Application for Amends to Licenses NPF-10 & NPF-15, Requesting Permission of Radiation Monitoring Sys Upgrade

ML20217J949
Person / Time
Site:	San Onofre
Issue date:	10/17/1997
From:	Nunn D SOUTHERN CALIFORNIA EDISON CO.
To:	NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
Shared Package
ML20217J945	List: ML20217J939 ML20217J949 ML20217J959 ML20217J977
References
NUDOCS 9710220310
Download: ML20217J949 (22)
v • d • e

Text

. - . - - - - - . . ~ . . - . .

UNITED STATES OF AMERICA j NUCLEAR REGULATORY COMMISSION Application of SOUTHERN CALIFORNIA )

EDISON COMPANY, EI AL. for a Class 103 ) Docket No. 50-361 License to Acqui:e, Possess, and Use )

i a Utilization Facility as Part of ) Amendment Application Unit No. 2 of the San Onofre Nuclear ) No.171

Generating Station )'

SOUTHERN CALIFORNIA EDISON COMPANY, EI AL. pursuant to 10 CFR 50.90, hereby submit Amendment Application No.171.

This amendment application consists of Proposed Change . .r NPF-10-459 to Facility Operating License NPF-10. The Amendment Application is required to permit digital radiation monitor installation for bc,di trains supplying the Containment Purge Isolation Signal (CPIS), and permit digital radiation monitor installation for both trains supplying the Control Room Isolation Signal (CRIS). This amendment does not require revision of the SONGS Unit 2 Technical Specifications.

l 9710220310 971017 PDR ADOCK 05000361 p PDR

Subscribed on this } T dayof 607. I1 ,1997.

/

Respectfully submitted, SOUTHERN CALIFORNIA EDlSON COMPANY l l

By - -

Dwight E. NunnY Vice President State of California County of San Diego g 2

On I O- I ~I -91 before me, Frn nc s AT . personally appeared Dunohr E Eu nn, personally known to me (or proved to me i

on the basis of satisfactory evidence) to be the person (s) whose name(s) is/are subscribed to the within instrument and acknowledged to me that l

he/she tbey executed the same in his/her/their authorized capacity (ies), and that by his/her/their signature (s) on th- instrument the person (s), or the entity upon behalf of which the person (s) acted, executed the instrument.

WITNESS my hand cad ofEcial seal.

. Signature >W '

b _ -

g co m weden e ll s l

,9 M,Comm.EsWeeW23 E, m eutee - casmNo I SanDegoce q

..- - - - . . - _ . _ - . . ~ - . .- - _

UNITED STATES OF AMERICA NUCl. EAR REGULATORY COMMISSION Application of SOUTHERN CALIFORNIA )

EDISON COMPANY,EI AL for a Class 103 ) Docket No. 50 362 License to Acquire, Possess, and Use )

Utilizatica Facility as Part of ) Amendment Application i nit No. ~; of the San Onofre Nuclear ) No.157.

'Jenuating Station )

SOUTHERN CALIFORNIA EDISON COMPANY, EI hL pursuant to 10 CFR 50.90, hereby

submit Amendment Application No 157.

This amendment application consists of Proposed Change Number NPF 15 459 to Facility Operating License 4

NPF-15. The Amendment Application is required to permit digital radiation monitor installation for both trains 4

supplying the Containment Purge Isolation Signal (CPIS), and permit digital radiation monitor installation for both trains supplying the Control Room Isolation Signal (CRIS). This amendment does not require revision of the SONGS Unit 3 Technical Specifications.

4 i

Subscriber. on this M day of n o Toh e v .1997.

Respectfully submitted, SOUTHERN CALIFORNIA EDISON COMPANY B)

.A --- -

Dwight E. Nunn Vice President i

State of California County of San Diego On 10 -il - 91 before me, Eva nrE 3 .N d[ekonally appeared D4)fT E . NNersonally known to me (or proved to me on the basis of satisfactory evidence) to be the person (s) whose name(s) is/are subscribed to the within instnuner: and s.cknowledged to me that he/she/they executed the same in his/her/their autheriW. capacity (ics), and that by his/her/their signature (s) on the instrument the person (s), or the entity upon behalf of which the person (s) acted, executed the instrument.

WITNESS my hand and oflicial seal.

Signature OWO N

[._____I______. , _ _ _ _ ,

Commbulon # 1130912  ;

Notary P@te-Capodo ,j SonDiego County 4 My Comns Epos Mar 23.2001 >

DESCRIPTION AND SAFETY ANALYSIS OF PROPOSED CIIANGE NUMBER NPF-10/15-459 The Amendment Application is required for to permit digital radiation monitor installation for both trains supplying the Containment Purge Isolation Signal (CPIS), and permit digital radiation monitor installation for both trains supplying the Control Room Isolation Signal (CRIS).

Descrintion of Changes

1. Summary The Amendment Application is a request for NRC approval to re0cct the acceptability and use of digital radiation monitors as input to both trains of the Control Room isolation Signal (CRIS) and to both trains of the Containment Purge Isolation Signal (CPIS).

This amendment will not require revision of the Technical Speci0 cations for the San Onofre Nuclear Generating Station (SONGS) Unit 2 or Unit 3.

2. Background The Radiation Monitoring System (RMS) for the San Onofre Nuclear Generating Station (SONGS) Unit 2 und Unit 3 is being upgraded by Design Change Package DCP 2&3-6926.0lSJ," Obsolete Equipment:

Radiation Monitoring System Replacement Project." This upr ade will resolve such issues as the lack of spare parts and poor equipment availability of the installed obsolete RMS; The Amendment Application reflects the acceptability and use of digital radiation monitors as input to both traint of the Control Room Isolation Signal (CRIS) and to both trains of the Containment Purge Isolation Signal (CPIS).

