ML12328A078

| Person / Time | |
|---|---|
| Site: | Columbia |
| Issue date: | 10/31/2012 |
| From: | GE-Hitachi Nuclear Energy Americas |
| To: | Office of Nuclear Reactor Regulation |
| References: | GO2-12-162, DRF Section 0000-0141-5938-R5, NEDO-33751, Rev. 3 |
| Download: | ML12328A078 (57) |
RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION REGARDING LICENSE AMENDMENT REQUEST TO IMPLEMENT PRNM/ARTS/MELLLA

NEDO-33751 Revision 3, October 2012

COLUMBIA GENERATING STATION POWER RANGE NEUTRON MONITORING SYSTEM RELIABILITY ANALYSIS
GE Hitachi Nuclear Energy
NEDO-33751 Revision 3
DRF Section 0000-0141-5938-R5
October 2012
Non-Proprietary Information - Class I (Public)

COLUMBIA GENERATING STATION POWER RANGE NEUTRON MONITORING SYSTEM RELIABILITY ANALYSIS

Copyright 2012 GE-Hitachi Nuclear Energy Americas LLC. All Rights Reserved.
NEDO-33751 Revision 3

INFORMATION NOTICE

This is a non-proprietary version of the document NEDC-33751P, Revision 3, which has the proprietary information removed. Portions of the document that have been removed are indicated by an open and closed bracket as shown here (( )).
IMPORTANT NOTICE REGARDING CONTENTS OF THIS REPORT

PLEASE READ CAREFULLY

The design, engineering, and other information contained in this document are furnished for the purposes of supporting a license amendment request by Energy Northwest, for a power range neutron monitoring system upgrade in proceedings before the U.S. Nuclear Regulatory Commission.
The use of this information by anyone other than Energy Northwest, or for any purpose other than that for which it is intended, is not authorized; and, with respect to any unauthorized use, GEH makes no representation or warranty, express or implied, and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document, or that its use may not infringe privately owned rights.
Revision Summary

| Revision | Description |
|---|---|
| 0 | Initial Revision. |
| 1 | Table 2-3 was updated because removal of both fuses that supply power to a QLVPS results in a loss of power to the associated 2-Out-Of-4 Logic Module. |
| 2 | Removed reference from Section 3.2.5, clarified defect rate in Section 3.2.5.1, and re-ordered references. |
| 3 | Added proprietary markings to NEDC-33751P and created public version of NEDC-33751P (NEDO-33751). |
TABLE OF CONTENTS

ACRONYMS AND ABBREVIATIONS ... vi
1. INTRODUCTION ... 1
1.1 Purpose and Scope ... 1
1.2 Reliability Analysis Using the PRNM Licensing Topical Report ... 2
1.3 Utility Action to Apply LTR Failure Analysis Conclusions ... 4
1.4 Nuclear Regulatory Commission DI&C-ISG-06 Review Criteria and Guidelines ... 4
2. RELIABILITY ANALYSIS ... 5
2.1 PRNM Critical System Functions ... 5
2.2 Equipment Required for PRNM Critical System Functions ... 5
2.3 Reactor Recirculation Flow Upscale Trip Function ... 6
2.4 RBM Upscale Trip Function ... 6
2.5 Equipment NOT Required for PRNM Critical System Functions ... 6
2.6 Redundancy and Diversity ... 7
2.7 PRNM Hardware Reliability Data ... 7
2.8 Self-Test Coverage ... 8
2.9 Mean Time to Repair ... 8
2.10 Serviceability of Critical PRNMS Equipment ... 8
2.11 Servicing Equipment NOT Required for PRNM Critical System Functions ... 9
3. PRNM UNAVAILABILITY ANALYSIS ... 30
3.1 Methodology for PRNMS Unavailability Analysis ... 30
3.2 Data Used for PRNMS Unavailability Analysis ... 30
3.3 PRNMS UNAVAILABILITY ANALYSIS RESULTS ... 34
4. CONCLUSION ... 44
5. REFERENCES ... 45
APPENDIX A ... A-1

FIGURES

Figure 2-1 PRNMS Functional Block Diagram ... 29
Figure 3-1 PRNM Equipment NPR Summary Breakdown ... 43

