ML20209G899
| ML20209G899 | |
| Person / Time | |
|---|---|
| Site: | San Onofre  |
| Issue date: | 07/12/1999 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML20209G337 | List: |
| References | |
| NUDOCS 9907200048 | |
| Download: ML20209G899 (7) | |
Text
F "849
' ~
g UN(TED STATES l
g i
NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 30eeH001 s*****J SAFETY EVALUATION BY THE OFFICE OF NUCI FAR REACTOR REGULATION RELATED TO AMENDMENT NO.154. TO FACILriY OPERATING LICENSE NO. NPF-10
~
L
(
l AND AMENDMENT NO. in TO FACILITY OPERATING LICENSE NO. NPF-15 SOUTHERN CAllFORNIA EDISON COMPANY SAN DIEGO GAS AND ELECTRIC COMPANY i.
THE CITY OF RIVERSIDE. CALIFORNIA THE CITY OF ANAHEIM. CALIFORNIA SAN ONOFRE NUCLEAR GENERATING STATION. UNITS 2 AND 3 l
DOCKET NOS. 50-361 AND 50-362
1.0 INTRODUCTION
By letter dated October 17,1997, Southem Califomia Edison Company (SCE), the licensee,
- proposed an upgrade of the radiation monitoring system (RMS) for San Onofre Nuclear Generating Station (SONGS), Units 2 and 3. The proposed upgrade would involve installation of digital radiation monitors for both the containment purge isolation signal (CPIS) and the control room isolation signal (CRIS). The amendments will not require revision of the Technical Specification _s (TSs) for SONGS Unit 2 or Unit 3. The existing analog RMS would be
' replaced to resolve a lack of spare parts and poor availability of equipment.
This proposal was sent to the U.S. Nuclear Regu'atory Commission (NRC) staff as a result of a
.10 CFR 50.59 safety e"aluation determination that an ur viewed safety question 6xisted as a result of the use of common software in redundant chanescia when both trains of CRIS and
' CPIS radiation monitors are upgraded to use the digital radiation monitoring system (DRMS).
> In a letter dated January 30,1998, the NRC staff sent SCE a request for additional information (RAI) on the DRMS. SCE submitted this additionalinformation to the staff in a letter dated March 2,1998. On August 21,1998, the staff again requested more information in a second RAI.- SCE submitted the additionst information to the staff in a letter dated November 23, 1998.
On January 28,1998, the NRC noticed in the FederaIRegister(FR) the licensee's proposed changes and basis for proposed no significant hazards consideration determination (63 FR 4324).' The licensee's letters dated March 2 and November 23,1998, provided j
clarifice%ns and additionalinformation that were within the scope of the original FR nctice and did not u,ange the staff's initial proposed no significant hazards consideration determiration.
9907200048 990712 PDR ADOCK 05000361 P
,ej
\\
2-
. 2.0 - SYSTEM DESCRIPTION The DRMS is physically divided into three makr subsystems: a (fnit 2 DRMS, a Unit 3 DRMS, and equipment common to Unit 2 and 3. The Unit 2 and 3 subsystems are primarily the CPIS systems, which are independently actuated for each unit. The common equipment is the
' CRIS, because Units 2 and 3 share a common control room. Each makr subsystem is composed _ of two subsystems: the data acquisition subsystem (DAS) and the field unit (FU)..
The DAS, the nonsafety related portion of the DRMS, consists of the cathode ray tube display, the mass storage device, the event recorder, communication loops to the various FUs, and the
- network interface. The FUs consist of radiation detection units and the remote display unit
'(RDU)c The FUs are safety related if they are used to provide isolation signals and are considered nonsafety related if they only provide information to the DAS.
The DRMS and its software were manufactured by MGP instruments (MGPI) and are qualified as safety-related grade by the manufacturer. The safety-related portion of the system is physically and electrically isolated from the nonsafety-related portion of the system.
2.1 CPIS System Descriotien -
CPIS provides a close signal for both the 8-inch mini-purge and the 42-inch main-purge containment valves upon detection of high gaseous radiationin containment. This isolation is performed on a unit-specific basis, such that high gaseous radiation in one unit will close that unit's containment puige valves. There are two trains of radiation monitors, and either train will cause a train-related CPIS, which will initiate closure of the train-related valves in the supply and exhaust penetrations. The other train will initiate closure of the redundant valves in the supply and exhaust penetrations.
' The new containment airbome radiation digital monitor will have the same basic architecture as the existing analog system. The airbome radiation digital monitor consists of a radiation detector assembly, a local processing unit, a local display unit, and an RDU. The new monitors will sample from the same location as the existing gaseous monitor using the existing sample lines in containment. The change involves the replacement of an analog system with s predominantly digital system that uses software algorithms to perform the required functions.
4 1
2.2 CRIS System Description
]
CRIS initiates the isolation of the normal ventilation mode of operation for the control room area and initiates the emergency mode of control room ventilation upon detection of high gaseous radiation at the normal ventilation intake to the Units 2 and 3 shared control room.
This action assures that adequate radiation piotection is provided to permit access and occupancy of the control room under accident conditions.