In accordance with the guidance of Generic Letter 95 02,"Use of NUMARC/EPRI Report TR-102348,

' Guideline on Licensing Digital Upgrades,' in Determining the Acceptability of Performing Analog-to-Digital Replacements under 10 CFR 50.59," the following specific arer.a relating to the RMS analog to digital upgrade at SONGS Units 2 and 3 were evaluated:

Sensitivity to the effects of electromagnetic interference (Section 6.1)

Use and control of equipment used to control and modify software and hardware configurations (Section 7.3)

System integration (Sections 4 and 5)

Commercial dedication of digital electronics (Section 6.2)

Affect on diverse trip functions This design change does not affect any reactor trip functions and therefore does not affect any diverse reactor trip functions.

l 1

Use of common schware in redundant channels The new CRIS and CPIS radiation monitors may result in failure modes and/or system malfunctions that were not considered in the initial plant design.

The use of conunon sof ware in redundant channels evaluation resulted in an unreviewed safety question (USQ) during performance of the 10 CFR 50.59 Safety Evaluation for this design change. The unreviewed safety question would only exist when both trains of CRIS and CPIS radiation monitors are upgraded to the digital system.

3. Overview The unreviewed safety question created by the use of common sonware in redundant channels of the Fuel Handling Isolation Signal (FHIS)', CPIS, and CRIS is addressed in accordance with the requirements of 10 CFR 50.92. Approval of this Amendment Application will allow installation and operation ofdigital >

radiation . onitors for both trains of CPIS and CRIS. These changes are necessary to address obsolete equipment issues afTecting reliability and maintenance of the existing radiation monitors providing input to the CRIS and CPIS.

Evaluations / Calculations J-SPA 289,"ESFAS Radiation Monitor Sofhvare Common Mode Failure Evaluation," and N-0720-014," Control Room and Offsite Doses Should CPIS, CRIS and FHIS Fail,"

have been perfonned to evaluate the consequences of a common mode failure of FHIS, CPIS, and CRIS radiation monitors. The basic software structure including its complexity and size have also been analyzed in J SPA-289. The results of these evaluations / calculations are presented in this Amendment Application to support a no significant hazards determination.

This amendment will not require revision of the Technical Specifications for the San Onofre Nuclear Generating Station (SONGS) Unit 2 or Unit 3. Requirements for the CPIS and CRIS mstrumentation is however, governed by the Technical Specifications for SONGS Units 2 and 3. Technical Specification 1

(TS) 3.3.8, " Containment Purge Isolation Signal (CPIS)," and TS 3.3.9, " Control Room Isolation Signal (CRIS)," contain reqmrements for the CPIS and CRIS instrumentatioa. In part, the Specifications require ,

a single channel of the respective instrumentation to be operable during the applicable Modes of operation, and other cited conditions. The required channel consists of the gaseous radiation monitor, Actuation Logic, and Manual Trip. The Specifications encompass plant specific instrumentation that performs an actuation function required for plant protection but is not otherwise included in TS 3.3.5,

" Engineered Safety Features Actuation System (ESFAS) Instrumentation," or TS 3.3.6, " Engineered Safety Features Actuation System (ESFAS) Logic and Manual Trip."

Replacement of FIIIS radiation monitors only does not create nr. unreviewed safety question and has been found to be acceptable for implementation by 10 CFR 50.59. However, the combined effect of CRIS, CPIS and FIIIS radiation monitor changes have been evaluated for this amendment request.

2-I

4. Containment Purge Isolation Signal (CPIS) Radiation Monitors 4.1 CPIS Radiation Monitor Design I ases 10 CFR 50 Appendix A, General Design Criteria 16 on containment design, and General Design Criteria 56 on primary containment isolation, provide the design bases for CPIS. These criteria assure an essentially leak tight barrier against the uncontrolled release of radioactivity to the environment and assure that the Containment design conditions important to safety are not exceeded for as long as postulated accident conditions require. The containment gaseous airborne radiation monitors provide a CPIS that isolates containment purge as an accident mitigation function to limit offsite doses to within the limits of 10 CFR 100.

A CPIS only provides a close signal to the Containment Purge Valves, therefore, if containment purge is not in progress a CPIS is not required for accident mitigation. The CPIS gaseous airborne radiation monitors measure the radioactivity concentrations in Containment. If these radiation levels exceed the monitors setpoint value a CPIS will be generated to close the Containment Purge Valves (both the 8" and 42" purge valves) thereby isolating the radioactive release from containment to the atmosphere through the Containment purge lines.

Design basis accidents associated with CPIS are a loss of coolant accident (LOCA) with the 8" mini purge valves open, and a fuel handling accident inside containment with the 42" main-purge valves open. Large break LOCAs will result in a Safety Injection Actuation Signal (SIAS) and/or a Containment Isolation Actuation Signal (CIAS). SIAS is generated by a pressurizer pressure low condition or a containment preswre high condition and CIAS is generated by a containment pressure high condition. Either SIAS or CIAS will, among other actions, close the 8" containment mini-purge valves. The 42" main-purge valves are verified sealed closed by Technical Specification Surveillance Requirement 3.6.3.1 every 31 days while in Modes 1,2,3, and 4. The initiation of a high containment airborne radiation trip generating a CPIS will occur later than CIAS or SIAS for this large break LOCA event. Therefore, CPIS is not credited to isolate Containment purge in the large break LOCA dose analyses. Smaller LOCAs result in longer time to SIAS and CIAS generation. Therefore, for some small break LOCAs, a CPIS may be generated prior to a SIAS or CIAS.