TABLES

Table 2-1 PRNM Equipment Required for Critical System Functions ... 10
Table 2-2 Reliability Data for CGS PRNM Equipment ... 11
Table 2-3 Serviceability of Critical PRNMS Equipment ... 24
Table 2-4 Effect of Failures of Non-Critical PRNM Equipment on Critical Functions ... 26
Table 3-1 Channel Independent Parameters ... 35
Table 3-2 PRNM Equipment NPR Summary (1995-2011) ... 36
Table 3-3 Maximum Expected PRNM System Response Time ... 37
Table 3-4 Common Cause Parameters ... 38
ACRONYMS AND ABBREVIATIONS

| Term | Definition |
|---|---|
| AC | Alternating Current |
| APRM | Average Power Range Monitor |
| ARTS | Average Power Range Monitor, Rod Block Monitor Technical Specification Improvement Program |
| ASP | Automatic Signal Processor |
| BTP | Branch Technical Position |
| CCF | Common Cause Failure |
| CGS | Columbia Generating Station |
| C/M | Calibration/Monitoring |
| D3 | Diversity and Defense-in-Depth |
| DC | Direct Current |
| DI&C | Digital Instrumentation and Control |
| EPRI | Electric Power Research Institute |
| FDDI | Fiber Direct Data Interface |
| GDC | General Design Criterion |
| GEDAC | General Electric Data Acquisition and Communication |
| GEH | GE Hitachi Nuclear Energy |
| GGNS | Grand Gulf Nuclear Station |
| HVPS | High Voltage Power Supply |
| IEEE | Institute of Electrical and Electronics Engineers |
| INOP | Inoperative |
| I/O | Input/Output |
| ISG | Interim Staff Guidance |
| LAR | License Amendment Request |
| LED | Light Emitting Diode |
| LER | Licensing Event Report |
| LPRM | Local Power Range Monitor |
| LTR | Licensing Topical Report |
| LVPS | Low Voltage Power Supply |
| MCR | Main Control Room |
| MTBF | Mean Time Between Failure |
| MTTR | Mean Time to Repair |
| NIC | NUMAC Interface Computer |
| NPR | NUMAC Problem Reports |
| NRC | Nuclear Regulatory Commission |
| NUMAC | Nuclear Measurement Analysis and Control |
| ODIO | Open Drain Input/Output |
| OPRM | Oscillation Power Range Monitor |
| PCI | Power Range Communication Interface |
| PDS | Previously Developed Software |
| PPC | Plant Process Computer |
| PRM | Power Range Monitor |
| PRNM | Power Range Neutron Monitor |
| PRNMS | Power Range Neutron Monitoring System |
| QA | Quality Assurance |
| QLVPS | Quad Low Voltage Power Supplies |
| RBM | Rod Block Monitor |
| RG | Regulatory Guide |
| RMCS | Reactor Manual Control System |
| RPS | Reactor Protection System |
| RRS | Reactor Recirculation System |
| SRP | Standard Review Plan |
| STP | Simulated Thermal Power |
| VAC | Volts Alternating Current |
| VDC | Volts Direct Current |
| V&V | Validation and Verification |
1. INTRODUCTION

10 CFR Part 50 Appendix A identifies General Design Criterion (GDC) 21, "Protection System Reliability and Testability." This criterion states in part that the protection system shall be designed for high functional reliability.

Sections 5.3.14 and 6.0 of the Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitor (PRNM) Licensing Topical Report (LTR) (Reference 1) as modified by LTR Supplement 1 (Reference 2) contain the reliability analysis for the generic PRNM equipment. For the PRNM modification, this reliability analysis contains an evaluation of the replacement PRNM with the objective of demonstrating that the reliability of the replacement PRNM is equal to or better than that of the current Power Range Monitor (PRM) system.
Section 6.5 of Reference 1 as modified by PRNM LTR Supplement 1 (Reference 2) contains the following conclusions:

