ML13015A273


NEDO-33698, Rev 2, Columbia Generating Station Power Range Neutron Monitoring System Design Report on Computer Integrity, Test and Calibration, and Fault Detection
Site: Columbia, Energy Northwest
Issue date: 12/31/2012
From: GE-Hitachi Nuclear Energy Americas
To: Office of Nuclear Reactor Regulation
References: DRF Section 0000-0138-4855, Rev 4, NEDO-33698, Rev 2

LICENSE AMENDMENT REQUEST TO IMPLEMENT PRNM/ARTS/MELLLA - REVISED REPORTS

NEDO-33698 Revision 2
December 2012

COLUMBIA GENERATING STATION POWER RANGE NEUTRON MONITORING SYSTEM DESIGN REPORT ON COMPUTER INTEGRITY, TEST AND CALIBRATION, AND FAULT DETECTION

GE Hitachi Nuclear Energy
NEDO-33698 Revision 2
DRF Section 0000-0138-4855 R4
December 2012
Non-Proprietary Information-Class I (Public)

Copyright 2012 GE-Hitachi Nuclear Energy Americas LLC. All Rights Reserved.

INFORMATION NOTICE

This is the non-proprietary version of the document NEDC-33698P, Revision 2, which has the proprietary information removed. Portions of the document that have been removed are indicated by an open and closed bracket as shown here (( )).

IMPORTANT NOTICE REGARDING CONTENTS OF THIS REPORT

Please Read Carefully

The design, engineering, and other information contained in this document is furnished for the purpose of supporting the Columbia Generating Station license amendment request for a power range neutron monitor system upgrade in proceedings before the U.S. Nuclear Regulatory Commission. The only undertakings of GEH with respect to information in this document are contained in the contracts between GEH and its customers or participating utilities, and nothing contained in this document shall be construed as changing that contract.

The use of this information by anyone for any purpose other than that for which it is intended is not authorized; and with respect to any unauthorized use, GEH makes no representation or warranty, and assumes no liability as to the completeness, accuracy, or usefulness of the information contained in this document.

Revision Summary

Revision  Change Summary
0         Initial Revision
1         Updated revision number in the reference section for NEDC-33685P.
2         Corrections to Sections 2.2.6 and 4.2.7.

TABLE OF CONTENTS

1. INTRODUCTION
2. CGS PRNMS SYSTEM INTEGRITY
   2.1 Analysis Objectives
   2.2 Evaluation per SRP Chapter 7, Appendix 7.1-C, Section 5.5 Requirements
   2.3 Evaluation per SRP Chapter 7, Appendix 7.1-D, Section 5.5 Requirements
3. CGS PRNMS CAPABILITY FOR TEST AND CALIBRATION
   3.1 Analysis Objectives
   3.2 Evaluation per SRP Chapter 7, Appendix 7.1-C, Section 5.7 and 6.5 Requirements
   3.3 Evaluation per SRP Chapter 7, Appendix 7.1-D, Section 5.7 Requirements
4. CGS PRNMS REPAIR, FAULT DETECTION AND SELF-DIAGNOSTICS
   4.1 Analysis Objectives
   4.2 Evaluation per BTP 7-17 Requirements
5. REFERENCES

ACRONYMS AND ABBREVIATIONS

Term      Definition
APRM      Average Power Range Monitor
BTP       Branch Technical Position
BWR       Boiling Water Reactor
CGS       Columbia Generating Station
CTP       Core Thermal Power
DI&C-ISG  Digital Instrumentation & Control-Interim Staff Guidance
EC        Engineering Change
EMC       Electromagnetic Compatibility
FMEA      Failure Modes and Effects Analysis
GAF       Gain Adjustment Factor
GEH       GE-Hitachi Nuclear Energy Americas LLC
IEEE      Institute of Electrical and Electronics Engineers
INOP      Inoperable
IRM       Intermediate Range Monitor
LAR       License Amendment Request
LPRM      Local Power Range Monitor
LTR       Licensing Topical Report
NRC       Nuclear Regulatory Commission
NUMAC     Nuclear Measurement Analysis and Control
NUREG     Nuclear Regulatory Commission Regulation
ODA       Operators Display Assembly
OPRM      Oscillation Power Range Monitor
PRM       Power Range Monitor
PRNMS     Power Range Neutron Monitoring System
RBM       Rod Block Monitor
RPS       Reactor Protection System
SER       Safety Evaluation Report
SRP       Standard Review Plan
STP       Simulated Thermal Power
TS        Technical Specifications
V&V       Verification & Validation

1. INTRODUCTION

This report provides information in support of documentation submittal requirements of a Tier 2 review identified in item 1.18 of Enclosure B of "Digital Instrumentation & Control-Interim Staff Guidance," DI&C-ISG-06 (Reference 1).