Appendix K to 10 CFR Part 50 requires that the effect of the operation of all installed Containment pressure reducing systems and processes be included in the emergency core cooling system evaluation.

Based on the Safety Evaluation Report (SER) Chapter 6, Section 6.2.1.3, the analysis of the Containment atmosphere pressure did not include the reduction in pressure due to concurrent operation of the containment mini-purge system. However, based en the size of the purge lines (8" diameter) and the short closure time of the purge system isolation valves, the effect of the concurrent purging or. the Containment backpressure analysis is negligible.

A design basis fuel handling accident inside containment will initiate containment purge isolation on high gaseous radiation levels in containment. However, the dose analysis of record for this accident does not credit containment purge isolation and concludes that 10 CFR 100 dose limits are not exceeded.

The containment gaseous and particulate radiation monitors are also utilized to identify reactor coolant leaks inside containment in accordance with Regulatory Guide 1.45. The containment atmosphere particulate radioactivity monitors are contained in the same instrument loops as the containment atmosphere gaseous radioactivity monitors, however, the particulate channels do not provide a CPIS

-3

actuation.

4.2 CPIS System Description CPIS provides a close signal for both the 8" mini-purge and the 42" main-purge containment s alves upon detection of high gaseous radiation in contaimnent. This is performed on a unit specific basis, such that high gaseous radiation in one unit will close that unit's Containment Purge Valves. The train A gaseous radiation monitor generates a train A purge valve closure signal and the train B gaseous radiation monitor generates a train B purge valve closure signal.

Each unit's Containment has two penetrations that cupport containment purge. One is the supply penetration, and the other is the exhaust penetration. Each penetration has four valves associated with it; a mini-purge valve inside and outside containment, and a main-purge valve inside and outside containment.

In Modes 1 through 4, the 42" main-purge valves are maintained scaled closed. The 8" mini-purge penetration flow paths may be open in Modes 1 through 4 for pressure control, ALARA, or air quality considerations for personnel entry, or for surveillance tests that require the valves to be open. In Modes 5, 6, and during core alterations or during movement ofirradiated fuel assemblies within containment, the main-purge valves may be open.

The current CPIS radiation monitors are Nuclear Measurement Corporation (NMC) instruments, There are two trains of radiation monitors, either train will cause a train related CPIS which will initiate closure of the train related valves in the supply penetration and the exhaust penetration. The other train will initiate closure of the redundant valves in the supply penetration and the exhaust penetration.

The basic radiation monitor components are a gaseous detector, a discriminator, a current logarittunic pump circuit supplying a trip / alarm module, an indicator meter, and a recorder. A CPIS may be generated by manual actuation, a containment airborne gaseous radiation high signal, or a loss ofinstrument power.

The Containment Purge Valves close signals and failure states are as follows:

42" main-purge valves inside Containment close on CPIS and manual actuation. They fail as-is on loss of power.

42" main-purge valves outside Containment close on CPIS, Containment purge stack radiation monitor high radiation, and manual actuation. They fail closed on loss of power.

8" mini-purge valves inside Containment close on CPIS, CIAS, SIAS and manual actuation.

They fait closed on loss of power.

8" mini-purge outside Containment close on CPIS, CIAS, SIAS, containment purge stack radiation monitor high radiation, and manual actuation. They fait closed on loss of power.

4.3 CPIS Changes Approval of this Amendment Application will permit installation of the second train (train "B") of CPIS radiation monitors for both SONGS Unit 2 and Unit 3. The new monitors will sample from the same location as the existing gaseous monitor using the existing sample lines in containment The new containment airbome radiation digital monitor will have the same basic architecture as the existing analog system. It consists of a radiation detector assembly, local micro processing unit,!.cc.!

display unit, and a remote display unit. This change involves the replacement of an analog system to a predominantly digital system that uses sonware algorithms to perform the required functions. This change will result in both trains of CPIS radiation monitors having common sonware and therefore requires a review of the susceptibility and consequences of a postulated common mode failure.

5. Control Room isolation Signal (CRIS) Radiation Monitors 5,1 CRIS Radiation Monitor Design Bases The design basis requirement for CRIS is the Control Room Habitability Systems criteria of 10 CFR 50, Appendix A, General Design Criteria 19. It requires that Control Room personnel be protected from radiation exposure in excess of 5 rem for the duration of any design basis event.

Control Room isolation capability is required in all plant modes since accidents requiring Control Room isolation may occur in any plant mode. The Control Room is a Unit 2 and Unit 3 shared area seniced by a common normal and emergency ventilation system. Accidents that generate a SIAS will, through a SIAS contact in the CRIS circuitry, generate a CRIS that will isolate the Control Room area normal ventilation and switch to emergency ventilation mode.

Control Room isolation is specifically credited in dose analysis for LOCAs and for fuel handling accidents in both the containment and the fuel handling building. LOCA dose analyses are bounded by the large break LOCA analysis which credits SlAS for generating the CRIS. Fuel handling accident dose analyses credit CRIS from the radiation monitors since SIAS is not generated by these events. However, the CRIS radiation monitors are in the intake ventilation duct for the Control Room area and therefore any event that causes the setpoint of the radiation monitor for CRIS to be exceeded will initiate the Control Room Emergency Area Cleanup System (CREACUS) equipment.