(( ))
1.1 Purpose and Scope
The purpose of this report is to provide an updated supporting analysis to confirm that the conclusions contained in Section 6.5 of the PRNM LTR remain valid, based upon the plant specific configuration of the Columbia Generating Station (CGS) PRNM modification.
This supporting analysis is intended to supplement the reliability analysis contained in Sections 5.3.14, 6.0, and Appendix F of the PRNM LTR (Reference 1) as modified by the PRNM LTR Supplement 1 (Reference 2). This report also contains additional reliability analysis information intended to address review criteria and guidelines for reliability analysis contained in Sections D.9.4.2.15 and D.10.4.2.15 of Digital Instrumentation and Control (DI&C)-Interim Staff Guidance (ISG)-06 (Reference 3).
The scope of the supporting analysis contained in this report is limited to confirmation that the configuration of the CGS PRNM modification is within the limits as described in Section 6.6, item (2) of the PRNM LTR (Reference 1), as modified by the PRNM LTR Supplement 1 (Reference 2). Section 6.6, items (1) and (3) of the PRNM LTR (Reference 1), as modified by the PRNM LTR Supplement 1 (Reference 2), are addressed in the CGS PRNM System Diversity and Defense-in-Depth (D3) Analysis (Reference 4).
1.2 Reliability Analysis Using the PRNM Licensing Topical Report

The supporting reliability and unavailability analysis contained in Sections 2 and 3 of this report provides the basis for concluding that Sections 5.3.14 and 6.0 of the PRNM LTR (Reference 1) as modified by LTR Supplement 1 (Reference 2) remain valid for the CGS PRNM System (PRNMS). Specifically, the analysis contains an evaluation of the effect of the PRNM modification on the reliability and availability of the APRM critical system functions and overall RPS failure frequency.
1.2.1 PRNM Modification Reliability Goals

The reliability goals for the PRNM modification are to ensure that the availability of the APRM critical system functions and the overall RPS failure frequency following the PRNMS modification are equivalent to or better than those of the currently installed PRM system.
Reliability and availability requirements for NUMAC equipment included in the CGS PRNMS design are specified in Section 4.2.8 of the NUMAC Requirements Specification (Reference 5). Section 4.2.8 of the NUMAC Requirements Specification requires that the Mean Time Between Failures (MTBFs) for continuous operation at 40°C in a benign environment shall be computed for each NUMAC component using MIL-HDBK-217 (Reference 6).
1.2.2 Reliability Analysis Methodology

The PRNM modification reliability analysis includes both quantitative and qualitative analysis of information pertaining to the reliability of the PRNMS modification as follows:

