GNRO-2011/00039, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System


Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System
ML111460590
Person / Time
Site: Grand Gulf
Issue date: 05/26/2011
From: Krupa M
Entergy Operations
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
GNRO-2011/00039, TAC ME2531


Text

Entergy Operations, Inc.
P. O. Box 756
Port Gibson, MS 39150

Michael A. Krupa
Director, Extended Power Uprate
Grand Gulf Nuclear Station
Tel. (601) 437-6684

Attachment 1 and Enclosure 1 contain PROPRIETARY information.

GNRO-2011/00039
May 26, 2011

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

SUBJECT: Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531)

Grand Gulf Nuclear Station, Unit 1
Docket No. 50-416
License No. NPF-29

REFERENCES:

1. Entergy Operations, Inc. letter to the NRC (GNRO-2009/00054), License Amendment Request - Power Range Neutron Monitoring System Upgrade, November 3, 2009 (ADAMS Accession No. ML093140463)

2. NRC e-mail to Entergy Operations, Inc., Grand Gulf Request for Additional Information Regarding Power Range Neutron Monitoring System License Amendment Request (TAC No. ME2531), April 27, 2011 (ADAMS Accession Nos. ML111170424 and ML111170432)

Dear Sir or Madam:

In Reference 1, Entergy Operations, Inc. (Entergy) submitted to the NRC a license amendment request (LAR), which proposes to revise the Grand Gulf Nuclear Station (GGNS) Technical Specifications (TS) to reflect the installation of the digital General Electric-Hitachi (GEH) Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitoring (PRNM) System.

In Reference 2, the NRC staff transmitted 29 Requests for Additional Information (RAIs) to support their review and approval of Reference 1. Responses to RAIs 1, 2, 8, 9, 10, 14, 18, 19, 20, 27, 28, and 29 are provided in Attachment 1. Documents supporting the response to RAI 1 are provided in Enclosure 1.

When Attachment 1 and Enclosure 1 are removed from this letter, the entire document is NON-PROPRIETARY.

GEH considers certain information contained in Attachment 1 and the documents contained in Enclosure 1 to be proprietary and, therefore, requests they be withheld from public disclosure in accordance with 10 CFR 2.390. A non-proprietary, redacted version of Attachment 1 is provided in Attachment 2. Because the documents provided in Enclosure 1 are entirely proprietary and contain no non-proprietary information, no redacted versions of them are being provided. The associated affidavits for Attachment 1 and Enclosure 1 are provided in Attachments 3 and 4, respectively.

The No Significance Hazards Determination and the Environmental Consideration provided in Reference 1 are not impacted by these responses.

This letter contains no new commitments.

If you have any questions or require additional information, please contact Mr. Guy Davant at (601) 368-5756.

I declare under penalty of perjury that the foregoing is true and correct; executed on May 26, 2011.

Sincerely,

MAK/ghd

Attachments:

1. Responses to NRC Requests for Additional Information Pertaining to License Amendment Request - Power Range Neutron Monitoring System Upgrade with Affidavit Supporting Request to Withhold Information from Public Disclosure (Proprietary Version)
2. Responses to NRC Requests for Additional Information Pertaining to License Amendment Request - Power Range Neutron Monitoring System Upgrade (Non-Proprietary Version)
3. GEH Affidavit Supporting Proprietary Information provided in Attachment 1
4. GEH Affidavit Supporting Proprietary Information provided in Enclosure 1 of Attachment 1

Enclosure:

1. Documents Supporting the Response to NRC RAI 1

cc: Mr. Elmo E. Collins, Jr.
Regional Administrator, Region IV
U. S. Nuclear Regulatory Commission
612 East Lamar Blvd., Suite 400
Arlington, TX 76011-4005

U. S. Nuclear Regulatory Commission
ATTN: Mr. A. B. Wang, NRR/DORL (w/2)
ATTN: ADDRESSEE ONLY
ATTN: Courier Delivery Only
Mail Stop OWFN/8 B1
11555 Rockville Pike
Rockville, MD 20852-2378

State Health Officer
Mississippi Department of Health
P. O. Box 1700
Jackson, MS 39215-1700

NRC Senior Resident Inspector
Grand Gulf Nuclear Station
Port Gibson, MS 39150

ATTACHMENT 2

GNRO-2011/00039

RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION PERTAINING TO LICENSE AMENDMENT REQUEST POWER RANGE NEUTRON MONITORING SYSTEM UPGRADE (NON-PROPRIETARY VERSION)

to GNRO-2011/00039 Page 1 of 147 NON-PROPRIETARY INFORMATION

RESPONSES TO NRC REQUESTS FOR ADDITIONAL INFORMATION PERTAINING TO LICENSE AMENDMENT REQUEST POWER RANGE NEUTRON MONITORING SYSTEM UPGRADE

By application dated November 3, 2009, Entergy Operations, Inc. (Entergy) requested NRC staff approval of an amendment to the Grand Gulf Nuclear Station, Unit 1 (GGNS) Technical Specifications (TS) to reflect installation of the digital General Electric - Hitachi (GEH) Nuclear Management Analysis and Control (NUMAC) Power Range Neutron Monitoring (PRNM) System.[1] Entergy received an e-mail from the NRC GGNS Project Manager on April 27, 2011 requesting additional information needed to support their review and approval of the proposed amendment.[2] Responses to Requests for Additional Information (RAIs) 3, 5, 6, 12, and 15 are provided in this attachment.

NRC RAI 1

BTP 7-14 contains the evaluation criteria for the high quality development process that is applicable to important to safety system programming, which includes the Power Range Neutron Monitor System (PRNMS).

Describe the processes used to develop and program microprocessor and Programmable Logic Device (PLD) firmware in sufficient detail for evaluation to satisfy the above criteria or to determine them to be acceptable alternatives.

The following identifies what the NRC staff considers as sufficient detail. The level of detail is expected to be consistent with information requirements in the Interim Staff Guidance (ISG) for the Licensing Process of Digital Instrumentation & Controls, Digital I&C-ISG-06, (ADAMS Accession No. ML110140103). Sufficient detail includes either references to accession numbers of previously docketed and reviewed information, for which changes have been identified, or placement on the docket the applicable revisions of these development processes and other products, which had been referenced in prior responses.

The following further clarifies the rationale for this RAI but does not include additional information requests. Part of the response to RAI #1 (ADAMS Accession No. ML101190125), which was provided in Table 1-7 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028), identifies changes and a very high level mapping of BTP 7-14 to development processes and products, but does not provide either information or mapping of the guidance to sections within the referenced documents. Supplemental information is necessary for the NRC staff to evaluate the processes and products as satisfying the current regulatory evaluation criteria. Simply mapping sets of document titles to planning documents of Section B.2.1 of BTP 7-14 does not allow the NRC staff to assess how the licensee satisfies the evaluation criteria. Table 1-11 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) similarly provides only a correlated list of 7-4.3.2-2003 section titles to a list of document titles at a high level.

[1] Entergy Operations, Inc. letter to the NRC, License Amendment Request - Power Range Neutron Monitoring System Upgrade, dated November 3, 2009 (ADAMS Accession No. ML093140463)

[2] NRC e-mail to Entergy Operations, Inc., Grand Gulf Request for Additional Information Regarding Power Range Neutron Monitoring System License Amendment Request (TAC No. ME2531), April 27, 2011 (ADAMS Accession Nos. ML111170424 and ML111170432)

Response

Overview

The twelve software plans identified in Section B.2.1 of BTP 7-14 define a comprehensive, independent, and self-contained set of software-specific processes, procedures, activities, and controls, which constitute a stand-alone software development program found acceptable by the NRC for development of software products used in safety-related applications at nuclear power plants. The GEH NUMAC Software Development Program is an alternate approach to the program defined by BTP 7-14, as discussed in the following paragraphs.

The three NUMAC software development plans listed below were first released in October 1990, nearly seven years prior to the initial release of Branch Technical Position (BTP) HICB 14 in June 1997, and more than sixteen years prior to the release of the current revision of BTP 7-14 in March 2007. The three NUMAC software development plans are:

• NUMAC Software Configuration Management Plan (SCMP)
• NUMAC Software Management Plan (SMP)
• NUMAC Software Verification and Validation Plan (SVVP)

These plans and the software development life cycle process that they represent have remained relatively unchanged since their initial release, except for minor changes to clarify and adjust to changing technology over the years. The current revisions of the three NUMAC software planning documents, as well as other life cycle products, are attached to this RAI response to be placed on the docket for review by the NRC staff.

In contrast to BTP 7-14, the NUMAC software development plans alone do not define a comprehensive, independent, and self-contained software development program. Instead, these plans define how software for NUMAC products will be developed according to the policies and procedures that implement the GEH 10 CFR 50 Appendix B Quality Assurance program NEDO-11209 that has been reviewed and approved by the NRC.

The NUMAC Software Development Program comprises the following:

• NUMAC software development plans listed above,
• Activities defined by GEH Engineering Operating Procedures (EOPs) and Common Procedures (CPs) that implement the GEH QA program,
• The generic NUMAC [Product Line] Requirements Specification, and
• The GEH corporate configuration control tools and associated processes.

Evaluation of the NUMAC Software Development Program against the criteria of BTP 7-14 must include consideration of all these elements.

The NUMAC Software Development Program is presented in this RAI response as an alternative approach to the independent and comprehensive software-specific process model defined by BTP 7-14. The information provided is intended to be of sufficient detail, consistent with the information requirements of DI&C-ISG-06, to demonstrate that the NUMAC Software Development Program is a well-defined and disciplined process that results in a high quality product, suitable for use in safety-related applications at nuclear power plants.

Note on Programmable Logic Devices (PLDs): Part of the response to RAI 1 in Attachment 2 to Entergy letter GNRO-2010/00051 provided a discussion of the application and mapping of the NUMAC Software Development Program used for NUMAC microprocessor firmware development to a previously intended PLD voter logic modification. ((

{3}

)) No other PLD logic modifications are planned for the Grand Gulf PRNM project, and all PLD firmware applied to the project is from previously released designs. ((

{3}

)) See the response to RAI 3 in Attachment 1 to Entergy letter GNRO-2011/00038 for additional discussion on PLD development.

Software Planning Documentation (DI&C ISG-06 D.4.4.1)

The following sections provide information that is intended to be consistent with the information requirements in Section D.4.4.1 of DI&C-ISG-06 in order to enable the NRC staff to evaluate the NUMAC Software Development Program against the BTP 7-14 regulatory evaluation criteria for software planning documentation. Table 1-1 below correlates the BTP 7-14 planning documents with the corresponding GEH project documents and applicable GEH policies and procedures.

Table 1-1 Mapping of BTP 7-14 Planning Documents to Applicable GEH Documents, Policies and Procedures

((

((

((

{3}

))

Software Management Plan (DI&C ISG-06 D.4.4.1.1)

The NUMAC SMP describes the process to be used for the design, development, and maintenance of NUMAC product software, which is more closely aligned with the purpose of a Software Development Plan as defined by the criteria in BTP 7-14. See the discussion below under Software Development Plan for details.

The Project Work Plan is the GEH document that addresses the project management aspects of the Software Management Plan as defined by the criteria in BTP 7-14. The NUMAC SMP is used in conjunction with the Project Work Plan to address the Software Management Plan as defined by the criteria in BTP 7-14.

Section 1.1 of the NUMAC SMP states:

((

{3}

)) The Project Work Plan fully addresses the topics discussed in IEEE Standard 1074-1995, IEEE Standard for Developing Software Life Cycle Processes, Clause 3.1.6, Plan Project Management, as endorsed by RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, as well as IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Clause 5.3.6, Software Project Risk Management, as endorsed by RG 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.

As stated in ((

{3}

))

Project risk management is also a key function of the Project Work Plan. ((

{3}

))

The Grand Gulf PRNM Project Work Plan also defines the interface between Entergy (the licensee) and GEH (the vendor) for the development of the Grand Gulf PRNMS, including how Entergy provides oversight of the software development program through reviews of project deliverables, audits, and participation in the Factory Acceptance Test.

See the discussion under Software Quality Assurance Plan, below, for an explanation of the relationship between the software development group and the quality assurance function, including the independence aspects. Independence of the quality assurance function is also addressed in the response to RAI 2 provided in this attachment.

See the discussion under Software Safety Plan, below, for an explanation of the relationship between the software development group and the software safety function, including the independence aspects. Independence of the software safety function is also addressed in the response to RAI 2.

See the discussion under Software Verification and Validation Plan, below, for an explanation of the relationship between the software development group and the V&V function, including the independence aspects. Independence of the V&V function is also addressed in the response to RAI 2. ((

{3}

))

The Grand Gulf PRNM Project Work Plan identifies the project team, roles, and responsibilities. ((

{3}

)) See discussion under Software Verification and Validation Plan, below.

((

{3}

))

Regulatory Positions 2.1 through 2.5 in RG 1.152 Rev. 2 are very similar to the Regulatory Positions 2.1 through 2.5 in RG 1.152 Draft Rev. 3 - DG1249 on the secure development and operational environment, and the previous response adequately addresses this topic.3

((

{3}

)) These roles and responsibilities are explained in this RAI response and also in the response to RAI 2.

Software Development Plan (DI&C ISG-06 D.4.4.1.2)

((

((3

{3}

))

{3}

))

Together these three plans, used in conjunction with GEH policies and procedures, define software life cycle process activities that are consistent with development process activities and associated integral process activities described in IEEE Standard 1074-1995, IEEE Standard for Developing Software Life Cycle Processes, as endorsed by RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. Compliance with the specific guidance provided by IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Clause 5.3.1, Software Development, as endorsed by RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, is addressed under Software Quality Assurance Plan below.

((

{3}

)) Note that commercial grade software and commercial grade computer hardware are not used to perform any safety function in the NUMAC PRNMS.

NUMAC design philosophy is in accordance with the criterion from IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Clause 5.3.2, Software Tools, as endorsed by RG 1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, that software tools should be used in a manner such that defects not detected by the software tools are detected by V&V activities. ((

{3}

)) The response to RAI 3 provided in Attachment 1 in Entergy letter GNRO-2011/00038 addresses the use of software tools in detail.

((

{3}

)) This document follows the guidance in NUREG/CR-6463, Review Guidelines on Software Languages for Use in Nuclear Power Plant Safety Systems, with specific deviations noted and the rationale for these deviations explained.

Software Quality Assurance Plan (DI&C ISG-06 D.4.4.1.3)

As described above, the NUMAC SCMP, SMP, and SVVP are designed to work in conjunction with the policies and procedures that implement the GEH 10 CFR 50 Appendix B compliant nuclear quality assurance program, NEDO-11209 Rev. 8, developed in accordance with RG 1.28, Revision 3, Quality Assurance Program Requirements. IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Clause 5.3.1, Software Development points to IEEE Standard 730-1998, IEEE Standard for Software Quality Assurance Plans for guidance on developing software QA plans. Likewise, IEEE Standard 1074-1995, IEEE Standard for Developing Software Life Cycle Processes and NUREG/CR-6101 both reference an earlier revision of this standard.

((

{3}

))

For example,

((

{3}

))

The procedures identified above are just a few examples of the GEH policies and procedures that implement the GEH QA program that also happen to address topics from IEEE Standard 730-1998. All NUMAC software development work is conducted under the auspices of the GEH QA program. The information presented above is not intended to be a comprehensive discussion of the GEH QA program. A complete and comprehensive discussion of the GEH QA program is beyond the scope of this RAI response.

((

{3}

))

Software Integration Plan (DI&C ISG-06 D.4.4.1.4)

((

{3}

)) This phase of the design process fully addresses the topics discussed in IEEE Standard 1074-1995, IEEE Standard for Developing Software Life Cycle Processes, Clause 5.3.7, Plan Integration, as endorsed by RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. ((

{3}

))

Software Installation Plan (DI&C ISG-06 D.4.4.1.5)

Section D.4.4.1.5 of DI&C ISG-06 states:

The Software Installation Plan may not be reviewed in the staff SE. Application installation is not a part of the licensing process. The Software Installation Plan may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the installation prior to the system being put into operational use.

((

{3}

)) a Software Installation Plan as described in BTP 7-14 is neither necessary nor applicable.

Software Maintenance Plan (DI&C ISG-06 D.4.4.1.6)

Section D.4.4.1.6 of DI&C ISG-06 states:

The Software Maintenance Plan may not be reviewed in the staff SE. Licensee maintenance is not a part of the licensing process. The Software Maintenance Plan may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the maintenance plan prior to the system being put into operational use.

((

{3}

)) a Software Maintenance Plan as described in BTP 7-14 is neither necessary nor applicable.

Software Training Plan (DI&C ISG-06 D.4.4.1.7)

Section D.4.4.1.7 of DI&C ISG-06 states:

The software training plan may not be reviewed in the staff SE. Licensee training is not a part of the licensing process. Instead, it falls under the regional inspection purview. The licensee should be prepared to support any regional inspections of the training done in preparation for use of the proposed system prior to the system being put into operational use.

Training on PRNMS is handled through normal plant training processes and procedures; therefore, a Software Training Plan as described in BTP 7-14 is neither necessary nor applicable.

Software Operations Plan (DI&C ISG-06 D.4.4.1.8)

Section D.4.4.1.8 of DI&C ISG-06 states:

The Software Operations Plan may not be reviewed in the staff SE. Licensee operations are not a part of the licensing process. The Software Operations Plan may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the preparation for use of the proposed system prior to the system being put into operational use.

Operation of PRNMS is controlled by plant operating procedures; therefore, a Software Operations Plan as described in BTP 7-14 is neither necessary nor applicable.

Software Safety Plan (DI&C ISG-06 D.4.4.1.9)

((

{3}

)) This provides a comparable level of assurance to that which would be achieved by compliance with BTP 7-14 criteria for software safety analysis. See the response to RAI 2 provided in this attachment for further details on software safety analysis.

Software Verification and Validation Plan (DI&C ISG-06 D.4.4.1.10)

The NUMAC SVVP is used in conjunction with GEH procedures that govern independent design verification activities to establish methods for V&V that are consistent with guidance provided in IEEE Standard 1012-1998, IEEE Standard for Software Verification and Validation, as endorsed by RG 1.168 Rev. 1, Verification, Validation, Reviews, And Audits for Digital Computer Software Used in Safety Systems Of Nuclear Power Plants. The NUMAC Software Development Program V&V activities are also consistent with guidance found in IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Clause 5.3.3, Verification and Validation, as endorsed by RG 1.152 Rev. 2, Criteria for Use of Computers in Safety Systems of Nuclear Power Plants, as well as RG 1.152, Rev. 2, Section C.2.2.1, System Features.

The NUMAC SVVP used in conjunction with standard GEH procedures as described below defines V&V activities for NUMAC software that are comparable to those described in the regulatory guidance and are consistent with the objectives stated in the regulatory guidance, even though the NUMAC SVVP does not conform to the conventional model of a Software Verification and Validation Plan as described in IEEE Standard 1012-1990 and NUREG/CR-6101.

((

{3}

)) Independence is applied throughout the design process as described in the response to RAI 2.

((

{3}

))

The discussion above and the response to RAI 2 describe the V&V organization and independence aspects. ((

{3}

))

Software Configuration Management Plan (DI&C ISG-06 D.4.4.1.11)

The NUMAC SCMP is used in conjunction with GEH procedures that implement the GEH corporate configuration management system to establish a software configuration management program for NUMAC products that is consistent with guidance provided in IEEE Standard 1074-1995, Clause 7.2.4, Plan Configuration Management, as endorsed by RG 1.173, Developing Software Life Cycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, as well as guidance provided in IEEE Standard 828-1990, IEEE Standard for Configuration Management Plans, as endorsed by RG 1.169, Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. The NUMAC SCMP used in conjunction with GEH procedures is also consistent with guidance provided in IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, Clause 5.3.5, Software configuration management. ((

{3}

)) The NUMAC SCMP used in conjunction with standard GEH procedures as described below provides for comparable configuration management of NUMAC software that is consistent with the objectives stated in the regulatory guidance, even though the NUMAC SCMP does not conform to the conventional model of a Software Configuration Management Plan as described in IEEE Standard 828-1990 and NUREG/CR-6101.

5) ((

{3}

))

Software Test Plan (DI&C ISG-06 D.4.4.1.12)

The NUMAC SVVP defines multiple layers of testing to be performed over the software development life cycle defined by the NUMAC SMP in order to assure the quality of NUMAC software:

((

{3}

)) IEEE Standard 829-1983, IEEE Standard for Software Test Documentation, as endorsed by RG 1.170, Software Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, as well as IEEE Standard 1008-1987, IEEE Standard for Software Unit Testing, as endorsed by RG 1.171, Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants, ((

{3}

)) See the discussions of Module Test Report and Integration Test Report under Testing Activities, below, for additional information.

((

{3}

)) IEEE Standard 1012-1998, IEEE Standard for Software Verification and Validation, as endorsed by RG 1.168 Revision 1, Verification, Validation, Reviews, And Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants. ((

{3}

))

See the discussion above under Software Verification and Validation Plan, as well as the response to RAI 2, for further details regarding the degree of independence provided at various stages of the NUMAC software development process for all V&V activities.

Software Plan Implementation (DI&C ISG-06 D.4.4.2)

The following sections provide information that is intended to be consistent with the information requirements in Section D.4.4.2 of DI&C-ISG-06 in order to enable the NRC staff to evaluate the NUMAC Software Development Program against the BTP 7-14 regulatory evaluation criteria for software implementation activities. Table 1-2 below correlates the BTP 7-14 software plan implementation activities with the corresponding GEH activities and associated documentation.

Table 1-2 Correlation of BTP 7-14 Software Plan Implementation Activities to GEH Implementation Activities and Documentation

((

((

{3}

))

Software Safety Analysis (DI&C ISG-06 D.4.4.2.1)

As previously stated above, the NUMAC Software Development Program includes elements that sufficiently address software safety, ((

{3}

)) These records are maintained in the Product Data Management System where they are available for review by the NRC staff at the GEH office.

V&V Analysis and Reports (DI&C ISG-06 D.4.4.2.2)

((

{3}

))

The V&V records for all baseline configuration items, as well as the baseline review records that show that verification tasks were successfully accomplished at each design phase in the life cycle, are maintained in the Product Data Management System where they are available for review by the NRC staff at the GEH office.

Configuration Management Activities (DI&C ISG-06 D.4.4.2.3)

The Product Data Management System is the primary configuration management tool for all engineering controlled documentation, including software for NUMAC products.

((

{3}

))

The Product Data Management System provides unique identification of each configurable item by document identification number, title, and revision. ((

{3}

)) Revision history of all baseline configuration items is tracked and reported by the Product Data Management System.

((

{3}

))

The configuration management records for all baseline configuration items, as well as the baseline review records that establish and document the configuration at each design phase in the life cycle, are maintained in the Product Data Management System where they are available for review by the NRC staff at the GEH office.

Testing Activities (DI&C ISG-06 D.4.4.2.4)

((

{3}

))

The module test reports, integration test reports, validation test procedures, validation test procedure traceability matrices, validation test reports, and documented acceptance of the FAT results are maintained in the Product Data Management System where they are available for review by the NRC staff at the GEH office.

Design Outputs (DI&C ISG-06 D.4.4.3)

The following sections provide information that is intended to be consistent with the information requirements in Section D.4.4.3 of DI&C-ISG-06 in order to enable the NRC staff to evaluate the NUMAC Software Development Program against the BTP 7-14 regulatory evaluation criteria for software life cycle design outputs. Table 1-3 below correlates the BTP 7-14 design outputs with the corresponding GEH NUMAC software development process design outputs.

Table 1-3 Correlation of BTP 7-14 Design Outputs to GEH NUMAC Design Outputs

((

Software Requirements Specification (DI&C ISG-06 D.4.4.3.1)

((

{3}

))

This document is provided in Enclosure 1 of this attachment to be placed on the docket for review by the NRC staff. This and other documents that comprise the Definition and Planning baseline are maintained in the Product Data Management System. Documents referenced within the system requirements specification listed above and other documents from the Definition and Planning baseline not placed on the docket are available for review by the NRC staff at the GEH office.

((

{3}

))

These documents are provided in Enclosure 1 of this attachment to be placed on the docket for review by the NRC staff. These and other documents that comprise the Product Performance Definition baseline are maintained in the Product Data Management System.

Documents referenced within the specifications listed above and other documents from the Product Performance Definition baseline not placed on the docket are available for review by the NRC staff at the GEH office.

These documents establish the software requirements similar to a conventional Software Requirements Specification as described in IEEE Std 830-1993, "IEEE Recommended Practice for Software Requirements Specifications," as endorsed by RG 1.172, "Software Requirements Specifications for Digital Computer Software Used in Safety Systems of Nuclear Power Plants."

Software Architecture Description (DI&C ISG-06 D.4.4.3.2)

((

{3}

)) These requirements and the details of the software architecture are further refined in the instrument specific software design specifications established during the High Level Software Design phase.

The generic NUMAC Requirements Specification is attached to this RAI response to be placed on the docket for review by the NRC staff.

Software Design Specification (DI&C ISG-06 D.4.4.3.3)

((

{3}

))

These documents are provided in Enclosure 1 of this attachment to be placed on the docket for review by the NRC staff. These documents and other documents that comprise the High Level Software Design baseline are maintained in the Product Data Management System.

Documents referenced within the specifications listed above and other documents from the High Level Software Design baseline not placed on the docket are available for review by the NRC staff at the GEH office.

Code Listings (DI&C ISG-06 D.4.4.3.4)

((

{3}

)) Source code listings are maintained in the Product Data Management System where they are available for review by the NRC staff at the GEH office.

System Build Documents (DI&C ISG-06 D.4.4.3.5)

((

{3}

))

The firmware release descriptions and firmware drawings are maintained in the Product Data Management System where they are available for review by the NRC staff at the GEH office.

Installation Configuration Tables (DI&C ISG-06 D.4.4.3.6)

Section D.4.4.3.6 of DI&C ISG-06 states:

The Installation Configuration Tables should not be reviewed in the staff SE. Licensee operations are not a part of the licensing process, but they may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the preparation for use of the proposed system prior to the system being put into operational use.

((

{3}

)) Determination of cycle-specific parameter values is not within the scope of the NUMAC Software Development Program.

Operations Manuals (DI&C ISG-06 D.4.4.3.7)

Section D.4.4.3.7 of DI&C ISG-06 states:

The Operations Manual should not be reviewed in the staff SE. Licensee operations are not a part of the licensing process. The Operations Manual may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the preparation for use of the proposed system prior to the system being put into operational use.

((

{3}

))

Software Maintenance Manuals (DI&C ISG-06 D.4.4.3.8)

Section D.4.4.3.8 of DI&C ISG-06 states:

The Software Maintenance Manuals should not be reviewed in the staff SE. Licensee maintenance is not a part of the licensing process, they may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the preparation for use of the proposed system prior to the system being put into operational use.

((

{3}

))

Software Training Manuals (DI&C ISG-06 D.4.4.3.9)

Section D.4.4.3.9 of DI&C ISG-06 states:

The Software Training Manuals should not be reviewed in the staff SE. Licensee training is not a part of the licensing process, they may be inspected as part of the regional inspection program. The licensee should be prepared to support any regional inspections of the preparation for use of the proposed system prior to the system being put into operational use.

((

{3}

))

Conclusion

The GEH NUMAC Software Development Program used for the Grand Gulf PRNM project is an alternative approach to the independent and comprehensive software-specific process model defined by BTP 7-14. This alternate approach addresses all critical aspects of a high quality development process and provides a level of quality assurance comparable to that which would be achieved by compliance with BTP 7-14. The GEH NUMAC Software Development Program, although different from the program described in BTP 7-14, is a well-defined and disciplined process that results in a high quality product, suitable for use in safety-related applications at nuclear power plants, such as the NUMAC PRNMS for Grand Gulf.

References

1. NUMAC Software Configuration Management Plan, 23A5161 Revision 4
2. NUMAC Software Management Plan, 23A5162 Revision 3
3. NUMAC Software Verification and Validation Plan, 23A5163 Revision 3
4. NEDO-11209-04A, "GE Nuclear Energy Quality Assurance Program Description," Revision 8, March 31, 1989.
5. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.
6. P&P 70-11 Quality System Requirements
7. P&P 70-14 Quality Assurance Audit Requirements
8. EOP 25-5.00 Work Planning and Scheduling
9. EOP 30-3.40 Product Data Management System
10. EOP 42-8.00 Document Initiation or Change by ERM/ECN
11. EOP 42-10.00 Design Record File
12. EOP 55-2.00 Engineering Change Control
13. EOP 75-5.00 Quality and Technical Training
14. EOP 75-6.00 Quality Assurance Records
15. EOP 75-7.00 Statistical Techniques
16. CP-03-04 Technical Reviews
17. CP-03-09 Independent Design Verification
18. CP-16-01 Corrective Action Process
19. CP-18-101 Self-Assessment Program
20. NUMAC Requirements Specification, 23A5082AA Revision 1
21. NUMAC PRNM Requirement Specification, 24A5221WA Revision 6
22. NUMAC APRM with DSS-CD Performance Specification, 26A8153 Revision 2
23. NUMAC APRM with DSS-CD Data Sheet, 26A8153WA Revision 4
24. APRM Functional Software Design Specification, 26A7523 Revision 0
25. APRM Functional (DSS-CD BSP) Functional Controller SDS Data Sheet, 26A7523WA Revision 1
26. Software Conventions and Guidelines, 26A5410 Revision 0

Note: References 1, 2, 3, 20, 21, 22, 23, 24, and 25 are provided in Enclosure 1 to this attachment.

NRC RAI 2

BTP 7-14 identifies that the Software Management Plan should ensure that the quality assurance organization, the software safety organization and the software verification and validation (V&V) organization maintain independence from the development organization. In particular, the plan should ensure that these assurance organizations do not report to the development organization, and not be subject to the financial control of the development organization.

Describe the characteristics of the Software Management Plan used to develop and program microprocessor and PLD firmware in sufficient detail for evaluation to satisfy the above criteria or to determine them to be acceptable alternatives. Sufficient detail includes mapping the specific process roles, such as those provided in RAI #1's response in Table 1-11 of to GNRO-2010/00051 (ML102150028), with their organization.

The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #1's response in Table 1-7 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) does not address organization independence for microprocessor firmware development nor describe maintenance of independence at each stage of verification and validation. The response does not describe 1) the scope/coverage of this verification and validation, 2) the criteria used to identify items having safety-significant aspects, and 3) how safety-significance determinations provide equivalency to Software Safety planning. Similarly, RAI #1's response in Table 1-8 of Attachment 2 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) does not address the criteria to maintain independence for PLD firmware development.

Response

This RAI response addresses independence of microprocessor firmware development and programmable logic device (PLD) firmware development. The response is divided into two major sections under the following headings:

1. Microprocessor Firmware Development
2. Legacy PLD Firmware Development

The development of new PLD firmware follows the process as described in Section 1. The development process for the legacy PLD firmware is described in Section 2.

1. Microprocessor Firmware Development

The NUMAC Software Management Plan (SMP), NUMAC Software Configuration Management Plan (SCMP), and NUMAC Software Verification and Validation Plan (SVVP) provide the procedure and process requirements for software development and delivery activities. These are in addition to GEH policies and procedures developed in accordance with 10 CFR 50 Appendix B requirements for independent design verification, technical reviews, quality assurance, and other engineering activities. A combination of organizational independence, independent design verifications, baseline reviews, and technical design reviews provides assurance that the design has adequate quality, safety, reliability, and performance.

((

{3}

))

This portion of the response is provided in two sections. Section 1.1 provides information that is not baseline-specific. Section 1.2 provides baseline-specific information.

1.1 Generic Across Baselines

1.1.1 GEH Organizational Structure for GGNS PRNMS

((

{3}

))

((

{3}

))

Figure 2-1 Simplified Outline of GEH Organizational Structure

1.1.2 Independent Design Verification

The requirements for GEH independent design verification are defined in GEH policies and procedures and comply with the requirements in 10 CFR 50 Appendix B. Independent design verification is a key process in GEH software development. ((

{3}

))

The NUMAC SMP and NUMAC SVVP specify various requirements for independent design verification. The GEH design process requires independent design verification at various stages of the design.

All independent design verifications, including verification by an individual within the same organization, must abide by the following independence requirements for the responsible verifier (RV). Common Procedure (CP) 03-09, Independent Design Verification (Reference 1), Section 7.1.3, states that the following independence criteria shall be met.

((

{3}

))

1.1.3 Baseline Review Process

The NUMAC SMP defines the deliverables for each life-cycle baseline. A Baseline Review is performed at the conclusion of each life-cycle baseline to provide a formal, independent evaluation of conformance to the design process, effectiveness, and completeness of the process to that point. ((

{3}

))

1.1.4 Technical Design Review Process

GEH policies and procedures also require periodic Technical Design Reviews be conducted for each project. For the GGNS PRNMS project there will be four design reviews performed and documented at various stages of the project in accordance with GEH policies and procedures. Design review objectives include verifying that the design meets all design requirements, including safety requirements. The Design Review also ensures product operability, safety and reliability.

{3}

))

1.1.5 Items Having Safety-Significant Aspects

For the GGNS PRNMS project, the basis for identifying an item as having safety-significant aspects is outlined in NEDC-32410P-A (Reference 3). This basis is used to identify safety-significant aspects in life cycle baseline documentation. ((

{3}

))

1.1.6 Safety-Significance Determinations Equivalency to Software Safety Planning

Safety-significant aspects of the design are identified in the baseline documentation described in Section 1.2, Baseline Specific Information, below.

This is compliant with the BTP 7-14 requirement that appropriate safety requirements be included in the software requirements specification.

Identifying the safety-significant aspects in the baseline documentation provides assurance that safety-significant aspects are sufficiently addressed during the independent design verification.

((

{3}

)) For the GGNS PRNMS project, common-cause failures are addressed in the responses to RAI 8, RAI 9, and RAI 10 provided in this attachment, and the response to RAI 11 provided in Reference 4.

1.1.7 Summary of Section 1.1

Therefore, the NUMAC SMP, NUMAC SCMP, NUMAC SVVP, and GEH policies and procedures provide multiple layers of independent design verifications, independent baseline reviews, independent technical design reviews, and QA confirmation to ensure that the design has adequate quality, safety, reliability, and performance of the software product. Organizational and financial independence is provided at various stages of the software design process as defined in these procedures. The application of these processes in each baseline is described in the next section below.

((

{3}

))

2. Legacy PLD Firmware Development

The legacy PLD firmware follows a hardware process compliant with GEH policies and procedures and in compliance with 10 CFR 50 Appendix B.

((

{3}

))

Future PLD development will follow the NUMAC software development plans.

References

1. Common Procedure - Independent Design Verification, CP-03-09.
2. Common Procedure - Technical Reviews, CP-03-04.
3. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October 1995.
4. Entergy Letter GNRO-2011/00032 to the NRC, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), May 3, 2011 (ADAMS Accession No. ML111230756)
5. NUMAC PRNM Requirements Specification, 24A5221WA.
6. NUMAC APRM with DSS-CD Performance Specification, 26A8153.
7. APRM Functional Software Design Specification, 26A7523.

NRC RAI 8

Describe in detail how the upgrade addresses common-cause programming failures that could adversely affect safety function redundancy to demonstrate that either the digital upgrade maintains the plant within its design basis or that the plant has the ability to cope with any vulnerability to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.

The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #3's response in Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) did not demonstrate that the Acceptance Criteria identified in BTP 7-19 were satisfied. No analysis was provided that addressed potential common-cause programming failures of each programmable entity (microprocessor and PLD) to defeat redundancy.

Response

Overview

The Power Range Neutron Monitoring System (PRNMS) upgrade was evaluated using the Acceptance Criteria identified in NRC Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems (Reference 1). The evaluation demonstrates that the plant has the ability to cope with any potential common-cause failure (CCF) in the programmable entities in the upgrade system. The acceptance criteria that relate to diversity are discussed in response to this RAI; those that relate to defense-in-depth are discussed in the response to RAI 9 provided in this attachment.

Diversity

NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems (Reference 2) Section 3.2, identifies and describes six types of diversity: design, equipment, functional, human, signal, and software. In cases where a diverse system is identified to respond in the absence of a response from PRNMS, the justification for evaluating the system as diverse is provided.

Description of Postulated CCF

A worst-case CCF in the PRNMS was postulated in order to perform the Diversity and Defense-in-Depth (D3) assessment. Rather than postulating individual CCFs in each of the programmable entities (((

{3}

))), a single CCF that completely impairs PRNMS was assumed. The postulated CCF in PRNMS was assumed to remain latent and non-detectable until the system is stressed by an event or accident, at which time all PRNMS outputs from all four channels are absent or incorrect. In other words, the system was assumed to:

- Provide no advance notice of trouble,
- Fail to provide the correct responses such as rod blocks and trips during a transient, and
- Provide misleading indications of plant parameters during the transient.

Different CCFs could have been postulated to occur in the 2-Out-Of-4 Logic Modules, or in the APRM instruments. Each of these scenarios is less severe than the worst-case CCF assumed. If a CCF occurs in the 2-Out-Of-4 Logic Modules, ((

{3}

))

If a CCF in only the APRM instrument occurs, ((

{3}

))

Additionally, CCFs in either the 2-Out-Of-4 Logic Modules or the APRM instruments ((

{3}

))

Based on this reasoning, GEH maintains that the postulated CCF is a very remote scenario.

Additionally, the NUMAC PRNMS has operated over 200 plant-years safely and reliably.

GEH is not aware of a single instance of a system that failed in this manner. Nevertheless, the single worst-case CCF in the PRNMS as described above was assumed.

Evaluation to BTP 7-19 Acceptance Criteria

Acceptance Criteria (1) and (2):

(1) For each anticipated operational occurrence in the design basis occurring in conjunction with each single postulated CCF, the plant response calculated using realistic assumptions (e.g., plant operating at normal power levels, temperatures, pressures, flows, normal alignments of equipment, etc.) analyses should not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary. The applicant/licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.

(2) For each postulated accident in the design basis occurring in conjunction with each single postulated CCF, the plant response calculated using realistic assumptions analyses should not result in radiation release exceeding the applicable siting dose guideline values, violation of the integrity of the primary coolant pressure boundary, or violation of the integrity of the containment (i.e., exceeding coolant system or containment design limits). The applicant/licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.

These first two criteria require an evaluation of each anticipated operational occurrence (AOO) and design basis accident (DBA), assuming the CCF in PRNMS occurs. The purpose of the evaluation is to ensure that sufficient diversity exists to allow the plant to cope with the events if they occur in conjunction with the postulated CCF. Table 8-1 lists each scenario from Chapter 15 of the Grand Gulf Updated Final Safety Analysis Report (Reference 3) and the credited trip response, if any. The right-most column contains the discussion or evaluation of the effect of the postulated CCF in PRNMS. The conclusion is that there are no events that lead to any threat to the specified limits.

Table 8-1

| UFSAR Section | Title | Credited Trip Signals | Evaluation/Discussion |
|---|---|---|---|
| 15.1.1 | Loss of Feedwater Heating | None | No impact from a PRNMS CCF. The analysis for the initial cycle credited scrams on thermal power and neutron flux, but the current analysis does not take credit for any PRNMS response. |
| 15.1.2 | Feedwater Controller Failure - Maximum Demand | High Water Level (L8) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.1.3 | Pressure Controller Failure - Open | MSIV Closure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.1.4 | Inadvertent Safety/Relief Valve Opening | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.1.5 | Spectrum of Steam System Piping Failures Inside and Outside of Containment in a PWR | None | NA to BWR plants. |
| 15.1.6 | Inadvertent RHR Shutdown Cooling Operation | None | No impact from a PRNMS CCF. The PRNMS is not credited in the analysis, but rather mentioned as the back-up to the primary protection, which is operator action. The event is applicable only during Startup or cool down operation, when Intermediate Range Monitor (IRM) also is in operation. The IRM is an analog system. Therefore, it is diverse from the digital PRNMS and not vulnerable to the postulated CCF. |
| 15.2.1 | Pressure Controller Failure - Closed | Neutron Flux, Vessel Dome Pressure | No impact from postulated CCF in PRNMS. This event is classified as an infrequent event. Even though Reference 1 does not require an evaluation for this category, an explanation is included because the event is retained in Chapter 15 of Reference 3. GEH performed a bounding analysis that demonstrates that if the neutron flux scram does not occur, the radiological consequence is within Acceptance Criterion (1). By applying a relaxed acceptance criterion that considers frequency, additional margin would result. |
| 15.2.2 | Generator Load Rejection (with Bypass System operational) | Power > 40% - Turbine Control Valve (TCV) Fast Closure; Power < 40% - None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.2 | Generator Load Rejection (with Bypass System failure) | Power > 40% - Turbine Control Valve (TCV) Fast Closure; Power < 40% - Vessel Dome Pressure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.3 | Turbine Trip (with Bypass System operational) | Power > 40% - Turbine Stop Valve Closure; Power < 40% - None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.3 | Turbine Trip (with Bypass System failure) | Power > 40% - Turbine Stop Valve Closure; Power < 40% - Vessel Dome Pressure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.4 | MSIV Closures - all valves | MSIV Closure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.4 | MSIV Closure - one valve | Neutron Flux, Vessel Dome Pressure | An automated response from diverse safety-related system exists if PRNMS fails to respond. The Vessel Dome Pressure scram signal is issued by an analog system. Therefore, it is diverse from the digital PRNMS and not vulnerable to the postulated CCF. |
| 15.2.5 | Loss of Condenser Vacuum | Turbine Stop Valve Closure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.6 | Loss of AC Power | Loss of RPS Power, Turbine Control Valve (TCV) Fast Closure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.7 | Loss of Feedwater Flow | Low Water Level (L3) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.8 | Feedwater Line Break | NA | NA - refer to 15.6.6. |
| 15.2.9 | Failure of RHR Shutdown Cooling | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.2.10 | Loss of Instrument Air System | Opening scram inlet and outlet valves | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.3.1 | Recirculation Pump Trip | 1 pump - None; 2 pumps - Reactor Water Level (L8), Turbine Stop Valve Closure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.3.2 | Recirculation Flow Control Failure - Decreasing Flow | 1 valve - None; 2 valves - Reactor Water Level (L8) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.3.3 | Recirculation Pump Seizure | During two loop operations (TLO) - Reactor Water Level (L8); During single loop operations (SLO) - None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.3.4 | Recirculation Pump Shaft Break | Reactor Water Level (L8) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.4.1 | Rod Withdrawal Error - Low Power | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.4.2 | Rod Withdrawal Error at Power | None | No impact from a PRNMS CCF. The analysis credits the Rod Pattern Controller System (RPCS), which is part of RC&IS, to block further withdrawal. The PRNMS provides inputs to the RC&IS, but none of them are required by the RPCS. Therefore, the PRNMS has no credited role in the event. |
| 15.4.3 | Control Rod Maloperation (System Malfunction or Operator Error) | NA | NA - refer to 15.4.1 and 15.4.2. |
| 15.4.4 | Abnormal Startup of Idle Recirculation Pump | None | No threat to applicable limits is posed by PRNMS CCF. No protection systems response is anticipated because the intent is to start the pump without a scram. Normal procedures prohibit starting the pump at a power level that would lead to automatic actions. Even if it were supposed that an operator error occurs and the pump is started when power is high enough for a neutron flux scram to occur during the flux spike, the analysis shows that the thermal power would rise more slowly and steady out at an acceptable higher level. |
| 15.4.5 | Recirculation Flow Control Failure with Increasing Flow | Slow Opening - None; Fast Opening - Neutron Flux | No threat to applicable limits is posed by PRNMS CCF. The failure affects only one loop at Grand Gulf because they operate only in loop manual. The slow opening of one recirculation flow control valve establishes the thermal limits basis for this event because the analysis process, which does not take credit for a scram during slow flow run-up, is designed to maximize the heat flux change. During a fast run-up event, a neutron flux scram may occur during the flux spike. If the scram is postulated to not occur, the heat flux after the event stabilizes would be similar to the slow run-up analysis, which imposes larger heat flux changes with no scram. |
| 15.4.6 | Chemical and Volume Control System Malfunctions | NA | NA for BWR. |
| 15.4.7 | Misplaced Bundle Accident | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.4.8 | Deleted | NA | NA |
| 15.4.9 | Control Rod Drop Accident (CRDA) | Neutron Flux | An automated response from a diverse safety-related system exists if PRNMS fails to respond. The CRDA analysis does not credit IRM for conservatism, but in reality, the IRM would terminate the event. The IRM is an analog system. Therefore it is diverse from the digital PRNMS, and not vulnerable to the postulated CCF. See the response to RAI 10 provided in this attachment for further discussion. |
| 15.5.1 | Inadvertent HPCS Startup | Reactor Water Level (L8) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.5.2 | Chemical Volume Control System Malfunction (or Operator Error) | NA | NA for BWR. |
| 15.5.3 | BWR Transients Which Increase Reactor Coolant Inventory | NA | Refer to 15.1 and 15.2. |
| 15.6.1 | Inadvertent Safety/Relief Valve Opening | NA | Refer to 15.1.4. |
| 15.6.2 | Failure of Small Lines Carrying Primary Coolant Outside Containment | NA | NA for Grand Gulf. |
| 15.6.3 | Steam Generator Tube Failure | NA | NA for BWR. |
| 15.6.4 | Steam System Piping Break Outside Containment | MSIV Closure | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.6.5 | Loss-of-Coolant Accidents (Resulting from Spectrum of Postulated Piping Breaks within the Reactor Coolant Pressure Boundary - Inside Containment) | Low Water Level (L3) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.6.6 | Feedwater Line Break-Outside Containment | Low Water Level (L3) | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.7.1 | Offgas System Leak or Failure | Manual | The analysis mentions that the underlying causes of the leak or failure (e.g., seismic event) could result in automatic trip signals, but not based on neutron flux. No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.7.2 | Radioactive Liquid Waste System Leak or Failure (Release to the Atmosphere) | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.7.3 | Postulated Radioactive Releases Due to Liquid Radwaste Tank Failure | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.7.4 | Fuel Handling Accident | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.7.5 | Spent Fuel Cask Drop Accidents | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |
| 15.8.1 | Capabilities of Present BWR 4/5/6 Design to Accommodate ATWS | None | No impact from postulated CCF because the analysis does not take credit for any PRNMS response. |

In conclusion, based on the evaluation presented in Table 8-1, the proposed upgrade satisfies Acceptance Criteria (1) and (2).

Undetected Power Oscillations

The OPRM plays an important role in the detection and suppression of power oscillations. The postulated CCF, assumed to result in comprehensive loss of PRNMS functionality, would also disable the OPRM. Although Reference 3 does not include power oscillations among the AOO or DBA, it is appropriate to discuss them. As discussed above, the postulated CCF in PRNMS results in the system providing valid indications of plant conditions until the transient, at which time they become anomalous. In the case of power oscillations, therefore, PRNMS indications of power and flow would track consistently with other plant indicators as they change to a state point where the potential exists for high growth-rate power oscillations (i.e., the upper left corner of the power/flow map), but somehow fail to provide any protection if large amplitude oscillations begin to occur. Nevertheless, even while maintaining the severity of the postulated CCF, the plant has the ability to cope with it in conjunction with power oscillations.

Grand Gulf procedures require immediate action to reduce reactor power or increase core flow in order to mitigate possible high growth-rate power oscillations following unanticipated core flow reduction events, such as a two-recirculation pump trip. The operators would know the state point because the status of recirculation pumps is provided independent of PRNMS, flow information is available from the recirculation flow system, and power level information is available from either the electrical power output or a core thermal power calculation.

Furthermore, the reactor recirculation flow system, Rod Control and Information System (RC&IS), and manual scram are unaffected by the CCF. Thus, the plant is able to cope with the CCF because the operators can determine that defensive steps are necessary and execute those steps.

Acceptance Criteria (3) through (5):

(3) When a failure of a common element or signal source shared by the control system and reactor trip system (RTS) is postulated and the CCF results in a plant response that requires reactor trip and also impairs the trip function, then diverse means that are not subject to or failed by the postulated failure should be provided to perform the RTS function. The diverse means should assure that the plant response calculated using realistic assumptions analyses does not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary.

(4) When a failure of a common element or signal source shared by the control system and ESFAS is postulated and the CCF results in a plant response that requires engineered safety features (ESF) and also impairs the ESF function, then diverse means that are not subject to or failed by the postulated failure should be provided to perform the ESF function. The diverse means should assure that the plant response calculated using realistic assumptions analyses does not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary.

(5) No failure of monitoring or display systems should influence the functioning of the RTS or ESFAS. If a plant monitoring system failure induces operators to attempt to operate the plant outside safety limits or in violation of the limiting conditions of operation, the analysis should demonstrate that such operator-induced transients will be compensated by protection system function.

These acceptance criteria require an assessment of interactions between different echelons, and are therefore related to defense-in-depth. Therefore, these evaluations are discussed in the response to RAI 9 provided in this attachment.

Acceptance Criterion (6):

(6) For safety systems to satisfy IEEE Std. 603-1991 Clauses 6.2 and 7.2, which are incorporated by reference in 10 CFR 50.55a(h), a safety-related means shall be provided in the control room to implement manual initiation at the division level of the RTS and ESFAS functions. The means provided shall minimize the number of discrete operator manual manipulations and shall depend on operation of a minimum of equipment. If the means is independent and diverse from the safety-related automatically initiated RTS and ESFAS functions, the design meets the system-level actuation criterion in Point 4 of this BTP. If credit is taken for a manual actuation method that meets both the IEEE Std. 603-1991, Clauses 6.2 and 7.2 requirements and a need for a diverse manual backup, then the applicant/licensee should demonstrate that the criteria are satisfied and sufficient diversity exists.

This criterion requires a safety-related means for manual initiation of the RTS and ESFAS functions.

This criterion is not applicable to the PRNMS upgrade. The evaluation performed for Acceptance Criteria (1) and (2) demonstrates that if a CCF occurs in PRNMS, the plant is able to cope without relying on a manual scram or ESF actuation. It is noted that the manual scram and ESF actuation are retained, if needed for other reasons, because they are totally separate from PRNMS and not affected by the proposed upgrade in any way.

Acceptance Criteria (7) through (9):

(7) If the D3 assessment reveals a potential for a CCF, then the method for accomplishing the independent and diverse means of actuating the protective safety functions can be accomplished via either an automated system (see Section 3.4, Use of Automation in Diverse Backup Safety Functions below), or manual operator actions that meet HFE acceptability criteria (see Section 3.5, Use of Manual Action in Diverse Backup Safety Functions below).

(8) If the D3 assessment reveals a potential for a CCF, then the method for accomplishing the independent and diverse means of actuating the protective safety functions should meet the following criteria: The independent and diverse means should be:

f) at the division level;
g) initiated from the control room;
h) capable of responding with sufficient time available for the operators to determine the need for protective actions even with malfunctioning indicators, if credited in the D3 coping analysis;
i) appropriate for the event;
j) supported by sufficient instrumentation that indicates:

1. the protective function is needed,
2. the safety-related automated system did not perform the protective function, and
3. the automated backup or manual action is successful in performing the safety function.

(9) If the D3 assessment reveals a potential for a CCF, then, in accordance with the augmented quality guidance for the independent and diverse backup system used to cope with a CCF, the design of a diverse automated or diverse manual backup actuation system should address how to minimize the potential for a spurious actuation of the protective system caused by the diverse system. Use of design techniques (for example: redundancy, conservative setpoint selection, and use of quality components) to mitigate these concerns is recommended.

These criteria require evaluations of the methods for accomplishing the independent and diverse means of actuating the protective safety function when the D3 analysis reveals the potential for a CCF.

The NUMAC platform is not present in any part of RTS except the PRNMS, and is not present in the ESFAS. Their designs are not affected by the proposed upgrade, and these systems are not vulnerable to the postulated CCF in PRNMS. Therefore, Acceptance Criteria (8) and (9) are not applicable to the PRNMS upgrade.

Summary and Conclusion

The proposed PRNMS upgrade was evaluated using the acceptance criteria provided in Reference 1. The response to this RAI addresses Acceptance Criteria (1) and (2), and (6) through (9). Criteria (3) through (5) are evaluated in the response to RAI 9 provided in this attachment. Taken together, it was determined that sufficient diversity exists and defense-in-depth is not adversely affected by the upgrade, so that the plant has the ability to cope with any CCF in PRNMS.

References

1. NRC Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, (ADAMS Accession No. ML093490771).
2. NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, (ADAMS Accession No. ML071790509).
3. Grand Gulf Updated Final Safety Analysis Report.

NRC RAI 9

Describe in detail how the upgrade addresses common-cause programming failures that could adversely affect multiple echelons of defense to demonstrate that either the digital upgrade maintains the plant within its design basis or that the plant has the ability to cope with any vulnerability to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.

The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #3's response in Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) did not demonstrate the Acceptance Criteria identified in BTP 7-19 were satisfied but only identified diversity provided through other sensor inputs into RPS, and did not indicate whether defense-in-depth is also maintained. The response did not address whether the NUMAC platform is relied upon for echelons of defense other than the RPS (i.e., Control, Engineered Safety Features Actuation, and Monitoring and Indicators).

No analysis was provided that addressed potential common-cause programming failures of each programmable entity (microprocessor and PLD) to defeat different echelons of defense.

Response

Overview

The upgrade was evaluated using the acceptance criteria identified in NRC Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems (Reference 1). It was determined that the plant has the ability to cope with any potential common cause failure (CCF) in the programmable entities that exist in the upgrade system. The acceptance criteria that relate to defense-in-depth are discussed in response to this RAI, and those that relate to diversity are discussed in response to RAI 8 provided in this attachment.

Defense in Depth

Reference 1, Section 1.1 and NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems (Reference 2), Section 2.2 identify and describe four echelons of defense, which are specific applications of the principle of defense-in-depth to the arrangement of instrumentation and control systems attached to a nuclear reactor for the purpose of operating the reactor or shutting it down and cooling it.

The four echelons of defense that are identified, and their applicability to Grand Gulf, are as follows.

(1) Control System - consists of (usually) non-safety equipment that is used in the normal operation of a nuclear power plant (NPP) and routinely prevents operations in unsafe regimes of NPP operations. The Grand Gulf control system fits this definition. Part of this echelon is PRNMS, which provides inputs to the Rod Control and Information System (RC&IS).

(2) Reactor Trip System (RTS) - consists of safety equipment designed to reduce reactivity rapidly in response to an uncontrolled excursion. The Grand Gulf safety equipment collectively referred to as the Reactor Protection System (RPS) fits this definition. PRNMS is one of the sensor systems in this echelon. The other equipment, as well as the actuation system, are not affected by the upgrade.

(3) Engineered Safety Features Actuation System (ESFAS) - consists of safety equipment that removes heat or otherwise assists in maintaining the integrity of the three physical barriers to radioactive release. The Grand Gulf ESFAS complies with this definition. The PRNMS does not interface with this echelon.

(4) Monitoring and Indicators - consists of sensors, displays, data communication systems, and manual controls required by operators to respond to NPP operating events. The Grand Gulf display and other instrumentation systems fit this definition. The PRNMS provides inputs to this echelon (e.g., annunciators) but does not receive any signals from this echelon.

It is of particular importance to ensure that no single CCF can disable more than one echelon.

Description of Postulated CCF

A CCF in PRNMS was postulated in order to perform the Diversity and Defense-in-Depth (D3) assessment. Rather than postulating individual CCFs in each of the programmable entities {3} (( )), a single CCF that completely impairs the PRNMS was used. Also, the CCF in PRNMS was assumed to remain latent and non-detectable until the system is stressed by an event or accident, at which time all of the PRNMS outputs, from all four channels, are absent or incorrect. As discussed in more detail in the response to RAI 8, a CCF isolated in one PRNMS device would be less severe than the single CCF that was assumed.

Evaluation of BTP 7-14 Acceptance Criteria

Acceptance Criteria (1) and (2):

(1) For each anticipated operational occurrence in the design basis occurring in conjunction with each single postulated CCF, the plant response calculated using realistic assumptions (e.g., plant operating at normal power levels, temperatures, pressures, flows, normal alignments of equipment, etc.) analyses should not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary. The applicant/licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.

(2) For each postulated accident in the design basis occurring in conjunction with each single postulated CCF, the plant response calculated using realistic assumptions analyses should not result in radiation release exceeding the applicable siting dose guideline values, violation of the integrity of the primary coolant pressure boundary, or violation of the integrity of the containment (i.e., exceeding coolant system or containment design limits). The applicant/licensee should (1) demonstrate that sufficient diversity exists to achieve these goals, (2) identify the vulnerabilities discovered and the corrective actions taken, or (3) identify the vulnerabilities discovered and provide a documented basis that justifies taking no action.

These first two criteria require an evaluation of each anticipated operational occurrence (AOO) and design basis accident (DBA), assuming the CCF in PRNMS occurs. The purpose of the evaluation is to ensure that sufficient diversity exists to allow the plant to cope with the events if they occur in conjunction with the postulated CCF. This evaluation is discussed in the response to RAI #8.

Acceptance Criterion (3):

(3) When a failure of a common element or signal source shared by the control system and RTS is postulated and the CCF results in a plant response that requires reactor trip and also impairs the trip function, then diverse means that are not subject to or failed by the postulated failure should be provided to perform the RTS function. The diverse means should assure that the plant response calculated using realistic assumptions analyses does not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary.

This criterion requires an evaluation of potential interaction between the Control System and RTS echelons when a postulated CCF results in a plant response that requires a reactor trip and also impairs the trip function. PRNMS is not used for automatic control of plant operations, so if the postulated CCF occurs, it will not result in a plant response that requires a reactor trip. Therefore, the type of CCF described in this criterion cannot occur in the upgrade system. Acceptance Criterion (3) is satisfied.

Acceptance Criterion (4):

(4) When a failure of a common element or signal source shared by the control system and ESFAS is postulated and the CCF results in a plant response that requires engineered safety features (ESF) and also impairs the ESF function, then diverse means that are not subject to or failed by the postulated failure should be provided to perform the ESF function. The diverse means should assure that the plant response calculated using realistic assumptions analyses does not result in radiation release exceeding 10 percent of the applicable siting dose guideline values or violation of the integrity of the primary coolant pressure boundary.

This criterion requires an evaluation of potential interactions between the Control System and ESFAS echelons when a postulated CCF results in a plant response that requires an ESF response and also impairs ESF function. PRNMS is not used for automatic control of plant operations, so if the postulated CCF occurs, it will not result in a plant response that requires an ESF response. Furthermore, neither the existing nor replacement PRNMS interface with the ESFAS. Therefore, the type of CCF described in this criterion cannot occur in the upgrade system. Acceptance Criterion (4) is satisfied.

Acceptance Criterion (5):

(5) No failure of monitoring or display systems should influence the functioning of the RTS or ESFAS. If a plant monitoring system failure induces operators to attempt to operate the plant outside safety limits or in violation of the limiting conditions of operation, the analysis should demonstrate that such operator-induced transients will be compensated by protection system function.

This criterion requires that a failure in the monitoring and display echelon will not adversely affect the RTS or ESFAS echelons. PRNMS does not rely on or receive any input from the monitoring and display echelon; therefore, a failure in the monitoring and display systems will not propagate to PRNMS. If the failure in the monitoring and display system results in an operator-induced transient, the automatic protective functions of PRNMS are available for compensation. Acceptance Criterion (5) is satisfied.

Acceptance Criterion (6):

(6) For safety systems to satisfy IEEE Std. 603-1991 Clauses 6.2 and 7.2, which are incorporated by reference in 10 CFR 50.55a(h), a safety-related means shall be provided in the control room to implement manual initiation at the division level of the RTS and ESFAS functions. The means provided shall minimize the number of discrete operator manual manipulations and shall depend on operation of a minimum of equipment. If the means is independent and diverse from the safety-related automatically initiated RTS and ESFAS functions, the design meets the system-level actuation criterion in Point 4 of this BTP. If credit is taken for a manual actuation method that meets both the IEEE Std. 603-1991, Clauses 6.2 and 7.2 requirements and a need for a diverse manual backup, then the applicant/licensee should demonstrate that the criteria are satisfied and sufficient diversity exists.

This criterion requires a safety-related means for manual initiation of the RTS and ESFAS functions. As discussed in RAI 8, the plant retains the ability to initiate these functions because they are separate from PRNMS.

Acceptance Criteria (7) through (9):

(7) If the D3 assessment reveals a potential for a CCF, then the method for accomplishing the independent and diverse means of actuating the protective safety functions can be accomplished via either an automated system (see Section 3.4, Use of Automation in Diverse Backup Safety Functions below), or manual operator actions that meet HFE acceptability criteria (see Section 3.5, Use of Manual Action in Diverse Backup Safety Functions below.)

(8) If the D3 assessment reveals a potential for a CCF, then the method for accomplishing the independent and diverse means of actuating the protective safety functions should meet the following criteria: The independent and diverse means should be:

a) at the division level;
b) initiated from the control room;
c) capable of responding with sufficient time available for the operators to determine the need for protective actions even with malfunctioning indicators, if credited in the D3 coping analysis;
d) appropriate for the event;
e) supported by sufficient instrumentation that indicates:

1. the protective function is needed,
2. the safety-related automated system did not perform the protective function, and
3. the automated backup or manual action is successful in performing the safety function.

(9) If the D3 assessment reveals a potential for a CCF, then, in accordance with the augmented quality guidance for the independent and diverse backup system used to cope with a CCF, the design of a diverse automated or diverse manual backup actuation system should address how to minimize the potential for a spurious actuation of the protective system caused by the diverse system. Use of design techniques (for example: redundancy, conservative setpoint selection, and use of quality components) to mitigate these concerns is recommended.

Criteria (7) through (9) require evaluations relating to diversity of back-up systems; therefore, these criteria are evaluated in the response to RAI 8.

Summary and Conclusion

The proposed upgrade was evaluated using the acceptance criteria provided in BTP 7-19. The response to this RAI addresses Acceptance Criteria (3) through (5). Acceptance Criteria (1), (2), and (6) through (9) are evaluated in the response to RAI 8. Taken together, it was determined that sufficient redundancy and diversity exists so that the plant has the ability to cope with any CCF in PRNMS.

References

1. NRC Branch Technical Position (BTP) 7-19, Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems, (ADAMS Accession No. ML093490771).
2. NUREG/CR-6303, Method for Performing Diversity and Defense-in-Depth Analyses of Reactor Protection Systems, (ADAMS Accession No. ML071790509).

NRC RAI 10

Application of the PRNMS LTR requires its failure analysis conclusions be confirmed by the utility through a confirmation that the events defined in EPRI Report No. NP-2230 or Appendices F and G of NEDC-30851 P-A encompass the events (i.e. bound the complete set) that are analyzed for the plant.

Describe in detail the confirmation of the failure analysis, including consideration of common-cause programming failures, to address all events that are analyzed for the plant.

The following further clarifies the rationale for this RAI but does not include additional information requests. The staff could not determine how RAI #3's response in Attachment 1 to GNRO-2010/00051 (ML102150028) addressed Grand Gulf Nuclear Station (GGNS) Final Safety Analysis Report, as Updated (UFSAR) Section 15.2.4 for Partial MSIV Closure as defined in Appendix G. RAI #3's response did not correlate the Other Events of Appendix G (Reference 11 of the PRNM LTR) to APRM/OPRM functions (similar to Table F-1 in to GNRO-2010/00051). The staff could not determine how RAI #3's response addressed Control Rod drop accident in GGNS UFSAR 15.4.9, 15.4.9.2.3 and 15A.6-35 for which a documented potential radioactive release consequence is identified and the PRNMS provides a role.

Response

The responses to RAIs 8 and 9 provided in this attachment address the evaluation of digital upgrade failures, including common-cause programming failures, their potential impact on safety functions, and the ability of the plant to cope with any resulting vulnerabilities. The response to RAI 8 addresses common-cause failures from a diversity perspective while RAI 9 addresses such failures from a defense-in-depth perspective.

The following information supplements the response to RAI 3 in Attachment 1 to Entergy letter GNRO-2010/00051 (ML102150028) (Reference 1) to provide additional clarifying information that confirms the failure analysis conclusions as required in Section 6.6 of GE Licensing Topical Report (LTR) NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function (Reference 2).

Table 10-1 correlates the events analyzed for GGNS identified and described in UFSAR Chapter 15 with the events identified in Appendices F and G of GE Licensing Topical Report NEDC-30851P-A, Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation (Reference 3).

TABLE 10-1 CORRELATION OF GGNS UFSAR CHAPTER 15 ACCIDENTS WITH NEDC-30851P-A EVENTS

| GGNS UFSAR Section | Accident | NEDC-30851P-A Appendix F Event | NEDC-30851P-A Appendix G Event | Comments |
|---|---|---|---|---|
| 15.1 | DECREASE IN REACTOR COOLANT TEMPERATURE | | | |
| 15.1.1 | Loss of Feedwater Heating | N/A | Loss of One Feedwater Heater | Accident analysis takes no credit for a scram. |
| 15.1.2 | Feedwater Controller Failure - Maximum Demand | Feedwater Control Failure (High Reactor Water Level) | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.1.3 | Pressure Control Failure - Open | Pressure Regulator Failure (Primary Pressure Decrease) (MSIV Closure Trip); Pressure Regulator Failure (Primary Pressure Decrease) (Level 8 Trip)4 | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.1.4 | Inadvertent Safety/Relief Valve Opening | N/A | Inadvertent Opening of One Safety/Relief Valve | Accident analysis takes no credit for a PRNMS scram. |
| 15.1.5 | Spectrum of Steam System Piping Failures Inside and Outside of Containment in a PWR | N/A | N/A | This event is not applicable to GGNS. |
| 15.1.6 | Inadvertent RHR Shutdown Cooling Operation | N/A | Inadvertent RHR Shutdown Cooling Operations | Accident analysis takes no credit for a PRNMS scram. |
| 15.2 | INCREASE IN REACTOR PRESSURE | | | |
| 15.2.1 | Pressure Controller Failure - Closed | Pressure Regulator Failure (Primary Pressure Increase) | N/A | Accident analysis credits a scram from either high reactor vessel dome pressure or high neutron flux. |
| 15.2.2 | Generator Load Rejection5 | Generator Trip (with Bypass) | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.2.3 | Turbine Trip2 | Turbine Trip (with Bypass) | N/A | Accident analysis takes no credit for a PRNMS scram. |

4 GGNS is not specifically analyzed for this event. GEH 10 CFR Part 21 Communication SC05-03, Potential to Exceed Low Pressure Technical Specification Safety Limit, documents that reactor vessel level swell resulting from a Pressure Regulator Failure - Maximum Demand (Open) may not be sufficient to cause a high reactor water level scram. Therefore, this event is bounded by the Pressure Regulator Failure (Primary Pressure Decrease) (MSIV Closure Trip) event.

5 GGNS is analyzed for this event both with and without bypass capability.

| GGNS UFSAR Section | Accident | NEDC-30851P-A Appendix F Event | NEDC-30851P-A Appendix G Event | Comments |
|---|---|---|---|---|
| 15.2.4 | MSIV Closure - all valves | MSIV Closure | | Accident analysis takes no credit for a PRNMS scram. |
| | MSIV Closure - one valve | | Inadvertent Closure of One MSIV; Partial MSIV Closure | Accident analysis states a scram from either high reactor vessel dome pressure or high neutron flux may result at power levels > 80%. See Item (1), below, for more information. |
| 15.2.5 | Loss of Condenser Vacuum | Loss of Condenser Vacuum | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.2.6 | Loss of AC Power | Loss of AC Power (Loss of Grid Connections); Loss of AC Power (Loss of Transformer) | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.2.7 | Loss of Feedwater Flow | Feedwater Flow Control Failure (Low Reactor Water Level) | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.2.8 | Feedwater Line Break | N/A | N/A | Refer to 15.6.6. Accident analysis takes no credit for a PRNMS scram. |
| 15.2.9 | Failure of RHR Shutdown Cooling | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.2.10 | Loss of Instrument Air System | N/A | Loss of Instrument Air | Accident analysis takes no credit for a PRNMS scram. |
| 15.3 | DECREASE IN REACTOR COOLANT SYSTEM FLOW RATE | | | |
| 15.3.1 | Recirculation Pump Trip | N/A | Recirculation Pump Trip (One or Two Pumps) | Accident analysis takes no credit for a PRNMS scram. |
| 15.3.2 | Recirculation Pump Flow Control Failure - Decreasing Flow | N/A | Recirculation Flow Control Failure (Decreasing Flow) | Accident analysis takes no credit for a PRNMS scram. |
| 15.3.3 | Recirculation Pump Seizure | N/A | Recirculation Pump Seizure | Accident analysis takes no credit for a PRNMS scram. |
| 15.3.4 | Recirculation Pump Shaft Break | N/A | Recirculation Pump Trip (One or Two Pumps) | Accident analysis takes no credit for a PRNMS scram. |
| 15.4 | REACTIVITY AND POWER DISTRIBUTION ANOMALIES | | | |
| 15.4.1 | Rod Withdrawal Error - Low Power | N/A | Rod Withdrawal Error from 0% to 100% Power; High Flux due to Rod Withdrawal at Startup | Accident analysis takes no credit for a scram. |
| 15.4.2 | Rod Withdrawal Error at Power | N/A | Rod Withdrawal Error from 0% to 100% Power; Rod Withdrawal at Power | Accident analysis takes no credit for a scram. |
| 15.4.3 | Control Rod Maloperation (System Malfunction or Operator Error) | N/A | Inadvertent Insertion of Control Rods | Accident analysis takes no credit for a scram. |
| 15.4.4 | Abnormal Startup of Idle Recirculation Pump | N/A | Start of Idle Recirculation Pump Between 60% and 65% Power | Accident analysis takes no credit for a scram. |
| 15.4.5 | Recirculation Flow Control Failure with Increasing Flow | N/A | Recirculation Flow Control Failure (Increasing Flow) | Analysis of this type of event is based on slow recirculation flow run-out to establish MCPRf where credit for a scram is not taken. During a flow control valve fast opening event, a high neutron flux scram may occur. |
| 15.4.6 | Chemical and Volume Control System Malfunctions | N/A | N/A | This event is not applicable to GGNS. |
| 15.4.7 | Misplaced Bundle Accident | N/A | N/A | Accident analysis takes no credit for a scram. |
| 15.4.8 | Deleted | N/A | N/A | |
| 15.4.9 | Control Rod Drop Accident (CRDA) | N/A | N/A | For conservatism, the accident analysis credits a PRNMS scram, but in reality, the Intermediate Range Monitor (IRM) would terminate the event. See Item (3), below, for more information. |
| 15.5 | INCREASE IN REACTOR COOLANT INVENTORY | | | |
| 15.5.1 | Inadvertent HPCS Startup | N/A | Inadvertent Startup of HPCI/HPCS | Accident analysis takes no credit for a PRNMS scram. |
| 15.5.2 | Chemical Volume Control System Malfunction (or Operator Error) | N/A | N/A | This event is not applicable to GGNS. |
| 15.5.3 | BWR Transients Which Increase Reactor Coolant Inventory | Feedwater Control Failure (High Reactor Water Level); Pressure Regulator Failure (Primary Pressure Decrease) (MSIV Closure Trip); Pressure Regulator Failure (Primary Pressure Decrease) (Level 8 Trip); Pressure Regulator Failure (Primary Pressure Increase); Generator Trip (with Bypass); Turbine Trip (with Bypass); MSIV Closure; Loss of Condenser Vacuum; Feedwater Flow Control Failure (Low Reactor Water Level) | Loss of One Feedwater Heater; Inadvertent Opening of One Safety/Relief Valve; Inadvertent RHR Shutdown Cooling Operations; Inadvertent Closure of One MSIV; Partial MSIV Closure; Loss of Instrument Air | These events are covered in UFSAR Sections 15.1 and 15.2; see the above entries for application of PRNMS, if any, to each event. |
| 15.6 | DECREASE IN REACTOR COOLANT INVENTORY | | | |
| 15.6.1 | Inadvertent Safety/Relief Valve Opening | N/A | Inadvertent Opening of One Safety/Relief Valve | This event is covered in UFSAR Section 15.1.4. Accident analysis takes no credit for a PRNMS scram. |
| 15.6.2 | Failure of Small Lines Carrying Primary Coolant Outside Containment | N/A | N/A | This event is not applicable to GGNS. |
| 15.6.3 | Steam Generator Tube Failure | N/A | N/A | This event is not applicable to GGNS. |
| 15.6.4 | Steam System Piping Break Outside Containment | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.6.5 | Loss-of-Coolant Accidents (Resulting from Spectrum of Postulated Piping Breaks Within the Reactor Coolant Pressure Boundary - Inside Containment) | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.6.6 | Feedwater Line Break - Outside Containment | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.7 | RADIOACTIVITY RELEASE FROM A SUBSYSTEM AND COMPONENT | | | |
| 15.7.1 | Offgas System Leak or Failure | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.7.2 | Radioactive Liquid Waste System Leak or Failure (Release to the Atmosphere) | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.7.3 | Postulated Radioactive Releases Due to Liquid Radwaste Tank Failure | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.7.4 | Fuel Handling Accident | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |
| 15.7.5 | Spent Fuel Cask Drop Accidents | N/A | N/A | Accident analysis takes no credit for a PRNMS scram. |

15.8 ANTICIPATED TRANSIENT WITHOUT SCRAM (ATWS) 15.8.1 Capabilities of Present N/A N/A Accident analysis BWR 4/5/6 Design to takes no credit for a Accommodate ATWS PRNMS scram.

As indicated in Table 10-1 above, the events analyzed for GGNS that utilize PRNMS are addressed in Appendices F and G, except for the CRDA. The evaluation for the CRDA is provided in Item (3), below.

Each of the existing APRM units of the GGNS Neutron Monitoring System (NMS) provides a single trip output to the Reactor Protection System (RPS). Replacing the APRM subsystem with PRNMS does not change or alter the design of RPS; hence, the diversity among the plant systems that provide inputs into RPS (e.g., reactor dome pressure, reactor water level) remains unaffected. Of the sensor inputs into RPS, only PRNMS utilizes the GE NUMAC platform. Therefore, no common-cause failure, either hardware- or software-related, exists that could disable or adversely impact the ability of RPS to perform its function.

The following discussions provide additional information.

(1) The staff could not determine how RAI #3's response in Attachment 1 to GNRO-2010/00051 (ML102150028) addressed Grand Gulf Nuclear Station (GGNS) Final Safety Analysis Report, as Updated (UFSAR) Section 15.2.4 for Partial MSIV Closure as defined in Appendix G.

Appendix G, "Treatment of Other Events," of Reference 3 identifies events that are so mild that the scram setpoint is not reached, safety limits are not violated, or immediate scram response is not required. It also states that further analysis of the listed events is judged to be unnecessary since the major events modeled provide a bounding analysis, which is provided in Appendix F.

Appendix G identifies two events associated with MSIV closure: a Partial MSIV Closure event and an Inadvertent Closure of One MSIV event. Neither is specifically defined or described in the appendix. These events are bounded by the more severe MSIV Closure event identified in Appendix F.

The GGNS UFSAR doesn't specifically discuss partial MSIV closure; however, UFSAR Sections 15.2.4.1.2.2, 15.2.4.2.2.2, and 15.2.4.3.3.2 discuss closure of one MSIV.

Section 15.2.4.2.2.2 states that a closure of one MSIV at any given time does not initiate a reactor scram since the valve position scram trip logic is designed to accommodate single valve operation and testing during normal reactor operation. Partially closing one MSIV is performed during TS surveillance testing by closing the valve to less than or equal to 7% closed (i.e., SRs 3.3.1.1.8, 3.3.1.1.12, 3.3.1.1.13, and 3.3.1.1.15). If for any reason the valve would continue to close, the event would then be classified as closure of one MSIV. Fully closing one MSIV is also performed during TS surveillance testing to ensure valve closure time is within specifications (i.e., SR 3.6.1.3.6). The consequences of partially closing one MSIV are bounded by the MSIV events discussed in UFSAR Section 15.2.4.

Therefore, for the GGNS design, it is reasonable to correlate closure of one MSIV discussed in the UFSAR Section 15.2.4 with the Inadvertent Closure of One MSIV event and the Partial MSIV Closure event identified in Appendix G.

(2) RAI #3's response did not correlate the "Other Events" of Appendix G (Reference 11 of the PRNM LTR) to APRM/OPRM functions (similar to Table F-1 in Attachment 1 to GNRO-2010/00051).

Appendix G states in part:

These events are so mild that the scram setpoint is not reached, safety limits are not violated or immediate scram response is not required.

Therefore, Appendix G does not contain a table similar to Table F-1 correlating the APRM/OPRM scram functions to the events since there are none.

(3) The staff could not determine how RAI #3's response addressed Control Rod Drop Accident in GGNS UFSAR 15.4.9, 15.4.9.2.3 and 15A.6-35 for which a documented potential radioactive release consequence is identified and the PRNMS provides a role.

The events described in the GGNS UFSAR Chapter 15 that have a documented potential radioactive release consequence but were not specifically addressed in the response to RAI 3 provided in Attachment 1 to Reference 1 are:

- Feedwater Line Break (UFSAR Sections 15.2.8 and 15.6.6)
- Failure of RHR Shutdown Cooling (UFSAR Section 15.2.9)
- Control Rod Drop Accident (CRDA) (UFSAR Section 15.4.9)

The analyses for the Feedwater Line Break and the Failure of RHR Shutdown Cooling do not rely upon PRNMS to terminate these events.

The CRDA, as analyzed and reported in GGNS UFSAR Section 15.4.9, takes a conservative approach in that the event is terminated with a scram initiated by the APRM Fixed Neutron Flux - High trip function. The purpose of this approach is to provide a bounding analysis for the CRDA with the assumption that the reactor is operating in Mode 1, RUN, with no credit given for moderator feedback and minimal credit for the Doppler coefficient feedback (see footnote 6).

However, the consequences of a CRDA are most severe in terms of fuel enthalpy increases during lower reactor power conditions in which the reactor is operating in Mode 2, STARTUP. While in Mode 2, rather than the APRM Fixed Neutron Flux - High trip function, the APRM Neutron Flux - High, Setdown and the Intermediate Range Monitor (IRM) Neutron Flux - High trip functions are required to be operable.

The IRM subsystem of the NMS, described in UFSAR Section 7.6.1.5.4, is separate from the current APRM subsystem and is not impacted by the PRNMS upgrade.

Footnote 6: The Doppler coefficient is another name used for the "fuel temperature coefficient of reactivity," or the change in reactivity per degree of change in the temperature of nuclear fuel. The Doppler coefficient is the physical property of fuel pellet material (uranium-238) that causes the uranium to absorb more neutrons away from the fission process as fuel pellet temperature increases. This acts to stabilize power reactor operations.

((

{3}

)) Therefore, for a realistic CRDA scenario, a postulated common-cause failure in the software of the PRNMS preventing the scram from either the APRM Fixed Neutron Flux - High function or the APRM Neutron Flux - High, Setdown function would not affect the initiation of a scram from IRM Neutron Flux - High function.

The consequences of a postulated CRDA are limited through the use of Banked Position Withdrawal Sequence (BPWS) to restrict static control blade worth to less than 1.0% ΔK during the range of rod withdrawals affected by a CRDA (see Reference 5). As discussed in GGNS UFSAR Section 4.3.2.5.2, the BPWS assures that fuel failures (if any) are localized and result in no significant challenge to the dose limits. For GGNS, the BPWS is enforced by the dual channel Rod Pattern Controller (RPC) that is independent of PRNMS. Refer to the response to RAI 11 in Attachment 1 to Entergy letter GNRO-2011/00032 (ML111230756) (Reference 6) for additional information on the RPC and its independence from PRNMS.

In realistic 3D evaluations for the limiting CRDA scenarios (Reference 7), the presence or absence of a scram is irrelevant since the impact of the scram occurs too late to have an impact on the calculated peak fuel enthalpy that is dominated by Doppler coefficient feedback and moderator feedback (non-adiabatic calculation). CRDA scenarios starting at higher temperatures and higher powers, where neither the IRM Neutron Flux - High nor the APRM Neutron Flux - High, Setdown function is present, are less limiting with respect to the calculated peak fuel enthalpy because, in addition to Doppler coefficient feedback, the increased generation of voids in the reactor core provides a significant negative feedback mechanism so that crediting the scram is not required (see Figures 10-1, 10-2, and 10-3 taken from Reference 7). The moderator feedback is also more effective in reducing the reactivity increase during higher power conditions.

In conclusion, based on the information above, a CRDA may be terminated by:

- The APRM Fixed Neutron Flux - High trip function
- The IRM Neutron Flux - High trip function, or
- Moderator feedback and Doppler coefficient feedback.

Therefore, a postulated common-cause failure of PRNMS would not adversely affect plant protection during a CRDA.

References

1. Entergy Letter GNRO-2010/00051, Responses to NRC Request for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), July 29, 2010 (ADAMS Accession No. ML102150028)
2. GE Licensing Topical Report NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Volumes 1 and 2, and Supplement 1
3. GE Licensing Topical Report NEDC-30851P-A, Technical Specification Improvement Analysis for BWR Control Rod Block Instrumentation, June 1986
4. GE Licensing Topical Report NEDE-24011P-A-17-US, General Electric Standard Application for Reactor Fuel (GESTAR II), September 2010
5. C. J. Paone, Banked Position Withdrawal Sequence, January 1977 (NEDO-21231) and Letter from O. D. Parr (USNRC) to G. G. Sherwood (GE), Topical Report - NEDO-21231, "Banked Position Withdrawal Sequence," January 18, 1978
6. Entergy Letter GNRO-2011/00032, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), May 3, 2011 (ADAMS Accession No. ML111230756)
7. GE November 9, 2006 Presentation Slides, provided at NRC Public Workshop on Interim Reactivity-initiated Accidents Criteria, November 9, 2006 (Meeting Summary - ADAMS Accession Number ML063260310; Slides - ADAMS Accession Number ML063190108)

Figure 10-1 Power Response for Realistic CRDA Analysis

Figure 10-2 Dynamic Reactivity Responses for Realistic CRDA Analysis

Figure 10-3 Total Enthalpy Responses for Realistic CRDA Analysis

NRC RAI 14

For the inter-divisional communications interface between 2-out-of-4 voter channels, further describe in detail:

a) any function that the programmed PLD performs in support of these communications;

b) If this inter-divisional communications exists and a common programmed PLD is involved in all four divisions, then include an additional evaluation of this interface to satisfy BTP 7-19 or to determine that the proposed approach is an acceptable alternative. Otherwise the detail may justify why the criteria does not apply.

The following further clarifies the rationale for this RAI but does not include additional information requests. The replacement Figure E.2.1 of Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438) does not identify direct 2-out-of-4 voter inter-divisional communications; however, DI&C-ISG-04 matrix response item #75 states that "The voter using hardware logic sends a fiber-optic signal to the other divisions." Also, the original Figure E.2.1 showed SELF TEST DATA & BYPASS STATUS DATA from each 2-out-of-4 voter to its division's APRMs, where the APRM could then feed back its status to all four voters. However, the replacement figure neither depicts this signal flow nor other inter-divisional communications between 2-out-of-4 voters. Therefore, it is unclear whether 1) the SELF TEST DATA & BYPASS STATUS DATA interface still exists or 2) inter-divisional communications between 2-out-of-4 voters exist.

Response

This response follows the convention of other responses in that the term division is used only with respect to the Reactor Protection System (RPS). The term channel is used in all other cases.

(a) For the inter-channel communications interface between 2-Out-Of-4 logic modules (voter channels), programmable logic device (PLD) U11 supports the APRM channel bypass signal communications that are unidirectional from each 2-Out-Of-4 logic module to all of the other 2-Out-Of-4 logic modules. These are the only inter-channel communication interfaces between 2-Out-Of-4 logic modules. Refer to Figure 14-1.

The inter-channel interfaces receive simple pulse stream signals indicating the status of the APRM bypass switch. With the system functioning normally, either no channels or one channel can be bypassed; therefore there is at most one pulse stream signal.

((

{3}

))

(b) ((

{3}

))

The responses to RAIs 8 and 9 provided in this attachment show that the PRNMS upgrade meets the BTP 7-19 acceptance criteria when postulating a common-cause failure (CCF) in PRNMS. In those evaluations, a comprehensive CCF was postulated, without providing specific details and without discriminating between programmable entities. In the response to this RAI, more specific potential CCFs related to the bypass signal in the 2-out-of-4 logic module are considered, and the more limited impact is described.

Failures that prevent a valid bypass from being detected are not considered because this is a conservative fail-safe state. Table 14-1 postulates common-cause failures in which a bypass on one or more channels is incorrectly applied. Only CCFs related to the bypass signal are evaluated.

Table 14-1

((

{3}

))

In summary, a CCF in U11 such that a channel is incorrectly bypassed does not prevent trips.

A CCF in U11 that results in multiple channels bypassed forces U21 to ignore bypasses. A CCF of U21 that causes multiple channels to be bypassed is detected by the APRM. It is concluded that failures related to the bypass signal processing either do not prevent trips or are detectable by the APRM.
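The bypass argument summarized above can be checked exhaustively on a small model. The following is an added example, not GEH or Entergy code: it assumes a bypassed channel is simply removed from a two-vote count, all function names are hypothetical, and it does not represent U11, U21 or the APRM detection path individually because that detail is withheld on this page.

```python
"""Toy model of 2-out-of-4 trip voting with bypass validation (added example).

Assumptions, not taken from the PRNMS design documents: a bypassed channel is
removed from the vote, two votes are required, and all names are hypothetical.
"""
from itertools import product

CHANNELS = 4
VOTES_REQUIRED = 2


def effective_bypass(bypass):
    """Return the bypass pattern the voter acts on.

    Normal operation allows zero or one bypassed channel. More than one
    asserted bypass is treated as a fault and every bypass is ignored.
    """
    if sum(bypass) > 1:
        return (False,) * len(bypass)
    return tuple(bypass)


def voter_trips(trips, bypass):
    """Voter with the validity check: count trips from non-bypassed channels."""
    accepted = effective_bypass(bypass)
    votes = sum(1 for t, b in zip(trips, accepted) if t and not b)
    return votes >= VOTES_REQUIRED


def unchecked_voter_trips(trips, bypass):
    """Weak variant for contrast: honours whatever bypass pattern it receives."""
    votes = sum(1 for t, b in zip(trips, bypass) if t and not b)
    return votes >= VOTES_REQUIRED


def defeating_patterns(voter):
    """List bypass patterns that suppress the trip when all channels demand it."""
    demand = (True,) * CHANNELS
    return [
        pattern
        for pattern in product((False, True), repeat=CHANNELS)
        if not voter(demand, pattern)
    ]


if __name__ == "__main__":
    for name, voter in (("checked", voter_trips),
                        ("unchecked", unchecked_voter_trips)):
        bad = defeating_patterns(voter)
        print(f"{name}: {len(bad)} of {2 ** CHANNELS} bypass patterns defeat the trip")
        for pattern in bad:
            print("   bypassed channels:",
                  [i + 1 for i, b in enumerate(pattern) if b])
```

In this model the checked voter trips for every one of the 16 possible bypass patterns, while the unchecked variant is defeated whenever three or four channels are spuriously bypassed.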

((

{3}

))

Figure 14-1

((

{3}

))

Figure 14-2

NRC RAI 18

Staff Positions 1.19 and 1.20 of DI&C-ISG-04 address the potential impact of data throughput and data error rates on worst-case response time.

Describe in detail the testing performed to ensure proper performance of all safety functions to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.

The following further clarifies the rationale for this RAI but does not include additional information requests. The RAI response DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, items 64 and 65, did not address throughput and error rates observed through design and qualification testing on system response time calculations.

Response

Supporting Information:

((

{3}

))

Staff Position 1.19:

If data rates exceed the capacity of a communications link or the ability of nodes to handle traffic, the system will suffer congestion. All links and nodes should have sufficient capacity to support all functions. The applicant should identify the true data rate, including overhead, to ensure that communication bandwidth is sufficient to ensure proper performance of all safety functions. Communications throughput thresholds and safety system sensitivity to communications throughput issues should be confirmed by testing.

The following response explains how PRNMS satisfies the criteria of Staff Position 1.19. This response:

- Discusses the features used to ensure sufficient link capacity,
- Identifies link capacity, and
- Details testing performed to ensure communication links have sufficient capacity to ensure proper performance of safety functions.

((

{3}

))

Table 18-1 FDDI Link Capacity Usage

((

{3}

))

((

{3}

))

Based on the above information, the PRNMS system communication link features, capacity usage information, and testing described in the response satisfy the criteria of Staff Position 1.19.

Staff Position 1.20:

The safety system response time calculations should assume a data error rate that is greater than or equal to the design basis error rate and is supported by the error rate observed in design and qualification testing.

The following response explains how PRNMS satisfies the criteria of Staff Position 1.20. ((

{3}

))

Table 18-2 Data Error Rate Impact to PRNM System Response Time

((

{3}

))

((

{3}

))

Table 18-3 Maximum Expected PRNMS Response Time

((

{3}

))

((

{3}

))

The data error rate for each safety-related communication link was established and used to determine the impact of data errors on safety system response time. The established data error rates are supported by testing during the development of PRNMS. Therefore, the criteria of Staff Position 1.20 are met.

NRC RAI 19

Staff Position on Command Prioritization of DI&C-ISG-04 could apply to the 2-out-of-4 voter design if the same 2-out-of-4 voter (or a common design) is used to process any of the following in addition to the PRNMS trips:

d) the diverse actuation signals in addition to those generated by the PRNMS (i.e. those diverse trips associated with RAI 3 in Attachment 1 to GNRO-2010/00051); or

e) the Manual Trips signal; or

f) the future diverse automatic trip required to enable DSS-CD function.

Describe the plant's intended use of the PRNMS 2-out-of-4 voter design to satisfy the above criteria or to determine the proposed approach is an acceptable alternative and include justification, as applicable, that evaluates criteria within DI&C-ISG-02 and BTP 7-19.

The following further clarifies the rationale for this RAI but does not include additional information requests. The RAI response DI&C-ISG-04 compliance matrix in Attachment 3 to GNRO-2010/00040, item 71, to Staff Position on Command Prioritization of DI&C-ISG-04 mentions diverse systems but does not state that they are not input to a NUMAC platform-based 2-out-of-4 voter.

Response

As noted in the DI&C-ISG-04 compliance matrix, Item 69, provided in the response to RAI 4 in to Entergy letter GNRO-2010/00040 (Reference 1), ((

{3}

)) The diversity of signals and processes within the PRNMS design, as discussed below, when integrated with the existing GGNS design, provides a level of diversity that exceeds or is equivalent to the GGNS existing licensing basis.

It should be noted that the response to RAI 8 provided in this attachment provides a detailed discussion of the effects of a comprehensive common-cause failure (CCF) postulated in PRNMS. The response here is specific to processes related to the RAI questions. The discussion on DSS-CD addresses the failures within the APRM instrument. Complete failure of PRNMS, including for stability protection, is addressed in the response to RAI 8.

Responses to each specific question are as follows:

d) As noted in the response to RAI 3 in Attachment 1 to Entergy letter GNRO-2010/00051 (Reference 2), ((

{3}

)) All other trip signals to RPS by the other sensors are unchanged.

((

{3}

))

As discussed in the response to RAI 3 in Attachment 1 to Entergy letter GNRO-2010/00035 (Reference 3) and also in the response to RAI 4 provided in this attachment, GGNS will not enable the DSS-CD algorithm trip at this time. ((

{3}

)) Therefore, the following discussion regarding DSS-CD reflects system attributes that are not yet realized at GGNS.

((

{3}

))

In summary, for compliance with DI&C-ISG-02 and BTP 7-19, the defense-in-depth and diversity requirements are unchanged from the current plant design for the transients and accident events evaluated in Chapter 15 of the GGNS FSAR (Reference 4). The existing PRM signals are diverse from other sensor signals input to the RPS. The new PRNMS maintains the same RPS configuration and the PRNMS (including 2-Out-Of-4 voter outputs) signals are also diverse from other sensor signals that input into RPS, including manual scram trips. See the responses to RAIs 8, 9, and 10 provided in this attachment for further discussion on defense-in-depth and diversity.

((

{3}

)) Therefore, the level of diversity and defense-in-depth are maintained with the implementation of PRNMS at GGNS.

References

1. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010/00040, dated June 3, 2010 (ADAMS Accession No. ML101790436).
2. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010/00051, dated July 29, 2010 (ADAMS Accession No. ML102150028).
3. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010-00035, dated May 18, 2010 (ADAMS Accession No. ML101410094).
4. Grand Gulf Updated Final Safety Analysis Report.

NRC RAI 20

NUREG-0800, SRP, BTP 7-21, "Guidance on Digital Computer Real-Time Performance" (ADAMS Accession No. ML070550070), provides the NRC staff guidance for reviewing the performance of a digital safety system and contains the acceptance criteria for Limiting Response time as follows: "Limiting response times should be shown to be consistent with safety requirements (e.g., suppress power oscillations, prevent fuel design limits from being exceeded, prevent a non-coolable core geometry). Setpoint analyses and limiting response times should also be shown to be consistent. These limiting response times must be acceptable to the organizations responsible for reactor systems, electrical systems, and plant systems before acceptance as a basis for timing requirements."

Describe in detail the performance of the replacement system to demonstrate that its real-time performance and response time is adequate. The response should include identification of the response time performance start and end event(s) and the instrument's response time performance relationship to the safety analyses to satisfy the above criteria or to determine the proposed approach is an acceptable alternative.

The following further clarifies the rationale for this RAI but does not include additional information requests. RAI #2's response in Table 2-2 of Attachment 1 to GNRO-2010/00051 (ADAMS Accession No. ML102150028) contains performance values for PRNMS Performance and RPS Requirement without clearly identifying the start and end event(s) of the response time performance requirement(s). The relationships among the RPS Requirement, the PRNMS Requirement, and the safety analyses are not described. The staff understands that response times associated with PRNMS APRM/OPRM generated trips include LPRM sensing through 2/4 logic outputs to the RPS. The information associated with system response time of digital upgrades is defined in Enclosure B of the ISG for the Licensing Process of Digital Instrumentation & Controls, Digital I&C-ISG-06, (ADAMS Accession No. ML110140103) for System Response Time Confirmation Report.

Response

Introduction

This response describes the Power Range Neutron Monitoring System (PRNMS) response time in support of the four safety-related trip signals. As defined by Section 3.3.2 of GE Nuclear Licensing Topical Report (LTR) NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function (Reference 1), the safety functions of the PRNMS are:

- APRM Neutron Flux - High Trip
- APRM Simulated Thermal Power (STP) - High Trip
- APRM Neutron Flux - High (Setdown) Trip
- OPRM Instability Detect-and-Suppress Trip

The GGNS PRNMS uses the Oscillation Power Range Monitor (OPRM) Defense-In-Depth Algorithm (DIDA) to comprise the LTR-defined OPRM Instability Detect-and-Suppress Trip.

OPRM DIDA consists of the OPRM Option III algorithms described in Section 3.3 of Reference 1, which is the licensing basis for the GGNS NUMAC PRNMS.

The following discussion demonstrates that the replacement system's real-time performance is adequate to meet the limiting response time requirements, per the criteria of BTP 7-21.

Real-Time Performance Methodology

The instrument response time performance determination for PRNMS is performed by tracking the signal flow from the LPRM input at PRNMS, through the LPRM and APRM instruments, ending at the 2-Out-Of-4 Logic Module's Relay Logic Card output to the Reactor Protection System (RPS), and calculating the design goal processing time delay for each step of the signal transfer process. Figure 20-1 provides a block diagram for a single APRM channel.

Response Time Start and End Events

The LPRM detector input exceeding the respective setpoint is the start event of the NUMAC PRNMS response time, while the Relay Logic Card module trip signal to RPS is the end event for response time determination.

Response Time Performance

Table 20-1 provides a tabulation of the PRNMS instrument processing delay times associated with supporting each of the safety functions identified above.

Table 20-1

APRM Neutron Flux - High Trip, APRM Neutron Flux High - High (Setdown) Trip & APRM STP - High Trip
Processing Step | Time (msec)

((

{3}

))

OPRM DIDA Trip
Processing Step | Time (msec)

((

{3}

))

The total channel response (delay) time for the safety functions is calculated by applying the methodology as described above. The longest path of flux data for inclusion in the channel calculations is at the input of the LPRM instrument, processing through the APRM instrument, then output from the 2-Out-Of-4 Logic Module. ((

{3}

))

Table 20-2 provides a summary of the PRNMS response time requirements (per Section 3.3.2 of Reference 1) and the calculated PRNMS response times (per Table 20-1).

This is the total delay time for PRNMS to send a trip signal to RPS in response to a flux input that exceeds the setpoint.

Table 20-2 Safety Function Response Times

| PRNM Safety Function | PRNM Response Time Requirement (msec) | PRNM Calculated Response Time (msec) |
|---|---|---|
| APRM Neutron Flux - High Trip | 40 | (( {3} )) |
| APRM STP - High Trip | 40 | (( {3} )) |
| APRM Neutron Flux - High (Setdown) Trip | 40 | (( {3} )) |
| OPRM Instability Detect-and-Suppress Trip | 400 | (( {3} )) |

Tests are performed during the PRNMS System Validation and the Factory Acceptance Test to confirm the Grand Gulf PRNMS system configuration meets the response time requirement. Testing is performed on production (non-development) equipment manufactured in accordance with the Grand Gulf design documentation.

During equipment qualification, various alarms and trips are input to the system with response monitored. This is done after each qualification test is performed to ensure the equipment is operating satisfactorily when subject to environmental extremes. The software functions that perform the safety functions are continually running during normal operation to support alarm and trip processing. Therefore, the NUMAC PRNMS meets the safety function response time requirement within the full range of the qualified environmental envelope.

In summary, the calculated PRNMS response times presented above in Table 20-2 meet the requirement of a response time analysis report as stated in Section D.9.2.4 of DI&C-ISG-06.

Confirmation of response time is performed during verification and validation testing.

RPS Response Time Requirement

As identified in Table 2-2 of the response to RAI 2 in Attachment 1 to Entergy letter GNRO-2010/00051 (Reference 2), the RPS response time requirement for the APRM Fixed Neutron Flux - High and the APRM Flow Biased Simulated Thermal Power - High scram functions is 0.09 second. The 0.09-second RPS response time for these functions is consistent with the total RPS response time used in the transient analysis for the Grand Gulf UFSAR (Reference 3) Chapter 15 Accident Analyses (see Section 15.0.3.3.2). Chapter 15 does not credit OPRM functions in the transient analyses so its response time is not discussed in the context of total RPS response time.

Section 7.2.1.1.4.3 of Reference 3 states the following with regards to RPS response time:

The system response from the opening of a sensor contact up to and including the opening of the trip actuator contacts, is less than 50 milliseconds.

The sensor contact for the NUMAC PRNM system is the RPS Relay Logic Card contacts in the 2-Out-Of-4 Logic Module. The 40-millisecond response time of NUMAC PRNMS plus the 50-millisecond RPS response time support the 90-millisecond total RPS response time requirement assumed in the Reference 3 safety analyses. This is the same response time requirement for the current APRM system at GGNS.

In summary, the response time for PRNMS has been shown by analysis and testing to be less than the required response times; thus, PRNMS performs sufficiently to meet safety analysis requirements. There is no change in the total RPS response time requirement; therefore, there is no change in setpoint analyses for the GGNS NUMAC PRNMS due to response time. The NUMAC PRNMS response time is adequate to meet the Limiting Response Time of RPS consistent with the guidance provided in NUREG-0800 and BTP 7-21.

References

1. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October, 1995.
2. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010/00051, dated July 29, 2010 (ADAMS Accession No. MLXX).
3. Grand Gulf Updated Final Safety Analysis Report.


((

{3}

))

Figure 20-1

NRC RAI 27

10 CFR Part 50 Appendix A identifies General Design Criterion 23--Protection system failure modes. This criterion states that "The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced." Furthermore, while allowing for an exception, IEEE 603-1991 Clause 6.7 states that the "Capability of a safety system to accomplish its safety function shall be retained while sense and command features equipment is in maintenance bypass. During such operation, the sense and command features shall continue to meet the requirements of 5.1 and 6.3."

Describe in detail the 2-out-of-4 logic modification sufficient to satisfy the above criteria.

This description should:

a) fully explain the logic's behavior, eliminate apparent inconsistencies (e.g. conditions that will produce a SCRAM request to the RPS, fail safe states, etc.) and justify why the proposal produces acceptable voter logic;

b) explain for each required channel availability of APRM functions whether the LCOs and SRs (and associated logic tests) distinguish (or need to distinguish) this unique loss of power condition, and if so to what degree;

c) provide justification to support the modification as acceptable in terms of the surveillance requirements, tests, and intervals.

Sufficiently describe each of the following in the information provided:

a) why the modification to Paragraph 5.3.2.3 states unequivocally that a SCRAM will occur on total loss of UPS power, where Paragraph 5.3.2.6 indicates that no SCRAM will result upon a loss of power to the division's UPS bus and that one trip from the other division is required to SCRAM;

b) the meaning of "All PRNM equipment operating on the UPS buses is designed to fail safe on loss of power;"

c) whether the as described loss of power constitutes the loss of 2 channels, so that the LCO is not met for Modes 1, 2 or 3, which represents all Modes where a minimum of 3 channels are required for some type of APRM trip (excluding the 2-Out-of-4 Voter as contained in Table 3.3.1.1-1 and identified as the "Required Channels per Trip System" of "3.");

d) the adequacy of the proposed approach to satisfy General Design Criterion 23 above;

e) the adequacy of the proposed approach to satisfy IEEE 603-1991 Clause 6.7 above;

f) the modifications to LTR Paragraph 5.3.8.1 to clarify and identify 1) the power supplies whose loss results in an INOP condition, 2) what defines the "safe condition," 3) how the trip "safe condition" is known to result from the loss of input power and not another form of concurrent/common-cause failure, and 4) how the determination method is reliable and independently made by each 2-out-of-4 voter.

The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 6's response describes a 2-out-of-4 logic modification in paragraph 5.3.2.3 in Attachment 6 to GNRO-2010/00040 (ADAMS Accession No. ML101790438).

However, the description appears inconsistent with other information and is not accompanied by statements to justify it as satisfying the above criteria.

Response

Previous submittals described Entergy's original intent to implement voting logic for BWR/6 plants with only one AC power source to the APRM channel as described in GE Nuclear Licensing Topical Report (LTR) NEDC-32410P-A, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, (Reference 1). That approach has since been reevaluated and it has been determined that the GGNS 120 VAC Class 1E Uninterruptible Power System (UPS) described in Section 8.3.1.1.4.1.4 of the GGNS UFSAR (Reference 2) provides sufficient protection against the loss of a single power bus. Because the UPS provides protection, the special BWR/6 voting logic that was designed to compensate for loss of a single AC bus that would cause loss of signal from two APRM channels is not required at GGNS. As such, GGNS will implement the voting logic as described in the base LTR report (Reference 3).

This is the same voting logic that has been implemented with all previous PRNM applications.

Because GGNS will use the original voting logic described in Reference 3, this RAI response does not address the questions above pertaining to the special BWR/6 voting logic described in Reference 1, as that logic will not be used for the GGNS application. Instead, this RAI response provides clarification to Reference 3 to describe the GGNS application using the original voting logic described in Reference 3.

Consequently, portions of the response to RAI 6 in Attachment 6 to Entergy letter GNRO-2010/00040 (Reference 4) for LTR Sections 5.3.2.3, 5.3.2.6, 5.3.8.1, 5.3.8.2, 5.3.17.1, Figure E.2.2, and Figure E.5.6 are rescinded and replaced by the following:

5.3.2.3 Two-Out-Of-Four Logic Module

(1) 2-Out-Of-4 Voting Logic and Interface for APRM/OPRM Outputs to the RPS

Modify the fourth paragraph under subheading (1) to indicate that power for the voting logic is provided by the UPS. Clarify the GGNS voting logic by deleting the 7th paragraph (ahead of the last paragraph) under subheading (1) that was added by supplement 1 to the base report.

((


{3}

))

5.3.2.6 Quad Low Voltage Power Supply Chassis

Modify the second, third and fourth paragraphs of the base report as follows to reflect the GGNS configuration (additions shown in italics and deletions shown as strikethrough):

((

{3}

))

5.3.8.1 Loss of Input Power

Clarify the treatment of AC power input for GGNS of the base report by adding a new second paragraph and modifying the first, third and fourth paragraphs as follows (additions shown in italics and deletions shown as strikethrough):

((


{3}

))

5.3.8.2 Abnormal Conditions Leading to Inoperative Status

Clarify the GGNS configuration of the base report by deleting "and RBM" in the first sentence and by deleting the note that was added at the end of the section by supplement 1 to the base report.

((

{3}

))

5.3.17.1 Input Power Supplies

Clarify the GGNS configuration of the base report by amending the subsection as follows (additions shown in italics, deletions shown as strikethrough):

((


{3}

))

Figures E.2.2 and E.5.6 are attached.

References

1. GE Nuclear Licensing Topical Report NEDC-32410P-A, Supplement 1, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, November 1997
2. Grand Gulf Updated Final Safety Analysis Report
3. NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, October, 1995
4. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010/00040, June 3, 2010 (ADAMS Accession No. ML101790436)

((

{3}

))

Figure E.2.2 - Replacement APRM / RPS Interface Block Diagram, Grand Gulf

((

{3}

))

Figure E.5.6 - Replacement Configuration, Grand Gulf

NRC RAI 28

10 CFR Part 50 Appendix A identifies General Design Criterion 21--Protection system reliability and testability. This criterion states in part that the protection system shall be designed for high functional reliability.

Describe in detail the analysis performed to ensure that the conclusions of Section 5.3.14 in NEDC-32410P-A dated October 1995 remain valid and satisfy the above criterion.

The following further clarifies the rationale for this RAI but does not include additional information requests. RAI 8's response in Attachment 1 to GNRO-2010/00064 (ADAMS Accession No. ML102810307) does not demonstrate that the analysis has been performed to reaffirm the conclusion of Section 6.0 in NEDC-32410P-A Supplement 1 dated November 1997. RAI 8's response does not address the potential of failures of non-safety equipment that may adversely affect the availability of the APRM to perform its safety function. The Mean Time Between Failures (MTBF) are less conservative than those originally identified in the LTR. Servicing a failed item that the licensee has identified as not supporting the safety function (e.g. PCI, Display) has not been discussed in either the LTR or RAI 8's response to assess any potential impact that repair of new or modified equipment may have on the availability of the safety function.

Response

The conclusions stated in Sections 5.3.14 and 6.0 of GE Nuclear Licensing Topical Report NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Volumes 1 and 2 (Reference 1) as modified by Supplement 1 (Reference 2) remain valid for the Grand Gulf Nuclear Station (GGNS) Power Range Neutron Monitoring System (PRNMS) modification.

As stated in Section 6.5 of Reference 1, the PRNMS modification results in no increase in overall unavailability of the APRM trip functions, and as such, no overall increase in the Reactor Protection System (RPS) failure frequency. The 10 CFR 50 Appendix A, Criterion 21 -- Protection system reliability and testability, is, therefore, satisfied by the BWR-6 PRNM modification.

The analysis that follows provides the basis for concluding that Sections 5.3.14 and 6.0 of References 1 and 2 remain valid for the GGNS PRNMS. Specifically, the analysis contains an evaluation of impact of the PRNM modification on the reliability and availability of the APRM critical system functions and overall RPS failure frequency.

The analysis methodology is consistent with that described in Section 6.0 of References 1 and 2. ((


{3}

))


((

PRNMS Functional Block Diagram Figure 28-1

((


{3}

))

((

{3}

))

22. ((


{3}

))


((


((


{3}

))


{3}

))

((


{3}

))

((


((


{3}

))


{3}

))

Because the replacement PRNMS provides equal or better unavailability at the RPS trip level for the APRM trips relative to the current PRM system, the PRNMS modification results in no increase in overall unavailability in the RPS failure frequency. Therefore, the conclusions stated in Section 6.5 of Reference 1 are valid, and 10 CFR 50 Appendix A, Criterion 21 - Protection system reliability and testability is satisfied following installation of the GGNS PRNMS modification.

References

1. GE Nuclear Licensing Topical Report NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Volumes 1 and 2, October 1995
2. GE Nuclear Licensing Topical Report NEDC-32410P-A, Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Supplement 1, November 1997
3. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Request for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-201/00038, dated May 16, 2011 (ADAMS Accession No. ML102810307)
4. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Response to NRC Request for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010/00064, dated September 29, 2010 (ADAMS Accession No. ML102810307)
5. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Response to NRC Request for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2010/00070, dated December 14, 2010 (ADAMS Accession No. ML103490095)
6. Technical Specification Improvement Analysis for BWR Reactor Protection System, Licensing Topical Report Supplement 1, GE Nuclear Energy, NEDC-30581P-A, March 1988
7. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, License Amendment Request - Power Range Neutron Monitoring System Upgrade, GNRO-2009/00054, dated November 3, 2009 (ADAMS Accession No. ML093140463)

NRC RAI 29

Similar to RAI 28) above, the licensee is requested to explain whether either PCI or 2-out-of-4 voter unavailability can adversely impact the availability of any RC&IS safety function - see earlier RAIs 11) and 13) that reference GGNS UFSAR Section 7.7.1.2.1.3 and the signals shown in Figure E.2.1 of Attachment 6 to GNRO-2010/00040, and ask the licensee to explain whether the RC&IS has a safety function.

Response

Unavailability of the Power Range Neutron Monitoring System (PRNMS) PRNM Communication Interface (PCI) or 2-Out-Of-4 Logic Module (Voter) does not adversely impact the availability of the Rod Control and Information System (RC&IS) functions classified as required for safety in Section 7.7.1.2.1.3 of the Grand Gulf Nuclear Station (GGNS) UFSAR (Reference 1).

As documented in the GGNS UFSAR (Reference 1, Section 7.7.1.2.1.3), RC&IS is an operational system with certain safety functions. As discussed in UFSAR Section 7.6.1.7, the Rod Pattern Controller (RPC) is a safety-related subsystem of RC&IS that reduces the consequences of the postulated rod drop accident to an acceptable level by restricting control rod patterns. RC&IS does not include any of the circuitry or devices used to automatically or manually trip the reactor. Certain portions of RC&IS pertaining to rod blocks and pattern control are, however, classified as required for safety. The RPC instrumentation and Rod Action Control Subsystem (RACS) of RC&IS perform the rod pattern control and rod block functions. The replacement PRNMS does not alter the current design of the GGNS RC&IS equipment, including the RPC and RACS.

((


{3}

))

Conclusion

No changes are made to the RC&IS equipment, including the RPC and RACS, as part of the PRNMS modification. The PRNMS equipment (including the PCI and 2-Out-Of-4 Logic Module) does not support, nor does it provide, any inputs to RC&IS used to perform the RC&IS functions classified as required for safety in the GGNS UFSAR (Reference 1). The PCI of PRNMS does not provide any inputs to RC&IS required for the rod pattern control function. ((

{3}

))

Based upon PRNMS and RC&IS design, PRNMS cannot adversely impact RC&IS functions classified as required for safety in the GGNS UFSAR. Based upon the predicted unavailability of PRNMS, installation of the PRNMS modification does not adversely impact the availability of other RC&IS functions.

References

1. Entergy Grand Gulf Nuclear Station Updated Final Safety Analysis Report (UFSAR), dated August 2009, Sections 7.6.1.7 and 7.7.1.2.1.3.
2. M. A. Krupa (Entergy Operations Inc.) to U.S. Nuclear Regulatory Commission Document Control Desk, Responses to NRC Requests for Additional Information Pertaining to License Amendment Request for Power Range Neutron Monitoring System (TAC No. ME2531), GNRO-2011/00032, dated May 3, 2011.
3. Schematic Diagram, C51 Power Range Neutron Monitoring System, RCIS Outputs, Entergy Drawing No. E-1172-56 Rev 2 (GE Drawing Number 828E530BA Rev 16, Sheet 53).
4. Power Range Neutron Monitoring System Elementary Drawing, 105E1503WA Revision 6, Sheet 25.

ATTACHMENT 3 GNRO-2011/00039 GEH AFFIDAVIT SUPPORTING PROPRIETARY INFORMATION PROVIDED IN ATTACHMENT 1

GE Hitachi Nuclear Energy Americas LLC

AFFIDAVIT

I, James F. Harrison, state as follows:

(1) I am the Vice President, Fuel Licensing, Regulatory Affairs, GE-Hitachi Nuclear Energy Americas LLC (GEH), and have been delegated the function of reviewing the information described in paragraph (2) which is sought to be withheld, and have been authorized to apply for its withholding.

(2) The information sought to be withheld is contained in Enclosure 1 of GEH letter, GG-PRNM-168777-EC134, NRC Instrumentation and Controls Branch RAIs 1, 2, 8, 9, 10, 14, 18, 19, 20, 27, 28, & 29, dated May 19, 2011. The GEH proprietary information in Enclosure 1, which is entitled GEH Responses to GGNS NRC I&CB RAIs 1, 2, 8, 9, 10, 14, 18, 19, 20, 27, 28, & 29 is identified by a dark red dotted underline inside double square brackets. ((This sentence is an example.{3})) Large figures containing GEH proprietary information are identified with double square brackets before and after the object. In each case, the superscript notation {3} refers to Paragraph (3) of this affidavit, which provides the basis for the proprietary determination.

(3) In making this application for withholding of proprietary information of which it is the owner or licensee, GEH relies upon the exemption from disclosure set forth in the Freedom of Information Act (FOIA), 5 USC Sec. 552(b)(4), and the Trade Secrets Act, 18 USC Sec. 1905, and NRC regulations 10 CFR 9.17(a)(4), and 2.390(a)(4) for trade secrets (Exemption 4). The material for which exemption from disclosure is here sought also qualifies under the narrower definition of trade secret, within the meanings assigned to those terms for purposes of FOIA Exemption 4 in, respectively, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F2d 871 (DC Cir. 1992), and Public Citizen Health Research Group v. FDA, 704 F2d 1280 (DC Cir. 1983).

(4) The information sought to be withheld is considered to be proprietary for the reasons set forth in paragraphs (4)a. and (4)b. Some examples of categories of information that fit into the definition of proprietary information are:

a. Information that discloses a process, method, or apparatus, including supporting data and analyses, where prevention of its use by GEH's competitors without license from GEH constitutes a competitive economic advantage over other companies;
b. Information that, if used by a competitor, would reduce their expenditure of resources or improve their competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product;
c. Information that reveals aspects of past, present, or future GEH customer-funded development plans and programs, resulting in potential products to GEH;

d. Information that discloses trade secret and/or potentially patentable subject matter for which it may be desirable to obtain patent protection.

(5) To address 10 CFR 2.390(b)(4), the information sought to be withheld is being submitted to NRC in confidence. The information is of a sort customarily held in confidence by GEH, and is in fact so held. The information sought to be withheld has, to the best of my knowledge and belief, consistently been held in confidence by GEH, not been disclosed publicly, and not been made available in public sources. All disclosures to third parties, including any required transmittals to the NRC, have been made, or must be made, pursuant to regulatory provisions or proprietary and/or confidentiality agreements that provide for maintaining the information in confidence. The initial designation of this information as proprietary information, and the subsequent steps taken to prevent its unauthorized disclosure, are as set forth in the following paragraphs (6) and (7).

(6) Initial approval of proprietary treatment of a document is made by the manager of the originating component, who is the person most likely to be acquainted with the value and sensitivity of the information in relation to industry knowledge, or who is the person most likely to be subject to the terms under which it was licensed to GEH. Access to such documents within GEH is limited to a need to know basis.

(7) The procedure for approval of external release of such a document typically requires review by the staff manager, project manager, principal scientist, or other equivalent authority for technical content, competitive effect, and determination of the accuracy of the proprietary designation. Disclosures outside GEH are limited to regulatory bodies, customers, and potential customers, and their agents, suppliers, and licensees, and others with a legitimate need for the information, and then only in accordance with appropriate regulatory provisions or proprietary and/or confidentiality agreements.

(8) The information identified in paragraph (2), above, is classified as proprietary because it contains detailed GEH design information of the instrumentation and control equipment used in the design and analysis of the power range neutron monitoring system for the GEH Boiling Water Reactor (BWR). Development of these methods, techniques, and information and their application for the design, modification, and analyses methodologies and processes was achieved at a significant cost to GEH.

The development of the evaluation processes along with the interpretation and application of the analytical results is derived from the extensive experience databases that constitute a major GEH asset.

(9) Public disclosure of the information sought to be withheld is likely to cause substantial harm to GEH's competitive position and foreclose or reduce the availability of profit-making opportunities. The information is part of GEH's comprehensive BWR safety and technology base, and its commercial value extends beyond the original development cost.

The value of the technology base goes beyond the extensive physical database and analytical methodology and includes development of the expertise to determine and apply the appropriate evaluation process. In addition, the technology base includes the value derived from providing analyses done with NRC-approved methods.

The research, development, engineering, analytical and NRC review costs comprise a substantial investment of time and money by GEH. The precise value of the expertise to devise an evaluation process and apply the correct analytical methodology is difficult to quantify, but it clearly is substantial. GEH's competitive advantage will be lost if its competitors are able to use the results of the GEH experience to normalize or verify their own process or if they are able to claim an equivalent understanding by demonstrating that they can arrive at the same or similar conclusions.

The value of this information to GEH would be lost if the information were disclosed to the public. Making such information available to competitors without their having been required to undertake a similar expenditure of resources would unfairly provide competitors with a windfall, and deprive GEH of the opportunity to exercise its competitive advantage to seek an adequate return on its large investment in developing and obtaining these very valuable analytical tools.

I declare under penalty of perjury that the foregoing affidavit and the matters stated therein are true and correct to the best of my knowledge, information, and belief.

Executed on this 19th day of May 2011.

James F. Harrison
Vice President, Fuel Licensing, Regulatory Affairs
GE Hitachi Nuclear Energy Americas LLC

ATTACHMENT 4 GNRO-2011/00039 GEH AFFIDAVIT SUPPORTING PROPRIETARY INFORMATION PROVIDED IN ENCLOSURE 1 OF ATTACHMENT 1

GE Hitachi Nuclear Energy Americas LLC

AFFIDAVIT

I, James F. Harrison, state as follows:

(1) I am the Vice President, Fuel Licensing, Regulatory Affairs, GE-Hitachi Nuclear Energy Americas LLC (GEH), and have been delegated the function of reviewing the information described in paragraph (2) which is sought to be withheld, and have been authorized to apply for its withholding.

(2) The information sought to be withheld is contained in Enclosure 4 of GEH letter, GG-PRNM-168777-EC134, NRC Instrumentation and Controls Branch RAIs 1, 2, 8, 9, 10, 14, 18, 19, 20, 27, 28, & 29, dated May 19, 2011. The GEH proprietary information in Enclosure 4, which is entitled GEH References to GGNS NRC I&CB RAI 1, is Proprietary in its entirety. The header on each page in this enclosure carries the notation GEH Proprietary Information-Class III (Confidential){3}. In each case, the notation {3} refers to Paragraph (3) of this affidavit, which provides the basis for the proprietary determination.

(3) In making this application for withholding of proprietary information of which it is the owner or licensee, GEH relies upon the exemption from disclosure set forth in the Freedom of Information Act (FOIA), 5 USC Sec. 552(b)(4), and the Trade Secrets Act, 18 USC Sec. 1905, and NRC regulations 10 CFR 9.17(a)(4), and 2.390(a)(4) for trade secrets (Exemption 4). The material for which exemption from disclosure is here sought also qualifies under the narrower definition of trade secret, within the meanings assigned to those terms for purposes of FOIA Exemption 4 in, respectively, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F2d 871 (DC Cir. 1992), and Public Citizen Health Research Group v. FDA, 704 F2d 1280 (DC Cir. 1983).

(4) The information sought to be withheld is considered to be proprietary for the reasons set forth in paragraphs (4)a. and (4)b. Some examples of categories of information that fit into the definition of proprietary information are:

a. Information that discloses a process, method, or apparatus, including supporting data and analyses, where prevention of its use by GEH's competitors without license from GEH constitutes a competitive economic advantage over other companies;
b. Information that, if used by a competitor, would reduce their expenditure of resources or improve their competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing of a similar product;
c. Information that reveals aspects of past, present, or future GEH customer-funded development plans and programs, resulting in potential products to GEH;

d. Information that discloses trade secret and/or potentially patentable subject matter for which it may be desirable to obtain patent protection.

(5) To address 10 CFR 2.390(b)(4), the information sought to be withheld is being submitted to NRC in confidence. The information is of a sort customarily held in confidence by GEH, and is in fact so held. The information sought to be withheld has, to the best of my knowledge and belief, consistently been held in confidence by GEH, not been disclosed publicly, and not been made available in public sources. All disclosures to third parties, including any required transmittals to the NRC, have been made, or must be made, pursuant to regulatory provisions or proprietary and/or confidentiality agreements that provide for maintaining the information in confidence. The initial designation of this information as proprietary information, and the subsequent steps taken to prevent its unauthorized disclosure, are as set forth in the following paragraphs (6) and (7).

(6) Initial approval of proprietary treatment of a document is made by the manager of the originating component, who is the person most likely to be acquainted with the value and sensitivity of the information in relation to industry knowledge, or who is the person most likely to be subject to the terms under which it was licensed to GEH. Access to such documents within GEH is limited to a need to know basis.

(7) The procedure for approval of external release of such a document typically requires review by the staff manager, project manager, principal scientist, or other equivalent authority for technical content, competitive effect, and determination of the accuracy of the proprietary designation. Disclosures outside GEH are limited to regulatory bodies, customers, and potential customers, and their agents, suppliers, and licensees, and others with a legitimate need for the information, and then only in accordance with appropriate regulatory provisions or proprietary and/or confidentiality agreements.

(8) The information identified in paragraph (2), above, is classified as proprietary because it contains detailed GEH design information of the instrumentation and control equipment used in the design and analysis of the power range neutron monitoring system for the GEH Boiling Water Reactor (BWR). Development of these methods, techniques, and information and their application for the design, modification, and analyses methodologies and processes was achieved at a significant cost to GEH.

The development of the evaluation processes along with the interpretation and application of the analytical results is derived from the extensive experience databases that constitute a major GEH asset.

(9) Public disclosure of the information sought to be withheld is likely to cause substantial harm to GEH's competitive position and foreclose or reduce the availability of profit-making opportunities. The information is part of GEH's comprehensive BWR safety and technology base, and its commercial value extends beyond the original development cost.

The value of the technology base goes beyond the extensive physical database and analytical methodology and includes development of the expertise to determine and apply the appropriate evaluation process. In addition, the technology base includes the value derived from providing analyses done with NRC-approved methods.

The research, development, engineering, analytical and NRC review costs comprise a substantial investment of time and money by GEH. The precise value of the expertise to devise an evaluation process and apply the correct analytical methodology is difficult to quantify, but it clearly is substantial. GEH's competitive advantage will be lost if its competitors are able to use the results of the GEH experience to normalize or verify their own process or if they are able to claim an equivalent understanding by demonstrating that they can arrive at the same or similar conclusions.

The value of this information to GEH would be lost if the information were disclosed to the public. Making such information available to competitors without their having been required to undertake a similar expenditure of resources would unfairly provide competitors with a windfall, and deprive GEH of the opportunity to exercise its competitive advantage to seek an adequate return on its large investment in developing and obtaining these very valuable analytical tools.

I declare under penalty of perjury that the foregoing affidavit and the matters stated therein are true and correct to the best of my knowledge, information, and belief.

Executed on this 19th day of May 2011.

James F. Harrison
Vice President, Fuel Licensing, Regulatory Affairs
GE Hitachi Nuclear Energy Americas LLC