5.2 CRIS System Description The Control Room Airborne radiation monitors, one monitor per instrument power train, draw samples from and return them to, the Control Room air supply ventilation duct. Each monitor consists of a chmmel thst monitors radioactive noble gas activity levels. Each monitor alarms and initiates a CPJS which isolates the normal control room ventilation system, and initiates the operation of Control Room Complex emergency cleanup equipment, when preset radiation levels have been exceeded. This series of actions are designed to protect Control Room operators from radiation exposure in excess of 10 CFR 50 Appendix A Design Criteria 19 requirements.

CRIS initiates the isolation of the normal ventilation mode of operation for the Control Room area and initiates the starting of the emergency mode of Control Room ventilation upon detection of high gaseous radiation at the normal ventilation intake to the Unit 2 and Unit 3 shared Control Room. A SIAS from either SONGS Unit 2 or Unit 3 will also cause a CRIS to be generated. The CRIS isolates the normal Control Room ventilation intake and starts the associated emergency train of CREACUS equipment.

This action assures adequate radiation protection is provided to permit access and occupancy of the Control Room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of an accident. This is a 10

-5 l

1 CFR 50 Appendix A General Design Criteria 19 requirement.

5.3 CRIS Proposed Changes The proposed change will allow installation of the second train (train "B") of the new digital CRIS gaseous radiation monitor in the shared Control Room normal ventilation intake. The monitor will be relocated from downstream of the normal intake isolation dampers to a location in the normal control ventilation inlet plenum. Additionally, the monitor will be changed from an off line monitor (i.e., not in direct line) to an in line monitor (i.e., in direct line). The proposed Control Room gaseous airborne radiation digital monitor will have the same basic architecture as the existing analog system, consisting of a radiation detector assembly, local micro processing unit, local display unit, and a remote display unit.

This change involves the replacement of an analog system to a predominantly digital system that uses software algorithms to perform the required functions.

Both CRIS gaseous radiation monitors will be located in-duct in the inlet plenum of the normal intake for the Control Room ventilation system. This allows for a direct measurement of the gaseous radioactivity in the normal intake for the Control Room ventilation system. However, after performing the normal intake isolation function, the new CRIS gaseous radiation monitors will not be available to sample Control Room atmosphere since they will be located outside the CREACUS boundary. This new location of the Control Room Airborne Monitors, used in conjunction with portable sampling and monitoring instruments (SCA),

will satisfy the requirements of NUREG-0737, item Ill.D.3.3, NUREG 0578, Item 2.2.2.b, and NPC Letter dated November 9,1979.

, These changes will not affect the time response of a SIAS initiated CRIS because CRIS initiation from SIAS is accomplished by a contact that opens on SIAS and this contact (one from each unit) and the remainder of the actuation circuitry is not affected by the proposed changes.

The total time response of the new CRIS monitors (including plenum fill time, detector response time, signal processing time and damper closure times) will be shown to be within the required design basis response time of 3 minutes prior to declaring the system operable. This will be accomplished by a combination of engineering calculations (plenum fill time) and system testing. Therefore, no significant increase in consequt .ces will result from monitor replacement.

6. Ilardware Design Considerations 6.1 EMI/RFI Emissions And Susceptibility Testing of the MGPI Digital Radiation Monitoring System (DRMS) was conducted by Wyle Labs and documented in Wyle Test Report 44356-01. The program included emissions and susceptibility tests on typical RMS configurations. The report concluded that the RMS does not generate radiated or conducted emissions that exceed the limits specified in EPRI Document No. 102323 " Guide to Electromagnetic Interference (EMI) Susceptibility Testing for Digital Safety Equipment m Nuclear Power Plants."

The Wyle report also concluded that the MGPI DRMS was not susceptible to excitations as defined in the susceptibility criteria with two exceptions. Two Notice of Anomalies (NOA) were issued during this test program to document the problems encountered during these tests. The RMS in its original test configuration was susceptible to electrical fast transients (NOA 1) and radiated electric fields (NOA 2B).

-6

CHAR Sen ices performed an EMI evaluation of the MGPl DRMS design and provided specific recommendations documented in report EMI Design Review of MGP Radiation Monitoring System at SONGS Report CSR098. This report included the results of a point ofinstallation review of the SONGS MGP Radiation Monitoring System and presented recommendations for assuring the EMI immunity of the system. CHAR also monitored the EMI Susceptibility and Emissions testing performed by Wyle Laboratory. As a result of the equipment and EMI testing evaluation, the need for additional power filtering along with relocation of surge protection was noted and included in the original EMI susceptibility testing as a test deviation.

The CHAR review of the point ofinstallation for the various radiation monitors determined that the .

SONGS Units 2 and 3 operating EMI environment is similar to the environment identified in EPRI Topical Report TR 102323-RI. The review also determined that no other equipment in the local area would affect the radiation monitors and that they are compatible with their EM environment at the point of installation. The CHAR recommendations and their implementation at SONGS Units 2 and 3 resolve the anomalies nekd in the Wyle Test Report.

6.2 Commercial Dedication The safety ielated equipment and sonware has been qualified by the sapplier (MGPI) with the exception Ohe additional power supply filters and surge protection devices required for electro-magnetic and radio frequency itterferences (EMiiRFI) suppression. These devices will be qualified by a vendor prior to installmion.

