ML20058F169
| ML20058F169 | |
| Person / Time | |
|---|---|
| Site: | Perry  |
| Issue date: | 11/22/1993 |
| From: | Stratman R CENTERIOR ENERGY |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| Shared Package | |
| ML20058F171 | List: |
| References | |
| PY-CEI-NRR-1654, NUDOCS 9312080019 | |
| Download: ML20058F169 (35) | |
Text
<
1 s
l j
I(
{
CENTEMOR l
ENERGY PERRY NUCLEAR POWER PLANT Mail Address:
i P.O BOX 97 Robert A. Stratman j
10 CENTER ROAD m, OHO 44081 VICE PRESIDENT. NUCLEAR PERRY, OHIO 44081 (216) 259-3737 November 22, 1993 PY-CEI/NRR-1654 L U.S. Nuclear Regulatory Commission Document Control Desk l
Vashington, D. C. 20555 j
Perry Nuclear Power Plant Docket No. 50-440 License Amendment Request:
Replacement of Selected Analog Leak l
Detection System Instruments with i
GE NUMAC Leak Detection Monitors l
I Gentlemen:
Enclosed is a request for amendment of the Facility Operating License (NPF-58) for the Perry Nuclear Power Plant (PNPP), Unit 1, to permit the installation /
operation of digital, microprocessor-based Leak Detection System monitors.
The proposed amendment will result in the replacement of most of the existing i
analog Riley temperature monitoring instrumentation associated with the Leak i
Detection System (LDS) with digital leak detection monitoring equipment from the General Electric Company NUMAC product line. As analog-to-digital
,t instrumentation replacements are currently considered an Unreviewed Safety Question (US0) by the NRC, a License Amendment in accordance with 10 CFR 50.59 is necessary for implementation. This modification is currently scheduled to be installed during the fourth refuel outage. Approval of this License Amendment is necessary to allow plant startup from the refuel outage -
scheduled for April 25, 1994.
Based on the reduced drift and design features such as automatic self-testing i
incorporated by General Electric into the NUMAC product line, it is appropriate to reduce the channel functional test surveillance frequency for several area temperature and differential temperature trip functions within Technical Specification Table 4.3.2.1-1, " Isolation Actuation Instrumentation Surveillance Requirements." This change would increase the present Channel Functional Test surveillance interval from monthly to semiannually. The 0300'5 Operating Cornponies Cleveland Electric filuminating
\\
Toledo Edson 4
9312080019 931122 PDR ADOCK 05000440 J
P PDR
- J
. _. _ _. j
i 1
i November 22, 1993 PY-CEI/NRR-1654 L Page 2 of 2 l
i information to support the associated Technical Specification changes is also
[
included in this submittal.
Issuance of these Technical Specification changes together with the associated Safety Evaluation could also serve as the
~
documentation of NRC review and approval of the US0. Note, however, that issuance of the Technical Specification changes themselves is not necessary for startup from the refuel outage.
- provides the Summary, Safety Assessment, Description of the Proposed Changes, and the Environmental Consideration. Attachment 2 provides a copy of the marked-up Technical Specification pages. Attachment 3 provides the Significant Hazards Consideration. Attachment 4 provides the results of the recently completed additional Electromagnetic and Radiofrequency Interference (EMI/RFI) testing performed by General Electric vith the PNPP Leak Detection Monitor configuration.
If you have any questions or require additional information, please contact Mr. Henry Hegrat - Regulatory Af f airs at (216) 259-3737 extension 5606.
t Sincerely, 7
. S/
~
Q-
., ps 1
3 I
RAS:RAL:ss Attachments cc: NRC Project Manager i
NRC Resident Inspector Office
)
NRC Region III State of Ohio i
PY-CEI/NRR-1654 L Attcchm:nt 1 Page 1 of 33
SUMMARY
This proposed modification is the first phase of the Riley leak detection temperature module replacement effort which removes 52 of the 60 Riley temperature modules in the Leak Detection System (LDS). These temperature i
modules provide divisional alarms and, when necessary, isolation signals which close either the inboard or outboard containment isolation valves for a specific system, vben high ambient or high differential temperature is sensed in the respective systems' equipment areas. These 52 temperature modules have the highest potential for spurious Engineered Safety Feature (ESF) system actuations. This proposed change includes both divisions of the two division LDS instrumentation for the Reactor Core Isolation Cooling (RCIC), Residual Heat Removal (RHR) and Reactor Vater Cleanup (RVCU) Systems.
It also includes the Division 1 and 2 logic (two of the four divisions) for the Main Steam Line Tunnel areas. The eight remaining Riley Temperature Modules for the Main Steam Line Tunnel (Division 3 and 4) and for the Main Steam Lines in the Turbine Building Area (Divisions 1 through 4) are being considered for future replacement. These remaining divisions require two division actuations to cause an ESF System isolation and thus have less potential for spurious trips.
The Riley leak detection temperature modules (svitches) vill be replaced with two digital Leak Detection Monitors manufactured by the General Electric (GE)
Company. These monitors are part of the GE Nuclear Measurement Analysis and Control (NUMAC) product line, which is a microprocessor-based instrument family designed for various safety and non-safety related applications in nuclear power plants.
Recognizing that the replacement of analog equipment vith digital equipment is currently considered an Unreviewed Safety Question (US0) by the NRC,.this licence amendment request has been prepared pursuant to the regulations.
Industry, NRC and other licensee correspondence / amendment requests on this issue were reviewed and conversations were held with other plants who had recently replaced (or vere in the process of replacing) analog with digital systems to address the various issues in this evolving area. Resolution of the USO portion of this change is needed prior to startup from the refuel outage, currently scheduled for April 25, 1994. Because the same issues are addressed when responding to the "No Significant Hazards Consideration" questions for both the US0 and the Technical Specification changes also proposed herein, no advantage was seen in submitting separate license amendment requests.
The proposed Technical Specification changes are a result of replacing the analog Riley temperature modules with the digital microprocessor-based NUMAC Leak Detection Monitors (LDMs), which allow the channel functional testing surveillance interval to be increased. The justification for extending the l
channel functional testing surveillance interval from monthly to semiannually l
is provided in Part D, Section 4
" Extending the Channel Functional Testing i
Surveillance Intervals." The " Description of the Proposed Technical Specification Changes" section describes the precise changes needed to be made. Note that these Technical Specification changes are not necessary for startup from the refuel outage as they only lengthen the existing surveillance interval. Also, there are no changes in the systems / areas being monitored or the corresponding Technical Specification setpoints.
PY-CEI/NRR-1654 L f
s Page 2 of 33 i
1 1
Due to the recent NRC and industry concerns relating to the EMI/RFI issue, CEI has recently completed an EMI/RFI survey in various areas (including the Control Roota) to quantify and document the fields in these areas. Results of i
this survey vill be provided to the NRC as soon as possible after the report is compiled and approved in support of this License Amendment request.
Additionally, GE is performing the seismic qualification for installing the NUMAC Leak Detection Monitors into the Control Room. This qualification is i
scheduled to be completed by the end of November; the results of that evaluation vill also be submitted to the NRC as soon as possible after this report is compiled.
SAFETY ASSESSMENT The safety assessment is divided into eight separate areas:
l Part Description A
General Overview of the Temperature-Related Monitoring Functions of the Leak Detection System B
Assessment of the Major Factors Influencing the Utilization of the NUMAC Leak Detection Monitor in this Application l
C System Description of the NUMAC Leak Detection Monitor i
D Self-Test System, Error Detection Features Description, Isolation Provisions and Channel Functional Testing E
NUMAC Leak Detection System Environmental Qualifications F
Electromagnetic and Radio Frequency Interference (EMI/RFI)
G Software Design Control and Verification and Validation (V&V) l H
Conclusions PART A - GENERAL OVERVIEW OF THE TEMPERATURE-RELATED MONITORING FUNCTIONS OF THE LEAK DETECTION SYSTEM The Leak Detection System is designed to monitor leakage from the reactor coolant pressure boundary (RCPB) (or systems which may serve as extensions of the RCFB). and initiate alarms and/or isolations when predetermined temperature (or differential temperature) setpoints are exceeded. The plant areas monitored include the Containment and selected areas / buildings outside the Containment. The areas / buildings that are outside the Containment and monitored for reactor coolant leakage include the equipment areas in the l
Auxiliary Building, the Steam Tunnel and the Turbine Building.
\\
The process piping for each system monitored for leakage is located in compartments or rooms separate from other systems, wherever feasible, so that leakage may be detected by measuring changes in area ambient temperature or differential temperature. When the temperature based portion of the Leak Detection System detects such changes, alarms and, when necessary, system isolations are provided. The instrumentation for the Leak Detection System (except for the main steam lines (MSLs)) is divided into two divisions which isolate either the inboard or outboard containment isolation valve on a penetration flow path. The main steam line logic has four divisions.
Each of these two (four for the MSLs) divisions is located on a panel in a different j
i l
l l
j PY-CSI/NRR-1654 L i !
Att>-hment 1 Page 3 of 33 l
l quadrant of the Control Room. The trip outputs from the Leak Detection System j
l provide inputs to the Nuclear Steam Supply Shutoff System logic to isolate I
selected systems based on exceeding the process setpoints for a system / area.
l The operator is kept aware of the status of the Leak Detection System variables through various meters (one type of which is the Riley temperature modules - used for ambient and differential temperature monitoring) and recorders which indicate the measured variables in the Control Room.
If an alarm or a trip occurs, the condition is annunciated in the Control Room.
PART B - ASSESSMENT OF THE MAJOR FACTORS INFLUENCING THE UTILIZATION OF THE NUMAC LEAK DETECTION MONITOR IN THIS APPLICAT]ON NRC Information Notice 86-69 (Reference 1) and General Electric Service Information Letter (SIL) Number 416 (Reference 2) both describe problems with the Riley temperature modules which have resulted in spurious system isolations. The ambient or differential temperature monitoring function is performed continuously by the Riley temperature modules and is independent of the operation of any controls. When the temperature (or differential temperature) being monitored is in the alarm condition, relay contacts are closed which automatically initiate further actions such as annunciations or system isolations.
Indication to the operator depends on the operation of a
" READ / SET" switch which causes the output of each thermocouple " point" module to be indicated on a separate meter module. The electrical transient caused by the operation of this " READ / SET" switch has been the predominant source of the spurious isolations.
