the step change, and that has been analyzed with respect to the response time of the new equipment in section 7.3.1 of DA-EE-2001-013, as follows: The total response time of the system to a step change in the radiation value is 60 seconds, which is the total averaging time of the detector due to the pulse counting algorithm. The DBA cloud would have a concentration of noble gas that would result in an in-duct reading of 5.63 mr/hr (from DA-EE-2001-013), as described above. At time zero, the 60 second rolling average is at 0 mr/hr. When the most severe design basis cloud reaches the detectors with an instantaneous equivalent dose of 5.63 mr/hr cloud, it would take 11 seconds to reach an averaged reading at the ratemeter of 0.96 mr/hr.
Two factors make that delay in reaching the analytical limit insignificant. First, the transit time for the air to get from the in-duct detector location to the Control Room isolation dampers is greater than 30 seconds, so the cloud will not have reached the Control Room in that time period. Secondly, if the transit time is not considered and it is assumed that the cloud is dumping into the Control Room for the complete 11 seconds, that air is diluted into the total Control Room volume, dramatically reducing the cloud concentration and hence effective dose.
Mathematically, 11 seconds of air at 2,000 cfm (existing HVAC capacity) is 367 cu. ft., diluted into the Control Room volume of 36,000 cu. ft. (measured volume of CR). The resulting concentration of noble gas in the Control Room is approximately 1% of the DBA concentration, or less than 0.9 mr/hr actual Control Room dose which is insignificant when compared to the GDC 19 limit 30 day dose rate of 15 mr/hr.
The event that would result in the longest total response time would be a fractional event that resulted in a cloud that had a dose rate that exactly matched the setpoint of 0.25 mr/hr. This event would take the complete 60 seconds (60 data samples) to bring the average value up to the 0.25 setpoint. Again, without taking credit for the transit time in the duct, the 60 seconds of cloud traveling into the Control Room at 2,000 cfm is diluted into the 36,000 cu. ft. Control Room volume will result in a dose rate 18 times (36,000 cf/2000 cfm x 1m) smaller than the measured setpoint. No credit was taken for this dilution factor in the setpoint analyses, so the resulting isolation at this limiting condition would be a factor of 18 times below the 30 day dose rate.
Based on the foregoing, the staff concludes that the ARM response time of 60 seconds is acceptable in the Ginna application and meets the response time requirements of GDC 20, and the guidance of BTP HICB-21, and IEEE Std 7-4.3.2.
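The following Python model is an added illustration, not vendor firmware and not part of the NRC evaluation. It ties the one-second main loop and watchdog described in Section 3.2.2 to the response-time figures quoted above (11 seconds, 60 seconds, 367 cu. ft., factor of 18). The watchdog timeout value, the use of ">=" for the trip comparison, and all class and function names are assumptions.

```python
from collections import deque

WINDOW_S = 60           # rolling average of the latest 60 one-second values
WATCHDOG_TIMEOUT_S = 2  # ASSUMED: the page does not state the watchdog period


class RatemeterModel:
    """Simplified model of the 1-second loop: average, compare, reset watchdog."""

    def __init__(self, setpoint_mr_h, window_s=WINDOW_S):
        self.setpoint = setpoint_mr_h
        # At time zero the rolling average is 0 mR/h.
        self.samples = deque([0.0] * window_s, maxlen=window_s)
        # Relays are de-energized when active, so loss of drive reads as a trip.
        self.alarm_relay_energized = True
        self.fail_relay_energized = True
        self.last_watchdog_reset_s = 0

    def average(self):
        return sum(self.samples) / len(self.samples)

    def tick(self, now_s, reading_mr_h):
        """One completed pass of the main loop at a 1-second boundary."""
        self.samples.append(reading_mr_h)  # oldest 1-second value drops out
        # ASSUMED: trip when the average reaches the setpoint (>=).
        if self.average() >= self.setpoint:
            self.alarm_relay_energized = False
        self.last_watchdog_reset_s = now_s  # loop finished: reset the watchdog

    def watchdog_check(self, now_s):
        """Hardware timer, independent of the loop: no reset in time means Fail."""
        if now_s - self.last_watchdog_reset_s > WATCHDOG_TIMEOUT_S:
            self.fail_relay_energized = False

    def isolation_demanded(self):
        # Either relay dropping out initiates control room isolation in this model.
        return not (self.alarm_relay_energized and self.fail_relay_energized)


def seconds_to_reach(step_mr_h, level_mr_h, limit_s=10 * WINDOW_S):
    """Seconds after a step change at t=0 until the average reaches level_mr_h.

    Returns None if the average never gets there (step below the level).
    """
    meter = RatemeterModel(level_mr_h)
    for t in range(1, limit_s + 1):
        meter.tick(t, step_mr_h)
        if not meter.alarm_relay_energized:
            return t
    return None


def dilution_fraction(seconds, flow_cfm=2000.0, room_cuft=36000.0):
    """Fraction of the control room volume replaced by duct air in `seconds`."""
    return (flow_cfm * seconds / 60.0) / room_cuft


def isolation_time_after_stall(stall_at_s, limit_s=60):
    """Main loop stops completing after stall_at_s; return when isolation trips."""
    meter = RatemeterModel(setpoint_mr_h=0.25)
    for t in range(1, limit_s + 1):
        if t <= stall_at_s:
            meter.tick(t, 0.01)  # constructed background reading, below setpoint
        meter.watchdog_check(t)
        if meter.isolation_demanded():
            return t
    return None


if __name__ == "__main__":
    # 5.63 mR/h design basis cloud against the 0.96 mR/h averaged reading.
    print("step 5.63 -> 0.96 mR/h:", seconds_to_reach(5.63, 0.96), "s")
    # Limiting case: cloud exactly at the 0.25 mR/h setpoint.
    print("step 0.25 -> 0.25 mR/h:", seconds_to_reach(0.25, 0.25), "s")
    print("11 s of duct air:", round(dilution_fraction(11) * 36000), "cu. ft.")
    print("60 s dilution factor:", round(1 / dilution_fraction(60)))
    print("stall at 5 s, isolation at:", isolation_time_after_stall(5), "s")
```

A step that stays below the setpoint never trips the averaged channel, while a stalled loop still produces isolation through the Fail relay, which is the fail-safe behavior the evaluation relies on.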
3.3.3 Software Review The staff used BTP 14, IEEE Std 603 and IEEE Std 7-4.3.2 as the bases for the review of the ARM software. Generally, the software qualification consisted of evaluating the processes, procedures, and practices used to develop the software; reviewing the software architecture; and assessing the history of the software and its associated documentation and operating experience. In this case, the development documentation was not available for review, and therefore, the staff placed a greater emphasis on the software architecture and the actual software code.
3.3.3.1 Software Documentation The staff reviewed the following software documentation:
- Installation, Operation and Maintenance Instruction Manual, part number (P/N) 955A-1, dated May 1996. This document provided a description of the hardware and software. Review of this document gave the staff an understanding of how the ARM is supposed to work and the flow of the program.
- Software Design Description for PROM P/N 94095603, G-M Monitor, 94095603SDD, dated October 23, 2002. This document is not the source of information used to develop the program for the PROM as is usually the case, but was reverse-engineered by examination of the source code on the PROM. This was necessary because, as explained above, the original documentation was not available. This document described the design of the operational software.
- Software Requirements Specification for PROM P/N 94095603, G-M Monitor, 94095603SRS, dated October 23, 2002. Again, this was not the original document derived from the system requirements, but was developed from the Installation, Operation and Maintenance Instruction Manual. This document specified the requirements of the operational software.
- Software Validation Test Procedure for PROM P/N 94095603, G-M Area Monitor, 94095603VTP, dated October 28, 2002.
- Software Requirements Traceability Matrix for PROM P/N 94095603, G-M Area Monitor, 94095603RTM, dated November 4, 2002. This document compares the Requirements Specification, the Design Description, and the Test Procedure to verify that every requirement had been implemented in the design, and was in turn tested in the test procedure. The body of the matrix was in table format, listing each requirement and the corresponding paragraphs of the Requirements Specification, the Design Description, and test procedures.
- Software Verification and Validation Plan for PROM P/N 94095603, G-M Area Monitor, 94095603VVP, dated September 11, 2002.
- Software Verification and Validation Test Report for PROM P/N 94095603, G-M Area Monitor, 94095603VVTR, dated November 4, 2002.
Each of these documents was compared to the guidance in BTP HICB-14, IEEE Std 7-4.3.2-1993, and the requirements of IEEE Std 603-1991. Because the documents were not originally developed in accordance with these specifications, the organization of the documents was not the same as in the standards; however, the documentation allowed the staff to determine, with a reasonable level of assurance, that the software would perform the intended safety function.
3.3.3.2 Software Configuration Management and Life Cycle Planning
Regulatory guidance regarding software configuration management and life cycle planning is contained in RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorsed IEEE Std 828-1990, IEEE Standard for Software Configuration Management Plans, and ANSI/IEEE Std 1042-1987, IEEE Guide to Software Configuration Management; and in RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, which endorsed IEEE Std 1074-1995, IEEE Standard for Developing Software Life Cycle Processes. The vendor's QC procedures were previously discussed in Section 3.3.2.1 of this SE, Hardware Quality Control. In that section, the staff determined that the SRM QC procedures were acceptable.
The software management and life cycle planning were somewhat more difficult for the staff to evaluate because the ARM was designed before the IEEE configuration management and life cycle standards were developed. The intent of this portion of the review was to ensure that any future changes to the software would be performed in a manner that allows future traceability and review, and that future changes will continue to be in accordance with the vendor's QC procedures. In particular, the staff examined the following documents:
(1) Syncor Quality Assurance Manual, QSP-100, Ver. 004, dated March 14, 2002.
(2) Inovision Quality System Procedure QSP-204, Ver. D, Product Development/Design Control Procedure, dated April 10, 2002.
(3) Inovision Quality System Procedure QSP-205, Ver. G, Document and Data Control Procedure, dated October 9, 2001.
(4) Inovision Quality System Procedure QSP-05-08, Ver. G, Engineering/Document Change Notice Procedure, dated October 7, 2002.
The staff specifically reviewed these documents to determine the acceptability of the vendor's software configuration management and life cycle planning. On the basis of this review, and the information gathered during the visit to the vendor's manufacturing facilities, the staff determined that while the software management and life cycle planning processes used by the vendor do not conform with every requirement in IEEE Standards 828, 1042, and 1074, the vendor processes meet the intent of these standards to the degree that any future changes to the software will be done in a manner that allows traceability and review, including appropriate documentation control. The staff, therefore, concludes that the vendor's software configuration management and life cycle planning activities are acceptable for the intended safety-related use at Ginna.
3.3.3.3 Plant-Specific Software Programs
The design of the ARM is such that there is no plant-specific software. The system can only be modified to program plant-specific setpoints. Since there is no plant-specific software, there is no need for the plant-specific software installation plan, software operations plan, or software safety plan.
3.3.3.4 Reliability and Availability Analysis
The licensee provided a probabilistic safety assessment (PSA) of the ARM equipment, PSAER number 2002-0017. This document was Attachment 12 to the RAI response dated October 7, 2002. This document concluded that the probability of failure of the control room radiation monitor circuitry to perform its intended function, given a demand for that function, is 1.93 x 10^-4. Due to the lack of documentation for the predicted failure rate of software, the staff was unable to determine the accuracy of this probability; however, the scope of the document added to the staff's overall conclusion that the equipment is appropriately designed and suitable for its intended use at Ginna.
3.3.3.5 Thread Audit
The staff conducted a thread audit walk-through of the ARM system hardware and software. This thread audit consisted of the following four steps:
(1) Tracing signals through the hardware components.
(2) Reviewing the actual code within the processor.
(3) Examining the Software Requirements Specification, the Software Design Description, and the Software Validation Test, and comparing these documents to the actual code.
(4) Reviewing the final test results.
During this audit, vendor personnel were able to quickly retrieve the appropriate documentation, explain the various processes, and walk the staff through the signal and software flow. On the basis of the thread audit and the review of the vendor's programs, the staff has determined that the functions selected for the thread audit were appropriately implemented. Accordingly, in this respect, the staff concludes that the software is suitable for use in the safety-related CREATS system at Ginna.
3.3.4 System Self-Diagnostic Capacity
The ARM has only limited self-test functions. Each function can produce a FAIL alarm. The following conditions cause a FAIL alarm:
- No Count Failure: If no pulses are received by the UDR for 5 minutes, a no count failure is detected and the FAIL alarm is actuated. A no count alarm usually indicates a failure in the detector or UDR detector high voltage supply.
- Power Failure: If power is lost to the UDR, the bargraph, alarm indicators, and the display are turned off. The HIGH, WARN, and FAIL relay coils de-energize and the FAIL alarm is actuated.
- MPU Failure: If the FAIL timer circuit, which checks the main processor function, is allowed to time out because of a hardware failure, a failure condition will be indicated and the FAIL alarm is actuated.
- Anti-Jam Trip: Should the detector output exceed the UDR anti-jam circuit threshold, the anti-jam fuse opens and the FAIL alarm is actuated.
When the FAIL alarm is actuated, the red FAIL alarm indicator illuminates and the FAIL relay coil de-energizes. The FAIL alarm logic is fail-safe, and will automatically reset when the fail condition is corrected.
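The four FAIL conditions and the de-energize-to-alarm relay behavior described above can be modeled as follows. This is an added example in C, not the vendor's PROM code: all struct and function names and the FAIL timer period are assumptions, and only the 5-minute no-count limit comes from the text. It also contrasts a hypothetical energize-to-alarm output, which would stay silent on loss of power.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NO_COUNT_TIMEOUT_S 300u /* from the text: no pulses for 5 minutes */
#define WATCHDOG_TIMEOUT_S 2u   /* assumed; the text gives no FAIL timer period */

enum fail_cause {
    FAIL_NONE     = 0,
    FAIL_NO_COUNT = 1 << 0,
    FAIL_POWER    = 1 << 1,
    FAIL_MPU      = 1 << 2,
    FAIL_ANTI_JAM = 1 << 3
};

struct udr_state {            /* hypothetical snapshot of one ratemeter */
    bool     power_ok;
    bool     anti_jam_fuse_ok;
    uint32_t now_s;           /* free-running seconds counter */
    uint32_t last_pulse_s;    /* time of the last detector pulse */
    uint32_t last_kick_s;     /* time the processor last reset the FAIL timer */
};

struct udr_outputs {
    unsigned causes;               /* bitmask of enum fail_cause */
    bool     fail_relay_energized; /* energized means healthy */
    bool     fail_indicator_lit;
    bool     display_on;
};

struct udr_state udr_state_at(bool power_ok, bool fuse_ok, uint32_t now_s,
                              uint32_t last_pulse_s, uint32_t last_kick_s)
{
    struct udr_state s = { power_ok, fuse_ok, now_s, last_pulse_s, last_kick_s };
    return s;
}

unsigned udr_fail_causes(struct udr_state s)
{
    unsigned causes = FAIL_NONE;

    if (!s.power_ok)
        return FAIL_POWER; /* nothing else can be evaluated without power */
    /* Unsigned subtraction stays correct when the seconds counter wraps. */
    if ((uint32_t)(s.now_s - s.last_pulse_s) >= NO_COUNT_TIMEOUT_S)
        causes |= FAIL_NO_COUNT;
    if ((uint32_t)(s.now_s - s.last_kick_s) >= WATCHDOG_TIMEOUT_S)
        causes |= FAIL_MPU;
    if (!s.anti_jam_fuse_ok)
        causes |= FAIL_ANTI_JAM;
    return causes;
}

/* Stateless on purpose: nothing latches, so the alarm clears by itself
 * once the failed condition is corrected. */
struct udr_outputs udr_update(struct udr_state s)
{
    struct udr_outputs o;

    o.causes = udr_fail_causes(s);
    o.fail_relay_energized = (o.causes == FAIL_NONE);
    o.display_on = s.power_ok;
    o.fail_indicator_lit = s.power_ok && o.causes != FAIL_NONE;
    return o;
}

/* Fail-safe arrangement: a dropped-out coil is the alarm. */
bool remote_alarm_deenergize_to_alarm(struct udr_outputs o)
{
    return !o.fail_relay_energized;
}

/* Hypothetical contrast: a coil that must be driven to alarm cannot
 * annunciate the loss of its own power. */
bool remote_alarm_energize_to_alarm(struct udr_state s)
{
    return s.power_ok && udr_fail_causes(s) != FAIL_NONE;
}

int main(void)
{
    /* Constructed timeline: power, fuse, now, last pulse, last timer reset. */
    const struct udr_state timeline[] = {
        { true,  true,  299u, 0u,          298u },
        { true,  true,  300u, 0u,          299u }, /* no-count limit reached */
        { true,  true,  301u, 301u,        300u }, /* pulse seen, auto reset */
        { false, true,  400u, 399u,        399u }, /* power lost */
        { true,  true,  401u, 401u,        401u },
        { true,  true,  500u, 499u,        497u }, /* processor stalled */
        { true,  false, 600u, 600u,        599u }, /* anti-jam fuse open */
        { true,  true,  5u,   0xFFFFFFF0u, 4u   }  /* counter wrapped */
    };
    size_t i;

    for (i = 0; i < sizeof timeline / sizeof timeline[0]; i++) {
        struct udr_outputs o = udr_update(timeline[i]);
        printf("t=%10lu causes=0x%x relay=%d lamp=%d fail-safe=%d energize=%d\n",
               (unsigned long)timeline[i].now_s, o.causes,
               o.fail_relay_energized, o.fail_indicator_lit,
               remote_alarm_deenergize_to_alarm(o),
               remote_alarm_energize_to_alarm(timeline[i]));
    }
    return 0;
}
```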
3.3.5 Historic Data on ARM Use
The licensee included the following statement in its May 3, 2002, RAI response:
The Victoreen 94X series digital ratemeters were originally designed in 1984.
The same basic algorithms are also used in the 956A type devices. The UDR has been installed in over 2,000 process and area radiation channels since then.
This series of monitoring systems has been provided to fourteen nuclear sites, totaling over 100 channels. At four of the sites, Inovision (Victoreen) provided them as qualified units. Ginna Station has 25 units installed that have the 94X series of ratemeters installed with the same or earlier revisions of the same software.
Historic data is insufficient by itself for the staff to approve a system for safety-related use in nuclear power plants; however, the licensee's quoted data does show a successful history of use.
3.3.6 Cable Separation, Isolation, and Power Train Separation
All new circuits (outside of cabinets) for this modification are run in conduit. Each conduit is dedicated to a single train; therefore no conduit carries both Train A and Train B conductors.
All new circuits are Class 1E. Power to the existing, non-Class 1E toxic gas monitoring system is connected through qualified fuses to provide electrical isolation. The new ratemeters will be installed in the control room in radiation monitor system rack 2 (RMS2). The hand control and logic devices (relays) for the system are installed in an auxiliary benchboard in the rear of the control room, consistent with the existing design. Separation of devices and trains of internal wiring in these cabinets (RMS2 and the auxiliary benchboard) will be maintained; however, only minimum physical separation is possible where redundant wiring is terminated on a common device. All wiring is qualified to the IEEE 383-1974 flame test to minimize the possibility of a fault resulting in a fire that would propagate between trains. The power for the two radiation monitoring systems is fed by independent Class 1E power trains via the 120-Vac instrument power system. Normally supplied by the inverters fed from station dc systems, the system will switch to ac supply with emergency diesel generator backup if necessary. The Class 1E power trains are addressed in the Ginna TS (LCOs 3.8.7 and 3.8.9).
3.3.7 Instrument Bus Loading
The additional loading from the new CREATS actuation instrumentation will remain within the existing margins. The load on the 120-Vac instrument buses is controlled by a detailed design analysis that lists all loads fed by these buses and determines the loading margins for all supply equipment. The new radiation monitoring system will draw a maximum power of 1.98 amperes per train. This includes power supplies for the radiation monitoring system, toxic gas system, control relays, signal isolation modules, and indicating lights. This load, when added to existing instrument bus loads, is within the ratings of all equipment (i.e., the panel ratings and the breaker ratings of the instrument buses, the MQ-400 distribution panels, the inverter, and the voltage-regulating transformers). The analysis performed for this modification demonstrates that the changes do not result in exceeding the loading margins.
3.4 Analytical Limit Calculation
The staff reviewed the licensee's analytical limit calculation [DA-EE-201-013 Revision 0] used to formulate the allowable values for the new control room radiation intake monitors (GM tubes).
The allowable values will be placed in the Ginna ITS Table 3.3.6-1 to ensure that the CREATS instrumentation will actuate control room isolation within 30 seconds post-accident, as assumed in the existing Ginna Updated Final Safety Analysis Report (UFSAR) Chapter 6.4, Control Room Habitability Analysis.
The licensee determined the GM tube response to the radioactivity release expected for the postulated design-basis loss-of-coolant accident (LOCA). Because the GM tubes are designed to respond to gamma radiation, the licensee considered the whole-body dose rate due to external exposure in the determination of the analytical limit. The licensee considered the 30-day weighted average whole body dose rate of 15 millirem per hour (mrem/hr) to be the analytical dose limit for the control room. Next, RG&E determined what exposure rate reading the in-duct detectors would indicate for an accident release that could cause an external dose rate of 15 mrem/hr in the control room. The staff reviewed this calculation and, as discussed below, has determined that it is acceptable.
The licensee developed the analytical limit for the control room radiation monitors by performing calculations to determine the relationship between an in-duct exposure rate indication and a control room dose rate for the same concentration of radioactivity at each location. For these calculations, the licensee used a computer code to analyze shielding and evaluate exposure from gamma radiation. The licensee assumed a cloud of uniform radioactivity concentration representative of the design-basis LOCA release in terms of the isotopes present and their respective concentrations. This representative cloud included both iodines and noble gases, as used in the Ginna UFSAR control room habitability analysis. The staff has confirmed that the isotopes and their concentrations are representative of a design-basis LOCA radioactivity release at Ginna. The licensee calculated the expected exposure rate to a detector immersed in the radioactivity release cloud in the intake duct, then calculated the dose rate in the center of the control room from immersion in the same cloud, assuming no isolation, no dilution, and that the cloud has uniformly filled the control room to the design-basis accident (DBA) cloud concentrations for all noble gas and radioiodine isotopes. The staff found the uniform concentration assumption to be reasonable, based on operation of the Ginna CREATS, which provides recirculation of the control room air without positive pressurization of the control room with respect to adjacent areas. The staff reviewed the licensee's calculations as provided by letter dated May 3, 2002, and found the assumptions and the modeling to be acceptable.
In the next step, the licensee found the ratio between the calculated dose rate in the control room and the corresponding in-duct radiation monitor exposure rate and, assuming this is a linear relationship, determined the in-duct exposure rate indication associated with a 15 mrem/hr external dose rate in the control room. This calculated exposure rate of 0.96 mR/hr is the analytical limit for the control room radiation monitors mounted in the intake duct. The licensee's evaluation also revealed that the control room radiation monitor analytical limit of 0.96 mR/hr would be reached for the design-basis LOCA concentration cloud at approximately 11 seconds post-LOCA. Basing the control room isolation actuation setpoint on this calculated radiation monitor analytical limit of 0.96 mR/hr ensured that, with the replacement GM detectors, the control room isolation time would be bounded by the 30-second assumption in the current design-basis control room habitability analysis, as documented in the Ginna UFSAR.
This bounding limit further ensured that the current control room habitability analysis will remain applicable after the monitor replacement, and that the control room design continues to meet GDC-19 dose criteria of 5 rem whole body or its equivalent to any part of the body.
The staff, therefore, concludes that the licensee's analysis for determining the analytical limit for the new control room radiation monitors is acceptable and that the analyzed radiological consequences of DBAs will continue to meet the requirements of 10 CFR Part 50, Appendix A, GDC-19.
3.5 Allowable Value Analysis
The licensee, in Design Analysis DA-EE-2000-009, Revision 0 (Enclosure 1 to the licensee's May 3, 2002, letter), computes a channel uncertainty of 37.3 percent of reading and establishes an allowable value (AV) of 0.5 mR/hr based upon that uncertainty and the 0.96 mR/hr Analytical Limit. The staff has reviewed the derivation of the uncertainty as presented in the referenced Design Analysis, and finds it to be consistent with the recommendations of RG 1.105.
The uncertainty analysis is based, in part, upon an exposure rate uncertainty contribution of +/-15% due to photon energy. Information from the GM tube manufacturer indicates that the +/-15% specification applies to photons in the energy range of 80 keV to 1.5 MeV. The licensee's Analytical Limit calculation [DA-EE-201-013 Revision 0] shows that contributions to the total dose may be expected from photons ranging from 100 keV to 4 MeV. The photons between 1.5 MeV and 4 MeV contribute a non-trivial fraction of the net dose, but fall outside the energy range to which the uncertainty specification applies. In a letter dated June 6, 2003, the licensee presented information indicating that the response of the GM tube can be expected to increase with photon energy in the range from 1.5 MeV to 6 MeV, and so the additional error that might be expected in the 1.5 MeV to 4 MeV range will be conservative and does not compromise the AV determination based upon the +/-15% specification. The additional error in measured dose rate due to photons between 1.5 MeV and 4 MeV will be positive, resulting in a measured dose rate higher than the actual dose rate, and therefore will not compromise the safety of the control room inhabitants.
By letter dated May 3, 2002, in response to a staff RAI, RG&E stated that the modified system has been designed to function for all DBAs. The fuel-handling accident (FHA) is the only DBA other than the LOCA for which the Ginna ITS requires CREATS actuation. The Ginna UFSAR Chapter 15.7 control room habitability analysis for the FHA assumes that the CREATS actuates 30 seconds after the start of the accident. To assure that the proposed AV will enable the CREATS to perform its intended safety function for an FHA, the staff determined the expected response of the control room radiation intake monitors (GM tubes) to a radioactivity cloud representative of the Ginna FHA and compared that to the response for the LOCA. The staff used the FHA radioactivity source term and release characteristics as described in the Ginna UFSAR. The staff's calculations indicate that the control room radiation monitors would be expected to read a higher dose rate for the FHA than for the LOCA, and would, therefore, activate the CREATS within the 30 seconds assumed in the licensee's UFSAR analysis.
The staff, therefore, concludes that the AV specified in ITS Table 3.3.6-1 was established in an acceptable manner on the basis of the proposed analytical limit and anticipated uncertainties.
The staff also concludes that the proposed AV will enable the CREATS to perform its intended safety function (provide adequate protection of control room personnel) for all DBAs assumed in the licensee's control room habitability analyses.
3.6 Technical Specification Changes
The licensee has requested an amendment to LCO 3.3.6 to reflect the changes associated with the proposed installation of the new safety-grade actuation system. The proposed amendment will result in the following changes:
- The allowable outage time (AOT) associated with the required action for a loss of one channel/train will be extended from 1 hour to 7 days as a result of installing redundant channels/trains.
- A new condition will be added for the loss of two channels/trains with an immediate completion time for the required action.
- A new surveillance will be added to require a CHANNEL CHECK of the control room radiation intake monitors once every 12 hours.
- Table 3.3.6-1 will be revised to replace the column heading Trip Setpoint with Allowable Value.
- Table 3.3.6-1 will be revised to increase the number of trains of manual initiation and automatic actuation logic and actuation relays from one train to two trains.
- Table 3.3.6-1 will be revised to remove reference to the iodine, noble gas, and particulate concentration limits. The existing monitors will be replaced by two new GM tubes. This change will also include the AV for the trip setpoint for the new radiation monitors.
The above changes to LCO 3.6.6 are appropriate for the following reasons:
- The present single-channel system is to be replaced with a dual-channel system with the two channels on separate and independent power supplies. As a consequence, LCO 3.6.6 must be revised to reflect the appropriate number of manual and automatic actuation logics associated with a two train system.
- With the proposed system, CREATS must be placed in Mode F immediately if both channels fail, or within 7 days if just one channel fails. In effect, the AOT is reduced to zero for complete loss of the radiation detection function. The 7-day AOT for a single channel failure is acceptable because the redundant channel maintains the needed functionality, and the AOT is exited immediately, should a redundant channel also fail. The proposed LCO is, therefore, more conservative than the existing LCO.
- Performance of the CHANNEL CHECK once every 12 hours ensures that gross failure of instrumentation has not occurred. A CHANNEL CHECK is normally a comparison of the parameter indicated on one channel to a similar parameter on other channels. It is based on the assumption that instrument channels monitoring the same parameter should read approximately the same value. Significant deviations between the instrument channels could be an indication of excessive instrument drift in one of the channels or of more serious instrument conditions. A CHANNEL CHECK will detect gross channel failure; thus, it is a verification that the instrumentation continues to operate properly between each CHANNEL CALIBRATION. The frequency of 12 hours is based on operating experience that demonstrates channel failure is rare.
- Replacing the PING concentration limits with a dose rate limit is acceptable because the GM tubes are designed to measure dose rates. The dose rate limit, which is the AV, was determined from the analytical limit, which was derived from the accident analysis. Therefore, the existing PING concentration limits do not need to be converted to equivalent units compatible with the GM tube.
- Replacing the column heading Trip Setpoint with Allowable Value is consistent with NUREG-1431, Standard Technical Specifications for Westinghouse Plants, and the Ginna Station Setpoint Verification Program which is consistent with RG 1.105, Instrument Setpoints For Safety-Related Systems.
The staff concludes that the proposed changes to LCO 3.3.6 are consistent with the design and operation of the new system, as evaluated in this SE, and are, therefore, acceptable.
3.7 Regulatory Compliance
The following subsections discuss the degree of regulatory compliance of the ARM. The GDCs listed in Appendix A to 10 CFR Part 50 establish the minimum requirements for the design of nuclear power plants; 10 CFR 50.55a(h) incorporates IEEE Std 603-1991. The RGs and endorsed industry codes and standards listed in Table 7-1 of the SRP are the guidelines used as the basis for this evaluation.
Section 50.55a(a)(1), Quality Standards for Systems Important to Safety, is addressed by conformance with the codes and standards listed in the SRP. In developing the ARM, the vendor used codes and standards that are the same as or equivalent to the standards identified in the SRP. Accordingly, the staff concludes that the ARM conforms with this requirement.
Section 50.55a(h) endorses IEEE Std 603-1991, which addresses both system-level design issues and quality criteria for qualifying devices. In Attachment 2 to the May 3, 2002, RAI response, the licensee discussed conformance of the CREATS to the requirements of IEEE Std 603. The licensee stated that the CREATS meets the design-basis requirements of Sections 4.1 through 4.12; the safety system requirements of Sections 5.1 through 5.15; the function and design requirements of Sections 6.1 through 6.8; the function requirements of Sections 7.1 through 7.5; and the power source requirements of Sections 8.1 through 8.3. The staff reviewed Attachment 2 as well as the supporting documentation submitted as RAI responses dated October 7, 2002, and November 5, 2002, and verified that the licensee had addressed each of the applicable requirements of IEEE Std 603-1991. Accordingly, the staff concludes that the CREATS and the ARM satisfy the requirements of 10 CFR 50.55a(h) with regard to IEEE Std 603-1991.
The staff determined that the following GDCs specified in Appendix A to 10 CFR Part 50 were the applicable design criteria for this review:
- GDC 1, Quality Standards and Records
- GDC 2, Design Basis for Protection Against Natural Phenomena
- GDC 4, Environmental and Dynamic Effects Design Bases
- GDC 13, Instrumentation and Control
- GDC 19, Control Room
- GDC 20, Protection System Functions
- GDC 21, Protection System Reliability and Testability
- GDC 22, Protection System Independence
- GDC 23, Protection System Failure Modes
- GDC 24, Separation of Protection and Control Systems
GDC 1 requires that structures, systems, and components (SSCs) important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. The staff reviewed the equipment description for conformance to the guidelines in the regulatory guides and industry codes and standards that apply to this equipment. As discussed in Sections 3.2 and 3.3 of this SE, the staff concludes that the CREATS and the ARM design conforms to the applicable guidelines and regulatory criteria of GDC 1 and 10 CFR 50.55a(a)(1).
GDC 2 requires that SSCs important to safety shall be designed to withstand the effects of natural phenomena. GDC 4 requires that SSCs important to safety be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including LOCAs. As discussed in Section 3.3.2.2 of this SE, the staff determined that the licensee and the vendor have designed the CREATS and ARM consistent with the design bases for the intended safety-related application, and therefore these system designs are in accordance with the requirements of GDC 2 and 4.
GDC 13 requires that instrumentation shall be provided to monitor variables over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within their prescribed operating ranges.
The licensee established an acceptable allowable value consistent with the design basis analytical limit. As discussed in Sections 3.4 and 3.5 of this SE, the staff reviewed the derivation of the uncertainty as presented in the referenced Design Analysis, and found it to be consistent with the recommendations of Regulatory Guide 1.105. The licensee qualified the CREATS and ARM for the environment in which the systems are to operate. On the basis of these activities, the staff concluded that the CREATS and ARM designs were in accordance with GDC 13.
GDC 19 requires that a control room be provided from which actions can be taken to maintain the nuclear power unit in a safe condition under accident conditions including LOCAs. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. As discussed in Sections 3.3.2.4 and 3.4.1 of this SE, the staff determined that the ARM design is in accordance with the requirements of GDC 19.
GDC 20 requires that protection systems be designed to sense accident conditions and to automatically initiate the operation of systems and components important to safety. On the basis of the system review as discussed in Sections 3.2 and 3.3 of this SE, the staff concluded that the ARM design is in accordance with the requirements of GDC 20.
GDC 21 requires that the protection systems be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed, and that no single failure results in loss of the protection function. These systems must be designed to permit periodic testing of their functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. On the basis of the staff's review of the CREATS and ARM as discussed in Section 3.3.4 of this SE, the staff concludes that these systems conform to the guidelines for periodic testing in RG 1.22 and RG 1.118. As discussed in Sections 3.3.2.4 and 3.3.3.4 of this SE, the CREATS installation also conforms to the guidelines regarding the application of the single-failure criterion in IEEE Std 379, as supplemented by RG 1.53. The staff further concludes that the ARM is consistent with the guidance of IEEE Std 603 with regard to system reliability and testability. Therefore, the staff finds that the ARM design is in accordance with the requirements of GDC 21.
GDC 22 requires that protection systems be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or the systems shall be demonstrated to be acceptable on some other defined basis. As discussed in Sections 3.3.2.2, 3.3.2.4, 3.3.6, and 3.3.7 of this SE, the staff finds that the CREATS design is in accordance with the requirements of GDC 22.
GDC 23 requires that protection systems be designed to fail into a safe state. On the basis of its review of the CREATS and ARM as discussed in Sections 3.2 and 3.3 of this SE, the staff concludes that the CREATS was designed to fail into a safe mode and, therefore, the CREATS design is in accordance with the requirements of GDC 23.
GDC 24 requires that protection systems be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. On the basis of its review of the interfaces between the CREATS and other plant systems as discussed in Sections 3.3.2.3 and 3.3.6 of this SE, the staff concludes that the CREATS design satisfies the requirements of IEEE Std 603 with regard to control and protection system interactions and, therefore, is in accordance with the requirements of GDC 24.
On the basis of the above conclusions, the staff determined that the ARM design and the CREATS design are in accordance with the relevant requirements of GDCs 1, 2, 4, 13, and 19 through 24.
3.8 Approval
For the reasons set forth above, the staff concludes that the CREATS actuation instrumentation and the ARM are in accordance with the requirements of 10 CFR 50.55a(a)(1) and 50.55a(h).
The systems also are in accordance with GDC 1, 2, 4, 13, and 19 through 24, and IEEE Std 603. On that basis, the staff concludes that the ARM is acceptable for use in the safety-related CREATS actuation circuitry, and that this system is acceptable for use at Ginna.
4.0 STATE CONSULTATION
In accordance with the Commission's regulations, the New York State official was notified of the proposed issuance of the amendment. The State official had no comments.
5.0 ENVIRONMENTAL CONSIDERATION
The amendment changes a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and changes surveillance requirements. The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding (66 FR 46481). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributors: Paul Loeser, Michelle Hart, Paul Rebstock, Michael Waterman, Duc Nguyen, Robert Clark
Date: August 29, 2003