The digital Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitoring System (PRNMS), as described in the Licensing Topical Report (LTR) NEDC-32410P-A (Reference 2), was approved by the NRC for implementation as a retrofit for Boiling Water Reactor (BWR) plants on the condition that the recommended plant-specific actions were evaluated and incorporated.

This report addresses Reference 1 Sections D.9.4.2.5, D.9.4.2.7, D.9.4.2.10, D.9.4.3.5, D.10.4.2.5.1, D.10.4.2.5.2, D.10.4.2.5.3 and D.10.4.2.7 for the Columbia Generating Station (CGS) PRNMS. In doing so, this report demonstrates compliance with Institute of Electrical and Electronics Engineers (IEEE) Standard 603-1991, Clauses 5.5, 5.7, 5.10 and 6.5, and IEEE Standard 7-4.3.2 Clauses 5.5.1, 5.5.2, 5.5.3 and 5.7.

This report provides the basis to conclude that the CGS PRNMS installation has been designed so that: (1) the system can accomplish its safety functions under the full range of applicable conditions enumerated in the design basis; (2) the capability for testing and calibration of the safety system equipment is provided while retaining the capability of the safety systems to accomplish their safety functions; (3) the safety system is designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment; and (4) it is possible to check, with a high degree of confidence, the operational availability of each of the sense and command feature input sensors needed for a safety function during reactor operation, including the availability of each sense and command feature needed during the post-accident period.

2. CGS PRNMS SYSTEM INTEGRITY

2.1 Analysis Objectives

This section addresses the criteria of Standard Review Plan (SRP) Chapter 7, Appendix 7.1-C, Section 5.5 and Appendix 7.1-D Section 5.5 for Computer and System Integrity, IEEE Standard 603-1991, Clause 5.5, and IEEE Standard 7-4.3.2 sub-clause 5.5.1.

This section addresses Reference 1, Sections D.9.4.2.5 and D.10.4.2.5.1 for the CGS PRNMS.

2.2 Evaluation per SRP Chapter 7, Appendix 7.1-C, Section 5.5 Requirements

2.2.1 Environmental Qualification

Requirement: Per the information provided in accordance with IEEE Std 603-1991 Clauses 4.7 and 4.8, confirm that the design includes the qualification of equipment for the conditions identified in the design bases.

Per Section 5.0 of NEDC-33685P (Reference 3), the environmental conditions for the CGS PRNMS configuration are enveloped by the conditions to which the PRNMS equipment has been qualified. The qualification of the PRNMS for environmental, seismic and Electromagnetic Compatibility (EMC) was performed in two steps: first, the qualification of the PRNM instruments in accordance with their individual instrument requirements, and then, the qualification of the PRNM panel in accordance with the panel requirements (control room environments). To meet project requirements, the qualification at both the instrument and the panel level must be demonstrated. However, the qualification at the panel level is the bounding requirement to demonstrate qualification for the PRNM equipment as installed. The qualification summary report covers both instrument and panel qualification.

The qualification levels of instruments mounted in those panels are included in the Qualification Summary for Energy Northwest (ENW), CGS (Reference 4).

The CGS plant-specific environmental qualification document (Reference 4) includes the results of qualification testing for the PRNM instrument and for the PRNM instruments installed in cabinets and panels in the control room environment.

The environment specified for the qualification is consistent with the design basis of CGS, which addresses the design basis conditions (for example, voltage, frequency, radiation, temperature, humidity, pressure, and vibration) identified in Clause 4.7 of IEEE Standard 603-1991.

The design basis (for example, missiles, pipe breaks, fires, loss of ventilation, spurious operation of fire suppression systems, operator error, failure in non-safety-related systems) identified in Clause 4.8 of IEEE Standard 603-1991 remains the same for the PRNM retrofit application at CGS.