- Hardware Reliability Data: Quantitative analysis of reliability data for the PRNMS hardware is performed to the module level, including determination of updated MTBF values for the PRNM equipment, based on calculated, vendor-supplied and field operating experience reliability data values for the CGS PRNM equipment. A qualitative comparison of the updated plant-specific PRNM equipment MTBF values with those listed in the PRNM LTR (Reference 1) and LTR Supplement 1 (Reference 2) is also performed.
- System Self-Test Coverage: A qualitative analysis of the automatic PRNMS test features used to detect both hardware and software failures within the PRNM equipment is included in Section 6.3 of the PRNM LTR (Reference 1) as modified by LTR Supplement 1 (Reference 2). A quantitative analysis of the testability of the PRNM equipment is also included in the LTR, which includes determination of demand failure rate, probability of test-caused failure, test interval, allowed test time and allowed repair time. These values are used in determination of channel independent and combined system common cause failure rates.
- Software Reliability: A qualitative assessment of the PRNM software reliability is performed based on PRNM software operating history, processes to minimize software defects and ensure that the PRNM software is high quality, and plant D3 measures to mitigate the consequences of PRNMS common cause failures attributed to software defects.
- PRNM Unavailability: A quantitative analysis of PRNMS channel independent failure rate and data representing testability of the PRNMS channels is performed in order to determine total average unavailability of the PRNM equipment, which supports the PRNM critical functions described in Section 3.3.2 of the PRNM LTR (Reference 1) as modified by the LTR Supplement 1 (Reference 2). PRNMS channel redundancy features and the common cause unavailability for the overall PRNMS function are considered in this analysis, as described in Section 6.3 of the PRNM LTR (Reference 1) as modified by LTR Supplement 1 (Reference 2). The total average unavailability of the PRNMS equipment for RPS trip functions is compared to that of the currently installed PRM system in order to determine if the reliability goals for the PRNMS modification are satisfied.
- Design Processes and Strategies: A qualitative analysis of the design processes and design strategies implemented to reduce the probability and mitigate the consequences of common cause PRNMS hardware and software failures is described in Section 6.4 of the PRNM LTR (Reference 1) as modified by the LTR Supplement 1 (Reference 2). This PRNM LTR analysis is further supported by the following:
  - Diversity and Defense-in-Depth: An assessment of the D3 related to the CGS PRNMS modification is contained in the CGS PRNMS D3 Analysis (Reference 4). The CGS PRNMS D3 analysis contains an evaluation of the postulated worst-case common-cause failure in the PRNMS programmable entities, and directly addresses all criteria of Branch Technical Position (BTP) 7-19. The evaluations contained in the CGS D3 analysis (Reference 4) demonstrate that the CGS plant design has the D3 to cope with any potential Common Cause Failure (CCF) in the programmable entities of the PRNMS modification.
  - Software Quality: A description of the processes that were used to develop and test the CGS PRNMS microprocessor firmware is contained in NEDC-33685P (Reference 7), Section 4.4, "NUMAC Software Development Process Evaluation." Section 4.4 of Reference 7 contains a description of the degree of independence that existed during development of the CGS PRNMS firmware, and the compensatory measures taken in order to close gaps with respect to the degree of independence described in Institute of Electrical and Electronics Engineers (IEEE) Standard 1012-1998. Section 4.4.1.3 of NEDC-33685P (Reference 7) also contains a description of the software Quality Assurance (QA) plan under which the CGS PRNMS firmware was developed.
The reliability analysis methodology contained in this report is consistent with that described in Section 6.0 of the PRNM LTR (Reference 1) as modified by LTR Supplement 1 (Reference 2). The predicted reliability and unavailability of the PRNMS equipment is determined and compared with that of the current PRM system in order to confirm that the reliability goals for the CGS PRNM modification are satisfied.
1.3 Utility Action to Apply LTR Failure Analysis Conclusions

Section 6.6 of the PRNM LTR (Reference 1) as modified by PRNM LTR Supplement 1 (Reference 2), "Utility Action to Apply Failure Analysis Conclusions," requires the utility to confirm applicability of the conclusions contained in Section 6.5 of the PRNM LTR by:

(1) Confirming that the events defined in Electric Power Research Institute (EPRI) Report No. NP-2230 or Appendices F and G of Reference 8 encompass the events that are analyzed for the plant,
(2) Confirming that the configuration implemented by the plant is within the limits described in this report, and
(3) Preparing a plant-specific 10 CFR 50.59 evaluation of the modification per the applicable plant procedures.

These confirmations and conclusions should be documented in the plant-specific licensing submittal for the PRNM modification.

As stated in Section 1.1 of this report, Section 6.6 items (1) and (3) of the PRNM LTR (Reference 1), as modified by the PRNM LTR Supplement 1 (Reference 2), are addressed in the CGS PRNM System D3 Analysis (Reference 4).
1.4 Nuclear Regulatory Commission DI&C-ISG-06 Review Criteria and Guidelines

DI&C-ISG-06 (Reference 3) describes the licensing process that may be used in the review (against licensing criteria, the Standard Review Plan (SRP), NUREG-0800) of license amendment requests (LARs) associated with DI&C system modifications in operating plants originally licensed under 10 CFR Part 50. Sections D.9.4.2.15 and D.10.4.2.15 of DI&C-ISG-06 (Reference 3) contain review criteria and guidelines pertaining to reliability analysis performed for DI&C system modifications to ensure compliance with IEEE Standard 603-1991 (Reference 9).
Appendix A of this report contains a cross reference between the review criteria and guidelines contained in Sections D.9.4.2.15 and D.10.4.2.15 of DI&C-ISG-06 (Reference 3), and the related sections of this report.
2. RELIABILITY ANALYSIS

2.1 PRNM Critical System Functions

The CGS PRNM is designed for high functional reliability and in-service testability commensurate with the PRNM critical system functions, which are identified in Section 3.3.2 of References 1 and 2. These PRNM critical system functions are identified as:

(( ))

A functional block diagram of the CGS PRNMS architecture is shown in Figure 2-1.
2.2 Equipment Required for PRNM Critical System Functions

The CGS PRNMS equipment required to perform critical system functions includes:

(( ))

Table 2-1 provides a summary of the PRNM instruments and major assemblies that are required to support the critical PRNM functions.

