Safety Evaluation Supporting Amend 91 to License DPR-6
Document: ML20154J198
Site: Big Rock Point
Issue date: 05/17/1988
From: Office of Nuclear Reactor Regulation
Shared Package: ML20154J170
References: NUDOCS 8805260216

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION
RELATED TO AMENDMENT NO. 91 TO FACILITY OPERATING LICENSE NO. DPR-6
CONSUMERS POWER COMPANY
BIG ROCK POINT PLANT
DOCKET NO. 50-155

1.0 INTRODUCTION

By application dated November 9, 1987, Consumers Power Company (the licensee) requested an amendment to the Technical Specifications for Facility Operating License No. DPR-6 for the Big Rock Point Plant.

The proposed Technical Specification (TS) changes would incorporate the new out-of-core DC wide range monitor nuclear instrumentation in the Reactor Protection System.

The TS changes include sections 6.1.2 (Table 1) Reactor Safety System During Power Operation; 6.1.2.2 Intermediate Range Channels; 6.1.2.3 Power Range Monitor Channels; 6.1.2.!i Neutron Monitoring Range Switch; 6.1.5 Operating Requirements; 6.2 Control Rod Withdrawal Permissive System; 6.3 Refueling Operation Interlock System; 7.3.4 Normal Power Operation; 7.3.5 Extended Shutdown; and 7.3.6 Short Duration Shutdown of the Big Rock Technical Specifications.

In response to the staff's request for additional information, the licensee provided in a letter dated March 17, 1988, a detailed comparison between the NUMAC-DCWRM system (as presented in Topical Report NEDO-31399) and the previously approved NUMAC-LRM system (Topical Report NEDO-30883).

By letter dated March 31, 1988, the licensee provided a document "Power Range Monitoring Instrumentation Modification Safety Evaluation" in accordance with the requirements of the Code of Federal Regulations, 10 CFR 50.59, "Changes, Tests and Experiments." On April 21 and 22, 1988, the staff performed an audit review of the Big Rock Point Plant DC wide range monitor system software verification and validation program. Our contractor's audit report is attached in Appendix 1 of this Safety Evaluation.

2.0 ACCEPTANCE CRITERIA

The criteria used in evaluating this DC wide range monitor system include 10 CFR Part 50.55a(h) (IEEE Standard 279 requirements), Regulatory Guide 1.152 (Criteria for Programmable Digital Computer System Software in Safety-Related Systems of Nuclear Power Plants), and the Standard Review Plan Section 7.1, Table 7-1 (Acceptance Criteria and Guidelines for Instrumentation and Control Systems Important to Safety), and Section 7.2 (Reactor Trip System).

3.0 BIG ROCK POINT DC WIDE RANGE MONITOR SYSTEM DESCRIPTION

Consumers Power Company planned to install the new out-of-core DC wide range monitor nuclear instrumentation during the 1988 refueling outage.

The new instrumentation is a member of the General Electric Company's (GE) NUMAC series of microprocessor based instrumentation. It is called the Nuclear Measurement Analysis and Control DC Wide Range Monitor (NUMAC-DCWRM). It is described in GE Topical Report NEDO-31399.

This installation will replace the existing power range monitoring system, including elimination of the two intermediate range detectors, and the range switches. However, three power range detectors (compensated ion chambers) will not be changed or modified. These three detectors will be used as sensors for the new DC wide range monitor system.

DC Wide Range Monitor Channels 1, 2, and 3 provide indication of neutron flux over the range of 1 x 10^-7% to 150% power. From the lower end of the measurement range to 1% power, a logarithmic output is provided. The system automatically switches to a linear output between 1% power and 150% power. The DCWRM also overlaps the range covered by the Source Range Monitor by approximately four decades.

Three compensated ion chambers are located in vertical guide tubes at 120-degree positions around the core.

Compensated ion chamber outputs are directly connected to DCWRMs located in the control room.

The input signal from the ion chamber is conditioned and amplified by the DCWRM's femtoammeter module which is tied to an internal computer bus.

The linear and logarithmic flux measurement functions, the high flux / short period / rate of change trips and alarm functions, internal compensation and instrument calibration are performed by a computer.

Alarm and trip setpoints are stored digitally in non-volatile memory.

DC Wide Range Monitor trip contacts are connected to the Reactor Protection System Channel 1 and Channel 2 through Reactor Protection System logic.

If two-out-of-three DC Wide Range Monitors are tripped, a control rod scram is initiated.

DC Wide Range Monitor trip contacts are actuated by:

(1) High neutron flux at 120% power
(2) Short reactor period of 10 seconds when operating between 1 x 10^-7% and 1% power
(3) High MW/min rate of change
(4) Loss of either one of the two high voltage power supplies.

Another reactor trip may occur when one channel is downscale (less than 1 x 10^-7% power), and a second channel is tripped due to high flux, short period or rate of change (upscale).

All trip contacts go to the tripped condition upon loss of power to the Power Range Monitor.

An alarm will occur when the system approaches the trip limit.

Interlocks are provided for the rod control system and the refueling operation.
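The channel trip conditions and the two-out-of-three coincidence described above, modelled as an added example; this is not code from the NRC evaluation or from GE's NUMAC-DCWRM. The setpoints taken from the text are the 120% high flux trip, the 10 second period trip below 1% power, and the 1 x 10^-7% downscale limit; the MW/min rate-of-change setpoint, the ChannelSample structure, the function names and the sample readings are assumptions constructed for the model. Downscale, loss of high voltage and loss of power are all treated as trip status, so the downscale-plus-upscale case the evaluation mentions falls out of the same coincidence count.

```python
"""Added example, not code from the NRC evaluation or from GE's NUMAC-DCWRM:
a model of the channel trip conditions and two-out-of-three coincidence
described in sections 3.0 and 4.0(1). Setpoints stated in the text are used;
the rate-of-change setpoint, the data structure and the readings are constructed."""
from dataclasses import dataclass
from typing import List

# Setpoints stated in the evaluation (percent power, seconds).
HIGH_FLUX_TRIP_PCT = 120.0
DOWNSCALE_PCT = 1e-7          # below this the channel indicates downscale
LOG_RANGE_TOP_PCT = 1.0       # period trip is active only below 1% power
SHORT_PERIOD_TRIP_S = 10.0
# The evaluation gives no numeric MW/min setpoint; this is an assumed value.
RATE_TRIP_MW_PER_MIN = 50.0


@dataclass
class ChannelSample:
    flux_pct: float          # indicated power, percent of rated
    period_s: float          # reactor period, seconds (inf when steady)
    rate_mw_per_min: float   # rate of change of power
    hv_supply_a_ok: bool     # first high voltage power supply
    hv_supply_b_ok: bool     # second high voltage power supply
    powered: bool = True     # the monitor itself has power


def channel_trip_reasons(s: ChannelSample) -> List[str]:
    """Return every reason this channel's trip contacts are actuated (an empty
    list means the channel is normal). Downscale, inoperable and loss of power
    all place the channel in trip status, as the evaluation describes."""
    if not s.powered:
        return ["loss of power"]      # all contacts go to the tripped condition
    reasons = []
    if not (s.hv_supply_a_ok and s.hv_supply_b_ok):
        reasons.append("loss of high voltage supply")
    if s.flux_pct < DOWNSCALE_PCT:
        reasons.append("downscale")
    if s.flux_pct >= HIGH_FLUX_TRIP_PCT:
        reasons.append("high neutron flux")
    # Short period: only a positive (rising) period counts, and only in the
    # logarithmic range between the downscale limit and 1% power.
    if DOWNSCALE_PCT <= s.flux_pct < LOG_RANGE_TOP_PCT and 0 < s.period_s <= SHORT_PERIOD_TRIP_S:
        reasons.append("short period")
    if s.rate_mw_per_min >= RATE_TRIP_MW_PER_MIN:
        reasons.append("high rate of change")
    return reasons


def scram_demanded(samples: List[ChannelSample]) -> bool:
    """Two-out-of-three coincidence: a control rod scram is initiated when at
    least two channels are in trip status, in any mix of upscale and downscale."""
    tripped = sum(1 for s in samples if channel_trip_reasons(s))
    return tripped >= 2


def normal(flux_pct: float) -> ChannelSample:
    """Constructed helper: a healthy channel reading a steady flux."""
    return ChannelSample(flux_pct, float("inf"), 0.0, True, True)


if __name__ == "__main__":
    # Constructed scenario: one channel downscale, one upscale on high flux.
    channels = [normal(50.0), normal(1e-9), normal(125.0)]
    for i, ch in enumerate(channels, 1):
        print(f"channel {i}: {channel_trip_reasons(ch) or 'normal'}")
    print("scram demanded:", scram_demanded(channels))
```

The model deliberately counts a failed channel as tripped rather than as absent: with three channels, that is what lets one channel failure plus one real trip still reach the 2/3 threshold, which is the single failure argument made in section 4.0(1).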

4.0 EVALUATION

(1) Conformance to Safety-Related System Requirements (IEEE Std 279-1971)

The NUMAC-DCWRM is a functional and physical replacement for existing neutron flux monitoring equipment.

Three existing detectors are used for sensors for the new system.

The new instrument assemblies are chassis mounted in the main control room panels.

Each NUMAC-DCWRM contains a single input module.

Three channels are in three separate sections of the control room panel.

The remote read-only display assemblies are located on the main control room console.

Signal and polarizing voltage cables to the existing detectors from each channel will be replaced.

The new cables will be routed from the control room through the existing cable trays, electrical penetrations, and conduits presently used for the existing cables.

The new cables will be provided with extra shielding to reduce noise levels.

The existing channel separation and channel independence will be maintained.

The Big Rock Point NUMAC-DCWRM system uses two-out-of-three logic to initiate the trip function. When one channel indicates a downscale, inoperable, or loss of power to the monitor, the system will automatically put that channel in a trip status.

Any trip or failure in a second channel will cause a reactor scram (i.e., the 2/3 logic will be satisfied).

This design satisfies the single failure criterion.

The NUMAC-DCWRM system was qualified using the methodology of IEEE Std. 323-1974.

This qualification was to the same temperature limits as specified for the instruments being replaced.

The qualification procedure used for the NUMAC-DCWRM, including an aging process, represents an improvement in product testing.

The NUMAC-DCWRM system has a continuous self-testing and a self-calibration feature.

It provides on-line test capability for the protection system.

The computer based display unit and the menu-driven software provide an acceptable level of detailed information to the operator and represent an improvement on man-machine interface design.

Based on our review, the staff finds that this design is in conformance with the IEEE Std. 279-1971 requirements and, therefore, is acceptable.

(2) Software Design Verification and Validation Program Audit (R.G. 1.152)

On April 21 and 22, 1988, the staff performed a NUMAC-DCWRM system software design verification and validation program audit at General Electric Company.

The staff reviewed the NUMAC-DCWRM design process and the documentation of design verification and validation steps utilized in the development of hardware and software.

The staff also examined a thread path from detector input, through femtoammeter module (signal conditioning), discriminator module (detector power supplies), CPU module, display control module, solid state I/O contact module, analog module, trip output module to verify the flow path of the software design verification and validation steps.

The staff was assisted in its review of the verification and validation (V&V) plan by SoHar (NRC consultant).

The detailed results of the V&V review are provided as Appendix 1 to this Safety Evaluation.

It should be noted that our review has resulted in an interim acceptance of the V&V plan.

As a result, this interim V&V plan acceptance is specific to the software as applied to the Big Rock Point DC Wide Range Monitoring Instrumentation installation.

It is not intended to cover any future wide range monitoring modification provided by General Electric.

The reason for this caveat and the interim acceptance is that we have concluded that the V&V plan did not adhere to the guidance provided in ANSI/IEEE-ANS 7.4.3.2-1982 regarding independent verification.

The basis for this interim acceptance is the staff belief that the non-independent verification effort, the independent and structured validation effort, the fail-safe aspects of the software and the time-out aspects of the hardware provide adequate assurance that the systems will operate safely on an interim basis.

To provide final acceptance of the V&V plan, because of the lack of independent verification, the licensee should perform (within 120 days of receipt of this evaluation) independent, post-implementation verification reviews of the software as discussed in ANSI/IEEE-ANS 7.4.3.2-1982.

The first verification review performed should be the functional requirements verification.

This is a review of the functional requirements versus the system design specification.

The functional requirements document is an essential document in that the integrated system is validated against this document.

Errors and ambiguity here can lead to an unacceptable system.

Furthermore, acceptable verification at this step helps ensure correctness, completeness, consistency, understandability, feasibility, testability, and traceability at later stages.

The objective of this review is to ascertain the adequacy of the definition of system requirements.

The next verification review performed should be the software specification document verification.

A formal software specification document is a key factor in the total formalized software process.

This document should be in place during the design phase, which is the second phase of the software development process.

The system requirements are decomposed to establish the particular software specifications within the system framework.

The software specifications must be traceable to the system functional requirements and must fully support software design coding, testing, and integration with the system hardware.

This traceability must be verified by the independent verification.

In the course of these reviews, the verification personnel should review the designs in the content of the program and the interface specification, flow charts, algorithms, operating modes for the display stations, format and content of each display, control and data entry devices and formats, and all printouts (status error and data).

Once the software has been coded, then each unit, module, and subprogram should undergo a verification code review.

This review involves the independent verification team.

This code review should verify that the control software code is an accurate representation of the software specification document. In addition, this verification should perform a design documentation review and a test review.

The entire program should have been planned and broken down into sub parts that are separately testable.

The subparts should be structurally tested at this time such that all of the software units are exercised.

Verification personnel should check to ensure that each test is performed satisfactorily as specified and will make written reports of their findings.

There should be follow-up on the required corrective actions.
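The verification reviews described above all come down to traceability: each functional requirement must be carried by a software specification item, each specification item must trace back to a real requirement, and each item must be exercised by at least one test. The following is an added example of such a check, not code from the NRC evaluation, the licensee or GE; the requirement, specification and test identifiers are constructed placeholders, and the record layout (a list of requirements, a mapping from specification items to the requirements they implement, and a mapping from tests to the items they exercise) is an assumption of the example. A requirement with no implementing specification item is exactly the kind of gap the appendix reports in the second validation-found error, where a utility-requested design modification never reached the software.

```python
"""Added example, not from the NRC evaluation or the licensee's V&V program:
a requirements-to-specification-to-test traceability check of the kind an
independent verifier performs. All identifiers below are constructed."""
from typing import Dict, Iterable, List

# Constructed records. FR-3 has no specification item, SS-3 points at a
# requirement that does not exist, and SS-2 is exercised by no test.
REQUIREMENTS = ["FR-1", "FR-2", "FR-3"]
SPEC_ITEMS = {"SS-1": ["FR-1"], "SS-2": ["FR-2"], "SS-3": ["FR-9"]}
TESTS = {"T-1": ["SS-1"], "T-2": ["SS-3"]}


def find_traceability_gaps(requirements: Iterable[str],
                           spec_items: Dict[str, List[str]],
                           tests: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the three kinds of gap a verifier reports: requirements that no
    specification item implements, specification items that cite an unknown
    requirement, and specification items that no test exercises."""
    required = set(requirements)
    covered_reqs = set()
    unknown_refs = set()
    for spec_id, reqs in spec_items.items():
        for req in reqs:
            if req in required:
                covered_reqs.add(req)
            else:
                unknown_refs.add(spec_id)
    tested_specs = {s for specs in tests.values() for s in specs}
    return {
        "requirements_without_spec": sorted(required - covered_reqs),
        "specs_with_unknown_requirement": sorted(unknown_refs),
        "specs_without_test": sorted(set(spec_items) - tested_specs),
    }


def traceability_complete(gaps: Dict[str, List[str]]) -> bool:
    """True only when every category of gap is empty."""
    return not any(gaps.values())


if __name__ == "__main__":
    gaps = find_traceability_gaps(REQUIREMENTS, SPEC_ITEMS, TESTS)
    for category, ids in gaps.items():
        print(f"{category}: {ids or 'none'}")
    print("traceability complete:", traceability_complete(gaps))
```

Run against the constructed records, the check flags FR-3, SS-3 and SS-2 respectively; the written findings and follow-up the text asks for would start from that list.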

Based on our review of the licensee's amendment application with the supplemental information provided in References 2 and 3, the staff concludes that the NUMAC-DCWRM instrument will perform in a reliable manner.

The mitigating factors cited in this Safety Evaluation and its appendix provide an adequate level of assurance that the system will operate safely on an interim basis.

However, before final acceptance of the V&V plan, because of the weaknesses in the verification process, the licensee should perform an independent post-implementation verification as discussed above.

This independent verification should be completed within 120 days of receipt of this evaluation.

(3) Changes to Technical Specifications

The new instrumentation is functionally equivalent to the existing instrumentation, although some features are different.

For example, elimination of the existing intermediate range instrumentation will result in changing the period trip from the present 1-out-of-2 logic to 2-out-of-3 logic, and elimination of the range switches will eliminate the existing range-related trips associated with those switches.

The proposed changes to the Technical Specifications for the Big Rock Point Plant reflect the features and terminology to be used with the new power range instrumentation.

Additional changes are proposed to capitalize defined terms, as is the practice in Standard Technical Specifications, and to more closely conform with defined terms.

Based on our review, the staff finds the proposed changes to the Technical Specifications acceptable.

5.0 ENVIRONMENTAL CONSIDERATION

An Environmental Assessment and Finding of No Significant Impact has been issued for this amendment (53 FR 17128, May 13, 1988).

6.0 CONCLUSION

We have concluded, based on the considerations discussed above, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, and (2) such activities will be conducted in compliance with the Commission's regulations, and the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

7.0 REFERENCES

1. Application for Amendment to License DPR-6, Big Rock Point Plant Technical Specification Change Request - Power Range Monitoring Instrumentation dated November 9, 1987.

2. Letter from Consumers Power Company to NRC Document Control Desk dated March 17, 1988.

3. Letter from Consumers Power Company to NRC Document Control Desk dated March 31, 1988.

Date: May 17, 1988

Principal Contributors: H. Li, J. Mauch

APPENDIX 1

REPORT ON THE AUDIT OF THE BIG ROCK POINT NUCLEAR MEASUREMENT ANALYSIS AND CONTROL SYSTEM DC WIDE RANGE MONITOR
GENERAL ELECTRIC, SAN JOSE, CALIFORNIA
4/21-22/88

INTRODUCTION

The General Electric Nuclear Measurement and Analysis DC Wide Range Monitors (NUMAC-DCWRM) are single channel instrument replacements for equipment previously in use at the Big Rock Point nuclear plant and are designed to monitor the neutron flux levels in the BWR core over the intermediate and power ranges of operation and to initiate trips and alarms when the setpoints are reached. The design incorporates numerous self-test features which monitor the status of the system and provide automatic hardware initiation of the trip and alarm functions unless the software reports a safe value at least once every 100 milliseconds.

SCOPE OF THE AUDIT

The scope of the audit was to examine the design process with particular emphasis on the Verification and Validation plan and its implementation.

COMMENTS AND OBSERVATIONS

The DCWRM is a relatively simple instrument designed to provide information on the state of the plant and to trip the plant if safety conditions are not met.

There are approximately 160 units of software used to perform these tasks, half identical to those used in a previous instrument in the NUMAC series, the Logarithmic Radiation Monitor LRM (Topical Report NEDO-30883).

The safety function performed by the instrument is to trip the plant if flux values which are read are unacceptable.

The design incorporates hardware which will always initiate a trip and alarm unless the software provides evidence of a signal in the acceptable range every 100 milliseconds.

The plant logic requires 2 out of 3 instruments used to provide acceptable values.
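The hardware time-out just described is the design feature the evaluation leans on most: the trip is the default state, and only a fresh "safe" report from the software within every 100 millisecond window holds it off, so a stalled, crashed or silently wrong program cannot keep the plant untripped. The following is an added example that models that behaviour; it is not code from the audit report, the NRC or GE's hardware. The 100 ms window comes from the text; the FailSafeTimeout class, the tick size and the constructed report timeline are assumptions of the example.

```python
"""Added example, not code from the audit report or GE's NUMAC-DCWRM hardware:
a model of the fail-safe time-out in Appendix 1, where hardware initiates the
trip and alarm unless the software reports a safe value within every 100 ms.
The class, tick size and report timeline are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

SAFE_REPORT_WINDOW_MS = 100   # stated in the audit report


class FailSafeTimeout:
    """Hardware-style watchdog. The trip output is released only while fresh
    'safe' reports keep arriving inside the window; silence, or a report that
    the value is out of range, lets the timer expire and the trip assert."""

    def __init__(self, window_ms: int = SAFE_REPORT_WINDOW_MS) -> None:
        self.window_ms = window_ms
        self.last_safe_ms: Optional[int] = None   # none yet: tripped at power-up

    def report(self, now_ms: int, value_safe: bool) -> None:
        # Only a report of an in-range value retriggers the timer.
        if value_safe:
            self.last_safe_ms = now_ms

    def trip_asserted(self, now_ms: int) -> bool:
        if self.last_safe_ms is None:
            return True
        return now_ms - self.last_safe_ms > self.window_ms


def trip_transitions(reports: List[Tuple[int, bool]], end_ms: int,
                     step_ms: int = 10) -> List[Tuple[int, bool]]:
    """Replay (time_ms, value_safe) software reports against the time-out on a
    fixed tick and return each change of trip state as (time_ms, asserted).
    The trip starts asserted, before the software has said anything."""
    wd = FailSafeTimeout()
    by_time: Dict[int, List[bool]] = {}
    for t, safe in reports:
        by_time.setdefault(t, []).append(safe)
    state = True
    transitions: List[Tuple[int, bool]] = []
    for t in range(0, end_ms + 1, step_ms):
        for safe in by_time.get(t, []):
            wd.report(t, safe)
        now = wd.trip_asserted(t)
        if now != state:
            transitions.append((t, now))
            state = now
    return transitions


# Constructed timeline: the program reports a safe value every 50 ms, stalls
# after 500 ms, recovers at 800 ms, then reports an out-of-range value at
# 850 ms and nothing more.
CONSTRUCTED_REPORTS = [(t, True) for t in range(0, 501, 50)] + [(800, True), (850, False)]


if __name__ == "__main__":
    for t, asserted in trip_transitions(CONSTRUCTED_REPORTS, 1000):
        print(f"t={t:4d} ms  trip {'ASSERTED' if asserted else 'released'}")
```

On the constructed timeline the trip releases at 0 ms, asserts at 610 ms (the first tick more than 100 ms after the last safe report at 500 ms), releases again at 800 ms, and asserts at 910 ms because the unsafe report at 850 ms did not retrigger the timer. Nothing in the software path can lengthen the window, which is why the evaluation counts the time-out as a hardware property rather than a software one.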

- Deficiencies Noted

Deficiencies noted in the V&V process were lack of organizational independence in the V&V function, lack of adherence to rigorous documentation procedures during verification and integration, and weakness in the functional and structural verification testing of the software.

Integration and validation testing were relied upon to provide proof that the system meets all functional requirements.

- Positive Observations

Points observed during the audit which were judged to mitigate the lack of adherence to Regulatory Guide 1.152 and other deficiencies noted above included the following:

The system is small, with limited signal input and functionality.

Hardware fail-safe mechanisms are inherent in the design.

The thread path reviewed at the audit demonstrated the presence of an adequate paper trail through design, implementation, and V&V.

The DCWRM instrument has been subjected to several levels of testing including validation tests written and performed by personnel other than the designers, although within the same organization.

Full scale emulators were used, testing was performed at a test reactor, and extensive validation testing using a requirements matrix was done.

Of the two software errors found during validation, one was related to system response and would not have been found during verification.

The second resulted from a design modification requested by the utility not being implemented in the software.

This should have been detected during verification and thus demonstrates the weaknesses observed in that area.

However, since it was found during validation, a higher level of confidence is given to the independence and thoroughness of the validation process.

- Configuration Control

Strict configuration control standards are in place and all updates to the system will be performed at GE.

The Users Manual and other documentation are judged to be adequate.

CONCLUSIONS AND RECOMMENDATIONS

Although the Verification and Validation process did not adhere to the provisions of Regulatory Guide 1.152, the mitigating factors cited above provide an adequate level of assurance that the system will operate safely on an interim basis according to the stated functional requirements.

It is recommended that NUMAC DCWRM be approved on an interim basis for use in the Big Rock Point nuclear plant.

Because of the weaknesses of the verification process, it is strongly recommended that this approval not form the basis for accepting the system or its software in any other application subject to regulatory review.

During the interim period, it is recommended that a post-fact independent verification be performed.