I l
Riley has attempted to improve the temperature module design twice, once to reduce READ / SET switch spiking and the other to eliminate the output relay i
chatter and improve the thermocouple burnout protection feature. Design changes have been implemented such as installing one second time delay relays l
l to prevent the relay chatter and spiking from initiating an isolation signal.
Unfortunately these changes are not considered to have completely solved the spurious isolation problem and the Riley temperature modules have design features (compared to the NUMAC LDM) which makes it more likely that the Instrumentation and Control (I&C) technician may experience problems.
Calibration of the Riley temperature modules is time consuming and has a high potential for creating spurious ESF actuations for the I&C technicians for the reasons discussed below. Each month over thirty channel functional surveillance tests are run on the Riley temperature modules to satisfy Technical Specification requirements. Additionally, the testing of the Riley ambient and differential temperature modules requires the lifting of the thermocouple leads to perform the monthly channel functional testing.
For testing purposes the thermocouple leads must be lifted and jumpers added around the isolation relays.
Installation of jumpers increases the risk of l
technician errors and of unnecessary isolations. The lifting of the leads is l
labor intensive, and also has the potential to cause events (resulting in l
Licensee Event Reports (LERs)) if the leads are incorrectly retermed after performing the tests. Also, the I&C technician can inadvertently ground /short the jumper, a thermocouple wire or a component while he is working within the cabinet - leading.to an isolation. This lead lifting procedure can also cause the breakage of thermocouple lead vires when the wires are disconnected and reconnected.
l PY-CEI/NRR-1654 L l
Page 4 of 33 The Riley leak detection temperature modules have created problems for the operators and 1&C technicians in terms of isolations and half isolation signals. Note that even a half isolation in the two-division portion of the i
LDS (that is, for the RCIC, RHR and RVCU Systems) causes an isolation of the i
flow path to/from the Containment (since one of the containment isolation
{
valves in the penetration flow path closes), reducing the reliability of those systems and their ability to be available upon demand. Each time that a Riley temperature module fails in the two-division RCIC, RHR or RVCU systems, the affected system must be isolated due to Technical Specification requirements (usually for a minimum of 3-4 hours), which reduces the system availability while the module is being replaced.
Also, although the PNPP has not had a resulting scram, Limerick has suffered an MSIV isolation that led to a scram.
In that event, a Reactor Protection System (RPS) channel vas placed in the tripped condition due to a Riley temperature module spiking; when the operator " read" a Riley in another panel, r
the signal spike from operating the READ / SET switch initiated a full isolation signal which closed the MSIVs and caused the scram. This is because the MSIV l
logic consists of four channels with a one-out-of-two taken twice logic, and the correct two channels were in trip to result in the isolation. Because the same design / logic exists at the PNPP, an administrative change was made to the l
PNPP operating instructions following that event to prevent the operators from
" reading" a Riley temperature module in the MSIV (four channel) portion of the system while the opposite channel is in the tripped condition.
Other plants have replaced the Riley temperature modules, or are in the process of replacing them or evaluating replacement units. One company has developed a digital version of a Riley temperature module. However, that device is still undergoing in-plant testing and has not been demonstrated to be reliable as yet.
General Electric NUMAC Leak Detection Systems have been i
installed at Limerick, Hope Creek and VNP-2 (for 4 years) and have operated i
very well. By using the NUMAC digital Leak Detection Monitor, PNPP expects to significantly reduce the number of failures experienced compared to the l
existing analog Riley temperature modules. The erratic operation of the Riley temperature modules has led to many,roblems, such as signal spiking, relay chatter and thermocouple burrout protection failure. The Riley leak detection temperature modules are being replaced because they have been a source of several events due to spurious trip signals which have caused system l
isolations at the plant. The failures experienced by the existing LDS in the last eight years have resulted in three LERs and over 30 Condition Reports (CRs - an internal problem tracking / resolution process).
Most of these failures were caused by either human error during maintenance and calibration l
activities, or equipment and component failures.
Use of the NUMAC digital LDM i
is expected to reduce the number of spurious isolations and failures related l
to these causes, because the NUMAC LDM design is entirely different than the Riley design. The NUMAC LDM does not have the " READ / SET" switch feature; the NUMAC design has features which eliminate the need to jumper isolation relays and disconnect the thermocouples during testing (eliminating these sources of human error); and it uses more reliable (generally military grade) components and equipment than the present LDS.
e t
i
PY-CEI/NRR-1654 L Page 5 of 33 PART C - SYSTEM DESCRIPTION OF THE PUMAC LEAK DETECTION MONITOR The NUMAC Class-1E architecture consists of a f amily of firmware-basec 'sO 86 (16 bit) and 80376 (32 bit) microprocessors with application-specific analog and digital modules connected via a NUMAC bus. An independent display controller connects to the Class-1L microcomputer via a serial data link and provides the man-machine interface without affecting the calculations of the Class-lE process. The NUMAC architecture also includes both hardware and software timers and an integral self-test system.
The NUMAC Leak Detection Monitor uses the same microcomputers, programming language and compiler as those previously approved by the NRC for two safety-related applications, the NUMAC Logarithmic Radiation Monitor and the Vide Range Neutron Monitor These applications are described in GE Licensing Topical Reports, Nuclear Energy Division (NEDO) 30883-A and NEDO 31439-A (References 3 and 4).
Both of these applications have received generic approval through the issuance of NRC Safety Evaluations. As of the date of this letter, there are nearly 500 NUMAC based instruments in operation with this general configuration.
The following paragraphs provide a description of tne major equipment in the NUMAC Leak Detection Monitor assembly, an overview of the system operation, 1
and the firmware configuration and control.
1.
NUMAC LEAK DETECTION MONITOR ASSEMBLY HARDVARE DESCPJPTION This modification replaces analog Riley temperature modules and associated components located in two of the Control Room panels with two NUMAC Leak Detection Monitors.
Each NUMAC Leak Detection Monitor (LDM) assembly (in the leak detection monitoring configuration to be used at the PNPP, i.e., for monitoring ambient and differential temperatures) consists of three basic components: a) the NUMAC leak detection monitor chassis, b) the NUMAC thermocouple input unit (TCIU) and c) the relay output unit (ROU). A functional diagram of the major NUMAC Leak j
Detection Monitor components is provided in Figure 1.
A description of the functisns is provided later, and the numbers listed withip
]
parentheses in the following table correspond to the appropriate Sections of Peference 3:
Essential Microcomputer (3.1.1)
High Speed Parallel Data Bus (3.1.2)
Display Microcomputer (3.1.8)
Serial Data Link (3.1.3)
Front Panel Display (3.1.8)
Redundant Instrument Pover Supplies (3.1.7)
Trip and Analog Outputs (3.1.6)
Each LDM chassis is a separate independent, redundant division and can accept up to 36 (in this configuration ambient and differential temperature) leak detection system inputs.
Each thermocouple input signal is routed to the thermocouple input unit and is assigned to a separate chapr.ei for processing by the LDM. The relay output unit is the
PY-CEI/NRR-1654 L l
Page 6 of 33 J
interface with the analog relay logic used for the various system alarm and trip functions. Each of these units and their functioning is l
discussed in more detail later in this letter.
i The NUMAC Leak Detection Monitor chassis is a standard 19 inch vide rack-mounted instrument that is slide mounted within the Control Room panels to permit easy maintenance and module replacement.
It is designed to be installed in typical GE control panels. All components are mounted in functional modules. Printed circuit boards are housed in a standard card file which has space for a maximum of 15 printed circuit boards.
l Circuit boards (also referred to as functional modules) plug into a j
standard backplane or motherboard containing printed power viring, ground viring and the signal / computer bus. The display and keypads are on the front of the NUMAC LDM chassis. The main chassis, motherboard, the display and keypad assembly, the computer and analog modules, and the low voltage power supplies are common to all current NUMAC instrument types.
Essential Microcomputer l
The essential microcomputer, a Barris 80C96 microprocessor, performs three functions:
it controls the instrument's measurement, trip and I/O functions; it communicates with the display microcomputer; and it performs the tests of the Self-Test System.(STS) when not processing l
instrument data. The essential microcomputer contains the 80C86 microprocessor, Random Access Memory (RAM), Electrically Alterable Read Only Memory (EAROM), Read Only Memory (ROM), a priority interrupt 3
controller, independent timers, and the STS circuitry. The microcomputer j
has sufficient computing power to perform digital trips, digital temperature compensation, automatic ranging, automatic calibration and digital filtering. The microcomputer automatically calibrates the thermocouple inputs to a known internal reference, compensating for time dependent drift characteristics with a resulting improvement in accuracy and resolution. Output trips are set digitally and thus do not drift.
l The essential microcomputer processes the received data and transmits appropriate control signals to other modules within the chassis using a high speed parallel data bus and to the display microcomputer / front panel display and keypads using a serial data link.
Inputs, distributed from the rear I/O panel, enter appropriate signal ~
conditioning modules via connectors. Analog inputs are converted to digital form by an analog / digital (A/D) converter on an Analog Module and then read by the essential (functional) microcomputer via the NUMAC bus.
Digital and discrete inputs, af ter conditioning, can be read immediately.
High Speed Parallel Data Bus The high speed parallel data bus provides the communication link between the essential microcomputer and the other modules, except for the display microcomputer and the front panel display / keyboard.
l l
1 l
m,
4 PY-CEI/NRR-1654 L l
Page 7 of 33 i
Serial Data Link 1
i The serial data link provides electrical separation between the safety-related essential microcomputer and the non-safety related display microcomputer and front panel display / keyboard. The serial data link is used to minimize the possibility of injecting faults into the essential microcomputers' safety-related circuits.
Trip Outputs The trip outputs of the relay output unit are used to drive external i
isolation (trip) relays and annunciators.
Redundant Instrument Power Supplies The NUMAC LDM has two internal redundant instrument power supplies.
In the event of a failure of one internal power supply, the LDM vill automatically switch to the other supply.
The lov voltage power supplies in the LDM have been tested (as part of the NUMAC instruments) for response to line surges and transients. The LDM contains separate grounds for analog and digital circuits. These grounds are both tied back to the power supplies within the NUMAC.
The NUMAC power requirements are defined in the General Electric Design and Performance Specification for the PNPP which specifies the following:
Design Minimum Center Maximum Voltage:
100 Vac 120 Vac 132 Vac Frequency:
47 Hz 60 Hz 63 Hz Power Drain:
90 V 100 V Switching power supplies are used in the NUMAC LDM. The maximum allovable noise outputs of the power supplies are specified and the NUMAC computer bus is designed to operate with this amount of supply noise.