2.3 Reactor Recirculation Flow Upscale Trip Function

(( ))

2.4 RBM Upscale Trip Function

2.5 Equipment NOT Required for PRNM Critical System Functions

(( ))
2.6 Redundancy and Diversity An assessment of D3 for the CGS PRNM modification is contained in the CGS PRNMS D3 analysis (Reference 4). The CGS PRNMS D3 analysis contains a detailed D3 analysis based on a postulated worst-case common-cause failure in the PRNMS programmable entities, and directly addresses all criteria of BTP 7-19. The CGS PRNMS D3 analysis demonstrates that the CGS plant design includes D3 to cope with any potential CCF in the programmable entities in the PRNM modification.
(( ))

2.7 PRNM Hardware Reliability Data

2.7.1 MIL-HDBK-217 Calculated MTBF Values

2.7.2 Vendor Supplied MTBF Values

2.7.3 Updated Field Hour MTBF Values

2.8 Self-Test Coverage

(( ))

2.9 Mean Time to Repair

2.10 Serviceability of Critical PRNMS Equipment

(( ))

2.11 Servicing Equipment NOT Required for PRNM Critical System Functions

Table 2-4 contains an effect summary for servicing of major equipment in the PRNMS panels which does not support the PRNM critical system functions.
Table 2-1 PRNM Equipment Required for Critical System Functions

Table 2-2 Reliability Data for CGS PRNM Equipment

(( ))
Notes for Table 2-2:

1. (( ))
Table 2-3 Serviceability of Critical PRNMS Equipment

(( ))
Table 2-4 Effect of Failures of Non-Critical PRNM Equipment on Critical Functions

| Equipment Description | Effect of Servicing Equipment on PRNM Critical System Functions |
|---|---|

(( ))
Figure 2-1 PRNMS Functional Block Diagram
3. PRNM UNAVAILABILITY ANALYSIS

3.1 Methodology for PRNMS Unavailability Analysis

The methodology for the unavailability analysis for the CGS PRNMS is the same as that used to prepare Reference 8, which was reviewed and approved by the Nuclear Regulatory Commission (NRC) in 1988. Thus, the following relationship is used:
(( ))

3.2 Data Used for PRNMS Unavailability Analysis

3.2.1 Hardware Reliability Data

(( ))
3.2.2 Channel Independent Parameters Table 3-1 contains a comparison of the channel independent unavailability analysis parameters for the current CGS PRM system and for the PRNM replacement system.
3.2.3 Software Reliability
3.2.4 Software Quality

GEH utilizes independent design verifications, an extensive V&V program, and design reviews as part of its development process to obtain high quality PRNM software, as described in Section 4.4 of NEDC-33685P (Reference 7). Section 6 of the PRNM LTR (Reference 1) as modified by LTR Supplement 1 (Reference 2) describes the methods and strategies utilized in the PRNM design to reduce the probability of, and mitigate the consequences of, common-cause PRNM hardware and software failures.

(( ))
3.2.5 PRNM Software Operating Experience

The NRC acceptance of the PRNM LTR is contained in NEDC-32410P-A (Reference 1), dated September 5, 1995. The PRNM LTR provides the basis for licensing of the NUMAC PRNM modification.
(( ))

3.2.5.1 NUMAC PRNM Problem Report History

(( ))

3.2.5.2 PRNM Communication Data Error Rates

(( ))

Table 3-3 contains a summary of the maximum expected PRNM response time based upon the error rates listed above.

