ML17216A022


Nonproprietary Issuance of Amendment Regarding Digital Power Range Neutron Monitoring System Upgrade
ML17216A022
Person / Time
Site: Hope Creek
Issue date: 08/04/2017
From: Lisa Regner
Plant Licensing Branch 1
To: Sena P
Public Service Enterprise Group
Parker C, NRR/DORL/LPLI-II, 415-1603
Shared Package
ML17216A018 List:
References
CAC MF6768


Text

OFFICIAL USE ONLY PROPRIETARY INFORMATION

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

August 4, 2017

Mr. Peter P. Sena, III
President and Chief Nuclear Officer
PSEG Nuclear LLC - N09
P.O. Box 236
Hancocks Bridge, NJ 08038

SUBJECT:

HOPE CREEK GENERATING STATION - ISSUANCE OF AMENDMENT REGARDING DIGITAL POWER RANGE NEUTRON MONITORING SYSTEM UPGRADE (CAC NO. MF6768)

Dear Mr. Sena:

The U.S. Nuclear Regulatory Commission (Commission) has issued the enclosed Amendment No. 206 to Renewed Facility Operating License No. NPF-57 for the Hope Creek Generating Station. This amendment consists of changes to the Technical Specifications in response to your application dated September 21, 2015, as supplemented by letters dated November 19, 2015; June 17, 2016; September 12, 2016; and September 23, 2016.[1] The amendment approves changes to the Hope Creek Generating Station Technical Specifications to reflect installation of the digital General Electric-Hitachi Nuclear Measurement Analysis and Control Power Range Neutron Monitoring system.

Enclosure 3 contains Proprietary Information. When separated from Enclosure 3, this letter is DECONTROLLED.

[1] Agencywide Documents Access and Management System Accession Nos. ML15265A224, ML15323A268, ML16172A012, ML16256A638, and ML16270A006, respectively.

A proprietary and non-proprietary copy of the related safety evaluation is also enclosed. Notice of Issuance will be included in the Commission's biweekly Federal Register notice.

Lisa M. Regner, Senior Project Manager
Plant Licensing Branch IV
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Docket No. 50-354

Enclosures:

1. Amendment No. 206 to Renewed License No. NPF-57
2. Safety Evaluation (non-proprietary version)
3. Safety Evaluation (proprietary version)

cc w/Enclosure 1 and 2: Distribution via Listserv

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

PSEG NUCLEAR LLC
DOCKET NO. 50-354
HOPE CREEK GENERATING STATION
AMENDMENT TO RENEWED FACILITY OPERATING LICENSE

Amendment No. 206
Renewed License No. NPF-57

1. The U.S. Nuclear Regulatory Commission (the Commission) has found that:

A. The application for amendment filed by PSEG Nuclear LLC dated September 21, 2015, as supplemented by letters dated November 19, 2015; June 17, 2016; September 12, 2016; and September 23, 2016, complies with the standards and requirements of the Atomic Energy Act of 1954, as amended (the Act), and the Commission's rules and regulations set forth in 10 CFR Chapter I;

B. The facility will operate in conformity with the application, the provisions of the Act, and the rules and regulations of the Commission;

C. There is reasonable assurance (i) that the activities authorized by this amendment can be conducted without endangering the health and safety of the public, and (ii) that such activities will be conducted in compliance with the Commission's regulations set forth in 10 CFR Chapter I;

D. The issuance of this amendment will not be inimical to the common defense and security or to the health and safety of the public; and

E. The issuance of this amendment is in accordance with 10 CFR Part 51 of the Commission's regulations and all applicable requirements have been satisfied.

2. Accordingly, the license is amended by changes to the Technical Specifications as indicated in the attachment to this license amendment, and paragraph 2.C.(2) of Renewed Facility Operating License No. NPF-57 is hereby amended to read as follows:

(2) Technical Specifications and Environmental Protection Plan

The Technical Specifications contained in Appendix A, as revised through Amendment No. 206, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the renewed license. PSEG Nuclear LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

3. The license amendment is effective as of its date of issuance and shall be implemented prior to entry into Operational Condition 4 during startup from Refueling Outage 21.

FOR THE NUCLEAR REGULATORY COMMISSION

James G. Danna, Chief
Plant Licensing Branch I
Division of Operating Reactor Licensing
Office of Nuclear Reactor Regulation

Attachment:

Changes to the Renewed License and Technical Specifications

Date of Issuance: August 4, 2017

ATTACHMENT TO LICENSE AMENDMENT NO. 206
HOPE CREEK GENERATING STATION
RENEWED FACILITY OPERATING LICENSE NO. NPF-57
DOCKET NO. 50-354

Replace the following page of the Renewed Facility Operating License with the attached revised page. The revised page is identified by amendment number and contains a marginal line indicating the area of change.

Remove | Insert
3 | 3

Replace the following pages of the Appendix A Technical Specifications with the attached revised pages. The revised pages are identified by amendment number and contain marginal lines indicating the areas of change.

Remove | Insert
x | x
xvii | xvii
xviii | xviii
2-4 | 2-4
3/4 1-18 | 3/4 1-18
3/4 3-1 | 3/4 3-1
 | 3/4 3-1a
3/4 3-2 | 3/4 3-2
3/4 3-4 | 3/4 3-4
3/4 3-5 | 3/4 3-5
3/4 3-7 | 3/4 3-7
3/4 3-8 | 3/4 3-8
 | 3/4 3-8a
3/4 3-57 | 3/4 3-57
3/4 3-58 | 3/4 3-58
3/4 3-59 | 3/4 3-59
3/4 3-60 | 3/4 3-60
3/4 3-61 | 3/4 3-61
3/4 3-110 | 3/4 3-110
3/4 4-1 | 3/4 4-1
3/4 4-2 | 3/4 4-2
6-20 | 6-20
6-21 | 6-21

reactor operation, as described in the Final Safety Analysis Report, as supplemented and amended;

(4) PSEG Nuclear LLC, pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use at any time any byproduct, source and special nuclear material as sealed neutron sources for reactor startup, sealed sources for reactor instrumentation and radiation monitoring equipment calibration, and as fission detectors in amounts as required;

(5) PSEG Nuclear LLC, pursuant to the Act and 10 CFR Parts 30, 40 and 70, to receive, possess, and use in amounts as required any byproduct, source or special nuclear material without restriction to chemical or physical form, for sample analysis or instrument calibration or associated with radioactive apparatus or components; and

(6) PSEG Nuclear LLC, pursuant to the Act and 10 CFR Parts 30, 40 and 70, to possess, but not separate, such byproduct and special nuclear materials as may be produced by the operation of the facility. Mechanical disassembly of the GE14i isotope test assemblies containing Cobalt-60 is not considered separation.

(7) PSEG Nuclear LLC, pursuant to the Act and 10 CFR Part 30, to intentionally produce, possess, receive, transfer, and use Cobalt-60.

C. This renewed license shall be deemed to contain and is subject to the conditions specified in the Commission's regulations set forth in 10 CFR Chapter I and is subject to all applicable provisions of the Act and to the rules, regulations and orders of the Commission now or hereafter in effect; and is subject to the additional conditions specified or incorporated below:

(1) Maximum Power Level

PSEG Nuclear LLC is authorized to operate the facility at reactor core power levels not in excess of 3840 megawatts thermal (100 percent rated power) in accordance with the conditions specified herein.

(2) Technical Specifications and Environmental Protection Plan

The Technical Specifications contained in Appendix A, as revised through Amendment No. 206, and the Environmental Protection Plan contained in Appendix B, are hereby incorporated in the renewed license. PSEG Nuclear LLC shall operate the facility in accordance with the Technical Specifications and the Environmental Protection Plan.

Renewed License No. NPF-57 Amendment No. 206

INDEX
LIMITING CONDITIONS FOR OPERATION AND SURVEILLANCE REQUIREMENTS
SECTION .... PAGE

Table 3.3.9-2 Feedwater/Main Turbine Trip System Actuation Instrumentation Setpoints .... 3/4 3-107
Table 4.3.9.1-1 Feedwater/Main Turbine Trip System Actuation Instrumentation Surveillance Requirements .... 3/4 3-108
3/4.3.10 MECHANICAL VACUUM PUMP TRIP INSTRUMENTATION .... 3/4 3-109
3/4.3.11 DELETED .... 3/4 3-110
3/4.4 REACTOR COOLANT SYSTEM
3/4.4.1 RECIRCULATION SYSTEM
Recirculation Loops .... 3/4 4-1
Figure 3.4.1.1-1 DELETED .... 3/4 4-3
Jet Pumps .... 3/4 4-4
Recirculation Loop Flow .... 3/4 4-5
Idle Recirculation Loop Startup .... 3/4 4-6
3/4.4.2 SAFETY/RELIEF VALVES
Safety/Relief Valves .... 3/4 4-7
Safety/Relief Valves Low-Low Set Function .... 3/4 4-9
3/4.4.3 REACTOR COOLANT SYSTEM LEAKAGE
Leakage Detection Systems .... 3/4 4-10
Operational Leakage .... 3/4 4-11
Table 3.4.3.2-1 Reactor Coolant System Pressure Isolation Valves .... 3/4 4-13
Table 3.4.3.2-2 Reactor Coolant System Interface Valves Leakage Pressure Monitors .... 3/4 4-14
3/4.4.4 DELETED .... 3/4 4-15
3/4.4.5 SPECIFIC ACTIVITY .... 3/4 4-18
Table 4.4.5-1 Primary Coolant Specific Activity Sample and Analysis Program .... 3/4 4-20

HOPE CREEK x Amendment No. 206

INDEX
BASES
SECTION .... PAGE

3/4.0 APPLICABILITY .... B 3/4 0-1
3/4.1 REACTIVITY CONTROL SYSTEMS
3/4.1.1 SHUTDOWN MARGIN .... B 3/4 1-1
3/4.1.2 REACTIVITY ANOMALIES .... B 3/4 1-1
3/4.1.3 CONTROL RODS .... B 3/4 1-2
3/4.1.4 CONTROL ROD PROGRAM CONTROLS .... B 3/4 1-3
3/4.1.5 STANDBY LIQUID CONTROL SYSTEM .... B 3/4 1-4
3/4.2 POWER DISTRIBUTION LIMITS
3/4.2.1 AVERAGE PLANAR LINEAR HEAT GENERATION RATE .... B 3/4 2-1
3/4.2.2 DELETED .... B 3/4 2-1
3/4.2.3 MINIMUM CRITICAL POWER RATIO .... B 3/4 2-2
3/4.2.4 LINEAR HEAT GENERATION RATE .... B 3/4 2-3
3/4.3 INSTRUMENTATION
3/4.3.1 REACTOR PROTECTION SYSTEM INSTRUMENTATION .... B 3/4 3-1
3/4.3.2 ISOLATION ACTUATION INSTRUMENTATION .... B 3/4 3-2
3/4.3.3 EMERGENCY CORE COOLING SYSTEM ACTUATION INSTRUMENTATION .... B 3/4 3-2
3/4.3.4 RECIRCULATION PUMP TRIP ACTUATION INSTRUMENTATION .... B 3/4 3-3
3/4.3.5 REACTOR CORE ISOLATION COOLING SYSTEM ACTUATION INSTRUMENTATION .... B 3/4 3-4
3/4.3.6 CONTROL ROD BLOCK INSTRUMENTATION .... B 3/4 3-4
3/4.3.7 MONITORING INSTRUMENTATION
Radiation Monitoring Instrumentation .... B 3/4 3-5

HOPE CREEK xvii Amendment No. 206

INDEX
BASES
SECTION .... PAGE

INSTRUMENTATION (Continued)
Remote Shutdown Monitoring Instrumentation and Controls .... B 3/4 3-5
Accident Monitoring Instrumentation .... B 3/4 3-5
Source Range Monitors .... B 3/4 3-5
3/4.3.8 DELETED .... B 3/4 3-7
3/4.3.9 FEEDWATER/MAIN TURBINE TRIP SYSTEM ACTUATION INSTRUMENTATION .... B 3/4 3-7
Figure B3/4 3-1 Reactor Vessel Water Level .... B 3/4 3-8
3/4.3.10 MECHANICAL VACUUM PUMP TRIP INSTRUMENTATION .... B 3/4 3-9
3/4.3.11 DELETED .... B 3/4 3-13
3/4.4 REACTOR COOLANT SYSTEM
3/4.4.1 RECIRCULATION SYSTEM .... B 3/4 4-1
3/4.4.2 SAFETY/RELIEF VALVES .... B 3/4 4-2
3/4.4.3 REACTOR COOLANT SYSTEM LEAKAGE
Leakage Detection Systems .... B 3/4 4-3
Operational Leakage .... B 3/4 4-3
3/4.4.4 CHEMISTRY .... B 3/4 4-3
3/4.4.5 SPECIFIC ACTIVITY .... B 3/4 4-4
3/4.4.6 PRESSURE/TEMPERATURE LIMITS .... B 3/4 4-5
Table B3/4.4.6-1 Reactor Vessel Toughness .... B 3/4 4-7
Figure B3/4.4.6-1 Fast Neutron Fluence (E>1MeV) at (1/4)T as a Function of Service life .... B 3/4 4-8
Table B3/4.4.6-2 Numeric Values for Pressure/Temperature Limits .... B 3/4 4-9

HOPE CREEK xviii Amendment No. 206

TABLE 2.2.1-1
REACTOR PROTECTION SYSTEM INSTRUMENTATION SETPOINTS

FUNCTIONAL UNIT | TRIP SETPOINT | ALLOWABLE VALUES
1. Intermediate Range Monitor, Neutron Flux-High | ≤ 120/125 divisions of full scale | ≤ 122/125 divisions of full scale
2. Average Power Range Monitor:
a. Neutron Flux-Upscale (Setdown) | ≤ 17% of RATED THERMAL POWER | ≤ 19% of RATED THERMAL POWER
b. Simulated Thermal Power-Upscale**
1) Flow Biased-Two Recirculation Loop Operation | ≤ 0.57w + 59%** (a) with a maximum of ≤ 113.5% of RATED THERMAL POWER | ≤ 0.57w + 61%** with a maximum of ≤ 115.5% of RATED THERMAL POWER
2) Flow Biased-Single Recirculation Loop Operation | ≤ 0.57(w-10.6%) + 59%** (a) with a maximum of ≤ 113.5% of RATED THERMAL POWER | ≤ 0.57(w-9%) + 61%** with a maximum of ≤ 115.5% of RATED THERMAL POWER
c. Neutron Flux-Upscale | ≤ 116.3% of RATED THERMAL POWER | ≤ 118.3% of RATED THERMAL POWER
d. Inoperative | NA | NA
e. 2-Out-Of-4 Voter | NA | NA
f. OPRM Upscale | See CORE OPERATING LIMITS REPORT | NA
3. Reactor Vessel Steam Dome Pressure - High | ≤ 1037 psig | ≤ 1057 psig
4. Reactor Vessel Water Level - Low, Level 3 | ≥ 12.5 inches above instrument zero* | ≥ 11.0 inches above instrument zero
5. Main Steam Line Isolation Valve - Closure | ≤ 8% closed | ≤ 12% closed

* See Bases Figure B 3/4 3-1.

** The Average Power Range Monitor Scram function varies as a function of recirculation loop drive flow (w).

(a) When the Automated BSP Scram Regions Setpoints are implemented in accordance with Action 10 of Table 3.3.1-1, the Simulated Thermal Power-Upscale Flow Biased Setpoint will be adjusted per the CORE OPERATING LIMITS REPORT.

HOPE CREEK 2-4 Amendment No. 206

REACTIVITY CONTROL SYSTEMS
ROD BLOCK MONITOR
LIMITING CONDITION FOR OPERATION

3.1.4.3 Both rod block monitor (RBM) channels shall be OPERABLE.

APPLICABILITY: OPERATIONAL CONDITION 1, when THERMAL POWER is greater than or equal to 30% of RATED THERMAL POWER and less than 90% of RATED THERMAL POWER with MCPR less than the value specified in the CORE OPERATING LIMITS REPORT, or THERMAL POWER greater than or equal to 90% of RATED THERMAL POWER with MCPR less than the value specified in the CORE OPERATING LIMITS REPORT.

ACTION:

a. With one RBM channel inoperable:
1. Verify that the reactor is not operating on a LIMITING CONTROL ROD PATTERN, and
2. Restore the inoperable RBM channel to OPERABLE status within 24 hours.

Otherwise, place the inoperable rod block monitor channel in the tripped condition within the next hour.

b. With both RBM channels inoperable, place at least one inoperable rod block monitor channel in the tripped condition within one hour.

SURVEILLANCE REQUIREMENTS

4.1.4.3 Each of the above required RBM channels shall be demonstrated OPERABLE by performance of a:

a. CHANNEL FUNCTIONAL TEST and CHANNEL CALIBRATION at the frequencies and for the OPERATIONAL CONDITIONS specified in Table 4.3.6-1.
b. CHANNEL FUNCTIONAL TEST prior to control rod withdrawal when the reactor is operating on a LIMITING CONTROL ROD PATTERN.

HOPE CREEK 3/4 1-18 Amendment No. 206

3/4.3 INSTRUMENTATION
3/4.3.1 REACTOR PROTECTION SYSTEM INSTRUMENTATION
LIMITING CONDITION FOR OPERATION

3.3.1 As a minimum, the reactor protection system instrumentation channels shown in Table 3.3.1-1 shall be OPERABLE.

APPLICABILITY: As shown in Table 3.3.1-1.

ACTION:

a. With the number of OPERABLE channels less than required by the Minimum OPERABLE Channels per Trip System requirement for one trip system, place the inoperable channel(s) and/or that trip system*** in the tripped condition* within twelve hours.
b. With the number of OPERABLE channels less than required by the Minimum OPERABLE Channels per Trip System requirement for both trip systems, place at least one trip system** in the tripped condition within one hour and take the ACTION required by Table 3.3.1-1.

SURVEILLANCE REQUIREMENTS

4.3.1.1 Each reactor protection system instrumentation channel shall be demonstrated OPERABLE by the performance of the CHANNEL CHECK, CHANNEL FUNCTIONAL TEST and CHANNEL CALIBRATION operations for the OPERATIONAL CONDITIONS and at the frequencies shown in Table 4.3.1.1-1.

4.3.1.2 LOGIC SYSTEM FUNCTIONAL TESTS and simulated automatic operation of all channels shall be performed in accordance with the Surveillance Frequency Control Program.

Functional Unit 2.a, 2.b, 2.c, 2.d, and 2.f do not require separate LOGIC SYSTEM FUNCTIONAL TESTS. The LOGIC SYSTEM FUNCTIONAL TEST for APRM Function 2.e includes simulating APRM and OPRM trip conditions at the APRM channel inputs to the voter channel to check all combinations of two tripped inputs to the 2-Out-Of-4 voter logic in the voter channels.

* An inoperable channel need not be placed in the tripped condition where this would cause the Trip Function to occur. In these cases, the inoperable channel shall be restored to OPERABLE status within 6 hours or the ACTION required by Table 3.3.1-1 for that Trip Function shall be taken.

** If more channels are inoperable in one trip system than in the other, place the trip system with more inoperable channels in the tripped condition, except when this would cause the Trip Function to occur. Note, Action b. is not applicable for Functional Unit 2.a, 2.b, 2.c, 2.d, and 2.f.

*** For Functional Unit 2.a, 2.b, 2.c, 2.d, and 2.f, inoperable channels shall be placed in the tripped condition to comply with Action a. Placing a trip system in trip is not applicable since these Functions provide trip inputs to both trip systems.

HOPE CREEK 3/4 3-1 Amendment No. 206

INSTRUMENTATION
SURVEILLANCE REQUIREMENTS

4.3.1.3 The REACTOR PROTECTION SYSTEM RESPONSE TIME of each reactor trip functional unit shall be demonstrated to be within its limit in accordance with the Surveillance Frequency Control Program. Neutron detectors are exempt from response time testing. For the Reactor Vessel Steam Dome Pressure - High Functional Unit and the Reactor Vessel Water Level - Low, Level 3 Functional Unit, the sensor is eliminated from response time testing for RPS circuits.

4.3.1.4 The provisions of Specification 4.0.4 are not applicable for entry into OPERATIONAL CONDITION 2 or 3 from OPERATIONAL CONDITION 1 for the Intermediate Range Monitors.

HOPE CREEK 3/4 3-1a Amendment No. 206

TABLE 3.3.1-1
REACTOR PROTECTION SYSTEM INSTRUMENTATION

FUNCTIONAL UNIT | APPLICABLE OPERATIONAL CONDITIONS | MINIMUM OPERABLE CHANNELS PER TRIP SYSTEM(a) | ACTION
1. Intermediate Range Monitors(b):
a. Neutron Flux - High | 2 | 3 | 1
 | 3, 4 | 2 | 2
 | 5(c) | 3(d) | 3
b. Inoperative | 2 | 3 | 1
 | 3, 4 | 2 | 2
 | 5 | 3(d) | 3
2. Average Power Range Monitor(e):
a. Neutron Flux - Upscale (Setdown) | 2 | 3(l) | 1
b. Simulated Thermal Power - Upscale | 1 | 3(l) | 4
c. Neutron Flux - Upscale | 1 | 3(l) | 4
d. Inoperative | 1, 2 | 3(l) | 1
e. 2-Out-Of-4 Voter | 1, 2 | 2 | 1
f. OPRM Upscale | ≥ 19% RTP(m) | 3(l) | 10, 11, 12
3. Reactor Vessel Steam Dome Pressure - High | 1, 2(f) | 2 | 1
4. Reactor Vessel Water Level - Low, Level 3 | 1, 2 | 2 | 1
5. Main Steam Line Isolation Valve - Closure | 1(g) | 4 | 4

HOPE CREEK 3/4 3-2 Amendment No. 206

TABLE 3.3.1-1 (Continued)

REACTOR PROTECTION SYSTEM INSTRUMENTATION
ACTION

ACTION 1 - Be in at least HOT SHUTDOWN within 12 hours.

ACTION 2 - Verify all insertable control rods to be inserted in the core and lock the reactor mode switch in the Shutdown position within one hour.

ACTION 3 - Suspend all operations involving CORE ALTERATIONS* and insert all insertable control rods within one hour.

ACTION 4 - Be in at least STARTUP within 6 hours.

ACTION 5 - This ACTION is deleted.

ACTION 6 - Initiate a reduction in THERMAL POWER within 15 minutes and reduce turbine first stage pressure to less than the automatic bypass setpoint within 2 hours.

ACTION 7 - Verify all insertable control rods to be inserted within one hour.

ACTION 8 - Lock the reactor mode switch in the Shutdown position within one hour.

ACTION 9 - Suspend all operations involving CORE ALTERATIONS*, and insert all insertable control rods and lock the reactor mode switch in the SHUTDOWN position within one hour.

ACTION 10 - a) Initiate action to implement the Manual BSP Regions defined in the CORE OPERATING LIMITS REPORT immediately and b) implement the Automated BSP Scram Region using the modified APRM Simulated Thermal Power - Upscale scram setpoints defined in the CORE OPERATING LIMITS REPORT within 12 hours and c) initiate action in accordance with Specification 6.9.3.

ACTION 11 - If unable to complete Action 10 within required completion time: a) Initiate action to implement the Manual BSP Regions defined in the CORE OPERATING LIMITS REPORT immediately and b) restore required channel to OPERABLE with 120 days. LCO 3.0.4 is not applicable.

ACTION 12 - If unable to complete Action 11 within the required completion time: Reduce THERMAL POWER to less than 19% RATED THERMAL POWER within 4 hours.

* Except replacement of LPRM strings provided SAM instrumentation is OPERABLE per Specification 3.9.2.

HOPE CREEK 3/4 3-4 Amendment No. 206

TABLE 3.3.1-1 (Continued)

REACTOR PROTECTION SYSTEM INSTRUMENTATION
TABLE NOTATIONS

(a) A channel may be placed in an inoperable status for up to 6 hours for required surveillance without placing the trip system in the tripped condition provided at least one OPERABLE channel in the same trip system is monitoring that parameter.

(b) This function shall be automatically bypassed when the reactor mode switch is in the Run position.

(c) Unless adequate shutdown margin has been demonstrated per Specification 3.1.1, the "shorting links" shall be removed from the RPS circuitry prior to and during the time any control rod is withdrawn*.

(d) The non-coincident NMS reactor trip function logic is such that all channels go to both trip systems. Therefore, when the "shorting links" are removed, the Minimum OPERABLE Channels Per the Trip System are 6 IRMS and 2 SRMS.

(e) An APRM channel is inoperable if there are less than 3 LPRM inputs per level or less than 20 LPRM inputs to an APRM channel.

(f) This function is not required to be OPERABLE when the reactor pressure vessel head is removed per Specification 3.10.1.

(g) This function shall be automatically bypassed when the reactor mode switch is not in the Run position.

(h) This function is not required to be OPERABLE when PRIMARY CONTAINMENT INTEGRITY is not required.

(i) With any control rod withdrawn. Not applicable to control rods removed per Specification 3.9.10.1 or 3.9.10.2.

(j) This function shall be automatically bypassed when turbine first stage pressure is equivalent to THERMAL POWER less than 24% of RATED THERMAL POWER.

(k) Also actuates the EOC-RPT system.

(l) Each APRM/OPRM channel provides inputs to both trip systems.

(m) Following DSS-CD implementation, DSS-CD is not required to be armed while in the OPRM Armed Region during the first reactor startup and during the first controlled shutdown that passes completely through the OPRM Armed Region. However, DSS-CD is considered OPERABLE and shall be maintained OPERABLE and capable of automatically arming for operation at recirculation drive flow rates above the OPRM Armed Region.

* Not required for control rods removed per Specification 3.9.10.1 or 3.9.10.2.

HOPE CREEK 3/4 3-5 Amendment No. 206

TABLE 4.3.1.1-1
REACTOR PROTECTION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK (m) | CHANNEL FUNCTIONAL TEST (m) | CHANNEL CALIBRATION (a)(m) | OPERATIONAL CONDITIONS FOR WHICH SURVEILLANCE REQUIRED

1. Intermediate Range Monitors:

(b)

a. Neutron Flux - High 2 3,4,5
b. Inoperative NA NA 2,3,4,5
2. Average Power Range Monitor(1):

(b) (I) (n), (o)

a. Neutron Flux - Upscale 2 (Setdown)
b. Simulated Thermal (g) (e) (d), (g), (n), (o)

Power-Upscale (d), (n), (o)

c. Neutron Flux - Upscale
d. Inoperative NA NA 1, 2
e. 2-Out-Of-4 Voter NA 1, 2
f. OPRM Upscale (e) (g) ≥ 19% RTP
3. Reactor Vessel Steam Dome Pressure - High (k) 1, 2
4. Reactor Vessel Water Level - Low, Level 3 (k) 1, 2
5. Main Steam Line Isolation Valve - Closure NA
6. This item intentionally blank
7. Drywell Pressure - High (k) 1, 2

HOPE CREEK 3/4 3-7 Amendment No. 206

TABLE 4.3.1.1-1 (Continued)

REACTOR PROTECTION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

FUNCTIONAL UNIT | CHANNEL CHECK (m) | CHANNEL FUNCTIONAL TEST (m) | CHANNEL CALIBRATION (m) | OPERATIONAL CONDITIONS FOR WHICH SURVEILLANCE REQUIRED

8. Scram Discharge Volume Water Level - High:
a. Float Switch NA 1, 2, 5m (k) 1, 2, 5m
b. Level Transmitter/Trip Unit
9. Turbine Stop Valve - Closure NA
10. Turbine Control Valve Fast Closure Valve Trip System Oil Pressure - Low NA
11. Reactor Mode Switch Shutdown Position NA NA 1,2,3,4,5
12. Manual Scram NA NA 1,2,3,4,5

(a) Neutron detectors may be excluded from CHANNEL CALIBRATION.

(b) The IRM and SRM channels shall be determined to overlap for at least 1/2 decades during each startup after entering OPERATIONAL CONDITION 2 and the IRM and APRM channels shall be determined to overlap for at least 1/2 decades during each controlled shutdown, if not performed within the previous 7 days.

(c) DELETED

(d) This calibration shall consist of the adjustment of the APRM channel to conform to the power values calculated by a heat balance during OPERATIONAL CONDITION 1 when THERMAL POWER ≥ 24% of RATED THERMAL POWER. Adjust the APRM channel if the absolute difference is greater than 2% of RATED THERMAL POWER.

(e) The CHANNEL FUNCTIONAL TEST includes the recirculation flow input function, excluding the flow transmitters.

(f) The LPRMs shall be calibrated in accordance with the Surveillance Frequency Control Program.

(g) Calibration includes the flow input function.

(h) Deleted.

(i) This item intentionally blank.

(j) With any control rod withdrawn. Not applicable to control rods removed per Specification 3.9.10.1 or 3.9.10.2.

(k) Verify the trip setpoint of the trip unit in accordance with the Surveillance Frequency Control Program.

(l) Not required to be performed when entering OPERATIONAL CONDITION 2 from OPERATIONAL CONDITION 1 until 12 hours after entering OPERATIONAL CONDITION 2.

(m) Frequencies are specified in the Surveillance Frequency Control Program unless otherwise noted in the table.

HOPE CREEK 3/4 3-8 Amendment No. 206

TABLE 4.3.1.1-1 (Continued)

REACTOR PROTECTION SYSTEM INSTRUMENTATION SURVEILLANCE REQUIREMENTS

(n) If the as-found setpoint is outside its predefined as-found tolerance, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service.

(o) The instrument channel setpoint shall be reset to a value that is within the as-left tolerance around the Nominal Trip Setpoint (NTSP) at the completion of the surveillance; otherwise the channel shall be declared inoperable. Setpoints more conservative than the NTSP are acceptable provided that the as-found and as-left tolerances apply to the actual setpoint implemented in the surveillance procedures to confirm channel performance. The methodologies used to determine the as-found and the as-left tolerances are specified in the associated Technical Specification Bases.

HOPE CREEK 3/4 3-8a Amendment No. 206

TABLE 3.3.6-1
CONTROL ROD BLOCK INSTRUMENTATION

TRIP FUNCTION | MINIMUM OPERABLE CHANNELS PER TRIP FUNCTION | APPLICABLE OPERATIONAL CONDITIONS | ACTION
1. ROD BLOCK MONITOR(a)
a. Upscale | 2 | 1* | 60
b. Inoperative | 2 | 1* | 60
c. Downscale | 2 | 1* | 60
2. APRM
a. Simulated Thermal Power - Upscale | 3 | 1 | 61
b. Inoperative | 3 | 1, 2 | 61
c. Downscale | 3 | 1 | 61
d. Simulated Thermal Power - Upscale (Setdown) | 3 | 2 | 61
3. SOURCE RANGE MONITORS
a. Detector not full in(b) | 3 | 2 | 61
 | 2 | 5 | 61
b. Upscale(c) | 3 | 2 | 61
 | 2 | 5 | 61
c. Inoperative(c) | 3 | 2 | 61
 | 2 | 5 | 61
d. Downscale(d) | 3 | 2 | 61
 | 2 | 5 | 61
4. INTERMEDIATE RANGE MONITORS
a. Detector not full in | 6 | 2, 5 | 61
b. Upscale | 6 | 2, 5 | 61
c. Inoperative | 6 | 2, 5 | 61
d. Downscale(e) | 6 | 2, 5 | 61
5. SCRAM DISCHARGE VOLUME
a. Water Level-High (Float Switch) | 2 | 1, 2, 5** | 62
6. Deleted
7. REACTOR MODE SWITCH SHUTDOWN POSITION | 2 | 3, 4 | 63

HOPE CREEK 3/4 3-57 Amendment No. 206

TABLE 3.3.6-1 (Continued)

CONTROL ROD BLOCK INSTRUMENTATION
ACTION

ACTION 60 - Declare the RBM inoperable and take the ACTION required by Specification 3.1.4.3.

ACTION 61 - With the number of OPERABLE Channels:

a. One less than required by the Minimum OPERABLE Channels per Trip Function requirement, restore the inoperable channel to OPERABLE status within 7 days or place the inoperable channel in the tripped condition within the next hour.
b. Two or more less than required by the Minimum OPERABLE Channels per Trip Function requirement, place at least one inoperable channel in the tripped condition within one hour.

ACTION 62 - With the number of OPERABLE channels less than required by the Minimum OPERABLE Channels per Trip Function requirement, place the inoperable channel in the tripped condition within one hour.

ACTION 63 - With the number of OPERABLE channels less than required by the Minimum OPERABLE Channels per Trip Function requirement, initiate a rod block.

NOTES

** With more than one control rod withdrawn. Not applicable to control rods removed per Specification 3.9.10.1 or 3.9.10.2.
a. The RBM shall be automatically bypassed when a peripheral control rod is selected.
b. This function shall be automatically bypassed if detector count rate is > 100 cps or the IRM channels are on range 3 or higher.
c. This function shall be automatically bypassed when the associated IRM channels are on range 8 or higher.
d. This function shall be automatically bypassed when the IRM channels are on range 3 or higher.
e. This function shall be automatically bypassed when the IRM channels are on range 1.

HOPE CREEK 3/4 3-58 Amendment No. 206

TABLE 3.3.6-2

CONTROL ROD BLOCK INSTRUMENTATION SETPOINTS

| TRIP FUNCTION | TRIP SETPOINT | ALLOWABLE VALUE |
|---|---|---|
| 1. ROD BLOCK MONITOR | | |
| a. Upscale(a) | | |
| i) Low Trip Setpoint (LTSP)(b) | ** | ** |
| ii) Intermediate Trip Setpoint (ITSP)(c) | ** | |
| iii) High Trip Setpoint (HTSP)(d) | ** | |
| b. Inoperative | NA | NA |
| c. Downscale | ** | |
| 2. APRM | | |
| a. Simulated Thermal Power - Upscale* | | |
| 1) Flow Biased - Two Recirculation Loop Operation | ≤ 0.57w + 54%* with a maximum of ≤ 108% of RATED THERMAL POWER | ≤ 0.57w + 56%* with a maximum of ≤ 111% of RATED THERMAL POWER |
| 2) Flow Biased - Single Recirculation Loop Operation | ≤ 0.57(w-10.6%) + 54%* with a maximum of ≤ 108% of RATED THERMAL POWER | ≤ 0.57(w-9%) + 56%* with a maximum of ≤ 111% of RATED THERMAL POWER |
| b. Inoperative | NA | NA |
| c. Downscale | ≥ 4% of RATED THERMAL POWER | ≥ 2% of RATED THERMAL POWER |
| d. Simulated Thermal Power - Upscale (Setdown) | ≤ 11% of RATED THERMAL POWER | ≤ 13% of RATED THERMAL POWER |
| 3. SOURCE RANGE MONITORS | | |
| a. Detector not full in | NA | NA |
| b. Upscale | ≤ 1.0 x 10^5 cps | ≤ 1.6 x 10^5 cps |
| c. Inoperative | NA | NA |
| d. Downscale | ≥ 3 cps | ≥ 1.8 cps |
| 4. INTERMEDIATE RANGE MONITORS | | |
| a. Detector not full in | NA | NA |
| b. Upscale | ≤ 108/125 divisions of full scale | ≤ 110/125 divisions of full scale |
| c. Inoperative | NA | NA |
| d. Downscale | ≥ 5/125 divisions of full scale | ≥ 3/125 divisions of full scale |
| 5. SCRAM DISCHARGE VOLUME | | |
| a. Water Level-High (Float Switch) | 109'1" (North Volume), 108'11.5" (South Volume) | 109'3" (North Volume), 109'1.5" (South Volume) |
| 6. Deleted | | |
| 7. REACTOR MODE SWITCH SHUTDOWN POSITION | NA | NA |

* The rod block function is varied as a function of recirculation loop flow (w).
** Refer to the CORE OPERATING LIMITS REPORT for these values.

(a) Each upscale trip level is applicable over its specified rated power range. All RBM trips are automatically bypassed below the low power setpoint (LPSP). The upscale LTSP is applied between the LPSP and the intermediate power setpoint (IPSP). The upscale ITSP is applied between the IPSP and the high power setpoint (HPSP). The HTSP is applied above the HPSP.

(b) APRM Simulated Thermal Power is ≥ 28% and < 63% RTP.

(c) APRM Simulated Thermal Power is ≥ 63% and < 83% RTP.

(d) APRM Simulated Thermal Power is ≥ 83%.

HOPE CREEK 3/4 3-59 Amendment No. 206

TABLE 4.3.6-1

CONTROL ROD BLOCK INSTRUMENTATION SURVEILLANCE REQUIREMENTS

TRIP FUNCTION | CHANNEL CHECK(f) | CHANNEL FUNCTIONAL TEST(f) | CHANNEL CALIBRATION(a)(f) | OPERATIONAL CONDITIONS FOR WHICH SURVEILLANCE REQUIRED

1. ROD BLOCK MONITOR
a. Upscale NA (c) (g), (h) 1*
b. Inoperative NA (c) NA 1*
c. Downscale NA (c) 1*
2. APRM
a. Simulated Thermal Power - Upscale NA

b. Inoperative NA NA 1, 2
c. Downscale NA 1
d. Simulated Thermal Power - Upscale (Setdown) NA 2

3. SOURCE RANGE MONITORS
a. Detector not full in NA NA 2,5
b. Upscale NA 2,5
c. Inoperative NA NA 2,5
d. Downscale NA 2,5
4. INTERMEDIATE RANGE MONITORS
a. Detector not full in NA NA 2,5
b. Upscale NA 2,5
c. Inoperative NA NA 2,5
d. Downscale NA 2,5
5. SCRAM DISCHARGE VOLUME
a. Water Level-High (Float Switch) NA 1, 2, 5**
6. Deleted
7. REACTOR MODE SWITCH SHUTDOWN POSITION NA (e) NA 3, 4

HOPE CREEK 3/4 3-60 Amendment No. 206

TABLE 4.3.6-1 (Continued)

CONTROL ROD BLOCK INSTRUMENTATION SURVEILLANCE REQUIREMENTS

NOTES:

a. Neutron detectors may be excluded from CHANNEL CALIBRATION.
b. DELETED
c. Includes reactor manual control multiplexing system input.
d. DELETED
e. Not required to be performed until 1 hour after reactor mode switch is in the shutdown position.
f. Frequencies are specified in the Surveillance Frequency Control Program unless otherwise noted in the table.
g. If the as-found setpoint is outside its predefined as-found tolerance, then the channel shall be evaluated to verify that it is functioning as required before returning the channel to service.
h. The instrument channel setpoint shall be reset to a value that is within the as-left tolerance around the Nominal Trip Setpoint (NTSP) at the completion of the surveillance; otherwise the channel shall be declared inoperable. Setpoints more conservative than the NTSP are acceptable provided that the as-found and as-left tolerances apply to the actual setpoint implemented in the surveillance procedures to confirm channel performance. The methodologies used to determine the as-found and the as-left tolerances are specified in the associated Technical Specification Bases.
** With more than one control rod withdrawn. Not applicable to control rods removed per Specification 3.9.10.1 or 3.9.10.2.

HOPE CREEK 3/4 3-61 Amendment No. 206

3/4.3 INSTRUMENTATION

3/4.3.11 Deleted

HOPE CREEK 3/4 3-110 Amendment No. 206

3/4.4 REACTOR COOLANT SYSTEM

3/4.4.1 RECIRCULATION SYSTEM

RECIRCULATION LOOPS

LIMITING CONDITION FOR OPERATION

3.4.1.1 Two reactor coolant system recirculation loops shall be in operation.

APPLICABILITY: OPERATIONAL CONDITIONS 1* and 2*.

ACTION:

a. With one reactor coolant system recirculation loop not in operation:
1. Within 4 hours:

a) Place the recirculation flow control system in the Local Manual mode, and
b) Reduce THERMAL POWER to ≤ 60.86% of RATED THERMAL POWER, and
c) Increase the MINIMUM CRITICAL POWER RATIO (MCPR) Safety Limit per Specification 2.1.2, and
d) Reduce the AVERAGE PLANAR LINEAR HEAT GENERATION RATE (APLHGR) limit to a value specified in the CORE OPERATING LIMITS REPORT for single loop operation, and
e) Reduce the LINEAR HEAT GENERATION RATE (LHGR) limit to a value specified in the CORE OPERATING LIMITS REPORT for single loop operation, and
f) Limit the speed of the operating recirculation pump to less than or equal to 90% of rated pump speed, and
g) Perform surveillance requirement 4.4.1.1.2 if THERMAL POWER is ≤ 38% of RATED THERMAL POWER or the recirculation loop flow in the operating loop is ≤ 50% of rated loop flow.

2. Within 4 hours, reduce the Average Power Range Monitor (APRM) Scram Trip Setpoints and Allowable Values to those applicable for single recirculation loop operation per Specification 2.2.1; otherwise declare the APRM channel INOPERABLE and take the action of RPS Instrumentation TS 3.3.1 ACTION a.
3. Within 4 hours, reduce the APRM Control Rod Block Trip Setpoints and Allowable Values to those applicable for single recirculation loop operation per Specification 3.3.6; otherwise declare the APRM channel INOPERABLE and take the action of Control Rod Block Instrumentation TS 3.3.6 ACTION a and b.

* See Special Test Exception 3.10.4.

HOPE CREEK 3/4 4-1 Amendment No. 206

REACTOR COOLANT SYSTEM ACTION (Continued)

4. Deleted
5. Deleted
6. Otherwise be in at least HOT SHUTDOWN within the next 12 hours.
b. With no reactor coolant system recirculation loops in operation, initiate measures to place the unit in at least STARTUP within 6 hours and in HOT SHUTDOWN within the next 6 hours.

HOPE CREEK 3/4 4-2 Amendment No. 206

ADMINISTRATIVE CONTROLS

6.9.1.8 Deleted

CORE OPERATING LIMITS REPORT

6.9.1.9 Core operating limits shall be established and documented in the PSEG Nuclear LLC generated CORE OPERATING LIMITS REPORT before each reload cycle or any remaining part of a reload cycle for the following Technical Specifications:

2.2 Reactor Protection System Instrumentation Setpoints
3/4.1.4.3 Rod Block Monitor
3/4.2.1 Average Planar Linear Heat Generation Rate
3/4.2.3 Minimum Critical Power Ratio
3/4.2.4 Linear Heat Generation Rate
3/4.3.1 Reactor Protection System Instrumentation
3/4.3.6 Control Rod Block Instrumentation

The analytical methods used to determine the core operating limits shall be those previously reviewed and approved by NRC as applicable in the following document:

NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel (GESTAR-II)"

The CORE OPERATING LIMITS REPORT will contain the complete identification for each of the TS referenced topical reports used to prepare the CORE OPERATING LIMITS REPORT (i.e., report number, title, revision, date, and any supplements).

The core operating limits shall be determined so that all applicable limits (e.g., fuel thermal-mechanical limits, core thermal-hydraulic limits, ECCS limits, nuclear limits such as shutdown margin, and transient and accident analysis limits) of the safety analysis are met.

The CORE OPERATING LIMITS REPORT, including any mid-cycle revisions or supplements thereto, shall be provided upon issuance, for each reload cycle, to the NRC Document Control Desk with copies to the Regional Administrator and Resident Inspector.

HOPE CREEK 6-20 Amendment No. 206

ADMINISTRATIVE CONTROLS

SPECIAL REPORTS

6.9.2 Special reports shall be submitted to the U.S. Nuclear Regulatory Commission, Document Control Desk, Washington, DC 20555, with a copy to the USNRC Administrator, Region 1, within the time period specified for each report.

6.9.3 When a report is required by Action 10 of Specification 3/4.3.1, "RPS Instrumentation," a report shall be submitted within 90 days. The report shall outline the preplanned means to provide backup stability protection, the cause of the inoperability, and the plans and schedule for restoring the required instrumentation channels to OPERABLE status.

6.10 RECORD RETENTION

6.10.1 In addition to the applicable record retention requirements of Title 10, Code of Federal Regulations, the following records shall be retained for at least the minimum period indicated.

6.10.2 The following records shall be retained for at least 5 years:

a. Records and logs of unit operation covering time interval at each power level.
b. Records and logs of principal maintenance activities, inspections, repair, and replacement of principal items of equipment related to nuclear safety.
c. All REPORTABLE EVENTS submitted to the Commission.
d. Records of surveillance activities, inspections, and calibrations required by these Technical Specifications.
e. Records of changes made to the procedures required by Specification 6.8.1.
f. Records of radioactive shipments.
g. Records of sealed source and fission detector leak tests and results.
h. Records of annual physical inventory of all sealed source material of record.

HOPE CREEK 6-21 Amendment No. 206

Enclosure 2

NON-PROPRIETARY VERSION

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 206 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-57

PSEG NUCLEAR LLC HOPE CREEK GENERATING STATION DOCKET NO. 50-354

Proprietary information pursuant to Title 10 of the Code of Federal Regulations 2.390 has been redacted from this document. Redacted information is identified by blank space enclosed with boldface double brackets as shown here (( )).

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 206 TO RENEWED FACILITY OPERATING LICENSE NO. NPF-57

PSEG NUCLEAR LLC HOPE CREEK GENERATING STATION DOCKET NO. 50-354

This document contains proprietary information pursuant to Section 2.390 of Title 10 of the Code of Federal Regulations.

Proprietary information is identified by text enclosed within double brackets.

1.0 INTRODUCTION

By letter dated September 21, 2015 (Reference 1), as supplemented by letters dated November 19, 2015 (Reference 2); June 17, 2016 (Reference 3); September 12, 2016 (Reference 4); and September 23, 2016 (Reference 5) PSEG Nuclear LLC (PSEG or the licensee) requested changes to the Technical Specifications (TSs) for the Hope Creek Generating Station (HCGS).

Specifically, the licensee requested to replace and upgrade the existing analog Average Power Range Monitor (APRM) subsystem of the Neutron Monitoring System (NMS) with General Electric-Hitachi (GEH) digital Nuclear Measurement Analysis and Control (NUMAC) Power Range Neutron Monitoring (PRNM) system.

The replacement system will change HCGS's Asea Brown Boveri (ABB)-based oscillating power range monitoring (OPRM) function from a Boiling Water Reactor Owners Group (BWROG) Option III stability solution to the GEH-based OPRM using Detect and Suppress Solution - Confirmation Density (DSS-CD) stability solution. The change will also implement "Full" Average Power Range Monitor/Rod Block Monitor/Technical Specifications (ARTS). The revised design provides a means of providing Automatic Backup Stability Protection (ABSP) in the event that the primary means of stability protection, DSS-CD, becomes inoperable.

The PRNM upgrade also includes the application of Technical Specification Task Force (TSTF) Traveler TSTF-493, Revision 4, "Clarify Application of Setpoint Methodology for LSSS [Limited Safety System Setting] Functions" (Reference 6), to affected PRNM functions.

The supplements dated June 17, 2016; September 12, 2016; and September 23, 2016, provided additional information that clarified the application, did not expand the scope of the application as originally noticed, and did not change the U.S. Nuclear Regulatory Commission (NRC or the Commission) staff's original proposed no significant hazards consideration determination as published in the Federal Register on June 7, 2016 (81 FR 36607).


2.0 REGULATORY EVALUATION

2.1 Proposed Technical Specification Changes

A markup of the proposed HCGS TS modifications was provided by the licensee as part of the license amendment request (LAR) (Reference 1) and was supplemented by changes to the TS markup identified by the licensee by letter dated June 17, 2016. The NRC staff evaluated changes proposed to the TS limiting conditions for operation (LCOs) and surveillance requirements (SRs). These changes were compared with previously approved PRNM license topical reports (LTRs), which included example TS markups (NUMAC PRNM LTR safety evaluation (SE), Reference 7, Appendix H). Note that PSEG also identified administrative (e.g., naming) changes to these TSs. Attachment 1 of the LAR identifies these changes. The TS changes listed below were evaluated:

  • TS 2.2, "Limiting Safety System Settings"
  • TS 3/4.1.4.3, "Rod Block Monitor"
  • TS 3/4.3.11, "Oscillation Power Range Monitor"
  • TS 3/4.4.1, "Recirculation System"

2.2 Regulatory Requirements and Guidance

NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports (SAR) for Nuclear Power Plants: LWR [Light-Water Reactor] Edition" (SRP) Chapter 7, "Instrumentation and Controls," August 2016 (Reference 9), defines the acceptance criteria for this review. SRP Chapter 7 addresses the requirements for instrumentation and control (I&C) systems in light-water nuclear power plants. The regulatory requirements and guidance that the NRC staff considered in its review of the applications are as follows:

  • 10 CFR 50.36(a)(1) states, in part, "Each applicant for a license authorizing operation of a production or utilization facility shall include in his application proposed technical specifications in accordance with the requirements of this section."
  • Section 50.36(c)(1)(ii)(A) of Title 10 of the Code of Federal Regulations (10 CFR) requires, in part, that where an LSSS is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. If, during operation, it is determined that the automatic safety system does not function as required, the licensee shall take appropriate action, which may include shutting down the reactor.
  • 10 CFR 50.36(c)(2)(i) requires that the TSs include LCOs for equipment required to ensure safe operation of the facility. When an LCO for operation of a nuclear reactor is not met, the licensee shall shut down the reactor or follow any remedial action permitted by the TSs until the condition can be met.

  • 10 CFR 50.36(c)(2)(ii) sets forth four criteria to be used in determining whether an LCO is required to be included in the TSs.
  • 10 CFR 50.36(c)(3) requires that TS SRs be requirements relating to test, calibration, or inspection to assure that the necessary quality of systems and components is maintained, facility operation will be within safety limits, and the LCO will be met.
  • 10 CFR 50.54(jj) and 50.55(i) require that structures, systems, and components (SSCs) must be designed, fabricated, erected, constructed, tested, and inspected to quality standards, commensurate with the importance of the safety function to be performed.
  • 10 CFR 50.55a(h) requires that the protection systems must meet the requirements in Institute of Electrical and Electronics Engineers (IEEE) Standard (hereafter "IEEE Std" or "IEEE") 279-1968, "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," or the requirements in IEEE Std 279-1971, "Criteria for Protection Systems for Nuclear Power Generating Stations," or the requirements in IEEE Std 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995.
  • Appendix A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, Criterion 10, "Reactor design," requires that the reactor core and associated coolant, control, and protection systems be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences.
  • Appendix A to 10 CFR 50, Criterion 12, "Suppression of reactor power oscillations," requires that the reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations that can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.
  • Appendix A to 10 CFR 50, Criterion 19, "Control room," states that a control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents (LOCAs). Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt shutdown of the reactor, including necessary I&Cs to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.


  • 10 CFR 50.120 requires that the licensee establish, implement, and maintain a training program.

Section 3.1.1 of the Hope Creek Generating Station Updated Final Safety Analysis Report (hereafter "UFSAR") states: " ... the Hope Creek Generating Station is in compliance with the General Design Criterion." Section 3.1.2, "Criterion Conformance," lists each of these criteria and provides an assessment of conformance for each of the 64 criteria included as the plant's licensing basis. The following criteria were used by the NRC staff to evaluate the HCGS PRNM system design for conformance to the plant's licensing basis.

  • UFSAR Section 3.1.2.1.1, Criterion 1, "Quality Standards and Records," requires SSCs important to safety to be designed, fabricated, erected, and tested to quality standards, commensurate with the importance of the safety functions to be performed.
  • UFSAR Section 3.1.2.1.2, Criterion 2, "Design Bases for Protection Against Natural Phenomena," requires SSCs important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches, without loss of capability to perform their safety functions. The design bases for these SSC shall reflect: (1) appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated; (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena; and (3) the importance of the safety functions to be performed.
  • UFSAR Section 3.1.2.1.4, Criterion 4, "Environmental and Missile Design Bases," requires SSCs important to safety shall be designed to accommodate the effects of, and to be compatible with, the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including LOCAs. These SSCs shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.
  • UFSAR Section 3.1.2.2.1, Criterion 10, "Reactor Design," requires the reactor core and associated coolant, control, and protection systems be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences (AOOs).
  • UFSAR Section 3.1.2.2.3 Criterion 12, "Suppression of Reactor Power Oscillations," requires the reactor core and associated coolant, control, and protection systems to be designed to assure that power oscillations that can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.

  • UFSAR Section 3.1.2.2.4, Criterion 13, "Instrumentation and Control," requires that instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, AOOs, and accident conditions, as appropriate, to assure adequate safety, including those variables and systems that can affect the fission process, integrity of the reactor core, reactor coolant pressure boundary, and containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.
  • UFSAR Section 3.1.2.2.6, Criterion 15, "Reactor Coolant System (RCS) Design," requires the RCS and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including AOOs.
  • UFSAR Section 3.1.2.3.1, Criterion 20, "Protection System Functions," requires the protection system be designed (1) to initiate automatically the operation of appropriate systems, including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of AOOs, and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.
  • UFSAR Section 3.1.2.3.2, Criterion 21, "Protection System Reliability and Testability," requires that the system be designed for high functional reliability and inservice testability, with redundancy and independence sufficient to preclude loss of the protection function from a single failure and preservation of minimum redundancy, despite removal from service of any component or channel.

  • UFSAR Section 3.1.2.3.3, Criterion 22, "Protection System Independence," requires that the system be designed so that natural phenomena, operating, maintenance, testing, and postulated accident conditions do not result in loss of the protection function.
  • UFSAR Section 3.1.2.3.4, Criterion 23, "Protection System Failure Modes," requires that the system be designed to fail to a safe state in the event of conditions such as disconnection, loss of energy, or postulated adverse environments.
  • UFSAR Section 3.1.2.3.5, Criterion 24, "Separation of Protection and Control Systems," requires that interconnection of the protection and control systems be limited to assure safety in case of failure or removal from service of common components.

  • UFSAR Section 3.1.2.3.6, Criterion 25, "Protection System Requirements for Reactivity Control Malfunctions," requires that the protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems.
  • UFSAR Section 3.1.2.3.10, Criterion 29, "Protection Against Anticipated Operational Occurrences," requires that protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of AOOs.

The NRC Staff Requirements Memorandum (SRM) on SECY 93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated July 21, 1993 (Reference 10), describes the position of the NRC regarding diversity and defense-in-depth (D3). This SRM states that applicants using digital or computer-based technology shall assess the defense-in-depth (DID) and diversity of the proposed I&C system to demonstrate that vulnerabilities to common-mode failures have been adequately addressed. The SRM also states:

In performing the assessment, the vendor or applicant shall analyze each postulated common-mode failure for each event that is evaluated in the accident analysis section of the safety analysis report (SAR) using best estimate methods.

The vendor or applicant shall demonstrate adequate diversity within the design for each of these events.

NUREG-0800, Chapter 18, Revision 3, "Human Factors Engineering," provides the NRC staff's guidance for the review of human performance for applicants (Reference 11).

NUREG-0711, Revision 3, "Human Factors Engineering Program Review Model," provides the methodology for the NRC staff's review of human factors engineering (HFE) programs (Reference 12).

The NRC staff evaluated the licensee's proposal using the applicable portions of the following guidance:

  • Regulatory Guide (RG) 1.75, Revision 3, "Criteria for Independence of Electrical Safety Systems" (Reference 13), describes a method acceptable to the NRC staff for satisfying physical independence of the circuits and electrical equipment that comprise, or are associated with, safety systems.
  • RG 1.100, Revision 3, "Seismic Qualification of Electrical and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants" (Reference 14), describes a method acceptable to the NRC staff for satisfying the seismic qualification.
  • RG 1.105, Revision 3, "Setpoints for Safety-Related Instrumentations" (Reference 15), describes a method acceptable to the NRC staff for complying with the NRC's regulations for ensuring that instrumentation setpoints are initially within, and remain within, the TS limits. RG 1.105 endorses Part I of International Society of Automation (ISA)-S67.04-1994, "Setpoints for Nuclear Safety Instrumentation," subject to NRC staff clarifications.

  • RG 1.152, Revision 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants" (Reference 16), describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to high functional reliability and design requirements for computers used in safety systems of nuclear power plants.


  • RG 1.168, Revision 2, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (Reference 17), describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to the verification and validation of safety system software.
  • RG 1.169, Revision 1, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (Reference 18), describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to the configuration management of safety system software.
  • RG 1.170, Revision 1, "Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (Reference 19), describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to test documentation of safety system software.
  • RG 1.171, Revision 1, "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (Reference 20), describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to the unit testing of safety system software.
  • RG 1.172, Revision 1, "Software Requirement Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants" (Reference 21) describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to preparation of software requirement specifications for safety system software.
  • RG 1.173, Revision 1, "Developing Software Lifecycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants" (Reference 22), describes a method acceptable to the NRC staff for complying with the NRC's regulations as they apply to the development processes for safety system software.
  • RG 1.180, Revision 1, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems" (Reference 23), describes a method acceptable to the NRC staff for the design, installation, and testing practices to address the effects of electromagnetic and radio-frequency interference and power surges on safety-related I&C systems.
  • RG 1.209, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," March 2007 (Reference 24), describes a method acceptable to the NRC staff for satisfying the environmental qualification (EQ) of safety-related, computer-based I&C systems for service in mild environments at nuclear power plants.
  • Digital Instrumentation and Control (DI&C)-Interim Staff Guidance (ISG)-04, Revision 1, "Task Working Group #4: Highly-Integrated Control Rooms-Communications Issues (HICRc), Interim Staff Guidance" (Reference 25), describes methods acceptable to the NRC staff to prevent adverse interactions among safety divisions and between safety-related equipment and equipment that is not safety-related.


  • DI&C-ISG-06, "Task Working Group #6: Licensing Process, Interim Staff Guidance," Revision 1 (Reference 26), describes the licensing process to be used for the review of LARs associated with DI&C system modifications.

The NRC staff also considered applicable portions of the branch's technical positions in accordance with the review guidance established within NUREG-0800, Chapter 7, and interim staff guidance (Reference 9), as follows:

  • Branch Technical Position (BTP) 7-11, Revision 6, "Guidance on Application and Qualification of Isolation Devices";
  • BTP 7-12, Revision 6, "Guidance on Establishing and Maintaining Instrument Setpoints";
  • BTP 7-14, Revision 6, "Guidance on Software Reviews for Digital Computer-Based Instrumentation and Control Systems";
  • BTP 7-19, Revision 7, "Guidance for Evaluation of Diversity and Defense-In-Depth in Digital Computer-Based Instrumentation and Control Systems"; and
  • BTP 7-21, Revision 6, "Guidance on Digital Computer Real-Time Performance."

3.0 TECHNICAL EVALUATION

This technical evaluation includes consideration of earlier NRC staff conclusions that are documented in the SEs for the approved NUMAC PRNM LTR SEs (Reference 7 and Reference 8). Sections 3.3 through 3.7 of this SE provide technical evaluations to address areas where newer regulatory evaluation criteria exist and apply to the HCGS PRNM system. Section 3.9 addresses deviations from the prior approved LTRs. The NRC staff determined that revised current applicable regulatory evaluation criteria did not adversely affect the acceptability of the proposed HCGS PRNM system. A confirmation that plant-specific actions identified in the NUMAC PRNM LTR SE (Reference 7) have been satisfied is provided in Section 3.10 of this SE.

3.1 System Description and Configuration

HCGS is a BWR/4 series reactor, and the current licensed thermal power is 3,840 megawatts thermal. The operational flexibility of a BWR during power ascension from the low-power, low-flow core condition to the rated high-power, high-flow core condition is restricted by several factors. Also, once rated power is achieved, periodic adjustments to core flow and control rod positions must be made to compensate for the reactivity changes due to Xenon buildup and decay with fuel and burnable poison burnup. Factors currently restricting plant flexibility at HCGS in efficiently achieving and maintaining rated power include:

  • The current operating power-flow map,
  • The APRM flow-biased flux scram and flow-biased rod block setdown requirements, and
  • The rod block monitor (RBM) flow-referenced rod block trip.

HCGS has proposed TS changes to address the above restrictions that are similar to the changes requested and approved by the staff at other BWR plants.

The PRNM system measures power range neutron flux in the power range of reactor operation and consists of the Local Power Range Monitor (LPRM), APRM, and OPRM subsystems. The LPRM subsystem provides signals proportional to local neutron flux at various core positions to the APRM, the Process Plant Computer (PPC), and the RBMs. The APRM system calculates core average power based on inputs received from LPRM detectors. The average power level signals are used to provide power level displays to control room operators, provide protective trips to preserve fuel clad integrity, and provide trip signals to the reactor manual control system.

The OPRM monitors neutron flux and performs alarm and reactor trip functions when unstable conditions are detected.

The licensee is replacing the existing analog APRM subsystem of the NMS with the GEH digital NUMAC PRNM system at HCGS. All of the existing power range monitor functions are retained, including LPRM detector signal processing, LPRM averaging, APRM trips, and RBM logic and interlocks. ((

)) The existing analog LPRM signal processing electronics, LPRM averaging, APRM trip electronics, and LPRM detector power supply hardware and recirculation flow signal processing electronics are being replaced by the integrated digital NUMAC chassis-based APRM electronics. The following subsections describe the various functions performed within the PRNM system and include descriptions of design changes being proposed.

The PRNM system design retrofit includes an OPRM capability to detect and suppress reactor instability using the DSS-CD stability solution. The DSS-CD function is further described in NEDC-33075P-A, Revision 8, "Licensing Topical Report GE-Hitachi Boiling Water Reactor Detect and Suppress," dated November 19, 2013 (Reference 27).

The NUMAC PRNM LTR (Reference 7) provides the approved generic system design for the PRNM system, and Appendix A of the LAR provides a supplemental description of the PRNM system (Reference 1). HCGS deviations from the approved generic design are described in Appendix J of the LAR (Reference 1).

3.1.1 Average Power Range Monitor

The existing HCGS APRM consists of six channels that are grouped into two groups of three channels each to form two separate trip channels. The replacement NUMAC-based APRM will change this configuration to a four-channel design with each channel receiving input from one-fourth of the available LPRM detectors.

The replacement PRNM consists of four independent APRM channels, two RBM channels, four flow transmitter channels, and interface channels. Four 2-out-of-4 voter channels are being added between the APRM channels and the existing Reactor Protection System (RPS) logic, with each receiving input from all four APRM channels and providing two outputs to each RPS trip logic.

Each of the four APRM channels consists of an APRM master, an APRM slave LPRM, a 2-out-of-4 voter, a quad low voltage power supply (QLVPS), analog isolators, redundant reactivity control system power supplies, as well as detector and input/output interface panels, which are all safety-related components.

The safety functions performed by each PRNM channel involve the processing of sensor inputs to produce a set of trip votes that must then satisfy 2-out-of-4 coincidence voting logic to cause the PRNM relay outputs to the RPS trip system to change state. The HCGS PRNM system provides the following scram functions:

  • APRM Neutron Flux - High Trip
  • APRM Neutron Flux - High (Setdown) Trip
  • APRM Simulated Thermal Power - High
  • OPRM Instability Detect-and-Suppress Trip

Both the master and the slave modules receive inputs from the associated LPRM detectors. The master APRM chassis processes the LPRM detector signals and recirculation loop flow inputs and performs trip and alarm processing to generate system outputs. The slave APRM processes the assigned LPRM inputs and provides its data to the master APRM. Flow transmitters in each of the recirculation loops provide the loop flow input to the associated APRM channels.

3.1.1.1 Quad Low Voltage Power Supply

The QLVPSs provide direct current electrical voltage for use by the APRM or RBM modules.

((

))

3.1.1.2 Redundant Reactivity Control System Power Supply

The RRCS power supplies provide electrical excitation power from the PRNM system to RRCS. Redundant reactivity control system power supplies are installed in a single bay of the five bays in the power range monitor panels.

3.1.1.3 Fiber Direct Data Interface Modules

APRM communication with the RBM is conducted through Fiber Direct Data Interface (FDDI) modules. The FDDI modules provide electrical and communication isolation of the signals while permitting the data to be transmitted between PRNM and RBM system components.

((

))

3.1.2 Trip Function Voting Logic

The NUMAC design includes 2-out-of-4 coincidence voter logic channels that combine the trip inputs from the four APRM channels to supply separate inputs to each of two RPS trip system divisions. The NUMAC PRNM system also includes an APRM bypass switch that allows any single APRM channel to be bypassed for the purpose of performing channel testing or maintenance as allowed by the plant TSs. Section 5.3.2.3 of the NUMAC PRNM LTR (Reference 7) provides a more detailed description of the APRM bypass switch function.

3.1.3 Rod Block Monitor TS improvement program

The function of the RBM is to prevent fuel damage in the event of erroneous rod withdrawal from locations of high-power density during high-power level operation. It does this by blocking control rod movement, which could result in violating a thermal limit (the safety limit minimum critical power ratio or the 1 percent cladding plastic strain limit) in the event of a rod withdrawal error (RWE) event.

The functions of the APRM system include:

1. Generation of a trip signal to scram the reactor during core-wide neutron flux transients before exceeding the safety analysis design basis;
2. Blocking control rod withdrawal whenever operation exceeds set limits in the operating map prior to approaching the scram level; and
3. Providing an indication of the core average power level in the power range.

The existing flow-biased RBM will be replaced by a power dependent RBM. The power dependent RBM will permit HCGS to implement "Full" ARTS versus the current "Partial" ARTS, allowing cycle-specific RWE analyses to credit the blocking of rod withdrawals.

ARTS changes the form of the RBM from a flow-biased to a power-biased function. The evaluation of the RWE event was performed, taking credit for the mitigating effect of the power-dependent RBM. The power-dependent RBM analytical limits and allowable values were provided.

The proposed full implementation of the ARTS improvement program will increase the plant operating efficiency by updating the thermal limits requirements to be consistent with current GEH methodology and from improvements in plant instrumentation accuracy. The ARTS improvement program includes changes to the current APRM system, which requires the TS changes as described in Section 3.2 of this SE. The functions of the APRM are integrated within the NUMAC PRNM system. The safety-related functions of the APRM include:

1. Generation of trip signals to automatically scram the reactor during core-wide neutron flux transients before the neutron flux level exceeds the safety analysis design bases. This prevents exceeding design bases and licensing criteria from single operator errors or equipment malfunctions;

2. Blocking control rod withdrawal before core power approaches the scram level when operation occurs in excess of set limits in the power-flow map; and
3. Providing an indication of the core average power level of the reactor in the power range.

The NUMAC PRNM system APRM calculates an average LPRM chamber signal such that the APRM signal is proportional to the core average neutron flux and can be calibrated as a means of measuring core thermal power. The APRM signals are used to calculate the simulated thermal power (STP) that closely approximates reactor thermal power during a transient. The STP signals are compared to a recirculation drive flow-referenced scram and a recirculation drive flow-referenced control rod withdrawal block.

The existing HCGS design incorporates six APRM channels. Each APRM channel uses input signals from a number of LPRMs. The six APRM channels are combined in two groups of three channels each to form two trip channels. The PRNM modification will replace the six-channel APRM with a four-channel APRM configuration whereby each channel uses one-fourth of the total LPRM detectors. The APRM functions in each channel are the same; however, four 2-out-of-4 voter logic channels are added. Each APRM provides inputs to all four of the 2-out-of-4 voter logic channels. Outputs from two voter logic channels supply inputs to each of two RPS trip system divisions.

An RBM channel within the PRNM consists of an RBM instrument, an RBM interface module, power supplies, and other ancillary equipment. The RBM instrument uses the same processor as the APRM instrument. The RBM provides information to the NUMAC interface computer (NIC), as well as output signals for monitoring devices and operator displays.

3.1.4 Oscillation Power Range Monitor Function

The PRNM system design retrofit includes an automatic instability trip function, OPRM, with the DSS-CD methodology (Reference 27). DSS-CD is a type of long-term stability solution. The existing ABB OPRM with BWROG Option III stability solution will change to the GEH OPRM with the DSS-CD stability solution. In Reference 3, GEH stated that no deviations from the approved solution are being implemented in the HCGS PRNM design.

The DSS-CD is designed to detect power oscillations upon inception and initiate control rod insertion (scram) to terminate the oscillations prior to any significant amplitude growth. DSS-CD introduces an enhanced detection algorithm that detects the inception of power oscillations and generates an earlier power suppression trip signal based on successive period confirmation recognition and an amplitude component. The existing Option III algorithms are retained (with generic setpoints) to provide DID protection for unanticipated reactor instability events. These algorithms are the period based detection algorithm (PBDA), the amplitude based algorithm, and the growth rate algorithm.

3.2 Proposed Technical Specification Changes

TS 2.2, "Limiting Safety System Settings"

Table 2.2.1-1, "Reactor Protection System Instrumentation Setpoints," lists RPS instrument functional units (FUs) and includes allowable values and trip setpoints assigned to each FU.

The proposed changes to this table are:

  • A new trip setpoint for the neutron flux upscale (setdown) function FU 2.a. This change was determined to be consistent with Section H.1.2 of Reference 8. New setpoints were developed in accordance with approved methodology described in Appendix P of the LAR (Reference 1.P).
  • Replace FU 2.b "Flow Biased" function with "Simulated Thermal Power-Upscale" function with flow-biased setpoints for both two recirculation loop and single recirculation loop operation. This change reflects the design change described in Section 3.1.1 of this SE and is consistent with Section H.1.2 of Reference 8. The trip setpoints and allowable values for this function were also changed.

  • Change the title of FU 2.c, "Neutron Flux-Upscale." This is a format change. The trip setpoint and allowable value for this function were also changed. This change has been reviewed by the NRC staff and approved as part of Sections 3.2.5 and 8.3.1.2 of the NUMAC PRNM LTR (Reference 7) and with Section H.1.2 of Reference 7.
  • Add a new APRM FU 2.e to the table for the 2-out-of-4 voter functions associated with the replacement PRNM system described in Section 3.1.1.1 of this SE. This change was previously reviewed as part of Section 5.3.3.17 of the NUMAC PRNM LTR (Reference 7) and has been approved.
  • Add a new APRM FU 2.f to the table for the OPRM upscale function associated with the replacement PRNM system described in Section 3.1.4 of this SE. This change was previously reviewed as part of Section 8.4.1.4 of the NUMAC PRNM LTR (Reference 7) and has been approved.
  • Add references to the Core Operating Limits Report (COLR) for trip setpoints, which will be specified for each core load. This change is consistent with the NUMAC PRNM LTR (Reference 7 and Reference 8, Section H.1.2) and is, therefore, acceptable.

TS 3/4.1.4.3, "Rod Block Monitor"

An additional applicability criterion was added to the existing operational Condition 1 to specify channel operability requirements applicable to the new STP upscale trip function for conditions of greater than 90 percent rated thermal power. Operability requirements under these conditions will be dependent on the value of maximum critical power ratio. This change has been reviewed, and the NRC staff determined it is consistent with implementation of full ARTS as described in the supplemental information for ARTS for HCGS (Reference 1, Appendix S).

TS 3/4.3.1, "Reactor Protection System Instrumentation"

A note is added to Action 3.3.1.a to clarify requirements for placing inoperable channels to a trip condition. This clarification is necessary because the applicable FUs provide trip inputs to both of the trip systems in the replacement PRNM system design. Therefore, placing that trip system in trip would no longer be an applicable option. This change is consistent with the NUMAC PRNM LTR (Reference 7 and Reference 8, Section H.1.1).

An additional clarification statement is added to the "Logic System Functional Test" requirements to identify that the replacement PRNM system no longer requires separate Logic System Functional Tests be performed. Instead, the FU 2e, "2-out-of-4 voter" channel check will be credited for meeting the Logic System Functional Test requirements. The NRC staff agrees that the new voter channels checked for all combinations of two trip inputs would satisfy this TS requirement. This change is consistent with the NUMAC PRNM LTR (Reference 7 and Reference 8, Section H.1.1).
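The 2-out-of-4 coincidence vote described in Section 3.1.2 and the all-combinations-of-two-inputs check credited above, as an added Python sketch (not GEH or licensee code). The channel labels, function names, and the rule that a bypassed channel's vote is simply ignored are assumptions; the page states only that any single APRM channel may be bypassed.

```python
from itertools import combinations, product

# Assumed labels; the page says only that there are four APRM channels.
CHANNELS = ("A", "B", "C", "D")
COINCIDENCE = 2  # trip votes required by the 2-out-of-4 logic


class BypassError(ValueError):
    """More than one APRM channel, or an unknown channel, was bypassed."""


def voter_output(trip_votes, bypassed=()):
    """Return True when one voter channel should pass a trip to the RPS.

    trip_votes maps every APRM channel to its trip vote (True = trip).
    bypassed holds at most one channel, mirroring the bypass switch that
    lets any single APRM channel be taken out for test or maintenance.
    Assumption: a bypassed channel's vote is ignored, so the voter needs
    two votes from the three channels still in service.
    """
    if set(trip_votes) != set(CHANNELS):
        raise ValueError("a vote is required from each of the four APRM channels")
    bypassed = tuple(bypassed)
    if len(bypassed) > 1 or any(ch not in CHANNELS for ch in bypassed):
        raise BypassError(f"invalid bypass selection: {bypassed!r}")
    in_service = [ch for ch in CHANNELS if ch not in bypassed]
    return sum(bool(trip_votes[ch]) for ch in in_service) >= COINCIDENCE


def failing_pairs(bypassed=()):
    """Apply every combination of two trip inputs from in-service channels.

    Returns the pairs that did NOT trip the voter; an empty list means the
    voter responded to all combinations of two trip inputs.
    """
    bypassed = tuple(bypassed)
    in_service = [ch for ch in CHANNELS if ch not in bypassed]
    failures = []
    for pair in combinations(in_service, 2):
        votes = {ch: ch in pair for ch in CHANNELS}
        if not voter_output(votes, bypassed):
            failures.append(pair)
    return failures


def single_vote_trips(bypassed=()):
    """List channels whose lone trip vote would trip the voter (spurious trip)."""
    bypassed = tuple(bypassed)
    return [ch for ch in CHANNELS
            if voter_output({c: c == ch for c in CHANNELS}, bypassed)]


def tripping_patterns(bypassed=()):
    """Count how many of the 16 possible vote patterns produce a trip."""
    bypassed = tuple(bypassed)
    count = 0
    for bits in product((False, True), repeat=len(CHANNELS)):
        if voter_output(dict(zip(CHANNELS, bits)), bypassed):
            count += 1
    return count


if __name__ == "__main__":
    for bypass in [()] + [(ch,) for ch in CHANNELS]:
        print(f"bypass={bypass or 'none'}: failing pairs={failing_pairs(bypass)}, "
              f"single-vote trips={single_vote_trips(bypass)}, "
              f"tripping patterns={tripping_patterns(bypass)}/16")
```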

A note is being added to identify that Action 3.3.1.b is no longer applicable for specified FUs 2a, 2b, 2c, 2d, and 2f. The NRC staff finds this acceptable because each of these FUs provides trip status input to both of the trip systems in the revised voter logic design. This change is consistent with the NUMAC PRNM LTR (Reference 7 and Reference 8, Section H.1.1).

Table 3.3.1-1 is being revised in a manner similar to the revisions described above for Table 2.2.1-1. The voter and OPRM upscale FUs are being added to the table, and FU 2.b "Flow Biased" function is replaced with "Simulated Thermal Power-Upscale" function. Changes to the associated applicable operating conditions, minimum operable channel requirements, and required actions are also being made to reflect the new four-channel with voter functionality configuration of the replacement PRNM system. This change has been reviewed by the NRC staff and approved as part of Sections 3.2.5 and 8.3.1.2 of the NUMAC PRNM LTR (Reference 7) and with Section H.1.2 of Reference 8.

Three new actions are being added to Table 3.3.1-1 (Actions 10, 11, and 12) to account for the functional operability requirements of the new OPRM upscale FU.

  • Action 10 provides direction for operators to implement manual backup stability protection (BSP) regions as defined in the COLR, initiate the automated backup stability scram region, and initiate action for special reporting requirements.
  • Action 11 provides direction for operators to implement manual BSP regions if automated BSP actions outlined in Action 10 cannot be implemented.
  • Action 12 addresses the condition where no backup means of stability protection can be implemented. This action requires a reduction in thermal power level.

These actions are consistent with the NUMAC PRNM LTR (Reference 7 and Reference 8, Section H.1.2) and are, therefore, acceptable.

Table 3.3.1-1 notations are being supplemented to address the added number of LPRM signal inputs available to each APRM channel in the revised PRNM system design. Two new notes are also being added to reflect the revised design FUs as providing trip signal inputs to both trip channels, and a limited exemption for the DSS-CD function arming requirements during the first reactor startup and controlled shutdown following installation of the revised PRNM system. This change is consistent with the NUMAC PRNM LTR and is, therefore, acceptable.

Table 4.3.1.1-1 is used to define the required surveillance functions for each of the identified FUs. The new FUs (e & f) described above are being added to this table, as well as new SRs associated with them. New SRs are also being proposed for FUs 2a, 2b, and 2c to reflect the testing requirements for the revised PRNM system equipment. The NRC staff compared the SRs in this table to the example markup TSs in Appendix H of the LTR and found them to be consistent in content.

HCGS does not include surveillance frequencies in Table 4.3.1.1-1. Instead, a note is referenced, which states that "Frequencies are specified in the Surveillance Frequency Control Program unless otherwise noted in the table." The licensee did, however, provide an analysis of surveillance frequency changes in Section 2.0 of Attachment 1 to the LAR. The NRC staff was, therefore, able to evaluate and assess the adequacy of the surveillance frequencies proposed for the replacement PRNM system instrumentation. Based on its review of the surveillance frequency changes, comparison to the approved NUMAC PRNM LTR (Reference 7), and the evaluation of the licensee's Surveillance Frequency Control Program, the NRC staff determined that surveillance frequencies proposed for the HCGS PRNM system are acceptable.

Notes (n & o) were added to Table 4.3.1.1-1 to identify criteria for determining instrument operability based on surveillance as-found calibration data, as well as the ability to return the instrument to its as-left tolerance limits in accordance with TSTF-493, Option A. The NRC staff finds these notes to be consistent with TSTF-493 guidance and, therefore, acceptable.

TS 3/4.3.6, "Control Rod Block Instrumentation"

Tables 3.3.6-1 and 3.3.6-2 are being updated to reflect instrumentation associated with the revised PRNM system. The APRM functions, "Flow Biased Neutron Flux" and "Neutron Flux Upscale, Startup," trip functions are being replaced with "Simulated Thermal Power," and "Simulated Thermal Power - Upscale (Setdown)," respectively.

APRM control rod block functions are not credited in the UFSAR; however, they are being retained in the TSs for administrative reasons. The number of minimum operable channels for all APRM functions is being changed to three. This is consistent with the approved LTR.

The RCS recirculation flow trip functions are being eliminated from Tables 3.3.6-1 and 3.3.6-2. This change reflects the change from flow-biased trip setpoint logic to STP logic. Recirculation flow blocks are no longer needed for ARTS implementation. Justification for this change is provided in Section 8.5.1.3 of the NUMAC PRNM LTR (Reference 7). This TS change is, therefore, consistent with the approved NUMAC PRNM LTR SE (Reference 7).

The asterisk associated with applicable conditions for the RBM trip functions is being revised to refer to TS 3.1.4.3 applicability in lieu of the greater or equal to 30-percent rated thermal power statement. The enhanced conditional requirements referred to are consistent with the implementation of full ARTS.

Table 3.3.6-1, Functions 6a, 6b, and 6c, for ARTS implementation are being removed.

Notes are being added to Table 3.3.6-2 to identify the ranges for upscale trip levels and provide reference to the COLR for setpoints and allowable values, which change between operating cycles.

Table 3.3.6-2, Function 1.a - 1.c RBM trip setpoints and allowable values are being relocated to the COLR. A note was added identifying the values that will be located in the COLR. This change is consistent with the approved topical report and with previously approved PRNM license amendments.

The trip setpoints and allowable values for Table 3.3.6-2, APRM Trip Function 2.a and the allowable value for Function 2.c are being changed in accordance with revised calculations.

See Section 3.5 of this SE for evaluation of setpoint methodology and calculations.

Names for Table 4.3.6-1 are being updated to reflect instrumentation associated with the revised PRNM system. The APRM functions, "Flow Biased Neutron Flux" and "Neutron Flux Upscale, Startup," trip functions, are being replaced with "Simulated Thermal Power," and "Simulated Thermal Power - Upscale (Setdown)," respectively.

Table 4.3.6-1, Functions 6a, 6b, and 6c, for ARTS implementation are being removed.

Notes (g & h) are being added to Table 4.3.6-1 to identify criteria for determining instrument operability based on surveillance as-found calibration data, as well as the ability to return the instrument to its as-left tolerance limits in accordance with TSTF-493, Option A. The NRC staff finds these notes to be consistent with TSTF-493 guidance and, therefore, acceptable.

TS 3/4.3.11, "Oscillation Power Range Monitor"

TS 3/4.3.11, "Oscillation Power Range Monitor," is being deleted from the HCGS TSs. This deletion is acceptable because the OPRM LCOs are being replaced with the OPRM Upscale Function 2.f as part of the RPS instrumentation requirements in Tables 3.3.1-1 and 4.3.1.1-1.

TS 3/4.4.1, "Recirculation System"

TS 3.4.1.1 Actions a.2 and a.3 are being modified to declare the channel inoperable, and references to TS 3.3.1 or TS 3.3.6 actions are added, respectively. This change is being made to account for the revised design, which will have all four APRM channels providing input to each of the four voter channels. Because of this new design, there is no longer a condition where only one of the trip systems can have reduced setpoints established. When APRM channel setpoints are reduced, these reductions will always apply to all associated voter channels.

TS 3.4.1.1 Action a.4 is being deleted. This change is associated with the implementation of full ARTS. Because the reactor coolant recirculation flow functions are being eliminated from Tables 3.3.6-1 and 3.3.6-2, this action will no longer be required.

TS 6.9.1.9, "Core Operating Limits Report"

New requirements are being added for the COLR to ensure the new analytical limits and setpoints associated with the revised PRNM system are established and documented. These new COLR limits relate to TS Sections 2.2, 3/4.1.4.3, 3/4.3.1, and 3/4.3.6.

TS 6.9.2, "Special Reports"

A new special reporting requirement associated with Action 10 of TS 3/4.3.1, "RPS Instrumentation," is being added as an administrative control in TS 6.9.2. This change is consistent with the approved DSS-CD LTR.

The NRC staff determined all proposed HCGS TS changes are consistent with the example markups of the TSs provided in the previously approved NUMAC PRNM LTR (Reference 7) and are, therefore, acceptable for use.

3.3 PRNM System Interfaces, Including Digital Instrumentation Communications

Section 50.55a(h) of 10 CFR 50.55 approved the 1991 version of IEEE Std 603, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," for incorporation by reference, including the correction sheet dated January 30, 1995.

IEEE 603-1991, Clause 5.6, "Independence," requires independence between (1) redundant portions of a safety system, (2) safety systems and the effects of design-basis events, and (3) safety systems and other systems. SRP Chapter 7, Appendix 7.1-C, Section 5.6, "Independence," provides acceptance criteria for this requirement, and among other guidance, provides additional acceptance criteria for communications independence. Section 5.6 states that (1) where data communication exists between different portions of a safety system, the analysis should confirm that a logical or software malfunction in one portion cannot affect the safety functions of the redundant portions, and (2) if a digital computer system used in a safety system is connected to a digital computer system used in a nonsafety system, a logical or software malfunction of the nonsafety system must not be able to affect the functions of the safety system.

IEEE 7-4.3.2-2003, endorsed by RG 1.152, Clause 5.6, "Independence," provides guidance on how IEEE 603-1991 requirements can be met by digital systems. This clause of IEEE 7-4.3.2 states that in addition to the requirements of IEEE Std 603-1991, data communication between safety channels or between safety and nonsafety systems shall not inhibit the performance of the safety function. SRP Chapter 7, Appendix 7.1-D, Section 5.6, "Independence," provides acceptance criteria for independence.

Additional guidance on digital communications is contained in DI&C-ISG-04 (Reference 25).

The HCGS PRNM system consists of digital instrumentation that performs safety functions and includes safety-to-nonsafety interfaces and inter-channel (i.e., safety-to-safety) communications.

Physical and electrical independence characteristics via separation and isolation devices were previously evaluated by the NRC in the NUMAC PRNM LTR SE (Reference 7, Sections 3.5 and 3.6) and remain valid for the HCGS PRNM system. The licensee also performed a design analysis on electrical independence, which was provided as an appendix to the LAR (Reference 1, Appendix L). (See Sections 3.15 and 3.16 of this SE for more detailed evaluations of the PRNM system independence characteristics.)

The GEH NUMAC PRNM system configuration includes the following types of communications:

1. Safety channel to safety channel communication: This type of communication includes:
a. Communication between each of the four APRM modules and all four of the 2-out-of-4 voter logic modules,
b. Safety channel to safety channel communication between all four of the 2-out-of-4 voter logic modules, and
c. Safety channel to safety channel communication between the four 2-out-of-4 voter logic modules and the bypass switch (optical).
2. Between safety and nonsafety systems: Safety system to nonsafety system communication exists between each of the four APRM and LPRM safety modules and the two nonsafety RBM modules. This type also includes safety channel to nonsafety channel communication between APRM masters and the operator control panel operator display assemblies (ODAs).
3. Nonsafety to nonsafety communications: Nonsafety to nonsafety communication occurs between the two RBM modules and NIC, and between NIC and the HCGS PPC through a secure link.

PRNM system communications interfaces were evaluated by the NRC staff against the data independence criteria of DI&C-ISG-04. The NRC staff concludes that NUMAC PRNM system communications interfaces, as implemented in the HCGS application, are compliant with the criteria of ISG-04 and are, therefore, acceptable.

The HCGS configuration, as described and illustrated in Section 4.1.2 of the LAR (Reference 1), is similar to the configuration shown in Figure E.1.5 in Volume 2 of NEDC-31410P-A of the NUMAC PRNM LTR (Reference 7). To confirm compliance of the HCGS PRNM system with the criteria of ISG-04, the NRC staff compared the HCGS plant-specific design configuration with the approved LTR design variations, as noted by the licensee in Appendix J of the LAR (Reference 1).

3.3.1 Intra-Channel Communications Between Safety Components

DI&C-ISG-04 does not directly address interfaces between safety-related components within a channel. Nevertheless, the NRC staff evaluated two PRNM system intra-channel communication interfaces: (1) between the 2-out-of-4 voters and the APRMs and (2) interfaces to support maintenance and monitoring functions. The results of this evaluation concluded that these intra-channel interfaces do not compromise the independence between safety channels and that operability of interconnected channel components is not adversely affected by the communications through these interfaces.

3.3.2 Inter-Channel Communications Between PRNM System Safety Components

DI&C-ISG-04 states that digital instrumentation communication interfaces between independent safety channels should meet the same criteria as established for communication interfaces between nonsafety and safety equipment. The NRC staff evaluated two PRNM system inter-channel communication interfaces, (1) between 2-out-of-4 voters and (2) between APRMs and 2-out-of-4 voters, against the criteria of DI&C-ISG-04 Staff Position 1, "Interdivisional Communications." The results of this evaluation concluded that inter-channel interfaces do not compromise the independence between safety channels and that operability of interconnected system components is not adversely affected by the communications through these interfaces.

Based on the NRC staff's review of the 2-out-of-4 voter to 2-out-of-4 voter communications, the NRC staff determined that these interdivisional communications do not compromise the independence of the safety channels or adversely affect the operability of the safety functions.

3.3.3 Interfaces with the Operator's Control Panel

DI&C-ISG-04 does not directly address communication interfaces between safety-related components within a channel and discrete switches or analog indications that may be shared among channels. Based on its evaluation of this type of interface, the NRC staff confirmed that components shared among PRNM system channels do not adversely affect reliable performance of the safety functions within independent PRNM system channels.

3.3.4 Inter-Channel Communications Between PRNM System Safety Components and Nonsafety Equipment

DI&C-ISG-04 establishes criteria for bidirectional communication interfaces between a safety division and nonsafety equipment to ensure that these communications do not adversely affect the operability of the safety functions. The NRC staff evaluated two such interfaces associated with the PRNM system: (1) APRM and LPRM to the RBM and (2) RBM to APRM and LPRM.

The PRNM system has communication interfaces ((

)) The PPC provides gain adjustment data to the NUMAC PRNM system via the nonsafety-related NIC.

Based on its review, the NRC staff determined that communications interfaces to nonsafety components of the NUMAC PRNM system do not adversely affect the ability of the PRNM to perform required safety functions.

3.4 Diversity and Defense-In-Depth

The PRNM system is designed to preclude an undetected common-cause failure (CCF). There are hardware watchdog timers, described in Section 4.3.4 of the PRNM System Architecture Description (Reference 1, Appendix A), ((

))

The NRC staff reviewed the HCGS PRNM system design using the guidance provided in BTP 7-19 to establish whether vulnerabilities to common-cause NUMAC software failures had been adequately addressed by the licensee. BTP 7-19 establishes that the licensee should analyze each postulated software CCF coincident with each AOO and postulated accident within the plant design basis using a best-estimate (i.e., realistic assumptions) approach.

BTP 7-19 provides guidance to address D3. This document includes guidance for evaluation to address the concern regarding CCF vulnerabilities with regard to the use of digital computer-based I&C systems. BTP 7-19 establishes evaluation criteria for providing reasonable assurance that CCFs do not defeat either the protection provided by alternative means (i.e., an independent and diverse safety function) or an echelon of defense that provides DID.

The HCGS PRNM system safety functions are a portion of the overall RPS and are required to be operable as defined in TS Table 3.3.1-1. Each PRNM system channel consists of a digital computer-based system that acquires neutron flux data via LPRM detector strings and uses this data to calculate parameters to support PRNM APRM and DSS-CD functions. The PRNM system functions can be affected by a software CCF because each PRNM system channel contains the same safety processor software and voter logic.

The approved NUMAC PRNM LTR (Reference 7, Section 6.4) discusses a design approach to D3 to address potential vulnerabilities to PRNM CCF. This approach includes actions taken to reduce the probability of PRNM system CCF to an acceptable level and to mitigate consequences of such a failure. The LTR establishes that diversity at the plant system level, which is beyond the PRNM system scope, provides the D3 to provide adequate protection against a CCF of the PRNM system.

Because common-cause software failures of the PRNM system could occur and the replacement system may have failure effects that are different from those evaluated in a plant's SAR, licensees that apply the LTRs are required, as described in Section 6.6 of the LTR, to confirm that a PRNM CCF is not adverse to public health and safety. This confirmation requires the licensee to demonstrate that the analyzed set of AOOs, postulated accidents, and events within the plant's design basis remain valid and bounding following the incorporation of the PRNM system and with full consideration for the complete common-mode loss of the entire set of PRNM system safety functions.

The licensee performed a D3 analysis for HCGS following implementation of the PRNM (Reference 1.1, Appendix I). This analysis describes the diversity between safety channels, as well as diversity within safety channels. The analysis identifies consequences of CCF that completely impair the PRNM system.

As described in Section 5.3 of the PRNM System Architecture Description (Reference 1, Appendix A), the existing APRM/OPRM subsystem provides a single-sensor type input to the RPS. Therefore, replacing the APRM/OPRM subsystem within the PRNM system does not change or alter the diversity between APRM/OPRM and other plant systems that provide input to the RPS. Other diverse sensors (e.g., reactor pressure, etc.) provide diverse trip inputs to RPS and thereby maintain their diverse trip functions that provide adequate mitigation against the CCF of the APRM/OPRM (Reference 1, Appendix J, Section 2).

For the D3 analysis, the licensee assumed a single CCF that completely impaired the PRNM system. In this worst-case scenario, either the entire PRNM system or a part of the system could fail. An additional analysis assumption is that the failure is not detectable until the system is stressed by an event or an accident, at which time all PRNM channels will be considered absent or incorrect. This analysis basis meets the current regulatory guidance. The licensee further cited the results of the analysis for various failures, including failure of 2-out-of-4 voter logic modules, partial failure of one APRM channel, or a combination of failures. The licensee determined that during those scenarios, the APRM system will either remain capable of providing automatic protection, or an indication to the operator will prompt action to trip the reactor.

BTP 7-19 provides nine criteria for acceptance. The licensee provided the results of its analysis demonstrating how the PRNM system met BTP 7-19 criteria for D3. The licensee provided responses to each of these criteria in its analysis. The results are summarized below.

BTP 7-19 acceptance criteria 1 and 2 require that when applying realistic assumptions for each AOO or for each postulated accident, the plant response should neither exceed the applicable radiation release criteria nor violate the containment integrity by maintaining the integrity of the primary coolant pressure boundary through identification of sufficient diversity, which addresses any vulnerabilities and documents and necessary actions to overcome those vulnerabilities.

For these requirements, the licensee provided an evaluation of each AOO for which safety analysis could credit a protective signal from PRNM (Reference 1, Appendix I, Table 4.1). This evaluation identifies credited alternate protection functions and includes evaluation/discussion to address any specific comments or applicability. In general, an alternate trip means is available, or no specific action is required. The licensee identified that instability is the only AOO requiring a diverse protection method. The licensee explained that manual operator actions (MOAs) will remain the backup method for assuring stability protection and, therefore, the NRC staff considers BTP 7-19 criterion 1 satisfied. BTP 7-19 acceptance criterion 2 requires applying realistic assumptions for each postulated accident. The licensee identified that a control rod drop accident is the only accident where PRNM safety function is credited in the UFSAR. The licensee noted diverse protection exists in the event of a PRNM CCF and, therefore, the NRC staff considers BTP 7-19 criterion 2 satisfied.

BTP 7-19 acceptance criterion 3 requires an analysis to address any common element or signal source shared by a control system and reactor trip system (RTS) when a CCF can be postulated that creates a condition requiring a reactor trip while simultaneously impairing the ability to trip. To address criterion 3, the licensee explained that the PRNM system is not used for plant automatic control, except for providing the rod block signal, and the rod block function is not credited as a safety function. Therefore, this type of CCF is not applicable to HCGS's LAR, and the NRC staff considers BTP 7-19 criterion 3 satisfied.

BTP 7-19 acceptance criterion 4 requires a response to address any common element or signal source shared by a control system and engineered safety features actuation system (ESFAS) when a CCF can be postulated that creates a condition that requires an engineered safety feature (ESF) actuation, while simultaneously impairing the ESF. To address criterion 4, the licensee explained that the PRNM system is not used for plant automatic control and cannot cause a plant condition that requires an ESF actuation. Furthermore, neither the existing HCGS system nor the replacement PRNM system performs ESF functions or interfaces with the ESFAS. Therefore, this type of CCF is not applicable to HCGS's LAR, and the NRC staff considers BTP 7-19 criterion 4 satisfied.

BTP 7-19 acceptance criterion 5 requires that no failure in monitoring and display systems should influence the functioning of the RTS or the ESFAS, and if a failure in the monitoring and display systems should result in operating the plant outside the safety limits or in violation of an LCO, the analysis must show that such operator-induced transients will be compensated by a protection system function. In the case of HCGS, the PRNM system does not receive any input from the monitoring and display echelon (one of the four echelons of defense cited in BTP 7-19). Therefore, a failure or display in the monitoring or display system will not propagate to the PRNM system. Should a failure in the monitoring and display system result in operator-induced transients, the automatic protective functions of the PRNM system are available for compensation. Therefore, the NRC staff concludes that the HCGS design meets BTP 7-19 criterion 5.

BTP 7-19 acceptance criterion 6 requires means to manually initiate automatic RTS and ESF functions, and these manual means should involve a minimum number of manual manipulations. If the manual means are independent and diverse from the safety-related, automatically initiated RTS and ESFAS functions, the design meets the system level actuation criteria in criterion 6 of BTP 7-19. For HCGS, the present automatic initiation of RTS and ESFAS is maintained, and means of independent manual actuation are available for RTS, as well as ESFAS. Therefore, the NRC staff concludes that the HCGS design meets BTP 7-19 criterion 6.

The PRNM system is not credited for any response to anticipated transients without scram events for light water-cooled nuclear power plants per 10 CFR 50.62. Based on this information, NUREG-0800, Section 7.8, "Diverse Instrumentation and Control Systems," criteria do not apply to the HCGS LAR.

BTP 7-19 acceptance criteria 7, 8, and 9 require evaluation of the methods for accomplishing the independent and diverse means for actuating the protective safety function when the D3 analysis reveals the potential for a CCF. The NUMAC PRNM system only provides trip signal inputs to the RPS and does not have interfaces to ESFAS. The RTS and ESFAS systems are not affected by the revised design of the PRNM system, and these systems are not vulnerable to the PRNM system CCF. Therefore, the NRC staff concludes that the HCGS design meets BTP 7-19 acceptance criteria 7, 8, and 9.

The postulated CCF assumed to result in comprehensive loss of PRNM system functionality would also disable the OPRM system (i.e., confirmation density algorithm (CDA) for DSS-CD and PBDA for Option III). The loss of PRNM system functionality would also disable the ABSP function of DSS-CD, which is invoked per Action 10-b) of TS Table 3.3.1-1.

If the OPRM system is inoperable, and the ABSP function performed by the APRM either cannot be implemented or is inoperable, manual BSP becomes the licensed stability solution (TS Table 3.3.1-1, Action 11). This is essentially the same backup approach used in Option III, current operation. In the Option III solution, there is only one BSP option, which is provided by the manual BSP regions and associated operator actions.

The HCGS power-recirculation flow graph contains regions of operation that are defined for BSP. Manual BSP regions are defined in the COLR as part of the credited backup stability solution. When plant conditions result in operation within these manual BSP regions, administrative actions are followed, which may require initiation of a manual reactor scram. This is described in Section 7.2.3 of the approved DSS-CD LTR (Reference 27) and is consistent with the proposed TS changes identified in Section 8.

Relevant plant transient scenarios were considered in the D3 analysis (Reference 1.1, Appendix I). ((

)) This analysis identified MOAs as diverse means of maintaining plant safety when the automatic trip functions performed by the DSS-CD algorithms and the ABSP become unavailable due to a postulated common-mode failure of the NUMAC PRNM system.

The D3 analysis identified that the postulated CCF in the PRNM system results in the system providing valid indications of plant conditions until the stability transient occurs, at which time they become anomalous. In the case of power oscillations, PRNM system indications of power and flow would track consistently with other plant indicators, as they change, to a state point where the potential exists for high growth-rate power oscillations (i.e., the region of the power-flow map where thermal hydraulic instabilities become prevalent), but fail to provide any protection when large amplitude oscillations begin to occur. ((

))

((

))

This immediate action is uncomplicated. The NRC staff confirmed the systems used for controlling core flow, reactor power and manual scram do not rely on digital or software based technologies. The NRC staff determined these systems would, therefore, not be affected by the postulated software CCF of the PRNM system that rendered the automatic protection functions inoperable.

((

))

((

))

The NRC staff confirmed that the systems used for controlling core flow, reactor power, and manual scram do not rely on NUMAC-based technology. The NRC staff determined these systems would, therefore, not be affected by a postulated software CCF of the PRNM system that renders the automatic protection functions inoperable.

This evaluation concludes that the manual control measures needed to support BSP protection are sufficiently diverse from the digital PRNM system NUMAC systems and, therefore, provide an acceptable means of diverse protection for the DSS-CD safety function. The licensee's evaluation of the PRNM system against the criteria in BTP 7-19 was determined to be sufficient and, based on the information provided, the NRC staff found the results acceptable.

3.5 Setpoint Methodology and Calculations

Section 50.36(c)(1)(ii)(A) of 10 CFR states, in part:

Limiting safety system settings for nuclear reactors are settings for automatic protective devices related to those variables having significant safety functions.

Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. If, during operation, it is determined that the automatic safety function does not function as required, the licensee shall take appropriate action, which may include shutting down the reactor.

RG 1.105 describes a method acceptable to the NRC staff for complying with the NRC's regulations to ensure that setpoints for safety-related instrumentation are initially within, and remain within, the TS limits. This RG endorses Part I of ISA-S67.04-1994, "Setpoints for Nuclear Safety-related Instrumentation," subject to staff clarifications. Part I defines a framework for ensuring that setpoints for nuclear safety-related instrumentation are established and maintained within specified limits. This RG does not address or endorse Part II of ISA-S67.04-1994, "Methodologies for the Determination of Setpoints for the Nuclear Safety-related Instrumentation." Part II of the standard provides recommended practices and guidance for implementing Part I.

RG 1.105 establishes acceptance criteria that there is a 95 percent probability that the constructed limits contain 95 percent of the population of interest for the surveillance interval selected. BTP 7-12 provides guidance for NRC staff reviewers for evaluating the process an applicant or a licensee follows to establish and maintain instrument setpoints.

TSTF-493 provides additional guidance to assure identification of instrument degradation as soon as possible using as-left and as-found values. TSTF-493, Option A, further provides guidance to include suitable TS notes regarding the as-found and as-left values. Based on the guidance of TSTF-493, these notes are used to indicate actions to be taken when the as-left tolerances cannot be achieved following channel calibration or when the as-found tolerance is found to be exceeded during surveillance testing. The TSTF-493 notes also clarify the document containing nominal setpoint values.

Notes (n & o) were added to Table 4.3.1.1-1 to identify criteria for determining instrument operability based on surveillance as-found calibration data, as well as the ability to return the instrument to its as-left tolerance limits in accordance with TSTF-493, Option A. The NRC staff finds these notes to be consistent with TSTF-493 guidance and, therefore, acceptable.

Setpoint Methodology Evaluation

A description of the setpoint methodology used for determination of HCGS PRNM system setpoints was provided as Appendix P of the LAR (Reference 1), NEDC-33864P, "GEH Instrument Setpoint Methodology - Overview, HCGS PRNM." This methodology is based on the setpoint methodology prescribed in NEDC-31336P-A, "General Electric Setpoint Methodology," September 1996. This methodology conforms to the modified ISA Method 2 of ISA-recommended practice RP67.04.02, "Methodologies for the Determination of Setpoints for Nuclear Safety-related Instrumentation." The ISA-67.04-1994 standard is currently endorsed by the NRC by BTP 7-12.

The setpoint method, as documented in NEDC-31336P-A, is based on, but not identical to, ISA standard S67.04. The NRC staff reviewed details of the methodology, including the explanation of calculation of as-found tolerance and as-left tolerance, and how the calculations assure with high probability (( )) that the setpoint used will not exceed the analytical limit, and with almost an equally high probability (( )), that the allowable value will not be exceeded. The NRC staff confirmed that random errors and bias terms were identified and that random terms are combined using the square root of the sum of squares method, while non-conservative bias errors are algebraically summed.
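As an added illustration (not part of the safety evaluation or of the GEH methodology), the Python example below combines random terms by the square root of the sum of squares, sums non-conservative biases algebraically, and dispositions a surveillance reading against as-left and as-found tolerances in the manner of the TSTF-493 notes discussed above. All numeric values, the function names, the sign convention for biases, and the as-found tolerance formula are assumptions constructed for the example.

```python
import math
from enum import Enum

# Constructed example values in % rated thermal power. None come from the
# HCGS calculations, which are proprietary.
RANDOM_TERMS = {"accuracy": 1.0, "calibration": 0.5, "drift": 0.8, "process": 0.6}
# Assumed sign convention: positive = non-conservative for an increasing trip.
BIAS_TERMS = {"known_offset": 0.3, "conservative_offset": -0.2}


class Disposition(Enum):
    OK = "within as-left tolerance, no adjustment needed"
    RESET = "within as-found tolerance, reset into as-left band"
    EVALUATE = "outside as-found tolerance, evaluate before return to service"
    INOPERABLE = "declare channel inoperable"


def srss(values):
    """Square root of the sum of squares for independent random terms."""
    return math.sqrt(sum(v * v for v in values))


def channel_uncertainty(random_terms, bias_terms):
    """Random terms by SRSS plus the algebraic sum of non-conservative biases."""
    non_conservative = sum(b for b in bias_terms.values() if b > 0)
    return srss(random_terms.values()) + non_conservative


def nominal_trip_setpoint(analytical_limit, uncertainty, margin=0.0):
    """Increasing trip: the setpoint sits below the analytical limit."""
    if uncertainty < 0 or margin < 0:
        raise ValueError("uncertainty and margin must be non-negative")
    return analytical_limit - (uncertainty + margin)


def as_found_tolerance(as_left_tol, drift, mte):
    """Assumed form: SRSS of as-left tolerance, drift and M&TE error."""
    return srss([as_left_tol, drift, mte])


def disposition(as_found, ntsp, alt, aft, allowable_value, can_reset=True):
    """Classify one surveillance reading for an increasing (upscale) trip.

    The as-found and as-left bands are double-sided around the nominal trip
    setpoint, so drift in the conservative direction is still flagged.
    """
    deviation = abs(as_found - ntsp)
    if as_found > allowable_value:
        return Disposition.INOPERABLE      # beyond the allowable value
    if deviation <= alt:
        return Disposition.OK
    if not can_reset:
        return Disposition.INOPERABLE      # cannot restore as-left tolerance
    if deviation > aft:
        return Disposition.EVALUATE        # degradation indicator
    return Disposition.RESET


if __name__ == "__main__":
    cu = channel_uncertainty(RANDOM_TERMS, BIAS_TERMS)
    ntsp = nominal_trip_setpoint(120.0, cu, margin=0.2)   # constructed limit
    aft = as_found_tolerance(0.3, RANDOM_TERMS["drift"], RANDOM_TERMS["calibration"])
    print(f"CU={cu:.2f}  NTSP={ntsp:.2f}  AFT={aft:.3f}")
    for reading in (118.2, 118.7, 116.9, 119.2):          # constructed readings
        result = disposition(reading, ntsp, 0.3, aft, allowable_value=119.0)
        print(f"as-found {reading:6.1f}: {result.value}")
```

A reading that drifts low (116.9 here) is conservative for an upscale trip but still falls outside the as-found band, which is the early-degradation signal the as-found and as-left notes are meant to surface.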

The NRC staff determined that the setpoint methodology, as described above, provides an acceptable method for determination of PRNM system setpoints. Application of the setpoint methodology to the PRNM system setpoints satisfies the system design basis in accordance with the safety analysis, TSs, and expected maintenance practices. This methodology, as applied for the determination of HCGS APRM and RBM setpoints, adequately addresses the regulations identified within 10 CFR 50.36(c)(1)(ii)(A) and is, therefore, acceptable.

OPRM setpoints are considered as nominal values, and their selection is based on a comprehensive BWROG methodology for stability analysis, which was approved by the NRC (Reference 3). OPRM setpoints are not considered to be LSSSs because power oscillations are treated as a special event and not as an AOO, which defines LSSSs. The "OPRM Upscale" setpoint is based on cycle-specific reload stability analysis and will be included in the COLR.

The documented approach for the "OPRM Upscale" setpoint is consistent with the TSs reviewed in Section 3.2.2 of this SE.

Setpoint Calculation Evaluation

The licensee provided two representative instrument limit calculations for (1) NUMAC PRNM system - APRM and (2) NUMAC PRNM system - RBM, as Appendix P1 and Appendix P2, respectively, to the LAR. These calculations are used to establish the limiting trip setpoint and the nominal trip setpoint, as well as the acceptable as-found and as-left values for the PRNM system setpoints. The NRC staff reviewed these calculations and found them consistent with the approved GEH methodology.

3.6 Response Time Performance

The accident analyses of design-basis events at nuclear power plants include a determination of how soon protective actions are needed to mitigate design-basis events. The basis for this determination is contained in 10 CFR 50.55a, which states that protective systems must meet the requirements set forth in editions or revisions of the Institute of Electrical and Electronics Engineering Standard: "Criteria for Protective Systems for Nuclear Power Generating Stations" (IEEE 1971-279). This regulation remains applicable with respect to response time performance because HCGS's design basis for safety-related equipment is IEEE Std 279-1971, and the replacement NUMAC PRNM system will remain compliant with the criteria of that standard. Also, 10 CFR 50.36(c)(1)(ii)(A) requires that the TSs include the limiting safety systems settings for nuclear reactors where those settings are "so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded." Once the total time required for a protective action has been determined, licensees allocate portions of that time to portions of the protective system (e.g., the time required for (1) the sensor's response to changes in plant conditions, (2) sensor processing, (3) the actuation logic, and (4) a valve to close or rods to insert, etc.).

BTP 7-21 identifies acceptance criteria to reach a staff conclusion that a completed system will meet timing requirements. BTP 7-21 criteria establish that an applicant should demonstrate that limiting response times are sufficient to satisfy applicable safety requirements and that digital computer timing is sufficient to satisfy the limiting response times for the system's implementation, including hardware, software, and data communication systems. The link between the setpoint analyses and limiting response times should be demonstrated.

The NRC staff evaluated the time response performance characteristics of the HCGS replacement PRNM system by performing the following activities.

1. Identify Plant-specific Response Time Requirements (Basis)

The HCGS PRNM system response time requirements are discussed in Section 7.2.1.3.3 of the plant's UFSAR, which refers to UFSAR Table 7.2-3. This table defines the PRNM system-related safety function response time requirements as follows:

  • APRM Flow Biased Simulated Thermal Power - Upscale: Resp. Time ≤ 0.09 seconds
  • APRM Fixed Neutron Flux - Upscale: Resp. Time ≤ 0.09 seconds
  • Simulated Thermal Power Time Constant Delay = 6 +/- 0.6 seconds
  • APRM Neutron Flux - High (Setdown Actuation): Not Applicable
  • APRM Inoperative: Not Applicable

2. Identify NUMAC Response Time Performance Capabilities

The NUMAC PRNM LTR established digital response time specifications for each PRNM system trip function (Reference 7, Section 3.3.2). These timing specifications establish the minimum performance capabilities for the NUMAC-based PRNM system.

((

))

For the APRM STP (Flow Biased, Function 2) High, the PRNM system relay output must transition to the tripped state within a specified time after the plant parameters reach the trip setpoint (while excluding the time constant of the STP algorithm from the measurement). Similarly, the APRM Neutron Flux - High (Setdown Actuation, Function 3) must function within the specified time once the trip setting is reached while in the startup mode (Mode 2). For the OPRM Upscale Trip (Function 4), the PRNM system relay output must transition to the tripped state within a specified time after the plant parameters reach a setpoint determined by any of the instability detect-and-suppress algorithms.

For trip setpoints that are calculated based on recirculation flow (Function 2), the time from a change in the process flow value until this value is reflected in the trip setpoint shall not exceed a specified time.

3. Evaluate if the HCGS PRNM System Meets Plant-specific Requirements in 1 Above

The response time requirements established in the UFSAR are not being changed as a result of the PRNM system upgrade project. Therefore, these requirements will remain the license basis for the replacement PRNM system. The NRC staff confirmed the specifications for the NUMAC-based PRNM system (identified in step 2 above) meet all response time requirements in the UFSAR (identified in step 1 above) and, therefore, the replacement PRNM system response time performance is acceptable for the APRM safety functions.

The UFSAR does not identify response time requirements for the OPRM Instability Detect-and-Suppress - Trip (Reactor Scram) function; however, the performance requirements established for the replacement NUMAC system were evaluated by the NRC during the topical report review (Reference 27) and were determined to be acceptable for General Electric BWR nuclear power plants. As such, the response times established for the NUMAC PRNM system are acceptable for the HCGS application.

4. Confirm that Factory Acceptance Test Results Demonstrate HCGS Timing Requirements are Met

The NRC staff confirmed that System Validation and Factory Acceptance Tests verified the correct response times of all requirements for PRNM system timing constraints. All measured timing responses were verified to not exceed the specified limits. Results of all timing verifications are described in Section 6.2.13 of the HCGS PRNM Verification and Validation Test Summary Report (Reference 29.d).

The NRC staff assessed the HCGS PRNM system performance to establish reasonable assurance that applicable safety requirements to suppress power oscillations and to prevent fuel design limits from being exceeded will be maintained with the replacement PRNM system.

The NRC staff confirmed that prior NUMAC PRNM LTR evaluations remain applicable for the HCGS PRNM system because the proposed instrument configuration and its descriptions are consistent with the previously evaluated basis (Reference 7, Section 3.2).

Implementation of ARTS/Maximum Extended Load Line Limit Analysis (MELLLA) within the PRNM system software does not change the basic system configuration, and thus, is not expected to have an adverse effect on the response time performance of the system.

The NRC staff's previous review of NUMAC PRNM response time performance included an evaluation of the generic PRNM system hardware, software, and data communication architecture for the safety signal path to which the limiting response times apply. The licensee provided the "Power Range Neutron Monitoring System Response Time Analysis Report" (Reference 1, Appendix N) to demonstrate that the plant-specific system response time requirements applicable to HCGS with the current APRM continue to apply to the response time performance established for the replacement PRNM system. This report demonstrates compliance with the criteria of BTP 7-21 and Staff Positions 1.19 and 1.20 of DI&C-ISG-04.

The NRC staff confirmed the NUMAC PRNM response times to be within the allowable response time specified in the UFSAR Chapter 15, "Accident Analyses." The design basis for the RPS response time from the opening of a trip sensor contact up to and including opening of the trip actuator contacts is acceptable for the PRNM system APRM reactor trip functions. The NRC staff determined that response time performance requirements established in the NUMAC PRNM system LTRs have been maintained and that specified response time performance requirements for the HCGS PRNM system as established by the design basis of the existing APRM are not being changed. The NRC staff concludes that prior LTR response time performance requirements remain bounding, applicable to the HCGS PRNM system modification, and consistent with the plant's safety requirements.

Based on the specification, analysis, testing, and successful test results for HCGS PRNM system response time performance, the NRC staff determined that the NUMAC PRNM system meets the HCGS response time requirements and that these response time requirements satisfy the HCGS PRNM safety analysis bases.

3.7 System Development Process

The NRC staff performed an evaluation of the system and software development lifecycle processes used for the HCGS PRNM. The HCGS development was performed in conformance with the equipment manufacturers (GEH) of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50. The HCGS PRNM system development process emphasizes and systematically applies the use of system components that are based on previously approved LTRs. This evaluation includes consideration for use of previously approved NUMAC PRNM system components. This evaluation applies NRC staff technical judgment in the determination of whether the development processes applied to the HCGS PRNM system, as well as compensatory measures that were identified and performed, are sufficiently equivalent methods to those methods currently endorsed in regulatory guidance for system and software development.

A description of previously developed NUMAC PRNM components is contained in the NUMAC PRNM LTR (Reference 7, Reference 8, and Reference 27). The set of pre-developed software supports interfaces with NUMAC modules and instrument-specific application functions, which are configured to construct plant-specific instrumentation such as the HCGS PRNM system.

The NRC staff evaluated the previously developed software during its review of the base LTR in 1995. The acceptability of the system level approach, functionality to be provided, and software development processes, including verification and validation (V&V), was determined using the applicable regulatory evaluation criteria of that time. However, since that time, the applicable regulatory evaluation criteria used by the NRC staff to evaluate software-based safety functions within digital safety-related equipment have changed. Furthermore, GEH changed its development processes to incorporate modifications identified during the previous PRNM system reviews and align them with current regulatory guidance. Therefore, the NRC staff performed an evaluation of the modified software development process. Appendix K of the LAR (Reference 1.K) describes the alignment between current NUMAC processes and current regulatory guidance. In this report, GEH describes the updated processes and states that design outputs remain similar to the initial PRNM system design, and their alignment to BTP 7-14 criteria was not affected. GEH performed process enhancements to address current regulatory criteria. These process enhancements have not been previously evaluated by the NRC. The following subsections address the updated NUMAC lifecycle and development process aspects of the HCGS PRNM system.

3.7.1 Software Planning Documents

BTP 7-14, Section B.3.1, describes acceptance criteria for the software development activities and documentation. In addition, IEEE Std 7-4.3.2-2003, "Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," provides specific requirements concerning software development activities. (See Section 3.16 of this SE for details concerning the licensee's conformance with IEEE Std 7-4.3.2-2003.)

GEH Process Changes

GEH modified its processes to address the guidance of BTP 7-14. A summary of changes made to the NUMAC processes was also provided by the licensee (Reference 1.K). GEH prepared four plans to provide the information required to address eight of the plans named in BTP 7-14. GEH noted these plans define the activities performed during each phase of the system lifecycle, and all activities are performed within the approved NEDO-11209, Revision 11, "GE Hitachi Nuclear Energy Quality Assurance Program Description," dated February 12, 2015 (Reference 30). Section 4.2.1 of the LAR provides a table mapping the GEH NUMAC software plans to BTP 7-14 software planning documentation. The subsections below provide evaluations for each of the GEH plans.

3.7.1.1 HCGS NUMAC PRNM System Management Plan

The HCGS System Management Plan (SyMP) was evaluated for compliance with SRP BTP 7-14, Section B.3.1.1, "Acceptance Criteria for Software Management Plan (SMP)." This section refers to RG 1.173. RG 1.173 endorses IEEE Std 1074-2006, "IEEE Standard for Developing Software Life Cycle Processes." Further, Clause A.1.2.7, "Plan Project Management," of IEEE Std 1074-2006 contains an acceptable approach to software project management.

The HCGS SyMP (Reference 1.E) describes the process used to manage the PRNM development project and the overall project lifecycle. The HCGS system management plan follows the guidance of IEEE Std 1074-2006 and follows the quality assurance (QA) processes defined in the HCGS NUMAC SyQAP (Reference 1.C).

The HCGS SyMP establishes project planning and scheduling, project monitoring and control, and project execution activities for the HCGS PRNM system project. The SyMP describes the project organization, interfaces, and roles and responsibilities for the personnel involved in the project. Project design team personnel are assigned the following roles: (1) Project Manager, responsible for managing the commercial aspects of the project. The Project Manager is also responsible for project administration and establishing and maintaining communication interfaces among project team members and stakeholders; (2) Technical Project Engineer, functions as design team leader, coordinates the technical activities to ensure the system requirements are implemented and traceable to licensee technical requirements, and is responsible for the system configuration management activities; (3) System Engineer, responsible for the system requirements, design, and implementation; (4) Lead Software Engineer, leads the system software design and implementation; and (5) Lead Hardware Engineer, leads the system hardware and panel design.

Project Independent V&V (IVV) team personnel are assigned the following roles: (1) Chief Consulting Engineer, supervises the IVV team and manages the IVV program; (2) System V&V Engineer, performs V&V activities as defined in the System Independent Verification and Validation Plan (SyIVVP); (3) System Safety Analysis Engineer, performs system safety analysis activities as defined in the SyIVVP; and (4) Test and Qualification Engineer, responsible for equipment qualification and testing. The NUMAC development team also includes a System Quality Assurance Engineer who is responsible for product quality and implementation of the GEH QA plan. Both the IVV team and the QA team have organizational reporting structures that are independent from the design team.

GEH maintains training records for all staff participating in the PRNM system project to ensure that only qualified personnel are assigned to perform safety critical tasks for their job function.

The NRC staff reviewed GEH training records during the regulatory audit (Reference 28) and found them acceptable.

The SyMP identifies the reviews and audits conducted during system development and defines project deliverables, schedule and budget, process model, and project management methodologies used during the project to track progress and record corrective actions and for configuration management and project metrics. For this project, GEH used the Product Lifecycle Management system as the official repository for approved documents and plans. A software tool called Dynamic Object Oriented Requirements System (DOORS) is used for establishing and maintaining requirements traceability, and the GEH Corrective Actions Program is used to address deficiencies and corrective actions.

Risk management activities are addressed in Section 5.0 of the SyMP. GEH uses a Project Risks Register to identify, monitor, control, and mitigate project risks and issues. This worksheet is maintained and reviewed periodically by the project manager and the technical project engineer.

Section 4.5.1 of the System Engineering Development Plan (SyEDP) describes how GEH identifies and records discrepancies or deficient conditions and performs problem resolution activities. Non-conformities are recorded, addressed, and tracked via the GEH corrective action program (CAP). The discrepancy or deficient condition may be documented by a NUMAC Problem Report, an Engineering Change Order, or a Field Deviation Disposition Request.

A NUMAC Problem Report may be opened by anyone observing a problem with a NUMAC product. An Engineering Change Order is used to process design changes during the normal course of development. Field Deviation Disposition Requests are used to initiate changes to resolve issues that are discovered after shipment of equipment to the licensee. Corrective actions are resolved using procedures specified in the GEH CAP. The SyMP describes how problems are resolved during the different system lifecycle phases. The SyMP identifies and describes supporting system plans developed for the HCGS PRNM replacement project.

The NRC staff finds that the SyMP established an acceptable organization and authority structure for the PRNM application software development, procedures used, and relationships between major activities. This management structure provided adequate project oversight, control, reporting, review, and assessment; therefore, the SyMP satisfies IEEE Std 1074-2006 in terms of software project management. The NRC staff finds that the SyMP adequately addresses the planning aspects of BTP 7-14, Section B.3.1.1, and is, therefore, acceptable.

3.7.1.2 NUMAC Systems Engineering Development Plan (SyEDP) (Reference 31)

The SyEDP defines the processes for design and development, integration, and configuration management for the NUMAC PRNM system. As such, the processes defined within the SyEDP were used for application development of the HCGS PRNM system. Appendix K of the LAR (Reference 1.K) describes the modification made to the SyEDP to align with the criteria of BTP 7-14. GEH modified this plan to clearly define technical design reviews and a process for performing hand-offs to the IVV team.

Software Development

The SyEDP was evaluated for compliance with BTP 7-14, Section B.3.1.2, which describes acceptance criteria for software development plans (SDPs). RG 1.173 endorses IEEE Std 1074-2006 as an acceptable approach to software development processes for meeting the regulatory requirements and guidance as they apply to development processes for safety system software. IEEE Std 7-4.3.2-2003, Clause 5.3.1, contains additional guidance on software development.

The NUMAC system development lifecycle uses a waterfall model that includes the following phases (and baselines):

  • Concept Phase (Baseline 1)
  • Requirements Phase (Baseline 2)
  • Design Phase (Baseline 3)
  • Implementation Phase (Baseline 4)
  • Test Phase (Baseline 5)

Activities performed for each of these lifecycle phases are described in the NUMAC SyEDP.

The NUMAC SyEDP defines a baseline review process to be performed upon completion of development activities for each phase. The stated purpose of the baseline reviews is to perform a process check to confirm that project plans are being executed as intended. The baseline reviews are used as a means of determining if all required activities are complete for the applicable phase prior to proceeding to the next development phase. Project risks are also evaluated during each phase. These risks are considered by the baseline review team prior to proceeding to the next development phase. The baseline review team consists of representatives of the design, independent review team, and the QA organizations, and includes the system configuration management engineer. Activities performed during each baseline review, as well as documentation requirements, are described in the SyEDP.

Document Verification and Technical Design Reviews: When NUMAC design artifacts are to be released, GEH procedures require the design team to perform verification of documentation prior to its release. Released documents are then provided to the IVV team for performance of the independent verification in accordance with the SyIVVP (Reference 1.D). Conduct of IVV activities, as defined in the SyIVVP (Reference 1.D, Section 3.0), constitutes the Technical Design Review, which is performed by the IVV team under the supervision of the Chief Engineer's Office.

Hand-offs to the IVV Team: GEH uses a document known as a test item transmittal report as a means of performing a formal hand-off of design artifacts from the design team to the IVV test team for performance of IVV testing activities.

Activities Performed by the Licensee: The licensee did not develop software for the HCGS PRNM system replacement project. Thus, no licensee SDP was evaluated. The licensee is, however, required to create or acquire a number of documents from vendors that provide safety-related equipment. The licensee uses these documents to ensure the vendor has a quality process in place for software and product design and that the process and design are accurately documented and tested. The required documents include a configuration management plan, a problem management and reporting process, a disaster recovery process, documented functional requirements, a documented technical design, a SyIVVP, testing reports, user documentation, code review process and documentation, and a traceability matrix to ensure all requirements are tested.

The licensee lead responsible engineers are responsible for ensuring design changes that include digital devices are provided to a design engineer for review. The licensee's design engineers are responsible for reviewing such design change packages to ensure an adequate critical digital review (CDR) is performed and documented. The CDR is an independent review conducted by the licensee or its designee to provide assurance that vendor requirements and quality standards are being correctly implemented for all digital safety systems at HCGS.

The licensee participated in a CDR that was led by an independent company, ProDesCon, on the GEH PRNM system. The CDR report pointed out that GEH has an established regulatory-approved Appendix B quality program and that GEH's processes are suitable to ensure the quality of the design, configuration control, Part 21 reportability, and system maintenance throughout the system lifecycle. The CDR included a high-level review of the overall system design, focusing on the safety functions of the system and how digital design principles indicative of highly reliable digital systems were applied to the PRNM system.

The licensee has reviewed and commented on software lifecycle documentation produced by GEH throughout the project. The licensee also performed two audits to ensure product reliability. These audits focused on GEH audits performed on subcontractor Gavial, the GEH actions and process to correct identified issues, QA hold points placed on the purchase order, overall test plans and completed testing, restrictions placed on the Gavial subcontractor, cyber security aspects of the project, and the GEH engineering change process. The licensee's QA department witnessed the factory testing and performed a test audit. The licensee found all vendor-performed activities to be acceptable after identified audit findings had been addressed.

SyEDP Safety Conclusions:

The SyEDP states which tasks are associated with each lifecycle development phase and allows the licensee and vendor to monitor the software development processes. The corrective action processes are sufficient to identify deviations from the software development process in a timely manner. Project risks are adequately identified, reviewed, and considered during the various phases of the application development process prior to proceeding to the next phase. These risks and the associated analyses are documented and used as a basis for project implementation decisions.

The GEH NUMAC application development project phases follow the lifecycle planning guidance of IEEE Std 1074-2006, as endorsed by RG 1.173. The inputs, tasks, processes, and outputs/results activities for each of the system development phases include processes for V&V, software configuration management (SCM), software QA, software safety, and issue resolution.

The NRC staff determined that the SyEDP used for the HCGS PRNM system development provides a careful and deliberate development process, which promotes high functional reliability and design quality of safety-related software that is suitable for its intended use.

Integration

The SyEDP was evaluated for compliance with the criteria in SRP, BTP 7-14, Section B.3.1.4, "Software Integration Plan." RG 1.173 endorses IEEE Std 1074-2006 as an acceptable approach to software integration processes for meeting the regulatory requirements and guidance. Clause 1.2.8, "Plan Integration," contains an acceptable approach relating to planning for integration. Clause A.1.2.8 states that software requirements and the Software Design Description should be analyzed to determine the order for combining software components into an overall system and that the integration methods should be documented.

The integration plan should be coordinated with the test plan. The integration plan should also include the tools, techniques, and methodologies needed to perform the integrations. The planning shall include developing schedules, estimating resources, identifying special resources, staffing, and establishing exit or acceptance criteria.

NUREG/CR-6101, "Software Reliability and Safety in Nuclear Reactor Protection Systems," Section 3.1.7, "Software Integration Plan," and Section 4.1.7, "Software Integration Plan," provide additional guidance on software integration plans. Section 3.1.7 states that software integration should consist of three parts: (1) integrating the various software modules together to form a single program, (2) integrating the result of this with the hardware and instrumentation, and (3) testing the resulting integrated product.

The integration plan governing the development of the NUMAC PRNM software is provided by the SyEDP (Reference 31). The SyEDP describes the strategy used for integrating the various software functions into a PRNM system. This includes the processes used for integrating the PRNM software with the NUMAC hardware.

The SyEDP includes sections for each of the development lifecycle phases that describe the activities performed. PRNM software integration activities begin at the Design Phase (Baseline 3) with the development of the software design specifications. These software design specifications implement the system functional requirements as defined in the software requirements specifications (including performance specifications) and allocate specific functions to the software modules that are to perform them.

Software integration activities are then performed during the Implementation Phase (Baseline 4) in the form of evaluation and testing activities. Once PRNM system software components are developed, they are subject to various levels of testing, including unstructured testing, exploratory testing, software module testing, programmable logic module testing, and integration testing to ensure that required functionality is achieved. An evaluation of previously developed software is also performed during this phase to confirm that the previously developed software starting point and build environment are acceptable.

Integration activities performed in the Test Phase (Baseline 5) include development of user documentation and installation instructions for the system. At the conclusion of the Test Phase, a firmware unconditional release record is issued. All identified anomalies must be resolved, and test reports must be issued prior to this release. Upon completion of the Test Phase, all NUMAC PRNM system software integration is complete, and the fully integrated PRNM system can be released for plant installation.

The NRC staff determined that the software integration plan, as implemented by the SyEDP, is compliant with the requirements of IEEE Std 1074-2006 and, therefore, provides reasonable assurance that an acceptable method of software integration was used for the development of the HCGS PRNM system.

Software Configuration Management

The SyEDP was evaluated for compliance with BTP 7-14, Section B.3.1.11, which provides guidance to evaluate SCM plans. IEEE Std 1074-2006, Clause 7.2, provides an acceptable approach to SCM. IEEE Std 1074-2006, Clause 7.2.1, states that SCM identifies the items in a software development project and provides both for control of the identified items and for reporting the status of such items to management to maintain visibility and accountability throughout the software lifecycle. Examples of items to be controlled include, but are not limited to, code, documentation, plans, and specifications. BTP 7-14, Section B.3.1.11.1, asks for the definition of the responsibilities and authority of the SCM organization.

The SyEDP (Reference 31) describes SCM activities used during development of the HCGS PRNM system. This plan defines Configuration Management (CM) activities performed during each of the development phases; personnel responsible for performing CM activities, including the System Configuration Management Engineer; schedule for such activities; and resources required. The System Configuration Management Engineer is a member of the NUMAC design team and the responsibilities are defined in the SyEDP. In particular, the System Configuration Management Engineer (SCME) is responsible for project configuration status accounting at each lifecycle phase and maintaining configuration status accountability for changes made to previously established baseline configurations. The SCME is also responsible for documenting performance of configuration management activities, including changes made to the configuration task report. The SCME is a key participating member of the baseline review team.

The SyEDP defines required configuration items for each development phase. Each of these items is required to be baselined at the completion of the associated phase prior to proceeding to the next phase of development. Once a baseline review is complete, subsequent changes to the baseline design or documentation require reconvening a baseline review team to perform a change control board function to approve changes to the baseline and to establish a new baseline. Section 4.5 of the SyEDP describes the configuration control processes used during application development. These processes include change initiation, change control, and change approval. Configuration changes can be initiated by any of three sources: NUMAC Problem Report, Engineering Change Order, or Field Deviation Disposition Request, depending on the nature of the change being made and the method and time of discrepancy identification.

The NRC staff determined that the SCM processes, as defined in the SyEDP, meet the planning requirements of IEEE Std 828-2005 and American National Standards Institute (ANSI)/IEEE Std 1042-1987 and are, therefore, acceptable. The NRC found that GEH established a process to control software items through a librarian and provides a process to control code and documentation changes through a baseline review team. The SyEDP adequately addresses the guidance of BTP 7-14 R. 6, Section B.3.1.11.

3.7.1.3 NUMAC Systems Quality Assurance Plan

The SyQAP was evaluated for compliance with BTP 7-14, Section B.3.1.3, which provides guidance for evaluating a Software Quality Assurance Plan (SQAP). The SQAP must conform to the requirements of 10 CFR Part 50, Appendix B, and the applicant's overall QA program.

Appendix B to 10 CFR Part 50 states that the applicant shall be responsible for the establishment and execution of the QA program. The applicant may delegate the work of establishing and executing the QA program, or any part thereof, but shall retain responsibility for the QA program. The SQAP would typically identify which QA procedures are applicable to specific software processes, identify particular methods chosen to implement QA procedural requirements, and augment and supplement the QA program as needed for software.

IEEE Std 7-4.3.2-2003, Clause 5.3.1, which is endorsed by RG 1.152, also provides guidance on software QA. IEEE Std 7-4.3.2-2003, Clause 5.3.1, states, "Computer software shall be developed, modified, or accepted in accordance with an approved software QA plan consistent with the requirements of IEEE/Electronic Industries Association Std 12207.0-1996," and that "Guidance for developing software QA plans can be found in IEEE Std 730-1998."

The NUMAC system's SyQAP establishes processes for QA oversight during development of safety-related NUMAC products, including the HCGS PRNM system. It defines the organizational responsibilities for the various activities relating to software QA. The nuclear quality organization is responsible for the overall GEH QA program and for execution of the NUMAC SyQAP.

The HCGS PRNM project SyMP documents the application of the NUMAC SyQAP to the development of the system. The SyQAP defines the software and data methodology, as well as documentation requirements for plant application software, in the form of a product quality records package. Quality assurance methods addressed by the SyQAP include functional configuration audit and activities associated with the baseline process. The baseline review is a process check to confirm that project plans are being executed as intended. The baseline reviews are used as a means of determining if all required activities are complete for the applicable phase prior to proceeding to the next development phase. Specific QA activities performed for each baseline are further defined in the SyIVVP.

The organization of the QA department has sufficient authority and organizational freedom, including sufficient independence from cost and schedule, to ensure that the effectiveness of the QA organization is not compromised.

The NRC staff determined that the SyQAP, in conjunction with the activities defined in the SyIVVP, is compliant with the requirements of IEEE Std 730-2002. Therefore, it provides reasonable assurance that high quality software capable of performing its safety functions was produced for the HCGS PRNM system.

3.7.1.4 NUMAC System Verification and Validation Plan

The SyIVVP defines the processes for performing software V&V, software safety, and software testing activities for the NUMAC PRNM system. Appendix K of the LAR (Reference 1.K) describes the modification made to the SyIVVP to align with BTP 7-14. GEH modified this plan to clearly define technical design reviews and the process to hand off to the IVV team. The NUMAC SyIVVP establishes processes for safety analysis, independent V&V reviews, independent V&V testing, and equipment qualification of safety-related NUMAC products.

Software Verification and Validation

The SyIVVP was evaluated for compliance with BTP 7-14, Section B.3.1.10, which provides guidance to evaluate a software SyIVVP. RG 1.168 endorses IEEE Std 1012-2004 as providing methods acceptable for meeting the applicable regulatory requirements listed in Section 2 of this report.

The level of independence of the IVV organization from the software design and development organization is documented in the SyIVVP and has been verified by the NRC staff during a regulatory audit conducted at the GEH facility (Reference 28). During the audit, the NRC staff determined that PRNM software V&V efforts meet the requirements of IEEE Std 1012-2004, and the V&V program includes provisions to reliably verify and validate the design outputs for each stage of the software design process. The NRC staff determined that the personnel involved in the V&V effort were qualified to perform the assigned V&V activities, as defined in the SyIVVP, by conducting interviews with IVV personnel and by performing document reviews.

The IVV team is not subject to scheduling constraints or to pressure from the software designers or project managers for reports or review effort. The IVV team reports to a level of management that does not exert direct pressure for a favorable V&V report.

GEH has defined a method for quantifying software criticality and has provided a mapping between the GEH Software Integrity Levels (SILs) and the SILs defined in IEEE Std 1012-2004.

The PRNM software used for performance of system safety functions is assigned an integrity level of 4, which aligns closely with SIL 4, as defined in IEEE Std 1012-2004. The NRC staff determined this method of quantifying the criticality of the HCGS PRNM safety-related software to be acceptable.

For each project phase or baseline, the SyIVVP established a minimum set of IVV activities to be performed. The licensee provided a document of conformance to IEEE Std 1012-2004 (Reference 1.K, Section 4). This document identifies tasks from IEEE Std 1012 and corresponding activities in the NUMAC plans. Satisfactory completion of each IVV task is documented and reviewed during each associated baseline review for completeness and accuracy. The NRC staff performed an evaluation of the HCGS PRNM System Verification and Validation Task Report (Section 3.7.2.2 of this SE) to confirm completion of the required IVV tasks and to evaluate their effectiveness in producing high quality software for the PRNM application.

The NRC staff determined that the SyIVVP outlines a V&V process, which is sufficiently disciplined and rigorous, and demonstrates a high quality software development process. The SyIVVP process includes activities for identification and resolution of problems that could detract from a high quality design effort.

Software Safety

The SyIVVP was evaluated for compliance with the acceptance criteria in BTP 7-14, Section B.3.1.9, "Software Safety Plan," and Section B.3.2.1, "Acceptance Criteria for Safety Analysis Activities." These sections state the Software Safety Plan should provide a general description of the software safety effort and the intended interactions between the software safety organization and the general system safety organization. The sections further state that NUREG/CR-6101, Section 3.1.5, "Software Safety Plan," and Section 4.1.5, "Software Safety Plan," contain guidance on Software Safety Plans. Further guidance on safety analysis activities can be found in NUREG/CR-6101. Also, RG 1.173, Section C.3, "Software Safety Analyses," contains guidance on safety analysis activities.

The SyIVVP identifies software safety activities performed during each of the lifecycle phases. For each of these activities, a design review safety analysis is conducted, and the results are documented in the V&V summary report. The NRC staff assessed the performance of these activities and determined that planning for software safety is appropriate for the PRNM system application and is, therefore, acceptable. Furthermore, the NRC staff concludes that software safety planning, as executed by the SyIVVP, provides adequate assurance that software safety activities were effective in resolving safety issues presented during the design and development of the HCGS PRNM system software. See Section 3.7.2.1 of this SE for evaluation of system safety activity results.

Software Test

The SyIVVP was evaluated for compliance with BTP 7-14, Section B.3.1.12, which provides guidance to evaluate a Software Test Plan. IEEE Std 829-1983, as endorsed by RG 1.170, provides an acceptable method for providing test documentation. IEEE Std 1008-1987, "IEEE Standard for Software Unit Testing," as endorsed by RG 1.171, provides an acceptable method for satisfying software unit test requirements. BTP 7-14, Section B.3.1.12.4, states the Software Test Plan should cover all testing done to the software, including unit testing, integration testing, factory acceptance testing, site acceptance testing, and installation testing.

The NUMAC SyIVVP identifies software testing activities to be performed during system development, including software module testing, programmable logic module testing, subsystem integration and validation testing, system validation testing, and factory acceptance testing. Test reporting requirements are also outlined in the SyIVVP. Site acceptance testing and installation testing are licensee-controlled activities and are, therefore, not addressed within the GEH NUMAC SyIVVP.

The NRC staff examined the SyIVVP and determined the test planning process was understandable, that testing responsibilities were assigned to the appropriate personnel, and that adequate provisions were made for retest in the event of test failures. Test failures are considered nonconformities and are recorded, addressed, and tracked via the GEH CAP. The discrepancy or deficient condition may be documented by a NUMAC Problem Report, an Engineering Change Order, or a Field Deviation Disposition Request. The SyIVVP test processes require full regression tests to be run after modifications are made to the software.

Since final system testing is considered a V&V test, the SylWP assigns the responsibilities for test definition, test design, and test performance to the IW group.

The NRC staff determined that the software test plans, as implemented in the SylWP, were sufficiently comprehensive to demonstrate the HCGS PRNM will meet its required functionality, and there is reasonable assurance the system will perform its required safety functions. (See Section 3.7.2.2 of this SE for evaluation of system V&V activity results.)

3.7.2 Software Process Implementation

This section summarizes the evaluation of the application software implementation documentation of the HCGS PRNM system. This documentation corresponds with the software lifecycle process implementation information described in BTP 7-14, Section B.2.2, "Software Life Cycle Process Implementation," and Section B.3.2, "Acceptance Criteria for Implementation."

3.7.2.1 Safety Analyses

The acceptance criteria for SSA activities are contained in BTP 7-14, Section B.3.2.1, "Acceptance Criteria for Safety Analysis Activities." This section states: (1) the documentation should show that the system safety requirements have been adequately addressed for each activity group; (2) no new hazards have been introduced; (3) the software requirements, design elements, and code elements that can affect safety have been identified; and (4) all other software requirements, design, and code elements will not adversely affect safety. Further guidance on safety analysis activities can be found in NUREG/CR-6101 and RG 1.173, Section C.3.

The NRC staff reviewed the assessments of these software safety activities provided in the V&V activity summary reports (Section 3.7.2.2 of this SE) and the HCGS PRNM System Safety Analysis Task Report (Reference 29.A) and determined that safety analysis activities were performed in accordance with the SylWP. The system analysis task report provides objective evidence that the system safety requirements have been correctly implemented and provides reasonable assurance that no new hazards have been introduced into the system as a result of software development activities. Software elements that have the potential to affect safety were identified, and safety problems and resolutions identified during the analyses were documented and dispositioned in an appropriate manner. Software requirements, including design and code elements, have been implemented in a manner that will not adversely affect the safety of the system. Based on review of the V&V activity summary reports (Section 3.7.2.2 of this SE) and the HCGS PRNM System Safety Analysis Task Report, the NRC staff has determined that the safety analysis activities are acceptable and are compliant with BTP 7-14, Section B.3.2.1.

3.7.2.2 Software Verification and Validation Activity Evaluation

The SylWP (Reference 1.D) describes the V&V tasks that are to be carried out during development of the HCGS PRNM system. BTP 7-14, Section B.3.2.2, "Acceptance Criteria for Software Verification and Validation Activities," states that the acceptance criteria for software V&V implementation is that the tasks in the Software Verification and Validation Plan (SVVP) have been carried out in their entirety. Documentation should exist that shows that the V&V tasks have been successfully accomplished for each lifecycle activity group. In particular, the documentation should show that the requirements, design, code, integration, and installation design outputs satisfy the appropriate software development functional and process characteristics.

The HCGS PRNM System Verification and Validation Task Report (Reference 29.B) was reviewed by the NRC staff to determine if V&V activities were being effectively performed to ensure development of quality software.

The NRC staff determined that the HCGS PRNM System Verification and Validation Task Report adequately describes a detailed and thorough V&V effort. The SyWP was implemented in a manner that supports the development of software that will perform all required safety functions for the HCGS PRNM system. The NRC staff found that activities performed and documented in the System Verification and Validation Task Report provide reasonable assurance that V&V efforts were effectively implemented to support the development of a software product that is suitable for use in safety-related nuclear applications. The report is written such that the information reviewed, level of detail, and findings of the V&V effort are understandable and informative. The System Verification and Validation Task Report provides adequate documentation to show that V&V tasks were successfully accomplished for each software lifecycle phase.

Problems identified during the V&V effort were entered into the GEH CAP. Problem descriptions and actions required to correct or mitigate each problem were adequately documented. Based on its review as described above, the NRC staff concludes that the software development functional and process characteristics of the V&V effort are acceptable.

Subsequent testing of the same design performed for another PRNM system client revealed an anomaly that affected the automatic calibration functions of the PRNM system. A Condition Report (CR) was generated and evaluated for potential impact to the HCGS PRNM system.

The Condition Review Board determined that the identified condition was not reportable under 10 CFR Part 21 because the effects of the failure were limited to the auto calibrate function of the PRNM system that can only be performed when the associated PRNM channel is placed in the inoperable status. However, the condition was determined and confirmed to be applicable to the HCGS PRNM system and corrective actions to replace the affected circuit boards in the HCGS system were initiated. Thus, the operating PRNM system channels would not have been affected by the anomaly, but the calibration process to establish operability could have been impacted. Replacement circuit boards that have modified logic designs to prevent auto calibrate failures will be installed into the HCGS PRNM system prior to installation into the plant.

3.7.2.3 Configuration Management Report

The SyEDP describes the SCM tasks that are to be carried out by GEH (Section 3.7.1.2 of this SE). The acceptance criteria for SCM activities are identified in BTP 7-14, Section B.3.2.3, "Acceptance Criteria for Software Configuration Management Activities." These acceptance criteria require that the tasks in the SCM plan be carried out in their entirety. Documentation should exist showing that the CM tasks for that activity group have been successfully accomplished. In particular, the documentation should show that: (1) configuration items have been appropriately identified, (2) configuration baselines have been established for the activity group, (3) an adequate change control process has been used for changes to the product baseline, and (4) appropriate configuration audits have been held for the configuration items created or modified for the activity group.

The System Configuration Management Task Report (Reference 29.C) summarizes the configuration management activities performed during each phase of the project and documents the conclusions reached. Attachment C of the Task Report includes the System Configuration Status Accounting Spreadsheet, which identifies the baseline documents and versions at the end of each lifecycle phase. These include plans, specifications, schematics, test procedures, test reports, and source codes.

GEH uses a product data management system tool as a repository to maintain and control design documentation and logic files. Changes to controlled files were tracked by the tool and required an Engineering Change Order. During the regulatory audit, the NRC staff reviewed the GEH procedure for performing Engineering Change Orders. The System Quality Assurance Functional Configuration Audit Checklist performed for the Test Phase (Baseline 5) identifies that the Configuration Audit was completed and that changes to previous baseline configurations were approved.

The NRC staff determined that the SCM processes and activities performed meet the requirements of IEEE Std 828-1998 and ANSI/IEEE Std 1042-1987 and are, therefore, acceptable. The SCM activities adequately address the guidance in BTP 7-14, Section B.3.2.3.

3.7.2.4 Testing Activities

The acceptance criteria for testing activities are contained in the SRP, BTP 7-14, Section B.3.2.4, "Acceptance Criteria for Testing Activities." This section states that RG 1.168, Section 7.2, "Regression Analysis and Testing," and RG 1.170, which endorse IEEE Std 829-2008, "IEEE Standard for Software Test Documentation," and RG 1.171, which endorses IEEE Std 1008-1987, identify acceptable methods to satisfy software testing requirements.

Testing activities for the HCGS PRNM system were found to be consistent with the requirements of the System Requirements Specification (Reference 1.F) and the APRM Functional Controller Software Design Specifications (Reference 1.G). The test programs provided comprehensive test coverage of the entire integrated PRNM system. The NRC staff observed appropriate adherence to the test program procedures. Discrepancies discovered during the test evaluations were appropriately documented and addressed. The Factory Acceptance Test adequately verified that all intended application-specific functions were properly implemented.

Test results and verification of test completion were documented in the HCGS PRNM V&V Test Summary Report (Reference 29.d). Therefore, the NRC staff finds that the Software Test activities adequately address the guidance in BTP 7-14, Section B.3.2.4.

3.7.2.5 Requirements Traceability Evaluation

Evaluation criteria for the use of a requirements traceability matrix are contained in BTP 7-14. A definition for "Requirements Traceability Matrix (RTM)" is provided in Section A.3, which states:

"An RTM shows every requirement, broken down into sub-requirements as necessary, and what portion of the software requirement, software design description, actual code, and test requirement addresses that system requirement."

This is further clarified in Section B.3.3, "Acceptance Criteria for Design Outputs," in the subsection on process characteristics. This section states that the requirements traceability matrix should show what portion of the software requirement, software design description, actual code, and test requirement addresses each system requirement.

Three primary specification documents provided as attachments to the LAR were used as the basis for establishing requirements traceability for the HCGS PRNM system. They are:

  • System Requirements Specification (SyRS) (Reference 1.F, Part 1)
  • Instrument Performance Specification (IPS) (Reference 1.F, Part 2)
  • APRM Functional Controller Software Design Specification (SOS) (Reference 1.G)

Traceability is established using various tools, including DOORS. Traceability matrix tables are included in the specification documents themselves, which allow review of traceability links without the need to directly access the DOORS application.

For traceability to test documentation, including various test procedures and test results reports, the IW team creates tables that are embedded in the test documents. These tables provide traceability between specified requirements and test activities used to verify implementation.

Testing traceability is a separate activity from the specification documentation traceability.

Several requirements were selected for evaluation by the NRC staff during a regulatory audit conducted at the GEH NUMAC development facility in Wilmington, North Carolina. A summary of each of these threads is provided in the audit report (Reference 28).

The NRC staff observed that requirements traceability tables show that each of the requirements delineated in the SyRS, IPS, and the SOS is broken down into sub-requirements for the HCGS PRNM application. The traceability matrices indicate which portion of the implementation documents and test requirements are being credited to address each system requirement. The NRC staff concludes that requirements tracing processes as implemented in the SyRS, IPS, and SOS provide reasonable assurance that all requirements are correctly implemented in the HCGS PRNM application hardware and software and are, therefore, acceptable.
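A completeness check over an RTM of the kind defined in the BTP 7-14 quotation above, given as an added example: it is not NRC, GEH, or licensee code and is unrelated to DOORS. The requirement IDs, artifact names, the four link-kind labels, and the rule that a requirement with sub-requirements is judged only through its lowest-level sub-requirements are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Artifact kinds the quoted RTM definition says must address each requirement.
ARTIFACT_KINDS = ("software_requirement", "design_description", "code", "test")


@dataclass
class Requirement:
    req_id: str
    parent: Optional[str] = None      # None marks a top-level system requirement
    links: Dict[str, List[str]] = field(default_factory=dict)


def index_requirements(reqs: List[Requirement]):
    """Build id and child lookups; reject duplicates, dangling parents, cycles."""
    by_id: Dict[str, Requirement] = {}
    for r in reqs:
        if r.req_id in by_id:
            raise ValueError(f"duplicate requirement id: {r.req_id}")
        by_id[r.req_id] = r
    children: Dict[str, List[str]] = {rid: [] for rid in by_id}
    for r in reqs:
        if r.parent is not None:
            if r.parent not in by_id:
                raise ValueError(f"{r.req_id} names unknown parent {r.parent}")
            children[r.parent].append(r.req_id)
    for r in reqs:                    # a parent chain must end at a top-level item
        seen, cur = set(), r
        while cur.parent is not None:
            if cur.req_id in seen:
                raise ValueError(f"parent cycle involving {cur.req_id}")
            seen.add(cur.req_id)
            cur = by_id[cur.parent]
    return by_id, children


def leaves_under(req_id: str, children: Dict[str, List[str]]) -> List[str]:
    """Lowest-level sub-requirements beneath req_id (itself if it has none)."""
    if not children[req_id]:
        return [req_id]
    found: List[str] = []
    for kid in children[req_id]:
        found.extend(leaves_under(kid, children))
    return found


def audit(reqs: List[Requirement]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (gaps, rollup).

    gaps:   leaf requirement id -> artifact kinds with no trace link
    rollup: top-level requirement id -> its leaves that still have gaps
    Assumption: links recorded on a requirement that has sub-requirements are
    ignored; only leaf-level links count as evidence.
    """
    by_id, children = index_requirements(reqs)
    gaps: Dict[str, List[str]] = {}
    for rid, kids in children.items():
        if kids:
            continue
        links = by_id[rid].links
        unknown = set(links) - set(ARTIFACT_KINDS)
        if unknown:
            raise ValueError(f"{rid} has unknown link kinds: {sorted(unknown)}")
        missing = [k for k in ARTIFACT_KINDS if not links.get(k)]
        if missing:
            gaps[rid] = missing
    rollup = {
        rid: sorted(leaf for leaf in leaves_under(rid, children) if leaf in gaps)
        for rid, r in by_id.items() if r.parent is None
    }
    return gaps, rollup


def untraced_tests(reqs: List[Requirement], executed_tests: List[str]) -> List[str]:
    """Test procedures that were run but trace back to no requirement."""
    traced = {t for r in reqs for t in r.links.get("test", [])}
    return sorted(set(executed_tests) - traced)


# Constructed sample matrix: one requirement split in two, two unsplit ones.
SAMPLE_RTM = [
    Requirement("SYS-001"),
    Requirement("SYS-001.a", parent="SYS-001", links={
        "software_requirement": ["SRS 4.1"], "design_description": ["SDD 6.2"],
        "code": ["trip_logic.c"], "test": ["TP-01"]}),
    Requirement("SYS-001.b", parent="SYS-001", links={
        "software_requirement": ["SRS 4.2"], "design_description": ["SDD 6.3"],
        "code": ["trip_logic.c"], "test": []}),
    Requirement("SYS-002", links={
        "software_requirement": ["SRS 4.3"], "design_description": ["SDD 6.4"],
        "code": ["bypass.c"], "test": ["TP-02"]}),
    Requirement("SYS-003", links={
        "software_requirement": ["SRS 5.1"], "test": ["TP-03"]}),
]

if __name__ == "__main__":
    leaf_gaps, by_top_level = audit(SAMPLE_RTM)
    print("leaf gaps:", leaf_gaps)
    print("open threads per system requirement:", by_top_level)
    print("untraced tests:", untraced_tests(SAMPLE_RTM, ["TP-01", "TP-02", "TP-03", "TP-99"]))
```

An empty `rollup` entry corresponds to a thread that traces from the system requirement through to a test; a non-empty one names the sub-requirements a thread audit would stop on.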

3.7.3 Software Design Outputs

3.7.3.1 Software Requirement Specifications

The acceptance criteria for software requirements specifications (SRSs) are contained in BTP 7-14, Section B.3.3.1, "Requirements Activities - Software Requirements Specification." This section states that RG 1.172 endorses IEEE Std 830-1998, "IEEE Recommended Practice for Software Requirements Specifications." That standard describes an acceptable approach for preparing software requirements specifications for safety system software. Additional guidance is also provided in NUREG/CR-6101, Section 3.2.1 "Software Requirements Specification," and Section 4.2.1, "Software Requirements Specifications."

The SRS documentation for the HCGS PRNM system (Reference 1.F) was found to comply with the characteristics necessary to facilitate the development of quality software and programmable logic for use in nuclear safety applications. The NRC staff determined that each of the HCGS PRNM requirements evaluated was appropriately included in the associated SRS documentation. The NRC staff determined that the SRS documentation is adequately controlled by licensee and vendor processes. Vendor oversight activities performed by the licensee were evaluated in Section 3.7.1.2, "Activities Performed by the Licensee." Therefore, the NRC staff finds that the SRSs adequately address the guidance in BTP 7-14, Section B.3.3.1.

3.7.3.2 Software Design Description

The acceptance criteria for Software Design Description are contained in BTP 7-14, Section B.3.3.3, "Design Activities - Software Design Specification." This section states that the software design should accurately reflect the software requirements and that NUREG/CR-6101, Section 3.3.2, "Software Design Specification," and Section 4.3.2, "Software Design Specifications," contain relevant guidance.

The APRM Functional Controller Software Design Specification SOS (Reference 1.G) was reviewed by the NRC staff to determine if the above regulatory requirements were satisfied.

The functional and software development process characteristics of the SOS were determined to be acceptable for use in nuclear safety software applications. A thread audit was conducted at the GEH NUMAC development facility in Wilmington, North Carolina (Reference 28). During this audit, several requirements were checked and traced through to the function NUMAC software requirements and to applicable test plans and procedures. The SOS was understandable and contained sufficient information to facilitate implementation of requirements into the NUMAC development environment. A review of the HCGS PRNM system V&V Task Report (Reference 29.B) was also conducted (Section 3.7.2.2 of this SE). The NRC staff concluded that the V&V team performed an adequate job of assuring the SOS was developed and used in a manner that resulted in the development of quality NUMAC software capable of performing all required safety functions for the PRNM system. The HCGS PRNM system V&V Task Report provided reasonable assurance that adequate V&V was performed for all PRNM system documents produced during system development. Therefore, the NRC staff finds that the APRM Functional Controller Software Design Specification SOS adequately addresses the guidance in BTP 7-14, Section B.3.3.3.

3.8 Equipment Qualification

Criteria for EQs of safety-related equipment are provided in UFSAR Section 3.1.2.1.2, Criterion 2, "Design Bases for Protection Against Natural Phenomena," and UFSAR Section 3.1.2.1.4, Criterion 4, "Environmental and Missile Design Bases."

The PRNM system equipment will be installed in the HCGS control room, which is a mild environment. Equipment qualification tests of the PRNM system equipment and some of the nonsafety equipment, including APRM ODAs, RBM equipment, and NIC were performed to establish conformance with the operating envelopes applicable to the HCGS installation. The HCGS PRNM system equipment qualification includes temperature, humidity, pressure, radiation, seismic, and electromagnetic compatibility (EMC).

The IW Plan (Reference 1.0) describes the IW team as being responsible for preparation of the EQ plan and establishes the Digital I&C System Test and Qualification process requirements. The licensee submitted NUMAC Qualification Program HCGS (Reference 1.H), which describes the EQ program and identifies environmental requirements for the replacement PRNM system. Equipment qualification project-specific planning information was provided in the HCGS Qualification Summary Report (Reference 29.F).

The replacement NUMAC PRNM system is designed to maintain functional operability under conditions specified in the HCGS PRNM system upgrade project. The NRC staff confirmed that equipment qualification test requirements adequately address all HCGS PRNM system specifications and that qualification test results provide assurance that the PRNM system equipment is qualified to operate within its installed environment. PRNM qualification requirements are defined in the HCGS specification and in the NUMAC PRNM System Requirements Specification (Reference 1.F). The qualification requirements in Appendix F, Part 1, Section 9, are obtained directly from the HCGS specification.

Execution of the qualification program was performed in accordance with GEH's Digital I&C System Test and Qualification program requirements. A summary of the NUMAC equipment qualification to plant-specific requirements was provided in the HCGS Qualification Summary Report (Reference 29.F). The NRC staff reviewed all generic and plant-specific EQ requirements to confirm the PRNM system to be capable of performing required safety functions within the specified environmental conditions for operation and found them acceptable.

PRNM System Component Environmental Qualification Testing

Equipment Tested is itemized in Table 1.2-1 of the HCGS Qualification Summary Report (Reference 29.F). The NRC staff confirmed the PRNM system equipment components to be used at HCGS are included as equipment covered by the HCGS PRNM system qualification summary report.

Note: The licensee originally indicated that a new, redesigned Universal Front Panel (UFP) display would be used in the HCGS PRNM system; however, a later design change restored the previously qualified UFP display to the HCGS design. The NRC staff confirmed this UFP display to be a component of the APRM subsystem identified in Table 1.2-1 of the qualification summary report.

3.8.1 Environmental Qualification of PRNM System

RG 1.209 endorses and provides guidance for compliance with IEEE Std 323-2003, which describes a method acceptable to the NRC staff for satisfying the EQ of safety-related computer-based I&C systems for service in mild environments. The NUMAC equipment required to accomplish the APRM and OPRM reactor trip functions is required to be environmentally qualified.

The licensee HCGS NUMAC PRNM system Qualification Summary Report (Reference 29.F) addresses all EQ requirements for the replacement PRNM system. The HCGS PRNM equipment qualification is based on analysis of requirements, comparisons with generic PRNM components, and similarity analysis of previously qualified components.

The NRC staff evaluated the EQ specifications for a mild environment and analysis activities performed by the licensee, as well as the results of EQ tests performed, and determined the PRNM equipment satisfies the HCGS environmental requirements. The following subsections provide details of the NRC staff evaluation for each of the EQ areas considered.

3.8.1.1 Atmospheric Qualification

The licensee-specified atmospheric EQ level requirements for the replacement PRNM equipment are provided in Table 3.3-1 of the HCGS PRNM Qualification Summary Report (Reference 29.F). The environmental conditions to which the PRNM system equipment are qualified are provided in Table 4.1-1 of Appendix H to the LAR (Reference 1.H). The HCGS PRNM system equipment was qualified in accordance with RG 1.209 (Reference 24).

The maximum control room temperature is 78 degrees Fahrenheit (°F). A 20 °F temperature rise was included in the equipment qualification analysis (Table 3.3-1 of Reference 29.F), which is consistent with the test margin required by IEEE 323-2003. Per Section 4.4.2.2.1.3 of the approved NUMAC PRNM LTR (Reference 7), all PRNM equipment is qualified for continuous operation at temperatures up to 122 °F, and all PRNM components have been tested to operate at localized temperatures up to 142 °F, accounting for internal cabinet temperature rise. The tested capability, therefore, exceeds the maximum allowed control room conditions for the HCGS control room, including internal heat rise.

The lowest control room temperature specified for the HCGS PRNM installation location is 66 °F. For conservatism, no panel temperature rise was assumed in the analysis. The equipment is qualified to operate at temperatures down to 41 °F. Therefore, the PRNM equipment is qualified to operate at temperatures lower than the minimum temperature requirements for the HCGS control room. Thus, PRNM equipment is qualified to operate within the temperature range requirements for the HCGS control room.

The pressure and humidity ranges established for the HCGS control room are 20 to 60 percent humidity and pressure of -.25"WC to +.25"WC (14.691 to 14.709 pounds per square inch absolute (psia)). NUMAC equipment qualification levels are 20 to 90 percent humidity and 13 to 16 psia. Therefore, the PRNM equipment is qualified to operate within the pressure and humidity range requirements for the HCGS control room.

The HCGS PRNM system qualification summary report includes a discussion of PRNM equipment qualified service life. The NRC staff reviewed the data provided and considers the component service lifetimes to be reasonable for safety-related digital I&C equipment.

The NRC staff confirmed that temperature, humidity, and atmospheric pressure levels to which the PRNM system NUMAC equipment is qualified encompass the levels specified by the licensee and by the NUMAC PRNM System Requirements Specification.

3.8.1.2 Seismic Qualification

The HCGS replacement PRNM equipment will be located in cabinets where existing PRNM system hardware is located within the control room, and the ODA and fiber optic bypass switch will be located on the operator's panels in the control room.

PRNM control room electronics were qualified by type testing and analysis to the criteria of IEEE Std 344-1975. (See Section 4.4.2.3 of the NUMAC PRNM LTR, Reference 7, "Seismic Qualification.") The seismic acceleration levels to which the generic PRNM system is qualified are provided in that section of the LTR. The seismic response spectra referenced in the LTR were used to establish the seismic frequency dependent acceleration levels to which the NUMAC PRNM is qualified. A table, which approximates the horizontal and vertical qualification levels for 3 percent damping, is also included in the LTR.

The HCGS was qualified in accordance with RG 1.100, which endorses IEEE Std 344-2004.

Each subsystem of the PRNM system, with the exception of the NIC, was qualified by type-testing and/or analysis to one or the other NUMAC requirements specification.

The HCGS Qualification Summary Report (Reference 29.F) includes seismic response spectra for the areas in which the PRNM equipment will be located. The analyzed seismic acceleration is based on the required response spectra at the panel mounting location and the actual equipment location within the panel. These spectra were used to establish the seismic requirements for the HCGS PRNM system. These spectra provide a basis for comparison of required seismic levels for the HCGS installation location to the qualification levels of the generic NUMAC PRNM equipment to be installed.

Note: The panel analysis did not provide credit for the PRNM rear doors when closed. The results of this analysis demonstrate that the PRNM system is qualified for the HCGS seismic environment, even when the added structural integrity that these doors provide is not considered.

The NRC staff reviewed these spectra and determined that PRNM system qualification levels exceeded the required acceleration levels for the HCGS installation with significant margin over the entire applicable range of frequencies. The NIC was not qualified for seismic adequacy because it is not a safety-related component and it is not mounted in a safety-related panel or near safety-related equipment.

Based on the site-specific analysis and comparison with the actual test data, the NRC staff concludes the NUMAC PRNM system safety-related components are seismically qualified for use at HCGS. Reference 29.F contains a summary of the qualifications and addresses PRNM system seismic qualification.

3.8.2 Electromagnetic Compatibility Qualification

RG 1.180 describes a method acceptable to the NRC staff for the design, installation, and testing practices to address the effects of electromagnetic and radio-frequency interference and power surges on safety-related I&C systems.

The HCGS replacement PRNM system equipment is to be installed in the main control room, which is an administratively controlled area. The use of portable transceivers is administratively controlled by HCGS plant procedures. HCGS procedures require new equipment to be evaluated to determine susceptibility to electromagnetic and radio frequency interference and the new equipment's potential to affect nearby equipment through electromagnetic and radio frequency emissions.

The licensee provided a summary of EMC qualification of the HCGS PRNM system. (See Reference 29.F, Table 3.2-1, for susceptibility, and Table 3.2-2 for emissions.) The HCGS PRNM system components were qualified by type testing or analysis to demonstrate that the PRNM system will perform all specified functions when operated within the specified EMC limits and when mounted in accordance with the specified methods. EMC testing of representative NUMAC equipment was performed to demonstrate that PRNM system components satisfy the guidance of RG 1.180 (Reference 28).

For NUMAC PRNM system emissions, the licensee specified emission test levels in accordance with test methods RE101, RE102, CE101, and CE102, as recommended in Military Standard (MIL-STD)-461E. For NUMAC PRNM system susceptibility, the licensee specified immunity test levels in accordance with test methods International Electrotechnical Commission (IEC) 61000-4-2, 4-3, 4-4, 4-5, 4-6, and 4-12, as well as CS101 and RS101, as recommended in MIL-STD-461E. RG 1.180 only requires compliance with IEC standards or with MIL-STD-461E. Since PRNM equipment complies with both sets of standards, it is acceptable.

As indicated by EMC test results (Reference 29.F), PRNM system EMC emissions were satisfactory because the measured levels were less than or equal to the limits specified in RG 1.180. Similarly, the EMC susceptibilities were found to be satisfactory because the applied test levels were greater than or equal to the limits specified in RG 1.180, and the equipment under test performed satisfactorily during the tests. The NRC staff reviewed the summary of EMC tests to confirm the test result conclusions. The NRC staff's review was limited to the components used in the HCGS PRNM system and did not include other generic NUMAC components that were not used in the HCGS design. Based on the analysis, testing, and availability of test results for PRNM system EMC, the NRC staff determined that the replacement NUMAC PRNM system satisfies the EMC guidance provided by RG 1.180 to support installation within the HCGS control room.

3.8.3 Radiation Qualification

The HCGS control room normal radiation dose rate is 0 radiation absorbed dose (rad)/hour, and the maximum dose rate is 5 × 10⁻⁴ rad/hour. The total integrated dose over 40 years is 200 rads (Reference 29.F, Table 3.3-1). The PRNM system instruments are qualified to normal operating dose rate of 5 × 10⁻⁴ rad/hour and a total integrated radiation dose of 1,000 rads (Reference 1.H, Table 4.1-1). Therefore, the NRC staff found the LTR's radiation qualification results meet the HCGS requirements and satisfy the radiation qualification requirements.

3.9 Deviations from Prior LTRs

The LAR identified and provided technical basis justification for six deviations from the NUMAC PRNM LTR (Reference 1.J). This section identifies and addresses the acceptability of each of these six deviations.

1. APRM Upscale/OPRM Upscale, APRM INOP Function Logic (Reference 1, Appendix J, Table 1, Item 1). Justification for this deviation is that it ((

))

The NRC staff determined the proposed change is conservative relative to the current LTR approach. This plant-specific deviation is, therefore, acceptable.

2. Time to Calculate Flow-biased Trip Setpoint (Reference 1, Appendix J, Table 1, Item 2). Justification for this deviation is that ((

))

The NUMAC PRNM LTR (Reference 7, Section 3.3.2, "Safety Functions and Response Times of the NUMAC PRNM System") specifies ((

)) The flow transmitters used at HCGS are widely used in the industry. This deviation was discovered during the execution of the Columbia PRNM system project, and GEH notified other customers of this problem. The licensee's evaluation of the increased delay concludes there are no adverse effects on safety because STP trip does not protect against fast transients. The APRM neutron flux high trip, which is not affected by this deviation, is intended to provide protection during fast transients. The STP trip is intended to cover slow transients (e.g., loss of feedwater heating) that add positive reactivity. In such cases, the thermal power and the flow rates increase gradually, and the slow response time is of no consequence. The licensee further stated that the safety analysis does not take credit for STP high trip in any of the design-basis events.

The NRC staff determined the impact of the proposed change does not adversely affect the PRNM system safety functions. The NRC staff, therefore, concludes this plant-specific deviation is acceptable.

3. Abnormal Conditions Leading to Inoperative Status (Reference 1, Appendix J, Table 1, Item 3). Justification for this deviation is ((

)) The NRC staff confirmed the deviation request does not adversely affect safety functions and provides the necessary alarms to inform the operator of the status of the modules. The NRC staff, therefore, concludes this plant-specific deviation is acceptable.

4. OPRM Pre-Trip Alarms (Reference 1, Appendix J, Table 1, Item 4). Justification for this item is ((

))

The NRC staff determined this plant-specific deviation is acceptable because the associated OPRM pre-trip alarm functions being excluded in the HCGS PRNM design are neither credited nor required in the DSS-CD method of stability protection.

5. Increased Instrument Security (Reference 1, Appendix J, Table 1, Item 5). Justification for this deviation ((

))

The NRC staff reviewed the specific activities for which the additional security measures will apply and determined this plant-specific deviation to be acceptable. The evaluation of IEEE 7-4.3.2 2003, Clause 5.5.1, "Design for Computer Integrity," in Section 3.16 of this SE provides additional information on security measures taken to support the HCGS PRNM system.

6. PRNM System Input Power Source (Reference 1, Appendix J, Table 1, Item 6).

Justification for this deviation is ((

))

The NRC staff found that the power source to the HCGS PRNM system was different than the power sources described in the NUMAC PRNM LTR (Reference 7). The LTR includes an incorrect assumption that electrical power sources to PRNM system equipment are the same for all plants. The proposed power source to the replacement PRNM system equipment will be the same as the power being supplied to the existing equipment. The NRC staff confirmed that the power source to the PRNM system at HCGS remains compliant with regulatory requirements. The NRC staff, therefore, concludes this plant-specific deviation is acceptable.

3.10 Confirmation of LTR Safety Evaluation Plant-specific Actions

The NUMAC PRNM LTR SE identifies six plant-specific actions that are required when a licensee references the LTR as part of a license amendment submittal (Reference 7, SE, Section 5.0). This section identifies each of these actions and summarizes the steps taken by the licensee to fulfill each action to address each required confirmation.

1. Confirm applicability of NEDC-32410 and reconcile any differences between the specific plant design and the topical report description.

The license amendment submittal identified the specific HCGS PRNM system configuration options from those available in NEDC-32410 to demonstrate general applicability (Reference 1, Appendix R). There are six deviations from the LTR, and each one of the deviations has been explained, justified, and evaluated in Section 3.9 of this SE. The NRC staff confirmed the applicability and reconciliation of differences between the HCGS PRNM plant-specific design as provided by the licensee and the topical report description. The NRC staff, therefore, concludes this plant-specific action has been fulfilled.

2. Confirm the applicability of the BWROG topical reports that address the PRNM system and its associated instability functions, setpoints, and margins.

The license amendment submittal provided this confirmation through its direct reference to the BWROG topical reports and their uses when developing the PRNM system setpoints to include the reload-related aspects (Reference 1, Appendixes R and T, and Section 3.5 of this SE). This I&C evaluation confirmed applicability of the BWROG topical reports to the proposed HCGS PRNM system, including its associated DSS-CD instability functions, setpoints, and margins, as provided by the licensee. NEDC-32410 and NUMAC PRNM LTR (Reference 7 and Reference 8) include a description of the Option III stability, which is not being implemented in HCGS. Based on the information provided by the licensee as evaluated by the NRC staff, this plant-specific action has been fulfilled.

3. Provide plant-specific revised TS pages for the PRNM system functions consistent with NEDC-32410, Appendix H.

The licensee provided plant-specific revised TS pages. An evaluation of these changes was performed by the NRC staff (Section 3.2 of this SE), which determined all proposed changes were consistent with NEDC-32410, Appendix H of the NUMAC PRNM LTR (Reference 7). Therefore, this plant-specific action has been fulfilled.

4. Confirm the plant-specific environmental conditions are enveloped by the PRNM system equipment qualification values.

The licensee provided a NUMAC Power Range Neutron Monitor System Qualification Summary Report (Reference 29.F) to support this confirmation. This submittal addresses the HCGS plant-specific conditions. The NRC staff reviewed the HCGS PRNM equipment qualification to determine that installation specific environmental requirements have been suitably enveloped (Section 3.8 of this SE) and determined the HCGS PRNM system equipment is qualified for the installation environment. Therefore, the NRC staff determined this plant-specific action has been fulfilled.

5. Confirm that administrative controls are provided for manually bypassing APRM/OPRM channels or protective functions, and for controlling access to the panel and the APRM/OPRM channel bypass switch.

The license amendment submittal states that design features, currently in place, which control access to the PRNM system for setpoint adjustments, calibrations, and test points are not proposed to change from the approach previously reviewed and approved. The license amendment submittal also confirmed that administrative controls will be provided for manually bypassing APRM/OPRM channels or protective functions, and for controlling access to the panel and the APRM/OPRM channel bypass switch (Reference 1, Appendix O, Section 3.3.9). This I&C evaluation reviewed the specifications for and commitment to administrative controls, as provided by the licensee. Based on the information provided by the licensee and evaluated by the NRC staff, this plant-specific action has been fulfilled.

6. Confirm that any changes to the plant operator's panel have received human factors reviews per plant-specific procedures.

The license amendment submittal provided a brief review of the human factors in Section 9.2.14 of Appendix H to the LAR (Reference 1). It states that the design meets the intent of NUREG-0700, Revision 2, "Human-System Interface Design Review Guidelines." An evaluation of these changes was performed by the NRC staff (Section 3.20.4 of this SE), which determined all proposed changes were consistent with NUREG-0711. Therefore, this plant-specific action has been fulfilled.

3.11 DSS-CD Implementation

The DSS-CD design function performed by the HCGS PRNM system provides automatic detection and suppression of reactor instability caused by thermal-hydraulic instabilities in the RCS and minimizes reliance on the operator to suppress instability events. The "Confirmation Density Algorithm" (CDA) is designed to recognize an instability and initiate control rod insertion before the power oscillations increase much above the noise level.

((

))

An NRC evaluation of the GEH DSS-CD algorithms was completed in November of 2013 and the DSS-CD function was approved as an acceptable means of providing long-term stability protection for BWRs (Reference 27). The licensee is implementing the DSS-CD solution in accordance with the approved SE and has stated there are no deviations being taken from the approved solution to be applied to the HCGS NUMAC PRNM.

The licensee provided an evaluation of the DSS-CD implementation for HCGS (Reference 1, Appendix T). This evaluation includes an applicability checklist to be incorporated into the plant's reload evaluation process. The NRC staff confirmed that all DSS-CD applicability parameters were correctly applied for the HCGS application during the regulatory audit conducted at the GEH NUMAC facilities in Wilmington, North Carolina (Reference 28).

Section 3.19 of this SE provides more detail of the NRC staff's evaluation of thermal-hydraulic stability.

3.12 Tests and Self-Test Diagnostics

The NUMAC PRNM system automatically executes continuous self-test while the system key lock switch is in the operate position. ((

)) The NUMAC PRNM system includes additional manual testing features that are performed with key switch in the INOP position.

The NUMAC system also includes a watchdog timer function, which is specified in Section 4.3.4 of the PRNM System Architecture Description (Reference 1, Appendix A). This function is described in Section 3.4 of this SE.

The NRC staff evaluated NUMAC PRNM self-test functions described in Section 5.3.11 and specified in Reference 1, Appendix F, as applied to the HCGS PRNM system. The staff determined that test methods, including self-test functions as described in the LAR, adequately duplicate the performance of the system safety functions to provide reasonable assurance these functions can be maintained in an operable state during plant power operations. See the evaluation of IEEE 603-1991, Clause 5.7, "Capability for Test and Calibration," in Section 3.15 of this SE for additional information on this safety determination.

3.13 System Failure Analysis

There is no specific regulatory guidance on required format, complexity, or conclusions concerning system failure analysis; however, the following guidance was used by the NRC staff as a means of determining the effectiveness of the failure analysis programs as recorded in the NUMAC PRNM system documentation.

1. IEEE Std 379-2000, "Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems"
2. RG 1.153, Revision 1, "Criteria for Safety Systems," June 1995
3. IEEE Std 603-1991, Section 5.1, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations - Single Failure Criterion"
4. IEEE Std 603-1991, Section 5.15, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations - Reliability"

A system failure analysis is provided in Section 6.0 of the NUMAC PRNM LTR (Reference 7). This analysis consists of an equipment failure analysis, a critical system function failure analysis, and CCF-DID analysis. To address changes that have been made to regulatory criteria for failure analysis, the licensee also submitted a Failure Modes and Effects Analysis (FMEA) Report (Reference 29.E). Refer to FMEA Evaluation in the IEEE 603, Clause 5.1, evaluation in Section 3.15 of this SE for additional evaluation details on the HCGS PRNM FMEA report.

The equipment failure analysis was performed at the module level. It identified failure types and provides estimates of module failure rates. The module failure rates were used to determine availability values for critical system functions of the APRM, OPRM, and control rod block subsystems. The effects of these failures on critical system functions were further analyzed in the Critical System Function Failure analysis in the NUMAC PRNM LTR (Reference 7, Section 6.3). Automatic self-test features of the NUMAC system were considered in this analysis. The results were used to assess the relative impact of the replacement PRNM system on the performance characteristics of critical system functions, which include the safety protection functions performed by the PRNM system.

The NUMAC system failure analysis includes performance of an unavailability analysis, which is used to assess system and component reliability and availability with respect to pre-established goals. The unavailability analysis is also used to confirm that the PRNM design can support the surveillance test intervals to be implemented for the system. The system failure analyses are used to address the single failure and reliability requirements of the NUMAC PRNM system.

The FMEA method used by GEH is consistent with IEEE Std 379-2000, as endorsed by RG 1.53, Revision 2, "Application of the Single-Failure Criterion to Safety Systems." The NUMAC PRNM FMEA considers all single detectable failures concurrent with identifiable but non-detectable failures, failures caused by the single failure, and failures and spurious system actuations that cause or are caused by a design-basis event for which the PRNM is required to initiate a reactor scram.

The NRC staff reviewed the NUMAC PRNM system failure analysis as augmented by the HCGS PRNM FMEA (Reference 29.E) and determined the level of detail is appropriate for a system with this degree of complexity. The augmented failure analysis is sufficiently detailed to provide a useful assessment of the potential failures and the effects of those failures on the HCGS PRNM safety functions. The NRC staff determined that the augmented failure analysis provides reasonable assurance that the single-failure criteria are met for all credible single failures within the NUMAC PRNM system and all failures caused by a single failure. The failure analysis demonstrates that an input signal or system failure, including power supply or input power failure, will cause the PRNM system to fail in a predefined safe state and will annunciate that failure to the operators. Based on the NRC staff review of the PRNM failure analysis, there is reasonable assurance that all credible failure modes have been properly identified and evaluated for the replacement NUMAC PRNM system.

3.14 Determinism

In Section 3.15 of this SE, the NRC staff evaluated the NUMAC PRNM system deterministic performance attributes as part of the IEEE 603-1991, Clause 6.1, "Automatic Control," review.

The NRC staff reviewed the system performance requirements and validation test results that demonstrate deterministic performance characteristics of the PRNM system and compliance with requirements of IEEE 603-1991, Clause 6.1. The HCGS PRNM system's real-time performance was found to be deterministic and known. The NRC staff determined that functional requirements have been appropriately allocated between hardware and software, and adequate deterministic behavior of the PRNM system has been demonstrated via satisfactory test results. The NRC staff concludes that the HCGS PRNM system meets the criteria for deterministic behavior and predictable performance and is, therefore, acceptable.

3.15 Compliance to IEEE Std 603 Requirements

For nuclear power generating stations, the regulation at 10 CFR 50.55a(h) requires that safety systems must meet the requirements stated in IEEE Std 603-1991, "IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. The NRC staff's evaluation is based on the guidance contained in SRP Chapter 7, Appendix 7.1-C, "Guidance for Evaluation of Conformance to IEEE Std 603," which provides acceptance criteria for this standard. This NRC staff's evaluation also addresses RG 1.153 endorsement of IEEE Std 603-1991.

When the NUMAC PRNM system was originally evaluated by the NRC, it was determined to be compliant with the criteria of IEEE 279-1971 (NRC SE for NEDC-32410 within the NUMAC PRNM LTR SE, Reference 7). For HCGS, the licensee included a report on compliance with IEEE Std 603-1991 within Appendix O of the LAR (Reference 1). The NRC staff is, therefore, including the following evaluation and determination of compliance with IEEE 603-1991 and the correction sheet dated January 30, 1995, to support the safety conclusions of this SE.

IEEE 603-1991, Clause 4

This item requires that a specific basis is established for the safety system. The PRNM system design basis consists of the plant accident analysis and TSs. Changes to the system design basis as applied to various BWR designs were described in the NUMAC PRNM system retrofit LTR (Reference 7 and Reference 8). The design changes presented in the topical report include multiple variations of TSs and changes to TS basis. This topical report also includes a process for licensees to select and customize design-basis changes presented based on the size and type of reactor plant being modified.

The LAR identified the specific HCGS PRNM system configuration options from those available in NEDC-32410 (Reference 2 and Reference 3) to demonstrate general applicability (Reference 1, Appendix R). There were six deviations, as addressed and evaluated in Section 3.10 of this SE.

IEEE 603-1991, Clause 4.1, "Identification of the Design-basis Events"

This item requires that the design-basis documentation include the safety functions and corresponding protective actions of the execute features for each design-basis event.

The licensee documented the PRNM plant-specific design-basis change selections made for HCGS. These selections were provided in Appendix R, "Plant-specific Responses Required by PRNM LTR," to the LAR (Reference 1, Appendix R). The licensee evaluated the revised PRNM system design and determined the replacement system continues to meet the requirements set forth in the UFSAR Chapter 15, "Safety Analysis."

The NRC staff reviewed the design-basis documents for the HCGS PRNM system and determined the revised basis for the replacement PRNM system is consistent with the approved PRNM system topical report. Therefore, the HCGS PRNM system meets the criteria of IEEE 603-1991, Clauses 4 and 4.1.

IEEE 603-1991, Clause 4.2, "Identification of Safety Functions and Protective Actions"

This item requires that the design-basis documentation include the safety functions and corresponding protective actions of the execute features for each design-basis event.

The safety functions of the existing PRNM system are included in the HCGS design-basis documentation. These PRNM safety functions and corresponding protective actions of the execute features for each design-basis event for HCGS are unchanged from the existing power range monitoring system as a result of the system upgrade; therefore, the HCGS PRNM system remains compliant with the criteria of IEEE 603-1991, Clause 4.2.

IEEE 603-1991, Clause 4.3, "Permissive Conditions for Operating Bypasses"

This item requires that the design-basis documentation include the permissive conditions for each operating bypass capability that is to be provided.

The existing two APRM bypass switches are being replaced with a single mechanical fiber optic bypass switch. The functionality of this new bypass switch is described in Section 5.5 of the PRNM System Requirements Specification (Reference 1, Appendix F). The permissive conditions for operation of the bypass functions as described in Section 7.2.1.1.1 of the UFSAR are not affected by the NUMAC PRNM design changes. Operation of the APRM bypass switch will continue to allow only one APRM channel to be bypassed at any time. Bypassing an APRM channel will not inhibit the NMS from providing protective action where required. The NRC staff, therefore, determined that the requirements of IEEE 603-1991, Clause 4.3, are satisfied.

IEEE 603-1991, Clause 4.4, "Identification of Variables Monitored"

This item requires that the design-basis documentation include the variable or combinations of variables or both that are to be monitored to manually or automatically or both control each protective action; the analytical limit associated with each variable; the ranges (normal, abnormal, and accident conditions); and the rates of change of these variables to be accommodated until proper completion of the protective action is assured.

The variables associated with the PRNM system are neutron flux from the APRM detectors and recirculation flow signals. These variables are not being changed as a result of the NUMAC upgrade. Section 5, "Inputs," of the NUMAC PRNM System Requirements Specification (Reference 1, Appendix F) includes necessary requirements for processing of these variables.

The NRC staff, therefore, determined that the requirements of IEEE 603-1991, Clause 4.4, are satisfied.

System response times, accuracies, and setpoints did, however, require evaluation to determine if changes resulting from the PRNM system modification would impact proper completion of the PRNM required protective actions. See Section 3.6 of this SE for evaluation of the PRNM system response time requirements. The setpoint calculations for the revised PRNM system setpoints are evaluated in Section 3.5 of this SE.

IEEE 603-1991, Clause 4.5, "Minimum Criteria for Manual Protective Actions"

This item requires that the design-basis documentation include the minimum criteria for each protective action in Clause 4.2 whose operation may be controlled by manual means initially or subsequent to initiation.

The PRNM safety actuation function is the initiation of a reactor trip. The reactor trip function includes manual controls for reactor trip actuation. Manual reactor trip control functions are not within the scope of the NUMAC PRNM system; therefore, the PRNM replacement does not alter the manual actuation configuration as described in Sections 7.2.1.1.10, "Manual Scram," and 7.2.1.1.11, "Reactor Mode Switch Manual Scram," of the UFSAR. The revised PRNM system design retains indicators of plant variables to support operator use in taking manual actions.

The NRC staff, therefore, considers the requirements of IEEE 603-1991, Clause 4.5, to remain satisfied.

IEEE 603-1991, Clause 4.6, "Identification of the Minimum Number and Location of Sensors"

This item requires that the design-basis documentation include, for those sensors in Clause 4.4 that have spatial dependence (that is, where the variable varies as a function of position in a particular region), the minimum number and location of sensors required for protective purposes.

Because manual reactor trip control functions are not within the scope of the NUMAC PRNM system, the proposed modification does not alter the manual actuation configuration or affect the number or location of sensors or scram switches. The NRC staff, therefore, considers the requirements of IEEE 603-1991, Clause 4.6, to remain satisfied.

IEEE 603-1991, Clause 4.7, "Range of Transient and Steady-State Conditions"

This item requires that the design-basis documentation include the range and steady-state transient conditions of both motive and control power and the environment (for example, voltage, frequency, radiation, temperature, humidity, pressure, and vibration) during normal, abnormal, and accident circumstances throughout which the safety system shall perform.

The replacement NUMAC PRNM system equipment will be located in the same cabinets that house the existing power range monitor equipment. Therefore, the environmental conditions experienced by the modified system will remain the same. The range of transient and steady-state conditions during normal, abnormal, and accident conditions will not be affected as a result of the PRNM modification. Therefore, no evaluation was performed with respect to the documentation of the range of transient and steady state conditions. The replacement PRNM equipment is qualified to operate in the existing plant environmental conditions. See Section 3.8 of this SE for the NRC staff's evaluation of PRNM equipment qualification. The NRC staff, therefore, considers the requirements of IEEE 603-1991, Clause 4.7, to remain satisfied.

IEEE 603-1991, Clause 4.8, "Conditions Causing Functional Degradation"

This item requires that the design-basis documentation include the conditions having the potential for functional degradation of safety system performance and for which provisions shall be incorporated to retain the capability for performing the safety functions.

The installation of the replacement PRNM will not change any of the provisions or associated conditions that are documented as part of the plant design basis. Since the location of the new system is the same as the old system, no new conditions having the potential for causing degradation are being introduced.

The replacement PRNM system is also qualified to operate within the environmental conditions that may exist during any accident or transient that requires the PRNM system to perform its safety function. The NRC staff, therefore, determined that the modified PRNM system complies with the requirements of IEEE 603-1991, Clause 4.8.

IEEE 603-1991, Clause 4.9, "Methods Used to Determine Adequate Reliability of the Safety System"

This item requires that the design-basis documentation include the methods used to determine that reliability of the safety system design is appropriate for the safety systems design and any qualitative or quantitative goals that may be imposed on the system design.

The method used for determining reliability of the PRNM system is based on the establishment of quantitative goals specified by the licensee. The licensee specified PRNM system reliability and availability requirements in Section 7 of the NUMAC APRM DSS-CD Performance Specification (Reference 1, Appendix F, Part 2). The NRC staff found that the reliability goals and the methods employed by the NUMAC system vendor to meet these goals were appropriate and were determined to provide an adequate means of meeting the performance requirements of the PRNM system. The NRC staff, therefore, determined that the modified PRNM system complies with the requirements of IEEE 603-1991, Clause 4.9.

IEEE 603-1991, Clause 4.10, "Control After Protective Actions"

This item requires that the design-basis documentation include the critical point in time or plant conditions after the onset of the design-basis event, including the point in time or plant conditions (1) for which the protective actions of the safety system shall be initiated, (2) that define the proper completion of the safety function, (3) that require automatic control of protective actions, and (4) that allow returning the safety system to normal.

The replacement PRNM system does not modify the existing design-basis critical points in time or plant conditions where the protective actions of the safety system are required to be initiated.

The point in time where the protective action is required is determined by the setpoint for that protective action. The completion of the protective action is determined by the response time, and this is specified in the PRNM system performance specification (Reference 1, Section 3.3.3.5 of Appendix F, Part 2). The definition of proper completion of the safety function, the required automatic control of protective actions, and the determination of when the safety system may be returned to normal will not change as a result of this modification. The NRC staff, therefore, determined that the replacement PRNM system complies with the requirements of IEEE 603-1991, Section 4.10.

IEEE 603-1991, Clause 4.11, "Equipment Protective Provisions"

This item requires that the design-basis documentation include the equipment protective provisions that prevent the safety system from accomplishing safety functions.

Several new features are being introduced to the design of the replacement PRNM system to ensure that safety functionality will be maintained. These features enhance the reliability of the PRNM replacement system and do not provide equipment protective features that would prevent the system from performing the required safety functions. The NRC staff reviewed these new features as defined in the NUMAC PRNM System Requirements Specification and determined that the replacement PRNM system complies with the requirements of IEEE 603-1991, Section 4.11.

IEEE 603-1991, Clause 4.12, "Special Design Bases"

This item requires that the design-basis documentation include any other special design-basis provisions that prevent the safety systems from accomplishing their safety functions.

The NUMAC PRNM system does not contain design provisions that would prevent the safety system from accomplishing its safety functions. A D3 analysis was performed and provided to the NRC as Appendix I of the LAR (Reference 1, Appendix I). This analysis postulates the common cause software failure of the NUMAC PRNM system and identifies available diverse protection measures used to maintain reactor safety. Section 3.16 of this SE provides an NRC staff evaluation of the HCGS PRNM D3 analysis. The NRC staff determined that the replacement PRNM system complies with the requirements of IEEE 603-1991, Section 4.12.

IEEE 603-1991, Clause 5, "System"

This clause requires that safety systems with precision and reliability maintain plant parameters within acceptable limits established for each design-basis event. The power and I&C portions of each safety system are required to be comprised of more than one safety group of which any one safety group can accomplish the safety function.

The precision aspects of the PRNM system for safety-related functions are addressed by the signal processing of input signals associated with the initiation of safety functions. Signal processing requirements are specified in the NUMAC PRNM System Requirements Specification (Reference 1, Appendix F, Part 1). Precision and reliability requirements are specified in the NUMAC APRM DSS-CD Performance Specification (Reference 1, Appendix F, Part 2). Once implemented, these requirements were verified during performance of the system validation and factory acceptance testing activities. The NUMAC PRNM system consists of four APRM channels that have independent inputs and outputs. Electric power to each of these channels is also supplied by redundant sources. The trip signal output from each APRM channel is provided to four independent 2-out-of-4 coincidence voter channels. Each voter channel is associated with one of the four RPS trip system channels. The one-out-of-two-taken-twice logic in the RPS is unchanged. The PRNM system is, therefore, considered to be comprised of two safety groups, and each of these safety groups is capable of providing the necessary actuation signals to accomplish the required safety functions. The NRC staff's evaluation conclusions for each of the IEEE 603-1991, Section 5 subclauses are provided below.

IEEE 603-1991, Clause 5.1, "Single-Failure Criteria"

This clause requires that the safety system be able to perform its safety function required for a design-basis event in the presence of:

1. any single detectable failure within the safety systems concurrent with all identifiable but non-detectable failures,
2. all failures caused by the single failure, and
3. all failures and spurious system actions that cause or are caused by the design-basis event requiring the safety functions.

SRP Chapter 7, Appendix 7.1-C, Section 5.1, "Single Failure Criterion," provides acceptance criteria for the single-failure criteria, including RG 1.53, Revision 2, which endorses IEEE Std 379-2000.

The ability of the PRNM system to meet single-failure criteria was previously evaluated in Section 3.6.2, "Single Random Failure," of the NUMAC PRNM LTR SE (Reference 7). That evaluation referenced the criteria of IEEE 279-1971; however, the evaluation and results remain relevant to the criteria of IEEE 603-1991 and were, therefore, considered in the NRC staff's evaluation of single-failure criteria for the HCGS PRNM design.

PRNM system equipment failure analysis and critical system function failure analysis were performed to provide a basis for conformance to the single-failure criteria. The analyses are described in Section 6.2, "Equipment Failure Analysis," and 6.3, "Critical System Function Failure Analysis," of the NUMAC PRNM LTR (Reference 7) and are evaluated in Section 3.13 of this SE. These analyses identify PRNM system failures, as well as means of detecting analyzed failures. There were no non-detectable PRNM component failures identified in these analyses.

The PRNM system architecture includes separation of APRM components into four separate channels. Any single detectable failure within an APRM channel component would not cause the system safety function to be incapacitated because the remaining three APRM channels would retain the capability of completing required safety functions. The PRNM system architecture also includes four separate voter modules. Any single detectable failure within a PRNM voter module would not cause the system safety function to be incapacitated because the remaining three voters would remain capable of completing the required safety functions.

No postulated spurious system actions that cause or are caused by the design-basis event requiring the safety functions were identified in the PRNM equipment failure or critical system function failure analyses.

Failure Modes and Effects Analysis

GEH performed an FMEA (Reference 29.E) of the HCGS PRNM system. A systematic analysis of the design was performed to identify credible failures of the PRNM system, evaluate the consequence and effects of those failures, and verify that the design satisfies the single-failure criteria of IEEE 603-1991.

Section 3.13 of this SE includes an evaluation of system failure analyses performed for the PRNM system. The equipment failure and critical system function analyses adequately demonstrate that the PRNM system will remain capable of performing required safety functions when postulated single failures of the system occur. Based on the evaluations referenced above, the NRC staff determined that the replacement PRNM system complies with the requirements of IEEE 603-1991, Clause 5.1.
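The single-failure argument for the four-channel, four-voter arrangement evaluated under Clause 5.1 can be checked exhaustively in a small logic model. The Python below is an added example, not code from the licensee, GEH or the NRC; the voter-to-RPS labels (A1, A2, B1, B2), the two stuck-output failure modes, and the treatment of a bypassed channel as simply excluded from the vote are modeling assumptions, and the `threshold` parameter exists only to contrast 2-out-of-4 with a hypothetical 3-out-of-4 design.

```python
from itertools import product

# Four APRM channels and four voters, as described in the SE.
CHANNELS = ("APRM1", "APRM2", "APRM3", "APRM4")
# Assumed labels: each voter feeds one RPS trip channel, two per trip system.
VOTER_TO_RPS = {"V1": "A1", "V2": "A2", "V3": "B1", "V4": "B2"}
# Assumed worst-case failure modes: output frozen in one state.
MODES = ("stuck_untripped", "stuck_tripped")


def apply_failure(name, healthy_value, failure):
    """Return a component's output given an optional (component, mode) failure."""
    if failure and failure[0] == name:
        return failure[1] == "stuck_tripped"
    return healthy_value


def voter_trips(channel_trips, bypassed, threshold):
    """Coincidence vote over the channels that are not in bypass."""
    votes = sum(t for ch, t in channel_trips.items() if ch != bypassed)
    return votes >= threshold


def rps_scram(voter_out):
    """One-out-of-two-taken-twice: (A1 or A2) and (B1 or B2)."""
    rps = {VOTER_TO_RPS[v]: t for v, t in voter_out.items()}
    return (rps["A1"] or rps["A2"]) and (rps["B1"] or rps["B2"])


def system_scram(demand, failure=None, bypassed=None, threshold=2):
    """Propagate a trip demand through channels, voters and RPS logic.

    demand   -- True when plant conditions require a trip
    failure  -- None or (component_name, mode) for one failed component
    bypassed -- None or the single APRM channel placed in bypass
    """
    channel_trips = {ch: apply_failure(ch, demand, failure) for ch in CHANNELS}
    # Every voter sees all four channels, so the healthy vote is identical.
    vote = voter_trips(channel_trips, bypassed, threshold)
    voter_out = {v: apply_failure(v, vote, failure) for v in VOTER_TO_RPS}
    return rps_scram(voter_out)


def single_failure_sweep(threshold=2):
    """List every (demand, failure, bypassed) case where the output != demand.

    Covers no failure plus each single channel or voter failure in both
    modes, combined with no bypass or one channel in bypass.
    """
    components = CHANNELS + tuple(VOTER_TO_RPS)
    failures = [None] + list(product(components, MODES))
    bypasses = (None,) + CHANNELS
    violations = []
    for demand, failure, bypassed in product((True, False), failures, bypasses):
        if system_scram(demand, failure, bypassed, threshold) != demand:
            violations.append((demand, failure, bypassed))
    return violations


if __name__ == "__main__":
    print("2-out-of-4 violations:", single_failure_sweep(threshold=2))
    for case in single_failure_sweep(threshold=3):
        print("3-out-of-4 violation:", case)
```

In this model the 2-out-of-4 vote neither misses a demanded trip nor produces a spurious one under any single failure, with or without one channel in bypass; the hypothetical 3-out-of-4 vote misses the trip whenever one channel is bypassed and a different channel is stuck untripped.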

IEEE 603-1991, Clause 5.2, "Completion of Protective Action"

This clause states that the safety systems shall be designed so that once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion, and that deliberate operator action shall be required to return the safety systems to normal. SRP Chapter 7, Appendix 7.1-C, Section 5.2, "Completion of Protective Action," provides acceptance criteria for this requirement.

The PRNM system voter modules provide trip input signals to the HCGS RPS, which is not within the scope of the PRNM upgrade. The RPS system is designed such that once tripped, the RPS reactor trip will proceed to completion, and deliberate operator action is required to reset a reactor trip. The NRC staff finds the replacement PRNM system complies with the requirements of IEEE 603-1991, Clause 5.2.

IEEE 603-1991, Clause 5.3, "Quality"

This clause states that the components and modules within the safety system be of a quality that is consistent with minimum maintenance requirements and low failure rates and that safety system equipment be designed, manufactured, inspected, installed, tested, operated, and maintained in accordance with a prescribed QA program. SRP Chapter 7, Appendix 7.1-C, Section 5.3, "Quality," provides acceptance criteria for the quality requirement. These acceptance criteria state that the QA provisions of 10 CFR Part 50, Appendix B, apply to a safety system.

The UFSAR Section 3.1.2.1.1, Criterion 1, states that SSCs important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency, and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A QA program shall be established and implemented in order to provide adequate assurance that these SSCs will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of SSCs important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

PRNM system components are developed under the equipment manufacturer's QA program, and the system is procured as safety-related by the licensee. The licensee has an NRC-approved 10 CFR Part 50, Appendix B, QA program. The licensee has audited the PRNM vendor and maintains GEH on its approved Appendix B suppliers list. During the design, development, and testing of the replacement PRNM system, the licensee has conducted oversight activities. The NRC staff confirmed that platform components are of adequate quality and meet the acceptance criteria of SRP Chapter 7, Appendix 7.1-C, Section 5.3, "Quality."

Therefore, the NRC staff finds that the replacement PRNM system conforms to the requirements of IEEE 603-1991, Clause 5.3.

IEEE 603-1991, Clause 5.4, "Equipment Qualification"

This clause states that safety system equipment be qualified by type test, previous operating experience, or analysis, or any combination of these three methods, to substantiate that it will be capable of meeting the performance requirements as specified in the design basis.

Acceptance criteria for IEEE Std 603-1991, Clause 5.4 are provided in SRP Chapter 7, Appendix 7.1-C, Section 5.4, "Equipment Qualification." These acceptance criteria state that the applicant/licensee should confirm that the safety system equipment is designed to meet the functional performance requirements over the range of normal environmental conditions for the area in which it is located. RG 1.89, Revision 1, "Environmental Qualification of Certain Electric Equipment Important to Safety for Nuclear Power Plants," June 1984, endorses and provides guidance for compliance with IEEE Std 323-1974, "IEEE Standard for Qualifying Class 1E Equipment for Nuclear Power Generating Stations."

Equipment qualification of the PRNM system equipment is evaluated in Section 3.8 of this SE.

The NRC staff determined that the PRNM system equipment qualifications adequately demonstrate that the replacement system is capable of meeting its functional performance requirements over the range of normal and worst-case accident environmental conditions to be expected at the HCGS main control room. The NRC staff finds that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.4.

IEEE 603-1991, Clause 5.5, "System Integrity"

This clause states that the safety systems be designed such that the system can accomplish its safety functions under the full range of applicable conditions enumerated in the design basis.

SRP Chapter 7, Appendix 7.1-C, Section 5.5, "System Integrity," provides acceptance criteria for system integrity. These acceptance criteria state that the NRC staff should confirm that tests have been conducted on safety system equipment components, system racks and panels, as a whole, to demonstrate that the safety system performance is adequate. The tests should ensure completion of protective actions over the range of transient and steady state conditions of both the energy supply and the environment. The tests should also show that if the system does fail, it fails in a safe state, and that failures detected by self-diagnostics also place a protective function into a safe state.

The replacement PRNM system will be installed inside the HCGS control room. The review discussed in Section 3.8 of this SE has determined that the replacement PRNM system is qualified for that environment. The control room envelope is maintained in an ambient mild environment during normal and accident conditions. The equipment qualification evaluated in Section 3.8 of this SE provides reasonable assurance that the replacement PRNM system is capable of performing its safety functions over the full range of environmental conditions that may exist during the worst-case design-basis event during which the safety functions are required.

The NRC staff's review confirmed that the equipment failure and critical system function analyses provide reasonable assurance that an input signal or system failure, including power supply or input power failure, will cause the PRNM system to fail to the actuated safe state and annunciate such failures to the operators. Further, the NRC staff's review confirmed the self-diagnostic features and tests performed by the NUMAC computers will place the PRNM system into a safe state and will annunciate failure status to the operators. The NRC staff determined that the replacement PRNM system meets the criteria of IEEE 603-1991, Clause 5.5.

IEEE 603-1991, Clause 5.6, "Independence"

IEEE 603-1991, Clause 5.6.1, "Between Redundant Portions of a Safety System"

This clause states that the safety systems be designed such that there is sufficient independence between redundant portions of a safety system such that the redundant portions are independent of and physically separated from each other to the degree necessary to retain the capability to accomplish the safety function during and following any design-basis event requiring that safety function.

The replacement PRNM system design consists of four independent channels. Each of these channels is physically separated and electrically isolated from the other APRM/OPRM channels.

The 2-out-of-4 voter channels are also physically separated and electrically isolated from the APRM/OPRM channel components. The replacement PRNM system does not incorporate any communications links or data-sharing features between redundant APRM/OPRM channels.

Communication interfaces between APRM/OPRM channels and voter modules are not considered as part of the Clause 5.6.1 evaluation because voter modules are not redundant with the APRM/OPRM channels. Communications independence between the APRM/OPRM channels and the voter channels, as well as communication to external systems, is addressed in Section 3.3.4 of this SE.

Each PRNM channel has dedicated sensors that provide analog input signals needed to accomplish safety functions. Electrical independence between redundant portions of the PRNM system is provided for by using diverse power supplies and separation of cabling. Each PRNM channel is powered from a separate vital 120 volts alternating current (VAC) bus. Cables associated with the four PRNM channels are routed in separate cable trays. The requirement for physical isolation between redundant portions of the PRNM is met by the physical arrangement of each APRM/OPRM channel within separate bays.

Signal interfaces with external systems are maintained electrically compatible using interface subassemblies. The interface to the plant computer and plant operator's panel interface to the plant computer system is accomplished by the NIC system, as described in Section 3.3 of this SE.

The NRC staff determined that there is sufficient independence between redundant portions of the replacement PRNM system; therefore, the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.6.1.

IEEE 603-1991, Clause 5.6.2, "Between Safety Systems and the Effects of Design-Basis Event"

This clause states that the safety systems required to mitigate the consequences of a specific design-basis event be independent of and physically separated from the effects of the design-basis event to the degree necessary to retain the capability to meet the requirements of this standard. Clause 5.6.2 further states that equipment qualification in accordance with Clause 5.4 is one method that can be used to meet this requirement.

UFSAR Section 3.1.2.3.3, Criterion 22, "Protection System Independence," requires, in part, that the protection system be designed to assure that the effects of natural phenomena and of normal operating, maintenance, and testing do not result in loss of protection function.

The NRC staff reviewed the equipment qualifications of the replacement PRNM system and determined this qualification demonstrates sufficient independence between the replacement PRNM system and effects of design-basis events. The digital PRNM system is capable of mitigating the consequences of design-basis events, and is sufficiently physically separated from the effects of the design-basis events. The NRC staff, therefore, determined that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.6.2.

IEEE 603-1991, Clause 5.6.3, "Between Safety Systems and Other Systems"

This clause states that the safety systems be designed such that credible failures in and consequential actions by other systems will not prevent the safety systems from meeting the requirements of this standard. This requirement is subdivided into requirements for interconnected equipment, equipment in proximity, and the effects of a single random failure.

The three subsections below document the evaluation of interconnected equipment, equipment in proximity, and the effects of a single random failure separately. The NRC staff evaluated the communication independence between the replacement PRNM system and other systems in Section 3.3.4 of this SE. In addition, the security aspects of Clause 5.6.3 were evaluated by the NRC staff in Section 3.17 of this SE. Based on these evaluations, the NRC staff determined that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.6.3.

IEEE 603-1991, Clause 5.6.3.1, "Interconnected Equipment"

This clause states that equipment that is used for both safety and nonsafety functions, as well as the isolation devices used to effect a safety system boundary, shall be classified as part of the safety systems. This clause further states that no credible failure on the nonsafety side of an isolation device shall prevent any portion of a safety system from meeting its minimum performance requirements during and following any design-basis event requiring that safety function, and that a failure in an isolation device will be evaluated in the same manner as a failure of other equipment in a safety system.

Some components of the replacement PRNM system such as the RBM are classified as nonsafety-related. The NRC staff confirmed that none of these devices is used for the accomplishment of any of the PRNM safety functions. PRNM voter modules are safety-related and are, therefore, classified as part of the PRNM safety system. Interconnection to the voter modules is, therefore, acceptable.

The effect of isolation device failures is considered in the system failure analysis for the PRNM (Section 3.13 of this SE). Because isolation devices used in the PRNM system are classified as safety-related, they are evaluated for failures in the same manner as the other safety-related components of the PRNM system. The NRC staff, therefore, determined the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.6.3.1.

IEEE 603-1991, Clause 5.6.3.2, "Equipment in Proximity"

This clause states that equipment in other systems that is in physical proximity to safety system equipment, but that is neither an associated circuit nor other Class 1E circuit, will be physically separated from the safety system equipment to the degree necessary to retain the safety system's capability to accomplish their safety functions in the event of the failure of nonsafety equipment, and that physical separation may be achieved by physical barriers or acceptable separation distance. This clause further states that the physical barriers used to effect a safety system boundary shall meet the requirements of Section 5.3, "Quality"; 5.4, "Equipment Qualification"; and 5.5, "System Integrity," for the applicable conditions specified in Clauses 4.7 and 4.8 of the design basis.

The existing cabinets housing the NMS will be retained and the replacement PRNM components will be installed into them. The need for physical isolation is met by the physical arrangement of each PRNM channel within separate cabinets. Physical separation is maintained between redundant PRNM channels by the cabinet and cable layouts.

Outside the PRNM cabinets, vital signals and wiring are separated and physically protected to preserve channel independence and maintain system redundancy against physical hazards.

System sensors are physically separated from each other. The arrangement of system sensors and field wiring is not changed by the proposed design change.

The replacement PRNM channels are installed in separate safety-related cabinets within the control room. There is no change in the physical proximity or separation of these cabinets.

These cabinets and their location ensure that there is no equipment in other systems in physical proximity to the PRNM equipment that would prevent it from performing its safety functions.

The replacement PRNM system, therefore, meets the requirements of IEEE 603-1991, Clause 5.6.3.2.

IEEE 603-1991, Clause 5.6.3.3, "Effects of a Single Random Failure"

This clause states that where a single random failure in a nonsafety system can result in a design-basis event, and also prevent proper action of a portion of the safety system designed to protect against that event, the remaining portions of the safety system shall be capable of providing the safety function even when degraded by any separate single failure.

Section 3.8, "Equipment Qualifications," and the NRC staff evaluation of IEEE 603, Clause 5.4, of this SE evaluate the ability of the replacement PRNM system to function in all anticipated operating environments, including those present during design-basis events. The NRC evaluation determined the replacement PRNM system will function independently of credible failures of interconnected equipment and equipment in proximity to the PRNM system.

The NRC staff evaluation determined there are no single random failures of nonsafety systems that can result in a design-basis event and also prevent proper action of the PRNM system safety functions designed to protect against that event; therefore, the replacement PRNM system complies with the criteria of IEEE 603-1991, Clause 5.6.3.

IEEE 603-1991, Clause 5.7, "Capability for Test and Calibration"

This clause states that the safety system shall have the capability for test and calibration while retaining the capability to accomplish its safety function, and that this capability be provided during power operation, and shall duplicate, as closely as practicable, performance of the safety function. Exceptions to testing and calibration during power operation are allowed where this capability cannot be provided without adversely affecting the safety or operability of the generating station. However, appropriate justification must be provided, acceptable reliability of equipment operation must be demonstrated, and the capability shall be provided while the generating station is shut down.

BTP 7-17, "Guidance on Self-Test and Surveillance Test Provisions," describes additional considerations in the evaluation of test provisions in digital computer-based systems. The self-test features associated with the replacement PRNM system are described in Section 6.3.5, "Self Test Coverage," of the NUMAC PRNM system LTR. When the LTR was evaluated, the NRC staff confirmed: (1) the PRNM system is designed for inservice testability commensurate with the safety function performed through all modes of plant operation; (2) the positive aspects of self-test features are not compromised by the additional complexity added to the safety system by the self-test features; (3) the PRNM hardware and software design supports required system periodic testing; and (4) failure modes assumed to be detectable by the single-failure analysis are in fact detectable. These findings remain valid for the replacement PRNM system.

The capability for testing and calibration of the replacement PRNM is not significantly different from that of the existing NMS. The replacement NUMAC PRNM provides enhanced self-testing and diagnostic functions that reduce the likelihood of undetected failures. See Section 3.12 of this SE for a more detailed description of the NUMAC PRNM self-test features. The PRNM system self-tests and the application-specific test and calibration functions were performed during the system Factory Acceptance Test to verify the safety function is not adversely affected by performance of built-in or application-specific test and calibration functions.

PRNM system periodic testing includes channel calibrations. The channel calibrations can be performed on line using the bypass capability of the channel or during refueling outages when the PRNM system is not required to be operable.

When online testing is required for system maintenance, the PRNM replacement design allows for testing without disconnecting wires, installing jumpers, or otherwise modifying the installed equipment. Simulated signal inputs into a protection channel can be applied using measuring and test equipment. During performance of testing or maintenance of the PRNM system, affected channels may be placed into the bypass mode.

Considering the system testing and calibration features described above, the NRC staff determined that the replacement PRNM design has sufficient capability for performance of testing and calibration during power operation. The NRC staff also determined that test methods described in the LAR adequately duplicate the performance of the system safety functions to provide reasonable assurance these functions can be maintained in an operable state during plant power operations. Therefore, the replacement PRNM system complies with the criteria of IEEE 603-1991, Clause 5.7.

IEEE 603-1991, Clause 5.8, "Information Displays"

IEEE Std 603, Clause 5.8, contains no requirements but has four subclauses that do contain requirements used to evaluate the replacement PRNM system in the subsections below. SRP Chapter 7, Appendix 7.1-C, Section 5.8, "Information Displays," provides further review guidance for Clause 5.8.

IEEE 603-1991, Clause 5.8.1, "Displays for Manually Controlled Actions"

This clause states that display instrumentation provided for manually controlled actions for which no automatic control is provided and that are required for the safety systems to accomplish their safety functions will be part of the safety systems. The design shall minimize the possibility of ambiguous indications that could be confusing to the operator.

The replacement PRNM system supplies signals to display instruments used to support manual control actions. These functions are being implemented in a manner that duplicates the display functions that are currently being performed by the existing neutron monitoring system. As such, no change to existing display functionality or introduction of new display functionality is being implemented with this modification. Because PRNM safety functions are automatically initiated, there are no display instruments for manually controlled actions for which no automatic PRNM control is provided.

The NRC staff reviewed the indications provided by the PRNM system and determined that safety system manual control actions are adequately supported by these indications. The NRC staff also determined that PRNM supported indications provide sufficient information to plant operators in an unambiguous format that supports successful completion of required safety functions. The replacement PRNM system, therefore, complies with the criteria of IEEE 603, Clause 5.8.1.

IEEE 603-1991, Clause 5.8.2, "System Status Indication"

This clause states that display instrumentation shall provide accurate, complete, and timely information pertinent to safety system status. It also states that this information shall include indication and identification of protective actions of the sense and command features and execute features. Clause 5.8.2 further states that the design minimizes the possibility of ambiguous indications that could be confusing to the operator; however, the display instrumentation provided for safety system status indication need not be part of the safety systems.

The PRNM system includes instruments for indicating neutron flux levels and recirculation flow, as well as system annunciators and indicator lamps. These instruments, as defined in Section 6 of the NUMAC PRNM System Requirements Specification (Reference 1, Appendix F), provide information regarding status of actuated components to control room operators to support identification of protective actions of the PRNM system sense and command and execute features. The NRC staff determined that the replacement PRNM system status indications, as provided by safety system components, remain accurate, complete, and timely, and meet the requirements of IEEE Std 603-1991, Clause 5.8.2.

IEEE 603-1991, Clause 5.8.3, "Indication of Bypasses"

This clause states that if the protective actions of some part of a safety system have been bypassed or deliberately rendered inoperative for any purpose other than an operating bypass, then continued indication of this fact for each affected safety group shall be provided in the control room. Clause 5.8.3 further states that this display instrumentation need not be part of the safety systems. Clause 5.8.3 also states that this indication shall be automatically actuated if the bypass or inoperative condition is expected to occur more frequently than once-a-year, and is expected to occur when the affected system is required to be operable, that the capability shall exist in the control room to manually activate this display indication, and that the information displays shall be located accessible to the operator. RG 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," May 1973, describes an acceptable method of complying with the requirements of Clause 5.8.3.

When any APRM channel is bypassed, associated bypass indicator lamps, status lights on the voter modules, and ODA indications are activated. The bypass switch configuration ensures that only one channel can be placed into bypass at a time.

The NRC staff confirmed that placing any APRM channels into bypass will automatically cause the associated bypass indicator lamp to light to alert the operator of this condition. The NRC staff also confirmed this indicator lamp remains lit until the associated channel is removed from bypass and restored to operation. The NRC staff concludes that the channel bypass functions are being implemented in a manner that is consistent with the criteria of this clause. Therefore, the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.8.3.

IEEE 603-1991, Clause 5.8.4, "Location"

This clause states that the information displays shall be located accessible to the operator and that information displays provided for manually controlled protective actions shall be visible from the location of the controls used to effect the actions.

Existing NMS related control board indications are being retained for the replacement PRNM system and will remain accessible to the operators. Information displays in the control room are part of the safety system. The HCGS PRNM system will include NUMAC screen displays that will provide additional PRNM system status information to the operator. The NRC staff determined that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.8.4.

An assessment of potential susceptibilities evaluation was performed by the NRC staff, which is documented in Section 3.17 of this SE. The replacement PRNM system contains design features that provide means to control physical access to protection system equipment, including access to test points and the means for changing setpoints via the NUMAC panel interfaces. The PRNM system components are located inside the plant control room, and access to these components is administratively controlled by the operators. Access control of the control room is addressed under the plant physical security and is, therefore, acceptable.

Communication pathway access controls are described and evaluated in Section 3.3 of this SE.

IEEE 603-1991, Clause 5.9, "Control of Access"

This clause states that the safety system shall be designed to permit administrative control of access to safety system equipment. SRP Chapter 7, Appendix 7.1-C, Section 5.9, "Control of Access," provides acceptance criteria for Clause 5.9. These acceptance criteria state that administrative control is acceptable to assure that the access to the means for bypassing safety system functions is limited to qualified plant personnel; permission of the control room operator is obtained to gain access; and that digital computer-based systems need to consider controls over electronic access, including access via network connections and maintenance equipment, to safety system software and data. Electronic access to the replacement PRNM is evaluated in Section 3.3 of this SE. Security aspects of Clause 5.9 are evaluated by the NRC staff in Section 3.17 of this SE. The NRC staff determined that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 5.9.

IEEE 603-1991, Clause 5.10, "Repair"

This clause states that safety systems shall be designed to facilitate timely recognition, location, replacement, repair, and adjustment of malfunctioning equipment. SRP Chapter 7, Appendix 7.1-C, Section 5.10, "Repair," provides acceptance criteria for Clause 5.10. These acceptance criteria state that while digital safety systems may include self-diagnostic capabilities to aid in troubleshooting, the use of self-diagnostics does not replace the need for the capability for test and calibration systems as required by Clauses 5.7 and 6.5.

The timely identification and location of malfunctioning components is facilitated by NUMAC system design features of the replacement PRNM system. The majority of equipment is modular and rack mounted, and components are expected to be replaced rather than repaired to address failures. This facilitates timely repair of failed NUMAC PRNM components.

The NUMAC PRNM system is designed for high reliability and it contains self-test features that identify and report detected hardware module failures. These features minimize required maintenance and simplify online hardware replacement activities.

The NRC staff reviewed the maintenance, repair features, and capabilities of the NUMAC PRNM system and determined they adequately address the timely recognition, location, replacement, repair, and adjustment of malfunctioning PRNM equipment. Furthermore, the PRNM system design does not unduly rely upon self-diagnostic capabilities of the system to meet system test and calibration criteria. The PRNM system retains the capability for online testing during plant operation. The NRC, therefore, determined the replacement PRNM system meets the criteria of IEEE 603-1991, Clause 5.10.

IEEE 603-1991, Clause 5.11, "Identification"

This clause states that safety system equipment be distinctly identified for each redundant portion of a safety system; that identification of safety system equipment shall be distinguishable from any identifying markings placed on equipment for other purposes; that identification of safety system equipment and its divisional assignment shall not require frequent use of reference material; and that the associated documentation shall be distinctly identified.

However, the components or modules mounted in equipment or assemblies that are clearly identified as being in a single redundant portion of a safety system do not themselves require identification. SRP Chapter 7, Appendix 7.1-C, Section 5.11, "Identification," provides acceptance criteria for IEEE Std 603-1991, Clause 5.11. These acceptance criteria also identify RG 1.75, which endorses IEEE Std 384-1992 as guidance.

HCGS plant-specific identification requirements provide a standardized method for identifying equipment diagrams and signal names on function diagrams. All PRNM equipment is to be mounted in existing control room cabinets. These cabinets are already identified with markings to indicate the designated redundant portion of the protection system. No additional equipment identification markings are required for the HCGS equipment.

Cables associated with the four PRNM protection set components are labeled in accordance with PRNM channel assignments and are routed in separate cable trays, in accordance with the guidance on identification provided in IEEE Std 384-1992, Section 6.1.2, "Identification."

Therefore, the NRC staff determined that the identification of the replacement PRNM system and associated components meets the requirements of IEEE 603-1991, Clause 5.11.

IEEE 603-1991, Clause 5.12, "Auxiliary Features"

This clause states that auxiliary supporting features meet all requirements of this standard. The auxiliary features that perform a function that is not required for the safety systems to accomplish their safety functions and are not isolated from the safety system shall be designed to meet those criteria necessary to ensure that these components, equipment, and systems do not degrade the safety systems below an acceptable level. SRP Chapter 7, Appendix 7.1-C, Section 5.12, "Auxiliary Features," provides acceptance criteria for Clause 5.12. These acceptance criteria state that BTP 7-9 provides specific guidance for the review of anticipatory trips that are auxiliary features of an RPS.

The replacement PRNM system design includes communications links for transmittal of system data to nonsafety-related plant systems. The degree of independence between the PRNM and these systems is evaluated in Section 3.3.4 of this SE. That evaluation supports the conclusion that this communications feature will not degrade the PRNM system performance below an acceptable level. All other nonsafety-related features supported by the PRNM are either isolated from the PRNM system via qualified isolation devices or are included in the safety system design. The NRC staff finds that the replacement PRNM system, therefore, meets the criteria of IEEE 603-1991, Clause 5.12.

IEEE 603-1991, Clause 5.13, "Multi-Unit Stations"

This clause states that the sharing of SSCs between units at multi-unit generating stations is permissible, provided that the ability to simultaneously perform required safety functions in all units is not impaired. SRP Chapter 7, Appendix 7.1-C, Section 5.13, "Multi Unit Stations," provides acceptance criteria for Clause 5.13. These acceptance criteria state that the shared user interfaces must be sufficient to support the operator needs for each of the shared units.

HCGS is a single unit site and, therefore, the criteria of IEEE 603-1991, Clause 5.13, are not applicable to the replacement PRNM system at HCGS.

IEEE 603-1991, Clause 5.14, "Human Factors Considerations"

This clause states that human factors be considered at the initial stages and throughout the design process to assure that the functions allocated in whole or in part to the human operators and maintainers can be successfully accomplished to meet the safety system design goals.

SRP Chapter 7, Appendix 7.1-C, Section 5.14, "Human Factors Considerations," provides acceptance criteria for Clause 5.14, and states that safety system human factors design should be consistent with the applicant/licensee's commitments documented in Chapter 18 of the UFSAR.

The NUMAC PRNM system was designed to meet the guidance of NUREG-0700, as applicable, to back panel equipment. Operator interfaces associated with the existing NMS system using control panel mounted switches and indicators are being retained; however, NUMAC ODAs will be added to the design. These displays have been designed to meet applicable guidance of NUREG-0700. PRNM outputs to the control room annunciation system will remain functionally equivalent to the existing NMS alarms.

The HCGS design change process required performance of an HFE review of the changes to the control room operator panels in accordance with NUREG-0700. An evaluation of human performance aspects of the replacement PRNM system was performed in Section 3.20 of this SE with all aspects found to be acceptable. Therefore, the replacement PRNM system meets the criteria of IEEE 603-1991, Clause 5.14.

IEEE 603-1991, Clause 5.15, "Reliability"

This clause states that for those systems for which either quantitative or qualitative reliability goals have been established, appropriate analysis of the design shall be performed in order to confirm that such goals have been achieved. SRP Chapter 7, Appendix 7.1-C, Section 5.15, "Reliability," provides acceptance criteria for Clause 5.15. These acceptance criteria state that the applicant/licensee should justify that the degree of redundancy, diversity, testability, and quality provided in the safety system design is adequate to achieve functional reliability commensurate with the safety functions to be performed. They also state that for computer systems, both hardware and software reliability should be analyzed. The acceptance criteria in the SRP further state that software that complies with the quality criteria of Clause 5.3 and that is used in safety systems that provide measures for defense against CCFs, as previously described for Clause 5.1, is considered by the NRC staff to comply with the fundamental reliability requirements of IEEE Std 279-1971 and IEEE Std 603-1991.

UFSAR Section 3.1.2.3.2 Criterion 21, "Protection System Reliability and Testability," requires, in part, that the protection system be designed for high functional reliability commensurate with the safety functions to be performed.

SRP Chapter 7, Appendix 7.1-C, Section 5.15, further states that hardware failure conditions to be considered should include failures of portions of the computer itself and failures of portions of communication systems. Hard failures, transient failures, sustained failures, and partial failures should be considered. Software failure conditions to be considered should include, as appropriate, software CCFs, cascading failures, and undetected failures.

A NUMAC PRNM reliability analysis, which includes PRNM hardware reliability data and a system unavailability analysis, was performed to demonstrate adequate system reliability (Reference 29.G). The failure analysis was evaluated by the NRC staff (Section 3.13 of this SE). Based on this evaluation, the NRC staff determined that the replacement PRNM system meets the reliability requirements of IEEE 603-1991, Clause 5.15.

IEEE 603-1991, Clause 6, "Sense and Command Features"

The requirements of this clause, in addition to the requirements of Clause 5, apply to the sense and command features of a safety system. SRP Chapter 7, Appendix 7.1-C, Section 6, "Sense and Command Features - Functional and Design Requirements," provides acceptance criteria for Clause 6.

IEEE 603-1991, Clause 6.1, "Automatic Control"

This clause states that for each design-basis event, all protective actions should automatically initiate without operator action, except as justified in IEEE Std 603, Clause 4.5. SRP Chapter 7, Appendix 7.1-C, Section 6.1, "Automatic Controls," provides acceptance criteria for Clause 6.1.

The acceptance criteria state that the automatic initiation should be precise and reliable, and the evaluation of the precision of the safety system should be addressed to the extent that setpoints, margins, errors, and response times are factored into the analysis.

SRP Chapter 7, Appendix 7.1-C, Section 6.1, states that for digital computer-based systems, the evaluation should confirm that the functional requirements have been appropriately allocated into hardware and software requirements. The evaluation should also confirm that the system's real time performance is deterministic and known. BTP 7-21 provides guidance for this evaluation.

The replacement PRNM design includes documents that describe the software and hardware requirements of the system. The NRC staff determined that functional requirements have been appropriately allocated between hardware and software, and adequate deterministic behavior has been demonstrated.

The evaluation of the replacement PRNM response time against the applicable requirements is documented in Section 3.6 of this SE. The evaluation of the PRNM setpoint values is documented in Section 3.5 of this SE. Based on these evaluations, the NRC staff determined that the replacement PRNM system conforms to the criteria of IEEE 603-1991, Clause 6.1.

IEEE 603-1991, Clause 6.2, "Manual Control"

This clause contains the requirements applicable to manual controls as described in the subsections below. SRP Chapter 7, Appendix 7.1-C, Section 6.2, "Manual Control," provides acceptance criteria for Clause 6.2. There are three categories of manual controls as described in Clause 6.2, "Manual Controls." The evaluation of the PRNM system against the requirements of each of these three categories is addressed in the subsections below.

IEEE 603-1991, Clause 6.2.1, "Division Level Activation"

This clause requires that means be provided in the control room to implement manual initiation at the division level of the automatically initiated protective actions. These means must minimize the number of discrete operator manipulations and shall depend on the operation of a minimum of equipment. SRP Chapter 7, Appendix 7.1-C, Section 6.2, states that features for manual initiation of protective action should conform to RG 1.62, Revision 1, "Manual Initiation of Protective Actions," June 2010, and will be functional, accessible within the time constraints of operator responses, and available during plant conditions under which manual actions may be necessary.

Initiation of protection actions at the division level is performed by systems that are external to the PRNM system. These means are provided at the RPS actuation level, which is downstream of the PRNM system output. The PRNM replacement does not affect any of the division-level manual initiation features or functions in the HCGS protection system. Therefore, the NRC staff finds that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 6.2.1.

IEEE 603-1991, Clause 6.2.2, "Non-Automatic Control"

This clause requires that means be provided in the control room to implement manual initiation and control of the protective actions identified in Clause 4.5 that have not been selected for automatic control under Clause 6.1. The displays provided for these actions must meet the requirements of IEEE 603-1991, Clause 5.8.1.

The manual initiation and control of protective actions functions is not affected by the PRNM replacement; therefore, this feature of the replacement RPS continues to meet the criteria of IEEE 603-1991, Clause 6.2.2.

IEEE 603-1991, Clause 6.2.3, "Manual Control After Completion of Protective Action"

This clause requires that means be provided in the control room to implement the manual actions necessary to maintain safe conditions after the protective actions are completed as specified in Clause 4.10. The information provided to the operators, the actions required of these operators, and the quality and location of associated displays and controls must be appropriate for the time period within which the actions must be accomplished and for the number of available qualified operators. Such displays and controls must be located in areas that are accessible, located in an environment suitable for the operator, and suitably arranged for operator surveillance and action.

The PRNM replacement design retains availability of existing information provided to the operators, the actions needed of the operators, and the quantity of the associated displays and controls available to the operators. Safety-related controls and indicators remain Class 1E, and nonsafety-related indicators are driven by qualified isolation devices.

Manual initiation and control of protective action functions and information provided to the operators to support manual actions is retained in the PRNM replacement design. Therefore, the NRC staff finds that the replacement PRNM system continues to meet the regulatory requirements of IEEE 603-1991, Clause 6.2.3.

IEEE 603-1991, Clause 6.3, "Interaction with Other Systems"

This clause contains two subclauses that have requirements that were used to evaluate the replacement PRNM system. SRP Chapter 7, Appendix 7.1-C, Section 6.3, "Interaction between the Sense and Command Features and Other Systems," provides acceptance criteria for the subclauses of Clause 6.3.

IEEE 603-1991, Clause 6.3.1, "Interaction with Other Systems"

This clause states that if a single credible event can both cause a nonsafety system action that results in a condition requiring protective action and can concurrently prevent the protective action in those sense and command feature channels designated to provide principal protection against the condition, either an alternate channel or alternate equipment not subject to this failure will be provided, or equipment not subject to failure caused by the same single credible event shall be provided. SRP Chapter 7, Appendix 7.1-C, Section 6.3, states that if the event of concern is a single failure of a sensing channel shared between control and protection functions, isolating the safety system from the sensing channel failure by providing additional redundancy or isolating the control system from the sensing channel failure by using data validation techniques to select a valid control input are approaches that have been previously accepted.

The PRNM system is designed to minimize the possibility of occurrence of events that can cause a nonsafety system action resulting in a condition requiring a PRNM protective action and concurrently preventing the PRNM from providing protection for the event.

The PRNM failure analysis includes an evaluation of interconnections and means of isolation between redundant safety channels and between safety channels and nonsafety systems to assure that no single failure can cause the loss of a safety function (Section 3.13 of this SE).

Devices used for Class 1E isolation are qualified to prevent electrical faults from propagating between redundant Class 1E circuits and between Class 1E circuits and non-1E circuits. The failure analysis considers features included within the replacement PRNM boundary, including the operator panel displays, to assure that no single failure can cause the loss of a safety function or lead to spurious safety function actuations.

The NRC staff confirmed there are no unanalyzed interactions between control systems and the PRNM protection systems. Therefore, the replacement PRNM system continues to meet the regulatory requirements of IEEE 603-1991, Clause 6.3.1.

IEEE 603-1991, Clause 6.3.2, "Interaction with Other Systems"

This clause states that provisions must be included so that the requirements of Clause 6.3.1 can be met in conjunction with the requirements of Clause 6.7 if a channel is in maintenance bypass.

The PRNM system failure analysis identifies the consequences of PRNM module level single failures, as required by IEEE 603-1991, Clause 6.3.2. This analysis provides assurance that single-failure criteria are met even if a bypassed channel is unavailable to support the safety function. There are no failures of the interfaced nonsafety-related systems that will cause the loss of a safety function of the PRNM system, even when one APRM channel is manually bypassed. The NRC staff, therefore, determined that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 6.3.2.

IEEE 603-1991, Clause 6.4, "Derivation of System Inputs"

This clause states that, to the extent feasible and practical, sense and command feature inputs shall be derived from signals that are direct measures of the desired variables as specified in the design basis. SRP Chapter 7, Appendix 7.1-C, Section 6.4, "Derivation of System Inputs," provides acceptance criteria for Clause 6.4. These acceptance criteria state that if indirect parameters are used, the indirect parameter must be shown to be a valid representation of the desired direct parameter for all events, and that for both direct and indirect parameters, the characteristics of the instruments that produce the safety system inputs such as range, accuracy, resolution, response time, and sample rate, are consistent with the analysis provided in Chapter 15 of the UFSAR.

The PRNM system uses the same LPRM and reactor recirculating flow sensor inputs used for the existing NMS. The instrument scaling is also being retained. The manner in which these system inputs are derived is not being changed from the methods used in the plant safety analysis. The NRC staff finds that the replacement PRNM system will, therefore, continue to meet the regulatory requirements of IEEE 603-1991, Clause 6.4.

IEEE 603-1991, Clause 6.5, "Capability for Testing and Calibration"

SRP Chapter 7, Appendix 7.1-C, Section 6.5, "Capability for Testing and Calibration," provides acceptance criteria for Clause 6.5 and states that BTP 7-17 discusses issues that should be considered in sensor check and surveillance test provisions for digital computer I&C systems.

IEEE 603-1991, Clause 6.5.1, "Checking for Operational Availability"

This clause states that it must be possible to check, with a high degree of confidence, the operational availability of each sense and command feature input sensor required for a safety function during reactor operation. SRP Chapter 7, Appendix 7.1-C, states that the operational availability can be checked by varying the input to the sensor or by cross-checking between redundant channels. SRP Chapter 7, Appendix 7.1-C, Section 6.5, also states that BTP 7-17 contains guidance concerning sensor check and surveillance test provisions for digital computer I&C systems.

The NRC staff reviewed the means used to determine PRNM system operability as defined by HCGS TSs (Section 3.2 of this SE). The TS SRs pertaining to the PRNM system include performance of channel checks, channel functional tests and channel calibrations. Logic system functional tests are also performed to ensure proper functionality of the new voter modules. The replacement PRNM system includes provisions to support performance of periodic channel calibrations. Verification of proper response time for the PRNM system functions is also performed on a periodic basis.

The replacement PRNM system includes diagnostic features that continually test and verify system hardware performance. These features are also being credited for the purpose of ensuring channel operability. The NRC staff determined that these means, in conjunction with performance of required surveillance testing, provide an adequate degree of confidence that operational availability of the PRNM system safety functions will be maintained during reactor operation. Based upon review of the SRs and NUMAC self-test functions, the NRC staff has determined that the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 6.5.1.

IEEE 603-1991, Clause 6.5.2, "Checking for Operational Availability"

This clause requires that one of two means must be provided for assuring the operational availability of each sense and command feature required during the post-accident period. The first is by using the same methods described in Clause 6.5.1 (i.e., checking post-accident is the same as checking during normal operation). The second is by specifying equipment that is stable and the period of time it retains its calibration during the post-accident period.

PRNM system automatic self-testing and periodic channel check methods are used during the post-accident period to assure that the sense and command features required during the post-accident period remain operational and available. PRNM system equipment is designed to remain functional in all normal and post-accident environmental conditions of the control room.

Section 3.8 of this SE evaluates the NUMAC PRNM system equipment EQs. The NRC staff determined that these methods are acceptable; therefore, the replacement PRNM system meets the requirements of IEEE 603-1991, Clause 6.5.2.

IEEE 603-1991, Clause 6.6, "Operating Bypasses"

This clause states that if the applicable permissive conditions are not met, a safety system must automatically prevent the activation of an operating bypass or initiate the appropriate safety function; if plant conditions change so that an activated operating bypass is no longer permissible, the safety system must either remove the appropriate active operating bypass, restore plant conditions so that permissive conditions once again exist, or initiate the appropriate safety function(s). SRP Chapter 7, Appendix 7.1-C, Section 6.6, "Operating Bypasses," provides acceptance criteria for Clause 6.6. These acceptance criteria state that the requirement for automatic removal of operational bypasses means that the reactor operator may not have a role in such removal; however, the operator may take action to prevent the unnecessary initiation of a protective action.

The replacement PRNM system does not have any automatic bypasses for the APRM trip functions; however, the Neutron Flux-Upscale (Setdown) Trip is automatically activated when the reactor mode switch is placed in the Startup position. The OPRM includes enabling logic to automatically activate trip outputs in applicable operating zones of the plant power-flow map.

The NRC staff reviewed the PRNM system functional specifications associated with the OPRM enabling logic and confirmed the automatic trip function enabling features are included in the modified system design. The NRC staff, therefore, determined that the replacement PRNM system is adequately designed to automatically remove operating bypasses associated with the OPRM safety function when plant conditions for bypass operation are not satisfied. The replacement PRNM system, therefore, meets the criteria of IEEE 603-1991, Clause 6.6.

IEEE 603-1991, Clause 6.7, "Maintenance Bypass"

This clause states that the safety system be designed such that while sense and command features equipment is in maintenance bypass, the capability of a safety system to accomplish its safety function must be retained, and during such operation, the sense and command features must continue to meet the requirements of Clauses 5.1 and 6.3. SRP Chapter 7, Appendix 7.1-C, Section 6.7, "Maintenance Bypass," provides acceptance criteria for Clause 6.7. These acceptance criteria state that provisions for this bypass need to be consistent with the required actions of the plant TSs.

The capability of the PRNM system to perform its safety functions is established such that these functions will remain operable during system testing and when a single APRM channel is placed into the maintenance bypass mode for any reason. The replacement PRNM system design will retain bypass and inoperable status indications in the control room, and operators will be provided with continuous indication of channel bypass status whenever an APRM channel is placed in bypass.

The HCGS PRNM system failure analysis assumes that one APRM channel is bypassed as an initial condition. The analysis then determines the effect of an additional failure on the safety system's capability to perform the required PRNM safety functions. The failure analysis results that are evaluated in Section 3.13 of this SE demonstrate that the replacement PRNM system is capable of performing its required safety functions even while an APRM channel is in the maintenance bypass mode. Thus, the replacement PRNM system is capable of meeting the single-failure criteria of Section 5.1, as well as the interaction between control and protection criteria of Section 6.3 of IEEE 603-1991 while any channel is in the maintenance bypass mode.

The NRC staff, therefore, concludes that the replacement PRNM system meets the criteria of IEEE 603-1991 Section 6.7.

IEEE 603-1991, Clause 6.8, "Setpoints"

This clause states that the allowance for uncertainties between the process analytical limit documented in Clause 4, Item d) and the device setpoint must be determined using a documented methodology. Where it is necessary to provide multiple setpoints for adequate protection for a particular mode of operation or set of operating conditions, the design must provide a positive means of ensuring that the more restrictive setpoint is used when required.

SRP Chapter 7, Appendix 7.1-C, Section 6.8, "Setpoints," provides acceptance criteria for Clause 6.8. These acceptance criteria state that the setpoint analysis should confirm that an adequate margin exists between operating limits and setpoints such that there is a low probability for inadvertent actuation of the system and should confirm that an adequate margin exists between setpoints and safety limits. The SRP also states that additional guidance on establishment of instrument setpoints can be found in RG 1.105; BTP 7-12; and in Regulatory Issue Summary 2006-17, "NRC Staff Position on the Requirements of 10 CFR 50.36, 'Technical Specifications,' Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels," dated August 24, 2006. SRP Chapter 7, Appendix 7.1-C, Section 6.8, further states that where it is necessary to provide multiple setpoints as discussed in Clause 6.8.2, the NRC staff interpretation of "positive means" is that automatic action is provided to ensure that the more restrictive setpoint is used when required and that BTP 7-3 provides additional guidance on multiple setpoints used to allow operation with reactor coolant pumps out of service.

Setpoint calculations used for the replacement PRNM system are performed in accordance with GEH Instrument Setpoint Methodology, which is described in Appendix P of the LAR (Reference 1). This methodology is based on the GEH instrument setpoint methodology of NEDC-31336P-A, which was previously approved for use in determining PRNM system setpoints. Section 3.5 of this SE provides the staff evaluation on the setpoint methodology.

The approach used for setpoint methodology is consistent with ISA-67.04.01-2006 and addresses guidance provided in RIS 2006-17 and TSTF-493. The NRC staff determined that the documented setpoint methodology provides an acceptable basis for determination of PRNM system setpoints and, therefore, meets the criteria of IEEE 603-1991, Clause 6.8.1.

IEEE 603-1991, Clause 7, "Execute Features"

This clause requires that Clauses 7.1 through 7.5 apply to the execute features. The PRNM system functions, however, are limited to sense and command. The actuation signal outputs of the PRNM system are executed by the RPS. Therefore, the criteria of IEEE Section 7 do not apply to the PRNM system.

IEEE 603-1991, Clause 8, "Power Source Requirements"

Clause 8 contains no requirements but has three subclauses that contain requirements for evaluating the HCGS PRNM system. SRP Chapter 7, Appendix 7.1-C, Section 8, does not provide acceptance criteria for Clause 8.

IEEE 603-1991, Clause 8.1, "Electrical Power Sources"

This clause states that those portions of the Class 1E power system that are required to provide the power to the many facets of the safety system are governed by the criteria of this document and are a portion of the safety systems.

The replacement PRNM will use the same electrical power sources as the existing NMS. Each PRNM channel is powered from a separate 120 volt (V) alternating current (AC) vital bus via a Class 1E uninterruptible power supply. Since this aspect is not being changed by this LAR, the replacement PRNM system remains compliant with IEEE 603-1991, Clause 8.1.

IEEE 603-1991, Clause 8.2, "Non-Electrical Power Sources"

This clause states that non-electrical power sources required to provide the power to the safety system must be a portion of the safety systems and must provide power consistent with the requirements of IEEE Std 603.

The PRNM replacement does not rely on non-electrical power sources for performance of its safety-related functions; therefore, IEEE 603-1991, Clause 8.2 is not applicable, and no evaluation is required with respect to Clause 8.2.

IEEE 603-1991, Clause 8.3, "Maintenance Bypass"

This clause states that the capability of the safety systems to accomplish their safety functions must be retained with the power sources in maintenance bypass. Clause 8.3 also states that the portions of the power sources with a degree of redundancy of one must be designed such that when a portion is placed in maintenance bypass, the remaining portions provide acceptable reliability.

The replacement PRNM system uses the same power sources as the existing NMS system that it replaces. If an external power source for a safety-related PRNM channel fails, the remaining safety-related channels are designed to ensure that the safety system remains capable of performing required safety functions. There is no maintenance bypass mode associated with the power sources to the PRNM. Since the power source to the PRNM system is being retained, the NRC staff finds that the criteria of IEEE 603-1991, Clause 8.3, will continue to be satisfied by the replacement PRNM system.

3.16 Conformance with IEEE Std 7-4.3.2-2003

RG 1.152 states that conformance with the requirements of IEEE Std 7-4.3.2-2003, "IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations," is a method that the NRC staff has deemed acceptable for satisfying the Commission's regulations with respect to high functional reliability and design requirements for computers used in safety systems of nuclear power plants. SRP Chapter 7, Appendix 7.1-D, "Guidance for Evaluation of the Application of IEEE Std 7-4.3.2," contains guidance for the evaluation of the application of the requirements of IEEE Std 7-4.3.2-2003.

For HCGS, the licensee included a report on compliance with IEEE Std 7-4.3.2-2003 within the LAR (Reference 1, Appendix 0). The NRC staff is, therefore, including the following evaluation and determination of compliance with IEEE 7-4.3.2-2003 to support the safety conclusions of this SE.

IEEE Std 7-4.3.2-2003, Clause 5, "Safety System Criteria"

Clause 5 has 15 subclauses that contain requirements used to evaluate the HCGS PRNM system in the subsections below. SRP Chapter 7, Appendix 7.1-D, Section 5, provides acceptance criteria for the subclauses of Clause 5.

IEEE 7-4.3.2-2003. Clause 5.3. "Quality" Clause 5.3 states that computer development activities must include the development of computer hardware and software. In addition, Clause 5.3 also states that the integration of computer hardware and software and the integration of the computer with the safety system must be addressed in the development process. SRP Chapter 7, Appendix 7.1-C, Section 5.3, states that BTP 7-14 contains acceptance criteria for software development processes.

The computer development activities of the PRNM system were initially reviewed and approved by the NRC as part of the NUMAC PRNM LTR SE (Reference 7); however, standards for development of digital I&C systems have changed over time, and the NUMAC system developer has made improvements to the NUMAC development processes. These process improvements were included in the HCGS LAR as appendices (Reference 1, Appendices B, C, D, and E).

These activities include the development of the system hardware and NUMAC software. The computer development processes of the replacement PRNM system have been evaluated as documented in Section 3.7 of this SE, and were determined to be acceptable.

The NRC staff found that integration of NUMAC PRNM hardware and software is a planned activity included in the PRNM system development process plans. The NRC also found that integration of PRNM system hardware and software are planned activities that are included in the PRNM system development processes. The planning aspects of these activities are evaluated in Section 3.7.1 of this SE.

IEEE 7-4.3.2-2003. Clause 5.3.1. "Software Development" Clause 5.3.1 requires an approved QA plan for the development, modification, and acceptance of all software that is resident at run time. SRP Chapter 7, Appendix 7.1-D, Section 5.3.1, states that BTP 7-14 describes the characteristics of a software development process that the NRC staff evaluates when assessing the quality criteria of Clause 5.3.

Software that is resident in the NUMAC PRNM system at run time is generated using structured development processes. These development processes were evaluated by the NRC using the criteria of BTP 7-14. NUMAC software is developed, modified, and accepted in accordance with the NUMAC qualification program (Reference 1, Appendix H) and the NUMAC Systems Quality Assurance Plan (Reference 1, Appendix C).

The NRC staff evaluated the quality of the PRNM application software by reviewing the software specifications (Reference 1, Appendix F), as well as the processes used for the NUMAC system development. The NRC staff verified that NUMAC SDPs (Section 3.7.1 of this SE), implementation of the plans (Section 3.7.2 of this SE), and the design outputs produced (Section 3.7.3 of this SE) were performed in an acceptable manner. Based on these evaluations, the NRC staff determined that the NUMAC PRNM system meets the requirements of IEEE 7-4.3.2-2003, Clause 5.3.1.

IEEE 7-4.3.2-2003, Clause 5.3.1.1. "Software Quality Metrics" Clause 5.3.1.1 states that the use of software quality metrics shall be considered throughout the software lifecycle to assess whether software quality requirements are being met. SRP Appendix 7.1-D, Section 5.3.1.1, states that metrics are considered in the review of the software development process in accordance with BTP 7-14.

The NUMAC system development process includes QA oversight activities, including activities for performing baseline reviews at each of the five stages of development. One objective of the baseline reviews is to monitor and assess software quality throughout the project lifecycle.

During the NRC staff review of the software development process and implementation activities, the staff observed how the software quality was assessed.

The NUMAC systems QA plan, which is evaluated in Section 3.7.1.3 of this SE, addresses correctness and completeness of requirements during the requirements phase, compliance with requirements as part of the design phase, compliance with design as part of the implementation phase, and functional compliance with requirements as part of the test phase. Therefore, the NRC staff determined that the NUMAC PRNM system meets the requirements of IEEE 7-4.3.2-2003, Clause 5.3.1.1.

IEEE 7-4.3.2-2003. Clause 5.3.2, "Software Tools" Clause 5.3.2 states that software tools used to support software development and V&V processes shall be controlled under configuration management and that the tools shall either be developed to a similar standard as the safety-related software, or that the software tool shall be used in a manner such that defects not detected by the software tool will be detected by V&V activities. SRP Chapter 7, Appendix 7.1-D, guides the NRC staff to thoroughly evaluate software tool use.

Software tools used in the development of NUMAC applications are reviewed and evaluated in accordance with the digital I&C lifecycle process. Appendix O of the LAR (Reference 1, Appendix O) states that software tools are used in a manner such that defects not detected by the software tools are detected by IV&V activities. Performance of IV&V activities is evaluated in Sections 3.7.1.4 and 3.7.2.2 of this SE. The NRC staff determined that IV&V activities used during development of the HCGS PRNM system were compliant with the criteria of IEEE 1012 and are, therefore, acceptable.

NUMAC development tools are maintained under the GEH configuration management programs. Software developed with the NUMAC development tools is independently verified and validated to ensure that defects not detected by the tool will be detected and corrected through other means. Software V&V activities performed during the NUMAC software development (evaluated in Section 3.7.1.6 of this SE) do not rely on use of software tools and, therefore, can be credited as an independent means of ensuring tool output is correct.

Based on the review of the V&V processes as described in Sections 3.7.1.4 and 3.7.2.2 of this SE, the NRC staff determined that the output of software tools used for application development was subject to IV&V activities that would detect defects or errors caused by the tools. The NRC staff concludes that the NUMAC software development tool assessment and qualification processes meet the requirements of IEEE Std 7-4.3.2-2003, Clause 5.3.2.

IEEE 7-4.3.2-2003, Clause 5.3.3. "Verification and Validation" Clause 5.3.3 states that a V&V program must address hardware, software, integration of digital components, and interaction with the nuclear power plant. The V&V program must exist throughout the entire system lifecycle. SRP Appendix 7.1-C states that the software V&V effort should be performed in accordance with IEEE Std 1012-1998, which is endorsed by NRC RG 1.168, Revision 1.

The NRC staff used RG 1.168 and IEEE Std 1012 to evaluate the V&V planning processes used for the NUMAC PRNM system (Section 3.7.1.4 of this SE) and V&V analysis and test reports (Section 3.7.2.2 of this SE). The NRC staff also evaluated the plan for the integration of digital components (Section 3.7.1.2 of this SE); and the plan for testing (Section 3.7.1.4 of this SE). Based on these evaluations, the NRC staff determined that the NUMAC PRNM system conforms to the criteria of IEEE 7-4.3.2-2003, Clause 5.3.3.

IEEE 7-4.3.2-2003. Clause 5.3.4, "Independent V&V" Clause 5.3.4 defines the levels of independence required for the V&V effort in terms of technical independence, managerial independence, and financial independence. SRP Chapter 7, Appendix 7.1-D, Section 5.3.4, provides additional guidance to assist the NRC staff in determining the extent of independence and effectiveness of the V&V activities.

The NUMAC SyIVVP (Reference 1, Appendix D) identifies the IV&V team as the organizational entity responsible for performance and oversight of V&V activities for the NUMAC PRNM system development. The IV&V team includes a system V&V engineer and a system safety analysis engineer. This plan describes the V&V activities performed by the IV&V team, as well as team member responsibilities. The HCGS NUMAC PRNM System Management Plan also includes a test and qualification engineer as a member of the IV&V team. The NRC staff evaluated the level of independence between the IV&V team and the NUMAC design organization. The NRC staff also evaluated the qualification level of IV&V team personnel. These aspects of the system design V&V were found acceptable (Section 3.7.1.1 of this SE).

The NRC staff determined that the technical competence of personnel assigned to perform V&V tasks was adequate and that individuals performing V&V tasks were not the same individuals that perform the design and development activities.

The responsibility for oversight of the project V&V activities as defined in the SyIVVP is assigned to the GEH Chief Engineers Office, which operates independently from the I&C Engineering Office. The NRC staff reviewed the following activities and determined that they were being conducted independently from design and development activities.

  • Selection of the PRNM application software to be analyzed,
  • Selection of techniques used to perform analysis,
  • Selection of issues or problems to be acted upon, and
  • Allocation of independent resources

Personnel responsible for V&V oversight activities are not responsible for PRNM system development activities or for program management. Therefore, the vendor-assigned responsibilities for IV&V oversight comply with the criteria of Clause 5.3.4. The NRC staff concludes that the degree of independence established by the NUMAC PRNM system supplier is adequate and meets the criteria of IEEE 7-4.3.2-2003, Clause 5.3.4.

IEEE 7-4.3.2-2003. Clause 5.3.5. "Software Configuration Management" Clause 5.3.5 states that SCM shall be performed in accordance with IEEE Std 1042-1987 and that IEEE Std 828-1998 provides guidance for the development of software configuration management plans. IEEE Std 828-1990 and IEEE Std 1042-1987 are endorsed by RG 1.169.

SRP Chapter 7, Appendix 7.1-D, states that BTP 7-14 and RG 1.169 provide acceptance criteria for the SCM plan and activities.

The SCM plan used for the PRNM system replacement project was evaluated against the criteria of BTP 7-14, Section B.3.1.11; SRP Appendix 7.1-D, Section 5.3.5; RG 1.169; and IEEE Std 1042-1987 (Section 3.4.1.11 of this SE). The SCM planning documentation is evaluated in Section 3.7.1.2 of this SE. The system configuration implementation documents are evaluated in Section 3.7.2.3 of this SE. Based on these evaluations, the NRC staff determined that the configuration management activities performed for the NUMAC PRNM system conform to the requirements of IEEE 7-4.3.2-2003, Clause 5.3.5.

IEEE 7-4.3.2-2003, Clause 5.3.6. "Software Project Risk Management" Clause 5.3.6 defines the risk management criteria for a software project. SRP Chapter 7, Appendix 7.1-D, Section 5.3.6, "Software Project Risk Management," provides acceptance criteria for software project risk management. This section states that software project risk management is a tool for problem prevention and should be performed at all levels of the digital system project to provide adequate coverage for each potential problem area. It also states that software project risks may include technical, schedule, or resource-related risks that could compromise software quality goals, and thereby affect the ability of the safety computer system to perform safety-related functions.

A standardized project management process to assess risks is described in Section 5, "Risk Management," of the NUMAC System Management Plan (Reference 1, Appendix E). The risk management methodology described in the SyMP includes identification, assessment, monitoring, and control of risks that arise during the software development project.

In addition, the methodologies employed for software project risk management include processes to rate the complexity and risks of projects to optimize project planning and execution. In the course of project execution, the project risks are monitored as a baseline review activity, and the original rating is reviewed and updated as risks are identified, mitigated or closed. The software development and project management plans address development risks throughout the lifecycle. The NRC staff determined that NUMAC PRNM system development processes include an acceptable level of risk management based on a review of the processes used for managing project risk defined in the SyMP (Reference 1, Appendix E, Section 5). Section 3.7.1.1 of this SE includes an evaluation of the risk management process used for the HCGS PRNM system. Based on this evaluation, the NRC staff finds that the NUMAC PRNM system, therefore, meets the criteria of IEEE 7-4.3.2-2003, Clause 5.3.6.

IEEE 7-4.3.2-2003. Clause 5.4, "Equipment Qualification" Clause 5.4 defines the equipment qualification required for a software project. SRP Chapter 7, Appendix 7.1-D, Section 5.4, "Equipment Qualification," which provides acceptance criteria for equipment qualifications, states that in addition to the equipment qualification criteria provided by IEEE Std 603 and Section 5.4 of SRP Chapter 7, Appendix 7.1-C, additional criteria, as defined in Sections 5.4.1 and 5.4.2, are necessary to qualify digital computers for use in safety systems. These sections are discussed in the following subsections.

IEEE 7-4.3.2-2003. Clause 5.4.1. "Computer System Testing" Clause 5.4.1 discusses the software that should be operational on the computer system while qualification testing is being performed. SRP Chapter 7, Appendix 7.1-D, Section 5.4.1, "Computer System Testing," provides acceptance criteria for equipment qualifications. This section states that computer system equipment qualification testing should be performed with the computer functioning with software and diagnostics that are representative of those used in actual operation.

The NUMAC PRNM system software and diagnostics representative of system operation were exercised during system qualification testing activities. The PRNM NUMAC computer system was in operation and system parameters were monitored during test performance. The PRNM system qualification test results (Reference 29.F) demonstrate compliance with performance requirements related to the PRNM safety functions; therefore, the NRC staff determined that the PRNM system conforms to IEEE 7-4.3.2, Clause 5.4.1.

IEEE 7-4.3.2-2003. Clause 5.4.2. "Qualification of Existing Commercial Computers" Clause 5.4.2 defines the qualification of existing commercial computers for use in safety-related applications in nuclear power plants. SRP Chapter 7, Appendix 7.1-D, Section 5.4.2, "Qualification of Existing Commercial Computers," provides acceptance criteria for equipment qualifications. This section states that Electric Power Research Institute (EPRI) TR-106439, "Guideline on Evaluation and Acceptance of Commercial Grade Digital Equipment for Nuclear Safety Applications," and EPRI TR-107330, "Generic Requirements Specification for Qualifying a Commercially Available PLC [Programmatic Logic Controllers] for Safety-Related Applications in Nuclear Power Plants," provide specific guidance for the evaluation of commercial grade digital equipment and existing PLCs.

No commercial grade software components are used in the NUMAC PRNM system design for performance of safety functions. Commercial grade hardware components are, however, used in the NUMAC system. These hardware components are dedicated for use in safety-related systems in accordance with the vendor Quality Assurance Plan (Reference 1, Appendix C).

The dedication processes used include identification of the physical, performance, and development process requirements for components being dedicated. The dedication process provides adequate confidence that dedicated PRNM hardware components are capable of performing required safety functions. Based on these evaluations, the NRC staff determined that the NUMAC PRNM system conforms to IEEE 7-4.3.2-2003, Clause 5.4.

IEEE 7-4.3.2-2003, Clause 5.5. "System Integrity" Clause 5.5 states that in addition to the system integrity criteria provided by IEEE Std 603, the digital system shall be designed for computer integrity, test and calibration, and fault detection and self-diagnostics activities. These attributes are further defined in IEEE Std 7-4.3.2-2003, Clause 5.5.1, "Design for Computer Integrity"; Clause 5.5.2, "Design for Test and Calibration"; and Clause 5.5.3, "Fault Detection and Self-Diagnostics." These subclauses are evaluated in the subsections below. There are no specific acceptance criteria shown in SRP Chapter 7, Appendix 7.1-D, Section 5.5, "System Integrity."

IEEE 7-4.3.2-2003. Clause 5.5.1, "Design for Computer Integrity" Clause 5.5.1 states that the computer shall be designed to perform its safety function when subjected to conditions, external or internal, that have significant potential for defeating the safety function.

The NUMAC computers are designed to provide required inputs to the reactor trip safety function when subjected to conditions that have potential for defeating the safety function.

Section 3.8 of this SE evaluates NUMAC PRNM system qualification within external environmental conditions of the HCGS control room. This environmental evaluation determined the NUMAC PRNM system is capable of completing its safety functions for all expected conditions of the installed environment.

The independence and single-failure criteria evaluations as documented in Section 3.15 of this SE determined that PRNM channel redundancy and separation adequately ensure that internal conditions that have the potential to defeat NUMAC safety functions are addressed within the system design such that NUMAC safety functions are performed when required.

The PRNM system requirements identify a fail-safe state such that failures of the NUMAC computers result in reactor trip signal outputs defaulting to the actuated state. Failure of the NUMAC computers will not prevent the reactor trip safety function from occurring, and a NUMAC computer restart operation does not prevent a reactor trip function from occurring.

Another aspect of the PRNM system development that has a significant potential for defeating the safety function is the security of the System Development and Operating Environment (SDOE). Section 3.17 of this SE includes the NRC staff's evaluation of SDOE. This evaluation determined that adequate security measures are used during PRNM system development processes to ensure safety function performance. Based on these evaluations, the NRC staff determined that the NUMAC PRNM system conforms to IEEE 7-4.3.2-2003, Clause 5.5.1.

IEEE 7-4.3.2-2003, Clause 5.5.2, "Design for Test and Calibration" Clause 5.5.2 states that test and calibration functions must not adversely affect the ability of the computer to perform its safety function, and it must be verified that the test and calibration functions do not affect computer functions that are not included in a calibration. The clause further states that V&V, configuration management, and QA be required for test and calibration functions on separate computers, such as test and calibration computers that provide the sole verification of test and calibration data, but that V&V, configuration management, and QA are not required when the test and calibration function is resident on a separate computer and does not provide the sole verification of test and calibration data for the computer that is part of the safety system.

Surveillance testing and calibration of the PRNM system will be performed during periods when the portion of the system being calibrated is not performing its safety functions. A channel bypass switch is included in the PRNM design to facilitate this capability. The channel bypass functions are designed such that only one APRM channel can be bypassed at a time and un-bypassed portions of the PRNM remain capable of performing required safety functions during maintenance and calibration activities. Based on these evaluations, the NRC staff determined that the NUMAC PRNM system conforms to the requirements of IEEE 7-4.3.2-2003, Clause 5.5.2.

IEEE 7-4.3.2-2003. Clause 5.5.3. "Fault Detection and Self-Diagnostics" Clause 5.5.3 discusses fault detection and self-diagnostics and states that if reliability requirements warrant self-diagnostics, then computer programs should contain functions to detect and report computer system faults and failures in a timely manner, and that these self-diagnostic functions shall not adversely affect the ability of the computer system to perform its safety function or cause spurious actuations of the safety function.

The reliability requirements for the PRNM system warrant the use of self-diagnostic functions within the system design. The NUMAC PRNM system contains automatic self-test features that are periodically run during system operation for the purpose of detecting conditions that could adversely affect safety function performance. The self-test software is designed and tested to ensure that PRNM safety functions are not adversely affected by operation of these functions.

The same V&V processes that are used for the qualification of the safety system functions are being applied to the self-diagnostic functions. The PRNM system design also includes a hardware-based watchdog timer which, when activated, causes either system recovery or trip signal outputs to revert to the fail-safe actuated state.

The PRNM system factory acceptance tests were performed with the self-test functions running; therefore, the test results demonstrate that self-test functions did not adversely affect the ability of the PRNM to perform its safety functions. The diagnostic and self-test functions are designed to report test results and to actuate alarm functions to inform plant operators when conditions that could affect safety functions exist or to initiate fail-safe states for PRNM reactor trip signal outputs. Based on these evaluations, the NRC staff determined that the NUMAC PRNM system conforms to the requirements of IEEE 7-4.3.2-2003, Clause 5.5.3.

IEEE 7-4.3.2-2003, Clause 5.6, "Independence" Clause 5.6 states that, in addition to the requirements of IEEE Std 603, data communication between safety channels or between safety and nonsafety systems shall not inhibit the performance of the safety function. Additionally, if safety and nonsafety software reside on the same computer and use the same computer resources, then the nonsafety software functions shall be developed in accordance with safety-related software development practices. SRP Chapter 7, Appendix 7.1-D, Section 5.6, "Independence," provides acceptance criteria for equipment qualifications. UFSAR Section 3.1.2.3.5, Criterion 24, "Separation of Protection and Control Systems," states that the protection system be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel that is common to the control and protection systems, leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. UFSAR Section 3.1.2.3.5 goes on to say that interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired. ISG-04 was developed to address communication independence.

The NUMAC PRNM system does not include any data communication paths between APRM channels (i.e., safety divisions); therefore, there is no potential for such communication to inhibit or adversely affect performance of any PRNM safety function. There are, however, communications paths between APRM channels and the PRNM voter modules. These communications paths are evaluated by the NRC staff in Section 3.3.2 of this SE. These evaluations determined that NUMAC PRNM system inter-channel communications interfaces do not compromise the independence between safety channels and that operability of interconnected system components is not adversely affected by the communications through these interfaces.

The NRC staff evaluation of data communication between the PRNM system and nonsafety systems is documented in Section 3.3.4 of this SE. The results of this evaluation concluded that communications interfaces to nonsafety components of the NUMAC PRNM system do not adversely affect the ability of the PRNM to perform required safety functions. PRNM system safety software does not run on the same computer hardware as PRNM nonsafety software. Therefore, nonsafety PRNM software functions do not need to be developed in accordance with the requirements of IEEE 7-4.3.2, and no evaluation of nonsafety software was performed by the NRC staff.

The NRC staff evaluated communication independence aspects of Clause 5.6 (Section 3.3 of this SE) and determined that the NUMAC PRNM system conforms to IEEE 7-4.3.2-2003, Clause 5.6.

IEEE 7-4.3.2-2003, Clause 5.7, "Capability for Test and Calibration" Clause 5.7 states that there are no requirements beyond those found in IEEE Std 603. SRP Chapter 7, Appendix 7.1-D, Section 5.7, "Capability for Test and Calibration," provides no acceptance criteria for IEEE Std 7-4.3.2-2003, Clause 5.7. However, SRP Chapter 7, Appendix 7.1-C, Section 5.6, states that for digital computer-based systems, test provisions should address the increased potential for subtle system failures such as data errors and references BTP 7-17, "Guidance on Self-Test and Surveillance Test Provisions." BTP 7-17 describes additional considerations in the evaluation of test provisions in digital computer-based systems.

NUMAC self-diagnostic and self-test provisions evaluated under IEEE 7-4.3.2, Clause 5.5.3 above describe how the increased potential for system failures such as data errors has been addressed. The PRNM system factory acceptance tests were also performed with system self-diagnostic tests running. The test results demonstrate these tests did not adversely affect the ability of the PRNM system to perform its safety functions.

The NRC staff also considered the criteria of BTP 7-17 and determined that sufficient provisions relating to the self-test functions of the PRNM system were taken to assure adequate identification of system failures and to assure that self-test functions do not adversely affect the safety functions of the PRNM system. Based on these determinations, the NRC staff finds that the NUMAC PRNM system complies with the criteria of IEEE 7-4.3.2-2003, Clause 5.7.

IEEE 7-4.3.2-2003. Clause 5.8. "Information Displays" Clause 5.8 states that there are no requirements beyond those found in IEEE Std 603; however, SRP Chapter 7, Appendix 7.1-D, states that the NRC staff should ensure that incorrect functioning of the information displays does not prevent the safety function from being performed.

The NUMAC PRNM system being implemented at HCGS includes plant operator panel interfaces. No control or protective actions are executed through these displays. These information displays are used to display LPRM status and various combinations of control rod status information to the operator in the main control room.

The NRC staff determined that incorrect functioning or operation of the plant operator panel will not prevent the PRNM safety functions from being performed. Therefore, the NRC staff determined that the NUMAC PRNM system conforms to the guidance of IEEE 7-4.3.2-2003, Clause 5.8.

IEEE 7-4.3.2-2003. Clause 5.11, "Identification" Clause 5.11 states identification requirements specific to software systems. The clause states that: (1) firmware and software identification shall be used to assure the correct software is installed in the correct hardware component; (2) means shall be included in the software such that the identification may be retrieved from the firmware using software maintenance tools; and (3) physical identification requirements of the digital computer system hardware shall be in accordance with the identification requirements in IEEE Std 603. SRP Chapter 7, Appendix 7.1-D, Section 5.11, states that the identification should be clear and unambiguous, include the revision level, and be traceable to configuration control documentation that identifies the changes made by that revision.

Software identification control for NUMAC PRNM software is described in the NUMAC Systems Engineering Development Plan (SyEDP) (Reference 31). NUMAC source code, which includes program listings, is a required configuration item to be baselined at completion of the implementation phase. The SyEDP also specifies requirements for establishing and maintaining traceability between the source code and the design documentation used to develop it. Software and associated configuration information is thus included in the GEH configuration management program. The NRC staff determined that the NUMAC PRNM system conforms to the identification guidance of IEEE 7-4.3.2-2003, Clause 5.11.

IEEE 7-4.3.2-2003, Clause 5.15. "Reliability" Clause 5.15 states that in addition to the requirements of IEEE Std 603, when reliability goals are identified, the proof of meeting the goals shall include the software. Guidance is provided in SRP Chapter 7, Appendix 7.1-C, Section 5.15, and Appendix 7.1-D, Section 5.15. SRP Appendix 7.1-D, Section 5.15, identifies RG 1.152, containing guidance regarding digital computer reliability. SRP, Appendix 7.1-C, Appendix 7.1-D, and RG 1.152 state that quantitative reliability goals are not sufficient as a sole means of meeting the NRC's regulations for the reliability of digital computers used in safety systems.

Requirements for NUMAC PRNM system reliability and availability are specified within the System Requirements Specification (Reference 1, Appendix F, Section 7). Reliability of the NUMAC system is discussed in Section 5.3.14 of the PRNM LTR (Reference 7). A system failure analysis was performed to provide a qualitative assessment of the effects of failures on critical system functions. This failure analysis includes an assessment of the extent to which software is considered as proof for meeting system reliability goals.

The licensee provided a HCGS PRNM Reliability Analysis (Reference 29.G) to address review criteria and guidelines for reliability analyses of Sections D.9.4.2.1 and D.10.4.2.15 of DI&C-ISG-06. This analysis confirmed that the reliability conclusions of Section 6.5 of the PRNM LTR (Reference 7), which state that the PRNM modification results in no increase in overall unavailability of the APRM trip functions or RBM functions and, as such, no overall increase in the RPS failure frequency, remain valid for the HCGS PRNM application.

The licensee's analysis conclusions determined the results of the previous unavailability analysis are acceptable. The reliability conclusions in the PRNM LTR were confirmed to be applicable to the HCGS PRNM system, and the criteria of UFSAR Section 3.1.2.3.2, Criterion 21, "Protection System Reliability and Testability," are therefore met. The NRC staff determined that the HCGS NUMAC PRNM system conforms to the guidance of IEEE 7-4.3.2-2003 for system reliability of Clause 5.15.

3.17 Secure Development and Operational Environment

RG 1.152 describes a method that the NRC considers acceptable to comply with the regulatory criteria to promote high functional reliability, design quality, and establish secure SDOEs for the use of digital computers in safety-related systems at nuclear power plants. The overall guidance provides the basis for physical and logical access controls to be established throughout the digital system development process to address the susceptibility of a digital safety system to inadvertent access and modification.

A secure development environment must be established to ensure that unneeded, unwanted, and undocumented code is not introduced into a digital safety system - either operating system software or application software. In addition, a secure operational environment must be established to ensure that predictable, non-malicious events will not degrade the reliable performance of the safety system. Regulatory Positions 2.1 - 2.5 of RG 1.152 specifically identify analyses and associated design activities that should be addressed during the safety-related system development. In the context of RG 1.152, "security" refers to protective actions taken against a predictable set of non-malicious acts that could challenge the integrity, reliability, or functionality of a digital safety system.

Secure software development and operation is established via activities performed during the NUMAC product development and operational phases of the product lifecycle. For the HCGS PRNM replacement project, a "Secure Development and Operational Environment and Vulnerability Assessment Report" was submitted for NRC review (Reference 1, Appendix Q). This document identifies the lifecycle vulnerabilities for the NUMAC PRNM replacement system and associated mitigation measures taken to address these vulnerabilities. Administrative controls established within the NUMAC PRNM LTR (Reference 7, Section 5.3.13, "Security Considerations") have been confirmed for the HCGS PRNM system (Section 3.10 of this SE, Item 5) and are included in the NUMAC PRNM System Requirements Specification (Reference 1, Appendix F).

The NRC staff review of equipment security features is limited to ensuring their inclusion is not adverse to the reliability of PRNM equipment safety functions.

The following sections describe the lifecycle phases applicable to the NUMAC PRNM system development and the SDOE activities performed during each phase.

Lifecycle Phases

RG 1.152 uses the lifecycle phases of the waterfall model as a framework for describing specific guidance for the protection of digital safety systems and the establishment of an SDOE for those systems. RG 1.152 states the digital safety system development process should identify and mitigate potential weakness or vulnerabilities in each phase of the digital safety system lifecycle that may degrade the SDOE or degrade the reliability of the system.

The NUMAC lifecycle framework correlates with the lifecycle phases identified in RG 1.152.

Table 3.12.1-1 below shows alignment between NUMAC lifecycle phases and the phases discussed in RG 1.152.

Table 3.12.1-1 Lifecycle Phases Comparison

RG 1.152 Revision 3                             | NUMAC (Reference 31)
------------------------------------------------|---------------------------
Concepts                                        | Concept (Baseline 1)
Requirements                                    | Requirements (Baseline 2)
Design                                          | Design (Baseline 3)
Implementation                                  | Implementation (Baseline 4)
Test                                            | Test (Baseline 5)
Installation, Checkout, and Acceptance Testing  | Delivery (Licensee)
Operation                                       |
Maintenance                                     |
Retirement                                      |

Concepts Phase

Identification of Secure Operational Environment Design Features

As stated in Regulatory Position 2.1 of RG 1.152, the Concepts Phase is the phase in which the licensee should identify digital safety system design features required to establish a secure operational environment for the system and describe these design features as part of its application.

The PRNM system security requirements beyond those specified in the NUMAC PRNM system LTR, Section 5.3.13, are included in the NUMAC PRNM System Requirements Specification (Reference 1, Appendix F, Section 4.4). Based on the information reviewed by the NRC staff, the licensee identified the design features required to establish a secure operational environment and, therefore, meets the criteria of Regulatory Position 2.1 of RG 1.152 for NUMAC-based safety applications.

Assessment of Potential Susceptibilities

RG 1.152 states the licensee should assess the digital safety system's potential susceptibility to inadvertent access and undesirable behavior from connected systems over the course of the system's lifecycle that could degrade its reliable operation.

The Secure Development and Operational Environment and Vulnerability Assessment Report (Reference 1, Appendix Q) provides a list of vulnerabilities and mitigation measures for the NUMAC PRNM system. These vulnerabilities address physical and network access controls, personnel security, administrative controls, and application program configuration and source code controls.

The vulnerability assessment performed provides reasonable assurance the NUMAC PRNM replacement system is protected from unauthorized access and modification throughout the system lifecycle.

To confirm the secure development environment evaluated for the NUMAC PRNM system meets the guidance of RG 1.152, the NRC staff conducted an audit of the NUMAC development facilities (Reference 28). During this audit, NRC staff observed the activities performed in the GEH design and production facilities in Wilmington, North Carolina. The NRC staff examined the code production practices, security controls, and the application development environments.

The audit team determined GEH had maintained a secure development environment in accordance with RG 1.152.

Based on the information reviewed by the NRC staff, the licensee has assessed the digital safety system's potential susceptibility to inadvertent access and undesirable behavior from connected systems over the course of the system's lifecycle and, therefore, meets the criteria of Regulatory Position 2.1 of RG 1.152 for NUMAC-based safety applications.

Remote Access

The guidance in Regulatory Position 2.1 of RG 1.152 states the licensee should not allow remote access to the safety system. In RG 1.152, remote access is defined as the ability to access a computer, node, or network resource that performs a safety function or that can affect the safety function from a computer or node that is located in an area with less physical security than the safety system (e.g., outside the protected area).

The PRNM system design does not allow for remote access to the NUMAC computers from computers or nodes that are located in plant areas with less physical security than the safety PRNM system. There are also no communication paths between the redundant channels of the PRNM system. The safety and reliability of the communication between the safety-related and the nonsafety portions of the PRNM system are addressed in Section 3.3.4 of this SE and were determined to be acceptable. Therefore, the NUMAC PRNM system meets the remote access criteria of Regulatory Position 2.1 of RG 1.152.

Requirements Phase

Definition of Secure Operational Environment Functional Requirements

Section 2.2.1 of RG 1.152 states, in part, "The licensee should define the functional performance requirements and system configuration for a secure operational environment; interfaces external to the system; and requirements for qualification, HFE, data definitions, documentation for the software and hardware, installation and acceptance, operation and execution, and maintenance."

SDOE functional performance requirements for the PRNM system are defined in the NUMAC PRNM system LTR and in Section 4.4 of the software specifications (Reference 1, Appendix F).

These functional performance requirements were defined based on the design features and vulnerabilities identified in the concepts phase. The NRC staff determined that the functional performance requirements and system configuration for a secure operational environment have been adequately established. Therefore, the criteria of Regulatory Position 2.2 of RG 1.152 are met for NUMAC-based safety applications.

Verification of SDOE Requirements

Regulatory Position 2.2 of RG 1.152 states, in part, the verification process of the requirements phase should ensure the correctness, completeness, accuracy, testability, and consistency of the system's SDOE features.

The NUMAC PRNM system SDOE features are implemented by including system requirements necessary to establish the secure development and operational environments. These requirements were verified and validated in accordance with the NUMAC systems Independent SyIVVP (Reference 1, Appendix D). An evaluation of the V&V processes is included in Sections 3.7.1.4 and 3.7.2.2 of this SE. The NRC staff determined that adequate measures have been taken to ensure the correctness, completeness, accuracy, testability, and consistency of the NUMAC system's SDOE features. Therefore, the NUMAC PRNM system meets the criteria of Regulatory Position 2.2 of RG 1.152 for NUMAC-based safety applications.

Use of Predeveloped Software and Systems

Section 2.2.1 of RG 1.152 further states the requirements specifying the use of pre-developed software and systems (e.g., reused software and commercial off-the-shelf systems) should address the reliability of the safety system (e.g., by using pre-developed software functions that have been tested and are supported by operating experience).

No commercial grade software components are used in the NUMAC PRNM system design for performance of safety functions. Therefore, there are no requirements specifying the use of pre-developed software and systems, and no additional assessment of reliability is needed. The criteria of Regulatory Position 2.2 of RG 1.152 regarding pre-developed software and systems are not applicable for NUMAC-based safety applications.

Prevention of Unnecessary Requirements

The guidance in RG 1.152 states the licensee should prevent the introduction of unnecessary or extraneous requirements that may result in inclusion of unwanted or unnecessary code.

The NUMAC system development process includes specific code and design reviews between defined lifecycle phases, which serve to verify that undocumented or unwanted code is not included in the delivered product. The specified features are confirmed as part of the product's V&V process. Once installed, safety-related software is contained in programmed devices that become part of the documented system configuration. These configurations cannot be subsequently modified by the licensee. Correct software configuration is established prior to delivery of the PRNM system equipment to the licensee.

The licensee has specified various measures to protect the safety systems from unwanted access and introduction of incorrect data. ((

))

The SDOE and Vulnerability Assessment Report also includes a section (Reference 1, Appendix Q, Section 3.3) that describes operational experience of the NUMAC PRNM system.

The NRC staff acknowledges the extensive operating history of the NUMAC PRNM system has revealed no adverse system behavior, inadvertent access issues, or undesired code issues during system operation.

The NRC staff determined that adequate measures have been taken to prevent the introduction of unnecessary or extraneous requirements that may result in inclusion of unwanted or unnecessary code. Therefore, the criteria of Regulatory Position 2.2 of RG 1.152 have been met for NUMAC-based safety applications.

Design Phase

Translation of SDOE Requirements into Design Configuration Items

The guidance in RG 1.152 states the safety system design features for a secure operational environment identified in the System Requirements Specification should be translated into specific design configuration items in the system design description.

In its evaluation of software design implementation (Section 3.7.2 of this SE), the NRC staff confirmed that specified requirements including those related to SDOE were correctly translated into specific design configuration items. Therefore, the criteria of Regulatory Position 2.3 of RG 1.152 have been met for NUMAC-based safety applications.

Physical and Logical Access Controls

The guidance in RG 1.152 states, in part, that physical and logical access control features should be based on the results of the assessment performed in the concepts phase of the lifecycle.

The SDOE and Vulnerability Assessment Report identifies physical, logical, and administrative controls used to mitigate the vulnerabilities identified. The NUMAC configuration and control processes and tools limit access and changes to formal baselines of the software, which are established in accordance with NEDC-33864P, Appendix B, "NUMAC Systems Engineering Development Plan" (Reference 31). These configuration control processes limit personnel access to the software at the correct version. Therefore, the NRC staff determined that GEH used the results of the vulnerability assessment performed in the concepts phase of the lifecycle to implement the physical and logical access control features.

Prevention of Unnecessary Design Features

The guidance in RG 1.152 states that during the design phase, measures should be taken to prevent the introduction of unnecessary design features or functions that may result in the inclusion of unwanted or unnecessary code.

The development process for safety-related NUMAC application software is governed by the NUMAC System Management Plan, SyEDP, System Quality Assurance Plan, SyIVVP, and supporting GEH implementing procedures. The NUMAC System Management Plan (Reference 1, Appendix E) describes the security requirements at the project level based on licensee design inputs. The SyEDP provides requirements relevant to the SDOE. The SyIVVP (Reference 1, Appendix D) discusses IVV activities, including security analysis activities, required for the V&V effort. Based on the information provided on these plans, the NRC staff determined that the licensee has taken adequate measures to prevent the introduction of unnecessary design features or functions that may result in the inclusion of unwanted or unnecessary code. Therefore, the criteria of Regulatory Position 2.3 of RG 1.152 are met for NUMAC-based safety applications.

Implementation Phase

Transformation from System Design Specification to Design Configuration Items

The guidance in RG 1.152 states the developer should ensure that the transformation from the system design specification to the design configuration items of the secure operational environment is correct, accurate, and complete.

The SyEDP defines the integration process controls for all phases of NUMAC project development. These controls assure the functional system requirements are correctly and completely translated. ((

)) During the regulatory audit, the NRC staff observed how GEH uses a code review tool to perform the application code walk-through and ensure that all design configuration items from the software requirements specification are implemented in the application code correctly, accurately, and completely. The NRC staff determined that the NUMAC development processes provide an adequate means of ensuring that transformation from the system design specification to the design configuration items of the secure operational environment is correct, accurate, and complete. Therefore, the criteria of Regulatory Position 2.3 of RG 1.152 are met for NUMAC-based safety applications.

Implementation of Secure Development Environment Procedures and Standards

The guidance in RG 1.152 states the developer should implement secure development environment procedures and standards to minimize and mitigate any inadvertent or inappropriate alterations of the developed system.

The NUMAC System Management Plan (Reference 1, Appendix E) describes the security requirements at the project level based on licensee design inputs. The SyEDP provides requirements relevant to the SDOE. The SyIVVP (Reference 1, Appendix D) discusses IVV activities relevant to the SDOE, including security analysis activities required for the V&V effort.

The NRC staff reviewed GEH procedures used during application development activities.

These procedures define requirements for securing the computers used for development of NUMAC applications. The requirements in these procedures ensure that only authorized personnel have access to the software and that no unintended code is allowed into the software.

The NRC staff determined that the licensee has taken adequate measures to prevent the introduction of unnecessary design features or functions that may result in the inclusion of unwanted or unnecessary code. Therefore, the criteria of Regulatory Position 2.3 of RG 1.152 are met for NUMAC-based safety applications.

The NRC staff also reviewed the GEH procedures that contain requirements for the NUMAC development and test environment. ((

)) The NRC staff determined that secure development environment procedures and standards used are adequate to minimize and mitigate inadvertent or inappropriate alterations of the developed NUMAC system. Therefore, the criteria of Regulatory Position 2.4 of RG 1.152 are met for NUMAC-based safety applications.

Accounting for Hidden Functions in the Code

The guidance in RG 1.152 states the developer should account for hidden functions and vulnerable features embedded in the code, their purpose, and their impact on the integrity and reliability of the safety system.

GEH implementation procedures are used to define the detailed software development process actions, (( )). These procedures require that security requirements have traceability through system integration testing. ((


)) The NRC staff determined that measures taken by GEH have adequately accounted for hidden functions and vulnerable features embedded in the code, their purpose and their impact on the integrity and reliability of the safety system. Therefore, the criteria of Regulatory Position 2.4 of RG 1.152 are met for NUMAC-based safety applications.

Test Phase

Validation of Secure Operational Environment Design Configuration Items

The guidance in RG 1.152 states the secure operational environment design requirements and configuration items intended to ensure reliable system operation should be part of the validation effort for the overall system requirements and design configuration items.

In accordance with GEH implementation procedures, NUMAC application programs are verified, and the combined hardware-software system is validated such that all system features, including security features, are tested. Online test and calibration functions are tested to ensure that the NUMAC safety functions are not adversely impacted by undesirable operation of the connected systems or by inadvertent operator actions performed during testing. NUMAC application Test Specifications include test cases to validate that access to the NUMAC computers via the external communication interfaces will be administratively controlled ((

)). During the audit, the NRC staff reviewed a cyber security test procedure for the HCGS PRNM to ((

)) Based on the information reviewed by the NRC staff, GEH has validated the secure operational environment design requirements and, therefore, meets the criteria of Regulatory Position 2.5 of RG 1.152 for NUMAC-based safety applications.

Configuration of Secure Operational Environment Design Features

The guidance in RG 1.152 states the developer should correctly configure and enable the design features of the secure operational environment. The developer should also test the system hardware architecture, external communication devices, and configurations for unauthorized pathways and system integrity.

During the audit, several security requirements were checked and traced through to the function NUMAC software requirements and to applicable test plans and procedures. The associated tests for these security requirements were completed and no anomalies were identified. After development and delivery of the software from GEH to the licensee, the licensee's procedures will be used to maintain software configuration control throughout the remaining lifecycle phases. A licensee-controlled QA program will then be used to control and administer the software during all remaining lifecycle phases. Based on the information reviewed, the NRC staff determined that the NUMAC developers have adequately configured and enabled the design features of the secure operational environment and, therefore, the criteria of Regulatory Position 2.5 of RG 1.152 are met for NUMAC-based safety applications.

The NRC staff determined that the approaches used to secure the NUMAC system development and operation provide an acceptable method to meet the evaluation criteria established in RG 1.152, Staff Positions 2.1 through 2.5 for the previously approved software and for all software changes since the approved LTRs. This NRC staff determination is based on the use of a secure development and operational environment, configuration control procedures, and design review procedures providing reasonable assurance that undocumented, malicious, or unwanted code is not included in the delivered product. This NRC staff determination is further based on the implementation of security features that do not adversely affect the safety functions of the NUMAC-based system.

3.18 Rod Withdrawal Error Analysis

The improved RBM system for HCGS with power-dependent setpoints requires that new rod withdrawal error (RWE) analyses be performed to determine the minimum critical power ratio requirements and corresponding setpoints. A generic statistical analysis for application to all BWRs, including HCGS, was performed and the application of these results is validated for each reload analysis consistent with the NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel (GESTAR II)" (Reference 32) CPR correlation.

The RWE transient is hypothesized as an inadvertent reactor operator initiated withdrawal of a single control rod from the core. Withdrawal of a single control rod has the effect of increasing local power and core thermal power, which lowers the minimum critical power ratio and increases the linear heat generation rate in the core limiting fuel rods. The RWE transient is terminated by control rod blocks, which are initiated by the RBM system.

The function of the RBM is to prevent fuel damage in the event of erroneous rod withdrawal from locations of high-power density during high-power level operation. It does this by blocking control rod movement that could result in violating a thermal limit (1 percent plastic strain criteria, or the safety limit minimum critical power ratio) in the event of an RWE.

The evaluation of the RWE event was performed, taking credit for the mitigating effect of the power-dependent RBM. The RBM setpoints are determined based on a statistical analysis.

The RBM has three power-dependent trip levels. The trip levels are determined based on analyses that compare severity of the RWE with different setpoints. The setpoints that are adopted are based on a 95 percent probability, with a 95 percent confidence level interval assessment that the RWE consequences do not breach the safety limit minimum critical power ratio. The analyses were performed, assuming conservative LPRM failure assumptions and using NRC-approved methods. Specific evaluations were performed for the reference HCGS core to confirm that the maximum linear heat generation rate limits are met based on the RBM setpoints. On a core specific basis, it is confirmed that the RBM monitor setpoints adequately ensure cladding integrity protection by comparison to thermal limits.

The NRC staff finds that the statistical evaluation is sufficiently conservative and the analytical results indicate that the implementation of "Full" ARTS with the proposed setpoints provides reasonable assurance that an RWE will not result in fuel bundles exceeding their specified acceptable fuel design limits.

The analyses using the reference core loading for Cycle 13 without rod blocks show that the relevant criteria are met. Further, as part of the reload analysis, the licensee will perform calculations to confirm the applicability of the ARTS-based statistical RWE result for subsequent fuel cycles at HCGS with rod blocks. The NRC staff concludes that the HCGS RWE analysis with the proposed NUMAC PRNM system and "Full" ARTS implementation at current licensed thermal power conditions is acceptable.

3.19 Thermal-Hydraulic Stability

The PRNM system includes an OPRM capability to detect and suppress reactor instability. The OPRM function continues to satisfy the same regulatory requirements as the currently installed OPRM equipment. The existing ABB OPRM with BWROG Option III stability solution will change to the GEH OPRM with the DSS-CD stability solution. Appendix T of NEDC-33864P provides the evaluation and justification for implementing DSS-CD at HCGS.

HCGS will implement DSS-CD consistent with the DSS-CD LTR (Reference 27). DSS-CD maintains the algorithms (with generic setpoints) that were approved for Option III: the PBDA, the amplitude based algorithm, and the growth rate algorithm for DID. DSS-CD is designed to detect power oscillations upon inception and initiate control rod insertion (scram) to terminate the oscillations prior to any significant amplitude growth. DSS-CD introduces an enhanced detection algorithm that detects the inception of power oscillations and generates an earlier power suppression trip signal based on successive period confirmation recognition and an amplitude component.

The NRC staff requested additional information related to the confirmatory TRACG limiting cases. The licensee provided the requested information in a letter dated September 23, 2016 (Reference 5). The provided information confirmed that the safety limit minimum critical power ratio is not exceeded for the limiting cases.

Protection against exceeding specified acceptable fuel design limits as a result of instability events is provided by the DSS-CD long-term stability solution. The NRC staff reviewed the licensee's disposition of the limitations and conditions related to the SE for NEDC-33075P-A (Reference 27) and determined that the licensee has satisfied the Limitations and Conditions from the DSS-CD LTR.

Based on the analyses provided by the licensee and the fact that NRC-approved methodologies were used, the NRC staff concludes that the thermal hydraulic stability characteristics of HCGS, with the proposed DSS-CD implementation at the current licensed thermal power conditions, are acceptable.

3.20 Human Factors Review

3.20.1 Description of Operator Action(s) Added/Changed/Deleted

By letter dated September 21, 2015 (Reference 1), the licensee stated in Section 4.1.2.5, "Human Factors Evaluation," that a detailed analysis of compliance with NUREG-0700 will be documented with the completion of the detailed design. The Phase 2 submittal of the proposed amendment would be provided to the NRC staff approximately 1 year after the Phase 1 submittal that would describe the NUREG-0700 compliance. By letter dated September 12, 2016 (Reference 4), the licensee submitted six enclosures for the ISG-06 Phase 2 supplemental information that included a HFE assessment.

As stated by the licensee in Enclosure 1, "Human Factors Engineering Assessment," Section 3.5, "Important Human Actions," the PRNM system performs an automatic safety function; there are no important operator actions performed to support the safety function, nor will there be additions, changes, or deletions to the important operator actions as a result of the PRNM system upgrade.

In Section 5, "Task Analysis," of Enclosure 1, the licensee describes eight operator actions that have existing task analyses in the HCGS Operations training program, two of which are new operator actions that affect the STP setpoint of the NUMAC APRMs. These actions are part of the standard operating procedures for the system and are not part of abnormal or emergency operating procedures. The two new actions related to the STP setpoint of the NUMAC APRMs are:

1. Place the APRM channel to Single Loop Operation (SLO) mode and
2. Place an APRM channel in Automatic Backup Stability Protection (BSP) mode.

The licensee stated that the first new action must be performed on each of the four APRM channels within 4 hours of entering single recirculation loop operation per HCGS TS 3.4.1.1.

The second new action, placing the APRM channel in BSP mode, must be performed on each of the four APRM channels within 12 hours of declaring the OPRM function inoperable per Action 10 of HCGS TS Table 3.3.1-1, as modified by the LAR. Both new actions occur on the same panel, H1SE-10-C-608. The licensee stated that based on the simplicity of the actions, the length of time available and that the sequence of steps for both new actions can be accomplished in much less time than available, a detailed time required was not developed.

The licensee credited two existing manual operator actions in the PRNM DID analysis, which are responses to the following two events: ((

))

The licensee provided the simulator time validations in Enclosure 2, NUREG-0800, "Appendix 18-A, Assessment, Crediting Manual Operator Actions in the Diversity and Defense-in-Depth Analyses" (Reference 4), and both actions were verified to be taken successfully and within the time available to mitigate the two events. The licensee goes on to state in Section 4, "Functional Requirements Analysis and Function Allocation," of .3, that these two actions are existing operator actions, included in operations department procedures and training, and have not changed with the proposed amendment.

Furthermore, the time available and the information available to the operators to respond to the two aforementioned events have not changed. Finally, the proposed amendment will not affect an anticipated transient without scram.

The NRC staff finds the changes to manual operator actions associated with the proposed amendment to be acceptable as there will be no changes, additions, or deletions to the important operator actions as a result of the PRNM system upgrade, and the two new actions related to the STP setpoint of the NUMAC APRMs will be in compliance with their associated TS completion times.

3.20.2 Operating Experience Review

By letter dated September 12, 2016 (Reference 4), the licensee details in Enclosure 1, Section 3, "Operating Experience Review," the operating experience (OE) that was reviewed as part of the modification. As stated by the licensee, the review was accomplished using the Institute of Nuclear Power Operations (INPO) OE database, correspondence with other utilities and information from the system vendor. Specifically, HCGS identified Columbia, Grand Gulf, Susquehanna Steam Electric Station, and Peach Bottom Atomic Power Station as the utilities with units with similar NUMAC PRNM systems. The licensee stated that its HCGS project team visited the sites listed above to solicit information related to OE and did not identify HFE-related problems in the NUMAC PRNM system. Furthermore, the licensee stated that there are no recognized industry HFE issues applicable to the NUMAC PRNM system since it performs an automatic safety function with minimal operator interaction and no important operator actions required to support the automatic safety function of the system. The NRC staff reviewed the internal OE communications and the Agencywide Documents Access and Management System (ADAMS) for HFE-related OE and did not identify any for the proposed amendment.

Based on the above, and consistent with the guidance contained in Section 3.0, "Operating Experience Review," of NUREG-0711, the NRC staff concludes that the licensee has appropriately reviewed previous systems that are similar to the NUMAC PRNM system and has identified, analyzed, and addressed potential HFE-related problems.

3.20.3 Staffing and Qualifications

By letter dated September 12, 2016 (Reference 4), the licensee stated in Enclosure 1, Section 6, "Staffing and Qualification," that there is no change to required staffing levels or personnel qualifications. The licensee stated that the proposed new system will continue to provide information, enforce control rod blocks, and initiate reactor scrams under appropriate specified conditions; therefore, the operator actions remain unchanged in that the same actions/responses occur with data received from the digital upgrade as with the analog system.

Based on the above, the NRC staff finds this to be acceptable, as the licensee has addressed the guidance in NUREG-0800 to ensure that the operating staff levels and the related qualification requirements for the digital upgrade are appropriate.

3.20.4 Human-System Interface Design

The PRNM design change specifically modifies the 1OC651 Operator Console arrangement to accommodate the NUMAC PRNM system ODAs and the change from six APRM channels to four APRM channels. As described by the licensee in Section 8, "Human-System Interface Design," of Enclosure 1, "Human Factors Engineering Assessment," the NUMAC PRNM system provides an automatic safety function, and operator actions are primarily limited to bypassing channels, acknowledging alarms, and selecting displays. As mentioned above in Section 3.20.1 of this SE, two new functions are performed by operators at the instruments on the H1SE-10-C-608 panel: (1) placing the APRM channel in SLO mode and (2) placing an APRM channel in BSP mode.

The licensee stated in Section 8.1, "Human Factors Analysis," of Enclosure 1, that it used the guidance in NUREG-0700 to incorporate HFE principles into the design change. It identified the following as the applicable design principles for the change:

  • Regulatory Requirements
  • Panel Layout
  • Control-Display Integration
  • Prevent Accidental Activation of a Control
  • Legend Pushbuttons
  • Visual Displays
  • Labeling
  • Demarcation

For each principle, the licensee cited the applicable section in the licensee's document, PSEG Procedure NC.DE-TS.ZZ-1017, "Human Factors Engineering." The licensee stated for each principle the specific changes that will be made, if applicable, with further detail in NC.DE-TS.ZZ-1017.

Consistent with the guidance in NUREG-0711, the licensee has adequately addressed the design of alarms, displays, controls, and other aspects of the human-system interface design and applied the HFE principles; therefore, the NRC staff finds it to be acceptable.

3.20.5 Procedure Design

By letter dated September 12, 2016 (Reference 4), the licensee details in Enclosure 1, "Human Factors Engineering Assessment," Section 9, "Procedure Development," the changes to the procedures that will result from the proposed amendment and stated that the affected procedures have been developed in accordance with HCGS's existing procedure development program as described in UFSAR Section 13.2. The proposed NUMAC PRNM system will affect the following procedures: (1) integrated operating procedures, (2) NMS and RBM system operating and abnormal operating procedures, (3) maintenance procedures, (4) surveillance procedures, and (5) alarm response procedures. The licensee stated that there are no new operator actions required to support the updated procedures listed above and that computer-based procedures are not implemented with the installation of the NUMAC PRNM system.

Furthermore, the licensee specified there is no change to the emergency preparedness program and a 10 CFR 50.54(q) evaluation is not required; therefore, emergency operating procedures are not affected. The licensee stated that the procedures will be changed and validated prior to installation during the Site Acceptance Testing. Additionally, the impacted procedures that involve interfaces to other plant systems will receive tabletop reviews and be validated prior to installation and training of the PRNM system.

The licensee discussed in Section 9.1, "Administrative Controls," of Enclosure 1 the administrative controls identified in the NUMAC PRNM operations and maintenance manuals that will be incorporated into the applicable HCGS procedures. For each administrative control, the licensee cites the applicable HCGS procedure.

Based on the considerations above, and consistent with the guidance in Section 9, "Procedure Development," of NUREG-0711, the NRC staff finds that the licensee has adequately addressed the procedure design for the proposed license amendment and finds it to be acceptable.

3.20.6 Training Program Design

By letter dated September 12, 2016 (Reference 4), the licensee stated in Enclosure 1, "Human Factors Engineering Assessment," Section 10, "Training Program Development," that training will be conducted in accordance with the requirements of PSEG's INPO-accredited training program as described in UFSAR Section 13.2. The licensee has developed draft Operations and Maintenance training plans specific to the PRNM upgrade. These plans address the changes required to training documentation, identify which personnel will be trained, identify what training is required and the objectives of that training, and include a schedule for both pre- and post-installation training.

In Section 12, "Design Implementation," of Enclosure 1, the licensee specifies the operator training schedule, which is to occur in phases. Training for operators consists of utilizing the computer room PRNM system, the simulator, and classroom training. The phases of operator training are as follows:

  • Pre-installation training (1/2018) - This will be the first training provided to the entire licensed operator population. This training will be performed utilizing the computer room PRNMs and/or the simulator PRNM, depending on simulator installation.
  • Just in time training (4/2018) - This training will occur during the outage while installation is occurring. It will contain up-to-date information that may not have been covered in the pre-installation training. This training will occur in the classroom and/or simulator once the simulator installation is completed.
  • Gap training post-outage - This training will occur in a training segment following the installation (Spring/Summer 2018) to cover any gaps identified between the previous training and final state of the project.

In this section, the licensee repeated that prior to the installation of the NUMAC PRNM system, training will be identified for the affected/identified personnel.

Specific to maintenance training, the licensee provided a timeline that includes an initial "train the trainers" in the fourth quarter of 2016, with detailed training updates developed through the first and second quarters of 2017. The training on the new system will begin in the fourth quarter of 2017 to be ready for system installation in the second quarter of 2018 during the proposed refueling outage.

The licensee stated that startup and initial operations will be monitored, and any procedural or training deficiencies will be entered into the corrective action process for tracking and resolution.

Evaluation of the training process for the PRNM system will occur 6-12 months following the installation and it will include a review of system performance and personnel operation of the system to determine if any further training is required or if the initial training was sufficient.

Based on the considerations above, and consistent with the guidance in Section 10, "Training Program Development," of NUREG-0711, the NRC staff concludes that the licensee has appropriately addressed training for both licensed and non-licensed plant personnel and, therefore, finds it to be acceptable.

3.20.7 Human Factors Verification and Validation

By letter dated September 12, 2016 (Reference 4), Enclosure 1, "Human Factors Engineering Assessment," Section 11, "Human Factors V&V," states that no important operator actions are being changed, added, or deleted as a result of the proposed PRNM upgrade. There are two new actions related to the STP setpoint of the NUMAC APRMs and each has sufficient time to complete them. The licensee stated the upgrade to the PRNM system does not impact reactor operating parameters or the functional requirements of the APRM system, and the system will continue to provide information, enforce control rod blocks, and initiate reactor scrams under appropriate specified conditions as before. The licensee stated that, as a consequence, no new task analyses were performed and human-systems interface task support verification is not required for the proposed amendment. The licensee goes on to state that the "design of the PRNM replacement equipment meets the intent of NUREG-0700 as applicable to the back panel equipment. The base design for the plant operator's panel uses the existing operator interface devices, so there is no effect on the plant's human factor evaluations. The digital NUMAC ODA alternate for the plant operator's panel display has been designed to meet NUREG-0700 to the extent possible." The licensee confirmed the diagnosis of minimal operator impact during the Factory Acceptance Test conducted during March 2015 using the new HCGS hardware attached to a plant simulator. The licensee stated that for the upgrade to the proposed NUMAC PRNM system, an integrated system validation is not warranted, as there is no change in important human actions for the replacement hardware. Important operator tasks remain unchanged; therefore, there is no impact to task dynamics, complexity, or workload for the operations staff.

The proposed PRNM system provides the same information as the current analog system and there is reasonable expectation that there will be little or no overall effect on the operations staff regarding workload or the likelihood of an error.

Consistent with the guidance in Section 11, "Human Factors Verification and Validation," of NUREG-0711, the NRC staff finds the licensee's discussion of the human factors V&V for the proposed PRNM system upgrade to be acceptable because the same information will be available to the operators as a result of the system upgrade and no important operator actions are being changed, added, or deleted.

3.21 Technical Conclusion

The NRC staff determined that the proposed license amendment to modify the HCGS operating license and TSs to allow plant operation with a replacement NUMAC-based PRNM system satisfies the applicable design criteria, as identified in Section 2.0 of this SE.

The NRC staff further concludes that the proposed replacement PRNM system meets the criteria of 10 CFR 50.36(c)(1)(ii)(A), 10 CFR 50.36(c)(2)(i), 10 CFR 50.36(c)(3), 10 CFR 50.54(jj), 10 CFR 50.55(i), and 10 CFR 50.55a(h), and thereby provides reasonable assurance of continued adequate protection of public health, safety, and security. The NRC staff also determined that manual control measures needed to support BSP are sufficiently diverse from the digital NUMAC PRNM system and, therefore, provide an acceptable means of diverse protection for the DSS-CD safety function. On this basis, the NRC staff finds the proposed license amendment acceptable.

4.0 STATE CONSULTATION

In accordance with the Commission's regulations, the New Jersey State Official was notified of the proposed issuance of the amendment on July 20, 2017. The State official had no comments.

5.0 ENVIRONMENTAL CONSIDERATION

The amendment changes a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and changes SRs.

The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding (81 FR 36607; June 7, 2016). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.

6.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner; (2) there is reasonable assurance that such activities will be conducted in compliance with the Commission's regulations; and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

7.0 REFERENCES

1. PSEG letter from Paul Davison to USNRC, "License Amendment Request - Digital Power Range Neutron Monitoring (PRNM) System Upgrade," dated September 21, 2015 (ADAMS Accession No. ML15265A224) and Appendices (ADAMS Accession No. ML15265A225), as noted below:

   A. Appendix A - PRNM System Architecture Description
   B. Appendix B - NUMAC Systems Engineering Development Plan (Note: This document has been superseded. See Reference 31 below.)
   C. Appendix C - NUMAC Systems Quality Assurance Plan
   D. Appendix D - NUMAC Systems Independent Verification and Validation Plan
   E. Appendix E - HCGS NUMAC PRNM System Management Plan
   F. Appendix F - Software Specifications, Parts 1 and 2
   G. Appendix G - APRM Functional Controller Software Design Specification
   H. Appendix H - NUMAC Qualification Program HCGS
   I. Appendix I - Diversity and Defense-in-Depth Analysis
   J. Appendix J - Design Analysis Report: HCGS NUMAC PRNM System, Hardware, and Software Modifications
   K. Appendix K - Design Analysis Report: Methodology Modifications
   L. Appendix L - Design Analysis Report on Electrical Independence
   M. Appendix M - Design Report on Computer Integrity, Test and Calibration, and Fault Detection
   N. Appendix N - PRNM System Response Time Analysis Report
   O. Appendix O - Report on Compliance with IEEE Standards (603-1991 and 7-4.3.2-2003) and Theory of Operations Description
   P. Appendix P - GEH Instrument Setpoint Methodology - Overview, HCGS PRNM, Parts 1 and 2
   Q. Appendix Q - Secure Development and Operational Environment and Vulnerability Assessment Report
   R. Appendix R - HCGS Plant-specific Responses Required by PRNM LTR
   S. Appendix S - Supplemental Information for ARTS for HCGS
   T. Appendix T - HCGS Thermal Hydraulic Stability, DSS-CD Evaluation
2. PSEG letter from Paul Davison to USNRC, "Supplemental Information Needed for Acceptance of Requested Licensing Action Re: Amendment Request Regarding Digital Power Range Neutron Monitoring System Upgrade," dated November 19, 2015 (ADAMS Accession No. ML15323A268).
3. PSEG letter from Paul Davison to USNRC, "Supplemental information - License Amendment Request - Digital Power Range Neutron Monitoring (PRNM) System Upgrade," dated June 17, 2016 (ADAMS Accession No. ML16172A012).
4. PSEG letter from Paul Davison to USNRC, "Phase 2 Supplement - License Amendment Request - Digital Power Range Neutron Monitoring (PRNM) System Upgrade," dated September 12, 2016 (ADAMS Package Accession No. ML16256A638).
5. PSEG letter from Paul Davison to USNRC, "Response to Request for Additional Information Regarding Digital Power Range Neutron Monitoring (PRNM) System Upgrade," dated September 23, 2016 (ADAMS Accession No. ML16270A006).
6. TSTF letter to USNRC, "Transmittal of TSTF-493, Revision 4, Errata," dated April 23, 2010 (ADAMS Accession No. ML101160026).
7. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Volume 1," October 1995 (9605290009-Proprietary).
8. NEDC-32410P-A, "Nuclear Measurement Analysis and Control Power Range Neutron Monitor (NUMAC PRNM) Retrofit Plus Option III Stability Trip Function, Volume 2," October 1995 (9605290009-Proprietary).

9. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition," Chapter 7, "Instrumentation and Controls," August 2016 (ADAMS Package Accession No. ML160088013).
10. Staff Requirements Memorandum, SECY-93-087, "Policy, Technical, and Licensing Issues Pertaining to Evolutionary and Advanced Light-Water Reactor (ALWR) Designs," dated July 21, 1993 (ADAMS Accession No. ML003708056).
11. NUREG-0800, Chapter 18, Revision 3, "Human Factors Engineering," December 2016 (ADAMS Accession No. ML16125A114).
12. NUREG-0711, Revision 3, "Human Factors Engineering Program Review Model," November 2012 (ADAMS Accession No. ML12324A013).

13. Regulatory Guide 1.75, Revision 3, "Criteria for Independence of Electrical Safety Systems," February 2005 (ADAMS Accession No. ML043630448).
14. Regulatory Guide 1.100, Revision 3, "Seismic Qualification of Electrical and Active Mechanical Equipment and Functional Qualification of Active Mechanical Equipment for Nuclear Power Plants," September 2009 (ADAMS Accession No. ML091320468).
15. Regulatory Guide 1.105, Revision 3, "Setpoints for Safety-Related Instrumentation," December 1999 (ADAMS Accession No. ML993560062).

16. Regulatory Guide 1.152, Revision 3, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants," July 2011 (ADAMS Accession No. ML102870022).
17. Regulatory Guide 1.168, Revision 2, "Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," July 2013 (ADAMS Accession No. ML13073A210).
18. Regulatory Guide 1.169, Revision 1, "Configuration Management Plans for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," July 2013 (ADAMS Accession No. ML12355A642).
19. Regulatory Guide 1.170, Revision 1, "Test Documentation for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," July 2013 (ADAMS Accession No. ML13003A216).
20. Regulatory Guide 1.171, Revision 1, "Software Unit Testing for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," July 2013 (ADAMS Accession No. ML13004A375).
21. Regulatory Guide 1.172, Revision 1, "Software Requirement Specifications for Digital Computer Software and Complex Electronics Used in Safety Systems of Nuclear Power Plants," July 2013 (ADAMS Accession No. ML13007A173).
22. Regulatory Guide 1.173, Revision 1, "Developing Software Lifecycle Processes for Digital Computer Software Used in Safety Systems of Nuclear Power Plants," July 2013 (ADAMS Accession No. ML13009A190).
23. Regulatory Guide 1.180, Revision 1, "Guidelines for Evaluating Electromagnetic and Radio-Frequency Interference in Safety-Related Instrumentation and Control Systems," December 1999 (ADAMS Accession No. ML032740277).
24. Regulatory Guide 1.209, "Guidelines for Environmental Qualification of Safety-Related Computer-Based Instrumentation and Control Systems in Nuclear Power Plants," March 2007 (ADAMS Accession No. ML070190294).
25. Digital Instrumentation and Controls, DI&C-ISG-04, Revision 1, "Task Working Group #4: Highly-Integrated Control Rooms-Communications Issues (HICRc), Interim Staff Guidance," dated March 6, 2009 (ADAMS Accession No. ML083310185).
26. Digital Instrumentation and Controls, DI&C-ISG-06, Revision 1, "Task Working Group #6: Licensing Process, Interim Staff Guidance," dated January 19, 2011 (ADAMS Accession No. ML110140103).
27. NEDC-33075P-A, Revision 8, "Licensing Topical Report GE-Hitachi Boiling Water Reactor Detect and Suppress," dated November 19, 2013 (ADAMS Accession No. ML13324A098 (Proprietary) and ADAMS Accession No. ML13324A099 (Non-Proprietary)).
28. Instrumentation and Controls Branch Hope Creek Generating Station Regulatory Audit Report for General Electric - Hitachi NUMAC Power Range Neutron Monitoring System (ADAMS Accession No. ML16344A117 (Non-Public)).
29. NEDO-33872, Hope Creek Generating Station NUMAC PRNM Upgrade Phase 2 Documents (ADAMS Accession Nos. ML16256A648 (Proprietary) and ADAMS Accession No. ML16256A642 (Non-Proprietary)), and Appendices, as noted below:

   A. HCGS PRNM System Safety Analysis Task Report
   B. HCGS PRNM System Verification and Validation Task Report
   C. HCGS PRNM System Configuration Management Task Report
   D. HCGS PRNM Verification and Validation Test Summary Report
   E. HCGS PRNM Failure Mode and Effects Analysis Report
   F. HCGS PRNM Qualification Summary Report
   G. HCGS PRNM Reliability Analysis

30. NEDO-11209, Revision 11, "GE Hitachi Nuclear Energy Quality Assurance Program Description," February 12, 2015 (ADAMS Accession No. ML15043A414).
31. NEDC-33864P, Appendix B (NEDE-33834P), NUMAC Systems Engineering Development Plan (ADAMS Accession No. ML16256A650 (Proprietary) and ADAMS Accession No. ML16256A644 (Non-Proprietary)). Note: This document replaces Appendix B in the original LAR (Reference 1).
32. NEDE-24011-P-A, "General Electric Standard Application for Reactor Fuel (GESTAR - II)."

Principal Contributors: R. Stattel, S. Darbali, D. Ki, J. Whitman

Date: August 4, 2017

ADAMS Accession Nos.: PKG ML17216A018; Proprietary AMD ML17193A918; Non-proprietary AMD ML17216A022
*by memorandum **by e-mail

OFFICE: DORL/LPL1/PM; DORL/LPL1/LA; DE/EICB/BC*; DRA/APHB/BC*
NAME: JPoole; LRonewicz; MWaters; GCasto
DATE: 07/31/2017; 07/31/2017; 05/15/2017; 06/19/2017

OFFICE: DSS/SRXB/BC*; DSS/STSB/BC(A)**; OGC-NLO; DORL/LPL1/BC w/comments**
NAME: EOesterle; JWhitman; AGhosh; JDanna
DATE: 07/05/2017; 08/01/2017; 07/31/2017; 08/02/2017

OFFICE: DORL/LPL4/PM
NAME: LRegner (JPoole for)
DATE: 08/04/2017