Circuits which may be especially sensitive to power supply noise contain additional local filtering.
Display Microcomputer and Front Panel Display / Keyboard The essential microcomputer transmits data to the display microcomputer via the serial data link. The display microcomputer drives the front panel display / keyboard and performs all necessary engineering unit l
conversions. The front panel contains all of the circuitry necessary to interface with the display microcomputer and the front panel's keyboard and electroluminesent (EL) display. The display microcomputer uses a 80180 microprocessor, with built in I/O and program data RAM and ROM. A separate block of screen data RAM is dual-ported for use in providing rapid screen updates. The front panel display / keyboard is shown in Figure 1.
It consists of a 512 x 256 pixel EL display, four function keys, four cursor keys, enter and clear entry keys, and a numeric keypad i
a l
PY-CEI/NRR-1654 L Page 8 of 33 for entering passwords and setpoint informa aon. The front panel display, with its human factors design and menu-driven operation, reduces j
the possibility of human error.
]
In the OPERATE mode, a set of displays generated by the display microcomputer is available which provides the operator with instrument
]
readings in graphic and digital form, trip settings and status, self-test i
and calibration data, and other information.
In the INOPERABLE (IN0P) mode, the I&C technician can manually configure trips and perform calibration measurements.
Function or " menu" keys located under the EL display allow the I&C technician to select displays for performing the necessary functions. The numeric keypad is available for entering data for trip settings, etc.
NUMAC Thermccouple Input Unit (TCIU) l I
The NUMAC thermocouple input unit (or module) interfaces the ambient and differential thermocouples to the LDM instrument chassis. The unit-contains an isothermal terminal board interface and transmits the temperature measurements to the LDM chassis.
Six solid state temperature devices in the TCIU are used for determining the cold junction temperature. The LDM cold calibration may be performed with the thermocouples in place.
Up to six thermocouple (T/C) input modules may be used to accommodate a maximum of 36 thermocouple inputs. Maintenance is accomplished by module replacement.
Each input is assigned to a channel within each input module. The modules are isolated from one another such that each input assigned to a channel within each module vill not be affected by a failure which may occur in a different module.
Relay Output Unit (ROU)
The relay output unit interfaces with the NUMAC LDM chassis and provides Isolation, Alarm, INOP, and spare outputs using Form-C relay output contacts. The assignment of the output contacts to specific functions is programmable. A channel's Isolation and Alarm functions are automatically bypassed (the state of the assigned output relays does not change) when any of the following activities / conditions occur:
a Calibrate, Calibration Check, or Trip Check activity is being a.
performed on the channel; b.
an open condition exists in the channel's thermocouple; c.
a critical self-test fault exists in the channel.
After completion of the Calibration, Calibration Check or Trip Check activity (exiting these modes remoces the bypass) or, upon the self-test fault condition clearing, or upon the correction of the open thermocouple condition, the bypass clears.
A single INOP/ Trouble output relay is provided. The IN0P/ Trouble relay is tripped in the INOP mode and may be programmed to trip whenever there is a self-test failure condition while in the OPERATE mode. Each relay contact is also testable by manual intervention within the INOP mode.
.~.
[
i t
PY-CE1/NRR-1054 L l
l Page 9 of 33 2.
SYSTEM OPERATION 1
The Leak Detection Monitor turns on through the application of power.
The front panel display is normally in the screen-save mode, but vill go on whenever a trip occurs or any front panel key is pressed. Whenever the display is on, the instrument reading, trip status and self-test l
status are shown along the top. The remainder of the display vill depend on the actions selected by the user. When there are no trips the display is in the screen-save mode through time-outs. A detailed discussion of the NUMAC sy.ctem operation, the various displays and operating modes vill.
be provided in a PNPP NUMAC Leak Detection Monitor Operations and i
Maintenance (0&M) Manual and vill include the User's Manual, PNPP LDM performance specifications, maintenance information and drawings for the l
instrument. The PNPP Leak Detection Monitor O&M Manual is expected to be very similar to ones that the NRC has reviewed for other NUMAC l
applications. A LDM Users Manual has already been submitted for Staff f
reviev/information for at least one other plant doing a Leak Detection l
Monitor upgrade. The changes are'similar to what PNPP~is planning except that an upgrade of other isolation features (RVCU delta flow) is not j
being considered for the PNPP (only. ambient and differential temperature l
l functions are included) at this time.
l Four push-button keys (softkeys) located below the display are used to determine the next display or user action. The specific function of each i
of these keys vill vary with the display shown. A set of four keys is i
provided to the right of the display to move a cursor should one be j
needed for a given display. A numeric keypad of 16 keys is used to enter
+
settings and calibration data.
i i
Vhen the keylock is in the OPERATE position, the front panel is an a
" display only" mode, and just the softkeys are operable. The user may I
select from several displays; including self-test displays, displays shoving the input status, displays showing the parameters, a trend data display and HELP messages. The user may also reset trip displays, where appropriate.
If the self-test option is chosen, the user may interrogate the self-test system for diagnostics. As long as the instrument is in the OPERATE mode, the essential (functional) microcomputer sends data one l
vay to the 'ront panel controller via the serial data link,-but not vice t
versa. L3, isolates the essential microcomputer (which runs the Class-lE process) from any disturbance in the front panel display or
~
display microcomputer.
An additional protective feature is that there is no combination of user-keys vhich can (in the OPERATE mode) alter any parameters or safety function operations within the NUMAC.
When the key-lock switch is in the INOP mode either the INOP-CAL or.
INOP-SET mode is entered. Two vay communication is now estrblished between the essential microcomputer and the display microcomputer, and the user in addition to being able to perform the functions described above icr the OPERATE mode (with the exception of the trend display) can
PY-CEI/NRR-1654 L l
Page 10 of 33 set the channel or unit (chassis) parameters, calibrate the instrument, perform various checks (such as checking the calibration, trip settings I
or output relays, displays, keypads etc.) and interrogate the self-test system.
)
3.
FIRMVARE CONFIGURATION i
The software programs to operate the essential and display microcomputers are written by General Electric and installed in the form of programmable i
read only memory (PROM) chips installed in the NUMAC Leak Detection Monitor. The program for development and control of the softvare is discussed in Part G of this letter.
Once the firmware is generated in the form of PROMS, it is handled as hardware using standard hardware control OA/0C methods.
l l
The NUMAC LDM application firmware consists of two principal modules:
the functional firmware for the essential microcomputer (including the self-test function); and the front panel keypads and display firmware for the display microcomputer. These two modules coincide with their I
hardware counterparts. The NUMAC LDM firmware is written in high-level languages, to the maximum extent possible, to simplify firmware maintenance over the NUMAC LDM lifetime.
Instrument operating manual files are easily accessed using the front panel display. The NUMAC LDM l
firmvare performs sampling and filtering of sensor data, comparison of l
data to operator entered trip setpoints, operator display updates, the l
generation of analog and trip output signals, and concurrent self-tests l
and maintenance operations.
Essential (Functional) Firmware l
The essential microcomputer's firmware executes under control of a resident multitasking operating system which assures proper scheduling of event-and time-critical functions. When the instrument is in the OPERATE mode, data are acquired, converted to machine format, processed, and reconverted to physical outputs (analog and trip) under firmvare control I
of the essential microcomputer. Additionally, proper instrument operation is monitored, i.e., self-testing is performed. The results of these activities are transmitted to the display microcomputer in a
" Broadcast only" mode using the serial data link for display to the operator. When the instrument is-placed in either the Inop-Cal or Inop-Set mode, two-vay communication is established over the serial data link between the essential (functional) and display microcomputers.
The operator may then request the essential microcomputer to perform operations such as self-calibration and alteration of its trip settings.
Display Firmware The display firmware for the display microcomputer acquires and displays i
the results from the essential microcomputer.
It also obtains and interprets user command inputs, displays hardware fault status, and I
supplies mode selection for all user functions. The " HELP" system, an operating aid is included in this firmware. The display firmware also j
supports text, normal and inverse video and graphics displays.
f
PY-CEI/ ERR-1654 L Page 11 of 33 NUMAC Memory-Retention Capability Each NUMAC LDM chassis stores its unit and channel setup parameters (channel functional names, thermocouple types, alarm and isolation setpoints, etc.) in non-volatile EAROM memory. These parameters are retained during a power interruption. Upon power restoration to the bus supplying the LDM, the LDM automatically restarts and trip capability on the isolation outputs is operational within several seconds.
PART D - SELF-TEST SYSTEM, ERROR DETECTION FEATURES DESCRIPTION, ISOLATION PROVISIONS AND CHANNEL FUNCTIONAL TESTING 1.
SELF-TEST SYSTEM DESCRIPTION The LDM has a self-test system (STS) that verifies hardware integrity and assures that internal parameters are being accurately retained. The self-test system runs continuously in the OPERATE mode and cannot be stopped by the user. A complete self-test cycle occurs about every thirty minutes. The essential microcomputer's functional performance is not inhibited by the self-test function in the OPERATE mode.
When a fault is detected, a " FAULT" message vill appear in whichever NUMAC display screen is currently being displayed, and a detailed message identifying the specific fault vill be available on the self-test monitoring display screen.
In addition, an INOP/ Trouble relay will operate and result in actuation of either a "DIV 1 LD NUMAC MONITOR TROUBLE" or "DIV 2 LD NUMAC MONITOR TROUBLE" annunciator in the Control Room (depending on in which division the fault has occurred in). The i
fault is retained in memory and the self-test cycle vill continue.
In the OPERATE mode, the user may select a display screen that monitors the current status of the self-test function, including details such as the current module under test and identification of the last failure and the cycle in which it occurred.
In the INOP mode, the self-test feature is only performed upon user demand. Once initiated, it vill continuously cycle until it is manually stopped or the mode is exited.
In the IN0P mode, self-test stops when a fault is de ted. This is useful in diagnostic vork when multiple faults migh. se present.
The PNPP NUMAC Leak Detection Monitor User's Manual being developed l
includes detailed descriptions of specific error messages and screen displays.
A cope of the version for another plant (expected to be very similar to the p.sposed PNPP version) was provided to the NRC in preparation for an audit of the General Electric NUMAC software validation and verification design process (in San Jose) in January 1993.
1 Most credible cases of a loss of NUMAC system function vill be automatically detected via the self-test system and be externally annunciated.