(( ))
3.2.6 Common Cause Parameters

(( ))

3.3 PRNMS UNAVAILABILITY ANALYSIS RESULTS

Table 3-5 contains a summary of the unavailability analysis for the current PRM and the PRNM modification. The analysis results were obtained using the methodology and data for analysis described in Sections 3.1 and 3.2 of this report.
Table 3-1 Channel Independent Parameters

(( ))

Note: Table 3-1 notes have been combined with the Table 3-4 notes, and are shown below Table 3-4.
Table 3-2 PRNM Equipment NPR Summary (1995-2011)

| NPR Category | Quantity |
|---|---|

(( ))

Note:

(a) (( ))
Table 3-3 Maximum Expected PRNM System Response Time

(( ))

Notes:

(a) (( ))
Table 3-4 Common Cause Parameters

| Parameter | Current PRM | NUMAC PRNM |
|---|---|---|

(( ))

Notes for Tables 3-1 and 3-4:

(a) (( ))
Table 3-5 PRNMS Unavailability Analysis Results

(( ))

Figure 3-1 PRNM Equipment NPR Summary Breakdown
4. CONCLUSION

(( ))

The conclusions stated in Section 6.5 of the PRNM LTR (Reference 1) are therefore valid, and the criteria of 10 CFR 50 Appendix A, Criterion 21, "Protection System Reliability and Testability," are satisfied following installation of the CGS PRNMS modification.
5. REFERENCES

1. GE Nuclear Energy, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," NEDC-32410P-A, October 1995.
2. GE Nuclear Energy, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function," NEDC-32410P-A, Supplement 1, November 1997.
3. DI&C-ISG-06, "Task Working Group #6: Licensing Process," Revision 1, dated January 19, 2011 (ADAMS Accession No. ML110140103).
4. GE Hitachi Nuclear Energy, "Columbia Generating Station Power Range Neutron Monitoring System Diversity and Defense-in-Depth (D3) Analysis," NEDC-33694P, Revision 1, January 2012 (ADAMS Accession No. ML12040A076).
5. "NUMAC Requirements Specification," 23A5082, Revision 1.
6. Military Handbook, "Reliability Prediction of Electronic Equipment," MIL-HDBK-217F, December 1991.
7. GE Hitachi Nuclear Energy, "Digital I&C-ISG-06 Compliance for Columbia Generating Station NUMAC Power Range Neutron Monitoring Retrofit Plus Option III Stability Trip Function," NEDC-33685P, Revision 1, January 2012 (ADAMS Accession No. ML12040A074).
8. GE Nuclear Energy, "Technical Specification Improvement Analysis for BWR Reactor Protection System," NEDC-30851P-A, May 1988.
9. IEEE Standard 603, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," 1991.
10. Power Range Neutron Monitoring System Elementary Diagram, 105E1503TC, Revision 7.
11. GEH Engineering Service Instruction, "Instrumentation and Controls (I&C) Product Problem Reports and Failure History Tracking," ESI 30-2.00, Revision 1, December 2007.
12. GE Hitachi Nuclear Energy, "Columbia Generating Station Power Range Neutron Monitoring System Response Time Analysis Report," NEDC-33690P, Revision 0, November 2011 (ADAMS Accession No. ML12040A075).
13. "Broadcaster Module" Performance Specification, 24A5217, Revision 1.
14. General Electric Company, "An Analysis of Functional Common-Mode Failures in GE BWR Protection and Control Instrumentation," NEDO-10189, July 1970.
15. "NUMAC Power Range Neutron Monitor System" Requirement Specification, 24A5221, Revision 18.
16. "Oscillation Power Range Monitor Data Sheet," 25A5041AD, Revision 1.
APPENDIX A DI&C-ISG-06 Review Criteria Cross Reference