Per Section 9.2.6 of the NEDC-33685P (Reference 3), the CGS PRNM meets the independence requirements identified in IEEE Standard 603-1991, Clause 5.6.2.

Per Section 9.2.1 of the NEDC-33685P (Reference 3), the PRNMS design meets the single failure criteria and the reliability requirements as identified in IEEE Standard 603-1991, Clause 5.1.

2.2.2 System Real-Time Performance

Requirement: Confirm that system real-time performance is adequate to ensure completion of protective action within the critical points of time identified as required by Clause 4.10 of IEEE Standard 603-1991.

PRNMS response time requirements are described in Chapter 3 of NEDC-32410P-A (Reference 2). The system and equipment architecture was selected with the specific objective of assuring the response time requirements could be met. (( ))

NEDC-33690P (Reference 5) evaluated the response time of the CGS PRNMS versus the safety analysis requirements and standard criteria for digital instrumentation and controls. The response time for the PRNM has been shown by analysis and testing to be less than the required response times, and thus, the PRNM performs sufficiently to meet safety analysis requirements (Section 2.2 of Reference 5). The NUMAC PRNMS response time is adequate to meet the Limiting Response Time of RPS consistent with the guidance provided in NUREG-0800 and Branch Technical Position (BTP) 7-21, and in accordance with the IEEE Standard 603-1991, Clause 4.10 requirement for the safety system design basis.

2.2.3 Computer System Hardware Integrity

Requirement: Evaluation of computer system hardware integrity should be included in the evaluation against the requirements of IEEE Standard 603-1991.

This IEEE Standard 603-1991 requirement, with guidance from IEEE Standard 7-4.3.2 1993, is the same as IEEE Standard 279 Clause 4.5, which is addressed in the LTR (Reference 2) Section 4.4.1.1.5. All equipment required to perform APRM/Oscillation Power Range Monitor (OPRM) trip functions and to assure no inadvertent bypass is designed to operate in both the normal and abnormal plant control room environment, including EMI, and under seismic loads.

Refer to Section 2.2.1 above regarding hardware integrity in design basis environment.

The PRNMS is designed to achieve system integrity in digital equipment for use in safety systems with regard to: (1) design for test and calibration in accordance with IEEE Standard 7-4.3.2 Clause 5.5.2 (provided in Section 3.3 of this report) and (2) fault detection and self-diagnostics in accordance with IEEE Standard 7-4.3.2 Clause 5.5.3 (provided in Section 4.2 of this report).

2.2.4 Computer System Software Integrity

Requirement: Computer system software integrity (including the effects of hardware-software interaction) should be demonstrated by the applicant/licensee's software safety analysis activities.

Computer system software integrity is addressed by the Software Safety Plan and the Software Safety Analysis in Sections 4.4.1.9 and 4.4.2.1 of NEDC-33685P (Reference 3).

2.2.5 Safety System Failure to a Safe State

Requirement: Confirm that the design provides for safety systems to fail in a safe state, or into a state that has been demonstrated to be acceptable on some other defined basis, if conditions such as disconnection of the system, loss of energy, or adverse environments, are experienced.

The PRNM scope is limited to one-sensor system within the Reactor Trip System, and is designed to fail-safe (tripped) by hardware means like the current power range monitor (PRM) system design.

The single failure-proof design of the PRNMS, as described in the LTR (Reference 2), meets the requirements of IEEE Standard 279-1971, Clause 4.2 (Section 4.4.1.1.2 of the LTR). The failure analysis for the PRNMS is provided in Section 6 of Volume I of the LTR and in Appendix F of Volume 2 of the LTR.

The replacement design has been specifically designed to have the same or more conservative "fail safe" failure modes as the current system (Appendix G of Volume 2 of the LTR, Reference 2). (( ))

2.2.6 Automatic Actions on Detection of Inoperable Input Instruments

Requirement: The system should, upon detection of inoperable input instruments, automatically place the protective functions associated with the failed instrument(s) into a safe state (e.g., automatically place the affected channel(s) in trip), unless the operator has already placed the affected channel in a bypass mode (this would change a two-out-of-four logic to a two-out-of-three logic).

(( ))

2.2.7 Hardware or Software Failures Detected by Self-diagnostics

Requirement: Hardware or software failures detected by self-diagnostics should place a protective function into a safe state or leave the protective function in an existing safe state.