7. Software Design 7.1 List of Documents Utilized in Design The following dociunents were utilized in the design of this upgrade:

7.1.1 NRC Generic Letter 95-02: Use of NUMARC/EPRI Report TR-102348," Guideline on Licensing Digital Upgrades,"in Determining the Acceptability of Perrnrning Analog-to-Digital Replacements Under 10 CFR 50.59 7.1.2 ANSI /IEEE 7-4.32 - 1982: Application Criteria for Progranunable Digital Computer Systems in Safety Systems of Nuclear Power Generating Stations (For information only not a conunitment document) 7.1.3 ANSI /AN 10.3 - 1986: Guidelines for the Documentation of Digital Computer Programs (For information only-not a commitment document) 7.1.4 ANSI /AN 10.4 - 1987: Guidelines for Verification and Validation of Scientific and Enginecting Computer Programs for the Nuclear Industry (For infonnation only-not a commitment document) 7.1.5 IEEE STD 730.1 - 1989: Standard for Quality Assurance Plans 7.1.6 IEEE STD 828 - 1990: Standard Sonware Configuration Management Plans 7.1.7 IEEE STD 833 - 1974: Guide to Sonware Requirements Specifications

7.1.8 IEEE STD 1012 1986: Standard for Software Verifications and Validation Plans

?.1.9 IEEE STD 1016 - 1987: Recommended Practice for Sonware Design Guideline 7.2 Verification and Validation The Sonware Verification and Validation (V&V) process has been performed in accordance with IEEE Standard 1012," Standard for Sonware Verifications and Validation Plans."

7.3 Configuration Control MGPl controls their software products in accordance with the MGP1 Quality Assurance Manual. The -

Southern California Edison Company implements software configuration management for all safety related/ quality affecting sonware in accordance with Topical Quality Assurance Manual (TQAM) Chapter IL

8. Safety Analysis 8.1 System Reliability Probabilistic Assessment A quantitative assessment has been made of the probability of each of the Engineered Safety Features Actuation System (ESFAS) Radiation Monitor Systems failing to perform its function. The assessment compared the original systems to the proposed replacement digital systems. The estimate of system failure was evaluated for each system (CRIS, CPIS, and FHIS) for the cases where both trains are operational and fer the case where only one train is operational.

Mean-time-between-failure (MTBF) data for the existing systems was obtained from plant maintenance records. The replacement digital systems failure data was obtained from vendor docurrents. The data received from the vendor was a combination of hardware and sonware failure probabilities. Estimates of the software failure rates were made by examining the failures that had occurred since placing the equipment into operation and the total number of hours of operation for each sonware module. Hardware failure rate data was determined by extracting the sonware failure rate data from the combined hardware and software data.

The prediction of software failures is an imprecise science, and therefore, the margin of error associated ,

with the generated MTBF values is likely to be large. However, by comparing the calculated existing '

system to the new digital systems failure rates the pattern shows that for all digital replacement systems, an improvement of approximately a factor of ten can be expected.

8.2 Component Reliability of New Digital Design 8.2.1 Hardware The digital radiation monitoring hardware systems for CRIS, CPIS, and FHIS are qualified as -

Quality Class II, Seismic Category I systems in the trip signal path to the ESFAS function. Portio..s of the system outside the ESFAS signal path that are not qualified to this safety related level, are electrically and physically isolated from the safety related portions such that degradation of the

-8

safety related system will not occur from the non-safety related system.

8.2.2 Software The digital ESFAS radiation monitoring sonwarc for CRIS, CPIS, and FHIS is qualified safety-related grade (Quality Class II) by the supplier A formal sonware verification and validation (V&V) process will be completed prior to declaring the equipment operational. The Probabilistic reliability assessment (Probabilistic Risk Assessment Report NSG-97 001,"SoRware Reliability Assessment of Radiation hionitoring System") of the new RhtS u.:luded industry sonwars experience data. This assessment compared the reliability between the new digital RhtS (including sonware) and the existing RhtS, This assessment showed that an improvement in the mean time between failures (htTBF) can be expected with the installation of the new digital system.

83 Impact on Relevant Accident or Safety Analyses The analog to digital upgrade of the Fuel Handling Isolation Signal (FHIS) radiation monitors has been reviewed in accordance with the 10 CFR 50.59 process, including Gene;ic Letter 95-02 "Use of NUMARCJEPRI Report TR 102348, ' Guideline on Licensing Digital Upgrades', in Determining the Acceptability of Performing Analog-to Digital Replacements Under 10 CFR 50 59," The installetion of the radiation monitors for both trains of FHIS only was found not to result in an unreviewed safety question. However since portions of the sonware of the new digital ESFAS radiation monitors are common to all ESFAS radiation monitors (CPIS, CRIS, and FHIS), an analysis has been perfonned that determines the offsite and Control Room doses due to the common failure of CPIS, CRIS, and FHIS radiation monitors concurrent with a design bases accident.

Calculation N 0720-014," Control Room and OITsite Doses Should CPIS, CRIS and FHIS Fail" detennined the dose at the exclusion area boundary (EAB), the low population zone (LPZ), and to the Control Room operators for accidents that may be affected 'vy the loss of ESFAS radiation monitors' actuations. This analysis uses some " realistic" input assumptions. However, the acceptance criteria has been taken directly from 10 CFR 50 and the Standard Review Plan and is the same as u<ed for design basis calculations. The following provides a summary of the results of that analysis for all relevant accidents.

p 8.3.1 Accidents Inside Containment That Credit CRIS and/or CPIS The SONGS Units 2 and 3 Updated Final Safety Analysis Report (UFSAR) Chapter 15 accidents were reviewed. Those accidents that resulted in high containment radiation and did not generate a SIAS were considered for review of the offsite and Control Room doses.

The following incidents, all limiting faults, were identified:

a. UFSAR Section 15.2.3.1, Feedwater System Pipe Break This accident results in a release of radioactivity from the containment mini-purge and direct containment leakage, and from Atmospheric Dump Valves (ADVs) and Main Steam Safety Valves (MSSVs). The mini-purge release path can be tr mulated by CPIS actuation. The other release paths cannot be terminated by ESFAS radiation monitor actuation. Dose consequences to the Control Room operators can be mitigated by CRIS actuation.