Because of the continuous nature and in-depth component / software (module) monitoring of the self-test system it is considered likely that..ost anomalous conditions or failures will be l
i
l PY-CEI/NRR-1654 L Page 12 of 33 promptly identified.
Problems result in the display of appropriate diagnostic messages. These diagnostic messages dictate the initial troubleshooting approaches to system restoration. Less credible instances of a loss of system function might not be detected by the self-test funct hn.
Most of these failures vould be expected to result in spurious system isolations or annunciations and thereby be quickly identified. As is airo true with all plant equipment, an anomalous condition or failure resulting in a " fail-as-is" condition might not be noticed until it was found during the performance of the next surveillance test. This is one of the major reasons why surveillance testing is performed. However, considering the high reliability demonstrated by the presently installed NUMAC systems and the continucus verifying of proper operation by the self-test system the likelihood of this mode of failures is considered acceptably low.
For problems identified external to the NUMAC LDM assembly, such as signal input failures or out-of-limits, the approach is to restore correct functioning in the external portion of the system.
For internal j
NUMAC problems, the primary method of corrective action is generally card i
or module replacemer.t in accordance with the on-screen displayed error messages or troubleshooting instructions outlined in the O&M manual. The applicable portions of the associated Technical Specification surveillance test instructions are performed as necessary to demonstrate post-maintenance operability.
j As mentioned previously, the NUMAC architecture includes an IdOP/ Trouble
[
relay output contact which causes a divisional NUMAC leak detection j
monitor trouble annunciator to alarm in the Control Room (a separate l
divisional annunciator alarms for a loss of power) under the following l
circumstances:
I a) placing the key-lock switch out of the OPERATE position, t
l b) failure of a hardware module during self-test u N 'stics (performed approximately every 1-2 minutes),
c) detection of an open thermocouple signal circuit, f
l I
d) failure of the Class-1E microcomputer to update the hardware l
vatchdog timer at regular intervals,
[
t e) any software task which is not running at its expected intervals, i
i i
l f) loss of external or internal power to the NUMAC LDM.
l Self-testing is accomplished by the essential microcomputer through
.j passive measurements by reading selected voltages and data registers vithin the instrument and comparing them with expected values. When in j
either the INOP-CAL or INOP-SET mode, this testing is done on operator l
demand so as not to interfere with calibration or setpoint.adjurtment.
Included in surveillance tests is the exercising of the relay output (trip) circuits. The self-test system does not exercise the relay outputs in order to prevent spurious trips. However, normal output lead I
l L
i
i PY-CEI/NRR-1654 L J
Page 13 of 33 l
currents are monitored. When the NUMAC LDM is in the OPERATE mode, testing is automatic. The results of any self-testing can be accessed by the operator from the front panel display.
Since the self-test system is i
an integral part of the LDM hardware, the possibility of temporary test modification (i.e., jumpers) not being removed after testing is eliminated.
In addition, since the STS can continually operate, availability is enhanced as compared to older designs with surveillance l
intervals of one month or more.
2.
RARDVARE/ SOFTWARE COMMON MODE FAILURE PROTECTION As described in the NRC Safety Evaluation for the NUMAC Logarithmic Radiation Monitor (see Reference 3), the NUMAC instrument design features certain design methods and techniques that are used to prevent the softvare program from cycling in a continuous loop and to defend against common mode failures. The same software programs are used within both l
the essential (functional) and display microcomputers within the NUMAC l
Leak Detection Monitor for redundant safety-related channels.
l l
1)
Softvare for the NUMAC LDM vr.s developed and documented in accordance l
vith the NRC approved GE Nuclear Energy Group BVR QA Program.
I l
2)
The NUMAC LDM has two microcomputers, but only the essential (functional) microcomputer is required to perform critical tasks.
The display microcomputer is designed to run an " executive loop" l
vith hardware timer so that the potential for traps is minimized and depends primarily on the integrity of the hardware.
i 3)
The essential (functional) microcomputer runs with a small operating system, which itself is an executive loop, started and re-entered by a hardware timer. Initiation of the operating system depends on hardware, and any endless loop in the application software vill be escaped via the hardware restart.
4)
Total operational run time for the operating system in the Logarithmic Radiation Monitor (LRM) plus other NUMAC instruments (at the time of issuance of the SER for the LRM, January 1987) vas in excess of 40,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />. Many thousands of hours of operation with i
various NUMAC instrument configurations have occurred since.
I Structured and unstructured testing of the operating system for the LRM vas in excess of 2,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />. Testing of the operating system logic included monitoring software timers to assure that task times i
are correct and confirmed that software paths were as expected.
5)
The NUMAC LDM essential (functional) software is structured in tasks 1
with all of the critical functions included in one task, which has I
the highest priority. A hardware " watchdog" timer is refreshed by software logic that requires the main operating system and the main task to be running at the predefined frequency.
Failure of the main j
task to run at the required rate vill result in time out of the vatchdog timer.
i
PY-CEI/NRR-1654 L Page 14 of 33 i
l Based on this information, the NRC Staff concluded that the above design measures and tests procedures applied to the NbMAC inst?ument design are reasonable to prevent the software program from cycling in a continuous j
loop and defends against common mode failures.
l 3.
ISOLATION PROVISIONS AND THERMOCOUPLE FAILURE DETECTION i
The interface between the NUMAC LDM alarm and isolation logic and the l
l external plant logic circuitry occurs at the Relay Output Unit which l
consists of sixteen individual relays. Through the channel setup function, each relay can be assigned to a specific monitor channel or channels and can be set as normally energized /de-energized. The isolation initiation logic for each of the involved plant systems has i
been configured to retain the existing " fail-safe" valve lineups.
Each of the two NUMAC LDMs is assigned to a particular division to maintain separation of safety-related circuits. Each of the two LDMs can i
accommodate non-Class lE as well as Class lE inputs and outputs.
(However, no non-Class lE input / outputs are assigned for this application.) All interfaces for the instrumentation and control circuits to and from each NUMAC Leak Detection Monitor chassis take place via either a Thermocouple Input Unit and/or a Relay Output Unit.
The thermocouple input signals are limit checked within the LDM.
Should opens or shorts in the thermocouple input signal lines occur this vill be detected and the LDM will give an IN0P/ Trouble alarm. A trip vill not The NUMAC LDM design includes features that monitor the incoming occur.
temperature signals to detect open or out-of-bounds siLnals.
On the leak detection ambient and differential temperature channels, each thermocouple input is monitored for an open condition.
For these thermocouple channels, an open input triggers a designated bias voltage into the measuring circuit that vill be interpreted as an open input. This type of condition vill be l
detected with!n the channel response time and the channel indication vill then be driven hard downscale by circuitry within the NUMAC Thermocouple Input Unit. This softvare design prevents the initiation of spurious system isolations in response to a channel fault. The channel hard downscale value l
vill result in a self-test fault. The self-test fault vill cause a test / trouble Control Room annunciator to alarm, directing the operator to investigate the NUMAC LDM chassis display screens for a specific message describing the fault. The fault vill automatically reset when the input is no longer within this range.
The thermocouple signals are input through magnetically coupled electronic isolation components located on the Thermocouple Input Unit circuit boards. The NUMAC interface with the external isolation and j
annunciation logic circaitry occurs at the contacts on the relays mounted on the Relay Output Unit assembly.
Specifically, the isolation feature is the coil-to-contact separation provided within the individual relays.
Additional internal circuit protection is provided by the use of high impedance resistors on input and output circuit paths and by the use of poly-fuses within individual NUMAC modules.
I l
PY-CEI/NRR-1654 L l
Page 15 of 33 l
4.
EXTENDING THE CHANNEL FUNCTIONAL TESTING SURVEILLAhCE INTERVALS The reduced drift inherent in a digital system and design features, e.g.,
automatic self-testing allows a reduction in the surveillance frequency for channel functional testing for several area temperature and differential temperature trip functions within Technical Specification Table 4.3.2.1-1, " Isolation Actuation Instrumentation Surveillance Requirements." This license amendment vill increase the CHANNEL FUNCTIONAL TEST surveillance interval from M (Monthly) to SA (Semiannually) for the ambient and differential temperature trip functions for the i
Reactor Vater Cleanup, Reactor Core Isolation Cooling (including the Main Steam Line Tunnel Temperature Timer), Residual Heat Removal Systems and the Division 1 and 2 logic for main steam line isolation (for the temperature instrumentation located in the Steam Tunnel area). Note that this license amendment does not include the main steam line temperature isolation logic for the temperature instrumentation located in the Turbine Building. Also, this proposed amendment does not change the CHANNEL CHECK or the CHANNEL CALIBRATION surveillance intervals.
The manual (as opposed to the automatic self-test). surveillance testing features provide the capability to manually verify the various instrument channels operability. The " Trip Check" and " Calibration Check" features vill be utilized to perform the CHANNEL FUNCTIONAL TESTS. The " Trip Check, Calibration Check, Relay Check and Calibrate" features vill be used to perform CHANNEL CALIBRATIONS. These manual surveillance testing I
features are described in the PNPP NUMAC Leak Detection Monitor Users Manual. Thes.: testing features are identical to those that the NRC has reviewed for another licensee who recently installed a Leak Detection l
Monitor. These features in combination with the automatic NUMAC LDM i
self-test features provide a comprehensive verification of channel operability. The self-test feature is discussed in more detail elsewhere in this letter.
l Each division of the NUMAC Leak Detection System performs a comprehensive self-test and alerts the operator via an annunciator when a problem is l
detected. The continuous self-test feature is capable of detecting most i
of the potential failures that the current CHANNEL FUNCTIONAL TEST only checks monthly. This allows most problems and failures to be detected on a real time basis instead of not being detected until the next l
performance of the CHANNEL FUNCTIONAL TEST. The self-test features includt continuous monitoring of the thermocouple input signals against offstale values, continuous monitoring of the two internal instrument i
power supplies, continuous monitoring of the external power input, a self-check of each channel to confirm functionality at least once every thirty minutes, and continuous monitoring to assure that the instrument is not left in an inoperable condition (card out-of-file, keylock switch left in the INOP mode).
l The major contributors to instrument inaccuracy and drift (the Riley i
temperature modules and associated circuitry) have been replaced with a device that is predominantly digital (the thermocouples and precision r
PY-CEI/NRR-1654 L Page 16 of 33 resistor componet+s in the TCIU are analog components) but the overall instrument loop has very lov drift. The drift for the temperature channels according to Section 5.4, Accuracy & Drift (Temperature l
Channels), specified within the General Electric NUMAC Performance Specification is less than 0.7'F over a six month period. An engineering evaluation has been performed incorporating the NUMAC LDM drift value and verified that there is sufficient margin between the Technical Specification Allovable Values and the Nominal Trip Setpoints (for the various ambient and differential temperature channels) to allow the CHANNEL FUNCTIONAL TEST surveillance interval to be extended from one to six months. Additionally, as stated previously, most of the failures i
detectable by the CHANNEL FUNCTIONAL TEST vill now be detected on a continuous basis by the NUMAC self-test feature. Therefore, the self-test feature together with the reduced drift of the NUMAC Leak Detection Monitor justify extending the CHANNEL FUNCTIONAL TEST interval from monthly to semiannually.