Failure of computer system hardware or software should not inhibit manual initiation of protective functions or the operator performance of preplanned emergency or recovery actions.

The testability and self-test capability of the PRNMS are provided in Section 5.3.11 of the LTR.

Section 6.3.5 of Reference 2 provides the self-test coverage.

(( ))

2.2.8 Actions on Partial or Full System Initialization or Shutdown after a Loss of Power

During either partial or full system initialization or shutdown after a loss of power, control output to the safety system actuators should fail to a predefined, preferred failure state. A system restart upon restoration of power should not automatically transfer the actuators out of the predefined failure state. Changes to the state of plant equipment from the predefined state following restart and reinitialization (other than changes in response to valid safety system signals) should be under the control of the operator in accordance with appropriate plant procedures.

(( ))

2.3 Evaluation per SRP Chapter 7, Appendix 7.1-D, Section 5.5 Requirements

In addition to the system integrity criteria required by IEEE Standard 603-1991, and the guidance in Subsection 5.5 of SRP Appendix 7.1-C, IEEE Standard 7-4.3.2-2003 includes criteria in sub-clauses 5.5.1 through 5.5.3 for designs for computer integrity, test and calibration, and fault detection and self-diagnostics activities. The following are necessary to achieve system integrity in digital equipment for use in safety systems:

  • Design for computer integrity (sub-clause 5.5.1 - addressed in this section)

  • Design for test and calibration (sub-clause 5.5.2 - addressed in Section 3.3.1)

  • Fault detection and self-diagnostics (sub-clause 5.5.3 - addressed in Sections 3.3.2 through 4.2)

2.3.1 Design for computer integrity (IEEE Std 7-4.3.2 Sub-Clause 5.5.1)

Requirement: The computer is designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function.

As described in Sections 2.2.1 through 2.2.8 above, the computer is designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function.

3. CGS PRNMS CAPABILITY FOR TEST AND CALIBRATION

3.1 Analysis Objectives

This section addresses the criteria of SRP Chapter 7, Appendix 7.1-C, Sections 5.7 and 6.5, and Appendix 7.1-D Section 5.7 for the Capability for Test and Calibration, and demonstrates compliance with these requirements. In addition, this evaluation demonstrates compliance with IEEE Standard 603-1991, Clauses 5.7 and 6.5, IEEE Standard 7-4.3.2 Clauses 5.5.2 and 5.7, and addresses Staff Guidance of DI&C-ISG-06 Sections D.9.4.2.7, D.9.4.3.5, D.10.4.2.5.2 and D.10.4.2.7 for the CGS PRNMS.

3.2 Evaluation per SRP Chapter 7, Appendix 7.1-C, Section 5.7 and 6.5 Requirements

3.2.1 Periodic Testing (Appendix 7.1-C, Section 5.7)

Requirement: Periodic testing should duplicate, as closely as practical, the overall performance required of the safety system. The test should confirm operability of both the automatic and manual circuitry. The capability should be provided to permit testing during power operation.

When this capability can only be achieved by overlapping tests, the test scheme must be such that the tests do, in fact, overlap from one test segment to another.

Section 5.3.11 of the LTR (Reference 2) describes the testability and self-test capability of the PRNM system, including overlap testing from one test segment to another.

The PRNMS supports the continued performance of surveillance tests per the requirements of the Technical Specifications (TS) as discussed in Section 3.2.3 of this report.

3.2.2 Test Provisions Should Address Increased Potential for Subtle System Failures (Appendix 7.1-C, Section 5.7)

Requirement: Test provisions should address the increased potential for subtle system failures such as data errors and computer lockup.

The test provisions provided to address subtle system failures are the continuous self-test and watchdog timer. Section 5.3.11 of the LTR (Reference 2) provides the testability and self-test capability of the PRNMS. Section 6.3.5 (Reference 2) provides the self-test coverage. (( ))

3.2.3 Design Supports Types of Testing Required by Technical Specifications (Appendix 7.1-C, Section 5.7)

Confirm that the system design supports the types of testing required by the Technical Specifications. The system design should also support the compensatory actions required by Technical Specifications when limiting conditions for operation are not met. The design should allow for tripping or bypass of individual functions in each safety system channel.