9 l

Dose analysis determines that for this event, with the concurrent lo:s of all ESFAS radiation monitors, offsite and Control Room doses will be less than the design basis limits. These results are based on the use of dispersion factors at the 50% meteorology level and operator actions at 30 minutes to: (1) begin a controlled cooldown via the ADVs until shutdown cooling can be initiated, and (2) isolate Containment mini purge.

The following instruments and indications arc available to alert the operator of the need to perform the above manual operator actions:

afTected steam generator narrow range level decrease affected steam generator pressure decrease containment normal sump level increase containment efiluent purge radiation increase (this will initiate outside conta'mment purge valve closure on high radiation) containment refueling cavity area radiation increase

b. UFSAR Section 15.4.3.2, Control Element Assembly Ejection This accident results in a release of radioactivity from the containment mini-purge and direct containment leakage, and from the ADVs and MSSVs. The mini purge release paths can be g

terminated by ESFAS radiation monitor actuation.

The analysis of record for the CEA ejection (ABB CE Letter S CE-5696) did not model a RCS boundary break for this accident in order to maximize the RCS overpressurization transient. However, in accordance with this letter, the break size is 0.041 ft2 for this event.

Using ABB Letter ST-96-456, which provides a chart of SIAS times based on RCS break a sizes, results in a SIAS time of 165 seconds. A new dose analysis assumed this 165 second SIAS time to initiate Control Rocm isolation (emergency HVAC mode) and containment purge isolation. A value of 175 seconds was used to account for valve / damper closing time.

Additionally a dispersion factor at the 50% meteorology level was used.

Based on this new calculation, this event with the conearent loss of all ESFAS radiation monitors will not result in exceeding offsite (EAB and LPZ) or Control Room dose requirements.

c. UFSAR Section 15.6.3.3, Small Break Loss of Coolant Accident This accident results in a release of radioactivity through direct contai.unent leakage, through the containment mini purge and from the MSSVs and ADVs. The sv.ini-purge release path can be terminated by CPIS actuation. The other release paths cannot be temiinated by ESFAS radiation monitor actuation. Dose consequences to the Control Room operators can be mitigated by CRIS actuation.

The dose analysis shows that offsite and Control Room doses resulting from this es ent are less than the design basis limits. These results are based on dispersion factors at the 50%

meteorology level and operator actions at 30 minutes. These actions are: (1) manually isolating Containment mini-purge, and (2) manually placing the Control Room in the emergency HVAC mode.

The following instruments and indications are available to alert the operator of the need to perfonn the above manual operator actions; containment normal stunp level increase contrinment emergency eturp level increase

- charging flow versus letdown flow increase containment effluent purge radiation increase / alarm (this will initiate outside containment purge valve closure on high radiation) control room area radiation increase /alann containment refueling cavity area radiation increase

d. UFSAR Sectioa 15.7.3.9, Design Basis Fuel Handling Accident Inside Containment This accident results in a release of radioactinty via tue containment purge stack operating with main purge flow rates. The main purge flow peth can be isolated by CPIS actuation.

The design basis analysis for this event (Calculation N-4072-003 Rev. 2," Fuel Handling Accident Inside Containment"), assumes that the containment air space is effectively vented -

outside Containment within the first twe hours of the event. Because the exhaus: flow . ate to accomplish this release is greater than the capacity of the main containment purge system, the failure of the CPIS would not affect the calculated otTsite doses Irom this event.

However, to prevent exceeding 10 Cl R 50 Appendix A General Design Criteria 19 dose limits, the Control Room must be placed in the emergency HVAC mode within 3 minutes of the initiation of this event. SONGS Units 2 and 3 Licensee Controlled Specification 3.9.102 requires continuous communication v.ith the Control Room when performing fuel handling activities inside Containment. This required communication link will ensure prompt notification of the Control Room personnel and allow for the immediate (within three minutes of event) manual operator action to shift the Control Room HVAC to emergency mode.

Based on the above. the Control Room doses will be less than the GDC 19 lin.its for this event.

The following instruments and indications are also available to alert the operator of the need to perform the above manual operator actions:

containment effluent purge radiation increase / alarm (this will initiate outside containment purge valve closure on high radiation) containment hatch area radiation increase / alarm containment refueling cavity area radiation increase / alarm containment high range area radiation increase control room area radiation increase / alarm

-11

8.3.2 Accidents inside the Fuelllandling Building That Credit CRIS and/or Fills The UFSAR Chapter 15 accidents were reviewed and those accidents that resulted in high Fuel Handling Building (FHB) radiation were considered for review of the offsite and Control Room doses. The following incidents were identified;

a. UTSAR Section 15.7.3.4, Desiga Basic Fuel Handling Accident inside Fuel Handling Building This accident result; in a release of radioactivity through the FHB exhaust system which exits through the pits vent stack exhaust. The FHIS radiation monitors would isolate the FHB and prevent releases to the atmosphere via the plant vent stack. Dose consequences to the Cont.a Room operators can be mitigated by CRIS actuation.

The design basis dose analysis for this event (Calculation N-4072-001 Rev. 4,(CCN 1 and CCN-2) " Fuel Handling /.ccident inside the Fuel Har.dling Building") assumes that all the 2

radioactive material in the FHB is released to the environment over a two hour interval (FHIS actuation of ventilation isolation and post accident cleanup units is i.ot edited). The exhaust flow rate to accomplish this release is equivalent to the nonnal operation FHB HVAC system, therefore the failure of FHB isolation system to operate would not affect the calculated offsite doses from this event.