Part E - NUMAC Leak Detection System Environmental Qualification 10 CFR Part 50, Appendix A, General Design Criteria (GDC) 2 and 4 require that safety related systems be designed to withstand the effects of natural phenomena and accommodate the effects of environmental conditions associated with normal operation and postulated accidents. To ensure that these effects vill not adversely impact the ability of the NUMAC system as used in the leak l
detection application to perform its intended safety function (s), the following environmental qualification factors were reviewed and considered as part of the utilization of NUMAC equipment for this application (1) temperature and humidity, (2) seismic, (3) radiation, and (4) electromagnetic l
and radio frequency interference (discussed in Part F).
1.
TEMPERATURE AND IP" 'ifY
^
The NUMAC LDM environmental tests consisted of component aging, PC board (module) qualification, instrument qualification, and instrument heat rise. The NUMAC LDM is qualified for operation between 40'F (5'C) and 122'F (50'C) and between 10% and 90% non-condensing humidity. All NUMAC l
LDM modules have completed additional qualification programs where they have been operationally tested at 158'F.
The maximum LDM instrument internal heat rise has been mease.ad at 18'F in the vicinity of the power supp12es.
The design range for PNPP Control Room temperature and humidity is as follows:
l l
Temperature: Normal 64 - 75'F (75'F Avg.)
i Design Basis Accident (87'F Avg.)
Humidity: Normal 20 - 90% RH (50% Avg.)
Design Basis Accident 20 - 90% RH (87% Avg.)
l I
t
I PY-CEI/NRR-1654 L l
i Page 17 of 33 t
The Control Room average air temperature is observed and recorded daily as directed in the PNPP Technical Specification Rounds Instruction.
The margin between the normal Control Room general area ambient temperature l
and the NUMAC qualification temperature is adequate to accommodate potential local heating effects inside the panel where the NUMAC LDMs are proposed to be installed.
l The Control Room humidity is maintained within the range of 10% to 90%
relative humidity for which the NUMAC is qualified.
The temperature and humidity qualification performed by General Electric of the GE NUMAC product line envelopes the temperature and humidity requirements for the PNPP. Therefore the temperature and humidity qualifications are acceptable.
2.
SEISMIC QUALIFICATION The LDM equipment replaces existing Riley temperature modules. The current Riley temperature modules and the replacement NUMAC LDMs are both safety-related seismic Category 1 components.
Since the installation of the replacement NUMAC LDM components might alter to some degree the mass and stiffness characteristics of the Control Room panels and structural supports, the seismic / dynamic qualification must be demonstrated for the i
equipment to be installed.
A similarity analysis is being performed by General Electric of the NUMAC LDM chassis, Thermocouple Input Unit, and Relay Output Unit. Based on l
the similarity to other NUMAC installations, the similarity analysis is expected to show that the PNPP specific devices are mechanically the same or equivalent to the previousl-j tested devices; as such GE vill demonstrate that the NUMAC LDM equipment is capable of withstanding the as tested seismic forces.
In addition, GE is performing seismic calculations of the panels where the LDMs vill be mounted and vill determine that the loads at the mounting locations are enveloped by the tested limits. These analyses are underway and will be performed in i
compliance with IEEE 344-1975, " Recommended Practices for Seismic 1
Qualification of Class lE Equipment for Nuclear Power Generation Stations," and be certified as such by GE on the Product Quality l
Certifications provided with the LDM equipment.
Based on the projected l
outcome of these analyses, the LDM equipment is seismically qualified for the PNPP environment. The cenclusions of this analysis vill be provided in a letter to the NRC following completion.
l 3.
RADIATION EFFECTS The LDM components located in the Control Room (the LDM chassis, Thermocouple Input Unit and the Relay Output Unit) vere qualified to a i
maximum total integrated dose (TID) of 1000 Rads (carbon). This is well i
above the PNPP normal and accident doses for the Control Room area, and therefore acceptable.
l l
d PY-CEI/NRR-1654 L l
Page 18 of 33 1
Part F - Electromagnetic and Radio Frequency Interference (EMI/RFI)
Electromagnetic interference and radio frequency interference (EMI/RFI) are random " noises" that may be produced by systems within the operating environment in any industrial facility including a nuclear power plant. This random noise could potentially affect the safety of the plant since it could lead to common cause failure of redundant safety-related equipment if that equipment vere particularly vulnerable to these types of noise.
In safety-related (and non-safety related) instrumentation and control equipment at nuclear power plants, digital equipment, which operates at higher speeds and lover voltages than the analog equipment it replaces, may be vulnerable to EMI/RFI.
Hence, in reviewing the application of digital instrumentation and control equipment at nuclear power plants the NRC Staff has currently placed additional emphasis on addressing the vulnerabilities of this equipment to EMI/RFI noise.
1.
LEAK DETECTION MONITOR EMI/RFI QUALIFICATION TESTING l
General Electric has previously tested the NUMAC instrumentation for four different types of EMI/RFI susceptibilities. The four types of EMI/RFI susceptibility tested vere (1) radiated electric fields, (2) radiated magnetic fields, (3) conductive noise, and (4) static discharges. GE selected the test methodologies from various standards.
GE has previously performed numerous EMI/RFI tests on various NUMAC applications such as their Logarithmic Radiation Monitor (LRM), Source Range Monitor (SRM), AC & DC Vide Range Neutron Monitors (VRNM and DCVRNM) and Reactor Building Ventilation Radiation Monitor (RBVRM).
Specific EMI/RFI qualification testing examples include:
1) continuous-vave radiated electric field susceptibility tests at 65 V/m from 20-990 Mhz (RBVRM) and at 10 V/m from 27-500 Mhz (VRNM).
2) continuous-vave radiated magnetic field susceptibility tests with 300 V oscillations at 0.5-1 Hz repetitive rates with damped oscillations of 6-7 Hz at 100, 200, 300, 400 and 500 Khz and with 5 V oscillations from 0.5-100 Mhz at a rate of 1-5 MhHz/Sec (LRM, SRM, VRNM, DCVRNM, RBVRM).
i 3) conducted susceptibility tests as performed for the radiated magnetic field tests (LRM, SRM, VRNM, DCVRNM, RBVRM), with 3 KV pulses capacitively coupled to the power and I/O ports, 250 V sinusoid applied to the I/O ports at power, +/-2 to 4 K" savtooth transients (up to 50 nsee) applied to power & signal I/O ports at i
power and a 0.5-1 KV, damped 1 MhHz sinusoid at a repetition rate of 300-500 Hz applied to power and signal I/O ports at power (VRNM).
4) electrostatic discharge susceptibility tests at 2, 4 and 8 KV (VRNM).
t 4
PY-CEI/NRR-1654 L Page 19 of 33 However, in a recent Safety Evaluation Report for a NUMAC Refuel Zone and Reactor Building Ventilation Radiation Monitor (RBVRM) for another plant (see Reference 5), the NRC Staff found that the testing methodologies were inadequate for the lov and high frequency ranges.
Furthermore, the Staff determined that licensees needed to demonstrate that the EMI/RFI environmental conditions are within the tested envelope either by site survey or analysis.
Due to the increased degree of regulatory and industry interest in EMI/RFI, additional testing has been performed by General Electric on the NUMAC Leak Detection Monitor configuration in order to both expand the overall qualification region, and to obtain test data specific to this application. This testing ensures the qualification of the Thermocouple Input Unit (TCIU), a NUMAC circuit board which is unique to the LDM application. This testing also extends the NUMAC RFI qualification to include both higher and lower frequencies'than previously tested. The range was extended from 10 KHz to 18 GHz. This additional testing.by General Electric was performed as part of a broader plan to improve the testing and documentation for the entire NUMAC product line.
A summary of the expanded testing regime for the PNPP Leak Detection Monitor configuration is presented below. A summary of the GE qualification testing describing the methods and results was recently provided to the PNPP by GE and is presented as Attachment 4.
The GE testing consisted of six types of tests as follows:
1)
Electrostatic Discharge Using IEC Method 801-2 l
This is an electrostatic discharge test that simulates a technician with an electrostatic charge or high voltage in contact with the instrument.
2)
Fast Transient Burst Test Using IEC Method 801 4 i
This test simulates coupling of other noise-emitting cables in the vicinity of both power line and signal line inputs to the NUMAC LDM.
During the test a noise source is capacitively coupled to the NUMAC inputs and several transients are generated while the NUMAC is monitored for its response.
l l
3)
Surge Withstand Using IEC Method 801-5 This test applies surges of 1 KV transients to the line-ground, neutral-ground and line-neutral of the input power.
4)
Electric Field Susceptibility Mil-Std-462 Method RS-103 The test applied modulated RF both horizontally and vertically polarized at various RF spectrum and field strengths.
5)
Magnetic Field Susceptibility Mil-Std-462 Method RS-101
)
The test consisted of 30 Hz to 100 KHz magnetic fields applied in the vicinity of the NUMAC LDM.
l
PY-CEI/MRR-1654 L Page 20 of 33 i
l 1
6)
Inducted Susceptibility Method CS-101 The test involved the application of sinusoidal modulated and l
unmodulated noise of 30 Hz to 50 KHz on the power line.
I l
The PNPP Leak Detection Monitor configuration passed all the EMI/RFI i
l testing methods. The PNPP LDM design includes metal oxide _ varistors (MOVs) added for surge protection as result of the IEC 801-5 testing, and also includes the addition of small RC filters at each of the temperature reference elements to provide radiated electric field protection in i
accordance with Hil-Std-462 Method RS-103 as discussed in Attachment 4.
l l
The PNPP has recently completed through a contractor an EMI/RFI survey of several plant areas (including mapping the Control Room). As soon as possible after the results have been compiled they vill be submitted to the NRC for reviev. Details of the testing methodology will be included in the test report. This EMI/RFI testing is also intended to support the generic EPRI EMI/RFI test program.