The PRNMS design supports testing required by TS, including channel checks, channel functional testing, channel calibrations, response time testing, and logic system functional testing. Sections 8.3.4 and 8.4.4 of the LTR (Reference 2) describe the recommended changes to channel checks, channel functional testing, channel calibrations, response time testing and how these changes are supported by the PRNMS design. Sections 8.3.5 and 8.4.5 of Reference 2 describe the recommended changes to the logic system functional testing and how these changes are supported by the design. Additionally, these sections specify the ENW action to implement changes to TS to ensure they are revised accordingly for the PRNMS design. See the CGS plant-specific responses (Reference 6), for more detailed information about the utility action taken.

The PRNMS design supports the performance of the compensatory actions required by TS when limiting conditions for operation are not met. (( ))

3.2.4 Checking Operational Availability of Sensors (Appendix 7.1-C, Section 6.5)

Requirement: Means shall be provided for checking the operational availability of each sensor required for a safety function.

The PRNM design maintains the same sensor check capability for the LPRM detectors and the recirculation flow sensors as exists in the current PRM design.

(( ))

3.3 Evaluation per SRP Chapter 7, Appendix 7.1-D, Section 5.7 Requirements

3.3.1 Test and Calibration Functions Have No Adverse Effect on System Performance (IEEE Standard 7-4.3.2, Sub-clause 5.5.2)

Requirement: Test and calibration functions should not adversely affect the ability of the system to perform its safety function.

(( ))

3.3.2 Fault Detection/Self-Diagnostics and Partial System Failures (IEEE Standard 7-4.3.2, Sub-clause 5.5.3)

Requirement: Fault detection and self-diagnostics are one means that can be used to assist in detecting partial system failures that could degrade the capabilities of the computer system, but may not be immediately detectable by the system.

As described in Section 3.2.2 of this report, the test provisions provided to address subtle system failures are the continuous self-test and watchdog timer. Section 5.3.11 of the LTR (Reference 2) describes the testability and self-test capability of the PRNMS.

Section 6.3.5 (Reference 2) describes the self-test coverage.

3.3.3 Use of a Non-Software Watchdog Timer

Requirement: Use of a non-software watchdog timer is critical in the overall diagnostic scheme.

(( )) (Section 6.3.5 of the LTR - Reference 2).

4. CGS PRNMS REPAIR, FAULT DETECTION AND SELF-DIAGNOSTICS

4.1 Analysis Objectives

This section addresses the criteria of BTP 7-17 (failure detection, self-test and surveillance testing), and demonstrates compliance with those requirements.

In addition, this evaluation demonstrates compliance with IEEE Standard 603-1991, Clause 5.10 and IEEE Standard 7-4.3.2 Clause 5.5.3, and addresses the Staff Guidance provided by DI&C-ISG-06 Sections D.9.4.2.10 and D.10.4.2.5.3 for the CGS PRNMS.

4.2 Evaluation per BTP 7-17 Requirements

The objectives of the BTP are to confirm that:

  • The safety system, including self-test, is designed for in-service testability commensurate with the safety functions to be performed through all modes of plant operation. (Additional information regarding this topic is included in Section 3.2.1 of this report.)

  • The positive aspects of self-test features are not compromised by the additional complexity that may be added to the safety system by the self-test features. (Additional information regarding this topic is included in Section 3.3.1 of this report.)

  • Hardware and software design support the required periodic testing. (Additional information regarding this topic is included in Section 3.2.1 of this report.)

  • Failure modes assumed to be detectable by the single-failure analysis are in fact detectable. Failures may be detectable by observing operational characteristics as well as other methods. (Specific information regarding this topic is included in Section 4.2.1 of this report.)

4.2.1 Failures Detected are Consistent with Assumptions in Single Failure Analyses and FMEA

Requirement: Failures detected by hardware, software, and surveillance testing should be consistent with the failure detectability assumptions of the single-failure analysis and the failure modes and effects analysis.

The automatic self-test and surveillance functions included in the PRNM are described in Section 6.3 of the LTR (Reference 2), which includes a discussion of the self-test coverage and the methods used to confirm that the self-test functions are operating. The self-test functions are integrated into the main PRNM equipment, and are designed to the same qualification, independence, integrity, single failure and Verification & Validation (V&V) requirements. The overall self-test design and surveillance provisions are consistent with the guidance of the BTP.

The PRNMS failure analysis is described in Section 6 and Appendix F of the LTR (Reference 2).