| DI&C-ISG-06 Section | Review Criterion / Guideline | Report Section(s) |
|---|---|---|
| D.9.4.1.9 | Clause 4.9 requires the identification of the methods used to determine that the reliability of the safety system design is appropriate for each such design, and the identification of the methods used to verify that reliability goals imposed on the system design have been met. NRC staff acceptance of system reliability is based on the deterministic criteria described in IEEE Standard 603-1991, and IEEE Standard 7-4.3.2-2003. | 1.2 |
| D.9.4.1.9 | The NRC staff does not endorse the concept of quantitative reliability goals as a sole means of meeting the NRC's regulations for reliability of safety systems. Quantitative reliability determination, using a combination of analysis, testing, and operating experience can provide an added level of confidence, but alone is not sufficient. | 1.2, 2.1, 2.2, 2.5-2.11, 3.1, 3.2 |
| D.9.4.1.9 | For safety systems that include digital computers, both hardware and software reliability should be considered. | 2.7, 3.2.1-3.2.6 |
| D.9.4.1.9 | Software errors that are not the consequence of hardware failures are caused by design errors and, therefore, do not follow the random failure behavior used for hardware reliability analysis. Consequently, different methodologies may be used to assess the unreliability introduced by hardware and software. | 3.2.3-3.2.6 |
| D.9.4.2.15 | Clause 5.15 requires that for those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. (Footnote 6) | 1.2.1, 1.2.2, 4 |
| D.9.4.2.15 | The information provided should justify that the degree of redundancy, diversity, testability, and quality provided in the safety system design is adequate to achieve functional reliability commensurate with the safety functions to be performed. | 2.6, 2.8, 2.10, 2.11, 3.2.4 |
| D.9.4.2.15 | For computer systems, both hardware and software should be included in this analysis. | 2.7, 3.2.1-3.2.6 |
| D.9.4.2.15 | The NRC staff considers software that complies with the quality criteria of Clause 5.3, and that is used in safety systems that provide measures for defense against common-cause failures as described in D.6, also complies with the fundamental reliability requirements of GDC 21, IEEE Standard 279-1971, and IEEE Standard 603-1991. | 1.,26326 |
| D.9.4.2.15 | Further, the assessment against Clause 5.15 should consider the effect of possible hardware failures and software errors and the design features provided to prevent or limit their effects, and that hardware failure conditions to be considered should include failures of portions of the computer itself and failures of portions of the communications systems. This should include hard failures, transient failures, sustained failures, and partial failures. | 1.2.2, 2.2, 2.5-2.7, 3.2.1, 3.2.2, 3.2.3, 3.2.5.2, 3.2.6 |
| D.9.4.2.15 | With respect to software, common-cause failures, cascading failures, and undetected failures should be considered. | 2.6, 3.2.3-3.2.6, 3.3 |
| D.9.4.2.15 | Quantitative reliability goals alone are not sufficient as a means of meeting the regulations for the reliability of digital computers used in safety systems. | 1.2, 1.2.2, 2.2, 2.6, 2.8, 2.10, 2.11, 3.1, 3.2 |
| D.10.4.2.15 | Clause 5.15 specifies that, in addition to the requirements of IEEE Standard 603-1991, when reliability goals are identified, the proof of meeting the goals should include the software. The method for determining reliability may include combinations of analysis, field experience, or testing. Software error recording and trending may be used in combination with analysis, field experience, or testing. (Footnote 11) | 2.6, 2.8, 3.1, 3.2.3-3.2.6 |
| D.10.4.2.15 | As stated in Regulatory Guide (RG) 1.152, the NRC does not endorse the concept of quantitative reliability goals as the sole means of meeting the NRC's regulations for reliability in digital computers for safety-related applications. Quantitative reliability determination, using a combination of analysis, testing, and operating experience, can provide an added level of confidence in the reliable performance of the system. | 1.2, 1.2.2, 1.3, 2.2, 2.7 |
| D.10.4.2.15 | Since there is not a widely accepted view on the determination of software reliability values, determining an error probability and therefore a reliability value may not be appropriate. The reviewer should be cautious if vendors or licensees offer such a value. The NRC staff relies on the vendor implementing a high quality process of software design to obtain high quality software. The reviewer should expect the software to be of the highest quality, but should not credit the software being perfect. The NRC staff should review software reliability calculations and that the firmware and software is in accordance with NRC reliability guidelines. | 1.2, 1.3, 2.6, 2.8, 3.1 |

Footnote 6: A reliability analysis provides sufficient detail to support and justify that the system meets the reliability requirements.

Footnote 11: A reliability analysis provides sufficient detail to support and justify that the system meets the reliability requirements.