Based on the results of the testing already performed on various NUMAC instruments and the high degree of commonalty in components and I
configuration between the Leak Detection Monitor and the other NUMAC l
instruments, it is expected that the testing of the NUMAC Leak Detection Monitor vill produce acceptable results. This testing vill also expand I
the qualification envelope applicable to site survey conditions.
2.
ELECTROSTATIC DISCllARGE i
Electrostatic discharge (ESD) is the transfer of static charges from one obj ect to another object with dif ferent electrostatic potential.
Integrated circuit (IC) components may be sensitive to ESD.
l Electrostatic discharge can stress IC components beyond the components' designed tolerances and might cause the components to fail immediately or l
reduce the components' service life.
For the LDM system, which has i
numerous IC components, ESD could therefore, potentially reduce the' LDM l
reliability if the equipment has not been properly designed to be l
resistant to ESD and appropriate maintenance precautions are not taken.
The NUMAC LDM has been qualified per IEC standard 801-2, " Electromagnetic Compatibility for Industrial-Process Measurement and Control Equipment Part 2: Electrostatic Discharge Requirements," by General Electric.
In addition, the Operation and Maintenance (0&M) manual provides information on how to avoid electrostatic voltage damage to vulnerable modules while-servicing the instrument cards. The precautions provided in the manual include: vork surfaces and tools and test equipment are groundcJ, technicians connect themselves to ground using a conductive bracelet and cards are never to be removed or inserted into a card' file with power applied to the card file. The training for the instrument technicians addresses these considerations. Based on the LDM electrostatic discharge qualification tests and the ESD training of the I&C technicians the ESD concern has been adequately addressed.
l 4
PY-CEI/NRR-1654 L Attachmtnt 1 l
Page 21 of 33 PART G - SOFIVARE DESIGN CONTROL AND VERIFICATION AND VALIDATION (V&V)
TESTING The NUMAC LDM application softvare consists of tv) principal modules:
(1) the functional software for the essential microcomputer, including the self-test system, and (2) the front panel keypads and display software.for the display microcomputer. The LDM software is written in high level languages, to the maximum extent possible, to simplify software maintenance over the lifetime of the equipment. The functions performed by.the software include (1) sampling and filtering sensor data, (2) comparing data to operator defined trip setpoints, (3) updating the operator display, (4) generating analog and trip output signals, and (5) performing self-tests.
A software system with a large number of' inputs and outputs has an impractical number of input and output combinations to check for all the various error possibilities. The reliable operation of such software is assessed qualitatively based on the idea that software development processes and configuration management have a significant impact on producing reliable softvare. A discussion of some of the hardware and softvare features to effecti.'ely eliminate the possibility of common mode failures due to software / hardware problems was presented in Part D of this letter. This section describes some of the software configuration control and verification and validation techniques.
1.
SOFTWARE VERIFICATION AND VALIDATION PROCESS GE uses nuclear quality assurance programs with supplemental verification and validation (V&V) procedures based on Regulatory Guide 1.152 to develop both Class IE and non-Class 1E NUMAC software. The GE NUMAC line of instruments is highly modularized and uses NUMAC product code where appropriate. The lines of code for the NUMAC Leak Detection Monitor application are stored in the two sets of firmvare which are the essential (functional) and the display microcomputer firmware.
The GE V6V method is based on logical steps with baseline reviews performed at the completion of each phase of the development process.
The validation step includes a matrix relating each validation test to a functional requirement. The reviewers are effectively independent from the designers and communicate their results in vritten reports. The V&V reviewer team, however, is not totally independent from the design team organization.
As reflected in the NRC Safety Evaluation for the installation of a NUMAC Reactor Building Ventilation Radiation Monitor at the Browns Ferry Nuclear Power Station (discussed on the next page, see also Reference 3),
the NRC Staff determined that the V6V process for NUMAC software in actual use at GE appeared adequate. However, personnel who conducted the 4
V&V activities reported to the same first line supervisor as those responsible for the software design. This was considered by the NRC to be a deviation from the requirements for organizational independence in Regulatory Guide 1.152.
This question was identified to General Electric I
PY-CEI/NRR-1654 L l :
Page 22 of 33 by CEI. General Electric indicated that subsequent discussions with the NRC Staff confirmed that the statement in the SER vas in error, and represents a position of some members of the Staff but not one required by Regulatory Guide 1.152.
Softvare testing is done using emulators; each and every change requires testing. An organizationally independent configuration control engineer is required to sign-off on all baseline reviews (verification steps) and controls the NUMAC library of documents and firmvare. The NUMAC review team must approve all changes for resolutions of open items.
The NRC Staff performed a NUMAC software review at the GE San Jose facility, assisted by contractors from Lawrence Livermore National Laboratory and Sahor, during January 11-15, 1993.
The NUMAC software design is performed according to the same software control program l
l described in Reference 4 for the Vide Range Neutron Monitor. The audit involved specific software for the NUMAC Reactor Building Ventilation Radiation Monitor (REVRM) application installed at the Browns Ferry Nuclear Power Station, but also included an examination of the generic l
NUMAC software development process, with particular attention to:
l (1) the software management plan (SMP), (2) the software configuration i
management plan (SCMP), and 3) the software verification and validation plan (SVVP). The Staff examined these plans and their implementation for compliance with Regulatory Guide 1.152, " Criteria for Programmable Digital Computer System Software in Safety-related Systems of Nuclear Power Plants," and ANSI /IEEE-7-4.3,2-1982, " Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear. Power Generating Stations" and found that the software design process met these standards. The results of this evaluation of the NUMAC generic software design process are directly applicable to the PNPP Leak Detection Monitor l
softvare design.
The Leak Detection Monitor (LDM) softvare for application at the Perry Nuclear Power Plant is being developed usir.g the same sof tware verification and validation (V&V) program as that previously approved by the NRC for the NUMAC Vide Range Neutron Monitor (see Appendix E of l
Reference 4).
This program specifically addresses issues such as design i
control, change control, documentation, record keeping, independent verification, and specific software development requirements as delineated in NRC Regulatory Guide 1.152.
l The basic approach of this softvare V&V methodology is as follows:
-l L
(a) The design process is divided into logical steps, starting from the top, with each step resulting in a documented output.
(b) Independent technical verification reviews are performed for each I
step of the design process, including verification of test methods and results.
(c) The design steps are divided into logical groups, starting from the top, each of which comprise a baseline for the next set of design steps.
I
- - ~. -
PY-CEI/NRR-1654 L j
j l
Page 23 of 33
)
)
i (d) An independent process review is performed after each group of design steps to assure that the process, including technical l
verification review, is being followed and issues resolved.
l (e) A final validation test is performed on the completed softvare in the target hardware.
(f) All steps of the process are documented.
-l I
The overall LDM softvare design process is divided into several groups of
-i design activities, each of.which comprise a baseline for subsequent-
'l activities. All Leak Detection Monitor software, including that for the display microcomputer and self-test system functions, is-included in the i
V6V program.
i The GE software verification and validation is conducted in accordance.
vith the NUMAC Software Verification and Validation Plan.-
This involves j
independent design verification as a product assurance action which l
assures adequate quality, safety, reliability and performance of the j
l design.
It is the process of reviewing and substantiating the design to l
provide controlled, independent, documented' confirmation that'the design meets its requirements. Throughout the design process formal-baseline i
reviews are conducted to provide independent evaluations of the l
conformance to the design. process. These reviews are used to evaluate t
l the adequacy of documentation, the design process, test methods and to confirm adherence to the verification and validation plan..
I Another issue raised in the NRC Safety Evaluation for the installation of' l
a NUMAC Reactor Building Ventilation Radiation Honitor (see Reference 5),
i involved the level of detail in the instructions for performing the V&V process described in the GE Software Verification and Validation Plan.
The Staff found that in actual practice, that the GE. software development j
i l
methodology was being implemented consistently with an auditable-paper l
trail throughout the development process, but required that the plan be updated. The status of this update vas; raised by.the PNPP.to General Electric; GE indicated that the Software Verification and Validation' Plan i
and supporting plans are being modified to reflect the improved NUMAC i
software process actually used for current projects. General Electric indicated that the revision of the plans is to be completed by-December 31, 1993.
[
2.
CONFIGURATION CONTROL
'I l
Emergent needs for future changes to the NUMAC LDM software design that j
might be identified by the PNPP vill be managed through the normal proj ect identification and design control processes. The PNPP site design control process vill be utilized to define, approve, implement and test any changes to the NUMAC Leak Detection Monitor sof tware or hardware. The PNPP vill identify any requirement changes to General l
Electric. GE vill then implement those changes in accordance with their l
NRC approved 0A and softvare V&V programs. The modified hardware or l
software vould then be provided to the PNPP for-site implementation in j
accordance with the plant modification procedures.
1 l
1]
i I
I=
u,
,s
PY-CEI/ ERR-1654 L l
Attachment I Page 24 of 33 l
1 l
As part of the configuration control review during the January 1993 audit of GE, the NRC Staff reviewed Revision 1 of the Software Configuration i
Management Plan, and Revision 1 of the Softvare Management Plan, both l
dated March 12, 1991. This configuration management plan vould also be applicable to the PNPP. The review determined that strict-configuration control standards vere in place and all updates to the NUMAC instruments vere performed at GE.
Each version of the firmware includes all software modules, whether modified or not.
Each version is controlled with a separate revision and part number.
Based upon their reviews and audits the NRC Staff has confirmed that GE has established a formal design, code, and test review process with the associated documentation for NUMAC software development. The Staff also found that GE has a formal configuration management plan and it is being consistently applied. The decision by General Electric to maintain a library where each revision of the code is a complete entity removes the problems associated with controlling different versions of the code and was considered a plus.
Therefore, General Electric has established appropriate design, testing, documentation and configuration management control programs to administer the 4
NUMAC software design / maintenance process.
PART H - CONCLUSIONS l
The following discussion summarizes the considerations that have been examined l
in preparation for the installation of the NUMAC Leak Detection Monitors in l
place of most of the Riley temperature module instrumentation in the Leak Detection System. This discussion vill briefly address the problems with the existing Leak Detection System instrumentation, and the design, reliability, environmental qualifications and resistance to common mode failure concerns (such as those associated with EMI/RFI, softvare control and softvare V&V) of the NUMAC system.