(( )) The self-test coverage is described in Section 6.3.5 of the LTR (Reference 2). The PRNMS failure analysis considers equipment failures, and functional failures, as described in Sections 6.2 and 6.3 of the LTR (Reference 2).

4.2.2 Self Test of Computer System on System Initialization

Requirement: The design includes self-test features to confirm computer system operation on system initialization.

(( ))

4.2.3 Continuous Self-Testing of Computer System

Requirement: The system includes continuous self-testing. Self-tests include monitoring memory and memory reference integrity, using watch-dog timers or processors, monitoring communication channels, monitoring central processing unit status, and checking data integrity.

(( ))

Continuous self-testing, use of watchdog timers, monitoring of communication channels and monitoring central processing unit status, et al. are discussed in Sections 3.2.2, 3.3.2 and 3.3.3 of this report.

Section 5.3.11 of the LTR (Reference 2) provides the testability and self-test capability of the PRNMS; Section 6.3.5 (Reference 2) provides the self-test coverage. These sections demonstrate that the monitoring tasks listed in this requirement are performed.

4.2.4 Design Maintains Independence, Integrity and Meets Single-Failure Criterion

Requirement: The design of automatic self-test features should maintain channel independence, maintain system integrity, and meet the single-failure criterion during testing. The scope and extent of interfaces between software that performs protection functions and software for other functions such as self-test should be designed to minimize the complexity of the software logic and data structures. The safety classification of the hardware and software used to perform automatic self-testing should be equivalent to that of the tested system unless physical, electrical, and communications independence are maintained such that no failure of the test function can inhibit the performance of the safety function.

The automatic self-test and surveillance functions included in the PRNM are described in the LTR (Reference 2), which includes a discussion of the self-test coverage and the methods used to confirm that the self-test functions are operating. The self-test functions are integrated into the main PRNM equipment, and are designed to the same qualification, independence, integrity, single failure and V&V requirements. The overall self-test design and surveillance provisions are consistent with the guidance of the BTP.

4.2.5 Benefit of Self-Test Not Compromised by Complexity

Requirement: The positive aspects of self-test features should not be compromised by the additional complexity that may be added to the safety system by the self-test features. The improved ability to detect failures provided by the self-test features should outweigh the increased probability of failure associated with the self-test feature.

The automatic self-test and surveillance functions included in the PRNM are described in the LTR (Reference 2), which includes a discussion of the self-test coverage and the methods used to confirm that the self-test functions are operating. The self-test functions are integrated into the main PRNM equipment, and are designed to the same qualification, independence, integrity, single failure and V&V requirements. The overall self-test design and surveillance provisions are consistent with the guidance of the BTP.

(( )) (Section 5.3.3.1 of the LTR, Reference 2).

(( ))

4.2.6 Self-Test Functions Verified

Requirement: Self-test functions should be verified during periodic functional tests.

The self-test function is verified during the channel functional test steps of the periodic surveillance tests described in Section 4.2.7. For details of the CGS plant specific actions taken to verify the APRM self-test functions during channel functional tests, refer to Section 8.3.4.2.4 of Reference 6.

4.2.7 System Supports Periodic Surveillance Testing per TS

Requirement: Systems should be able to conduct periodic surveillance testing consistent with the technical specifications and plant procedures. As delineated in Regulatory Guide 1.118, periodic testing consists of functional tests and checks, calibration verification, and time response measurements.

Section 5.3.11 of the LTR (Reference 2) describes the testability and self-test capability of the PRNMS.

The PRNMS supports the continued performance of surveillance tests per the requirements of the Technical Specifications, which include (( ))

For details of the CGS plant-specific actions taken regarding Technical Specification surveillance testing requirements, see Reference 6.

4.2.8 Indication of Bypassed Protective Action

Requirement: If the protective action of some part of a protection or safety system is bypassed or deliberately rendered inoperative for testing, that fact should be continuously indicated in the control room. Provisions should also be made to allow operations staff to confirm that the system has been properly returned to service.

For information regarding indication of bypasses, see Section 9.2.8.3 of NEDC-33685P (Reference 3), which discusses compliance with IEEE Standard 603-1991, Clause 5.8.3. (( ))

4.2.9 Tests Should Not Require Makeshift Test Setups

Requirement: Test procedures for periodic tests should not require makeshift test setups. For digital computer-based systems, makeshift test setups, including temporary modification of code or data that must be appropriately removed to restore the system to service, should be avoided.