In the design basis analysis, to prevent exceeding 10 CFR 50 Appendix A General Design Criteria 19 dose limits, the Control Room is assumed to be in the emergency HVAC mode within 3 minutes of the initiation of this event based on a CRIS actuation. This time is not considered achievable if the radiation monitors supplying the automatic initiation of Control Room isolation are not operable. Therefore aa analysis has been performed which results in acceptable Control Room doses if the Control Room HVAC is n.anually placed in the emergency mode within 30 minutes of the event initiation. This analyses uses the " realistic" asstunption of a dispersion factor at the 50% meteorology level.

The following instrument; and indications are available to alert the operator of the need to 2 perform the above manual operator actions:

plant vent stack efiluent airborne rad;ation increase /alann spent fuel cask area radiation herease/ alarm control room area radiation increase / alarm personnel in FHB would be expected to provide notification of event to the Control Room

b. UFSAR Section 15.7.3.6, Spent Fuel Pool Gate Drop Accident This accident results in a release of radioactivity through the FHB exhaust system which exits the plant vert stack. FHIS actuation could mitigate this accident by isolating the plant vent stack release.

The Spent Fuel Pool (SFP) Gate Drop damages 236 fuel pins. Following a SFP gate drop in the FHB, activity is released into the Spent Fuel Pool, and then disperses into t1:e FHB l

• • .. osphere, and from there to the Control Room, EAB, and LPZ.

The dose analysis (Calculation N-0720-013 Rev.1 Appendix C) shows that offsite and Control Room doses resulting from this event are less than the design basis limits. These results are based on: (1) 9 days of fuel decay prior to the accident,(2) dispersion factors at the 50% meteorology level, and (3) an operator action at 20 minutes to place the Control Room in the emergency HVAC mode.

The following instruments and indications are available to alert the operator of the need to perforn. the above manual operator action:

- plant vent stack effluent radiation increase

- spent fuel osk area radiation increase / alarm control room area radiation increase / alarm The manual operator action at 20 minutes is reasonable since personnel must be in the FHB lining the gate for the gate drop to occur, this interval allows time for the personnel to exit the FHB and then notify the Control Room. Measures will be taken to ensure that the spent fuel pool gate will not be lined such that a drop would cause damage or impact fuel with lesnhan 9 days decay.

c. UFSAP Section 15.7.3.7, Test Equipment Drop As noted in the UFS AR, administrative controls will be implemented to ensure that the radiological conseqxaces for a test equipment drop will be bounded by the radiological consequences for a spent fuel pool gate drop accident. Having these controls in place ensures that the fuel assemblies are not damaged which will result in preventing radiological consequences. The affected radiation monitors operability does not impact this analysis,

d. UFSAR Sectica 15.7.3.8, Spent Fuel Pool Boiling Accideat This accident results in a release of radioactivity through the FilB exhaust system which exits through the plant vent stack. FHB releases can be isolatcd by FHIS actuation.

The radiological consequences of this event have been previously evaluated in a design basis analysis (Calculation N 4072-007 Rev. 3 (CCN 1)" Doses Due to Spent Fuel Pool Boiling").

No credit was taken for the FHIS actuation of FHB isolation or post accidern cleanup unit operation because the activity relcased into the FHB as a result of the SFP Boiling Accident was modeled as being instantaneously released to the outside enviromnent. The offsite radiological consequences are bounded by the FHA in the FHB. This accident was evaluated aEain since the accident may not provide indication in the Control Room that an accident has occurred and hence the Control Room may not be isolated by manual operator action.

The new dose analysis (Calculation N 0720-013 Rev.1 Appendix H, H3.1 and H3.2) shows that offsite and Control Room doses resulting from this event are less than the design basis limits. These results are based on: (1) a normal fuel offload, (2) 150 hours0.00174 days <br />0.0417 hours <br />2.480159e-4 weeks <br />5.7075e-5 months <br /> of decay between reactor shutdown and loss of Spent fuel Pool (SFP) cooling, and (3) dispersion factors at the 50% meteorology level. A full core ofiload was not evaluated since the Shutdown Cooling

System would then be available as backup to the SFP Cooling System rendering a boiling accident unlikely. Therefore the conunon failure of the ESFAS radiation monitors will not afTect the consequences of this accident.

8.3.3 Accidents Outside Containment and the Fuelllandling Building That Credit CRIS The UFSAR Chapter 15 accidents were reviewed and those accidents that required CRIS actuation that also did not result in a SIAS were considered for review of Control Room doses. The following incidents were identified:

a. UFSAR Section 15.1.2.3 Increased Main Steam Flow with a single active failure This accident results in a release of radioactivity directly to the atmosphere through the MSSVs and ADVs. Neither release path can be terminated by ESFAS radiation monitor actuation. Dose consequences to the Contml Room operators can be mitigated by CRIS actuation.

Analysis (Calculation N-0720-013 Rev.1 Appendix F, Astumption F3.4 and FS.6 for Dose Results) shows that offsite and Control Room doses resulting from this event are less than the design basis limits. These results are based on atmospheric dispersion factors at the 50%

meteorology level and a manual operator action at 30 minutes to place the Control Room in the emergency HVAC mode.

The following instruments and indications are available to alert the operator of the need to perform the above manual operator action:

reactor trip status in alarm steam generator narrow range level decrease / alarm Main Steam flowincrease Control Room area radiation increase / alarm

b. UFSAR Section 15.1.2.4, Inadvertent Opening ora Steam Generator Atmospheric Dmnp Valve With a Single Active Failure This accident results in a radioactivity release directly to the atmosphere through the ADVs.