Based on the design and control mechanisms described below, i
the NUMAC Leak Detection Monitor is qualified for this safety related application at the Perry Nuclear Power Plant.
i As described in Part B of this letter, the Riley leak detection temperature j
modules within the Leak Detection System (LDS) are being replaced because thsy
[
have been a source of several events reported in Licensee Event Reports (and numerous other problems have been experienced) due to spurious trip signals which have caused system isolations at the plant. NRC Information Notice 86-69 and General Electric Service Information Letter (SIL) Number 416 both describe problems with the Riley temperature modules which have resulted in j
spurious system isolations. The current Leak Detection System uses analog j
equipment which has an inherent tendency to drift and also has design problems i
vhich may result in spurious isolations or false annunciations. Use of the General Electric NUMAC digital Leak Detection Monitors is expected to reduce the number of spurious isolations and failures related to these causes, j
because the NUMAC LDM design is entirely different than the Riley design. The NUMAC LDM does not have the " READ / SET" switch feature; the NUMAC design has features which eliminate the need to jumper isolation relays and disconnect the thermocouples during testing (eliminating these sources of human error);
and it uses more reliable (generally military grade) components and equipment j
than the present LDS.
1
)
I
PY-CEI/NRR-1654 L l
Page 25 of 33 Two NUMAC Leak Detection Monitors (LDMs) vill replace the vast majority of the l
existing Riley leak detection temperature modules. The two NUMAC LDMs will l
provide divisional monitoring and, when necessary, isolation signals to close either the inboard or outboard containment isolation valves for a specific system, when high ambient or high differential temperature is sensed in that respective systems' equipment area (s) (or areas that high energy lines of that system passes through). This upgrade is being made for the temperature-based instrumentation monitoring the following piping lines: Reactor Vater Cleanup, Reactor Core Isolation Cooling, Residual Heat Removal, and the Division 1 and 2 instrumentation for the main steam lines (in the Steam Tunnel). The Division 3 and 4 main steam line leak detection temperature instrumentation (in the Steam Tunnel) is located in other r sels and vill not be upgraded to NUMAC components as part of this change.
iso, the main steam line leak detection temperature instrumentation in tne Turbine Building is located in other panels and vill not be upgraded to NUMAC components as part of this change.
No changes are being made in the systems / areas being monitored or the f
corresponding setpoints, only a portion of the Control Room leak detection instrumentation is being upgraded to utilize the NUMAC Leak Detection Monitors.
The NUMAC Leak Detection Monitor design is summarized in Part C of this letter. The NUMAC instruments are of a highly modularized design which uses many common components between applications. Therefore, the operational history and testing performance of these common components is directly applicable to never applications in which these components are used. The NUMAC product line is a mature technology (nearly 500 instruments are in use all over the world). This provides a large ongoing historical data base to establish system application / component reliability, and the design has been
+
demonstrated to be reliable by General Electric.
Part D of this letter discusses certain design features of the NUMAC system which contributes to its reliability. The replacement NUMAC LDMs are digital instruments that use a microcomputer to monitor the processes (in this case ambient and differential temperatures) and provide accurate outputs and automatic self-testing and calibration. A second microcomputer is isolated from the essential microcomputer (which runs the Class 1E process) by a serial data link and is used to control the LDM front panel display.
Typical failures that can affect components within the NUMAC LDMs and I
associated input and output units inclade:
- 1) open vires and/or cables.
- 2) sensor failure, 3) loss of power, 4) output relay failure, and 5) computer module failure. These failures vill be detected by the automatic self-test system function which is a part of the NUMAC LDM design. When a failure is detected by the self-test system function, an alarm vill be annunciated in the Control Room. The failure mcde vill also be displayed on the NUMAC LDM screen on the front panel with the appropriate error message (s).
l
PY-CEI/NRR-1654 L Page 26 of 33 J
J The self-test system feature of the NUMAC LDM provides automatic testing of its internal circuits and reperts any failures resulting in the loss of safety related functions. This also includes the use of a hardware " watchdog" timer to monitor against the software cycling in a continuous loop. Also, the software of the essential microcomputer is structured so that all the safety related essential tasks have the highest priority in the operating system.
This design drastically reduces the potential for common mode software /
hardware failures. Additionally, the NUMAC LDM design includes provisions for thermocouple failure detection and provisions to test the output relays without the use of jumpers - reducing the threat of spurious isolations.
These capabilities increase the reliability of the collected data, reduce the possibility of inadvertent isolations and plant shutdowns, and reduce the need for frequent functional testing and calibrations.
)
Also, the NUMAC Leak Detection Monitors have built-in dual power supplies such that if one fails the other vill automatically provide internal power to the electronic cards without interrupting the operations of the monitors. The Leak Detection Monitors are also equipped with key-locks (and passwords) to prevent unauthorized access and tampering with the monitors' parameters.
Also, as discussed in Part D of this letter, based on the NUMAC digital design and the inharent resistance to drift, analysis demonstrates that the CHANNEL FUNCTIONAL TEST surveillance interval can be increased to six months.
Part E of this letter discusses the NUMAC environmental qualifications. The NUMAC Leak Detection Monitors and associated thermocouple input and relay L
output units vill be mounted seismically such that qualification of these i
components and panels is maintained. The NUMAC LDMs including the TCIUs and ROUs have been seismically and environmentally qualified to IEEE 344-1975 and IEEE 323-1974 respectively. The NUMAC design meets the existing qualifications for the current Leak Detection System compor.ents.
l In regard to division / channel independence, the two NUMAC LDMs (one per division) vill be physically and electrically independent of each other and do not share power supplies, thermocouple inputs, output relays, microcomputer based logic units, display units or enclosures and mounting locations. A postulated gross failure of any one NUMAC LDM - such as gross malfunction of the input unit, microcomputer logic unit or the relay output unit - vill not propagate to the other NUMAC LDM. Thus, a failure within one NUMAC LDM vill i
not prevent or disable the function of the other NUMAC LDM. A failure within one NUMAC LDM may cause the loss of one division of the isolation trip logic.
However, since the other redundant division (the MSLs have three other divisions) vill not be affected by this failure, the Leak Detection System vill still be able to perform its designed safety-related function and provide j
the necessary system isolations. This is the same as the current Leak Detection System design basis.
Since the isolation logic is bi-divisional (for the RHR, RCIC, and RUCU systems; the MSLs have four divisions) and all of the isolation functions are being routed to a single NUMAC for each division, a gross failure of one of the two NUMAC Leak Detection Monitors coold initiate a half isolation for the
~
t PY-CEI/NRR-1654 L Page 27 of 33 l
above systems resulting in either the inboard or outboard containment isolation valve closing and system flov being isolated (if the system were 3
running).
If this were to occur, this vould cause an additional burden on the 3
operators to address multiple system isolations. However, this is similar to the currently analyzed sceaario of a loss of power to essentially one division of the Riley temperature modules (most of the Rileys in each division receive power from a single supply). Therefore, the loss of power from that source vould also result in multiple system isolations. However, due to the significantly increased reliability of the NUMAC design (as discussed above) this scenario is considered very unlikely. Also, this scenario, while presenting an additional burden on the operators (if it vere to happen) is l
within the current plant design basis and the components fail-safe (the isolations occur on a loss of power).
The single failure criterion requires that any single failure within a safety-related system not prevent proper protective action of the system when the system is required to function. Therefore, the system design has to be such that a failure of one division (or train, subsystem etc.) of a i
multi-division system vill not prevent the system from performing it's safety function.
Common mode /cause failures (in this case the failure of both NUMAC LDM divisions [or the channels for the same trip function between divisions])
could potentially prevent a system from performing its intended safety function. A microcomputer based digital system has a potential for common mode /cause failures in the areas of software, hardware, software / hardware interaction, and those resulting from electromagnetic or radio-frequency i
interference (EMI/RFI). Therefore, the design of the hardware and software, the verification and validation (V6V) of the software to reduce the likelihood of errors, the testing of the software (to discover and eliminate errors) and testing of the hardware to identify EMI/RFI susceptibility levels takes on added importance. The NUMAC system design, testing and verification programs i
adequately addresses these types of concerns. Also, the NUMAC components are not commercial grade components that have been dedicated for nuclear use, but have been designed with a nuclear QA program overseeing the development j
process from the beginning. Therefore, concerns about common mode failures resulting from an inadequate review and dedication cf commercial grade i
equipment are not applicable.
l
\\
The NUMAC instruments are designed to minimize ';tth their susceptibility to, and generation of, electromagnetic and radio-frequancy interference (EMI/RFI) to prevent spurious operations and allow their use in safety-related systems.
As described in Part F of this letter, General Electric has previously tested the NUMAC instrumentation for various types of EMI/RFI susceptibilities.
EMI/RFI testing has been performed on various NUMAC applications such as their Logarithmic Radiation Monitor (LRM), Source Range Monitor (SRM), AC & DC Vide Range Neutron Monitors (VRNM and DCVRNM) and Reactor Building Ventilation Radiation Monitor (RBVRM). Additional testing has been performed on the NUMAC Leak Detection Monitor configuration in order to both expand the overall qualification region, and to obtain test data specific to this application.
This testing ensures the qualification of the Thermocouple Input Unit (TCIU),
a NUMAC circuit board which is unique to the LDM application. This testing also extends the NUMAC RFI qu'alification to include both higher and lover frequencies than previously tested. This additional testing by General
PY-CEI/NRR-1654 L i
Page 28 of 33 4
Electric was performed as part of a broader plan te improve the testing and i
documentation for the entire NUMAC product line. This testing demonstrates the minimal susceptibility of the NUMAC design to EMI/RFI. The testing being performed in the PNPP Control Room vill demonstrate that the NUMAC Leak 1
Detection Monitor design is within the General Electric qualified EMI/RFI testing envelope, and therefore acceptable for installation on-site.
f b
i l
The comprehensive General Electric software V&V and configuration management control programs described in Part G of this letter strongly minimizes, although cannot entirely eliminate, the likelihood of a common mode NUMAC 1
instrument failure. The NUMAC instrument design concept has undergone review by the NRC, and the initial instruments of the NUMAC product line (the Logarithmic Radiation Monitor and Wide Range Neutron Monitoring System) have 4
received NRC approval via Safety Evaluations of the associated GE Licensing Topical Reports. The various types of NUMAC equipment in operation at other nuclear power plants have components and software modules which are similar to and in some instances identical to the NUMAC LDMs. The hardware (firmware) and software for the PNPP NUMAC Leak Detection Monitors vill undergo a formal software verification and validation (V&V) process by General Electric equivalent to the one reviewed and approved by the NRC for the safety-related Vide Range Neutron Monitor.