Per Section 8.3.5.3 of the LTR (Reference 2), (( )) so the risk of problems caused by the normal operation of the system is greatly reduced.

Per Section 6.3.4, Table Note 3 of the LTR (Reference 2), (( ))

4.2.10 Automatic Tests Credited with Performance of Surveillance Tests

Requirement: If automatic test features are credited with performing surveillance test functions, provisions should be made to confirm the execution of the automatic tests during plant operation. The capability to periodically test and calibrate the automatic test equipment should also be provided. The balance of surveillance and test functions that are not performed by the automatic test feature should be performed manually to meet the intent of Regulatory Guide 1.118. In addition, the automatic test feature function should conform to the same requirements and considerations (e.g., test interval) as the manual function.

(( ))

4.2.11 Safety Classification/Quality of the Hardware/Software Used for Periodic Testing

Requirement: The safety classification and quality of the hardware and software used to perform periodic testing should be equivalent to that of the tested system. The design should maintain channel independence, maintain system integrity, and meet the single-failure criterion during testing. Commercial digital computer-based equipment used to perform periodic testing should be appropriately qualified for its function.

(( ))

4.2.12 Compensatory Action on Detection of Any Failed or Inoperable Component

Requirement: The design should have either the automatic or manual capability to take compensatory action on detection of any failed or inoperable component. The design capability and plant technical specifications, operating procedures, and maintenance procedures should be consistent with each other.

The design capability of the PRNMS to take either automatic or manual compensatory action on detection of any failed or inoperable component is addressed in Sections 2.2.5, 2.2.6 and 2.2.7, and throughout this document.

Plant operating and maintenance procedures will be updated during the implementation phase for consistency with changes in the system design capability and the plant TS in accordance with plant procedures and per the Engineering Change (EC) process. The procedural changes that reflect the PRNMS man-machine interface are validated during operator training on the replacement system.

4.2.13 Plant Procedures Specify Manual Compensatory Actions

Requirement: Plant procedures should specify manual compensatory actions and mechanisms for recovery from automatic compensatory actions.

Plant operating and maintenance procedures will be updated during the implementation phase for consistency with changes in the system design capability and the plant TS in accordance with plant procedures and per the EC process. The procedural changes that reflect the PRNMS man-machine interface are validated during operator training on the replacement system.

As discussed in Sections 4.2.8, 4.2.12, and 4.2.14, the PRNMS provides the controls and indications necessary to perform all required compensatory actions relative to the PRNMS.

4.2.14 Operator Notification of Detected Failures

Requirement: Mechanisms for operator notification of detected failures should comply with the system status indication provisions of IEEE Standard 603-1991 and should be consistent with, and support, plant technical specifications, operating procedures, and maintenance procedures.

Operator notification of detected failures and channel trip and bypass indications comply with the system status indication provisions of IEEE Standard 603-1991 (( ))

5. REFERENCES

1. NRC Interim Staff Guidance DI&C-ISG-06, Revision 1, Digital Instrumentation & Controls; Licensing Process, January 19, 2011 (ADAMS Accession No. ML110140103).
2. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Licensing Topical Report," October 1995 (Including SER); (Including Supplement 1, November 1997).
3. GE Hitachi Nuclear Energy, "Digital I&C-ISG-06 Compliance for Columbia Generating Station NUMAC Power Range Monitoring Retrofit Plus Option III Trip Function," NEDC-33685P, Revision 2, December 2012.
4. NUMAC Power Range Neutron Monitoring (PRNM) Components 268XI331TCGO01, 268X1332TCG001, G002 268X1333TCG001 Qualification Summary for Energy Northwest (ENW), Columbia Generating Station (CGS), Revision 1.
5. GE Hitachi Nuclear Energy, "Columbia Generating Station Power Range Neutron Monitoring System Response Time Analysis Report," NEDC-33690P, Revision 0, November 2011.
6. GE Hitachi Nuclear Energy, "Columbia Generating Station Plant-Specific Responses Required by NUMAC PRNM Retrofit Plus Option III Stability Trip Function Topical Report (NEDC-32410P-A)," Report# 0000-0101-7647-R3, October 2011.