This change will allow installation of the new digital CRIS gaseous radiation monitor in both channels of the shared control room normal ventilation intake. The proposed control room gaseous airbome radiation digital monitor will have the same basic architecture as the existing 5
i
4 analog system. The digital system will consist of a radiation detector assembly, a local processing unit, a local display unit, and an RDU. This change involves the replacement of an analog system with a predominantly digital system that uses software al0orithms to perform the required functions.
3.0 EVALUATION Section 50.55a(h) of 10 CFR requires, in part, that protection systems satisfy the criteria of either institute of Electrical and Electronic Engineers (IEEE) Standard 279, " Criteria for Protection Systems for Nuclear Power Generating Stations," or in IEEE Standard 603-1991, "lEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30,1995. Paragraph 4.3 of American National Standards Institute (ANSI)/IEEE Std. 279 states in part that the quality of components is to be achieved through the specification of requirements known to promote high quality, such as requirements for design, inspection, and test. Similar criteria for the quality of components are identified in IEEE Standard 603, "lEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations."
3.1 System The licensee has stated that the change from an analog to a digital RMS maintains the basic architecture of the existing system and serves the r,ame function. The methods of satisfying the criteria of IEEE Standard 279 are not changed by this modification. The existing defense-in-depth provisions of the existing system are maintained. A comparison of mean time between failure (MTBF) data, with the MTBF for the analog equipment taken from plant records and the MTBF data for the digital equipment taken from vendor data, shows a predicted improvement by a factor of 10, 3.1.1 Calibration and Test Equipment SONGS Units 2 and 3 TSs require that the channels be calibrated every 24 months for the containment airtome radiation monitors, and every 18 months for the control room airbome radiation monitors. These requirements will not change, are within the guidelines for calibration provided by the equipment manufacturer, and therefore no TS modification is required..The primary calibration tool used with the DRMS is the portable maintenance computer (PMC). This notebook computer runs the maintenance and setup software (MASS).
The PMC can be attached to either the local processing unit or the display unit. Use of the PMC and the MASS is controlled by procedure and possesses a required password. All personnel using the PMC have been certified in its use. The MASS software was verified and
. validated, and the configuration is controlled in the same manner as the DRMS software.
The staff has reviewed this procedure and finds the use of the PMC and the MASS is acceptab!e.
E
,?
'4 4
3.1.2 Single-Failure Analysis The licensee performed a single-failure analysis of the DRMS in ace.
ace with IEEE Standard 379, "lEEE Standard Application of the Single-Failure Cnteism to Nuclear Power Generating Station Safety Syst6ms." The analysis is documented in SCE calculation number J-SPA-289. This' analysis determined that each control function has fully redundant monitors performing the identical function and that monitors are powered from diverse power sources. It also showed that loss of a single monitor does not prevent the safety function from being performed.
The licensee determined that in'the event of shielding failure, electromagnetic interference (EMI) can cause communications failure.: The communications software is written to automatically retransmit any lost messages, and continuous interference causing continuous communications failure will be annunciated as a failure. Electromagnetic protection anti testing is discussed in Section 3.3.2 of this safety evaluation.
l-The staff has reviewed the single-failure analysis and finds that the DRMS engineered safety l
- feature actuation tysem (ESFAS) functions will not be disabled by a single failure and is, therefore, acceptable.
I 3.1.3 Isolation The DRML is interconnected with the nonsafety-related plant DAS to provide information to I
plant persnnnel and to transmit annunciation signals to the control room. Both physical isolation and data isolation are provided to prevent the DAS from interfering with operation of the DRMS. The physicalisolation consists of optical couplers and DC-to-DC converters. This i.
arrangement prevents faults in the nonsafety systems from affecting the safety-related equipment. The data isolation is performed by ensuring there are no data communications from the DAS to the DRMS. The DAS does not contain communication drivers capable of tmnsmitting data to the DRMS. In addition, a logic switch in the RDUs of the DRMS prevents the units from accepting any write commands. The communications protocols contain a cyclic redundancy check (CRC) to ensure that an error in request instructions sent by the DAS does not change into incorrect and possibly harmful instructions. This CRC will cause any garbled instruction to be ignored.
The staff has reviewed these provisions for isolation and has determined that the isolation is acceptable.
. 3.1.3 Post Installation Test The staff has reviewed the post-installation testing planned by the licensee and has determined that these tests, if successfully performed, will demonstrate the correct installation and operation of the DRMS.
y
,2 1
w !
4 3.1.4 - Board Repair The licensee will not repair failed components of these systems on site. The equipment vendor, MGPI, is under contract to perform all repairs. The licensee will perform unit-level replacement of failed parts, and the entire unit will be retumed to the vendor for repair. The licensee has stated that sufficient spare parts have been purchased to account for the repair
)
cycle time, and that all repairs to safety-related units will be under the vendor's 10 CFR
{
Part 50, Appendix B, program. The staff has determined that the repair procedures are adequate.