Additionally, the alternate leak detection methods described belov provide 1
adequate backup in the event of loss of both divisions of the NUMAC Leak Detection Monitor temperature-based isolation functions. As described within Sections 7.3.1.1.2, 7.6.1.3 and 7.3.1 of the Updated Safety Analysis Report (USAR), diversity is provided to the ambient and differential temperature monitoring trip functions for the various systems by alternative leak detection methods. A summary is presented below:
System Alternative Leak Detection Method i
RCIC RCIC steam line flow RCIC steam line pressure l
RHR RHR/RCIC steam line flov i
RVCU RVCU differential flov l
Reactor water level MSL MSL high flov
{
MSL low pressure j
t These functions are physically separate from those being performed by the l
NUMAC Leak Detection Monitor and constitute diverse, redundant, safety-related backup means that are capable of responding to a design basis line break for i
the various systems. Non-safety related sump alarms are also available to the l
operator. Therefore, a common mode failure of both divisions of the NUMAC LDM
)
instrumentation vould not prevent the necessary detection of system line j
1 breaks from occurring.
\\
1 6
-g
7 PY-CEI/NRR-1654 L Page 29 of 33 DESCRIPTION OF THE PROPOSED TECHNICAL SPECIFICATION CHANGES This modification involves the conversion of the present analog leak detection system (for the associated systems) to a digital microprocessor based system.
The upgrade from analog to digital devices improves several system parameters, such as channel accuracy, drift and loop calibration. The means of testing a digital channel is no different from the means of testing an analog channel.
The only difference may be in the way the data from the sensor is transmitted.
Adding " digital" to the DEFINITION of the CHANNEL FUNCTIONAL TEST along with l
the currently referenced " analog" channels merely clarifies that the same test i
applies to digital channels.
This proposed change vould also increase the CHANNEL FUNCTIONAL TEST surveillance interval from M (Monthly) to SA (Semiannually) for the ambient and differential temperature trip functions for the Reactor Vater Cleanup, Reactor Core Isolation Cooling (including the Main Steam Line Tunnel Temperature Timer), Residual Heat Removal Systems and the Division 1 and 2 logic for main steam line isolation (for the temperature instrumentation located in the Steam Tunnel area). Note that this change does not include the main steam line temperature isolation logic for the temperature instrumentation located in the Turbine Building.
Refer to Attachment 2 for a marked-up copy of the subject Technical Specification pages.
1.
Specification 1.6: CHANNEL FUNCTIONAL TEST (page 1-1) i Revise part a of the CHANNEL FUNCTIONAL TEST definition to recognize that l
this same definition applies to testing performed on digital channels.
Add "/ digital" after the word " Analog" in Definition 1.6.a.
2.
Specification 3.3.2:
ISOLATION ACTUATION INSTRUMENTATION: MAIN STEAM LINE ISOLATION, TRIP FUNCTIONS 2.f and 2.g (page 3/4 3-23)
Increase the CHANNEL FUNCTIONAL TEST surveillance interval from M (Monthly) to SA (Semiannually) for the temperature and differential temperature Trip Functions listed below. Note that for the Main Steam Line Tunnel high temperature and high differential temperature trip functions listed belov, that only the Division 1 and 2 CHANNEL FUNCTIONAL TEST surveillance interval is being extended from monthly to semiannually, and that the current trip function is being broken-up into separate Items 1 and 2. The divisions that these surveillance intervals apply to is being added to these titles for clarification.
(Note that the Turbine Building main steam line temperature instrumentation (Item 2.h in the Table) is not proposed to be changed.) The proposed changes are shovn in boldf ace below.
l e
m-
-- m-
j PY-CEI/NRR-1654 L
~
j Page 30 of 33 l
Channel-l Current New TRIP FUNCTION (SYSTEM) ISOLATION (PAGE)'
Functional l
Item No.
Item No.. Trip Function Name Test Reg'at MAIN STEAM LINE ISOLATION (Page 3/4 3-23) l 2.f 2.f.1 Main Steam Line Tunnel Temperature - High SA
[
(Division 1 and 2)'
t 1
2.f 2.f.2 Main Steam Line Tunnel Temperature - High H l
(Division 3 and 4) i I
l 2.g 2.g.1 Main Steam Line' Tunnel a Temperature -
'SA
.l l
High (Division 1 and 2) r 2.g 2.g.2 Main Steam Line Tunnel a Temperature -
M
_j High (Division 3 and 4) _
3.
Specification 3.3.2:
ISOLATION ACTUATION INSTRUMENTATION (pages 3/4~3-24 through 3/4 3-26) i Increase the CHANNEL FUNCTIONAL TEST surveillance. interval from M~
(Monthly) to SA (Semiannually) for the temperature and differential l
temperature Trip Functions listed below.
(Note that the' systems listed.'
l l
below consist of only two divisions (i.e., Divisions 1 and 2, which are.
l both being upgraded to the NUMAC instrumentation) with the same CHANNEL FUNCTIONAL TEST surveillance interval; therefore there is no need to-clarify the divisions as was done in' item 2 above.) The proposed changes i
i are shown in boldface belov, f
I Channel TRIP FUNCTION (SYSTEM) ISOLATION (PAGE)'
Functional l
Item No.
Trip Function Name-Test Reg'at t
REACTOR VATER CLEANUP SYSTEM ISOLATION'(Page 3/4'3-24) ll t
i 4.c Equipment Area Temperature - High SA
.i j
4.d Equipment Area Ventilation SA
-[
6 Temperature - High l
4.f Main Steam Line Tunnel Ambient.
SA Temperature - High
- l t
-l 4.g Main Steam Line. Tunnel SAL A Temperature - High
- j l
i 1
-l i
i I.
,,.. ~.
i
PY-CEl/NRR-1654 L Page 31 of 33 I
Channel l
TRIP FUNCT]ON (SYSTEM) ISOLATION (PAGE)
Functional l
Item No.
Trip Function Name Test Req'at REACTOR CORE ISOLATION COOLING SYSTEM ISOLATION (Page 3/4 3-25) 5.d RCIC Equipment Room Ambient SA I
Temperature - High 5.e RCIC Equipment Room a Temperature - High SA l
l 5.f Main Steam Line Tunnel Ambient SA Temperature - High i
5.g Main Steam Line Tunnel SA a Temperature - High f
1 l
5.1 RHR Equipment Room Artient SA Temperature - High 5.j RHR Equipment Room a Temperature - High SA RHR SYSTEM ISOLATION (Page 3/4 3-26) 6.a RER Equipment Area Ambient SA Temperature - High 6.b RHR Equipment Area a Temperature - High SA 4.
Specification 3.3.2:
ISOLATION ACTUATION INSTRUMENTATION: REACTOR CORE l
l ISOLATION COOLING SYSTEM ISOLATION, TRIP FUNCTION 5.h (page 3/4 3-25)
Increase the CHANNEL FUNCTIONAL TEST surveillance interval'from M (Monthly) to SA (Semiannually) for the Main Steam Line Tunnel Temperature Timer.
I SIGNIFICANT HAZARDS CONSIDERATION The discussion of whether the proposed change involves a significant hazards consideration is included in Attachment 3 to this letter.
ENVIRONMENTAL CONSIDERATION i
j The proposed Technical Specification change request has been reviewed against j
the criteria of 10 CFR 51.22 for environmental considerations. As shown above and in Attachment 3, the proposed change does not involve a significant l
hazards consideration, nor increase the types and amounts of effluents that I
may be released offsite, nor significantly increase individual or cumulative l
occupational radiation exposures.
Based on the foregoing, it has been l
concluded that the proposed Technical Specification change meets the criteria given in 10 CFR 51.22(c)(9) for a categorical exclusion from the requirement for an Environmental Impact Statement.
i
PY-CEI/NRR-1654 L Page 32 of 33 REFERENCES i
1.
Inspection and Enforcement Information Notice Notice 86-69, August 18, 1986, " Spurious System Isolations Caused by the Panalarm Model 86 l
Thermocouple Monitor."
2.
General Electric Company Service Information Letter Number 416, January i
24, 1985, "Riley Temperature Switches."
l 3.
"The Nuclear Measurement Analysis and Control Logarithmic Radiation Monitor (NUMAC-LRM)," Licensing Topical Report, General Electric Company, j
January 1987 (NEDO 30883-A) l l
4.
"The Nuclear Measurement Analysis and Control Vide Range Neutron i
Monitoring System (NUMAC-VRNHS)," Licensing Topical Report, General
}
Electric Company, October 1990 (NEDO 31439-A) i 5.
Letter from Frederick. J. Herdon (NRR) to Dr. Mark 0. Medford (TVA),
i Safety Evaluation for amendments to the Technical Specifications for j
l Browns Ferry Units 1, 2 and 3, to reflect the installation of a NUMAC l
Refuel Zone and Reactor Building Ventilation Radiation Monitoring l
(RBRVM) system, dated April 13, 1993.
i l
t l
l l
l l
PY-CEI/NRR-1654 ly Page 13, of 33 1
Figure 1 l
l i
l
\\
l DtSCRETE TRIPS
> OUTPUT
[
TRF AND ANALOG ANALOG _,
THERMOCOUPLE OUTPUTS 8
l (t/O CONTACT AND l
l ANALOG.moulES:
l
[h
[\\
\\/
V HIGH SPEED PARALLEL DATA BUS
[h LOW VOLTAGE
+ POWER TD MODULES l
AC INPUT REDUNDANT ESSENTIAL POWER POWER MICROCOMPUTER
+
r SUPPUES FUNCTIONAL (LOW VOLTAGE MEASUREMENTS POWER SUPPLY SELF-TEST SYSTEM MODULES)
(COMPUTER MODULE) h l
SERIAL DATA I
UNK i
y DISPLAY MICROCOMPUTER (DtSPLAY CONTROL CPU AND MEMORY MODULES)
C) "-
a p>
/// Q/)
0000 0000 9 Q Q G A
0000 gy V
OOOD,9 1
I i
l i
I l
j Figure 1 NUMAC Leak Detection Monitor Functional B!ock Diagram 3
0
-