This release path cannot be terminated by ESFAS radiation monitor actuation.

s' 4 Analysis (Calculation N-0720-013 Rev.1 Appendix G, Assumption G3.1 and G3.2 and G5.2 for Dose Results) shows that offsite and Control Room doses resulting from this event are less than the design basis limits. These results are based on atmospheric dispersion factors at the 50% meteorology level and manual operator actions within 30 minutes. These actions are: (1) terminate steam releases via the inadvertently opened atmospheric dump valve and (2) provide auxiliary flow to the intact steam generator and to open the atmospheric dump valve of the intact steam generator to facilitate heat removal, ne the condenser is unavailable.

Therefore, the loss of the ESFAS radiction monitors will not significantly impact the consequences of this event.

G-

c. UFSAR Section 15.6.3.1, Primary Sample or Instrument Line Break (Referred to as a Letdown Line Break)

This accident results in a release of radioactivity directly to the atmosphere through the plant vent stack and through the ADVs. Neither release path can be terminated by ESFAS radiation monitor actuatio.

The design basis calculation (Calculation N-;077-001 " Letdown Line Break - Offsite and l Control Room Doses") for the letdown line break shows acceptable dose consequences offsite and in the Control Room. The analysis of record credits manual isolation of the letdown line '

within 30 minutes. Letdown line isolation may occur sooner from the installed non-safety related temperature loop (but is not credited).

The ESFAS radiation monitors are not required to mitigate the dose consequences of this accident to meet offsite or Control Room dose requirements.

Safety Analysis i

The proposed change described above shall be deemed to involve a sigrificant hazards consideration if there is a positive finding in any one of the following areas:

1. Will operation of the facility in accordance with this proposed change involve a significant increase in the probability or consequences of any accident previously evaluated?

Response: No.

The propcsed change is required to permit using digital radiation monitors as input to both trains of the Control Room Isolation Signal (CRIS), and to both trains of the Containment Purge Isolation Signal (CPIS). These changes will allow replacement of the remaining safety related obsolete radiation monitor equipment to address spare parts and equipment availability issues. The new containment airborne radiation digital monitor will have the same basic architecture as the existing analog system, and sents to perform the same function. In addition, the digital radiation monitors are expected to be more reliable then the existing equipment which is of an analog design.

Furthermore, defense-in-depth equipment is available that either provides, or allows for, actions to mitigate the release of offsite and Control Room doses to within existing licensing limits based on realistic event input assumptions. Analyses show that if" realistic" input assumptions are utilized and reasonable operator actions are allowed, then, acceptable dose consequences result both to the general public offsite, and to the Control Room operators.

Therefore, the proposed change will not invoh e a significant increase in the probability or consequences of any accident previously evaluated.

-15

2. Will operation of the facility in accordance with this proposed change create the possibility of a new

. or differcrit kind of accident from any previously evaluated?

Response: No.

The pruposed change will permit upgrading the existing analog radiation monitors with upgraded digital radiation monitors. Replacement of an analog system to a predominantly digital system, uses sonware algorithms to perform the required functions. A satisfactory sonware verification ,nd validation (V&V) report, including continued sonware change control procedures, provides assurance that a software common mode failure is not likely.

In addition, the design, installation, testing, maintenance, and operation cf the affected equipment will assure that no new or difTerent kinds of accidents will be created. The ESFAS radiation monitors involved are portions of systems that respond to accidents. They can not, by their actions or inactions, create a new or different accident from any accident previously evaluated.

Therefore, the proposed change will not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Will operation of the facility in accordance with this proposed change involve a significant reduction in a margin of safety?

Response: No.

The CRIS and CPIS Radiation Monitor Systems provide an accident mitigation function for ofTsite doses (10 CFR 100) and Control Room doses (10 CFR 50 Appendix A, General Design Criteria 19). A change in the margin of safety is introduced due to the possibility of a software common mode failure in redundant equipment simultaneously afTecting equipment performing a different function.

This change is not a significant reduction in the margin of safety, however, due to the following:

(1) A probabilistic risk analysis has determined that the availability of the afTected radiation monitors, including software, should be better than the existing equipment based on industry oata to date, (2) The sonware V&V and preoperational testing to be performed will provide assurance of system operation, and (3) The combined occurrence of a software common mode failure that simultaneously causes failure of all available ESFAS radiation monitors cencurrent with a design bases accident is very unlikely.

16-l 1

In the unlikely event of a software common mode failure that causes all ESFAS radiation monitors to be inoper:b!c concurrent with a design bases accident, analyses show that if" realistic" input assumptions are utilized and reasonable operator actions are allowed, then acceptable dose consequences result both to the general public offsite, and to the Control Room operators.

Therefore, the proposed change will not involve a significant reduction in a margin of safety.

Safety and Sienificant liarards Determination Based on the above Safety Analysis, it is concluded that: (1) the proposed change does not constitute a significant hazards consideration as defined by 10 CFR 50.92, and (2) there is reasonable assurance that the health and safety of the public will not be endangered by the proposed change. Moreover, because this action does not involve a significant hazards consideration, it will also not result in a condition which significantly alters the impact of the station on the environment as described in the NRC Final Environmental Statement.

w

o 1

Enclosure 2 J-SPA-289, "ESFAS Radiation Monitor Software Common Mode Failure Evaluation" and N-0720-014," Control Room and Offsite Doses Should CPIS, CRIS and FHIS Fail" San Onofre Nuclear Generating Station Units 2 and 3

'