3.2 Software Regulatory Guide (RG) 1.152, " Criteria for Digital Computers in Safety Systems of Nuclear Power Plants," which endorses ANSI /IEEE-American Nuclear Society (ANS)-7-4.3.2,
" Application Criteria for Programmable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations," provides guidance for complying with requirements for safety systems that use digital comput.,r systems.
j
-3.2.1 Software Verification and Validation The licensee stated that the software verification and validation (V&V) process has been f
performed in accordance with IEEE Standard 1012, " Standard for Software Verification and 1
=
Validation Plans." RG 1,168 (" Verification, Validation, Reviews, and Audits for Digital Computer Software Used in Safety Systems of Nuclear Power Plants") endorsed this standard as acceptable for safety-related software V&V.
The V&V was performed by the equipment manufacturer, MGPI, and was audited by the licensee. The staff has reviewed the MGPl Software Verification and VawAtion Plan, MGPl document 46120 FA, and SCE Software Evaluation Report, document 900 "' The staff finds
- that the MGPl plan implements the IEEE Standard 1012 appropriately, and that the V&V procedure used by MGPlis acceptable.
3.2.2 Quality Control The muufacturer of the DRMS stated that the software quality control was in accordance with L IEEE 3tandard 730,"lEEE Standard for Software Quality Assurance Plans."
The staff has reviewed the NiGPl Software Quality Assurance Plan, MGPl document
. 45203 GA, and SCE Software Evaluation Repost, document 90400. The SCE Software Evaluation Report reviewed and approved the MGPl Software Quality Assurance Plan, and implementation of that plan. The staff finds that IEEE Standard 730 is an appropriate standard
. for software quality control and that the quality control procedure used by MGPl is acceptable.
3.2.3, Configuration Management i
The licensee stated that configuration management is perform < ;6 mcordance with IEEE Standard 828, " Standard Software Configuration Plans. RG '.169 (" Configuration Management Plans for Digital Computer Software Used in Safety S%sms of Nuclear Power p
Lf.
l Plants") endorsed this standard as acceptable for safety-related software configuration man &gement. Software configuration controlis specified in the SCE Quality Control Manual, 00084.T, Chapter 1-J, Section 5. The software configuration database for the DRMS is SCE document 90402. The staff has reviewed these documents and finds the configuration management system used by SCE acceptable.
3.2.4 Reliability Assessment SCE performed an assessment of the software and system reliability, which was documented
-in SCE Report NSG-97-001, " Software Reliability Assessment of the Radiation Monitoring System" and in calculation J-SPA-289, "ESFAS Radiation Monitor Software Common-Mode Failure Evaluation." The SCE conclusion, shown in Section 8.3.4 of the calculation, is that the DRMS reliability reflects an improvement by approximately a factor of 10 when compared to the existing analog system. The staff has reviewed these documents and concurs with this assessment.
l 3.3 Hardware 3.3.1 Seismic Qualification L
The licensee has verified that the digital radiation monitoring hardware is qualified as Quality
~
i Class 11, Seismic Category 1, for those portions of the hardware that are in the trip signal path i
for the ESFAS functions. Portions of the system outside the ESFAS signal path that are not j
qualified to this safety level are electrically and physically isolated from the safety-related
.peruons of the system. The staff finds this arrangement acceptable.
3.3.2 ElectromagneticInterference The EMI susceptibility of the DRMS equipment was tested by Wyle Laboratory and was l
documented in Report Number 44356-01. This report showed that with two exceptions, the DRMS equipment conformed to the standards of Electric Power Research Institute (EPRI)
Report TR-102323, " Guidelines for Electromagnetic Interference Testing in Power Plants"
-(proprietary information; not publicly available). The staff has approvsd this report by a safety evaluation dated April 17,1996. The exceptions to the Wyle Laboratory tests were the EMI susceptibility test and the surge suppression test. These anomalies were corrected by adding EMI filters and surge suppressors. CHAR Services monitored the Wyle Laboratory testing and performed an electromagnetic compatibility review, documented in Report CSR098. CHAR Services also compared the operating EMI environment at SONGS Units 2 and 3 to that referenced in EPRI TR-102323 and determined that the EPRI report was applicable to the SONGS units.
The staff has reviewed the Wyle Laboratory and CHAR Services reports and finds that the DRMS electromagnetic compatibility is acceptable.
On the basis of this review, the NRC staff concludes that the licensee's proposed replacement of the existing analog radiation monitoring equipment with digital equipment and the resulting use of common software in both channels of CRIS and CPIS is acceptable and is therefore, approved.
s
a a
4.0 STATE CONSULTATION
in accordance with the Commission's regulations, the Califomia State official was notified of the proposed issuance of the amendments. The State official had no comments.
5.0 ENVIRONMENTAL CONSIDERATION
The amendments change a requirement with respect to the installation o use of a facility component located within the restricted area as defined in 10 CFR Part 20. The NRC staff has determined that the amendments involve no significant increase in the amounts and no significant change in the types of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendre.ents involve no significant hazards consideration, and there has been no public comment on such finding (63 FR 4324). Accordingly, the amendments meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.
6.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that (1) there l
is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defenso and security or to the health and safety of the public.
Principal Contributor: P. Losser Date: July 12, 1999 I
i